RE: [ActiveDir] AD Question for your peers-GPO

2005-10-05 Thread Frank Abagnale
I have exactly that, a Servers OU and a Clients OU which I put my Workstations/Servers into.
 
But the default OU I am talking about is where all the computers go to when they are first added to the domain. They are then manually moved to the respective OU once a week. 
 
thanks anyway
[EMAIL PROTECTED] wrote:
Easiest way: put the servers in one OU and the non-servers in another OU.
Then create one policy for each OU.

There are other ways, like adding the servers to a security group and
filtering your policy by group membership. The separate OU formula is easier
- IMO.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO


What would I do in this situation

One OU which all Computers join when they are added to the domain

I have two Global Groups 1=WSAdmins and 2=SVRAdmins. These two groups do not
contain the same users.

Now, I want to ensure that when I set a Restricted Policy, only the WSAdmins
are listed in the Local Admins group on the Workstations and SVRAdmins is
only a member of the local Administrators group on the Servers in the default
OU

Is this possible? From how I see it, if a restricted group is set on an OU,
then any computer which is a member of this OU receives this setting.

Sorry, this has always confused me, which is why I went for the scripted
option on startup.

thanks

Frank

[EMAIL PROTECTED] wrote:

Correct.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 12:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO


Deji,

I may sound real stupid asking this, but if I add Administrators to the
Member Of attribute, how can I make sure this is only "local Administrators"
e.g Local Workstations or Local member servers and not the builtin
Administrators group (the one with Domain Admin permissions)

Is this because the restricted groups GPO is only applied to the ClientsOU?
and not at DDP level?

thanks

frank

[EMAIL PROTECTED] wrote:

Brian,

the "wipe and load" behavior is a thing of the past with the introduction of
the new "MemberOf" attribute. Here's a short reply I posted on another list a
while back.

Another option is to use the "MemberOf" option in a "Restricted Groups" GPO.
Say the group is called GrpA and you want it to be a member of the
administrators group in every client in ClientsOU. You will create and apply
a group policy to ClientsOU. In that policy, you will create a restricted
group object, by adding GrpA. Then in the properties, you will choose the
"this group is a member of:" and type in "administrators".

By doing the above, the existing members of the "administrators" group are
not removed. The process will simply append GrpA to the membership list on
"administrators".

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 10/3/2005 4:14 PM
To: ActiveDir@mail.activedir.org
Cc: '# Jose Medeiros-IBM (E-mail)'
Subject: RE: [ActiveDir] AD Question for your peers-GPO


Yes. You want to use the Restricted Groups function in the computer config
area. Be aware it is a replacement not a merge, so, things already in there
will get blasted


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, October 03, 2005 4:12 PM
To: activedir@mail.activedir.org
Cc: # Jose Medeiros-IBM (E-mail)
Subject: [ActiveDir] AD Question for your peers-GPO


We have three child domains off our root domain and basically we want to add
a global or universal group ( We are in Native mode on AD 2003) to the local
admin group on member servers & workstations in a child domain, every time a
new computer account is to AD. Is this possible using a GPO?
( Please read the message below )

Jose :-)

> -Original Message-
> From: Ebias, Danilo
> Sent: Monday, October 03, 2005 11:57 AM
> To: Medeiros, Jose
> Subject: AD Question for your peers
>
> Jose,
> Could you check with your peers about how we could define a group
> policy that would add a universal group or global group automatically into
> the local admin group of computers into a specific OU? I remember reading
> that this is possible, but I can't find any documentation about it.
>
>
> Thanks,
> dan
>
> Danilo Ebias, Jr.
> ADP | National Account Services
> Pro
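The Restricted Groups discussion in this thread turns on two different semantics (Members replaces the whole membership list, Memberof appends to it) and on the fact that one GPO cannot tell a workstation from a server inside the same OU. Below is an added example, not code from anyone in the thread, of the "scripted option on startup" Frank mentions: a PowerShell computer startup script that picks the admin group by machine role and appends it without wiping existing members. The NetBIOS domain name CORP is assumed; the group names WSAdmins and SVRAdmins are the ones named in the thread.

```powershell
# Added example, not from the thread: a computer startup script that makes the
# local Administrators group hold WSAdmins on workstations and SVRAdmins on
# member servers, even while both kinds of machine sit in the same default OU.
# The NetBIOS domain name CORP is an assumption for illustration.
#
# For comparison, the two Restricted Groups forms in GptTmpl.inf:
#   [Group Membership]
#   *S-1-5-32-544__Members  = CORP\WSAdmins   (Administrators becomes exactly this list)
#   CORP\WSAdmins__Memberof = *S-1-5-32-544   (WSAdmins is added; existing members are kept)
# Neither form can branch on machine role within one GPO; this script can.

$Domain            = 'CORP'       # assumed NetBIOS domain name
$WorkstationAdmins = 'WSAdmins'   # global group for workstations (from the thread)
$ServerAdmins      = 'SVRAdmins'  # global group for member servers (from the thread)

function Get-MachineRole {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $type = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    switch ($type) {
        1 { 'Workstation' }
        2 { 'DomainController' }
        3 { 'Server' }
        default { throw "Unexpected ProductType $type" }
    }
}

function Get-LocalAdministratorsMembers {
    # ADsPath of every current member of the local Administrators group,
    # e.g. WinNT://CORP/WSAdmins or WinNT://HOST/Administrator
    $group = [ADSI]'WinNT://./Administrators,group'
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Ensure-LocalAdmin {
    param([string]$DomainGroup)   # DOMAIN\Group
    $netbios, $name = $DomainGroup -split '\\', 2
    $wanted = "WinNT://$netbios/$name"
    if ((Get-LocalAdministratorsMembers) -contains $wanted) {
        Write-Output "$DomainGroup is already in Administrators"
        return
    }
    # Append only: like Restricted Groups 'Memberof', this never removes
    # existing members such as the local Administrator account.
    $group = [ADSI]'WinNT://./Administrators,group'
    $group.Add("$wanted,group")
    Write-Output "Added $DomainGroup to Administrators"
}

switch (Get-MachineRole) {
    'Workstation'      { Ensure-LocalAdmin "$Domain\$WorkstationAdmins" }
    'Server'           { Ensure-LocalAdmin "$Domain\$ServerAdmins" }
    'DomainController' { Write-Output 'Domain controller: Administrators is the domain BUILTIN group, nothing to do' }
}
```

Run it as a Computer Configuration startup script so it executes as SYSTEM; it needs no stored credentials. Because it only ever appends, anything an attacker or a careless admin has added to Administrators stays there, which is the trade-off Brian's "replacement not a merge" warning describes from the other side.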

Re: [ActiveDir] AD Question for your peers-GPO

2005-10-05 Thread Mark Parris
The default is a container, not an OU, so the GPO does not apply.

Mark
-Original Message-
From: Frank Abagnale <[EMAIL PROTECTED]>
Date: Wed, 5 Oct 2005 00:46:53 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO

I have exactly that, a Servers OU and a Clients OU which I put my 
Workstations/Servers into. 
 
But the default OU I am talking about is where all the computers go to when 
they are first added to the domain. They are then manually moved to the 
respective OU once a week. 
 
thanks anyway 

[EMAIL PROTECTED] wrote: Easiest way: put the servers in one OU and the 
non-servers in another OU.
Then create one policy for each OU.

There are other ways, like adding the servers to a security group and
filtering your policy by group membership. The separate OU formula is easier
- IMO.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO


What would I do in this situation

One OU which all Computers join when they are added to the  domain

I have two Global Groups 1=WSAdmins and 2=SVRAdmins. These two groups do not
contain the same users.

Now, I want to ensure that when I set a Restricted Policy, only the WSAdmins
are listed in the Local Admins group on the Workstations and SVRAdmins is
only a member of the local Administrators group on the Servers in the default
OU

Is this possible? From how I see it, if a restricted group is set on an OU,
then any computer which is a member of this OU receives this setting.

Sorry, this has always confused me, which is why I went for the scripted
option on startup.

thanks

Frank

[EMAIL PROTECTED] wrote:

Correct.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 12:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO


Deji,

I may sound real stupid asking this, but if I add Administrators to
the
Member Of attribute, how can I make sure this is only "local
Administrators"
e.g Local Workstations or Local member servers and not the builtin
Administrators group (the one with Domain Admin permissions)

Is this because the restricted groups GPO is only applied to the
ClientsOU?
and not at DDP level?

thanks

frank





[EMAIL PROTECTED] wrote:

Brian,

the "wipe and load" behavior is a thing of the past with the
introduction of
the new "MemberOf" attribute. Here's a short reply I posted on
another list a
while back.

Another option is to use the  "MemberOf" option in a "Restricted
Groups" GPO.
Say the group is called GrpA and you want it to be a member of the
administrators group in every client in ClientsOU. You will create
and apply
a group policy to ClientsOU. In that policy, you will create a
restricted
group object, by adding GrpA. Then in the properties, you will choose
the
"this group is a member of:" and type in "administrators".

By doing the above, the existing members of the "administrators"
group are
not removed. The process will simply append GrpA to the membership
list on
"administrators".

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of Brian  Desmond
Sent: Mon 10/3/2005 4:14 PM
To: ActiveDir@mail.activedir.org
Cc: '# Jose Medeiros-IBM (E-mail)'
Subject: RE: [ActiveDir] AD Question for your peers-GPO



Yes. You want to use the Restricted Groups function in the computer
config
area. Be aware it is a replacement not a merge, so, things already in
there
will get blasted


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros,
Jose
Sent: Monday, October 03, 2005 4:12 PM
To: activedir@mail.activedir.org
Cc: # Jose Medeiros-IBM (E-mail)
Subject: [ActiveDir] AD Question for your peers-GPO


We have three child domains off our root domain and basically we want
to add
a global or universal group ( We are in Native mode on AD 2003) to
the local
admin group on member servers  & workstations in a child domain, every
time a
new computer account is to AD. Is this possible using a GPO?
( Please read the message below )

Jose :-)

> -Original Message-
> From: Ebias, Danilo 
> Sent: Mon

RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Katherine Coombs
The user account performing the backup needs to have "Restore Files and
Directories" rights to be able to perform a backup of the system state.
I know that it's small in the scheme of things, but anytime MS wants to
fix that I'd be happy.  In other words, just granting the "Back up Files
and Directories" rights should be all that is required to, oh let's see,
back up files and directories, including System State.

K 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 October 2005 03:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this
is a tough one. It wouldn't just be a nobrainer if they had separate
instances of AD, there are just tons of other things involved that make
it extremely difficult. It was something that was brought up in the
summit though, not sure how much I can say around it other than no, it
won't be there.

MS feels the focus of this is dramatically reduced now as well due to
the fact that VS is available and can run DCs. Also the Server Core DCs
helps here as well as the DCs will have a smaller footprint. If folks
are NOT in agreement with that assessment, definitely speak up, it is
too late for Longhorn but possibly the opportunity exists to convince
them for BlackComb.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the
same server. SMBs with limited resources balk at having to buy
additional server hardware for redundancy on multiple domains,
especially when the AD load on the DCs is minimal. This feature sounds
like an offshoot of your list below.
If you can run AD as a service, it might not be that hard to allow
multiple domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years
ago. I hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> Vista is the client OS. I don't believe they have named Longhorn 
> Server yet. I am voting for something like Windows Server 5.4.0 or 
> something like that. I realize that the marketing group would have 
> something to say about it but I figure the best thing from them is if 
> they pronounced their thoughts from the bottom of Lake Washington.
> People don't install servers because they have cool names.
>  
> The biggest non-NDA pieces that I have heard announced in conferences 
> or seen on the web already is the Read Only DC to limit security 
> exposure for WAN deployments, restartable AD that can be 
> stopped/started as necessary, DA/Admin separation so that you can have
> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and
> DCs running on Server Foundation or now its called Server Core which 
> is a GUI-challenged Windows Server.
>  
> I can also say that there are a myriad of GUI updates for the Admin 
> tools though I can't state specifics. BJ Whalen who was involved with 
> the GPMC project has been brought in to work on admin experience and 
> anyone who has worked with GPOs with and without GPMC know that he 
> really helped out.
>  
> All in all, there is some very cool stuff and MS has really been 
> listening to the community on what they want and need. I know that 
> this list is watched for ideas and such and has been the source of 
> DCRs internally. So if you have ideas, spout them here, they will most
> certainly be heard. They may not make Longhorn as it is getting a bit 
> late to add major changes but your ideas could make it into a later 
> rev.
>  
>  
>joe
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Active Directory wish list
> 
> 
> Hi,
>  
> With Windows Vista on it's way what's on people's wish list as far as 
> Active Directory is concerned? Also are there any big enhancements 
> due?
>  
> Thanks
> Steven
> 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

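Katherine's gripe above is about which user rights a backup account actually ends up holding. As an added example, not from the thread, the PowerShell below exports the effective local security policy with secedit, parses the [Privilege Rights] section and reports who holds SeBackupPrivilege ("Back up files and directories") and SeRestorePrivilege ("Restore files and directories"), and who holds only one of the two. The INI text at the bottom is constructed sample input in secedit's format; Get-PrivilegeRights reads the real policy and needs an elevated prompt.

```powershell
# Added example, not from the thread: who holds the backup and restore user
# rights on this machine, parsed from a secedit export. The sample INI text at
# the bottom is constructed; Get-PrivilegeRights exports the live policy.

function ConvertFrom-PrivilegeRights {
    param([string[]]$Lines)
    # Returns a hashtable: privilege name -> array of holders (SIDs without the
    # leading '*', or account names as secedit wrote them).
    $inSection = $false
    $rights = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $name    = $Matches[1]
        $holders = $Matches[2] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') } |
                   Where-Object { $_ }
        $rights[$name] = @($holders)
    }
    return $rights
}

function Resolve-Holder {
    param([string]$Holder)
    # Translate S-1-... SIDs to DOMAIN\Name where possible; names pass through.
    if ($Holder -notmatch '^S-1-') { return $Holder }
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Holder)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Holder   # unresolvable (e.g. deleted account) stays as the raw SID
    }
}

function Get-PrivilegeRights {
    # Export only the user-rights area of the effective policy (Unicode INI).
    $tmp = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    try     { ConvertFrom-PrivilegeRights (Get-Content $tmp) }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

function Compare-BackupRestore {
    param([hashtable]$Rights)
    $backup  = @($Rights['SeBackupPrivilege'])
    $restore = @($Rights['SeRestorePrivilege'])
    [pscustomobject]@{
        BackupOnly  = @($backup  | Where-Object { $restore -notcontains $_ } | ForEach-Object { Resolve-Holder $_ })
        RestoreOnly = @($restore | Where-Object { $backup  -notcontains $_ } | ForEach-Object { Resolve-Holder $_ })
        Both        = @($backup  | Where-Object { $restore -contains $_ }    | ForEach-Object { Resolve-Holder $_ })
    }
}

# Constructed sample in secedit's own format (not a real export): a service
# account SID has been granted backup but not restore.
$sampleText = @'
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1000-2000-3000-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
'@
$sample = $sampleText -split "`r?`n"

Compare-BackupRestore (ConvertFrom-PrivilegeRights $sample)
# Against this machine instead:  Compare-BackupRestore (Get-PrivilegeRights)
```

On the sample, BUILTIN\Administrators and BUILTIN\Backup Operators land in Both and the unresolvable S-1-5-21-... SID in BackupOnly, which is exactly the account that would fail a System State backup. Worth remembering before granting it the extra right: SeRestorePrivilege lets its holder write any file regardless of ACL and take or assign ownership, so a backup service account that also holds it is effectively a local administrator and should be protected as one.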

Re: [ActiveDir] AD Question for your peers-GPO

2005-10-05 Thread Frank Abagnale
But my default is an OU, I used the redircmp utility to redirect the default location to an OU, not a container.

Mark Parris <[EMAIL PROTECTED]> wrote:

The default is a container, not an OU, so the GPO does not apply.

Mark
-Original Message-
From: Frank Abagnale <[EMAIL PROTECTED]>
Date: Wed, 5 Oct 2005 00:46:53 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO

I have exactly that, a Servers OU and a Clients OU which I put my 
Workstations/Servers into. 

But the default OU I am talking about is where all the computers go to when 
they are first added to the domain. They are then manually moved to the 
respective OU once a week. 

thanks anyway 

[EMAIL PROTECTED] wrote: Easiest way: put the servers in one OU and the 
non-servers in another OU.
Then create one policy for each OU.

There are other ways, like adding the servers to a security group and
filtering your policy by group membership. The separate OU formula is easier
- IMO.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO


What would I do in this situation

One OU which all Computers join when they are added to the domain

I have two Global Groups 1=WSAdmins and 2=SVRAdmins. These two groups do not
contain the same users.

Now, I want to ensure that when I set a Restricted Policy, only the WSAdmins
are listed in the Local Admins group on the Workstations and SVRAdmins is
only a member of the local Administrators group on the Servers in the default
OU

Is this possible? From how I see it, if a restricted group is set on an OU,
then any computer which is a member of this OU receives this setting.

Sorry, this has always confused me, which is why I went for the scripted
option on startup.

thanks

Frank

[EMAIL PROTECTED] wrote:

Correct.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 12:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO


Deji,

I may sound real stupid asking this, but if I add Administrators to the
Member Of attribute, how can I make sure this is only "local Administrators"
e.g Local Workstations or Local member servers and not the builtin
Administrators group (the one with Domain Admin permissions)

Is this because the restricted groups GPO is only applied to the ClientsOU?
and not at DDP level?

thanks

frank

[EMAIL PROTECTED] wrote:

Brian,

the "wipe and load" behavior is a thing of the past with the introduction of
the new "MemberOf" attribute. Here's a short reply I posted on another list a
while back.

Another option is to use the "MemberOf" option in a "Restricted Groups" GPO.
Say the group is called GrpA and you want it to be a member of the
administrators group in every client in ClientsOU. You will create and apply
a group policy to ClientsOU. In that policy, you will create a restricted
group object, by adding GrpA. Then in the properties, you will choose the
"this group is a member of:" and type in "administrators".

By doing the above, the existing members of the "administrators" group are
not removed. The process will simply append GrpA to the membership list on
"administrators".

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 10/3/2005 4:14 PM
To: ActiveDir@mail.activedir.org
Cc: '# Jose Medeiros-IBM (E-mail)'
Subject: RE: [ActiveDir] AD Question for your peers-GPO


Yes. You want to use the Restricted Groups function in the computer config
area. Be aware it is a replacement not a merge, so, things already in there
will get blasted


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, October 03, 2005 4:12 PM
To: activedir@mail.activedir.org
Cc: # Jose Medeiros-IBM (E-mail)
Subject: [ActiveDir] AD Question for your peers-GPO


We have three child domains off our root domain and basically we want to add
a global or universal group ( We are in Native mode on AD 2003) to the local
admin group on member servers & workstations in a child domain, every time a
new computer account is to AD. Is this possible using a GPO?
( Please read the message below )

Jose :-)

> -Original Message-
> From: Ebias, Danilo
> Sent: Monday, October 03, 2005 11:57 AM
> To: Medeiros, J
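Mark and Frank disagree above about whether the default location for new computer accounts is a container or an OU. It matters because Group Policy can only be linked to sites, domains and OUs; the built-in CN=Computers container cannot carry a link, which is what redircmp fixes. The following added example (not from any poster) reads the domain's wellKnownObjects attribute to find the current default computers location and reports whether a GPO can reach it. The OU name NewComputers in the printed redircmp hint is an assumption.

```powershell
# Added example, not from the thread: where do newly joined computers land by
# default, and can Group Policy reach them there? Nothing is environment-specific;
# the domain is discovered from RootDSE.

# GUID_COMPUTRS_CONTAINER_W: the well-known-object GUID that marks the default
# computers location in the domain head's wellKnownObjects attribute.
$ComputersContainerGuid = 'AA312825768811D1ADED00C04FD8D5CD'

function Get-DefaultComputersContainer {
    param([string]$DomainDn)
    # wellKnownObjects is DN-Binary; each value reads  B:32:<GUID hex>:<DN>
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$DomainDn"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=domainDNS)'
    $searcher.PropertiesToLoad.Add('wellKnownObjects') | Out-Null
    $result = $searcher.FindOne()
    foreach ($value in $result.Properties['wellknownobjects']) {
        $parts = [string]$value -split ':', 4      # limit 4: the DN itself may contain ':'
        if ($parts.Count -eq 4 -and $parts[2] -ieq $ComputersContainerGuid) { return $parts[3] }
    }
    throw "wellKnownObjects on $DomainDn has no computers entry"
}

function Test-CanLinkGpo {
    param([string]$DistinguishedName)
    # gpLink is honoured on organizationalUnit, domainDNS and site objects only;
    # a plain 'container' (CN=Computers, CN=Users) can never receive a GPO link.
    $classes = @(([ADSI]"LDAP://$DistinguishedName").objectClass)
    return [bool](($classes -contains 'organizationalUnit') -or ($classes -contains 'domainDNS'))
}

$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$dn = Get-DefaultComputersContainer -DomainDn $domainDn
"Default location for new computer accounts: $dn"
if (Test-CanLinkGpo -DistinguishedName $dn) {
    "It is an OU: GPOs linked here or above apply to machines as soon as they join."
} else {
    "It is a container: no GPO can be linked. Redirect it to a staging OU, e.g."
    "  redircmp ""OU=NewComputers,$domainDn""    (assumed OU name; create it first)"
}
```

A machine that joins into a plain container gets only domain-linked policy until someone moves it, which in Frank's case is up to a week; redirecting to a staging OU (or pre-creating the account in the right OU, as Deji does) closes that window.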

RE: [ActiveDir] Anti-virus protection in domain environment

2005-10-05 Thread Alan Monaghan
We have used NOD32 here for a number of years. At this point, we will not use
it on any servers. The reason is the .dll that they use to scan the web
interface for viruses and the like interferes with a lot of install programs,
running applications and it will not work with the firewall client from ISA
2004 at all. 

While a nice and great program for the end machines, except for those with
the firewall client on ISA 2004, I have found it to be too much of a problem
on my servers to be trusted any more. The updates/installs that we have had
problems with include Cold Fusion, IIS 5.0, certain workstations that use
tcp/ip ports for publishing and other issues in the AD realm. Unfortunately,
NOD32 doesn't allow for that .dll not to be on the top of the TCP/IP stack
and certain functionality demands of the TCP/IP software needs to have that
control. We have gone as far as to use MSConfig to stop Nod from loading at
all, but the .dll still gets control of the stack. 

YMMV


Felis demulcta mitis ...
Alan G. Monaghan 
   [ MCSE+I - Win4.0/ MCSE - Win2k/ BJCP # C0389(Recognized)  Ò¿Ó¬ ]
Systems Administrator 
Gardner Publications, Inc.

*Phone .. 1-513-527-8867 
*Fax  1-513-527-8801 
*Cell ... 1-513-378-0919  
*E-mail . [EMAIL PROTECTED]
*URL  http://Bullwinkle.GardnerWeb.Com/


[ActiveDir] ADMT 3 Released

2005-10-05 Thread Celone, Mike



ADMT V3 has been released.

http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en
http://tinyurl.com/bk98u

Mike Celone
LAN Administrator
Radio Frequency Systems
v. 203-630-3311
f. 203-634-2027
m. 203-537-2406
[EMAIL PROTECTED]
 


RE: [ActiveDir] Domain Password Policies

2005-10-05 Thread Robert Lundh





*** VENDOR INFORMATION - BETA INVITATION ***

Hi!

Just as requested below and in the AD Gripes thread, we at Special Operations
Software have a new product coming out soon that removes the limitation of
just one password policy per domain and makes your password policies much
more configurable.

I would love to invite you guys to our closed beta to find out exactly what
kind of functionality you need. You can find some more information and a
screenshot here:
http://www.specopssoft.com/forum/topic.asp?TOPIC_ID=147

Should you be interested in participating please email me at robert AT
specopssoft DOT com.

Cheers
Robert Lundh
Special Operations Software


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 31 August 2005 14:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Password Policies


I have not worked with that tool and know very little about it.

One thing to watch out for is tools that place themselves between the client
and the directory. By that I mean that they extend the directory and its
functionality in such a way that if you were to remove the product later (stop
paying maintenance for example) then you lose everything and start again. Some
tools work that way, and I don't personally believe they should.

Typically, if you have a different password policy, you need a separate domain
to do this natively.

Additionally, I'm not sure why you require a separate set of password policies?
Can you expand on that?


From: [EMAIL PROTECTED] on behalf of mike kline
Sent: Wed 8/31/2005 8:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Password Policies

I know that Microsoft states that there can only be one password policy per
domain. Earlier this month Joe started a thread about AD Gripes and several
people mentioned the password issue.

We are dealing with the same thing. I would like to have a more restrictive
policy on our admin accounts OU. Has anyone used a third party product and
been successful?

For example

http://www.anixis.com/products/ppe/features.htm

That product claims to do it but I'm wondering if anyone on this list has
worked with that or any other product that could help out.

Thanks
Mike


[ActiveDir] AD Restore Problem

2005-10-05 Thread Carerros, Charles



I'm having a problem restoring my AD to different hardware. I know there are
some issues but I hear that people have been able to follow some MS docs and
get it done but I can't seem to pull it off.

I'm working with an HP server to Dell hardware and in the next week I will be
going from HP to Compaq at our DR test site and I kinda need to get this
working.

I have included my documentation on how to do this DR restore below and they
are the steps that I went through and when I got to the end I still get the
blue screen and reboot. Can someone tell me where I'm going wrong?

We are running W2K3 fully patched with the exception of SP1. DCs are all GCs,
DNS and WINS servers.

Thanks,

Charlie
 

Active Directory Disaster Recovery
Company Name
April 18, 2005, Revision 4

The ability to recover from a catastrophic disaster is one of the goals of the
Network Team. With Active Directory quickly becoming the core technology for
items such as e-mail, Citrix and local workstation security, it is imperative
that in the case of a disaster a quick recovery can be had. This process will
outline the non-authoritative active directory restore process. [The
authoritative process is used to restore a portion of the Active Directory
while leaving parts intact.]

Resources:
To conduct a successful restore you must have the correct toolset. In
conducting restores the following items must be had. It is also important to
note that all of this must be accessible without access to network data
storage. In the case of a disaster, there will not be a network data storage
to access.

- Tested backup
- Software that was used to take the backup
- Server installation CDs (to include hardware drivers)
- Documentation on how the server was installed
- Hardware to test the server on (if different hardware, you must have drivers)
- Workstation hardware
- Separate VLAN that is not connected to production
- Restore plan
- All passwords, recovery and administrative

If any of these items are not present then a restore will not be able to be
undertaken with success.

The current backup strategy of the PRIMARYDC and SECONDARYDC is:

- Daily backup using NTBackup to BACKUPSERVER\d$\NetAdmin\AD Backup
- This backup captures the system state and SYSVOL and Net Logon folders
- The server name is used as the backup file
- This is then backed up with the process that backs up BACKUPSERVER
- No automated alert is currently configured to monitor this backup process

Process:

1. Review the resources to ensure that all are present. Once all of the items
   are gathered then the process may move forward.

2. Install Windows 2003 server on the server hardware using the documentation
   that outlines the procedure that was taken during the creation of the
   initial box. Be sure that you use disk space equal to or larger than the
   original server and the drive letters MUST be the same or the databases
   will not be properly restored. If you do not use the appropriate volume
   sizes the restore may fail with a blue screen.

3. Patch the server up to the same level of patching that the original server
   had. If the original server did not have Windows 2003 SP1, then DO NOT
   apply that patch until after the restoration process is complete. The dll
   and security changes that occur during OS patching can change the system
   state setup and therefore render your backup useless.

4. Ensure that you install DNS and WINS servers. (If you do not install DNS
   and WINS they may not restore correctly and DNS and WINS will then need to
   be restored manually).

5. Start the computer in Directory Services Restore Mode.
   - Restart the computer
   - After the BIOS information is displayed, press F8.
   - Use the Down Arrow to select "Directory Services Restore Mode (Windows
     Server 2003 domain controllers only)"
   - Use the Up and Down Arrows to select the Windows Server 2003 operating
     system, and then press ENTER.
   - Log on with your administrative account and password.

6. Start the Windows Server 2003 backup utility:
   - Click Start
   - Point to "All Programs" => "Accessories" => "System Tools" then click
     "Backup".

7. This procedure provides steps for restoring from backup in Wizard Mode. By
   default, the Always Start in Wizard Mode check box is selected in the
   Backup or Restore Wizard. If the Welcome to the Backup Utility Advanced
   Mode page appears, click Wizard Mode to open the Backup or Restore Wizard.

8. On the "Welcome to the Backup or Restore Wizard" page, click Next.

9. Click Restore files and settings, and then click Next.

10. Select the files that you want to restore (you should have them on the
    local server), and then click Next.

11. On the Completing the Backup or Restore Wizard page, click
RE: [ActiveDir] migrating groups with sidhistory

2005-10-05 Thread joe
There is an API call which will collapse the groups into a single group but I
don't think I have seen anything that exposes it from any scripting languages.
This is actually on my list of 50 or so tools I want to scrape time together
to build. The call is like DsAddSidHistory but only works within a single
domain and adds both the objectSID and sIDHistory of one secprin to another
and removes the original secprin from the domain.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Saturday, September 03, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] migrating groups with sidhistory


Straightforward as in already made?

I haven't seen anything, but I would assume some of the third party utilities
would be helpful.

Were it me, I'd strongly consider using script or C# to do this. If script,
Perl or JavaScript would likely be my choice as they would likely handle the
arrays better.

My $0.04 anyway.

Al


From: [EMAIL PROTECTED] on behalf of James Jursch (jjursch)
Sent: Fri 9/2/2005 7:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] migrating groups with sidhistory

I am looking for a way to migrate / collapse child domain groups into one
group in the root. I have three child domains with a group named x.group1 and
I want to have a universal group in the root with the sid's of the three
child domain groups in sidhistory. I can use ADMT to move groups one for one,
but I need to also collapse. Is there a straightforward way of doing this?
thanks
-james
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
james jursch - mcse 2ooo  mcsa 2003 MCT
[EMAIL PROTECTED]   Cisco Systems, Inc.
(408) 526-8843
  Real surfers do it in the Ocean, not on the Net!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



RE: [ActiveDir] AD Question for your peers-GPO

2005-10-05 Thread deji
You can block the Policy/Policies at that OU.
 
I usually pre-create my computer accounts in the proper OU before joining
them to the domain. That way, I don't have to clean up any "default"
OU/container after the fact.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Wed 10/5/2005 2:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Question for your peers-GPO


But my default is an OU, I used the redircmp utility to redirect the default
location to an OU, not a container.

Mark Parris <[EMAIL PROTECTED]> wrote: 

The default is a container, not an OU, so the GPO does not apply.

Mark
-Original Message-
From: Frank Abagnale 
Date: Wed, 5 Oct 2005 00:46:53 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO

I have exactly that, a Servers OU and a Clients OU which I put my
Workstations/Servers into. 

But the default OU I am talking about is where all the computers go
to when they are first added to the domain. They are then manually moved to
the respective OU once a week. 

thanks anyway 

[EMAIL PROTECTED] wrote: Easiest way: put the servers in one OU and
the non-servers in another OU.
Then create one policy for each OU.

There are other ways, like adding the servers to a security group and
filtering your policy by group membership. The separate OU formula is
easier
- IMO.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO


What would I do in this situation

One OU which all Computers join when they are added to the domain

I have two Global Groups 1=WSAdmins and 2=SVRAdmins. These two groups
do not
contain the same users.

Now, I want to ensure that when I set a Restricted Policy, only the
WSAdmins
are listed in the Local Admins group on the Workstations and
SVRAdmins is
only a member of the local Administrators group on the Servers in the
default
OU

Is this possible? From how I see it, if a restricted group is set on
an OU,
then any computer which is a member of this OU receives this setting.

Sorry, this has always confused me, which is why I went for the
scripted
option on startup.

thanks

Frank

[EMAIL PROTECTED] wrote:

Correct.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 12:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO


Deji,

I may sound real stupid asking this, but if I add Administrators to
the
Member Of attribute, how can I make sure this is only "local
Administrators"
e.g Local Workstations or Local member servers and not the builtin
Administrators group (the one with Domain Admin permissions)

Is this because the restricted groups GPO is only applied to the
ClientsOU?
and not at DDP level?

thanks

frank





[EMAIL PROTECTED] wrote:

Brian,

the "wipe and load" behavior is a thing of the past with the
introduction of
the new "MemberOf" attribute. Here's a short reply I posted on
another list a
while back.

Another option is to use the "MemberOf" option in a "Restricted
Groups" GPO.
Say the group is called GrpA and you want it to be a member of the
administrators group in every client in ClientsOU. You will create
and apply
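Frank's worry (a Restricted Groups setting on one OU hitting both workstations and servers) and the "wipe and load" versus MemberOf distinction that Deji's quoted reply starts to explain both come down to how the two keys in the policy behave. The following is an added example, not code from anyone on this thread: a small Python model that parses the [Group Membership] section of a GptTmpl.inf-style security template and applies it to a constructed picture of the local Administrators group on a workstation and on a server. The group names, the CONTOSO domain, and the decision to treat an empty list as "not configured" are assumptions; only the BUILTIN\Administrators SID is real.

```python
"""Model of the two Restricted Groups semantics this thread discusses.

Added example; not code from anyone on the thread. It parses the
[Group Membership] section of a GptTmpl.inf-style security template
(keys are GROUP__Members and GROUP__Memberof, SIDs prefixed with '*')
and applies one policy to a constructed picture of a computer's local
groups. Assumption: an empty Members or Memberof list is treated as
"not configured"; what the real client-side engine does with empty
lists is outside what the thread covers and is not modelled.
"""
import configparser
from typing import Dict, List, Set

ADMINISTRATORS = "*S-1-5-32-544"   # well-known SID of BUILTIN\Administrators

# Constructed local Administrators membership on a workstation and a server.
# Group names are made up; CONTOSO is a placeholder domain.
WORKSTATION = {ADMINISTRATORS: {"CONTOSO\\Domain Admins", "CONTOSO\\HelpdeskTemp"}}
SERVER = {ADMINISTRATORS: {"CONTOSO\\Domain Admins", "CONTOSO\\SQLService", "CONTOSO\\SVRAdmins"}}

# "Members" form: authoritative ("wipe and load"). The editor normally writes
# SIDs here; names are used so the sample stays readable.
MEMBERS_POLICY = """
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\\Domain Admins,CONTOSO\\WSAdmins
"""

# "Memberof" form: additive. WSAdmins is put into Administrators wherever the
# GPO applies; whatever else is already in Administrators is left alone.
MEMBEROF_POLICY = """
[Group Membership]
CONTOSO\\WSAdmins__Memberof = *S-1-5-32-544
CONTOSO\\WSAdmins__Members =
"""


def parse_group_membership(inf_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {group: {"members": set(...), "memberof": set(...)}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep case and the leading '*' of SIDs
    cp.read_string(inf_text)
    policy: Dict[str, Dict[str, Set[str]]] = {}
    for key, value in cp["Group Membership"].items():
        group, _, kind = key.rpartition("__")   # "X__Members" -> ("X", "Members")
        entries = {v.strip() for v in value.split(",") if v.strip()}
        policy.setdefault(group, {"members": set(), "memberof": set()})[kind.lower()] = entries
    return policy


def apply_policy(local_groups: Dict[str, Set[str]],
                 policy: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Set[str]]:
    """Return the local groups after one refresh of this policy (a copy, not in place)."""
    result = {g: set(m) for g, m in local_groups.items()}
    for group, cfg in policy.items():
        if cfg["members"]:                 # authoritative: exactly this list, nothing else
            result[group] = set(cfg["members"])
        for target in cfg["memberof"]:     # additive: make sure group is in each target
            result.setdefault(target, set()).add(group)
    return result


def compare() -> Dict[str, List[str]]:
    """Administrators membership on each machine under each policy form."""
    members = parse_group_membership(MEMBERS_POLICY)
    memberof = parse_group_membership(MEMBEROF_POLICY)
    return {
        "members_policy/workstation": sorted(apply_policy(WORKSTATION, members)[ADMINISTRATORS]),
        "members_policy/server": sorted(apply_policy(SERVER, members)[ADMINISTRATORS]),
        "memberof_policy/server": sorted(apply_policy(SERVER, memberof)[ADMINISTRATORS]),
    }


if __name__ == "__main__":
    for label, groups in compare().items():
        print(f"{label}: {', '.join(groups)}")
```

Linking the Members form at an OU that holds both kinds of machine is exactly Frank's problem: on the server, SQLService and SVRAdmins disappear and only Domain Admins and WSAdmins remain. The Memberof form only adds the one group and leaves the rest alone, so it can be linked higher up without the wipe; it still needs separate OUs (or a security-group filter on the GPO, as Deji suggests earlier) to give servers SVRAdmins instead of WSAdmins.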
   

RE: [ActiveDir] Change AD Passwords

2005-10-05 Thread Jake Stabl

Well on a Mac with OS 9 which is really outdated we have no choice but to install Netscape on these computers. Installing Netscape just for password changing is ludicrous! There should be a way to do this with any browser. I work for a school district with 80% of the computers still having OS 9 because of funding issues.
 
--
Jake
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, October 04, 2005 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change AD Passwords


Iisadmpwd would be my solution. I wouldn’t even expect IE on a Mac to work. Are these all OS X machines? Why not support Safari as the standard browser, or some other common browser that works. Seems crazy to support a browser that is no longer developed.

Also, is it worth looking for something with automatic password reset? What I mean is, are people really going to supply or do you already have the proper data to fulfill validation of a user? If not, then it would be hard to justify the cost…unless like you said, there is something free out there that does it. In which case I would be interested too :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jake Stabl
Sent: Tuesday, October 04, 2005 3:07 PM
To: [EMAIL PROTECTED]; MS-Exchange Admin Issues; ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change AD Passwords
 
I know this message has come across this list before but I still don’t have a good solution. Third party solutions that cost money are fine and FREE is better.

I have been looking for some way for users to change their AD passwords from the web. I have tried to use the built-in method from MS IIS but the .asp script doesn’t work correctly on a Macintosh with IE on it. Plus not every staff member has access to a PC to change passwords.

Also what would be nice is a product that does password change, and forgotten passwords. This would greatly reduce the amount of service calls. Also maybe a way to notify these people when their password will expire.

The NOS here is Windows 2003 naturally…

Thanks
--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell: 330.704.1278
IP Phone: 4466


RE: [ActiveDir] Multiple forests with a common DNS parent zone

2005-10-05 Thread ActiveDirectory
Also, if your Forests are all Native 2003 domains you might look into their 
consolidation features.  Since none of your names overlap and the zones are the 
same you may have better luck.  I don't know the details as I've never done it 
myself, but it is theoretically possible to merge them together. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 03, 2005 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple forests with a common DNS parent zone

IF the NetBIOS names of the new root will NOT be the same as the old root, I 
can not make a technical case against your migration plans. It should work.
But, if the NetBIOS names are going to be the same (maybe because your users 
are too attached to that name, and you don't want to introduce too many 
changes), then you can't do it the way you described it.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 10/3/2005 2:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multiple forests with a common DNS parent zone



I have encountered a situation where 4 forests exist today, all of which have a 
common DNS parent zone - let's call it xxx.com.

Forest 1 has root domain named xxx.com with multiple child domains Forest 2 has 
root domain named ap.xxx.com with multiple child domains Forest 3 has root 
domain named am.xxx.com with multiple child domains Forest 4 has root domain 
named jp.xxx.com with no children 

DNS resolution between the 4 forests works fine. Xxx.com is hosted on UNIX BIND 
servers with all child zones delegated to Windows DNS servers. All child zone 
DNS servers forward to the servers hosting xxx.com. Existing forests are w2k 
native and no trusts exist between these forests.


There is a proposal to build a new, fifth forest and to migrate all objects 
from the 4 forests above into this new forest. 

Forest 5 will have root domain named global.xxx.com and 4 children - 
representing the 4 forests above. 

Does anyone have any concerns over the re-use of the same DNS name - xxx.com?
I feel uncomfortable with this proposal but don't have any technical reasons to 
block it.

Any comments? 

Thanks,
neil 




___ 
Neil Ruston 
Global Technology Infrastructure 
Nomura International plc 
Telephone: +44 (0) 20 7521 3481 



PLEASE READ: The information contained in this email is confidential and 
intended for the named recipient(s) only. If you are not an intended 
recipient of this email please notify the sender immediately and delete your 
copy from your system. You must not copy, distribute or take any further 
action in reliance on it. Email is not a secure method of communication and 
Nomura International plc ('NIplc') will not, to the extent permitted by law, 
accept responsibility or liability for (a) the accuracy or completeness of, 
or (b) the presence of any virus, worm or similar malicious or disabling 
code in, this message or any attachment(s) to it. If verification of this 
email is sought then please request a hard copy. Unless otherwise stated 
this email: (1) is not, and should not be treated or relied upon as, 
investment research; (2) contains views or opinions that are solely those of 
the author and do not necessarily represent those of NIplc; (3) is intended 
for informational purposes only and is not a recommendation, solicitation or 
offer to buy or sell securities or related financial instruments. NIplc 
does not provide investment services to private customers. Authorised and 
regulated by the Financial Services Authority. Registered in England 
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, 
London, EC1A 4NP. A member of the Nomura group of companies. 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
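Deji's answer turns on one check: the DNS side of the plan works as long as the new root's NetBIOS name does not repeat an existing one. The following is an added example, not something from this thread, that puts that check in code and goes one step further than the thread by also looking at the new forest's child domains. Given the existing forest roots and the proposed names, it derives each domain's default NetBIOS name (assumption: the first DNS label, upper-cased and cut to 15 characters, which is what the promotion wizard proposes unless it is overridden), reports NetBIOS names that collide with an existing forest, DNS names that duplicate an existing root, and which existing zone each new name hangs under and therefore must delegate it. The roots are the ones Neil listed (xxx.com is his placeholder); the child names of the new forest are constructed, one per old forest as the proposal describes, plus one extra to show a clean result.

```python
"""Naming check for the five-forest plan in this thread.

Added example, not from the thread. NetBIOS derivation is an assumption
(first label, upper case, 15 characters max). The existing roots are the
ones Neil gave; the proposed child names are constructed.
"""
from typing import Dict, List

EXISTING_ROOTS = ["xxx.com", "ap.xxx.com", "am.xxx.com", "jp.xxx.com"]
PROPOSED = [
    "global.xxx.com",                                                # new root, as proposed
    "ap.global.xxx.com", "am.global.xxx.com", "jp.global.xxx.com",   # constructed children
    "corp.global.xxx.com",                                           # constructed, no clash
]


def default_netbios(fqdn: str) -> str:
    """Default NetBIOS domain name offered for a DNS name (assumption, see above)."""
    return fqdn.split(".")[0].upper()[:15]


def is_under(name: str, zone: str) -> bool:
    """True when name is a proper subdomain of zone."""
    return name.lower().endswith("." + zone.lower())


def check_plan(existing: List[str], proposed: List[str]) -> Dict[str, List[str]]:
    """Report NetBIOS clashes, duplicate DNS names and required delegations."""
    taken = {default_netbios(d): d for d in existing}
    lower_existing = {d.lower() for d in existing}
    findings: Dict[str, List[str]] = {"netbios_clash": [], "duplicate_dns": [], "delegated_from": []}
    for name in proposed:
        nb = default_netbios(name)
        if nb in taken:
            findings["netbios_clash"].append(f"{name} -> {nb} (already used by {taken[nb]})")
        if name.lower() in lower_existing:
            findings["duplicate_dns"].append(name)
        parents = [z for z in existing if is_under(name, z)]
        if parents:
            # the deepest existing zone is the one that has to delegate the new name
            findings["delegated_from"].append(f"{name} <- {max(parents, key=len)}")
    return findings


if __name__ == "__main__":
    for kind, items in check_plan(EXISTING_ROOTS, PROPOSED).items():
        print(kind, items or "none")
```

The root itself (GLOBAL) comes out clean, which matches Deji's "it should work". The children, if they keep their default NetBIOS names, clash with the very forests they are meant to absorb for as long as both exist on the same network, so they need non-default NetBIOS names or the old forests have to be decommissioned first. Every new name also hangs under xxx.com, so the BIND servers hosting that zone must add one more delegation, just as they already do for the three regional forests.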


Re: [ActiveDir] Multiple forests with a common DNS parent zone

2005-10-05 Thread Phil Renouf
It is? This is the first I have heard of being able to merge forests, the only way I am aware of is migrations. Anyone have more information on this if that is the case?
 
Phil 
On 10/5/05, ActiveDirectory <[EMAIL PROTECTED]> wrote:
Also, if your Forests are all Native 2003 domains you might look into their consolidation features.  Since none of your names overlap and the zones are the same you may have better luck.  I don't know the details as I've never done it myself, but it is theoretically possible to merge them together.


RE: [ActiveDir] [OT] OU permissions for user object

2005-10-05 Thread Brian Desmond
You missed the discussion on Saturday. Apparently she spells everything in
the "ou" manner now.  


Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 10:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] OU permissions for user object

I certainly try to. :)

BTW, you are spending too much time around Dean, you spelled favorite wrong.

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Wednesday, September 07, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OU permissions for user object

< snip >
I would rather work 80 hours a week because I choose it than give out
permissions that cause me to work 80 hours a week because I have to hold the
environment together.


As joe-isms go, I think that one just became my favourite, and one to live
by.

 Laura
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] Unable to map drive

2005-10-05 Thread Kamlesh Parmar
I hope you know how to find which group policy is applying it.
Group policy setting:

User configuration > Administrative templates > Windows Explorer > "Remove Map Drive" and "disconnect map drive"


On 10/5/05, Craig Vaughan <[EMAIL PROTECTED]> wrote:

Hi,

 

Please bear with me – this is probably a pretty simple question for those who have a wealth of server mgt experience. I'm using XP in a Windows Server 2000 environment.

I've created a shared folder on a local machine. As an administrator I have the ability to go to the Tools menu and map a network drive to this location – no problem. Normal users, however, do not have this option. If I give them administrator rights on the network, or administrator rights on their local machine it doesn't matter – this is not an option. This must be some kind of Group Policy? Where do I start to look for how this function is controlled?

 

Thanks,

 

CAV

 

Craig A. Vaughan

Director of
Administration

Commerce Realty and Management Co.

32 Market Ave. SW, Suite 400

Grand Rapids, MI 49503

Phone: (616)454-7700 Ext. 246

Facsimile (616)454-1363

 

http://www.commercerealty.com


 

NOTICE:  This message (including any
attachments) is covered by the Electronic Communication Privacy Act, 18 U.S.C.
§ 2510 - 2521, is confidential and may also be protected by legal
privilege.  If you believe that it has been sent to you in error, do not
read it.  If you are not the intended recipient, you are hereby notified
that any retention, dissemination, distribution, or copying of this
communication is strictly prohibited.  Please reply to the sender that you
have received the message in error and then delete it. Under no
circumstances shall this email create a contract or other legally binding
relationship with any other party unless the digital signature of the sender is
affixed hereto.  Thank you.

-- ~~~"Fortune and Love befriend the bold"~~~


RE: [ActiveDir] Cleanup of Active Directory...

2005-10-05 Thread ActiveDirectory
You might also try ADModify from the PSS ftp site. It allows bulk modification and also allows you to narrow down the focus to certain OU, users etc using limited wildcards.
 
Bob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, October 03, 2005 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cleanup of Active Directory...

You can easily dump all this data with either csvde or adfind and the included perl script (the latter is probably better). As for importing it back in, you'll need some sort of simple script which takes the DN from the csv file and sets the values accordingly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Monday, October 03, 2005 4:20 AM
To: Active
Subject: [ActiveDir] Cleanup of Active Directory...

Hi all,
 
If you remember some of my previous posts, I've had issues with excessive 
numbers of Domain Admins and a poorly managed Active Directory network.
 
I have now managed to control the number of Domain Admins to a suitable 
manner for our environment and delegated the appropriate permissions for the 
Service Desk.
 
I now need to data 'cleanse' Active Directory due to the number of fields which contain incorrect data which has been manually entered by previous Service Desk users.
 
The fields which are showing incorrect data are the ones in the General and Organization tabs. Fields such as Description, Office, Title, Department etc are all showing the wrong data and are inconsistent. There are potentially 3500 users which may require account fields to be modified.
 
What I want to do is to clean this up. Is there a way in which I can export this data to an excel spreadsheet and then re-import without duplicating any accounts? Do I need to script this? (if so, does anyone have any scripts?)
 
Alternatively, is it worth employing someone to do it manually? Time consuming and probably not the most favoured option, though any ideas would be appreciated.
 
Oh, it's a Single W2k3 domain, 2003 FFL, 
 
thanks...
 
frank
 
 


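Brian's quoted suggestion (export with csvde or adfind, fix the values in a spreadsheet, then have a simple script take the DN from the CSV and set the values) is the whole procedure, and Frank's concern is the re-import duplicating accounts. The following is an added example, not the script Brian refers to and not part of this thread: a Python script that diffs the edited spreadsheet against the original export and writes LDIF "changetype: modify" records keyed on the original DN, so that "ldifde -i" can only change attributes on objects that already exist and never creates anything. It assumes csvde's column layout (DN first) and the LDAP names of the General/Organization fields Frank lists; the sample rows are constructed.

```python
"""Re-import spreadsheet corrections as LDIF modifies instead of new objects.

Added example; not the script Brian mentions and not part of the thread.
Assumes csvde-style CSV with the DN in the first column. All sample rows
are constructed.
"""
import base64
import csv
import io
from typing import Dict, List, Tuple

# LDAP names of the fields the thread lists (Description, Office, Title, Department).
ATTRIBUTES = ["description", "physicalDeliveryOfficeName", "title", "department"]

# Constructed baseline, as csvde would have exported it.
EXPORT = """DN,description,physicalDeliveryOfficeName,title,department
"CN=Alice Example,OU=Users,DC=example,DC=com",temp acct,Bldg 1,,Sales?
"CN=Bob Example,OU=Users,DC=example,DC=com",,London,Engineer,Engineering
"""

# The same sheet after editing; the third DN was typed in by hand and does not exist.
EDITED = """DN,description,physicalDeliveryOfficeName,title,department
"CN=Alice Example,OU=Users,DC=example,DC=com",Account Manager,Bldg 1,Account Manager,Sales
"CN=Bob Example,OU=Users,DC=example,DC=com",,London,Engineer,Engineering
"CN=Carol New,OU=Users,DC=example,DC=com",Intern,Bldg 2,Intern,Sales
"""


def load_rows(text: str) -> Dict[str, Dict[str, object]]:
    """Index rows by lower-cased DN (DN matching in AD is case-insensitive)."""
    rows: Dict[str, Dict[str, object]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        dn = row["DN"].strip()
        rows[dn.lower()] = {"dn": dn, "attrs": {a: (row.get(a) or "").strip() for a in ATTRIBUTES}}
    return rows


def ldif_value(attr: str, value: str) -> str:
    """One attribute line; base64 where LDIF requires it (non-ASCII, leading space/:/<, CR/LF/NUL)."""
    plain = (value.isascii() and value[:1] not in (" ", ":", "<")
             and not any(c in value for c in "\r\n\0"))
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def ldif_modify(dn: str, changes: Dict[str, str]) -> str:
    """One LDIF change record: replace edited values, delete attributes cleared to blank."""
    lines = [ldif_value("dn", dn), "changetype: modify"]
    for attr, value in changes.items():
        if value == "":
            lines += [f"delete: {attr}", "-"]
        else:
            lines += [f"replace: {attr}", ldif_value(attr, value), "-"]
    return "\n".join(lines) + "\n"


def build_ldif(export_text: str, edited_text: str) -> Tuple[str, List[str]]:
    """Diff edited rows against the export; return (LDIF text, DNs rejected as unknown)."""
    baseline, edited = load_rows(export_text), load_rows(edited_text)
    records: List[str] = []
    rejected: List[str] = []
    for key, row in edited.items():
        if key not in baseline:
            rejected.append(str(row["dn"]))   # never create objects from a cleanup sheet
            continue
        changes = {a: v for a, v in row["attrs"].items() if v != baseline[key]["attrs"][a]}
        if changes:                            # untouched rows produce no record at all
            records.append(ldif_modify(str(row["dn"]), changes))
    return "\n".join(records), rejected


if __name__ == "__main__":
    ldif, rejected = build_ldif(EXPORT, EDITED)
    print(ldif)
    print("rejected (not in export):", rejected)
```

Only Alice's row produces a record (three replaced attributes), Bob's unchanged row produces nothing, and Carol's hand-typed DN is reported rather than imported. Values that are not plain ASCII are written in the "attr:: base64" form so ldifde reads them correctly, and a cell cleared to blank becomes a delete rather than a replace with an empty string.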


RE: [ActiveDir] Cleanup of Active Directory...

2005-10-05 Thread Michael B. Smith
admodify.net is better (and replaces that tool)

http://www.admodify.net




RE: [ActiveDir] Unable to map drive

2005-10-05 Thread Craig Vaughan
I found it – thanks.

 

CAV

 



Craig A. Vaughan

Director
of Administration

Commerce Realty and Management Co.

32 Market Ave. SW, Suite 400

Grand Rapids, MI 49503

Phone: (616)454-7700 Ext. 246

Facsimile (616)454-1363

 

http://www.commercerealty.com

 

NOTICE:  This message (including any
attachments) is covered by the Electronic Communication Privacy Act, 18 U.S.C.
§ 2510 - 2521, is confidential and may also be protected by legal
privilege.  If you believe that it has been sent to you in error, do not
read it.  If you are not the intended recipient, you are hereby notified
that any retention, dissemination, distribution, or copying of this
communication is strictly prohibited.  Please reply to the sender that you
have received the message in error and then delete it. Under no
circumstances shall this email create a contract or other legally binding
relationship with any other party unless the digital signature of the sender is
affixed hereto.  Thank you.

RE: [ActiveDir] OT: Exchange alternate email address

2005-10-05 Thread ActiveDirectory



You could also just manually add a proxy address to her 
existing account.  We do this all the time for several alias accounts such 
as hostmaster, postmaster, and security etc.
 
You can get more flexibility by creating an 
account/mailbox, but why bother if it isn't needed.
 
Bob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, October 03, 2005 3:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange alternate email address

If I understand this correctly, You have Jane Doe ([EMAIL PROTECTED]), and she would like to send mail as suzy que ([EMAIL PROTECTED]).

In order to do this, you actually need to create an additional account and mailbox for Suzy Que. You can disable this account, though.

Once the account is created and the RUS has whacked it (e.g. it has an email address), go in the Exchange Advanced tab in ADUC for suzy que, and then into mailbox rights. You want to do two things:

Add Jane Doe on there and give her rights to Send As

In the SELF entry, tick full mailbox access and associated external account.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 03, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange alternate email address


Hi, all. Quick question for you:

I have a user who wishes to send/receive email as a different address than her own.

We use Exchange 2003 and Outlook 2003. I am just inquiring as to the ‘best practice’ for accomplishing this.

Thanks in advance,
James



Re: [ActiveDir] [OT] OU permissions for user object

2005-10-05 Thread Laura E. Hunter
Actually I've always done that, used to get me in trouble in high
school English class.  (And "grey" is spelled with an "e", dammit!)

The amusing part of Saturday's discussion, I thought, was the
determination that the British Empire began losing some of its
holdings because of all the time everyone was wasting writing out all
of those superfluous u's.  :-)

On 10/5/05, Brian Desmond <[EMAIL PROTECTED]> wrote:
> You missed the discussion on Saturday. Apparently she spells everything in
> the "ou" manner now.
>
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 10:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] [OT] OU permissions for user object
>
> I certainly try to. :)
>
> BTW, you are spending too much time around Dean, you spelled favorite wrong.
>
>  joe
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
> Sent: Wednesday, September 07, 2005 1:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OU permissions for user object
>
> < snip >
> I would rather work 80 hours a week because I choose it than give out
> permissions that cause me to work 80 hours a week because I have to hold the
> environment together.
> 
>
> As joe-isms go, I think that one just became my favourite, and one to live
> by.
>
>  Laura
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>


--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Anti-virus protection in domain enviroment

2005-10-05 Thread Glen Miller
Look into a product called Office Scan, by a company called Trend Micro.  I 
have been using this product happily since 1998.  It saved me from the "I love 
you" bug and a few rather nasty ones since.  

"I want my two dollars!" 


And Joe!  Petitioning Webster's to include Joe-isms as an actual word. 

 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ahmed Al Awah
Sent: Tuesday, October 04, 2005 12:35 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment

Since we're on topic..is anyone using Symantec AntiVirus 10 corp edition for
A/V protection in a domain environment?

-Original Message-
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:[EMAIL PROTECTED] 
Sent: October 4, 2005 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment


My 1 cent.

I should go back to lurking...but... when choosing your a/v solution 
there's something to check on... some of the a/v vendors have 
historically  needed admin rights to update or have had vulnerabilities 
themselves.

Might be something to investigate and consider when choosing an a/v 
...especially on a DC.

In my own historical issues with Trend, the OfficeProtect dat file 
upgrade to XP sp2 wasn't properly 'vetted' and flatlined my workstations 
and last I heard cost Trend $8 mil in lost sales.  They've also had a 
security vulnerability patched somewhat recently.

Epo's had their issues as well

http://xforce.iss.net/xforce/xfdb/21839

ISS X-Force Database: epolicy-msde-obtain-password(12787): ePolicy 
Orchestrator could allow an attacker to obtain MSDE SA password:
http://xforce.iss.net/xforce/xfdb/12787

ISS X-Force Database: epolicy-execute-commands(14166): ePolicy 
Orchestrator command execution: http://xforce.iss.net/xforce/xfdb/14166



Al Garrett wrote:

> My 2 cents...
> EpO has worked outstanding for us.
> Does inventory reports, finds "rogues", demonstrates to pointy-haired
> bosses how many infections are avoided and how dangerous it is "out 
> there."
> Combined with CommTouch Anti-Spam solution.
>
> -Original Message-
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> *Sent:* Tuesday, October 04, 2005 8:36 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Anti-virus protection in domain 
> enviroment
>
> Just to add a little to what Phil says:
>  
> When I last used ePO I found that possibly the most useful feature
> was the reporting aspect. This allows you (amongst others) to
> assess which viruses were found in the environment and therefore
> what action if any needs to be taken to prevent further infection.
>  
> Most organisations don't have any idea how many infections they
> suffer from or how regularly the infections occur. A tool such as
> ePO can help in this area quite significantly. [it's also a handy
> management tool which helps justify the ongoing AV costs :) ]
>  
> neil
>
>
>   *Neil Ruston*
>   Global Technology Infrastructure
>   Nomura International plc
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Phil Renouf
> *Sent:* 04 October 2005 16:10
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Anti-virus protection in domain 
> enviroment
>
> Take a look at this article, it should give you the information
> you need to configure Antivirus on your DC's:
>  
> http://support.microsoft.com/default.aspx/kb/822158
>  
> I don't have any experience running NOD32 on anything :)
>  
> As for clients, most environments I have been in use a product
> similar to McAfee's EPO to centrally manage all the AV agents on
> the desktop to make sure they are configured to the corporate
> standard and that they have up to date scan engines and DAT files.
>  
> Phil
>
>  
> On 10/4/05, *Boris Demirov* <[EMAIL PROTECTED]> wrote:
>
> Hello everybody,
> I got some questions about the anti-virus protection of a
> domain controller
> and the domain environment:
>
> In my opinion the best AV program for the moment is NOD32 - I
> am using it
> successfully on many workstations, but I am not quite sure how
> it will act on
> a DC. What kind of protection do you use on your DCs and have
> somebody got a
> closer look on the NOD32 installed on a DC?
> And something else to ask: what kind of AV protect your
> workstations in
> domain, do you use a single copy of a normal AV or some
> enterprise edition?
>
> All advises on the topic of antivirus protection in domain
>  

RE: [ActiveDir] Anti-virus protection in domain enviroment

2005-10-05 Thread Dana Kukkonen
We’re testing SAV10 in our domain
environment at the moment.  SAV9 caused problems with the Appletalk protocol
(Macs couldn’t find shared volumes on 2K servers), and caused erroneous
results when scanning the network (every IP device showed up as having misconfigured
FTP, SMTP, and HTTP services running on them).  So far, SAV10 appears to
have fixed those problems.  The management seems quite simple, also.

Dana

RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Ed Crowley [MVP]
You can.  It's called Microsoft Virtual Server.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 6:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same
server. SMBs with limited resources balk at having to buy additional server
hardware for redundancy on multiple domains, especially when the AD load on
the DCs is minimal. This feature sounds like an offshoot of your list below.
If you can run AD as a service, it might not be that hard to allow multiple
domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years ago. I
hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> Vista is the client OS. I don't believe they have named Longhorn 
> Server yet. I am voting for something like Windows Server 5.4.0 or 
> something like that. I realize that the marketing group would have 
> something to say about it but I figure the best thing from them is if 
> they pronounced their thoughts from the bottom of Lake Washington. 
> People don't install servers because they have cool names.
>  
> The biggest non-NDA pieces that I have heard announced in conferences 
> or seen on the web already is the Read Only DC to limit security 
> exposure for WAN deployments, restartable AD that can be 
> stopped/started as necessary, DA/Admin separation so that you can have 
> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and 
> DCs running on Server Foundation or now it's called Server Core which 
> is a GUI-challenged Windows Server.
>  
> I can also say that there are a myriad of GUI updates for the Admin 
> tools though I can't state specifics. BJ Whalen who was involved with 
> the GPMC project has been brought in to work on admin experience and 
> anyone who has worked with GPOs with and without GPMC know that he 
> really helped out.
>  
> All in all, there is some very cool stuff and MS has really been 
> listening to the community on what they want and need. I know that 
> this list is watched for ideas and such and has been the source of 
> DCRs internally. So if you have ideas, spout them here, they will most 
> certainly be heard. They may not make Longhorn as it is getting a bit 
> late to add major changes but your ideas could make it into a later 
> rev.
>  
>  
>joe
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Active Directory wish list
> 
> 
> Hi,
>  
> With Windows Vista on its way what's on people's wish list as far as 
> Active Directory is concerned? Also are there any big enhancements 
> due?
>  
> Thanks
> Steven
> 


RE: [ActiveDir] Anti-virus protection in domain enviroment

2005-10-05 Thread Tim Vander Kooi
I've only been on the list a short time, but I must have missed the
mandatory Trend Micro brainwashing. :-)
So far from what I have noticed there seems to be a set answer to all AV
questions.
Question: I'm curious about the capabilities of NOD32.
Answers (en masse): You should use Trend Micro.
Question: Is anyone using Symantec?
Answer (again en masse): You should buy Trend Micro.

Not that there is anything wrong with Trend Micro's product, it's great
in my opinion, but these responses don't seem to be very helpful with
regard to the questions being asked.

My apologies to the list "gods" if TM is the list sponsor. :-)
Tim


Re: [ActiveDir] Anti-virus protection in domain enviroment

2005-10-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
I came <> to ripping out Trend in my office due to the BSOD, 
false positives and the infamous Friday incident.  They are on probation 
right now.


The ones bantered around in our A/V wars discussions:

Symantec [not yellow box but corp]
Sophos
CA

I have a fellow SBSer in AU who LOVES Nod32.

Pick one... they are in reality ALL reactionary. 

Real geeks don't use A/V anyway.  [you should have seen the thread on 
whether to stick a/v on a web server on the focus on ms listserve... if 
you set up a server for a select job, lock it down only serve up 
static pages.. why 'does' it need to be covered by A/V was the topic]





RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Rich Milburn
I think the biggest reason people want to be able to run multiple
domains on one server is the same reason practically no one (except for
SBS) installs just one DC, and the same reason we always install a
minimum of 2 for a domain.  We have a forest root and 2 child domains
model, and it takes us 6 servers to run that - for basically 2
directories and fewer than 5000 users.  That seems like a waste of
hardware in some situations - especially if you have multiple orgs that
you run.  The parallel might be for a web hosting company to have 2 full
web servers for each domain they host - in case 1 goes down, they still
have a second.  VS is an answer, yes, although you still need a full
server license for each VM.  The thing with domains is you don't want to
only have 1 online copy of the directory.  MS didn't seem too convinced
there was a good reason to have an online second server - they cited
backups as a good solution to the issue.  In a big org the cost of an
additional server to provide redundancy is negligible, but is having an
online copy (second DC) really the BEST way to do this?  And it doesn't
help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
I realize it may be the best way we have with W2K3, but how could the
issue of redundancy be addressed with AD differently than having 2 DCs
minimum per domain?  Anyone have any ideas?

Rich


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this
is a tough one. It wouldn't just be a nobrainer if they had separate
instances of AD, there are just tons of other things involved that make
it extremely difficult. It was something that was brought up in the
summit though, not sure how much I can say around it other than no, it
won't be there.

MS feels the focus of this is dramatically reduced now as well due to
the fact that VS is available and can run DCs. Also the Server Core DCs
helps here as well as the DCs will have a smaller footprint. If folks
are NOT in agreement with that assessment, definitely speak up, it is
too late for Longhorn but possibly the opportunity exists to convince
them for BlackComb.

  joe

 


RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Brian Desmond
SBS can have multiple DCs. The FSMOs just have to stay on the SBS box. They
can't have more than one domain in their forest because the trust
functionality is shut down.


Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 


[ActiveDir] Anyone ever run into this problem?

2005-10-05 Thread Gil Kirkpatrick
I haven't seen this myself, and I was curious if anyone else had….

http://support.microsoft.com/default.aspx?scid=kb;en-us;898613

-gil

Gil Kirkpatrick
CTO, NetPro

Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.





Re: [ActiveDir] Active Directory wish list

2005-10-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
As a representative of the SBS community there is not a day that goes by 
that the 'can we cluster SBS' or 'can I have a hot server' doesn't come 
up.  [if you have SA you can have a cold server]


With 9/11, with Katrina, with the potential for earthquakes in 
California ... honestly... the answer for any small business should not 
be 'well hope your backup is good... you have tested it right?'  
Conversely I would argue the home user needs to be better protected than 
they are now.  [but that's way OT]  I think the fault tolerance for 
small firms is being a bit pushed to the asp/hosted services model in 
the marketplace even though us control freaks aren't always fond of that.


Actually we 'can' have additional domain controllers..just that the SBS 
has to hold the FSMO roles and be the PDC.  By the time you reconfigure 
that additional DC to take over the FSMO roles...maybe your time is 
better spent fixing the PDC, ya know?


Is there a good story for small firms to have redundancy, fault 
tolerance without a fat checkbook? 

Nope, I would argue...not really. Right now imaging is the only way.  
And in that instance.. you probably want to stay with a single DC and 
not suffer the wrath of Brett and ghosting your DCs.


A recent whitepaper on the subject of the 'myths' of SBS:
http://msmvps.com/bradley/archive/2005/10/04/68986.aspx
http://msmvps.com/bradley/archive/2005/10/05/69035.aspx

I still would argue that virtualization needs to be done WAY more than 
we are doing now...but that's just my wacko thoughts.



Rich Milburn wrote:


I think the biggest reason people want to be able to run multiple
domains on one server is the same reason practically no one (except for
SBS) installs just one DC, and the same reason we always install a
minimum of 2 for a domain.  We have a forest root and 2 child domains
model, and it takes us 6 servers to run that - for basically 2
directories and fewer than 5000 users.  That seems like a waste of
hardware in some situations - especially if you have multiple orgs that
you run.  The parallel might be for a web hosting company to have 2 full
web servers for each domain they host - in case 1 goes down, they still
have a second.  VS is an answer, yes, although you still need a full
server license for each VM.  The thing with domains is you don't want to
only have 1 online copy of the directory.  MS didn't seem too convinced
there was a good reason to have an online second server - they cited
backups as a good solution to the issue.  In a big org the cost of an
additional server to provide redundancy is negligible, but is having an
online copy (second DC) really the BEST way to do this?  And it doesn't
help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
I realize it may be the best way we have with W2K3, but how could the
issue of redundancy be addressed with AD differently than having 2 DCs
minimum per domain?  Anyone have any ideas?

Rich


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a
tough one. It wouldn't just be a nobrainer if they had separate instances of
AD, there are just tons of other things involved that make it extremely
difficult. It was something that was brought up in the summit though, not
sure how much I can say around it other than no, it won't be there.

MS feels the focus of this is dramatically reduced now as well due to the
fact that VS is available and can run DCs. Also the Server Core DCs helps
here as well as the DCs will have a smaller footprint. If folks are NOT in
agreement with that assessment, definitely speak up, it is too late for
Longhorn but possibly the opportunity exists to convince them for
BlackComb.

 joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same
server. SMBs with limited resources balk at having to buy additional server
hardware for redundancy on multiple domains, especially when the AD load on
the DCs is minimal. This feature sounds like an offshoot of your list below.
If you can run AD as a service, it might not be that hard to allow multiple
domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years ago. I
hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 4:25 PM
To: Act

Re: [ActiveDir] AD Restore Problem

2005-10-05 Thread Laura E. Hunter
In multiple years of doing DR drills at an off-site location, I've
never had a "restore AD to alternate hardware" process go anywhere
near as smoothly as I'd like.  (For anyone who remembers joe's "AD
Gripes" thread, that was one of my big ones.)  I've almost always
needed to resort to a repair install or an in-place upgrade.

A few things that I've had to do to make things work in various situations:

* Rip out TCP/IP & Winsock and re-install them.  (4 pages of reg hacks
in 2000, like 3 netsh commands in 2K3.)

* Remove all video drivers and NICs before the final reboot to allow
Plug&Pl(r)ay to pick them back up again correctly.

* Save the boot.ini, ntldr, ntoskrnl.exe and a few other files from
the new hardware -before- restoring, then copy them back on -after-
the restore.  ( I just want to restore the DIT and
the log files, for cripes' sake, why can't I just DO that?!?!?!? )

Once you get it back up, make sure that you metadata cleanup, clean up
lingering replication objects and then seize all 5 FSMOs.  And at the
end of the day, once I have the "restored" box to the point that it's
(mostly) working, I'll manually dcpromo a second box up so that it can
come up "naturally" without any lingering dead bodies hiding in the
depths of the restored OS.

- Laura
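The post-restore steps above (metadata cleanup for the DCs that are gone, seizing all five FSMO roles, then checking that the restored box is healthy) as an added batch script; this is not code from the original post. Server names, the site name and the domain DN are placeholders, and the one-line metadata-cleanup form assumes the Windows Server 2003 SP1 (or later) ntdsutil plus the Support Tools (dcdiag, repadmin, netdom).

```batch
@echo off
REM Added example, not from the original post: tidy-up and checks after an AD
REM restore onto alternate hardware, run on the restored DC as a domain admin.
REM Placeholders: RESTORED-DC, DEAD-DC, Default-First-Site-Name, DC=example,DC=com.
setlocal

set RESTORED=RESTORED-DC
set DEADSERVER=CN=DEAD-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

REM 1. Is the directory service up and is this DC advertising itself?
REM    Review the output before going further; a DC that is not advertising
REM    will not accept the seized roles cleanly.
dcdiag /s:%RESTORED% /test:services /test:advertising

REM 2. Metadata cleanup: remove the server object of a DC that no longer
REM    exists so replication stops expecting it. Repeat per dead DC.
REM    (Pre-SP1 ntdsutil needs the interactive "select operation target" flow.)
REM    ntdsutil pops a confirmation box for this; answer it.
ntdsutil "metadata cleanup" "remove selected server %DEADSERVER%" quit quit

REM 3. Seize all five FSMO roles onto the restored DC. Only do this when the
REM    previous holders are gone for good; seizing while they could come back
REM    splits the roles. Each seize asks for confirmation.
ntdsutil roles connections "connect to server %RESTORED%" quit ^
  "seize schema master" "seize naming master" "seize infrastructure master" ^
  "seize PDC" "seize RID master" quit quit

REM 4. Verify: who holds the roles now, does this DC know about them, and
REM    what does its replication picture look like (lingering partners show
REM    up here as failed links).
netdom query fsmo
dcdiag /s:%RESTORED% /test:knowsofroleholders /test:fsmocheck
repadmin /showrepl %RESTORED%

endlocal
```

Once these checks pass, promoting a fresh second DC with dcpromo, as the post suggests, gives you a copy that never carried the restored box's leftovers.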

On 10/5/05, Carerros, Charles <[EMAIL PROTECTED]> wrote:
> My DR plan in reality is:
>
> If I lose a building that hosts my DCs, I build new DCs and sync off DCs
> at remote locations (I'm lucky to have DCs placed throughout the US and
> Canada so I should always have a working DC somewhere to grab the AD
> databases and then I seize some FSMO roles) and then do a metadata cleanup
> on the boxes that are sitting under tons of rubble or in the middle of a
> river, etc.
>
> If someone deletes the AD, then I do an authoritative restore using the
> same hardware that the DC is stored on.
>
> The problem I'm facing right now is that we are going to do a DR test at
> Sunguard and they don't use the same hardware and even though I told
> everyone we don't do a full restore on a DC unless we have the hardware that
> the DC was installed upon they still want me to restore a DC from tape. Oh,
> and we won't have connectivity to any of our offices.
>
> I told them it might not be possible but I would do what I can to get it to
> work.  (I have a backup plan which is a VMWare copy of one of my production
> DCs but it is only in the test phase).
>
> In reality I should never have had a need for this, but for my test DR site I
> think I will.  And I was just wondering if anyone could give me some extra
> pointers that might help me along.
>
> Charlie
>
> 
> From: van Donk, Fred [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 05, 2005 12:34 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD Restore Problem
>
>
> Charlie,
>
> A few years ago I worked with PSS on this on Windows 2000. The end result
> was it will not work due to the fact it is different hardware.
> Biggest problems were SCSI controllers and Video Drivers we worked on it for
> a solid week straight.
>
> The real question is why do you want to move? Why would you not create a DC
> on the new box and demote the old box? Just make sure you have a DC
> somewhere in your network the hurricane will not take it out. :-)
>
> Fred
>
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Carerros, Charles
> Sent: Wednesday, October 05, 2005 9:05 AM
> To: 'ActiveDir@mail.activedir.org'
> Subject: [ActiveDir] AD Restore Problem
>
>
> I'm having a problem restoring my AD to different hardware.  I know there
> are some issues but I hear that people have been able to follow some MS docs
> and get it done but I can't seem to pull it off.
>
> I'm working with an HP server to Dell hardware and in the next week I will be
> going from HP to Compaq at our DR test site and I kinda need to get this
> working.
>
> I have included my documentation on how to do this DR restore below and they
> are the steps that I went through and when I got to the end I still get the
> blue screen and reboot.  Can someone tell me where I'm going wrong?
>
> We are running W2K3 fully patched with the exception of SP1.  DCs are all
> GCs, DNS and WINS servers.
>
> Thanks,
>
> Charlie
>
>
>
> Active Directory Disaster Recovery
>
> Company Name
>
> April 18, 2005, Revision 4
>
>
>
>
>
> The ability to recover from a catastrophic disaster is one of the goals of
> the Network Team.  With Active Directory quickly becoming the core
> technology for items such as e-mail, Citrix and local workstation security,
> it is imperative that in the case of a disaster a quick recovery can be had.
>  This process will outline the non-authoritative active directory restore
> process. [The authoritative process is used to restore a portion of the
> Active Directory while leaving parts intact.]
>
>
>
> Resources:
>
> To conduct a successful restore you must have the

RE: [ActiveDir] Anti-virus protection in domain enviroment

2005-10-05 Thread deji
>>> if you set up a server for a select job, lock it down only serve up
static pages.. why 'does' it need to be covered by A/V was the topic
>>>

Maybe because if your server can "serve" anything, it can be "served" in
return. Where I come from, we call it the "scratch my back, I scratch your
back" factor :)

With the prevalence of network-burrowing, SMB-crawling worms and trojans, the
fact that you are serving static files is no protection at all.

 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Wed 10/5/2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment



I came <> to ripping out Trend in my office due to the BSOD,
false positives and the infamous Friday incident.  They are on probation
right now.

The ones bantered around in our A/V wars discussions:

Symantec [not yellow box but corp]
Sophos
CA

I have a fellow SBSer in AU who LOVES Nod32.

Pick one... they are in reality ALL reactionary.

Real geeks don't use A/V anyway.  [you should have seen the thread on
whether to stick a/v on a web server on the focus on ms listserve... if
you set up a server for a select job, lock it down only serve up
static pages.. why 'does' it need to be covered by A/V was the topic]



Tim Vander Kooi wrote:

>I've only been on the list a short time, but I must have missed the
>mandatory Trend Micro brainwashing. :-)
>So far from what I have noticed there seems to be a set answer to all AV
>questions.
>Question: I'm curious about the capabilities of NOD32.
>Answers (en masse): You should use Trend Micro.
>Question: Is anyone using Symantec?
>Answer (again en masse): You should buy Trend Micro.
>
>Not that there is anything wrong with Trend Micro's product, it's great
>in my opinion, but these responses don't seem to be very helpful with
>regard to the questions being asked.
>
>My apologies to the list "gods" if TM is the list sponsor. :-)
>Tim
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Glen Miller
>Sent: Wednesday, October 05, 2005 11:55 AM
>To: 'ActiveDir@mail.activedir.org'
>Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment
>
>Look into a product called Office Scan, by a company called Trend Micro.
>I have been using this product happily since 1998.  It saved me from the
>"I love you" bug and a few rather nasty ones since. 
>
>"I want my two dollars!"
>
>
>And Joe!  Petitioning Webster's to include Joe-isms as an actual word.
>
>
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ahmed Al Awah
>Sent: Tuesday, October 04, 2005 12:35 PM
>To: 'ActiveDir@mail.activedir.org'
>Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment
>
>Since we're on topic..is anyone using Symantec AntiVirus 10 corp edition
>for A/V protection in a domain environment?
>
>-Original Message-
>From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>[mailto:[EMAIL PROTECTED]
>Sent: October 4, 2005 11:07 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment
>
>
>My 1 cent.
>
>I should go back to lurking...but... when choosing your a/v solution
>there's something to check on... some of the a/v vendors have
>historically  needed admin rights to update or have had vulnerabilities
>themselves.
>
>Might be something to investigate and consider when choosing an a/v
>...especially on a DC.
>
>In my own historical issues with Trend, the OfficeProtect dat file
>upgrade to XP sp2 wasn't properly 'vetted' and flatlined my workstations
>
>and last I heard cost Trend $8 mil in lost sales.  They've also had a
>security vulnerability patched somewhat recently.
>
>Epo's had their issues as well
>
>http://xforce.iss.net/xforce/xfdb/21839
>
>ISS X-Force Database: epolicy-msde-obtain-password(12787): ePolicy
>Orchestrator could allow an attacker to obtain MSDE SA password:
>http://xforce.iss.net/xforce/xfdb/12787
>
>ISS X-Force Database: epolicy-execute-commands(14166): ePolicy
>Orchestrator command execution: http://xforce.iss.net/xforce/xfdb/14166
>
>
>
>Al Garrett wrote:
>
> 
>
>>My 2 cents...
>>EpO has worked outstanding for us.
>>Does inventory reports, finds "rogues", demonstrates to pointy-haired
>>bosses how many infections are avoided and how dangerous it is "out
>>there."
>>Combined with CommTouch Anti-Spam solution.
>>
>>-Original Message-
>>*From:* [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED]
>>*Sent:* Tuesday, October 04, 2005 8:36 AM
>>*To:* ActiveDir@mail.activedir.org
>>*Subject:* RE: [ActiveDir] Anti-virus protection in domain
>>enviroment
>>
>>Just to add a 

RE: [ActiveDir] Anyone ever run into this problem?

2005-10-05 Thread deji
I usually don't run into problems - they come running into me :)
 
Seriously, I haven't observed this. That may be because I haven't really
looked, or simply because I haven't seen any DNS-related issue attributable
to it. And, what exactly does this break anyway?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 10/5/2005 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Anyone ever run into this problem?



I haven't seen this myself, and I was curious if anyone else had 

http://support.microsoft.com/default.aspx?scid=kb;en-us;898613
  

-gil 

Gil Kirkpatrick 
CTO, NetPro 

Don't miss the Directory Experts Conference 2006. More information at
www.dec2006.com.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Rich Milburn
I kinda like the idea of running a DC in a VS machine, and having an
online realtime copy of it somewhere in addition to incremental
backups... and you should be able to bring up the vhd on any box, not
just one with similar hardware, and without having to go through Laura's
7 step DR plan :) (reference thread [ActiveDir] AD Restore Problem)

But can you have a VSS-type remote copy of your DC session vhd file?  

(Forgive me if I bring up topics that were adequately addressed during
my hiatus in Windows Desktop Deployment World...)


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, October 05, 2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

As a representative of the SBS community there is not a day that goes by
that the 'can we cluster SBS' or 'can I have a hot server' doesn't come
up.  [if you have SA you can have a cold server]

With 9/11, with Katrina, with the potential for earthquakes in
California ... honestly... the answer for any small business should not
be 'well hope your backup is good... you have tested it right?'
Conversely I would argue the home user needs to be better protected than
they are now.  [but that's way OT]  I think the fault tolerance for
small firms is being a bit pushed to the asp/hosted services model in
the marketplace even though us control freaks aren't always fond of
that.

Actually we 'can' have additional domain controllers..just that the SBS 
has to hold the FSMO roles and be the PDC.  By the time you reconfigure 
that additional DC to take over the FSMO roles...maybe your time is 
better spent fixing the PDC, ya know?

Is there a good story for small firms to have redundancy, fault 
tolerance without a fat checkbook? 

Nope, I would argue... not really. Right now imaging is the only way.

And in that instance.. you probably want to stay with a single DC and 
not suffer the wrath of Brett and ghosting your DCs.

A recent whitepaper on the subject of the 'myths' of SBS:
http://msmvps.com/bradley/archive/2005/10/04/68986.aspx
http://msmvps.com/bradley/archive/2005/10/05/69035.aspx

I still would argue that virtualization needs to be done WAY more than 
we are doing now...but that's just my wacko thoughts.


Rich Milburn wrote:

>I think the biggest reason people want to be able to run multiple
>domains on one server is the same reason practically no one (except for
>SBS) installs just one DC, and the same reason we always install a
>minimum of 2 for a domain.  We have a forest root and 2 child domains
>model, and it takes us 6 servers to run that - for basically 2
>directories and fewer than 5000 users.  That seems like a waste of
>hardware in some situations - especially if you have multiple orgs that
>you run.  The parallel might be for a web hosting company to have 2 full
>web servers for each domain they host - in case 1 goes down, they still
>have a second.  VS is an answer, yes, although you still need a full
>server license for each VM.  The thing with domains is you don't want to
>only have 1 online copy of the directory.  MS didn't seem too convinced
>there was a good reason to have an online second server - they cited
>backups as a good solution to the issue.  In a big org the cost of an
>additional server to provide redundancy is negligible, but is having an
>online copy (second DC) really the BEST way to do this?  And it doesn't
>help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
>I realize it may be the best way we have with W2K3, but how could the
>issue of redundancy be addressed with AD differently than having 2 DCs
>minimum per domain?  Anyone have any ideas?
>
>Rich
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of joe
>Sent: Tuesday, October 04, 2005 9:20 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a
>tough one. It wouldn't just be a nobrainer if they had separate instances of
>AD, there are just tons of other things involved that make it extremely
>difficult. It was something that was brought up in the summit though, not
>sure how much I can say around it other than no, it won't be there.
>
>MS feels the focus of this is dramatically reduced now as well due to the
>fact that VS is available and can run DCs. Also the Server Core DCs helps
>here as well as the DCs 

Re: [ActiveDir] Anti-virus protection in domain enviroment

2005-10-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Read the thread and see this blog post that Harlan did on the topic.  I 
don't think it's as cut and dried as this.  The idea is that the 
webserver in this instance would have no connection to your domain.


http://windowsir.blogspot.com/2005/07/av-software-on-web-servers-revisited.html

We want to do it because it's cheap and it's there.  But in reality it 
is a bandaid and is reactive.

[EMAIL PROTECTED] wrote:

>>> if you set up a server for a select job, lock it down only serve up
static pages.. why 'does' it need to be covered by A/V was the topic
>>>



Maybe because if your server can "serve" anything, it can be "served" in
return. Where I come from, we call it the "scratch my back, I scratch your
back" factor :)

With the prevalence of network-burrowing, SMB-crawling worms and trojans, the
fact that you are serving static files is no protection at all.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Wed 10/5/2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment



I came <> to ripping out Trend in my office due to the BSOD,
false positives and the infamous Friday incident.  They are on probation
right now.

The ones bantered around in our A/V wars discussions:

Symantec [not yellow box but corp]
Sophos
CA

I have a fellow SBSer in AU who LOVES Nod32.

Pick one... they are in reality ALL reactionary.

Real geeks don't use A/V anyway.  [you should have seen the thread on
whether to stick a/v on a web server on the focus on ms listserve... if
you set up a server for a select job, lock it down only serve up
static pages.. why 'does' it need to be covered by A/V was the topic]



Tim Vander Kooi wrote:

I've only been on the list a short time, but I must have missed the
mandatory Trend Micro brainwashing. :-)
So far from what I have noticed there seems to be a set answer to all AV
questions.
Question: I'm curious about the capabilities of NOD32.
Answers (en masse): You should use Trend Micro.
Question: Is anyone using Symantec?
Answer (again en masse): You should buy Trend Micro.

Not that there is anything wrong with Trend Micro's product, it's great
in my opinion, but these responses don't seem to be very helpful with
regard to the questions being asked.

My apologies to the list "gods" if TM is the list sponsor. :-)
Tim

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glen Miller
Sent: Wednesday, October 05, 2005 11:55 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment

Look into a product called Office Scan, by a company called Trend Micro.
I have been using this product happily since 1998.  It saved me from the
"I love you" bug and a few rather nasty ones since. 


"I want my two dollars!"


And Joe!  Petitioning Webster's to include Joe-isms as an actual word.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ahmed Al Awah
Sent: Tuesday, October 04, 2005 12:35 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment

Since we're on topic..is anyone using Symantec AntiVirus 10 corp edition
for A/V protection in a domain environment?

-Original Message-
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:[EMAIL PROTECTED]
Sent: October 4, 2005 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment


My 1 cent.

I should go back to lurking...but... when choosing your a/v solution
there's something to check on... some of the a/v vendors have
historically  needed admin rights to update or have had vulnerabilities
themselves.

Might be something to investigate and consider when choosing an a/v
...especially on a DC.

In my own historical issues with Trend, the OfficeProtect dat file
upgrade to XP sp2 wasn't properly 'vetted' and flatlined my workstations

and last I heard cost Trend $8 mil in lost sales.  They've also had a
security vulnerability patched somewhat recently.

Epo's had their issues as well

http://xforce.iss.net/xforce/xfdb/21839

ISS X-Force Database: epolicy-msde-obtain-password(12787): ePolicy
Orchestrator could allow an attacker to obtain MSDE SA password:
http://xforce.iss.net/xforce/xfdb/12787

ISS X-Force Database: epolicy-execute-commands(14166): ePolicy
Orchestrator command execution: http://xforce.iss.net/xforce/xfdb/14166



Al Garrett wrote:

My 2 cents...
EpO has worked outstanding for us.
Does inventory reports, finds "rogues", demonstrates to pointy-haired
bosses how many infections are avoided and how dangerous it is "out
there."
Combin

Re: [ActiveDir] Active Directory wish list

2005-10-05 Thread Phil Renouf
My question would be: for a small directory of 5000 users, why do you have 3 domains? If it is for separate password policies, then perhaps a better wish list item would be the ability to have multiple password policies in one domain. 

 
Phil 
On 10/5/05, Rich Milburn <[EMAIL PROTECTED]> wrote:
I think the biggest reason people want to be able to run multiple
domains on one server is the same reason practically no one (except for
SBS) installs just one DC, and the same reason we always install a
minimum of 2 for a domain.  We have a forest root and 2 child domains
model, and it takes us 6 servers to run that - for basically 2
directories and fewer than 5000 users.  That seems like a waste of
hardware in some situations - especially if you have multiple orgs that
you run.  The parallel might be for a web hosting company to have 2 full
web servers for each domain they host - in case 1 goes down, they still
have a second.  VS is an answer, yes, although you still need a full
server license for each VM.  The thing with domains is you don't want to
only have 1 online copy of the directory.  MS didn't seem too convinced
there was a good reason to have an online second server - they cited
backups as a good solution to the issue.  In a big org the cost of an
additional server to provide redundancy is negligible, but is having an
online copy (second DC) really the BEST way to do this?  And it doesn't
help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
I realize it may be the best way we have with W2K3, but how could the
issue of redundancy be addressed with AD differently than having 2 DCs
minimum per domain?  Anyone have any ideas?

Rich

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a
tough one. It wouldn't just be a nobrainer if they had separate instances of
AD, there are just tons of other things involved that make it extremely
difficult. It was something that was brought up in the summit though, not
sure how much I can say around it other than no, it won't be there.

MS feels the focus of this is dramatically reduced now as well due to the
fact that VS is available and can run DCs. Also the Server Core DCs helps
here as well as the DCs will have a smaller footprint. If folks are NOT in
agreement with that assessment, definitely speak up, it is too late for
Longhorn but possibly the opportunity exists to convince them for
BlackComb.

joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same
server. SMBs with limited resources balk at having to buy additional server
hardware for redundancy on multiple domains, especially when the AD load on
the DCs is minimal. This feature sounds like an offshoot of your list below.
If you can run AD as a service, it might not be that hard to allow multiple
domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years ago. I
hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn
> Server yet. I am voting for something like Windows Server 5.4.0 or
> something like that. I realize that the marketing group would have
> something to say about it but I figure the best thing from them is if
> they pronounced their thoughts from the bottom of Lake Washington.
> People don't install servers because they have cool names.
>
> The biggest non-NDA pieces that I have heard announced in conferences
> or seen on the web already is the Read Only DC to limit security
> exposure for WAN deployments, restartable AD that can be
> stopped/started as necessary, DA/Admin separation so that you can have
> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and
> DCs running on Server Foundation or now it's called Server Core which
> is a GUI-challenged Windows Server.
>
> I can also say that there are a myriad of GUI updates for the Admin
> tools though I can't state specifics. BJ Whalen who was involved with
> the GPMC project has been brought in to work on admin experience and
> anyone who has worked with GPOs with and without GPMC know that he
> really helped out.
>
> All in all, there is some very cool stuff and MS has really been
> listening to the community on what th

Re: [ActiveDir] Active Directory wish list

2005-10-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Have you guys checked out the PtoV tool on VMware?

Rich Milburn wrote:


I kinda like the idea of running a DC in a VS machine, and having an
online realtime copy of it somewhere in addition to incremental
backups... and you should be able to bring up the vhd on any box, not
just one with similar hardware, and without having to go through Laura's
7 step DR plan :) (reference thread [ActiveDir] AD Restore Problem)

But can you have a VSS-type remote copy of your DC session vhd file?  


(Forgive me if I bring up topics that were adequately addressed during
my hiatus in Windows Desktop Deployment World...)


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, October 05, 2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

As a representative of the SBS community there is not a day that goes by
that the 'can we cluster SBS' or 'can I have a hot server' doesn't come
up.  [if you have SA you can have a cold server]

With 9/11, with Katrina, with the potential for earthquakes in
California ... honestly... the answer for any small business should not
be 'well hope your backup is good... you have tested it right?'
Conversely I would argue the home user needs to be better protected than
they are now.  [but that's way OT]  I think the fault tolerance for
small firms is being a bit pushed to the asp/hosted services model in
the marketplace even though us control freaks aren't always fond of
that.

Actually we 'can' have additional domain controllers..just that the SBS 
has to hold the FSMO roles and be the PDC.  By the time you reconfigure 
that additional DC to take over the FSMO roles...maybe your time is 
better spent fixing the PDC, ya know?


Is there a good story for small firms to have redundancy, fault 
tolerance without a fat checkbook? 


Nope, I would argue... not really. Right now imaging is the only way.

And in that instance.. you probably want to stay with a single DC and 
not suffer the wrath of Brett and ghosting your DCs.


A recent whitepaper on the subject of the 'myths' of SBS:
http://msmvps.com/bradley/archive/2005/10/04/68986.aspx
http://msmvps.com/bradley/archive/2005/10/05/69035.aspx

I still would argue that virtualization needs to be done WAY more than 
we are doing now...but that's just my wacko thoughts.



Rich Milburn wrote:

I think the biggest reason people want to be able to run multiple
domains on one server is the same reason practically no one (except for
SBS) installs just one DC, and the same reason we always install a
minimum of 2 for a domain.  We have a forest root and 2 child domains
model, and it takes us 6 servers to run that - for basically 2
directories and fewer than 5000 users.  That seems like a waste of
hardware in some situations - especially if you have multiple orgs that
you run.  The parallel might be for a web hosting company to have 2 full
web servers for each domain they host - in case 1 goes down, they still
have a second.  VS is an answer, yes, although you still need a full
server license for each VM.  The thing with domains is you don't want to
only have 1 online copy of the directory.  MS didn't seem too convinced
there was a good reason to have an online second server - they cited
backups as a good solution to the issue.  In a big org the cost of an
additional server to provide redundancy is negligible, but is having an
online copy (second DC) really the BEST way to do this?  And it doesn't
help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
I realize it may be the best way we have with W2K3, but how could the
issue of redundancy be addressed with AD differently than having 2 DCs
minimum per domain?  Anyone have any ideas?

Rich


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a
tough one. It wouldn't just be a nobrainer if they had separate instances of
AD, there are just tons of other things involved that make it extremely
difficult. It was something that was brought up in the summit though, not
sure how much I can say around it other than no, it won't be there.

MS feels the focus of this is dramatically reduced now as well due to the
fact that VS is available 

RE: [ActiveDir] Anti-virus protection in domain enviroment

2005-10-05 Thread Ken Schaefer
But see the response. What if I can exploit something on your webserver to
upload a virus to your server, and use your server to distribute it to
others? Download.Ject etc? So, it's not doing anything bad to your server,
but your server is being used to deliver the badness to others. That's where
AV on your server is going to clean these things up.

And, someone, somehow, needs to get the content onto your webserver in the
first place, unless you let developers sit at the console typing in webpages
by hand using notepad. So that's another infection vector.

Nothing is simple. AV is one more line of defense. Whether it's worth
implementing depends on your situation.

For the record (in reference to an earlier post) I like Symantec's corporate
offering, and Trend's stuff as well.

Cheers
Ken

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS
> Rocks [MVP]
> Sent: Thursday, 6 October 2005 5:19 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment
> 
> Read the thread and see this blog post that Harlan did on the topic.  I
> don't think it's as cut and dried as this.  The idea is that the
> webserver in this instance would have no connection to your domain.
> 
> http://windowsir.blogspot.com/2005/07/av-software-on-web-servers-
> revisited.html
> 
> We want to do it because it's cheap and it's there.  But in reality it
> is a bandaid and is reactive.
> [EMAIL PROTECTED] wrote:
> 
> >if you set up a server for a select job, lock it down only serve up
> >static pages.. why 'does' it need to be covered by A/V was the topic
> >
> >Maybe because if your server can "serve" anything, it can be "served" in
> >return. Where I come from, we call it the "scratch my back, I scratch your
> >back" factor :)
> >
> >With the prevalence of network-burrowing, SMB-crawling worms and trojans,
> >the fact that you are serving static files is no protection at all.
> >
> >
> >Sincerely,
> >
> >Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> >Microsoft MVP - Directory Services
> >www.readymaids.com - we know IT
> >www.akomolafe.com
> >Do you now realize that Today is the Tomorrow you were worried about
> >Yesterday?  -anon
> >
> >
> >
> >From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
> >Ebitz - SBS Rocks [MVP]
> >Sent: Wed 10/5/2005 10:28 AM
> >To: ActiveDir@mail.activedir.org
> >Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment
> >
> >
> >
> >I came <> to ripping out Trend in my office due to the BSOD,
> >false positives and the infamous Friday incident.  They are on probation
> >right now.
> >
> >The ones bantered around in our A/V wars discussions:
> >
> >Symantec [not yellow box but corp]
> >Sophos
> >CA
> >
> >I have a fellow SBSer in AU who LOVES Nod32.
> >
> >Pick one... they are in reality ALL reactionary.
> >
> >Real geeks don't use A/V anyway.  [you should have seen the thread on
> >whether to stick a/v on a web server on the focus on ms listserve... if
> >you set up a server for a select job, lock it down only serve up
> >static pages.. why 'does' it need to be covered by A/V was the topic]
> >
> >
> >
> >Tim Vander Kooi wrote:
> >
> >
> >
> >>I've only been on the list a short time, but I must have missed the
> >>mandatory Trend Micro brainwashing. :-)
> >>So far from what I have noticed there seems to be a set answer to all AV
> >>questions.
> >>Question: I'm curious about the capabilities of NOD32.
> >>Answers (en mass): You should use Trend Micro.
> >>Question: Is anyone using Symantec?
> >>Answer (again en mass): You should buy Trend Micro.
> >>
> >>Not that there is anything wrong with Trend Micro's product, it's great
> >>in my opinion, but these responses don't seem to be very helpful with
> >>regard to the questions being asked.
> >>
> >>My apologies to the list "gods" if TM is the list sponsor. :-)
> >>Tim
> >>
> >>-Original Message-
> >>From: [EMAIL PROTECTED]
> >>[mailto:[EMAIL PROTECTED] On Behalf Of Glen Miller
> >>Sent: Wednesday, October 05, 2005 11:55 AM
> >>To: 'ActiveDir@mail.activedir.org'
> >>Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment
> >>
> >>Look into a product called Office Scan, by a company called Trend Micro.
> >>I have been using this product happily since 1998.  It saved me from the
> >>"I love you" bug and a few rather nasty ones since.
> >>
> >>"I want my two dollars!"
> >>
> >>
> >>And Joe!  Petitioning Webster's to include Joe-isms as an actual word.
> >>
> >>
> >>
> >>
> >>-Original Message-
> >>From: [EMAIL PROTECTED]
> >>[mailto:[EMAIL PROTECTED] On Behalf Of Ahmed Al Awah
> >>Sent: Tuesday, October 04, 2005 12:35 PM
> >>To: 'ActiveDir@mail.activedir.org'
> >>Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment
> >>
> >>Since we're on topic..is anyone using Symantec AntiVirus 10 corp edition
> >>for

RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Rob MOIR
How would LDAP apps easily address multiple AD domains hosted on one server? 
What if you wanted to make this box a GC for more than one domain? How easily 
can you configure apps like Exchange to cope with this? I say "easily" because 
you talk about SMEs using this function, which are the places that might be 
less well equipped to figure out the support impact on those apps from having 
to make them work with this arrangement.
 
Or the cost of buying and implementing upgrades that figure it out for them... 
that money we saved on the separate hardware boxes just went bye-bye... Oh 
well, at least multiple domains on one hardware box *sounds* cool.
 
Rob
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 6:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same
server. SMBs with limited resources balk at having to buy additional server
hardware for redundancy on multiple domains, especially when the AD load on
the DCs is minimal. This feature sounds like an offshoot of your list below.
If you can run AD as a service, it might not be that hard to allow multiple
domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years ago. I
hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn
> Server yet.I am voting for something like Windows Server 5.4.0 or
> something like that. I realize that the marketing group would have
> something to say about it but I figure the best thing from them is if
> they pronounced their thoughts from the bottom of Lake Washington.
> People don't install servers because they have cool names.
> 
> The biggest non-NDA pieces that I have heard announced in conferences
> or seen on the web already is the Read Only DC to limit security
> exposure for WAN deployments, restartable AD that can be
> stopped/started as necessary, DA/Admin separation so that you can have
> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and
> DCs running on Server Foundation or now its called Server Core which
> is a GUI-challenged Windows Server.
> 
> I can also say that there are a myriad of GUI updates for the Admin
> tools though I can't state specifics. BJ Whalen who was involved with
> the GPMC project has been brought in to work on admin experience and
> anyone who has worked with GPOs with and without GPMC know that he
> really helped out.
> 
> All in all, there is some very cool stuff and MS has really been
> listening to the community on what they want and need. I know that
> this list is watched for ideas and such and has been the source of
> DCRs internally. So if you have ideas, spout them here, they will most
> certainly be heard. They may not make Longhorn as it is getting a bit
> late to add major changes but your ideas could make it into a later
> rev.
> 
> 
>joe
> 
>
> 
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Active Directory wish list
>
>
> Hi,
> 
> With Windows Vista on it's way what's on people's wish list as far as
> Active Directory is concerned? Also are there any big enhancements
> due?
> 
> Thanks
> Steven
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




[ActiveDir] GPO Permissions with .vbs

2005-10-05 Thread Harding, Devon

I created a GPO for all Domain Users to run a .vbs script to
create a Scheduled Task.  It works with Domain Admins, but not with regular
users.  How can I fix this?

 

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469


[ActiveDir] Rights Management Server

2005-10-05 Thread travis.abrams
Has anyone deployed Microsoft's RMS and used their DCs as the Root
certification server? We are debating whether we need dedicated hardware
for the RMS servers or whether they can share.

Thanks in advance. 


Holland + Knight
 
Travis Abrams
IT Security & Systems Manager
Holland & Knight LLP
 


RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Bernard, Aric
How about the VSMT for VS2005? ;)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, October 05, 2005 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

Have you guys checked out the PtoV tool on VMware?

Rich Milburn wrote:

>I kinda like the idea of running a DC in a VS machine, and having an
>online realtime copy of it somewhere in addition to incremental
>backups... and you should be able to bring up the vhd on any box, not
>just one with similar hardware, and without having to go through Laura's
>7 step DR plan :) (reference thread [ActiveDir] AD Restore Problem)
>
>But can you have a VSS-type remote copy of your DC session vhd file?
>
>(Forgive me if I bring up topics that were adequately addressed during
>my hiatus in Windows Desktop Deployment World...)
>
>---
>Rich Milburn
>MCSE, Microsoft MVP - Directory Services
>Sr Network Analyst, Field Platform Development
>Applebee's International, Inc.
>4551 W. 107th St
>Overland Park, KS 66207
>913-967-2819
>---
>"I am always doing that which I can not do, in order that I may learn
>how to do it." - Pablo Picasso
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Wednesday, October 05, 2005 1:12 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Active Directory wish list
>
>As a representative of the SBS community there is not a day that goes by
>that the 'can we cluster SBS' or 'can I have a hot server' doesn't come
>up.  [if you have SA you can have a cold server]
>
>With 9/11, with Katrina, with the potential for earthquakes in
>California ... honestly... the answer for any small business should not
>be 'well hope your backup is good... you have tested it right?'
>Conversely I would argue the home user needs to be better protected than
>they are now.  [but that's way OT]  I think the fault tolerance for
>small firms is being a bit pushed to the asp/hosted services model in
>the marketplace even though us control freaks aren't always fond of
>that.
>
>Actually we 'can' have additional domain controllers..just that the SBS
>has to hold the FSMO roles and be the PDC.  By the time you reconfigure
>that additional DC to take over the FSMO roles...maybe your time is
>better spent fixing the PDC, ya know?
>
>Is there a good story for small firms to have redundancy, fault
>tolerance without a fat checkbook?
>
>Nope, I would argue...not really... right now imaging is the only way.
>
>And in that instance.. you probably want to stay with a single DC and
>not suffer the wrath of Brett and ghosting your DCs.
>
>A recent whitepaper on the subject of the 'myths' of SBS:
>http://msmvps.com/bradley/archive/2005/10/04/68986.aspx
>http://msmvps.com/bradley/archive/2005/10/05/69035.aspx
>
>I still would argue that virtualization needs to be done WAY more than
>we are doing now...but that's just my wacko thoughts.
>
>
>Rich Milburn wrote:
>
>>I think the biggest reason people want to be able to run multiple
>>domains on one server is the same reason practically no one (except for
>>SBS) installs just one DC, and the same reason we always install a
>>minimum of 2 for a domain.  We have a forest root and 2 child domains
>>model, and it takes us 6 servers to run that - for basically 2
>>directories and fewer than 5000 users.  That seems like a waste of
>>hardware in some situations - especially if you have multiple orgs that
>>you run.  The parallel might be for a web hosting company to have 2 full
>>web servers for each domain they host - in case 1 goes down, they still
>>have a second.  VS is an answer, yes, although you still need a full
>>server license for each VM.  The thing with domains is you don't want to
>>only have 1 online copy of the directory.  MS didn't seem too convinced
>>there was a good reason to have an online second server - they cited
>>backups as a good solution to the issue.  In a big org the cost of an
>>additional server to provide redundancy is negligible, but is having an
>>online copy (second DC) really the BEST way to do this?  And it doesn't
>>help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
>>I realize it may be the best way we have with W2K3, but how could the
>>issue of redundancy be addressed with AD differently than having 2 DCs
>>minimum per domain?  Anyone have any ideas?
>>
>>Rich
>>
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of joe
>>Sent: Tuesday, October 04, 2005 9:20 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: RE: [ActiveDir] Active Directory wish list
>>
>>Yeah I can say th

RE: [ActiveDir] [ActiveDir Digest]

2005-10-05 Thread Darren Mar-Elia
Jeri-
(Not sure about the thread this email came attached to but here goes)

Yes, you can use Restricted Group policy for this purpose. It's under
Computer Configuration\Windows Settings\Security Settings\Restricted
Groups. Simply link a GPO to the OU(s) where those laptop machine
accounts reside and then set the "Members of this Group" option on the
local Administrators group and add your manager's user id. Note that
using this option is an exclusive arrangement, meaning that if you only
add the local manager's account, all other groups (except local
Administrator) will get removed from the local Administrators group, so
you'll need those other groups in the list if you don't want that to
happen.

Darren 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bland, Jeri
Sent: Wednesday, October 05, 2005 12:37 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] [ActiveDir Digest]

Is it possible to apply a group policy to establish one of our managers
as an administrator on all the laptops we stage for the employees in his
department, without having to manually go in on each laptop in Local
Users/Groups and resolve his name as an administrator?  We have AD 2000
and XP workstations.

Thanks, and pardon the first-grade question...

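Darren's warning about the exclusive behaviour of "Members of this group" is worth checking before such a GPO is linked. The PowerShell below is an added example, not code from the thread: it reads the [Group Membership] section that the Security Settings editor writes into the GPO's GptTmpl.inf under SYSVOL and reports what will be enforced on the local Administrators group; the CONTOSO domain, the jmanager account, the domain SID and both INF texts are constructed placeholders.

```powershell
# Added example, not from the thread. Parses the [Group Membership] section of a
# Restricted Groups GptTmpl.inf and reports what the "Members of this group"
# entry will enforce on the local Administrators group (well-known SID
# S-1-5-32-544). In that file a group or member written as *S-1-... is a SID;
# other members are written as DOMAIN\name. Both samples below are constructed;
# CONTOSO, jmanager and the domain SID are placeholders, not real values.

# Weak: only the manager is listed, so every other member (Domain Admins
# included) is removed from Administrators on each targeted laptop.
$weakInf = @"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\jmanager
"@

# Corrected: the manager is added and Domain Admins (RID 512) is kept.
$fixedInf = @"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\jmanager,*S-1-5-21-1111111111-2222222222-3333333333-512
"@

function Get-RestrictedGroupMembers {
    param([string]$InfText, [string]$GroupSid = 'S-1-5-32-544')
    # Locate the "<group>__Members =" line; its value is a comma-separated list.
    $pattern = "^\*$([regex]::Escape($GroupSid))__Members\s*="
    $line = ($InfText -split "`r?`n") | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return @() }            # no Members entry: nothing enforced
    $value = ($line -split '=', 2)[1].Trim()
    if ($value -eq '') { return @() }         # empty list: the group is emptied
    $members = $value -split ',' | ForEach-Object { $_.Trim() }
    return ,$members
}

function Test-KeepsDomainAdmins {
    param([string]$InfText, [string]$DomainSid)
    $members = Get-RestrictedGroupMembers -InfText $InfText
    # Domain Admins may appear as its SID (domain SID plus RID 512) or by name.
    $bySid  = $members -contains "*${DomainSid}-512"
    $byName = @($members | Where-Object { $_ -match '\\Domain Admins$' }).Count -gt 0
    return ($bySid -or $byName)
}

$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # placeholder domain SID
foreach ($sample in @(@{ Name = 'weak'; Inf = $weakInf }, @{ Name = 'fixed'; Inf = $fixedInf })) {
    $members = Get-RestrictedGroupMembers -InfText $sample.Inf
    Write-Output ("{0}: Administrators will be reset to: {1}" -f $sample.Name, ($members -join ', '))
    if (-not (Test-KeepsDomainAdmins -InfText $sample.Inf -DomainSid $domainSid)) {
        Write-Output "  WARNING: Domain Admins is not listed and would be removed from every targeted machine"
    }
}
```

Running it prints the enforced list for both samples and a warning for the weak one only; pointing it at a real GptTmpl.inf (a UTF-16 file under the GPO's Machine\Microsoft\Windows NT\SecEdit folder) means reading that file with Get-Content -Raw first.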


RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Charlie Kaiser
What I want is to be able to run multiple domains on one OS installation
and segment the directories from each other. That way I don't need to
run multiple licenses of the OS, nor do I need hardware that can power 4
VMs.
I already run VMs using VMWare in my test lab; it works but I'd prefer
to be able to run AD as a service and have it be smart enough to be able
to segment itself without needing a separate OS...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ed 
> Crowley [MVP]
> Sent: Wednesday, October 05, 2005 10:07 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> You can.  It's called Microsoft Virtual Server.
> 
> Ed Crowley MCSE+Internet MVP
> Freelance E-Mail Philosopher
> Protecting the world from PSTs and Bricked Backups!™
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Charlie Kaiser
> Sent: Tuesday, October 04, 2005 6:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> I'd also like to see the ability to run DCs for multiple domains on the
> same server. SMBs with limited resources balk at having to buy
> additional server hardware for redundancy on multiple domains,
> especially when the AD load on the DCs is minimal. This feature sounds
> like an offshoot of your list below. If you can run AD as a service, it
> might not be that hard to allow multiple domains similar to multiple
> websites/DBs on one server...
> 
> I remember discussing this with Stuart Kwan at DEC a couple of years
> ago. I hope it makes it into the mix...
> 
> **
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Tuesday, October 04, 2005 4:25 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> > 
> > Vista is the client OS. I don't believe they have named Longhorn
> > Server yet. I am voting for something like Windows Server 5.4.0 or
> > something like that. I realize that the marketing group would have
> > something to say about it but I figure the best thing from them is if
> > they pronounced their thoughts from the bottom of Lake Washington.
> > People don't install servers because they have cool names.
> >  
> > The biggest non-NDA pieces that I have heard announced in conferences
> > or seen on the web already is the Read Only DC to limit security
> > exposure for WAN deployments, restartable AD that can be
> > stopped/started as necessary, DA/Admin separation so that you can have
> > an Admin on a DC that "can't" achieve Domain-wide DA level rights, and
> > DCs running on Server Foundation or now its called Server Core which
> > is a GUI-challenged Windows Server.
> >  
> > I can also say that there are a myriad of GUI updates for the Admin
> > tools though I can't state specifics. BJ Whalen who was involved with
> > the GPMC project has been brought in to work on admin experience and
> > anyone who has worked with GPOs with and without GPMC know that he
> > really helped out.
> >  
> > All in all, there is some very cool stuff and MS has really been
> > listening to the community on what they want and need. I know that
> > this list is watched for ideas and such and has been the source of
> > DCRs internally. So if you have ideas, spout them here, they will most
> > certainly be heard. They may not make Longhorn as it is getting a bit
> > late to add major changes but your ideas could make it into a later
> > rev.
> >  
> >  
> >joe
> >  
> > 
> > 
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
> > Sent: Monday, October 03, 2005 3:46 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Active Directory wish list
> > 
> > 
> > Hi,
> >  
> > With Windows Vista on it's way what's on people's wish list 
> as far as 
> > Active Directory is concerned? Also are there any big enhancements 
> > due?
> >  
> > Thanks
> > Steven
> > 

RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Rich Milburn
As I understood it, these were the issues MS faced in considering the
possibility of multiple domains on one server.  Maybe you could have a
server with multiple offline replicas of domains, and if the DC for one
of those went down, the replica could be brought online as a DC until
the DC could be brought back up.  Or something like that? 


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Wednesday, October 05, 2005 3:17 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

How would LDAP apps easily address multiple AD domains hosted on one
server? What if you wanted to make this box a GC for more than one
domain? How easily can you configure apps like Exchange to cope with
this? I say "easily" because you talk about SMEs using this function,
which are the places that might be less well equipped to figure out the
support impact on those apps from having to make them work with this
arrangement.
 
Or the cost of buying and implementing upgrades that figure it out for
them... that money we saved on the separate hardware boxes just went
bye-bye... Oh well, at least multiple domains on one hardware box
*sounds* cool.
 
Rob
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 6:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the
same server. SMBs with limited resources balk at having to buy additional
server hardware for redundancy on multiple domains, especially when the
AD load on the DCs is minimal. This feature sounds like an offshoot of
your list below. If you can run AD as a service, it might not be that
hard to allow multiple domains similar to multiple websites/DBs on one
server...

I remember discussing this with Stuart Kwan at DEC a couple of years
ago. I hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn
> Server yet.I am voting for something like Windows Server 5.4.0 or
> something like that. I realize that the marketing group would have
> something to say about it but I figure the best thing from them is if
> they pronounced their thoughts from the bottom of Lake Washington.
> People don't install servers because they have cool names.
> 
> The biggest non-NDA pieces that I have heard announced in conferences
> or seen on the web already is the Read Only DC to limit security
> exposure for WAN deployments, restartable AD that can be
> stopped/started as necessary, DA/Admin separation so that you can have
> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and
> DCs running on Server Foundation or now its called Server Core which
> is a GUI-challenged Windows Server.
> 
> I can also say that there are a myriad of GUI updates for the Admin
> tools though I can't state specifics. BJ Whalen who was involved with
> the GPMC project has been brought in to work on admin experience and
> anyone who has worked with GPOs with and without GPMC know that he
> really helped out.
> 
> All in all, there is some very cool stuff and MS has really been
> listening to the community on what they want and need. I know that
> this list is watched for ideas and such and has been the source of
> DCRs internally. So if you have ideas, spout them here, they will most
> certainly be heard. They may not make Longhorn as it is getting a bit
> late to add major changes but your ideas could make it into a later
> rev.
> 
> 
>joe
> 
>
> 
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
> Sent: Monday, October 03, 2005 3:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Active Directory wish list
>
>
> Hi,
> 
> With Windows Vista on it's way what's on people's wish list as far as
> Active Directory is concerned? Also are there any big enhancements
> due?
> 
> Thanks
> Steven
>

RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Rich Milburn

I’m not saying we need a better solution here, and there are factors due to the
internal/external nature of our business that PSS (I think) recommended the
design we have.  When we built it, the empty root was widely considered to be
the best design.  My point was that to support this, we need at least 6 W2K3
servers running (physical or not is mostly beside the point).  We don’t really
need load balancing for this size – but we need 2 servers for each domain if we
want to avoid the risk of having the only DC for a domain go down.  My point
was that the directory is a database, but it’s tied to the server OS in such a
way that even stopping the directory on one box is a feat for MS to do (they’re
working on that, as I think Joe mentioned and is non-NDA).  Securing a copy of
the directory and making it available means doing that for the entire server
unit right now, not just the directory – a different database model than say
SQL.  Should the AD database be more modular to separate it out from the OS so
that it could be treated as one might treat a SQL database?  Maybe not.  I was
just asking the question in hopes of sparking some new ideas of ways to
mitigate the risk a single DC domain incurs today. :)



---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

My question would be: for a small directory of 5000 users, why do you
have 3 domains? If it is for separate password policies, then perhaps a better
wish list item would be the ability to have multiple password policies in one
domain.

Phil

On 10/5/05, Rich Milburn <[EMAIL PROTECTED]> wrote:

I think the biggest reason people want to be able to run multiple
domains on one server is the same reason practically no one (except for
SBS) installs just one DC, and the same reason we always install a
minimum of 2 for a domain.  We have a forest root and 2 child domains
model, and it takes us 6 servers to run that - for basically 2
directories and fewer than 5000 users.  That seems like a waste of
hardware in some situations - especially if you have multiple orgs that
you run.  The parallel might be for a web hosting company to have 2 full
web servers for each domain they host - in case 1 goes down, they still
have a second.  VS is an answer, yes, although you still need a full
server license for each VM.  The thing with domains is you don't want to
only have 1 online copy of the directory.  MS didn't seem too convinced
there was a good reason to have an online second server - they cited
backups as a good solution to the issue.  In a big org the cost of an
additional server to provide redundancy is negligible, but is having an
online copy (second DC) really the BEST way to do this?  And it doesn't
help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
I realize it may be the best way we have with W2K3, but how could the
issue of redundancy be addressed with AD differently than having 2 DCs
minimum per domain?  Anyone have any ideas?

Rich


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this
is a tough one. It wouldn't just be a nobrainer if they had separate
instances of AD, there are just tons of other things involved that make
it extremely difficult. It was something that was brought up in the
summit though, not sure how much I can say around it other than no, it
won't be there.

MS feels the focus of this is dramatically reduced now as well due to
the fact that VS is available and can run DCs. Also the Server Core DCs
helps here as well as the DCs will have a smaller footprint. If folks
are NOT in agreement with that assessment, definitely speak up, it is
too late for Longhorn but possibly the opportunity exists to convince
them for BlackComb.

joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Charlie Kaiser 
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the
same server. SMBs with limited resources balk at having to buy additional
server hardware for redundancy on multiple domains

RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Charlie Kaiser
Not being an OS architect, I'm not sure how MS would make it work
(obviously it's not easy) but I would think something along the lines of
different IP addresses per domain and using DNS to resolve the domain to
an IP or host headers or multiple NICs or something like that...
The idea is that it would look externally like multiple DCs, but they
would be on one OS...
If you can put multiple websites on one server and have them look
different, maybe they can do the same with domains...
Never said it was easy; this is a wish list, after all... :-)

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
> Sent: Wednesday, October 05, 2005 1:17 PM
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> How would LDAP apps easily address multiple AD domains hosted 
> on one server? What if you wanted to make this box a GC for 
> more than one domain? How easily can you configure apps like 
> Exchange to cope with this? I say "easily" because you talk 
> about SMEs using this function, which are the places that 
> might be less well equipped to figure out the support impact 
> on those apps from having to make them work with this arrangement.
>  
> Or the cost of buying and implementing upgrades that figure 
> it out for them... that money we saved on the separate 
> hardware boxes just went bye-bye... Oh well, at least 
> multiple domains on one hardware box *sounds* cool.
>  
> Rob
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Charlie Kaiser
> Sent: Tuesday, October 04, 2005 6:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> I'd also like to see the ability to run DCs for multiple 
> domains on the same
> server. SMBs with limited resources balk at having to buy 
> additional server
> hardware for redundancy on multiple domains, especially when 
> the AD load on
> the DCs is minimal. This feature sounds like an offshoot of 
> your list below.
> If you can run AD as a service, it might not be that hard to 
> allow multiple
> domains similar to multiple websites/DBs on one server...
> 
> I remember discussing this with Stuart Kwan at DEC a couple 
> of years ago. I
> hope it makes it into the mix...
> 
> **
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Tuesday, October 04, 2005 4:25 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> >
> > Vista is the client OS. I don't believe they have named Longhorn
> > Server yet. I am voting for something like Windows Server 5.4.0 or
> > something like that. I realize that the marketing group would have
> > something to say about it but I figure the best thing from 
> them is if
> > they pronounced their thoughts from the bottom of Lake Washington.
> > People don't install servers because they have cool names.
> > 
> > The biggest non-NDA pieces that I have heard announced in 
> conferences
> > or seen on the web already is the Read Only DC to limit security
> > exposure for WAN deployments, restartable AD that can be
> > stopped/started as necessary, DA/Admin separation so that 
> you can have
> > an Admin on a DC that "can't" achieve Domain-wide DA level 
> rights, and
> > DCs running on Server Foundation or now its called Server Core which
> > is a GUI-challenged Windows Server.
> > 
> > I can also say that there are a myriad of GUI updates for the Admin
> > tools though I can't state specifics. BJ Whalen who was 
> involved with
> > the GPMC project has been brought in to work on admin experience and
> > anyone who has worked with GPOs with and without GPMC know that he
> > really helped out.
> > 
> > All in all, there is some very cool stuff and MS has really been
> > listening to the community on what they want and need. I know that
> > this list is watched for ideas and such and has been the source of
> > DCRs internally. So if you have ideas, spout them here, 
> they will most
> > certainly be heard. They may not make Longhorn as it is 
> getting a bit
> > late to add major changes but your ideas could make it into a later
> > rev.
> > 
> > 
> >joe
> > 
> >
> > 
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
> > Sent: Monday, October 03, 2005 3:46 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Active Directory wish list
> >
> >
> > Hi,
> > 
> > With Windows Vista on its way what's on people's wish list 
> as far as
> > Active Dire

[ActiveDir] Feel like contributing 1 minute to a worthy cause?

2005-10-05 Thread deji
I am conducting a scientifically unreliable poll on my site to gather inputs
for my next "big" thing.
 
I would really appreciate your stopping by and just clicking a Yes/No button.
Takes less than a minute, and you can go back to doing your usual thing.
http://www.akomolafe.com/Survey/tabid/89/Default.aspx
 
If you feel lucky after voting 'NO', please take the next poll to tell me why
you voted 'NO' - be careful, I may trace your IP :)[1]
 
If you are feeling really, really generous and want to give more than a
minute for a "noble" cause, I'd send you a virtual hug (or hand-shake if you
are male :)) IF you take the survey. You only need to take the survey IF you
voted 'YES' on the first poll.
http://www.akomolafe.com/Survey/tabid/89/ctl/ViewFeedback/mid/493/FeedbackID/
1/Default.aspx
 
The catch? No registration is required to take the first 2 polls, but you
can't take the survey unless you are registered. The payment for registration
is the promised hug/hand-shake.
 
Again, your participation is appreciated - and completely voluntary. It won't
stop me from disagreeing with your points of view when they differ from mine
:)
 
[1] I was just kidding about that, alright?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GPO Permissions with .vbs

2005-10-05 Thread Tim Vander Kooi



What is your OS? Is it a user specific task or a computer based task? If
it is a task scheduled to run after the user logs on I'm sure it is
permissions, or lack thereof.
Tim Vander Kooi
Microsoft Systems Administrator
Explorer Pipeline


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, October 05, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Permissions with .vbs





I created a GPO for all Domain Users to run a .vbs script to create a
Scheduled Task.  It works with Domain Admins, but not with regular
users.  How can I fix this?
 
Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
 




This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information. If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments. Thank You.


RE: [ActiveDir] [ActiveDir Digest]

2005-10-05 Thread deji
What about just doing it in the reverse direction, using the "memberof"
option as I described earlier this week? It's also described here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810076
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 10/5/2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [ActiveDir Digest]



Jeri-
(Not sure about the thread this email came attached to but here goes)

Yes, you can use Restricted Group policy for this purpose. It's under
Computer Configuration\Windows Settings\Security Settings\Restricted
Groups. Simply link a GPO to the OU(s) where those laptop machine
accounts reside and then set the "Members of this Group" option on the
local Administrators group and add your manager's user id. Note that
using this option is an exclusive arrangement, meaning that if you only
add the local manager's account, all other groups (except local
Administrator) will get removed from the local Administrators group, so
you'll need those other groups in the list if you don't want that to
happen.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bland, Jeri
Sent: Wednesday, October 05, 2005 12:37 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] [ActiveDir Digest]

Is it possible to apply a group policy to establish one of our managers
as an administrator on all the laptops we stage for the employees in his
department, without having to manually go in on each laptop in Local
Users/Groups and resolve his name as an administrator.  We have AD 2000
and XP workstations.

Thanks and the pardon the first grade question...

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


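The two Restricted Groups modes discussed in this thread (Darren's exclusive "Members of this group" list and the additive "This group is a member of" option Deji points to in KB 810076) both end up in the security template the GPO stores as GptTmpl.inf. The fragment below is an added example, not part of any post on the list, showing both forms side by side so the difference is visible in the file rather than in the MMC dialog. EXAMPLE\ is a constructed domain name, S-1-5-21-0-0-0-512 is a placeholder for the real Domain Admins SID, and "EXAMPLE\LaptopMgr" / "EXAMPLE\WSAdmins" are constructed group names; S-1-5-32-544 is the well-known SID of the local BUILTIN\Administrators group.

```ini
; GptTmpl.inf (security template inside a GPO), added example
; Path under the GPO: Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Mode 1: "Members of this group" on BUILTIN\Administrators (S-1-5-32-544).
; This list is EXCLUSIVE: at each policy refresh anything not listed here is
; removed from the local Administrators group (the built-in Administrator
; account is the one exception). So Domain Admins must be re-listed or it
; will be stripped along with everything else.
; S-1-5-21-0-0-0-512 is a placeholder; substitute the real Domain Admins SID.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-0-0-0-512,EXAMPLE\LaptopMgr

; Mode 2: "This group is a member of" on the domain group instead.
; This form is ADDITIVE: the domain group is added to local Administrators
; on every computer the GPO applies to, and existing members are left alone.
; Link one GPO like this to the Workstations OU with WSAdmins, and another
; to the Servers OU with SVRAdmins, and each group only lands on its own tier.
EXAMPLE\WSAdmins__Memberof = *S-1-5-32-544
EXAMPLE\WSAdmins__Members =
```

In practice you pick one mode per local group: use the exclusive Members form when the goal is to enforce an exact membership (and accept that it will prune anything added by hand), and the Memberof form when you only want to guarantee that a given domain group is present. Do not combine both on the same target group in one GPO, since the exclusive list wins at apply time and the additive entry becomes redundant or, worse, misleading to whoever reads the policy later.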


RE: [ActiveDir] Anti-virus protection in domain enviroment

2005-10-05 Thread Tim Vander Kooi
I agree that most all AV vendors are alike, as are most of their
products. I have used every vendor you have mentioned here, and more,
and with the exception of CA they were all perfectly fine. The one
differentiating factor I have found is in the proactive approach that
NOD takes compared to most other vendors. Whereas Symantec comes out
with 1 weekly update on every Wednesday unless there is a major outbreak
to deal with, Nod comes out with at least one, and sometimes 3 or more
updates per day that deal with minor threats that they find on a real
time basis. That and I have had occasion to contact NOD's support team
due to their picking up an app we run to do system monitoring here. They
tagged it as Spyware (which was good as it could be used that way) and
after I informed them of the issue they had a new definition set that
corrected the problem released within 60 minutes. Try getting that kind
of response out of Symantec or Norton. I've never gotten it. It takes me
almost that long just to find Symantec's support phone number on their
website. To me it's those little things that make the difference more
than the up front cost.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, October 05, 2005 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment

I came <> to ripping out Trend in my office due to the BSOD,
false positives and the infamous Friday incident.  They are on probation
right now.

The ones bantered around in our A/V wars discussions:

Symantec [not yellow box but corp]
Sophos
CA

I have a fellow SBSer in AU who LOVES Nod32.

Pick one... they are in reality ALL reactionary. 

Real geeks don't use A/V anyway.  [you should have seen the thread on
whether to stick a/v on a web server on the focus on ms listserve... if
you set up a server for a select job, lock it down only serve up
static pages.. why 'does' it need to be covered by A/V was the topic]



Tim Vander Kooi wrote:

>I've only been on the list a short time, but I must have missed the 
>mandatory Trend Micro brainwashing. :-) So far from what I have noticed

>there seems to be a set answer to all AV questions.
>Question: I'm curious about the capabilities of NOD32.
>Answers (en masse): You should use Trend Micro.
>Question: Is anyone using Symantec?
>Answer (again en masse): You should buy Trend Micro.
>
>Not that there is anything wrong with Trend Micro's product, it's great

>in my opinion, but these responses don't seem to be very helpful with 
>regard to the questions being asked.
>
>My apologies to the list "gods" if TM is the list sponsor. :-) Tim
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Glen Miller
>Sent: Wednesday, October 05, 2005 11:55 AM
>To: 'ActiveDir@mail.activedir.org'
>Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment
>
>Look into a product called Office Scan, by a company called Trend
Micro.
>I have been using this product happily since 1998.  It saved me from 
>the "I love you" bug and a few rather nasty ones since.
>
>"I want my two dollars!" 
>
>
>And Joe!  Petitioning Webster's to include Joe-isms as an actual word. 
>
> 
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ahmed Al Awah
>Sent: Tuesday, October 04, 2005 12:35 PM
>To: 'ActiveDir@mail.activedir.org'
>Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment
>
>Since we're on topic..is anyone using Symantec AntiVirus 10 corp 
>edition for A/V protection in a domain environment?
>
>-Original Message-
>From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
>[mailto:[EMAIL PROTECTED]
>Sent: October 4, 2005 11:07 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment
>
>
>My 1 cent.
>
>I should go back to lurking...but... when choosing your a/v solution 
>there's something to check on... some of the a/v vendors have 
>historically  needed admin rights to update or have had vulnerabilities

>themselves.
>
>Might be something to investigate and consider when choosing an a/v 
>...especially on a DC.
>
>In my own historical issues with Trend, the OfficeProtect dat file 
>upgrade to XP sp2 wasn't properly 'vetted" and flatlined my 
>workstations
>
>and last I heard cost Trend $8 mil in lost sales.  They've also had a 
>security vulnerability patched somewhat recently.
>
>Epo's had their issues as well
>
>http://xforce.iss.net/xforce/xfdb/21839
>
>ISS X-Force Database: epolicy-msde-obtain-password(12787): ePolicy 
>Orchestrator could allow an attacker to obtain MSDE SA password:
>http://xforce.iss.net/xforce/xfdb/12787
>
>ISS X-Force Database: epolicy-execute-commands(14166): ePolicy 
>Orchestrator command execution: http://xforce.iss.net/xforce/xfdb/14166
>
>
>
>Al Garrett wrote:
>
>  
>
>>My 2 cents...
>>EpO has wor

RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread DeStefano, Dan

You can have additional DCs when using SBS, but the SBS server must be
the domain root.


Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I think the biggest reason people want to be able to run multiple
domains on one server is the same reason practically no one (except for
SBS) installs just one DC, and the same reason we always install a
minimum of 2 for a domain.  We have a forest root and 2 child domains
model, and it takes us 6 servers to run that - for basically 2
directories and fewer than 5000 users.  That seems like a waste of
hardware in some situations - especially if you have multiple orgs that
you run.  The parallel might be for a web hosting company to have 2 full
web servers for each domain they host - in case 1 goes down, they still
have a second.  VS is an answer, yes, although you still need a full
server license for each VM.  The thing with domains is you don't want to
only have 1 online copy of the directory.  MS didn't seem too convinced
there was a good reason to have an online second server - they cited
backups as a good solution to the issue.  In a big org the cost of an
additional server to provide redundancy is negligible, but is having an
online copy (second DC) really the BEST way to do this?  And it doesn't
help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
I realize it may be the best way we have with W2K3, but how could the
issue of redundancy be addressed with AD differently than having 2 DCs
minimum per domain?  Anyone have any ideas?

Rich


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it, this
is a tough one. It wouldn't just be a no-brainer if they had separate
instances of AD, there are just tons of other things involved that make
it extremely difficult. It was something that was brought up in the
summit though, not sure how much I can say around it other than no, it
won't be there.

MS feels the focus of this is dramatically reduced now as well due to
the fact that VS is available and can run DCs. Also the Server Core DCs
help here as well as the DCs will have a smaller footprint. If folks are
NOT in agreement with that assessment, definitely speak up, it is too
late for Longhorn but possibly the opportunity exists to convince them
for BlackComb.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the
same server. SMBs with limited resources balk at having to buy additional
server hardware for redundancy on multiple domains, especially when the
AD load on the DCs is minimal. This feature sounds like an offshoot of
your list below.
If you can run AD as a service, it might not be that hard to allow
multiple domains similar to multiple websites/DBs on one server...

I remember discussing this with Stuart Kwan at DEC a couple of years
ago. I hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, October 04, 2005 4:25 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
>
> Vista is the client OS. I don't believe they have named Longhorn
> Server yet. I am voting for something like Windows Server 5.4.0 or
> something like that. I realize that the marketing group would have
> something to say about it but I figure the best thing from them is if
> they pronounced their thoughts from the bottom of Lake Washington.
> People don't install servers because they have cool names.
> 
> The biggest non-NDA pieces that I have heard announced in conferences
> or seen on the web already is the Read Only DC to limit security
> exposure for WAN deployments, restartable AD that can be
> stopped/started as necessary, DA/Admin separation so that you can have

> an Admin on a DC that "can't" achieve Domain-wide DA level rights, and

> DCs running on Server Foundation or now its called Server Core which
> is a GUI-challenged Windows Server.
> 
> I can also say that there are a myriad of GUI updates for the Admin
> tools though I can't state specifics. BJ Whalen who was involved with
> the GPMC project has been brought in to work on admin experience and
> anyone who has worked with GPOs with and without GPMC know that he
> rea

[ActiveDir] Notes/Domino LDAP

2005-10-05 Thread Tony Murray



Can anyone point me at an independent source of information on the
capabilities and limitations of the Notes/Domino directory as compared
with AD?
 
Tony


RE: [ActiveDir] Rights Management Server

2005-10-05 Thread Brian Desmond
Putting the CA on a DC is a bad idea IMHO. You'd rather have dedicated CA
hardware, because as far as I have gathered, rebuilding CAs can be a real
bitch. 



Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, October 05, 2005 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rights Management Server

Has anyone deployed Microsoft's RMS and used their DC's as the Root
certification server? We are debating whether we need dedicated hardware
for the RMS servers or whether they can share.

Thanks in advance. 


Holland + Knight
 
Travis Abrams
IT Security & Systems Manager
Holland & Knight LLP
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Brian Desmond
One of the issues with this is that there are numerous legacy APIs for LSA
that don't have a domain parameter because there's never been an instance of
multiple domains on one host. 


Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, October 05, 2005 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Not being an OS architect, I'm not sure how MS would make it work (obviously
it's not easy) but I would think something along the lines of different IP
addresses per domain and using DNS to resolve the domain to an IP or host
headers or multiple NICs or something like that...
The idea is that it would look externally like multiple DCs, but they would
be on one OS...
If you can put multiple websites on one server and have them look different,
maybe they can do the same with domains...
Never said it was easy; this is a wish list, after all... :-)

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
> Sent: Wednesday, October 05, 2005 1:17 PM
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> How would LDAP apps easily address multiple AD domains hosted on one 
> server? What if you wanted to make this box a GC for more than one 
> domain? How easily can you configure apps like Exchange to cope with 
> this? I say "easily" because you talk about SMEs using this function, 
> which are the places that might be less well equipped to figure out 
> the support impact on those apps from having to make them work with 
> this arrangement.
>  
> Or the cost of buying and implementing upgrades that figure it out for 
> them... that money we saved on the separate hardware boxes just went 
> bye-bye... Oh well, at least multiple domains on one hardware box 
> *sounds* cool.
>  
> Rob
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
> Kaiser
> Sent: Tuesday, October 04, 2005 6:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> I'd also like to see the ability to run DCs for multiple domains on 
> the same server. SMBs with limited resources balk at having to buy 
> additional server hardware for redundancy on multiple domains, 
> especially when the AD load on the DCs is minimal. This feature sounds 
> like an offshoot of your list below.
> If you can run AD as a service, it might not be that hard to allow 
> multiple domains similar to multiple websites/DBs on one server...
> 
> I remember discussing this with Stuart Kwan at DEC a couple of years 
> ago. I hope it makes it into the mix...
> 
> **
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Tuesday, October 04, 2005 4:25 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> >
> > Vista is the client OS. I don't believe they have named Longhorn 
> > Server yet. I am voting for something like Windows Server 5.4.0 or 
> > something like that. I realize that the marketing group would have 
> > something to say about it but I figure the best thing from
> them is if
> > they pronounced their thoughts from the bottom of Lake Washington.
> > People don't install servers because they have cool names.
> > 
> > The biggest non-NDA pieces that I have heard announced in
> conferences
> > or seen on the web already is the Read Only DC to limit security 
> > exposure for WAN deployments, restartable AD that can be 
> > stopped/started as necessary, DA/Admin separation so that
> you can have
> > an Admin on a DC that "can't" achieve Domain-wide DA level
> rights, and
> > DCs running on Server Foundation or now its called Server Core which 
> > is a GUI-challenged Windows Server.
> > 
> > I can also say that there are a myriad of GUI updates for the Admin 
> > tools though I can't state specifics. BJ Whalen who was
> involved with
> > the GPMC project has been brought in to work on admin experience and 
> > anyone who has worked with GPOs with and without GPMC know that he 
> > really helped out.
> > 
> > All in all, there is some very cool stuff and MS has really been 
> > listening to the community on what they want and need. I know that 
> > this list is watched for ideas and such and has been the source of 
> > DCRs internally. So if you have ideas, spout them here,
> they will most
> > certainly be heard. They may not make Longhorn as it is
> getting a bit
> > 

[ActiveDir] Most common cause of Active Directory "failures"?

2005-10-05 Thread Gil Kirkpatrick
Greetings fellow travellers,


Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some swell gifts to give away at random to a couple of lucky respondents (nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active Directory "failure" (where failure is defined as failure to authenticate, authorize, replicate, or apply GPOs as expected). List as many as you care to, in order from most common to least common. Note that I am not considering the consequences of the failure, just how frequent they are.

Just send me a response like B, A, F or some such, along with any commentary you might have.


A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)

B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)

C. Inadvertent misconfiguration of MSFT DNS.

D. Inadvertent misconfiguration of non-MSFT DNS.

E. Inadvertent misconfiguration of networking devices

F. Hardware failure of a DC

G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)

H. Physical disaster (fire, flood, power failure, etc)

I. Malicious attack by a service admin

J. Malicious attack by a data admin

K. Malicious attack by an authenticated user

L. Malicious attack by an unauthenticated user

M. Other (please specify)


Thanks for your feedback.


-gil


Gil Kirkpatrick

CTO, NetPro


Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.





RE: [ActiveDir] Most common cause of Active Directory "failures"?

2005-10-05 Thread deji
Without a shred of doubt:
C: - This is why I'm putting a DNS book together. Hope you are not doing the
same ;)
G
B
F
D
 
HTH
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 10/5/2005 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?



Greetings fellow travellers, 

Here's a quick, informal, non-scientific survey. Please reply to me directly
at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've
got some swell gifts to give away at random to a couple of lucky respondents
(nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active
Directory "failure" (where failure is defined as failure to authenticate,
authorize, replicate, or apply GPOs as expected). List as many as you care
to, in order from most common to least common. Note that I am not considering
the consequences of the failure, just how frequent they are.

Just send me a response like B, A, F or some such, along with any commentary
you might have. 

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an
OU) 
B. Inadvertent misconfiguration of AD (for instance screwing up a connection
object, or changing the wrong registry setting, or making an inappropriate
GPO change)

C. Inadvertent misconfiguration of MSFT DNS. 
D. Inadvertent misconfiguration of non-MSFT DNS. 
E. Inadvertent misconfiguration of networking devices 
F. Hardware failure of a DC 
G. Hardware failure of a networking device (including DNS servers, if they
are not also DCs) 
H. Physical disaster (fire, flood, power failure, etc) 
I. Malicious attack by a service admin 
J. Malicious attack by a data admin 
K. Malicious attack by an authenticated user 
L. Malicious attack by an unauthenticated user 
M. Other (please specify) 

Thanks for your feedback. 

-gil 

Gil Kirkpatrick 
CTO, NetPro 

Don't miss the Directory Experts Conference 2006. More information at
www.dec2006.com.


RE: [ActiveDir] Most common cause of Active Directory "failures"?

2005-10-05 Thread deji
OK. Now, I have to go and bury my head in the sand for a while :(
 
The previous message was meant to be private. I profusely apologize.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 10/5/2005 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?



Greetings fellow travellers, 

Here's a quick, informal, non-scientific survey. Please reply to me directly
at mailto:[EMAIL PROTECTED]   so we don't spam the 
list
with responses. I've got a some swell gifts to give away at random to a
couple of lucky respondents (nothing too fancy). I'll post the summary in a
few days.

Question: *In your experience*, which are the most common causes of Active
Directory "failure" (where failure is defined as failure to authenticate,
authorize, replicate, or apply GPOs as expected). List as many as you care
to, in order from most common to least common. Note that I am not considering
the consequences of the failure, just how frequent they are.

Just send me a response like B, A, F or some such, along with any commentary
you might have. 

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an
OU) 
B. Inadvertent misconfiguration of AD (for instance screwing up a connection
object, or changing the wrong registry setting, or making an inappropriate
GPO change)

C. Inadvertent misconfiguration of MSFT DNS. 
D. Inadvertent misconfiguration of non-MSFT DNS. 
E. Inadvertent misconfiguration of networking devices 
F. Hardware failure of a DC 
G. Hardware failure of a networking device (including DNS servers, if they
are not also DCs) 
H. Physical disaster (fire, flood, power failure, etc) 
I. Malicious attack by a service admin 
J. Malicious attack by a data admin 
K. Malicious attack by an authenticated user 
L. Malicious attack by an unauthenticated user 
M. Other (please specify) 

Thanks for your feedback. 

-gil 

Gil Kirkpatrick 
CTO, NetPro 

Don't miss the Directory Experts Conference 2006. More information at
www.dec2006.com  . 



RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Tyson Leslie



In our case (empty root, 4 child domains, 3500 users), it 
was primarily politics.  We brought in two consultants (one from 
a VAR, one from Microsoft), and the decision was that the best way to go, based 
on politics, geographical location of the offices, and division of 
administration, was the empty root and 4 child domains.  Password policies 
was a small factor, but not a driving force...
 
That said, I personally would love to see the ability to 
have multiple password policies within a single domain.
 
Tyson.   



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

My question would be: for a small directory of 5000 users, why do you have
3 domains? If it is for separate password policies, then perhaps a better wish
list item would be the ability to have multiple password policies in one domain.

Phil

On 10/5/05, Rich Milburn <[EMAIL PROTECTED]> wrote:

  I think the biggest reason people want to be able to run multiple
  domains on one server is the same reason practically no one (except for SBS)
  installs just one DC, and the same reason we always install a minimum of 2
  for a domain.  We have a forest root and 2 child domains model, and it takes
  us 6 servers to run that - for basically 2 directories and fewer than 5000
  users.  That seems like a waste of hardware in some situations - especially
  if you have multiple orgs that you run.  The parallel might be for a web
  hosting company to have 2 full web servers for each domain they host - in
  case 1 goes down, they still have a second.  VS is an answer, yes, although
  you still need a full server license for each VM.  The thing with domains is
  you don't want to only have 1 online copy of the directory.  MS didn't seem
  too convinced there was a good reason to have an online second server - they
  cited backups as a good solution to the issue.  In a big org the cost of an
  additional server to provide redundancy is negligible, but is having an
  online copy (second DC) really the BEST way to do this?  And it doesn't help
  SBS users, since they can (correct me if I'm wrong) only have 1 DC.  I
  realize it may be the best way we have with W2K3, but how could the issue of
  redundancy be addressed with AD differently than having 2 DCs minimum per
  domain?  Anyone have any ideas?

  Rich

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  On Behalf Of joe
  Sent: Tuesday, October 04, 2005 9:20 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory wish list

  Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a
  tough one. It wouldn't just be a nobrainer if they had separate instances of
  AD, there are just tons of other things involved that make it extremely
  difficult. It was something that was brought up in the summit though, not
  sure how much I can say around it other than no, it won't be there.

  MS feels the focus of this is dramatically reduced now as well due to the
  fact that VS is available and can run DCs. Also the Server Core DCs helps
  here as well as the DCs will have a smaller footprint. If folks are NOT in
  agreement with that assessment, definitely speak up, it is too late for
  Longhorn but possibly the opportunity exists to convince them for BlackComb.

  joe

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  On Behalf Of Charlie Kaiser
  Sent: Tuesday, October 04, 2005 9:37 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory wish list

  I'd also like to see the ability to run DCs for multiple domains on the same
  server. SMBs with limited resources balk at having to buy additional server
  hardware for redundancy on multiple domains, especially when the AD load on
  the DCs is minimal. This feature sounds like an offshoot of your list below.
  If you can run AD as a service, it might not be that hard to allow multiple
  domains similar to multiple websites/DBs on one server...

  I remember discussing this with Stuart Kwan at DEC a couple of years ago. I
  hope it makes it into the mix...

  **
  Charlie Kaiser
  W2K3 MCSA/MCSE/Security, CCNA
  Systems Engineer
  Essex Credit / Brickwalk
  510 595 5083
  **

  > -Original Message-
  > From: [EMAIL PROTECTED]
  > [mailto:[EMAIL PROTECTED] ] On Behalf Of joe
  > Sent: Tuesday, October 04, 2005 4:25 PM
  > To: ActiveDir@mail.activedir.org
  > Subject: RE: [ActiveDir] Active Directory wish list
  >
  > Vista is the client OS. I don't believe they have named Longhorn
  > Server yet. I am voting for something like Windows Server 5.4.0 or
  > something like that. I realize that the marketing group would have
  > something to say about it but I figure the best thing from them is if
  > they pronounced their thoughts from the bottom of Lake Washingto

RE: [ActiveDir] Rights Management Server

2005-10-05 Thread deji
The only thing I know about RMS is what the acronym stands for. However, your
question is about using the DC as the cert server so you don't have to
procure additional hardware, right? There is nothing wrong with that. It's a
supported configuration, and as long as you do your due diligence and get
your backup right, you should be fine.
 
One common issue with running the CA on a DC is that the cert service will be
broken if you use one of the MS custom inf to harden the DC. I forgot which
one exactly, but you will know when your cert service is broken. Recovery is
not too hard, so don't sweat it.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 10/5/2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rights Management Server



Has anyone deployed Microsoft's RMS and used their DC's as the Root
certification server? We are debating whether we need dedicated hardware
for the RMS servers or whether they can share.

Thanks in advance.


Holland + Knight

Travis Abrams
IT Security & Systems Manager
Holland & Knight LLP



RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread deji
The way I can see different password policies for one domain being
implemented is if you have a product/tool in front of your directory
intercepting the passwords and enforcing different rules as the passwords go
through. The underlying directory (AD) will have to have no policy, or have
at least a very relaxed policy. This would be a sort of password servicing
provisioning system.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Tyson Leslie
Sent: Wed 10/5/2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list


In our case (empty root, 4 child domains, 3500 users), it was primarily
politics.  We brought in two consultants (one from a VAR, one from
Microsoft), and the decision was that the best way to go, based on politics,
geographical location of the offices, and division of administration, was the
empty root and 4 child domains.  Password policies was a small factor, but
not a driving force...
 
That said, I personally would love to see the ability to have multiple
password policies within a single domain.
 
Tyson.   



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list


My question would be: for a small directory of 5000 users, why do you have 3
domains? If it is for separate password policies, then perhaps a better wish
list item would be the ability to have multiple password policies in one
domain. 
 
Phil

 
On 10/5/05, Rich Milburn <[EMAIL PROTECTED]> wrote: 

I think the biggest reason people want to be able to run multiple
domains on one server is the same reason practically no one (except
for 
SBS) installs just one DC, and the same reason we always install a
minimum of 2 for a domain.  We have a forest root and 2 child domains
model, and it takes us 6 servers to run that - for basically 2
directories and fewer than 5000 users.  That seems like a waste of 
hardware in some situations - especially if you have multiple orgs
that
you run.  The parallel might be for a web hosting company to have 2
full
web servers for each domain they host - in case 1 goes down, they
still 
have a second.  VS is an answer, yes, although you still need a full
server license for each VM.  The thing with domains is you don't want
to
only have 1 online copy of the directory.  MS didn't seem too
convinced 
there was a good reason to have an online second server - they cited
backups as a good solution to the issue.  In a big org the cost of an
additional server to provide redundancy is negligible, but is having
an
online copy (second DC) really the BEST way to do this?  And it
doesn't
help SBS users, since they can (correct me if I'm wrong) only have 1
DC.
I realize it may be the best way we have with W2K3, but how could the
issue of redundancy be addressed with AD differently than having 2
DCs
minimum per domain?  Anyone have any ideas?

Rich


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Yeah I can say that it isn't in Longhorn. As the dev guys put it,
this
is a
tough one. It wouldn't just be a nobrainer if they had separate 
instances of
AD, there are just tons of other things involved that make it
extremely
difficult. It was something that was brought up in the summit though,
not
sure how much I can say around it other than no, it won't be there. 

MS feels the focus of this is dramatically reduced now as well due to
the
fact that VS is available and can run DCs. Also the Server Core DCs
helps
here as well as the DCs will have a smaller footprint. If folks are
NOT 
in
agreement with that assessment, definitely speak up, it is too late
for
Longhorn but possibly the opportunity exists to convince them for
BlackComb.

joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie
Kaiser 
Sent: Tuesday, October 04, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run 
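The wish voiced in this thread (more than one password policy inside a single domain) was later delivered by Microsoft as Fine-Grained Password Policies, i.e. password settings objects (PSOs), available from Windows Server 2008 at the 2008 domain functional level. The block below is an added example, not code from any poster on this list, showing the standard way to attach a stricter policy to a privileged group with the ActiveDirectory PowerShell module. The PSO name, the group name Tier0-Admins and the user jdoe are assumptions for illustration.

```powershell
# Added example (not from the thread): one stricter password policy for a
# privileged group, alongside the domain-wide default.
# Requires the ActiveDirectory module (RSAT) and domain functional level
# Windows Server 2008 or higher. Names below are assumed for illustration.
Import-Module ActiveDirectory

# The Default Domain Policy keeps governing everyone without a PSO; this PSO
# only tightens rules for the subjects it is applied to.
$pso = @{
    Name                        = 'PSO-PrivilegedAccounts'   # assumed name
    Precedence                  = 10     # lower number wins if several PSOs match
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 15
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs apply to user objects and global security groups only, never to OUs.
# 'Tier0-Admins' is an assumed group name.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Tier0-Admins'

# Verify what a DC will actually enforce for a member ('jdoe' is assumed):
# a PSO linked directly to the user beats any group-linked PSO, and among
# group-linked PSOs the lowest Precedence wins. If this returns nothing, the
# user falls back to the domain default.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

The resultant-policy check is the part worth keeping in a runbook: when two PSOs are linked through overlapping groups, the one that wins is the lowest Precedence, and precedence ties are broken by object GUID, so always confirm per account rather than per group.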

Re: [ActiveDir] Notes/Domino LDAP

2005-10-05 Thread Laura E. Hunter
Unless I'm misunderstanding the question, I'm going to say that
that'll be a tough compare since Notes/Domino maps much more closely
to Exchange and Groupwise in terms of functionality.  IE, it's a
groupware/messaging/collaboration environment rather than a proper
directory service.  In most cases, in fact, a Notes/Domino environment
will run on top of AD just like Exchange does, though I think you can
hook Domino into a Linux infra as well.

My personal recollection of Domino, though this is from several revs
ago, was that it was close-but-not-quite-so-good as Outlook in terms
of being a cool messaging client, but it gave you more options in
terms of collaboration apps.  (Sharepoint has likely rendered this
comparison obsolete in the intervening years since I was a Notes
admin.)

A quick Google doesn't return what I'd consider a vendor-neutral
comparison of Exchange and Domino, but here's the market-speak from
both sides of the house.  (Maybe compare them and split the
difference.  :-)):

http://www-03.ibm.com/servers/eserver/iseries/domino/inotes/compare.html
http://www.lotus.com/lotus/offering1.nsf/wdocs/messagingcompetitive?OpenDocument&cwesite=lotusnotesdom
http://www.microsoft.com/exchange/evaluation/compare/METAEx2k3vNotes.mspx

- Laura

On 10/5/05, Tony Murray <[EMAIL PROTECTED]> wrote:
>
> Can anyone point me at an independent source of information on the
> capabilities and limitations of the Notes/Domino directory as compared with
> AD?
>
> Tony


--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)


RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Ed Crowley [MVP]
Sounds like Microsoft Virtual Server.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, October 05, 2005 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Not being an OS architect, I'm not sure how MS would make it work (obviously
it's not easy) but I would think something along the lines of different IP
addresses per domain and using DNS to resolve the domain to an IP or host
headers or multiple NICs or something like that...
The idea is that it would look externally like multiple DCs, but they would
be on one OS...
If you can put multiple websites on one server and have them look different,
maybe they can do the same with domains...
Never said it was easy; this is a wish list, after all... :-)

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
> Sent: Wednesday, October 05, 2005 1:17 PM
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> How would LDAP apps easily address multiple AD domains hosted on one 
> server? What if you wanted to make this box a GC for more than one 
> domain? How easily can you configure apps like Exchange to cope with 
> this? I say "easily" because you talk about SMEs using this function, 
> which are the places that might be less well equipped to figure out 
> the support impact on those apps from having to make them work with 
> this arrangement.
>  
> Or the cost of buying and implementing upgrades that figure it out for 
> them... that money we saved on the separate hardware boxes just went 
> bye-bye... Oh well, at least multiple domains on one hardware box 
> *sounds* cool.
>  
> Rob
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
> Kaiser
> Sent: Tuesday, October 04, 2005 6:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> I'd also like to see the ability to run DCs for multiple domains on 
> the same server. SMBs with limited resources balk at having to buy 
> additional server hardware for redundancy on multiple domains, 
> especially when the AD load on the DCs is minimal. This feature sounds 
> like an offshoot of your list below.
> If you can run AD as a service, it might not be that hard to allow 
> multiple domains similar to multiple websites/DBs on one server...
> 
> I remember discussing this with Stuart Kwan at DEC a couple of years 
> ago. I hope it makes it into the mix...
> 
> **
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Tuesday, October 04, 2005 4:25 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> >
> > Vista is the client OS. I don't believe they have named Longhorn 
> > Server yet. I am voting for something like Windows Server 5.4.0 or 
> > something like that. I realize that the marketing group would have 
> > something to say about it but I figure the best thing from
> them is if
> > they pronounced their thoughts from the bottom of Lake Washington.
> > People don't install servers because they have cool names.
> > 
> > The biggest non-NDA pieces that I have heard announced in
> conferences
> > or seen on the web already is the Read Only DC to limit security 
> > exposure for WAN deployments, restartable AD that can be 
> > stopped/started as necessary, DA/Admin separation so that
> you can have
> > an Admin on a DC that "can't" achieve Domain-wide DA level
> rights, and
> > DCs running on Server Foundation or now its called Server Core which 
> > is a GUI-challenged Windows Server.
> > 
> > I can also say that there are a myriad of GUI updates for the Admin 
> > tools though I can't state specifics. BJ Whalen who was
> involved with
> > the GPMC project has been brought in to work on admin experience and 
> > anyone who has worked with GPOs with and without GPMC know that he 
> > really helped out.
> > 
> > All in all, there is some very cool stuff and MS has really been 
> > listening to the community on what they want and need. I know that 
> > this list is watched for ideas and such and has been the source of 
> > DCRs internally. So if you have ideas, spout them here,
> they will most
> > certainly be heard. They may not make Longhorn as it is
> getting a bit
> > late to add major changes but your ideas could make it into a later 
> > rev.
> > 
> > 
> >joe

RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Ed Crowley [MVP]
I'd be surprised if we see this in my lifetime, or at least before I retire.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, October 05, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

What I want is to be able to run multiple domains on one OS installation and
segment the directories from each other. That way I don't need to run
multiple licenses of the OS, nor do I need hardware that can power 4 VMs.
I already run VMs using VMWare in my test lab; it works but I'd prefer to be
able to run AD as a service and have it be smart enough to be able to
segment itself without needing a separate OS...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
> [MVP]
> Sent: Wednesday, October 05, 2005 10:07 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> You can.  It's called Microsoft Virtual Server.
> 
> Ed Crowley MCSE+Internet MVP
> Freelance E-Mail Philosopher
> Protecting the world from PSTs and Bricked Backups!™
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
> Kaiser
> Sent: Tuesday, October 04, 2005 6:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> I'd also like to see the ability to run DCs for multiple domains on 
> the same server. SMBs with limited resources balk at having to buy 
> additional server hardware for redundancy on multiple domains, 
> especially when the AD load on the DCs is minimal. This feature sounds 
> like an offshoot of your list below.
> If you can run AD as a service, it might not be that hard to allow 
> multiple domains similar to multiple websites/DBs on one server...
> 
> I remember discussing this with Stuart Kwan at DEC a couple of years 
> ago. I hope it makes it into the mix...
> 
> **
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Tuesday, October 04, 2005 4:25 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> > 
> > Vista is the client OS. I don't believe they have named Longhorn 
> > Server yet. I am voting for something like Windows Server 5.4.0 or 
> > something like that. I realize that the marketing group would have 
> > something to say about it but I figure the best thing from
> them is if
> > they pronounced their thoughts from the bottom of Lake Washington. 
> > People don't install servers because they have cool names.
> >  
> > The biggest non-NDA pieces that I have heard announced in
> conferences
> > or seen on the web already is the Read Only DC to limit security 
> > exposure for WAN deployments, restartable AD that can be 
> > stopped/started as necessary, DA/Admin separation so that
> you can have
> > an Admin on a DC that "can't" achieve Domain-wide DA level
> rights, and
> > DCs running on Server Foundation or now its called Server
> Core which
> > is a GUI-challenged Windows Server.
> >  
> > I can also say that there are a myriad of GUI updates for the Admin 
> > tools though I can't state specifics. BJ Whalen who was
> involved with
> > the GPMC project has been brought in to work on admin
> experience and
> > anyone who has worked with GPOs with and without GPMC know that he 
> > really helped out.
> >  
> > All in all, there is some very cool stuff and MS has really been 
> > listening to the community on what they want and need. I know that 
> > this list is watched for ideas and such and has been the source of 
> > DCRs internally. So if you have ideas, spout them here,
> they will most
> > certainly be heard. They may not make Longhorn as it is
> getting a bit
> > late to add major changes but your ideas could make it into a later 
> > rev.
> >  
> >  
> >joe
> >  
> > 
> > 
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
> > Sent: Monday, October 03, 2005 3:46 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Active Directory wish list
> > 
> > 
> > Hi,
> >  
> > With Windows Vista on it's way what's on people's wish list
> as far as
> > Active Directory is concerned? Also are there any big enhancements 
> > due?
> >  
> > Thanks
> > Steven
> > 

RE: [ActiveDir] Rights Management Server

2005-10-05 Thread Bernard, Aric
BTW - RMS does not leverage the traditional cert services that you would use 
for a PKI.  It has its own "certs" that it hands out.  Also it requires a 
database server (SQL).  On principle, I would not put this on a DC.  Both the 
DC and the RMS Server play critical roles, however losing the RMS server could 
be far more devastating than a single DC.


Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 05, 2005 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rights Management Server

The only thing I know about RMS is what the acronym stands for. However, your
question is about using the DC as the cert server so you don't have to
procure additional hardware, right? There is nothing wrong with that. It's a
supported configuration, and as long as you do your due diligence and get
your backup right, you should be fine.
 
One common issue with running the CA on a DC is that the cert service will be
broken if you use one of the MS custom inf to harden the DC. I forgot which
one exactly, but you will know when your cert service is broken. Recovery is
not too hard, so don't sweat it.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 10/5/2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rights Management Server



Has anyone deployed Microsoft's RMS and used their DC's as the Root
certification server? We are debating whether we need dedicated hardware
for the RMS servers or whether they can share.

Thanks in advance.


Holland + Knight

Travis Abrams
IT Security & Systems Manager
Holland & Knight LLP



RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Ed Crowley [MVP]



You're hardly alone in this.  It took a little while 
before the touted security of the empty root model was blown open by my esteemed 
colleagues at HP (then Compaq).  Lots and lots of organizations have 
adopted empty-root and other multiple-domain architectures, only to regret it 
later.
 
Still, Virtual Server (or VMware) would address the 
hardware requirement to a large extent since you could run two 
physical machines instead of six, but it doesn't really do anything for 
Charlie's desire to buy fewer server licenses.
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list


I’m not saying we need a better solution here, and there are factors due to the
internal/external nature of our business that PSS (I think) recommended the
design we have.  When we built it, the empty root was widely considered to be
the best design.  My point was that to support this, we need at least 6 W2K3
servers running (physical or not is mostly beside the point).  We don’t really
need load balancing for this size – but we need 2 servers for each domain if we
want to avoid the risk of having the only DC for a domain go down.  My point was
that the directory is a database, but it’s tied to the server OS in such a way
that even stopping the directory on one box is a feat for MS to do (they’re
working on that, as I think Joe mentioned and is non-NDA).  Securing a copy of
the directory and making it available means doing that for the entire server
unit right now, not just the directory – a different database model than say
SQL.  Should the AD database be more modular to separate it out from the OS so
that it could be treated as one might treat a SQL database?  Maybe not.  I was
just asking the question in hopes of sparking some new ideas of ways to mitigate
the risk a single DC domain incurs today. :-)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do
it." - Pablo Picasso




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list
 

My question would be: for a small directory of 5000 
users, why do you have 3 domains? If it is for separate password policies, then 
perhaps a better wish list item would be the ability to have multiple password 
policies in one domain. 

 

Phil 

On 10/5/05, Rich Milburn <[EMAIL PROTECTED]> wrote:

  I think the biggest reason people want to be able to run multiple
  domains on one server is the same reason practically no one (except for SBS)
  installs just one DC, and the same reason we always install a minimum of 2
  for a domain.  We have a forest root and 2 child domains model, and it takes
  us 6 servers to run that - for basically 2 directories and fewer than 5000
  users.  That seems like a waste of hardware in some situations - especially
  if you have multiple orgs that you run.  The parallel might be for a web
  hosting company to have 2 full web servers for each domain they host - in
  case 1 goes down, they still have a second.  VS is an answer, yes, although
  you still need a full server license for each VM.  The thing with domains is
  you don't want to only have 1 online copy of the directory.  MS didn't seem
  too convinced there was a good reason to have an online second server - they
  cited backups as a good solution to the issue.  In a big org the cost of an
  additional server to provide redundancy is negligible, but is having an
  online copy (second DC) really the BEST way to do this?  And it doesn't help
  SBS users, since they can (correct me if I'm wrong) only have 1 DC.  I
  realize it may be the best way we have with W2K3, but how could the issue of
  redundancy be addressed with AD differently than having 2 DCs minimum per
  domain?  Anyone have any ideas?

  Rich

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  On Behalf Of joe
  Sent: Tuesday, October 04, 2005 9:20 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory wish list

  Yeah I can say that it isn't in Longhorn. As the dev guys put it, this is a
  tough one. It wouldn't just be a nobrainer if they had separate instances of
  AD, there are just tons of other things involved that make it extremely
  difficult. It was something that was brought up in the summit though, not
  sure how much I can say around it other than no, i

RE: [ActiveDir] Notes/Domino LDAP

2005-10-05 Thread Tony Murray
Thanks Laura

My understanding is also that the Domino Directory is tightly bundled
with the messaging service.  I'm looking at a scenario in which a client
wants to expose some information via LDAP.  They have both AD and
Notes/Domino.  My preference would be to point them to AD (or AD/AM),
but I need to come up with good reasons for them not to use the Domino
Directory, which appears to be their preference. The information I have
found so far (on lotus.com) indicates that the Domino Directory schema
is extensible and supports LDAP v2 and v3.  So apart from the fact that
the Domino Directory can't be decoupled from the messaging elements, I'm
struggling to find compelling arguments in favour of AD (mainly because
I don't know Domino and can't seem to find an independent comparison).

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, 6 October 2005 1:27 p.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Notes/Domino LDAP

Unless I'm misunderstanding the question, I'm going to say that that'll
be a tough compare since Notes/Domino maps much more closely to Exchange
and Groupwise in terms of functionality.  IE, it's a
groupware/messaging/collaboration environment rather than a proper
directory service.  In most cases, in fact, a Notes/Domino environment
will run on top of AD just like Exchange does, though I think you can
hook Domino into a Linux infra as well.

My personal recollection of Domino, though this is from several revs
ago, was that it was close-but-not-quite-so-good as Outlook in terms of
being a cool messaging client, but it gave you more options in terms of
collaboration apps.  (Sharepoint has likely rendered this comparison
obsolete in the intervening years since I was a Notes
admin.)

A quick Google doesn't return what I'd consider a vendor-neutral
comparison of Exchange and Domino, but here's the market-speak from both
sides of the house.  (Maybe compare them and split the difference.
:-)):

http://www-03.ibm.com/servers/eserver/iseries/domino/inotes/compare.html
http://www.lotus.com/lotus/offering1.nsf/wdocs/messagingcompetitive?OpenDocument&cwesite=lotusnotesdom
http://www.microsoft.com/exchange/evaluation/compare/METAEx2k3vNotes.mspx

- Laura

On 10/5/05, Tony Murray <[EMAIL PROTECTED]> wrote:
>
> Can anyone point me at an independent source of information on the
> capabilities and limitations of the Notes/Domino directory as compared
> with AD?
>
> Tony


-----
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Bernard, Aric

Actually, it may – rumor has it that there may be some licensing changes coming for the virtualized Windows world…

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 05, 2005 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

You're hardly alone in this.  It took
a little while before the touted security of the empty root model was blown
open by my esteemed colleagues at HP (then Compaq).  Lots and lots of
organizations have adopted empty-root and other multiple-domain architectures,
only to regret it later.

Still, Virtual Server (or VMware) would address the hardware requirement to a large extent since you could run two physical machines instead of six, but it doesn't really do anything for Charlie's desire to buy fewer server licenses.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I’m not saying we need a better solution here, and there are factors due to the
internal/external nature of our business that PSS (I think) recommended the
design we have.  When we
built it, the empty root was widely considered to be the best design.  My
point was that to support this, we need at least 6 W2K3 servers running
(physical or not is mostly beside the point).  We don’t really need
load balancing for this size – but we need 2 servers for each domain if
we want to avoid the risk of having the only DC for a domain go down.  My
point was that the directory is a database, but it’s tied to the server
OS in such a way that even stopping the directory on one box is a feat for MS
to do (they’re working on that, as I think Joe mentioned and is
non-NDA).  Securing a copy of the directory and making it available means
doing that for the entire server unit right now, not just the directory –
a different database model than say SQL.  Should the AD database be more
modular to separate it out from the OS so that it could be treated as one might
treat a SQL database?  Maybe not.  I was just asking the question in
hopes of sparking some new ideas of ways to mitigate the risk a single DC
domain incurs today. :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list


My question would be: for a small directory of 5000 users, why do you
have 3 domains? If it is for separate password policies, then perhaps a better
wish list item would be the ability to have multiple password policies in one
domain.

Phil

On 10/5/05, Rich Milburn <[EMAIL PROTECTED]> wrote:

I think the biggest reason people want to be able to run multiple domains on one server is the same reason practically no one (except for SBS) installs just one DC, and the same reason we always install a minimum of 2 for a domain.  We have a forest root and 2 child domains model, and it takes us 6 servers to run that - for basically 2 directories and fewer than 5000 users.  That seems like a waste of hardware in some situations - especially if you have multiple orgs that you run.  The parallel might be for a web hosting company to have 2 full web servers for each domain they host - in case 1 goes down, they still have a second.  VS is an answer, yes, although you still need a full server license for each VM.  The thing with domains is you don't want to only have 1 online copy of the directory.  MS didn't seem too convinced there was a good reason to have an online second server - they cited backups as a good solution to the issue.  In a big org the cost of an additional server to provide redundancy is negligible, but is having an online copy (second DC) really the BEST way to do this?  And it doesn't help SBS users, since they can (correct me if I'm wrong) only have 1 DC.  I realize it may be the best way we have with W2K3, but how could the issue of redundancy be addressed with AD differently than having 2 DCs minimum per domain?  Anyone have any ideas?

Rich


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [Active

RE: [ActiveDir] Notes/Domino LDAP

2005-10-05 Thread Brian Desmond
My employer uses Notes. I happen to think it sucks. Notes is kind of like an
app dev platform. You can make programs that run inside Notes. It's a real
version of public folders with custom forms. They focus on that and then
happen to have a messaging client.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


RE: [ActiveDir] Anti-virus protection in domain enviroment

2005-10-05 Thread Derek Harris
Actually, Symantec releases an update at least once a day, but you have
to ftp it (you can script/schedule it). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Wednesday, October 05, 2005 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment

I agree that most all AV vendors are alike, as are most of their
products. I have used every vendor you have mentioned here, and more,
and with the exception of CA they were all perfectly fine. The one
differentiating factor I have found is in the proactive approach that
NOD takes compared to most other vendors. Whereas Symantec comes out
with 1 weekly update on every Wednesday unless there is a major outbreak
to deal with, Nod comes out with at least one, and sometimes 3 or more
updates per day that deal with minor threats that they find on a real
time basis. That and I have had occasion to contact NOD's support team
due to their picking up an app we run to do system monitoring here. They
tagged it as Spyware (which was good as it could be used that way) and
after I informed them of the issue they had a new definition set that
corrected the problem released within 60 minutes. Try getting that kind
of response out of Symantec or Norton. I've never gotten it. It takes me
almost that long just to find Symantec's support phone number on their
website. To me it's those little things that make the difference more
than the up front cost.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, October 05, 2005 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment

I came <> to ripping out Trend in my office due to the BSOD,
false positives and the infamous Friday incident.  They are on probation
right now.

The ones bantered around in our A/V wars discussions:

Symantec [not yellow box but corp]
Sophos
CA

I have a fellow SBSer in AU who LOVES Nod32.

Pick one... they are in reality ALL reactionary. 

Real geeks don't use A/V anyway.  [you should have seen the thread on
whether to stick a/v on a web server on the focus on ms listserve... if
you set up a server for a select job, lock it down only serve up
static pages.. why 'does' it need to be covered by A/V was the topic]



Tim Vander Kooi wrote:

>I've only been on the list a short time, but I must have missed the 
>mandatory Trend Micro brainwashing. :-) So far from what I have noticed
>there seems to be a set answer to all AV questions.
>Question: I'm curious about the capabilities of NOD32.
>Answers (en masse): You should use Trend Micro.
>Question: Is anyone using Symantec?
>Answer (again en masse): You should buy Trend Micro.
>
>Not that there is anything wrong with Trend Micro's product, it's great
>in my opinion, but these responses don't seem to be very helpful with 
>regard to the questions being asked.
>
>My apologies to the list "gods" if TM is the list sponsor. :-) Tim
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Glen Miller
>Sent: Wednesday, October 05, 2005 11:55 AM
>To: 'ActiveDir@mail.activedir.org'
>Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment
>
>Look into a product called Office Scan, by a company called Trend Micro.
>I have been using this product happily since 1998.  It saved me from 
>the "I love you" bug and a few rather nasty ones since.
>
>"I want my two dollars!" 
>
>
>And Joe!  Petitioning Webster's to include Joe-isms as an actual word. 
>
> 
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ahmed Al Awah
>Sent: Tuesday, October 04, 2005 12:35 PM
>To: 'ActiveDir@mail.activedir.org'
>Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment
>
>Since we're on topic..is anyone using Symantec AntiVirus 10 corp 
>edition for A/V protection in a domain environment?
>
>-Original Message-
>From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
>[mailto:[EMAIL PROTECTED]
>Sent: October 4, 2005 11:07 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment
>
>
>My 1 cent.
>
>I should go back to lurking...but... when choosing your a/v solution 
>there's something to check on... some of the a/v vendors have 
>historically needed admin rights to update or have had vulnerabilities
>themselves.
>
>Might be something to investigate and consider when choosing an a/v 
>...especially on a DC.
>
>In my own historical issues with Trend, the OfficeProtect dat file 
>upgrade to XP sp2 wasn't properly 'vetted' and flatlined my 
>workstations, and last I heard cost Trend $8 mil in lost sales.  They've also had a 
>security vulnerability patched somewhat recently.
>
>Epo's had their issues as well
>
>http://xforce.iss.net/xforce/xfdb/21839
>
>ISS X-Force D

RE: [ActiveDir] Notes/Domino LDAP

2005-10-05 Thread Ed Crowley [MVP]
Of course that doesn't have anything to do with AD.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, October 05, 2005 6:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Notes/Domino LDAP

My employer uses Notes. I happen to think it sucks. Notes is kind of like an
app dev platform. You can make programs that run inside Notes. It's a real
version of public folders with custom forms. They focus on that and then
happen to have a messaging client.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Ed Crowley [MVP]

I don't make recommendations based on vaporware or rumors...

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, 
AricSent: Wednesday, October 05, 2005 6:31 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Active Directory 
wish list


Actually, it may – 
rumor has it that there may be some licensing changes coming for the virtualized 
Windows world…
 
 
 
Aric
 





[ActiveDir] Maurice McNeill is out of the office.

2005-10-05 Thread MMcNeill
I will be out of the office starting  10/06/2005 and will not return until
10/07/2005.

I will respond to your message when I return.


[ActiveDir] Fwd: password policy not getting reflected on Domain object

2005-10-05 Thread Kamlesh Parmar
Hey guys any pointers on this issue?

-- Forwarded message --
From: Kamlesh Parmar <[EMAIL PROTECTED]>
Date: Oct 5, 2005 1:02 AM
Subject: password policy not getting reflected on Domain object
To: ActiveDir@mail.activedir.org

Hi All,

I tried to search the archives, but couldn't find anything relevant.

Anyway, in our domain, in the past, due to a replication issue, our password and
account lockout policy was getting reverted back to defaults.
We cleared the replication issues, but now if we change the password or
account lockout policy in the DDGPO, it doesn't get applied to the domain
object.

The values of maxPwdAge, minPwdAge etc. on the Domain object are not reflecting the values set in the DDGPO.
For the time being, I had set the values directly on the domain object using adsiedit.msc.

Should I just take a backup and run DCGPOFIX? Or any other things I should look at?
-- 
Kamlesh
~~~"Fortune and Love befriend the bold"~~~

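A defender's check for the symptom Kamlesh describes, added here and not part of the thread: it decodes the password and lockout attributes on the domain object (the raw values adsiedit.msc shows) and lists where they differ from what the DDGPO is meant to set. The sample attribute values are constructed, and the intended policy numbers are assumptions.

```python
"""Decode the password and account-lockout policy attributes on an AD
domain object (the domain NC head, DC=...) and compare them with the
values the Default Domain GPO (DDGPO) is supposed to write there.

Added example, not from the thread.  AD stores maxPwdAge, minPwdAge,
lockoutDuration and lockOutObservationWindow as negative 64-bit integers
counting 100-nanosecond intervals; the sentinel -2**63 on maxPwdAge
means "password never expires".  All sample values below are constructed.
"""
from dataclasses import dataclass, fields
from typing import Dict, List, Optional, Tuple

TICKS_PER_DAY = 864_000_000_000   # 100-ns intervals in 24 hours
TICKS_PER_MINUTE = 600_000_000    # 100-ns intervals in 60 seconds
NEVER = -(2 ** 63)                # 0x8000000000000000 as a signed int64


def ticks_to_days(raw: str) -> Optional[float]:
    """Interval attribute -> days; None when the value means 'never'."""
    value = int(raw)
    if value == NEVER:
        return None
    return -value / TICKS_PER_DAY


def ticks_to_minutes(raw: str) -> Optional[float]:
    """Interval attribute -> minutes; None when the value means 'never'."""
    value = int(raw)
    if value == NEVER:
        return None
    return -value / TICKS_PER_MINUTE


@dataclass
class PasswordPolicy:
    """Human-readable form of the domain-wide policy."""
    max_pwd_age_days: Optional[float]
    min_pwd_age_days: Optional[float]
    min_pwd_length: int
    pwd_history_length: int
    lockout_threshold: int          # 0 means account lockout is disabled
    lockout_duration_min: Optional[float]
    lockout_window_min: Optional[float]


def decode_domain_object(attrs: Dict[str, str]) -> PasswordPolicy:
    """Build a PasswordPolicy from the raw attribute strings of the domain
    object, as returned by an LDAP search or shown in adsiedit.msc."""
    return PasswordPolicy(
        max_pwd_age_days=ticks_to_days(attrs["maxPwdAge"]),
        min_pwd_age_days=ticks_to_days(attrs["minPwdAge"]),
        min_pwd_length=int(attrs["minPwdLength"]),
        pwd_history_length=int(attrs["pwdHistoryLength"]),
        lockout_threshold=int(attrs["lockoutThreshold"]),
        lockout_duration_min=ticks_to_minutes(attrs["lockoutDuration"]),
        lockout_window_min=ticks_to_minutes(attrs["lockOutObservationWindow"]),
    )


def find_mismatches(intended: PasswordPolicy,
                    actual: PasswordPolicy) -> List[Tuple[str, object, object]]:
    """Return (field, intended, actual) for every setting where the domain
    object does not carry what the GPO should have applied."""
    return [
        (f.name, getattr(intended, f.name), getattr(actual, f.name))
        for f in fields(PasswordPolicy)
        if getattr(intended, f.name) != getattr(actual, f.name)
    ]


# Constructed sample: the domain object has fallen back to defaults while
# the DDGPO was edited to a 60-day max age, 8-char minimum, 5-strike lockout.
DOMAIN_OBJECT = {
    "maxPwdAge": "-36288000000000",           # 42 days
    "minPwdAge": "-864000000000",             # 1 day
    "minPwdLength": "7",
    "pwdHistoryLength": "24",
    "lockoutThreshold": "0",                  # lockout disabled
    "lockoutDuration": "-18000000000",        # 30 minutes
    "lockOutObservationWindow": "-18000000000",
}
INTENDED = PasswordPolicy(60.0, 1.0, 8, 24, 5, 30.0, 30.0)  # assumed GPO values

if __name__ == "__main__":
    actual = decode_domain_object(DOMAIN_OBJECT)
    for name, want, got in find_mismatches(INTENDED, actual):
        print(f"{name}: GPO wants {want}, domain object has {got}")
```

Run it against the real domain object by replacing DOMAIN_OBJECT with the attributes returned by an LDAP search of the domain NC head.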