RE: [ActiveDir] script to check the "inheritance" from the security Tab...
Hello Michel,

Look at the VB-Script in KB 817433 ( http://support.microsoft.com/?id=817433 ), especially the SetInheritanceFlag function.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
|Sent: Wednesday, October 26, 2005 12:48 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] script to check the "inheritance" from the security Tab...
|
|Hi,
|I would like to make sure that all the following check boxes are checked:
|Inherit from parent the permissions entries that apply to child object.
|
|I would like to do this as a batch job, without having to go manually to each user object.
|
|Anyone has an idea on scripts or tools (freeware) that can allow me to reset these?
|
|Thanks!
|
|List info : http://www.activedir.org/List.aspx
|List FAQ: http://www.activedir.org/ListFAQ.aspx
|List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] ADFIND mods
Beta 2 is ready. Same download location.

http://www.joeware.net/win/free/tools/adfind-beta.htm

I have fixed a couple of bugs I found and some others reported. Also added a couple of items that I thought of and/or were recommended.

-tdcs - time decode in more easily sortable format than -tdc. CSV really helped drive this change. I had everything in place for it, just didn't have it exposed via a switch.

-utc - output -tdc/-tdcs in UTC instead of local TZ. Also have -tdc/-tdcs output TZ so you know what it is.

-nocsvheader - doesn't list attribute header at top of csv output

-po - print out all switches and attributes specified. This will dump out everything set through command line as well as -e and -ef options.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, October 19, 2005 12:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFIND mods

I have finished the initial pass through the adfind updates. I have done some testing and allowed a few others to test it and am now opening up the beta to this list; please don't forward, as I don't want a bunch of people using the beta 2 months from now.

o Phantom Root capability (-pr) - Allows you to search across all partitions across a DC or ADAM instance based on the specified base. I.E. -b ".com" would retrieve *.com partitions. -b "" would retrieve all partitions, say all ADAM partitions or default domain, config, and schema of a DC (even if it isn't a GC).

o Added list (-list) - output from adfind is in list format. For instance, say you want a simple list of ldapdisplaynames of all the attributes in the schema. You could use a query like

Adfind -schema -f objectcategory=attributeschema ldapdisplayname -list

If you want the output sorted by ldapdisplayname, you do not have to specify -sort ldapdisplayname; if you specify -sort or -rsort it will automatically assume you want ldapdisplayname or whatever other attribute you are listing by. However, if you want it sorted by some other attribute, you can still specify it.

o Added -soao - Sorted order attribute output. Jerry Schulman asked me for this and the next update. This sorts the attributes output for each object by attribute name so they will be in a consistent order. This is nice for scripting in the scripting languages that have minimal parsing capabilities (like not Perl) ;o)

o -oao - Ordered attribute output. Attribute output for each object is in the order you specify attributes to be returned in the command submitted. Not only that, but if a specific object doesn't have one of the attributes, it will still put a slot in the output for that attribute. By default that slot will be empty (>attribname:) but if you like, you can specify a value to insert (this is from Al Mulnick from some time last year), like say #undef#, so that an attribute you specified to be returned will have that value in the output (>attribname: #undef#). This is done by specifying that string after the -oao switch.

o CSV output... You must specify a list of attributes to be returned; if you don't it will autoselect dn and name for you. If you don't want to specify a list of attributes, you can still use adcsv.pl (Should I compile that?). Supporting switches are -csvdelim, -csvmvdelim, -csvq. The delim switches let you specify delimiters for the attribs and the values of a mv attrib. csvq lets you specify a different value to quote the attributes; default is the quote character. -nodn is supported with -csv...

o -incldn and -incldndelim - these are like -excldn and -excldndelim but allow you to filter on what you want to see versus what you don't want to see. Remember, all data from the query comes back; this will simply filter out unwanted objects on display.

o Added the ability to decode msDS-User-Account-Control-Computed when using -samdc

o Added decode for AzMan groups (basic and query based) with -samdc on grouptypes.

o Fixed a bug in the filter expansion of the stats+ output. It would blow it if there were parens in the output that weren't related to the filter itself.

o Added environment option (-e). We discussed this functionality and the next functionality on the list a while back. You can specify environment variables and adfind will read them and use them like they were specified on the command line. Switches provided at the command line will override anything specified in the env vars. Attributes specified will be in addition to what is specified on the command line. The default prefix for the env vars is adfind-. So if you wanted to specify a host to use in the env vars, say because you don't want to keep typing it, you could type

Set adfind-h=hostname.somedomain.someotherdomain.somedomain.com

And then when you do adfind and specify the -e switch it will pull that in and use it. If you want to specify a different prefix you specify it after the -e, like for instance -e adam1 -e adam2 -adam3, and then you could hav
RE: [ActiveDir]Group Policy Administrative Templates
There are a few free and for-pay tools to do it. Check out the following:

RegtoADM: turns .reg files into ADMs. Free tool that is part of the NUTS utilities at http://yizhar.mvps.org/

ADM Template Editor: This is a for-pay tool found at http://www.sysprosoft.com/adm_summary.shtml

Policy Template Editor: a for-pay tool at http://www.tools4ever.com/products/utilities/policytemplateeditor/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sadovskiy Artem Nikolaevich
Sent: Tuesday, October 25, 2005 7:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]Group Policy Administrative Templates

Hi! Are there any tools that can assist me to create .ADM (Group Policy Administrative Templates) files? If anybody knows, please send me a link. Regards.
[ActiveDir]Group Policy Administrative Templates
Hi! Are there any tools that can assist me to create .ADM (Group Policy Administrative Templates) files? If anybody knows, please send me a link. Regards.
RE: [ActiveDir] secure subnet; no sharing of files or internet access
Are you opening the ports between the subnets or between the subnet and the DC host IPs? If you do the latter, the only place your users could drop files and what have you is on the DCs, and they'd need to be domain admins or someone has to create a share on the DC that they can access. You'll need to trust your admins or take away their privs.

Your firewall rules should be permitting the traffic from the secure subnet to host objects for the DCs, not from the secure subnet to the subnet with the DCs on it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sdgesa gaeharth
Sent: Tuesday, October 25, 2005 9:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] secure subnet; no sharing of files or internet access

We have a single office with a single domain. Our physical network consists of a firewall with a set of managed switches behind it. I have partitioned the network into multiple subnets using VLANs.

Vlan 1: 10.0.1.0/24: internal dmz (AD, DNS, DHCP)
Vlan 2: 10.0.2.0/24: accounting
Vlan 3: 10.0.3.0/24: business development
Vlan 4: 10.0.4.0/24: secured vlan

We need to restrict Vlan 4, the "secured vlan", so no confidential files can get out. No Internet, no file sharing with the other subnets, no printers, etc. I opened DNS, DHCP, and AD ports from Vlan 4 to Vlan 1 in order to facilitate authentication against the DC. However, I am still worried that users could possibly be able to get files out. For example, it seems port 445 is needed for authentication and file sharing.

Does anyone have any hints except the obvious one of separating the subnet physically, which is not an option?

thanks

__
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
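The reply above turns on one rule-design point: every permit leaving the secured VLAN should name a DC host address, not the whole DC subnet or "any", and should carry only the ports the DCs need. The following Python is an added example written for this thread, not something from the original posts; it audits a constructed rule table against that rule. The DC addresses, the rule dict format and the port allowlist are all assumptions made for the example (the VLAN numbering follows the question), so adjust them to the firewall you actually run.

```python
"""Audit firewall permit rules leaving a secured VLAN.

Added example for the secure-subnet thread (not from the original posts).
Every permit whose source overlaps the secured VLAN is checked against the
advice in the reply: destination must be a single known DC host, and the
port must be one the DCs serve. All addresses and rules are constructed.
"""
import ipaddress

SECURED_VLAN = ipaddress.ip_network("10.0.4.0/24")          # Vlan 4 in the question
# Assumed DC/DNS/DHCP host addresses inside Vlan 1 (constructed for the example).
DC_HOSTS = {ipaddress.ip_address("10.0.1.10"), ipaddress.ip_address("10.0.1.11")}
# Assumed allowlist of ports the DCs need for DNS, DHCP, Kerberos, LDAP, RPC
# and SMB (445 is included because logon needs it; see the caveat in the reply).
AD_PORTS = {53, 67, 68, 88, 123, 135, 389, 445, 464, 636, 3268, 3269}

# Finding texts (stable so callers can match on them).
DST_NOT_HOST = "destination is a whole subnet or any, not a single DC host"
DST_NOT_DC = "destination host is not a known DC"
PORT_ANY = "all ports permitted"
PORT_NOT_AD = "port is not one the DCs need for DNS/DHCP/AD"


def audit_rules(rules):
    """rules: list of dicts with keys action, src, dst, proto, port.
    src/dst are CIDR strings ("0.0.0.0/0" for any); port is a number string or "any".
    Returns a list of (rule_index, finding) for every permit that lets traffic
    out of the secured VLAN more widely than 'secured VLAN -> one DC host on an AD port'."""
    findings = []
    for index, rule in enumerate(rules):
        if rule["action"] != "permit":
            continue
        src = ipaddress.ip_network(rule["src"])
        # overlaps() rather than equality: a "permit any any" rule also covers
        # the secured VLAN and must be audited too.
        if not src.overlaps(SECURED_VLAN):
            continue
        dst = ipaddress.ip_network(rule["dst"])
        if dst.num_addresses != 1:
            findings.append((index, DST_NOT_HOST))
        elif dst.network_address not in DC_HOSTS:
            findings.append((index, DST_NOT_DC))
        if rule["port"] == "any":
            findings.append((index, PORT_ANY))
        elif int(rule["port"]) not in AD_PORTS:
            findings.append((index, PORT_NOT_AD))
    return findings


# Constructed sample rule table, in the order a firewall would evaluate it.
SAMPLE_RULES = [
    {"action": "permit", "src": "10.0.4.0/24", "dst": "10.0.1.10/32", "proto": "udp", "port": "53"},
    {"action": "permit", "src": "10.0.4.0/24", "dst": "10.0.1.0/24", "proto": "tcp", "port": "445"},
    {"action": "permit", "src": "10.0.4.0/24", "dst": "0.0.0.0/0", "proto": "tcp", "port": "80"},
    {"action": "permit", "src": "10.0.4.0/24", "dst": "10.0.2.50/32", "proto": "tcp", "port": "445"},
    {"action": "deny", "src": "10.0.4.0/24", "dst": "0.0.0.0/0", "proto": "ip", "port": "any"},
    {"action": "permit", "src": "10.0.2.0/24", "dst": "0.0.0.0/0", "proto": "ip", "port": "any"},
]

if __name__ == "__main__":
    for index, finding in audit_rules(SAMPLE_RULES):
        print("rule %d: %s -> %s" % (index, SAMPLE_RULES[index]["dst"], finding))
```

Only rule 0 passes: rule 1 opens SMB to the entire DC subnet, rule 2 is the Internet hole, and rule 3 points SMB at an accounting host. Rule 5 is out of scope because its source never overlaps the secured VLAN. Even a clean table still leaves the residual risk the reply describes: port 445 to a DC host is only as safe as the shares on that DC, so the audit belongs beside a check that no user-writable share exists there.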
[ActiveDir] secure subnet; no sharing of files or internet access
We have a single office with a single domain. Our physical network consists of a firewall with a set of managed switches behind it. I have partitioned the network into multiple subnets using VLANs.

Vlan 1: 10.0.1.0/24: internal dmz (AD, DNS, DHCP)
Vlan 2: 10.0.2.0/24: accounting
Vlan 3: 10.0.3.0/24: business development
Vlan 4: 10.0.4.0/24: secured vlan

We need to restrict Vlan 4, the "secured vlan", so no confidential files can get out. No Internet, no file sharing with the other subnets, no printers, etc. I opened DNS, DHCP, and AD ports from Vlan 4 to Vlan 1 in order to facilitate authentication against the DC. However, I am still worried that users could possibly be able to get files out. For example, it seems port 445 is needed for authentication and file sharing.

Does anyone have any hints except the obvious one of separating the subnet physically, which is not an option?

thanks
Re: [ActiveDir] OT: QuickBooks 2005 permissions
I will have to try that on the 2006 beta. The last time I tried to do 'just' certain Classes roots that I saw in filemon/regmon it would not load. I also had to do \common files\Intuit

If it works I'll update the instructions http://www.sbslinks.com/lua2.htm

Crawford, Scott wrote:

A few weeks ago, there was some mention of the required permissions to run Quickbooks as a non-admin user. According to this site: http://www.quickbooksgroup.com/webx/[EMAIL PROTECTED]@ the perms needed are Users:W to the following locations:

HKLM\Software\Intuit
HKLM\Software\Classes\QuickBooks.CoLocator.1
HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}
C:\Program Files\Intuit

Whenever I've tracked these things down, I just give users full control to the needed locations instead of trying to determine the exact perms needed. Furthermore, I generally apply the perms to the root of the app's folder. For example, I'll grant the perms at the root Intuit folder instead of chasing down the one or two files that actually need to be modified. This tends to eliminate future problems when somebody uses some new function of the app that hasn't been tested and it needs to write to a different file.

Anyway, I thought some of you might be interested. I just tried it here and all seems good.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
[ActiveDir] OT: QuickBooks 2005 permissions
A few weeks ago, there was some mention of the required permissions to run Quickbooks as a non-admin user. According to this site: http://www.quickbooksgroup.com/webx/[EMAIL PROTECTED]@ the perms needed are Users:W to the following locations:

HKLM\Software\Intuit
HKLM\Software\Classes\QuickBooks.CoLocator.1
HKLM\Software\Classes\CLSID\{E53C85D6-E6D9-4BCF-A632-72062A99AA7F}
C:\Program Files\Intuit

Whenever I've tracked these things down, I just give users full control to the needed locations instead of trying to determine the exact perms needed. Furthermore, I generally apply the perms to the root of the app's folder. For example, I'll grant the perms at the root Intuit folder instead of chasing down the one or two files that actually need to be modified. This tends to eliminate future problems when somebody uses some new function of the app that hasn't been tested and it needs to write to a different file.

Anyway, I thought some of you might be interested. I just tried it here and all seems good.
RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
My interpretation is that you need an EC for anonymous availability and CALs for authenticated users – one SPS CAL per authenticated user enterprise-wide is I think how it works. The best thing to do would be to call your MS licensing person and ask them.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Tuesday, October 25, 2005 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

Right, but the extranet isn't publicly available. It's only available to a select few clients. We'd rather purchase individual CAL's for the few extranet users at ~$71 each rather than $30K for an unlimited number. The licensing didn't stipulate that the individual CAL's could not be used for external users. The External Connector License option seemed to be geared toward a public sharepoint portal where you don't know how many users might be connecting to it, or would have enough connecting that would make purchasing individual CAL's unrealistic. http://www.microsoft.com/office/sharepoint/howtobuy/default.mspx

Regardless, I should clarify. Suppose we have 20 employees, a license for Sharepoint and 30 CAL's. We run an extranet portal for sharepoint, which those employees access, as well as, say, 5 clients. Without buying more CAL's, can we run an intranet portal for our employees using that Sharepoint server?

Thanks!

- Original Message -
From: Tim Vander Kooi
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 25, 2005 3:27 PM
Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

For your described situation a CAL would not cover both portals. Then again, if you are using it for an Extranet with CALs you are incorrectly licensed as is. An Extranet setup would require an External Connector license, as the people connecting to it are not employees of your company. Using SharePoint Portal Server for an Intranet would require either user or device CALs, just like Windows Server does.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Tuesday, October 25, 2005 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

I tried this question on the Sharepoint Newsgroup with no luck on responses. I'd like to know if MS Sharepoint CAL's will cover multiple portals on sharepoint. We are thinking of using sharepoint for our company intranet (we already use it for an extranet) and want to make sure we are covered if we go that route. Does anyone know?
RE : [ActiveDir] script to check the "inheritance" from the security Tab...
Hello,

Yes you can do it with the dsacls command, which I think is a part of the 2k or 2k3 rkit. I have used it a long time ago to check the box and it works great! I do not remember the exact command, but we will find it easily by typing dsacls /?

The /I:T switch stands for "This object and sub objects".

Yann

From: [EMAIL PROTECTED] on behalf of Bruyere, Michel
Date: Wed. 26/10/2005 00:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] script to check the "inheritance" from the security Tab...

Hi,
I would like to make sure that all the following check boxes are checked:
Inherit from parent the permissions entries that apply to child object.

I would like to do this as a batch job, without having to go manually to each user object.

Anyone has an idea on scripts or tools (freeware) that can allow me to reset these?

Thanks!
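Both replies in this thread (the KB 817433 script and dsacls) fix the check box; neither shows how to find out, across all user objects, which ones have it cleared. The Python below is an added example for that audit step, written for this thread and not taken from the KB script or from dsacls. The check box "Inherit from parent the permission entries that apply to child objects" is the inverse of the SE_DACL_PROTECTED control bit on the object's nTSecurityDescriptor, so an export of that attribute is enough. The code assumes you have already exported the descriptor either as an SDDL string or as the raw self-relative bytes an LDAP client returns; how you export it, the DNs and every descriptor below are constructed for the example.

```python
"""Audit exported AD security descriptors for blocked inheritance.

Added example for the inheritance thread; not the KB 817433 script and not
a dsacls wrapper. SE_DACL_PROTECTED set == the "Inherit from parent ..."
check box cleared. Two export shapes are handled: an SDDL string
("...D:PAI(...)") and the raw self-relative security descriptor bytes.
All sample data is constructed.
"""
import re
import struct

# Control flags from the Windows SECURITY_DESCRIPTOR_CONTROL definition.
SE_DACL_PRESENT = 0x0004
SE_DACL_AUTO_INHERITED = 0x0400
SE_DACL_PROTECTED = 0x1000   # set <=> inheritance check box cleared
SE_SELF_RELATIVE = 0x8000


def sddl_sections(sddl):
    """Split an SDDL string into its O:, G:, D: and S: sections."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}


def dacl_protected_from_sddl(sddl):
    """True if the DACL flags (the letters before the first ACE) contain P."""
    sections = sddl_sections(sddl)
    if "D" not in sections:
        raise ValueError("no DACL section in SDDL string")
    flags = sections["D"].split("(", 1)[0]
    return "P" in flags


def dacl_protected_from_bytes(sd):
    """True if SE_DACL_PROTECTED is set in a self-relative descriptor header."""
    if len(sd) < 20:
        raise ValueError("security descriptor shorter than its 20-byte header")
    revision, _sbz1, control = struct.unpack_from("<BBH", sd, 0)
    if revision != 1:
        raise ValueError("unsupported security descriptor revision %d" % revision)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("expected a self-relative security descriptor")
    if not control & SE_DACL_PRESENT:
        # A missing DACL grants everyone full access: a separate and worse
        # finding than blocked inheritance, so surface it instead of hiding it.
        raise ValueError("descriptor has no DACL at all")
    return bool(control & SE_DACL_PROTECTED)


def audit(objects):
    """objects: iterable of (dn, descriptor); descriptor is str (SDDL) or bytes.
    Returns the DNs whose inheritance check box is cleared."""
    flagged = []
    for dn, descriptor in objects:
        if isinstance(descriptor, (bytes, bytearray)):
            protected = dacl_protected_from_bytes(bytes(descriptor))
        else:
            protected = dacl_protected_from_sddl(descriptor)
        if protected:
            flagged.append(dn)
    return flagged


def make_sd(control):
    """Constructed test data: a 20-byte self-relative descriptor header with
    the given control bits and no owner/group/SACL/DACL bodies behind it."""
    return struct.pack("<BBHIIII", 1, 0, control | SE_SELF_RELATIVE, 0, 0, 0, 0)


# Constructed sample export: two SDDL strings and two raw descriptors.
SAMPLE = [
    ("CN=Alice,OU=Users,DC=example,DC=com", "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"),
    ("CN=Bob,OU=Users,DC=example,DC=com", "O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"),
    ("CN=Carol,OU=Users,DC=example,DC=com", make_sd(SE_DACL_PRESENT | SE_DACL_AUTO_INHERITED)),
    ("CN=Dave,OU=Users,DC=example,DC=com", make_sd(SE_DACL_PRESENT | SE_DACL_PROTECTED)),
]

if __name__ == "__main__":
    for dn in audit(SAMPLE):
        print("inheritance blocked:", dn)
```

Bob and Dave are the two objects the audit reports. Before re-enabling inheritance on everything the report lists, filter out accounts with adminCount set: members of protected groups get their DACL protected on purpose by the AdminSDHolder process, and it will clear the box again within the hour even if dsacls turns it back on.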
RE : [ActiveDir] Microsoft password notification service
Hello,

Sorry for the delay, I was a bit busy these days ;)

So, this message appears when changing a password in AD... Some thoughts:

1) Have you enabled password synchronisation on the MIIS side? Go to Tools -> Options and check the "enable password sync." check box.

2) The "Access is denied" states that the account associated to the PCNS does not have enough rights to proceed with the password change notification for users. Try to associate PCNS (with setspn.exe) with admin rights (administrator) and see if that works.

Tell us how it works,

Yann

From: [EMAIL PROTECTED] on behalf of Antonio Aranda
Date: Thu. 20/10/2005 16:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft password notification service

yes, your directions worked

antonio

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Thursday, October 20, 2005 3:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft password notification service

Hi,

Before continuing, is your first problem resolved?

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Thursday, 20 October 2005 01:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft password notification service

Event Type: Error
Event Source: PCNSSVC
Event Category: Error
Event ID: 6025
Date: 7/10/2005
Time: 1:08:29 PM
User: N/A
Computer: POLICE
Description:
Password Change Notification Service received an RPC exception attempting to deliver a notification.
Thread ID: 1988
Tracking ID: e6656f05-0f1a-4fb7-b04c-a3f23deb8114
User GUID: 0146a5d7-774b-47b8-aeb3-72db14d038ac
User: MCOM\agnew_s237
Target: personality
Delivery Attempts: 1097
Queued Notifications: 3
0x0005 - Access is denied.

could you help me with this error message?

thanks
Antonio

-Original Message-
From: TIROA YANN [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, October 19, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Microsoft password notification service

Hi,

Seems like a collision problem while creating 2 objects with the same name and same DN on different DCs. So the most recently named object keeps the original DN attribute; AD renames the remaining duplicates to a name as "originalRdn#CNF:objectGuid", where CNF is a tag to denote that the object was renamed due to a name conflict.

In order to resolve this issue you may delete 3 of them, logically those which have the CNF tags. Personally, I will delete all of them and recreate them with pcnscfg.exe. So open ADUC, go to the "System" container (in advanced feature mode of ADUC), find the "Password Change Notification Service" container; you will see all your targets created. Delete all of them and recreate them again. Wait for the end of replication to take place *BEFORE* recreating targets.

Yann

From: [EMAIL PROTECTED] on behalf of Antonio Aranda
Date: Wed. 19/10/2005 18:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft password notification service

Here is what I typed and the responses.

C:\Program Files\Microsoft Password Change Notification>pcnscfg DELETETARGET /N:miisdemo
Error deleting the target. The target was not found.

C:\Program Files\Microsoft Password Change Notification>pcnscfg DISABLETARGET /N:miisdemo
Error modifying the target. The target was not found.

C:\Program Files\Microsoft Password Change Notification>pcnscfg MODIFYTARGET /N:miisdemo /a:personality /s:PCNSPER2/PERSONALITY /fi:"domain Users" /f:3
Error modifying the target. The target was not found.

C:\Program Files\Microsoft Password Change Notification>pcnscfg list
The service configuration is not set. Defaults will be used by the service.

Default Service Configuration
MaxQueueLength: 0
MaxQueueAge...: 259200 seconds
MaxNotificationRetries: 0
[ActiveDir] script to check the "inheritance" from the security Tab...
Hi,

I would like to make sure that all the following check boxes are checked:
Inherit from parent the permissions entries that apply to child object.

I would like to do this as a batch job, without having to go manually to each user object.

Anyone has an idea on scripts or tools (freeware) that can allow me to reset these?

Thanks!
Re: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
Right, but the extranet isn't publicly available. It's only available to a select few clients. We'd rather purchase individual CAL's for the few extranet users at ~$71 each rather than $30K for an unlimited number. The licensing didn't stipulate that the individual CAL's could not be used for external users. The External Connector License option seemed to be geared toward a public sharepoint portal where you don't know how many users might be connecting to it, or would have enough connecting that would make purchasing individual CAL's unrealistic. http://www.microsoft.com/office/sharepoint/howtobuy/default.mspx

Regardless, I should clarify. Suppose we have 20 employees, a license for Sharepoint and 30 CAL's. We run an extranet portal for sharepoint, which those employees access, as well as, say, 5 clients. Without buying more CAL's, can we run an intranet portal for our employees using that Sharepoint server?

Thanks!

- Original Message -
From: Tim Vander Kooi
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 25, 2005 3:27 PM
Subject: RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

For your described situation a CAL would not cover both portals. Then again, if you are using it for an Extranet with CALs you are incorrectly licensed as is. An Extranet setup would require an External Connector license, as the people connecting to it are not employees of your company. Using SharePoint Portal Server for an Intranet would require either user or device CALs, just like Windows Server does.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Tuesday, October 25, 2005 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

I tried this question on the Sharepoint Newsgroup with no luck on responses. I'd like to know if MS Sharepoint CAL's will cover multiple portals on sharepoint. We are thinking of using sharepoint for our company intranet (we already use it for an extranet) and want to make sure we are covered if we go that route. Does anyone know?
RE: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
For your described situation a CAL would not cover both portals. Then again, if you are using it for an Extranet with CALs you are incorrectly licensed as is. An Extranet setup would require an External Connector license, as the people connecting to it are not employees of your company. Using SharePoint Portal Server for an Intranet would require either user or device CALs, just like Windows Server does.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Tuesday, October 25, 2005 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?

I tried this question on the Sharepoint Newsgroup with no luck on responses. I'd like to know if MS Sharepoint CAL's will cover multiple portals on sharepoint. We are thinking of using sharepoint for our company intranet (we already use it for an extranet) and want to make sure we are covered if we go that route. Does anyone know?
[ActiveDir] OT: Are MS Sharepoint CAL's good for multiple portals?
I tried this question on the Sharepoint Newsgroup with no luck on responses. I'd like to know if MS Sharepoint CAL's will cover multiple portals on sharepoint. We are thinking of using sharepoint for our company intranet (we already use it for an extranet) and want to make sure we are covered if we go that route. Does anyone know?
RE: [ActiveDir] AD Lag Site
I did those too, and some other things to consider were:

* Putting them inside a virtual machine with faked subnetting in AD: take a class C network and split it in AD Sites and Services, not TCP/IP; then you can spare the router
* Assign the site membership for the host via GPO if it is in one of the virtual subnets of the virtual lag DCs (depending on the subnetting possibilities you have)
* Configure a firewall between the sites to make sure the machines only talk to the ones they are supposed to (if available)
* Use scripting to shut down virtual networks if available in the times they are not supposed to replicate
* Make sure that you configure replication so that it runs a couple of times during the allowed timeframe
* Configure terminal services access on the lag DCs
* Configure boot.ini to be able to boot into DSRM by changing the default without querying for the boot.ini parameter when necessary.

For the replication I usually configured replication every 15 minutes (the lag sites were on the same LAN); Site 1 replicates Tuesday 10pm to Wednesday 2am, Site 2 replicates Saturday 10am to 2pm (each 4 hrs, exactly 1/2 week apart).

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, October 25, 2005 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site

Hi,

Guido and Gil wrote a great ebook about recovery, in which information about lag sites is included. Take a look at: http://www.netpro.com/events/adrecovery/index.cfm (registration needed)

For starters some tips:

* Place at least one DC for each domain in the lag site
* Allow the DCs in the lag site to register only the replication record (CNAME) in the DNS zone _MSDCS.FORESTROOT
* Don't assign WINS server IP addresses for the DCs in the lag sites
* Make sure the site link between the lag site and the hub site has a higher cost than all other site links that connect the hub site and other sites (reason: Exchange AD topology discovery for the out-of-site list of DCs/GCs)
* You might want to use lag sites (e.g. 2) that replicate in steps (1st site replicates like each 3 days and the other each week), where the second lag site is connected to the first and the first is connected to the second and the hub site

This might be expensive though, and you also might have a look at object recovery tools available by third party vendors.

Cheers,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, October 25, 2005 15:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Lag Site

Anyone have any pointers (documentation or real life experience) on setting up an AD Lag Site?

Thanks in advance,
Shawn

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] domain controller that is running Microsoft Windows Server 2003 may stop responding
Looks like a great reason to install SP1 :)

From: "Medeiros, Jose" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To:
Subject: [ActiveDir] domain controller that is running Microsoft Windows Server 2003 may stop responding
Date: Tue, 25 Oct 2005 10:02:32 -0700

FYI..

A domain controller that is running Microsoft Windows Server 2003 may stop responding for 2 to 15 minutes several times a day
http://www.kbalertz.com/Feedback_908370.aspx

Has anyone run into this?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
Re: [ActiveDir] AD Lag Site
As far as I know you can only achieve this objective with a WSUS implementation.

-Original Message-
From: "Whaley, Greg" <[EMAIL PROTECTED]>
Date: Tue, 25 Oct 2005 15:34:56
To:
Subject: RE: [ActiveDir] AD Lag Site

Is it possible to give a user enough rights to install patches on a Windows 2000 Domain Controller but not give him the rights to administer the domain?

Thanks in advance

Greg Whaley
Consulting LAN Engineer
St. John Health
Re: [ActiveDir] domain controller that is running Microsoft Windows Server 2003 may stop responding
Not sure... seen some folks complain about slow opening of files on SBS and need to go back into the newsgroup and follow up with them on that.

Medeiros, Jose wrote:

FYI..

A domain controller that is running Microsoft Windows Server 2003 may stop responding for 2 to 15 minutes several times a day
http://www.kbalertz.com/Feedback_908370.aspx

Has anyone run into this?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] AD Lag Site
This has been answered quite a lot of times, so you might wanna search the archives for all kinds of reactions... simple answer: NO

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Whaley, Greg
Sent: Tue 10/25/2005 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site

Is it possible to give a user enough rights to install patches on a Windows 2000 Domain Controller but not give him the rights to administer the domain?

Thanks in advance

Greg Whaley
Consulting LAN Engineer
St. John Health

CONFIDENTIALITY NOTICE: This email message and any accompanying data are confidential, and intended only for the named recipient(s). If you are not the intended recipient(s), you are hereby notified that the dissemination, distribution, and or copying of this message is strictly prohibited. If you receive this message in error, or are not the named recipient(s), please notify the sender at the email address above, delete this email from your computer, and destroy any copies in any form immediately.
RE: [ActiveDir] AD Lag Site
Is it possible to give a user enough rights to install patches on a Windows 2000 Domain Controller but not give him the rights to administer the domain?

Thanks in advance

Greg Whaley
Consulting LAN Engineer
St. John Health
RE: [ActiveDir] AD Lag Site
And here's an article that covers the basics.
http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html?bucket=ETA

I think Rick Kingslan has done a lot of work in this area, so you might want to ping him too.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, 26 October 2005 2:57 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Site

Hi,

Guido and Gil wrote a great ebook about recovery, where information about lag sites is included. Take a look at: http://www.netpro.com/events/adrecovery/index.cfm (registration needed)

For starters some tips:
* Place at least one DC for each domain in the lag site
* Allow the DCs in the lag site to register only the replication record (CNAME) in the DNS zone _MSDCS.FORESTROOT
* Don't assign WINS server IP addresses for the DCs in the lag sites
* Make sure the site link between the lag site and the hub site has a higher cost than all other site links that connect the hub site and other sites (reason: Exchange AD topology discovery for the out-of-site list of DCs/GCs)
* You might want to use lag sites (e.g. 2) that replicate in steps (1st site replicates like each 3 days and the other each week), where the second lag site is connected to the first and the first is connected to the second and the hub site

This might be expensive though, and you also might have a look at object recovery tools available from third party vendors.

Cheers,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, October 25, 2005 15:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Lag Site

Anyone have any pointers (documentation or real life experience) on setting up an AD Lag Site?

Thanks in advance,
Shawn

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank You. Please note that this communication does not designate an information system for the purposes of the NZ Electronic Transactions Act 2002.

This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal at Gen-i
RE: [ActiveDir] OT: Robocopy command..
FYI, I've used CopyRite XP (don't know if it is still available) on top of robocopy as it is a graphical interface, so I don't have to worry so much about typing in the switches.

Steven Comeau
Manager of Corporate IT Systems
Main Tape
1 Capital Drive, Suite 101
Cranbury, NJ 08512
1-800-526-8273 x332

From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 25, 2005 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Robocopy command..

What about dfs ?

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Tuesday, October 25, 2005 12:05
To: Active
Subject: [ActiveDir] OT: Robocopy command..

Hi. I have used robocopy to copy an entire folder content from oldserver1 to newserver1. I want to keep this data on the new server consistent; however, I only want it to copy file changes and additional files that have been created, not the entire folder content.

I was thinking of using:
robocopy d:\source d:\destination /e /IT /log:e:\log.txt /r:1

Does anyone have any thoughts about the parameters I've used?

thanks
frank
RE: [ActiveDir] OT: Robocopy command..
What about dfs ?

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Tuesday, October 25, 2005 12:05
To: Active
Subject: [ActiveDir] OT: Robocopy command..

Hi. I have used robocopy to copy an entire folder content from oldserver1 to newserver1. I want to keep this data on the new server consistent; however, I only want it to copy file changes and additional files that have been created, not the entire folder content.

I was thinking of using:
robocopy d:\source d:\destination /e /IT /log:e:\log.txt /r:1

Does anyone have any thoughts about the parameters I've used?

thanks
frank
Re: [ActiveDir] OT: Robocopy command..
I know it's not really what you've asked, but would VSS be a good option for you? It seems like a good alternative to what you're talking about, but would need a client on the desktops of people who you want to be able to recover items on their own.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/2b0d2457-b7d8-42c3-b6c9-59c145b7765f.mspx

Phil

On 10/25/05, Frank Abagnale <[EMAIL PROTECTED]> wrote:

Hi Alain,

I have thought about this, but the supervisor of this dept does not want the files removed in the target directory if they are deleted in the source; he kind of wants this as an archived/backed up copy.

Alain Lissoir <[EMAIL PROTECTED]> wrote:

Have you looked at /MIR? (Mirror)
It adds files in the target folder added in the source folder.
It updates files in the target folder updated in the source folder.
It removes files in the target folder removed in the source folder.
Untouched files just stay as they are and they are not copied over.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Tuesday, October 25, 2005 3:05 AM
To: Active
Subject: [ActiveDir] OT: Robocopy command..

Hi. I have used robocopy to copy an entire folder content from oldserver1 to newserver1. I want to keep this data on the new server consistent; however, I only want it to copy file changes and additional files that have been created, not the entire folder content.

I was thinking of using:
robocopy d:\source d:\destination /e /IT /log:e:\log.txt /r:1

Does anyone have any thoughts about the parameters I've used?

thanks
frank
[ActiveDir] domain controller that is running Microsoft Windows Server 2003 may stop responding
FYI.. A domain controller that is running Microsoft Windows Server 2003 may stop responding for 2 to 15 minutes several times a day
http://www.kbalertz.com/Feedback_908370.aspx

Has anyone run into this?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
Re: [ActiveDir] OT: Robocopy command..
Does /M help? It will behave like ntbackup with the incremental backup type, i.e. only copy if the archive bit is set, and as we know the archive bit is set for new files and changed files.

On 10/25/05, Frank Abagnale <[EMAIL PROTECTED]> wrote:

Hi. I have used robocopy to copy an entire folder content from oldserver1 to newserver1. I want to keep this data on the new server consistent; however, I only want it to copy file changes and additional files that have been created, not the entire folder content.

I was thinking of using:
robocopy d:\source d:\destination /e /IT /log:e:\log.txt /r:1

Does anyone have any thoughts about the parameters I've used?

thanks
frank

--
~~~"Fortune and Love befriend the bold"~~~
Re: [ActiveDir] ForestDnsZones
Now I get it!! Thanks a lot!

I was confusing the contents of the app partition with the DNS RR needed for the app partition/NC itself. Sorry, I'm sure that was obvious.

Thanks again, Jorge. You saved me some sleepless nights thinking about it.

On 10/25/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

The DNS subdomain "ForestDNSZones" is for the DNS app partition itself.

By default a W2K3 DC registers certain SRV RRs for a domain partition/naming context it hosts. The ForestDNSZones (per AD forest) and the DomainDNSZones (per AD domain in an AD forest) are application partitions/naming contexts for DNS. Again by default the DCs hosting the ForestDNSZones (all the DCs in the AD forest!) register SRV RRs in that subdomain and DCs hosting the DomainDNSZones (per domain and all DCs in a certain AD domain) register records in that subdomain.

If you create a custom app partition beneath some domain and enlist several DCs as replica members, those DCs will host replicas for that partition and thus register SRV RRs for that partition.

When creating a DNS zone and choosing a replication scope you are just saying: store the data for that DNS zone in that app partition and replicate to the DCs that are replica members of that partition.

For more info: http://www.oreilly.com/catalog/dnswinsvr/chapter/ch08.pdf

Cheers,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, October 25, 2005 15:48
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ForestDnsZones

I found that. Thanks.

I guess what my question is, what is the point/relationship of the ForestDnsZones subdomain folder in your DNS zone? It's my understanding there is an app partition called dc=ForestDnsZones,Dc=root,DC=com which houses the root DNS entries and SRV RRs for GCs and DC GUIDs. How does that relate to the subdomain I see in DNS called ForestDnsZones? This subdomain only contains site specific records for LDAP servers.

Thanks

On 10/25/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

If you have configured the DNS zone _MSDCS.FORESTROOT with the "to all DNS/DC servers in the forest" you must have a separate DNS zone configured as such. To see more you could fire up LDP and browse to CN=MicrosoftDNS,DC=ForestDnsZones,DC=,DC= and see the contents of the DNS app partition/NC. If you have configured DNS zones with the forest replication scope you'll see them listed there.

Jorge

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Tue 10/25/2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ForestDnsZones

I think you are looking inside the wrong folder... you are looking into the DNS subdomain folder ForestDnsZones within the forestroot DNS zone. Either look inside the DNS subdomain _MSDCS within the forestroot DNS zone or look inside the DNS zone _MSDCS.forestroot if you have configured it with its own replication scope (DNS-domain, DNS-forest or DCs-domain).

Jorge

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 10/25/2005 1:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ForestDnsZones

It is. I think I'm missing something. In the ForestDnsZones folder in DNS management, I just have LDAP site info. There is the usual _msdcs.forestroot subdomain folder in the root domain zone but I thought that stuff should be in the ForestDnsZones folder that's in the app partition? I know I'm not getting something obvious because this same thing happens in every test Win2k3 forest I create.

thanks

On 10/24/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

true.. they should be there. if your replication is working the CNAME records must be available otherwise you would have little replication ;-)

Are you sure the replication scope is set to all DNS servers in the forest, secure dynamic updates are enabled, etc.

Jorge

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 10/24/2005 11:05 PM
To: activedirectory
Subject: [ActiveDir] ForestDnsZones

Ok, am I missing something here? I thought one of the main points of this concept was so the forest _msdcs.forestroot.com, which contained the GC RRs and the DC GUID CNAME records, could be accessed and updated from any child domain in the forest? But the ForestDnsZones app partition only has site specific LDAP records for DCs. What happened to the GC/DC GUID records?

Thanks
RE: [ActiveDir] ForestDnsZones
The DNS subdomain "ForestDNSZones" is for the DNS app partition itself.

By default a W2K3 DC registers certain SRV RRs for a domain partition/naming context it hosts. The ForestDNSZones (per AD forest) and the DomainDNSZones (per AD domain in an AD forest) are application partitions/naming contexts for DNS. Again by default the DCs hosting the ForestDNSZones (all the DCs in the AD forest!) register SRV RRs in that subdomain and DCs hosting the DomainDNSZones (per domain and all DCs in a certain AD domain) register records in that subdomain.

If you create a custom app partition beneath some domain and enlist several DCs as replica members, those DCs will host replicas for that partition and thus register SRV RRs for that partition.

When creating a DNS zone and choosing a replication scope you are just saying: store the data for that DNS zone in that app partition and replicate to the DCs that are replica members of that partition.

For more info: http://www.oreilly.com/catalog/dnswinsvr/chapter/ch08.pdf

Cheers,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, October 25, 2005 15:48
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ForestDnsZones

I found that. Thanks.

I guess what my question is, what is the point/relationship of the ForestDnsZones subdomain folder in your DNS zone? It's my understanding there is an app partition called dc=ForestDnsZones,Dc=root,DC=com which houses the root DNS entries and SRV RRs for GCs and DC GUIDs. How does that relate to the subdomain I see in DNS called ForestDnsZones? This subdomain only contains site specific records for LDAP servers.

Thanks

On 10/25/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

If you have configured the DNS zone _MSDCS.FORESTROOT with the "to all DNS/DC servers in the forest" you must have a separate DNS zone configured as such. To see more you could fire up LDP and browse to CN=MicrosoftDNS,DC=ForestDnsZones,DC=,DC= and see the contents of the DNS app partition/NC. If you have configured DNS zones with the forest replication scope you'll see them listed there.

Jorge

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Tue 10/25/2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ForestDnsZones

I think you are looking inside the wrong folder... you are looking into the DNS subdomain folder ForestDnsZones within the forestroot DNS zone. Either look inside the DNS subdomain _MSDCS within the forestroot DNS zone or look inside the DNS zone _MSDCS.forestroot if you have configured it with its own replication scope (DNS-domain, DNS-forest or DCs-domain).

Jorge

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 10/25/2005 1:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ForestDnsZones

It is. I think I'm missing something. In the ForestDnsZones folder in DNS management, I just have LDAP site info. There is the usual _msdcs.forestroot subdomain folder in the root domain zone but I thought that stuff should be in the ForestDnsZones folder that's in the app partition? I know I'm not getting something obvious because this same thing happens in every test Win2k3 forest I create.

thanks

On 10/24/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

true.. they should be there. if your replication is working the CNAME records must be available otherwise you would have little replication ;-)

Are you sure the replication scope is set to all DNS servers in the forest, secure dynamic updates are enabled, etc.

Jorge

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 10/24/2005 11:05 PM
To: activedirectory
Subject: [ActiveDir] ForestDnsZones

Ok, am I missing something here? I thought one of the main points of this concept was so the forest _msdcs.forestroot.com, which contained the GC RRs and the DC GUID CNAME records, could be accessed and updated from any child domain in the forest? But the ForestDnsZones app partition only has site specific LDAP records for DCs. What happened to the GC/DC GUID records?

Thanks
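An added example, not from Jorge's message or any tool he mentions, that makes the distinction above visible from a PowerShell prompt with the ActiveDirectory and DnsClient modules (RSAT on a current Windows build, so later tooling than the 2005 thread): which DCs are replica members of the two DNS application partitions, which zones each partition stores, and where the ForestDnsZones SRV records and the DC GUID CNAMEs actually resolve. All DNs are derived from RootDSE, so nothing is hard-coded; the assumption is that you run it as a domain user on a domain-joined machine that can reach the AD-integrated DNS.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory and DnsClient modules.
Import-Module ActiveDirectory

$rootDse    = Get-ADRootDSE
$forestDn   = $rootDse.rootDomainNamingContext      # e.g. DC=forestroot,DC=com
$domainDn   = $rootDse.defaultNamingContext         # domain of the DC we talked to
$configDn   = $rootDse.configurationNamingContext
$forestFqdn = ($forestDn -replace 'DC=', '') -replace ',', '.'

$partitions = "DC=ForestDnsZones,$forestDn", "DC=DomainDnsZones,$domainDn"

# 1. Replica members of each DNS partition: the crossRef object in the Partitions
#    container lists them in msDS-NC-Replica-Locations (NTDS Settings DNs).
foreach ($nc in $partitions) {
    $cr = Get-ADObject -SearchBase "CN=Partitions,$configDn" -LDAPFilter "(nCName=$nc)" `
                       -Properties 'msDS-NC-Replica-Locations'
    "{0}: {1} replica(s)" -f $nc, @($cr.'msDS-NC-Replica-Locations').Count
    $cr.'msDS-NC-Replica-Locations' | ForEach-Object { "    $_" }
}

# 2. Zones stored in each partition. _msdcs.<forest> only appears under ForestDnsZones
#    if it was split off as its own zone with forest-wide replication scope.
foreach ($nc in $partitions) {
    Get-ADObject -SearchBase "CN=MicrosoftDNS,$nc" -LDAPFilter '(objectClass=dnsZone)' |
        Select-Object @{ n = 'Partition'; e = { $nc } }, Name
}

# 3. The "ForestDnsZones" subfolder of the forest zone holds nothing but SRV records for
#    the DCs that replicate that partition, which is what Tom saw in the DNS console.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.ForestDnsZones.$forestFqdn" |
    Where-Object QueryType -eq 'SRV' | Select-Object NameTarget, Port

# 4. The replication CNAMEs live under _msdcs.<forest> and are named after each DC's
#    NTDS Settings objectGUID (the DSA GUID), not after the DC itself.
foreach ($dc in Get-ADDomainController -Filter *) {
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
    $name    = "$dsaGuid._msdcs.$forestFqdn"
    $cname   = Resolve-DnsName -Type CNAME -Name $name -ErrorAction SilentlyContinue |
               Where-Object QueryType -eq 'CNAME'
    "{0} -> {1}" -f $name, ($(if ($cname) { $cname.NameHost } else { 'NOT REGISTERED' }))
}
```

If step 4 prints NOT REGISTERED for a DC, that is the condition Jorge describes: replication partners cannot find that DC by its DSA GUID, and you should look at that DC's Netlogon DNS registration before anything else.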
RE: [ActiveDir] AD Lag Site
Hi,

Guido and Gil wrote a great ebook about recovery, where information about lag sites is included. Take a look at: http://www.netpro.com/events/adrecovery/index.cfm (registration needed)

For starters some tips:
* Place at least one DC for each domain in the lag site
* Allow the DCs in the lag site to register only the replication record (CNAME) in the DNS zone _MSDCS.FORESTROOT
* Don't assign WINS server IP addresses for the DCs in the lag sites
* Make sure the site link between the lag site and the hub site has a higher cost than all other site links that connect the hub site and other sites (reason: Exchange AD topology discovery for the out-of-site list of DCs/GCs)
* You might want to use lag sites (e.g. 2) that replicate in steps (1st site replicates like each 3 days and the other each week), where the second lag site is connected to the first and the first is connected to the second and the hub site

This might be expensive though, and you also might have a look at object recovery tools available from third party vendors.

Cheers,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, October 25, 2005 15:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Lag Site

Anyone have any pointers (documentation or real life experience) on setting up an AD Lag Site?

Thanks in advance,
Shawn
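An added example, not from Jorge's message or the ebook he links, that turns the tips above into one PowerShell script using the ActiveDirectory module (RSAT on a current Windows build; the 2005 thread would have done this with the Sites and Services MMC, dnscmd and regedit). The site names Hub and Lag-Site-1, the DC name LAGDC01 and the NIC name Ethernet are assumptions for illustration. The DnsAvoidRegisterRecords mnemonics are the Netlogon ones for suppressing DC record registration; the list deliberately leaves out DsaCname so the replication CNAME is still registered, which is the second tip.

```powershell
# Added example (not from the thread). Run as Enterprise Admin with the ActiveDirectory module.
Import-Module ActiveDirectory

$hubSite  = 'Hub'          # existing hub site (assumed name)
$lagSite  = 'Lag-Site-1'   # new lag site
$lagDc    = 'LAGDC01'      # DC that will live in the lag site, one per domain (assumed name)
$linkName = "$hubSite-$lagSite"

# 1. Create the lag site and move the DC into it.
New-ADReplicationSite -Name $lagSite
Move-ADDirectoryServer -Identity $lagDc -Site $lagSite

# 2. Site link Hub <-> Lag. Its cost must exceed every other link that touches the hub,
#    otherwise Exchange topology discovery (and DC locator) may pick the lag DC as an
#    out-of-site DC/GC. Replication once a week (10080 minutes is the maximum interval).
$hubLinks = Get-ADReplicationSiteLink -Filter * |
            Where-Object { $_.SitesIncluded -match "^CN=$hubSite," }
$maxCost  = ($hubLinks | Measure-Object -Property Cost -Maximum).Maximum
if (-not $maxCost) { $maxCost = 100 }

New-ADReplicationSiteLink -Name $linkName `
    -SitesIncluded $hubSite, $lagSite `
    -InterSiteTransportProtocol IP `
    -Cost ($maxCost + 100) `
    -ReplicationFrequencyInMinutes 10080

# 3. On the lag DC: register only the DSA CNAME in _msdcs, and use no WINS servers.
#    Every record type listed here is suppressed; DsaCname is intentionally absent.
$avoid = @(
    'LdapIpAddress', 'Ldap', 'LdapAtSite', 'Pdc', 'Gc', 'GcAtSite', 'GcIpAddress',
    'Kdc', 'KdcAtSite', 'Dc', 'DcAtSite', 'Rfc1510Kdc', 'Rfc1510KdcAtSite',
    'GenericGc', 'GenericGcAtSite', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd', 'DcByGuid'
)

Invoke-Command -ComputerName $lagDc -ArgumentList (,$avoid) -ScriptBlock {
    param([string[]]$avoid)
    $nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    New-ItemProperty -Path $nl -Name DnsAvoidRegisterRecords -PropertyType MultiString `
                     -Value $avoid -Force | Out-Null

    # No WINS on the lag DC's NIC ("Ethernet" is an assumed interface name).
    netsh interface ipv4 set winsservers name="Ethernet" source=static address=none | Out-Null

    # Remove the records already registered, then let Netlogon re-register the allowed set.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    nltest /dsderegdns:$fqdn | Out-Null
    Restart-Service Netlogon
}
```

For the two-stage variant in the last tip, repeat steps 1 and 2 for a second site linked only to the first lag site, with a shorter interval on the hub-to-first link and a longer one on the first-to-second link; the DNS and WINS settings in step 3 apply to every lag DC.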
Re: [ActiveDir] ForestDnsZones
I found that. Thanks.

I guess what my question is, what is the point/relationship of the ForestDnsZones subdomain folder in your DNS zone? It's my understanding there is an app partition called dc=ForestDnsZones,Dc=root,DC=com which houses the root DNS entries and SRV RRs for GCs and DC GUIDs. How does that relate to the subdomain I see in DNS called ForestDnsZones? This subdomain only contains site specific records for LDAP servers.

Thanks

On 10/25/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

If you have configured the DNS zone _MSDCS.FORESTROOT with the "to all DNS/DC servers in the forest" you must have a separate DNS zone configured as such. To see more you could fire up LDP and browse to CN=MicrosoftDNS,DC=ForestDnsZones,DC=,DC= and see the contents of the DNS app partition/NC. If you have configured DNS zones with the forest replication scope you'll see them listed there.

Jorge

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Tue 10/25/2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ForestDnsZones

I think you are looking inside the wrong folder... you are looking into the DNS subdomain folder ForestDnsZones within the forestroot DNS zone. Either look inside the DNS subdomain _MSDCS within the forestroot DNS zone or look inside the DNS zone _MSDCS.forestroot if you have configured it with its own replication scope (DNS-domain, DNS-forest or DCs-domain).

Jorge

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 10/25/2005 1:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ForestDnsZones

It is. I think I'm missing something. In the ForestDnsZones folder in DNS management, I just have LDAP site info. There is the usual _msdcs.forestroot subdomain folder in the root domain zone but I thought that stuff should be in the ForestDnsZones folder that's in the app partition? I know I'm not getting something obvious because this same thing happens in every test Win2k3 forest I create.

thanks

On 10/24/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

true.. they should be there. if your replication is working the CNAME records must be available otherwise you would have little replication ;-)

Are you sure the replication scope is set to all DNS servers in the forest, secure dynamic updates are enabled, etc.

Jorge

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 10/24/2005 11:05 PM
To: activedirectory
Subject: [ActiveDir] ForestDnsZones

Ok, am I missing something here? I thought one of the main points of this concept was so the forest _msdcs.forestroot.com, which contained the GC RRs and the DC GUID CNAME records, could be accessed and updated from any child domain in the forest? But the ForestDnsZones app partition only has site specific LDAP records for DCs. What happened to the GC/DC GUID records?

Thanks
Re: [ActiveDir] Need ADSI Scripting help.
Thanks much, I really appreciate your help!

Thanks again,
Jitendra Kalyankar

On 10/24/05, AD <[EMAIL PROTECTED]> wrote:
>
> Assuming the file containing computer names is Computers.txt located in the same folder as the vbs. This creates an output file called "Computers - Results.txt". You can add any attributes to your output file as needed.
>
> ' Start of Script
> Option Explicit
>
> ' Objects
> Dim oFS, oInputFile, oOutputFile, rootDSE
> Dim objConnection, objCommand, rsComputers
> ' Arrays
> Dim aComputers
> ' Strings
> Dim sComputer, sDomain, sStatus
>
> Set oFS = CreateObject("Scripting.FileSystemObject")
> Set oInputFile = oFS.OpenTextFile("Computers.txt", 1)
> Set oOutputFile = oFS.CreateTextFile("Computers - Result.txt", True)
>
> ' Doing AD stuff: find the domain naming context via RootDSE, then open an ADO
> ' connection through the ADSI OLE DB provider
> Set rootDSE = GetObject("LDAP://RootDSE")
> sDomain = rootDSE.Get("defaultNamingContext")
> Set objConnection = CreateObject("ADODB.Connection")
> Set objCommand = CreateObject("ADODB.Command")
> objConnection.Provider = "ADsDSOObject"
> objConnection.Open "Active Directory Provider"
> Set objCommand.ActiveConnection = objConnection
> objCommand.Properties("Page Size") = 1000
> objCommand.Properties("Cache Results") = True
>
> ' Reading text file: one computer name per line
> aComputers = Split(oInputFile.ReadAll, vbCrLf)
>
> ' Looping every computer
> For Each sComputer In aComputers
>     sComputer = Trim(sComputer)
>     If Len(sComputer) > 0 Then   ' ReadAll leaves an empty element after the last CRLF
>         ' The name is placed in the LDAP filter as-is, so the input file must be trusted
>         objCommand.CommandText = "<LDAP://" & sDomain & ">;(&(objectCategory=computer)(cn=" & sComputer & "));name,userAccountControl;subtree"
>         Set rsComputers = objCommand.Execute
>
>         If rsComputers.EOF Then
>             oOutputFile.WriteLine sComputer & vbTab & "Can't find computer"
>         Else
>             Do Until rsComputers.EOF
>                 ' Bit 0x2 of userAccountControl is ACCOUNTDISABLE
>                 If rsComputers.Fields("userAccountControl").Value And 2 Then
>                     sStatus = "Disabled"
>                 Else
>                     sStatus = "Enabled"
>                 End If
>                 oOutputFile.WriteLine sComputer & vbTab & sStatus
>                 rsComputers.MoveNext
>             Loop
>         End If
>         rsComputers.Close
>     End If
> Next
>
> ' Closing text files and the AD connection
> oInputFile.Close
> oOutputFile.Close
> objConnection.Close
> ' End of Script
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
> Sent: Friday, October 21, 2005 5:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Need ADSI Scripting help.
>
> I was hoping someone will direct him to dsquery :o)
>
> Assuming the file containing computer names is Comps.txt, put this in the batch file and keep it in the same folder as comps.txt:
>
> for /f %%A in (comps.txt) do (
>     dsquery computer -samid %%A$ | dsget computer -samid -disabled
> )
>
> You should get a two column listing of computer name with YES or NO for disabled.
>
> -
> Kamlesh
>
> On 10/21/05, Jitendra Kalyankar <[EMAIL PROTECTED]> wrote:
> > I know about Oldcmp.exe, but the thing is the tool is really powerful and I don't want Jr. Sys. Admins doing something or deleting something that they are not supposed to. And again I will have to go through the security department route to use it. Too much hassle.
> >
> > Hope that explains my situation.
> >
> > Sincerely,
> > Jitendra Kalyankar
> >
> > On 10/20/05, Creamer, Mark <[EMAIL PROTECTED]> wrote:
> > > Before you do this, see oldcmp at www.joeware.net
> > > http://www.joeware.net/win/free/index.htm
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
> > > Sent: Thursday, October 20, 2005 4:14 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Need ADSI Scripting help.
> > >
> > > I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is if I run the script against the machine list which will be in the text file, it should give me the output in the text file saying which machine account is enabled, disabled or not found.
> > >
> > > I know how to manipulate the text files using the fso object but I am not sure what I need to use to get the attributes of the computer container in AD. Any help in this regard is highly appreciated and valued.
> > >
> > > Please let me know if you need more information about this.
> > >
> > > --
> > > Thanks,
> > > Jitendra Kalyankar
> > >
> > > This e-mail transmission contains information that is intended to be confidential and privileged. If y
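An added example, not from AD's, Kamlesh's or Jitendra's posts, that does the same job in PowerShell with the ActiveDirectory module (RSAT on a current Windows build) and goes two steps further than the VBScript above: it escapes the computer name before it lands in the LDAP filter, so a name such as PC(1)* cannot change what the query matches, and it decodes the other userAccountControl bits a security reviewer wants to see next to Enabled/Disabled (unconstrained delegation, no Kerberos pre-auth, and so on). The input file Computers.txt and output file name are the ones from the thread; the flag names and values are the documented userAccountControl constants.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bits worth reporting on a machine account.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0000002
    PASSWD_NOTREQD                 = 0x0000020
    WORKSTATION_TRUST_ACCOUNT      = 0x0001000
    SERVER_TRUST_ACCOUNT           = 0x0002000   # domain controller
    DONT_EXPIRE_PASSWORD           = 0x0010000
    TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
    NOT_DELEGATED                  = 0x0100000
    USE_DES_KEY_ONLY               = 0x0200000
    DONT_REQ_PREAUTH               = 0x0400000   # AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000   # RODC
}

function ConvertFrom-UserAccountControl {
    param([int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# RFC 4515 escaping of the characters that are special inside an LDAP filter value.
function ConvertTo-LdapFilterLiteral {
    param([string]$Text)
    $Text.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Get-ComputerAccountStatus {
    param([string[]]$Names)
    foreach ($name in ($Names | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        # Machine accounts have a sAMAccountName of <name>$; the literal goes in escaped.
        $lit    = ConvertTo-LdapFilterLiteral $name
        $filter = "(&(objectCategory=computer)(sAMAccountName=$lit`$))"
        $accts  = Get-ADComputer -LDAPFilter $filter -Properties userAccountControl
        if (-not $accts) {
            [pscustomobject]@{ Computer = $name; Status = 'Not found'; Flags = '' }
            continue
        }
        foreach ($a in $accts) {
            $flags = @(ConvertFrom-UserAccountControl $a.userAccountControl)
            [pscustomobject]@{
                Computer = $name
                Status   = if ($flags -contains 'ACCOUNTDISABLE') { 'Disabled' } else { 'Enabled' }
                Flags    = ($flags -join ',')
            }
        }
    }
}

# Usage: one computer name per line in Computers.txt; tab-separated result file as in the thread.
Get-ComputerAccountStatus -Names (Get-Content .\Computers.txt) |
    Export-Csv -Path '.\Computers - Result.txt' -Delimiter "`t" -NoTypeInformation
```

Get-ADComputer only needs read access to the domain, which is the point Jitendra raises about oldcmp: a junior admin can run this without being granted anything that lets them delete or disable accounts.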
[ActiveDir] AD Lag Site
Anyone have any pointers (documentation or real life experience) on setting up an AD Lag Site?

Thanks in advance,
Shawn
Re: [ActiveDir] Folder redirection permissions
David J. Kinsella wrote:
> When I've redirected various folders to a network share I'm finding that administrators cannot access users' folders on the server itself, is there any way to configure permissions so that administrators can access such folders?

This article might help:
Enabling the administrator to have access to redirected folders
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q288991

> Also, on some clients we're finding that folder redirection simply won't work because of a permissions error, this is strange as it has never happened before and configuration has not changed.

To create a detailed log file for folder redirection, use the following registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
Set: FdeployDebugLevel = REG_DWORD 0x0f

The log file can be found at: %windir%\debug\usermode\fdeploy.log

hth,
john
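An added example, not from John's reply or the KB article, showing the repair for folders that already exist with the user as sole owner: take ownership as Administrators, add an inheritable Administrators ACE, then hand ownership back to the user so the redirection client still sees the user as owner. It uses takeown and icacls rather than Set-Acl because Set-Acl cannot write an ACL on a folder the caller does not own. The share root D:\Redirected, the one-folder-per-user layout with folders named after the sAMAccountName, and the domain taken from the local session are assumptions; the registry key and log path at the end are the ones John gives.

```powershell
# Added example (not from the thread). Run elevated on the file server that hosts the share.
param([string]$ShareRoot = 'D:\Redirected')    # assumed path; one folder per user below it

foreach ($dir in Get-ChildItem -Path $ShareRoot -Directory) {
    $user = $dir.Name                           # assumed: folder name == sAMAccountName
    # 1. Take ownership for the Administrators group (/A), recursively (/R), answering
    #    "yes" (/D Y) where we currently lack list permission.
    takeown /F $dir.FullName /A /R /D Y | Out-Null
    # 2. Give Administrators full control, inherited by subfolders (CI) and files (OI).
    icacls $dir.FullName /grant 'BUILTIN\Administrators:(OI)(CI)F' /T | Out-Null
    # 3. Hand ownership back: the redirection client checks that the user owns the folder
    #    when "Grant the user exclusive rights" is on, and quotas/EFS key off the owner too.
    icacls $dir.FullName /setowner "$env:USERDOMAIN\$user" /T | Out-Null
    "$user : Administrators added, owner restored"
}

# For new folders, clear "Grant the user exclusive rights to <folder>" in the Folder
# Redirection policy (the KB's first fix) so the server-side ACL includes Administrators
# from the start instead of needing this repair.

# On a client that fails with a permissions error, turn on the verbose fdeploy log.
$diag = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics'
New-Item -Path $diag -Force | Out-Null
New-ItemProperty -Path $diag -Name FdeployDebugLevel -PropertyType DWord -Value 0x0f -Force | Out-Null
"Log after next logon: $env:windir\debug\usermode\fdeploy.log"
```

Run it once with `-WhatIf`-style caution: list the folders first and confirm each name really maps to a user, because `/setowner` with a non-existent principal fails and leaves Administrators as owner.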
Re: [ActiveDir] OT: Server With Hyperthreading/Multicore Licensing
Hi Marc and Edwin,

Edwin wrote:
> http://www.microsoft.com/windows2000/server/evaluation/performance/reports/hyperthread.asp
> http://www.microsoft.com/sql/howtobuy/SQLonHTT.doc

More info on this topic: http://www.microsoft.com/licensing/highlights/multicore.mspx

fr
--
André Franciosi
IT Consultant [0x15C50B90, pgp.mit.edu]
Franciosi Consultoria
http://www.franciosi.org
RE: [ActiveDir] OT: Robocopy command..
Hi Alain,

I have thought about this, but the supervisor of this dept does not want the files removed in the target directory if they are deleted in the source; he kind of wants this as an archived/backed up copy.

Alain Lissoir <[EMAIL PROTECTED]> wrote:

Have you looked at /MIR? (Mirror)
It adds files in the target folder added in the source folder.
It updates files in the target folder updated in the source folder.
It removes files in the target folder removed in the source folder.
Untouched files just stay as they are and they are not copied over.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Tuesday, October 25, 2005 3:05 AM
To: Active
Subject: [ActiveDir] OT: Robocopy command..

Hi. I have used robocopy to copy an entire folder content from oldserver1 to newserver1. I want to keep this data on the new server consistent; however, I only want it to copy file changes and additional files that have been created, not the entire folder content.

I was thinking of using:
robocopy d:\source d:\destination /e /IT /log:e:\log.txt /r:1

Does anyone have any thoughts about the parameters I've used?

thanks
frank
RE: [ActiveDir] OT: Robocopy command..
Have you looked at /MIR? (Mirror)
It adds files in the target folder added in the source folder.
It updates files in the target folder updated in the source folder.
It removes files in the target folder removed in the source folder.
Untouched files just stay as they are and they are not copied over.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Tuesday, October 25, 2005 3:05 AM
To: Active
Subject: [ActiveDir] OT: Robocopy command..

Hi. I have used robocopy to copy an entire folder content from oldserver1 to newserver1. I want to keep this data on the new server consistent; however, I only want it to copy file changes and additional files that have been created, not the entire folder content.

I was thinking of using:
robocopy d:\source d:\destination /e /IT /log:e:\log.txt /r:1

Does anyone have any thoughts about the parameters I've used?

thanks
frank
[ActiveDir] Folder redirection permissions
Hi,

When I've redirected various folders to a network share I'm finding that administrators cannot access users' folders on the server itself. Is there any way to configure permissions so that administrators can access such folders?

Also, on some clients we're finding that folder redirection simply won't work because of a permissions error. This is strange as it has never happened before and the configuration has not changed.

Thanks,
DK
[ActiveDir] OT: Robocopy command..
Hi.

I have used robocopy to copy an entire folder's content from oldserver1 to newserver1. I want to keep this data on the new server consistent; however, I only want it to copy file changes and additional files that have been created, not the entire folder content.

I was thinking of using robocopy d:\source d:\destination /e /IT /log:e:\log.txt /r:1

Does anyone have any thoughts about the parameters I've used?

thanks
frank
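The following batch script is an added example and not code from the thread. It puts Frank's incremental command next to the /MIR variant Alain describes, so the difference that matters for an archive copy is visible: /MIR is /E plus /PURGE, which deletes destination files that have disappeared from the source, while /E on its own copies only new and changed files and removes nothing. The paths, log file and server names are placeholders taken from the thread's wording, and the /L dry run, /SEC and /LOG+ switches are standard robocopy options added here for the check a practitioner would want before running against a production share.

```batch
@echo off
rem Added example (not from the original thread). Placeholders below
rem mirror Frank's message; adjust SRC, DST and LOG before use.
set SRC=D:\source
set DST=D:\destination
set LOG=E:\log.txt

rem 1) Dry run first: /L lists what WOULD be copied or removed and
rem    touches nothing. Read the log for unexpected deletions/overwrites.
robocopy "%SRC%" "%DST%" /E /L /NP /LOG:"%LOG%" /R:1 /W:1

rem 2) Incremental archive copy (Frank's intent):
rem    /E   copies subfolders, including empty ones
rem    /IT  also copies "tweaked" files (same size and time, changed
rem         attributes), which the default skip rule would otherwise miss
rem    /SEC copies NTFS ACLs with the data (/COPY:DATS), so the copy on
rem         the new server keeps the same access control as the source
rem    /LOG+ appends to the log so earlier runs are preserved
rem    Nothing is removed from the destination; robocopy skips files
rem    whose size and timestamp already match.
robocopy "%SRC%" "%DST%" /E /IT /SEC /NP /LOG+:"%LOG%" /R:1 /W:1

rem 3) Mirror (Alain's suggestion): /MIR = /E + /PURGE. Files deleted or
rem    damaged at the source are deleted or overwritten at the destination
rem    on the next run, so the copy stops being an independent archive.
rem    Left commented out because that is not what this department wants.
rem robocopy "%SRC%" "%DST%" /MIR /SEC /NP /LOG+:"%LOG%" /R:1 /W:1

rem Robocopy exit codes: 0-7 are success/informational bit flags,
rem 8 or above means some files or directories could not be copied.
if %ERRORLEVEL% GEQ 8 (
    echo Copy finished with errors, see %LOG%
    exit /b 1
)
echo Copy finished, see %LOG%
exit /b 0
```

Scheduling step 2 gives the "only changes and additions" behaviour asked for; if the source is ever lost or corrupted, the destination still holds everything it has accumulated, which is exactly the property /MIR would give up.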
RE: [ActiveDir] ForestDnsZones
If you have configured the DNS zone _MSDCS.FORESTROOT with the "to all DNS/DC servers in the forest" you must have a separate DNS zone configured as such.

To see more you could fire up LDP and browse to CN=MicrosoftDNS,DC=ForestDnsZones,DC=,DC= and see the contents of the DNS app partition/NC. If you have configured DNS zones with the forest replication scope you'll see them listed there.

Jorge

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Tue 10/25/2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ForestDnsZones

I think you are looking inside the wrong folder... you are looking into the DNS subdomain folder ForestDnsZones within the forestroot DNS zone. Either look inside the DNS subdomain _MSDCS within the forestroot DNS zone, or look inside the DNS zone _MSDCS.forestroot if you have configured it with its own replication scope (DNS-domain, DNS-forest or DCs-domain).

Jorge

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 10/25/2005 1:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ForestDnsZones

It is. I think I'm missing something. In the ForestDnsZones folder in DNS management, I just have LDAP site info. There is the usual _msdcs.forestroot subdomain folder in the root domain zone, but I thought that stuff should be in the ForestDnsZones folder that's in the app partition? I know I'm not getting something obvious because this same thing happens in every test Win2k3 forest I create.

thanks

On 10/24/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

true.. they should be there. if your replication is working the CNAME records must be available, otherwise you would have little replication ;-) Are you sure the replication scope is set to all DNS servers in the forest, secure dynamic updates are enabled, etc.

Jorge

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 10/24/2005 11:05 PM
To: activedirectory
Subject: [ActiveDir] ForestDnsZones

Ok, am I missing something here?

I thought one of the main points of this concept was so the forest _msdcs.forestroot.com zone, which contained the GC RRs and the DC GUID CNAME records, could be accessed and updated from any child domain in the forest? But the ForestDnsZones app partition only has site-specific LDAP records for DCs. What happened to the GC/DC GUID records?

Thanks
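The script below is an added example, not something posted in the thread. It performs from the command line the check Jorge describes doing in LDP: list the dnsZone objects held in the ForestDnsZones application partition, compare with what the DNS server reports as each zone's storage scope, and, if _msdcs.forestroot.com is present there as its own zone, enumerate the GC and DC GUID CNAME nodes Tom is looking for. forestroot.com and dc1 are placeholders; the DNs follow the CN=MicrosoftDNS,DC=ForestDnsZones,... path Jorge gives, with the forest's own DC= components filled in.

```batch
@echo off
rem Added example (not from the original thread). Replace the placeholder
rem forest name and DC before use.
set FOREST_DN=DC=forestroot,DC=com
set DC=dc1.forestroot.com
set PART=CN=MicrosoftDNS,DC=ForestDnsZones,%FOREST_DN%

rem 1) Zones stored in the forest-wide application partition. Each zone is
rem    a dnsZone object whose RDN is DC=<zone name>. _msdcs.forestroot.com
rem    shows up here only if it was created as a separate zone with the
rem    "all DNS servers in the forest" replication scope; if it was left
rem    as a subdomain of forestroot.com it lives in that zone instead.
echo === dnsZone objects in ForestDnsZones ===
dsquery * "%PART%" -s %DC% -scope onelevel -filter "(objectClass=dnsZone)" -attr name whenChanged

rem 2) The same information from the DNS server side: zone type and the
rem    partition (Domain / Forest / legacy) each zone is stored in.
echo === dnscmd zone list ===
dnscmd %DC% /EnumZones

rem 3) If the _msdcs zone is in the forest partition, list its record
rem    nodes: the gc._msdcs node, the <DC GUID>._msdcs CNAMEs and the
rem    _ldap/_kerberos SRV nodes. An empty result means the zone is not
rem    forest-wide and the records are still under forestroot.com.
echo === dnsNode objects under _msdcs.forestroot.com ===
dsquery * "DC=_msdcs.forestroot.com,%PART%" -s %DC% -scope onelevel -filter "(objectClass=dnsNode)" -attr dc whenChanged

rem 4) Export the partition to LDIF for offline review or to diff between
rem    two DNS servers, which quickly shows whether replication has caught
rem    up (Jorge's point about missing CNAMEs meaning broken replication).
ldifde -s %DC% -d "%PART%" -r "(objectClass=dnsZone)" -l name,dc,whenChanged -f forestdnszones-%COMPUTERNAME%.ldf
```

Running step 4 against two DCs and comparing the two .ldf files is the quickest way to confirm the application partition is actually replicating forest-wide rather than assuming so from the zone properties dialog.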