RE: [ActiveDir] Ntds.dit file corruption
I'm tempted to open up the 'Novell were doing this back in '93' debate again, but won't ... and as for "comparing" what Novell did with the PDC/BDC model... that just doesn't deserve a comment at all :))

neil

From: [EMAIL PROTECTED] On Behalf Of Sullivan Tim
Sent: 06 December 2005 03:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

BDC

From: [EMAIL PROTECTED] On Behalf Of Carpenter Robert A Contr WROCI/Enterprise IT
Sent: Monday, December 05, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Novell.

From: [EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD premier support specialists and they each confirmed it was not available (however it may have been added in a service pack). I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DC's take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DC's will work to comment on that?

Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to usable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DC's in the Forest. Maybe I am just being a worry wart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-)
I think I still said all I know is what the poster said :-)
I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up. What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var].

Brett Shirley wrote:

She replied offline, very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed: http://blogs.technet.com/efleis/archive/2005/01.aspx

Anyway, this kind of thing is usually hardware ... While there are much better disk sub-system testers, one that is freely available to any box with Exchange is jetstress. You might give that a try. If you can reproduce the event / error with jetstress I would not use that box in production. If you do reproduce the issue several times (several times is key, as you want a trend before you start playing the variable game), some things you might vary (one at a time):
- Try making sure you have the latest driver and motherboard / controller firmware. Then see if you can reproduce.
- Try a different RAID configuration, such as RAID1/RAID1+0 if you're on RAID5.
- Try swapping out the hard drives, one at a time.
- Adding the jetstress
RE: [ActiveDir] Ntds.dit file corruption
Is this guaranteed? How can we/you be sure that the system will recognise the corruptions and therefore not replicate them? Surely this is akin to the new feature added to e2k3 sp1, but which is (sadly) missing from AD(?) I must be missing a subtle point - please show me the light :)

neil

From: [EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 05 December 2005 19:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

We do not replicate corruption so if you have local corruption as noted below there is no worry that it would replicate around to other servers in the environment.

Thanks,
-Steve

From: [EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DC's take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DC's will work to comment on that?

Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to usable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DC's in the Forest. Maybe I am just being a worry wart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-)
I think I still said all I know is what the poster said :-)
I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up. What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var].

Brett Shirley wrote:

She replied offline, very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed: http://blogs.technet.com/efleis/archive/2005/01.aspx

Anyway, this kind of thing is usually hardware ... While there are much better disk sub-system testers, one that is freely available to any box with Exchange is jetstress. You might give that a try. If you can reproduce the event / error with jetstress I would not use that box in production. If you do reproduce the issue several times (several times is key, as you want a trend before you start playing the variable game), some things you might vary (one at a time):
- Try making sure you have the latest driver and motherboard / controller firmware. Then see if you can reproduce.
- Try a different RAID configuration, such as RAID1/RAID1+0 if you're on RAID5.
- Try swapping out the hard drives, one at a time.
- Adding the jetstress files to the exclude list in the Anti-Virus software. (A low probability, I've never heard of Anti-Virus causing this particular type of error, and I can't imagine the mistake an anti-virus product would have to have to cause this side effect.)
- If you can reproduce it several times, you could follow up with Dell.

Good luck. I'm not sure if I answered your question ...

Cheers,
BrettSh

On Sun, 4 Dec 2005, Eric Fleischman wrote:

Going back to the original post, I'm not sure I fully understand the problem yet. Susan, can you define "ntds.dit file corruption" for us? What sort of corruption? What errors/events lead you to believe this? Specifically, I'm interested in errors from NTDS ISAM or ESE if you have any.

From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sat 12/3/2005 10:58 PM
To:
RE: [ActiveDir] AD Wish list
We have the NET IQ Application Manager suite and I have not been impressed with it at all. The information is not anything new, it is no more than a collection of scripts with a scheduler and then we tack on SQL Reporting Services and it makes a report out of its data. If you can script your data, I guess the best way to keep it along those lines would be pushing it into a SQL database and creating a report with Visual Studio so your data is viewable. Paying in the 000's for that is what you have to do if you cannot push and pull your data into what you want.

Nate

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 4:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Wish list

I would have to concur, reporting is pretty heavy duty stuff.

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, December 05, 2005 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Wish list

In my experience, if it's going to be in the ,00s, it's going to be a script.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
"Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i.

From: [EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Thursday, December 01, 2005 4:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Wish list

Hi

I've been asked to contribute to a wish list and was planning on asking for some AD tools - specifically for reporting. I've had a look about, but the prices vary wildly. I know there's no chance of anything that's going to do a great job (Quest) as we're talking ,00's rather than ,000's. :) Trouble is there are a lot of tools out there and often they're doing stuff much of which I can script (or plagiarise :) ), plus the odd extra.

Does anyone have good experiences of anything in the ,00's price range that'll report back auditing/stats/security info?

All the best
Danny
RE: [ActiveDir] Exporting Mailbox rights
Thank you Alain,

I followed your instructions, I registered the DLL's on my PC then ran the following command from the XYZ folder:

For /F "delims=*" %1 in ('dsquery * "ou=group mailboxes,ou=spinnaker,dc=org" -filter "(objectClass=user)"') do WMIManageSD.Wsf /E2KMailbox:"%1" /Decipher+ /ADSI+

This runs and it does pick up the group mailbox in this OU. I then receive a message saying "WMIManageSD.Wsf(888, 19) (null): The server is not operational". Do I need to specify somewhere in the script my domain/server details? Am I able to output this information into a text file?

thanks for your help, sorry I am being a pain.
Amy ;-)

Alain Lissoir [EMAIL PROTECTED] wrote:

Do you have the Functions folder available? It contains a series of functions used by WMIManageSD.Wsf. Next you must register the DLL with REGSVR32 in the resource folder. Then you are all set. By default, WMIManageSD.Wsf must be in Folder XYZ while the Functions folder must be at the same level:

Root
+ Functions
|
+ XYZ

Otherwise you can change the "..\Functions" reference to an absolute path and point to the exact location of the Functions folder in your installation (your call).

To run against a group of MB in an OU, just query the users you have in that OU with DSQUERY (or any equivalent tool) and combine them in a command like the following (one single line when you type; the line is cut for readability reasons in this mail):

For /F "delims=*" %i in ('dsquery * "ou=group mailboxes,OU=,DC=spinnaker,DC=org" -filter "(objectClass=user)"') do WMIManageSD.Wsf /E2KMailbox:"%i" /Decipher+ /ADSI+

HTH.
PS: Don't forget the + at the end of the /Decipher+ and /ADSI+ switches.

From: Amy Hunter [mailto:[EMAIL PROTECTED]
Sent: Monday, December 05, 2005 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exporting Mailbox rights

Hi Alain,

thanks for your response, it all looks very clever. I have tried running the following command:

WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /adsi
WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /decipher

I receive this error "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs". When I open this script, I can't see any reference to this. Also, how can I run this against all group mailboxes in an OU? Any ideas?

Amy ;-)
Ps... sorry if I sound lame, scripting is not an area I spent too much time with yet.

Alain Lissoir [EMAIL PROTECTED] wrote:

You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder). Syntax to use in red below (the script supports Filesystem, Share, ADObject with Extended Rights, Exchange Mailbox, Registry Key, WMI namespace).

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] [/ADObject:value] [/E2KMailbox:value] [/E2KStore[+|-]] [/RegistryKey:value] [/WMINameSpace:value] [/ViewSD[+|-]] [/Owner:value] [/Group:value] [/SDControls:value] [/AddAce[+|-]] [/DelAce[+|-]] [/Trustee:value] [/ACEMask:value] [/ACEType:value] [/ACEFlags:value] [/ObjectType:value] [/InheritedObjectType:value] [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] [/SIDResolutionDC[+|-]] [/Machine:value] [/User:value] [/Password:value]

Options:
FileSystem : Get the security descriptor of the specified file or directory path.
Share : Get the security descriptor of the specified share name.
ADObject : Get the security descriptor of the specified distinguished name AD object.
E2KMailbox : Get the security descriptor of the Exchange 2000 mailbox specified by AD user distinguished name.
E2KStore : Specify if the security descriptor must come from the Exchange 2000 store.
RegistryKey : Get the security descriptor of the specified registry key.
WMINameSpace : Get the security descriptor of the specified WMI Name space.
ViewSD : Decipher the security descriptor.
Owner : Set the security descriptor owner.
Group : Set the security descriptor group.
SDControls : Set the security descriptor control flags.
AddAce : Add a new ACE to the ACL.
DelAce : Remove an existing ACE from the ACL.
Trustee : Specify the ACE mask (granted user, group or machine account).
ACEMask : Specify the ACE mask (granted rights).
ACEType : Specify the ACE type (allow or deny the ACE mask).
ACEFlags : Specify the ACE flags (ACE mask inheritance).
ObjectType : Specify which object type, property set, or property an ACE refers to.
InheritedObjectType : Specify the GUID of an object that will inherit the ACE.
SACL : Manage the System ACL (auditing) (default=Discretionary ACL).
Decipher : Decipher the security descriptor.
ADSI : Retrieve the security descriptor with ADSI.
SIDResolutionDC : Domain Controller to use for SID resolution.
Machine
[ActiveDir] next available RID?
(I hope this is not too dumb a question.) I'm looking for the next available RID in a domain. I believe a domain's RID master assigns blocks of RIDs to each DC, but I don't think that's relative. Although each DC has a block of numbers, they are handed out sequentially, I think. Are there any tools out there to give me this number? TIA!

Mike Thommes

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Delegate disable/enable user accounts
Does anyone know off the top of their head the permissions required for delegation of disabling and enabling user accounts, or have a link? Google is failing me... or rather me failing google
Re: [ActiveDir] next available RID?
Thommes, Michael M. wrote:

(I hope this is not too dumb a question.) I'm looking for the next available RID in a domain. I believe a domain's RID master assigns blocks of RIDs to each DC, but I don't think that's relative. Although each DC has a block of numbers, they are handed out sequentially, I think. Are there any tools out there to give me this number? TIA!

Read this description, it should clarify this case for you a little: http://support.microsoft.com/?kbid=305475

To get to know exactly what the next RID assigned to a new object in a domain will be, you have to know on which DC you will create this object and then check the RidNextRid value for this DC.

--
Tomasz Onyszko
http://www.w2k.pl
RE: [ActiveDir] next available RID?
RIDs are requested and distributed in blocks of 500 RIDs. Each DC has at least one block (RidpreviousAllocationpool). When that block has been exhausted for 50% of its RIDs, the DC will ask for a new block and store that in the attribute called Ridallocationpool. When that block (RidpreviousAllocationpool) is empty (exhausted for 100%) the block stored in the Ridallocationpool attribute will be moved to the RidpreviousAllocationpool attribute and at that moment the RidAllocationpool attribute will be empty. It will be used again when the RidpreviousAllocationpool has been exhausted for 50%.

Try: DCDIAG /TEST:RIDMANAGER /V

This will show amongst other info:
* The available RID pool for the domain
* Who is the Rid master
* If a bind with the Rid master is successful
* Ridallocationpool (= the second pool of RIDs a DC has. A DC gets a second pool when the first pool has passed 50%)
* RidpreviousAllocationpool (= the first pool used by the DC)
* RidNextRid (= the last used RID from the first pool) (and not the next rid to be used as it looks like)

Does this answer your question?

Cheers,
jorge

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 6-12-2005 14:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] next available RID?

(I hope this is not too dumb a question.) I'm looking for the next available RID in a domain. I believe a domain's RID master assigns blocks of RIDs to each DC, but I don't think that's relative. Although each DC has a block of numbers, they are handed out sequentially, I think. Are there any tools out there to give me this number? TIA!

Mike Thommes
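An added example (not code from the post) that does the arithmetic jorge describes: it unpacks the two pool attributes, computes how far the current block is used, and derives the RID the next object created on that DC would get. It assumes the documented packing of rIDAllocationPool and rIDPreviousAllocationPool (first RID of the block in the low 32 bits, last RID in the high 32 bits), takes rIDNextRID to be the last RID already issued as the post states, and represents an empty pool attribute as 0; the sample values are constructed.

```python
# Added example, not code from the list post. Decodes the RID pool
# attributes jorge describes. Assumptions: the packed-pool attributes hold
# the first RID of the block in the low 32 bits and the last RID in the
# high 32 bits (documented AD layout); as in the post, rIDNextRID is the
# last RID already handed out from the current block; an "empty" pool
# attribute is represented here as 0.
from dataclasses import dataclass

POOL_SIZE = 500          # default block size per DC, as stated in the post
REFRESH_FRACTION = 0.5   # a DC requests its standby block once half is used
EMPTY_POOL = 0           # constructed marker for "attribute is empty"


def unpack_pool(value: int) -> tuple[int, int]:
    """Split a packed pool value into (first_rid, last_rid)."""
    first = value & 0xFFFFFFFF
    last = value >> 32
    if value < 0 or last < first:
        raise ValueError(f"malformed pool value {value}")
    return first, last


def pack_pool(first: int, last: int) -> int:
    """Inverse of unpack_pool; used to build the constructed sample values."""
    return (last << 32) | first


@dataclass
class DcRidState:
    """Snapshot of one DC's RID-related attributes."""
    previous_pool: int    # rIDPreviousAllocationPool: block currently in use
    allocation_pool: int  # rIDAllocationPool: standby block, EMPTY_POOL if none
    next_rid: int         # rIDNextRID: last RID issued, 0 if none issued yet

    def used_fraction(self) -> float:
        """Share of the current block already handed out."""
        first, last = unpack_pool(self.previous_pool)
        used = 0 if self.next_rid == 0 else self.next_rid - first + 1
        return used / (last - first + 1)

    def needs_standby_block(self) -> bool:
        """True when the DC is past the 50% mark with no standby block yet."""
        return (self.allocation_pool == EMPTY_POOL
                and self.used_fraction() >= REFRESH_FRACTION)

    def next_available_rid(self) -> int:
        """RID the next object created on this DC would receive."""
        first, last = unpack_pool(self.previous_pool)
        if self.next_rid == 0:
            return first
        if self.next_rid < last:
            return self.next_rid + 1
        # Current block exhausted: the standby block gets promoted, so its
        # first RID is the next one issued.
        if self.allocation_pool == EMPTY_POOL:
            raise RuntimeError("current block exhausted and no standby block")
        return unpack_pool(self.allocation_pool)[0]


if __name__ == "__main__":
    # Constructed sample: a DC holding block 1100-1599 with 251 RIDs used.
    dc = DcRidState(pack_pool(1100, 1599), EMPTY_POOL, 1350)
    print("next RID:", dc.next_available_rid())
    print("used: %.0f%%" % (dc.used_fraction() * 100))
    print("should have requested standby block:", dc.needs_standby_block())
```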
RE: [ActiveDir] Delegate disable/enable user accounts
read/write permission on the useraccountcontrol attribute of the user object.

HOWEVER... the disabled/enabled status of a user object is represented by a bit/flag in the useraccountcontrol attribute and that same attribute consists of more bits/flags. So if you delegate read/write permission on the useraccountcontrol, you delegate control on all of the bits/flags represented in that useraccountcontrol attribute. It may not be what you want.

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Tue 6-12-2005 14:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate disable/enable user accounts

Does anyone know off the top of their head the permissions required for delegation of disabling and enabling user accounts, or have a link? Google is failing me... or rather me failing google
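An added example (not code from the post) that makes Jorge's point concrete: userAccountControl is one integer whose bits carry many independent settings, so a write grant on it covers every flag, and a reviewer checking what a delegate actually changed has to compare the whole value. The flag values are the documented ADS_UF_* bit values; the before/after values are constructed.

```python
# Added example, not code from the list post. userAccountControl is a
# single integer whose bits carry many independent settings, so a Write
# Property grant on it covers every one of them, not just disable/enable.
# Bit values are the documented ADS_UF_* constants.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x0002


def decode(uac: int) -> list[str]:
    """Names of every flag set in a userAccountControl value, lowest bit first."""
    names = []
    bit = 1
    while bit <= uac:
        if uac & bit:
            names.append(UAC_FLAGS.get(bit, f"UNKNOWN_0x{bit:X}"))
        bit <<= 1
    return names


def is_disabled(uac: int) -> bool:
    return bool(uac & ACCOUNTDISABLE)


def set_disabled(uac: int, disabled: bool) -> int:
    """The only change a disable/enable delegate is meant to make: flip
    bit 0x2 and leave every other bit exactly as it was."""
    return uac | ACCOUNTDISABLE if disabled else uac & ~ACCOUNTDISABLE


def changes_beyond_disable(old: int, new: int) -> list[str]:
    """Flags that differ between two values other than ACCOUNTDISABLE.
    A non-empty result after a delegated write means the delegate used
    the attribute for more than enable/disable, which is what the
    attribute-level grant allows and what an audit review should look for."""
    return decode((old ^ new) & ~ACCOUNTDISABLE)


if __name__ == "__main__":
    before = 0x0200                      # NORMAL_ACCOUNT, enabled (constructed)
    after = set_disabled(before, True)   # what a plain disable should produce
    print(decode(before), "->", decode(after))
    # Constructed case: the same write permission also permits clearing
    # password expiry, which no disable/enable task needs.
    unexpected = after | 0x10000
    print("changes beyond disable:", changes_beyond_disable(before, unexpected))
```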
Re: [ActiveDir] Delegate disable/enable user accounts
WP on the user object's userAccountControl attribute.
Re: [ActiveDir] next available RID?
Almeida Pinto, Jorge de wrote: (...)

Good information as always

--
Tomasz Onyszko
http://www.w2k.pl
RE: [ActiveDir] Delegate disable/enable user accounts
... which is exactly why 3rd party vendors offer proxied user account admin tools, which can help to address this 'issue'. [I am not suggesting that the proxied approach is 'better' but simply that it may meet the poster's requirements.]

neil

From: [EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 06 December 2005 13:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

read/write permission on the useraccountcontrol attribute of the user object.

HOWEVER... the disabled/enabled status of a user object is represented by a bit/flag in the useraccountcontrol attribute and that same attribute consists of more bits/flags. So if you delegate read/write permission on the useraccountcontrol, you delegate control on all of the bits/flags represented in that useraccountcontrol attribute. It may not be what you want.

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Tue 6-12-2005 14:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate disable/enable user accounts

Does anyone know off the top of their head the permissions required for delegation of disabling and enabling user accounts, or have a link? Google is failing me... or rather me failing google
RE: [ActiveDir] Delegate disable/enable user accounts
WP? Write permissions? Is that all the group would need?

From: [EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, December 06, 2005 8:48 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate disable/enable user accounts

WP on the user object's userAccountControl attribute.
[ActiveDir] Auditing permissions changes to a folder/disk/file
All,

I am trying to audit changes to the permissions to a folder. So far: I have changed the local computer audit policy to audit success and failures of object access. I have enabled auditing on a folder for Everyone and put a check in the box for Change Permissions success and failures. I then change the permissions on the folder. Security log for the system does not log anything. Any thoughts on what step I may have missed or what could cause the Security log to not log any data?

Nate

From: [EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Monday, December 05, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Saved Query for Distinguished Name Contains

Thanks for the scoop, Joe!!! And yes, I LOVE ADFIND, but it doesn't provide a result set within the MMC. I'm trying to do an MMC (AD UC snap-in) Saved Query as the basis for a custom Taskpad. Sorry I wasn't clear about that. Guess I'm out of luck. Thanks again, though! At least I know not to keep beating my head against the wall!

Dan

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Saved Query for Distinguished Name Contains

It seems I have been answering a lot of questions like this lately... You can not put parts of the DN into the LDAP query. The only way to control what branches a query looks at are 1. Permissions 2. Search base 3. Search scope. You need to be the most specific you need to be to either include or exclude various branches of the tree.

That being said, someone who wanted to have those specific branches filtered out or filtered in to the outputted return set but didn't mind actually returning a lot more data could look to see if they can find a tool that was written by someone bright enough to add options to let you do that. Hey there is one... It is called adfind and has excldn and incldn switches to allow you to specify portions of a DN of objects you would like outputted. FYI, there is a bug in the objects returned counter when using incldn, I have to go in and fish it out of there. It is because I cut and pasted the excldn code to produce the incldn section. ;o)

Anyway, your query would look something like

adfind -default -f objectcategory=computer -incldn ou=workstations

Keep in mind though that every computer in your org will be passed back to your client so if you have 100k computers and only 10 are in the ou=workstations ou's it will seem AWFULLY SLOW. There is no way for me to get around that.

joe

From: [EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Sunday, December 04, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Saved Query for Distinguished Name Contains

Hey, all! I am trying to create a saved query to pull out computers that exist within a WORKSTATIONS ou; and that OU may exist within several higher-level OUs, i.e. distinguishedName=*OU=Workstations* but the Saved Queries interface in ADUC doesn't seem to like distinguishedName (I've also tried dn= and DN=). Any ideas, please?

Dan Holme
RE: [ActiveDir] Auditing permissions changes to a folder/disk/file
Is the audit policy at the domain or OU level over riding the local policy settings? Generate a RSOP report to determine the effective settings. neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNASent: 06 December 2005 14:26To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Auditing permissions changes to a folder/disk/file All, I am trying to audit changes to the permissions to a folder. So far: I have changed the local computer audit policy to audit success and failures of object access. I have enabled auditing on a folder for Everyone and put a check in the box for Change Permissions success and failures. I then change the permissions on the folder. Security log for the system does not log anything. Any thoughts on what step I may have missed or what could cause the Security log to not log any data? Nate From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan HolmeSent: Monday, December 05, 2005 6:36 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Saved Query for Distinguished Name Contains Thanks For the scoop, Joe!!! And yes, I LOVE ADFIND, but it doesnt provide a result set within the MMC Im trying to do an MMC (AD UC snap-in) Saved Query as the basis for a custom Taskpad Sorry I wasnt clear about that. Guess Im out of luck. Thanks again, though! At least I know not to keep beating my head against the wall! Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Monday, December 05, 2005 3:20 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Saved Query for Distinguished Name Contains It seems I have been answering a lot of questions like this lately... You can not put parts of the DN into the LDAP query. The only way to control what branches a query looks at are 1. Permissions 2. Search base 3. Search scope. You need to be the most specific you need to be to either include or exclude various branches of the tree. 
That being said, someone who wanted to have those specific branches filtered out or filtered in to the outputted return set but didn't mind actually returning a lot more data could look to see if they can find a tool that was written by someone bright enough to add options to let you do that. Hey there is one... It is called adfind and has excldn and incldn switches to allow you to specify portions of a DN of objects you would like outputted. FYI, there is a bug in the objects returned counter when using incldn, I have to go in and fish it out of there. It is because I cut and pasted the excldn code to produce the incldn section. ;o) Anyway, your query would look something like adfind -default -f objectcategory=computer -incldn ou=workstations Keep in mind though that every computer in your org will be passed back to your client so if you have 100k computers and only 10 are in the ou=workstations ou's it will seem AWFULLY SLOW There is no way for me to get around that. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan HolmeSent: Sunday, December 04, 2005 2:18 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Saved Query for Distinguished Name Contains Hey, all! I am trying to create a saved query to pull out computers that exist within a WORKSTATIONS ou; and that OU may exist within several higher-level OUs, i.e. distinguishedName=*OU=Workstations* but the Saved Queries interface in ADUC doesnt seem to like distinguishedName (Ive also tried dn= and DN=). Any ideas, please? Dan HolmePLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. 
Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member
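The adfind -incldn/-excldn behaviour joe describes in the quoted thread, as an added illustration (this is not adfind's code): the server can only scope by search base, scope and permissions, so the DN test runs on the client after every matching object has already crossed the wire. The sample result set is constructed, and substring matching on the DN is this example's assumption about how the switches behave.

```python
"""Client-side DN filtering of the kind adfind's -incldn/-excldn switches do.

Added example, not adfind's own code. It models why
  adfind -default -f objectcategory=computer -incldn ou=workstations
still transfers every computer object to the client: LDAP filters cannot
match substrings of distinguishedName, so the DN test happens after the
data arrives.
"""

# Constructed sample result set, as an LDAP client library might return it
# for "(objectCategory=computer)" against the default naming context.
SAMPLE_RESULTS = [
    ("CN=WS001,OU=Workstations,OU=London,DC=example,DC=com", {"dNSHostName": "ws001.example.com"}),
    ("CN=WS002,OU=Workstations,OU=Paris,DC=example,DC=com", {"dNSHostName": "ws002.example.com"}),
    ("CN=SRV01,OU=Servers,OU=London,DC=example,DC=com", {"dNSHostName": "srv01.example.com"}),
    ("CN=DC01,OU=Domain Controllers,DC=example,DC=com", {"dNSHostName": "dc01.example.com"}),
    ("CN=WS003,OU=Workstations,OU=Lab,OU=Paris,DC=example,DC=com", {"dNSHostName": "ws003.example.com"}),
    ("CN=KIOSK1,OU=Kiosks,OU=Workstations,OU=London,DC=example,DC=com", {"dNSHostName": "kiosk1.example.com"}),
]


def dn_contains(dn, fragment):
    """Case-insensitive substring test, mirroring the *OU=Workstations*
    wildcard the original poster wanted. Whether adfind matches whole RDNs
    or substrings is not stated in the thread; substring matching is this
    example's assumption, so 'ou=lab' would also match 'OU=Laboratory'."""
    return fragment.lower() in dn.lower()


def filter_by_dn(results, incldn=(), excldn=()):
    """Keep entries whose DN contains any incldn fragment (when incldn is
    given) and none of the excldn fragments. Exclusion wins over inclusion."""
    kept = []
    for dn, attrs in results:
        if incldn and not any(dn_contains(dn, f) for f in incldn):
            continue
        if any(dn_contains(dn, f) for f in excldn):
            continue
        kept.append((dn, attrs))
    return kept


def search_report(results, incldn=(), excldn=()):
    """Summarise the cost: everything in `results` crossed the wire, only
    the filtered subset is displayed. 'returned' is counted from the
    filtered list, the counter joe says adfind currently gets wrong for -incldn."""
    kept = filter_by_dn(results, incldn, excldn)
    return {
        "transferred": len(results),
        "returned": len(kept),
        "dns": [dn for dn, _ in kept],
    }


if __name__ == "__main__":
    report = search_report(SAMPLE_RESULTS, incldn=["ou=workstations"], excldn=["ou=lab"])
    print(f"{report['transferred']} objects transferred, {report['returned']} returned")
    for dn in report["dns"]:
        print(" ", dn)
```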
RE: [ActiveDir] Auditing permissions changes to a folder/disk/fil e
There is no overriding taking place. Object access Success and failures are the effective settings. No RSOP, it's a 2K box.

Nate

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auditing permissions changes to a folder/disk/file

Is the audit policy at the domain or OU level overriding the local policy settings? Generate a RSOP report to determine the effective settings.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA
Sent: 06 December 2005 14:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Auditing permissions changes to a folder/disk/file

All,

I am trying to audit changes to the permissions to a folder. So far:
I have changed the local computer audit policy to audit success and failures of object access.
I have enabled auditing on a folder for Everyone and put a check in the box for Change Permissions success and failures.
I then change the permissions on the folder.
Security log for the system does not log anything.

Any thoughts on what step I may have missed or what could cause the Security log to not log any data?

Nate

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Monday, December 05, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Saved Query for Distinguished Name Contains

Thanks for the scoop, Joe!!! And yes, I LOVE ADFIND, but it doesn't provide a result set within the MMC. I'm trying to do an MMC (AD UC snap-in) Saved Query as the basis for a custom Taskpad. Sorry I wasn't clear about that. Guess I'm out of luck. Thanks again, though! At least I know not to keep beating my head against the wall!
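The two conditions behind Nate's silent Security log, modelled as an added example (constructed for this thread, not Windows code): the effective Object Access audit policy after GPO precedence, which is what neil's RSOP suggestion would show, and a SACL audit ACE that names a SID in the caller's token, carries the flag for the outcome, and includes the WRITE_DAC right behind "Change Permissions". The policy layers, SACL and token SIDs are constructed sample data.

```python
"""Why a "Change Permissions" audit entry can fail to appear: both the
effective audit policy and the folder's SACL must cover the access.

Added example, not Windows code. Two checks are modelled:
  1. GPO precedence: a domain or OU policy that explicitly configures
     Object Access auditing overrides the local setting (RSOP shows the winner).
  2. SACL matching: an audit ACE must name a SID present in the caller's
     token, include the requested right, and carry the success or failure
     flag matching the outcome. On Windows 2000/2003 a hit surfaces as the
     Object Open event (560) in the Security log.
"""
from dataclasses import dataclass

WRITE_DAC = 0x00040000             # access right behind "Change Permissions"
READ_CONTROL = 0x00020000          # reading the security descriptor only
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40  # audit ACE flag: log successful use
FAILED_ACCESS_ACE_FLAG = 0x80      # audit ACE flag: log failed attempts
EVERYONE = "S-1-1-0"


@dataclass
class AuditAce:
    sid: str
    mask: int
    flags: int


def effective_object_access_policy(layers):
    """`layers` lists (name, setting) from lowest to highest precedence,
    e.g. local, site, domain, OU. A setting is a set drawn from
    {"success", "failure"}; None means 'not configured' and leaves the
    lower layer in force, while an explicit empty set ("No auditing")
    switches the category off. Returns (winning_layer, setting)."""
    winner, setting = "default", set()
    for name, value in layers:
        if value is not None:
            winner, setting = name, set(value)
    return winner, setting


def would_log(policy_layers, sacl, token_sids, requested_mask, succeeded):
    """Return 'logged', or the first reason the Security log stays silent."""
    layer, setting = effective_object_access_policy(policy_layers)
    outcome = "success" if succeeded else "failure"
    if outcome not in setting:
        return f"policy: Object Access {outcome} auditing is off (set by {layer})"
    want_flag = SUCCESSFUL_ACCESS_ACE_FLAG if succeeded else FAILED_ACCESS_ACE_FLAG
    for ace in sacl:
        if ace.sid in token_sids and ace.mask & requested_mask and ace.flags & want_flag:
            return "logged"
    return "sacl: no audit ACE covers this SID, right and outcome"


# Constructed scenario matching the original post: local policy audits
# success and failure; the folder SACL audits Everyone for Change Permissions.
FOLDER_SACL = [AuditAce(EVERYONE, WRITE_DAC, SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG)]
ADMIN_TOKEN = {"S-1-5-21-1-2-3-500", EVERYONE}  # placeholder user SID plus Everyone
LOCAL_ONLY = [("local", {"success", "failure"}), ("domain", None)]
DOMAIN_OVERRIDE = [("local", {"success", "failure"}), ("domain", set())]  # domain GPO: "No auditing"

if __name__ == "__main__":
    for name, layers in (("local only", LOCAL_ONLY), ("domain override", DOMAIN_OVERRIDE)):
        print(f"{name}: {would_log(layers, FOLDER_SACL, ADMIN_TOKEN, WRITE_DAC, True)}")
```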
Re: [ActiveDir] Moral of this story...don't move the log files
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
When you perform a system state backup on a domain controller that is running Windows Server 2003 with Service Pack 1, Backup may fail: http://support.microsoft.com/?kbid=909265

Funny, I just ran across that yesterday too.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Getting computer name from a username
Hello Shane,

look at psloggedon from www.sysinternals.com, this might help you.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shane De Jager
|Sent: Thursday, December 01, 2005 10:50 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Getting computer name from a username
|
|Hi,
|
|Is there a way you can tell which computer a user has logged onto just from his username?
|
|--
|Shane De Jager
|Technical Developer
|
|INTERGAGE
|High-performance, updateable Web sites
|
|Switchboard +44 (0)845 456 1022
|==
|www.intergage.co.uk
|[EMAIL PROTECTED]
|
|Are you aware of our referral scheme? Learn how you could profit personally from passing us leads.
|
|Click here to pass a referral: www.intergage.co.uk/referrals
RE: [ActiveDir] Delegate disable/enable user accounts
Man, read/write to useraccountcontrol seems to enable a user to delete a mailbox too.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 06, 2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

read/write permission on the useraccountcontrol attribute of the user object.

HOWEVER... the disabled/enabled status of a user object is represented by a bit/flag in the useraccountcontrol attribute and that same attribute consists of more bits/flags. So if you delegate read/write permission on the useraccountcontrol, you delegate control on all of the bits/flags represented in that useraccountcontrol attribute. It may not be what you want

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Tue 6-12-2005 14:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate disable/enable user accounts

Does anyone know off the top of their head the permissions required for delegation of disabling and enabling user accounts, or have a link? Google is failing me...or rather me failing google

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

attachment: winmail.dat
RE: [ActiveDir] Delegate disable/enable user accounts
No, useraccountcontrol mainly holds the fields you see in the checkboxes of the account tab, such as logon with smartcard, must not change password a.s.o. You can not delegate deletion of mailboxes in AD only, you also need to give rights in the exchange store as well.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, December 06, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

Man, read/write to useraccountcontrol seems to enable a user to delete a mailbox too.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 06, 2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

read/write permission on the useraccountcontrol attribute of the user object.

HOWEVER... the disabled/enabled status of a user object is represented by a bit/flag in the useraccountcontrol attribute and that same attribute consists of more bits/flags. So if you delegate read/write permission on the useraccountcontrol, you delegate control on all of the bits/flags represented in that useraccountcontrol attribute. It may not be what you want

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Tue 6-12-2005 14:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate disable/enable user accounts

Does anyone know off the top of their head the permissions required for delegation of disabling and enabling user accounts, or have a link?
RE: [ActiveDir] Delegate disable/enable user accounts
Hmmm, is there the possibility that permissions are granted before even clicking Finish in the delegation wizard? The reason I ask is because I created a test user, started clicking on perms in the delegation wizard just to see what happened (without clicking on the Finish button), then clicked the back button, cancelled, and started the wizard again. When I started the wizard again, I instead put a group which I then made that same user a member of, then delegated them just the RW on useraccountcontrol. After I found out that I was able to delete a mailbox in that OU, I thought I had better check the effective permissions. The user had all kinds of permissions. I then added another new user to the group that had been delegated rights and that user only had the specific rights that it should have. Does this sound bogus?

From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 10:09 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

Man, read/write to useraccountcontrol seems to enable a user to delete a mailbox too.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 06, 2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

read/write permission on the useraccountcontrol attribute of the user object.

HOWEVER... the disabled/enabled status of a user object is represented by a bit/flag in the useraccountcontrol attribute and that same attribute consists of more bits/flags. So if you delegate read/write permission on the useraccountcontrol, you delegate control on all of the bits/flags represented in that useraccountcontrol attribute. It may not be what you want

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Tue 6-12-2005 14:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate disable/enable user accounts

Does anyone know off the top of their head the permissions required for delegation of disabling and enabling user accounts, or have a link? Google is failing me...or rather me failing google
RE: [ActiveDir] Delegate disable/enable user accounts
I agree that you can't delete mailboxes with WP to userAccountControl. However you don't need store access to delete mailboxes, or more accurately to disconnect them. You do need store access (admin rights on the Exchange server) to purge a mailbox.

To delegate deletion of mailboxes you simply delegate WP to the list of all Exchange attributes that can be applied to a user object. While the GUI/CDOEXM may give you crap about it a simple LDAP write will work (which is what ExchMbx uses for the -clear option).

You also don't need store or Exchange Admin (any level rights) to create a mailbox, having access to about 2 attributes in AD is all that is required. But again, GUI/CDOEXM will complain. The next version of ExchMbx should have that functionality implemented to work with only those two attributes being delegated.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, December 06, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

No, useraccountcontrol mainly holds the fields you see in the checkboxes of the account tab, such as logon with smartcard, must not change password a.s.o. You can not delegate deletion of mailboxes in AD only, you also need to give rights in the exchange store as well.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, December 06, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

Man, read/write to useraccountcontrol seems to enable a user to delete a mailbox too.
RE: [ActiveDir] Delegate disable/enable user accounts
Yep WP on userAccountControl. But again, the caveats others have mentioned, it gives the person ability to modify quite a bit on an account.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, December 06, 2005 9:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

WP? Write permissions? Is that all the group would need?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, December 06, 2005 8:48 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate disable/enable user accounts

WP on the user object's userAccountControl attribute.
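The caveat Jorge and joe raise, worked through as an added example that is not from the thread: WP on userAccountControl is the one write needed to flip ACCOUNTDISABLE, but the same write reaches every other flag packed into that integer. The bit values are the documented userAccountControl flags; the helper names, and the idea of diffing before/after values to spot a delegate changing more than the disabled bit, are this example's own.

```python
"""Decode userAccountControl and spot a delegate who changed more than the
disabled bit. Added example; the bit values are the documented
userAccountControl flags, the functions are this example's.

WP (write property) on userAccountControl is the attribute write needed to
disable or enable an account, but it covers every flag stored in that
integer, which is the caveat raised in the thread.
"""

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",             # reported, not settable by a direct write
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",  # reported, actually enforced through an ACE
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x00000002


def decode_uac(value):
    """Names of the flags set in `value`, in ascending bit order."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def set_disabled(value, disabled):
    """The only edit a 'disable/enable accounts' delegate is meant to make."""
    return value | ACCOUNTDISABLE if disabled else value & ~ACCOUNTDISABLE


def unexpected_changes(before, after, allowed=("ACCOUNTDISABLE",)):
    """Flags that differ between two userAccountControl values, minus the
    ones the delegation is supposed to permit. Feed it the old and new
    values from a directory change record to catch a delegate using the
    broader write that the attribute-level grant actually confers."""
    changed = before ^ after
    return {name for bit, name in UAC_FLAGS.items() if changed & bit} - set(allowed)


if __name__ == "__main__":
    normal = 0x200                       # NORMAL_ACCOUNT, enabled
    print(decode_uac(set_disabled(normal, True)))
    tampered = 0x40222                   # disabled, plus PASSWD_NOTREQD and SMARTCARD_REQUIRED
    print(sorted(unexpected_changes(normal, tampered)))
```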
RE: [ActiveDir] Ntds.dit file corruption
Ack you left Alliance. Well crap.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, December 06, 2005 12:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

For full disclosure I am no longer in the Microsoft Services organization, I was the last time Joe talked to me where I was an Advisory Support Engineer (AKA Alliance Support). I am now a Product Technology Specialist for Directories and Identities in Microsoft's technical pre-sales organization. Not that it changes the answer below. :-)

Thanks,
-Steve

Steve Linehan | Technology Specialist Directories Identities | South Central District | Microsoft Corporation

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

RODCs are a LongHorn feature. It will be one-way replication to the RODCs. They will not replicate out anything. If you are on the LongHorn beta you should be able to test this right now.

But as Steve (one of the really good PSS guys) said and I can concur as I have seen my share of corrupted DITs, the corruption doesn't replicate. In every case I have seen it the problem has been hardware failure or a firmware/driver matchup issue in the disk subsystem. Fixing them is easy, wipe the machine, do hardware tests, if it passes, do it again. If it passes do it a third time. If it passes, reload and repromo. If it fails one of the tests, get the hardware fixed, reload, and repromo. If SBS, well you have all sorts of issues in that basket as your eggs leak.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I was not aware that Microsoft had incorporated such a feature in AD 2003.
RE: [ActiveDir] Ntds.dit file corruption
I may get into trouble with this post as Brett/Eric/Dean/Steve correct me... But that will be good.

I will start with trying to differentiate between types of corruption... My idea of AD corruption is underlying table corruption. However some people may consider bad (really unexpected) values in AD to be corruption. The last isn't corruption, AD is simply a store of data, it passes no judgement on the data as long as it fits the schema guidelines for the attribute. If you have the DN of a user in the siteObject attribute that isn't corruption, it isn't good, but it is valid for the schema. Or if you have binary data in a unicode string, again, not corruption (a unicode string IS binary data). That being said, if apps (including parts of AD itself) hit unexpected data, you will have some issues even if it isn't truly "corruption" it may as well be in some cases. In fact, table corruption is probably better than unexpected data in many cases.

You might be able to argue that a USN rollback is corruption but I still don't consider it so. Valid data, just out of step.

Again corruption to me is in the underlying tables. Since AD doesn't replicate the table structures, you can't pass that table corruption around. Once AD realizes that some portion of the database is corrupt which would probably be recognized by ESE saying, "that isn't right" and not passing info back up to higher levels, but instead passing an error.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 3:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Is this guaranteed? How can we/you be sure that the system will recognise the corruptions and therefore not replicate them? Surely this is akin to the new feature added to e2k3 sp1, but which is (sadly) missing from AD(?) I must be missing a subtle point - please show me the light :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 05 December 2005 19:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

We do not replicate corruption so if you have local corruption as noted below there is no worry that it would replicate around to other servers in the environment.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DC's take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DC's will work to comment on that?

Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center ( Which is probably close to usable life ).
RE: [ActiveDir] Ntds.dit file corruption
BDC.. Yes and no.. Yes it is read only copy of the PDC's database, but no you do not have an option to choose.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sullivan Tim
Sent: Monday, December 05, 2005 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

BDC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A Contr WROCI/Enterprise IT
Sent: Monday, December 05, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Novell.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD premier support specialists and they each confirmed it was not available ( However it may have been added in a service pack ). I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DC's take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DC's will work to comment on that?
Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center ( Which is probably close to usable life ). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DC's in the Forest. Maybe I am just being a worry wart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-)
I think I still said all I know is what the poster said :-)
I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up.
What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:
She replied offline, very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed: http://blogs.technet.com/efleis/archive/2005/01.aspx

Anyway, this kind of thing is usually hardware ... While there are much better disk sub-system testers, one that is freely available to any box with Exchange is jetstress. You might give that a try. If you can reproduce the event / error with jetstress I would not use that box in production. If you do reproduce the issue several times (several times is key, as you want a trend before you start playing the variable game), some things you might vary (one at a time):
- Try making sure you have the latest
RE: [ActiveDir] Client Shows IPv6
That's due to the fact that IPv6 was installed. You can uninstall it from the local area connection's properties.

-Navroz

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Tuesday, December 06, 2005 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Client Shows IPv6

Is there a reason why one of my clients is showing in DNS using IPv6? Here is a picture.

Environment: Windows 2003 AD

-Z.V.
RE: [ActiveDir] Ntds.dit file corruption
Well you have the option to choose what DCs will be RODCs or which will be normal, you just don't have the ability to switch on the fly. Also the replication mechanism isn't the same as the NT4 PDC/BDC relationship. It is the AD replication, but nothing can pull from an RODC. Also, you will probably be able to make someone an Admin on an RODC for local server stuff who doesn't have admin rights on other DCs.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Tuesday, December 06, 2005 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

BDC.. Yes and no.. Yes it is a read only copy of the PDC's database, but no you do not have an option to choose.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sullivan Tim
Sent: Monday, December 05, 2005 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

BDC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carpenter Robert A Contr WROCI/Enterprise IT
Sent: Monday, December 05, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Novell.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD premier support specialists and they each confirmed it was not available (however it may have been added in a service pack). I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DCs take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DCs will work to comment on that?

Phil
Re: [ActiveDir] Ntds.dit file corruption
Additional Domain controller. BDC is an NT4 concept and in my book NT4 is dead ;-)

Medeiros, Jose wrote:

BDC.. Yes and no.. Yes it is a read only copy of the PDC's database, but no you do not have an option to choose.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
[ActiveDir] LDAP Traffic Replay
Is anyone aware of a tool that will sit and watch LDAP traffic and track the threads/clients/etc and then be able to replay that traffic? Basically I am looking for a way to better judge DC perf in relation to Exchange LDAP queries. Setting up a whole Exchange environment to test the DCs is testing both Exchange and the DC and I am looking to try and narrow that to just AD so I can answer some of the questions of GC/DC capacity better than the 4:1 ratio business which everyone says isn't that great but doesn't seem to have anything easy to do that is better. I would like to track traffic to production GC/DCs and then be able to replay that LDAP load as desired over and over again against various pieces of hardware with different configs.

joe
RE: [ActiveDir] Ntds.dit file corruption
In the Microsoft book it is dead too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 06, 2005 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Additional Domain controller. BDC is an NT4 concept and in my book NT4 is dead ;-)
RE: [ActiveDir] Ntds.dit file corruption
Hi Susan,

With all due respect, I think you missed the point. The concept of having a read only DC is similar to a BDC since a BDC only has a read only copy of the PDC's database. In some situations you may want a read only DC at a small remote office, which would help reduce replication traffic. Also most technologies are built on past concepts and are hierarchical. Understanding one concept helps you to understand the logic in another.

Peace!

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 06, 2005 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Additional Domain controller. BDC is an NT4 concept and in my book NT4 is dead ;-)
RE: [ActiveDir] LDAP Traffic Replay
Ethereal. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, December 06, 2005 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Traffic Replay

Is anyone aware of a tool that will sit and watch LDAP traffic and track the threads/clients/etc and then be able to replay that traffic? Basically I am looking for a way to better judge DC perf in relation to Exchange LDAP queries. Setting up a whole Exchange environment to test the DCs is testing both Exchange and the DC and I am looking to try and narrow that to just AD so I can answer some of the questions of GC/DC capacity better than the 4:1 ratio business which everyone says isn't that great but doesn't seem to have anything easy to do that is better. I would like to track traffic to production GC/DCs and then be able to replay that LDAP load as desired over and over again against various pieces of hardware with different configs.

joe
RE: [ActiveDir] LDAP Traffic Replay
Oops.. almost forgot. WildPackets: http://www.wildpackets.com/

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Tuesday, December 06, 2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Traffic Replay

Ethereal. :-)
RE: [ActiveDir] LDAP Traffic Replay
The Winternals AD Insight thing may do this

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, December 06, 2005 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Traffic Replay

Is anyone aware of a tool that will sit and watch LDAP traffic and track the threads/clients/etc and then be able to replay that traffic? Basically I am looking for a way to better judge DC perf in relation to Exchange LDAP queries. Setting up a whole Exchange environment to test the DCs is testing both Exchange and the DC and I am looking to try and narrow that to just AD so I can answer some of the questions of GC/DC capacity better than the 4:1 ratio business which everyone says isn't that great but doesn't seem to have anything easy to do that is better. I would like to track traffic to production GC/DCs and then be able to replay that LDAP load as desired over and over again against various pieces of hardware with different configs.

joe
Re: [ActiveDir] Ntds.dit file corruption
True, but right now, today, we have what we have. From what I'm hearing the corruption won't be replicated, but a longer term solution won't be in play until Longhorn/Vista.

Medeiros, Jose wrote:

Hi Susan,

With all due respect, I think you missed the point. The concept of having a read only DC is similar to a BDC since a BDC only has a read only copy of the PDC's database. In some situations you may want a read only DC at a small remote office, which would help reduce replication traffic. Also most technologies are built on past concepts and are hierarchical. Understanding one concept helps you to understand the logic in another.

Peace!

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
RE : [ActiveDir] LDAP Traffic Replay
Hi,

tcpreplay might help you. Here you can find it: http://tcpreplay.sourceforge.net/

Here is an extract from the FAQ: http://tcpreplay.sourceforge.net/FAQ/node2.html#SECTION00021

Yann

From: [EMAIL PROTECTED] on behalf of joe
Date: Tue 06/12/2005 18:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Traffic Replay

Is anyone aware of a tool that will sit and watch LDAP traffic and track the threads/clients/etc and then be able to replay that traffic? Basically I am looking for a way to better judge DC perf in relation to Exchange LDAP queries. Setting up a whole Exchange environment to test the DCs is testing both Exchange and the DC and I am looking to try and narrow that to just AD so I can answer some of the questions of GC/DC capacity better than the 4:1 ratio business which everyone says isn't that great but doesn't seem to have anything easy to do that is better. I would like to track traffic to production GC/DCs and then be able to replay that LDAP load as desired over and over again against various pieces of hardware with different configs.

joe
RE: [ActiveDir] LDAP Traffic Replay
Insight for AD doesn't replay traffic but it will capture LDAP client activity on a per process level.

Joe, have you looked at Server Performance Advisor 2.0 to get some of these metrics? It doesn't help with the replayability but it does help characterize load based on AD-specific events.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, December 06, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Traffic Replay

The Winternals AD Insight thing may do this

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] Ntds.dit file corruption
True.. But by bringing it up (which is what you did when your SBS server's NTDS.DIT file became corrupt) we hopefully can encourage the Microsoft team that monitors this list into incorporating such features in the next release.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 06, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

True, but right now, today, we have what we have. From what I'm hearing the corruption won't be replicated, but a longer term solution won't be in play until Longhorn/Vista.
RE: [ActiveDir] remove logon script?
This will work for the currently logged in domain right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove logon script?

One tiny correction :)

adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath:-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, December 05, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove logon script?

Adfind and admod from joeware.net

adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath-

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, December 05, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove logon script?

How can I remove the logon.bat from all my user (2000+) accounts at one time in my domain? I've switched to GPO for the logon scripts.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

__
This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] LDAP Traffic Replay
Yeah, thanks Darren, I was starting to think I was going to have to do something with the Event Tracing capability which is what SPA uses. I was hoping to be able to find something already created, don't want to invent the solution. Prefer a tool that does it already, barring that something that could be slapped together with perl scripts.

I agree that AD Insight doesn't have replay capability. It also doesn't fit this very well for a couple of reasons (this is for the benefit of the crowd).

1. Only runs from the client side, can't hook at the DC.
2. It isn't very stable on Exchange. I think Exchange is a bit much for it.
3. When Exchange uses Ranged Retrieval Insight doesn't see the traffic, which seems to mean that Exchange doesn't use the standard LDAP library when doing the ranged queries because Insight hooks WLDAP32.

As for the others, Ethereal doesn't replay to my knowledge and it has trouble decoding larger LDAP queries anyway. I think tcpreplay will be at too low a level. Never heard of Wildpackets, I will check it out.

thanks everyone.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, December 06, 2005 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Traffic Replay

Insight for AD doesn't replay traffic but it will capture LDAP client activity on a per process level. Joe, have you looked at Server Performance Advisor 2.0 to get some of these metrics? It doesn't help with the replayability but it does help characterize load based on AD-specific events.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, December 06, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Traffic Replay

The Winternals AD Insight thing may do this

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 06, 2005 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Traffic Replay

Is anyone aware of a tool that will sit and watch LDAP traffic and track the threads/clients/etc and then be able to replay that traffic? Basically I am looking for a way to better judge DC perf in relation to Exchange LDAP queries. Setting up a whole Exchange environment to test the DCs is testing both Exchange and the DC and I am looking to try and narrow that to just AD so I can answer some of the questions of GC/DC capacity better than the 4:1 ratio business which everyone says isn't that great but doesn't seem to have anything easy to do that is better. I would like to track traffic to production GC/DCs and then be able to replay that LDAP load as desired over and over again against various pieces of hardware with different configs.

joe
RE: [ActiveDir] Ntds.dit file corruption
I think the topic shifted a little, specifically it shifted from the corruption aspect and into the concept of read only DCs. The read only DCs really have no bearing on directory corruption. I haven't seen details on what kind of corruption and how it was detected but if it is real corruption that is ESE level and not much AD can do about it but ESE can do things about it like the single bit correction he pointed out.

Anyway, I don't expect RODCs to be a big hit for SBS deployments. ;o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 06, 2005 1:08 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

True, but right now, today, we have what we have. From what I'm hearing the corruption won't be replicated, but a longer term solution won't be in play until Longhorn/Vista.
RE: [ActiveDir] remove logon script?
It works against the current default domain which is the domain of the default domain controller. You can determine what that is with

adfind -default -s base -dn

If you want it to work against another domain, remove -default and add -b domain_dn (i.e. change the search base of the adfind query).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, December 06, 2005 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove logon script?

This will work for the currently logged in domain right?
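The adfind | admod one-liner in this thread selects the DNs and clears scriptPath in a single pipeline. As an added example (not from the thread, and not joeware's code), here is the same selection done in Python against constructed sample entries, producing an LDIF change set that can be diffed and reviewed before it is applied with ldifde -i. It also shows the caveat a practitioner will want before running the bulk change: (scriptpath=logon.bat) is an exact (case-insensitive) match, so a value such as \\dc1\netlogon\logon.bat is left untouched unless a substring filter like (scriptpath=*logon.bat) is used. The DNs, scriptPath values and output file name below are made up for the example.

```python
"""Plan the scriptPath cleanup from the thread as a reviewable LDIF change set.

Added example, not the thread's own tooling. SAMPLE_USERS is constructed data
standing in for an export of (&(objectCategory=person)(objectClass=user)).
"""
import base64
import re

SAMPLE_USERS = [  # constructed, not real directory data
    {"dn": "CN=Ann Adams,OU=Staff,DC=example,DC=com", "scriptPath": "logon.bat"},
    {"dn": "CN=Bob Brown,OU=Staff,DC=example,DC=com", "scriptPath": "LOGON.BAT"},
    {"dn": "CN=Cy Chen,OU=Staff,DC=example,DC=com",
     "scriptPath": r"\\dc1\netlogon\logon.bat"},
    {"dn": "CN=Di Diaz,OU=Staff,DC=example,DC=com", "scriptPath": "finance.vbs"},
    {"dn": "CN=Éva Erdős,OU=Staff,DC=example,DC=com", "scriptPath": "logon.bat"},
    {"dn": "CN=svc-backup,OU=Service,DC=example,DC=com"},  # attribute not set
]


def ldap_match(value: str, pattern: str) -> bool:
    """Mimic an LDAP equality/substring filter on a case-insensitive string
    attribute such as scriptPath: '*' is the only wildcard, everything else
    matches literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def select_users(users, pattern: str) -> list:
    """Return the DNs whose scriptPath matches `pattern`, in input order.
    Users without the attribute never match, just as in the directory."""
    return [u["dn"] for u in users
            if "scriptPath" in u and ldap_match(u["scriptPath"], pattern)]


def dn_line(dn: str) -> str:
    """LDIF allows a bare 'dn:' only for SAFE-STRINGs (RFC 2849): ASCII,
    printable, no leading space/colon/'<', no trailing space. Anything else
    (the non-ASCII name above) must be base64-encoded and written as 'dn::'."""
    safe = (dn.isascii() and dn.isprintable()
            and not dn.startswith((" ", ":", "<")) and not dn.endswith(" "))
    if safe:
        return f"dn: {dn}"
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def build_ldif(dns) -> str:
    """One 'changetype: modify / delete: scriptPath' record per DN. A delete
    with no value removes the whole attribute, which is what
    'admod scriptpath:-' does in the thread's pipeline."""
    records = [f"{dn_line(dn)}\nchangetype: modify\ndelete: scriptPath\n-\n"
               for dn in dns]
    return "\n".join(records)


if __name__ == "__main__":
    exact = select_users(SAMPLE_USERS, "logon.bat")    # the thread's filter
    broad = select_users(SAMPLE_USERS, "*logon.bat")   # also catches UNC paths
    print(f"exact match: {len(exact)}  suffix match: {len(broad)}")
    # Review the output, then apply it with:  ldifde -i -f clear-scriptpath.ldf
    print(build_ldif(exact))
```

Running it prints "exact match: 3  suffix match: 4": the UNC-path user is missed by the thread's exact filter and only picked up by the substring one. Writing the LDIF out and applying it separately gives a change record that can be reviewed, counted against the expected 2000+ accounts, and reversed by restoring the original values if needed.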
RE: [ActiveDir] Ntds.dit file corruption
Great topic and, IMO, great answer ... I've only a few comments in addition to Joe's reply (inline).

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 06, 2005 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I may get into trouble with this post as Brett/Eric/Dean/Steve correct me... But that will be good.

[DAW] I'm fairly certain Brett will have something to say on this one (in his shoes, I know I would). [/DAW]

I will start with trying to differentiate between types of corruption... My idea of AD corruption is underlying table corruption. However some people may consider bad (really unexpected) values in AD to be corruption. The last isn't corruption, AD is simply a store of data, it passes no judgement on the data as long as it fits the schema guidelines for the attribute. If you have the DN of a user in the siteObject attribute that isn't corruption, it isn't good, but it is valid for the schema. Or if you have binary data in a unicode string, again, not corruption (a unicode string IS binary data). That being said, if apps (including parts of AD itself) hit unexpected data, you will have some issues even if it isn't truly "corruption"; it may as well be in some cases. In fact, table corruption is probably better than unexpected data in many cases.

You might be able to argue that a USN rollback is corruption but I still don't consider it so. Valid data, just out of step.

[DAW] That's an interesting one. If you treat the distributed database as a whole, then USN rollback is indeed a form of corruption even though each instance may deem itself consistent and intact. [/DAW]

Again corruption to me is in the underlying tables. Since AD doesn't replicate the table structures, you can't pass that table corruption around. Once AD realizes that some portion of the database is corrupt, which would probably be recognized by ESE saying "that isn't right" and not passing info back up to higher levels, but instead passing an error.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 3:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Is this guaranteed? How can we/you be sure that the system will recognise the corruptions and therefore not replicate them? Surely this is akin to the new feature added to e2k3 sp1, but which is (sadly) missing from AD(?) I must be missing a subtle point - please show me the light :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 05 December 2005 19:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

We do not replicate corruption so if you have local corruption as noted below there is no worry that it would replicate around to other servers in the environment.

Thanks,
-Steve
RE: [ActiveDir] Ntds.dit file corruption
My apologies to the list members for taking this issue slightly off topic, I hope that no one is offended by such remarks or the additional email.

Peace ! :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 06, 2005 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I think the topic shifted a little, specifically it shifted from the corruption aspect and into the concept of read only DCs. The read only DCs really have no bearing on directory corruption. I haven't seen details on what kind of corruption and how it was detected but if it is real corruption that is ESE level and not much AD can do about it but ESE can do things about it like the single bit correction he pointed out.

Anyway, I don't expect RODCs to be a big hit for SBS deployments. ;o)
RE: [ActiveDir] Ntds.dit file corruption
LOL. I enjoyed it which means it is all good as you all exist for my personal entertainment. ;o)

Well except for Laura, she exists to hound me to the end of my existence on commas.

very glad that you can't throw virtual vegetables at list posters

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, December 06, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

My apologies to the list members for taking this issue slightly off topic, I hope that no one is offended by such remarks or the additional email.

Peace ! :-)

Sincerely,
Jose Medeiros
RE: [ActiveDir] Ntds.dit file corruption
I stopped reading after "great answer"... :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, December 06, 2005 2:14 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Ntds.dit file corruption

Great topic and, IMO, great answer ... I've only a few comments in addition to Joe's reply (inline).
RE: [ActiveDir] Ntds.dit file corruption
I wouldn't say that, joe ... Let's take another hypothetical real quick. Let's say you have a column for the RDN of an AD object (well, we do) and that value is NULL. From AD's perspective this object is, well, not really an object; it would be corrupt, and might even crash lsass.exe (I don't know, it might). However, from ESE's perspective the table/row/column is valid: it has a particular column that doesn't have a value. A column which, I might add, is declared optional (real term is "tagged") in the ESE layer schema (real term is "catalog"). ESE is simply a store of data; it passes no judgement on the data as long as it fits the schema guidelines for the column. Joe, is the DB corrupt? An AD object without an RDN?

I have a tendency to think in layers and sources of corruption:

  App Logical Layer
  AD Logical Layer
  ESE Logical Layer
  [ESE] Physical Layer

Corruptions coming top down through that stack are protected by the schema configuration/constraints of that layer (as joe astutely pointed out). Corruptions coming bottom up, from disk sub-system hardware, are protected by whatever mechanisms those layers have. Dropping back to the above hypothetical, as an ESE dev I can say to the AD devs that until they can prove that ESE actually lost their column, it's most likely some sort of AD transactional problem, and the source is an AD bug. If I am feeling unbusy I will debug at the AD logical layer, because I know what it's supposed to look like.

Coming back to the original issue of replicating _this kind_ of corruption: a normal corruption coming bottom up, because the bits we (ESE) sent down to the disk subsystem were not the exact bits we got back later from the sub-system, is almost always detected by the fact that ESE checksums _every byte_ of its database pages ... and at this point everyone should be very thankful Win2k3 AD isn't on SQL 2000, because it has few such protections, though SQL 2005 finally caught up, 10 years after the fact; it's such a legacy DB, really ... anyway. When the corruption comes up from the bottom, what happens is ESE detects the data is not checksumming, logs an event, returns a -1018 error (in this case), and starts rejecting DB operations (such as JetSeek() / JetRetrieveColumn()) that involve that corrupt database page. AD then responds to these failed DB ops with: can't authenticate a user, can't return the results of a search, or can't read or apply data during replication (those 3 at least probably being the most common). In short the system starts limping, without affecting the rest of the distributed system.

Coming back to jose's worry of old hardware injecting bad data into the distributed system. Fortunately, when the disk subsystem goes bad, ESE does a pretty good job of protecting you, but there are other sources of corruption besides corruption; an especially insidious one is the bit flip in memory (and yes, I see these too), which injects itself in the middle of the above stack. This kind of corruption can both end up making its way down to the disk subsystem (with a valid ESE checksum), and up and out to the distributed system. From the perspective of older hardware though, I would _hypothesize_ that if you're going to have something go bad over time, the disk or the memory, keep in mind the disk is the only part of the computer that has a moving part. I would expect disks to go bad first.

I would generally not call USN rollback a corruption either, but I think Dean makes a fair and quasi-valid point that if you consider the distributed system, yes, such a thing is a corruption. Feel free to shim in an "AD Distributed System Logical Layer" in the above stack, between AD Logical Layer and App Logical Layer. I'm waffling on this point though, as something smells different than other types of corruption. I'm going to think about that for a long time ... in fact Eric (yes, the ~Eric) is at my door and says he would consider it corruption, so there is a long debate in my future as well ... From a storage developer's perspective, what someone usually calls corruption is when the data layer they own or lower returns the wrong result. From a non-storage developer's perspective, what someone usually calls corruption is when the data layer below them returns the wrong result. I'll wax more philosophically on it later.

Cheers,
BrettSh

On Tue, 6 Dec 2005, Dean Wells wrote:
> Great topic and, IMO, great answer ... I've only a few comments in addition to Joe's reply (inline).
> --
> Dean Wells
> MSEtechnology
> http://msetechnology.com
>
> From: joe
> Sent: Tuesday, December 06, 2005 8:56 AM
> Subject: RE: [ActiveDir] Ntds.dit file corruption
>
> I may get into trouble with this post as
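The bottom-up versus in-memory distinction Brett draws above, as an added example that is not part of his post and not ESE's code: a page store with a per-page checksum (CRC-32 from zlib, a stand-in for ESE's own page checksum) shows that a bit flipped on disk after the write fails verification on read, the analogue of the -1018 path, while a bit flipped in RAM before the page is sealed is checksummed along with everything else and reads back as valid, so nothing in the storage layer can flag it. The page size, the DN bytes and the fault positions are constructed for the demo.

```python
import struct
import zlib

PAGE_SIZE = 8192                # constructed page size for the demo
CHECKSUM = struct.Struct("<I")  # 4-byte checksum stored at the front of each page
PAYLOAD_SIZE = PAGE_SIZE - CHECKSUM.size
# Constructed record: a DN padded with zeros to fill the page
ORIGINAL = b"CN=jose,OU=users,DC=corp,DC=example".ljust(PAYLOAD_SIZE, b"\0")


class ChecksumError(Exception):
    """The page read back does not match its stored checksum (the -1018 analogue)."""


def seal_page(payload: bytes) -> bytes:
    """Compute the checksum over the payload as it sits in memory and prepend it."""
    if len(payload) != PAYLOAD_SIZE:
        raise ValueError("payload must fill the page")
    return CHECKSUM.pack(zlib.crc32(payload)) + payload


def open_page(page: bytes) -> bytes:
    """Verify a page read from disk; return the payload or raise ChecksumError."""
    (stored,) = CHECKSUM.unpack_from(page)
    payload = page[CHECKSUM.size:]
    if zlib.crc32(payload) != stored:
        raise ChecksumError("page checksum mismatch")
    return payload


def flip_bit(data: bytes, bit: int) -> bytes:
    """Copy of data with one bit inverted (a simulated hardware fault)."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


class FakeDisk:
    """Block store that can silently alter what it holds, like a failing disk."""

    def __init__(self) -> None:
        self.pages = {}

    def write(self, pgno: int, page: bytes) -> None:
        self.pages[pgno] = page

    def read(self, pgno: int) -> bytes:
        return self.pages[pgno]

    def rot(self, pgno: int, bit: int) -> None:
        self.pages[pgno] = flip_bit(self.pages[pgno], bit)


def bottom_up_corruption() -> str:
    """Bits change on disk after the write: the checksum catches it on read."""
    disk = FakeDisk()
    disk.write(1, seal_page(ORIGINAL))
    disk.rot(1, 4000)            # disk or controller flips a bit in the stored page
    try:
        open_page(disk.read(1))
    except ChecksumError:
        return "detected"        # ESE logs an event, returns -1018, rejects ops on the page
    return "undetected"


def in_memory_corruption() -> str:
    """A bit flips in RAM before sealing: the checksum covers the bad bytes too."""
    disk = FakeDisk()
    in_ram = flip_bit(ORIGINAL, 9)   # faulty DIMM turns the 'N' of 'CN=' into 'L'
    disk.write(1, seal_page(in_ram))
    recovered = open_page(disk.read(1))   # verifies fine; the bad DN is now "on disk"
    return "detected" if recovered == ORIGINAL else "undetected"
```

The second case is the one that matters for replication: the damaged page passes every storage-level check, so whatever reads it (an LDAP search, an outbound replication cycle) is handed the altered value as if it were authoritative.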
[ActiveDir] Moving 3rd party DNS to AD
I will be replacing a couple of Lucent QIP DNS servers running on Sun Solaris with Microsoft DNS. We already have our AD infrastructure. The _zones in the QIP DNS servers were delegated to AD DNS/DCs so the domain controllers could update their SRV records. We debated whether we should integrate the zones owned by the QIP solution into AD (DC/DNS servers) or create a couple of standalone DNS servers in AD which will not be domain controllers. We chose to go with the standalone DNS servers mainly so that the testing, cutover and potential roll back could be done with minimal changes, i.e. turn off the QIP DNS servers, change the IP on the MS DNS servers to that of the old QIP servers and we are done. Roll back would be something like turn off the MS DNS servers and turn QIP back on. The _zones in question are in our empty root domain; the clients and the AD resource records are in a child domain/zone already in AD. Feel free to comment or make suggestions about that approach, but my real question is around performance. I am trying to get performance data from the folks that support the QIP DNS servers but that may not be an option at this time. Those servers connect via firewall to the Internet for root servers and do not forward to anybody else at this point, and so will the MS replacements. The AD DNS servers currently forward to the QIP servers mentioned for Internet address resolution and cache it for the clients. There are some mainframe systems that point to the QIP servers directly but that's the exception, not the rule; our clients point to AD DNS servers. The performance documents I found so far talk about memory being the real issue with DNS servers and they give me a formula, something like 100K for every 1000 records. My questions are:

1) Not sure if I need to go with anything other than dual processors; quads seem like overkill.
2) I am not reading anything that would tell me how I should set up the disks for the server. The zones themselves are in the megabytes range so they will not take a lot of space. I will probably mirror the OS as that is our standard, but then is there a way to have the zones on different disk drives and perhaps set those up as RAID 5?

I realize performance questions are tough without knowing the environment, but it has been my experience that you always get useful replies from this group.

Thanks
Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or employee/agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication is strictly prohibited. If you receive this communication in error, please notify us immediately.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] remove logon script?
From: Harding, Devon
Sent: Tuesday, December 06, 2005 3:11 PM

I get the following error: (objectClass was unexpected at this time.

From: joe
Sent: Tuesday, December 06, 2005 2:00 PM

It works against the current default domain, which is the domain of the default domain controller. You can determine what that is with

  adfind -default -s base -dn

If you want it to work against another domain, remove -default and add -b domain_dn (i.e. change the search base of the adfind query).

From: Harding, Devon
Sent: Tuesday, December 06, 2005 1:46 PM

This will work for the currently logged in domain, right?

From: joe
Sent: Monday, December 05, 2005 4:44 PM

One tiny correction :)

  adfind -f (&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat)) -default -dsq | admod -unsafe scriptpath:-

From: Brian Desmond
Sent: Monday, December 05, 2005 4:00 PM

Adfind and admod from joeware.net:

  adfind -f (&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat)) -default -dsq | admod -unsafe scriptpath-

Thanks,
Brian Desmond
c - 312.731.3132

From: Harding, Devon
Sent: Monday, December 05, 2005 3:40 PM
Subject: [ActiveDir] remove logon script?

How can I remove the logon.bat from all my user (2000+) accounts at one time in my domain? I've switched to GPO for the logon scripts.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] remove logon script?
From: Cace, Andrew
Sent: Tuesday, December 06, 2005 4:51 PM

Try putting the LDAP filter in double-quotes.

-Andrew
Re: [ActiveDir] Ntds.dit file corruption
On 12/6/05, joe wrote:
> LOL. I enjoyed it which means it is all good as you all exist for my personal entertainment. ;o) Well except for Laura, she exists to hound me to the end of my existence on commas.

very glad that you can't throw virtual vegetables at list posters

Keep it up, joe, and I'll start proofreading your activedir posts as well. (Note the appropriate comma usage.) :-)

- Laura
RE: [ActiveDir] MAC and DNS - off topic
From: Etts, Russell
Sent: Tuesday, December 06, 2005 1:59 PM

Hi Susan,

Thank you VERY much for this info!!! I'm bookmarking this blog.

Thanks
Russ

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, November 27, 2005 4:02 AM
Subject: Re: [ActiveDir] MAC and DNS

Lessons Learned: Connecting a Macintosh to SBS 2003 Server via SMB:
http://simultaneouspancakes.com/Lessons/archives/2004/12/connecting_a_ma.shtml

What version of Macs?

shereen naser wrote:
> Hi list, I have a MAC lab in a Windows 2000 network environment. The MACs take an automatic IP and work fine but they can't resolve names; the MAC users can only reach resources by supplying the IP address of the resource (on the Windows 2000). Even if I put the DNS server IP static on the MAC it still can't resolve the Windows names. How can I solve this?
RE: [ActiveDir] remove logon script?
From: Harding, Devon
Sent: Tuesday, December 06, 2005 5:08 PM

Didn't work:

  C:\>adfind -f (&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat)) -default -dsq | admod -unsafe scriptpath:-
  AdFind V01.26.00cpp Joe Richards February 2005
  AdMod V01.00.00cpp Joe Richards July 2004
  ERROR: Issue with attrib parameter - [ûunsafe]
  ERROR: Missing operation.
RE: [ActiveDir] MAC and DNS - off topic
Hmm.. SMB (Server Messaging Block) connectivity is not your problem. I have an old Beige G3 Macintosh running Mac OS Tiger 10.4 and have no problem with Microsoft DNS resolving names; as a matter of fact, at Grand Central Communication we had well over 10 G5's with Panther 10.3 and our internal DNS was hosted on the Active Directory 2000 controllers, and they also had no problems with our Linux and Solaris systems. This really sounds like a problem with your installation on your Macintosh. What type of Macintosh and what version of the OS are you running? Are you running NT 4 servers requiring WINS or is everything Windows 2000 or 2003? Also this site is very helpful: http://www.macwindows.com/

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
RE: [ActiveDir] remove logon script?
From: Brian Desmond
Sent: Tuesday, December 06, 2005 5:31 PM

By double quotes he meant ", as opposed to ' for a single quote.

Thanks,
Brian Desmond
c - 312.731.3132
RE: [ActiveDir] remove logon script?
From: Harding, Devon

Double quotes got me the first error: (objectClass was unexpected at this time.
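One explanation that fits all three failures in this thread, written as an added example rather than anything from the posts: cmd.exe splits an unquoted command line at `&` and `|`, so a filter beginning `(&(objectCategory=...` is cut at the ampersand and the text after it is parsed as a parenthesised command group, which is where "(objectClass was unexpected at this time" comes from; a mail client's autocorrect turns the typed `-unsafe` into an EN DASH, which reaches admod as code page 1252 byte 0x96 and is rendered by an OEM code page 437 console as `û`; and curly quotes are not quotes to cmd.exe, so a filter pasted with "smart" double quotes still splits. The functions below check a pasted line for those substitutions and model the split. The model is simplified (only an ASCII double quote toggles quoting, `^` escaping is ignored, `&&` and `||` are treated as single separators); the sample command lines are constructed, and that Devon's mailer supplied curly quotes is an assumption.

```python
import unicodedata

# Characters mail clients substitute for typed ASCII punctuation. cmd.exe and
# the tools it launches recognise none of them as an option dash or a quote.
SMART_PUNCTUATION = {
    "\u2013": "-",   # EN DASH
    "\u2014": "-",   # EM DASH
    "\u2018": "'",   # LEFT SINGLE QUOTATION MARK
    "\u2019": "'",   # RIGHT SINGLE QUOTATION MARK
    "\u201c": '"',   # LEFT DOUBLE QUOTATION MARK
    "\u201d": '"',   # RIGHT DOUBLE QUOTATION MARK
    "\u00a0": " ",   # NO-BREAK SPACE
}


def find_smart_punctuation(cmdline: str) -> list:
    """(offset, char, Unicode name) for every substituted character in the line."""
    return [(i, c, unicodedata.name(c)) for i, c in enumerate(cmdline)
            if c in SMART_PUNCTUATION]


def normalize_cmdline(cmdline: str) -> str:
    """Map smart punctuation back to the ASCII the tool's option parser expects."""
    return "".join(SMART_PUNCTUATION.get(c, c) for c in cmdline)


def console_rendering(ch: str, ansi: str = "cp1252", oem: str = "cp437") -> str:
    """How a character handed over in the ANSI code page shows up when the
    receiving program echoes the raw byte to an OEM code page console."""
    return ch.encode(ansi, errors="replace").decode(oem, errors="replace")


def cmd_split_commands(cmdline: str) -> list:
    """Split a line the way cmd.exe does at '&' and '|' outside double quotes."""
    parts, cur, quoted = [], [], False
    for c in cmdline:
        if c == '"':                     # only the ASCII quote toggles quoting
            quoted = not quoted
            cur.append(c)
        elif c in "&|" and not quoted:   # separator: end the current command
            text = "".join(cur).strip()
            if text:
                parts.append(text)
            cur = []
        else:
            cur.append(c)
    text = "".join(cur).strip()
    if text:
        parts.append(text)
    return parts


def cmd_parse_problems(cmdline: str) -> list:
    """Human-readable list of the two failure modes seen in the thread."""
    problems = ["smart punctuation %s at offset %d" % (name, i)
                for i, _, name in find_smart_punctuation(cmdline)]
    for part in cmd_split_commands(cmdline):
        if part.startswith("("):
            # cmd.exe treats a leading '(' as a command group; the text after the
            # matching ')' is then reported as "... was unexpected at this time."
            problems.append("unquoted LDAP filter: cmd.exe sees a command group "
                            "starting with %r" % part[:14])
    return problems
```

Run `cmd_parse_problems` over the line before pasting it into a console; an empty list means the filter is inside ASCII double quotes and every option dash is a real hyphen-minus.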
RE: [ActiveDir] Ntds.dit file corruption
snip I would generally not call USN rollback a corruption either, but I think Dean makes a fair and quasi-valid point that if you consider the distributed system, yes, such a thing is a corruption. Feel free to shim in an AD Distributed System Logical Layer in the above stack, between AD Logical Layer and App Logical Layer. I'm waffling on this point though, as something smells different than other types of corruption. I'm going to think about that for a long time ... in fact Eric (yes, the ~Eric) is at my door and says he would consider it corruption, so there is a long debate in my future as well ... /snip

Over lunch, Brett and I discussed this some more. My contention is that USN rollback would be a form of corruption under a somewhat broad definition. The reality is that there is a layer that Brett mentioned which actually has two parts when looked at from a high level. Namely, this layer:

AD Logical Layer

The first piece could be thought of as the local logical layer. That is, data hierarchy conforming to the code's assumptions of how it should be, data conforming to the schema as defined, etc. This is a layer of data that clearly needs to be proper (leaving the definition of proper to another day), else we are in some sort of corrupt state. Brett and I both agree on this, I'm pretty sure.

However, there is then distributed systems corruption. In AD, one of the services we aim to provide is convergence. If we do not converge, we define this divergence as at a minimum bad, perhaps corrupt. USN rollback breaks our convergence guarantees; it breaks replication such that you will not attain convergence in the system. I would as such consider it a form of corruption.

Over Teriyaki a few minutes ago, Brett posited the question: well, if USN rollback is corruption, what else? Valid question. I would concede that if USN rollback is considered distributed systems corruption, so too would be other conditions which yield divergence. Perhaps this is a slippery slope that goes too far. I need to think about this some more.

I would also toss out there that corruption should not be confused with forever broken. There are many states in which the directory can exist where it is functional, but in some way broken. Such divergences can typically be repaired with administrative action, so long as it is a savvy administrator. :) If we are willing to assume that divergence is corruption, I'd tend to believe that most people on this list have recovered from some form of corruption before. The worse the corruption, the more help you likely want to recover from it. :)

Anyway, we'll likely debate this for a few months, as we usually do on such points. More thoughts to come as we debate further.

~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Tuesday, December 06, 2005 12:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption

I wouldn't say that, joe ... Let's take another hypothetical real quick: let's say you have a column for the RDN of an AD object (well, we do) and that value is NULL. From AD's perspective this object is, well, not really an object; it would be corrupt, and might even crash lsass.exe (I don't know, it might). However, from ESE's perspective the table/row/column is valid; it has a particular column that doesn't have a value. A column which, I might add, is declared optional (real term is tagged) in the ESE layer schema (real term is catalog). ESE is simply a store of data; it passes no judgement on the data as long as it fits the schema guidelines for the column. Joe, is the DB corrupt? An AD object without an RDN?

I have a tendency to think in layers and sources of corruption:

App Logical Layer
AD Logical Layer
ESE Logical Layer
[ESE] Physical Layer

Corruptions coming top down through that stack are protected by the schema configuration/constraints of that layer (as joe astutely pointed out). Corruptions coming bottom up, from disk sub-system hardware, are protected by whatever mechanisms those layers have. Dropping back to the above hypothetical, as an ESE dev I can say to the AD devs that until they can prove that ESE actually lost their column, it's most likely some sort of AD transactional problem, and the source is an AD bug. If I am feeling unbusy I will debug at the AD logical layer, because I know what it's supposed to look like.

Coming back to the original issue of replicating _this kind_ of corruption: a normal corruption coming bottom up, because the bits we (ESE) sent down the disk subsystem were not the exact bits we got back later from the sub-systems, is almost always detected by the fact that ESE checksums _every byte_ of its database pages ... and at this point everyone should be very thankful Win2k3 AD isn't on SQL 2000, because it has few such protections, though SQL 2005 finally caught up, 10 years after the fact, it's such a legacy DB,
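Eric's convergence argument is easiest to see in a small model. What follows is an added example, written for this archive and not code from the thread or from Microsoft, and it is not AD's real replication algorithm: attribute-level conflict resolution, tombstones and the split between the high-watermark and the up-to-dateness vector are all left out, and the DC names, attribute names and invocationIDs are made up. It keeps just enough of the real scheme, a per-originator watermark keyed by invocationID, to show why a snapshot revert that reuses USNs can never converge, while a supported restore that retires the invocationID does. The `rollback_suspected` check is the same heuristic Windows Server 2003 SP1 and later use to raise NTDS Replication event 2095 and quarantine the affected DC.

```python
"""Toy model of watermark-based replication between two DCs and the effect of a USN rollback.
Added illustration, not AD's actual algorithm. Each attribute is written exactly once so
that replication order never matters. Names and invocationIDs are constructed for the example."""
import copy
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    origin_id: str   # invocationID of the DC that originated the write
    origin_usn: int  # that DC's USN at the time of the write
    attr: str
    value: str


@dataclass
class DC:
    name: str
    invocation_id: str
    highest_usn: int = 0
    data: dict = field(default_factory=dict)
    changes: list = field(default_factory=list)
    utd: dict = field(default_factory=dict)  # origin_id -> highest origin_usn already applied

    def write(self, attr, value):
        """An originating write consumes the next local USN."""
        self.highest_usn += 1
        self._apply(Change(self.invocation_id, self.highest_usn, attr, value))

    def _apply(self, c):
        self.data[c.attr] = c.value
        self.changes.append(c)
        self.utd[c.origin_id] = max(self.utd.get(c.origin_id, 0), c.origin_usn)

    def pull_from(self, src):
        """Inbound replication: accept only changes above our watermark for each originator."""
        applied = 0
        for c in list(src.changes):
            if c.origin_usn > self.utd.get(c.origin_id, 0):
                self._apply(c)
                applied += 1
        return applied

    def snapshot(self):
        return copy.deepcopy(self)

    def restore(self, snap, new_invocation_id=None):
        """Roll the DC back to a snapshot. A supported restore issues a new invocationID so
        partners treat the DC as a new originator; reverting a disk image or VM snapshot
        keeps the old one, and USNs already handed out get reused: a USN rollback."""
        self.highest_usn = snap.highest_usn
        self.data, self.changes, self.utd = dict(snap.data), list(snap.changes), dict(snap.utd)
        if new_invocation_id is not None:
            self.invocation_id = new_invocation_id


def rollback_suspected(partner, src):
    """A partner has already seen a USN from src's current invocationID that is higher than
    src's own highest USN. Once src writes enough new changes to climb past the old
    watermark, this check no longer fires, which is why detection is best-effort."""
    return partner.utd.get(src.invocation_id, 0) > src.highest_usn


def run_scenario(supported_restore):
    dc1, dc2 = DC("DC1", "inv-1"), DC("DC2", "inv-2")
    dc1.write("a1", "v1")
    snap = dc1.snapshot()                  # backup or VM snapshot taken at USN 1
    dc1.write("a2", "v2")
    dc1.write("a3", "v3")
    dc2.pull_from(dc1)                     # DC2 now holds inv-1 up to USN 3
    dc1.restore(snap, "inv-1b" if supported_restore else None)
    suspected = rollback_suspected(dc2, dc1)
    dc1.write("a4", "v4")                  # reuses USN 2 ...
    dc1.write("a5", "v5")                  # ... and USN 3
    for _ in range(3):                     # several replication cycles in both directions
        dc2.pull_from(dc1)
        dc1.pull_from(dc2)
    return {
        "dc1": dict(sorted(dc1.data.items())),
        "dc2": dict(sorted(dc2.data.items())),
        "converged": dc1.data == dc2.data,
        "rollback_suspected_by_dc2": suspected,
    }


if __name__ == "__main__":
    for mode in (False, True):
        label = "supported restore" if mode else "snapshot revert (USN rollback)"
        print(label, "->", run_scenario(mode))
```

In the rollback case DC1 ends up with a1, a4, a5 and DC2 with a1, a2, a3, and no number of replication cycles brings them together, because DC2's watermark for inv-1 already sits at 3 and DC1 refuses DC2's copies of a2 and a3 for the same reason. With a fresh invocationID both sides converge on all five attributes.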
Re: [ActiveDir] MAC and DNS - off topic
Medeiros, Jose wrote: Hmm.. SMB ( Server Messaging Block ) connectivity is not your problem. I have an old Beige G3 Macintosh running Mac OS Tiger 10.4 and have no problem with Microsoft DNS resolving names; as a matter of fact at Grand Central Communication we had well over 10 G5's with Panther 10.3 and our internal DNS was hosted on the Active Directory 2000 controllers, and they also had no problems with our Linux and Solaris systems. This really sounds like a problem with your installation on your Macintosh. What type of Macintosh and what version of the OS are you running? Are you running NT 4 servers requiring WINS or is everything Windows 2000 or 2003?

You are partially right - the problem which came out in this conversation is a problem I pointed out some time ago - a private namespace with a .local name in an AD network and Linux\Mac clients. The private .local namespace is a namespace reserved for multicast DNS in its specification: http://www.multicastdns.org/ Every DNS query for the .local namespace on a system which supports multicast DNS is sent to a multicast address - thus in a Windows AD environment with a .local domain it causes problems; the DNS query never reaches the DNS server and the client can't find a domain. That's why we should avoid using the .local namespace for AD domain names in non heterogeneous environments. -- Tomasz Onyszko http://www.w2k.pl List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
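The failure Tomasz describes happens on the client, before any packet is sent to the AD DNS servers, so the useful check is on the client's resolver order. The following is an added example, not code from the thread: it models the glibc /etc/nsswitch.conf `hosts:` line as used with nss-mdns on the Linux clients he mentions and decides whether a lookup for a name under .local can still fall through to unicast DNS. The configuration strings and host names are constructed for the example. On a Mac the equivalent check is `scutil --dns`, which lists the resolver entry that handles the `local` domain.

```python
"""Does this client's name-service order hand names under .local to multicast DNS before
unicast DNS ever sees them? Added illustration; sample configs are constructed."""

# nss-mdns service names. The *_minimal variants only claim names under .local (and
# link-local reverse lookups); the full variants try to answer any name over mDNS.
MDNS_SERVICES = {"mdns", "mdns4", "mdns6", "mdns_minimal", "mdns4_minimal", "mdns6_minimal"}

# Constructed sample configurations.
UBUNTU_STYLE = "passwd: files\nhosts: files mdns4_minimal [NOTFOUND=return] dns\n"
DNS_FIRST = "hosts: files dns mdns4_minimal\n"
FULL_MDNS = "hosts: files mdns4 [NOTFOUND=return] dns\n"


def parse_hosts_line(nsswitch_text):
    """Return [(service, {STATUS: action}), ...] in lookup order for the hosts: database."""
    tokens = []
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            tokens = line[len("hosts:"):].split()
            break
    entries = []
    for tok in tokens:
        if tok.startswith("[") and tok.endswith("]"):
            # e.g. [NOTFOUND=return] or [!UNAVAIL=return]; applies to the preceding service
            if entries:
                for kv in tok[1:-1].split():
                    status, _, action = kv.partition("=")
                    entries[-1][1][status.upper()] = action.lower()
            continue
        entries.append((tok, {}))
    return entries


def lookup_reaches_dns(fqdn, nsswitch_text):
    """True if a query for fqdn can still fall through to the unicast 'dns' service.

    With '[NOTFOUND=return]' after an mDNS module, a name that module claims but cannot
    resolve ends the search right there, so a DC in an AD domain named corp.local is
    never asked of the AD DNS servers."""
    under_local = fqdn.lower().rstrip(".").endswith(".local")
    for service, actions in parse_hosts_line(nsswitch_text):
        if service == "dns":
            return True
        if service in MDNS_SERVICES:
            claims_name = under_local or not service.endswith("_minimal")
            if claims_name and actions.get("NOTFOUND") == "return":
                return False
    return False


def audit(fqdn, nsswitch_text):
    """One-line verdict for a host name under a given resolver configuration."""
    if lookup_reaches_dns(fqdn, nsswitch_text):
        return f"{fqdn}: reaches unicast DNS"
    return f"{fqdn}: stops at mDNS, never reaches unicast DNS"


if __name__ == "__main__":
    for cfg_name, cfg in (("ubuntu-style", UBUNTU_STYLE), ("dns-first", DNS_FIRST)):
        for host in ("dc1.corp.local", "dc1.corp.example"):
            print(cfg_name, "->", audit(host, cfg))
```

The stock ordering `files mdns4_minimal [NOTFOUND=return] dns` is exactly the case in the thread: `dc1.corp.example` resolves through DNS, `dc1.corp.local` never gets there. Putting `dns` before the mDNS module, or dropping `[NOTFOUND=return]`, makes the .local name reach the AD DNS servers again; renaming the domain is the durable fix.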
RE: [ActiveDir] MAC and DNS - off topic
Hi Tomasz, Thank you for pointing this out; I somehow missed your earlier posts. So you believe that he has not configured his DNS suffix properly on his Mac's TCP/IP stack (client). I think you hit the nail on the head. Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tomasz Onyszko Sent: Tuesday, December 06, 2005 2:56 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] MAC and DNS - off topic
Re: [ActiveDir] MAC and DNS - off topic
I'm a smidge fuzzy on this, and Eriq Neale, who wrote SBS Unleashed [which has a chapter on Apple/Mac integration], is our Mac/SBS guru... I do not believe with the new Macs the .local is an issue anymore with 10.4, but if you have older ones, yes. Lessons Learned: More Mac .local nonsense: http://simultaneouspancakes.com/Lessons/archives/2005/05/more_mac_local.shtml He's hosting a webcast on Mac interop with SBS... if anyone is interested you can ping me offline. -- Letting your vendors set your risk analysis these days? http://www.threatcode.com
Re: [ActiveDir] MAC and DNS - off topic
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: I do not believe with the new Macs the .local is an issue anymore with 10.4, but if you have older ones, yes. I don't know about Macs - this OS is not very popular here in Poland - but I came across this issue with multicast DNS enabled clients on the Linux platform some time ago. I gathered this in a quick blog entry: http://blogs.dirteam.com/blogs/tomek/archive/2005/12/06/231.aspx -- Tomasz Onyszko http://www.w2k.pl
RE: [ActiveDir] MAC and DNS - off topic
This is another: http://www.ku.edu/acs/documentation/docs/email/dnssearch.shtml

Mac users (OS 9 and earlier)
1. Go to the Apple menu in the upper left of your desktop and select Control Panels from the pop-up menu.
2. Go to TCP/IP on the pop-up menu (or double-click on the TCP/IP icon). Under the Additional search domains field type in home.ku.edu.
3. If you have a listing for mail.ukans.edu delete it. (If you have a listing for mail.ku.edu you can keep it.)
4. Go to the File menu and select Quit. When asked if you want to save changes, select Yes. Launch Outlook.

Mac OS X users
1. Under the Apple menu select System Preferences...
2. Under Internet & Network select Network.
3. In the Show pull-down menu, select your connection type (e.g. Built-in Ethernet).
4. Under the TCP/IP tab enter home.ku.edu in the Search Domains box. If you have a listing for mail.ukans.edu delete it. (If you have a listing for mail.ku.edu you can keep it.)

Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL

-Original Message- From: Medeiros, Jose Sent: Tuesday, December 06, 2005 4:16 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] MAC and DNS - off topic

Hmm.. DNS is DNS regardless of whether it is hosted on SBS or a 2000/2003 server. If the DNS name suffix is incorrect on the client, Russell would have to use the fully qualified host name to resolve other systems that are registered properly in their internal DNS. And yes, the default installation of Mac 10.X still uses .local; of course us IT people know how to correct this easily. This may help: http://support.microsoft.com/default.aspx?scid=kb;en-us;149596 Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, December 06, 2005 3:15 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] MAC and DNS - off topic
RE: [ActiveDir] remove logon script?
Yeah, I have seen odd things like that before if you cut and paste from email or doc files; some bogus character you can't see is in there or something like that. Retype it...

[Tue 12/06/2005 20:20:01.78]G:\>Adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath:-
(objectClass was unexpected at this time.

[Tue 12/06/2005 20:20:07.26]G:\>Adfind -f "(&(objectcategory=person)(objectclass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath:-
AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005
DN Count: 0
No object DNs to update.
The command completed successfully.

[Tue 12/06/2005 20:20:10.93]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, December 06, 2005 4:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remove logon script? I get the following error: (objectClass was unexpected at this time.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, December 06, 2005 2:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remove logon script? It works against the current default domain, which is the domain of the default domain controller. You can determine what that is with adfind -default -s base -dn If you want it to work against another domain, remove -default and add -b domain_dn (i.e. change the search base of the adfind query).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, December 06, 2005 1:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remove logon script? This will work for the currently logged-in domain, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, December 05, 2005 4:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remove logon script?
One tiny correction :) adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath:-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Monday, December 05, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remove logon script? Adfind and admod from joeware.net adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath- Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Monday, December 05, 2005 3:40 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] remove logon script? How can I remove the logon.bat from all my user (2000+) accounts at one time in my domain? I've switched to GPO for the logon scripts. Devon Harding Windows Systems Engineer Southern Wine & Spirits - BSG 954-602-2469
RE: [ActiveDir] Ntds.dit file corruption
I like, to fly in; the face of: convention... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Tuesday, December 06, 2005 4:53 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Ntds.dit file corruption On 12/6/05, joe [EMAIL PROTECTED] wrote: LOL. I enjoyed it which means it is all good as you all exist for my personal entertainment. ;o) Well except for Laura, she exists to hound me to the end of my existence on commas. very glad that you can't throw virtual vegetables at list posters Keep it up, joe, and I'll start proofreading your activedir posts as well. (Note the appropriate comma usage.) :-) - Laura
[ActiveDir] MAC and DNS - off topic-DNS Suffix
This is another link that may also be helpful: http://www.ku.edu/acs/documentation/docs/email/dnssearch.shtml Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL
RE: [ActiveDir] Ntds.dit file corruption
Good post, ~Eric, thanks for chiming in. I see where you are coming from with the corruption at the distributed level. In terms of corruption at that level I see it as corruption but just can't get myself to see it as AD corruption. I am not sure if I can put it down in words why. I just don't. :) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Tuesday, December 06, 2005 5:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption
RE: [ActiveDir] Ntds.dit file corruption
Cool, got Brett to sit up and type... Crap, now I have to read it. j/k, I like long answers from people like Brett, it gives insight into the person as well as into the technology. When people ask, how do you know so much about , it is because I piss off the people to make them teach me how it really works. That is how I learned most of the Exchange stuff back when I first started working on it. ;o) Joe, is the DB corrupt? An AD object without an RDN? Good example, I would have to say maybe in that case. I expect it would either be a normal occurrence or take a serious failure of the AD App layer to allow that to occur unless ESE for some reason decided not to write or retrieve it properly. Even though it isn't required at the ESE Layer, I expect at some level of AD there is something enforcing the setting of that column. I don't know enough about the mechanics to say if it bad or not. be very thankful Win2k3 AD isn't on SQL 2000, because it has few such protections, though SQL 2005 finally caught up, 10 years after the fact, it's such a legacy DB, really ... anyway. I am. Thank you Brett. Even though I want triggers and business rules, I would rather see them make it into ESE than move AD to SQL. In fact, I tell everyone who will listen that I will likely not willingly get very serious with MIIS while it is sitting on SQL. I would prefer to see ESE under it. I like ESE. I would even wear a Brett says ESE rocks T-Shirt if I had one with that ugly mug of yours on it. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Tuesday, December 06, 2005 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption I wouldn't say that, joe ... Lets take another hypothetical real quick, lets say you have a column for the RDN of an AD object (well we do) and that value is NULL. 
From AD's perspective this object is well not really an object, it would be corrupt, and might even crash lsass.exe (I don't know, it might). However, from ESE's perspective though, the table/row/column is valid, it has a particular column that doesn't have a value. A column which I might add is declared optional (real term is tagged) in the ESE layer schema (real term is catalog). ESE is simply a store of data, it passes no judgement on the data as long as it fits the schema guidelines for the column. Joe, is the DB corrupt? An AD object without an RDN? I have a tendency to think in layers and sources of corruption.
App Logical Layer
AD Logical Layer
ESE Logical Layer
[ESE] Physical Layer
Corruptions coming top down through that stack are protected by the schema configuration/constraints of that layer (as joe astutely pointed out). Corruptions coming bottom up, from disk sub-system hardware, are protected by whatever mechanisms those layers have. Dropping back to the above hypothetical as an ESE dev I can say to the AD devs that until they can prove that ESE actually lost their column, that it's most likely some sort of AD transactional problem, and the source is an AD bug. If I am feeling unbusy I will debug at the AD logical layer, because I know what it's supposed to look like. Coming back to the original issue of replicating _this kind_ of corruption a normal corruption coming bottom up, because the bits we (ESE) sent down the disk subsystem, were not the exact bits we got back later from the sub-systems is almost always detected by the fact that ESE checksums _every byte_ of its database pages ... and at this point everyone should be very thankful Win2k3 AD isn't on SQL 2000, because it has few such protections, though SQL 2005 finally caught up, 10 years after the fact, it's such a legacy DB, really ... anyway. 
When the corruption comes up from the bottom, what happens is ESE detects the data is not checksumming, logs an event, and returns a -1018 error (in this case), and starts rejecting DB operations (such as JetSeek() / JetRetrieveColumn()) that involve that corrupt database page. AD then responds to these failed DB ops with can't authenticate a user, AD can't return the results of a search, or AD can't read or apply data during replication (those 3 at least probably being the most common). In short the system starts limping, without affecting the rest of the distributed system. Coming back to jose's worry of old hardware injecting bad data into the distributed system. Fortunately, when the disk subsystem goes bad, ESE does a pretty good job of protecting you, but there are other sources of corruption, besides corruption, an especially insidious one is the bit flip in memory (and yes I see these too) which injects itself in the middle of the above stack. This kind of corruption can both end up making its way down to the disk subsystem (with a valid ESE checksum), and up and out to the distributed system. From the perspective of older hardware though, I would
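A small model of the layered picture Brett draws above, as an added example (it is not ESE code and nobody in the thread wrote it): a page store that checksums every byte of a page on write and verifies it on read, so a bottom-up disk corruption is refused with a -1018-style error while a bit flipped in memory before the write is checksummed as if it were good data and passes straight through. The page size, digest and page contents are constructed stand-ins.

```python
"""Toy model of page checksumming: bottom-up corruption is caught, a memory
bit flip that happens before the write is not. Constructed example, not ESE."""
import hashlib

PAGE_SIZE = 64            # constructed; real database pages are larger
ERR_READ_VERIFY = -1018   # error returned when a page fails its checksum


def _checksum(page: bytes) -> bytes:
    # The model only needs a digest that covers every byte of the page.
    return hashlib.sha256(page).digest()[:8]


class PageStore:
    """Stand-in for the database file: page number -> checksum + page bytes."""

    def __init__(self) -> None:
        self.disk = {}

    def write_page(self, pgno: int, payload: bytes) -> None:
        page = payload.ljust(PAGE_SIZE, b"\0")[:PAGE_SIZE]
        self.disk[pgno] = _checksum(page) + page      # checksum covers what is in RAM now

    def read_page(self, pgno: int):
        """Return (0, page) when the page verifies, (-1018, None) when it does not."""
        raw = self.disk[pgno]
        stored, page = raw[:8], raw[8:]
        if _checksum(page) != stored:
            return ERR_READ_VERIFY, None
        return 0, page


def flip_bit(data: bytes, bit: int) -> bytes:
    """Flip a single bit; models both a bad sector and a flipped bit in RAM."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def read_after_disk_corruption():
    """Bottom-up: the bits come back from the disk subsystem changed."""
    store = PageStore()
    store.write_page(1, b"cn=Bob,ou=Users")
    raw = store.disk[1]
    store.disk[1] = raw[:8] + flip_bit(raw[8:], 3)    # altered below the checksum
    return store.read_page(1)                          # -> (-1018, None)


def pages_fit_to_hand_onward(store: PageStore) -> dict:
    """What the layer above sees: pages that fail verification are not returned
    at all (the JetSeek/JetRetrieveColumn-style call fails), so the server limps
    but those bytes never reach a search result or replication."""
    good = {}
    for pgno in sorted(store.disk):
        err, page = store.read_page(pgno)
        if err == 0:
            good[pgno] = page.rstrip(b"\0")
    return good


def scenario_replication_view() -> dict:
    """Three pages: clean, corrupted on disk, corrupted in memory before the
    write. Only the disk corruption is filtered out; the memory flip verifies
    and is handed onward as valid data (bit 3 of 'c' flipped gives 'k')."""
    store = PageStore()
    store.write_page(1, b"cn=Alice,ou=Users")
    store.write_page(2, b"cn=Bob,ou=Users")
    raw = store.disk[2]
    store.disk[2] = raw[:8] + flip_bit(raw[8:], 3)    # bad sector after the write
    store.write_page(3, flip_bit(b"cn=Carol,ou=Users", 3))  # RAM flip before the write
    return pages_fit_to_hand_onward(store)
    # -> {1: b"cn=Alice,ou=Users", 3: b"kn=Carol,ou=Users"}
```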
RE: [ActiveDir] Ntds.dit file corruption
Absolutely a great way to learn. I haven't tried the piss off people smarter than me approach, but I'll have to put that in the bag of tricks ;) I have to disagree Joe. I'd say that if the column were missing the data and that was allowed at that layer, then it's not corruption, it's just unexpected at the other layers. In fact, I'd have to question whether or not it's really an object at all (any longer) because it's a DN, but that's neither here nor there. I suppose the counter to that is that it's still broken. To that, I would say I agree, but it's not corruption which is often very important in the recovery process (diagnosis and prevention). As you mentioned, it's just a storage mechanism - similar to an intelligent shoebox. If I put a rock in there, it remains a rock. If my dog takes the rock out, when I go to get it, it's not corrupt, it's just not there. But it's still a shoe box, and it still operates as expected and if the rock were there it wouldn't change the rock in any unexpected way. It's just that something else took my rock from me. This is only important when it comes to diagnosing and preventing the symptoms you experience when your rock is taken unexpectedly. The end result may be the same regardless. aside I don't know as I'd wear a powder blue shirt with Brett's mug on it, but I might carry a mug with his picture on it. Maybe similar to http://www.cafepress.com/ehlo.10124219 with some snazzy saying on there? Also, I'd love to know how a memory bit flip was diagnosed. If you ever get the time, Brett. From: joe [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption Date: Tue, 6 Dec 2005 20:54:56 -0500 Cool, got Brett to sit up and type... Crap, now I have to read it. j/k, I like long answers from people like Brett, it gives insight into the person as well as into the technology. 
When people ask, how do you know so much about , it is because I piss off the people to make them teach me how it really works. That is how I learned most of the Exchange stuff back when I first started working on it. ;o) Joe, is the DB corrupt? An AD object without an RDN? Good example, I would have to say maybe in that case. I expect it would either be a normal occurrence or take a serious failure of the AD App layer to allow that to occur unless ESE for some reason decided not to write or retrieve it properly. Even though it isn't required at the ESE Layer, I expect at some level of AD there is something enforcing the setting of that column. I don't know enough about the mechanics to say if it's bad or not. be very thankful Win2k3 AD isn't on SQL 2000, because it has few such protections, though SQL 2005 finally caught up, 10 years after the fact, it's such a legacy DB, really ... anyway. I am. Thank you Brett. Even though I want triggers and business rules, I would rather see them make it into ESE than move AD to SQL. In fact, I tell everyone who will listen that I will likely not willingly get very serious with MIIS while it is sitting on SQL. I would prefer to see ESE under it. I like ESE. I would even wear a Brett says ESE rocks T-Shirt if I had one with that ugly mug of yours on it. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Tuesday, December 06, 2005 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption I wouldn't say that, joe ... Let's take another hypothetical real quick, let's say you have a column for the RDN of an AD object (well we do) and that value is NULL. From AD's perspective this object is well not really an object, it would be corrupt, and might even crash lsass.exe (I don't know, it might). However, from ESE's perspective though, the table/row/column is valid, it has a particular column that doesn't have a value. 
A column which I might add is declared optional (real term is tagged) in the ESE layer schema (real term is catalog). ESE is simply a store of data, it passes no judgement on the data as long as it fits the schema guidelines for the column. Joe, is the DB corrupt? An AD object without an RDN? I have a tendency to think in layers and sources of corruption.
App Logical Layer
AD Logical Layer
ESE Logical Layer
[ESE] Physical Layer
Corruptions coming top down through that stack are protected by the schema configuration/constraints of that layer (as joe astutely pointed out). Corruptions coming bottom up, from disk sub-system hardware, are protected by whatever mechanisms those layers have. Dropping back to the above hypothetical as an ESE dev I can say to the AD devs that until they can prove that ESE actually lost their column, that it's most likely some sort of AD transactional problem, and the source is an AD bug. If I am feeling unbusy I will debug at the AD logical layer, because I know
Re: [ActiveDir] Moving 3rd party DNS to AD
Boy that is a real toughie! I have experience both with AD using QIP (6.x version) which was really good and now for the past year getting used to MS DNS with integrated zones on DC's which was ok but has been rock solid with w2k3 sp1 (lots of DNS fixes in w2k3 sp1). What would I do, boy not sure but here is an attempt. If your goal is to have AD/DNS hosted on MS to quickly cut over, one brainstorm is to have your DNS servers in AD be secondaries with the ability to *import* the QIP zones, so you could have real-time updates up to and just before cutover. Not sure off-hand if that is possible but believe so. Then for cutover, unplug QIP network cable, change the IP on the MS dns servers, convert to a primary zone to allow dynamic updates if you are supporting that. You can also setup the QIP to be the forwarders for the AD ones but would suggest to stay away from that if possible and just use the ROOT servers. As far as performance, DNS is not a very intensive process for a standard type setup. I would suggest RAID 1 for redundancy with 1 or 2 gig of ram. A dual proc machine would be more than sufficient. The RAID should use a hardware based controller with some cache for added boost. One benefit if these were DC's vs. standard DNS servers is the multi-master replication being integrated into AD database providing redundancy. Depending on your AD database size and DC's size, the entire database being loaded into memory could provide a pretty good boost. At the ISP I work for (orcsweb.com), our internal AD servers take a lot of requests and those machines sit idle regarding DNS (we send lots of emails a day, pretty DNS lookup intensive, and it works well). The QIP experience I didn't directly manage so I can't provide any stats there sorry. Hope that provides some ideas, the UI management tool in QIP is better than AD but the MMC is ok for a few domains.. 
Good luck, feel free to contact me [EMAIL PROTECTED] Steve Schofield Microsoft MVP - ASP/ASP.NET ASPInsider Member - MCP http://www.orcsweb.com/ Managed Complex Hosting #1 in Service and Support - Original Message - From: Figueroa, Johnny [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, December 06, 2005 3:18 PM Subject: [ActiveDir] Moving 3rd party DNS to AD I will be removing a couple of Lucent QIP DNS servers running on Sun Solaris with Microsoft DNS. We already have our AD infrastructure. The _zones in the QIP DNS servers were delegated to AD DNS/DCs so the domain controllers could update their SRV records. We debated if we should integrate the zones owned by the QIP solution into AD (DC/DNS Servers) or create a couple of standalone DNS servers in AD, which will not be domain controllers. We chose to go with the standalone DNS servers mainly so that the testing, cutover and potential roll back could be done with minimal changes. I.e. turn off QIP DNS servers, change IP on the MS DNS servers to that of the old QIP servers and we are done. Roll back would be something like turn off MS DNS servers and turn QIP back on. The _zones in question are in our empty root domain, the clients and the AD resource records are in a child domain/zone already in AD. Feel free to comment or make suggestions about that approach, but my real question is around performance. I am trying to get performance data from the folks that support the QIP DNS servers but that may not be an option at this time. Those servers connect via firewall to the internet for root servers and do not forward to anybody else at this point and so will the MS replacements. The AD DNS servers currently forward to the QIP servers mentioned for Internet address resolution and cache it for the clients. There are some mainframe systems that point to the QIP servers directly but that's the exception not the rule, our clients point to AD DNS servers. 
The performance documents I found so far talk about memory being the real issue with DNS servers and they give me a formula, something like 100K for every 1000 records. My questions are: 1) Not sure if I need to go with anything else other than dual processors, quads seem like overkill. 2) I am not reading anything that would tell me how I may setup the disks for the server. The zones themselves are in the megabytes range so they will not take a lot of space. I will probably mirror the OS as that is our standard, but then is there a way to have the zones on different disk drives and perhaps set those up as RAID 5? I realize performance questions are tough without knowing the environment but it has been my experience that you always get useful replies from this group. Thanks Johnny Figueroa Enterprise Network Consultant/Integrator Network Services Banner Health Voice (602) 495-4195 Fax (602) 495-4406
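A pre-cutover check for the secondary-zone approach Steve suggests above: before the QIP box is unplugged, compare the zone the QIP primary serves with the copy the Microsoft secondary has pulled, on SOA serial and on record set. This is an added example, not a tool from the thread; it assumes the zones are available as one-record-per-line listings (the form a zone transfer listing such as dig AXFR output produces, optionally with $ORIGIN/$TTL lines), and the zone text below is constructed.

```python
"""Compare two zone listings (primary vs. secondary) before DNS cutover.
Constructed example; not code from the thread."""


def _qualify(name: str, origin: str) -> str:
    """Make an owner or target name absolute and lower-case."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str):
    """Return (soa_serial, set of (owner, type, rdata)) for a zone listing.
    TTLs are ignored on purpose: the point is whether the data matches."""
    origin = origin.rstrip(".").lower() + "."
    serial, records = None, set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0] == "$TTL":
            continue
        owner, i = fields[0], 1
        if fields[i].isdigit():                   # optional TTL field
            i += 1
        if fields[i].upper() == "IN":             # optional class field
            i += 1
        rtype, rdata = fields[i].upper(), fields[i + 1:]
        owner = _qualify(owner, origin)
        if rtype in ("NS", "CNAME", "PTR", "MX"):  # last rdata field is a name
            rdata[-1] = _qualify(rdata[-1], origin)
        if rtype == "SOA":                        # mname rname serial refresh retry expire minimum
            serial = int(rdata[2])
            continue                              # compared via the serial, not as a record
        records.add((owner, rtype, " ".join(rdata)))
    return serial, records


def diff_zones(primary_text: str, secondary_text: str, origin: str) -> dict:
    """Report whether the secondary is safe to promote to primary."""
    p_serial, p_rrs = parse_zone(primary_text, origin)
    s_serial, s_rrs = parse_zone(secondary_text, origin)
    return {
        "primary_serial": p_serial,
        "secondary_serial": s_serial,
        "in_sync": p_serial == s_serial and p_rrs == s_rrs,
        "missing_on_secondary": sorted(p_rrs - s_rrs),
        "extra_on_secondary": sorted(s_rrs - p_rrs),
    }


# Constructed sample: the secondary has not yet pulled the latest change.
QIP_PRIMARY = """\
$ORIGIN example.org.
$TTL 3600
@         IN SOA  ns1.example.org. hostmaster.example.org. 2005120602 7200 900 1209600 3600
@         IN NS   ns1
@         IN NS   ns2
ns1       IN A    192.0.2.1
ns2       IN A    192.0.2.2
_msdcs    IN NS   dc1.child   ; delegation of the AD SRV zone to a DC
dc1.child IN A    192.0.2.10
www       300 IN A 192.0.2.20
"""
MS_SECONDARY = """\
example.org.            3600 IN SOA ns1.example.org. hostmaster.example.org. 2005120601 7200 900 1209600 3600
example.org.            3600 IN NS  ns1.example.org.
example.org.            3600 IN NS  ns2.example.org.
ns1.example.org.        3600 IN A   192.0.2.1
ns2.example.org.        3600 IN A   192.0.2.2
_msdcs.example.org.     3600 IN NS  dc1.child.example.org.
dc1.child.example.org.  3600 IN A   192.0.2.10
"""

if __name__ == "__main__":
    print(diff_zones(QIP_PRIMARY, MS_SECONDARY, "example.org"))
```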
Re: [ActiveDir] Moving 3rd party DNS to AD
probably not needed but here is a script I used and deployed with SMS to all my member servers to update the DNS order. The script was used to add a third DNS server for 'just in-case' lookups but was effective in updating the member servers w/o having to manually do it. Probably won't be useful but thought I would pass along. You could easily make this accept command line switches but by default only runs on the local machine. Hope that helps.

Main  ' entry point; a .vbs does not call Main on its own

Sub Main()
    SetDNSServerSearchOrder()
End Sub

Sub SetDNSServerSearchOrder()
    ' On Error Resume Next
    Err.Clear
    Dim aDNS(1)
    'Primary DNS server (x.x.x.x is a placeholder for your own address)
    aDNS(0) = "x.x.x.x"
    'Alternate DNS server
    aDNS(1) = "x.x.x.x"
    'Set Networking Managing Objects ("." is the local machine)
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")
    For Each objItem In colItems
        'Calling with no argument clears the current search order, then the new list is applied
        errDNS = objItem.SetDNSServerSearchOrder()
        WScript.Sleep 500
        errDNS = objItem.SetDNSServerSearchOrder(aDNS)
    Next
    Set objWMIService = Nothing
    Set colItems = Nothing
End Sub

Steve Schofield Microsoft MVP - ASP/ASP.NET ASPInsider Member - MCP http://www.orcsweb.com/ Managed Complex Hosting #1 in Service and Support - Original Message - From: Steve Schofield [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, December 06, 2005 10:39 PM Subject: Re: [ActiveDir] Moving 3rd party DNS to AD Boy that is a real toughie! I have experience both with AD using QIP (6.x version) which was really good and now for the past year getting used to MS DNS with integrated zones on DC's which was ok but has been rock solid with w2k3 sp1 (lots of DNS fixes in w2k3 sp1). What would I do, boy not sure but here is an attempt. If your goal is to have AD/DNS hosted on MS to quickly cut over, one brainstorm is to have your DNS servers in AD be secondaries with the ability to *import* the QIP zones, so you could have real-time updates up to and just before cutover. 
Not sure off-hand if that is possible but believe so. Then for cutover, unplug QIP network cable, change the IP on the MS dns servers, convert to a primary zone to allow dynamic updates if you are supporting that. You can also setup the QIP to be the forwarders for the AD ones but would suggest to stay away from that if possible and just use the ROOT servers. As far as performance, DNS is not a very intensive process for a standard type setup. I would suggest RAID 1 for redundancy with 1 or 2 gig of ram. A dual proc machine would be more than sufficient. The RAID should use a hardware based controller with some cache for added boost. One benefit if these were DC's vs. standard DNS servers is the multi-master replication being integrated into AD database providing redundancy. Depending on your AD database size and DC's size, the entire database being loaded into memory could provide a pretty good boost. At the ISP I work for (orcsweb.com), our internal AD servers take a lot of requests and those machines sit idle regarding DNS (we send lots of emails a day, pretty DNS lookup intensive, and it works well). The QIP experience I didn't directly manage so I can't provide any stats there sorry. Hope that provides some ideas, the UI management tool in QIP is better than AD but the MMC is ok for a few domains.. Good luck, feel free to contact me [EMAIL PROTECTED] Steve Schofield Microsoft MVP - ASP/ASP.NET ASPInsider Member - MCP http://www.orcsweb.com/ Managed Complex Hosting #1 in Service and Support - Original Message - From: Figueroa, Johnny [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, December 06, 2005 3:18 PM Subject: [ActiveDir] Moving 3rd party DNS to AD I will be removing a couple of Lucent QIP DNS servers running on Sun Solaris with Microsoft DNS. We already have our AD infrastructure. The _zones in the QIP DNS servers were delegated to AD DNS/DCs so the domain controllers could update their SRV records. 
We debated if we should integrate the zones owned by the QIP solution into AD (DC/DNS Servers) or create a couple of standalone DNS servers in AD, which will not be domain controllers. We chose to go with the standalone DNS servers mainly so that the testing, cutover and potential roll back could be done with minimal changes. I.e. turn off QIP DNS servers, change IP on the MS DNS servers to that of the old QIP servers and we are done. Roll back would be something like turn off MS DNS servers and turn QIP back on. The _zones in question are in our empty root domain, the clients and the AD resource records are in a child domain/zone already in AD. Feel free to comment or make suggestions about that approach, but my real question is around performance. I am trying to get performance data from the folks that support the QIP DNS servers but that may not be an option at this time. Those servers connect via firewall to the internet for root servers and do not forward to
Re: [ActiveDir] LDAP Traffic Replay
Etherpeek is a network based tool. I think that is what wildpackets reference is but not sure. I have NO idea but if you have SMS 2003 in your environment they have a full-fledged network scanner. It's free and if you have it might be worth checking out. good luck. Steve Schofield Microsoft MVP - ASP/ASP.NET ASPInsider Member - MCP http://www.orcsweb.com/ Managed Complex Hosting #1 in Service and Support - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, December 06, 2005 12:31 PM Subject: [ActiveDir] LDAP Traffic Replay Is anyone aware of a tool that will sit and watch LDAP traffic and track the threads/clients/etc and then be able to replay that traffic? Basically I am looking for a way to better judge DC perf in relation to Exchange LDAP queries. Setting up a whole Exchange environment to test the DCs is testing both Exchange and the DC and I am looking to try and narrow that to just AD so I can answer some of the questions of GC/DC capacity better than the 4:1 ratio business which everyone says isn't that great but doesn't seem to have anything easy to do that is better. I would like to track traffic to production GC/DCs and then be able to replay that LDAP load as desired over and over again against various pieces of hardware with different configs. joe List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Exporting Mailbox rights
Where are you running the script? On your workstation or your server? On your workstation is the ESM installed? If yes, can you try to run the script with the /E2KStore+ switch instead? Is this error message coming with an error # 0x8007203A? From: Amy Hunter [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 06, 2005 2:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exporting Mailbox rights Thank you Alain, I followed your instructions, I registered the DLL's on my PC then ran the following command from the XYZ folder

For /F "delims=*" %1 in ('dsquery * "ou=group mailboxes,ou=spinnaker,dc=org" -filter "(objectClass=user)"') do WMIManageSD.Wsf /E2KMailbox:"%1" /Decipher+ /ADSI+

This runs and it does pick up the group mailbox in this OU. I then receive a message saying "WMIManageSD.Wsf(888, 19) (null): The server is not operational" Do I need to specify somewhere in the script my domain/server details? Am I able to output this information into a text file? thanks for your help, sorry I am being a pain. Amy ;-) Alain Lissoir [EMAIL PROTECTED] wrote: Do you have the Functions folder available? It contains a series of functions used by WMIManageSD.Wsf Next you must register the DLL with REGSVR32 in the resource folder. Then you are all set. By default, WMIManageSD.Wsf must be in Folder XYZ while Functions folder must be at the same level.

Root
  + Functions
  |
  + XYZ

Otherwise you can change the "..\Functions" reference to an absolute path and point to the exact location of the Functions folder in your installation (your call). To run against a group of MB in an OU, just query the users you have in that OU with DSQUERY (or any equivalent tool) and combine them in a command like: (one single line when you type. Line is cut for readability reasons in this mail).

For /F "delims=*" %i in ('dsquery * "ou=group mailboxes,OU=,DC=spinnaker,DC=org" -filter "(objectClass=user)"') do WMIManageSD.Wsf /E2KMailbox:"%i" /Decipher+ /ADSI+

HTH. 
PS: Don't forget the + at the end of the /Decipher+ and /ADSI+ switches. From: Amy Hunter [mailto:[EMAIL PROTECTED] Sent: Monday, December 05, 2005 4:41 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exporting Mailbox rights Hi Alain, thanks for your response, it all looks very clever. I have tried running the following command:

WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /adsi
WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /decipher

I receive this error "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs" when I open this script, I can't see any reference to this Also, How can I run this against all group mailboxes in an OU any ideas? Amy ;-) Ps...sorry if I sound lame, scripting is not an area I spent too much time with Yet. Alain Lissoir [EMAIL PROTECTED] wrote: You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder). Syntax to use in red below (the script supports Filesystem, Share, ADObject with Extended Rights, Exchange Mailbox, Registry Key, WMI namespace). Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved. 
Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] [/ADObject:value] [/E2KMailbox:value] [/E2KStore[+|-]] [/RegistryKey:value] [/WMINameSpace:value] [/ViewSD[+|-]] [/Owner:value] [/Group:value] [/SDControls:value] [/AddAce[+|-]] [/DelAce[+|-]] [/Trustee:value] [/ACEMask:value] [/ACEType:value] [/ACEFlags:value] [/ObjectType:value] [/InheritedObjectType:value] [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] [/SIDResolutionDC[+|-]] [/Machine:value] [/User:value] [/Password:value]

Options:
FileSystem   : Get the security descriptor of the specified file or directory path.
Share        : Get the security descriptor of the specified share name.
ADObject     : Get the security descriptor of the specified distinguished name AD object.
E2KMailbox   : Get the security descriptor of the Exchange 2000 mailbox specified by AD user distinguished name.
E2KStore     : Specify if the security descriptor must come from the Exchange 2000 store.
RegistryKey  : Get the security descriptor of the specified registry key.
WMINameSpace : Get the security descriptor of the specified WMI Name space.
ViewSD       : Decipher the security descriptor.
Owner        : Set the security descriptor owner.
Group        : Set the security descriptor group.
SDControls   :
RE: [ActiveDir] Ntds.dit file corruption
Ok, a mug with Brett's mug on it and with him saying "My ESE can beat up your SQL Server." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Tuesday, December 06, 2005 9:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption Absolutely a great way to learn. I haven't tried the piss off people smarter than me approach, but I'll have to put that in the bag of tricks ;) I have to disagree Joe. I'd say that if the column were missing the data and that was allowed at that layer, then it's not corruption, it's just unexpected at the other layers. In fact, I'd have to question whether or not it's really an object at all (any longer) because it's a DN, but that's neither here nor there. I suppose the counter to that is that it's still broken. To that, I would say I agree, but it's not corruption which is often very important in the recovery process (diagnosis and prevention). As you mentioned, it's just a storage mechanism - similar to an intelligent shoebox. If I put a rock in there, it remains a rock. If my dog takes the rock out, when I go to get it, it's not corrupt, it's just not there. But it's still a shoe box, and it still operates as expected and if the rock were there it wouldn't change the rock in any unexpected way. It's just that something else took my rock from me. This is only important when it comes to diagnosing and preventing the symptoms you experience when your rock is taken unexpectedly. The end result may be the same regardless. aside I don't know as I'd wear a powder blue shirt with Brett's mug on it, but I might carry a mug with his picture on it. Maybe similar to http://www.cafepress.com/ehlo.10124219 with some snazzy saying on there? Also, I'd love to know how a memory bit flip was diagnosed. If you ever get the time, Brett. 
From: joe [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption Date: Tue, 6 Dec 2005 20:54:56 -0500 Cool, got Brett to sit up and type... Crap, now I have to read it. j/k, I like long answers from people like Brett, it gives insight into the person as well as into the technology. When people ask, how do you know so much about , it is because I piss off the people to make them teach me how it really works. That is how I learned most of the Exchange stuff back when I first started working on it. ;o) Joe, is the DB corrupt? An AD object without an RDN? Good example, I would have to say maybe in that case. I expect it would either be a normal occurrence or take a serious failure of the AD App layer to allow that to occur unless ESE for some reason decided not to write or retrieve it properly. Even though it isn't required at the ESE Layer, I expect at some level of AD there is something enforcing the setting of that column. I don't know enough about the mechanics to say if it's bad or not. be very thankful Win2k3 AD isn't on SQL 2000, because it has few such protections, though SQL 2005 finally caught up, 10 years after the fact, it's such a legacy DB, really ... anyway. I am. Thank you Brett. Even though I want triggers and business rules, I would rather see them make it into ESE than move AD to SQL. In fact, I tell everyone who will listen that I will likely not willingly get very serious with MIIS while it is sitting on SQL. I would prefer to see ESE under it. I like ESE. I would even wear a Brett says ESE rocks T-Shirt if I had one with that ugly mug of yours on it. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Tuesday, December 06, 2005 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption I wouldn't say that, joe ... 
Let's take another hypothetical real quick, let's say you have a column for the RDN of an AD object (well we do) and that value is NULL. From AD's perspective this object is well not really an object, it would be corrupt, and might even crash lsass.exe (I don't know, it might). However, from ESE's perspective though, the table/row/column is valid, it has a particular column that doesn't have a value. A column which I might add is declared optional (real term is tagged) in the ESE layer schema (real term is catalog). ESE is simply a store of data, it passes no judgement on the data as long as it fits the schema guidelines for the column. Joe, is the DB corrupt? An AD object without an RDN? I have a tendency to think in layers and sources of corruption.
App Logical Layer
AD Logical Layer
ESE Logical Layer
[ESE] Physical Layer
Corruptions coming top down through that stack are protected by the schema configuration/constraints of that layer (as joe astutely pointed out). Corruptions coming bottom up, from disk sub-system hardware, are protected by whatever mechanisms those layers have.
RE: [ActiveDir] LDAP Traffic Replay
Yeah I have the full netmon available to me but Ethereal kind of punks netmon out. I stopped using netmon a couple of years ago now. ;o) Either way, both are simple monitors and that is a very small piece of what I need. The hard parts are the breaking out into a replayable format and replaying. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield Sent: Tuesday, December 06, 2005 10:59 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] LDAP Traffic Replay Etherpeek is a network based tool. I think that is what wildpackets reference is but not sure. I have NO idea but if you have SMS 2003 in your environment they have a full-fledged network scanner. It's free and if you have it might be worth checking out. good luck. Steve Schofield Microsoft MVP - ASP/ASP.NET ASPInsider Member - MCP http://www.orcsweb.com/ Managed Complex Hosting #1 in Service and Support - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, December 06, 2005 12:31 PM Subject: [ActiveDir] LDAP Traffic Replay Is anyone aware of a tool that will sit and watch LDAP traffic and track the threads/clients/etc and then be able to replay that traffic? Basically I am looking for a way to better judge DC perf in relation to Exchange LDAP queries. Setting up a whole Exchange environment to test the DCs is testing both Exchange and the DC and I am looking to try and narrow that to just AD so I can answer some of the questions of GC/DC capacity better than the 4:1 ratio business which everyone says isn't that great but doesn't seem to have anything easy to do that is better. I would like to track traffic to production GC/DCs and then be able to replay that LDAP load as desired over and over again against various pieces of hardware with different configs. 
joe
RE: [ActiveDir] LDAP Traffic Replay
I can't figure out the filtering thing in ethereal. Netmon works great for me, and the installer is on at least one server in every wan site I have. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, December 06, 2005 11:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP Traffic Replay Yeah I have the full netmon available to me but Ethereal kind of punks netmon out. I stopped using netmon a couple of years ago now. ;o) Either way, both are simple monitors and that is a very small piece of what I need. The hard parts are the breaking out into a replayable format and replaying. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield Sent: Tuesday, December 06, 2005 10:59 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] LDAP Traffic Replay Etherpeek is a network based tool. I think that is what wildpackets reference is but not sure. I have NO idea but if you have SMS 2003 in your environment they have a full-fledged network scanner. It's free and if you have it might be worth checking out. good luck. Steve Schofield Microsoft MVP - ASP/ASP.NET ASPInsider Member - MCP http://www.orcsweb.com/ Managed Complex Hosting #1 in Service and Support - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, December 06, 2005 12:31 PM Subject: [ActiveDir] LDAP Traffic Replay Is anyone aware of a tool that will sit and watch LDAP traffic and track the threads/clients/etc and then be able to replay that traffic? Basically I am looking for a way to better judge DC perf in relation to Exchange LDAP queries. 
Setting up a whole Exchange environment to test the DCs is testing both Exchange and the DC and I am looking to try and narrow that to just AD so I can answer some of the questions of GC/DC capacity better than the 4:1 ratio business which everyone says isn't that great but doesn't seem to have anything easy to do that is better. I would like to track traffic to production GC/DCs and then be able to replay that LDAP load as desired over and over again against various pieces of hardware with different configs. joe List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP Traffic Replay
That actually surprised me. The filtering and stream trace in Ethereal is one of the most powerful aspects of it IMO. When I am dealing with a multi-threaded LDAP app I think ethereal smokes netmon hands down for displaying the traces.

If you want to just say capture LDAP traffic you can set up a capture filter of tcp port 389 or tcp port 3268. Last time I tried to do that in netmon you have to pick off the value at the offset into the raw packet. Netmon does allow for easy filtering by host but that is also not too difficult in Ethereal. For a capture filter a simple host somehostname. I really like being able to do more filtering easily at the capture so traces can run longer and seemingly impact the machine a little less because a lot more traffic can be ignored (especially RDP traffic for instance if TSed into a machine). Also the buffering in Ethereal seems to be much better for larger traces.

Note that the language for the display filters is different from the filters for capture. That is because the capture filters are passed down to WinPCAP. A sample display filter for ldap traffic would be tcp.port==389 or tcp.port==3268 or ip.host == somehostname, alternately you can use eq for == so tcp.port eq 389 or tcp.port eq 3268.

It definitely takes a bit to get used to when coming from netmon though. However once you get used to it you start wanting to look at all traces with it, even those taken with netmon. I know several MS guys that will use both netmon and ethereal. I think they mostly use netmon still at all because they have some special internal parsers they don't share with the public such as an RPC traffic parser.

Back to the problem at hand, I may just look at the options I have with winpcap and using that to capture the packets from command line and parsing out the LDAP traffic and then see if I can go from there. Maybe make up a dumbed down LDAP query tool instead of using adfind to send the queries that just sends the exact queries that were intercepted. Still a ton of work though.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, December 06, 2005 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Traffic Replay

I can't figure out the filtering thing in ethereal. Netmon works great for me, and the installer is on at least one server in every WAN site I have.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
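The "breaking out into a replayable format" step joe describes (capture on tcp port 389 or 3268, then pull the individual queries out of the LDAP stream) comes down to decoding the BER-encoded SearchRequest fields a replay tool would reissue. The following is an added example, not code from the thread or from Ethereal/netmon: it parses base DN, scope, filter and attribute list from one LDAPMessage; the function names, the tlv helper and the sample message bytes are assumptions constructed for the example.

```python
def read_tlv(buf, pos):
    """Parse one BER TLV at pos; return (tag, value bytes, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_seq(value):
    """Yield the (tag, value) children of a constructed BER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def render_filter(tag, value):
    """Render an LDAP Filter in the usual string form (RFC 4511 tags)."""
    if tag in (0xA0, 0xA1):  # and [0] / or [1]: a set of nested Filters
        parts = "".join(render_filter(t, v) for t, v in read_seq(value))
        return "(" + ("&" if tag == 0xA0 else "|") + parts + ")"
    if tag == 0xA2:  # not [2]: exactly one nested Filter
        return "(!" + render_filter(*next(read_seq(value))) + ")"
    if tag == 0xA3:  # equalityMatch [3]: attribute description, value
        (_, attr), (_, val) = read_seq(value)
        return "(%s=%s)" % (attr.decode(), val.decode())
    if tag == 0x87:  # present [7]: attribute description only
        return "(%s=*)" % value.decode()
    return "(<unsupported filter tag 0x%02X>)" % tag  # e.g. substrings [4]

def parse_search_request(msg):
    """Return {id, base, scope, filter, attrs} for a SearchRequest, else None."""
    (_, msgid), (op_tag, op) = list(read_seq(read_tlv(msg, 0)[1]))[:2]
    if op_tag != 0x63:  # [APPLICATION 3] SearchRequest; other ops are skipped
        return None
    f = list(read_seq(op))  # base, scope, deref, sizeLimit, timeLimit, typesOnly, filter, attrs
    return {"id": int.from_bytes(msgid, "big"), "base": f[0][1].decode(),
            "scope": ("base", "one", "sub")[f[1][1][0]], "filter": render_filter(*f[6]),
            "attrs": [v.decode() for _, v in read_seq(f[7][1])]}

def tlv(tag, payload):
    """BER-encode one short-form TLV (payload under 128 bytes) for the sample."""
    return bytes([tag, len(payload)]) + payload

SAMPLE = tlv(0x30, tlv(0x02, b"\x05") + tlv(0x63,  # constructed sample: messageID 5, SearchRequest
    tlv(0x04, b"DC=example,DC=com") + tlv(0x0A, b"\x02") + tlv(0x0A, b"\x00")
    + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x01, b"\x00")
    + tlv(0xA0, tlv(0xA3, tlv(0x04, b"objectClass") + tlv(0x04, b"user"))
          + tlv(0x87, b"mail"))
    + tlv(0x30, tlv(0x04, b"mail") + tlv(0x04, b"displayName"))))
```

Feeding each TCP payload pulled off a 389/3268 capture through parse_search_request gives the list of (base, scope, filter, attrs) tuples that a query sender can replay against a test DC.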
RE: [ActiveDir] LDAP Traffic Replay
10.13 has an expression builder for building your filters. And ip.src==10.10.10.1 isn't that complex a syntax :-)

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, 7 December 2005 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Traffic Replay

I can't figure out the filtering thing in ethereal. Netmon works great for me, and the installer is on at least one server in every WAN site I have.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/