[ActiveDir] Event 2069 - AD Quota tracking table?

2005-12-28 Thread Freddy HARTONO
Title: Event 2069 - AD Quota tracking table?





Hi all


Found an interesting event, haven't been able to find any additional info on this yet, but from the look of it it's only happening on this domain controller and it seems to be responding well.

Is this much of a concern? 


Event Type: Error
Event Source:   NTDS General
Event Category: (9)
Event ID:   2069
Date:       12/28/2005
Time:       12:58:28 PM
User:       NT AUTHORITY\ANONYMOUS LOGON
Computer:   SELSOS01
Description:
Active Directory detected corrupt counts in the quota-tracking table. Quota enforcement may not behave correctly until the quota-tracking table is rebuilt. 

 




Thank you and have a splendid day!


Kind Regards,


Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785





RE: [ActiveDir] ID Locket Out when Accessing DC

2005-12-28 Thread Mark Parris
Is the account the built-in admin account (-500) or a newly created account
with the original account renamed? If so, then normal account lockout
procedures should be followed.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: 28 December 2005 00:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ID Locket Out when Accessing DC

With my consulting hat on, I have the following questions:

Do you only have problems with this one user account?
What is your account lockout policy set to?
What are the Domain and Forest functional levels?
Are you having any replication problems with the DC you are connecting
to?
Is the machine you are using to connect to the DC joined to the domain?
Have you reviewed the security logs on the DC after this has happened?
Have you performed a network trace to understand what transactions are
taking place between the client system and the DC?

Answers to these will help in diagnosing your issue.

Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Tuesday, December 27, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ID Locket Out when Accessing DC

I have a situation where I am using my enterprise admin ID to access
my DC through a UNC path. But every time I try to do so this enterprise
admin ID gets locked out.

What could be the possible reason for this? I have a Win2k3 environment.
--
RD
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




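One way to act on Aric's "have you reviewed the security logs on the DC" question, added here as an example and not part of any message in the thread. The DC that locks an account writes a lockout event to its own Security log (event ID 644 on Windows 2000/2003, 4740 on Windows Server 2008 and later), and that event names the caller computer from which the failing credentials were presented; the PDC emulator is notified of every lockout in the domain, so it is the first DC to query. The two sample messages below are constructed in the 644 and 4740 layouts so the parser can be exercised offline; account and host names (entadmin, WKSTN42, PDC01) are placeholders. The live query uses only Get-EventLog, so it works against 2003 DCs without the ActiveDirectory module.

```powershell
# Added example: trace a locked-out account back to the machine presenting the bad
# credentials, using the lockout events a DC writes to its Security log.
# Event 644 (Windows 2000/2003) and 4740 (Windows Server 2008+) both name the caller.

function ConvertFrom-LockoutMessage {
    param([Parameter(Mandatory = $true)][string] $Message)
    $account = $null
    if ($Message -match 'Target Account Name:\s*(\S+)') {
        # 644 layout: a single "Target Account Name" line.
        $account = $Matches[1]
    } elseif ($Message -match 'Account That Was Locked Out:[\s\S]*?Account Name:\s*(\S+)') {
        # 4740 layout: the first "Account Name" is the Subject (the DC itself),
        # so anchor on the "Account That Was Locked Out" section.
        $account = $Matches[1]
    }
    $caller = $null
    if ($Message -match 'Caller (?:Computer|Machine) Name:\s*(\S+)') { $caller = $Matches[1] }
    New-Object PSObject -Property @{ Account = $account; Caller = $caller }
}

function Get-AccountLockoutSources {
    # Lockout events for one account from a DC. Point it at the PDC emulator: every
    # lockout in the domain is reported there, whichever DC processed the bad logon.
    param(
        [Parameter(Mandatory = $true)][string] $SamAccountName,
        [string] $ComputerName = $env:COMPUTERNAME,
        [int] $Newest = 5000
    )
    Get-EventLog -LogName Security -ComputerName $ComputerName -Newest $Newest |
        Where-Object { $_.EventID -eq 644 -or $_.EventID -eq 4740 } |
        ForEach-Object {
            $p = ConvertFrom-LockoutMessage -Message $_.Message
            if ($p.Account -and ($p.Account -ieq $SamAccountName)) {
                New-Object PSObject -Property @{
                    Time     = $_.TimeGenerated
                    EventId  = $_.EventID
                    Account  = $p.Account
                    Caller   = $p.Caller
                    LoggedOn = $ComputerName
                }
            }
        }
}

function Get-LockoutCallerSummary {
    # Group by caller so the offending host (stale mapped drive, service account,
    # scheduled task, or the user's own workstation) stands out.
    param([Parameter(Mandatory = $true)] $Lockouts)
    $Lockouts | Group-Object Caller | Sort-Object Count -Descending |
        Select-Object @{ n = 'Caller'; e = { $_.Name } }, Count
}

# Constructed sample messages (not real log data) in the 644 and 4740 layouts.
$sample644 = @'
User Account Locked Out:
    Target Account Name:    entadmin
    Target Account ID:      CONTOSO\entadmin
    Caller Machine Name:    WKSTN42
    Caller User Name:       DC1$
    Caller Domain:          CONTOSO
    Caller Logon ID:        (0x0,0x3E7)
'@
$sample4740 = @'
A user account was locked out.

Subject:
    Security ID:        S-1-5-18
    Account Name:       DC1$
    Account Domain:     CONTOSO
    Logon ID:           0x3e7

Account That Was Locked Out:
    Security ID:        S-1-5-21-111-222-333-500
    Account Name:       entadmin

Additional Information:
    Caller Computer Name:   WKSTN42
'@

$demo = @($sample644, $sample4740) | ForEach-Object { ConvertFrom-LockoutMessage -Message $_ }
Get-LockoutCallerSummary -Lockouts $demo | Format-Table -AutoSize

# Live use against the PDC emulator (placeholder name):
#   $lockouts = Get-AccountLockoutSources -SamAccountName entadmin -ComputerName PDC01
#   Get-LockoutCallerSummary -Lockouts $lockouts
```

Once the caller computer is known, the failed-logon events on that DC around the same timestamps (529/680 on 2003, 4625/4776 on 2008 and later) show which process or logon type is presenting the stale credential.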


Re: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]

2005-12-28 Thread Al Mulnick
Wouldn't Tony already be aware of such things?  
 
DL/DG management is not a new issue by any stretch.  It gets new life because the DG can now also be a SG which makes it more important to understand the ramifications of creating a new DG. 
 
The Dev team should be well aware of such things and should also be familiar with the Microsoft solutions used in-house (which are not always available to the public).  
 
Personally, if they're going to roll a solution for group management, don't limit it to those using Exchange and therefore have DG's that are also SG's.  Make it a group management function (preferred not to be based on expensive DB technology) that encompasses customers of AD (the common denominator).  It would not bother me if there were added functions that you could get with Exchange deployed, but don't make it so you have to have it.  

 
Any solution created should have the ability to be self or centrally managed in an organization with 1 or more DC's and 1 to 500,000 users (or more?)  There should be audit ability as well as the ability to send reminders and validation flows of group membership along with the ability to set business logic rules.  An example of that would be to require an owner for every group created.  That owner MUST have an account in the AD and it must be active. If not, there must be some sort of override else the group is automatically removed from circulation. This would help greatly with things such as SOX compliance as well as other compliance efforts. Another need to have would be the ability to have the creation of groups follow a pre-defined naming standard.  Nice to allow users the freedom to create groups with any name they wish, but that doesn't help with the greater good in an organization over 100 people.  Surprisingly (not really) if you put 100 people in a room and ask them to come up with meaningful names for groups, you'd get 101 names for the same group you're going to create.  That would be fine in a Yahoo! setting but for corporate use it's unpredictable and next to impossible to manage or worse, troubleshoot.  Good naming standards are the responsibility of the corporation's architects and it's up to those standards creation processes to come up with meaningful and useful naming standards.  Not the consumers of the service.  At least, not if you intend to keep the service available and able to be troubleshot in a timely manner. Besides, who would win if two equal folks decided they wanted the same name for a group?  Sword fighting duels are not legal in most countries any longer :)

 
The list goes on, but there are many things that this type of tool can be useful for.  I think many of the third party solutions that are mentioned later in the thread are very good, but if Microsoft is going to create such a product, they should consider what its intended uses are and balance that against what exists and what problems their customers need to solve. They should also consider the implications of creating a product that competes with their partners.  

 
 
Finally, Susan, if you know Tony, you might suggest that he talk with the Exchange and AD product teams.  I'm sure they have somebody who is aware of the issues and the currently available solutions from partners. It's possible there's still some room for additional solutions, but it would be good for him to research with them to avoid overlap where it may not be needed. 

 
Then again, what would I know about it? ;-) 
On 12/27/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
Got a list?  You might want to ping Tony so he doesn't reinvent the wheel  :-)

Brian Desmond wrote:
> Tools exist from MS in the past, 3rd party, and in many large orgs home baked stuff...
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
> c - 312.731.3132
>
> From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tue 12/27/2005 9:42 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]
>
> http://blogs.technet.com/secguide/archive/2005/12/27/416528.aspx
>
> MSSC is looking into the possibility of a solution/tool to help with creation and lifecycle management of email and security distribution groups
>
> *  Creating and managing groups within an organization requires unnecessary administrative overhead.
> *  Administrators use valuable time creating groups that could otherwise be used for other IT activities.
> *  End-user productivity may be hampered by delays in processing requests for creation of groups.
> *  End users find it frustrating that they cannot create and manage groups that have meaningful names and users find it hard to manage especially for adding and removing users.
>
> The proposed solution would provide end-users with the ability to create and manage groups through a simple self-help Web portal.
>
> --
> Letting your vendors set your risk analysis these days?
> http://w

Re: [ActiveDir] Event 2069 - AD Quota tracking table?

2005-12-28 Thread Al Mulnick
Freddy, is this also a global catalog server? 
It is a concern as this should not be something you see on normal servers.  Also, can you describe what changed in the environment recently and what else is running on that server? 
 
Al 
 
On 12/28/05, Freddy HARTONO <[EMAIL PROTECTED]> wrote:

Hi all 
Found an interesting event, haven't been able to find any additional info on this yet, but from the look of it it's only happening on this domain controller and it seems to be responding well.

Is this much of a concern? 
Event Type: Error
Event Source:   NTDS General
Event Category: (9)
Event ID:   2069
Date:       12/28/2005
Time:       12:58:28 PM
User:       NT AUTHORITY\ANONYMOUS LOGON
Computer:   SELSOS01
Description:
Active Directory detected corrupt counts in the quota-tracking table. Quota enforcement may not behave correctly until the quota-tracking table is rebuilt.

  
Thank you and have a splendid day! 
Kind Regards, 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785


[ActiveDir] Time Service

2005-12-28 Thread Douglas M. Long
I have read the Time Service white paper from Microsoft and am still
confused. I have set the default domain GPO to use NT5DS under Configure
Windows NTP Client, and set an external time server (navobs1.oar.net,0x1)
for NTPServer. I have also set Enable Windows NTP Server to enabled. There
are no other time related GPOs set in the domain. I was under the assumption
that with that setting my PDC emulator (DC1) should be synching with
navobs1.oar.net,0x1 and the other DC synchs with the PDC emulator, and then
all clients synch to the closest DC. When I run a w32tm /monitor from
either DC or from any client, I get the following.

 

dc1.domain.com *** PDC *** [10.100.110.12]:

ICMP: 0ms delay.

NTP: +0.000s offset from dc1.domain.com

RefID: 'LOCL' [76.79.67.76]

dc2.domain.com [10.100.110.13]:

ICMP: 0ms delay.

NTP: +0.0226641s offset from dc1.domain.com

RefID: dc1.domain.com [10.100.110.12]

 

When I run it from a client:

 

dc1.domain.com *** PDC *** [10.100.110.12]:

ICMP: 0ms delay.

NTP: +0.000s offset from dc1.domain.com

RefID: 'LOCL' [76.79.67.76]

dc2.domain.com [10.100.110.13]:

ICMP: 8ms delay.

NTP: +0.0342476s offset from dc1.domain.com

RefID: dc1.domain.com [10.100.110.12]

 

What I am seeing is that everything is working except DC1 is not synching
with an external time server. Is that correct, or am I reading that wrong?
If it isn't synching with an external time source, what setting am I
missing?

 

 


[ActiveDir] Problem with IE security Policies GP

2005-12-28 Thread Sudhir Kaushal

Hi,

My users connect through ICA sessions
to a couple of Citrix desktop servers (all Windows 2000). The profiles
they are using are mandatory. In those profiles the IE security setting
for Internet Zones\Navigate sub-frames across different domains is
set to "Prompt". I want this setting to be changed from
"Prompt" to "Enable". 

My DCs are 2003. I edited the GP associated
with the affected users' OU and configured this particular setting and
set it to "Enable". However, the users are still getting
the older IE settings.

I don't know where I am going wrong.
Any help would be appreciated. 
Regards,
Sudhir  
 



This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit written
agreement or government initiative expressly permitting the use of e-mail
for such purpose.



[ActiveDir] Migration issues(OT)

2005-12-28 Thread Tom Kern
I'm running Quest's AD Migration Manager and some workstations are experiencing issues post migration.
 
Their login scripts don't run(legacy not GPO scripts) and hence their drive mappings don't work.
This is sporadic as some users are fine.
 
The only thing these non-working users have in common is that they all log an event ID 1000:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date:  12/28/2005
Time:  7:28:49 AM
User:  NT AUTHORITY\SYSTEM
Computer: OP5041534335
Description:
Windows cannot obtain the domain controller name for your computer network. Return value (59).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
From eventid.net, this seems to indicate network connectivity issues but I don't think that applies here. Many users in the same location are fine and all workstations are standard images, i.e., identical.

 
The background is as follows- we are migrating from a win2k native mode forest to a win2k3 FFL win2k3 forest using Quest ADMM.
The servers and user machines are all double ACL'ed and sid history is enabled(sid filtering disabled).
The users have access to their old profiles.
 
The only thing I think could be an issue is DNS.
When the client is moved, he points to the DNS in the target forest. This AD-integrated DNS server forwards anything it doesn't know to a BIND 9 server which conditionally forwards to the source domain if a query is made for something there.

As it stands, all users/workstations have been migrated(copied) but some servers still remain in the source domain as we are in an interim stage right now.
 
Any help or ideas would be great.
Thanks a lot!


Re: [ActiveDir] Migration issues(OT)

2005-12-28 Thread James_Day
Hi Tom

Is it possible to put secondary zones for the new forest on the old forest
DNS servers - so instead of double forwarding (to bind and back) clients
can look up the new domain directly.  In our migration we did it both ways.
The servers in the new forest contain secondaries for the old forest and
the servers in the old forest contain secondaries for the new forest - thus
either DNS configuration in the interim stage can see all AD records on
both sides.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]


Tom Kern <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
12/28/2005 09:39 AM EST
Please respond to ActiveDir

To:      activedirectory
cc:      (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Migration issues(OT)




I'm running Quest's AD Migration Manager and some workstations are
experiencing issues post migration.

Their login scripts don't run(legacy not GPO scripts) and hence their drive
mappings don't work.
This is sporadic as some users are fine.

The only thing these non-working users have in common is that they all log
an event ID 1000:


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date:  12/28/2005
Time:  7:28:49 AM
User:  NT AUTHORITY\SYSTEM
Computer: OP5041534335
Description:
Windows cannot obtain the domain controller name for your computer network.
Return value (59).


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.





From eventid.net, this seems to indicate network connectivity issues but I
don't think that applies here. Many users in the same location are fine and
all workstations are standard images, i.e., identical.





The background is as follows- we are migrating from a win2k native mode
forest to a win2k3 FFL win2k3 forest using Quest ADMM.


The servers and user machines are all double ACL'ed and sid history is
enabled(sid filtering disabled).


The users have access to their old profiles.





The only thing I think could be an issue is DNS.


When the client is moved, he points to the DNS in the target forest. This
AD-integrated DNS server forwards anything it doesn't know to a BIND 9
server which conditionally forwards to the source domain if a query is made
for something there.


As it stands, all users/workstations have been migrated(copied) but some
servers still remain in the source domain as we are in an interim stage
right now.





Any help or ideas would be great.


Thanks a lot!





RE: [ActiveDir] Time Service

2005-12-28 Thread Ulf B. Simon-Weidner
Hi Douglas,

 

To configure domain members and DCs to use the default behavior, either

 

Run w32tm /config /update /syncfromflags:DOMHIER

 

Or check the following registry key

 

HKLM\System\CCS\Services\w32time\Parameters

Type=NT5DS

 

To configure a server to use a NTP-Timesource (what you want to do on the
PDC-E of the forest root):

 

Run w32tm /config /update /syncfromflags:MANUAL /manualpeerlist:"fqdn1 fqdn2
ip1"

 

Or check the following registry keys

HKLM\System\CCS\Services\w32time\Parameters

Type=NTP

NTPServer="fqdn1 fqdn2 ip1"

 

To configure a server to trust its BIOS clock (test environment) or which is
getting its time from a 3rd party soft- or hardware attached locally, check
the following reg keys:

 

HKLM\System\CCS\Services\w32time\Parameters

Type=NoSync

ReliableTimeSource = 1 (reg_dword)

 

 

Afterwards I'd restart w32time using

net stop w32time && net start w32time

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps":  
http://tinyurl.com/44zcz
  Weblog:  
http://msmvps.org/UlfBSimonWeidner
  Website:  
http://www.windowsserverfaq.org
  Profile:

http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, December 28, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time Service

 

I have read the Time Service white paper from Microsoft and am still
confused. I have set the default domain GPO to use NT5DS under Configure
Windows NTP Client, and set an external time server (navobs1.oar.net,0x1)
for NTPServer. I have also set Enable Windows NTP Server to enabled. There
are no other time related GPOs set in the domain. I was under the assumption
that with that setting my PDC emulator (DC1) should be synching with
navobs1.oar.net,0x1 and the other DC synchs with the PDC emulator, and then
all clients synch to the closest DC. When I run a w32tm /monitor from
either DC or from any client, I get the following.

 

dc1.domain.com *** PDC *** [10.100.110.12]:

ICMP: 0ms delay.

NTP: +0.000s offset from dc1.domain.com

RefID: 'LOCL' [76.79.67.76]

dc2.domain.com [10.100.110.13]:

ICMP: 0ms delay.

NTP: +0.0226641s offset from dc1.domain.com

RefID: dc1.domain.com [10.100.110.12]

 

When I run it from a client:

 

dc1.domain.com *** PDC *** [10.100.110.12]:

ICMP: 0ms delay.

NTP: +0.000s offset from dc1.domain.com

RefID: 'LOCL' [76.79.67.76]

dc2.domain.com [10.100.110.13]:

ICMP: 8ms delay.

NTP: +0.0342476s offset from dc1.domain.com

RefID: dc1.domain.com [10.100.110.12]

 

What I am seeing is that everything is working except DC1 is not synching
with an external time server. Is that correct, or am I reading that wrong?
If it isn't synching with an external time source, what setting am I
missing?

 

 

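An added check, not part of Ulf's or Douglas's messages, that reads the W32Time values Ulf lists and parses the `w32tm /monitor` output Douglas pasted. The `RefID: 'LOCL' [76.79.67.76]` line is the tell: the four bytes 76.79.67.76 are the ASCII string LOCL, meaning dc1 is using its own local clock as its reference rather than an upstream NTP peer, which is exactly what a domain-wide NT5DS policy produces at the top of the hierarchy. Because Group Policy writes its copy of these values under HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters and that copy wins over the service's own Parameters key, the configuration reader checks the policy path first; a PDC emulator that must use a manual peer list needs either its own GPO or no domain-level NTP client policy. The function also flags any host whose offset from the PDC exceeds the 5-minute Kerberos default tolerance. The sample text is Douglas's output from the post, reindented; host names are his.

```powershell
# Added example: audit the W32Time configuration Ulf describes and read `w32tm /monitor`
# output for a PDC emulator that has no upstream time source.

$W32TimeParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$W32TimePolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'   # GPO copy; overrides the above

function Get-W32TimeSource {
    # Interpret Type / NtpServer on the local machine, preferring the policy key when present.
    $path = if (Test-Path $W32TimePolicy) { $W32TimePolicy } else { $W32TimeParameters }
    $p = Get-ItemProperty -Path $path
    $type = [string] $p.Type
    $meaning = switch ($type) {
        'NT5DS'   { 'domain hierarchy (syncfromflags:DOMHIER); right for members and non-PDC DCs' }
        'NTP'     { "manual peers '$($p.NtpServer)' (syncfromflags:MANUAL); expected on the forest-root PDC emulator" }
        'NoSync'  { 'no synchronisation; only acceptable with a trusted local clock source' }
        'AllSync' { "domain hierarchy plus manual peers '$($p.NtpServer)'" }
        default   { "unrecognised Type value '$type'" }
    }
    New-Object PSObject -Property @{ ReadFrom = $path; Type = $type; NtpServer = $p.NtpServer; Meaning = $meaning }
}

function ConvertFrom-W32tmMonitor {
    # Parse `w32tm /monitor` text into one object per host and attach a finding.
    param([Parameter(Mandatory = $true)][string] $Text)
    $results = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(\S+?)(\s+\*\*\* PDC \*\*\*)?\s+\[([^\]]+)\]:\s*$') {
            if ($current) { $results += $current }
            $current = New-Object PSObject -Property @{
                Host = $Matches[1]; IsPdc = [bool] $Matches[2]; Address = $Matches[3]
                OffsetSeconds = $null; RefId = $null; Finding = ''
            }
        } elseif ($current -and $line -match 'NTP:\s+([+-]?[\d.]+)s offset') {
            $current.OffsetSeconds = [double] $Matches[1]
        } elseif ($current -and $line -match 'RefID:\s+(.+?)\s+\[([^\]]+)\]') {
            $current.RefId = $Matches[1].Trim("'")
        }
    }
    if ($current) { $results += $current }

    foreach ($r in $results) {
        # RefID 'LOCL' (bytes 76.79.67.76 = "LOCL") means the host is its own reference clock.
        if ($r.RefId -eq 'LOCL') {
            $r.Finding = if ($r.IsPdc) { 'PDC emulator is free-running: no external NTP source in effect' }
                         else          { 'host is free-running instead of following the domain hierarchy' }
        } elseif ($r.OffsetSeconds -ne $null -and [math]::Abs($r.OffsetSeconds) -gt 300) {
            $r.Finding = 'offset exceeds the 5-minute Kerberos default tolerance'
        } else {
            $r.Finding = 'ok'
        }
    }
    $results
}

# Constructed sample: the `w32tm /monitor` output from the post, reindented.
$sample = @'
dc1.domain.com *** PDC *** [10.100.110.12]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from dc1.domain.com
        RefID: 'LOCL' [76.79.67.76]
dc2.domain.com [10.100.110.13]:
    ICMP: 0ms delay.
    NTP: +0.0226641s offset from dc1.domain.com
        RefID: dc1.domain.com [10.100.110.12]
'@
ConvertFrom-W32tmMonitor -Text $sample | Format-Table Host, IsPdc, OffsetSeconds, RefId, Finding -AutoSize

# Live use on any domain member:  ConvertFrom-W32tmMonitor -Text ((w32tm /monitor) -join "`n")
# Local configuration:            Get-W32TimeSource
```

Run against the sample, dc1 is reported as the free-running PDC emulator and dc2 as ok. The fix is the one Ulf gives for the PDC emulator (`w32tm /config /manualpeerlist:... /syncfromflags:MANUAL /update`, then restart w32time), but only after the domain-level NT5DS policy no longer applies to that server; otherwise the policy key re-asserts NT5DS at the next refresh.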

[ActiveDir] command line tool to display object owner?

2005-12-28 Thread Thommes, Michael M.
Can someone point me at a command line tool to display an AD object's
owner?  I know I can see the object's owner with
ADSIEdit/Properties/Security/Advanced.

TIA!
Mike Thommes


RE: [ActiveDir] command line tool to display object owner?

2005-12-28 Thread joe
Adfind with the -owner switch.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, December 28, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] command line tool to display object owner?

Can someone point me at a command line tool to display an AD object's owner?
I know I can see the object's owner with
ADSIEdit/Properties/Security/Advanced.

TIA!
Mike Thommes


Re: [ActiveDir] Migration issues(OT)

2005-12-28 Thread Tom Kern
Thanks. I already did the secondary of target on source and source on target DNS, James. Sorry, forgot to mention that.
 
I'll look into the kerberos over tcp, Jeff.
Thanks.
 
Another issue is that some of the clients' DHCP servers are still in the old domain (clients update their own A records), so the client gets a connection-specific suffix of the old domain and a primary DNS suffix of the new domain.

I don't know if this would screw things up.
However, all clients have a suffix search list for resolving flat names that includes the new and old domains.
 
Also, some clients have drives mapped to a Windows NT domain (no trust) in their login script. The script passes a user account and password in the NT domain to do the mappings. I find sometimes this breaks as well. The account used to do the mappings gets locked out sometimes.

 
 
 
 
To further elaborate my DNS scenario: the target forest has an empty root. The child DNS zone has been delegated to DNS servers in the child domain.
DNS is AD-integrated (replicated to all DNS servers in the domain).
 
Thanks again, guys! 
On 12/28/05, Jeff Salisbury <[EMAIL PROTECTED]> wrote:

Tom - I saw very odd behavior in one of our offices when we migrated them to AD. It affected some, but not all machines, where they couldn't talk to the domain controller and weren't running group policy. Rather than DNS, it turned out to be a Kerberos authentication issue. Something in the network was fragmenting Kerberos UDP packets, which breaks authentication. We found a KB article (don't have it handy but should be easy to search for) that tells you how to force Kerberos to use TCP by making a registry change.

 
The local AD domain controller and clients were all within a local well connected (100 Mbps) network. We never did find out what was causing the Kerberos UDP packets to be fragmented. Either the packets were too big compared to our other offices, or somehow one of the network switches was enforcing a restrictive MTU (not likely). Most other offices did not have this problem, although we did have a few machines here and there that did.

 
Hope this helps!
 
Jeff Salisbury


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, December 28, 2005 6:39 AM
To: activedirectory
Subject: [ActiveDir] Migration issues(OT)


I'm running Quest's AD Migration Manager and some workstations are experiencing issues post migration.
 
Their login scripts don't run(legacy not GPO scripts) and hence their drive mappings don't work.
This is sporadic as some users are fine.
 
The only thing these non-working users have in common is that they all log an event ID 1000:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date:  12/28/2005
Time:  7:28:49 AM
User:  NT AUTHORITY\SYSTEM
Computer: OP5041534335
Description:
Windows cannot obtain the domain controller name for your computer network. Return value (59).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
From eventid.net, this seems to indicate network connectivity issues but I don't think that applies here. Many users in the same location are fine and all workstations are standard images, i.e., identical.

 
The background is as follows- we are migrating from a win2k native mode forest to a win2k3 FFL win2k3 forest using Quest ADMM.
The servers and user machines are all double ACL'ed and sid history is enabled(sid filtering disabled).
The users have access to their old profiles.
 
The only thing I think could be an issue is DNS.
When the client is moved, he points to the DNS in the target forest. This AD-integrated DNS server forwards anything it doesn't know to a BIND 9 server which conditionally forwards to the source domain if a query is made for something there.

As it stands, all users/workstations have been migrated(copied) but some servers still remain in the source domain as we are in an interim stage right now.
 
Any help or ideas would be great.
Thanks a lot!
Confidential
This e-mail and any files transmitted with it are the property of Belkin Corporation and/or its affiliates, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed.  If you are not one of the named recipients or otherwise have reason to believe that you have received this e-mail in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited.
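Two checks for the fragmentation case Jeff describes, added here as an example and not taken from any message in the thread. The first probes how large a payload reaches a DC with the don't-fragment bit set; a Kerberos reply carrying a large PAC (many group memberships, and sIDHistory entries are included in the PAC, which is relevant to Tom's migrated users) can exceed that, and a device on the path that drops fragments then breaks authentication. The second reads or sets MaxPacketSize under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters: a value of 1 makes the Windows Kerberos client use TCP for every request, which is the registry change Jeff's KB article describes. Windows 2000/XP/2003 default to UDP for typical ticket sizes; Vista and later already default to TCP. The DC name is a placeholder; writing the value needs administrative rights and a reboot to take effect.

```powershell
# Added example: diagnose Kerberos UDP fragmentation on the path to a DC and, if needed,
# force the Kerberos client to TCP.

function Test-UnfragmentedPayload {
    # Largest ICMP payload that reaches $ComputerName with the don't-fragment bit set.
    # 1472 = 1500-byte Ethernet MTU minus 20 (IP header) minus 8 (ICMP header). A result
    # well below that means some link on the path has a smaller MTU, so large UDP
    # datagrams (such as Kerberos replies with a big PAC) are being fragmented.
    param(
        [Parameter(Mandatory = $true)][string] $ComputerName,
        [int] $Start = 1472,
        [int] $Floor = 1000,
        [int] $Step  = 8
    )
    for ($size = $Start; $size -ge $Floor; $size -= $Step) {
        # Windows ping: -f sets DF, -l is the payload size. Too-large probes print
        # "Packet needs to be fragmented but DF set."
        $out = (ping -n 1 -f -l $size $ComputerName 2>&1) -join "`n"
        if ($out -match 'Reply from' -and $out -notmatch 'needs to be fragmented') { return $size }
    }
    return 0
}

$KerberosParameters = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosTransportSetting {
    # MaxPacketSize: requests larger than this go over TCP instead of UDP; 1 forces TCP always.
    # Absent value = OS default (UDP first on Windows 2000/XP/2003, TCP on Vista and later).
    $value = $null
    if (Test-Path $KerberosParameters) {
        $value = (Get-ItemProperty -Path $KerberosParameters).MaxPacketSize
    }
    New-Object PSObject -Property @{
        MaxPacketSize = $value
        ForcesTcp     = ($value -eq 1)
    }
}

function Set-KerberosForceTcp {
    # Writes MaxPacketSize = 1, the fix Jeff describes. Needs admin rights and a reboot.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $KerberosParameters)) { New-Item -Path $KerberosParameters -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($KerberosParameters, 'Set MaxPacketSize = 1 (Kerberos over TCP)')) {
        Set-ItemProperty -Path $KerberosParameters -Name MaxPacketSize -Value 1 -Type DWord
    }
}

# Usage (DC name is a placeholder):
#   Test-UnfragmentedPayload -ComputerName dc1.target.example   # e.g. 1472 on a clean path
#   Get-KerberosTransportSetting
#   Set-KerberosForceTcp -WhatIf                                # drop -WhatIf to apply
```

If the probe returns the full 1472 bytes from the affected workstations yet authentication still fails only on them, the fragment loss is somewhere other than MTU (a filtering device that passes only the first fragment is the usual culprit); forcing TCP sidesteps it either way, at the cost of a TCP handshake per Kerberos exchange.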


RE: [ActiveDir] command line tool to display object owner?

2005-12-28 Thread Thommes, Michael M.
Right under my nose!  Thanks for the Xmas present, joe!  8-)

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, December 28, 2005 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] command line tool to display object owner?

Adfind with the -owner switch.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, December 28, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] command line tool to display object owner?

Can someone point me at a command line tool to display an AD object's
owner?
I know I can see the object's owner with
ADSIEdit/Properties/Security/Advanced.

TIA!
Mike Thommes


Re: [ActiveDir] command line tool to display object owner?

2005-12-28 Thread Tom Kern
dsacls with the "/A" switch
On 12/28/05, joe <[EMAIL PROTECTED]> wrote:
> Adfind with the -owner switch.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
> Sent: Wednesday, December 28, 2005 10:02 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] command line tool to display object owner?
>
> Can someone point me at a command line tool to display an AD object's owner?
> I know I can see the object's owner with ADSIEdit/Properties/Security/Advanced.
>
> TIA!
> Mike Thommes
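Besides adfind -owner and dsacls /A, the owner can be read from PowerShell with nothing but ADSI, and that makes it easy to sweep for owners that should not be there. This is an added example, not code from anyone in the thread. Ownership matters because the owner can always rewrite the object's DACL (WRITE_DAC and READ_CONTROL are implicit), so an object owned by an ordinary user is an object that user can take full control of; computer accounts joined by a non-admin under ms-DS-MachineAccountQuota are owned by that user, which is what the second constructed sample shows. The live function binds to a DN; the offline function parses an SDDL string such as one from an ldifde export. The DNs, the domain SID S-1-5-21-111-222-333 and RID 1105 are placeholders, and the RID 519 check is only meaningful when the SID supplied is the forest root domain's.

```powershell
# Added example: read an AD object's owner without adfind or dsacls, and flag owners
# outside the expected administrative set.

function Get-AdObjectOwner {
    # Live query: bind to the object and read nTSecurityDescriptor via ObjectSecurity.
    param([Parameter(Mandatory = $true)][string] $DistinguishedName)
    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    $sd  = $entry.ObjectSecurity
    $sid = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
    $name = $null
    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    New-Object PSObject -Property @{
        DistinguishedName = $DistinguishedName
        OwnerSid          = $sid.Value
        OwnerName         = $name
    }
}

function Get-OwnerFromSddl {
    # Offline: parse an SDDL string (e.g. from an ldifde export) and return the owner SID.
    param([Parameter(Mandatory = $true)][string] $Sddl)
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $raw.Owner
}

function Test-ExpectedOwner {
    # Owners acceptable for privileged or infrastructure objects. $DomainSid is the
    # caller's domain SID (placeholder in the demo); -519 only exists in the forest root.
    param(
        [Parameter(Mandatory = $true)][System.Security.Principal.SecurityIdentifier] $Owner,
        [Parameter(Mandatory = $true)][string] $DomainSid
    )
    $expected = @(
        'S-1-5-32-544',        # BUILTIN\Administrators
        'S-1-5-18',            # NT AUTHORITY\SYSTEM
        "$DomainSid-512",      # Domain Admins
        "$DomainSid-519"       # Enterprise Admins (forest root domain only)
    )
    $expected -contains $Owner.Value
}

# Constructed sample descriptors (not real directory data); SIDs and DNs are placeholders.
$domainSid = 'S-1-5-21-111-222-333'
$samples = @{
    'OU=Domain Controllers,DC=contoso,DC=com'    = "O:S-1-5-32-544G:$domainSid-512D:(A;;GA;;;BA)"
    'CN=WKSTN42,CN=Computers,DC=contoso,DC=com'  = "O:$domainSid-1105G:$domainSid-513D:(A;;GA;;;BA)"
}
$samples.Keys | ForEach-Object {
    $owner = Get-OwnerFromSddl -Sddl $samples[$_]
    New-Object PSObject -Property @{
        Object   = $_
        Owner    = $owner.Value
        Expected = (Test-ExpectedOwner -Owner $owner -DomainSid $domainSid)
    }
} | Format-Table -AutoSize

# Live use:  Get-AdObjectOwner -DistinguishedName 'CN=WKSTN42,CN=Computers,DC=contoso,DC=com'
```

The first sample is reported as expected (BUILTIN\Administrators), the second as not (a user RID owns a computer object). For a whole OU, feed the DNs from a DirectorySearcher into Get-AdObjectOwner and pipe the results through Test-ExpectedOwner; dsacls /A gives the same owner line one object at a time.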


RE: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]

2005-12-28 Thread joe



The old MS solution which just did DLs is called AutoDL and 
it has been available externally but, as Al points out, depends on SQL Server. 
Then came AutoGroup, which MS would not give out to anyone but handled Sec and 
Non-Sec AD groups. I know I tried for over a year to get it and was finally told 
all of this functionality was being wrapped into MIIS. But again, that 
depends on SQL Server. 
 
If someone inside of MS intends to make yet another 
solution, I would highly recommend it not need SQL Server and that it handle AD 
and ADAM. Possibly it should use ADAM as its backend store? Alternatively it 
could use AD itself or MSDE (regardless of size of org) or 
ESE. 
 
I agree completely with Al on the group naming. Blood has 
been spilled over much less than names. Some of the biggest bloodiest corporate 
arguments I have been involved in have been about naming standards. I know of no 
large company that would allow end users to come up with their own names without 
rules around it. Even in a small company you could see a name like 
sbradleysucksmybutt or something like that which is obviously not a good thing 
in a corporate environment. Sure you will have logging of who did it once 
someone figures out it was done, but if you have 50,000 or 100,000 groups out 
there, who is doing that checking? 
 
Another thing, users shouldn't just be creating groups ad 
hoc. There needs to be a corporate strategy that walks you around the mine 
fields of having too many SIDS in your tokens or just plain replicating a bunch 
of crap that doesn't need to be out there at all. As Al indicated you definitely 
need a work flow where approval has to be gathered prior to the system just 
doing this.
 
Other 
than that. As Al and Brian indicated, this has been a problem with many 
solutions through the years. 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, December 28, 2005 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]

Wouldn't Tony already be aware of such things?  
 
DL/DG management is not a new issue by any stretch.  It gets new life 
because the DG can now also be a SG which makes it more important to understand 
the ramifications of creating a new DG. 
 
The Dev team should be well aware of such things and should also be familiar 
with the Microsoft solutions used in-house (which are not always available to 
the public).  
 
Personally, if they're going to roll a solution for group management, don't 
limit it to those using Exchange and therefore have DG's that are also 
SG's.  Make it a group management function (preferred not to be based on 
expensive DB technology) that encompasses customers of AD (the common 
denominator).  It would not bother me if there were added functions that 
you could get with Exchange deployed, but don't make it so you have to have 
it.  
 
Any solution created should have the ability to be self or centrally 
managed in an organization with 1 or more DC's and 1 to 500,000 users (or 
more?)  There should be audit ability as well as the ability to send 
reminders and validation flows of group membership along with the ability 
to set business logic rules.  An example of that would be to require an 
owner for every group created.  That owner MUST have an account in the AD 
and it must be active. If not, there must be some sort of override else the 
group is automatically removed from circulation. This would help greatly with 
things such as SOX compliance as well as other compliance efforts. Another need 
to have would be the ability to have the creation of groups follow a pre-defined 
naming standard.  Nice to allow users the freedom to create groups with any 
name they wish, but that doesn't help with the greater good in an organization 
over 100 people.  Surprisingly (not really) if you put 100 people in a room 
and ask them to come up with meaningful names for groups, you'd get 101 names 
for the same group you're going to create.  That would be fine in a Yahoo! 
setting but for corporate use it's unpredictable and next to impossible to 
manage or worse, troubleshoot.  Good naming standards are the 
responsibility of the corporation's architects and it's up to those standards 
creation processes to come up with meaningful and useful naming standards.  
Not the consumers of the service.  At least, not if you intend to keep the 
service available and able to be troubleshot in a timely manner. Besides, who 
would win if two equal folks decided they wanted the same name for a 
group?  Sword fighting duels are not legal in most countries any longer :) 

 
The list goes on, but there are many things that this type of tool can 
be useful for.  I think many of the third party solutions that are 
mentioned later in the thread are very good, but if Microsoft is going to create 
such a product, they should consider what its intended uses are and balance 
that aga

RE: [ActiveDir] command line tool to display object owner?

2005-12-28 Thread joe
No problem. :o) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, December 28, 2005 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] command line tool to display object owner?

Right under my nose!  Thanks for the Xmas present, joe!  8-)

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, December 28, 2005 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] command line tool to display object owner?

Adfind with the -owner switch.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, December 28, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] command line tool to display object owner?

Can someone point me at a command line tool to display an AD object's owner?
I know I can see the object's owner with
ADSIEdit/Properties/Security/Advanced.

TIA!
Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

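What `adfind -owner` prints is the OwnerSid field of the object's nTSecurityDescriptor, which AD returns as a binary self-relative security descriptor. The following is an added example, not code from joe, from AdFind or from the thread: a small Python parser that pulls the owner SID out of such a descriptor. The descriptor it runs over is constructed inline (owner S-1-5-21-1-2-3-512, a made-up domain with the Domain Admins RID); the header layout (20-byte header, then SIDs at the given offsets) and the well-known RID labels are the documented Windows formats.

```python
import struct

SE_SELF_RELATIVE = 0x8000   # Control flag: all offsets are relative to the start of the SD
SD_HEADER = "<BBHIIII"      # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
SD_HEADER_LEN = struct.calcsize(SD_HEADER)   # 20 bytes

# A few well-known RIDs, used only to label the result (documented Microsoft values).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 519: "Enterprise Admins"}


def encode_sid(sid):
    """'S-1-5-21-1-2-3-512' -> binary SID: Revision, SubAuthorityCount,
    6-byte big-endian IdentifierAuthority, then little-endian sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def decode_sid(buf, offset):
    """Read the binary SID that starts at buf[offset] and render it as a string."""
    revision, count = struct.unpack_from("<BB", buf, offset)
    if revision != 1 or count > 15:
        raise ValueError("not a valid SID at offset %d" % offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_self_relative_sd(owner_sid, group_sid):
    """Constructed test input: a minimal self-relative SD carrying an owner and a
    primary group but no DACL or SACL (offsets 0), in the layout AD hands back."""
    owner, group = encode_sid(owner_sid), encode_sid(group_sid)
    header = struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE,
                         SD_HEADER_LEN, SD_HEADER_LEN + len(owner), 0, 0)
    return header + owner + group


def owner_of(sd):
    """Return the owner SID string from a self-relative security descriptor,
    or None when the descriptor carries no owner."""
    if len(sd) < SD_HEADER_LEN:
        raise ValueError("descriptor shorter than its header")
    revision, _sbz1, control, off_owner, _g, _s, _d = struct.unpack_from(SD_HEADER, sd, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative descriptor")
    if off_owner == 0:
        return None
    if off_owner + 8 > len(sd):
        raise ValueError("owner offset points outside the descriptor")
    return decode_sid(sd, off_owner)


def describe_owner(sd):
    """Owner SID plus a label for well-known RIDs, e.g. 'S-...-512 (Domain Admins)'."""
    sid = owner_of(sd)
    if sid is None:
        return "(no owner)"
    rid = int(sid.rsplit("-", 1)[1])
    label = WELL_KNOWN_RIDS.get(rid)
    return f"{sid} ({label})" if label else sid


if __name__ == "__main__":
    # Constructed descriptor: owner = Domain Admins, primary group = Domain Users
    sample = build_self_relative_sd("S-1-5-21-1-2-3-512", "S-1-5-21-1-2-3-513")
    print(describe_owner(sample))
```

The owner matters beyond display: the owner of a security descriptor is always granted READ_CONTROL and WRITE_DAC on the object, so an object owned by an unexpected account is an object whose ACL that account can rewrite. That is why an inventory of owners (which is what `-owner` gives you across a search) is a useful periodic check.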


Re: [ActiveDir] Migration issues(OT)

2005-12-28 Thread Tom Kern
Oh yeah, to add some more issues-
 
Some users don't get their home directory drive mapped either(the one defined as an attribute of the user object). The server their home drive is on has been double ACL'ed to have both accounts.
 
Not sure why this wouldn't work for some users.
 
The strange thing is this is sporadic and the users are all using a standard win2k pro image build and all have good connectivity to the DC's.
 
thanks again. 
On 12/28/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I already did the secondary of target on source and source on target dns, James. Sorry forgot to mention that.
 
I'll look into the kerberos over tcp, Jeff.
Thanks.
 
Another issue, is that some of the clients DHCP servers are still in the old domain(clients update their own A records) so the client gets a connection specific suffix of the old domain and a primary dns suffix of the new domain. 

I don't know if this would screw things up.
However, all clients have a suffix search list for resolving flat names that includes the new and old domains.
 
Also, some clients have drives mapped to a Windows NT domain (no trust) in their login script. The script passes a user account and password in the NT domain to do the mappings. I find sometimes this breaks as well. The account used to do the mappings gets locked out sometimes. 

 
 
 
 
To further elaborate my DNS scenario: the target forest has an empty root. The child DNS zone has been delegated to DNS servers in the child domain.
DNS is AD integrated (replicated to all DNS servers in the domain).
 
Thanks again, guys! 

On 12/28/05, Jeff Salisbury <[EMAIL PROTECTED]
> wrote: 

Tom - I saw very odd behavior in one of our offices when we migrated them to AD. It affected some, but not all machines, where they couldn't talk to the domain controller and weren't running group policy. Rather than DNS, it turned out to be a Kerberos authentication issue. Something in the network was fragmenting Kerberos UDP packets, which breaks authentication. We found a KB article (don't have it handy but should be easy to search for) that tells you how to force Kerberos to use TCP by making a registry change. 

 
The local AD domain controller and clients were all within a local well connected (100 Mbps) network. We never did find out what was causing the Kerberos UDP packets to be fragmented. Either the packets were too big compared to our other offices, or somehow one of the network switches was enforcing a restrictive MTU (not likely). Most other offices did not have this problem, although we did have a few machines here and there that did. 

 
Hope this helps!
 
Jeff Salisbury


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, December 28, 2005 6:39 AM
To: activedirectory
Subject: [ActiveDir] Migration issues(OT) 


I'm running Quest's AD Migration Manager and some workstations are experiencing issues post migration.
 
Their login scripts don't run(legacy not GPO scripts) and hence their drive mappings don't work.
This is sporadic as some users are fine.
 
The only thing these non working users have in common is that they all log a event id 1000-

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 12/28/2005
Time: 7:28:49 AM
User: NT AUTHORITY\SYSTEM
Computer: OP5041534335
Description:
Windows cannot obtain the domain controller name for your computer network. Return value (59). 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp 
.
 
From eventid.net, this seems to indicate network connectivity issues but I don't think that applies here. Many users in the same location are fine and all workstations are standard images, i.e. identical. 

 
The background is as follows- we are migrating from a win2k native mode forest to a win2k3 FFL win2k3 forest using Quest ADMM.
The servers and user machines are all double ACL'ed and sid history is enabled(sid filtering disabled).
The users have access to their old profiles.
 
The only thing I think could be an issue is DNS.
When the client is moved, he points to the DNS in the target forest. This AD integrated DNS server forwards anything it doesn't know to a BIND 9 server which conditionally forwards to the source domain if a query is made for something there. 

As it stands, all users/workstations have been migrated(copied) but some servers still remain in the source domain as we are in an interim stage right now.
 
Any help or ideas would be great.
Thanks a lot!

RE: [ActiveDir] Time Service

2005-12-28 Thread Douglas M. Long
I have Run w32tm /config /update /syncfromflags:MANUAL /manualpeerlist:
"navobs1.oar.net" and also verified
HKLM\System\CCS\Services\w32time\Parameters

Type=NTP is set. I stopped and started w32time, and still the PDC-E points
to itself. Or at least that is what I think it is saying. Isn't LOCL in the
following telling me that it is looking at itself instead of an external
time source?

 

 

w32tm /monitor

 

dc1.domain.com *** PDC *** [10.100.110.12]:

ICMP: 0ms delay.

NTP: +0.000s offset from dc1.domain.com

RefID: 'LOCL' [76.79.67.76]

 

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, December 28, 2005 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service

 

Hi Douglas,

 

To configure domain members and DCs to use the default behavior, either

 

Run w32tm /config /update /syncfromflags:DOMHIER

 

Or check the following registrykey

 

HKLM\System\CCS\Services\w32time\Parameters

Type=NT5DS

 

To configure a server to use a NTP-Timesource (what you want to do on the
PDC-E of the forest root):

 

Run w32tm /config /update /syncfromflags:MANUAL /manualpeerlist:"fqdn1 fqdn2
ip1"

 

Or check the following registrykeys

HKLM\System\CCS\Services\w32time\Parameters

Type=NTP

NTPServer="fqdn1 fqdn2 ip1"

 

To configure a server to trust its BIOS clock (test environment) or which is
getting its time from a 3rd party soft- or hardware attached locally, check
the following reg-keys:

 

HKLM\System\CCS\Services\w32time\Parameters

Type=NoSync

ReliableTimeSource = 1 (reg_dword)

 

 

Afterwards I'd restart w32time using

net stop w32time && net start w32time

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps":  
http://tinyurl.com/44zcz
  Weblog:  
http://msmvps.org/UlfBSimonWeidner
  Website:  
http://www.windowsserverfaq.org
  Profile:

http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, December 28, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time Service

 

I have read the Time Service white paper from Microsoft and am still
confused. I have set the default domain GPO to use NT5DS under Configure
Windows NTP Client, and set an external time server (navobs1.oar.net,0x1)
for NTPServer. I have also set Enable Windows NTP Server to enabled. There
are no other time related GPOs set in the domain. I was under the assumption
that with that setting my PDC emulator (DC1) should be synching with
navobs1.oar.net,0x1 and the other DC synchs with the PDC emulator, and then
all clients synch to the closest DC. When I run a w32tm /monitor from the
either DC or from any clients, I get the following.

 

dc1.domain.com *** PDC *** [10.100.110.12]:

ICMP: 0ms delay.

NTP: +0.000s offset from dc1.domain.com

RefID: 'LOCL' [76.79.67.76]

dc2.domain.com [10.100.110.13]:

ICMP: 0ms delay.

NTP: +0.0226641s offset from dc1.domain.com

RefID: dc1.domain.com [10.100.110.12]

 

When I run it from a client:

 

dc1.domain.com *** PDC *** [10.100.110.12]:

ICMP: 0ms delay.

NTP: +0.000s offset from dc1.domain.com

RefID: 'LOCL' [76.79.67.76]

dc2.domain.com [10.100.110.13]:

ICMP: 8ms delay.

NTP: +0.0342476s offset from dc1.domain.com

RefID: dc1.domain.com [10.100.110.12]

 

What I am seeing is that everything is working except DC1 is not synching
with an external time server. Is that correct, or am I reading that wrong?
If it isn't synching with an external time source, what setting am I
missing?

 

 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
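Douglas's question is exactly what the RefID column answers: a PDC emulator showing 'LOCL' is disciplining itself from its own local clock, not from the external peer it was configured with, and the bracketed 76.79.67.76 is nothing more than the four ASCII bytes L, O, C, L shown as a dotted quad. The following is an added example, not code from the thread or from Microsoft's w32tm: a Python parser for `w32tm /monitor` output that records each DC's PDC flag, offset and RefID, decodes the dotted-quad RefID back to text, and flags a PDC emulator that is still free-running on LOCL. The first sample is the output Douglas posted (re-indented the way the tool prints it); the second, "healthy" sample is constructed, with the documentation address 192.0.2.10 standing in for the upstream NTP server the real tool would show.

```python
import re

# Sample 1: the output Douglas posted, with the tool's usual indentation restored.
SAMPLE_MONITOR = """\
dc1.domain.com *** PDC *** [10.100.110.12]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from dc1.domain.com
    RefID: 'LOCL' [76.79.67.76]
dc2.domain.com [10.100.110.13]:
    ICMP: 8ms delay.
    NTP: +0.0342476s offset from dc1.domain.com
    RefID: dc1.domain.com [10.100.110.12]
"""

# Sample 2 (constructed): the same forest after the PDC emulator is disciplined by an
# external NTP source; 192.0.2.10 is a placeholder for the upstream server's address.
GOOD_MONITOR = """\
dc1.domain.com *** PDC *** [10.100.110.12]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from dc1.domain.com
    RefID: (unknown) [192.0.2.10]
dc2.domain.com [10.100.110.13]:
    ICMP: 8ms delay.
    NTP: +0.0342476s offset from dc1.domain.com
    RefID: dc1.domain.com [10.100.110.12]
"""

HOST_RE = re.compile(r"^(?P<host>\S+)\s+(?:(?P<pdc>\*\*\* PDC \*\*\*)\s+)?\[(?P<ip>[^\]]+)\]:$")
NTP_RE = re.compile(r"^NTP:\s+(?P<offset>[+-]?\d+(?:\.\d+)?)s offset from (?P<peer>\S+)$")
REFID_RE = re.compile(r"^RefID:\s+'?(?P<refid>[^'\[]+?)'?\s+\[(?P<ip>[^\]]+)\]$")


def refid_text(dotted_quad):
    """Decode a RefID printed as a dotted quad back to its ASCII form.  Stratum-1
    reference identifiers are four ASCII characters: 76.79.67.76 is 'L','O','C','L'.
    Returns None when the bytes are not a short uppercase identifier (i.e. a real IP)."""
    try:
        raw = bytes(int(octet) for octet in dotted_quad.split("."))
    except ValueError:
        return None
    ident = raw.rstrip(b"\x00") if len(raw) == 4 else b""
    if ident and all(65 <= b <= 90 for b in ident):
        return ident.decode("ascii")
    return None


def parse_monitor(text):
    """Turn w32tm /monitor output into a list of per-server dicts."""
    servers, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = {"host": m["host"], "ip": m["ip"], "pdc": m["pdc"] is not None,
                       "offset": None, "peer": None, "refid": None, "refid_ip": None}
            servers.append(current)
            continue
        if current is None:           # preamble lines before the first server
            continue
        m = NTP_RE.match(line)
        if m:
            current["offset"], current["peer"] = float(m["offset"]), m["peer"]
            continue
        m = REFID_RE.match(line)
        if m:
            current["refid"], current["refid_ip"] = m["refid"], m["ip"]
    return servers


def diagnose(servers):
    """Findings as (host, message) pairs.  The PDC emulator must not reference
    LOCL; every other DC shown should reference the PDC emulator."""
    findings = []
    pdc_ids = {s["host"].lower() for s in servers if s["pdc"]} | {s["ip"] for s in servers if s["pdc"]}
    for s in servers:
        is_local = s["refid"] == "LOCL" or refid_text(s["refid_ip"] or "") == "LOCL"
        if s["pdc"] and is_local:
            findings.append((s["host"], "PDC emulator is free-running on its local clock "
                                        "(RefID LOCL); expected an external NTP source"))
        elif not s["pdc"] and s["refid"] and s["refid"].lower() not in pdc_ids \
                and s["refid_ip"] not in pdc_ids:
            findings.append((s["host"], f"references {s['refid']} rather than the PDC emulator"))
    return findings


if __name__ == "__main__":
    for host, msg in diagnose(parse_monitor(SAMPLE_MONITOR)) or [("all", "no findings")]:
        print(f"{host}: {msg}")
```

Run against the posted output it reports exactly one finding, for dc1; against the constructed healthy output it reports none. Parsing this output is more reliable than eyeballing it because the same check can be run from a scheduled job across every DC: a PDC emulator that silently falls back to LOCL is also a PDC emulator whose clock drift will eventually push Kerberos past its skew tolerance.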


Re: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]

2005-12-28 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]




Tony Bailey
Senior Product Manager
Security and Compliance Solutions
http://www.microsoft.com/security/guidance/default.mspx

Sorry, possibly a different Tony than what you may be thinking?

Al Mulnick wrote:

  Wouldn't Tony already be aware of such things?  
   
  DL/DG management is not a new issue by any stretch.  It gets new
life because the DG can now also be a SG which makes it more important
to understand the ramifications of creating a new DG. 
   
  The Dev team should be well aware of such things and should also be
familiar with the Microsoft solutions used in-house (which are not
always available to the public).  
   
  Personally, if they're going to roll a solution for group
management, don't limit it to those using Exchange and therefore have
DG's that are also SG's.  Make it a group management function
(preferred not to be based on expensive DB technology) that encompasses
customers of AD (the common denominator).  It would not bother me if
there were added functions that you could get with Exchange deployed,
but don't make it so you have to have it.  
   
  Any solution created should have the ability to be self or
centrally managed in an organization with 1 or more DC's and 1 to
500,000 users (or more?)  There should be audit ability as well as the
ability to send reminders and validation flows of group membership
along with the ability to set business logic rules.  An example of that
would be to require an owner for every group created.  That owner MUST
have an account in the AD and it must be active. If not, there must be
some sort of override else the group is automatically removed from
circulation. This would help greatly with things such as SOX compliance
as well as other compliance efforts. Another need to have would be the
ability to have the creation of groups follow a pre-defined naming
standard.  Nice to allow users the freedom to create groups with any
name they wish, but that doesn't help with the greater good in an
organization over 100 people.  Surprisingly (not really) if you put 100
people in a room and ask them to come up with meaningful names for
groups, you'd get 101 names for the same group you're going to create. 
That would be fine in a Yahoo! setting but for corporate use it's
unpredictable and next to impossible to manage or worse, troubleshoot. 
Good naming standards are the responsibility of the corporation's
architects and it's up to those standards creation processes to come up
with meaningful and useful naming standards.  Not the consumers of the
service.  At least, not if you intend to keep the service available and
able to be troubleshot in a timely manner. Besides, who would win if
two equal folks decided they wanted the same name for a group?  Sword
fighting duels are not legal in most countries any longer :)
  
   
  The list goes on, but there are many things that this type of
tool can be useful for.  I think many of the third party solutions that
are mentioned later in the thread are very good, but if Microsoft is
going to create such a product, they should consider what its intended
uses are and balance that against what exists and what problems their
customers need to solve. They should also consider the implications of
creating a product that competes with their partners.  
   
   
  Finally, Susan, if you know Tony, you might suggest that he talk
with the Exchange and AD product teams.  I'm sure they have somebody
who is aware of the issues and the currently available solutions from
partners. It's possible there's still some room for additional
solutions, but it would be good for him to research with them to avoid
overlap where it may not be needed. 
   
  Then again, what would I know about it? ;-)
  
 
  On 12/27/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<[EMAIL PROTECTED]>
wrote:
  Got
a list?  You might want to ping Tony so he doesn't reinvent the
wheel  :-)

Brian Desmond wrote:


>Tools exist from MS in the past, 3rd party, and in many large orgs
home baked stuff...
>
>Thanks,
>Brian Desmond
>[EMAIL PROTECTED]
>

>c - 312.731.3132
>
>
>
>From: [EMAIL PROTECTED]
on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

>Sent: Tue 12/27/2005 9:42 PM
>To: ActiveDir@mail.activedir.org
>Subject: [ActiveDir] OT: creation of Email and Security groups
[through GUI no less]
>
>
>
>http://blogs.technet.com/secguide/archive/2005/12/27/416528.aspx
>
>MSSC is looking into the possibility of a solution/tool to help
with creation and lifecycle management of email and security
distribution groups

>
>*  Creating and managing groups within an organization requires
unnecessary administrative overhead.
>*  Administrators use valuable time creating groups that could
otherwise be used for other IT activities.

>*  End-user productivity may be hampered by delays in
processing requests for creation of groups.
>*  End users find it frustrating that they cannot create and
manage g

Re: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]

2005-12-28 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

This post is darn near impossible not to respond to in some way   :-)

joe wrote:

The old MS Solution which just did DLs is called AutoDL and it has 
been available externally but as Al points out, depends on SQL Server. 
Then came AutoGroup which MS would not give out to anyone but handled 
Sec and Non-Sec AD groups, I know I tried for over a year to get it 
and was finally told all of this functionality was being wrapped into 
MIIS. But again, that depends on SQL Server.
 
If someone inside of MS intends to make yet another solution, I would 
highly recommend it not need SQL Server and that it handle AD and 
ADAM. Possibly it should use ADAM as its backend store? Alternatively 
it could use AD itself or MSDE (regardless of size of org) or ESE. 
 
I agree completely with Al on the group naming. Blood has been spilled 
over much less than names. Some of the biggest bloodiest corporate 
arguments I have been involved in have been about naming standards. I 
know of no large company that would allow end users to come up with 
their own names without rules around it. Even in a small company you 
could see a name like sbradleysucksmybutt or something like that which 
is obviously not a good thing in a corporate environment. Sure you 
will have logging of who did it once someone figures out it was done, 
but if you have 50,000 or 100,000 groups out there, who is doing that 
checking?
 
Another thing, users shouldn't just be creating groups ad hoc. There 
needs to be a corporate strategy that walks you around the mine fields 
of having too many SIDS in your tokens or just plain replicating a 
bunch of crap that doesn't need to be out there at all. As Al 
indicated you definitely need a work flow where approval has to be 
gathered prior to the system just doing this.
 
Other than that. As Al and Brian indicated, this has been a problem 
with many solutions through the years.
 
 



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Al Mulnick

*Sent:* Wednesday, December 28, 2005 9:04 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] OT: creation of Email and Security groups 
[through GUI no less]


Wouldn't Tony already be aware of such things? 
 
DL/DG management is not a new issue by any stretch.  It gets new life 
because the DG can now also be a SG which makes it more important to 
understand the ramifications of creating a new DG.
 
The Dev team should be well aware of such things and should also be 
familiar with the Microsoft solutions used in-house (which are not 
always available to the public). 
 
Personally, if they're going to roll a solution for group management, 
don't limit it to those using Exchange and therefore have DG's that 
are also SG's.  Make it a group management function (preferred not to 
be based on expensive DB technology) that encompasses customers of AD 
(the common denominator).  It would not bother me if there were added 
functions that you could get with Exchange deployed, but don't make it 
so you have to have it. 
 
Any solution created should have the ability to be self or centrally 
managed in an organization with 1 or more DC's and 1 to 500,000 users 
(or more?)  There should be audit ability as well as the ability to 
send reminders and validation flows of group membership along with the 
ability to set business logic rules.  An example of that would be to 
require an owner for every group created.  That owner MUST have an 
account in the AD and it must be active. If not, there must be some 
sort of override else the group is automatically removed from 
circulation. This would help greatly with things such as SOX 
compliance as well as other compliance efforts. Another need to have 
would be the ability to have the creation of groups follow a 
pre-defined naming standard.  Nice to allow users the freedom to 
create groups with any name they wish, but that doesn't help with the 
greater good in an organization over 100 people.  Surprisingly (not 
really) if you put 100 people in a room and ask them to come up with 
meaningful names for groups, you'd get 101 names for the same group 
you're going to create.  That would be fine in a Yahoo! setting but 
for corporate use it's unpredictable and next to impossible to manage 
or worse, troubleshoot.  Good naming standards are the responsibility 
of the corporation's architects and it's up to those standards 
creation processes to come up with meaningful and useful naming 
standards.  Not the consumers of the service.  At least, not if you 
intend to keep the service available and able to be troubleshot in a 
timely manner. Besides, who would win if two equal folks decided they 
wanted the same name for a group?  Sword fighting duels are not legal 
in most countries any longer :)
 
The list goes on, but there are many things that this type of tool can 
be useful for.  I think many of the third party solutions that are 
menti

Re: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]

2005-12-28 Thread Al Mulnick
MSDE = SQL2005Express isn't it? 
I'd really prefer not to introduce yet another DB technology into the mix if possible. 
 
Joe, I think that some logic to prevent the creation of too many sids is needed in the product regardless, but I think some level of self-service is needed. I've seen too many processes that allow for the 'rubber-stamp' approval of group creation that I'd rather see a system that enforces some of the rules and reports on exceptions vs. having a layer 8 process that just doesn't get the attention needed until long after it's a problem.  I can tell you from experience (and I'm sure I'm preaching to the choir here) that few organizations have regulated the creation of group policy the way they should until after it bit them either because of operational problems or because of compliance issues.  Some still won't address nor ack that it's even important after that (other than those that are required for compliance of course.)

 
Autogroup was fine, but it still allowed for groups of any name.  I don't think that was such a hot idea for most organizations.  I wouldn't be surprised to find a group inside of MS that was called something like "pigpen" or some other peanuts character. (Side note: While many may not see that as a problem, if you have an international presence, what seems fine in one culture won't be fine in another and may even be offensive. )

 
Oddly, I've thought that something like this should be available for years from the vendor (MS) but AutoDL and AutoGroup are not the answers I had in mind if they were to do that.   

 
Putting tools that help you to manage your AD and or Exchange (let's just call them applications you've already bought) should not come in a product suite such as MIIS only.  That would be similar to buying from another large, blue company that Microsoft used to write code for. That's a horrible model from my perspective and usually just irritates me especially when you have a partner model vs. a "we'll build it all" model for bringing products to market.  That's because when you have that type of market, you make "good enough" products that satisfy the general need but allow room for creative and nimble third-party companies to come up with great products.  The issue here is whether I should have to even go to a third party to manage what I already bought.  

 
Anyway, if this doesn't make it, maybe we'll have to have a look at writing a tool based on some of that. For now, it might be good to move that to the back burner and see what already exists or can be easily modified.  

 
 
 
-ajm 
On 12/28/05, joe <[EMAIL PROTECTED]> wrote:

The old MS Solution which just did DLs is called AutoDL and it has been available externally but as Al points out, depends on SQL Server. Then came AutoGroup which MS would not give out to anyone but handled Sec and Non-Sec AD groups, I know I tried for over a year to get it and was finally told all of this functionality was being wrapped into MIIS. But again, that depends on SQL Server. 

 
If someone inside of MS intends to make yet another solution, I would highly recommend it not need SQL Server and that it handle AD and ADAM. Possibly it should use ADAM as its backend store? Alternatively it could use AD itself or MSDE (regardless of size of org) or ESE. 

 
I agree completely with Al on the group naming. Blood has been spilled over much less than names. Some of the biggest bloodiest corporate arguments I have been involved in have been about naming standards. I know of no large company that would allow end users to come up with their own names without rules around it. Even in a small company you could see a name like sbradleysucksmybutt or something like that which is obviously not a good thing in a corporate environment. Sure you will have logging of who did it once someone figures out it was done, but if you have 50,000 or 100,000 groups out there, who is doing that checking? 

 
Another thing, users shouldn't just be creating groups ad hoc. There needs to be a corporate strategy that walks you around the mine fields of having too many SIDS in your tokens or just plain replicating a bunch of crap that doesn't need to be out there at all. As Al indicated you definitely need a work flow where approval has to be gathered prior to the system just doing this.

 
Other than that. As Al and Brian indicated, this has been a problem with many solutions through the years. 
 
 
 


From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Al MulnickSent: Wednesday, December 28, 2005 9:04 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] OT: creation of Email and Security groups [through GUI no less] 


Wouldn't Tony already be aware of such things?  
 
DL/DG management is not a new issue by any stretch.  It gets new life because the DG can now also be a SG which makes it more important to understand the ramifications of creating a new DG. 
 
The Dev team should well aware of such things and should also b
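Al's rules (every group has an owner; the owner must be an existing, enabled AD account; names follow a pre-defined standard; anything else needs an explicit override or the group is pulled from circulation) are simple enough to enforce mechanically and report on, which is the "enforce the rules and report on exceptions" approach he prefers over rubber-stamp approvals. The following is an added example, not code from the thread, from AutoDL/AutoGroup or from any product named here: a Python audit run over constructed sample groups and accounts. The naming standard (SG|DL-<unit>-<purpose>[-RO|RW|Admin]) and the override list are hypothetical; managedBy and the userAccountControl "account disabled" bit (0x2) are the real AD attributes a production version would read over LDAP.

```python
import re

# Naming standard assumed for this example (hypothetical, not from the thread):
#   <kind>-<business unit>-<purpose>[-<access>]   e.g. SG-FIN-Payroll-RO, DL-HR-Benefits
NAME_STANDARD = re.compile(r"^(SG|DL)-[A-Z]{2,5}-[A-Za-z0-9]+(-(RO|RW|Admin))?$")

# userAccountControl bit meaning "account is disabled" (documented Microsoft value).
UF_ACCOUNTDISABLE = 0x0002

# Constructed sample directory contents: accounts keyed by DN with their
# userAccountControl value (512 = normal enabled account, 514 = disabled).
SAMPLE_ACCOUNTS = {
    "CN=Alice,OU=Users,DC=example,DC=test": {"userAccountControl": 512},
    "CN=Bob,OU=Users,DC=example,DC=test": {"userAccountControl": 514},
}

# Constructed sample groups: name plus the managedBy DN exactly as AD stores it.
SAMPLE_GROUPS = [
    {"name": "SG-FIN-Payroll-RO", "managedBy": "CN=Alice,OU=Users,DC=example,DC=test"},
    {"name": "pigpen", "managedBy": None},
    {"name": "DL-HR-Benefits", "managedBy": "CN=Bob,OU=Users,DC=example,DC=test"},
    {"name": "SG-IT-Backups", "managedBy": "CN=Gone,OU=Users,DC=example,DC=test"},
]

# Groups an approver has explicitly exempted: the "override" Al asks for (constructed).
SAMPLE_OVERRIDES = {"SG-IT-Backups"}


def check_group(group, accounts):
    """Return the list of rule violations for one group (empty when compliant)."""
    problems = []
    if not NAME_STANDARD.match(group["name"]):
        problems.append("name does not follow the naming standard")
    owner_dn = group.get("managedBy")
    if not owner_dn:
        problems.append("no owner (managedBy is empty)")
    else:
        owner = accounts.get(owner_dn)
        if owner is None:
            problems.append("owner account does not exist in AD")
        elif owner["userAccountControl"] & UF_ACCOUNTDISABLE:
            problems.append("owner account is disabled")
    return problems


def audit(groups, accounts, overrides=frozenset()):
    """Map each non-compliant group to its violations and the disposition Al
    describes: 'exempt' when an override is on file, else 'remove from circulation'."""
    report = {}
    for g in groups:
        problems = check_group(g, accounts)
        if problems:
            action = "exempt" if g["name"] in overrides else "remove from circulation"
            report[g["name"]] = {"problems": problems, "action": action}
    return report


if __name__ == "__main__":
    for name, r in audit(SAMPLE_GROUPS, SAMPLE_ACCOUNTS, SAMPLE_OVERRIDES).items():
        print(f"{name}: {'; '.join(r['problems'])} -> {r['action']}")
```

Over the sample data the compliant group is silent, "pigpen" fails both the name and the owner rule, the group owned by a disabled account is flagged, and the group whose owner has left is reported but marked exempt because an override exists. In practice the "remove from circulation" step would be a disable or move to a quarantine OU rather than a delete, so that a group wrongly flagged can be restored and its membership history kept for the compliance audit Al mentions.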

Re: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]

2005-12-28 Thread Al Mulnick
Wasn't different than the one I was thinking of.  I wasn't thinking of the gentleman sailor, scholar, and world-traveller from NZ though.
 
I'm well aware that the Tony you speak of is a Microsoft employee who's considering writing a utility to fill a gap he likely sees among his customers. I was suggesting earlier, as were several others, that this functionality may already exist and that Tony should be made aware of it and possibly should check with the AD and Exchange product teams and maybe even OTG (or whatever they're called today in case I missed the memo.)
 
 
Al 
On 12/28/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:

Tony Bailey
Senior Product Manager
Security and Compliance Solutions
http://www.microsoft.com/security/guidance/default.mspx

Sorry, possibly a different Tony than what you may be thinking?
Al Mulnick wrote: 

Wouldn't Tony already be aware of such things?  
 
DL/DG management is not a new issue by any stretch.  It gets new life because the DG can now also be a SG which makes it more important to understand the ramifications of creating a new DG. 
 
The Dev team should be well aware of such things and should also be familiar with the Microsoft solutions used in-house (which are not always available to the public).  
 
Personally, if they're going to roll a solution for group management, don't limit it to those using Exchange and therefore have DG's that are also SG's.  Make it a group management function (preferred not to be based on expensive DB technology) that encompasses customers of AD (the common denominator).  It would not bother me if there were added functions that you could get with Exchange deployed, but don't make it so you have to have it.  

 
Any solution created should have the ability to be self or centrally managed in an organization with 1 or more DC's and 1 to 500,000 users (or more?)  There should be audit ability as well as the ability to send reminders and validation flows of group membership along with the ability to set business logic rules.  An example of that would be to require an owner for every group created.  That owner MUST have an account in the AD and it must be active. If not, there must be some sort of override else the group is automatically removed from circulation. This would help greatly with things such as SOX compliance as well as other compliance efforts. Another need to have would be the ability to have the creation of groups follow a pre-defined naming standard.  Nice to allow users the freedom to create groups with any name they wish, but that doesn't help with the greater good in an organization over 100 people.  Surprisingly (not really) if you put 100 people in a room and ask them to come up with meaningful names for groups, you'd get 101 names for the same group you're going to create.  That would be fine in a Yahoo! setting but for corporate use it's unpredictable and next to impossible to manage or worse, troubleshoot.  Good naming standards are the responsibility of the corporation's architects and it's up to those standards creation processes to come up with meaningful and useful naming standards.  Not the consumers of the service.  At least, not if you intend to keep the service available and able to be troubleshot in a timely manner. Besides, who would win if two equal folks decided they wanted the same name for a group?  Sword fighting duels are not legal in most countries any longer :) 

 
The list goes on, but there are many things that this type of tool can be useful for.  I think many of the third party solutions that are mentioned later in the thread are very good, but if Microsoft is going to create such a product, they should consider what its intended uses are and balance that against what exists and what problems their customers need to solve. They should also consider the implications of creating a product that competes with their partners.  

 
 
Finally, Susan, if you know Tony, you might suggest that he talk with the Exchange and AD product teams.  I'm sure they have somebody who is aware of the issues and the currently available solutions from partners. It's possible there's still some room for additional solutions, but it would be good for him to research with them to avoid overlap where it may not be needed. 

 
Then again, what would I know about it? ;-) 
On 12/27/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <
[EMAIL PROTECTED]> wrote: 
Got a list?  You might want to ping Tony so he doesn't reinvent the wheel  :-)

Brian Desmond wrote: 
>Tools exist from MS in the past, 3rd party, and in many large orgs home baked stuff...
>
>Thanks,
>Brian Desmond
>[EMAIL PROTECTED]
>
>c - 312.731.3132
>
>
>
>From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Tue 12/27/2005 9:42 PM
>To: ActiveDir@mail.activedir.org
>Subject: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]
http://blogs.technet.com/secguide/

RE: [ActiveDir] Time Service

2005-12-28 Thread Almeida Pinto, Jorge de
w32tm /monitor

dc1.domain.com *** PDC *** [10.100.110.12]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from dc1.domain.com
    RefID: 'LOCL' [76.79.67.76]   <<<

A PDC that is not configured with an external time source (default after install):

C:\>w32tm /monitor
rootdc001.ADCORP.LAN *** PDC *** [10.0.0.1]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from rootdc001.ADCORP.LAN
    RefID: 'LOCL' [76.79.67.76]

A PDC that is configured with an external time source:

C:\>w32tm /monitor
PDC.DOMAIN.LOCAL *** PDC *** [172.16.1.1]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from PDC.DOMAIN.LOCAL
    RefID: (unknown) [internet IP]

A PDC that is configured to sync with its own internal clock:

C:\>w32tm /monitor
rootdc001.ADCORP.LAN *** PDC *** [10.0.0.1]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from rootdc001.ADCORP.LAN
    RefID: 'LOCL' [76.79.67.76]

In addition to what Ulf said: 
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/20/111.aspx
 
Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Wed 2005-12-28 16:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service



I have run w32tm /config /update /syncfromflags:MANUAL /manualpeerlist:"navobs1.oar.net" and also verified HKLM\System\CCS\Services\w32time\Parameters Type=NTP is set. I stopped and started w32time, and still the PDC-E points to itself. Or at least that is what I think it is saying. Isn't LOCL in the following telling me that it is looking at itself instead of an external time source?

w32tm /monitor

dc1.domain.com *** PDC *** [10.100.110.12]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from dc1.domain.com
    RefID: 'LOCL' [76.79.67.76]




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
Simon-Weidner
Sent: Wednesday, December 28, 2005 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service

 

Hi Douglas,

To configure domain members and DCs to use the default behavior, either

Run w32tm /config /update /syncfromflags:DOMHIER

Or check the following registry key

HKLM\System\CCS\Services\w32time\Parameters
Type=NT5DS

To configure a server to use an NTP time source (what you want to do on the PDC-E of the forest root):

Run w32tm /config /update /syncfromflags:MANUAL /manualpeerlist:"fqdn1 fqdn2 ip1"

Or check the following registry keys

HKLM\System\CCS\Services\w32time\Parameters
Type=NTP
NTPServer="fqdn1 fqdn2 ip1"

To configure a server to trust its BIOS clock (test environment), or one which is getting its time from 3rd party soft- or hardware attached locally, check the following reg keys:

HKLM\System\CCS\Services\w32time\Parameters
Type=NoSync
ReliableTimeSource = 1 (reg_dword)

Afterwards I'd restart w32time using

net stop w32time && net start w32time

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, December 28, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time Service

 

I have read the Time Service white paper from Microsoft and am still confused. 
I have set the default domain GPO to use NT5DS under Configure Windows NTP 
Client, and set an external time server (navobs1.oar.net,0x1) for NTPServer. I 
have also set Enable Windows NTP Server to enabled. There are no other time 
related GPOs set in the domain. I was under the assumption that with that 
setting my PDC emulator (DC1) should be synching with navobs1.oar.net,0x1 and 
the other DC synchs with the PDC emulator, and then all clients synch to the 
closest DC. When I run a w32tm /monitor from the either DC or from any clients, 
I get the following.

 

dc1.domain.com *** PDC *** [10.100.110.12]:

ICMP: 0ms delay.

NTP: +0.000s offset from dc1.domain.com

RefID: 'LOCL' [76.79.67.76]

dc2.domain.com [10.100.110.13]:

ICMP: 0ms delay.

NTP: +0.0226641s offset from dc1.domain.com

RefID: dc1.domain.com [10.100.110.12]

 

When I run it from a client:

 

dc1.domain.com *** PDC *** [10.100.110.12]:

ICMP: 0ms delay.

NTP: +0.000s offset from dc1.domain.com

RefID: 'LOCL' [76.79.67.76]

dc2.domain.com [10.100.110.13]:

ICMP: 8ms delay.

NTP: +0.0342476s offset from dc1.domain.com

RefID: dc1.domain.com [10.100.110.12]

 

What I am seeing is that everything is working except DC1 is not synching with 
an external time server. Is tha
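The diagnostic in this thread is reading `w32tm /monitor` output by eye and looking for 'LOCL'. The following is an added example, not code from the thread or from Microsoft, that parses that listing and raises a finding for the condition under discussion: a PDC emulator whose RefID is 'LOCL', meaning it is free-running on its own clock and the configured upstream peer is not in effect. The sample listing is constructed from the dc1/dc2 output quoted above; 203.0.113.5 in the healthy sample stands in for the external peer's address, and the 300 s skew threshold is an assumption taken from the Kerberos default.

```python
"""Audit ``w32tm /monitor`` output for a PDC emulator that serves its own clock.

Added example, not code from the thread. w32tm shows each RefID as text and as
the raw 4-byte NTP RefID in dotted decimal; for a stratum-1 or unsynchronised
source those bytes are ASCII, so 76.79.67.76 is literally "LOCL".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, taken from the dc1/dc2 listing quoted in the thread.
SAMPLE_OUTPUT = """\
C:\\>w32tm /monitor
dc1.domain.com *** PDC *** [10.100.110.12]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from dc1.domain.com
    RefID: 'LOCL' [76.79.67.76]
dc2.domain.com [10.100.110.13]:
    ICMP: 8ms delay.
    NTP: +0.0342476s offset from dc1.domain.com
    RefID: dc1.domain.com [10.100.110.12]
"""

# Constructed healthy case in the shape Jorge showed; 203.0.113.5 is a placeholder.
HEALTHY_PDC_OUTPUT = """\
PDC.DOMAIN.LOCAL *** PDC *** [172.16.1.1]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from PDC.DOMAIN.LOCAL
    RefID: (unknown) [203.0.113.5]
"""

HOST_RE = re.compile(r"^(\S+?)(\s+\*\*\* PDC \*\*\*)?\s+\[([^\]]+)\]:\s*$")
NTP_RE = re.compile(r"^\s*NTP:\s*([+-]?\d+(?:\.\d+)?)s offset from (\S+)")
REFID_RE = re.compile(r"^\s*RefID:\s*(.+?)\s+\[([^\]]+)\]")


@dataclass
class MonitorEntry:
    name: str
    address: str
    is_pdc: bool
    offset_seconds: float = 0.0
    offset_from: str = ""
    refid_text: str = ""     # 'LOCL', (unknown) or a peer name
    refid_address: str = ""  # bracketed dotted-decimal RefID

    @property
    def refid_code(self) -> Optional[str]:
        """Four-character reference code when w32tm quoted one, else None."""
        m = re.fullmatch(r"'(.{1,4})'", self.refid_text)
        return m.group(1).strip() if m else None


def refid_as_text(dotted: str) -> Optional[str]:
    """Decode a dotted-decimal RefID as four printable ASCII bytes, else None."""
    octets = [int(p) for p in dotted.split(".") if p.isdigit()]
    if len(octets) != 4 or not all(32 <= o < 127 for o in octets):
        return None
    return "".join(map(chr, octets)).strip()


def parse_monitor(text: str) -> List[MonitorEntry]:
    """One entry per machine; the command echo and ICMP lines are skipped."""
    entries: List[MonitorEntry] = []
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            entries.append(MonitorEntry(m.group(1), m.group(3), m.group(2) is not None))
        elif entries and (m := NTP_RE.match(line)):
            entries[-1].offset_seconds = float(m.group(1))
            entries[-1].offset_from = m.group(2)
        elif entries and (m := REFID_RE.match(line)):
            entries[-1].refid_text, entries[-1].refid_address = m.group(1), m.group(2)
    return entries


def describe_source(e: MonitorEntry) -> str:
    """Where this machine takes its time from, in the terms the thread uses."""
    code = e.refid_code
    if code == "LOCL":
        return "its own CMOS clock (free-running, no upstream source)"
    if code is not None:
        return f"a locally attached reference clock ('{code}')"
    if e.refid_text == "(unknown)":
        return f"an external NTP peer at {e.refid_address} (not a monitored machine)"
    return f"the domain hierarchy via {e.refid_text}"


def audit(text: str, max_offset_seconds: float = 300.0) -> List[str]:
    """One finding per problem; 300 s is the default Kerberos clock-skew tolerance."""
    findings: List[str] = []
    for e in parse_monitor(text):
        if e.refid_code == "LOCL":
            role = "PDC emulator" if e.is_pdc else "non-PDC machine"
            findings.append(f"{e.name}: {role} is using {describe_source(e)}; "
                            "its upstream time source is not in effect")
        if abs(e.offset_seconds) > max_offset_seconds:
            findings.append(f"{e.name}: {e.offset_seconds:+.3f}s from {e.offset_from} "
                            f"exceeds the {max_offset_seconds:.0f}s skew tolerance")
    return findings
```

Run against the dc1/dc2 listing it reports only dc1; a PDC whose RefID is "(unknown)" with an outside address, as in Jorge's healthy example, produces no finding.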

RE: [ActiveDir] Time Service

2005-12-28 Thread deji

To keep things simple, doing

Net time /setsntp:pool.ntp.org

then

net stop w32time & net start w32time

and

net time /querysntp

(ALL at the PDC-E) should give acceptable result.
If it doesn't, then something at the firewall may be blocking 123

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


RE: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]

2005-12-28 Thread joe



I agree, autodl and autogroup aren't the answers, but they 
were the closest MS has gotten to the answer for companies drowning in group 
management issues such as the one I have most of my experience with. 

 
I agree that if rubber stamping is all the validation that 
is occurring, the company will have issues. But I also don't expect you can 
properly quantify and programmatically handle every possible thing that a person 
may want to bounce a group name for. Consider this, if you have some 
administrative group that is going through and processing group requests already 
including creating them, think of the work effort saved if they are now simply 
saying yes or no to the creation or population (knowing that the admin groups 
doing these two different tasks could be different). Slowly you add more and 
more rules to bounce common bad requests until rubber stamp is just about all 
that is needed, at that point then you have validated the system so that it 
can run autonomously. I have done that with a couple of automated systems and it 
tends to work well. This is admitting that no system from no company is going to 
work well right off and that some level of tweaking will be required until 
it is full-auto. Even then, occasional spot checks will be 
needed.
 
I was thinking MSDE in the generic sense of what it was 
supposed to be originally. A simple database tech that could be deployed with 
apps that needed some measure of DB functionality. Something that didn't require 
administration other than what the app applied to it. Of course, MSDE never 
really made it to that point and became a nightmare for many companies. I am a 
very vocal opponent of a full blown DB technology for being used with apps 
unless the technology is taken into account fully during the architecting, 
integration, installation, and daily maintenance which means full blown DBs 
managing the technology besides the app. Most companies do not think about the 
whole DB app in and of itself, they just think it makes a good backend. MS is 
great for this illogical approach with MOM and MIIS, etc. 
 
 
"Putting 
tools that help you to manage your AD and or Exchange (let's just call 
them applications you've already bought) should not come in a product 
suite such as MIIS only."
 
Absolutely agree with this one. I don't think you should 
need a SQL expert to properly manage your AD and that is exactly what MIIS will 
require. I do understand the direction that they are (or possibly now it is 
were) going with MIIS being the provisioning frontend for AD. Understanding it 
doesn't mean I have to like it. I think it is a big mistake. AD should be able 
to mostly stand alone, you want to front end it with MIIS, fine. Make that part 
of the AD product and don't require SQL backend, use ESE or the AD itself. 

 
I have recently spun up a folder under f:\dev\cpp called 
adauto. I applied the Borland service wizard to it and now have a basic fleshed 
out service for doing queries against AD and processing changes to that AD based 
on what the queries return. The initial thought was just to put together a 
solution people could point at when you hear the question "when someone gets 
added to an OU, how do I make them part of a group" but then when I started 
reading specs I had written down through the years I realized I wanted it to be 
able to do more than just groups which is why it got the name adauto instead of 
adautogroup. I figure I will try to make a fairly flexible tool which is 
entirely based on and in the AD it is doing things for as I think there are 
enough syncing apps out there already. I then hope to take that flexible tool 
and make up basic tasks that people like to do such as add/remove users to/from 
groups based on OU membership or other attributes. I have been promising myself 
to write one since about the fall of 2000 and have been slowly adding notes to 
the pile of things it can do. I guess I kept hoping I would never have to write 
it, but hey... it is now almost 2006, fully 6 years after the release of 2K and 
people are still saying the same things about a lot of this management. Possibly 
I can work into it the idea of taking feeds from a web site as well to handle 
group requests from the unwashed masses. If I do, that will be several revs into 
it, I don't expect it anywhere near the 1.x versions. I want to answer the other 
questions I have written down about things happening automatically based on 
rules/triggers first.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, December 28, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]

MSDE = SQL2005Express isn't it? 
I'd really prefer not to introduce yet another 
DB technology into the mix if possible. 
 
Joe, I think that some logic to prevent the 
creation of too many sids is needed in the product regardless, but I think some 

RE: [ActiveDir] Time Service

2005-12-28 Thread Douglas M. Long

OK, so then I am still not synching with an external time source. I have followed the steps, and still I get the same thing. I cannot figure out what is causing it to not use the server I specify. I am guessing it has something to do with some group policy setting? Do I need to block inheritance on the default domain controller GPO and have different settings?


Re: [ActiveDir] OT: creation of Email and Security groups [through GUI no less]

2005-12-28 Thread Al Mulnick
I see what you're saying, Joe.  I wasn't thinking of the implementation so much as the end state.  I can see where it would take a while to implement and integrate into an environment.  It's certainly not something you drop in, add water, and let loose expecting great results. The rules would have to evolve without a doubt.  If it were included, it would evolve along with AD practices and procedures I'm sure. 

 
The advantage I see in using an MSDE-like product would be the reporting and auditing as well as enforcement without inflating the DIT; I can hold a lot of rich information and build an app on it pretty easily. The tradeoff is, of course, the synchronization mechanism and its complexities inherent to that process.  Whichever way you choose to base a solution on, be sure to take into account the long-term (as if you wouldn't, right?)

 
 
Looking forward to it then.  Plus it saves some time from me having to write it or waiting another 6 years for Microsoft to write and package it ;)
 
 
 

RE: [ActiveDir] Time Service

2005-12-28 Thread Almeida Pinto, Jorge de
Why are you using the GPO to configure the time service on the PDC? Why not just configure the PDC with the commands and info provided?

Jorge





RE: [ActiveDir] Time Service

2005-12-28 Thread Douglas M. Long
Isn't it best practice to set the entire domain time policy at the domain
level (Default Domain Policy) instead of trying to set every machine or
every OU separately? 

 

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, December 28, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service

 

why are you using the GPO to configure the time service on the PDC? Why not
just configure the PDC with the commands and info provided?

Jorge

 

  _  

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Wed 2005-12-28 18:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service

OK, so then I am still not synching with an external time source. I have
followed the steps, and still I get the same thing. I can not figure out
what it causing it to not use the server I specify. I am guessing it has
something to do with some group policy setting? Do I need to block
inheritance on the default domain controller GPO and have different
settings?

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 28, 2005 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service

 

To keep things simple, doing

 

Net time /setsntp:pool.ntp.org

 

then

 

net stop w32time& net start w32time

 

and 

 

net time /querysntp

 

(ALL at the PDC-E) should give acceptable result. If it doesn't, then
something at the firewall may be blocking 123

 

 

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT

Microsoft MVP - Directory Services

www.readymaids.com   - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, December 28, 2005 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service

 

w32tm /monitor

 

dc1.domain.com *** PDC *** [10.100.110.12]:

ICMP: 0ms delay.

NTP: +0.000s offset from dc1.domain.com

RefID: 'LOCL' [76.79.67.76]<<w32tm /monitor
PDC.DOMAIN.LOCAL *** PDC *** [172.16.1.1]:
ICMP: 0ms delay.
NTP: +0.000s offset from PDC.DOMAIN.LOCAL
RefID: (unknown) [internet IP]

 

A PDC that is configured to sync with its own internal clock

C:\>w32tm /monitor
rootdc001.ADCORP.LAN *** PDC *** [10.0.0.1]:
ICMP: 0ms delay.
NTP: +0.000s offset from rootdc001.ADCORP.LAN
RefID: 'LOCL' [76.79.67.76]

 

In addition to what Ulf said:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/20/111.aspx

 

Cheers,

Jorge

  _  

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Wed 2005-12-28 16:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service

I have run w32tm /config /update /syncfromflags:MANUAL /manualpeerlist:
"navobs1.oar.net" and also verified
HKLM\System\CCS\Services\w32time\Parameters
Type=NTP is set. I stopped and started w32time, and still the PDC-E points
to itself. Or at least that is what I think it is saying. Isn't LOCL in the
following telling me that it is looking at itself instead of an external
time source?

w32tm /monitor

dc1.domain.com *** PDC *** [10.100.110.12]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from dc1.domain.com
    RefID: 'LOCL' [76.79.67.76]


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, December 28, 2005 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service

Hi Douglas,

To configure domain members and DCs to use the default behavior, either

Run w32tm /config /update /syncfromflags:DOMHIER

Or check the following registry key

HKLM\System\CCS\Services\w32time\Parameters
Type=NT5DS

To configure a server to use an NTP time source (what you want to do on the
PDC-E of the forest root):

Run w32tm /config /update /syncfromflags:MANUAL /manualpeerlist:"fqdn1 fqdn2 ip1"

Or check the following registry keys

HKLM\System\CCS\Services\w32time\Parameters
Type=NTP
NTPServer="fqdn1 fqdn2 ip1"

To configure a server to trust its BIOS clock (test environment), or one which
is getting its time from 3rd-party software or hardware attached locally, check
the following reg keys:

HKLM\System\CCS\Services\w32time\Parameters
Type=NoSync
ReliableTimeSource = 1 (reg_dword)

Afterwards I'd restart w32time using

net stop w32time && net start w32time

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz
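Douglas's question above (does RefID 'LOCL' mean the PDC emulator is serving its own clock?) can be answered from the `w32tm /monitor` text itself, and the check is worth automating across a forest. The following is an added example for this thread, not code posted by any of its participants. It parses the output layout quoted above, decodes the dotted quad printed after 'LOCL' (an NTP reference identifier is four bytes; for an unsynchronised or stratum-1 source it is an ASCII tag rather than an address, so 76.79.67.76 is just the bytes L, O, C, L), and flags a PDC whose reference is its own clock, a non-PDC host that is not following the hierarchy, or any host whose offset would break Kerberos. The two sample blocks are constructed from the output quoted in the thread; the 300-second tolerance is the Kerberos policy default and is not something the thread states.

```python
"""Interpret `w32tm /monitor` output and flag a PDC emulator on its own clock.

Added example for this thread; not code posted by any participant.
Both sample blocks are constructed from output quoted in the replies.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MAX_SKEW_S = 300.0  # Kerberos default "maximum tolerance for computer clock synchronization"

# Constructed from Deji's output: PDC following an external source.
SAMPLE_OK = """\
KURUBE.jankariwo.com *** PDC *** [192.168.11.250]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from KURUBE.jankariwo.com
    RefID: main.szn.dk [217.157.1.202]
Eniyan.jankariwo.com [192.168.11.252]:
    ICMP: 16ms delay.
    NTP: -0.0752045s offset from KURUBE.jankariwo.com
    RefID: KURUBE.jankariwo.com [192.168.11.250]
"""

# Constructed from Douglas's output: PDC serving its own clock.
SAMPLE_LOCL = """\
dc1.domain.com *** PDC *** [10.100.110.12]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from dc1.domain.com
    RefID: 'LOCL' [76.79.67.76]
"""

HOST_RE = re.compile(r"^(?P<host>\S+)\s+(?P<pdc>\*\*\* PDC \*\*\*\s+)?\[(?P<ip>[^\]]+)\]:\s*$")
NTP_RE = re.compile(r"^\s*NTP:\s+(?P<offset>[+-]?\d+(?:\.\d+)?)s offset from (?P<peer>\S+)")
REFID_RE = re.compile(r"^\s*RefID:\s+(?P<name>\S+)\s+\[(?P<ip>[^\]]+)\]")


@dataclass
class Peer:
    host: str
    ip: str
    is_pdc: bool
    offset_s: float = 0.0
    offset_from: str = ""
    refid_name: str = ""
    refid_ip: str = ""


def decode_refid(dotted: str) -> str:
    """Show what the dotted quad after a RefID really carries.

    An NTP reference identifier is four bytes. When the peer is unsynchronised
    or a stratum-1 clock it is an ASCII tag, not an address, and w32tm prints
    the bytes as if they were one: 76.79.67.76 is 'L','O','C','L'.
    """
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    raw = bytes(octets)
    return raw.decode("ascii") if raw.isalpha() else dotted


def parse_monitor(text: str) -> list[Peer]:
    """Turn w32tm /monitor text into one Peer record per host block."""
    peers: list[Peer] = []
    for line in text.splitlines():
        if (m := HOST_RE.match(line)):
            peers.append(Peer(m["host"], m["ip"], m["pdc"] is not None))
        elif not peers:
            continue  # text before the first host block (e.g. the prompt line)
        elif (m := NTP_RE.match(line)):
            peers[-1].offset_s = float(m["offset"])
            peers[-1].offset_from = m["peer"]
        elif (m := REFID_RE.match(line)):
            peers[-1].refid_name = m["name"].strip("'")
            peers[-1].refid_ip = m["ip"]
    return peers


def audit(text: str) -> list[str]:
    """Return findings; an empty list means the time hierarchy looks healthy."""
    findings: list[str] = []
    for p in parse_monitor(text):
        if p.refid_name == "LOCL":
            tag = decode_refid(p.refid_ip)
            what = "PDC emulator" if p.is_pdc else "host"
            fix = "give it an external NTP peer" if p.is_pdc else "it is not following the domain hierarchy"
            findings.append(f"{p.host}: {what} RefID is {tag!r} (its own clock); {fix}")
        if abs(p.offset_s) > MAX_SKEW_S:
            findings.append(f"{p.host}: {p.offset_s:+.3f}s from {p.offset_from} exceeds "
                            f"the {MAX_SKEW_S:.0f}s Kerberos skew tolerance")
    return findings


if __name__ == "__main__":
    for label, sample in (("external source", SAMPLE_OK), ("default/LOCL", SAMPLE_LOCL)):
        print(f"== {label} ==")
        for finding in audit(sample) or ["no findings"]:
            print(" ", finding)
```

Run it against `w32tm /monitor` output captured from the PDC emulator; the single finding for Douglas's output is exactly the condition Jorge's "default after install" sample shows, while Deji's output produces none.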
 

RE: [ActiveDir] Time Service

2005-12-28 Thread Almeida Pinto, Jorge de
well, yes but it is not needed for the time service

By default the time sync within a forest/domain is automatically configured as
it should be...

Each client and server syncs time with the authenticating DC

Each DC syncs time with the PDC in the same domain or with parent DCs (from a
parent domain)

The PDC syncs time with parent DCs (from a parent domain)

The PDC in the forest root domain is the only DC you need to configure for time
sync and for that several possibilities exist:
External/Internal Time Source
Internal hardware clock

Jorge



From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Wed 2005-12-28 19:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service

Isn't it best practice to set the entire domain time policy at the domain level
(Default Domain Policy) instead of trying to set every machine or every OU
separately?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, December 28, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service

why are you using the GPO to configure the time service on the PDC? Why not
just configure the PDC with the commands and info provided?

Jorge


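Jorge's hierarchy (members follow their authenticating DC, DCs follow the PDC of their own domain or a DC of the parent domain, and only the forest-root PDC emulator follows a source outside the forest) together with Ulf's registry values gives a rule that can be checked host by host. The following is an added example for this thread, not code from any participant. It evaluates the W32Time `Parameters` values (`Type`, `NTPServer`) per host against that rule over a constructed forest. The root domain name adcorp.lan, the host rootdc001 and the peers navobs1.oar.net and pool.ntp.org come from the thread; the child domain emea.adcorp.lan, the hosts emeadc01/emeadc02 and the "before"/"after" states are assumptions made for the example, and the `,0x8` suffix is the W32Time client-mode peer flag.

```python
"""Check W32Time Parameters values against the forest time hierarchy.

Added example, not from the original thread. The forest layout and the
per-host registry values are constructed; the value names are the ones Ulf
lists (HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters:
Type and NTPServer).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    name: str
    pdc: str                   # host holding the PDC emulator role
    parent: str | None = None  # None marks the forest root domain


@dataclass(frozen=True)
class TimeParams:
    type: str                # Parameters\Type: NT5DS, NTP or NoSync
    ntp_server: str = ""     # Parameters\NTPServer: "peer[,0xFLAGS] ..."


# Constructed forest: root domain plus one child domain (child is assumed).
FOREST = [
    Domain("adcorp.lan", pdc="rootdc001"),
    Domain("emea.adcorp.lan", pdc="emeadc01", parent="adcorp.lan"),
]

# Constructed "before" state: root PDC still on the post-install default,
# and a child-domain DC someone pointed at the Internet directly.
BEFORE = {
    "rootdc001": TimeParams("NT5DS"),
    "emeadc01": TimeParams("NT5DS"),
    "emeadc02": TimeParams("NTP", "pool.ntp.org"),
}

# Constructed "after" state following Ulf's instructions (0x8 = client mode).
AFTER = {
    "rootdc001": TimeParams("NTP", "navobs1.oar.net,0x8 pool.ntp.org,0x8"),
    "emeadc01": TimeParams("NT5DS"),
    "emeadc02": TimeParams("NT5DS"),
}

# hostname or IPv4 literal, optionally followed by ",0x<flags>"
PEER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*(?:,0x[0-9A-Fa-f]+)?$")


def forest_root_pdc(domains: list[Domain]) -> str:
    """The one host in the forest that must have a source outside the hierarchy."""
    roots = [d for d in domains if d.parent is None]
    if len(roots) != 1:
        raise ValueError("a forest has exactly one root domain")
    return roots[0].pdc


def check_peer_list(value: str) -> list[str]:
    """Validate an NTPServer / manualpeerlist string; returns the problems found."""
    if not value.strip():
        return ["NTPServer is empty"]
    return [f"malformed peer entry {e!r}" for e in value.split() if not PEER_RE.match(e)]


def audit_time_config(domains: list[Domain], observed: dict[str, TimeParams]) -> list[str]:
    """Compare each host's Type/NTPServer with what its place in the hierarchy requires."""
    root_pdc = forest_root_pdc(domains)
    findings: list[str] = []
    for host, params in observed.items():
        t = params.type.upper()
        if host == root_pdc:
            if t == "NT5DS":
                findings.append(f"{host}: forest-root PDC emulator has Type=NT5DS; there is no DC "
                                "above it, so it stays on its own clock (RefID LOCL)")
            elif t == "NTP":
                findings.extend(f"{host}: Type=NTP but {p}" for p in check_peer_list(params.ntp_server))
            elif t != "NOSYNC":  # NoSync is only for a trusted local hardware clock
                findings.append(f"{host}: unexpected Type={params.type!r}")
        elif t != "NT5DS":
            findings.append(f"{host}: Type={params.type} bypasses the domain hierarchy; expected NT5DS")
    return findings


if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for finding in audit_time_config(FOREST, state) or ["no findings"]:
            print(" ", finding)
```

The "before" state reproduces both problems the thread circles around: a root PDC emulator that was never pointed at an external source, and a DC that was pointed at one even though it should be following its PDC.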
RE: [ActiveDir] Time Service

2005-12-28 Thread deji

You don't really need to do all this. Give the PDC-E an auth source to sync
from, and the clients will be taken care of.

If I were you, I'd undo the policies you've set. Then I'd do net time /setsntp.
Yeah, don't specify anything after /setsntp. That should clear out whatever is
currently in there.

Then do /querysntp, and you should get something like: This computer is not
currently configured to use a specific SNTP server.

After that, do net time /setsntp:pool.ntp.org

/querysntp should now show:

The current SNTP value is: pool.ntp.org

Then do net stop w32time & net start w32time

W32tm /monitor should now show:

C:\WINNT\system32>W32tm /monitor
KURUBE.jankariwo.com *** PDC *** [192.168.11.250]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from KURUBE.jankariwo.com
    RefID: main.szn.dk [217.157.1.202]
Eniyan.jankariwo.com [192.168.11.252]:
    ICMP: 16ms delay.
    NTP: -0.0752045s offset from KURUBE.jankariwo.com
    RefID: KURUBE.jankariwo.com [192.168.11.250]

HTH

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, December 28, 2005 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service

w32tm /monitor

dc1.domain.com *** PDC *** [10.100.110.12]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from dc1.domain.com
    RefID: 'LOCL' [76.79.67.76]   <<<

A PDC that is not configured with an external time source (default after install):

C:\>w32tm /monitor
rootdc001.ADCORP.LAN *** PDC *** [10.0.0.1]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from rootdc001.ADCORP.LAN
    RefID: 'LOCL' [76.79.67.76]

A PDC that is configured with an external time source:

C:\>w32tm /monitor
PDC.DOMAIN.LOCAL *** PDC *** [172.16.1.1]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from PDC.DOMAIN.LOCAL
    RefID: (unknown) [internet IP]

A PDC that is configured to sync with its own internal clock:

C:\>w32tm /monitor
rootdc001.ADCORP.LAN *** PDC *** [10.0.0.1]:
    ICMP: 0ms delay.
    NTP: +0.000s offset from rootdc001.ADCORP.LAN
    RefID: 'LOCL' [76.79.67.76]

In addition to what Ulf said: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/20/111.aspx

Cheers,

Jorge

Re: [ActiveDir] Time Service

2005-12-28 Thread ChuckGaff

Yes, the Domain Controller holding the PDC Emulator Role is the
Domain-based FSMO which should be configured, ideally for external time from an
atomic clock such as the US Naval Observatory two addresses so long as you have
access through Port 123. Desktops can be configured if desired to
point to the PDC Emulator for time synchronization with the PDC Emulator Role
server.

Chuck
Architect, Unisys


Re: [ActiveDir] Time Service

2005-12-28 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

And we poke a hole in the firewall for the time service ...udp port 123


[ActiveDir] 2005... Still?!?!...

2005-12-28 Thread Molkentin, Steve
So, this year, due to "normal" adjustments in keeping our calendar in
sync with the moon (and no doubt the sun too), 2005 will exist for an
extra second this year.

See: http://msnbc.msn.com/id/8476418/

The clocks will read 11:59:60 before ticking over to 12:00:00

So... How will that affect us? If your machines are not time-sync'ed
with a clock that runs off the atomic clock, then you'll be a second
faster than everyone else, effectively opening a rip in the space time
continuum whereby you will do things 1 second before everybody else. The
world will turn topsy turvy: Lions will lie down with lambs; rappers
will remove their bling, stop their killing of each other and embrace
country music; cousins will marry; and anarchy will reign. We're through
the looking glass here, people...

What does it mean for you if you don't have your servers and PCs
time-synced properly? Ultimately, the molecules and atoms in your body
will have sped up, thus increasing the speed of the protons spinning
around the nucleus in each atom. This increase in speed and kinetic
energy is enough to displace at least one of these protons from their
orbit, triggering what is effectively a chain reaction in your body that
would complete in a massive nuclear explosion - meaning IT geeks all
around the world will spontaneously combust, taking out friends, family
and complete strangers, at 12:00:00 January 1 2006... If they don't
ensure their servers and PCs are set to account for this extra second.

Just something to brighten your 3rd last day on earth (if you don't
ensure your computers are set to allow for the extra second)...  ;)

Steve Molkentin (themolk).
 
Information Services Team (Qld)
ASSA ABLOY Asia Pacific
(p) +61 (0)7 3373 5233
(m) +61 (0)401 709 405
http://www.assaabloyasiapacific.com 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] 2005... Still?!?!...

2005-12-28 Thread Navroz Shariff
Hilarious Steve...I could not have put it better myself.

Cheers and Happy New Year to ALL!

-Nav 



[ActiveDir] WMI OS Caption

2005-12-28 Thread Harding, Devon

How can I print out the OS Caption from WMI? Trying to incorporate in a .vbs

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

__
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information. If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments. Thank You.


RE: [ActiveDir] WMI OS Caption

2005-12-28 Thread Marcus.Oh

Devon, download scriptomatic. It'll build the code you require.

:m:dsm:cci:mvp  marcusoh.blogspot.com


RE: [ActiveDir] Event 2069 - AD Quota tracking table?

2005-12-28 Thread Freddy HARTONO

Hi Al

Yup this is a GC.

Frankly I'm not sure what has been done to this DC as I just started to take
over the DC yesterday. One of the things that was done most probably was to
standardize antivirus to SAV 9 - that's pretty much it.

Seems like after another reboot this error doesn't appear yet (only 1 event in
the log).

Should this be a major alarm - is it recommended to demote and re-promote? (I
hate to do this at holiday season :)

Thanks Al!

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, December 28, 2005 10:08 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Event 2069 - AD Quota tracking table?

Freddy, is this also a global catalog server?
It is a concern as this should not be something you see on normal
servers.  Also, can you describe what changed in the environment recently
and what else is running on that server?

Al

On 12/28/05, Freddy HARTONO <[EMAIL PROTECTED]> wrote:

  Hi all

  Found an interesting event, haven't been able to find any additional info
  on this yet, but from the look of it it's only happening in this domain
  controller and it seems to be responding well.

  Is this much of a concern?

  Event Type: Error
  Event Source:   NTDS General
  Event Category: (9)
  Event ID:   2069
  Date:       12/28/2005
  Time:       12:58:28 PM
  User:       NT AUTHORITY\ANONYMOUS LOGON
  Computer:   SELSOS01
  Description:
  Active Directory detected corrupt counts in the quota-tracking table. Quota
  enforcement may not behave correctly until the quota-tracking table is
  rebuilt.

  Thank you and have a splendid day!
  Kind Regards,
  Freddy Hartono
  Group Support Engineer
  InternationalSOS Pte Ltd
  mail: [EMAIL PROTECTED]
  phone: (+65) 6330-9785


Re: [ActiveDir] Event 2069 - AD Quota tracking table?

2005-12-28 Thread Al Mulnick
Hard to say how much of a problem that is.  I've seen references to it being a problem with the GC which is why I asked.  It would be something where you'd want to remove the GC role, and then re-add it/rebuild it based on what I've seen.  I wouldn't have expected it to go away completely unless it only occurs at specific times such as during backup (not that it would be triggered that way in this case).

 
Given the timing, it might be a good idea to schedule it for rebuild at some point in the future post holiday season.  If for nothing else to ensure it is in a known good state and has no legacy issues. 
 
Al 

RE: [ActiveDir] Event 2069 - AD Quota tracking table?

2005-12-28 Thread Steve Linehan

This error is benign as long as you are not enforcing quotas for Active
Directory objects, and if you are, the only downside is that a user may be able
to create more or fewer objects than they should.  The issue can occur on a DC
or a GC, and one of the ways it occurs is when SDProp fixes up missing or
corrupt security descriptors on objects.  To correct the problem you can boot
the machine into Directory Service Restore Mode and then run the following
commands from ntdsutil:

Semantic database analysis
rebuild quota

Once done, reboot back to DS & check for 2065 which signals a successful
rebuild of the table.

Thanks,

-Steve




RE: [ActiveDir] WMI OS Caption

2005-12-28 Thread Alain Lissoir

Here you go.

' Connect to the CIMv2 namespace on the local machine
Set objWMIServices = GetObject("winmgmts:root\CIMv2")
' Enumerate the Win32_OperatingSystem instances (one per installed OS)
Set objWMIInstances = objWMIServices.InstancesOf("Win32_OperatingSystem")
For Each objWMIInstance In objWMIInstances
    ' Caption is the friendly OS name string
    WScript.Echo objWMIInstance.Caption
Next

You can also use an enhanced version of scriptomatic, called WMI Code Creator
v1.0:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&DisplayLang=en
It generates C#, VB.NET and VBScript WMI code.

/Alain

