[ActiveDir] Script to transfer FSMO roles.
Hi All,

Can somebody point me in the right direction as to how to use a scripted solution for seizing the FSMO roles in case of a site failure?

What we have is a W2K3 Domain, with two core sites and 60 branch offices. In the case of site 1 failing we want a procedure for activating a script on the standby DC to seize the FSMO roles.

Site 1
1 X DC Sch, Inf, DNM, PDC, GC
1 X DC RID, GC

Site 2
1 X DC Standby FSMO role holder, GC
1 X DC GC

Regards,
Simon

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Script to transfer FSMO roles.
Run the script on the DC that should host the FSMO role(s), or replace %COMPUTERNAME% with %1 and use the name of the new FSMO role holder as an argument. Make sure to adjust the script concerning the FSMO roles that should be seized/transferred.

-- Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID master" "Seize PDC" QUIT QUIT

-- Seize-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize domain naming master" "Seize schema master" QUIT QUIT

-- Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer infrastructure master" "Transfer RID master" "Transfer PDC" QUIT QUIT

-- Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master" "Transfer schema master" QUIT QUIT

cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Simon Bembridge
Sent: Mon 2006-02-13 10:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to transfer FSMO roles.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [Norton AntiSpam] RE: [ActiveDir] OT: ADSI and Exchange 5.5
I am working on directory cleanup activities for the existing Exchange 5.5 directory. Where accounts are sharing an NT account or using a group I would like to replace the primary NT account with a unique account and update the additional permissions to include the account that was previously the primary NT account (so still allowing access to the mailbox).

Most of the cleanup activities have used imports and exports but as you can imagine I can't achieve the permissions update using this method. I found some VB code which I believe is meant to do this but this just doesn't appear to be working. Any other methods of achieving the same goals would be appreciated.

Cheers.

From: [EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 12 February 2006 09:22
To: ActiveDir@mail.activedir.org
Subject: [Norton AntiSpam] RE: [ActiveDir] OT: ADSI and Exchange 5.5

As Al indicates, there may be other methods. One option could be to look at directory export/import to achieve what you want.

Header.exe facilitates the creation of an export CSV template with additional fields, including Primary Windows NT Account and Obj-User (which shows those accounts with "User" role on the mailbox). You can also find accounts with delegate permissions on a mailbox by including public-delegates and public-delegates-bl in the CSV template.

You can download header.exe here: http://exchange.mvps.org/Headerexe.htm

Tony
www.activedir.org

From: [EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, 12 February 2006 12:26 p.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: ADSI and Exchange 5.5

This would be a great time to ask: when you say "update Permissions on Exchange 5.5 mailboxes" what are you trying to accomplish exactly? It may be possible that what you want to do is possible with some other method.

Al

On 2/11/06, joe [EMAIL PROTECTED] wrote:

I don't think so. Here are the reasons.

o Exchange 5.5 ACLing isn't based on SIDs, which is what ADSI perm mods work with (including ADsSecurity.dll).
o I don't see MS doing ANYTHING to support 5.5, heck it is near impossible to get a change for Exchange Server 2003 at this point.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Friday, February 10, 2006 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: ADSI and Exchange 5.5

Can anyone advise me if there has been a change in the ADSI that now allows the ACL of an Exchange 5.5 mailbox to be manipulated? I have some sample VB code from the ADSI 2.0 SDK that appears to offer the ability but as yet I cannot get this to work. I have found articles on the MS web site that say it is not possible with code other than C or C++ (detailed in the Exchange 5.5 SDK).

If it is possible, where am I going wrong?

I have an XP client with the ADSI resource kit installed (including ADsSecurity.dll)
I have installed ADSI 2.5 on my Exchange 5.5 server (not sure if this was required)
I have imported the code into Visual Basic 2005 Express edition and compiled it (Build Security)
The code builds but when I run it against my environment I get an MS error to be sent to Microsoft.

Has anyone any advice on code I can use to update Permissions on Exchange 5.5 mailboxes? As you can gather I'm not a born coder, I dabble when I have to :-)

Regards,
Jacqui
[Norton AntiSpam] Re: [ActiveDir] OT: ADSI and Exchange 5.5
Thanks, I will take a look at the tool. Might save me lots of grief :-)

Cheers

Also just found this... not sure whether it's exactly what you are after but it may save you some programming time. This tool allows setting permissions across multiple mailboxes in 5.5.

Setperm.exe @ http://www.fnds.net/html/downloads.html

Cheers,
Matty

On 12/02/06, Matt Holland [EMAIL PROTECTED] wrote:

The ACL COM object (ACL.DLL) provided in the platform SDK can be used to manipulate 5.5 Mailbox ACLs. Can be used with VB/VBScript or .NET (via Interop). These VB examples may help you:
http://www.cdolive.com/aclviewer.htm
http://support.microsoft.com/?kbid=240911

Cheers,
Matty
RE: [ActiveDir] Script to transfer FSMO roles.
Jorge,

If we are simulating a DR scenario, running the script on the backup FSMO server in site 2 will not be a problem??

Simon

From: [EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 13 February 2006 10:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
RE: [ActiveDir] Script to transfer FSMO roles.
Are you saying simulating the procedure in the production environment by seizing the FSMO roles? Don't do that! Use a test environment that is a correct representation of the production environment to do your tests!

jorge

From: [EMAIL PROTECTED] on behalf of Simon Bembridge
Sent: Mon 2006-02-13 13:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
Re: [Norton AntiSpam] RE: [ActiveDir] OT: ADSI and Exchange 5.5
Actually, yes you can, unless I totally misunderstood your requirement. To be sure, I think you're saying you want to remove the primary Windows NT account value and replace it with a user representative, but you want to allow the existing value represented to continue to have access to the mailboxes. You don't need to get granular and grant/revoke access at the folder level.

If that's correct, then what Tony was talking about has worked for me in the past. I've used it in migration scenarios vs. just cleanup, i.e. migrating from domain1 to newDomain and wanting to let newDomain users have access to their mailboxes as if nothing happened. Solution: using import/export, move the existing value to the obj-User field and replace the primary-Windows-NT value with the newDomain\user value.

In your case, you just need to identify which ones are groups vs. user accounts (looping through the spreadsheet and figuring out which are groups and which are not might be one way to do this). To identify which are shared accounts you must have some other sort of knowledge, because to the system a shared account (an account where more than one wetware element knows the credentials) is the same as one security principal-one wetware element.

Developing anything against 5.5 is a dead-end scenario that has a limited return on your time and resources invested. Might be fun, but I think if you write a lot of code for this one-time use, it might not be an equitable transaction.

Al

On 2/13/06, Jacqui Hurst [EMAIL PROTECTED] wrote:
[ActiveDir] OT:quickbooks alternatives
I have a group of users that want to use QuickBooks to track financial info about the vending machines. I told them I wouldn't support QuickBooks because they require local admin rights (I've seen the workarounds, but I'm sick of needing workarounds). Then they wanted Microsoft Small Business Accounting software, but my desktop support guy tested that software and found it required local admin rights also, so now I need to find another option for them that doesn't require local admin rights.

Does anyone have any QuickBooks alternative options?

Thanks,
jb

--
Jason Benway
[EMAIL PROTECTED]
GHSP
1250 S. Beechtree
Grand Haven, MI 49417
616-847-8474
Fax: 616-850-1208
Required space inevitably expands to exceed available space...
RE: [ActiveDir] Script to transfer FSMO roles.
A few thoughts --

I'm not entirely averse to the idea of throwing commands at NTDSUTIL and seizing roles (and relying upon the mandatory pre-emptive transfer attempt), but I prefer not to perform such actions when the capability to trap failures within a sequence of events is beyond my control, e.g. the transfer fails and the seize continues without confirmation or regard for my input. Although I realize that your goal here is to seize a role, a single slip of the finger may inadvertently cause seizure to occur. I would suggest scripting the operation to _manually_ attempt a transfer first, trap the error and confirm your intention to proceed with a seize (remains achievable with NTDSUTIL). Of course, the implications of _not_ doing it this way are entirely dependent upon either or both the FSMO role in question and/or your particular infrastructure.

The commands below outline an alternative approach for attempting a FSMO transfer of the domain naming master -

admod -h <target DC FQDN> -b "" becomedomainmaster::1

... and the equivalent seizure -

admod -h <target DC FQDN> -b cn=partitions,cn=configuration,<root DN> fsmoroleowner::"<NTDS Settings DN of recipient DC>"

... e.g. -

admod -h machine1.adcorp.lan -b cn=partitions,cn=configuration,dc=adcorp,dc=lan fsmoroleowner::"CN=NTDS Settings,CN=MACHINE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAN"

This approach provides more control at the expense of requiring slightly more specific knowledge of the directory.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, February 13, 2006 5:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to transfer FSMO roles.
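Dean's transfer-first, confirm-before-seize sequence as an added PowerShell example (it is not code from this thread, from NTDSUTIL or from admod): it performs the same two LDAP writes his admod commands do, the becomeDomainMaster rootDSE write for a transfer and the fsmoRoleOwner write for a seize, and generalises them to the schema, infrastructure and RID roles via their own rootDSE attributes. The target DC name, the role labels and the prompt text are assumptions of this script.

```powershell
# Added example (not from the thread or from any listed tool): attempt a graceful
# FSMO transfer first, and only overwrite fsmoRoleOwner (a seize) after the
# transfer has failed and an operator has typed a confirmation.
# Assumptions: run on the DC that should receive the role, with an account that
# holds the rights for that role (Enterprise Admins for the forest roles);
# $TargetDc defaults to this machine and the role labels are this script's own.
param(
    [string]$TargetDc = $env:COMPUTERNAME,
    [ValidateSet('DomainNaming', 'Schema', 'Infrastructure', 'Rid')]
    [string]$Role = 'DomainNaming'
)

$rootDse  = [ADSI]"LDAP://$TargetDc/RootDSE"
$configDn = $rootDse.configurationNamingContext.Value
$domainDn = $rootDse.defaultNamingContext.Value
$schemaDn = $rootDse.schemaNamingContext.Value
$ntdsDn   = $rootDse.dsServiceName.Value      # "CN=NTDS Settings,..." of $TargetDc

# Per role: the rootDSE operational attribute that requests a transfer, and the
# object whose fsmoRoleOwner is overwritten on a seize. The PDC emulator is left
# out because becomePdc takes the domain SID rather than the value 1.
$roles = @{
    DomainNaming   = @{ Attr = 'becomeDomainMaster';         Holder = "CN=Partitions,$configDn" }
    Schema         = @{ Attr = 'becomeSchemaMaster';         Holder = $schemaDn }
    Infrastructure = @{ Attr = 'becomeInfrastructureMaster'; Holder = "CN=Infrastructure,$domainDn" }
    Rid            = @{ Attr = 'becomeRidMaster';            Holder = 'CN=RID Manager$,CN=System,' + $domainDn }
}
$entry  = $roles[$Role]
$holder = [ADSI]"LDAP://$TargetDc/$($entry.Holder)"

function Get-CurrentOwner {
    # Re-read from the DC so we report the post-operation value, not a cached one.
    $holder.psbase.RefreshCache()
    return $holder.fsmoRoleOwner.Value
}

Write-Host "Current $Role master: $(Get-CurrentOwner)"
if ((Get-CurrentOwner) -eq $ntdsDn) {
    Write-Host "$TargetDc already holds the $Role role; nothing to do."
    return
}

# Step 1: graceful transfer. The target DC contacts the current holder; if that
# DC is down (the site-failure case in the thread) the write fails and we fall
# through to the confirmation prompt instead of seizing silently.
try {
    $rootDse.Put($entry.Attr, 1)
    $rootDse.SetInfo()
    Write-Host "Transfer succeeded. $Role master is now: $(Get-CurrentOwner)"
    return
}
catch {
    Write-Warning "Transfer of $Role failed: $($_.Exception.Message)"
}

# Step 2: seize, but only on explicit confirmation. A DC that had a role seized
# from it must not be brought back online without metadata cleanup, so this is
# deliberately not automatic.
$answer = Read-Host "Seize the $Role role onto $TargetDc? Type SEIZE to continue"
if ($answer -cne 'SEIZE') {
    Write-Host 'Seizure cancelled; no change made.'
    return
}
$holder.Put('fsmoRoleOwner', $ntdsDn)
$holder.SetInfo()
Write-Host "Seized. $Role master is now: $(Get-CurrentOwner)"
```

Run it once per role with -Role, which mirrors the separate Seize-*/Transfer-* scripts above but never seizes without the failed transfer and the typed confirmation in between.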
[ActiveDir] Separate AD forest in a DMZ
Hey Guys,

I need to setup a separate AD forest in our DMZ to accommodate the need for a domain (SQL log shipping, Windows clustering, etc). The issue is that we're using NAT and a Cisco PIX between our production network and the DMZ network. So even though our production network is 172.16.x.x, for example, the DMZ sees these resources as 10.10.x.x. From everything I've read, NAT breaks a lot of things, but unfortunately we must use NAT.

Anyone have any real world experience with this? Any suggestions would be appreciated.

-FDiskThePC
Re: [ActiveDir] OT:quickbooks alternatives
I don't think SBA is beefy enough yet... but I haven't found that it needed admin rights...

What's your budget? And what does the vending machine industry in general use? Peachtree (after the 2004 version) handles normal users.

Jason Benway wrote:
Re: [ActiveDir] OT:quickbooks alternatives
The SBA box has the Designed for XP logo on it (unlike QB), which means it will support normal users and not require admin rights. Can you check with him and clarify that? It obviously needs admin rights to load, but it will (and it's logo'd to) run as a regular user.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

I don't think SBA is beefy enough yet... but I haven't found that it needed admin rights... What's your budget? And what does the vending machine industry in general use? Peachtree (after the 2004 version) handles normal users.
[ActiveDir] permon access
In a Windows 2000 forest, what are the bare minimum rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a GPO ADM template that allows this for Win2K.

Thanks
RE: [ActiveDir] permon access
How about utilizing the "Performance Monitor Users" built-in security group!

Thanks...

Sergio J. Olivarez - Contractor GD-NS
Re: [ActiveDir] permon access
That's why I stated I was on a Windows 2000 forest. That group is only available on Win2K3 DCs.

Thanks
RE: [ActiveDir] permon access
Yeah, sorry 'bout that! I realized that after I had already sent it. Check out the links below, maybe they will help!

http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;164018

Thanks...

Sergio J. Olivarez - Contractor GD-NS
RE: [ActiveDir] permon access
Are you wanting them to run perfmon against your domain controllers, or against member servers/workstations? Locally, or remotely?
Re: [ActiveDir] permon access
Thank you very much!! That's exactly what I was looking for...
Re: [ActiveDir] permon access
Sorry, member servers, remotely. Thanks
RE: [ActiveDir] Script to transfer FSMO roles.
Jorge,

Yes, it is a test environment we will be doing it in. So much going on.

Also just a quick question: is there an inbound/outbound replication fresh hold for a site bridgehead server? I have read somewhere that it is 15? Not sure how this has changed with R2 also, as we are still awaiting the software to install and trial.

Simon

From: Almeida Pinto, Jorge de Sent: 13 February 2006 12:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Script to transfer FSMO roles.
Are you saying "simulating the procedure in the production environment by seizing the FSMO roles"? Don't do that! Use a test environment that is a correct representation of the production environment to do your tests! jorge

From: Simon Bembridge Sent: Mon 2006-02-13 13:26 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Script to transfer FSMO roles.
Jorge, if we are simulating a DR scenario, running the script on the backup FSMO server in site 2 will not be a problem? Simon
RE: [ActiveDir] permon access
http://support.microsoft.com/?kbid=300702 if you have 2K3 members
RE: [ActiveDir] permon access
Wow, I wrote that "article" a long long long long long time ago. I am surprised they still have it available.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
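The links above describe the registry permissions remote perfmon depends on. As an added example (not from the thread and not from the linked articles), here is a PowerShell script that delegates remote counter reads on a Windows 2000/2003 member server to a group without local admin rights. The two keys it touches are the ones I understand to gate remote counter access: the winreg key, which decides who may open the registry remotely at all, and the Perflib key, which holds the counter name tables; check them against the linked KB articles before rolling this out. The server name, group name and rights are assumptions for the example; the Remote Registry service must be running on the target and the account running the script must already be an administrator there.

```powershell
# Added example, not from the thread: grant a delegated group read access to the
# registry keys remote Performance Monitor needs on a member server, then show
# the resulting DACL so the change can be reviewed. Names below are assumptions.
param(
    [string] $Computer = 'MEMBER01',            # assumed member server
    [string] $Group    = 'CORP\Perfmon-Readers'  # assumed delegated domain group
)

# Keys (per my understanding of the linked KB articles; verify on your build):
$keys = @(
    'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',  # remote registry access gate
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'         # counter name tables
)

function Grant-RegistryRead {
    param([string] $Computer, [string] $SubKey, [string] $Group)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        # Open with only the rights needed to read and change the DACL.
        $key = $hive.OpenSubKey($SubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]'ReadPermissions,ChangePermissions')
        if (-not $key) { throw "Key not found on ${Computer}: $SubKey" }
        try {
            $acl  = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
            # ReadKey only: no SetValue, no CreateSubKey, no ChangePermissions.
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $Group,
                [System.Security.AccessControl.RegistryRights]::ReadKey,
                [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
            $acl.AddAccessRule($rule)
            $key.SetAccessControl($acl)
        } finally { $key.Close() }
    } finally { $hive.Close() }
}

function Show-RegistryAcl {
    param([string] $Computer, [string] $SubKey)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hive.OpenSubKey($SubKey, $false)   # KEY_READ includes READ_CONTROL
        try {
            $key.GetAccessControl().Access |
                Select-Object @{n='Key';e={$SubKey}}, IdentityReference, RegistryRights,
                              AccessControlType, IsInherited
        } finally { $key.Close() }
    } finally { $hive.Close() }
}

foreach ($k in $keys) {
    Grant-RegistryRead -Computer $Computer -SubKey $k -Group $Group
    Show-RegistryAcl   -Computer $Computer -SubKey $k | Format-Table -AutoSize
}
```

On Windows Server 2003 members the simpler route Sergio mentioned applies: put the user in the local Performance Monitor Users group (KB 300702) instead of editing ACLs. Windows 2000 has no such group, which is where the key-level delegation above comes in. Granting read on the winreg key also exposes the rest of the registry to that group for reading, so keep the group small.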
[ActiveDir] ldifde download
Where can I download this to run on XP? Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] ldifde download
Have you tried copying ldifde.exe over to your XP workstation from a server? Thanks... Sergio J. Olivarez - Contractor GD-NS
RE : [ActiveDir] ldifde download
On a Win2K/2K3 box. Yann
RE: [ActiveDir] Script to transfer FSMO roles.
Having chatted offline on this topic, I'm reminded that it's worth mentioning an exception pertaining to the RID FSMO. Extensive state is maintained for this particular role, state which is sensitive and requires modification when the role is seized. Unfortunately, these modifications are handled client-side by NTDSUTIL (a mistake in my opinion); as such, any manual seizure of the RID Master should either be conducted using NTDSUTIL (again, in a controlled manner) or supplemented with the necessary RID allocation pool modifications.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: Dean Wells Sent: Monday, February 13, 2006 9:06 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Script to transfer FSMO roles.

A few thoughts -- I'm not entirely averse to the idea of throwing commands at NTDSUTIL and seizing roles (and relying upon the mandatory pre-emptive transfer attempt), but I prefer not to perform such actions when the capability to trap failures within a sequence of events is beyond my control, e.g. the transfer fails and the seize continues without confirmation or regard for my input. Although I realize that your goal here is to seize a role, a single slip of the finger may inadvertently cause seizure to occur. I would suggest scripting the operation to _manually_ attempt a transfer first, trap the error and confirm your intention to proceed with a seize (remains achievable with NTDSUTIL). Of course, the implications of _not_ doing it this way are entirely dependent upon either or both the FSMO role in question and/or your particular infrastructure.

The commands below outline an alternative approach for attempting a FSMO transfer of the domain naming master -

admod -h <target DC FQDN> -b "" becomedomainmaster::1

... and the equivalent seizure -

admod -h <target DC FQDN> -b cn=partitions,cn=configuration,<root DN> fsmoroleowner::"<NTDS Settings DN of recipient DC>"

e.g. -

admod -h machine1.adcorp.lan -b cn=partitions,cn=configuration,dc=adcorp,dc=lan fsmoroleowner::"CN=NTDS Settings,CN=MACHINE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAN"

This approach provides more control at the expense of requiring slightly more specific knowledge of the directory.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
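Dean's transfer-first, trap-the-error, confirm-before-seize pattern, written out as an added example. This is not code from the thread and not Dean's or Jorge's; it assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, which did not exist when this thread was written) rather than NTDSUTIL or admod, and takes the target DC and the role list as parameters. Each role is handled on its own: a graceful transfer is tried, and only if that fails is the operator asked, per role, to type a confirmation word before the role is seized.

```powershell
# Added example, not from the thread: transfer a FSMO role if the current holder
# is reachable; seize it only after the transfer has failed AND an operator has
# explicitly confirmed that specific role. Assumes the ActiveDirectory module.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $TargetDC,   # DC that should end up holding the roles
    [Parameter(Mandatory)]
    [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
    [string[]] $Roles
)

function Get-CurrentRoleHolders {
    # Read the owners back from the directory rather than trusting cmdlet output.
    $f = Get-ADForest
    $d = Get-ADDomain
    @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

$before = Get-CurrentRoleHolders
foreach ($role in $Roles) {
    $holder = $before[$role]
    if ($holder -like "$TargetDC*") { Write-Host "$role is already on $TargetDC"; continue }

    Write-Host "$role is on $holder; attempting a graceful transfer to $TargetDC"
    try {
        # Transfer: the current holder must be online and hand the role over.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $role `
            -Confirm:$false -ErrorAction Stop
        Write-Host "Transferred $role"
        continue
    } catch {
        Write-Warning "Transfer of $role failed: $($_.Exception.Message)"
    }

    # Seize only on an explicit, case-sensitive confirmation for this one role,
    # so a slip of the finger cannot seize everything in one go.
    $answer = Read-Host ("Seize {0} onto {1}? The old holder {2} must never return with this role. Type SEIZE to proceed" -f $role, $TargetDC, $holder)
    if ($answer -cne 'SEIZE') { Write-Warning "Skipping $role"; continue }

    if ($role -eq 'RIDMaster') {
        # Per Dean's note: RID seizure carries extra pool state. Check the new
        # holder's RID pool before creating security principals on it.
        Write-Warning 'RID master: verify the RID pool on the new holder before creating accounts.'
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $role `
        -Force -Confirm:$false -ErrorAction Stop
    Write-Host "Seized $role"
}

# Verification pass: print what the directory now says about each requested role.
$after = Get-CurrentRoleHolders
foreach ($role in $Roles) { '{0,-22} {1}' -f $role, $after[$role] }
```

Usage: .\Move-Fsmo.ps1 -TargetDC dc2-site2.corp.example -Roles PDCEmulator,RIDMaster,InfrastructureMaster (names are assumed). The design point is the one Dean makes: the seize is a separate, per-role, interactive step, not something that runs automatically because a transfer failed.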
RE: [ActiveDir] Script to transfer FSMO roles.
Can you elaborate on what you mean by "replication threshold" (or fresh hold if you prefer ... gotta love spell checkers :o)?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
Re: [ActiveDir] Separate AD forest in a DMZ
It's not clear what the requirements are nor what you expect to break. You aren't thinking of putting an MSCS across a firewall anyway, now are you? Better yet, if so, which type of cluster?

On 2/13/06, FDiskThePC wrote:
Hey Guys, I need to set up a separate AD forest in our DMZ to accommodate the need for a domain (SQL log shipping, Windows clustering, etc). The issue is that we're using NAT and a Cisco PIX between our production network and the DMZ network. So even though our production network is 172.16.x.x, for example, the DMZ sees these resources as 10.10.x.x. From everything I've read, NAT breaks a lot of things, but unfortunately we must use NAT. Anyone have any real world experience with this? Any suggestions would be appreciated. -FDiskThePC
[ActiveDir] Hash-based Software Restriction Policy
Hey All, I was curious if any of you have set up hash-based software restriction policies. I'd like to set up a policy to only allow the executables that I've hashed to run, and I'm hoping that someone has a list of all of the base executables I'll need to hash just for WinXP to boot and log in successfully. Hopefully someone else has already done the work, so that I don't have to use trial and error to figure out all the exes I need to hash. Thanks, Justin Clay ITS Enterprise Services Metropolitan Government of Nashville and Davidson County Howard School Building Phone: (615) 880-2573 ITS ENTERPRISE SERVICES EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
RE: [ActiveDir] Hash-based Software Restriction Policy
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx Thanks... Sergio J. Olivarez - Contractor GD-NS
Re: [ActiveDir] Hash-based Software Restriction Policy
NIST Scientific and Technical Databases - National Software Reference Library: http://www.nist.gov/srd/nistsd28.htm I know in forensics they get the hash sets from NIST for grep'ing purposes. Would that help?

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com
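Rather than a canned list, the set of images a given XP build actually needs to boot and log on can be measured on a clean reference machine. The following is an added example, not from the thread or from Microsoft's SRP documentation: it walks every running process and every module mapped into it right after logon, hashes each image and records its Authenticode signer, and writes a CSV that a hash-rule baseline can be built from. Run it elevated on the reference box; the output path is an assumption.

```powershell
# Added example, not from the thread: inventory and hash every EXE/DLL loaded on
# a freshly booted, logged-in reference machine as a starting point for SRP hash
# rules. SHA-1 is recorded because XP/2003 SRP hash rules are matched on MD5/SHA-1;
# SHA-256 is kept for your own records. Output path is an assumption.
param(
    [string] $OutFile = "$env:USERPROFILE\srp-baseline.csv"
)

function Get-LoadedImagePaths {
    # Distinct full paths of every image currently mapped into any process.
    # System/Idle and protected processes throw on .Modules; report, don't hide.
    $paths = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($p in Get-Process) {
        try {
            if ($p.Path) { [void]$paths.Add($p.Path) }
            foreach ($m in $p.Modules) { [void]$paths.Add($m.FileName) }
        } catch {
            Write-Warning ("PID {0} ({1}): {2}" -f $p.Id, $p.ProcessName, $_.Exception.Message)
        }
    }
    return $paths
}

function Get-ImageRecord([string] $Path) {
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    # Images are in use, so open with a share mode that tolerates other handles.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $h1 = [BitConverter]::ToString($sha1.ComputeHash($fs)) -replace '-', ''
        $fs.Position = 0
        $h256 = [BitConverter]::ToString($sha256.ComputeHash($fs)) -replace '-', ''
    } finally { $fs.Close() }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path      = $Path
        Version   = (Get-Item $Path).VersionInfo.FileVersion
        SHA1      = $h1
        SHA256    = $h256
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$records = @(Get-LoadedImagePaths | Sort-Object | ForEach-Object { Get-ImageRecord $_ })
$records | Select-Object Path, Version, SHA1, SHA256, SigStatus, Signer |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

$unsigned = @($records | Where-Object { $_.SigStatus -ne 'Valid' }).Count
'{0} images recorded to {1}; {2} without a valid signature' -f $records.Count, $OutFile, $unsigned
```

Two caveats before turning the CSV into rules. First, a single snapshot misses images loaded on demand (service startup order, logon scripts, screen savers), so take several snapshots across reboots and logons and union them. Second, hash rules pin a specific binary, so every hotfix invalidates the rules for the files it replaces; most deployments pair a default-deny policy with path rules for %SystemRoot% and %ProgramFiles% (which non-admins cannot write to) and reserve hash rules for the handful of binaries that live elsewhere.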
RE: [ActiveDir] Script to transfer FSMO roles.
Yep, I love spell checker; also have four kids running around the house at the moment, ready for a pig out at TGIs.

I do not know why, but I am sure I read somewhere that a bridgehead server had a threshold of 15 inbound replication partners. We have two core sites with 2 x DC in both and around 64 branch offices. We were going to let the KCC sort it all out for us, but just have this niggling doubt about the 15 limit I am sure I read or dreamt somewhere.
RE: [ActiveDir] ldifde download
%SYSTEMROOT%\SYSTEM32 on any Domain Controller. To run on Windows 2000 Pro and XP, copy the executables from a DC. From http://www.activedir.org/TF/Default.aspx

Tony

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
Re: [ActiveDir] Separate AD forest in a DMZ
Good point. The requirements are that the DMZ forest needs to have a one-way trust to the production forest so that user accounts in the production forest can access DMZ resources.
[ActiveDir] Restricting Hidden Attributes
HR would like to populate the EmployeeID field and only allow certain people to view it in ADUC. I can enable it in the Schema for viewing when in ADUC advanced mode, but how do I restrict who can view it? Would restricting viewing it in ADUC stop someone from querying it in a script? I thought a certain trainer went over this in his outstanding AD class, however I can't seem to locate it. (DW)

-Andy
RE: [ActiveDir] Separate AD forest in a DMZ
replication between DCs won't work across a NAT, but authentication does. You might have to add some static entries to your DNS on either side of the FW, but should get it to work.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of FDiskThePC
Sent: Monday, 13 February 2006 21:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Separate AD forest in a DMZ

[quoted text trimmed; identical to the message above]
RE: [ActiveDir] Script to transfer FSMO roles.
Not that's springing to mind. Some related thoughts -

* inbound replication is single threaded (i.e. no concurrency limitation is required)
* in 2k, 15 mins. represented the anticipated end-to-end replication within a site
* the KCC in 2k3 is capable of load-balancing bridgeheads
* the min. polled replication interval between DCs in different sites is 15 mins.
* the KCC in 2k is limited; assuming ((domain+1) * sites^2) <= 100,000 -- then all is good
* the KCC in 2k3 is also limited but to a lesser extent; assuming ((domain+1) * sites) <= 100,000 -- then all is good

Assuming you have a single domain (or less than ~10 total domain app. partitions combined), both Windows 2000 and Windows 2003 KCC/ISTGs will more than suffice.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Monday, February 13, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to transfer FSMO roles.

Yep I love spell checker, also have four kids running around the house at the moment ready for a pig out at TGIs. I do not know why but I am sure I read somewhere that a bridgehead server had a threshold of 15 inbound replication partners. We have two core sites with 2 x DC in both and around 64 branch offices. We were going to let the KCC sort it all out for us but just have this niggling doubt about the 15 limit I am sure I read or dreamt somewhere.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 13 February 2006 18:58
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to transfer FSMO roles.

Can you elaborate on what you mean by "replication threshold" (or fresh hold if you prefer ... gotta love spell checkers :o)?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Monday, February 13, 2006 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to transfer FSMO roles.

Jorge,

Yes it is a test environment we will be doing it in. So much going on. Also just a quick question, is there an Inbound/Outbound replication fresh hold for a site bridgehead server?? I have read somewhere that it is 15? Not sure how this has changed with R2 also as we are still awaiting the software to install and trial.

Simon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 13 February 2006 12:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to transfer FSMO roles.

Are you saying "simulating the procedure in the production environment by seizing the FSMO roles"? don't do that! use a test environment that is a correct representation of the production environment to do your tests!

jorge

From: [EMAIL PROTECTED] on behalf of Simon Bembridge
Sent: Mon 2006-02-13 13:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to transfer FSMO roles.

Jorge,

If we are simulating a DR scenario running the script on the backup FSMO server in site 2 will not be a problem??

Simon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 13 February 2006 10:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to transfer FSMO roles.

run the script on the DC that should host the FSMO role(s) or replace %COMPUTERNAME% with %1 and use the name of the new FSMO role holder as an argument.
Make sure to adjust the script concerning the FSMO roles that should be seized/transferred

-- Seize-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize infrastructure master" "Seize RID master" "Seize PDC" QUIT QUIT

-- Seize-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Seize domain naming master" "Seize schema master" QUIT QUIT

-- Transfer-Domain-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer infrastructure master" "Transfer RID master" "Transfer PDC" QUIT QUIT

-- Transfer-Forest-FSMO-Roles.cmd
NTDSUTIL ROLES CONNECTIONS "CONNECT TO SERVER %COMPUTERNAME%" QUIT "Transfer domain naming master" "Transfer schema master" QUIT QUIT

cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Simon Bembridge
Sent: Mon 2006-02-13 10:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to transfer FSMO roles.

Hi All,
Can somebody point me in the right direction as to how to use a scripted solution for seizing the FSMO roles in case of a site failure?
What we have is a W2K3 Domain, with two core sites and 60 branch offices. In the case of site 1 failing we want a procedure of activating a script on the standby DC to seize the FSMO roles.
Site 1
1 X DC Sch, Inf, DNM, PDC,
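The ntdsutil one-liners Jorge quotes above hard-code both the role set and the target DC, and nothing in them checks what actually happened. What follows is an added example, written for this page and not code from the thread or from Jorge: a PowerShell wrapper (the thread's scripts are .cmd; PowerShell is used here only for illustration) that takes the target DC and the roles as parameters, refuses to seize a role whose current holder still answers, and reads the holder back from the fSMORoleOwner attribute after the move instead of trusting the tool's output. It assumes ntdsutil.exe is on the path, which it is on any DC, and an account with the rights each role needs: Domain Admins for the three domain roles, Enterprise Admins for domain naming master and Schema Admins for schema master.

```powershell
# Added example (not from the thread): parameterised wrapper around the ntdsutil one-liners
# Jorge posted. Assumes ntdsutil.exe is on the path and that $TargetDC is the DC that should
# hold the listed roles when the script finishes.
param(
    [Parameter(Mandatory = $true)][string]$TargetDC,
    [ValidateSet('Transfer', 'Seize')][string]$Action = 'Transfer',
    # Domain roles by default; add 'schema master' and 'domain naming master' for the forest roles.
    [string[]]$Roles = @('PDC', 'RID master', 'infrastructure master')
)

# Read the current holder of a role from the directory. Each role is recorded in the
# fSMORoleOwner attribute of one well-known object.
function Get-RoleHolder {
    param([string]$Dc, [string]$Role)
    $rootDse  = [ADSI]"LDAP://$Dc/RootDSE"
    $domainNc = $rootDse.Get('defaultNamingContext')
    $configNc = $rootDse.Get('configurationNamingContext')
    $schemaNc = $rootDse.Get('schemaNamingContext')
    $holderObject = switch ($Role) {
        'PDC'                   { $domainNc }
        'RID master'            { "CN=RID Manager`$,CN=System,$domainNc" }
        'infrastructure master' { "CN=Infrastructure,$domainNc" }
        'schema master'         { $schemaNc }
        'domain naming master'  { "CN=Partitions,$configNc" }
    }
    # fSMORoleOwner holds the DN of the holder's NTDS Settings object,
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,..., so the server name is the second RDN.
    $owner = [string]([ADSI]"LDAP://$Dc/$holderObject").Get('fSMORoleOwner')
    return (($owner -split ',')[1] -replace '^CN=', '')
}

$targetShort = ($TargetDC -split '\.')[0]   # compare on the NetBIOS-style server name

foreach ($role in $Roles) {
    $before = Get-RoleHolder -Dc $TargetDC -Role $role

    if ($Action -eq 'Seize' -and (Test-Connection -ComputerName $before -Count 1 -Quiet)) {
        # Seizing is for a holder that is gone for good; if it still answers, transfer instead.
        # A seized role whose original holder later comes back online is a known source of
        # trouble (duplicate RID pools in the RID master's case).
        Write-Warning "$role is held by $before, which is still reachable. Use -Action Transfer."
        continue
    }

    # Same argument list as the thread's .cmd files, with the target DC parameterised.
    & ntdsutil.exe roles connections "connect to server $TargetDC" quit "$Action $role" quit quit

    # Read the owner back from the directory rather than trusting the tool's output.
    $after = Get-RoleHolder -Dc $TargetDC -Role $role
    "{0,-22} before: {1,-16} after: {2}" -f $role, $before, $after
    if ($after -ne $targetShort) { Write-Warning "$role did not move to $TargetDC (now on $after)." }
}
```

On a seize, ntdsutil still raises its own confirmation prompt, so the script pauses there until it is answered; a transfer that fails because the old holder is unreachable shows up as a "did not move" warning from the read-back check rather than silently succeeding.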
Re: [ActiveDir] Restricting Hidden Attributes
Feigin, Andrew wrote:
[quoted question trimmed; identical to the message above]

Check if this will be helpful for You:
http://blogs.dirteam.com/blogs/tomek/archive/2005/11/21/confidential_bit.aspx
http://blogs.dirteam.com/blogs/tomek/archive/2005/11/29/confidential_bit_fp.aspx

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
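Tomek's posts above cover the confidential bit; the following is an added example, written for this page and not code from the thread or from those posts, that does concretely what they describe: set searchFlags bit 0x80 on an attribute so the DC itself withholds the value from anyone without the CONTROL_ACCESS right on it, then grant that right to a group. This is also the answer to Andrew's second question: hiding an attribute in ADUC is a console setting, while the confidential bit is enforced by the DC on every LDAP read, scripts included. Assumed names are dc01 for the schema master (schema writes only succeed there), CORP\HR-EmployeeID-Readers for the reader group and OU=Staff,DC=corp,DC=example for the container holding the users. The systemFlags check matters: attributes that ship in the base schema reject the bit, and the usual answer then is a new attribute in the schema extension that is marked confidential from the start.

```powershell
# Added example (not from the thread): mark an attribute confidential (searchFlags 0x80,
# Windows Server 2003 SP1 and later) and grant a group the CONTROL_ACCESS right to read it.
# Assumes Schema Admins membership and that $SchemaMaster holds the schema master role.
param(
    [string]$SchemaMaster = 'dc01',                            # assumed name
    [string]$Attribute    = 'employeeID',
    [string]$ReaderGroup  = 'CORP\HR-EmployeeID-Readers',      # assumed name
    [string]$Container    = 'OU=Staff,DC=corp,DC=example'      # assumed DN
)

$CONFIDENTIAL       = 0x80   # searchFlags: fCONFIDENTIAL
$SCHEMA_BASE_OBJECT = 0x10   # systemFlags: attribute is part of the base schema

$rootDse  = [ADSI]"LDAP://$SchemaMaster/RootDSE"
$schemaNc = $rootDse.Get('schemaNamingContext')

# Find the attributeSchema object by lDAPDisplayName rather than guessing its CN.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SchemaMaster/$schemaNc"
$searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))"
$searcher.PropertiesToLoad.AddRange(@('searchFlags', 'systemFlags'))
$hit = $searcher.FindOne()
if (-not $hit) { throw "attribute $Attribute not found in the schema" }

$systemFlags = [int]$hit.Properties['systemflags'][0]
$searchFlags = [int]$hit.Properties['searchflags'][0]

if ($systemFlags -band $SCHEMA_BASE_OBJECT) {
    # Base-schema attributes do not accept the confidential bit; extend the schema with a
    # new attribute for the data instead and mark that one confidential.
    throw "$Attribute is a base-schema attribute; the confidential bit cannot be set on it"
}

if ($searchFlags -band $CONFIDENTIAL) {
    "$Attribute is already confidential (searchFlags=$searchFlags)"
} else {
    $entry = $hit.GetDirectoryEntry()
    $entry.Put('searchFlags', ($searchFlags -bor $CONFIDENTIAL))
    $entry.SetInfo()
    "$Attribute marked confidential (searchFlags $searchFlags -> $($searchFlags -bor $CONFIDENTIAL))"
}

# Readers need the CONTROL_ACCESS right (CA) on the attribute, granted inheritably to the
# user objects under the container. Check the argument form against dsacls /? on the box.
& dsacls.exe $Container /I:S /G "${ReaderGroup}:CA;${Attribute};user"
```

The DC applies the new flag after its next schema cache refresh, or immediately after a schemaUpdateNow write to RootDSE; until then an LDAP read by a non-admin still returns the value.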
Re: [ActiveDir] Separate AD forest in a DMZ
What kind of resources specifically? Web based only? Or other? If other, what kinds? Trusts might be the least of your concerns depending on traffic types.

Also, what are the security requirements? Is this something that has to be monitored via IDS systems? What other security requirements?

I understand if you can't answer some of this in a public forum. You're welcome to drop a note directly or not answer at all. But these types of answers are critical to making any suggestions as they frame up the boundaries.

Al

On 2/13/06, FDiskThePC [EMAIL PROTECTED] wrote:
[quoted text trimmed; identical to the messages above]
Re: [ActiveDir] ds* or joeware to get DN from email address
Thanks everyone. This did the trick. I'm now able to hand to another admin two sets of *.cmd files which read SMTP addresses from a text file and update group membership. If any troubleshooting needs to be done after a failed update he's empowered to look on the internet and research. Awesome!

Teo

On 2/11/06, Michael B. Smith [EMAIL PROTECTED] wrote:

for /?

An excerpt thereof:

FOR /F "eol=; tokens=2,3* delims=, " %i in (myfile.txt) do @echo %i %j %k

would parse each line in myfile.txt, ignoring lines that begin with a semicolon, passing the 2nd and 3rd token from each line to the for body, with tokens delimited by commas and/or spaces. Notice the for body statements reference %i to get the 2nd token, %j to get the 3rd token, and %k to get all remaining tokens after the 3rd. For file names that contain spaces, you need to quote the filenames with double quotes. In order to use double quotes in this manner, you also need to use the usebackq option, otherwise the double quotes will be

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Saturday, February 11, 2006 12:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ds* or joeware to get DN from email address

Joe and Hunter, thanks for the reply. Is it possible to feed the query the SMTP address from a file? Something similar to:

c:\>type smtp_addresses.txt | adfind -gc -b -f "(&(objectCategory=person)(proxyaddresses=get this from smtp_addresses.txt))" -dn

Thanks!

Teo

On 2/10/06, joe [EMAIL PROTECTED] wrote:

If you want to match on any smtp address (primary or any secondaries)

adfind -gc -b -f "(&(objectCategory=person)(proxyaddresses=smtp:[EMAIL PROTECTED]))" -dn

That will hit every domain in the forest too.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Friday, February 10, 2006 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ds* or joeware to get DN from email address

adfind -default -f "(&(objectCategory=person)(mail=[EMAIL PROTECTED]))" dn

You can change your search base as necessary. This also assumes that you want to check the primary SMTP address, and not match on a secondary address.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Friday, February 10, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ds* or joeware to get DN from email address

Are there any tools out there that can get me the DN from an email address? I can write a script for this pretty easily, but I want to hand the task off to another admin that does not know scripting. Having him use pre-existing tools will simplify things.

Teo
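Feeding addresses from a file into the adfind filter with for /F, as the thread above works out, puts whatever is on each line of the file straight into the LDAP filter. An added example, written for this page and not code from the thread or from the joeware tools: the same GC lookup (objectCategory=person, proxyAddresses=smtp:address) done in PowerShell, with each address escaped per RFC 4515 before it is spliced into the filter, so a stray `*` or a parenthesis in the input file is matched as text rather than changing what the query means. It assumes a file smtp_addresses.txt with one address per line and a caller who can read the global catalog.

```powershell
# Added example (not from the thread): resolve SMTP addresses from a text file to DNs with a
# GC search, escaping each address before it goes into the LDAP filter. Assumes one address
# per line in $AddressFile; blank lines and lines starting with ';' are skipped, as for /F eol=; does.
param(
    [string]$AddressFile = 'smtp_addresses.txt'
)

# RFC 4515 escaping for values inside an LDAP filter: \ * ( ) and NUL become \XX hex escapes.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Get-DnFromSmtpAddress {
    param([string]$Address)
    # Search the whole forest through the GC, as adfind -gc does.
    $rootDn   = ([ADSI]'LDAP://RootDSE').Get('rootDomainNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"GC://$rootDn"
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    # proxyAddresses carries primary ("SMTP:") and secondary ("smtp:") addresses; AD compares
    # the values case-insensitively, so this matches either kind.
    $escaped = ConvertTo-LdapFilterValue -Value $Address
    $searcher.Filter = "(&(objectCategory=person)(proxyAddresses=smtp:$escaped))"
    $hits = $searcher.FindAll()
    try {
        if ($hits.Count -ne 1) { return $null }   # no match, or more than one: leave it to the caller
        return $hits[0].Properties['distinguishedname'][0]
    } finally { $hits.Dispose() }
}

foreach ($line in Get-Content -Path $AddressFile) {
    $addr = $line.Trim()
    if (-not $addr -or $addr.StartsWith(';')) { continue }
    $dn = Get-DnFromSmtpAddress -Address $addr
    if ($dn) { "{0}`t{1}" -f $addr, $dn } else { Write-Warning "no unique match for $addr" }
}
```

Returning nothing on zero or multiple hits, instead of the first hit, is deliberate: when the output drives group membership changes, as in Teo's case, an ambiguous address should stop the update rather than pick an arbitrary account.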
Re: [ActiveDir] permon access
That works except when the user tries to create a counter log. The log doesn't start and when an attempt is made to start it, the user gets an event id 2046. The solution here -
http://eventid.net/display.asp?eventid=2046&eventno=2556&source=SysmonLog&phase=1
says to allow the Performance Logs and Alerts service on the local box to use an account that has the "logon as service" right on the remote server.

Is this my only solution?

Thanks

On 2/13/06, Coleman, Hunter [EMAIL PROTECTED] wrote:

http://support.microsoft.com/?kbid=300702 if you have 2k3 members

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, February 13, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] permon access

Sorry, member servers. remotely.

Thanks

On 2/13/06, Tom Kern [EMAIL PROTECTED] wrote:

Thank you very much!! That's exactly what I was looking for...

On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS [EMAIL PROTECTED] wrote:

Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help!
http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;164018

Thanks...
Sergio J. Olivarez - Contractor GD-NS

From: Tom Kern [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 13, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] permon access

That's why I stated I was on a Windows 2000 Forest. That group is only available on Win2k3 DCs.

Thanks

On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS [EMAIL PROTECTED] wrote:

How about utilizing the "Performance Monitor Users" built-in security group!

Thanks...
Sergio J. Olivarez - Contractor GD-NS

From: Tom Kern [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 13, 2006 8:14 AM
To: activedirectory
Subject: [ActiveDir] permon access

In a Windows 2000 Forest, what are the bare minimum rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a GPO adm template that allows this for win2k.

Thanks
RE: [ActiveDir] Script to transfer FSMO roles.
Dean

All sounds good. We are creating a single domain, two core main sites with around 60 branch offices world wide. Each core site has 2 X DC, will be W2K3 R2 once we get our heads around the new product. At first we are working with W2K3 SP1. DC will be Server Standard, Exch W2K3. A bit of citrix, and unix (Vintela for SSO) lots to think about. We are just doing a bit of AD proving at the moment and I will write up the FSMO transfer/seizure scenarios.

Is there any real advantage between the server editions :- Standard vs Enterprise. My feeling, and what I have seen in the past, is that Standard fits the bill for a DC build.

Simon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 13 February 2006 20:38
To: Send - AD mailing list
Subject: RE: [ActiveDir] Script to transfer FSMO roles.

[quoted text trimmed; identical to the messages above]
RE: [ActiveDir] Script to transfer FSMO roles.
Great, sounds like you're good to go!

Re: W2K3 Standard vs. Enterprise: there's a mass of information concerning the feature differences and supported hardware, the following is as good a place as any to start -

http://www.microsoft.com/windowsserver2003/default.mspx

I have no concerns using Standard edition for DCs, I don't see it too often since the majority of my customers are licensed up the wazoo and use whatever ISO they stumble across first :o)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Monday, February 13, 2006 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to transfer FSMO roles.

[quoted text trimmed; identical to the messages above]
RE: [ActiveDir] permon access
What account is the Performance Logs and Alerts running under, and what account did you give permissions to on the remote server's registry keys?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, February 13, 2006 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] permon access

[quoted text trimmed; identical to the messages above]
Re: [ActiveDir] permon access
Performance Logs and Alerts was running under Local System. I gave Read access to that reg key to a local group and put the user running the monitoring into that group. He gets that error when trying to start a counter log. So I created an account to run the Performance Logs and Alerts service on the user's local box and gave it log on as a service rights on the servers to be monitored and now it works. I'm not sure if this is the best or right way to go about it.

Thanks

On 2/13/06, Coleman, Hunter [EMAIL PROTECTED] wrote:
[quoted text trimmed; identical to the messages above]
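Tom's working setup gives the Performance Logs and Alerts service its own account, which fits Hunter's question: the remote server sees the reads coming from whatever account the service runs as, so that is the account (or a group holding it) that needs rights there. The first half of Tom's question, the minimum a user needs to run perfmon against a member server without being a local admin there, comes down to read access on two registry keys on the monitored box. An added example, written for this page and not code from the thread: a PowerShell function that grants a delegated group ReadKey on the Perflib key (counter definitions) and the winreg key (the gate for remote registry access) through the remote registry, instead of adding the user to Administrators. Assumed names are member01 and CORP\Perfmon-Readers; the caller must be an administrator on the target and the Remote Registry service must be running there, and which accounts need which keys on a given OS version should be checked against KB 164018 linked above.

```powershell
# Added example (not from the thread): grant a group read access to the registry keys a remote
# perfmon session needs, rather than making the user a local admin on the monitored server.
# Assumes the caller is an admin on $Server and the Remote Registry service runs there.
param(
    [string]$Server = 'member01',              # assumed name
    [string]$Group  = 'CORP\Perfmon-Readers'   # assumed name
)

$keys = @(
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib',          # performance counter definitions
    'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'     # who may open the registry remotely
)

function Grant-RegistryRead {
    param([string]$ComputerName, [string]$SubKey, [string]$Identity)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        # Open with ChangePermissions (WRITE_DAC) so the DACL can be rewritten.
        $key = $hklm.OpenSubKey($SubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]'ReadKey, ChangePermissions')
        if (-not $key) { throw "HKLM\$SubKey not found on $ComputerName" }
        try {
            $acl  = $key.GetAccessControl()
            # Read only, inherited by subkeys (Perflib keeps its per-language data in subkeys).
            $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                -ArgumentList $Identity, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
            $acl.AddAccessRule($rule)
            $key.SetAccessControl($acl)
            "granted ReadKey on HKLM\$SubKey to $Identity on $ComputerName"
        } finally { $key.Close() }
    } finally { $hklm.Close() }
}

foreach ($k in $keys) { Grant-RegistryRead -ComputerName $Server -SubKey $k -Identity $Group }
```

When a counter log is collected by the Performance Logs and Alerts service rather than by the interactive perfmon session, pass the service's account (or a group containing it) as -Group, since that is the identity the monitored server sees.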
[ActiveDir] dssite Still Sees Old DC
Hi

I am running through the W2k to W2k3 upgrade process in a lab. I have two sites. I have added a W2k3 box to Site1 and promoted it, transferred roles, moved the GC, confirmed SRV records, etc. I then demoted the W2k box at Site1. Once I stopped the DNS service on the now-member-server W2k box, the SRV records cleaned up. But

- W2kServer at Site1 still shows up as a Name Server for the fwd lookup zone. Do I need to manually get rid of this? (I would have thought that AD-integrated DNS would have cleaned this up automatically when I demoted).

- Even though replication is working, Site2 still sees both DCs at Site1. I am sure I can manually clean this up but shouldn't the ISTG clean this up?

Thanks.

-- nme
RE: [ActiveDir] dssite Still Sees Old DC
Unfortunately the name servers tab often requires manual effort to keep it up to date. As for Sites and Services, just what object(s) do you see for the old DC? Just the server object or also its NTDS Settings object?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, February 13, 2006 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dssite Still Sees Old DC

[quoted text trimmed; identical to the message above]
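Hunter's point that the Name Servers tab needs manual tending can at least be checked mechanically, using the same object he asks about: a DC that has been demoted no longer has an NTDS Settings object, so an NS record naming a host without one is a candidate for removal. An added example, written for this page and not code from the thread: a PowerShell script that compares the zone's NS records with the servers that still carry an NTDS Settings object in the Configuration partition and prints the dnscmd command that would delete each stale record. It assumes dc01.corp.example as a reachable DC that also serves DNS for the zone, corp.example as the zone name, and the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 and later), which is newer than the lab in the thread.

```powershell
# Added example (not from the thread): list NS records on a zone that name hosts with no NTDS
# Settings object left in the Configuration partition, and print the dnscmd command that would
# remove each. Assumes $Dc is a reachable DC and DNS server for $Zone.
param(
    [string]$Dc   = 'dc01.corp.example',   # assumed name
    [string]$Zone = 'corp.example'         # assumed zone
)

# FQDN of every server that still has an NTDS Settings (nTDSDSA) object, i.e. every live DC.
function Get-LiveDcHostNames {
    param([string]$Server)
    $configNc = ([ADSI]"LDAP://$Server/RootDSE").Get('configurationNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/CN=Sites,$configNc"
    $searcher.Filter = '(objectClass=nTDSDSA)'
    $hits = $searcher.FindAll()
    try {
        foreach ($h in $hits) {
            # NTDS Settings sits directly under the server object, which carries dNSHostName.
            $serverObj = $h.GetDirectoryEntry().Parent
            [string]$serverObj.Get('dNSHostName')
        }
    } finally { $hits.Dispose() }
}

function Get-StaleNsRecords {
    param([string]$Server, [string]$ZoneName)
    $live = @(Get-LiveDcHostNames -Server $Server | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() })
    $ns   = Resolve-DnsName -Name $ZoneName -Type NS -Server $Server -DnsOnly |
            Where-Object { $_.Type -eq 'NS' } |
            ForEach-Object { $_.NameHost.TrimEnd('.').ToLowerInvariant() }
    # A DNS server that is not a DC (a secondary, say) is legitimately absent from $live, so
    # each hit needs confirming before removal; that is why the command is printed, not run.
    $ns | Where-Object { $live -notcontains $_ }
}

$stale = @(Get-StaleNsRecords -Server $Dc -ZoneName $Zone)
if ($stale.Count -eq 0) { "no stale NS records on $Zone" }
foreach ($s in $stale) {
    "stale NS record: $s"
    "  remove with: dnscmd $Dc /RecordDelete $Zone @ NS $s."
}
```

Running the printed dnscmd line against one DNS server is enough for an AD-integrated zone, since the deletion replicates with the rest of the zone data.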