RE: [ActiveDir] Live Communications Server errors
Hello All,

This is my first contribution to the list, having been an avid reader for some time. Okay, to the question in hand:

What Client are you using?? Have you stipulated the following in AD??

Windows Messenger Policy Settings/SIP Communications Service Policies
Windows Messenger Policy Settings/Windows Messenger Feature Policies

Are you using TLS or TCP?

Darren Marsden

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 17 March 2006 16:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Live Communications Server errors

Are you attempting to login with your e-mail address rather than your UPN in AD? Is your e-mail domain the same as the AD domain? If not, and you want to login to the LCS infrastructure with your smtp address as an ID, you will need to add that namespace to the list of namespaces that the LCS server is authoritative for.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: 16 March 2006 23:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Live Communications Server errors

Since I was in a lab environment and I wanted to first learn the basics, I turned the XP firewall off and still get the failures. Oh well, back to the books to see if I missed a small note or something.

Dan

Original Message
Subject: Re: [ActiveDir] Live Communications Server errors
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
Date: Thu, March 16, 2006 2:31 pm
To: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
Cc: ActiveDir@mail.activedir.org

E-Bitz - SBS MVP the Official Blog of the SBS Diva: When troubleshooting setting up anything new: http://msmvps.com/blogs/bradley/archive/2004/12/04/22348.aspx

Ah yes, my issue was with the XP firewalls...

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

I had to set up a DNS record. Let me see if I remember what I did.

Daniel Gilbert wrote:

I thought so at first but, according to the LCS documentation, if I manually configure the clients I would not need DNS. Just to be on the safe side I created a new SRV record:

_sipinternal _tcp port 5060 lcsservername.domainname

Checked the output via a nslookup, set type=srv and the result was as expected. Went back to clients, flushed the DNS cache and still getting the same error:

Cannot sign in to Communications Serivce because the server is temporarily unavailable. Please try again later. If the problem persists, contact your system administrator

Dan

Original Message
Subject: RE: [ActiveDir] Live Communications Server errors
From: Woodruff, Michael [EMAIL PROTECTED]
Date: Thu, March 16, 2006 1:02 pm
To: ActiveDir@mail.activedir.org

Sounds like maybe a DNS issue... Does it check out ok?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, March 16, 2006 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Live Communications Server errors

Does anyone know if there is a forum dedicated to Live Communications Server (LCS)?? I am trying to establish a working LCS structure in a lab environment and it appears I am successful in all parts except for getting the clients to successfully connect to the LCS server.

I built the lab following:

Live Communications Server 2005 w/SP1 Active Directory Preparation
Live Communications Server 2005 w/SP1 Standard Edition Deployment Guide
Live Communications Server 2005 with SP1 Standard Edition Lab Quick Start

From the Admin snap-in on the LCS server all looks well. On the clients I get the error:

Cannot sign in to Communications Serivce because the server is temporarily unavailable. Please try again later. If the problem persists, contact your system administrator

I have stopped and restarted both the LCS service and MSDE service on the LCS server with no change in the client error messages.

A GOOGLE search does not turn up a lot of help but, I will continue to look. Any help in locating a forum or the answer would be much appreciated.

Dan

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
RE: [ActiveDir] Live Communications Server errors
Darren,

I was able to solve my issue by adding the child domain in the global properties under the forest name inside of LCS. I had built the system in a child domain, I guess by default only the root was in the global properties. Once I added all child domain names, the clients were able to log on with no problem.

Back to lurking and learning.

Dan

Original Message
Subject: RE: [ActiveDir] Live Communications Server errors
From: Marsden Darren [EMAIL PROTECTED]
Date: Fri, March 24, 2006 4:35 am
To: ActiveDir@mail.activedir.org

Hello All,

This is my first contribution to the list, having been an avid reader for some time. Okay, to the question in hand:

What Client are you using?? Have you stipulated the following in AD??

Windows Messenger Policy Settings/SIP Communications Service Policies
Windows Messenger Policy Settings/Windows Messenger Feature Policies

Are you using TLS or TCP?

Darren Marsden
Re: [ActiveDir] Live Communications Server errors
Windows Messenger 5.1

I tried Office Communicator but didn't like it for two reasons: one... something about the UI.. and two, this is for internal-only IM and I didn't want my end users to see things that they weren't getting (control freak, I know).

Daniel Gilbert wrote:

Darren,

I was able to solve my issue by adding the child domain in the global properties under the forest name inside of LCS. I had built the system in a child domain, I guess by default only the root was in the global properties. Once I added all child domain names, the clients were able to log on with no problem.

Back to lurking and learning.

Dan
[ActiveDir] Copying OU permissions
I need to find a way to dump the ACLs of an OU structure, then use that dump to re-apply the same permissions to a different OU. Anyone know of the best way to do this? I have seen DSACLS but cannot see a way to use a report to permission a different OU.

cheers
David
[ActiveDir] ldifde question
Hi,

Using LDIFDE, I've been able to export/import users, groups and OUs from and into our test AD, but I'm trying to figure out whether with the group export, can I export their memberships as well? Is there a better way to do that? This command seems to give me the group names at least:

ldifde -f c:\temp\exportOu.ldf -s myDC -d dc=my,dc=domain,dc=com -p subtree -r "(&(objectCategory=group)(name=*))" -l cn,objectclass,ou

Mark Creamer
Systems Engineer
Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040
Email: [EMAIL PROTECTED] | http://www.cintas.com
Re: [ActiveDir] Weird AD problem
Check the debug folder for the logs to see if there were any issues during the promotion. dcpromo, dcpromoui.logs and the err logs.

M@

On 22/03/06, Rimmerman, Russ [EMAIL PROTECTED] wrote:

Yes, from the good DC I can browse the bad DC, but not vice versa. The bad one can't see anything in the domain, no ADUC, can't browse any other computers, etc.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Olivarez, Sergio J Mr CTNOSC/GD-NS
Sent: Wednesday, March 22, 2006 5:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weird AD problem

Unfortunately, 95% of my experience is with 2003 so I don't know if 2000 is known for having this type of an issue. Is the DC registered correctly in DNS (including SRV records) and is it associated correctly in sites and services? Are you able to connect from the good DC to the bad DC via ADUC or ADSI? Sounds like maybe it might have been an unsuccessful promotion!

Thanks...
Sergio J. Olivarez - Contractor GD-NS

From: Rimmerman, Russ [mailto: [EMAIL PROTECTED]]
Sent: Wednesday, March 22, 2006 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weird AD problem

It was successfully demoted the first time, and the second answer is NO, I probably didn't. I'm trying http://support.microsoft.com/default.aspx?scid=kb;en-us;260575 right now (NETDOM RESETPWD) and it's telling me the specified network password is not correct. I'm using domain\administrator in the command line.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Olivarez, Sergio J Mr CTNOSC/GD-NS
Sent: Wednesday, March 22, 2006 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weird AD problem

Was the DC successfully demoted the first time or did you have to forcefully remove it? Did you make sure all traces of the old DC were gone in AD before you re-promoted it, including all DNS records?

Thanks...
Sergio J. Olivarez - Contractor GD-NS

From: Rimmerman, Russ [mailto: [EMAIL PROTECTED]]
Sent: Wednesday, March 22, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weird AD problem

Have a small Windows 2000 native AD domain, 2 DCs total. One of the DCs was rebuilt recently. It was demoted, a new server built, and promoted. Now, from the new DC, every server or desktop in the domain it tries to browse, you're prompted for username/password. Trying to use AD Users and Computers, it says it can't contact the domain. Viewing the FSMO role holders, it says the operations master is OFFLINE. I suspect this DC is off in the weeds. Would a simple demote/promote fix it or is there some other resolution? It has DNS configured properly, it just seems that keeping the same computername as the old DC wasn't such a good idea as now it's confused.

Thanks
RE: [ActiveDir] ldifde question
Just add member to the list of attributes.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, March 24, 2006 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldifde question

Hi,

Using LDIFDE, I've been able to export/import users, groups and OUs from and into our test AD, but I'm trying to figure out whether with the group export, can I export their memberships as well? Is there a better way to do that? This command seems to give me the group names at least:

ldifde -f c:\temp\exportOu.ldf -s myDC -d dc=my,dc=domain,dc=com -p subtree -r "(&(objectCategory=group)(name=*))" -l cn,objectclass,ou

Mark Creamer
Systems Engineer
Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040
Email: [EMAIL PROTECTED] | http://www.cintas.com
RE: [ActiveDir] ldifde question
Ah... an easy one then. Thanks Wook!

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, March 24, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldifde question

Just add member to the list of attributes.

Wook
RE: [ActiveDir] ldifde question
Assuming that the structures are now the same, then if you modify your query as follows: -l cn,objectclass,ou,member, you should get an output that includes the DN of the members of each group. Then you should be able to import the output into your target AD. If the structures are not the same, then the DN will bite you during import, unless you manually adjust the output file before import.

Sincerely,

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Creamer, Mark
Sent: Fri 3/24/2006 8:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldifde question

Hi,

Using LDIFDE, I've been able to export/import users, groups and OUs from and into our test AD, but I'm trying to figure out whether with the group export, can I export their memberships as well? Is there a better way to do that? This command seems to give me the group names at least...

ldifde -f c:\temp\exportOu.ldf -s myDC -d dc=my,dc=domain,dc=com -p subtree -r "(&(objectCategory=group)(name=*))" -l cn,objectclass,ou

Mark Creamer
Systems Engineer
Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040
Email: [EMAIL PROTECTED] | http://www.cintas.com
RE: [ActiveDir] ldifde question
Cool, thanks guys. I was afraid I was going to run into issues because it's multi-valued. Seems to work fine.

Thanks again
mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 24, 2006 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldifde question

Assuming that the structures are now the same, then if you modify your query as follows: -l cn,objectclass,ou,member, you should get an output that includes the DN of the members of each group. Then you should be able to import the output into your target AD. If the structures are not the same, then the DN will bite you during import, unless you manually adjust the output file before import.
RE: [ActiveDir] ldifde question
The sequence is of course to export the users and import them first. Then export the groups then import them. If you're doing a big directory, you have to watch out for adds/modifies/deletes that occur for users while you are dumping the groups. Generally not a problem if you export during a lull in AD writing, usually late at night on the weekend. Even if the structures are not identical, as long as they are parallel (different forest/domain root, but same OU structure) then you can always use the -c switch in ldifde either at the export or import steps to rewrite the DNs. You have to be careful though since with any find-and-replace operation, you may not be doing what you think you're doing. Doing this is ok for one offs, but for on going sync, you'll of course want to use something like MIIS or LDSU (which is an HP Services product) or whatever your fave meta-directory product happens to be. Or if you'd rather, you can always custom script it. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Friday, March 24, 2006 10:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ldifde question Cool, thanks guys. I was afraid I was going to run into issues because it's multi-valued. Seems to work fine. Thanks again mc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, March 24, 2006 12:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ldifde question Assuming that the structures are now the same, then if you modify your query as follows: -l cn,objectclass,ou,member, you should get an output that includes the DN of the members of each group. Then you should be able to import the output into your target AD. If the structures are not the same, then the DN will bite you during import, unless you manually adjust the output file before import. 
Sincerely,

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Creamer, Mark
Sent: Fri 3/24/2006 8:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldifde question

Hi,

Using LDIFDE, I've been able to export/import users, groups and OUs from and into our test AD, but I'm trying to figure out whether with the group export, can I export their memberships as well? Is there a better way to do that? This command seems to give me the group names at least...

ldifde -f c:\temp\exportOu.ldf -s myDC -d dc=my,dc=domain,dc=com -p subtree -r "(&(objectCategory=group)(name=*))" -l cn,objectclass,ou

Mark Creamer
Systems Engineer
Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040
Email: [EMAIL PROTECTED] | http://www.cintas.com

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
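The caution in this thread that ldifde's -c switch is a find-and-replace, and the advice to adjust the output file before import, can be made concrete. The following is an added example, not code from the thread or from Microsoft: it rewrites the domain suffix only where it ends a dn or member value and reports other attributes that mention it. The sample export, the target suffix DC=lab,DC=example,DC=test and all function names are constructed for illustration.

```python
import base64

DN_ATTRS = {"dn", "member"}  # DN-valued attributes in the thread's group export

def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def emit(attr, value):
    """Write 'attr: value', or base64 'attr:: ...' when LDIF requires it."""
    if value.isascii() and not value.startswith((" ", ":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def rewrite_suffix(text, old, new):
    """Swap a trailing domain suffix on dn/member values only; return (ldif, flagged).
    flagged = attributes mentioning the old suffix in plain text that a blind
    replace would also have changed. Assumes DNs carry no spaces after commas."""
    out, flagged = [], []
    for line in unfold(text):
        attr, sep, rest = line.partition(":")
        if not sep or attr.lower() not in DN_ATTRS:
            if sep and old.lower() in rest.lower():
                flagged.append(attr)
            out.append(line)  # other attributes pass through unchanged
            continue
        value = rest.strip()
        if rest.startswith(":"):  # base64 DN, e.g. a non-ASCII name
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        if value.lower().endswith("," + old.lower()):
            value = value[: len(value) - len(old)] + new
        out.append(emit(attr, value))
    return "\n".join(out) + "\n", flagged

# Constructed sample (not from the thread): folded member line, non-ASCII
# member DN stored as base64, and a description that mentions the suffix.
ZOE = base64.b64encode("CN=Zo\u00eb Example,OU=Staff,DC=my,DC=domain,DC=com".encode()).decode()
SAMPLE = (
    "dn: CN=Helpdesk,OU=Groups,DC=my,DC=domain,DC=com\n"
    "changetype: add\nobjectClass: group\n"
    "description: moved from dc=my,dc=domain,dc=com\n"
    "member: CN=Alice Example,OU=Staff,DC=my,DC=\n domain,DC=com\n"
    "member:: " + ZOE + "\n"
)
```

Calling rewrite_suffix(SAMPLE, "DC=my,DC=domain,DC=com", "DC=lab,DC=example,DC=test") returns the rewritten LDIF plus the list of attributes to review by hand; output lines are left unfolded, which RFC 2849 permits.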
RE: RE: [ActiveDir] FYI: W2K3 SP1 VMWARE issue
The standalone server is in a workgroup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: Wednesday, March 22, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] FYI: W2K3 SP1 VMWARE issue

Is the stand alone server a member of the domain? I have had issues, non-VMware related, where I could not promote a server to become a DC if it was a member of the domain; I had to remove it first, then promote it. This was post SP1.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robinson, Chuck
Sent: 22 March 2006 16:50
To: ActiveDir@mail.activedir.org
Subject: [Norton AntiSpam] RE: [ActiveDir] FYI: W2K3 SP1 VMWARE issue

Resend:

I would like to add, can anyone from Microsoft on this list speak to what changed in Windows 2003 SP1 that would cause this symptom?

Chuck

From: Robinson, Chuck
Sent: Friday, March 10, 2006 6:22 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] FYI: W2K3 SP1 VMWARE issue

Sorry to revive this one from the archives, but it's been haunting me. I've experienced the same issue when trying to promote a standalone W2K3 SP1 server to a domain controller. In an attempt to further uncover the root cause of this nuisance I would like to add the following.

This problem seems to affect Windows Server 2003 SP1 VMs running on VMware Workstation and ESX, even though ESX doesn't use shared folders (haven't tested on GSX). If the VMware Tools Shared Folders component is installed on a VM running on ESX (not default VMware Tools installation on ESX hosted VMs) the issue still raises its ugly head. Also, a Windows Server 2003 (no SP1) standalone server with the Shared Folders option installed does not experience this symptom.

So, the question is what changed in Windows Server 2003 SP1 that is causing this symptom/problem? And is it Shared Folders or something in Windows Server 2003 SP1 that is incompatible with Shared Folders?
Regards,
Chuck

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, January 17, 2006 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FYI: W2K3 SP1 VMWARE issue

Hi Everyone,

As you all may know a few months ago I posted two issues with Vmware and W2K3SP1 DCs. The issues described are:

* Adding additional W2K3SP1 DCs to the forest
* Creating trusts from a W2K3SP1 forest to another forest (does not matter which OS)

Both the issues are described here:

http://blogs.dirteam.com/blogs/jorge/archive/2005/11/14/60.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2005/12/18/297.aspx
http://www.activedir.org/article.aspx?aid=75

This time I was setting up an environment with a w2k forest and a w2k3 sp1 forest. When setting up the trust I received the error we discussed a while ago (see articles above). A few days ago someone posted which component caused this issue. The component in error seems to be the Shared Folder component from Vmware (at least in Vmware Workstation). This time instead of changing the password of the administrator account, I deinstalled the Shared Folder component and rebooted the DC. After that I was able to create the trust without any problem.

So, the Shared Folder component from Vmware does seem to be the root cause of this.

Cheers,
Jorge

Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
Infrastructure Consultant
BLOG http://blogs.dirteam.com/blogs/jorge/default.aspx

LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (IDT)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel : +31-(0)40-29.57.777
Fax : +31-(0)40-29.57.709
Mobile : +31-(0)6-26.26.62.80
E-mail : [EMAIL PROTECTED]
http://www.logicacmg.com/ - Solutions that matter -

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Copying OU permissions
Hi David,

my script at http://www.windowsserverfaq.org/faq/CompACLs.asp provides you with all the parts you need to put your script together.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wyatt, David
Sent: Friday, March 24, 2006 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Copying OU permissions

I need to find a way to dump the ACLs of an OU structure, then use that dump to re-apply the same permissions to a different OU. Anyone know of the best way to do this? I have seen DSACLS but cannot see a way to use a report to permission a different OU.

cheers
David

This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required.
[ActiveDir] OT: Microsoft Apply By Phone Patches:
FYI, If you are lucky enough to have to ring Microsoft in order to ascertain a patch take the following into consideration. Should you use Microsoft Outlook with the junk e-mail filter set to "High" and the "Permanently delete suspected junk e-mail..." option ticked you will never receive the e-mail. James Blair
RE: [ActiveDir] Weird AD problem
Just an idea (where I would start looking) ...

As your error says it cannot find the operation Masters ... Did you check in AD on which server they are now? By the sound of it you demoted the server holding all the roles and it might be that the roles haven't transferred correctly; this is an issue if you used the same server again. If the roles are not assigned to the right (if everything went OK they should be on the server you did not work on!) server then you have to seize them (as the original is no more existing).

Maybe this fixes your issue.

Cheers
Kat

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of matheesha weerasinghe
Sent: Saturday, 25 March 2006 4:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Weird AD problem

Check the debug folder for the logs to see if there were any issues during the promotion. dcpromo, dcpromoui.logs and the err logs.

M@

On 22/03/06, Rimmerman, Russ [EMAIL PROTECTED] wrote:

Yes, from the good DC I can browse the bad DC, but not vice versa. The bad one can't see anything in the domain, no ADUC, can't browse any other computers, etc.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Olivarez, Sergio J Mr CTNOSC/GD-NS
Sent: Wednesday, March 22, 2006 5:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weird AD problem

Unfortunately, 95% of my experience is with 2003 so I don't know if 2000 is known for having this type of an issue. Is the DC registered correctly in DNS (including SRV records) and is it associated correctly in sites and services? Are you able to connect from the good DC to the bad DC via ADUC or ADSI? Sounds like maybe it might have been an unsuccessful promotion!

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Rimmerman, Russ [mailto: [EMAIL PROTECTED]]
Sent: Wednesday, March 22, 2006 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weird AD problem

It was successfully demoted the first time, and the second answer is NO, I probably didn't. I'm trying http://support.microsoft.com/default.aspx?scid=kb;en-us;260575 right now (NETDOM RESETPWD) and it's telling me the specified network password is not correct. I'm using domain\administrator in the command line.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Olivarez, Sergio J Mr CTNOSC/GD-NS
Sent: Wednesday, March 22, 2006 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weird AD problem

Was the DC successfully demoted the first time or did you have to forcefully remove it? Did you make sure all traces of the old DC were gone in AD before you re-promoted it, including all DNS records?

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Rimmerman, Russ [mailto: [EMAIL PROTECTED]]
Sent: Wednesday, March 22, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weird AD problem

Have a small Windows 2000 native AD domain, 2 DCs total. One of the DCs was rebuilt recently. It was demoted, a new server built, and promoted. Now, from the new DC, every server or desktop in the domain it tries to browse, you're prompted for username/password. Trying to use AD Users and Computers, it says it can't contact the domain. Viewing the FSMO role holders, it says the operations master is "OFFLINE". I suspect this DC is off in the weeds. Would a simple demote/promote fix it or is there some other resolution? It has DNS configured properly, it just seems that keeping the same computername as the old DC wasn't such a good idea as now it's confused.

Thanks

~~This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.~~
Re: [ActiveDir] OT: Microsoft Apply By Phone Patches:
LOL!! Live and learn, I guess!

On 3/24/06, Blair, James [EMAIL PROTECTED] wrote:

FYI, If you are lucky enough to have to ring Microsoft in order to ascertain a patch take the following into consideration. Should you use Microsoft Outlook with the junk e-mail filter set to High and the Permanently delete suspected junk e-mail... option ticked you will never receive the e-mail….

James Blair

--
Kat Collins - The Email of the species is more powerful than the Mail!

The human voice is the organ of the soul. Henry Wadsworth Longfellow