Re: FW: [ActiveDir] Repadmin error message
We have many lingering objects in our domain (we have a main domain and 18 subdomains); Microsoft's support detected that. I am trying to rehost information from a good server (GC) to another that has wrong information. I already did that last year because we had the same problem with another user, and it worked fine. But now I get that error message and cannot execute the command.

att.
Adrião Ferreira Ramos
Superintendência de Tecnologia da Informação
Depto. de Operações e Infra-estrutura - CII
[EMAIL PROTECTED]
11 - 3388-8193

Almeida Pinto, Jorge de [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
17/04/2006 17:13
Please reply to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: FW: [ActiveDir] Repadmin error message

What are you trying to achieve? Are you rebuilding a read-only NC (partition) on a global catalog? Why?

The exact text is:

D:\>net helpmsg 8450
The naming context cannot be removed because it is replicated to another server.

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 13:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Repadmin error message

My friends, I'm having a problem when I try to run repadmin /rehost. I receive an error message. I receive the message in Portuguese, because my domain is PT, but I'll try to translate it (if someone from Portugal or Brazil can help me, I will be thankful).

IN PORTUGUESE:
failed with status 8450 (0x2102)
O contexto de nomes não pode ser removido porque é duplicado para outro servidor.
New DC Options: IS_GC

IN ENGLISH:
failed with status 8450 (0x2102)
the naming context could not be removed because it is replicated to another server

Thanks
Adrião Ferreira Ramos
Superintendência de Tecnologia da Informação
Depto. de Operações e Infra-estrutura - CII
[EMAIL PROTECTED]
11 - 3388-8193

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
[ActiveDir] lockout account
How can you programmatically lock out an account? Do I have to manipulate the userAccountControl attribute or the lockoutTime attribute? Can you just do this using Adsiedit.msc or LDP.exe as well? Just curious. Thanks
RE: [ActiveDir] lockout account
When testing, I simply use a "net use" command and provide the correct user ID but the wrong password. Repeat until the account locks. Simple but effective :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 18 April 2006 14:31
To: activedirectory
Subject: [ActiveDir] lockout account

How can you programmatically lock out an account? Do I have to manipulate the userAccountControl attribute or the lockoutTime attribute? Can you just do this using Adsiedit.msc or LDP.exe as well? Just curious. Thanks

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
Re: [ActiveDir] lockout account
I guess what I want to know is what attribute you can set to just lock it out... Thanks

On 4/18/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
When testing, I simply use a net use command and provide the correct user ID but the wrong password. Repeat until the account locks. Simple but effective :)

neil
Re: [ActiveDir] DNS addition - event error 4010: unable to create RR for AD zone
On 4/17/06, Al Mulnick [EMAIL PROTECTED] wrote:
When you talk about deleting and such, are you thinking about newsgroup posts like this one: http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.dns/2005-05/msg00245.html ???

Yes, along those lines. But the zone file in question in this scenario is the forward lookup zone for AD. Since DNS plays a critical role in AD, I am sure that you can understand that I am hesitant to just delete the AD DNS zone without understanding exactly how a new zone will automatically create all the essential resource records.

Some questions:

Is DNS AD-Integrated?

Yes, the default.

Software revisions in use?

I am not sure what you mean, but there is a mix of Windows 2000 SP4 and Windows Server 2003 SP1.

When the client fails, what's the error logged and what are they looking for? (I assume nslookup vs. live clients - is that correct?)

Example:
hosts file only contains one server on the LAN
DNS cache has been flushed
DNS client points exclusively to the IP of the DNS server
NIC has been restarted
nslookup: default server displayed; try a hostname lookup and I receive:
DNS request timed out.
timeout was 2 seconds

When I ping a hostname not previously looked up (or in the cache), it takes a few seconds and then it finally resolves the name and pings the host successfully.

Regardless, do you know what can be done to resolve the original issue? What I have just described is more than likely a result of the root problem.

Thanks,
...D

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Exchange rights slow to become available
Seems to be a replication issue. You could manually force replication to your DC(s) and member servers using Active Directory Sites and Services.

-Shariff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, April 17, 2006 9:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rights slow to become available

I must be well past beer-thirty, but I'm not getting enough information to understand what you're doing. I understand that you want to find a way to hurry up the end result, which is to let the user have access to something. But it seems critical to understand what that something is to understand where the lapse in expectations is occurring. Can you elaborate? What exactly are you doing that you want to speed up the process for? Can you give us step by step?

Al

On 4/17/06, Tim Egbert [EMAIL PROTECTED] wrote:
Is anyone else experiencing this problem? I have a security group granting Exchange Server rights to group members (e.g. add/remove users). It takes about 30 minutes, however, after adding the user to the group before the rights become available to the user. How do I get the rights to become available to group members right away?

Thanks,
Tim
RE: [ActiveDir] Time Service Errors
After you run the command below to set the registry and restart the time service, it fails the time service advertising:

w32tm /config /syncfromflags:domhier /manualpeerlist:pdc /reliable:yes

If you use the command below with /reliable:no, stating it is NOT a reliable time source, it works correctly and advertises.

w32tm /config /syncfromflags:domhier /manualpeerlist:pdc /reliable:no

Am I interpreting this command incorrectly, or is the switch backwards?

werdnA

HKLM\system\currentcontrolset\services\w32time\
\config\AnnounceFlags = A (10) causes the server to announce itself as a time server (/reliable:no)
\Parameters\NtpServer = pdc Uses the domain PDC emulator to sync time (manualpeerlist:pdc)
\Parameters\Type = NT5DS NT5DS = synchronize to domain hierarchy [default] (/syncfromflags:domhier)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, April 17, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service Errors

And the second obvious question: have you taken a trace with something like Ethereal? I'm sure it has an (S)NTP protocol analyzer to look at the packets and tell you if it's a network issue, a PDC issue or a host issue (or some combination thereof). Send a trace back (or privately if you prefer) of the w32tm /resync packets and I can look at it if need be.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Sunday, April 16, 2006 10:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Service Errors
Importance: Low

Stupid question: is the NTP port open between them? Since these are the only two servers in the site, are there any IPsec rules etc.?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Feigin, Andrew
Sent: Saturday, April 15, 2006 1:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time Service Errors

I'm having a problem with time services in a particular root domain on 2003 SP1. Initially, all 4 DCs were not advertising as time servers; I was able to fix that issue. The 3 DCs will not do a resync with the PDC emulator when I run w32tm /resync:

C:\>w32tm /resync
Sending resync command to local computer...
The computer did not resync because no time data was available.

When I do the monitor command below, I get:

C:\>w32tm /monitor /domain:r2
LIVP3R2RDOM01.r2.xxx.net [172.20.225.239]:
    ICMP: 0ms delay.
    NTP: -6.5469435s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: 'LOCL' [76.79.67.76]
LIVP3R2RDOM02.r2.xxx.net [172.20.225.240]:
    ICMP: 0ms delay.
    NTP: -5.9396763s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: 'LOCL' [76.79.67.76]
FTWP3R2RDOM01.r2.xxx.net [10.175.36.11]:
    ICMP: 39ms delay.
    NTP: -0.685s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: 'LOCL' [76.79.67.76]
FTWP3R2RDOM02.r2.xxx.net *** PDC *** [10.175.36.17]:
    ICMP: 39ms delay.
    NTP: +0.000s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: FTWP3R2RDOM01.r2.aig.net [10.175.36.11]

The PDC is in sync with the other server in its site; the 2 not in its site will not sync, and all get the error on a resync. I have a case open with MS, however they can't find a way to fix it.

Help,
Andrew
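The w32tm /monitor output quoted above carries the diagnosis if you read the RefID column: the three non-PDC DCs report RefID 'LOCL', meaning each is serving its own local clock rather than following the domain hierarchy, and the PDC's own reference is one of those DCs. As an added example (mine, not code from any poster), the Python below parses that output and flags exactly those conditions, plus any offset beyond a skew threshold. The sample text is constructed from the figures quoted in the thread, reflowed into w32tm's per-host multi-line layout with all hostnames under r2.xxx.net; the 300-second default for the offset warning is my choice (the Kerberos default maximum clock skew), not something the thread states.

```python
"""Added example (not from the ActiveDir thread): parse `w32tm /monitor` output
and flag DCs that are free-running on their local clock (RefID 'LOCL'), a PDC
that takes time from such a DC, and offsets beyond a skew threshold."""
import re
from typing import Dict, List

# Constructed sample, built from the figures quoted in the thread (hostnames
# anonymised to r2.xxx.net), in w32tm's per-host multi-line layout.
SAMPLE_OUTPUT = """\
LIVP3R2RDOM01.r2.xxx.net [172.20.225.239]:
    ICMP: 0ms delay.
    NTP: -6.5469435s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: 'LOCL' [76.79.67.76]
LIVP3R2RDOM02.r2.xxx.net [172.20.225.240]:
    ICMP: 0ms delay.
    NTP: -5.9396763s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: 'LOCL' [76.79.67.76]
FTWP3R2RDOM01.r2.xxx.net [10.175.36.11]:
    ICMP: 39ms delay.
    NTP: -0.685s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: 'LOCL' [76.79.67.76]
FTWP3R2RDOM02.r2.xxx.net *** PDC *** [10.175.36.17]:
    ICMP: 39ms delay.
    NTP: +0.000s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: FTWP3R2RDOM01.r2.xxx.net [10.175.36.11]
"""

# One record per DC; \s* lets the regex span w32tm's line breaks, so the same
# pattern also accepts the output when it has been flattened onto one line.
RECORD = re.compile(
    r"(?P<host>[\w.-]+)(?P<pdc>\s+\*\*\* PDC \*\*\*)?\s+\[(?P<ip>[\d.]+)\]:\s*"
    r"ICMP:\s+(?P<icmp>\d+)ms delay\.\s*"
    r"NTP:\s+(?P<offset>[+-]?[\d.]+)s offset from\s+(?P<source>[\w.-]+)\s*"
    r"RefID:\s+(?P<refid>'[A-Za-z]+'|[\w.-]+)"
)


def parse_monitor(text: str) -> List[Dict]:
    """Return one dict per DC found in the monitor output."""
    records = []
    for m in RECORD.finditer(text):
        records.append({
            "host": m["host"],
            "ip": m["ip"],
            "is_pdc": m["pdc"] is not None,
            "icmp_ms": int(m["icmp"]),
            "offset_s": float(m["offset"]),   # offset from the reference DC w32tm chose
            "source": m["source"],
            "refid": m["refid"].strip("'"),    # 'LOCL' = uncalibrated local clock
        })
    return records


def assess(records: List[Dict], max_skew_s: float = 300.0) -> Dict[str, List[str]]:
    """Map each host to a list of warnings (empty list = nothing to report)."""
    by_host = {r["host"].lower(): r for r in records}
    findings: Dict[str, List[str]] = {}
    for r in records:
        notes = []
        if abs(r["offset_s"]) > max_skew_s:
            notes.append(f"offset {r['offset_s']:+.3f}s from {r['source']} "
                         f"exceeds {max_skew_s:.0f}s")
        if r["refid"] == "LOCL":
            if r["is_pdc"]:
                notes.append("PDC emulator has no upstream source (RefID LOCL)")
            else:
                notes.append("RefID LOCL: serving its own local clock instead of "
                             "following the domain hierarchy")
        if r["is_pdc"]:
            # The PDC should take time from an external source; if its reference
            # is one of the DCs in this list and that DC is free-running, the
            # whole hierarchy is chasing an unanchored clock.
            upstream = by_host.get(r["refid"].lower())
            if upstream is not None and upstream["refid"] == "LOCL":
                notes.append(f"PDC takes time from {upstream['host']}, "
                             f"which is itself free-running (LOCL)")
        findings[r["host"]] = notes
    return findings


if __name__ == "__main__":
    for host, notes in assess(parse_monitor(SAMPLE_OUTPUT)).items():
        print(host, "->", "; ".join(notes) if notes else "ok")
```

Run against the constructed sample it reports the three LOCL DCs and the PDC's dependence on FTWP3R2RDOM01; lowering `max_skew_s` to a few seconds also surfaces the two 6-second offsets, which is the kind of threshold worth alerting on long before Kerberos tickets start failing.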
RE: [ActiveDir] Exchange rights slow to become available
See Microsoft KB 327378 (Exchange 2000 and Exchange 2003 mailbox size limits are not enforced in a reasonable period of time; fix requires Exchange 2000 SP3)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Egbert
Sent: Monday, April 17, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rights slow to become available

Is anyone else experiencing this problem? I have a security group granting Exchange Server rights to group members (e.g. add/remove users). It takes about 30 minutes, however, after adding the user to the group before the rights become available to the user. How do I get the rights to become available to group members right away?

Thanks,
Tim
[ActiveDir] stupid ldap queries
All,

Could someone please explain how non-indexed queries (e.g. objectClass=user) fall in this category? I saw this mentioned in some slides by Gil and couldn't quite understand what he meant. Isn't objectClass indexed as part of the partial attribute set?

Thanks
M@
[ActiveDir] any experiences with PassFilt Pro software?
Anybody out there have any experience with the PassFilt Pro software by Altus Networks Solutions, Inc.?

TIA,
Mike Thommes
RE: [ActiveDir] lockout account
You can try setting the lockout bit (below) on userAccountControl, but I'm nearly positive only the system can set that bit. What is your end goal / why are you trying to do this?

ADS_UF_LOCKOUT = 16, // 0x10   The account is currently locked out.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, April 18, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] lockout account

I guess what I want to know is what attribute you can set to just lock it out... Thanks
RE: [ActiveDir] stupid ldap queries
Not sure I understand the question fully, but no, objectClass is not indexed. objectCategory is. So if you want to get all users you do:

(&(objectCategory=person)(objectClass=user))

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] stupid ldap queries
[ActiveDir] NT 3.51 trust verification lies
Anyone experience the following?

NT 3.51 to 2000 Native mode trust
Nltest validates the trust
GUI validates the trust
Cannot enumerate users of 3.51 domain from domainA
Can enumerate users of 3.51 from another 2000 native mode domain... domainB
Trust no longer validates to domainA after about 30 minutes (plus/minus random time)

Any help is highly appreciated
Re: [ActiveDir] lockout account
Only the system can change that. Just curiosity. No real reason. I was just interested that if you wanted to lock out an account for testing purposes, you could do it with a script or by manipulating an attribute instead of making LDAP or net use calls with bad passwords. Thanks a lot for all your help

On 4/18/06, Brian Desmond [EMAIL PROTECTED] wrote:
You can try setting the lockout bit (below) on userAccountControl but I'm nearly positive only the system can set that bit. What is your end goal / why are you trying to do this?

ADS_UF_LOCKOUT = 16, // 0x10   The account is currently locked out.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
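The thread settles on two facts: the ADS_UF_LOCKOUT bit (16) is set by the DC, not by an administrator, and the attribute that actually records a lockout is lockoutTime. What it does not show is how to read those values back, which is what a helpdesk or detection script needs. As an added example (mine, not code from any poster), the Python below decodes lockoutTime (a FILETIME large integer) together with the domain's lockoutDuration to decide whether an account is still locked, and tests the ADS_UF_LOCKOUT bit against a flags value. Assumptions: attribute values are passed in as the raw integers LDAP returns; the sample timestamps and duration are constructed; and the flag is read from msDS-User-Account-Control-Computed, since the stored userAccountControl attribute does not carry the lockout bit.

```python
"""Added example (not from the ActiveDir thread): evaluate AD account lockout
state from lockoutTime, the domain's lockoutDuration and the computed
userAccountControl flags. All sample values are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

ADS_UF_LOCKOUT = 0x10                      # 16, the lockout bit quoted in the thread
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = -0x8000000000000000                # lockoutDuration meaning "until an admin unlocks"


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """lockoutTime is a FILETIME: 100-ns ticks since 1601-01-01 UTC; 0 = never locked."""
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def interval_to_timedelta(interval: int) -> Optional[timedelta]:
    """Domain intervals such as lockoutDuration are stored as negative 100-ns counts."""
    if interval == NEVER:
        return None
    return timedelta(microseconds=abs(interval) // 10)


def lockout_status(lockout_time: int, lockout_duration: int,
                   now: datetime) -> Tuple[str, Optional[datetime]]:
    """Classify an account and report when the lock expires, if it does.

    lockoutTime is not necessarily reset when the duration elapses, so a
    non-zero value on its own is not proof of a live lock: compare
    lockoutTime + lockoutDuration against the current time.
    """
    locked_at = filetime_to_datetime(lockout_time)
    if locked_at is None:
        return "not locked", None
    duration = interval_to_timedelta(lockout_duration)
    if duration is None:
        return "locked until unlocked by an administrator", None
    unlock_at = locked_at + duration
    if now < unlock_at:
        return "locked", unlock_at
    return "lockout expired", unlock_at


def has_lockout_flag(uac_computed: int) -> bool:
    """Test ADS_UF_LOCKOUT on a flags value read from msDS-User-Account-Control-Computed."""
    return bool(uac_computed & ADS_UF_LOCKOUT)


if __name__ == "__main__":
    # Constructed sample: locked at 14:31 UTC on 2006-04-18 with a 30-minute lockoutDuration.
    locked_at = datetime(2006, 4, 18, 14, 31, tzinfo=timezone.utc)
    sample_lockout_time = datetime_to_filetime(locked_at)
    sample_duration = -(30 * 60 * 10_000_000)
    for minutes in (10, 45):
        status, until = lockout_status(sample_lockout_time, sample_duration,
                                       locked_at + timedelta(minutes=minutes))
        print(f"+{minutes} min: {status} (until {until})")
```

The same arithmetic is what a monitoring job would apply to an LDAP search for `(lockoutTime>=1)`: a burst of accounts whose computed status is "locked" within a short window is the detection signal for password spraying, and the expiry time tells the helpdesk whether an unlock is even needed.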
Re: [ActiveDir] stupid ldap queries
Thanks for the reply. In that case, why does

adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE))" ldapdisplayname -list

return objectClass among the others? Doesn't this mean objectClass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid LDAP queries that load up the server. I am still learning, so please be patient with this n00b.

Thanks
M@

On 4/18/06, Brian Desmond [EMAIL PROTECTED] wrote:
Not sure I understand the question fully, but no, objectClass is not indexed. objectCategory is. So if you want to get all users you do: (&(objectCategory=person)(objectClass=user))
Re: [ActiveDir] stupid ldap queries
Sorry, that was meant to be:

adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE))" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
Thanks for the reply. In that case, why does adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE))" ldapdisplayname -list return objectClass among the others? Doesn't this mean objectClass is indexed?
Re: [ActiveDir] stupid ldap queries
Bummer! I meant:

adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
Sorry, that was meant to be: adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE))" ldapdisplayname -list
RE: [ActiveDir] stupid ldap queries
I think you are confusing "indexed" with "is in the global catalog". They are not synonymous. You can have one without the other just fine.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] stupid ldap queries

Sorry, that was meant to be: adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE))" ldapdisplayname -list
RE: [ActiveDir] NT 3.51 trust verification lies
You are kidding, right? Please say yes. 3.51? You work in a museum or something? :)

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Tue 4/18/2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NT 3.51 trust verification lies
RE: [ActiveDir] stupid ldap queries
No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There's an attribute (I think isIndexed) which says the attribute should be indexed in the database.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] stupid ldap queries

bummer! I meant

adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

sorry that was meant to be

adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE))" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

Thanks for the reply. In that case why does

adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE))" ldapdisplayname -list

return objectclass amongst the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this n00b.

Thanks
M@

On 4/18/06, Brian Desmond [EMAIL PROTECTED] wrote:

Not sure I understand the question fully, but, no, objectClass is not indexed. objectCategory is. So if you want to get all users you do:

(&(objectCategory=person)(objectClass=user))

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] stupid ldap queries

All

Could someone please explain how non-indexed queries (e.g. objectClass=user) fall in this category? I saw this mentioned in some slides by Gil and couldn't quite understand what he meant. Isn't objectclass indexed as part of the partial attribute set?

Thanks
M@
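The distinction Brian draws above (isMemberOfPartialAttributeSet says an attribute is replicated to the GC; whether it is indexed is a separate schema setting) can be checked against a filter before it is sent to a DC. In the schema that setting is bit 0 (value 1) of the attributeSchema object's searchFlags, the same attribute whose bit 3 (value 8) governs tombstone preservation in the thread further down. The script below is an added example, not part of the thread: its schema fragment is constructed to match what the replies describe (objectCategory indexed, objectClass in the partial attribute set but not indexed), and the index-driven versus full-scan rule it applies is a simplification of the DC's query optimiser.

```python
"""Report whether the attributes in an LDAP filter are indexed on the DC.

Added example, not from the thread.  The schema fragment below is constructed
to match what the replies describe for a Windows 2003-era schema: objectClass
is in the partial attribute set (replicated to the GC) but carries no index,
objectCategory is indexed.  Whether an attribute is indexed is bit 0 of its
attributeSchema searchFlags; bit 3 is the preserve-on-tombstone flag.
"""
import re

SEARCHFLAG_INDEXED = 1              # searchFlags bit 0: build an index on this attribute
SEARCHFLAG_PRESERVE_ON_DELETE = 8   # searchFlags bit 3: keep the attribute on the tombstone

# lDAPDisplayName (lower-cased) -> the two attributeSchema values that matter here.
SCHEMA = {
    "objectcategory": {"searchFlags": 1, "isMemberOfPartialAttributeSet": True},
    "objectclass":    {"searchFlags": 8, "isMemberOfPartialAttributeSet": True},
    "samaccountname": {"searchFlags": 1, "isMemberOfPartialAttributeSet": True},
    "description":    {"searchFlags": 0, "isMemberOfPartialAttributeSet": True},
    "employeeid":     {"searchFlags": 0, "isMemberOfPartialAttributeSet": False},
}

# One simple comparison term of a filter, e.g. (objectClass=user).
TERM_RE = re.compile(r"\(([A-Za-z0-9-]+)(<=|>=|~=|=)([^()]*)\)")


def is_indexed(attr):
    entry = SCHEMA.get(attr.lower())
    return entry is not None and bool(entry["searchFlags"] & SEARCHFLAG_INDEXED)


def in_partial_attribute_set(attr):
    entry = SCHEMA.get(attr.lower())
    return entry is not None and entry["isMemberOfPartialAttributeSet"]


def filter_terms(ldap_filter):
    """Return the (attribute, operator, value) terms found in the filter."""
    return TERM_RE.findall(ldap_filter)


def analyse_filter(ldap_filter):
    """Classify a filter as index-driven or a full scan of the partition.

    Simplified model of the DC's choice: an AND filter can be driven by any
    one indexed term, an OR filter only if every branch is indexed, a NOT
    filter never, and a single term only if its own attribute is indexed.
    Only the outermost operator is considered.  A value with a leading
    wildcard ('*bob') cannot use the index; a bare '*' (presence test) can.
    """
    stripped = ldap_filter.strip()
    top = ""
    if len(stripped) > 1 and stripped[0] == "(" and stripped[1] in "&|!":
        top = stripped[1]
    terms = []
    for attr, _op, value in filter_terms(stripped):
        leading_wildcard = value.startswith("*") and value != "*"
        terms.append({
            "attribute": attr,
            "in_gc": in_partial_attribute_set(attr),
            "indexed": is_indexed(attr) and not leading_wildcard,
        })
    usable = [t["indexed"] for t in terms]
    if not usable or top == "!":
        indexed = False
    elif top == "&":
        indexed = any(usable)
    elif top == "|":
        indexed = all(usable)
    else:
        indexed = usable[0]
    return {"filter": stripped, "indexed": indexed, "terms": terms}


def describe(ldap_filter):
    """One line per term plus the verdict, for reading at a prompt."""
    result = analyse_filter(ldap_filter)
    lines = [f"{t['attribute']}: indexed={t['indexed']} in_gc={t['in_gc']}"
             for t in result["terms"]]
    verdict = "index-driven" if result["indexed"] else "FULL SCAN"
    return "\n".join(lines + [f"{ldap_filter} -> {verdict}"])


if __name__ == "__main__":
    for f in ["(objectClass=user)",
              "(&(objectCategory=person)(objectClass=user))",
              "(|(objectClass=user)(sAMAccountName=bob))",
              "(sAMAccountName=*smith)"]:
        print(describe(f), end="\n\n")
```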
RE: [ActiveDir] NT 3.51 trust verification lies
Lol. Yeah, I am serious. Probably over 20 3.51 domains. Part of a migration project.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 18, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NT 3.51 trust verification lies

You are kidding, right? Please say yes. 3.51? You work in a museum or something? :)

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
RE: [ActiveDir] NT 3.51 trust verification lies
Man, you sure are brave :)

Anywhoo, I was going to suggest that you whip out the trusty lmhosts magic file and see if that helps you. That used to solve a lot of trust and resolution issues for us in those days. But then I read that DomainB has no beef with the 3.51. So, I don't know what to tell you - beside saying NT3.51 is NOT supported! That won't work, eh?

OK, let's take the obvious - is name resolution working fine otherwise between the 3.51 and DomainA? Are you seeing any specific error on DomainA DCs? If WINS is in the picture, can you configure WINS servers on both sides to be replication partners? [1]

[1] I am reaching at this point.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Tue 4/18/2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NT 3.51 trust verification lies

Lol. Yeah, I am serious. Probably over 20 3.51 domains. Part of a migration project.
RE: [ActiveDir] stupid ldap queries
I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There's an attribute (I think isIndexed) which says the attribute should be indexed in the database.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] stupid ldap queries
I did the same after I saw some of the activedir folks post about doing it :)

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Tuesday, April 18, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago.

Wook
[ActiveDir] Tombstone attributes
Hi there all,

Does anyone here know why Microsoft chose not to include the attributes related to user password and sidHistory in the tombstone of an object upon deletion? Was it a security decision? I would like to get some input from people here before I go and update my schema to enable the restoration of these properties from the tombstone'd object.

Thanks for your input.

/aaron

Aaron Steele
University of Chicago
Enterprise Systems Administrator
P: 773.834.9099
E: [EMAIL PROTECTED]

This email is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this email message is not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is prohibited. If you have received this email in error, please notify the sender and destroy/delete all copies of the transmittal. Thank you.
Re: [ActiveDir] Tombstone attributes
Steele, Aaron [BSD] - ADM wrote:

Hi there all,

Does anyone here know why Microsoft chose not to include the attributes related to user password and sidHistory in the tombstone of an object upon deletion? Was it a security decision? I would like to get some input from people here before I go and update my schema to enable the restoration of these properties from the tombstone'd object.

Personally I would not like to preserve password attribute on tombstone - I don't see a reason for that, and yes, IMO it can be seen as possible security threat. If user is deleted and restoring it requires admin action it is just another logical step to reset its password.

SID History attribute is preserved as with SP1 on Windows 2003 DC. ~Eric wrote about it some time ago:
http://blogs.technet.com/efleis/archive/2005/07/12/407648.aspx

and this is OK - when you want to restore object and probably its group membership etc. preserving SID History is good solution.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] stupid ldap queries
Thanks all for the clarification!

M@

On 4/18/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I did the same after I saw some of the activedir folks post about doing it… :)

:m:dsm:cci:mvp| marcusoh.blogspot.com
RE: [ActiveDir] Tombstone attributes
In addition to what Tomasz said...

How objects are deleted / tombstoned (simplified!)

* The isDeleted attribute is set to TRUE (which marks the object as a tombstone - an object that has been deleted but not fully removed from the directory).
* The relative distinguished name (RDN) of the object is set to a value that cannot be set by an LDAP application (a value that is impossible).
* Strips ALL attributes not needed by AD, except for the important attributes like objectGUID, objectSid, distinguishedName, nTSecurityDescriptor and uSNChanged, which are preserved on the tombstone.
* On W2K3 SP1 DCs, the sIDHistory attribute is also preserved.
* Move the tombstone to the Deleted Objects container of the partition where the object resides (if the object's systemFlags property contains the 0x0200 flag, the object is not moved to the Deleted Objects container, e.g. the NTDS Settings object of a DC).

Config. which attr. are retained when object is tombstoned

* Besides the mandatory retained attributes, additional attributes can be configured in the schema to be retained when an object is tombstoned.
* Using ADSIEDIT.MSC and connecting to the schema partition.
* Each attribute has a searchFlags property which consists of bits, each with a certain meaning.
* Enabling the FOURTH bit (bit 3) on the property preserves the attribute in the tombstone of the deleted objects.
  1st bit (bit 0): 2^0=1, 2nd bit (bit 1): 2^1=2, 3rd bit (bit 2): 2^2=4, 4th bit (bit 3): 2^3=8

More info

How the Data Store Works
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/54094485-71f6-4be8-8ebf-faa45bc5db4c.mspx

Creating and Deleting Active Directory Objects
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/creating_and_deleting_active_directory_objects.asp

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Steele, Aaron [BSD] - ADM
Sent: Tue 2006-04-18 23:05
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Tombstone attributes

Hi there all,

Does anyone here know why Microsoft chose not to include the attributes related to user password and sidHistory in the tombstone of an object upon deletion? Was it a security decision? I would like to get some input from people here before I go and update my schema to enable the restoration of these properties from the tombstone'd object.

Thanks for your input.

/aaron

Aaron Steele
University of Chicago
Enterprise Systems Administrator
P: 773.834.9099
E: [EMAIL PROTECTED]
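The tombstoning steps Jorge lists above, carried through as an added example that is not part of the thread. The script applies them to a constructed user and a constructed NTDS Settings object: it sets isDeleted, mangles the RDN, keeps only the mandatory attributes plus those whose searchFlags has bit 3 (value 8) set, and moves the tombstone to the partition's Deleted Objects container unless systemFlags forbids it (the post quotes that flag as 0x0200; the full value of the MS-ADTS bit FLAG_DISALLOW_MOVE_ON_DELETE, 0x02000000, is used here). The schema fragment, GUIDs and SIDs are constructed placeholders, and dropped_on_delete() shows which attributes of an object would be lost before anyone edits searchFlags.

```python
"""Simulate what a DC keeps when it tombstones an object.

Added example, not from the thread.  It follows the steps in the post above:
set isDeleted, mangle the RDN, drop every attribute except the mandatory set
and those whose schema searchFlags has bit 3 (value 8) set, and move the
tombstone to the partition's Deleted Objects container unless the object's
systemFlags says it must stay put.  Schema fragment and objects are constructed.
"""

SEARCHFLAG_PRESERVE_ON_DELETE = 0x8        # bit 3, 2^3 = 8, as in the post
FLAG_DISALLOW_MOVE_ON_DELETE = 0x02000000  # systemFlags bit (MS-ADTS name); NTDS Settings carries it

# Attributes every tombstone keeps regardless of schema (list from the post).
ALWAYS_KEPT = {"objectGUID", "objectSid", "distinguishedName",
               "nTSecurityDescriptor", "uSNChanged"}

# Constructed schema fragment: lDAPDisplayName -> searchFlags.
# sIDHistory has bit 3 set, the W2K3 SP1 behaviour the thread mentions;
# unicodePwd does not, which is the default the original question is about.
SCHEMA_SEARCH_FLAGS = {
    "sIDHistory": 0x8,
    "unicodePwd": 0x0,
    "sAMAccountName": 0x9,   # bit 0 (indexed) + bit 3 (preserved)
    "description": 0x0,
    "memberOf": 0x0,
}


def searchflags_bits(value):
    """Names of the low searchFlags bits set in `value`, e.g. 9 -> indexed + preserved."""
    names = {1: "indexed", 2: "container-indexed", 4: "anr", 8: "preserve-on-delete"}
    return [name for bit, name in names.items() if value & bit]


def preserved_by_schema(attr):
    return bool(SCHEMA_SEARCH_FLAGS.get(attr, 0) & SEARCHFLAG_PRESERVE_ON_DELETE)


def partition_of(dn):
    """Naming context of a DN: from CN=Configuration, or else from the first DC=, onward.

    Good enough for objects in the domain and configuration partitions."""
    parts = dn.split(",")
    for i, part in enumerate(parts):
        if part.upper() == "CN=CONFIGURATION" or part.upper().startswith("DC="):
            return ",".join(parts[i:])
    return dn


def tombstone(obj):
    """Return the tombstone a DC would keep for `obj` (a dict of attribute values)."""
    rdn, _, parent = obj["distinguishedName"].partition(",")
    rdn_type, _, rdn_value = rdn.partition("=")
    # Step 2: RDN becomes <old value>\0ADEL:<objectGUID>.  \0A is the DN escape
    # for a line feed, a character no LDAP client can put in an RDN, so the
    # tombstone can never collide with a live object of the same name.
    mangled_rdn = f"{rdn_type}={rdn_value}\nDEL:{obj['objectGUID']}"
    # Step 5: move to the partition's Deleted Objects container unless flagged.
    if obj.get("systemFlags", 0) & FLAG_DISALLOW_MOVE_ON_DELETE:
        new_parent = parent
    else:
        new_parent = "CN=Deleted Objects," + partition_of(parent)
    # Steps 3 and 4: strip everything not mandatory or schema-preserved.
    kept = {name: value for name, value in obj.items()
            if name in ALWAYS_KEPT or preserved_by_schema(name)}
    kept["distinguishedName"] = f"{mangled_rdn},{new_parent}"
    kept["isDeleted"] = True   # Step 1
    return kept


def dropped_on_delete(obj):
    """Attribute names that do not survive tombstoning; check this before touching searchFlags."""
    return sorted(set(obj) - set(tombstone(obj)))


# Constructed sample objects (GUIDs and SIDs are placeholders).
USER = {
    "distinguishedName": "CN=Bob Smith,OU=Staff,DC=example,DC=com",
    "objectGUID": "11111111-2222-3333-4444-555555555555",
    "objectSid": "S-1-5-21-1-2-3-1105",
    "nTSecurityDescriptor": "<security descriptor>",
    "uSNChanged": 10234,
    "sAMAccountName": "bsmith",
    "unicodePwd": "<password hash>",
    "sIDHistory": ["S-1-5-21-9-9-9-1105"],
    "description": "Payroll",
    "memberOf": ["CN=Payroll,OU=Groups,DC=example,DC=com"],
}

NTDS_SETTINGS = {
    "distinguishedName": "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,"
                         "CN=Sites,CN=Configuration,DC=example,DC=com",
    "objectGUID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "nTSecurityDescriptor": "<security descriptor>",
    "uSNChanged": 777,
    "systemFlags": FLAG_DISALLOW_MOVE_ON_DELETE,
}

if __name__ == "__main__":
    for label, obj in (("user", USER), ("NTDS Settings", NTDS_SETTINGS)):
        t = tombstone(obj)
        print(f"{label}: kept {sorted(t)}; dropped {dropped_on_delete(obj)}")
        print("  ->", t["distinguishedName"].replace("\n", "\\0A"))
```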
RE: [ActiveDir] stupid ldap queries
It seems like an obvious idea to implement. Sad we never thought about it. :) Has anyone done any tests to reveal what performance gains this yields on queries?

Thanks,
Jef

Subject: RE: [ActiveDir] stupid ldap queries
Date: Tue, 18 Apr 2006 17:03:35 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

I did the same after I saw some of the activedir folks post about doing it… :)

:m:dsm:cci:mvp| marcusoh.blogspot.com
RE: [ActiveDir] Tombstone attributes
Unfortunately the password is the same attribute for users and computers. I thought recently to put the password in the tombstone to ease computer account reanimation - after the account is deleted the computer is not able to change its password, and if it was deleted accidentally it's easy to reanimate the account and the computer will still be happy.

I know that it'll be easy to put the computers in the domain again, however I've had a customer with hundreds of sites which lost a couple hundred computer accounts across those sites, and bandwidth didn't allow to remotely script the addition of the computer accounts to the domain via netdom. We were able to perform an authoritative restore, and were lucky that we lost almost no computer accounts due to changed password, however this was an unlikely event with the computers recently joined the newly created domain. In running domains we'd have to calculate an average of 1/15th of computers per day of the age of the backup to join manually.

I agree on user objects - and if I'd decide to keep the password for computer accounts in the tombstone I would prefer to put a procedure in place to change a user's password before deleting it.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
|Sent: Tuesday, April 18, 2006 11:19 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Tombstone attributes
|
|Steele, Aaron [BSD] - ADM wrote:
| Hi there all,
|
| Does anyone here know why Microsoft chose not to include the
| attributes related to user password and sidHistory in the tombstone of
| an object upon deletion? Was it a security decision?
| I would like to get some input from people here before I go and update
| my schema to enable the restoration of these properties from the
| tombstone'd object.
|
|Personally I would not like to preserve password attribute on tombstone
|- I don't see a reason for that, and yes, IMO it can be seen as possible
|security threat. If user is deleted and restoring it requires admin
|action it is just another logical step to reset its password.
|
|SID History attribute is preserved as with SP1 on Windows 2003 DC.
|~Eric wrote about it some time ago:
|http://blogs.technet.com/efleis/archive/2005/07/12/407648.aspx
|
|and this is OK - when you want to restore object and probably its group
|membership etc. preserving SID History is good solution.
|
|--
|Tomasz Onyszko
|http://www.w2k.pl/blog/ - (PL)
|http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] Tombstone attributes
Ulf B. Simon-Weidner wrote:

Unfortunately the password is the same attribute for users and computers. I thought recently to put the password in the tombstone to ease computer account reanimation - after the account is deleted the computer is not able to change its password, and if it was deleted accidentally it's easy to reanimate the account and the computer will still be happy.

I know that it'll be easy to put the computers in the domain again, however I've had a customer with hundreds of sites which lost a couple hundred computer accounts across those sites, and bandwidth didn't allow to remotely script the addition of the computer accounts to the domain via netdom. We were able to perform an authoritative restore, and were lucky that we lost almost no computer accounts due to changed password, however this was an unlikely event with the computers recently joined the newly created domain. In running domains we'd have to calculate an average of 1/15th of computers per day of the age of the backup to join manually.

I agree on user objects - and if I'd decide to keep the password for computer accounts in the tombstone I would prefer to put a procedure in place to change a user's password before deleting it.

Jup, I can agree with it - but still I don't like the idea of restoring the user with the old password. What about password age and complying with security policy - I can imagine a situation in which a user's password was 89 days old (with 90 days maximum password age), then was deleted and restored - the password will be valid for another 90 days. What about complexity requirements?

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Tombstone attributes
Agreed - as I said I'd put procedures in place to protect user account passwords, but would use tombstones to ease computer account restores.

Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
|Sent: Wednesday, April 19, 2006 12:43 AM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Tombstone attributes
|
|Jup, I can agree with it - but still I don't like the idea of restoring
|the user with the old password. What about password age and complying
|with security policy - I can imagine a situation in which a user's
|password was 89 days old (with 90 days maximum password age), then was
|deleted and restored - the password will be valid for another 90 days.
|What about complexity requirements?
|
|--
|Tomasz Onyszko
|http://www.w2k.pl/blog/ - (PL)
|http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] User Accounts
Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -

* DNTs (to me) are _not_ a component of the directory - they _are_ a component of the layer that bridges the two (dblayer) - to Brett, I believe he sees them within the sum of what is the directory
* DNTs (to both Brett and I) are not part of ESE
* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
* DNTs are not reusable

I hope the summary and conversational text inline proves useful.

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 18, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] User Accounts

Dean, I didn't understand this comment ...

But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?

Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p

Are you claiming that ESE knows what a DNT is?

Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag ... blatantly not an ESE term ... and dblayer = database layer ... not a directory term ... hmmm)

A DNT is an entirely AD concept, ESE has no idea what a DNT is.

Nod.

ESE also has no concept of linked-values, or the link_table.

Now this was news to me, so here's the summary: ESE has tables + columns + indices over columns. The dblayer forms the bridge between two technologies, one molding the behavior of the other (dblayer molds ESE). ESE maintains no referential integrity, the dblayer does this ... including link-pairs -- this part was especially surprising to me.

This is the 2nd time you've confused the AD dblayer (what maintains the AD schema on an ESE database) and the ESE database layer.

Don't know that I'd agree with that since on neither occasion was the dblayer specifically referenced .. but it's moot for the moment since I'm still mulling over whether my new-found knowledge pertaining to link-pairs influences my opinion on where DNTs lie; directory or database.
[ActiveDir] Exchange 5.5 Upgrade Problems
I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests.

My current project is to upgrade the Ex5.5 server (which is also the domain's only DC) to Ex2k3, but I am running into problems. I have successfully run Forestprep and Domainprep. However, when I attempt to run the installation, I receive the error "Exchange cannot be assigned the task upgrade because the directory database is in an inconsistent state / the private and or public stores are in an inconsistent state". However, when using Eseutil to check database consistency of all 3 databases, it reports that they are consistent. Even so, I tried using Eseutil to repair all 3 DBs and perform soft recovery on all 3 DBs, but nothing worked. I then ran every test/repair using isinteg, all of which completed successfully and only some of which reported errors. However, nothing has worked and I am still getting the same errors when trying to upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect.

Now my plan is to install a new WS2k3/Ex2k3 server into the Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5 box. While waiting for my maintenance window to upgrade the current ADC to the 2k3 version, I installed the Ex2k3 ADC on the new mail server (which is not a DC). Now, when I try to run the Data Collection step in ADC Tools on the new WS2k3 box, I receive the error "Server myserver:389 is not an Exchange 5.5 server or an SRS service". I realized that since it was installed on a DC, the LDAP port in ADC was changed to 38900, so I changed it in ADC Tools. However, I am now receiving the error "Could not connect to server myserver:38900 with LDAP error 6. Check server name, port number and account permissions."

I am logged on with the Enterprise/Domain Administrator account and the ADC service is set to use the same service account as the ADC on the Ex5.5 server. If you need any more info please let me know. Any help that anyone can provide will be greatly appreciated.

Dan DeStefano
Info-lution Corporation
www.info-lution.com
MCSE - 2073750

If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
RE: [ActiveDir] Exchange 5.5 Upgrade Problems
Could be all sorts of things here, but let's start simple. Can you do an LDAP bind to the Exchange box on port 38900 using the ldp tool (or similar) from the Support Tools?

You can't do an in-place upgrade from 5.5 to 2003, which is what it sounds like you're doing when you get the consistency error.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] Exchange 5.5 Upgrade Problems
Yes, I can connect to the DC/Ex5.5 box from the new Ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the Enterprise/Domain Admin account and the Exchange service account.

I am not trying to do a direct upgrade from 5.5 to 2k3; rather, I am trying to do an interim upgrade to Ex2k, then upgrade from Ex2k to Ex2k3. I am receiving the "database inconsistent" errors when trying to do the Ex2k upgrade.

Note: I am not sure if it matters, but in Exchange 5.5 Administrator the LDAP protocol for the site is set to 38900, but for the server it is set to 389. I tried changing it in the server to 38900, but that stopped mail from flowing.

Dan
RE: [ActiveDir] Exchange 5.5 Upgrade Problems
Why are you doing this interim upgrade when your end goal is a 2k3 native environment?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] Exchange 5.5 Upgrade Problems
We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet; however, they want Ex2k3 features quickly. So we determined the fastest way to implement Ex2k3 would be to do an in-place upgrade of their server.

Dan
RE: [ActiveDir] stupid ldap queries
It's the same relative gain running a query using objectCategory versus objectClass. Most of the time, I would run into queries that people were using, utilizing objectClass instead of objectCategory. Indexing objectClass made this moot.

:m:dsm:cci:mvp | marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Tuesday, April 18, 2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

It seems like an obvious idea to implement. Sad we never thought about it. :) Has anyone done any tests to reveal what performance gains this yields on queries?

Thanks,
Jef

Subject: RE: [ActiveDir] stupid ldap queries
Date: Tue, 18 Apr 2006 17:03:35 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

I did the same after I saw some of the activedir folks post about doing it :)

:m:dsm:cci:mvp | marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Tuesday, April 18, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

I never understood why Microsoft chose not to index objectClass by default. I indexed it in our directory as soon as we got the go-ahead from Microsoft that it was supported. That was years ago.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There's an attribute (I think isIndexed) which says the attribute should be indexed in the database.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] stupid ldap queries

bummer!

I meant adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

sorry, that was meant to be adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

Thanks for the reply. In that case why does adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list return objectclass among the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid LDAP queries that load up the server. I am still learning so please be patient with this n00b.

Thanks
M@

On 4/18/06, Brian Desmond [EMAIL PROTECTED] wrote:

Not sure I understand the question fully, but, no, objectClass is not indexed. objectCategory is. So if you want to get all users you do: (&(objectCategory=person)(objectClass=user))

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] stupid ldap queries

All

Could someone please explain how non-indexed queries (e.g. objectClass=user) fall in this category? I saw this mentioned in some slides by Gil and couldn't quite understand what he meant. Isn't objectclass indexed as part of the partial attribute set?

Thanks
M@

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
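Two things in these threads come down to what actually goes over the wire: Brian's suggestion in the Exchange 5.5 thread to test an LDAP bind against port 38900 with ldp before trusting ADC's "could not connect", and his `(&(objectCategory=person)(objectClass=user))` filter here. The Python below is an added example for this archive, not code from any poster or from any Microsoft tool. It encodes an LDAPv3 simple bind and a search request from the standard library only (RFC 4511 BER layouts), decodes the BindResponse, and gives a bind probe you can point at a host and port; the hostname `myserver` and port 38900 are the ones from the thread and are assumed, and the sample byte strings in the usage note were constructed by hand rather than captured.

```python
# Minimal LDAPv3 wire encoder/decoder, standard library only. Added example for
# this archive, not code from any poster; "myserver" and port 38900 are taken from
# the thread, the byte layouts from RFC 4511 (LDAP) and the BER rules it relies on.
import socket

def ber_len(n):
    if n < 0x80:                                       # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body            # long form: count, then bytes

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value, tag=0x02):
    """INTEGER (0x02) or ENUMERATED (0x0A), minimal two's-complement body."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def ber_str(text):
    return tlv(0x04, text.encode("utf-8"))

def parse_filter(text):
    """RFC 4515 filter string -> tree; handles &, |, !, equality and presence."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def _parse(t, i):
    if t[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if t[i] in "&|!":
        op, kids, i = t[i], [], i + 1
        while t[i] == "(":
            kid, i = _parse(t, i)
            kids.append(kid)
        if t[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    j = t.index(")", i)                                # ValueError if unterminated
    attr, _, value = t[i:j].partition("=")
    return ("=", attr, value), j + 1

def encode_filter(node):
    """RFC 4511 Filter: and [0], or [1], not [2], equalityMatch [3], present [7]."""
    if node[0] in "&|!":
        tag = {"&": 0xA0, "|": 0xA1, "!": 0xA2}[node[0]]
        return tlv(tag, b"".join(encode_filter(k) for k in node[1]))
    _, attr, value = node
    if value == "*":                                   # present: attribute name only
        return tlv(0x87, attr.encode("utf-8"))
    return tlv(0xA3, ber_str(attr) + ber_str(value))   # equalityMatch: desc, value

def bind_request(msg_id, dn="", password=""):
    """BindRequest [APPLICATION 0], simple [0] auth; empty dn/password = anonymous."""
    body = ber_int(3) + ber_str(dn) + tlv(0x80, password.encode("utf-8"))
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, body))

def search_request(msg_id, base, filter_text, attrs=(), scope=2):
    """SearchRequest [APPLICATION 3]; scope 2 = wholeSubtree, no deref, no limits."""
    body = (ber_str(base) + ber_int(scope, 0x0A) + ber_int(0, 0x0A)
            + ber_int(0) + ber_int(0) + tlv(0x01, b"\x00")
            + encode_filter(parse_filter(filter_text))
            + tlv(0x30, b"".join(ber_str(a) for a in attrs)))
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, body))

def _read_tlv(buf, i=0):
    """Return (tag, value, offset of the next TLV) for the TLV at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def parse_bind_response(data):
    """(resultCode, errorMessage) from an LDAPMessage holding BindResponse [APPLICATION 1]."""
    tag, msg, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage, first tag 0x%02x" % tag)
    _, _msg_id, i = _read_tlv(msg)
    op_tag, op, _ = _read_tlv(msg, i)
    if op_tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % op_tag)
    _, code, i = _read_tlv(op)                         # resultCode ENUMERATED
    _, _matched_dn, i = _read_tlv(op, i)
    _, err, _ = _read_tlv(op, i)
    return int.from_bytes(code, "big"), err.decode("utf-8", "replace")

def probe_ldap(host, port, dn="", password="", timeout=5.0):
    """Send one simple bind; return (resultCode, errorMessage). A closed port or a
    non-LDAP listener raises, a live LDAP server answers even an anonymous bind."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        data = sock.recv(4096)                         # a BindResponse is small
    return parse_bind_response(data)
```

`probe_ldap("myserver", 389)` and `probe_ldap("myserver", 38900)` separate the cases the ADC error message runs together: a refused connection or a `ValueError` on the reply means the port is not speaking LDAP at all, while a resultCode of 49 (invalidCredentials) or 0 proves the listener is there and the problem, if any, is the account. Use the anonymous bind for the port check; a simple bind puts the password on the wire in clear, so only bind with real credentials over LDAPS or on a network you control. For the filter question, `search_request(2, "DC=example,DC=com", "(&(objectCategory=person)(objectClass=user))", ("sAMAccountName",)).hex()` shows the and [0] wrapper around two equalityMatch [3] assertions, which is the structure the server's query optimizer walks; whether a given assertion hits an index is a property of the schema (searchFlags) on that server, so the gain Jef asks about can only be measured against a real directory, not from the bytes.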