[ActiveDir] Site Link Bridging

2006-05-09 Thread neil.ruston
Title: RE: Site Link Bridging



A friend of a friend when designing a new forest was asked to disable site
link bridging (forest wide) based upon the reasoning given below.

I fail to see any connection between the description below and site link
bridging.

Does anyone see how these issues could be caused by bridging and
furthermore, why the issue would have been resolved by disabling bridging???

neil
PS I don't necessarily believe that MS really did suggest disabling bridging
would help - I merely copy/pasted the original thread :)
___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481



We had an issue where the Domain Controllers in the New York site and New
Jersey site were being registered under one site in DNS. This was causing
users to authenticate to DCs over the WAN link as well as Exchange servers
using GCs over the WAN link. This was causing some delays in users logging
on as well as outlook being slow using the address book.

Also servers were synching up their time with DCs in other sites causing w32
time errors at night and during the weekend while backups were running. This
caused some servers to have their time offset be 3-5 seconds.

We had Microsoft on-site services evaluate the infrastructure and they
recommended that we disable the Site Link Bridging to increase performance
of the above issues.

PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments.  NIplc
does not provide investment services to private customers.  Authorised and
regulated by the Financial Services Authority.  Registered in England
no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP.  A member of the Nomura group of companies.





[ActiveDir] Test Windows 23K Firewall

2006-05-09 Thread Za Vue
What is the best and fastest way to test Windows firewall? I want to see 
if a specific port is blocked when it is supposed to be open.

-Z.V.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Test Windows 23K Firewall

2006-05-09 Thread Thommes, Michael M.
telnet or portqry?

telnet [-a][-e escape char][-f log file][-l user][-t term][host [port]]
 -a      Attempt automatic logon. Same as -l option except uses
         the currently logged on user's name.
 -e      Escape character to enter telnet client prompt.
 -f      File name for client side logging
 -l      Specifies the user name to log in with on the remote system.
         Requires that the remote system support the TELNET ENVIRON option.
 -t      Specifies terminal type.
         Supported term types are vt100, vt52, ansi and vtnt only.
 host    Specifies the hostname or IP address of the remote computer
         to connect to.
 port    Specifies a port number or service name.

Portqry:
http://support.microsoft.com/default.aspx?kbid=832919


Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, May 09, 2006 5:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Test Windows 23K Firewall

What is the best and fastest way to test Windows firewall? I want to see 
if a specific port is blocked when it is supposed to be open.
-Z.V.



Re: [ActiveDir] Test Windows 23K Firewall

2006-05-09 Thread Mark Parris
I sometimes use netstat and if you get a syn_sent it's a good start. If you get a 
name as opposed to a port, check the services file in the ..\drivers\etc folder 
where the lmhosts file is.

Mark
-Original Message-
From: Za Vue [EMAIL PROTECTED]
Date: Tue, 09 May 2006 06:49:54 
To:ActiveDir@mail.activedir.org
Subject: [ActiveDir] Test Windows 23K Firewall

What is the best and fastest way to test Windows firewall? I want to see 
if a specific port is blocked when it is supposed to be open.
-Z.V.
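
An added example, not written by any poster in this thread: a small Python script that makes the same single connection attempt as telnet or portqry and classifies the outcome, then compares it with the state each port is supposed to be in. The function names and the loopback demo listener are constructed for illustration.

```python
import errno
import socket

# Result labels used by this example (hypothetical names, not from any tool).
OPEN = "open"          # handshake completed: a service is listening and reachable
CLOSED = "closed"      # connection refused (RST): packet got through, nothing listening
FILTERED = "filtered"  # no reply before the timeout: the SYN was dropped on the way,
                       # or the host is unreachable


def probe_tcp_port(host, port, timeout=3.0):
    """Make one TCP connection attempt to host:port and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except socket.timeout:
        # While an attempt like this is pending, netstat on the client lists
        # the connection in the SYN_SENT state.
        return FILTERED
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return FILTERED
        raise  # e.g. name resolution failure: not a statement about the port


def check_expected(host, expected, timeout=3.0):
    """Compare observed port states against the intended ones.

    expected maps port number -> OPEN / CLOSED / FILTERED.
    Returns a list of (port, expected_state, observed_state) for every mismatch.
    """
    mismatches = []
    for port, want in sorted(expected.items()):
        got = probe_tcp_port(host, port, timeout)
        if got != want:
            mismatches.append((port, want, got))
    return mismatches


if __name__ == "__main__":
    # Constructed demo on loopback: open a listener on a free port, probe it,
    # close it, and probe again to see the open -> closed transition.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    demo_port = listener.getsockname()[1]

    print("listener up:  ", check_expected("127.0.0.1", {demo_port: OPEN}))
    listener.close()
    print("listener down:", check_expected("127.0.0.1", {demo_port: OPEN}))
```

Run it from a different machine than the one whose firewall is being tested, so the probe arrives as inbound network traffic; "closed" on a port that should be open points at the service, "filtered" points at a firewall or routing.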



RE: [ActiveDir] Site Link Bridging

2006-05-09 Thread joe
Title: RE: Site Link Bridging



Having site link bridging should not have resulted in DCs from different
sites registering in the same site unless there wasn't full coverage for the
domains or if one of the sites didn't have a GC. Something isn't right here.

Not that that might not be a response they heard from an architecture review
though, the quality of those reviews/healthchecks/RAPs and the guidance
given at the end vary dramatically in quality based on the analyst involved.
I have found in general though the AD folks can't give any good advice on
Exchange and the Exchange healthcheck folks can't give very good advice on
AD and MSFT doesn't have an all consuming healthcheck that takes all of it
into account. So you end up getting a case of one healthcheck pointing at
the other for sources of problems. Usually what you see is the AD folks
saying everything is fine and the Exchange folks saying AD is in trouble but
not being able to point at anything in particular.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 09, 2006 6:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Link Bridging

A friend of a friend when designing a new forest was asked to disable site
link bridging (forest wide) based upon the reasoning given below.

I fail to see any connection between the description below and site link
bridging.

Does anyone see how these issues could be caused by bridging and
furthermore, why the issue would have been resolved by disabling bridging???

neil
PS I don't necessarily believe that MS really did suggest disabling bridging
would help - I merely copy/pasted the original thread :)
___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481

We had an issue where the Domain Controllers in the New York site and New
Jersey site were being registered under one site in DNS. This was causing
users to authenticate to DCs over the WAN link as well as Exchange servers
using GCs over the WAN link. This was causing some delays in users logging
on as well as outlook being slow using the address book.

Also servers were synching up their time with DCs in other sites causing w32
time errors at night and during the weekend while backups were running. This
caused some servers to have their time offset be 3-5 seconds.

We had Microsoft on-site services evaluate the infrastructure and they
recommended that we disable the Site Link Bridging to increase performance
of the above issues.




[ActiveDir] Schema extension

2006-05-09 Thread Rimmerman, Russ

We received our OID from Microsoft this week, so I went ahead and added
an attribute so I could flag service accounts so we won't accidentally
'clean them up' during our account cleanup processes.

I then went to the User class and added my new attribute to it.

When I view a user's AD schema properties, however, I'm not seeing the
new property assigned to it. Is there any other step that I'm missing?

Thanks


~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

2006-05-09 Thread Freddy HARTONO
Thanks guys pretty much a gui to most of the tools, but nevertheless gave me
some additional ideas for modding own script. 


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Tuesday, May 09, 2006 5:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

Jef Kazimer wrote:
 Hmm. reading the PDF at:
 http://download.microsoft.com/download/5/8/e/58ededaf-4de0-4fd3-b500-8a8f6bbfe1f4/ADRAP_Datasheet_v1.0t_English.pdf

 Is this something to have running where MOM is not running?   It seems
 a lot of this can be done via MOM, though not as slick of a
 consolidated interface.

 Sort of like an all in one package?

Believe me or not  - not everybody runs MOM :)

ADST was built for a different purpose - to provide a way to gather data from
the current state of AD (snapshot) to perform further (maybe offline) analysis
and build a report.
Of course it may be used as an ad-hoc monitoring tool.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)



RE: [ActiveDir] Schema extension

2006-05-09 Thread neil.ruston
Did you flush the schema cache on the schema master?

How are you viewing the user's AD schema properties?



neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 09 May 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema extension


We received our OID from Microsoft this week, so I went ahead and added
an attribute so I could flag service accounts so we won't accidentally
'clean them up' during our account cleanup processes.


I then went to the User class and added my new attribute to it.


When I view a user's AD schema properties, however, I'm not seeing the
new property assigned to it. Is there any other step that I'm missing?

Thanks




RE: [ActiveDir] Schema extension

2006-05-09 Thread Almeida Pinto, Jorge de
First, you need to wait for replication to occur so that the schema change is 
replicated to all DCs.

How are you looking at it?
If you are using LDP, but the attribute does not have a value (yet) it will not 
show in LDP. ADSIEDIT however shows all attributes of an object, populated or not.
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Tue 2006-05-09 16:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema extension




We received our OID from Microsoft this week, so I went ahead and added
an attribute so I could flag service accounts so we won't accidentally
'clean them up' during our account cleanup processes.


I then went to the User class and added my new attribute to it.


When I view a user's AD schema properties, however, I'm not seeing the
new property assigned to it. Is there any other step that I'm missing?

Thanks






This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

RE: [ActiveDir] Schema extension

2006-05-09 Thread Thommes, Michael M.








DefaultHidingValue?

defaultHidingValue

A Boolean value that specifies the default setting of the
showInAdvancedViewOnly property of new instances of this class. Many
directory objects are not interesting to end users. To keep these objects
from cluttering the UI, every object has a Boolean attribute called
showInAdvancedViewOnly.

If defaultHidingValue is set to TRUE, new object instances are hidden in the
Administrative snap-ins and the Windows shell. A menu item for the object
class will not appear in the New context menu of the Administrative snap-ins
even if the appropriate creation wizard properties are set on the object
class's displaySpecifier object.

If defaultHidingValue is set to FALSE, new instances of the object are
displayed in the Administrative snap-ins and the Windows shell. Set this
property to FALSE to see instances of the class in the administrative
snap-ins and the shell and enable a creation wizard and its menu item in the
New menu of the administrative snap-ins.

If the defaultHidingValue value is not set, the default is TRUE.

From: http://msdn.microsoft.com/library/default.asp?url=

Mike Thommes











-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 09, 2006 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema extension





We received our OID from Microsoft this week, so I went ahead and added
an attribute so I could flag service accounts so we won't accidentally
'clean them up' during our account cleanup processes.

I then went to the User class and added my new attribute to it.

When I view a user's AD schema properties, however, I'm not seeing the
new property assigned to it. Is there any other step that I'm missing?

Thanks















RE: [ActiveDir] Schema extension

2006-05-09 Thread neil.ruston



This relates to classes and not attributes.

I suspect russ needs to flush the schema cache and/or wait for the change to
replicate, but also to use a suitable editor, such as adsiedit.


neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: 09 May 2006 16:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema extension


"DefaultHidingValue"?


  
  

defaultHidingValue

A Boolean value that specifies the default setting of the
showInAdvancedViewOnly property of new instances of this class. Many
directory objects are not interesting to end users. To keep these objects
from cluttering the UI, every object has a Boolean attribute called
showInAdvancedViewOnly.

If defaultHidingValue is set to TRUE, new object instances are hidden in the
Administrative snap-ins and the Windows shell. A menu item for the object
class will not appear in the New context menu of the Administrative snap-ins
even if the appropriate creation wizard properties are set on the object
class's displaySpecifier object.

If defaultHidingValue is set to FALSE, new instances of the object are
displayed in the Administrative snap-ins and the Windows shell. Set this
property to FALSE to see instances of the class in the administrative
snap-ins and the shell and enable a creation wizard and its menu item in the
New menu of the administrative snap-ins.

If the defaultHidingValue value is not set, the default is TRUE.

From: http://msdn.microsoft.com/library/default.asp?url=

Mike Thommes





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 09, 2006 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema extension

We received our OID from Microsoft this week, so I went ahead and added
an attribute so I could flag service accounts so we won't accidentally
'clean them up' during our account cleanup processes.

I then went to the "User" class and added my new attribute to it.

When I view a user's AD schema properties, however, I'm not seeing the
new property assigned to it. Is there any other step that I'm missing?

Thanks







RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

2006-05-09 Thread Douglas M. Long
I missed if anyone was making this tool available to the list?  :)



RE: [ActiveDir] Schema extension

2006-05-09 Thread Rimmerman, Russ

I didn't flush the cache.  Wasn't aware I had to do that, plus I'm not
sure where to do it.

I'm viewing the AD properties with Hyena.  I just looked in ADSIEDIT and
DO see the new property there.  I guess Hyena has some sort of filter
turned on somehow.  It shows all the other extensions we've while
installing various applications, just not this one.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, May 09, 2006 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema extension

Did you flush the schema cache on the schema master?

How are you viewing the user's AD schema properties?



neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 09 May 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema extension


We received our OID from Microsoft this week, so I went ahead and added
an attribute so I could flag service accounts so we won't accidentally
'clean them up' during our account cleanup processes.


I then went to the User class and added my new attribute to it.


When I view a user's AD schema properties, however, I'm not seeing the
new property assigned to it. Is there any other step that I'm missing?

Thanks




RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

2006-05-09 Thread Eric Fleischman
The tool is not the property of anyone on this list. As such, making it
available on the list would be inappropriate.

The goal of this tool has never been to be a stand-alone AD monitoring
tool, nor even a snapshot tool. Rather, it was built specifically around
the field offering of an AD risk assessment. As such, outside of that,
the tool likely has little context, and may or may not be at all
helpful.
That said, it is available in this context only, to the best of my
knowledge.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 09, 2006 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

I missed if anyone was making this tool available to the list?  :)



Re: [ActiveDir] Exchange queue(OT)

2006-05-09 Thread Tom Kern
When anyone sends to these lists on any exchange server, the same result occurs.

Messages stay in the directory lookup queue for hours.

Inetinfo.exe process goes through the roof in terms of cpu time and mem usage.

Sometimes SMTP, while still in a running state, seems to not process anything and everyone on that server complains of mail latency.

The server has 1 gig of RAM. Exchange is on a RAID 5 with the edb/stm/trans logs on a separate logical drive from the OS and binaries.

AV is Sybari Antigen.

When diag logging is turned up, I get no further errors from the CAT.
Exchange Transport logs a bunch of errors pertaining to NDR's.



The email causing this issue is an email sent to about 15 private Outlook DL's which all contain single internal members. Anywhere from 2 to 100, depending on the DL.
No groups or nested groups in the DL's. All recipients are internal. No external.

Most DSAccess counters in perfmon are at 0.

Out of SMTP server CAT:address lookups not found, the number is more than half of the CAT:Address Lookups in general.



Tell me if you need more info or what else I should give you to adequately help in leading me in the right direction.

Thank you

On 5/4/06, joe [EMAIL PROTECTED] wrote:


That would have been my logical response too; googling your error against the support site pulls that exact KB and you didn't mention it in your initial post...
So what else have you done and discounted before a bunch of other responses come through?

Some additional questions to make the brain juices flow a little... Is cat logging cranked up to 7? What other cat messages are coming through? Have you looked at the perms on the server objects to make sure they aren't incorrect? What is the disk config in that machine (physical and logical levels) and where is everything at (i.e. bins, logs, dbs, page files, etc)? How is the overall perf of the machine? What is the io load in iops and how does that stack up against the theoretical max of your disk layout? How do your dsaccess counters look? How does it compare with the normal baselines? Are there any Special IDs in the list? Can anyone else send to that list and not get the error? Is there anything odd about the list or the user in terms of permissions or settings? How long has the issue been going on? Has the user or anyone ever been able to send to that list and not have a problem?


joe


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, May 04, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange queue(OT)


No, I spent about 2 secs before finding that.
Alas, it doesn't apply to my environment.

I sometimes have an itchy send finger but, I try not to waste your guys time if I can help it.

Thanks
On 5/4/06, Katherine Coombs [EMAIL PROTECTED] wrote:


Hi Tom,

I'm sure that you've spent more than the 5 seconds that I did trying to find a solution, but I came across this article: 
http://support.microsoft.com/default.aspx?kbid=884996

HTH,
Katherine



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 04 May 2006 20:35
To: activedirectory
Subject: [ActiveDir] Exchange queue(OT)



I have an issue where a user sends an email to about 1800 recipients using Outlook DL's.

The email always gets stuck in the messages awaiting directory lookup queue for hours(sometimes days).

The only thing logged in the app log is-


Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 6004
Date: 5/4/2006
Time: 3:21:02 PM
User: N/A
Computer: EXNYC01
Description:
The categorizer is unable to categorize messages due to a retryable error. There is not enough space on the disk.

For more information, click http://www.microsoft.com/contentredirect.asp. Data:
: 70 00 00 00 p... 

The server has about 80gig of free space.

I tried moving the user's mailbox to another server but she still gets the same issue.

Has anyone had experience with this error?

I'm running Exchange 2k in mixed mode in an AD 2000 native mode environment.

Thanks


RE: [ActiveDir] Visio Stencil for AD Forest

2006-05-09 Thread Stewart, Fitz
I saw those.  I was looking for something else - I just grabbed some good ones 
from Stuart's session at DEC and made a stencil.


-fitz

703-866-7473
703-626-5741 (cell)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Eaton-Lee
Sent: Saturday, May 06, 2006 10:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Visio Stencil for AD Forest

On Fri, 2006-05-05 at 14:05 -0400, Stewart, Fitz wrote:
 Anyone know where I can find a good stencil for this?   I just want a
 cool triangle – 3D and all – and not a server or a domain, or an OU.

In the version of Visio I have (2003 Professional), I have these
already, in the set of 'Active Directory Sites and Services' stencils.
They don't look particularly glamorous in the preview, but they aren't
bad once you use them, and look something like this:

http://jeremiad.org/images-offsite/AD.png

Had you seen these already, or were you looking for something else...

 - James.

-- 
  James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
  Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)

sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
   ca: https://www.cacert.org/index.php?id=3


Re: [ActiveDir] Exchange queue(OT)

2006-05-09 Thread Al Mulnick

The biggest problem is that it's E2K :)

Be sure your patches are as up to date as they can be for E2K and
the OS they run on.


One other test might help:
The email causing this issue is an email sent to about 15 private
Outlook DL's which all contain single internal members. Anywhere from
2 to 100, depending on the DL.
No groups or nested groups in the DL's. All recipients are internal. No
external.

What happens if you only send to one of those DL's? Do any of the
DL's have the same issues that the group of 15 does (test by sending
one message to each and observing the behavior)? That may help to
narrow it down.

Al



On 5/9/06, Tom Kern [EMAIL PROTECTED] wrote:


When anyone sends to these lists on any exchange server, the same result
occurs.

Messages stay in the directory lookup queue for hours.

Inetinfo.exe process goes through the roof in terms of cpu time and mem
usage.

sometimes smtp while still in a running state, seems to not process anything
and everyone on that server complains of mail latency.

the server has 1 gig of ram. Exchange is on a raid 5 with the edb/stm/trans
logs on a separate logical drive from the OS and binaries.

AV is Sybari Antigen.

When diag logging is turned up, I get no further errors from the CAT.
Exchange Transport logs a bunch of errors pertaining to NDR's.



The email causing this issue is an email sent to about 15 private Outlook
DL's which all contain single internal members. Anywhere from 2 to 100,
depending on the DL.
No groups or nested groups in the DL's. All recipients are internal. No
external.

Most DSAccess counters in perfmon are at 0.

Out of SMTP server CAT:address lookups not found, the number is more than
half of the CAT:Address Lookups in general.



Tell me if you need more info or what else I should give you to adequately
help in leading me in the right direction.

Thank you



On 5/4/06, joe [EMAIL PROTECTED] wrote:


 That would have been my logical response too; googling your error against
the support site pulls that exact KB and you didn't mention it in your
initial post...  So what else have you done and discounted before a bunch of
other responses come through?

 Some additional questions to make the brain juices flow a little... Is cat
logging cranked up to 7? What other cat messages are coming through? Have
you looked at the perms on the server objects to make sure they aren't
incorrect? What is the disk config in that machine (physical and logical
levels) and where is everything at ( i.e. bins, logs, dbs, page files, etc)?
How is the overall perf of the machine? What is the io load in iops and how
does that stack up against the theoretical max of your disk layout? How do
your dsaccess counters look? How does it compare with the normal baselines?
Are there any Special IDs in the list? Can anyone else send to that list
and not get the error? Is there anything odd about the list or the user in
terms of permissions or settings? How long has the issue been going on? Has
the user or anyone ever been able to send to that list and not have a
problem?

  joe


 --
 O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



 

 From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] On Behalf Of Tom Kern

 Sent: Thursday, May 04, 2006 4:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Exchange queue(OT)




 No, I spent about 2 secs before finding that.
 Alas, it doesn't apply to my environment.

 I sometimes have an itchy send finger but, I try not to waste your guys
time if I can help it.

 Thanks


 On 5/4/06, Katherine Coombs [EMAIL PROTECTED]  wrote:
 
 
  Hi Tom,
 
  I'm sure that you've spent more than the 5 seconds that I did trying to
find a solution, but I came across this article:
http://support.microsoft.com/default.aspx?kbid=884996
 
  HTH,
  Katherine
 
  

  From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] On Behalf Of Tom Kern
 
  Sent: 04 May 2006 20:35
 
  To: activedirectory
  Subject: [ActiveDir] Exchange queue(OT)
 
 
 
 
 
  I have an issue where a user sends an email to about 1800 recipients
using Outlook DL's.
 
  The email always gets stuck in the messages awaiting directory lookup
queue for hours(sometimes days).
 
  The only thing logged in the app log is-
 
 
 
  Event Type: Warning
  Event Source: MSExchangeTransport
  Event Category: Categorizer
  Event ID: 6004
  Date:  5/4/2006
  Time:  3:21:02 PM
  User:  N/A
  Computer: EXNYC01
  Description:
  The categorizer is unable to categorize messages due to a retryable
error. There is not enough space on the disk.
 
 
  For more information, click
http://www.microsoft.com/contentredirect.asp.
  Data:
  : 70 00 00 00   p...
 
 
 
  The server has about 80gig of free space.
 
 
 
  I tried moving the user's mailbox to another server but she still gets
the same issue.
 
 
 
  Has anyone had experience with this error?
 
 
 
  I'm running Exchange 2k in mixed 

RE: [ActiveDir] Site Link Bridging

2006-05-09 Thread Ion Gott
The primary reason I have disabled site link bridging in the past has been to prevent domain controllers in spokes from replicating with other dc's in spoke sites that are in another hub site when they should only be replicating with DC's in the hub sites and second with spoke dc's in their own hub.

If for example you had three hub sites and one hub site failed you may want the dc's in the spokes to replicate with one of the other regional hubs rather than the KCC generating replication links with other hubs' spoke dc's throughout the environment.

Site link costing of course comes into play here too...





Ion V. Gott
Principal Consultant
CISSP, MCSE + Security/Messaging



From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 5/9/2006 6:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Link Bridging

Having site link bridging should not have resulted in DCs from different sites registering in the same site unless there wasn't full coverage for the domains or if one of the sites didn't have a GC. Something isn't right here.

Not that that might not be a response they heard from an architecture review though, the quality of those reviews/healthchecks/RAPs and the guidance given at the end vary dramatically in quality based on the analyst involved. I have found in general though the AD folks can't give any good advice on Exchange and the Exchange healthcheck folks can't give very good advice on AD and MSFT doesn't have an all consuming healthcheck that takes all of it into account. So you end up getting a case of one healthcheck pointing at the other for sources of problems. Usually what you see is the AD folks saying everything is fine and the Exchange folks saying AD is in trouble but not being able to point at anything in particular.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 09, 2006 6:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Link Bridging

A friend of a friend when designing a new forest was asked to disable site link bridging (forest wide) based upon the reasoning given below.

I fail to see any connection between the description below and site link bridging.

Does anyone see how these issues could be caused by bridging and furthermore, why the issue would have been resolved by disabling bridging???

neil

PS I don't necessarily believe that MS really did suggest disabling bridging would help - I merely copy/pasted the original thread :)

___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481

We had an issue where the Domain Controllers in the New York site and New Jersey site were being registered under one site in DNS. This was causing users to authenticate to DCs over the WAN link as well as Exchange servers using GCs over the WAN link. This was causing some delays in users logging on as well as outlook being slow using the address book.

Also servers were synching up their time with DCs in other sites causing w32 time errors at night and during the weekend while backups were running. This caused some servers to have their time offset be 3-5 seconds.

We had Microsoft on-site services evaluate the infrastructure and they recommended that we disable the Site Link Bridging to increase performance of the above issues.


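A simplified model of the behaviour discussed in this thread, added here as an example and not taken from any poster or from Microsoft: it lists which sites a spoke is eligible to be connected to when its hub has no available DC, with bridging on (site links transitive, costs summed) and off (direct site links only). The site names, costs and the `eligible_partners` helper are assumptions; the real KCC also weighs partitions, schedules and bridgehead selection.

```python
import heapq

# Constructed topology (site names and costs are illustrative assumptions):
# three hub sites linked to each other, each with its own spoke sites.
SITE_LINKS = [
    ("HubA", "HubB", 100), ("HubB", "HubC", 100), ("HubA", "HubC", 100),
    ("HubA", "SpokeA1", 50), ("HubA", "SpokeA2", 50),
    ("HubB", "SpokeB1", 50), ("HubC", "SpokeC1", 50),
]

def adjacency(links):
    """Build an undirected adjacency map {site: [(neighbour, cost), ...]}."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    return adj

def eligible_partners(site, links, down=(), bridging=True):
    """Return {partner_site: cost} for sites that `site` may be connected to.

    bridging=False: only sites that share a site link with `site`.
    bridging=True:  site links are transitive, so any site reachable over a
                    chain of links is eligible, at the summed link cost.
    Sites in `down` have no available DC: they are never a partner, but their
    site links still count as a path when bridging is on.
    """
    adj = adjacency(links)
    if not bridging:
        direct = {}
        for neighbour, cost in adj.get(site, []):
            if neighbour not in down:
                direct[neighbour] = min(cost, direct.get(neighbour, cost))
        return direct
    # Dijkstra over the site-link graph gives the cheapest summed cost per site.
    dist = {site: 0}
    heap = [(0, site)]
    while heap:
        d, current = heapq.heappop(heap)
        if d > dist[current]:
            continue
        for neighbour, cost in adj.get(current, []):
            if d + cost < dist.get(neighbour, float("inf")):
                dist[neighbour] = d + cost
                heapq.heappush(heap, (d + cost, neighbour))
    return {s: c for s, c in dist.items() if s != site and s not in down}

if __name__ == "__main__":
    for bridging in (True, False):
        print("bridging", bridging,
              eligible_partners("SpokeA1", SITE_LINKS, down={"HubA"}, bridging=bridging))
    # With bridging off, an explicit higher-cost link to another hub is the fallback.
    backup = SITE_LINKS + [("SpokeA1", "HubB", 150)]
    print("bridging off + backup link",
          eligible_partners("SpokeA1", backup, down={"HubA"}, bridging=False))
```

With bridging on, the other hubs' spokes show up as eligible partners; with bridging off, the spoke is isolated until an explicit site link to another hub is defined.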



RE: [ActiveDir] Site Link Bridging

2006-05-09 Thread Brian Desmond
The OP's message sounds more like AutoSiteCoverage. Was there no DC for that site that has NY and NJ DCs registered under it at some point?

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ion Gott
Sent: Tuesday, May 09, 2006 7:47 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Link Bridging

The primary reason I have disabled site link bridging in the past has been to prevent domain controllers in spokes from replicating with other dc's in spoke sites that are in another hub site when they should only be replicating with DC's in the hub sites and second with spoke dc's in their own hub.

If for example you had three hub sites and one hub site failed you may want the dc's in the spokes to replicate with one of the other regional hubs rather than the KCC generating replication links with other hubs' spoke dc's throughout the environment.

Site link costing of course comes into play here too...

Ion V. Gott
Principal Consultant
CISSP, MCSE + Security/Messaging

From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 5/9/2006 6:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Link Bridging

Having site link bridging should not have resulted in DCs from different sites registering in the same site unless there wasn't full coverage for the domains or if one of the sites didn't have a GC. Something isn't right here.

Not that that might not be a response they heard from an architecture review though, the quality of those reviews/healthchecks/RAPs and the guidance given at the end vary dramatically in quality based on the analyst involved. I have found in general though the AD folks can't give any good advice on Exchange and the Exchange healthcheck folks can't give very good advice on AD and MSFT doesn't have an all consuming healthcheck that takes all of it into account. So you end up getting a case of one healthcheck pointing at the other for sources of problems. Usually what you see is the AD folks saying everything is fine and the Exchange folks saying AD is in trouble but not being able to point at anything in particular.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 09, 2006 6:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Link Bridging

A friend of a friend when designing a new forest was asked to disable site link bridging (forest wide) based upon the reasoning given below.

I fail to see any connection between the description below and site link bridging.

Does anyone see how these issues could be caused by bridging and furthermore, why the issue would have been resolved by disabling bridging???

neil

PS I don't necessarily believe that MS really did suggest disabling bridging would help - I merely copy/pasted the original thread :)

___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481

We had an issue where the Domain Controllers in the New York site and New Jersey site were being registered under one site in DNS. This was causing users to authenticate to DCs over the WAN link as well as Exchange servers using GCs over the WAN link. This was causing some delays in users logging on as well as outlook being slow using the address book.

Also servers were synching up their time with DCs in other sites causing w32 time errors at night and during the weekend while backups were running. This caused some servers to have their time offset be 3-5 seconds.

We had Microsoft on-site services evaluate the infrastructure and they recommended that we disable the Site Link Bridging to increase performance of the above issues.
