[ActiveDir] Site Link Bridging
A friend of a friend when designing a new forest was asked to disable site link bridging (forest wide) based upon the reasoning given below. I fail to see any connection between the description below and site link bridging.

Does anyone see how these issues could be caused by bridging and furthermore, why the issue would have been resolved by disabling bridging???

neil

PS I don't necessarily believe that MS really did suggest disabling bridging would help - I merely copy/pasted the original thread :)

___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481

We had an issue where the Domain Controllers in the New York site and New Jersey site were being registered under one site in DNS. This was causing users to authenticate to DCs over the WAN link as well as Exchange servers using GCs over the WAN link. This was causing some delays in users logging on as well as outlook being slow using the address book. Also servers were synching up their time with DCs in other sites causing w32 time errors at night and during the weekend while backups were running. This caused some servers to have their time offset be 3-5 seconds.

We had Microsoft on-site services evaluate the infrastructure and they recommended that we disable the Site Link Bridging to increase performance of the above issues.

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it.
Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
[ActiveDir] Test Windows 23K Firewall
What is the best and fastest way to test Windows firewall? I want to see if a specific port is blocked when it is supposed to be open.

-Z.V.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Test Windows 23K Firewall
telnet or portqry?

telnet [-a][-e escape char][-f log file][-l user][-t term][host [port]]
 -a      Attempt automatic logon. Same as -l option except uses the currently logged on user's name.
 -e      Escape character to enter telnet client prompt.
 -f      File name for client side logging
 -l      Specifies the user name to log in with on the remote system. Requires that the remote system support the TELNET ENVIRON option.
 -t      Specifies terminal type. Supported term types are vt100, vt52, ansi and vtnt only.
 host    Specifies the hostname or IP address of the remote computer to connect to.
 port    Specifies a port number or service name.

Portqry: http://support.microsoft.com/default.aspx?kbid=832919

Mike Thommes
Re: [ActiveDir] Test Windows 23K Firewall
I sometimes use netstat and if you get a syn_sent it's a good start. If you get a name as opposed to a port, check the services file in the ..\drivers\etc folder where the lmhosts file is.

Mark
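A scripted version of the telnet/portqry/netstat checks suggested in this thread, as an added example that is not part of any of the posts: it attempts a TCP connect and reports whether the port is Open, Closed (something answered with a reset) or Filtered (no answer, which is what a dropping firewall looks like from the client). Test-TcpPort is a hypothetical helper name, and the loopback listener at the end is constructed only so the block runs offline.

```powershell
# Added example. Test-TcpPort is a hypothetical helper name, not a built-in cmdlet.
function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][ValidateRange(1, 65535)][int]$Port,
        # On Windows a refused connect can take a second or more to be reported,
        # so keep the timeout comfortably above that.
        [int]$TimeoutMs = 3000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $state  = 'Filtered'
    $detail = "no reply within $TimeoutMs ms"
    try {
        # Send the SYN without blocking. While the attempt is pending, netstat
        # on the client lists the connection as SYN_SENT.
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)

        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # The attempt finished; EndConnect throws if it finished with an error.
            $client.EndConnect($pending)
            $state  = 'Open'
            $detail = 'handshake completed'
        }
    }
    catch {
        # PowerShell wraps .NET exceptions; unwrap to the underlying one.
        $ex = $_.Exception.GetBaseException()
        $state = 'Error'
        if ($ex -is [System.Net.Sockets.SocketException]) {
            switch ([string]$ex.SocketErrorCode) {
                'ConnectionRefused' { $state = 'Closed' }    # RST came back
                'TimedOut'          { $state = 'Filtered' }  # stack gave up first
            }
        }
        $detail = $ex.Message
    }
    finally {
        $client.Close()
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Port         = $Port
        State        = $state
        Detail       = $detail
    }
}

# Constructed demo on loopback so the example runs without a remote host.
$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$demoPort = $listener.LocalEndpoint.Port

# Case 1: a listener exists on the port.
Test-TcpPort -ComputerName 127.0.0.1 -Port $demoPort

# Case 2: same port after the listener is stopped, so nothing is bound to it.
$listener.Stop()
Test-TcpPort -ComputerName 127.0.0.1 -Port $demoPort
```

Run it from a machine on the far side of the firewall being tested. Closed tells you the packet was answered and the service is simply not listening, while Filtered points at a drop rule or an unreachable host.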
RE: [ActiveDir] Site Link Bridging
Having site link bridging should not have resulted in DCs from different sites registering in the same site unless there wasn't full coverage for the domains or if one of the sites didn't have a GC. Something isn't right here.

Not that that might not be a response they heard from an architecture review though, the quality of those reviews/healthchecks/RAPs and the guidance given at the end vary dramatically in quality based on the analyst involved. I have found in general though the AD folks can't give any good advice on Exchange and the Exchange healthcheck folks can't give very good advice on AD and MSFT doesn't have an all consuming healthcheck that takes all of it into account. So you end up getting a case of one healthcheck pointing at the other for sources of problems. Usually what you see is the AD folks saying everything is fine and the Exchange folks saying AD is in trouble but not being able to point at anything in particular.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
[ActiveDir] Schema extension
We received our OID from Microsoft this week, so I went ahead and added an attribute so I could flag service accounts so we won't accidentally 'clean them up' during our account cleanup processes. I then went to the User class and added my new attribute to it. When I view a user's AD schema properties, however, I'm not seeing the new property assigned to it. Is there any other step that I'm missing?

Thanks

~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
Thanks guys. Pretty much a GUI to most of the tools, but nevertheless gave me some additional ideas for modding own script.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Tuesday, May 09, 2006 5:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

Jef Kazimer wrote:
> Hmm... reading the PDF at:
> http://download.microsoft.com/download/5/8/e/58ededaf-4de0-4fd3-b500-8a8f6bbfe1f4/ADRAP_Datasheet_v1.0t_English.pdf
>
> Is this something to have running where MOM is not running? It seems a lot of this can be done via MOM, though not as slick of a consolidated interface. Sort of like an all in one package?

Believe me or not - not everybody runs MOM :)

ADST was built for different purpose - to provide a way to gather data from current state of AD (snapshot) to perform further (maybe offline) analysis and build report. Of course it may be used as ad-hoc monitoring tool.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Schema extension
Did you flush the schema cache on the schema master?

How are you viewing the user's AD schema properties?

neil
RE: [ActiveDir] Schema extension
First, you need to wait for replication to occur so that the schema change is replicated to all DCs.

How are you looking at it? If you are using LDP, but the attribute does not have a value (yet), it will not show in LDP. ADSIEDIT however shows all attributes of an object, populated or not.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Schema extension
DefaultHidingValue?

defaultHidingValue

A Boolean value that specifies the default setting of the showInAdvancedViewOnly property of new instances of this class. Many directory objects are not interesting to end users. To keep these objects from cluttering the UI, every object has a Boolean attribute called showInAdvancedViewOnly.

If defaultHidingValue is set to TRUE, new object instances are hidden in the Administrative snap-ins and the Windows shell. A menu item for the object class will not appear in the New context menu of the Administrative snap-ins even if the appropriate creation wizard properties are set on the object class's displaySpecifier object.

If defaultHidingValue is set to FALSE, new instances of the object are displayed in the Administrative snap-ins and the Windows shell. Set this property to FALSE to see instances of the class in the administrative snap-ins and the shell and enable a creation wizard and its menu item in the New menu of the administrative snap-ins.

If the defaultHidingValue value is not set, the default is TRUE.

From: http://msdn.microsoft.com/library/default.asp?url=

Mike Thommes
RE: [ActiveDir] Schema extension
This relates to classes and not attributes.

I suspect russ needs to flush the schema cache and/or wait for the change to replicate, but also to use a suitable editor, such as adsiedit.

neil
RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
I missed if anyone was making this tool available to the list? :)
RE: [ActiveDir] Schema extension
I didn't flush the cache. Wasn't aware I had to do that, plus I'm not sure where to do it. I'm viewing the AD properties with Hyena. I just looked in ADSIEDIT and DO see the new property there. I guess Hyena has some sort of filter turned on somehow. It shows all the other extensions we've while installing various applications, just not this one.
RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
The tool is not the property of anyone on this list. As such, making it available on the list would be inappropriate.

The goal of this tool has never been to be a stand-alone AD monitoring tool, nor even a snapshot tool. Rather, it was built specifically around the field offering of an AD risk assessment. As such, outside of that, the tool likely has little context, and may or may not be at all helpful. That said, it is available in this context only, to the best of my knowledge.

~Eric
Re: [ActiveDir] Exchange queue(OT)
When anyone sends to these lists on any exchange server, the same result occurs. Messages stay in the directory lookup queue for hours. Inetinfo.exe process goes through the roof in terms of cpu time and mem usage. Sometimes smtp, while still in a running state, seems to not process anything and everyone on that server complains of mail latency.

The server has 1 gig of ram. Exchange is on a raid 5 with the edb/stm/trans logs on a separate logical drive from the OS and binaries. AV is Sybari Antigen.

When diag logging is turned up, I get no further errors from the CAT. Exchange Transport logs a bunch of errors pertaining to NDR's.

The email causing this issue is an email sent to about 15 private Outlook DL's which all contain single internal members. Anywhere from 2 to 100, depending on the DL. No groups or nested groups in the DL's. All recipients are internal. No external.

Most DSAccess counters in perfmon are at 0. Out of SMTP server CAT:address lookups not found, the number is more than half of the CAT:Address Lookups in general.

Tell me if you need more info or what else I should give you to adequately help in leading me in the right direction.

Thank you

On 5/4/06, joe [EMAIL PROTECTED] wrote:

That would have been my logical response too; googling your error against the support site pulls that exact KB and you didn't mention it in your initial post... So what else have you done and discounted before a bunch of other responses come through?

Some additional questions to make the brain juices flow a little...

Is cat logging cranked up to 7?
What other cat messages are coming through?
Have you looked at the perms on the server objects to make sure they aren't incorrect?
What is the disk config in that machine (physical and logical levels) and where is everything at (i.e. bins, logs, dbs, page files, etc)?
How is the overall perf of the machine?
What is the io load in iops and how does that stack up against the theoretical max of your disk layout?
How do your dsaccess counters look? How does it compare with the normal baselines?
Are there any Special IDs in the list?
Can anyone else send to that list and not get the error?
Is there anything odd about the list or the user in terms of permissions or settings?
How long has the issue been going on?
Has the user or anyone ever been able to send to that list and not have a problem?

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, May 04, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange queue(OT)

No, I spent about 2 secs before finding that. Alas, it doesn't apply to my environment. I sometimes have an itchy send finger but, I try not to waste your guys time if I can help it.

Thanks

On 5/4/06, Katherine Coombs [EMAIL PROTECTED] wrote:

Hi Tom,

I'm sure that you've spent more than the 5 seconds that I did trying to find a solution, but I came across this article: http://support.microsoft.com/default.aspx?kbid=884996

HTH,
Katherine

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 04 May 2006 20:35
To: activedirectory
Subject: [ActiveDir] Exchange queue(OT)

I have an issue where a user sends an email to about 1800 recipients using Outlook DL's. The email always gets stuck in the messages awaiting directory lookup queue for hours (sometimes days). The only thing logged in the app log is-

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 6004
Date: 5/4/2006
Time: 3:21:02 PM
User: N/A
Computer: EXNYC01
Description: The categorizer is unable to categorize messages due to a retryable error. There is not enough space on the disk. For more information, click http://www.microsoft.com/contentredirect.asp.
Data: : 70 00 00 00 p...

The server has about 80gig of free space. I tried moving the user's mailbox to another server but she still gets the same issue.

Has anyone had experience with this error? I'm running Exchange 2k in mixed mode in an AD 2000 native mode environment.

Thanks
RE: [ActiveDir] Visio Stencil for AD Forest
I saw those. I was looking for something else - I just grabbed some good ones from Stuart's session at DEC and made a stencil.

-fitz
703-866-7473
703-626-5741 (cell)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Eaton-Lee
Sent: Saturday, May 06, 2006 10:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Visio Stencil for AD Forest

On Fri, 2006-05-05 at 14:05 -0400, Stewart, Fitz wrote:
> Anyone know where I can find a good stencil for this? I just want a cool triangle – 3D and all – and not a server or a domain, or an OU.

In the version of Visio I have (2003 Professional), I have these already, in the set of 'Active Directory Sites and Services' stencils. They don't look particularly glamorous in the preview, but they aren't bad once you use them, and look something like this:

http://jeremiad.org/images-offsite/AD.png

Had you seen these already, or were you looking for something else...

- James.

--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
Re: [ActiveDir] Exchange queue(OT)
The biggest problem is that it's E2K :) Be sure your patches are as up to date as they can be for E2K and the OS they run on.

One other test might help:

> The email causing this issue is an email sent to about 15 private Outlook DL's which all contain single internal members. Anywhere from 2 to 100, depending on the DL. No groups or nested groups in the DL's. All recipients are internal. No external.

What happens if you only send to one of those DL's? Do any of the DL's have the same issues that the group of 15 does (test by sending one message to each and observing the behavior)?

That may help to narrow it down.

Al
RE: [ActiveDir] Site Link Bridging
The primary reason I have disabled site link bridging in the past has been to prevent domain controllers in spokes from replicating with other dc's in spoke sites that are in another hub site when they should only be replicating with DC's in the hub sites and second with spoke dc's in their own hub. If for example you had three hub sites and one hub site failed you may want the dc's in the spokes to replicate with one of the other regional hubs rather than the KCC generating replication links with other hubs' spoke dc's throughout the environment. Site link costing of course comes into play here too...

Ion V. Gott
Principal Consultant
CISSP, MCSE + Security/Messaging

From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 5/9/2006 6:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Link Bridging

Having site link bridging should not have resulted in DCs from different sites registering in the same site unless there wasn't full coverage for the domains or if one of the sites didn't have a GC. Something isn't right here.

Not that that might not be a response they heard from an architecture review though, the quality of those reviews/healthchecks/RAPs and the guidance given at the end vary dramatically in quality based on the analyst involved. I have found in general though the AD folks can't give any good advice on Exchange and the Exchange healthcheck folks can't give very good advice on AD and MSFT doesn't have an all consuming healthcheck that takes all of it into account. So you end up getting a case of one healthcheck pointing at the other for sources of problems. Usually what you see is the AD folks saying everything is fine and the Exchange folks saying AD is in trouble but not being able to point at anything in particular.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] Site Link Bridging
The OP's message sounds more like AutoSiteCoverage. Was there no DC for that site that has NY and NJ DCs registered under it at some point?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132