RE: [ActiveDir][OT] DNS on a DC or NOT

2006-05-23 Thread Brian Desmond
Why do you have a weekly reboot task? This isn't NT4 anymore...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: Tuesday, May 23, 2006 9:27 PM
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
> 
> 
> What about DHCP on a DC?  We just had an issue where our weekly reboot
> task to reboot all the DCs failed on one DC and it didn't come back up.
> Any user at the site who rebooted their PC was down because they
> couldn't get an IP from DHCP.  Our standard is to run DHCP on the DCs
> at each site.  How does everyone else do it?  Maybe we just need a
> backup DHCP scope?
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of joe
> Sent: Tue 5/23/2006 8:13 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
> 
> 
> I think the goal should be to build a stable robust directory service
> that is as flexible as you make it but not so flexible that you put
> yourself into bad positions to support any one app. The goals of the
> Directory folks should be to make sure they have something that
> everyone can use and something no one group can wipe out. This means
> that every app is the same to the directory people, they have a
> dependency on the directory, none are more important than any others in
> that set of goals.
> 
> 
> I completely agree with the LDAP auth stuff. LDAP isn't an auth
> protocol. I can carry water with my two hands cupped together, doesn't
> mean I am going to try and fill a pool that way.
> 
> 
> 
> 
> RE: Resource forest for Exchange The Exchange delegation model
> sucks so much water that running a separate forest is almost the only
> way to efficiently break off Exchange support in a guaranteed safe and
> secure manner. And there are other solutions to not using MIIS, such as
> LDSU or other third party syncing. As you know I agree completely on
> MIIS'es "requirements". Personally I wouldn't even go for SQL 2005
> Express. I want to be able to specify any backend store or I want the
> backend store to be completely and utterly black box like ESE. Both
> because I don't want to have to worry about grooming it and I don't
> want to worry about SQL DBA wannabees screwing with it. Just like with
> AD there are a lot of people who think they know SQL when in fact they
> can simply spell it, this goes for several DBAs I have met through the
> years as well as some people I have heard about through others. I heard
> a story recently about a SQL Expert that made me wonder who tied his
> shoes in the morning for him. Had I been dealing with him instead of my
> oh so patient friend, I don't expect he would have reported back to
> work or his superiors would have let him come back to work. There isn't
> a class or books teaching people how to manage ESE so that makes it
> about 10,000% better than SQL Server all alone because the people who
> will be figuring out how to work with it will be doing so from MSDN API
> docs and will probably be considerably more capable than your normal
> Microsoft SQL Server DBA. But that is just one reason why I don't want
> SQL Server backend for stuff. I recall when we were at the summit a couple
> of years ago when we all were piping up about this. It doesn't appear
> anyone listened, but I think it is good that we continue to pipe up
> about it.
> 
> 
> 
> 
> 
> 
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> 
> 
> 
> 
> 
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Tuesday, May 23, 2006 10:17 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir][OT] DNS on a DC or NOT
> 
> 
> No, Exchange is not the only app for the directory.  I concur.
> Exchange does not just leverage the NOS directory for its usage. It
> relies on it heavily.  In fact, Exchange doesn't exist without it,
> but...
> 
> 
> I think the question needs to be answered though: Does the application
> dictate what the directory can do or should the directory dictate what
> the application does?  I think that's important to the way you design,
> deploy, and maintain your Active Directory, and other directory
> services in your organization.  The same theory and guidelines apply
> when you consider SiteMinder (shudder) and SunOne or OpenLDAP and
> Sendmail or ... the list goes on. Put another way, does the directory
> exist for the sole purpose of being a directory or does it exist to
> service multiple applications? If multiple applications, how much
> should the directory adjust to the needs of its constituents vs. the
> constituents adjust to the needs of the directory?  the whole not the part that's important.  But neither has a reason to
> exist without the other, so we're still s

RE: [ActiveDir] AD DNS along with Bind

2006-05-23 Thread Freddy HARTONO
Hi Mike,

If you are delegating those 6 zones to only 1 DNS server, and that DNS server
is going through a quick reboot or downtime, then none of your clients can
find the NS delegation, hence causing a "no domain controller found"
scenario, isn't it?

Interesting article mentioned below, does it apply to 2003 as well? 


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, May 24, 2006 4:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Adeel,
Here is a response from our DNS guy.  I hope it helps you.

Mike Thommes
=

Here are the steps I took for delegating the AD zones for example.com:

1) In the example.com zone on the BIND server I added these NS records
   to delegate the zone to the Windows 2003 DNS Server:

_msdcs  IN  NS  windnsserver.example.com.
_sites  IN  NS  windnsserver.example.com.
_tcp    IN  NS  windnsserver.example.com.
_udp    IN  NS  windnsserver.example.com.
ForestDNSZones  IN  NS  windnsserver.example.com.
DomainDNSZones  IN  NS  windnsserver.example.com.

2) Define these six zones on the Windows 2003 DNS Server.
   I use ONLY ONE Windows DNS Server due to serial number problems
   that can/will occur with the MS multi-master setup.  See Q282826.

   Ensure that the zones are AD-integrated with secure DDNS only.
   Change the zone properties:
 
In the SOA ensure that the "Responsible person" field has 
the correct e-mail address (with the "@" replaced with ".").

In the "Name Servers" tab add the BIND slaves (that are the
registered nameservers for the example.com domain).

Allow zone transfers to the servers in the Name Servers tab.

Notify servers in the Name Servers tab.

   These changes will have to be done for each zone, as MS has not
   implemented global zone properties.

3) Define these six zones on the BIND slave DNS servers that are
   registered for the example.com zone.  The master server is
   obviously the Windows 2003 DNS Server.

4) In my case, the parent example.com zone is still on a BIND server,
   so I have manually entered the domain "A" records on that master
   server.  

Note that there are three types of DDNS from a Windows machine:

 a) A machine (desktop, server, or DC) self-registering
 b) A DC (netlogon) registering its SRV and CNAME records
 c) A DC (netlogon) registering the domain "A" record.

There are different registry keys controlling each of these, and since they
have been implemented at different times and since some of them have been
reused (from former, still current usage), the interaction among these
registry keys is complicated.  I count 162 different cases, and I have not
had time to test all of them.  If you do not care about DDNS requests being
sent to the BIND master for the example.com zone, where (I would hope) the
DDNS would be refused, then you do not have to worry about some of these
registry keys.

With this setup, the MS Windows DNS Server is a "hidden master".
It is known only via the MNAME (master server name) field in the SOA (Start
of Authority) record in each zone.  If your clients (be they Unix, Windows,
or Mac desktops) have the BIND servers in their TCP/IP configurations, then
these clients will continue to use the BIND servers for DNS resolution.
This will work for the AD zones, as all of the AD zones are slaved on the
BIND servers.  Any machine that needs to update the zone (DCs updating CNAME
and SRV records), or Windows clients (self-registration via DHCP) will use
secure DDNS, and these machines will locate the master via a standard SOA
query.

There is NO NEED for ANY machine to have the Windows DNS Server in its
TCP/IP configuration as a DNS server.  The nice thing about this is that you
do not have to go and change any client TCP/IP configuration.

On my one MS W2003 DNS Server I have the six AD zones for anl.gov and
fifteen sets of AD zones for subdomains of anl.gov.

There is documentation in the DNS "Bible" - "DNS and BIND" 4th edition (with
a fifth edition due out any minute, I am told).  There is also
documentation in "DNS on Windows Server 2003".  Both are O'Reilly books.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994


-Original Message-
From: [EMAIL PROTECTED]
[mail
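The delegation and hidden-master layout Barry describes above (steps 1 to 3), as an added example that is not part of the original thread: a Python script that parses a constructed copy of the parent zone, reports which of the six AD names are delegated to the Windows DNS server, confirms that a slaved AD sub-zone names the Windows server only as SOA MNAME (not in its NS set), and emits the matching BIND slave stanzas. windnsserver.example.com is the name used in the post; ns1/ns2.example.com and the 192.0.2.x addresses are assumed, and the zone texts are constructed samples.

```python
"""Delegation and hidden-master checks for the BIND/Windows DNS split.

Added example, not code from the original thread. The zone texts are
constructed samples: windnsserver.example.com is the hidden master named in
the post; ns1/ns2.example.com and the 192.0.2.x addresses are assumed.
"""

# The six AD sub-zones the parent zone delegates to the Windows DNS server.
AD_SUBZONES = ("_msdcs", "_sites", "_tcp", "_udp",
               "ForestDNSZones", "DomainDNSZones")

# Constructed parent zone as it sits on the BIND master (step 1).
# DomainDNSZones is deliberately left undelegated so the check reports it.
SAMPLE_PARENT_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@              IN  SOA  ns1.example.com. hostmaster.example.com. (2006052301 7200 900 1209600 3600)
@              IN  NS   ns1.example.com.
@              IN  NS   ns2.example.com.
ns1            IN  A    192.0.2.1
ns2            IN  A    192.0.2.2
windnsserver   IN  A    192.0.2.10
_msdcs         IN  NS   windnsserver.example.com.
_sites         IN  NS   windnsserver.example.com.
_tcp           IN  NS   windnsserver.example.com.
_udp           IN  NS   windnsserver.example.com.
ForestDNSZones IN  NS   windnsserver.example.com.
"""

# Constructed copy of one AD sub-zone as slaved on BIND (step 3): the NS set
# lists only the public BIND servers; the Windows server appears only as MNAME.
SAMPLE_MSDCS_ZONE = """\
$ORIGIN _msdcs.example.com.
@   IN  SOA  windnsserver.example.com. hostmaster.example.com. (42 900 600 86400 3600)
@   IN  NS   ns1.example.com.
@   IN  NS   ns2.example.com.
"""


def parse_zone(text):
    """Return (origin, [(owner_fqdn, type, rdata), ...]).

    Handles $ORIGIN, '@', relative and absolute owners, an optional IN class
    and ';' comments. Every record must start its own line with an owner
    (no blank-owner continuation lines); enough for these checks.
    """
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):          # $TTL and friends
            continue
        owner, *rest = line.split()
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin}"
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        records.append((fqdn.lower(), rest[0].upper(), " ".join(rest[1:])))
    return origin.lower(), records


def check_ad_delegation(parent_zone_text, hidden_master):
    """Map each AD sub-zone FQDN to its NS targets in the parent zone.

    all_ok is True only when all six names are delegated to exactly the
    hidden master. A missing delegation means BIND answers for that subtree
    itself (NXDOMAIN for the SRV records) and DDNS updates for it hit the
    BIND master instead of the Windows server.
    """
    origin, records = parse_zone(parent_zone_text)
    master = hidden_master.lower().rstrip(".") + "."
    mapping = {}
    for sub in AD_SUBZONES:
        fqdn = f"{sub}.{origin}".lower()
        mapping[fqdn] = sorted(rd.lower() for o, t, rd in records
                               if o == fqdn and t == "NS")
    return mapping, all(v == [master] for v in mapping.values())


def soa_hidden_master(subzone_text):
    """Return (mname, hidden) for a slaved AD sub-zone: the SOA MNAME, and
    whether it is absent from the NS set. Secure DDNS clients locate the
    update target through MNAME, so it must be the Windows server even
    though resolvers never see it as a name server."""
    _, records = parse_zone(subzone_text)
    mname = next(rd.split()[0].lower() for _, t, rd in records if t == "SOA")
    ns_set = {rd.lower() for _, t, rd in records if t == "NS"}
    return mname, mname not in ns_set


def slave_zone_stanzas(domain, master_ip):
    """named.conf stanzas for the BIND slaves (step 3): one slave zone per AD
    sub-zone, with the Windows server as master."""
    return "\n".join(
        f'zone "{sub}.{domain}" {{ type slave; masters {{ {master_ip}; }}; '
        f'file "slave/{sub}.{domain}"; }};'
        for sub in AD_SUBZONES)


if __name__ == "__main__":
    mapping, ok = check_ad_delegation(SAMPLE_PARENT_ZONE, "windnsserver.example.com")
    for name, targets in mapping.items():
        print(f"{name:32} -> {targets or 'NOT DELEGATED'}")
    print("all six delegated to hidden master:", ok)
    print("MNAME, hidden:", soa_hidden_master(SAMPLE_MSDCS_ZONE))
    print(slave_zone_stanzas("example.com", "192.0.2.10"))
```

Run as-is it flags DomainDNSZones as missing; pointed at a dump of a real parent zone it tells you whether a resolver following the delegation, or a DC sending a secure DDNS update, ends up at the Windows server or at the BIND master (which should refuse the update, as Barry notes).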

RE: [ActiveDir][OT] DNS on a DC or NOT

2006-05-23 Thread Rimmerman, Russ

What about DHCP on a DC?  We just had an issue where our weekly reboot task to 
reboot all the DCs failed on one DC and it didn't come back up.  Any user at 
the site who rebooted their PC was down because they couldn't get an IP from 
DHCP.  Our standard is to run DHCP on the DCs at each site.  How does everyone 
else do it?  Maybe we just need a backup DHCP scope?



From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 5/23/2006 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] DNS on a DC or NOT


I think the goal should be to build a stable robust directory service that is 
as flexible as you make it but not so flexible that you put yourself into bad 
positions to support any one app. The goals of the Directory folks should be to 
make sure they have something that everyone can use and something no one group 
can wipe out. This means that every app is the same to the directory people, 
they have a dependency on the directory, none are more important than any 
others in that set of goals.

I completely agree with the LDAP auth stuff. LDAP isn't an auth protocol. I can 
carry water with my two hands cupped together, doesn't mean I am going to try 
and fill a pool that way.


RE: Resource forest for Exchange The Exchange delegation model sucks so 
much water that running a separate forest is almost the only way to efficiently 
break off Exchange support in a guaranteed safe and secure manner. And there 
are other solutions to not using MIIS, such as LDSU or other third party 
syncing. As you know I agree completely on MIIS'es "requirements". Personally I 
wouldn't even go for SQL 2005 Express. I want to be able to specify any backend 
store or I want the backend store to be completely and utterly black box like 
ESE. Both because I don't want to have to worry about grooming it and I don't 
want to worry about SQL DBA wannabees screwing with it. Just like with AD there 
are a lot of people who think they know SQL when in fact they can simply spell 
it, this goes for several DBAs I have met through the years as well as some 
people I have heard about through others. I heard a story recently about a SQL 
Expert that made me wonder who tied his shoes in the morning for him. Had I 
been dealing with him instead of my oh so patient friend, I don't expect he 
would have reported back to work or his superiors would have let him come back 
to work. There isn't a class or books teaching people how to manage ESE so that 
makes it about 10,000% better than SQL Server all alone because the people who 
will be figuring out how to work with it will be doing so from MSDN API docs 
and will probably be considerably more capable than your normal Microsoft SQL 
Server DBA. But that is just one reason why I don't want SQL Server backend for 
stuff. I recall when we were at the summit a couple of years ago when we all were 
piping up about this. It doesn't appear anyone listened, but I think it is good 
that we continue to pipe up about it.




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 23, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT


No, Exchange is not the only app for the directory.  I concur.  Exchange does 
not just leverage the NOS directory for its usage. It relies on it heavily.  
In fact, Exchange doesn't exist without it, but...

I think the question needs to be answered though: Does the application dictate 
what the directory can do or should the directory dictate what the application 
does?  I think that's important to the way you design, deploy, and maintain 
your Active Directory, and other directory services in your organization.  The 
same theory and guidelines apply when you consider SiteMinder (shudder) and 
SunOne or OpenLDAP and Sendmail or ... the list goes on. Put another way, does 
the directory exist for the sole purpose of being a directory or does it exist 
to service multiple applications? If multiple applications, how much should the 
directory adjust to the needs of its constituents vs. the constituents adjust 
to the needs of the directory? 

Figuring this out sets the stage for a solid deployment of both the directory 
service and the applications.  NOS directory aside, it is a directory and it's 
one that can and should be multifunction.  Whitepages are nice and cute and 
all, but have limited use if that's all they do.  But if it can also identify 
and authenticate a security principal (don't give me that LDAP authentication 
crap either - drives me nuts to hear LDAP being used as an authentication 
protocol ) now that's real value. What? The hosts can be multi-function 
devices? Bonus!  I like it even better. 

It's important to decide what the directory service is going to be and how it 
will be maintained IMHO.

-ajm

Exch

RE: [ActiveDir] Build an AD test lab with schema extension.

2006-05-23 Thread joe



I just took a quick glimpse at it and I would say no, not 
that I would have expected it to in the first place.
 
You may want to look at the adschemaanalyzer which can be 
found in the ADAM SP1 and ADAM R2 distributions. 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Tuesday, May 23, 2006 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Build an AD test lab with schema extension.

Hello all,
 
I'm working on duplicating my AD env. into a test 
lab. 
 
I read lots of posts about this and chose to use 
the "CreateXMLFromEnvironment.wsf" and "CreateEnvironmentFromXML.wsf" 
only.
 
The question is: I did a schema extension on my AD 
prod and I wondered if the 2 scripts will also import/export all the object 
class + attributes extended to my AD test lab ?
 
Thanks,
 
Yann


RE: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-23 Thread joe
Yeah small as in the user has multiple personalities... :o) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, May 23, 2006 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] RAID 5 Best Practice

Depends on the data. These days with identity theft rampant... 
anything with a PII element would be on a desktop over my dead body.

Software suppliers also tell me to run as admin and these days we need to
push strongly back on that as well.

Access works for a 'small' multi user app.. and I do mean small.

Dave Wade wrote:
> Joe,
>  
>  We all agree on that, however we are pretty much stuck with the 
> apps in question "as-is" as the software is supplied "from above"
> (e.g. the stuff from www.ncer.org ). These days I 
> copy the database onto a users PC and they run the reports and 
> analysis locally, as that's what the software supplier tells them to 
> do, and the users are happy with that.
>  
> Dave.
>
> --
> --
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *joe
> *Sent:* 23 May 2006 04:38
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] [OT] RAID 5 Best Practice
>
> Access is crap to use for a multiuser app. Don't discount the fact 
> that the perf could be simply related to that.
>  
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
>  
>  
>
> --
> --
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Dave Wade
> *Sent:* Thursday, May 18, 2006 7:08 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] [OT] RAID 5 Best Practice
>
> It's the one thing that seems to give us performance issues. Last time 
> I investigated things running slow, client was quiet (low CPU, short 
> disk queue, minimal paging), network was quiet yet response was slow.
> Conclusion was that server was somehow the bottleneck. I must admit I 
> didn't do much work on investigation. I think they should use 
> appropriate tool such as msde (only a few users) but program is 
> provided by central government, so we are stuck with it. I wonder if 
> it was just running same time as backups perhaps...
>
> -Original Message-
> *From:* [EMAIL PROTECTED] on behalf of Brian Desmond
> *Sent:* Thu 18/05/2006 23:34
> *To:* ActiveDir@mail.activedir.org
> *Cc:*
> *Subject:* RE: [ActiveDir] [OT] RAID 5 Best Practice
>
> Access database will likely get cached on the client in memory, in
> any case it’d be all read ops. Access doesn’t cache report output.
>
>  
>
> *Thanks,**
> *Brian Desmond**
>
> [EMAIL PROTECTED] 
>
>  
>
> *c - 312.731.3132*
>
>  
>
>  
>
> 
> --
> --
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Dave Wade
> *Sent:* Thursday, May 18, 2006 6:22 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] [OT] RAID 5 Best Practice
>
>  
>
>
> For file sharing, I would consider 0Ư but 5 would be more likely
> since you
> probably want/need the space more than the speed. File sharing doesn't
> really beat the disks up relative to a busy DC even in large
> multi-thousand
> user file servers I have seen.
>
>  
>
> What about when some idiot user sets up an Access database on one
> and runs "inappropriate" reports against it.. 
>
>  
>
>  
>
>  
>
> It is why most normal server admins really
> have no clue what to look for in terms of IO load on servers but any
> Exchange Admin worth anything is looking at that right away in a
> problem
> situation and able to quote IOPS stats off the top of their head
> and know
> what they can get from the underlying disk subsystem. Exchange
> disk configs
> are critical.
>
> 
> **
>
> This email and any files transmitted with it are confidential and
>
> intended solely for the use of the individual or entity to whom 
> they
>
> are addressed. As a public body, the Council may be required to
> disclose this email, or any response to it, under the Freedom of
> Information Act 2000, unless the information in it is covered by
> one of the exemptions in the Act.
>
> If you receive this email in error please notify Stockport
> e-Services via [EMAIL PROTECTED]
>  and then permanently remove
> it from your system.
>
> Thank you.
>
> http://www.stockport.gov.uk
>
> 
> **

RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

2006-05-23 Thread joe



Even if it updated itself it would still be stamped in the 
contents of every message that still exists somewhere within the ORG, either in 
calendars or in mailboxes. That is the address Exchange uses when you try to 
update a meeting or respond to a message. You need something constant or else 
you would lose those connections when say an email address or name 
changed.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Tuesday, May 23, 2006 4:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

Thank you both very much for the replies and for the clear 
explanations.
 
I think I will leave the legacyExchangeDN alone then. 
I was thinking about changing it because part of it refers to an 
object (Administrative Group) that no longer exists.
I am still a bit puzzled why it does not update itself when the 
Administrative Group a user sits in changes.
 
I will definitely read up on the other conversations about 
the legacyExchangeDN, sounds interesting.
 
For the time being I will leave it to what it is now. 
;-)
 
Thanks again.
 
 
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, 23 May 2006 6:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

Yep I agree with Steven here. 
 
If you really feel you need to change this, stop feeling 
that way. ;o) It can impact mail delivery when someone tries to respond to a 
message as well as calendar entry ownership, etc. 
 
If you ABSOLUTELY must change the legacyExchangeDN, then 
search the archives as there are some conversations on this. Basically you will 
need to move the former legacyExchangeDN into proxyAddresses as an x500 address. 

 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Sunday, May 21, 2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

Victor,
At first I was not sure what you were talking about.  
I've never used this column before (it's not displayed as one of the defaults 
and I'm used to looking at mailbox enabled accounts via cmdline and now 
PowerShell), but after looking at ESM what you are really talking about 
(that most of us may be more familiar with) is the mailbox's legacyExchangeDN 
attribute (which is called "Full Mailbox Directory Name" in ESM).  This 
attribute does not change when you move mailboxes from one server or 
administrative group to another, in fact changing this attribute's 
value will lead to messages that were sent out by the moved mailbox not 
being replyable.  
 
So in 
a nutshell, there is absolutely nothing wrong with what you are seeing.  It 
is expected and by design behavior.  The legacyExchangeDN is used by 
Outlook clients (under the hood) to address and submit mail through MAPI.  
When an Outlook user sends out an email to other internal mailboxes 
the from address, under the hood, is actually the legacyExchangeDN address (if 
viewed with a tool like MFCMapi it's the PR_SENDER_EMAIL_ADDRESS).  So if 
you were to change this value then any messages sent out before the change would 
become unreplyable (ok, not 100% true, because you could add an X500 address to 
the user's mailbox-enabled account that matches the old legacyExchangeDN and 
then the messages would get properly delivered).
 
Anyways, don't worry about it.  There is nothing 
wrong and I would highly recommend leaving the "full mailbox directory name" 
alone.  It's not that you can't change it, but you'd have to put its old 
value in as an additional proxy address (of the X500 type) in order for mail to 
continue to be delivered properly.  Don't really know what you'd gain from 
that in the end.  Hope this helps explain it a bit.  There is a lot 
more to it than that naturally, but I think the above summarizes some of the key 
points about why you would not want to change it.
 
Best 
regards,
Steven
 


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
  Sent: Saturday, May 20, 2006 12:47 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name
  
  Still hoping for somebody to think with me on this 
  matter  :-(
   
  75% of the mailboxes that were moved have a Full Mailbox 
  Directory Name which has the Administrative Group in it from which they were 
  moved, instead of the one they are in now.
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
  Sent: Thursday, 18 May 2006 22:20
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDi
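The mechanism Steven and joe describe above, as an added example that is not part of the original thread: a Python model of how an internal reply is routed by the sender's legacyExchangeDN (the PR_SENDER_EMAIL_ADDRESS stamped at send time), why rewriting that attribute leaves older messages unreplyable, and why copying the old value into proxyAddresses as an X500 address repairs it. The directory entries are constructed, the DN strings and the Contoso organisation are assumed, and the resolution order (legacyExchangeDN first, then X500 proxies, case-insensitive) is a simplification of what Exchange does.

```python
"""Why a changed legacyExchangeDN breaks replies, and how an X500 proxy
address repairs it.

Added example, not from the original thread. The directory entries are
constructed; the DN strings and the Contoso org are assumed. Every message
sent before a change carries the sender's legacyExchangeDN as it was then,
so on reply the store must map that stored string back to a current mailbox.
"""

OLD_DN = "/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=victor"
NEW_DN = "/o=Contoso/ou=Second Administrative Group/cn=Recipients/cn=victor"
OTHER_DN = "/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=steven"


def make_mailbox(alias, legacy_dn):
    """Minimal mailbox-enabled user: just the two attributes that matter here."""
    return {"alias": alias,
            "legacyExchangeDN": legacy_dn,
            "proxyAddresses": [f"SMTP:{alias}@contoso.example"]}


def resolve_ex_address(directory, addr):
    """Map an EX-type (legacyExchangeDN-style) address to a mailbox, or None.

    Simplified resolution order: the current legacyExchangeDN first, then any
    proxyAddresses entry of type X500, compared case-insensitively.
    """
    target = addr.lower()
    for mbx in directory:
        if mbx["legacyExchangeDN"].lower() == target:
            return mbx
        for proxy in mbx["proxyAddresses"]:
            kind, _, value = proxy.partition(":")
            if kind.upper() == "X500" and value.lower() == target:
                return mbx
    return None


def change_legacy_dn(mbx, new_dn, keep_old_as_x500):
    """Rewrite legacyExchangeDN. The safe variant first preserves the old
    value as an X500 proxy address, which is what the thread recommends."""
    if keep_old_as_x500:
        mbx["proxyAddresses"].append("X500:" + mbx["legacyExchangeDN"])
    mbx["legacyExchangeDN"] = new_dn
    return mbx


def reply_deliverable(directory, stamped_sender):
    """Can a reply to a message stamped with this sender address be routed?"""
    return resolve_ex_address(directory, stamped_sender) is not None


def scenario():
    """A message sent before the move is stamped with OLD_DN. Compare three
    directory states against that stored sender address."""
    stamped_sender = OLD_DN
    untouched = [make_mailbox("steven", OTHER_DN), make_mailbox("victor", OLD_DN)]
    changed = [make_mailbox("steven", OTHER_DN),
               change_legacy_dn(make_mailbox("victor", OLD_DN), NEW_DN, False)]
    repaired = [make_mailbox("steven", OTHER_DN),
                change_legacy_dn(make_mailbox("victor", OLD_DN), NEW_DN, True)]
    return {
        "untouched": reply_deliverable(untouched, stamped_sender),
        "changed": reply_deliverable(changed, stamped_sender),
        "repaired": reply_deliverable(repaired, stamped_sender),
        # The repaired lookup must land on the right user, not merely any user.
        "repaired_alias": resolve_ex_address(repaired, stamped_sender)["alias"],
    }


if __name__ == "__main__":
    for state, result in scenario().items():
        print(f"{state:15} {result}")
```

The "changed" case is the one Victor would have created by editing the attribute to show the new Administrative Group: nothing in the directory matches the sender address stored in the old messages any more, so replies bounce until the old value is put back as an X500 proxy.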

RE: [ActiveDir] IIS 6

2006-05-23 Thread Ken Schaefer
No, what you are stating below is incorrect.

You can add three entries to your host file.
On your IIS box, configure corresponding Host Header values for your three
sites.
Then you can access all three sites by name - no need to use alternate ports.

However you mentioned accessing sites by IP address:
" How can I access the individual URL using IP " 
Which to me means you want to use the IP address in the URL, rather than the
host name.

Can you clarify exactly what you are trying to achieve?

Cheers
Ken


:  -Original Message-
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of Za Vue
:  Sent: Wednesday, 24 May 2006 10:26 AM
:  To: ActiveDir@mail.activedir.org
:  Subject: Re: [ActiveDir] IIS 6
:  
:  Correct. Using a host file only works for one website, which solved
:  part
:  of the problem. The other site will have to use another port.
:  The main site is registered with the external DNS(BIND), but the other
:  sites are registered with internal DNS(AD) server. No forwarding.
:  When
:  in production all sites will use port 80 on the same server and
:  register
:  with ext. DNS server.
:  
:  -Z.V.
:  
:  
:  Ken Schaefer wrote:
:  > :  -Original Message-
:  > :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  > :  [EMAIL PROTECTED] On Behalf Of James Eaton-Lee
:  > :  Subject: RE: [ActiveDir] IIS 6
:  > :
:  > :  On Tue, 2006-05-23 at 10:59 +1000, Ken Schaefer wrote:
:  > :  > :  -Original Message-
:  > :  > :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  > :  > :  [EMAIL PROTECTED] On Behalf Of Za Vue
:  > :  > :  Sent: Tuesday, 23 May 2006 10:54 AM
:  > :  > :  To: ActiveDir@mail.activedir.org
:  > :  > :  Subject: [ActiveDir] IIS 6
:  > :  > :
:  > :  > :  I have a web server running IIS6 hosting 3 websites-using
:  host
:  > :  > :  header.
:  > :  > :  How can I access the individual URL using IP?
:  > :  > :
:  > :  > :  -Z.V.
:  > :  >
:  > :  > http://10.10.10.10/yourURL.htm
:  > :  >
:  > :  > If you wish to be able to access all three websites, you will
:  either
:  > :  > need to have three IP addresses -or- run the websites on three
:  > :  > different ports (80, 81, 82 etc).
:  > :
:  > :  Or he could edit the hosts file, and then since the host will be
:  sent
:  > :  in the request to the webserver he'll be given content from the
:  > :  appropriate virtual host...
:  >
:  > From my reading of the question, OP wanted to know how to access
:  the sites by
:  > IP address. Editing your hosts file doesn't help you with that.
:  >
:  > Cheers
:  > Ken
:  >
:  > --
:  > My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
:  > Tech.Ed Boston 2006 See you there: Everything the web administrator
:  needs to
:  > know about MOM 2005
:  > List info   : http://www.activedir.org/List.aspx
:  > List FAQ: http://www.activedir.org/ListFAQ.aspx
:  > List archive: http://www.mail-
:  archive.com/activedir%40mail.activedir.org/
:  >
:  
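The host-header behaviour Ken describes above, as an added example that is not part of the original thread and is not IIS: a small Python stand-in server binds one address and serves three sites distinguished only by the Host header, and a client shows that any name the browser resolves (DNS or a hosts file entry) reaches the right site, while a request by bare IP carries no usable Host value and can only reach a default. The site names and response bodies are assumed.

```python
"""Name-based virtual hosting, the way IIS host headers select a website.

Added example, not from the original thread and not IIS: a minimal server
that picks the site by Host header, plus a client that requests by name and
by bare IP. Site names and bodies are assumed.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Three sites on the same IP:port, told apart only by Host header, like three
# IIS websites each configured with a host header value.
SITES = {
    "www.example.com":      b"site A: public site",
    "intranet.example.com": b"site B: intranet",
    "test.example.com":     b"site C: test",
}
DEFAULT_BODY = b"no site is configured for this Host header"


class HostHeaderHandler(BaseHTTPRequestHandler):
    """Select the site by Host header; a bare IP matches nothing."""

    def do_GET(self):
        # Drop any :port suffix; the match is on the name only.
        host = self.headers.get("Host", "").split(":")[0].lower()
        matched = host in SITES
        body = SITES[host] if matched else DEFAULT_BODY
        self.send_response(200 if matched else 404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Listen on loopback on an ephemeral port; return (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), HostHeaderHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(port, host_header=None):
    """GET / on 127.0.0.1:port and return (status, body).

    host_header=None is what a browser sends when the IP is typed into the
    address bar: Host: 127.0.0.1, which no site claims. A hosts-file entry or
    a DNS name makes the browser send that name instead, and the name is all
    the server needs to pick the site, no extra ports or IPs required.
    """
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Host": host_header} if host_header else {}
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    status, body = resp.status, resp.read()
    conn.close()
    return status, body


def demo():
    """Hit every site by name, then the same listener by bare IP."""
    srv, port = start_server()
    try:
        results = {name: fetch(port, name) for name in SITES}
        results["by-ip"] = fetch(port)
    finally:
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:24} {status} {body.decode()}")
```

Three hosts-file lines pointing the three names at the server's IP are enough for testing before the names exist in external DNS; the only thing a bare-IP URL can reach is whichever site is left without a host header value (here the 404 default), which is why accessing all three "by IP" needs three IPs or three ports.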


Re: [ActiveDir] IIS 6

2006-05-23 Thread Za Vue
Correct. Using a host file only works for one website, which solved part 
of the problem. The other site will have to use another port.
The main site is registered with the external DNS(BIND), but the other 
sites are registered with internal DNS(AD) server. No forwarding.  When 
in production all sites will use port 80 on the same server and register 
with ext. DNS server.


-Z.V.


Ken Schaefer wrote:

:  -Original Message-
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of James Eaton-Lee
:  Subject: RE: [ActiveDir] IIS 6
:  
:  On Tue, 2006-05-23 at 10:59 +1000, Ken Schaefer wrote:

:  > :  -Original Message-
:  > :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  > :  [EMAIL PROTECTED] On Behalf Of Za Vue
:  > :  Sent: Tuesday, 23 May 2006 10:54 AM
:  > :  To: ActiveDir@mail.activedir.org
:  > :  Subject: [ActiveDir] IIS 6
:  > :
:  > :  I have a web server running IIS6 hosting 3 websites-using host
:  > :  header.
:  > :  How can I access the individual URL using IP?
:  > :
:  > :  -Z.V.
:  >
:  > http://10.10.10.10/yourURL.htm
:  >
:  > If you wish to be able to access all three websites, you will either
:  > need to have three IP addresses -or- run the websites on three 
:  > different ports (80, 81, 82 etc).
:  
:  Or he could edit the hosts file, and then since the host will be sent

:  in the request to the webserver he'll be given content from the
:  appropriate virtual host...

From my reading of the question, OP wanted to know how to access the sites by
IP address. Editing your hosts file doesn't help you with that.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to
know about MOM 2005


RE: [ActiveDir] IIS 6

2006-05-23 Thread Brian Desmond
I thought he wanted to access them by name without the DNS entries e.g.
for testing or something.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Ken Schaefer
> Sent: Tuesday, May 23, 2006 7:50 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] IIS 6
> 
> :  -Original Message-
> :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
> :  [EMAIL PROTECTED] On Behalf Of James Eaton-Lee
> :  Subject: RE: [ActiveDir] IIS 6
> :
> :  On Tue, 2006-05-23 at 10:59 +1000, Ken Schaefer wrote:
> :  > :  -Original Message-
> :  > :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
> :  > :  [EMAIL PROTECTED] On Behalf Of Za Vue
> :  > :  Sent: Tuesday, 23 May 2006 10:54 AM
> :  > :  To: ActiveDir@mail.activedir.org
> :  > :  Subject: [ActiveDir] IIS 6
> :  > :
> :  > :  I have a web server running IIS6 hosting 3 websites-using host
> :  > :  header.
> :  > :  How can I access the individual URL using IP?
> :  > :
> :  > :  -Z.V.
> :  >
> :  > http://10.10.10.10/yourURL.htm
> :  >
> :  > If you wish to be able to access all three websites, you will
> either
> :  > need to have three IP addresses -or- run the websites on three
> :  > different ports (80, 81, 82 etc).
> :
> :  Or he could edit the hosts file, and then since the host will be
> sent
> :  in the request to the webserver he'll be given content from the
> :  appropriate virtual host...
> 
> From my reading of the question, OP wanted to know how to access the sites by
> IP address. Editing your hosts file doesn't help you with that.
> 
> Cheers
> Ken
> 
> --
> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken Tech.Ed Boston 2006 See
> you there: Everything the web administrator needs to know about MOM
> 2005


RE: [ActiveDir] IIS 6

2006-05-23 Thread Ken Schaefer
:  -Original Message-
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of James Eaton-Lee
:  Subject: RE: [ActiveDir] IIS 6
:  
:  On Tue, 2006-05-23 at 10:59 +1000, Ken Schaefer wrote:
:  > :  -Original Message-
:  > :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  > :  [EMAIL PROTECTED] On Behalf Of Za Vue
:  > :  Sent: Tuesday, 23 May 2006 10:54 AM
:  > :  To: ActiveDir@mail.activedir.org
:  > :  Subject: [ActiveDir] IIS 6
:  > :
:  > :  I have a web server running IIS6 hosting 3 websites-using host
:  > :  header.
:  > :  How can I access the individual URL using IP?
:  > :
:  > :  -Z.V.
:  >
:  > http://10.10.10.10/yourURL.htm
:  >
:  > If you wish to be able to access all three websites, you will either
:  > need to have three IP addresses -or- run the websites on three 
:  > different ports (80, 81, 82 etc).
:  
:  Or he could edit the hosts file, and then since the host will be sent
:  in the request to the webserver he'll be given content from the
:  appropriate virtual host...

From my reading of the question, OP wanted to know how to access the sites by
IP address. Editing your hosts file doesn't help you with that.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to
know about MOM 2005


RE: [ActiveDir] AD DNS along with Bind

2006-05-23 Thread Adeel Ansari
Mike, 

This is very detailed and clearly written. I appreciate it, say my thanks to
your DNS guy! 

Adeel

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Thommes, Michael
M.
Sent: Tuesday, May 23, 2006 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind


Adeel,
Here is a response from our DNS guy.  I hope it helps you.

Mike Thommes
=

Here are the steps I took for delegating the AD zones for example.com:

1) In the example.com zone on the BIND server I added these NS records
   to delegate the zone to the Windows 2003 DNS Server:

_msdcs  IN  NS  windnsserver.example.com.
_sites  IN  NS  windnsserver.example.com.
_tcp    IN  NS  windnsserver.example.com.
_udp    IN  NS  windnsserver.example.com.
ForestDNSZones  IN  NS  windnsserver.example.com.
DomainDNSZones  IN  NS  windnsserver.example.com.

2) Define these six zones on the Windows 2003 DNS Server.
   I use ONLY ONE Windows DNS Server due to serial number problems
   that can/will occur with the MS multi-master setup.  See Q282826.

   Ensure that the zones are AD-integrated with secure DDNS only.
   Change the zone properties:
 
In the SOA ensure that the "Responsible person" field has
the correct e-mail address (with the "@" replaced with ".").

In the "Name Servers" tab add the BIND slaves (that are the
registered nameservers for the example.com domain).

Allow zone transfers to the servers in the Name Servers tab.

Notify servers in the Name Servers tab.

   These changes will have to be done for each zone, as MS has not
   implemented global zone properties.

3) Define these six zones on the BIND slave DNS servers that are
   registered for the example.com zone.  The master server is
   obviously the Windows 2003 DNS Server.

4) In my case, the parent example.com zone is still on a BIND server,
   so I have manually entered the domain "A" records on that master
   server.  

Note that there are three types of DDNS from a Windows machine:

 a) A machine (desktop, server, or DC) self-registering
 b) A DC (netlogon) registering its SRV and CNAME records
 c) A DC (netlogon) registering the domain "A" record.

There are different registry keys controlling each of these, and since
they have been implemented at different times and since some of them
have been reused (from former, still current usage), the interaction
among these registry keys is complicated.  I count 162 different cases,
and I have not had time to test all of them.  If you do not care about
DDNS requests being sent to the BIND master for the example.com zone,
where (I would hope) the DDNS would be refused, then you do not have to
worry about some of these registry keys.

With this setup, the MS Windows DNS Server is a "hidden master".
It is known only via the MNAME (master server name) field in the SOA
(Start of Authority) record in each zone.  If your clients (be they
Unix, Windows, or Mac desktops) have the BIND servers in their TCP/IP
configurations, then these clients will continue to use the BIND servers
for DNS resolution.  This will work for the AD zones, as all of the AD
zones are slaved on the BIND servers.  Any machine that needs to update
the zone (DCs updating CNAME and SRV records), or Windows clients
(self-registration via DHCP) will use secure DDNS, and these machines
will locate the master via a standard SOA query.

There is NO NEED for ANY machine to have the Windows DNS Server in its
TCP/IP configuration as a DNS server.  The nice thing about this is that
you do not have to go and change any client TCP/IP configuration.

On my one MS W2003 DNS Server I have the six AD zones for anl.gov and
fifteen sets of AD zones for subdomains of anl.gov.

There is documentation in the DNS "Bible" - "DNS and BIND" 4th edition
(with a fifth edition due out any minute, I am told).  There is also
documentation in "DNS on Windows Server 2003".  Both are O'Reilly books.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, May 23, 2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DNS along with Bind

Team,

Is it possible to have AD DCs manage all the dynamic zones i.e. _tcp,
_udp,
_msdcs etc. and have the rest of the non-AD zones managed by Bind. Has
anyone done something like this? There is a MS article (ID:255913) tha

RE: [ActiveDir] AD DNS along with Bind

2006-05-23 Thread Thommes, Michael M.
Adeel,
Here is a response from our DNS guy.  I hope it helps you.

Mike Thommes
=

Here are the steps I took for delegating the AD zones for example.com:

1) In the example.com zone on the BIND server I added these NS records
   to delegate the zone to the Windows 2003 DNS Server:

_msdcs  IN  NS  windnsserver.example.com.
_sites  IN  NS  windnsserver.example.com.
_tcp    IN  NS  windnsserver.example.com.
_udp    IN  NS  windnsserver.example.com.
ForestDNSZones  IN  NS  windnsserver.example.com.
DomainDNSZones  IN  NS  windnsserver.example.com.

2) Define these six zones on the Windows 2003 DNS Server.
   I use ONLY ONE Windows DNS Server due to serial number problems
   that can/will occur with the MS multi-master setup.  See Q282826.

   Ensure that the zones are AD-integrated with secure DDNS only.
   Change the zone properties:
 
In the SOA ensure that the "Responsible person" field has
the correct e-mail address (with the "@" replaced with ".").

In the "Name Servers" tab add the BIND slaves (that are the
registered nameservers for the example.com domain).

Allow zone transfers to the servers in the Name Servers tab.

Notify servers in the Name Servers tab.

   These changes will have to be done for each zone, as MS has not
   implemented global zone properties.

3) Define these six zones on the BIND slave DNS servers that are
   registered for the example.com zone.  The master server is
   obviously the Windows 2003 DNS Server.

4) In my case, the parent example.com zone is still on a BIND server,
   so I have manually entered the domain "A" records on that master
   server.  

Note that there are three types of DDNS from a Windows machine:

 a) A machine (desktop, server, or DC) self-registering
 b) A DC (netlogon) registering its SRV and CNAME records
 c) A DC (netlogon) registering the domain "A" record.

There are different registry keys controlling each of these, and since
they have been implemented at different times and since some of them
have been reused (from former, still current usage), the interaction
among these registry keys is complicated.  I count 162 different cases,
and I have not had time to test all of them.  If you do not care about
DDNS requests being sent to the BIND master for the example.com zone,
where (I would hope) the DDNS would be refused, then you do not have to
worry about some of these registry keys.

With this setup, the MS Windows DNS Server is a "hidden master".
It is known only via the MNAME (master server name) field in the SOA
(Start of Authority) record in each zone.  If your clients (be they
Unix, Windows, or Mac desktops) have the BIND servers in their TCP/IP
configurations, then these clients will continue to use the BIND servers
for DNS resolution.  This will work for the AD zones, as all of the AD
zones are slaved on the BIND servers.  Any machine that needs to update
the zone (DCs updating CNAME and SRV records), or Windows clients
(self-registration via DHCP) will use secure DDNS, and these machines
will locate the master via a standard SOA query.

There is NO NEED for ANY machine to have the Windows DNS Server in its
TCP/IP configuration as a DNS server.  The nice thing about this is that
you do not have to go and change any client TCP/IP configuration.

On my one MS W2003 DNS Server I have the six AD zones for anl.gov and
fifteen sets of AD zones for subdomains of anl.gov.

There is documentation in the DNS "Bible" - "DNS and BIND" 4th edition
(with a fifth edition due out any minute, I am told).  There is also
documentation in "DNS on Windows Server 2003".  Both are O'Reilly books.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, May 23, 2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DNS along with Bind

Team,

Is it possible to have AD DCs manage all the dynamic zones, i.e. _tcp,
_udp, _msdcs etc., and have the rest of the non-AD zones managed by Bind? Has
anyone done something like this? There is a MS article (ID:255913) that
talks about it, however it doesn't say what DNS server the client should point to.

Regards,
Adeel

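The BIND side of the hidden-master layout described in the steps above, as an added example that is not code from the original posts: it emits the parent-zone NS delegations and the slave zone stanzas for the six AD zones, checks a parent-zone fragment for missing or misdirected delegations, and reads the master name out of an SOA answer the way a DDNS client does. The master address, zone directory and the sample zone fragment are constructed placeholders.

```python
"""BIND side of the hidden-master layout from the steps above: the six AD
zones are delegated from the BIND-hosted parent zone to one Windows DNS
server, and the BIND servers slave those zones back from it.  Added example,
not code from the original posts; the master address, zone directory and
the sample zone fragment are constructed placeholders.
"""
import re

# The six zones delegated to the Windows 2003 DNS server (from step 1 above).
AD_ZONES = ("_msdcs", "_sites", "_tcp", "_udp", "ForestDNSZones", "DomainDNSZones")

# "<owner> [ttl] [IN] NS <target>" in zone-file syntax.
NS_LINE = re.compile(r"^\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?NS\s+(\S+)\s*$", re.IGNORECASE)


def delegation_records(master_host):
    """NS records to add to the parent zone on the BIND master (step 1)."""
    return ["%-16s IN  NS  %s" % (zone, master_host) for zone in AD_ZONES]


def slave_zone_stanzas(parent, master_ip, zone_dir="/var/named/slaves"):
    """named.conf stanzas for the BIND slaves (step 3).  The Windows DNS
    server is the only master, and the slaves never accept updates themselves:
    DDNS clients must find the master through the SOA MNAME instead."""
    stanzas = []
    for zone in AD_ZONES:
        fqdn = "%s.%s" % (zone, parent)
        stanzas.append(
            'zone "%s" {\n'
            "    type slave;\n"
            '    file "%s/%s.db";\n'
            "    masters { %s; };\n"
            "    allow-update { none; };\n"
            "};\n" % (fqdn, zone_dir, fqdn, master_ip)
        )
    return "".join(stanzas)


def check_delegation(zone_text, parent, master_host):
    """Read the NS records of a parent-zone fragment and report the AD zones
    that are not delegated to master_host ("missing") and those that also
    point somewhere else ("wrong")."""
    want = master_host.rstrip(".").lower()
    suffix = "." + parent.rstrip(".").lower()
    seen = {}
    for line in zone_text.splitlines():
        match = NS_LINE.match(line.split(";")[0])   # drop zone-file comments
        if not match:
            continue
        owner = match.group(1).rstrip(".").lower()
        if owner.endswith(suffix):                  # accept fully qualified owners
            owner = owner[: -len(suffix)]
        seen.setdefault(owner, set()).add(match.group(2).rstrip(".").lower())
    missing = [z for z in AD_ZONES if want not in seen.get(z.lower(), set())]
    wrong = [z for z in AD_ZONES if seen.get(z.lower(), set()) - {want}]
    return {"missing": missing, "wrong": wrong}


def master_from_soa(soa_rdata):
    """A secure DDNS client locates the hidden master through the MNAME
    field of the zone's SOA record; return it from an SOA answer's rdata."""
    return soa_rdata.split()[0].rstrip(".")


# Constructed parent-zone fragment: one delegation points at the wrong host
# and one is missing, so check_delegation() has something to report.
SAMPLE_PARENT_FRAGMENT = """
; example.com zone on the BIND master (constructed sample)
_msdcs          IN  NS  windnsserver.example.com.
_sites          IN  NS  windnsserver.example.com.
_tcp            IN  NS  windnsserver.example.com.
ForestDNSZones  IN  NS  windnsserver.example.com.
DomainDNSZones  IN  NS  olddc.example.com.
"""

if __name__ == "__main__":
    print("\n".join(delegation_records("windnsserver.example.com.")))
    print(slave_zone_stanzas("example.com", "192.0.2.10"))
    print(check_delegation(SAMPLE_PARENT_FRAGMENT, "example.com", "windnsserver.example.com."))
```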

RE: [ActiveDir] I try to execute applications in a script of a GPO but close after a few seconds

2006-05-23 Thread Darren Mar-Elia

The only thing that GP will do around script execution is limit the combined time that all scripts will run, to prevent hanging scripts from hanging up a startup or logon process. The default total time for script execution is 10 minutes but you can adjust this using the policy at Computer Configuration\Admin Templates\System\Scripts\Maximum wait time for GP scripts. If someone adjusted this down dramatically, that would explain why your scripts are terminating before completing. Darren

From: "joe" <[EMAIL PROTECTED]>
Sent: Monday, May 22, 2006 10:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I try to execute applications in a script of a GPO but close after a few seconds

You need a GPO expert here but it sounds like the GPO processing is finishing up and it is closing out all of the outstanding processes it spawned.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Sánchez Trujillo
Sent: Thursday, May 18, 2006 3:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I try to execute applications in a script of a GPO but close after a few seconds

Hello,

We have three domain controllers on Windows 2000 Server, and Windows XP SP2 workstations. All users and machines are configured with group policies; in one of these GPOs there are several VBScripts, and one of the scripts executes some applications.

I try to execute the applications with this code (in this case I try to execute Notepad):

Dim WShell
' Windows Script Host shell object, used to launch an external program
Set WShell = Wscript.CreateObject("Wscript.Shell")
WShell.Run("c:\WINDOWS\notepad.exe")

The script runs when the user logs on, and at the beginning the applications run correctly, but after a few seconds all the applications are closed.

As additional information, the antivirus program (VirusScan 8.0) doesn't report anything about a possible lock.

Thanks for your time, and sorry for my terrible English.

Sergio Sánchez Trujillo.

Sergio Sánchez Trujillo
Systems technician
Proyecto Outsourcing EPES
iSOFT
Office in Spain
Carretera Nacional 340, km 259, nr.32.
29790 Chilches Costa

RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

2006-05-23 Thread Victor W.



Thank you both very much for the replies and for the clear explanations.

I think I will leave the legacyExchangeDN alone then.
I was thinking about changing it because part of it refers to an object (Administrative Group) that no longer exists.
I am still a bit puzzled why it does not update itself when the Administrative Group a user sits in changes.

I will definitely read up on the other conversations about the legacyExchangeDN, sounds interesting.

For the time being I will leave it as it is now. ;-)
 
Thanks again.
 
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, 23 May 2006 6:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

Yep I agree with Steven here. 
 
If you really feel you need to change this, stop feeling 
that way. ;o) It can impact mail delivery when someone tries to respond to a 
message as well as calendar entry ownership, etc. 
 
If you ABSOLUTELY must change the legacyExchangeDN, then 
search the archives as there are some conversations on this. Basically you will 
need to move the former legacyExchangeDN into proxyAddresses as an x500 address. 

 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Sunday, May 21, 2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

Victor,
At first I was not sure what you were talking about. I've never used this column before (it's not displayed as one of the defaults and I'm used to looking at mailbox-enabled accounts via cmdline and now PowerShell), but after looking at ESM what you are really talking about (that most of us may be more familiar with) is the mailbox's legacyExchangeDN attribute (which is called "Full Mailbox Directory Name" in ESM). This attribute does not change when you move mailboxes from one server or administrative group to another; in fact changing this attribute's value will lead to messages that were sent out by the moved mailbox not being replyable.
 
So in 
a nutshell, there is absolutely nothing wrong with what you are seeing.  It 
is expected and by design behavior.  The legacyExchangeDN is used by 
Outlook clients (under the hood) to address and submit mail through MAPI.  
When an Outlook user sends out an email to other internal mailboxes 
the from address, under the hood, is actually the legacyExchangeDN address (if 
viewed with a tool like MFCMapi it's the PR_SENDER_EMAIL_ADDRESS).  So if 
you were to change this value then any messages sent out before the change would 
become unreplyable (ok, not 100% true, because you could add an X500 address to 
the user's mailbox-enabled account that matches the old legacyExchangeDN and 
then the messages would get properly delivered).
 
Anyways, don't worry about it. There is nothing wrong and I would highly recommend leaving the "full mailbox directory name" alone. It's not that you can't change it, but you'd have to put its old value in as an additional proxy address (of the X500 type) in order for mail to continue to be delivered properly. Don't really know what you'd gain from that in the end. Hope this helps explain it a bit. There is a lot more to it than that naturally, but I think the above summarizes some of the key points about why you would not want to change it.
 
Best 
regards,
Steven
 


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
  Sent: Saturday, May 20, 2006 12:47 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name
  
  Still hoping for somebody to think with me on this 
  matter  :-(
   
  75% of the mailboxes that were moved have a Full Mailbox Directory Name which has the Administrative Group in it from which they were moved, instead of the one they are in now.
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
  Sent: Thursday, 18 May 2006 22:20
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name
  
  Perhaps I need to clarify this a little. What I mean is that a mailbox that has been moved to another Administrative Group still has the Administrative Group from which it was moved in its Full Mailbox Directory Name.
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
  Sent: Tuesday, 16 May 2006 22:32
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name
  
   
  We are in the 
  middle of a migration from Exchange 2000 to Exchange 2003. We have 2 
  Administrative Groups in ESM. one of th
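What Steven and joe describe about legacyExchangeDN and the X500 proxy address, as an added example that is not code from the thread: a constructed directory, a resolver that matches the sender address carried by an old message against legacyExchangeDN and the X500: proxy addresses, and the LDIF that changes the DN while keeping the old value reachable. The DNs, addresses and directory entries are constructed samples.

```python
"""legacyExchangeDN and the X500 proxy address, as described above.  A reply
to an older message carries the sender's legacyExchangeDN at send time
(PR_SENDER_EMAIL_ADDRESS); delivery works only while some mailbox still
answers to that value, either as its legacyExchangeDN or as an X500: entry
in proxyAddresses.  Added example, not code from the thread; the directory
entries below are constructed samples.
"""


def x500_alias(legacy_dn):
    """proxyAddresses entry that keeps an old legacyExchangeDN routable."""
    return "X500:" + legacy_dn


def owned_legacy_addresses(entry):
    """The legacy addresses a mailbox answers to: its legacyExchangeDN plus
    every X500: proxy address (the type tag is case-insensitive)."""
    addrs = [entry["legacyExchangeDN"]]
    addrs += [p[5:] for p in entry.get("proxyAddresses", []) if p[:5].upper() == "X500:"]
    return addrs


def resolve_legacy_address(directory, address):
    """DN of the mailbox owning a legacy (EX) address, or None when a reply
    to that address would bounce.  Matching is case-insensitive."""
    target = address.lower()
    for entry in directory:
        if any(a.lower() == target for a in owned_legacy_addresses(entry)):
            return entry["dn"]
    return None


def rename_legacy_dn(entry, new_legacy_dn, keep_alias=True):
    """Copy of entry with legacyExchangeDN changed.  With keep_alias the old
    value is added as an X500 proxy address (once) so old mail stays replyable;
    keep_alias=False is the mistake the thread warns about."""
    updated = dict(entry, proxyAddresses=list(entry.get("proxyAddresses", [])))
    old = entry["legacyExchangeDN"]
    present = {p.lower() for p in updated["proxyAddresses"]}
    if keep_alias and x500_alias(old).lower() not in present:
        updated["proxyAddresses"].append(x500_alias(old))
    updated["legacyExchangeDN"] = new_legacy_dn
    return updated


def ldif_change_legacy_dn(entry, new_legacy_dn):
    """LDIF modify record for the same change, for review before applying it
    with a directory tool; empty when the value would not change."""
    old = entry["legacyExchangeDN"]
    if old.lower() == new_legacy_dn.lower():
        return ""
    lines = ["dn: %s" % entry["dn"], "changetype: modify"]
    present = {p.lower() for p in entry.get("proxyAddresses", [])}
    if x500_alias(old).lower() not in present:
        lines += ["add: proxyAddresses", "proxyAddresses: %s" % x500_alias(old), "-"]
    lines += ["replace: legacyExchangeDN", "legacyExchangeDN: %s" % new_legacy_dn, "-"]
    return "\n".join(lines) + "\n"


# Constructed sample: a mailbox that was moved between administrative groups.
OLD_DN = "/o=Example Org/ou=First Administrative Group/cn=Recipients/cn=victorw"
NEW_DN = "/o=Example Org/ou=Second Administrative Group/cn=Recipients/cn=victorw"
DIRECTORY = [
    {
        "dn": "CN=Victor W,OU=Users,DC=example,DC=com",
        "legacyExchangeDN": OLD_DN,
        "proxyAddresses": ["SMTP:victorw@example.com"],
    }
]

if __name__ == "__main__":
    print(ldif_change_legacy_dn(DIRECTORY[0], NEW_DN))
```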

[ActiveDir] AD DNS along with Bind

2006-05-23 Thread Adeel Ansari
Team,

Is it possible to have AD DCs manage all the dynamic zones, i.e. _tcp, _udp,
_msdcs etc., and have the rest of the non-AD zones managed by Bind? Has
anyone done something like this? There is a MS article (ID:255913) that
talks about it, however it doesn't say what DNS server the client should point to.

Regards,
Adeel



Re: [ActiveDir] (OT)Non authenticating DC

2006-05-23 Thread Mark Parris
Nope - I meant OT at the time as we had just flamed a sarcastic post and I was
not in the mood for a flaming of my own.

Anyway thanks for replying and perhaps "The Canadian" is making notes.

Mark


-Original Message-
From: "Grillenmeier, Guido" <[EMAIL PROTECTED]>
Date: Tue, 23 May 2006 15:45:29 
To:
Subject: RE: [ActiveDir] (OT)Non authenticating DC

maybe mark meant it as "on topic" :-)

I'm also not aware of any such changes, but as the mgmt of Read-Only DCs
(e.g. for PW replication or Admin Separation) is also not fully
finalized yet, we may see additional GPO options to configure various
aspects of the DCs. Who knows - maybe disabling authentication is one of
them.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, 18 May 2006 02:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] (OT)Non authenticating DC

I am not familiar with anything like this being on the drawing board.
Doesn't mean it isn't though. 

This is one topic that definitely doesn't need the OT moniker in my
opinion.

  joe 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, May 17, 2006 12:19 PM
To: ActiveDir.org
Subject: [ActiveDir] (OT)Non authenticating DC

With the upcoming release of Longhorn will it be possible via a tick box or
GPO to disable authentication on a DC?  For example when it's used as a
replication hub or as a lag site DC? I know how I could do it now, i.e. SRV
records\pause netlogon, but something like this I could control via policy
with more control.

Regards

Mark


[ActiveDir] Build an AD test lab with schema extension.

2006-05-23 Thread TIROA YANN
Hello all,
 
I'm working on duplicating my AD env. into a test 
lab. 
 
I read lots of posts about this and chose to use 
the "CreateXMLFromEnvironment.wsf" and "CreateEnvironmentFromXML.wsf" 
only.
 
The question is: I did a schema extension on my AD 
prod and i wondered if the 2 scripts will also import/export all the object 
class + attributes extended to my AD test lab ?
 
Thanks,
 
Yann

RE : [ActiveDir] Delete only one object in the Tom bstone.

2006-05-23 Thread TIROA YANN
Hi Guido,
 
There is no secret behind the wall :o)
 
This is the full story.
 
I have Active Directory Connectors that permit bidirectional replication of 
all 5.5 mailboxes <-> Active Directory Forest.
The problem is that I had an issue where a user object had the ADC-Global-names 
mapped with multiple users' DNs, and that is something wrong with the system. The 
fact is, when the user (with multiple ADC-Global-names) has been deleted from 
AD, the deletion (from the tombstoned container) affects all the Exchange 
mailboxes that correspond to the ADC-Global-names populated in that user.
So 5 mailboxes were deleted. So I disabled the deletion from Windows -> Exchange 
from occurring. And I wondered if there was a way to delete *ONLY* the user in 
question.
 
Just to remind, the tombstoned container in AD is also replicated via the 
connection agreement.
 
Thanks,
 
Yann



From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Date: Tue 23/05/2006 16:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delete only one object in the Tombstone.


hmm - what would be the reason why you'd want to purge a single deleted object 
(tombstone) from your AD?  What secret information does the tombstone contain 
that you don't wish to remain in it?  Realize that there are hardly any 
attributes that remain in the tombstone by default, unless you've changed the 
searchflags of your attributes to include more.
 
E.g. by default, the only attributes kept in a user account's tombstone via 
the searchflags are:
Instance-Type
Legacy-Exchange-DN
NT-Security-Descriptor
Object-Class
Object-Guid
Object-Sid
Repl-Property-Meta-Data
SAM-Account-Name
System-Flags
uid
User-Account-Control
USN-Changed
USN-Created

Note that a few other attributes are hardcoded in AD to remain in the 
tombstone. If these really contain anything critical you'd want to get rid of 
(maybe in the name attribute etc.), you'd have the option to reanimate the 
tombstone (undelete) and then edit it appropriately, and delete it again :-). 
I'm actually unsure if the system allows you to edit the object in the deleted 
items container directly - might be worth a try.
 
/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
Simon-Weidner
Sent: Monday, 22 May 2006 14:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delete only one object in the Tombstone.


Hello Tiroa,
 
it is not possible to purge Tombstones, no matter if one or all. For all you'd 
be able to modify tombstone lifetime and the system time, however I strongly 
doubt this would be supported by MS (tombstone-lifetime is supported, modifying 
systemtime to enforce garbage collection of tombstones most likely not).

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:   
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D   
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA 
YANN
Sent: Monday, May 22, 2006 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delete only one object in the Tombstone.


Hello,
 
I'd like to know if it is possible to delete *only one* object in the 
tombstone instead of purging all the objects ?
 
Thanks,
 
Yann


RE: [ActiveDir] (OT)Non authenticating DC

2006-05-23 Thread Grillenmeier, Guido
maybe mark meant it as "on topic" :-)

I'm also not aware of any such changes, but as the mgmt of Read-Only DCs
(e.g. for PW replication or Admin Separation) is also not fully
finalized yet, we may see additional GPO options to configure various
aspects of the DCs. Who knows - maybe disabling authentication is one of
them.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, 18 May 2006 02:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] (OT)Non authenticating DC

I am not familiar with anything like this being on the drawing board.
Doesn't mean it isn't though. 

This is one topic that definitely doesn't need the OT moniker in my
opinion.

  joe 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, May 17, 2006 12:19 PM
To: ActiveDir.org
Subject: [ActiveDir] (OT)Non authenticating DC

With the upcoming release of Longhorn will it be possible via a tick box or
GPO to disable authentication on a DC?  For example when it's used as a
replication hub or as a lag site DC? I know how I could do it now, i.e. SRV
records\pause netlogon, but something like this I could control via policy
with more control.

Regards

Mark


RE: [ActiveDir] Delete only one object in the Tombstone.

2006-05-23 Thread Grillenmeier, Guido



hmm - what would be the reason why you'd want to purge a 
single deleted object (tombstone) from your AD?  What secret information 
does the tombstone contain that you don't wish to remain in it?  Realize 
that there are hardly any attributes that remain in the tombstone by default, 
unless you've changed the searchflags of your attributes to include 
more.
 
E.g. by default, the only attributes kept in 
a user account's tombstone via the searchflags are:
Instance-Type
Legacy-Exchange-DN
NT-Security-Descriptor
Object-Class
Object-Guid
Object-Sid
Repl-Property-Meta-Data
SAM-Account-Name
System-Flags
uid
User-Account-Control
USN-Changed
USN-Created

Note that a few other attributes are hardcoded in 
AD to remain in the tombstone. If these really contain anything critical 
you'd want to get rid of (maybe in the name attribute etc.), you'd have the 
option to reanimate the tombstone (undelete) and then edit it appropriately, and 
delete it again :-). I'm actually unsure if the system allows you to edit 
the object in the deleted items container directly - might be worth a 
try.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, 22 May 2006 14:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delete only one object in the Tombstone.

Hello Tiroa,
 
it is not possible to purge Tombstones, no matter if one or all. For all you'd 
be able to modify tombstone lifetime and the system time, however I strongly 
doubt this would be supported by MS (tombstone-lifetime is supported, modifying 
systemtime to enforce garbage collection of tombstones most likely not).

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
  Sent: Monday, May 22, 2006 10:59 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Delete only one object in the Tombstone.
  
  Hello,
   
  I'd like to know if it is possible to delete 
  *only one* object in the tombstone instead of purging all the objects 
  ?
   
  Thanks,
   
  Yann
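The searchflags check Guido refers to, as an added example that is not code from the thread: the "preserve on delete" bit (0x8) of an attribute's searchFlags decides whether the attribute survives in a tombstone, and the LDAP bitwise-AND matching rule is how you ask the schema partition which attributes carry it. The schema entries below are constructed, not a dump of a real schema.

```python
"""Which attributes survive in a tombstone is decided by the schema: an
attributeSchema object whose searchFlags carries bit 0x8 (preserve on
delete) keeps its value on the deleted object.  Added example, not from
the thread; SCHEMA_SAMPLE below is constructed, not a real schema dump.
"""

# searchFlags bit names (MS-ADTS); only these low bits are decoded here.
SEARCH_FLAG_BITS = {
    0x001: "INDEX",
    0x002: "CONTAINER_INDEX",
    0x004: "ANR",
    0x008: "PRESERVE_ON_DELETE",
    0x010: "COPY",
    0x020: "TUPLE_INDEX",
    0x040: "SUBTREE_INDEX",
    0x080: "CONFIDENTIAL",
    0x100: "NEVER_VALUE_AUDIT",
    0x200: "RODC_FILTERED",
}
PRESERVE_ON_DELETE = 0x8
# LDAP_MATCHING_RULE_BIT_AND: matches when (attribute & value) == value.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample (lDAPDisplayName -> searchFlags).  The values are
# illustrative only; read your own schema partition for the real ones.
SCHEMA_SAMPLE = {
    "sAMAccountName": 0x1 | 0x8,
    "objectSid": 0x1 | 0x8,
    "legacyExchangeDN": 0x8,
    "userAccountControl": 0x8,
    "description": 0x0,
    "department": 0x1,
    "employeeID": 0x8 | 0x80,
}


def decode_search_flags(value):
    """Names of the bits set in a searchFlags value, lowest bit first."""
    return [name for bit, name in sorted(SEARCH_FLAG_BITS.items()) if value & bit]


def preserved_filter(extra_bits=0):
    """LDAP filter for the schema partition selecting attributes whose
    searchFlags include preserve-on-delete (plus any extra bits)."""
    want = PRESERVE_ON_DELETE | extra_bits
    return "(&(objectClass=attributeSchema)(searchFlags:%s:=%d))" % (BIT_AND_RULE, want)


def matches_bit_and(value, want):
    """Offline evaluation of the bitwise-AND matching rule."""
    return (value & want) == want


def tombstone_preserved(schema, extra_bits=0):
    """lDAPDisplayNames whose searchFlags would match preserved_filter()."""
    want = PRESERVE_ON_DELETE | extra_bits
    return sorted(name for name, flags in schema.items() if matches_bit_and(flags, want))


def with_preserve_on_delete(value):
    """searchFlags after turning preservation on (idempotent); this is the
    schema change that makes a tombstone keep more than the default set."""
    return value | PRESERVE_ON_DELETE


if __name__ == "__main__":
    print(preserved_filter())
    for name in tombstone_preserved(SCHEMA_SAMPLE):
        print("%-20s %s" % (name, ", ".join(decode_search_flags(SCHEMA_SAMPLE[name]))))
```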


Re: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-23 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Depends on the data. These days with identity theft rampant... 
anything with a PII element would be on a desktop over my dead body.


Software suppliers also tell me to run as admin and these days we need 
to push strongly back on that as well.


Access works for a 'small' multi user app.. and I do mean small.

Dave Wade wrote:

Joe,
 
 We all agree on that, however we are pretty much stuck with the 
apps in question "as-is" as the software is supplied "from above" 
(e.g. the stuff from www.ncer.org ). These days I 
copy the database onto a user's PC and they run the reports and 
analysis locally, as that's what the software supplier tells them to 
do, and the users are happy with that.
 
Dave.



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *joe

*Sent:* 23 May 2006 04:38
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] [OT] RAID 5 Best Practice

Access is crap to use for a multiuser app. Don't discount the fact 
that the perf could be simply related to that.
 
--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Dave Wade

*Sent:* Thursday, May 18, 2006 7:08 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] [OT] RAID 5 Best Practice

It's the one thing that seems to give us performance issues. Last time I investigated things running slow, the client was quiet (low CPU, short disk queue, minimal paging), the network was quiet, yet response was slow. Conclusion was that the server was somehow the bottleneck. I must admit I didn't do much work on investigation. I think they should use an appropriate tool such as MSDE (only a few users) but the program is provided by central government, so we are stuck with it. I wonder if it was just running at the same time as backups perhaps...


-Original Message-
*From:* [EMAIL PROTECTED] on behalf of Brian Desmond
*Sent:* Thu 18/05/2006 23:34
*To:* ActiveDir@mail.activedir.org
*Cc:*
*Subject:* RE: [ActiveDir] [OT] RAID 5 Best Practice

Access database will likely get cached on the client in memory, in
any case it’d be all read ops. Access doesn’t cache report output.

 


Thanks,
Brian Desmond

[EMAIL PROTECTED] 

 


c - 312.731.3132

 

 




*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Dave Wade
*Sent:* Thursday, May 18, 2006 6:22 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] [OT] RAID 5 Best Practice

 



For file sharing, I would consider 0+1 but 5 would be more likely since you probably want/need the space more than the speed. File sharing doesn't really beat the disks up relative to a busy DC even in large multi-thousand user file servers I have seen.

 


What about when some idiot user sets up an Access database on one
and runs "inappropriate" reports against it.. 

 

 

 


It is why most normal server admins really have no clue what to look for in terms of IO load on servers but any Exchange Admin worth anything is looking at that right away in a problem situation and able to quote IOPS stats off the top of their head and know what they can get from the underlying disk subsystem. Exchange disk configs are critical.

**

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act.

If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system.

Thank you.

http://www.stockport.gov.uk

**


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] IIS 6

2006-05-23 Thread James Eaton-Lee
On Tue, 2006-05-23 at 10:59 +1000, Ken Schaefer wrote:
> :  -Original Message-
> :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
> :  [EMAIL PROTECTED] On Behalf Of Za Vue
> :  Sent: Tuesday, 23 May 2006 10:54 AM
> :  To: ActiveDir@mail.activedir.org
> :  Subject: [ActiveDir] IIS 6
> :  
> :  I have a web server running IIS6 hosting 3 websites-using host header.
> :  How can I access the individual URL using IP?
> :  
> :  -Z.V.
> 
> http://10.10.10.10/yourURL.htm
> 
> If you wish to be able to access all three websites, you will either need to
> have three IP addresses -or- run the websites on three different ports (80,
> 81, 82 etc).

Or he could edit the hosts file, and then since the host will be sent in
the request to the webserver he'll be given content from the appropriate
virtual host...

 - James.

-- 
  James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
  Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)

sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
   ca: https://www.cacert.org/index.php?id=3


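Name-based virtual hosting as the two replies describe it, shown end to end as an added example (this is not code from the thread or from IIS): a small loopback HTTP server picks a site by the Host header, and a client connects by IP but sets that header explicitly, which is exactly what a hosts-file entry makes a browser do. The site names, the page contents and the handler are constructed for the demo; a request carrying only the IP in Host matches no binding and is answered with 404.

```python
"""Name-based virtual hosting, demonstrated end to end.

Added example, not from the list thread or from IIS. It stands in for a
web server that hosts several sites on one IP and tells them apart by
the HTTP Host header. Site names and contents are constructed.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed: three sites bound to one IP, distinguished only by host header.
SITES = {
    "www.site-a.example": b"site A",
    "www.site-b.example": b"site B",
    "www.site-c.example": b"site C",
}
DEFAULT_SITE = None  # no catch-all binding: an unmatched Host header gets 404


def select_site(host_header, sites=SITES, default=DEFAULT_SITE):
    """Pick a site by Host header, ignoring any :port suffix and case."""
    name = (host_header or "").split(":", 1)[0].strip().lower()
    return sites.get(name, default)


class HostHeaderHandler(BaseHTTPRequestHandler):
    """Routes GET requests to a site purely on the Host header."""

    def do_GET(self):
        body = select_site(self.headers.get("Host"))
        if body is None:
            self.send_error(404, "No site bound to that host header")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch_by_ip(ip, port, host_header, path="/"):
    """Connect by IP address but send an explicit Host header.

    A hosts-file entry achieves the same thing in a browser: the name
    resolves to the IP, and the name still goes into the Host header."""
    conn = HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def run_demo():
    """Serve on loopback, fetch each site by IP, then try a bare-IP Host."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), HostHeaderHandler)
    ip, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = {name: fetch_by_ip(ip, port, name) for name in SITES}
        # Only the IP in Host: no site binding matches, so 404 comes back.
        results["bare-ip"] = fetch_by_ip(ip, port, f"{ip}:{port}")
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for key, (status, body) in run_demo().items():
        print(f"{key:22} -> {status} {body!r}")
```

The server side is what IIS does with host-header bindings; the client side is the whole trick behind the hosts-file suggestion. Note that the port in the Host header is stripped before matching, so the same binding works whether the client reaches the box on port 80 or an alternative port.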


RE: [ActiveDir] Removing ADAM from configuration set

2006-05-23 Thread Bernier, Brandon \(.\)



My lab has changed a bit but the error remains the same. I have two servers running ADAM SP1 and one that isn't ADAM SP1, all in the same configuration set. The one that isn't ADAM SP1 allows me to use DSMGMT to remove any server from the configuration set. The SP1 boxes throw this error when I try to remove a server via DSMGMT --> metadata cleanup.

DsRemoveDsServerW error 0x57 (The parameter is incorrect.)
 
 
-Brandon



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 23, 2006 12:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Removing ADAM from configuration set

Define "it doesn't work".

Also go chat with Snyder, he had a fun little tool called Whack-A-DC that was used for the lifeboats that you may be able to modify for this.

But yes, the ADAM tools aren't all polished yet, and may not be polished later. The idea behind ADAM was providing an LDAP directory for developers, not for Admins, or at least that is my opinion on the matter.
 
  joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Wednesday, May 17, 2006 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Removing ADAM from configuration set

I'm currently blowing away the server object and nTDSDSA object I wish to separate from CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN=GUID. Is there a better way to knock it out of the configuration set? I tried using DSMGMT.exe and treating it as a Decommed/Dead server and cleaning up Metadata, but it doesn't work (the separated instance is offline). Some of these ADAM tools need some polishing up IMO.

The reason I'm breaking it out is so when we do schema extensions if shit hits the fan we can uninstall ADAM on the other boxes and rejoin to this guy with minimal effort.

-Brandon


RE: [ActiveDir] Group audit

2006-05-23 Thread Wyatt, David



Good point!  Thanks.
 

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: 23 May 2006 5:15
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Group audit

  I would set the output up for csv output (see -csv) which will make things easier to parse out. Once parsed you should be able to drive the modifications pretty easily.
   
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
  Sent: Friday, May 19, 2006 5:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Group audit

  Thanks Joe.  I have now used your great adfind tool to find what I'm looking for.  Now have one more question on how to use the output.
   
  This is a sample output:
   
  dn:CN=Group1,OU=Groups,OU=Production,DC=help,DC=com
   
  
  dn:CN=Group5,OU=Groups,OU=Production,DC=help,DC=com
  >member: CN=Group10,OU=Groups,OU=Production,DC=help,DC=com
   
  Now what I need to do is create a script from this that ignores the groups with no members, i.e. line one, but adds the member(s) of a group to the group above, i.e. add Group10 to Group5.

  Now you're probably wondering why I want to do this when the group is already a member, but I want to run this in a separate AD network where all groups are present but no membership information is present.

  Is this possible?
   
  thanks
  David
   
   
  

 
 -Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 May 2006 23:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group audit

Yeah, this is going to have to be a script or custom code.

You have the option of using ADSI and enumerating each of the groups and chasing the properties of each group or writing something that calls out to a tool that uses ASQ queries (assumes K3 AD) which would be a world of difference faster.
 
So the ADSI algorithm would be

Get group name
bind to group
loop through group members
    is member a group
        yes, then is it a global group
            yes, print it out
            no skip
        no skip
    no skip
next group
Go back to start

for using ADSI

get group name
ASQ query against group's member attribute asking for all global group members
print members
go back to start
 
 
For an example of an ASQ Query in action

I have a group called HP-OVE-GROUP

Z:\>adfind -b "CN=HP-OVE-GROUP,CN=Users,DC=joe,DC=com" member grouptype -samdc

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=HP-OVE-GROUP,CN=Users,DC=joe,DC=com
>member: CN=HP-OVE-User,CN=Users,DC=joe,DC=com
>member: CN=Domain Admins,CN=Users,DC=joe,DC=com
>groupType: -2147483646 [GLOBAL(2);SECURITY(2147483648)]

1 Objects returned
 
 
 
As you can see there is one obvious global group listed. There are only 2 members so this would be fairly quick in ADSI as well but nowhere near as quick as ASQ because there will only be one query and roundtrip to/from the DC...
 
So I do an ASQ query against the group

Z:\>adfind -b "CN=HP-OVE-GROUP,CN=Users,DC=joe,DC=com" -asq member -f grouptype=-2147483646 name grouptype -samdc

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=Domain Admins,CN=Users,DC=joe,DC=com
>name: Domain Admins
>groupType: -2147483646 [GLOBAL(2);SECURITY(2147483648)]

1 Objects returned
 
 
  joe
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Thursday, May 18, 2006 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group audit

Hi
 
I have a text file holding a list of approx 400 global groups such as:
 
Group1
Group2
Group3
Group4
etc
 
I need to query the membership to find out which of the above global groups have other global groups as members and then to list the group names, output example:
 

Group1
    Group10
Group2
    Group12
    Group14
Group3
Group4
 
 
Any ideas?
 
Regards
David

This message contains confi
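The two asks in this thread, David's (parse the adfind output, skip memberless groups, replay the memberships into a second directory) and joe's ASQ filter for nested global groups, worked through offline in Python as an added example; this is not code from the thread, from adfind or from the O'Reilly book. It assumes only the record layout visible in the quoted output: a dn: line opens a record, each value follows on its own line prefixed with >, and a blank line ends the record. The sample output below is constructed after the Group1/Group5/Group10 lines David posted (the Alice user and dc01.help.com are made up), and the groupType flag names beyond GLOBAL and SECURITY are the standard AD schema bit names, not something the thread shows.

```python
"""Turn adfind group output into membership work items.

Added example, not from the thread, from adfind or from the O'Reilly
book. It relies only on adfind's default record layout as quoted in
the thread: 'dn:' opens a record, '>attr: value' lines carry one value
each, a blank line closes the record. The sample text is constructed.
"""
from collections import defaultdict

SAMPLE_ADFIND_OUTPUT = """\
AdFind (constructed sample banner)

Using server: dc01.help.com:389
Directory: Windows Server 2003

dn:CN=Group1,OU=Groups,OU=Production,DC=help,DC=com
>groupType: -2147483646

dn:CN=Group5,OU=Groups,OU=Production,DC=help,DC=com
>member: CN=Group10,OU=Groups,OU=Production,DC=help,DC=com
>member: CN=Alice,OU=Users,OU=Production,DC=help,DC=com
>groupType: -2147483646

dn:CN=Group10,OU=Groups,OU=Production,DC=help,DC=com
>groupType: -2147483646

dn:CN=Alice,OU=Users,OU=Production,DC=help,DC=com
>objectClass: user

4 Objects returned
"""

# groupType bit flags from the AD schema. adfind's -samdc decoding in the
# thread shows the two that matter here: GLOBAL(2) and SECURITY(2147483648).
GROUP_TYPE_FLAGS = {
    0x00000001: "BUILTIN_LOCAL",
    0x00000002: "GLOBAL",
    0x00000004: "DOMAIN_LOCAL",
    0x00000008: "UNIVERSAL",
    0x80000000: "SECURITY",
}


def parse_adfind(text):
    """Return [(dn, {attr: [values]})] in output order.

    Banner and summary lines are ignored: they neither start a record
    nor carry the '>' attribute prefix."""
    records, attrs = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("dn:"):
            attrs = defaultdict(list)
            records.append((line[3:].strip(), attrs))
        elif line.startswith(">") and attrs is not None:
            name, _, value = line[1:].partition(":")
            attrs[name.strip()].append(value.strip())
        elif not line:
            attrs = None  # blank line closes the current record
    return [(dn, dict(a)) for dn, a in records]


def decode_group_type(value):
    """Map adfind's signed decimal groupType to flag names."""
    bits = int(value) & 0xFFFFFFFF  # -2147483646 -> 0x80000002
    return sorted(name for bit, name in GROUP_TYPE_FLAGS.items() if bits & bit)


def membership_pairs(records):
    """(group, member) for every member value; memberless groups fall out."""
    return [(dn, m) for dn, attrs in records for m in attrs.get("member", [])]


def nested_global_groups(records):
    """Groups whose members include other global groups (the audit question).

    Member DNs are resolved against records in the same output, so the
    query must have returned the member objects too. DN matching is
    case-insensitive, as it is in AD."""
    by_dn = {dn.lower(): attrs for dn, attrs in records}
    found = {}
    for dn, attrs in records:
        nested = [m for m in attrs.get("member", [])
                  if "GLOBAL" in decode_group_type(
                      by_dn.get(m.lower(), {}).get("groupType", ["0"])[0])]
        if nested:
            found[dn] = nested
    return found


def to_ldif(pairs):
    """LDIF 'changetype: modify / add: member' entries, one per group,
    for replaying the membership into the second directory with an LDIF
    import tool."""
    per_group = defaultdict(list)
    for group, member in pairs:
        per_group[group].append(member)
    entries = []
    for group, members in per_group.items():
        entries.append(f"dn: {group}\nchangetype: modify\nadd: member\n"
                       + "".join(f"member: {m}\n" for m in members) + "-\n")
    return "\n".join(entries)


if __name__ == "__main__":
    recs = parse_adfind(SAMPLE_ADFIND_OUTPUT)
    print(nested_global_groups(recs))
    print(to_ldif(membership_pairs(recs)))
```

Two points worth noting from the design: the groupType value adfind prints is a signed 32-bit decimal, so it has to be masked before testing bits, and resolving whether a member is itself a global group requires the member objects to be in the same output (or a second query against them), which is exactly the round trip the ASQ query in joe's example avoids by filtering on the server.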

RE: [ActiveDir] [OT] Service ChangeConf

2006-05-23 Thread Wyatt, David



This may be overkill but you could use a GPO to do this.  You can configure service permissions, one of which is:

Change Template - Change the configuration of a service. This permission is required so that the user can change the startup type.
 
 
-David 
 
 -Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: 22 May 2006 21:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Service ChangeConf

  Is there another way to delegate the startup type of a service besides using CC (ChangeConf), this would be fine but it also gives whomever has access to change the service context to localsystem.

  -Brandon


This message contains confidential information and is intended only 
for the individual or entity named.  If you are not the named addressee
you should not disseminate, distribute or copy this e-mail.  
Please notify the sender immediately by e-mail if you have received 
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of this 
message which arise as a result of e-mail transmission.  
If verification is required please request a hard-copy version.
This message is provided for informational purposes and should not
be construed as an invitation or offer to buy or sell any securities or
related financial instruments.
GAM operates in many jurisdictions and is 
regulated or licensed in those jurisdictions as required.





RE: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-23 Thread Dave Wade



Joe,

We'll all agree on that, however we are pretty much stuck with the apps in question "as-is" as the software is supplied "from above" (e.g. the stuff from www.ncer.org). These days I copy the database onto a user's PC and they run the reports and analysis locally, as that's what the software supplier tells them to do, and the users are happy with that.

Dave.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 23 May 2006 04:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice

Access is crap to use for a multiuser app. Don't discount the fact that the perf could be simply related to that.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 18, 2006 7:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice

It's the one thing that seems to give us performance issues. Last time I investigated things running slow, the client was quiet (low CPU, short disk queue, minimal paging), the network was quiet, yet response was slow. Conclusion was that the server was somehow the bottleneck. I must admit I didn't do much work on investigation. I think they should use an appropriate tool such as MSDE (only a few users) but the program is provided by central government, so we are stuck with it. I wonder if it was just running at the same time as backups perhaps...

  -Original Message-
  From: [EMAIL PROTECTED] on behalf of Brian Desmond
  Sent: Thu 18/05/2006 23:34
  To: ActiveDir@mail.activedir.org
  Cc:
  Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice
  
  Access database will likely get cached on the client in memory, in any case it’d be all read ops. Access doesn’t cache report output.
   
  
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132
   
   
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
  Sent: Thursday, May 18, 2006 6:22 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice
   
  
  For file sharing, I would consider 0+1 but 5 would be more likely since you probably want/need the space more than the speed. File sharing doesn't really beat the disks up relative to a busy DC even in large multi-thousand user file servers I have seen.
  
   
  
  What about when some idiot user sets up an Access database on one and runs "inappropriate" reports against it..
  
   
  
   
  
   
  
  It is why most normal server admins really have no clue what to look for in terms of IO load on servers but any Exchange Admin worth anything is looking at that right away in a problem situation and able to quote IOPS stats off the top of their head and know what they can get from the underlying disk subsystem. Exchange disk configs are critical.
  


Re: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-23 Thread ChuckGaff



Exchange ideally should be run on RAID 1+0 if at all possible, even if it 
starts off with 4 disks although more is better and a SAN is preferable.  
Get the Exchange guides from the MS Technet site and start reading ...
 
Good luck,
 
Chuck