RE: [ActiveDir] AD lag sites and replication
Thanks Mark. I'll take a look at that option... As to why I feel this may be an issue - let's just say I work in a company that has 4 autonomous infras today, which are all coming together soon under one new infra. [I'm the poor sucker tasked with designing this new infra as well as the new support model and policies and procedures etc etc!] There will be a number of service admins across the globe, most of which I have no jurisdiction over, as of today. The level of trust between the 4 'areas' will likely grow in time, but initially we need to have a very strong degree of control and monitoring within the env so as to ensure that admins are doing what they are supposed to do and also that they are not impacting other areas. [To that end, I'm evaluating various tools in spaces such as GPO, security monitoring and suchlike.] I know this all sounds as though we need to stick with multi forests until we have better collaboration and trust in place, but it's never that easy since politics is mixed in with technical arguments. The project described above is being used as a guinea pig or sounding board too. If we succeed, then we'll be used as an example for future global projects within the firm [no pressure then!]

Thanks to all for the great feedback.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 30 May 2006 16:17
To: ActiveDir.org
Subject: Re: [ActiveDir] AD lag sites and replication

Neil,

You could always hack the replication epoch values - but then again..

M

-----Original Message-----
From: Dave Wade [EMAIL PROTECTED]
Date: Tue, 30 May 2006 14:36:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Al,

Sorry, I misread it. I thought it was just controlling bandwidth, but now I look it's specific lag. However I still think that this could be dangerous and cause more problems than it solves.

Dave.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 30 May 2006 13:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD lag sites and replication

I think that's the point, isn't it? To be able to have a site that lags the rest of them for replication changes? :)

FWIW, there is no way that I'm aware of to prevent an admin from triggering replication, in the sense that an admin could override any changes you make that would otherwise stop them from triggering the replication. While you may counter that you're just trying to prevent the admin from doing something easily, i.e. make them work to override the change, I read into this that you want to absolutely prevent them from triggering replication. For that, you need to look outside the system they have rights on, or else change them from DA to OU admin. The other alternative is to trust them not to make that change without knowing what they're doing. An easy argument is that anyone with DA should be able to be trusted that far, but reality often differs from desire. Admins, by design, have rights to the system. As such, they have rights to make those changes that allow them to, well, make changes.

Al

On 5/30/06, Dave Wade [EMAIL PROTECTED] wrote:

Neil,

1) If you start setting firewall rules then I am pretty sure you will break things as you will block urgent replication. What happens if someone changes their password and then goes to the home site? What about group membership changes? Do you really want to wait two days before you update these?

2) I don't think that normal admins can trigger unscheduled replication changes. Certainly I am a Domain Admin and I can't trigger replication changes on our infrastructure, but it is Windows 2000.

3) IMHO you would be better worrying about getting things to replicate when they are supposed to rather than things replicating when they shouldn't.

Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 11:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Hi Neil,

I'd still go for a firewall with scheduled rules. IMHO there's no such thing as locked down replication schedules - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag site's DC.

Greetings - Sincerely,
Ulf B. Simon-Weidner

Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL
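The thread above argues about whether a lag site's schedule can be relied on at all. Before that argument is worth having, it helps to know what lag the site link schedule actually enforces, which means decoding it rather than trusting the Sites and Services UI. The following Python is an added example, not code from any of the posters. It assumes the siteLink `schedule` attribute layout (a 20-byte header of little-endian DWORDs Size, Bandwidth, NumberOfSchedules, Type, Offset, then 168 bytes, one per hour of the week from Sunday 00:00 UTC, whose low four bits mark the four 15-minute slots), the documented `options` bits (0x1 USE_NOTIFY, 0x2 TWOWAY_SYNC, 0x4 DISABLE_COMPRESSION), and a simple model of when a pull can start: the first slot of each open window and then every `replInterval` minutes while the window stays open. The schedule blob at the bottom is constructed test data, a link open only on Sunday 02:00-03:00 UTC.

```python
"""Decode an AD siteLink 'schedule' blob and estimate the lag it enforces.

Added example for the lag-site thread; not code from the list. Layout,
options bits and the replication-opportunity model are assumptions
stated in the lead-in.
"""
import struct

HEADER = struct.Struct("<IIIII")   # Size, Bandwidth, NumberOfSchedules, Type, Offset
HOURS_PER_WEEK = 7 * 24
SLOTS_PER_WEEK = HOURS_PER_WEEK * 4
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

OPT_USE_NOTIFY = 0x1               # change notification across the link
OPT_TWOWAY_SYNC = 0x2
OPT_DISABLE_COMPRESSION = 0x4


def parse_schedule(blob: bytes) -> list:
    """Return 672 booleans (Sun 00:00 .. Sat 23:45 UTC), True where the link is open."""
    if len(blob) < HEADER.size:
        raise ValueError("schedule blob shorter than its header")
    _size, _bandwidth, count, stype, offset = HEADER.unpack_from(blob, 0)
    if count != 1 or stype != 0 or offset + HOURS_PER_WEEK > len(blob):
        raise ValueError("not a single interval-type schedule")
    slots = []
    for hour_byte in blob[offset:offset + HOURS_PER_WEEK]:
        for quarter in range(4):                   # bit 0 = :00, bit 1 = :15, ...
            slots.append(bool(hour_byte & (1 << quarter)))
    return slots


def build_schedule(open_slots) -> bytes:
    """Inverse of parse_schedule: 672 booleans -> blob (handy for test data)."""
    hours = bytearray(HOURS_PER_WEEK)
    for i, is_open in enumerate(open_slots):
        if is_open:
            hours[i // 4] |= 1 << (i % 4)
    return HEADER.pack(HEADER.size + HOURS_PER_WEEK, 0, 1, 0, HEADER.size) + bytes(hours)


def _hhmm(slot: int) -> str:
    minutes = (slot % 96) * 15
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def windows(slots) -> list:
    """Open windows as 'Sun 02:00-03:00' strings."""
    out, start = [], None
    for i, is_open in enumerate(list(slots) + [False]):   # sentinel closes a trailing window
        if is_open and start is None:
            start = i
        elif not is_open and start is not None:
            out.append(f"{DAYS[start // 96]} {_hhmm(start)}-{_hhmm(i)}")
            start = None
    return out


def replication_opportunities(slots, repl_interval_min: int) -> list:
    """Slot indexes at which a pull can start (model described in the lead-in)."""
    if repl_interval_min < 15 or repl_interval_min % 15:
        raise ValueError("replInterval is a multiple of 15 minutes")
    opps, window_start = [], None
    for i, is_open in enumerate(slots):
        if not is_open:
            window_start = None
            continue
        if window_start is None:
            window_start = i
        if ((i - window_start) * 15) % repl_interval_min == 0:
            opps.append(i)
    return opps


def max_gap_hours(slots, repl_interval_min: int) -> float:
    """Worst-case wait between two replication opportunities, wrapping the week."""
    opps = replication_opportunities(slots, repl_interval_min)
    if not opps:
        return float("inf")
    gaps = [b - a for a, b in zip(opps, opps[1:])]
    gaps.append(SLOTS_PER_WEEK - opps[-1] + opps[0])      # Saturday night -> Sunday
    return max(gaps) * 15 / 60


def describe_options(options: int) -> list:
    names = []
    for bit, name in ((OPT_USE_NOTIFY, "USE_NOTIFY"), (OPT_TWOWAY_SYNC, "TWOWAY_SYNC"),
                      (OPT_DISABLE_COMPRESSION, "DISABLE_COMPRESSION")):
        if options & bit:
            names.append(name)
    return names


def lag_report(blob: bytes, repl_interval_min: int, options: int) -> dict:
    """What the schedule guarantees, plus the settings that undermine it."""
    slots = parse_schedule(blob)
    warnings = []
    if options & OPT_USE_NOTIFY:
        warnings.append("USE_NOTIFY set: partners are told about changes as they "
                        "happen, so the schedule is not your lag guarantee")
    if not any(slots):
        warnings.append("schedule never opens: the link will not replicate at all")
    return {"windows": windows(slots),
            "max_gap_hours": max_gap_hours(slots, repl_interval_min),
            "options": describe_options(options),
            "warnings": warnings}


# Constructed test data: a link open only Sunday 02:00-03:00 UTC (slots 8..11).
LAG_SLOTS = [False] * SLOTS_PER_WEEK
for _slot in range(8, 12):
    LAG_SLOTS[_slot] = True
LAG_SCHEDULE = build_schedule(LAG_SLOTS)
```

To run it against a real link, pull the raw bytes with `Get-ADObject -Filter 'objectClass -eq "siteLink"' -SearchBase "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)" -Properties schedule,options,replInterval` and pass `bytes(...)` of the `schedule` value to `lag_report`. With the constructed schedule and a 180-minute `replInterval` the report says the worst-case gap is 168 hours; with the same interval on an always-open link it is 3 hours. Note what the report cannot tell you, which is Al's and Ulf's point: the number is the lag the schedule imposes on the KCC, not an upper bound on what someone with `repadmin /syncall` and rights on the DC can do.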
Re: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains
I have made some progress and I think that this query should work:

((( (mailnickname=*) (| ((objectCategory=person)(objectClass=user)(! (homeMDB=*))(!(msExchHomeServerName=*)))((objectCategory=person) (objectClass=user)(msExchHomeServerName=*/cn=AA*))( (objectCategory=person)(objectClass=contact)) (objectCategory=publicFolder))((objectCategory=group) ([EMAIL PROTECTED] email address

Unfortunately I cannot paste this query in the LDAP query field on the Advanced tab of the screen I get in when I click properties of the address list. It seems I can only put a certain number of characters in there.

----- Original message -----
From: [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 9:55 am
Subject: Re: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

Good idea, but I think I am doing something wrong. It is not a matter of the AL being displayed differently by the RUS on the one hand or the AL preview button on the other hand (at least in the case of this company it isn't :-). The only thing I am looking at is the list which is displayed when clicking the AL preview button. When I put the query described beneath in the address list in ESM and I click the preview button, a list is displayed which also contains mail-enabled groups from the other child domains. I cannot seem to get the query right to not display those groups. It looks like this problem is more difficult than I thought it would be. Still working on it.

----- Original message -----
From: joe [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 1:59 am
Subject: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

First off, the test AL button in the ESM doesn't build the AL the same way that the RUS does. The RUS does not issue an LDAP query to build the AL; it looks at every object that is detected as changed (or at every object if forced to rebuild) via USN change tracking and manually compares it to the AL LDAP filter. This means that bugs in either mechanism could result in different lists being built, so basically, don't trust what ESM says the AL will have as members, it is pretty worthless. Set the filter and let the AL build the list.

Because of how this is all implemented, there is no domain affinity for the building of the ALs. This means you need to focus on something else. I would not focus on the email addresses since those are also being set/modified by the RUS; you want to use something else. This could be a specific special attribute you set on the objects that allows you to categorize them, or add the users/groups to special groups that indicate what domain they are in and add a memberof=somegroupdn component to the filter.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of victor-[EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

I am in an organisation whose Active Directory consists of a parent root domain and 4 child domains. Each child domain has its own address list in Exchange. It is one Exchange organisation with 1 Administrative Group. Let's call these domains A, B, C, and D. When looking at each of these lists I see the following:

- Users with Exchange mailbox
- Users with an External e-mail address
- Groups
- Contacts
- Public Folders

The thing I don't want to see, but which I cannot seem to get rid of, is that I see (mail-enabled) groups from other child domains in the address lists. Each child domain has several Exchange servers whose names start with AA or BB or CC or DD, depending on the child domain for which they are serving. For instance the Exchange servers in child domain A all start with AA. That is why I based the query on AA* for the A child domain.

For child domain A the query looks like this:

((( (mailnickname=*) (| ((objectCategory=person)(objectClass=user) (!(homeMDB=*))(!(msExchHomeServerName=*)))((objectCategory=person) (objectClass=user)(msExchHomeServerName=*/cn=AA*))( (objectCategory=person)(objectClass=contact))(objectCategory=group) (objectCategory=publicFolder)

What I would like to do is create an Exchange address list without groups from other child domains in it. The strange thing is that when I build a query which consists of groups based on the emailaddress/proxyaddress of that specific child domain, the query gives an output of exactly those groups which are in that child domain, so far so good. When I then add all users with an emailaddress/proxyaddress to that same query (I do this all from within ESM, right click
Re: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains
Emm, it seems I just found it, might be useful for anybody who didn't already know it (probably just me):

http://support.microsoft.com/default.aspx?scid=kb;en-us;312299

----- Original message -----
From: [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 10:33 am
Subject: Re: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains
[ActiveDir] Restricted Groups
Hi,

I am thinking of making all the builtin groups apart from the Administrators group part of the Restricted Groups function. I don't want any user to add themselves to the Account, Backup, Server, Print Operators group for any length of time. Or does anyone know of a simpler way to achieve this?

Regards,
James
Re: [ActiveDir] Restricted Groups
Sorry, I should clarify: by User I mean an IT Helpdesk Account Creator. Single domain, Windows 2003 FFL. I have delegated rights to various Security Groups for privileges in the domain.

James

James Carter [EMAIL PROTECTED] wrote:
[ActiveDir] Group Policy Query:
The Brains Trust,

I have a terminal server which, when users log on, gives them a very restrictive view of the world; this is done via a GPO. I have another company with which we have an external trust wanting to log onto the terminal server to access specialist applications. I have created a Domain Local Security Group and put their members in there and set the appropriate permissions, and they are now able to log in; however they do not get the "restrictive view of the world". This is not a security policy so I can't use secedit.exe and the appropriate switches to roll the policy via "startup". Is there any way to easily apply the appropriate settings? These settings affect the User Configuration - Administrative Templates settings. I know I can create a user account on our domain for them and add them to the appropriate groups and get them to log in with those credentials, but the number of these staff requiring the software is increasing and I am trying to decrease our admin requirement.

Thanking you all in advance.

James
Re: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains
Okay, I have been working on getting this query right for an hour now, tried several combinations, but I believe it is not all that easy to build an LDAP query; things like parentheses and ampersands... they are driving me mad right now ;-)

I have now created 2 separate address lists in Exchange because I cannot seem to create one query to output the complete result I want. I have now composed 2 separate queries which give me exactly the output that I want, BUT only separately. When I join these queries together I get a query which doesn't work or doesn't give me the output that I want. These are the queries:

query 1:
((( (mailnickname=*) (| ((objectCategory=person)(objectClass=user)(! (homeMDB=*))(!(msExchHomeServerName=*)))((objectCategory=person) (objectClass=user)(msExchHomeServerName=*/cn=AA*))( (objectCategory=person)(objectClass=contact))

query 2:
((objectCategory=group)(proxyAddresses=*a.mydomain.com))

- AA are the first letters of the server names for that child domain.
- a in a.mydomain.com is the name of my child domain.

Both these queries are working but I cannot seem to make one query out of them. I guess the query I want to create should have some sort of AND in it because I want the results of both queries together in one query. Does anybody have any idea how to create one working query out of these two?

----- Original message -----
From: [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 11:27 am
Subject: Re: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains
RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains
Victor,

There is a great little editor called Notepad2 that pairs up parentheses and makes this type of work much easier. http://www.flos-freeware.ch/

I copied your earlier query string into Notepad2 and see that the parentheses did not balance out.

Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-5 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )
IP Phone (VOIP): Jerry_Welch ( www.voipstunt.com )
VOIP to Landline: callto:+1-703-827-0919

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 31, 2006 7:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains
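Victor's two queries and Jerry's unbalanced-parentheses diagnosis are the same problem seen from two sides: an RFC 4515 filter is a fully parenthesised tree, and one missing `)` or a dropped `&` turns it into something ESM either rejects or matches differently from what was intended. The following Python is an added example, not code from anyone on the list: a small recursive-descent parser that reports the offset at which a filter stops making sense, and a `combine` helper that joins already-valid filters under `&` or `|`. Victor asks for the results of both queries together, which is a union, so the worked call uses `|`. `QUERY1` and `QUERY2` are reconstructions of his two queries with the `&` operators restored (an assumption: the archive rendering dropped them); `AA` and `a.mydomain.com` are the placeholders from the thread, and `BROKEN` is a constructed copy of query 2 with its last `)` missing.

```python
"""Parse, check and combine RFC 4515 LDAP search filters.

Added example for the address-list thread; not code from the list.
QUERY1/QUERY2 reconstruct Victor's queries with '&' restored (assumption).
"""
import re
from dataclasses import dataclass, field


class FilterError(ValueError):
    """Carries the offset at which a filter stops making sense."""


@dataclass
class Node:
    op: str                        # '&', '|', '!' or 'item'
    children: list = field(default_factory=list)
    item: str = ""                 # 'attr=value' text of a leaf


def normalize(text: str) -> str:
    """Drop whitespace that mail clients insert at line wraps.

    Only whitespace touching a parenthesis goes, so (cn=Jerry Welch) keeps its space.
    """
    return re.sub(r"\s*([()])\s*", r"\1", text.strip())


def parse_filter(text: str) -> Node:
    s = normalize(text)
    pos, node = _parse(s, 0)
    if pos != len(s):
        raise FilterError(f"text after the filter at offset {pos}: {s[pos:pos + 20]!r}")
    return node


def _parse(s: str, i: int):
    """Parse one '(...)' starting at s[i]; return (index after it, Node)."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("filter ends right after '('")
    c = s[i]
    if c in "&|":                                  # and / or: one or more operands
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterError(f"'{c}' at offset {i - 1} has no operands")
        node = Node(c, children)
    elif c == "!":                                 # not: exactly one operand
        i, child = _parse(s, i + 1)
        node = Node("!", [child])
    else:                                          # attr=value item
        end = s.find(")", i)
        if end == -1:
            raise FilterError(f"item at offset {i} is never closed")
        item = s[i:end]
        if "=" not in item or "(" in item:
            raise FilterError(f"malformed item {item!r} at offset {i} "
                              "(missing '=', or an '&'/'|' operator dropped?)")
        node = Node("item", item=item)
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}: parentheses do not balance")
    return i + 1, node


def to_string(node: Node) -> str:
    """Serialize back to a canonical, whitespace-free filter."""
    if node.op == "item":
        return f"({node.item})"
    return "(" + node.op + "".join(to_string(c) for c in node.children) + ")"


def check(text: str):
    """None if the filter parses, else the error message."""
    try:
        parse_filter(text)
    except FilterError as exc:
        return str(exc)
    return None


def combine(op: str, *filters: str) -> str:
    """Join already-valid filters under one '&' or '|'.

    Each operand is parsed on its own first, so a broken operand is reported
    by itself instead of as a baffling error somewhere in the joined string.
    """
    if op not in ("&", "|"):
        raise ValueError("op must be '&' or '|'")
    return to_string(Node(op, [parse_filter(f) for f in filters]))


# Constructed inputs. QUERY1 keeps the line wraps of a mailed query.
QUERY1 = """(&(mailnickname=*)
  (|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
    (&(objectCategory=person)(objectClass=user)(msExchHomeServerName=*/cn=AA*))
    (&(objectCategory=person)(objectClass=contact))))"""
QUERY2 = "(&(objectCategory=group)(proxyAddresses=*a.mydomain.com))"
BROKEN = "(&(objectCategory=group)(proxyAddresses=*a.mydomain.com)"   # last ')' missing

# Union of both result sets: the list Victor describes wanting.
COMBINED = combine("|", QUERY1, QUERY2)
```

Fed the query exactly as the archive shows it (`((( (mailnickname=*) (| ((objectCategory=person)...`), the parser stops at the very first item with "malformed item '(((mailnickname=*'", which is the machine-readable version of what Notepad2 showed Jerry. The parser is deliberately narrow: it validates structure, not item contents, so an extensible match such as `(attr:dn:=value)` passes through as an ordinary item, and it treats whitespace next to a parenthesis as line-wrap debris, which is right for pasted mail and wrong for the rare value that ends in a space.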
[ActiveDir] [OT] Sysprep Query
Can anybody point me in the direction of a statement as to the effects of not running sysprep? I know you have to and always do, but I'm looking for hard (read that as decent) documentation as to the effects of not running sysprep on a server. I don't like the fact that most of the infrastructure has not had this run on it.

Regards,
Mark

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Group Policy Query:
Hi James...

There are a couple of articles warning against using Domain Local groups for policies. Can you try having them put in a global group in their own domain, and adding that directly to the read and apply section of the policy? http://support.microsoft.com/kb/309172/en-us has some info.

John

Blair, James [EMAIL PROTECTED] wrote on 05/31/2006 05:08 AM:
Re: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains
Thanks for that, nice tool, it shows a lot of info. In the meantime I got the query working, finally.

Does anybody know where I can find information about how to learn LDAP? It would be nice if in the future I would not have to disturb the people with LDAP query questions :-) but be able to fix/create them myself. I first started to read this:

http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/ldapquery.mspx

Now I am working on this:

http://download.microsoft.com/download/3/d/3/3d32b0cd-581c-4574-8a27-67e89c206a54/uldap.doc

But perhaps there is even better material, especially focused on queries in AD.

----- Original message -----
From: Jerry Welch [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 1:40 pm
Subject: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains
RE: [ActiveDir] AD lag sites and replication
Return Receipt: Your "RE: [ActiveDir] AD lag sites and replication" document was received by Justin Leney/US/DCI at 05/31/2006 09:37:26 AM

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] New DC can't find the machine account
Hi, I have a Windows 2000 based AD (empty root with 1 child domain) that I'm in the process of upgrading to w2003r2 as a test for our production domain (same configuration). The adprep went fine as well as the dcpromo of the new DC. However when the new DC reboots I get the following messages in the application log:

EVENT TYPE: Error SOURCE: Userenv EVENT ID: 1097 Windows cannot find the machine account, The Local Security Authority cannot be contacted.

and

EVENT TYPE: Error SOURCE: Userenv EVENT ID: 1030 Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Neither system has these messages when they were simple servers in the domain. They were rebooted several times before becoming DCs to make sure the event logs were clean. They seem to be functioning as DCs. File replication with the original w2k dc took a long time to start up. I added a second w2k3 r2 DC and it is showing the exact same messages. Both machines were created from the same sysprep image - the machine that was built as the basis for the sysprep image was never in the domain.

I've been searching Microsoft and came up with one or two applicable docs. One said to make sure that services like netlogon were set to automatic (it is). Another had settings for enabling debug on the netlogon service which I implemented. All that I see in there is netlogon pausing. Any ideas?

al -- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED]
RE: [ActiveDir] New DC can't find the machine account
off the top of my head Is DFS running?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: 31 May 2006 14:38 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] New DC can't find the machine account
Re: [ActiveDir] How To Determine What GC a Server is Using?
That's golden joe. You certainly gave a very detailed taste of what it looks like in a real-world environment. Couple of thoughts might also be warranted here:

1) If you're not monitoring GC performance and you're running Exchange, think again.
2) Size doesn't matter; what I mean by that is that the size of your organization is not as important as the volume of messages and the size of the GAL - it's all how you use it (-;
3) memory - always a good thing to have
4) you may notice that there's an excellent troubleshooting guide for Exchange performance that talks about GC interaction and some things to look for. Best to have a look in addition to this.
5) 64 bit + memory can be a nice thing
6) joe wrote a script and admitted it? AND used it? I'm floored. :)

Exchange 12 fixes what? Are you repeating that something's fixed in the next version of an office server? Hmm... Maybe I'm just getting old and jaded, but I feel like I've heard a vendor say, oh, that's fixed in the next version a few times before. I'm still waiting patiently for the ability to change the overquota message. And no, the kb that describes how to do this is not acceptable in case you're wondering. I shouldn't have to write code or write a service to make this type of functionality work. It's a message in the DLL for crying out loud. Read it from somewhere else and let it be changeable (it's been asked for by companies since before Exchange 4.0 even released; it was promised as a fix for just about every version of Exchange release since and never REALLY made it. Instead there's a variation on changing the mdbsz.dll called writing a service. Hmm... I'll wait to see what makes it into the final product when it comes to fixes [1] /rant) http://msexchangeteam.com/archive/2004/04/20/117024.aspx is the reference to it at the moment. I'm sure there's updates somewhere on the net.

[1] Bonus question: anyone know what the difference between beta, RC and GA code is?
On 5/30/06, joe [EMAIL PROTECTED] wrote:

Unfortunately this is something I have had more than desired experience in. The official way to get the current GCs/DCs being used by Exchange is the ESM Directory Access Tab for a given Exchange Server. This leverages the Exchange_DSAccessDC WMI provider. Unfortunately this mechanism has a rather nasty bug in it that I found and have been debating with MSFT since last summer [1]. Basically you can't trust the information you are being told unless you have just stopped and restarted the Exchange Management Service (MSExchangeMGMT). As I believe I mentioned before I heard two main things 1. WMI was never intended to be used for monitoring Windows machines and services. 2. This is all fixed in Exchange 12. I am not sure, but I don't think everyone in MSFT feels that #1 is accurate though that is the response that came from the Exchange Dev and Exchange PSS folks.

So the other mechanism that is available is to crank up your DSACCESS events and scrape out the associated events from the log. However, this won't tell you what is being used, simply what has been detected and is valid for use. So that leaves as the only true mechanism either using netstat or network sniffing to work out what GCs are currently in use.

My recommendation to folks who are having issues with Exchange reporting GCs as failing is to set up a script that calls out to the GCs in a site on a regular basis and queries them and checks the response time. Response times should be low, preferably subsecond but depending on the quality of the script, may not be able to see anything below a couple of seconds due to script interpretation or firing up the connection etc. However, if you are seeing 4 servers reporting a 2 second delay and one reporting 7 second delays... There you go, that is a good candidate to check out. I have successfully used that to track down several issues with GCs.

If you just want to get into the real troubleshooting, the first thing I look at when I hear that Exchange GCs are supposedly causing problems is to look at the disk counters, primarily I look at the disk queues for the DIT file and the read operations. Exchange tends to really push AD to the limit for disk read access and a GC that normally looks fine and actually works fine for 99% of the apps could crumple under Exchange load. Keep in mind that you will not normally catch a problem in a GC by using LDP or ADUC to see how long it takes to pull up an object. Exchange is sending tens of thousands or millions of queries per day and the slightest delay could have severe impact on Exchange even if you don't see anything when using ADUC or LDP or in fact, anything else. So back to disk subsystem, the commonly accepted way to build DCs/GCs is to use 3 RAID-1 arrays which is what is in the deployment guide. I can't begin to state how much I dislike that design. I have seen it cause more issues than help but then I work on larger orgs. I am far more apt to push a RAID-0 or RAID-0+1/10 or even RAID-5 than RAID-1 to get the spindles
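joe's suggestion above is a scheduled script that queries each GC in the site and compares response times. As an added example (my code, not joe's script and not from the thread), the Python below keeps a short latency history per server and flags the servers whose median response is far above the rest, or which stop answering. The probe function times a TCP connect to the Global Catalog port 3268; that is an assumption made to keep the code dependency-free, and a real LDAP query (a RootDSE read, say) would measure more of what Exchange actually waits on. The polling rounds at the bottom are constructed, with one server at roughly 7 seconds against the others at about 2, the pattern joe describes.

```python
import socket
import statistics
import time

# Added example (not from the thread): probe each GC on a schedule, keep a short
# latency history per server and flag the outliers.

GC_PORT = 3268  # assumption: plain LDAP Global Catalog port (LDAPS would be 3269)


def tcp_probe(host, port=GC_PORT, timeout=5.0):
    """Seconds to open a TCP connection to host:port, or None if it fails.
    A connect only shows that the listener answers; a RootDSE read over LDAP would
    be closer to what Exchange waits on, but needs an LDAP library."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.perf_counter() - start
    except OSError:
        return None


class GcLatencyMonitor:
    def __init__(self, servers, history=5):
        self.history = history
        self.samples = {s: [] for s in servers}

    def record(self, server, seconds):
        """Store one measurement (None = probe failed), keeping the last `history` values."""
        buf = self.samples[server]
        buf.append(seconds)
        del buf[:-self.history]

    def poll(self, probe=tcp_probe):
        """One scheduled round: probe every server once."""
        for server in self.samples:
            self.record(server, probe(server))

    def medians(self):
        """Median latency per server over the retained good samples (None if none)."""
        result = {}
        for server, buf in self.samples.items():
            good = [s for s in buf if s is not None]
            result[server] = statistics.median(good) if good else None
        return result

    def slow_servers(self, ratio=2.0, floor=1.0):
        """Servers whose median is at least `ratio` times the median of the other
        servers and above `floor` seconds; servers with no good sample are always listed."""
        meds = self.medians()
        flagged = []
        for server, med in meds.items():
            if med is None:
                flagged.append(server)
                continue
            others = [m for s, m in meds.items() if s != server and m is not None]
            baseline = statistics.median(others) if others else 0.0
            if med >= floor and med >= ratio * baseline:
                flagged.append(server)
        return sorted(flagged)


# Constructed sample: three polling rounds over five GCs (seconds; None = no answer)
SAMPLE_ROUNDS = [
    {"gc1": 1.9, "gc2": 2.1, "gc3": 2.0, "gc4": 2.2, "gc5": 7.1},
    {"gc1": 2.0, "gc2": 2.0, "gc3": 2.1, "gc4": 2.1, "gc5": 6.8},
    {"gc1": 2.1, "gc2": 1.8, "gc3": 2.0, "gc4": 2.3, "gc5": None},
]


def demo():
    """Replay the constructed rounds and return the servers worth a closer look."""
    monitor = GcLatencyMonitor(SAMPLE_ROUNDS[0])
    for round_ in SAMPLE_ROUNDS:
        for server, seconds in round_.items():
            monitor.record(server, seconds)
    return monitor.slow_servers()


if __name__ == "__main__":
    print(demo())  # on a real site, call monitor.poll() from a scheduler with the GC names
```

The relative test (median against the median of the other servers) is what makes the 7-second server stand out even when everything is slower than it should be; the absolute `floor` keeps a site where every GC answers in a fifth of a second from flagging one that takes two fifths.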
RE: [ActiveDir] New DC can't find the machine account
see if the following helps: http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom Sent: Wed 2006-05-31 15:37 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] New DC can't find the machine account
RE: [ActiveDir] New DC can't find the machine account
Is this joe joe or joe someone else? It occurred to me, I've NEVER seen joe joe's last name ... -B

On Wed, 31 May 2006, McNicholas, Joe wrote: off the top of my head Is DFS running?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: 31 May 2006 14:38 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] New DC can't find the machine account
Re: [ActiveDir] New DC can't find the machine account
McNicholas, Joe wrote: off the top of my head Is DFS running?

Yep. Meant to include that below. DFS and netlogon are both running.

al

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: 31 May 2006 14:38 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] New DC can't find the machine account
OT: Re: [ActiveDir] New DC can't find the machine account
Next time you operate that garage door, check the pass. joe is not the same as McNicholas, Joe Need a picture? https://mvp.support.microsoft.com/profile="" for the link [1] [1] sorry joe, couldn't help it. I still crack up when I see the pic.

On 5/31/06, Brett Shirley [EMAIL PROTECTED] wrote: Is this joe joe or joe someone else? It occurred to me, I've NEVER seen joe joe's last name ... -B

On Wed, 31 May 2006, McNicholas, Joe wrote: off the top of my head Is DFS running?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom Sent: 31 May 2006 14:38 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] New DC can't find the machine account
RE: [ActiveDir] [OT] Sysprep Query
This msg chain sums it up. http://groups.google.com/group/microsoft.public.windowsxp.setup_deployment/browse_thread/thread/1e82dbc6cb7480d0/655cafc92cb89c97?lnk=st&q=why+not+use+sysprep&rnum=1&hl=en#655cafc92cb89c97

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, May 31, 2006 9:02 AM To: ActiveDir.org Subject: [ActiveDir] [OT] Sysprep Query

Can anybody point me in the direction of a statement as to the effects of not running sysprep - I know you have to and always do - but looking for hard (read that as decent) documentation as to the effects of not running sysprep on a server. I don't like the fact that most of the infrastructure has not had this run on it. Regards, Mark
RE: [ActiveDir] New DC can't find the machine account
Every joe is someone's joe, but Joe McNicholas Joe joeware Richards

Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Wednesday, May 31, 2006 4:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] New DC can't find the machine account

Is this joe joe or joe someone else? It occurred to me, I've NEVER seen joe joe's last name ... -B

On Wed, 31 May 2006, McNicholas, Joe wrote: off the top of my head Is DFS running?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: 31 May 2006 14:38 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] New DC can't find the machine account
Re: [ActiveDir] New DC can't find the machine account
Almeida Pinto, Jorge de wrote: see if the following helps: http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1

I had run across that page last night. Time is ok (ntp to local time source). I don't think that both computer accounts are corrupt as they were ok as simple servers. I enabled debug logging for the netlogon service and at the same time I get the userenv events I get

05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.: Netlogon is paused on the server. 0x14

al

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom Sent: Wed 2006-05-31 15:37 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] New DC can't find the machine account
Re: [ActiveDir] New DC can't find the machine account
A bit confused here... you said: All that I see in there is netlogon pausing. and then DFS and netlogon are both running. thanks! steve

- Original Message - From: Al Lilianstrom [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, May 31, 2006 7:03 AM Subject: Re: [ActiveDir] New DC can't find the machine account

McNicholas, Joe wrote: off the top of my head Is DFS running? Yep. Meant to include that below. DFS and netlogon are both running. al

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: 31 May 2006 14:38 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] New DC can't find the machine account
RE: [ActiveDir] New DC can't find the machine account
Netlogon is paused on the server. 0x14

please check the following:
* sc query netlogon - is it paused?
* repadmin /options FQDN DC - are the options DISABLE_INBOUND_REPL and DISABLE_OUTBOUND_REPL shown?

if both answer = YES - see directory services event log for event ID 2095 and 2103 - if available - issue = USN rollback - http://support.microsoft.com/?id=875495

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom Sent: Wed 2006-05-31 16:53 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] New DC can't find the machine account

Almeida Pinto, Jorge de wrote: see if the following helps: http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1 I had run across that page last night. Time is ok (ntp to local time source). I don't think that both computer accounts are corrupt as they were ok as simple servers. I enabled debug logging for the netlogon service and at the same time I get the userenv events I get 05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.: Netlogon is paused on the server. 0x14 al

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom Sent: Wed 2006-05-31 15:37 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] New DC can't find the machine account
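Jorge's checklist above can be applied to captured output rather than by eye. As an added example (my code, not from the thread), the Python below reads the STATE line of `sc query netlogon`, the `Current DSA Options` line of `repadmin /options`, a list of Directory Service event IDs and netlogon.log lines, and reports whether the full USN rollback signature from KB 875495 (Netlogon paused, both replication-disable flags set, event 2095 or 2103 logged) is present, or only part of it. The command output and the log line are constructed for this example and `child.example.com` is a placeholder; the field layouts follow what those tools print, but compare the regexes against a real capture before relying on them.

```python
import re

# Added example (not from the thread): apply the Netlogon / DSA options / event ID
# checklist to captured command output. Sample text below is constructed; on a real
# DC feed in the output of `sc query netlogon`, `repadmin /options <DC>` and the
# contents of netlogon.log.

SC_STATE_RE = re.compile(r"^\s*STATE\s*:\s*(\d+)\s+([A-Z_]+)", re.MULTILINE)
DSA_OPTIONS_RE = re.compile(r"^\s*Current DSA Options:\s*(.*?)\s*$", re.MULTILINE)
NETLOGON_PAUSED_RE = re.compile(r"Netlogon is paused on the server")
REPL_DISABLED = {"DISABLE_INBOUND_REPL", "DISABLE_OUTBOUND_REPL"}
USN_ROLLBACK_EVENTS = {2095, 2103}  # Directory Service event IDs named in the thread (KB 875495)


def netlogon_state(sc_query_output):
    """State word ('RUNNING', 'PAUSED', ...) from `sc query netlogon` output."""
    m = SC_STATE_RE.search(sc_query_output)
    if not m:
        raise ValueError("no STATE line found in sc query output")
    return m.group(2)


def dsa_options(repadmin_output):
    """Set of DSA option flags from `repadmin /options` output."""
    m = DSA_OPTIONS_RE.search(repadmin_output)
    if not m:
        raise ValueError("no 'Current DSA Options' line found")
    return set(m.group(1).split())


def paused_log_lines(netlogon_log):
    """netlogon.log lines reporting that Netlogon is paused."""
    return [line.strip() for line in netlogon_log.splitlines() if NETLOGON_PAUSED_RE.search(line)]


def triage(sc_query_output, repadmin_output, ds_event_ids, netlogon_log=""):
    """Return (verdict, findings). The verdict names USN rollback only when Netlogon is
    paused AND both replication-disable flags are set AND event 2095 or 2103 was logged."""
    findings = []
    state = netlogon_state(sc_query_output)
    if state == "PAUSED":
        findings.append("Netlogon service is PAUSED")
    disabled = REPL_DISABLED & dsa_options(repadmin_output)
    findings.extend(f"DSA option {opt} is set" for opt in sorted(disabled))
    events = USN_ROLLBACK_EVENTS & set(ds_event_ids)
    findings.extend(f"Directory Service event {eid} logged" for eid in sorted(events))
    findings.extend("netlogon.log: " + line for line in paused_log_lines(netlogon_log))

    if state == "PAUSED" and disabled == REPL_DISABLED and events:
        verdict = "USN rollback signature: see KB 875495 (http://support.microsoft.com/?id=875495)"
    elif state == "PAUSED" or disabled:
        verdict = "Netlogon paused or replication disabled without the full USN rollback pattern; read the Directory Service event log"
    else:
        verdict = "no USN rollback indicators"
    return verdict, findings


# Constructed sample captures (layout as printed by sc.exe and repadmin, values made up)
SC_QUERY_PAUSED = """SERVICE_NAME: netlogon
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 7  PAUSED
                                (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SC_QUERY_RUNNING = SC_QUERY_PAUSED.replace("7  PAUSED", "4  RUNNING")
REPADMIN_ROLLBACK = "Current DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL\n"
REPADMIN_HEALTHY = "Current DSA Options: IS_GC\n"
NETLOGON_LOG = ("05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: child.example.com.: "
                "Netlogon is paused on the server. 0x14\n")


if __name__ == "__main__":
    verdict, findings = triage(SC_QUERY_PAUSED, REPADMIN_ROLLBACK, [1097, 1030, 2095, 2103], NETLOGON_LOG)
    print(verdict)
    for finding in findings:
        print("  -", finding)
```

Keeping the three signals separate in `findings` matters because a paused Netlogon on its own has other causes (the thread's own userenv 1097 and 1030 events are consequences, not the cause), so the script only names USN rollback when all three parts of Jorge's checklist agree.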
Re: [ActiveDir] New DC can't find the machine account
steve patrick wrote:
    A bit confused here... you said:
    All that I see in there is netlogon pausing.

This is in the netlogon.log file.

    and then
    DFS and netlogon are both running.

Both are set to automatic and are running when I log in after the system boots.

    thanks! steve

- Original Message -
From: Al Lilianstrom
To: ActiveDir@mail.activedir.org
Sent: Wednesday, May 31, 2006 7:03 AM
Subject: Re: [ActiveDir] New DC can't find the machine account

McNicholas, Joe wrote:
    off the top of my head Is DFS running?

Yep. Meant to include that below. DFS and netlogon are both running.

al
--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
Re: [ActiveDir] New DC can't find the machine account
Almeida Pinto, Jorge de wrote:
    Netlogon is paused on the server. 0x14
    please check the following:
    * sc query netlogon - is it paused?

No.

C:\>sc query netlogon

SERVICE_NAME: netlogon
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
        ...

It only shows paused in the netlogon.log file for ~30 seconds while the server is booting.

    * repadmin /options FQDN DC - are the options DISABLE_INBOUND_REPL and DISABLE_OUTBOUND_REPL shown?

No.

    if both answer = YES - see directory services event log for event ID 2095 and 2103 - if available - issue = USN rollback - http://support.microsoft.com/?id=875495

Just for grins I looked to make sure those events weren't there and they are not.

al
--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
Re: [ActiveDir] New DC can't find the machine account
So after you boot and wait for a bit - if you run gpupdate /force, it comes back successful, yes?

And netlogon is only paused for a time.

Do the DC's point to themselves for DNS? If so - you probably are hitting the behavior where we have some delay due to waiting for an initial AD sync... I'm sure there are many others who can comment on the specific behavior - but it is important to note that it is by design.

steve
RE: [ActiveDir] tokenGroups field
Thanks Joe,

That's a little bit further than I want to go ;-)

I wrote a GetMemberShip( DirectoryEntry ) method that finds all the domains in the forest and then connects to a GC in each and grabs tokenGroups for each and combines them into one string[]. That seems to work fine (until the day when we have a large number of domains :-o).

Speaking of enumerating the domains in the forest, I'm enumerating the domains by connecting to:

CN=Partitions,CN=Configuration,DC=forestroot,DC=net

Then I throw away the schema, config, and DNS partitions. That seems to work fine until the day we start using application partitions, in which case I will have no way of distinguishing a security enabled partition from the application partition. Is there a cooler way to enumerate the domain partitions in a forest?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

The membership of groups is handled in a special way. Although the member attribute is marked for PAS inclusion, only UG membership is replicated outside of a domain to all GCs.

If you aren't worried about token creation for Windows security and instead just want to have full membership of a user in a single query, you have two options that I can think of:

1. Consolidate the group membership into another store, say ADAM or SQL Server.

2. Create another linked attribute pair that you apply to users and groups like member/memberof that is set for PAS inclusion. When you set the member attribute you set the additional attribute, which will replicate to all GCs because the directory doesn't have any special rules for your custom attribute. If you go that far, I would also set that new attribute to be saved on tombstone as well.

:)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks, that's pretty much what I figured. So this is of low importance, but why wouldn't any GC in the forest be able to provide me with the local groups for all of the domains? Why do I have to hit a GC in every domain? As I understand it the GC replicates the data from each domain that is marked for the partial attribute set. Like I said, really low importance, I'm just curious.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Your token only contains groups that are valid locally. So if you log onto a workstation that is part of a forest, your token on the workstation will contain Universal groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine. Take a look at whoami /groups or sectok to see your interactive token.

Now if you connect to a remote machine, you will get the groups that have value there on your token on that remote machine. This is easiest to see with ADAM: connect to an ADAM instance and pull the rootdse attribute tokengroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Yep your examples are helpful, that's what I'm using :-) It looks like hitting a GC for each domain in the forest is the way to go in order to get the local group membership from other domains.

So just out of curiosity, when Windows builds your token, does it include the local groups from other domains? Or does it add them when you try to access a resource that is protected by the foreign group?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Sunday, May 28, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field

I've been checked out of the group here for a few weeks and just poked back in. I think Dmitri summed things up quite well. I'll just add that ADSI and S.DS don't do anything interesting here. The net result is the same base LDAP query you'd do in any other language.

DLGs from multiple domains are not easy to get and there seems to be no really easy way to do it. The UGs and GGs from the user's home domain should always be there with tokenGroups though. We kind of glossed this over in our book, although our tokenGroups samples are pretty good otherwise. Ryan showed three different methods for converting the SIDs back into friendly names, which could help a lot of people.

Joe K.

- Original Message -
From:
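The two pieces Joseph describes building by hand, as an added example that is not code from anyone in this thread (his GetMemberShip method is C#; this is the same idea in PowerShell against System.DirectoryServices). First, enumerating only the domain partitions from CN=Partitions in a way that survives application partitions: every naming context's crossRef has FLAG_CR_NTDS_NC (0x1) in systemFlags, only domain NCs also have FLAG_CR_NTDS_DOMAIN (0x2), and application partitions carry 0x1|0x4 instead, so a bitwise-AND filter on 0x2 keeps exactly the domains. Second, reading tokenGroups from one global catalog per domain and merging by SID, which is the approach the thread settles on. The user DN is a placeholder; it assumes a domain-joined machine and a caller allowed to read the user object.

```powershell
# Added example, not from the thread: enumerate domain partitions without catching application
# partitions, then read a user's tokenGroups from a GC in every domain and merge by SID.
# Assumes a domain-joined machine and a caller allowed to read the user. $UserDn is a placeholder.

Add-Type -AssemblyName System.DirectoryServices

$UserDn = 'CN=Jane Doe,OU=Staff,DC=child,DC=forestroot,DC=net'   # placeholder, not from the thread

function Get-DomainPartitions {
    # crossRef.systemFlags: 0x1 = FLAG_CR_NTDS_NC on every NC, 0x2 = FLAG_CR_NTDS_DOMAIN only on
    # domain NCs, 0x4 = FLAG_CR_NTDS_NOT_GC_REPLICATED on application partitions. The LDAP
    # bitwise-AND matching rule (1.2.840.113556.1.4.803) against 2 therefore returns only domains.
    $configNc = [string]([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNc"
    $searcher.Filter = '(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('nCName', 'dnsRoot'))
    foreach ($res in $searcher.FindAll()) {
        [pscustomobject]@{ NcName = $res.Properties['ncname'][0]; DnsRoot = $res.Properties['dnsroot'][0] }
    }
}

function Get-ForestTokenGroups {
    param([string]$Dn)
    # tokenGroups is computed by the server that answers, from the membership data that server
    # holds (joe's point above: only universal group membership reaches every GC). The thread's
    # answer is to ask a GC in each domain and take the union, which is what this does.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcByDomain = @{}
    foreach ($gc in $forest.GlobalCatalogs) {
        if (-not $gcByDomain.ContainsKey($gc.Domain.Name)) { $gcByDomain[$gc.Domain.Name] = $gc.Name }
    }

    $seen = @{}
    foreach ($domainName in $gcByDomain.Keys) {
        $entry = [ADSI]"GC://$($gcByDomain[$domainName])/$Dn"
        $entry.RefreshCache([string[]]@('tokenGroups'))     # constructed attribute: must be asked for explicitly
        foreach ($bytes in $entry.Properties['tokenGroups']) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0
            if ($seen.ContainsKey($sid.Value)) { continue }
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }               # e.g. a SID this host cannot look up
            $seen[$sid.Value] = [pscustomobject]@{ Sid = $sid.Value; Name = $name; SeenVia = $domainName }
        }
    }
    $seen.Values | Sort-Object Name
}

Get-DomainPartitions | Format-Table -AutoSize
Get-ForestTokenGroups -Dn $UserDn | Format-Table -AutoSize
```

Forest.GetCurrentForest().Domains gives the same domain list as the crossRef query; the LDAP form is shown because that is the container Joseph is already reading. The SeenVia column records which domain's GC first produced each SID, which makes it visible that the domain local groups only appear when the GC in their own domain is asked.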
[ActiveDir] MSC pointing at untrusted domain?
Dear collective,

I was wondering if there was a way to have a .MSC file (eg to show the event log) of a computer in another domain, which has no trust set up with the one I'm using. Unfortunately, setting up a trust is not an option - as the other domain is sitting on an SBS box.

I had hoped I could create a .msc pointing at the SBS domain/server and get prompted for credentials, but it just goes straight to an access denied error.

Any ideas?

TIA,
--
AdamT
A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche
Re: [ActiveDir] New DC can't find the machine account
steve patrick wrote:
    So after you boot and wait for a bit - if you run gpupdate /force, it comes back successful, yes?

Yes. New policies apply without a /force.

    And netlogon is only paused for a time. Do the DC's point to themselves for DNS?

No. External DNS.

al
Re: [ActiveDir] New DC can't find the machine account
If you have not already, have you run dcdiag on those machines? I'm curious what it says about dns and updating records etc

Al
RE: [ActiveDir] MSC pointing at untrusted domain?
How about:

Runas /netonly /user:target_computer\username eventvwr.exe /auxsource=target_computer

Mike Thommes
RE: [ActiveDir] MSC pointing at untrusted domain?
Sorry for the last incorrect answer. Try this:

runas /netonly /user:domain_or_target_computer\username mmc.exe eventvwr.msc /computer=target_computer

Mike Thommes
Re: [ActiveDir] MSC pointing at untrusted domain?
On 31/05/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:
    How about:
    Runas /netonly /user:target_computer\username eventvwr.exe /auxsource=target_computer

Interestingly - that prompts for the password, and launches eventviewer - but it's pointed at the logs of the local machine :-(

Thanks anyhow
--
AdamT
Re: [ActiveDir] MSC pointing at untrusted domain?
That's done it! Thanks - you've saved me from 'Remote Desktop Rage' - that situation where there's too many people in need of an RDP session to a box with insufficient licenses ;-)

On 31/05/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:
    Sorry for the last incorrect answer. Try this:
    runas /netonly /user:domain_or_target_computer\username mmc.exe eventvwr.msc /computer=target_computer
    Mike Thommes

--
AdamT
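The technique Mike and Adam arrived at, plus a script-only variant of the same thing, as an added example that is not code from either of them. runas /netonly keeps your own logon token for everything local and presents the supplied account only when a process authenticates over the network, which is why mmc runs as you but reaches the SBS box as the remote account; with no trust in place there is no Kerberos path, so that authentication is NTLM against whatever answers for the target name. The host name and account are placeholders. Get-WinEvent with -Credential needs a Windows Vista/2008 or later target and the "Remote Event Log Management" firewall rules open on it; for an older target the runas route is the one that applies.

```powershell
# Added example, not from the thread: two ways into an untrusted machine's event log without a trust
# and without an RDP session. $Target and $Account are placeholders. Route B needs a Vista/2008+
# target and the Remote Event Log Management firewall rules enabled on it.

$Target  = 'sbs01.otherdomain.local'     # placeholder
$Account = "$Target\auditor"             # placeholder: an account that exists on the target, not your own domain account

# Route A: the command from the thread, wrapped. runas /netonly keeps your local token and offers
# $User only for outbound network authentication (NTLM here, since no trust means no Kerberos).
# The program and its arguments must reach runas as one string, hence the quoting.
function Start-UntrustedEventViewer {
    param([string]$ComputerName, [string]$User)
    & runas.exe /netonly "/user:$User" "mmc.exe eventvwr.msc /computer=$ComputerName"   # runas prompts for the password
}

# Route B: same credential handling from a script, with the filter evaluated on the target so only
# matching records cross the wire.
function Get-UntrustedHostEvents {
    param(
        [string]$ComputerName,
        [pscredential]$Credential,
        [string]$LogName = 'System',
        [int]$Hours = 24,
        [int]$MaxEvents = 50
    )
    $filter = @{
        LogName   = $LogName
        Level     = 1, 2                            # 1 = critical, 2 = error
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -Credential $Credential -FilterHashtable $filter -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
}

$cred = Get-Credential -UserName $Account -Message 'Account on the target machine, not your own domain account'
Get-UntrustedHostEvents -ComputerName $Target -Credential $cred | Format-Table -AutoSize -Wrap
# Start-UntrustedEventViewer -ComputerName $Target -User $Account   # the GUI route, when you want the console
```

Use an account that lives on the target and holds only what the task needs (membership of the target's Event Log Readers group is enough for reading logs) rather than a domain admin from your own forest: the password you type is handed to whichever host answers for that name, and /netonly gives you no feedback about who that was until the first remote call succeeds or fails.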
RE: [ActiveDir] New DC can't find the machine account
I bet you one crate to a bottle of German beer that your DNS is out to lunch. Every time when I've seen this, it always goes away by kicking a DNS server somewhere. Check your DNS servers.

Sincerely,
Microsoft MVP - Directory Services
http://www.readymaids.com - we know IT
http://www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Wed 5/31/2006 7:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Almeida Pinto, Jorge de wrote:
see if the following helps: http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1

I had run across that page last night. Time is ok (ntp to local time source). I don't think that both computer accounts are corrupt as they were ok as simple servers. I enabled debug logging for the netlogon service and at the same time I get the userenv events I get

05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.: Netlogon is paused on the server. 0x14

al

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Wed 2006-05-31 15:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New DC can't find the machine account

Hi, I have a Windows 2000 based AD (empty root with 1 child domain) that I'm in the process of upgrading to w2003r2 as a test for our production domain (same configuration). The adprep went fine as well as the dcpromo of the new DC.
However when the new DC reboots I get the following messages in the application log:

EVENT TYPE Error, SOURCE Userenv, EVENT ID 1097: Windows cannot find the machine account, The Local Security Authority cannot be contacted.

and

EVENT TYPE Error, SOURCE Userenv, EVENT ID 1030: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Neither system has these messages when they were simple servers in the domain. They were rebooted several times before becoming DCs to make sure the event logs were clean. They seem to be functioning as DCs. File replication with the original w2k dc took a long time to start up. I added a second w2k3 r2 DC and it is showing the exact same messages. Both machines were created from the same sysprep image - the machine that was built as the basis for the sysprep image was never in the domain.

I've been searching Microsoft and came up with one or two applicable docs. One said to make sure that services like netlogon were set to automatic (it is). Another had settings for enabling debug on the netlogon service which I implemented. All that I see in there is netlogon pausing.

Any ideas?

al
-- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED]
RE: [ActiveDir] How To Determine What GC a Server is Using?
WMI is deprecated in E12. EMS (the Exchange Management Shell, today's "official" name for the Exchange version of PowerShell/Monad) gives one access to lots and lots of information. So does the next version of mumble. Further this deponent sayeth not, not being exactly clear which version of my NDAs apply (having signed 4, so far, around E12).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 31, 2006 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How To Determine What GC a Server is Using?

That's golden joe. You certainly gave a very detailed taste of what it looks like in a real-world environment. Couple of thoughts might also be warranted here:
1) If you're not monitoring GC performance and you're running Exchange, think again.
2) Size doesn't matter; what I mean by that is that the size of your organization is not as important as the volume of messages and the size of the GAL - it's all how you use it (-;
3) memory - always a good thing to have
4) you may notice that there's an excellent troubleshooting guide for Exchange performance that talks about GC interaction and some things to look for. Best to have a look in addition to this.
5) 64 bit + memory can be a nice thing
6) joe wrote a script and admitted it? AND used it? I'm floored. :)

Exchange 12 fixes what? Are you repeating that something's fixed in the next version of an office server? Hmm... Maybe I'm just getting old and jaded, but I feel like I've heard a vendor say, "oh, that's fixed in the next version" a few times before. I'm still waiting patiently for the ability to change the overquota message. And no, the kb that describes how to do this is not acceptable in case you're wondering. I shouldn't have to write code or write a service to make this type of functionality work. It's a message in the DLL for crying out loud.
Read it from somewhere else and let it be changeable (it's been asked for by companies since before Exchange 4.0 even released; it was promised as a fix for just about every version of Exchange release since and never REALLY made it. Instead there's a variation on changing the mdbsz.dll called writing a service. Hmm... I'll wait to see what makes it into the final product when it comes to fixes [1] /rant)

http://msexchangeteam.com/archive/2004/04/20/117024.aspx is the reference to it at the moment. I'm sure there's updates somewhere on the net.

[1] Bonus question: anyone know what the difference between beta, RC and GA code is?

On 5/30/06, joe [EMAIL PROTECTED] wrote:

Unfortunately this is something I have had more than desired experience in. The official way to get the current GCs/DCs being used by Exchange is the ESM Directory Access Tab for a given Exchange Server. This leverages the Exchange_DSAccessDC WMI provider. Unfortunately this mechanism has a rather nasty bug in it that I found and have been debating with MSFT with since last summer[1]. Basically you can't trust the information you are being told unless you have just stopped and restarted the Exchange Management Service (MSExchangeMGMT).

As I believe I mentioned before I heard two main things:
1. WMI was never intended to be used for monitoring Windows machines and services.
2. This is all fixed in Exchange 12.

I am not sure, but I don't think everyone in MSFT feels that #1 is accurate though that is the response that came from the Exchange Dev and Exchange PSS folks.

So the other mechanism that is available is to crank up your DSACCESS events and scrape out the associated events from the log. However, this won't tell you what is being used, simply what has been detected and is valid for use.

So that leaves as the only true mechanism either using netstat or network sniffing to work out what GCs are currently in use.
My recommendation to folks who are having issues with Exchange reporting GCs as failing is to set up a script that calls out to the GCs in a site on a regular basis and queries them and checks the response time. Response times should be low, preferably subsecond but depending on the quality of the script, may not be able to see anything below a couple of seconds due to script interpretation or firing up the connection etc. However, if you are seeing 4 servers reporting a 2 second delay and one reporting 7 second delays... There you go, that is a good candidate to check out. I have successfully used that to track down several issues with GCs.

If you just want to get into the real troubleshooting, the first thing I look at when I hear that Exchange GCs are supposedly causing problems is to look at the disk counters, primarily I look at the disk queues for the DIT file and the read operations.
RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains
I suspect you are making this overly complicated. Can you state your query in words?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 31, 2006 7:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

Okay, I have been working on getting this query right for an hour now, tried several combinations but I believe it is not all that easy to build an LDAP query, things like parentheses and ampersands... they are driving me mad right now ;-)

I have now created 2 separate address lists in Exchange because I cannot seem to create one query to output the complete result I want. I have now composed 2 separate queries which give me exactly the output that I want, BUT only separately. When I join these queries together I get a query which doesn't work or doesn't give me the output that I want.

These are the queries:

query 1: ((( (mailnickname=*) (| ((objectCategory=person)(objectClass=user)(! (homeMDB=*))(!(msExchHomeServerName=*)))((objectCategory=person) (objectClass=user)(msExchHomeServerName=*/cn=AA*))( (objectCategory=person)(objectClass=contact))

query 2: ((objectCategory=group)(proxyAddresses=*a.mydomain.com))

- AA are the first letters of the servernames for that child domain.
- a in a.mydomain.com is the name of my child domain.

Both these queries are working but I cannot seem to make one query out of them. I guess the query I want to create should have some sort of AND in it because I want the results of both queries together in one query. Does anybody have any idea how to create one working query out of these two?
- Original message -
From: [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 11:27 am
Subject: Re: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

Emm, it seems I just found it, might be useful for anybody who didn't already know it, (probably just me): http://support.microsoft.com/default.aspx?scid=kb;en-us;312299

- Original message -
From: [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 10:33 am
Subject: Re: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

I have made some progress and I think that this query should work:

((( (mailnickname=*) (| ((objectCategory=person)(objectClass=user)(!(homeMDB=*))(! (msExchHomeServerName=*)))((objectCategory=person) (objectClass=user)(msExchHomeServerName=*/cn=AA*))( (objectCategory=person)(objectClass=contact)) (objectCategory=publicFolder))((objectCategory=group) ([EMAIL PROTECTED] email address

Unfortunately I cannot paste this query in the LDAP query field on the Advanced tab of the screen I get in when I click properties of the address list. It seems I can only put a certain number of characters in there.

- Original message -
From: [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 9:55 am
Subject: Re: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

Good idea, but I think I am doing something wrong. It is not a matter of the AL being displayed differently by the RUS on the one hand or the AL preview button on the other hand (at least in case of this company it isn't :-). The only thing I am looking at is the list which is displayed when clicking the AL preview button. When I put the query described beneath, in the address list in ESM and I click the preview button, a list is displayed which also contains mail enabled groups from the other child domains. I cannot seem to get the query right to not display those groups.
It looks like this problem is more difficult than I thought it would be. Still working on it.

- Original message -
From: joe [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 1:59 am
Subject: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

First off, the test AL button in the ESM doesn't build the AL the same way that the RUS does. The RUS does not issue an LDAP query to build the AL, it looks at every object that is detected as changed (or at every object if forced to rebuild) via USN change tracking and manually compares it to the AL LDAP filter. This means that bugs in either mechanism could result in different lists being built, so basically, don't trust what ESM says the AL will have as members, it is pretty worthless. Set the filter and let the AL build the list. Because of how this is all implemented, there is no domain affinity for the building of the ALs. This means you need to focus on
RE: [ActiveDir] New DC can't find the machine account
Reading the last paragraph this is expected behaviour (feature).

Mark

SNIP/ 832215 You receive event ID 1097 and event ID 1030 error events when you restart a Windows Server 2003-based domain controller

This issue may occur if one or more of the following conditions are true:
- Only one other domain controller is available in the domain, and that domain controller is starting up, but is not completely started.
- This is the only domain controller in the domain. The error events that are described in the Symptoms section of this article are logged while the domain controller is starting up.
- A program sends a request that requires a domain controller role, and the domain controller is still starting up.
- The Net Logon service on a domain controller is set to Manual and is not started.

This behavior occurs because, during startup, the Net Logon service enters a paused state together with Directory Services startup. During this time, the domain controller responds to netlogon ping requests with a netlogon paused response. Note These netlogon ping requests may also originate from the local computer. In this scenario, domain controller locator requests are unsuccessful. Therefore, the program or service that sends the request cannot locate a domain controller. Typically, this error only occurs while the domain controller starts. The error stops when the services are available. When the Net Logon service resumes from the paused state, other programs and services can again contact the domain controller. /END SNIP

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: 31 May 2006 13:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New DC can't find the machine account

Hi, I have a Windows 2000 based AD (empty root with 1 child domain) that I'm in the process of upgrading to w2003r2 as a test for our production domain (same configuration). The adprep went fine as well as the dcpromo of the new DC.
However when the new DC reboots I get the following messages in the application log:

EVENT TYPE Error, SOURCE Userenv, EVENT ID 1097: Windows cannot find the machine account, The Local Security Authority cannot be contacted.

and

EVENT TYPE Error, SOURCE Userenv, EVENT ID 1030: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Neither system has these messages when they were simple servers in the domain. They were rebooted several times before becoming DCs to make sure the event logs were clean. They seem to be functioning as DCs. File replication with the original w2k dc took a long time to start up. I added a second w2k3 r2 DC and it is showing the exact same messages. Both machines were created from the same sysprep image - the machine that was built as the basis for the sysprep image was never in the domain.

I've been searching Microsoft and came up with one or two applicable docs. One said to make sure that services like netlogon were set to automatic (it is). Another had settings for enabling debug on the netlogon service which I implemented. All that I see in there is netlogon pausing.

Any ideas?

al
-- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED]
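The KB text Mark quotes says a starting DC answers locator pings with "Netlogon paused" and that this only matters if it continues after startup. The script below is an added example, not from the thread or the KB: it reads netlogon.log lines in the format Al's debug output shows and sorts paused responses per domain into startup noise versus something persistent. Boot time, the startup window and all lines except the first (which is the one quoted in the thread) are constructed assumptions.

```python
"""Triage 'Netlogon is paused' responses in a netlogon.log debug trace."""
import re
from datetime import datetime, timedelta

# netlogon.log line: "MM/DD HH:MM:SS [LEVEL] Function: message"
LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (\w+): (.*)$")
# The response the DC sends while Net Logon is still paused (status 0x14).
PAUSED_RE = re.compile(
    r"^(?P<domain>\S+): Netlogon is paused on the server\. 0x14$")


def parse_netlogon(lines, year):
    """Yield (timestamp, level, function, message). netlogon.log carries no
    year, so the caller supplies it; unparsable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %m/%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4)


def classify_paused(lines, boot_time, year, startup_window=timedelta(minutes=10)):
    """Return {domain: 'startup-transient' | 'persistent'}.

    A domain is 'startup-transient' when every paused response to it was
    logged within `startup_window` of `boot_time` (the KB's expected case)
    and 'persistent' when any came later, which points at Net Logon set to
    Manual or at the only other DC still being down."""
    verdict = {}
    for ts, _level, _func, msg in parse_netlogon(lines, year):
        m = PAUSED_RE.match(msg)
        if not m:
            continue
        domain = m.group("domain")
        late = ts - boot_time > startup_window
        if late or domain not in verdict:
            verdict[domain] = "persistent" if late else "startup-transient"
    return verdict


# Constructed sample trace: the first line is the one quoted in the thread,
# the rest are made up to show both outcomes.
SAMPLE_LOG = [
    "05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.: Netlogon is paused on the server. 0x14",
    "05/31 09:48:40 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.: Netlogon is paused on the server. 0x14",
    "05/31 09:52:10 [MISC] DsGetDcName: Returning dc name dc1.test.fnal.gov. for domain test.fnal.gov.",
    "05/31 11:30:15 [CRITICAL] NetpDcHandlePingResponse: child.example.test.: Netlogon is paused on the server. 0x14",
]
SAMPLE_BOOT = datetime(2006, 5, 31, 9, 47, 50)  # assumed boot time


def demo():
    return classify_paused(SAMPLE_LOG, SAMPLE_BOOT, year=2006)


if __name__ == "__main__":
    for domain, status in demo().items():
        print(f"{domain}: {status}")
```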
[ActiveDir] Deny Read Permissions to Group Policy
I have a sub OU with 60 users and I wish to apply a group policy to 55 of the users. I assume the easy way is to deny read permissions to the policy for the handful of employees I do not want the policy to apply to. I have gpmc open and looking under security filtering and can't seem to figure out how to accomplish this. If there is a better method then deny reading of the policy, I'll take the advice.

Thanks.

Tony
RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains
That was indeed the case. In the mean time I got the query working, see my earlier reply to Jerry Welch.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday 31 May 2006 22:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

I suspect you are making this overly complicated. Can you state your query in words?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 31, 2006 7:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

Okay, I have been working on getting this query right for an hour now, tried several combinations but I believe it is not all that easy to build an LDAP query, things like parentheses and ampersands... they are driving me mad right now ;-)

I have now created 2 separate address lists in Exchange because I cannot seem to create one query to output the complete result I want. I have now composed 2 separate queries which give me exactly the output that I want, BUT only separately. When I join these queries together I get a query which doesn't work or doesn't give me the output that I want.

These are the queries:

query 1: ((( (mailnickname=*) (| ((objectCategory=person)(objectClass=user)(! (homeMDB=*))(!(msExchHomeServerName=*)))((objectCategory=person) (objectClass=user)(msExchHomeServerName=*/cn=AA*))( (objectCategory=person)(objectClass=contact))

query 2: ((objectCategory=group)(proxyAddresses=*a.mydomain.com))

- AA are the first letters of the servernames for that child domain.
- a in a.mydomain.com is the name of my child domain.

Both these queries are working but I cannot seem to make one query out of them. I guess the query I want to create should have some sort of AND in it because I want the results of both queries together in one query.
Does anybody have any idea how to create one working query out of these two?

- Original message -
From: [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 11:27 am
Subject: Re: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

Emm, it seems I just found it, might be useful for anybody who didn't already know it, (probably just me): http://support.microsoft.com/default.aspx?scid=kb;en-us;312299

- Original message -
From: [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 10:33 am
Subject: Re: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

I have made some progress and I think that this query should work:

((( (mailnickname=*) (| ((objectCategory=person)(objectClass=user)(!(homeMDB=*))(! (msExchHomeServerName=*)))((objectCategory=person) (objectClass=user)(msExchHomeServerName=*/cn=AA*))( (objectCategory=person)(objectClass=contact)) (objectCategory=publicFolder))((objectCategory=group) ([EMAIL PROTECTED] email address

Unfortunately I cannot paste this query in the LDAP query field on the Advanced tab of the screen I get in when I click properties of the address list. It seems I can only put a certain number of characters in there.

- Original message -
From: [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 9:55 am
Subject: Re: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

Good idea, but I think I am doing something wrong. It is not a matter of the AL being displayed differently by the RUS on the one hand or the AL preview button on the other hand (at least in case of this company it isn't :-). The only thing I am looking at is the list which is displayed when clicking the AL preview button. When I put the query described beneath, in the address list in ESM and I click the preview button, a list is displayed which also contains mail enabled groups from the other child domains.
I cannot seem to get the query right to not display those groups. It looks like this problem is more difficult than I thought it would be. Still working on it.

- Original message -
From: joe [EMAIL PROTECTED]
Date: Wednesday, May 31, 2006 1:59 am
Subject: RE: [ActiveDir] LDAP query to create Exchange address list - organisation with child domains

First off, the test AL button in the ESM doesn't build the AL the same way that the RUS does. The RUS does not issue an LDAP query to build the AL, it looks at every object that is detected as changed (or at every object if forced to rebuild) via USN change tracking and manually compares it to the AL LDAP filter. This means that bugs in either mechanism
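The address-list thread above (both copies of it) turns on how to merge two working LDAP filters into one, and why the preview button cannot be trusted to tell you the result. The evaluator below is an added example, not from the thread or from Exchange: it parses RFC 4515-style filters, checks their parentheses balance, and runs them against in-memory entries, so a merged filter can be tested against sample objects before it goes into ESM. The filters and entries are constructed to mirror the thread's attributes (the AA server prefix and the a.mydomain.com child domain); they are not the poster's exact filters, whose ampersands the archive lost.

```python
"""Tiny LDAP filter parser/evaluator for testing address-list filters offline."""
import re


def parse(text):
    """Parse a filter into a tree of ('&'|'|'|'!', [children]) or ('=', (attr, value)).
    Raises ValueError on unbalanced or malformed filters."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise ValueError("unexpected end of filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one operand")
            tree = (op, kids)
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("unterminated filter item")
            attr, eq, value = text[pos:end].partition("=")
            if not eq or not attr:
                raise ValueError(f"bad filter item {text[pos:end]!r}")
            tree = ("=", (attr.lower(), value))  # LDAP attribute names are case-insensitive
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return tree

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing text at offset {pos}")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry ({attr: [values]})."""
    op, arg = tree
    if op == "&":
        return all(matches(k, entry) for k in arg)
    if op == "|":
        return any(matches(k, entry) for k in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, pattern = arg
    values = entry.get(attr, [])
    if pattern == "*":                      # presence filter
        return bool(values)
    # '*' inside a value is a substring wildcard; matching is case-insensitive
    rx = re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)
    return any(rx.fullmatch(v) for v in values)


def combine_or(*filters):
    """Union of several filters: each is validated, then wrapped in (|...).
    A union (OR), not an AND, is what 'the results of both queries together' means."""
    for f in filters:
        parse(f)
    return "(|" + "".join(filters) + ")"


def search(filter_text, entries):
    tree = parse(filter_text)
    return sorted(name for name, e in entries.items() if matches(tree, e))


def entry(**attrs):
    return {k.lower(): (v if isinstance(v, list) else [v]) for k, v in attrs.items()}


# Constructed filters in the spirit of the thread (AA = child-domain server prefix).
QUERY_USERS = ("(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))"
               "(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)"
               "(msExchHomeServerName=*/cn=AA*))(&(objectCategory=person)(objectClass=contact))))")
QUERY_GROUPS = "(&(objectCategory=group)(proxyAddresses=*a.mydomain.com))"

# Constructed directory entries (objectCategory is the short name AD resolves).
ENTRIES = {
    "alice": entry(objectCategory="person", objectClass=["top", "person", "user"], mailNickname="alice",
                   msExchHomeServerName="/o=Org/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=AAEXCH01"),
    "bob": entry(objectCategory="person", objectClass=["top", "person", "user"], mailNickname="bob",
                 homeMDB="CN=Mailbox Store,CN=BBEXCH01", msExchHomeServerName="/o=Org/cn=Servers/cn=BBEXCH01"),
    "carol": entry(objectCategory="person", objectClass=["top", "person", "contact"], mailNickname="carol"),
    "sales": entry(objectCategory="group", objectClass=["top", "group"], mailNickname="sales",
                   proxyAddresses=["SMTP:sales@a.mydomain.com", "smtp:sales@mydomain.com"]),
    "ops-b": entry(objectCategory="group", objectClass=["top", "group"], mailNickname="ops",
                   proxyAddresses=["SMTP:ops@b.mydomain.com"]),
}

if __name__ == "__main__":
    print(search(combine_or(QUERY_USERS, QUERY_GROUPS), ENTRIES))
```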
RE: [ActiveDir] Deny Read Permissions to Group Policy
Anthony- Unfortunately, the GPMC does not expose Deny ACEs in the same neat way that it exposes Allow. What you have to do is go into the Advanced view on Security Filtering, and essentially add the Deny ACE manually for that group using the good old ACL Editor. The easiest way to do a GP deny is to simply set a deny on the Apply Group Policy permission, rather than denying the read permission. Effectively there is no difference in the end result but to me it's 'cleaner'. Also, I would put those handful of employees into a global group and then use that global group to set the deny, rather than having 5 separate ACEs for each employee.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anthony Crawford
Sent: Wednesday, May 31, 2006 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Deny Read Permissions to Group Policy

I have a sub OU with 60 users and I wish to apply a group policy to 55 of the users. I assume the easy way is to deny read permissions to the policy for the handful of employees I do not want the policy to apply to. I have gpmc open and looking under security filtering and can't seem to figure out how to accomplish this. If there is a better method then deny reading of the policy, I'll take the advice.

Thanks.

Tony
RE: [ActiveDir] Deny Read Permissions to Group Policy
Why not just create a sub OU and put the 55 people in there?

To deny rights to apply, you need to be on the Delegation tab and click on Advanced. Add a group and deny them the right to Apply Group Policy.

Deny permissions tend to make things difficult to understand, so I think a better option would be to remove the permission to apply from Authenticated Users and then add that permission to another group.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anthony Crawford
Sent: Wednesday, May 31, 2006 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Deny Read Permissions to Group Policy

I have a sub OU with 60 users and I wish to apply a group policy to 55 of the users. I assume the easy way is to deny read permissions to the policy for the handful of employees I do not want the policy to apply to. I have gpmc open and looking under security filtering and can't seem to figure out how to accomplish this. If there is a better method then deny reading of the policy, I'll take the advice.

Thanks.

Tony
RE: [ActiveDir] Deny Read Permissions to Group Policy
On the Scope tab of the GPO in the GPMC look at the Security Filtering section. The default is to have the policy applied to Authenticated Users.

Probably the easiest option for you is to:
- Create a group and add the 55 users as members.
- Remove Authenticated Users from the Security Filter.
- Add the newly created group to the Security Filter.

You could also use the Deny method, but this is generally not recommended as it is harder to troubleshoot. Also, you can achieve everything you need to without using Deny.

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anthony Crawford
Sent: Thursday, 1 June 2006 9:03 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Deny Read Permissions to Group Policy

I have a sub OU with 60 users and I wish to apply a group policy to 55 of the users. I assume the easy way is to deny read permissions to the policy for the handful of employees I do not want the policy to apply to. I have gpmc open and looking under security filtering and can't seem to figure out how to accomplish this. If there is a better method then deny reading of the policy, I'll take the advice.

Thanks.

Tony
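The three replies above describe three ways to keep a GPO off five of sixty users: deny Read (the original idea), deny Apply Group Policy (Darren), or drop Authenticated Users and allow a group of the 55 (Tony and the second reply). The model below is an added example, not from the thread or from GPMC: it encodes the filtering rule (a GPO applies only when the token holds an Allow for both Read and Apply Group Policy and no Deny for either, with Deny evaluated first as in canonical ACL order) and compares the three options, including the troubleshooting trap the replies warn about. Group and user names are constructed; Authenticated Users is the real default grantee.

```python
"""Model of GPO security filtering: Read + Apply Group Policy, Deny wins."""
from dataclasses import dataclass

READ = "Read"
APPLY = "Apply Group Policy"
AUTH_USERS = "Authenticated Users"


@dataclass(frozen=True)
class Ace:
    principal: str
    allow: bool          # False = Deny ACE
    rights: frozenset


def ace(principal, allow, *rights):
    return Ace(principal, allow, frozenset(rights))


def token_for(user, *groups):
    """Every domain account carries Authenticated Users in its token."""
    return {user, AUTH_USERS, *groups}


def gpo_applies(acl, token):
    """The GPO applies only if, for each of Read and Apply Group Policy, some
    Allow ACE matches the token and no Deny ACE does. Canonical ACL order puts
    explicit Deny before Allow, so a Deny through any group wins."""
    for right in (READ, APPLY):
        hits = [a for a in acl if a.principal in token and right in a.rights]
        if any(not a.allow for a in hits):
            return False
        if not any(a.allow for a in hits):
            return False
    return True


# Default security filtering on a new GPO: Authenticated Users has both rights.
DEFAULT = [ace(AUTH_USERS, True, READ, APPLY)]

# Option 1 (original question): Deny Read to the exempt group.
DENY_READ = DEFAULT + [ace("GPO-Exempt", False, READ)]
# Option 2 (Darren): Deny Apply Group Policy to the exempt group.
DENY_APPLY = DEFAULT + [ace("GPO-Exempt", False, APPLY)]
# Option 3 (Tony / second reply): remove Authenticated Users, allow the 55's group.
ALLOW_GROUP = [ace("GPO-Targets", True, READ, APPLY)]


def outcomes(acl):
    """(one of the 55, one of the 5 exempt, a user in the OU but in neither group)."""
    return (
        gpo_applies(acl, token_for("user01", "GPO-Targets")),
        gpo_applies(acl, token_for("user56", "GPO-Exempt")),
        gpo_applies(acl, token_for("contractor")),
    )


def deny_trap(acl):
    """Why Deny is harder to troubleshoot: granting the GPO later through
    another group (Helpdesk here) cannot override an existing Deny."""
    acl = acl + [ace("Helpdesk", True, READ, APPLY)]
    return gpo_applies(acl, token_for("user57", "GPO-Exempt", "Helpdesk"))


if __name__ == "__main__":
    for name, acl in (("deny read", DENY_READ), ("deny apply", DENY_APPLY), ("allow group", ALLOW_GROUP)):
        print(f"{name:12s} (target, exempt, other) = {outcomes(acl)}  trap applies? {deny_trap(acl)}")
```

The difference that matters shows in the third position of `outcomes`: both Deny options still apply the GPO to anyone else who lands in the OU, while the allow-list only reaches members of the group.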
RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name
Sorry for the somewhat late response. Clear answer Joe, The fact that you need something constant really makes sense and explains a lot.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday 24 May 2006 2:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

Even if it updated itself it would still be stamped in the contents of every message that still exists somewhere within the ORG, either in calendars or in mailboxes. That is the address Exchange uses when you try to update a meeting or respond to a message. You need something constant or else you would lose those connections when say an email address or name changed.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Tuesday, May 23, 2006 4:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

Thank you both very much for the replies and for the clear explanations. I think I will leave the legacyExchangeDN alone then. I was thinking about changing it because part of it refers to an object (Administrative Group) that no longer exists. I am still a bit puzzled why it does not update itself when the Administrative Group a user sits in changes. I will definitely read up on the other conversations about the legacyExchangeDN, sounds interesting. For the time being I will leave it to what it is now. ;-) Thanks again.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday 23 May 2006 6:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

Yep I agree with Steven here. If you really feel you need to change this, stop feeling that way.
;o) It can impact mail delivery when someone tries to respond to a message as well as calendar entry ownership, etc. If you ABSOLUTELY must change the legacyExchangeDN, then search the archives as there are some conversations on this. Basically you will need to move the former legacyExchangeDN into proxyAddresses as an x500 address.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Sunday, May 21, 2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

Victor, At first I was not sure what you were talking about. I've never used this column before (it's not displayed as one of the defaults and I'm used to looking at mailbox enabled accounts via cmdline and now PowerShell), but after looking at ESM what you are really talking about (that most of us may be more familiar with) is the mailbox's legacyExchangeDN attribute (which is called "Full Mailbox Directory Name" in ESM). This attribute does not change when you move mailboxes from one server or administrative group to another, in fact changing this attribute's value will lead to messages that were sent out by the moved mailbox not being replyable.

So in a nutshell, there is absolutely nothing wrong with what you are seeing. It is expected and by design behavior. The legacyExchangeDN is used by Outlook clients (under the hood) to address and submit mail through MAPI. When an Outlook user sends out an email to other internal mailboxes the from address, under the hood, is actually the legacyExchangeDN address (if viewed with a tool like MFCMapi it's the PR_SENDER_EMAIL_ADDRESS).
So if you were to change this value then any messages sent out before the change would become unreplyable (ok, not 100% true, because you could add an X500 address to the user's mailbox-enabled account that matches the old legacyExchangeDN and then the messages would get properly delivered).

Anyways, don't worry about it. There is nothing wrong and I would highly recommend leaving the "full mailbox directory name" alone. It's not that you can't change it, but you'd have to put its old value in as an additional proxy address (of the X500 type) in order for mail to continue to be delivered properly. Don't really know what you'd gain from that in the end. Hope this helps explain it a bit. There is a lot more to it than that naturally, but I think the above summarizes some of the key points about why you would not want to change it.

Best regards,
Steven

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Saturday, May 20, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Exchange] Full Mailbox Directory Name holds wrong Administrative Group name

Still hoping for somebody to think with me on this matter :-( 75% of the mailboxes
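Steven and joe both explain that old messages carry the sender's legacyExchangeDN as their reply address, so a changed value has to survive as an X500 proxy address. The model below is an added example, not Exchange's own resolution code: it resolves a stored EX sender address against a toy directory the way the thread describes (current legacyExchangeDN first, then X500 proxies) and contrasts a naive change with one that keeps the old DN. The organisation name, DNs and addresses are constructed samples.

```python
"""Why a changed legacyExchangeDN must be kept as an X500 proxy address."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Mailbox:
    alias: str
    legacy_dn: str                 # legacyExchangeDN ("Full Mailbox Directory Name" in ESM)
    proxy_addresses: tuple = ()    # e.g. ("SMTP:victor@example.test", "X500:/o=...")


def resolve_ex_address(ex_address, directory):
    """Return the mailbox an EX-type sender address (the legacyExchangeDN
    stamped on the message at send time) resolves to, or None when nothing
    claims it any more, which is the case that yields an unreplyable message."""
    wanted = ex_address.lower()  # legacyExchangeDN comparison is case-insensitive
    for mbx in directory:
        if mbx.legacy_dn.lower() == wanted:
            return mbx
        for proxy in mbx.proxy_addresses:
            kind, _, value = proxy.partition(":")
            if kind.upper() == "X500" and value.lower() == wanted:
                return mbx
    return None


def change_legacy_dn(mbx, new_dn, keep_old_as_x500=True):
    """Re-stamp legacyExchangeDN. With keep_old_as_x500 the previous value is
    carried over as an X500 proxy so addresses on old messages still resolve."""
    proxies = mbx.proxy_addresses
    if keep_old_as_x500:
        proxies = proxies + ("X500:" + mbx.legacy_dn,)
    return replace(mbx, legacy_dn=new_dn, proxy_addresses=proxies)


# Constructed sample: a mailbox whose DN still names a deleted Administrative Group.
OLD_DN = "/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=victor"
NEW_DN = "/o=Contoso/ou=Europe/cn=Recipients/cn=victor"
VICTOR = Mailbox("victor", OLD_DN, ("SMTP:victor@example.test",))
# PR_SENDER_EMAIL_ADDRESS as stamped on a message Victor sent before any change.
OLD_MESSAGE_SENDER = OLD_DN


def demo():
    """Who the old message's sender resolves to: (unchanged, naive change, safe change)."""
    before = [VICTOR]
    naive = [change_legacy_dn(VICTOR, NEW_DN, keep_old_as_x500=False)]
    safe = [change_legacy_dn(VICTOR, NEW_DN)]
    found = (resolve_ex_address(OLD_MESSAGE_SENDER, d) for d in (before, naive, safe))
    return tuple(m.alias if m else None for m in found)


if __name__ == "__main__":
    print(demo())
```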
RE: [ActiveDir] How To Determine What GC a Server is Using?
6) I write and use scripts all of the time. Mostly all perl that leverage joeware tools, usually I am wrapping up adfind in this that or the other script. In a very rare case I will write some _vbscript_.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 31, 2006 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How To Determine What GC a Server is Using?

That's golden joe. You certainly gave a very detailed taste of what it looks like in a real-world environment. Couple of thoughts might also be warranted here:
1) If you're not monitoring GC performance and you're running Exchange, think again.
2) Size doesn't matter; what I mean by that is that the size of your organization is not as important as the volume of messages and the size of the GAL - it's all how you use it (-;
3) memory - always a good thing to have
4) you may notice that there's an excellent troubleshooting guide for Exchange performance that talks about GC interaction and some things to look for. Best to have a look in addition to this.
5) 64 bit + memory can be a nice thing
6) joe wrote a script and admitted it? AND used it? I'm floored. :)

Exchange 12 fixes what? Are you repeating that something's fixed in the next version of an office server? Hmm... Maybe I'm just getting old and jaded, but I feel like I've heard a vendor say, "oh, that's fixed in the next version" a few times before. I'm still waiting patiently for the ability to change the overquota message. And no, the kb that describes how to do this is not acceptable in case you're wondering. I shouldn't have to write code or write a service to make this type of functionality work. It's a message in the DLL for crying out loud. Read it from somewhere else and let it be changeable (it's been asked for by companies since before Exchange 4.0 even released; it was promised as a fix for just about every version of Exchange release since and never REALLY made it.
Instead there's a variation on changing the mdbsz.dll called writing a service. Hmm... I'll wait to see what makes it into the final product when it comes to fixes [1] /rant) http://msexchangeteam.com/archive/2004/04/20/117024.aspxis the reference to it at the moment. I'm sure there's updates somewhere on the net. [1] Bonus question: anyone know what the difference between beta, RC and GA code is? On 5/30/06, joe [EMAIL PROTECTED] wrote: Unfortunately this is something I have had more than desired experience in.The "official" way to get the current GCs/DCs being used by Exchange is the ESM Directory Access Tab for a given Exchange Server. This leverages theExchange_DSAccessDC WMI provider. Unfortunately this mechanism has a rathernasty bug in it that I found and have been "debating" with MSFT with since last summer[1]. Basically you can't trust the information you are being toldunless you have just stopped and restarted the Exchange Management Service(MSExchangeMGMT). As I believe I mentioned before I heard two main things 1. WMI was never intended to be used for monitoring Windows machines andservices.2. This is all fixed in Exchange 12.I am not sure, but I don't think everyone in MSFT feels that #1 is accuratethough that is the response that came from the Exchange Dev and Exchange PSS folks.So the other mechanism that is available is to crank you your DSACCESSevents and scrape out the associated events from the log. However, thiswon't tell you what is being used, simply what has been detected and is valid for use.So that leaves as the only true mechanism either using netstat or networksniffing to work out what GCs are currently in use.My recommendation to folks who are having issues with Exchange reporting GCs as failing is to set up a script that calls out to the GCs in a site on aregular basis and queries them and checks the response time. 
Response timesshould be low, preferably subsecond but depending on the quality of the script, may not be able to see anything below a couple of seconds due toscript interpretation or firing up the connection etc. However, if you areseeing 4 servers reporting a 2 second delay and one reporting 7 second delays... There you go, that is a good candidate to check out. I havesuccessfully used that to track down several issues with GCs.If you just want to get into the real troubleshooting, the first thing Ilook at when I hear that Exchange GCs are supposedly causing problems is tolook at the disk counters, primarily I look at at the disk queues for theDIT file and the read operations. Exchange tends to really push AD to the limit for disk read access and a GC that normally looks fine and actuallyworks fine for 99% of the apps could crumple under Exchange load. Keep inmind that you will not normally catch a problem in a GC by using LDP or ADUC to see how long it takes to pull up an object.
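Two of the mechanisms joe describes, netstat to see which GCs a server is actually talking to and a periodic response-time probe that flags the odd server out, written up as an added Python example; this is not code from the post or from joeware. The netstat text, the 10.0.0.x addresses and the timings are constructed for the example, and the TCP connect to port 3268 is my stand-in for the LDAP query joe's script would make.

```python
"""Added example: which GCs are in use (netstat) and which GC is slow (probe)."""
import re
import socket
import statistics
import time
from typing import Callable, Dict, List

GC_LDAP_PORT = 3268  # Global Catalog LDAP port (3269 is GC over SSL)

# Constructed sample of `netstat -n` output on an Exchange server.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:1432          10.0.0.21:3268         ESTABLISHED
  TCP    10.0.0.5:1433          10.0.0.21:3268         ESTABLISHED
  TCP    10.0.0.5:1500          10.0.0.22:389          ESTABLISHED
  TCP    10.0.0.5:1601          10.0.0.23:3268         ESTABLISHED
  TCP    10.0.0.5:1602          10.0.0.23:3269         TIME_WAIT
"""

_NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+\S+\s+(?P<host>[\d.]+):(?P<port>\d+)\s+(?P<state>\S+)")


def gcs_in_use(netstat_text: str) -> Dict[str, int]:
    """Return {gc_address: established_connection_count} for every remote
    endpoint this host holds an ESTABLISHED session to on the GC port.
    This is the 'only true mechanism' in the post: it shows which GCs are
    actually in use, not merely which ones DSAccess detected."""
    counts: Dict[str, int] = {}
    for line in netstat_text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m or m.group("state") != "ESTABLISHED":
            continue
        if int(m.group("port")) != GC_LDAP_PORT:
            continue
        counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


def tcp_probe(host: str, timeout: float = 5.0) -> float:
    """Default probe (assumption): time a TCP connect to the GC port. A real
    check would bind and run a query; a connect is the cheapest stdlib-only
    proxy and still exposes a GC that has stopped answering."""
    start = time.perf_counter()
    with socket.create_connection((host, GC_LDAP_PORT), timeout=timeout):
        pass
    return time.perf_counter() - start


def slow_gcs(hosts: List[str],
             probe: Callable[[str], float] = tcp_probe,
             ratio: float = 2.0) -> Dict[str, float]:
    """Probe every GC and return those whose response time is more than
    `ratio` times the median of the set (the '4 at 2 seconds, one at 7
    seconds' heuristic). A probe that raises is recorded as inf so an
    unreachable GC is always flagged."""
    timings: Dict[str, float] = {}
    for host in hosts:
        try:
            timings[host] = probe(host)
        except OSError:
            timings[host] = float("inf")
    finite = [t for t in timings.values() if t != float("inf")]
    if not finite:
        return timings
    baseline = statistics.median(finite)
    return {h: t for h, t in timings.items() if t > baseline * ratio}


if __name__ == "__main__":
    print("GCs in use:", gcs_in_use(SAMPLE_NETSTAT))
    # Constructed timings standing in for real probes of five GCs.
    fake = {"gc1": 2.0, "gc2": 2.1, "gc3": 1.9, "gc4": 2.0, "gc5": 7.0}
    print("Slow GCs:", slow_gcs(list(fake), probe=fake.__getitem__))
```

Run on a real server, `slow_gcs(["gc1.example", ...])` uses the TCP probe; pass your own `probe` callable if you want an actual LDAP query timed instead.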
RE: [ActiveDir] How To Determine What GC a Server is Using?
Yeah I "chatted" with the EHLO blog guys over the whole MONAD thing in their comments. From what it sounded like, they still forget that people run more than one Exchange Server on a single Gbit subnet so assume unlimited bandwidth between the management stations and the Exchange Servers. The SBS people should be thrilled to death. Folks doing work with very large orgs or over very slow lines may not be as thrilled with the architecture they described. Though probably most won't understand the issues because they expect Exchange to be slow. That expectation is actually useful in customer sites... Things can run incorrectly for a long time and people just expect that that is the way Exchange is supposed to run. They don't complain until it out and out breaks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, May 31, 2006 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How To Determine What GC a Server is Using?

WMI is deprecated in E12. EMS (the Exchange Management Shell, today's official name for the Exchange version of PowerShell/Monad) gives one access to lots and lots of information. So does the next version of mumble. Further this deponent sayeth not, not being exactly clear which version of my NDAs apply (having signed 4, so far, around E12).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 31, 2006 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How To Determine What GC a Server is Using?

That's golden joe. You certainly gave a very detailed taste of what it looks like in a real-world environment. Couple of thoughts might also be warranted here:

1) If you're not monitoring GC performance and you're running Exchange, think again.
RE: [ActiveDir] tokenGroups field
Does this rate as cooler?

((objectCategory=)(systemFlags:1.2.840.113556.1.4.803:=2))

In adfind, you would do something like

adfind -config -rb cn=partitions -bit -f (objectcategory=crossRef)(systemflags:AND:=2) -flagdc ncname systemflags

F:\DEV\cpp\MemberOf>adfind -config -rb cn=partitions -bit -f (objectcategory=crossRef)(systemflags:AND:=2) -flagdc ncname systemflags

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Transformed Filter: (objectcategory=crossRef)(systemflags:1.2.840.113556.1.4.803:=2)

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: cn=partitions,CN=Configuration,DC=joe,DC=com

dn:CN=JOE,CN=Partitions,CN=Configuration,DC=joe,DC=com
nCName: DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]

dn:CN=CHILD1,CN=Partitions,CN=Configuration,DC=joe,DC=com
nCName: DC=child1,DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]

2 Objects returned

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, May 31, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks Joe, That's a little bit further than I want to go ;-)

I wrote a GetMemberShip( DirectoryEntry ) method that finds all the domains in the forest and then connects to a GC in each and grabs tokenGroups for each and combines them into one string[] That seems to work fine ( until the day when we have a large number of domains :-o ).

Speaking of enumerating the domains in the forest, I'm enumerating the domains by connecting to:

CN=Partitions,CN=Configuration,DC=forestroot,DC=net

Then I throw away the schema, config, and DNS partitions. That seems to work fine until the day we start using application partitions in which case I will have no way of distinguishing a security enabled partition from the application partition. Is there a cooler way to enumerate the domain partitions in a forest?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

The membership of groups is handled in a special way. Although the member attribute is marked for PAS inclusion only UG membership is replicated outside of a domain to all GCs. If you aren't worried about token creation for Windows security and instead just want to have full membership of a user in a single query you have two options that I can think of

1. Consolidate the group membership into another store, say ADAM or SQL Server.
2. Create another linked attribute pair that you apply to users and groups like member/memberof that is set for PAS inclusion. When you set the member attribute you set the additional attribute which will replicate to all GCs because the directory doesn't have any special rules for your custom attribute. If you go that far, I would also set that new attribute to be saved on tombstone as well. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks, that's pretty much what I figured. So this is of low importance, but why wouldn't any GC in the forest be able to provide me with the local groups for all of the domains? Why do I have to hit a GC in every domain? As I understand it the GC replicates the data from each domain that is marked for the partial attribute set. Like I said, really low importance, I'm just curious.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Your token only contains groups that are valid locally. So if you log onto a workstation that is part of a forest, your token on the workstation will contain Universal groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine. Take a look at whoami /groups or sectok to see your interactive token. Now if you connect to a remote machine, you will get the groups that have value there on your token on that remote machine. This is easiest to see with ADAM, connect to an ADAM instance and pull the rootdse attribute tokengroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Yep your examples are helpful, that's what I'm using :-) It looks like hitting a GC for each domain in the forest is the way to go in order to get the local group membership from other
RE: [ActiveDir] tokenGroups field
If you are interested in doing this over LDAP, you are on the right track. One way is to look for crossRefs in that container like you are, but only look for those with flag FLAG_CR_NTDS_DOMAIN set in systemFlags. You'll find that config and schema don't have this set, nor do arbitrary app partitions, but domains do.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, May 31, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks Joe, That's a little bit further than I want to go ;-)

I wrote a GetMemberShip( DirectoryEntry ) method that finds all the domains in the forest and then connects to a GC in each and grabs tokenGroups for each and combines them into one string[] That seems to work fine ( until the day when we have a large number of domains :-o ).

Speaking of enumerating the domains in the forest, I'm enumerating the domains by connecting to:

CN=Partitions,CN=Configuration,DC=forestroot,DC=net

Then I throw away the schema, config, and DNS partitions. That seems to work fine until the day we start using application partitions in which case I will have no way of distinguishing a security enabled partition from the application partition. Is there a cooler way to enumerate the domain partitions in a forest?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

The membership of groups is handled in a special way. Although the member attribute is marked for PAS inclusion only UG membership is replicated outside of a domain to all GCs. If you aren't worried about token creation for Windows security and instead just want to have full membership of a user in a single query you have two options that I can think of

1. Consolidate the group membership into another store, say ADAM or SQL Server.
2. Create another linked attribute pair that you apply to users and groups like member/memberof that is set for PAS inclusion. When you set the member attribute you set the additional attribute which will replicate to all GCs because the directory doesn't have any special rules for your custom attribute. If you go that far, I would also set that new attribute to be saved on tombstone as well. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks, that's pretty much what I figured. So this is of low importance, but why wouldn't any GC in the forest be able to provide me with the local groups for all of the domains? Why do I have to hit a GC in every domain? As I understand it the GC replicates the data from each domain that is marked for the partial attribute set. Like I said, really low importance, I'm just curious.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Your token only contains groups that are valid locally. So if you log onto a workstation that is part of a forest, your token on the workstation will contain Universal groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine. Take a look at whoami /groups or sectok to see your interactive token. Now if you connect to a remote machine, you will get the groups that have value there on your token on that remote machine. This is easiest to see with ADAM, connect to an ADAM instance and pull the rootdse attribute tokengroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Yep your examples are helpful, that's what I'm using :-) It looks like hitting a GC for each domain in the forest is the way to go in order to get the local group membership from other domains. So just out of curiosity, when Windows builds your token, does it include the local groups from other domains? Or does it add them when you try to access a resource that is protected by the foreign group?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Sunday, May 28, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field

I've been checked out of the group here for a few weeks and just poked back in. I think Dmitri summed things up quite well. I'll just add that ADSI and S.DS don't do anything interesting
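Eric's crossRef/systemFlags test and the per-domain tokenGroups merge Joseph describes, as an added Python example that is neither the list's nor joeware's code. The crossRef records and the SIDs are constructed; the FLAG_CR_* names and bit values are the MS-ADTS constants for systemFlags on crossRef objects (adfind prints the first two as XREF_NC_NTDS and XREF_NC_Domain); `query_tokengroups` is a stand-in for the LDAP read against a GC of each domain, and the per-domain answers it returns are modelled on joe's description of which groups are valid where, not on a capture.

```python
"""Added example: enumerate domain NCs via crossRef systemFlags, then merge tokenGroups per domain."""
from typing import Callable, Dict, Iterable, List, Set

# systemFlags bits on crossRef objects (MS-ADTS names).
FLAG_CR_NTDS_NC = 0x1                 # NC is hosted by AD DS
FLAG_CR_NTDS_DOMAIN = 0x2             # NC is a domain: the bit Eric says to test
FLAG_CR_NTDS_NOT_GC_REPLICATED = 0x4  # application partition, not in the GC

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def domain_partition_filter() -> str:
    """Server-side version of the test, for a one-level search under
    cn=Partitions,cn=Configuration,<forest root DN>."""
    return ("(&(objectCategory=crossRef)"
            f"(systemFlags:{LDAP_MATCHING_RULE_BIT_AND}:={FLAG_CR_NTDS_DOMAIN}))")


def decode_system_flags(value: int) -> List[str]:
    """Names of the set bits, lowest bit first."""
    bits = ((FLAG_CR_NTDS_NC, "FLAG_CR_NTDS_NC"),
            (FLAG_CR_NTDS_DOMAIN, "FLAG_CR_NTDS_DOMAIN"),
            (FLAG_CR_NTDS_NOT_GC_REPLICATED, "FLAG_CR_NTDS_NOT_GC_REPLICATED"))
    return [name for bit, name in bits if value & bit]


def domain_ncs(cross_refs: Iterable[Dict[str, object]]) -> List[str]:
    """Client-side version of the same test: nCName of every crossRef with
    FLAG_CR_NTDS_DOMAIN set. Schema, Configuration and application
    partitions (the DNS zones included) do not carry that bit."""
    return [str(cr["nCName"]) for cr in cross_refs
            if int(cr["systemFlags"]) & FLAG_CR_NTDS_DOMAIN]


# Constructed crossRef records for a two-domain forest plus the two DNS
# application partitions. The two domain rows mirror what adfind printed.
SAMPLE_CROSSREFS: List[Dict[str, object]] = [
    {"cn": "Enterprise Configuration", "nCName": "CN=Configuration,DC=joe,DC=com", "systemFlags": 1},
    {"cn": "Enterprise Schema", "nCName": "CN=Schema,CN=Configuration,DC=joe,DC=com", "systemFlags": 1},
    {"cn": "JOE", "nCName": "DC=joe,DC=com", "systemFlags": 3},
    {"cn": "CHILD1", "nCName": "DC=child1,DC=joe,DC=com", "systemFlags": 3},
    {"cn": "constructed-guid-1", "nCName": "DC=ForestDnsZones,DC=joe,DC=com", "systemFlags": 5},
    {"cn": "constructed-guid-2", "nCName": "DC=DomainDnsZones,DC=joe,DC=com", "systemFlags": 5},
]

# Constructed tokenGroups answers for one joe.com user, one per domain GC.
# Only the universal group is returned by both; the account domain's global
# group and each domain's own domain local group come back only from a GC
# of that domain. That is why one GC does not give the whole picture.
SAMPLE_TOKENGROUPS: Dict[str, Set[str]] = {
    "DC=joe,DC=com": {
        "S-1-5-21-1-1-1-513",    # global group in the account domain
        "S-1-5-21-1-1-1-1105",   # universal group
        "S-1-5-21-1-1-1-2001",   # domain local group in joe.com
    },
    "DC=child1,DC=joe,DC=com": {
        "S-1-5-21-1-1-1-1105",   # the same universal group
        "S-1-5-21-2-2-2-1300",   # domain local group in child1
    },
}


def forest_wide_membership(cross_refs: Iterable[Dict[str, object]],
                           query_tokengroups: Callable[[str], Iterable[str]]) -> Set[str]:
    """Joseph's GetMemberShip in outline: one tokenGroups query per domain
    NC, merged into a set so a SID seen from several GCs counts once.
    query_tokengroups(nc_name) stands in for the LDAP read against a GC."""
    sids: Set[str] = set()
    for nc in domain_ncs(cross_refs):
        sids |= set(query_tokengroups(nc))
    return sids


if __name__ == "__main__":
    print(domain_partition_filter())
    for cr in SAMPLE_CROSSREFS:
        print(cr["nCName"], decode_system_flags(int(cr["systemFlags"])))
    print(sorted(forest_wide_membership(SAMPLE_CROSSREFS, SAMPLE_TOKENGROUPS.__getitem__)))
```

Against a live forest you would run `domain_partition_filter()` as a one-level search under the Partitions container and feed the returned entries to `forest_wide_membership`, with `query_tokengroups` doing a base-scope read of tokenGroups on the user's DN at a GC (port 3268) of each domain.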
RE: Re: [ActiveDir][OT] New DC can't find the machine account
Hey I like that pic, that is why I posted it. :) See how observant Brett is?? I actually sat down and had a burger and a drink with him and he didn't catch my last name

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 31, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: OT: Re: [ActiveDir] New DC can't find the machine account

Next time you operate that garage door, check the pass. joe is not the same as "McNichols, Joe" Need a picture? https://mvp.support.microsoft.com/profile= for the link [1]

[1] sorry joe, couldn't help it. I still crack up when I see the pic.

On 5/31/06, Brett Shirley [EMAIL PROTECTED] wrote:

Is this joe joe or joe someone else? It occurred to me, I've NEVER seen joejoe's last name ...

-B

On Wed, 31 May 2006, McNicholas, Joe wrote:

off the top of my head Is DFS running?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: 31 May 2006 14:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New DC can't find the machine account

Hi, I have a Windows 2000 based AD (empty root with 1 child domain) that I'm in the process of upgrading to w2003r2 as a test for our production domain (same configuration). The adprep went fine as well as the dcpromo of the new DC. However when the new DC reboots I get the following messages in the application log:

EVENT TYPE Error
SOURCE Userenv
EVENT ID 1097
Windows cannot find the machine account, The Local Security Authority cannot be contacted.

and

EVENT TYPE Error
SOURCE Userenv
EVENT ID 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Neither system has these messages when they were simple servers in the domain. They were rebooted several times before becoming DCs to make sure the event logs were clean. They seem to be functioning as DCs. File replication with the original w2k dc took a long time to start up. I added a second w2k3 r2 DC and it is showing the exact same messages. Both machines were created from the same sysprep image - the machine that was built as the basis for the sysprep image was never in the domain.

I've been searching Microsoft and came up with one or two applicable docs. One said to make sure that services like netlogon were set to automatic (it is). Another had settings for enabling debug on the netlogon service which I implemented. All that I see in there is netlogon pausing.

Any ideas?

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] AD lag sites and replication
You can look at the ACLs on your NC Head objects to see who can do what, but last I checked, it didn't even take domain admins to force replication, a normal administrator account could do it. Anyway, an admin or a domain admin could always escalate to enterprise admin if they needed it. In my mind, anyone who has any of those admin IDs is an Enterprise Admin in my head. In fact even if they have Acc Op or Srv Op they are practically EAs.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Wednesday, May 31, 2006 3:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Joe, I thought (and its a long time since I looked) that you needed to be an enterprise admin to force replication in AD Sites and Services... You can force replication in the domain context in replmon. I guess that this begs another question

1. Are you trying to stop replication in all replication contexts?

Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 31 May 2006 00:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

I am confused by your #2. Are you saying that admins can't force replication outside of the normal replication periods?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Tuesday, May 30, 2006 6:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Neil,

1) If you start setting firewall rules then I am pretty sure you will break things as you will block urgent replication. What happens if some one changes their password and then goes to the home site? What about group membership changes? Do you really want to wait two days before you update these?
2) I don't think that "normal admins" can trigger unscheduled replication changes. Certainly I am a Domain Admin and I can't trigger replication changes on our infrastructure, but it is Windows/2000
3) IMHO you would be better worrying about getting things to replicate when they are supposed to rather than things replicating when they shouldn't

Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 11:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Hi Neil, I'd still go for a firewall with scheduled rules. IMHO there's no such thing as "locked down replication schedules" - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag sites DC.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Thanks Ulf. I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'over ride' it. I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 09:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, bit more painful if you have to do it from the DC itself since you don't have any remote access when the nic is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface). Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times. As long as you don't exceed the tombstone-lifetime I don't see any reasons why this should not be supported since we are just talking about lag-sites without any memberservers / clients / users who log onto those DCs.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, with staggered
RE: [ActiveDir] Machine Psswd Age
Probably more than you ever wanted to know about machine account password changes.

No not at all, all of the technical detail you can share is always good Steve. Thanks!

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, May 30, 2006 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Just to add some additional detail. The machine account password is actually changed every 30 days plus a random offset of up to 24 hours so ~31 days as a maximum by default with Windows 2000 and later OSes. This is done by the netlogon service on the client and there is a scavenger thread that wakes up and performs the reset once this threshold is met. If it cannot reach a Domain Controller it will go back to sleep and wake up every 15 minutes to try and reset the password. You can see this behavior by turning up netlogon debug logging and see the following output:

Success:
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)

Failure:
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e c05e ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)

Random Offset:
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)

Since the value is in milliseconds when converting this you will see in the random offset case the value is really ~30.56 days where the one in success is exactly 30 days. Probably more than you ever wanted to know about machine account password changes.

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Sunday, May 28, 2006 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Hmm - I can not find where I got this information from. The KB about disablePasswordChange has not been updated pretty long (still stated only NT in the early WS2k3 days). The following page even states that the NT4 Workstation changes the password every 3 days, and retries after another 3 days: http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true However I stand corrected - need to update my brains cache from google more often - too bad brains don't support TTL of websites.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 24, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

I agree with Bob. Seven days pre-W2K, 30 days for W2K and better. I have never seen a machine change its password at the 50% age and I have looked at this quite a bit for various[1] reasons.

joe

[1] OldCmp being one of them...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, May 24, 2006 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

The default was 7 days for NT, increased to 30 in W2K and above. See http://support.microsoft.com/kb/154501/ or q175468 or any of the old domain sizing docs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, May 24, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

AFAIK the password change interval is set to 30 in XP (15 in NT, W2k), but the computer accounts starts to request renewal after 50% of the time is over. After 30 days it'll change it if being logged onto the domain for sure (unless otherwise configured or connected).

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
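The netlogon.log lines Steve quoted, run through a small parser, as an added Python example that is not part of his post: it separates a successful machine password change from a failed attempt, converts the NlWksScavenger value from milliseconds, and checks that the next run after a success lands in the 30-to-31-day window he describes. The log text is re-typed from the post; the 30-day default and 24-hour offset are his figures, nothing else is assumed.

```python
"""Added example: read machine password change attempts out of netlogon.log."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MS_PER_MINUTE = 60_000
MS_PER_DAY = 86_400_000
DEFAULT_MAX_AGE_DAYS = 30    # MaximumPasswordAge default, Windows 2000 and later
MAX_RANDOM_OFFSET_DAYS = 1   # plus up to 24 hours, so ~31 days at most

# Re-typed from Steve's post (netlogon.log with debug logging turned up).
SAMPLE_LOG = """\
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e c05e ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)
"""

_SCAVENGER = re.compile(r"NlWksScavenger: Can be called again in .*\((0x[0-9a-fA-F]+)\)")
_EVENTLOG = re.compile(r"Eventlog: (\d+) ")


def scavenger_interval_ms(line: str) -> Optional[int]:
    """The hex value in parentheses is the sleep interval in milliseconds."""
    m = _SCAVENGER.search(line)
    return int(m.group(1), 16) if m else None


def ms_to_days(ms: int) -> float:
    return ms / MS_PER_DAY


def describe_interval(ms: int) -> str:
    if ms >= MS_PER_DAY:
        return f"{ms_to_days(ms):.2f} days"
    return f"{ms / MS_PER_MINUTE:.0f} minutes"


def next_run_is_plausible(ms: int) -> bool:
    """Success case: 30 days plus a random offset of at most 24 hours."""
    days = ms_to_days(ms)
    return DEFAULT_MAX_AGE_DAYS <= days <= DEFAULT_MAX_AGE_DAYS + MAX_RANDOM_OFFSET_DAYS


@dataclass
class PasswordChangeAttempt:
    started: str                          # "MM/DD HH:MM:SS" of the "Doing it." line
    succeeded: bool = False
    next_run_ms: Optional[int] = None
    event_ids: List[int] = field(default_factory=list)


def password_change_attempts(log: str) -> List[PasswordChangeAttempt]:
    """Group lines into attempts, each opened by 'NlChangePassword: Doing it.'
    and closed by the NlWksScavenger line that says when netlogon retries.
    'Flag password updated on PDC' marks success; an Eventlog line (5719
    here) records the failure the client raised on the way."""
    attempts: List[PasswordChangeAttempt] = []
    current: Optional[PasswordChangeAttempt] = None
    for line in log.splitlines():
        if "NlChangePassword: Doing it." in line:
            current = PasswordChangeAttempt(started=line[:14])
            attempts.append(current)
            continue
        if current is None:
            continue
        if "Flag password updated on PDC" in line:
            current.succeeded = True
        elif (ev := _EVENTLOG.search(line)):
            current.event_ids.append(int(ev.group(1)))
        elif (ms := scavenger_interval_ms(line)) is not None:
            current.next_run_ms = ms
            current = None
    return attempts


def scavenger_intervals(log: str) -> List[Tuple[str, int]]:
    """Every scavenger sleep in the log, as (timestamp, milliseconds)."""
    return [(line[:14], ms) for line in log.splitlines()
            if (ms := scavenger_interval_ms(line)) is not None]


if __name__ == "__main__":
    for a in password_change_attempts(SAMPLE_LOG):
        state = "succeeded" if a.succeeded else f"failed (events {a.event_ids})"
        print(f"{a.started}: {state}; next try in {describe_interval(a.next_run_ms)}")
    for ts, ms in scavenger_intervals(SAMPLE_LOG):
        print(f"{ts}: {ms} ms = {describe_interval(ms)}, in window: {next_run_is_plausible(ms)}")
```

The same parser run over a full netlogon.log gives you one row per attempt, so a client that keeps logging 15-minute retries (no DC reachable) stands out from one that is simply waiting out its 30 days.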
RE: [ActiveDir] AD, LDAP, and VB Script
Sorry for the delayed response. Yes, all of my tools are written with Borland Builder C++ Pro, mostly version 5.0 but I am slowly converting to version 6.0. While I don't do it much, I find the RAD dev environment for unmanaged C++ completely missing in VS... mostly because it is. For some stupid reason MSFT only gives RAD GUI dev if you want to do NET and I am not even close to doing that. The funny thing is that Borland has been doing it for over 10 years. They took what MSFT did with VB and applied it to Object Pascal (Delphi) and C++ (Borland Builder C++). Ditto for making services. It doesn't make sense for me to use VS for non-GUI and BBC++PRO 6.0 for the GUI. Might as well use one that does both and doesn't require NET. If I want to do NET though BBC++PRO 6.0 supports that as well. I would love to use VS as it would save me considerable money but I don't see them getting off the NET bandwagon until they just start getting wailed on for some reason or another. Not that I hate .NET mind you, I just don't like it for me and I have received too many emails from people telling me they would not like my tools as much and possibly stop using them if they were written in .NET. People like the idea that they can pick up one of my exes and just run it on pretty much any Windows machine without worrying if the proper framework components are in place.

As for the book recommendations I recommend two... The one in my signature below and the Active Directory CookBook.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Thursday, May 25, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD, LDAP, and VBScript

Dear group, Can anyone recommend books or references regarding querying AD via LDAP using VBScript? I am a native C++ and JAVA programmer and am very interested in learning how one goes about doing that.

Joe, your set of tools from joeware - very handy set of tools thank you - were they written in C, C++? If so, do you use Borland or Studio.net to write and compile them?

Thank you,
-Shariff
RE: [ActiveDir] Reanimate or Authoritatively Restore objects
It depends on what info you have captured for the objects, what info is scrubbed in the tombstone, and how you personally feel about it. I personally prefer to reanimate objects over restoring them. When you do a restore there is always a possibility you can hurt yourself pretty bad. Reanimation is much less dangerous but if the info isn't there and you don't know what to populate manually and you need the old info, you don't have a lot of choice. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras Sent: Thursday, May 25, 2006 12:08 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Reanimate or Authoritatively Restore objects In reference to the following KB article: http://support.microsoft.com/kb/840001/ In a Domain and Forest that is at a 2003 functional level, is it better to reanimate objects from the deleted items container or authoritatively restore them?
RE: [ActiveDir] max password age where else to look?
:o) I can imagine. Something I like to recommend to folks is to monitor password changes. Depending on how big you are you may even want to do it daily. It is a great way to keep an eye open for various issues. For instance if passwords aren't being changed in the normal periods at the normal rates, your policy may not be working. If more than usual are being changed then possibly you have some DC issues. You will even be able to graph out the password changes and possibly find interesting trends. Oh, to go along with this, I recommend a password age of 91 days for the obvious reasons... Actually I always recommend that over 90 days. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley Sent: Thursday, May 25, 2006 11:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] max password age where else to look? That was it, the policy needed to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of users needed to change their password cause they had expired! Thanks all "joe" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 05/24/2006 10:41 PM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] max password age where else to look? Yeah double-check the value you are getting back from MaxPasswordAge, if zero, check out maxPwdAge attribute on the NC Head, possibly your policy isn't being applied properly. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, May 24, 2006 4:47 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] max password age where else to look? What do you get if just before this: If intMaxPwdAge < 0 Then WScript.Echo "The Maximum Password Age is set to 0 in the " _ "domain. Therefore, the password does not expire." you echo the intMaxPwdAge value?
I'm wondering if you're not pulling back the max password age value correctly either through a misspelling or some other error prevents you from getting the value. Having used that method before, I can tell you it does work in a Windows 2000 environment and a Windows 2003 environment. Native, DFL, etc. If that doesn't work, do you get the same results with this script? http://support.microsoft.com/default.aspx?scid=kb;en-us;323750 On 5/24/06, Douglas W Stelley [EMAIL PROTECTED] wrote: In this domain, in the default domain policy the Max Password Age is set to 90, however when I look for when the password will change using the below sample script I always get the answer "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." The rest of the possibilities below do work, just the password age doesn't. This is a Win2K Active Directory. I need to expire all passwords on a specific date, but before I do that I need to ensure the system will continue expiring them by age. What might I be doing wrong? Thanks

Const SEC_IN_DAY = 86400
' userAccountControl bit 0x10000: password never expires
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objUserLDAP = GetObject _
    ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")

If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
    Wscript.Echo "The password does not expire."
Else
    dtmValue = objUserLDAP.PasswordLastChanged
    Wscript.Echo "The password was last changed on " & _
        DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
        "The difference between when the password was last set" & _
        " and today is " & Int(Now - dtmValue) & " days"
    intTimeInterval = Int(Now - dtmValue)

    ' WinNT provider returns MaxPasswordAge in seconds
    Set objDomainNT = GetObject("WinNT://fabrikam")
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")

    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."
    Else
        intMaxPwdAge = (intMaxPwdAge / SEC_IN_DAY)
        Wscript.Echo "The maximum password age is " & intMaxPwdAge & " days"
        If intTimeInterval >= intMaxPwdAge Then
            Wscript.Echo "The password has expired."
        Else
            Wscript.Echo "The password will expire on " & _
                DateValue(dtmValue + intMaxPwdAge) & " (" & _
                Int((dtmValue + intMaxPwdAge) - Now) & " days from today" & ")."
        End If
    End If
End If
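The thread's fix was on the policy side, but two things it touches are worth having in working form: reading maxPwdAge from the domain NC head over LDAP (the attribute joe says to check when the WinNT provider's MaxPasswordAge comes back 0) and the daily password-change monitoring joe recommends. The following is an added example written for this page, not code from the thread or the KB article. It assumes a domain-joined machine and an account that can read the domain NC; the domain DN comes from RootDSE, nothing is hard-coded.

```powershell
# Added example (not from the thread). maxPwdAge on the NC head is a negative
# count of 100-ns intervals; 0 or 0x8000000000000000 means "no maximum".
# Assumptions: domain-joined host, read access to the domain NC.
Add-Type -AssemblyName System.DirectoryServices

$TicksPerDay  = [int64]864000000000   # 100-ns intervals in one day
$NeverExpires = [int64]::MinValue     # 0x8000000000000000 = policy "maximum password age: 0"

function Get-DomainNc {
    ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'][0]
}

function Get-DomainMaxPwdAgeDays {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$(Get-DomainNc)")
    $s.SearchScope = 'Base'
    $s.Filter = '(objectClass=*)'
    [void]$s.PropertiesToLoad.Add('maxPwdAge')
    [int64]$raw = $s.FindOne().Properties['maxpwdage'][0]
    if ($raw -eq 0 -or $raw -eq $NeverExpires) { return $null }   # no maximum age
    return [math]::Abs($raw) / $TicksPerDay
}

function Get-PasswordExpiryReport {
    param([int]$WarnDays = 14)
    $maxAgeDays = Get-DomainMaxPwdAgeDays
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$(Get-DomainNc)")
    # Enabled user accounts only: userAccountControl bit 2 is ACCOUNTDISABLE.
    $s.Filter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $s.PageSize = 1000
    foreach ($p in 'sAMAccountName','pwdLastSet','userAccountControl') { [void]$s.PropertiesToLoad.Add($p) }
    $now = [DateTime]::UtcNow
    foreach ($r in $s.FindAll()) {
        $sam = $r.Properties['samaccountname'][0]
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        $pls = [int64]0
        if ($r.Properties['pwdlastset'].Count -gt 0) { $pls = [int64]$r.Properties['pwdlastset'][0] }
        $lastSet = $null; $expires = $null
        if ($uac -band 0x10000) {                                  # ADS_UF_DONT_EXPIRE_PASSWD
            $state = 'never expires (DONT_EXPIRE_PASSWD)'
        } elseif ($pls -eq 0) {                                    # pwdLastSet 0 = must change at next logon
            $state = 'must change at next logon'
        } else {
            $lastSet = [DateTime]::FromFileTimeUtc($pls)
            if ($null -eq $maxAgeDays) {
                $state = 'never expires (domain has no maximum age)'
            } else {
                $expires = $lastSet.AddDays($maxAgeDays)
                if ($expires -le $now)                        { $state = 'expired' }
                elseif ($expires -le $now.AddDays($WarnDays)) { $state = 'expiring soon' }
                else                                          { $state = 'ok' }
            }
        }
        [pscustomobject]@{ User = $sam; LastSet = $lastSet; Expires = $expires; State = $state }
    }
}

function Get-PasswordChangeHistogram {
    param([int]$Days = 30)
    # Password sets per UTC day. With a 90-day maximum you expect a steady trickle;
    # a flat line means the policy is not biting, a spike means something (a DC, a
    # script) reset a lot of passwords at once.
    $cutoff = [DateTime]::UtcNow.AddDays(-$Days)
    Get-PasswordExpiryReport |
        Where-Object { $_.LastSet -and $_.LastSet -ge $cutoff } |
        Group-Object { $_.LastSet.ToString('yyyy-MM-dd') } |
        Sort-Object Name |
        Select-Object @{ n = 'Day'; e = { $_.Name } }, Count
}

# Usage:
#   Get-PasswordExpiryReport | Where-Object { $_.State -ne 'ok' } | Format-Table -AutoSize
#   Get-PasswordChangeHistogram -Days 120
```

Two caveats a practitioner should keep in mind: the WinNT provider and the LDAP attribute describe the same domain policy, so if the LDAP value is the MinValue sentinel while the GPO says 90 days, the policy has not been applied (Douglas's case); and this reads only the domain-wide setting, so on a 2008+ domain with fine-grained password policies the per-user msDS-ResultantPSO would have to be consulted instead.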
RE: [ActiveDir] Slow Boot Up
Did this end up being a problem with DNS? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Thursday, May 25, 2006 10:27 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Slow Boot Up Morning everyone, Recently all my wkstns are taking up to 5 minutes to log in after a restart. Stuck at Applying Computer Settings and Applying Security Settings. Only change to GPO is offline files options are all disabled. While from the desktop it takes up to 30 seconds to load and open up AD snap-in to add a user to a group. Doesn't matter if firewall is turned on or off. No weird logs on DC. DCDIAG and NetDiag showed no errors. My FSMO roles are spread between two DCs in two separate subnets. Schema Master, Domain Naming Master, and GC are on the same DC. RID, Infra, and PDC are on the other DC. I thought about promoting another server to a DC. Any thought or idea where to check and look? -Z.V. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: Blank messages to lists???
FWIW... I haven't seen a blank message in some time now... Did you change something Tony? -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Saturday, May 06, 2006 7:56 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Blank messages to lists???
Re: [ActiveDir] tokenGroups field
I was going to say the same thing. Also, if you are using .NET 2.0, the new S.DS.ActiveDirectory namespace has tons of cool ways to enumerate domains in a forest, DCs in a domain (and by site), etc. The domain enumeration code uses very similar LDAP searches under the hood. The DC enumeration stuff uses the locator service (DsGetDcName, etc.). Joe Kaplan - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, May 31, 2006 6:06 PM Subject: RE: [ActiveDir] tokenGroups field Does this rate as cooler? (&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2)) In adfind, you would do something like

adfind -config -rb cn=partitions -bit -f (objectcategory=crossRef)(systemflags:AND:=2) -flagdc ncname systemflags

F:\DEV\cpp\MemberOf>adfind -config -rb cn=partitions -bit -f (objectcategory=crossRef)(systemflags:AND:=2) -flagdc ncname systemflags
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
Transformed Filter: (objectcategory=crossRef)(systemflags:1.2.840.113556.1.4.803:=2)
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: cn=partitions,CN=Configuration,DC=joe,DC=com

dn:CN=JOE,CN=Partitions,CN=Configuration,DC=joe,DC=com
>nCName: DC=joe,DC=com
>systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]

dn:CN=CHILD1,CN=Partitions,CN=Configuration,DC=joe,DC=com
>nCName: DC=child1,DC=joe,DC=com
>systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]

2 Objects returned

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Wednesday, May 31, 2006 12:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] tokenGroups field Thanks Joe, That's a little bit further than I want to go ;-) I wrote a GetMemberShip( DirectoryEntry ) method that finds all the domains in the forest and then connects to a GC in each and grabs tokenGroups for each and combines them into one string[] That seems to work fine ( until the day when we have a large number of domains :-o ).
Speaking of enumerating the domains in the forest, I'm enumerating the domains by connecting to: CN=Partitions,CN=Configuration,DC=forestroot,DC=net Then I throw away the schema, config, and DNS partitions. That seems to work fine until the day we start using application partitions in which case I will have no way of distinguishing a security enabled partition from the application partition. Is there a cooler way to enumerate the domain partitions in a forest? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, May 30, 2006 6:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] tokenGroups field The membership of groups is handled in a special way. Although the member attribute is marked for PAS inclusion only UG membership is replicated outside of a domain to all GCs. If you aren't worried about token creation for Windows security and instead just want to have full membership of a user in a single query you have two options that I can think of 1. Consolidate the group membership into another store, say ADAM or SQL Server. 2. Create another linked attribute pair that you apply to users and groups like member/memberof that is set for PAS inclusion. When you set the member attribute you set the additional attribute which will replicate to all GCs because the directory doesn't have any special rules for your custom attribute. If you go that far, I would also set that new attribute to be saved on tombstone as well. :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, May 30, 2006 9:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] tokenGroups field Thanks, that's pretty much what I figured. So this is of low importance, but why wouldn't any GC in the forest be able to provide me with the local groups for all of the domains? Why do I have to hit a GC in every domain? 
As I understand it the GC replicates the data from each domain that is marked for the partial attribute set. Like I said, really low importance, I'm just curious. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, May 30, 2006 4:41 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] tokenGroups field Your token only contains groups that are valid locally. So if you log onto a workstation that is part of a forest, your token on the workstation will contain Universal groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine. Take a look at whoami /groups or sectok to see your interactive token. Now if you connect to a remote machine, you will get the groups that have value there on your token on that remote machine. This is easiest to see with ADAM, connect to an ADAM instance and pull
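The two halves of this thread, enumerating only the domain naming contexts (joe's crossRef/systemFlags filter, which also excludes the application partitions Joseph was worried about) and then reading tokenGroups from a GC in each domain and merging the SIDs (Joseph's GetMemberShip approach, using the S.DS.ActiveDirectory locator calls Joe Kaplan mentions), fit in one script. The following is an added example written for this page, not code from any of the posters. It assumes a forest member with read access to the configuration NC; the user DN is a parameter you supply.

```powershell
# Added example (not from the thread). Domain NCs are the crossRef objects under
# CN=Partitions whose systemFlags has bit 2 (FLAG_CR_NTDS_DOMAIN) set; config,
# schema, DNS and application partitions do not have it.
# Assumptions: forest member, read access to the configuration NC, a valid user DN.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainPartitions {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configDn = $rootDse.Properties['configurationNamingContext'][0]
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Partitions,$configDn")
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND (adfind's :AND:)
    $s.Filter = '(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
    foreach ($p in 'nCName','dnsRoot','systemFlags') { [void]$s.PropertiesToLoad.Add($p) }
    foreach ($r in $s.FindAll()) {
        [pscustomobject]@{
            NcName      = $r.Properties['ncname'][0]
            DnsRoot     = $r.Properties['dnsroot'][0]
            SystemFlags = [int]$r.Properties['systemflags'][0]
        }
    }
}

function Find-GlobalCatalogInDomain {
    param([string]$DnsRoot)
    # FindAllDomainControllers goes through the locator (DsGetDcName) under the hood;
    # we then keep the first DC that is also a GC.
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DnsRoot)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $domain.FindAllDomainControllers() | Where-Object { $_.IsGlobalCatalog() } | Select-Object -First 1
}

function Get-TokenGroupsFromGC {
    param([string]$GcHost, [string]$UserDn)
    # tokenGroups is constructed on the DC that answers, so what comes back depends
    # on which domain's GC you ask (joe's point about groups "valid locally").
    $entry = [ADSI]"GC://$GcHost/$UserDn"
    $entry.RefreshCache(@('tokenGroups'))
    foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    }
}

function Get-ForestWideTokenGroups {
    param([Parameter(Mandatory = $true)][string]$UserDn)
    $seen = @{}
    foreach ($dom in Get-DomainPartitions) {
        $gc = Find-GlobalCatalogInDomain -DnsRoot $dom.DnsRoot
        if (-not $gc) { Write-Warning "no GC found in $($dom.DnsRoot)"; continue }
        foreach ($sid in Get-TokenGroupsFromGC -GcHost $gc.Name -UserDn $UserDn) {
            if ($seen.ContainsKey($sid.Value)) { continue }      # same group seen via another domain's GC
            $seen[$sid.Value] = $true
            $name = '(unresolved)'
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{ SeenVia = $dom.DnsRoot; Sid = $sid.Value; Name = $name }
        }
    }
}

# Usage:
#   Get-DomainPartitions | Format-Table -AutoSize
#   Get-ForestWideTokenGroups -UserDn 'CN=jdoe,OU=Users,DC=child1,DC=joe,DC=com' | Format-Table -AutoSize
```

The result is still what joe described, not a single authoritative membership list: each GC reports the universal groups plus the groups that matter in its own domain, and SIDs from domain-local groups of other domains can only be resolved if the Translate call can reach a DC there. For the per-domain loop to be cheap on a large forest, cache the GC per domain rather than calling the locator on every user.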
Re: [ActiveDir][OT] DNS on a DC or NOT
BTW.. to Brett... Joe is like "Cher".. he doesn't need a last name joe wrote: Two directories doesn't mean you are doing it for two auth domains. You did this in E55, the Exchange forest is simply for holding resources and the "real" directory handles the auth. I don't have a problem with multiple directories in order to protect the global whole... What really needs to happen is to push back on vendors who put out crap apps that don't play nice. This includes MSFT. Unfortunately I can think of no app that is as abusive and pervasive as Exchange and I still have no faith that the Exchange Dev group actually gets that they are playing in a shared sandbox versus their own private sandbox, so they feel no inhibition to crapping in it wherever they desire. I look with great joy at new mail/collaboration systems coming out that can give Exchange a serious run because I think that is probably one of the only things that will get them moving as they don't tend to listen to feedback unless there is pain associated with it. At least I haven't gotten them to fix a single thing unless I somehow threatened that they would feel pain over it. Otherwise they blow you off and laugh knowing you are pretty much stuck with it because while it sucks, as many say, it is probably the best of crap apps out there doing the same thing. I love the idea of Exchange using ADAM. Unfortunately it doesn't appear that this is happening in E12 except in a very minimal way, but at least it is a start. I think the issue here is that Exchange Dev is more interested in rushing towards new features over stabilizing and properly securing the core application. I understand why... For most customers out there, Exchange is good enough as it is at a core infrastructure level because no one has used it against them to beat their ass yet. They assume since nothing has happened and they don't have the skill themselves to do something with it that it must be safe and secure and good.
Perhaps nothing will ever happen, perhaps next week someone will release something that burns out 98% of the Exchange deployments and Active Directories in corporate America because of the poor underpinnings in Exchange. The binding between ADAM really doesn't need all that much work. It could be very much like the msExchMasterAccountSid... The ADAM directory simply points at the associated object in AD so when a user logs into Exchange, it can figure out what mailbox to present. Maybe you have a sync process for maintaining the site/subnet definitions if the Exchange folks don't want to have their own site/subnet/replication topology. The most work is what I think Exchange needs to do whether it uses ADAM or not and that is to start tearing all of the data except the actual messaging info out of the store and maintaining it in the directory. Permissions shouldn't be stored in both places... one or the other and I think with the ease and thinness of LDAP over MAPI the logical place is in the directory. Then Exchange can stop coming up with all sorts of fun interfaces to allow intelligent admins to automate things, they can focus on making the product bullet proof and leverage everything that already exists for managing LDAP. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Thursday, May 25, 2006 9:15 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir][OT] DNS on a DC or NOT Making it a black box is a strong argument. But it is Microsoft and if they can't support it on their own software, then I have no confidence in their ability. If they open it to other software, the support matrix becomes increasingly detrimental to the availability as you go through the possibilities causing the outage. *could* these DB apps work with other DB's. Sure.
It's not likely that the DB's differ so much that they couldn't. But it's the principle of the matter. And making it black box doesn't offer any value other than masking it from rogue/stupid SQL admins. Hmm... Exchange permissioning. Funny, as bad as it is, the more I use some of this open source and *nix based cr*p, the more I like the way they did it :) But you are correct that the permissions are difficult. I disagree that you should ever give an Exchange admin rights, even local rights, if they can't be trusted. Let's face it, if I give a file/print admin rights, they can be dangerous and likely could find a way to exploit something to cause pain. Lesson: give out admin rights in a miserly fashion. Additionally, I agree that the rights could and should be much better; an Exchange admin on a machine should not have the rights available that they tend to have on a shared service. That should have been nixed early in the dev cycle. Since it wasn't, then the alternative you're presenting is to maintain two directories and two authentication domains. I don't like that option either. Does it protect
RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
I.E. This is easy money for the company, please don't distribute the tool that collects the data as that is really the whole ADRAP for the most part unless the people getting it really haven't a clue what they are doing with AD at all at which point you should be looking at spending money on getting admins who have a clue versus bringing in MSFT for a one shot peek. Until Microsoft puts together an AD and Exchange RAP that looks at both together and tries to determine the causes of issues from each other I see the whole RAP thing as having very limited use in Orgs that use AD and Exchange. If you just use AD then it is pretty decent. However if you have both, the Exchange RAP tends to point at AD saying that it has massive issues and the AD RAP tends to say things are pretty decent. Or at least that is the results I have seen in every single case where both RAPs have been performed. Certainly the analysis was nothing to write home about. However I expect that entirely depends on who you happen to get in the drawing of who does your analysis, the skill levels vary greatly as I have seen some pretty intelligent things in the analysis and I have seen some absolutely stinkeroo completely incorrect things where you wonder if the analyzer had actually ever been introduced to AD. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Tuesday, May 09, 2006 12:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it? The tool is not the property of anyone on this list. As such, making it available on the list would be inappropriate. The goal of this tool has never been to be a stand-alone AD monitoring tool, nor even a snapshot tool. Rather, it was built specifically around the field offering of an AD risk assessment. As such, outside of that, the tool likely has little context, and may or may not be at all helpful.
That said, it is available in this context only, to the best of my knowledge. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, May 09, 2006 8:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it? I missed if anyone was making this tool available to the list? :)
RE: [ActiveDir] Schema extension
admod -b schemaupdatenow::1

Or put this in an LDIF file and execute it with LDIFDE:

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, May 09, 2006 11:41 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schema extension I didn't flush the cache. Wasn't aware I had to do that, plus I'm not sure where to do it. I'm viewing the AD properties with Hyena. I just looked in ADSIEDIT and DO see the new property there. I guess Hyena has some sort of filter turned on somehow. It shows all the other extensions we've added while installing various applications, just not this one. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, May 09, 2006 9:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schema extension Did you flush the schema cache on the schema master? How are you viewing the user's AD schema properties? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 09 May 2006 15:38 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Schema extension We received our OID from Microsoft this week, so I went ahead and added an attribute so I could flag service accounts so we won't accidentally 'clean them up' during our account cleanup processes. I then went to the User class and added my new attribute to it. When I view a user's AD schema properties, however, I'm not seeing the new property assigned to it. Is there any other step that I'm missing? Thanks ~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee.
If you have received this message in error please delete it, together with any attachments, from your system. ~~ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
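Russ's symptom (attribute visible in ADSIEdit, not in the tool he was using) is exactly the case where you want a check that does not depend on any GUI: refresh the schema cache on the schema master the way joe's admod/LDIF step does, then ask the directory itself whether the attribute exists, which class carries it, and whether a DC will actually offer it on a user object. The following is an added example written for this page, not code from the thread. The attribute name 'exampleSvcAcctFlag' and the user DN in the usage lines are placeholders.

```powershell
# Added example (not from the thread). Refreshes the schema cache via RootDSE
# schemaUpdateNow and verifies the new attribute from the schema NC and from a
# live object. Assumptions: Schema Admins for Update-SchemaCache, plain read
# access for the two Test-* functions; attribute and DN names are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Update-SchemaCache {
    # schemaUpdateNow only matters on the DC that holds the schema master role,
    # so target it explicitly rather than whichever DC RootDSE happens to bind to.
    $schemaMaster = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().SchemaRoleOwner.Name
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)      # same operation as the LDIF 'add: schemaUpdateNow'
    $rootDse.SetInfo()
    return $schemaMaster
}

function Test-SchemaAttribute {
    param([Parameter(Mandatory = $true)][string]$AttributeName,
          [string]$ClassName = 'user')
    $schemaDn = ([ADSI]'LDAP://RootDSE').Properties['schemaNamingContext'][0]
    $schema   = [ADSI]"LDAP://$schemaDn"

    $attrSearch = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $attrSearch.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))"
    foreach ($p in 'attributeID','isSingleValued','isMemberOfPartialAttributeSet') { [void]$attrSearch.PropertiesToLoad.Add($p) }
    $attr = $attrSearch.FindOne()
    if (-not $attr) {
        return [pscustomobject]@{ Attribute = $AttributeName; Exists = $false; Carriers = @(); InClass = $false }
    }

    # Every class that lists the attribute, whether on the class itself or an
    # auxiliary class; Russ's step "added my new attribute to the User class"
    # should show 'user' here.
    $clsSearch = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $clsSearch.Filter = "(&(objectClass=classSchema)(|(mayContain=$AttributeName)(systemMayContain=$AttributeName)(mustContain=$AttributeName)))"
    [void]$clsSearch.PropertiesToLoad.Add('lDAPDisplayName')
    $carriers = @(foreach ($c in $clsSearch.FindAll()) { $c.Properties['ldapdisplayname'][0] })

    $inGc = $false
    if ($attr.Properties['ismemberofpartialattributeset'].Count -gt 0) {
        $inGc = [bool]$attr.Properties['ismemberofpartialattributeset'][0]
    }
    [pscustomobject]@{
        Attribute    = $AttributeName
        Exists       = $true
        OID          = $attr.Properties['attributeid'][0]
        SingleValued = [bool]$attr.Properties['issinglevalued'][0]
        InGC         = $inGc
        Carriers     = $carriers
        InClass      = ($carriers -contains $ClassName)
    }
}

function Test-AttributeOnObject {
    param([Parameter(Mandatory = $true)][string]$ObjectDn,
          [Parameter(Mandatory = $true)][string]$AttributeName)
    # allowedAttributes is constructed by the answering DC from its own schema
    # cache, so a $false here after the schema change means that DC has not
    # picked the change up yet (replication or cache), not that the schema is wrong.
    $entry = [ADSI]"LDAP://$ObjectDn"
    $entry.RefreshCache(@('allowedAttributes'))
    return [bool](@($entry.Properties['allowedAttributes']) -contains $AttributeName)
}

# Usage:
#   Update-SchemaCache
#   Test-SchemaAttribute -AttributeName 'exampleSvcAcctFlag' -ClassName 'user'
#   Test-AttributeOnObject -ObjectDn 'CN=svc-backup,OU=Service Accounts,DC=example,DC=com' -AttributeName 'exampleSvcAcctFlag'
```

Since the point of Russ's attribute is to protect service accounts from a cleanup job, the same Test-AttributeOnObject call belongs at the top of that cleanup script: if the DC it binds to does not yet offer the attribute, the job cannot read the flag and should refuse to delete anything rather than treat every account as unflagged.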
RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
The quality of AD admins in even very large orgs varies more than the engineers delivering the RAPs. I've seen AD administrators that literally had no clue what DSRM was, how data is transferred between DCs (doesn't FRS replicate users, too? Or, AD replication is broken so SYSVOL isn't replicating), the difference between seizing or transferring a FSMO role, etc. Those aren't even the worst examples of things I've seen. The information shared during the ADRAP is, in my opinion, among the best available today. I'm not saying it's the greatest thing since sliced bread, has nothing that can be improved, never includes bad/wrong info, or that you couldn't come up with something better. I am saying if you compare it to MOC classes, 3rd party training, etc, you'd be hard pressed to find anything better (besides Dean's class, of course). Most people administering AD environments do not focus on it as their sole job, lack the fundamental understanding of most of the core components that make up AD, and definitely benefit from workshops like the ADRAP. The real world, for whatever reason, typically either doesn't seem to be able to find all those highly qualified AD admins you think they should invest in or has decided to not make those investments. Now you, and several others in this listserv, would definitely be yawning through most of the delivery. However, I'd also say the people I'm referring to are well above average in their AD knowledge. As to the challenges of contradicting or silo type mentality when comparing the ADRAP and ExRAP I agree with you and effort should definitely be made to stop it. However I wouldn't say those are good reasons to avoid the engagements. Although your experiences may differ from mine, I don't see so many instances of dramatic contradictions between the two engagements where Exchange is blaming AD for massive issues and vice versa.
Resolving the differences, although a pain and something that shouldn't be necessary, doesn't significantly de-value the engagements. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, May 31, 2006 8:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it? I.E. This is easy money for the company, please don't distribute the tool that collects the data as that is really the whole ADRAP for the most part unless the people getting it really haven't a clue what they are doing with AD at all at which point you should be looking at spending money on getting admins who have a clue versus bringing in MSFT for a one shot peek. Until Microsoft puts together an AD and Exchange RAP that looks at both together and tries to determine the causes of issues from each other I see the whole RAP thing as having very limited use in Orgs that use AD and Exchange. If you just use AD then it is pretty decent. However if you have both, the Exchange RAP tends to point at AD saying that it has massive issues and the AD RAP tends to say things are pretty decent. Or at least that is the results I have seen in every single case where both RAPs have been performed. Certainly the analysis was nothing to write home about. However I expect that entirely depends on who you happen to get in the drawing of who does your analysis, the skill levels vary greatly as I have seen some pretty intelligent things in the analysis and I have seen some absolutely stinkeroo completely incorrect things where you wonder if the analyzer had actually ever been introduced to AD. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Tuesday, May 09, 2006 12:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it? The tool is not the property of anyone on this list.
As such, making it available on the list would be inappropriate. The goal of this tool has never been to be a stand-alone AD monitoring tool, nor even a snapshot tool. Rather, it was built specifically around the field offering of an AD risk assessment. As such, outside of that, the tool likely has little context, and may or may not be at all helpful. That said, it is available in this context only, to the best of my knowledge. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, May 09, 2006 8:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it? I missed if anyone was making this tool available to the list? :)
RE: [ActiveDir] ADAM: Possible to only enforce local account policies when in a domain?
There is no hidden setting... However, here is something that might help you http://blog.joeware.net/2006/06/01/392/ joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece Sent: Thursday, February 23, 2006 1:42 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADAM: Possible to only enforce local account policies when in a domain? ADAM seems to have an all or nothing approach to account policies if you are in a domain. Either you get the domain policies or you get no policies (by setting ADAMDisablePasswordPolicies=1). If you are in a workgroup, you get the local policies. But is there any way to get only the local policies if you are in a domain? At times, domain password rules are incompatible with applications that need to leverage the ADAM for authentication. Please tell me there is a hidden setting for this...
RE: [ActiveDir] AD lag sites and replication
1) We are talking about blocking the replication to and from a lag-site, and the good thing about using a firewall is that we are able to block users and member servers authenticating against the lag-site. You do not want anyone to authenticate against a lag-site DC. So urgent replication is not an issue. 2) Agree with Joe here. I'm quite sure that the rights to force replication are available for at least dom-admins, and I'm very sure that no matter how many you have (OK, more than yourself) they will forget not to trigger forced replication sometime. 3) Lag-sites don't make any sense if they do replicate in between the scheduled times, so in this scenario you may worry about both. Gruesse - Sincerely, Ulf B. Simon-Weidner Profile/Publications: http://mvp.support.microsoft.com/profile Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Tuesday, May 30, 2006 12:59 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD lag sites and replication Neil, 1) If you start setting firewall rules then I am pretty sure you will break things as you will block urgent replication. What happens if someone changes their password and then goes to the home site? What about group membership changes? Do you really want to wait two days before you update these? 2) I don't think that normal admins can trigger unscheduled replication changes. Certainly I am a Domain Admin and I can't trigger replication changes on our infrastructure, but it is Windows/2000 3) IMHO you would be better worrying about getting things to replicate when they are supposed to rather than things replicating when they shouldn't Dave From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner Sent: 30 May 2006 11:32 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD lag sites and replication Hi Neil, I'd still go for a firewall with scheduled rules. IMHO there's no such thing as locked down replication schedules - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag sites DC. Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications:http://mvp.support.microsoft.com/profile=""> Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, May 30, 2006 10:33 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD lag sites and replication Thanks Ulf. I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'over ride' it. I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: 30 May 2006 09:01 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD lag sites and replication You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, bit more painfull if you have to do it from the DC itself since you don't have any remote access when the nic is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface). Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times. 
As long as you don't exceed the tombstone-lifetime I don't see any reasons why this should not be supported since we are just talking about lag-sites without any memberservers / clients / users who log onto those DCs. Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications:http://mvp.support.microsoft.com/profile=""> Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, May 30, 2006 9:49 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD lag sites and replication I'm looking to implement one or more lag sites, with staggered replication schedules. (i.e. NYC lag replicates tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am). We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc. Is there a (supported) way to ensure that replication can ONLY occur within the hours described above? Thanks, neil PLEASE READ: The information contained in this email is confidential and intended for the
RE: [ActiveDir] Machine Psswd Age
> Probably more than you ever wanted to know about machine account password changes.

Not at all - my brain sucks that stuff in. To be complete: was it the same with NT4, or was there such a thing as half-time renewal? What's the required level of netlogon debug logging? Is 1 enough?

Don't you want to share this info on a blog? It's great, and we could give you credits and avoid typing whenever there's a discussion of that topic. Might be worth including the imaged-client and reset-password-on-a-computer-account discussions.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, May 31, 2006 5:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Just to add some additional detail. The machine account password is actually changed every 30 days plus a random offset of up to 24 hours, so ~31 days as a maximum by default with Windows 2000 and later OSes. This is done by the netlogon service on the client and there is a scavenger thread that wakes up and performs the reset once this threshold is met. If it cannot reach a Domain Controller it will go back to sleep and wake up every 15 minutes to try and reset the password. You can see this behavior by turning up netlogon debug logging and see the following output:

Success:
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)

Failure:
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e c05e ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)

Random Offset:
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)

Since the value is in milliseconds, when converting this you will see in the random offset case the value is really ~30.56 days, where the one in success is exactly 30 days.

Probably more than you ever wanted to know about machine account password changes.

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Sunday, May 28, 2006 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Hmm - I can not find where I got this information from. The KB about disablePasswordChange has not been updated for pretty long (still stated only NT in the early WS2k3 days). The following page even states that the NT4 Workstation changes the password every 3 days, and retries after another 3 days: http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true

However I stand corrected - need to update my brain's cache from google more often - too bad brains don't support TTL of websites.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 24, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

I agree with Bob. Seven days pre-W2K, 30 days for W2K and better. I have never seen a machine change its password at the 50% age and I have looked at this quite a bit for various[1] reasons.

joe

[1] OldCmp being one of them...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, May 24, 2006 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

The default was 7 days for NT, increased to 30 in W2K and above. See http://support.microsoft.com/kb/154501/ or q175468 or any of the old domain sizing docs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, May 24, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
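Steve Linehan's netlogon.log excerpt above shows the scavenger's next wake-up as a hex millisecond count. As an added example (not code from anyone in the thread), the Python below parses NlWksScavenger lines, converts the hex value, and labels each change attempt as a plain 30-day success, a 30-day-plus-random-offset success, or a 15-minute retry after a failed DC lookup (Cannot find DC / event 5719); the sample lines are constructed from the ones quoted in the thread, and the 30-day and 24-hour constants are the defaults Steve describes.

```python
import re

# Constructed sample: the netlogon.log lines quoted in the thread, condensed
# to the ones the parser needs (one change attempt per NlWksScavenger line).
SAMPLE_LOG = """\
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e c05e ^...
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)
"""

MS_PER_DAY = 86_400_000
BASE_INTERVAL_MS = 30 * MS_PER_DAY      # default machine password age, W2K and later
MAX_RANDOM_OFFSET_MS = 24 * 3_600_000   # netlogon adds up to 24 hours on top of that

SCAVENGER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[MISC\] NlWksScavenger: "
    r"Can be called again in .*?\((?P<hex>0x[0-9a-fA-F]+)\)$"
)

def classify(interval_ms, dc_unreachable):
    """Name the outcome of one change attempt from the next wake-up interval."""
    if dc_unreachable or interval_ms < BASE_INTERVAL_MS:
        return "retry"            # no DC reached: 15-minute retry, password unchanged
    if interval_ms == BASE_INTERVAL_MS:
        return "changed"          # exactly 30 days
    if interval_ms <= BASE_INTERVAL_MS + MAX_RANDOM_OFFSET_MS:
        return "changed+offset"   # 30 days plus the random offset (at most 24 h)
    return "unexpected"           # longer than a default client ever schedules

def parse_netlogon(text):
    """Return (timestamp, interval_ms, interval_days, outcome) per scavenger line.
    A 'Cannot find DC' or event 5719 seen before the scavenger line marks that
    attempt as failed; the scavenger line itself closes the attempt."""
    events, dc_unreachable = [], False
    for line in text.splitlines():
        if "Cannot find DC" in line or "Eventlog: 5719" in line:
            dc_unreachable = True
        m = SCAVENGER_RE.match(line)
        if m:
            ms = int(m["hex"], 16)
            events.append((m["ts"], ms, round(ms / MS_PER_DAY, 2),
                           classify(ms, dc_unreachable)))
            dc_unreachable = False        # next attempt starts with a clean slate
    return events
```

On the sample this yields exactly 30.0 days for 0x9a7ec800, 15 minutes (0.01 days) flagged as a retry for 0xdbba0, and 30.56 days for 0x9d671aca, matching the figures in Steve's message.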