[ActiveDir] New DC can't find the machine account
Nice Picture Joe! Mine is at www.sjpc.org/~medeiros

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, May 31, 2006 4:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir][OT] New DC can't find the machine account

Hey I like that pic, that is why I posted it. :) See how observant Brett is?? I actually sat down and had a burger and a drink with him and he didn't catch my last name.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, May 31, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: OT: Re: [ActiveDir] New DC can't find the machine account

Next time you operate that garage door, check the pass. joe is not the same as McNichols, Joe. Need a picture? https://mvp.support.microsoft.com/profile= for the link [1]

[1] sorry joe, couldn't help it. I still crack up when I see the pic.

On 5/31/06, Brett Shirley [EMAIL PROTECTED] wrote:

Is this joe joe or joe someone else? It occurred to me, I've NEVER seen joe joe's last name ...

-B

On Wed, 31 May 2006, McNicholas, Joe wrote:

Off the top of my head: is DFS running?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
Sent: 31 May 2006 14:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New DC can't find the machine account

Hi,

I have a Windows 2000 based AD (empty root with 1 child domain) that I'm in the process of upgrading to w2003r2 as a test for our production domain (same configuration). The adprep went fine as well as the dcpromo of the new DC. However when the new DC reboots I get the following messages in the application log:

EVENT TYPE: Error
SOURCE: Userenv
EVENT ID: 1097
Windows cannot find the machine account, The Local Security Authority cannot be contacted.

and

EVENT TYPE: Error
SOURCE: Userenv
EVENT ID: 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Neither system has these messages when they were simple servers in the domain. They were rebooted several times before becoming DCs to make sure the event logs were clean. They seem to be functioning as DCs. File replication with the original w2k dc took a long time to start up.

I added a second w2k3 r2 DC and it is showing the exact same messages. Both machines were created from the same sysprep image - the machine that was built as the basis for the sysprep image was never in the domain.

I've been searching Microsoft and came up with one or two applicable docs. One said to make sure that services like netlogon were set to automatic (it is). Another had settings for enabling debug on the netlogon service which I implemented. All that I see in there is netlogon pausing.

Any ideas?

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Machine Psswd Age
Agreed I have many things that need to go into a blog and that is likely something I will be working on in the near future. I just hate to set one up on technet and then not post, like someone else we know who took forever to get their first post up and happens to open the garage doors on campus. :-)

As far as NT 4.0 is concerned I have not debugged or reviewed that code in years but I do not recall it being that much different except for the default time changing to 30 days.

As far as netlogon debug logging you want at a minimum NL_MISC. I normally use 0x2000 to get the standard output and 0x2080 and then work up from there on the more verbose logging. Of course it does help to look at the source and see what flag they logged a particular event against but you can get there with trial and error.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, June 01, 2006 12:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

> Probably more than you ever wanted to know about machine account password changes.

Not at all - my brain sucks that stuff in. To be complete: was it the same with NT4, or was there such a thing as half-time renewal? What's the required level of netlogon-debug-logging? 1 enough?

Don't you want to share this info on a blog? It's great, and we could give you credits and avoid typing whenever there's a discussion of that topic. Might be worth including the imaged-client and reset-password-on-a-computer-account discussions.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Wednesday, May 31, 2006 5:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Just to add some additional detail. The machine account password is actually changed every 30 days plus a random offset of up to 24 hours, so ~31 days as a maximum by default with Windows 2000 and later OSes. This is done by the netlogon service on the client and there is a scavenger thread that wakes up and performs the reset once this threshold is met. If it cannot reach a Domain Controller it will go back to sleep and wake up every 15 minutes to try and reset the password. You can see this behavior by turning up netlogon debug logging and see the following output:

Success:

05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)

Failure:

05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e c05e ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)

Random Offset:

05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)

Since the value is in milliseconds, when converting this you will see in the random offset case the value is really ~30.56 days where the one in success is exactly 30 days.

Probably more than you ever wanted to know about machine account password changes.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: Sunday, May 28, 2006 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Hmm - I can not find where I got this information from. The KB about disablePasswordChange has not been updated for a pretty long time (still stated only NT in the early WS2k3 days). The following page even states that the NT4 Workstation changes the password every 3 days, and retries after another 3 days: http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true

However I stand corrected - need to update my brain's cache from google more often - too bad brains don't support TTL of websites.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
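The scavenger lines Steve quotes are the quickest way to tell, from a client's netlogon.log, whether the machine password change succeeded, fell back to the 15-minute retry, or landed on the 30-days-plus-random-offset timer. The script below is an added example written for this page (it is not Steve's or Microsoft's code). It assumes, as the thread states, that the hex value in parentheses is the sleep interval in milliseconds and that 30 days, a random offset of under 24 hours, and a 15-minute retry are the defaults; the sample log text is constructed from the lines quoted above, not a real capture. On a real machine you would feed it %SystemRoot%\debug\netlogon.log after turning logging on with nltest /dbflag:0x2080.

```python
"""Parse netlogon.log scavenger lines and classify machine-password-change outcomes."""
import re
from datetime import timedelta

# Constructed sample, modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e c05e ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)
"""

# The value in parentheses is the scavenger's sleep interval in milliseconds (per the thread).
SCAVENGER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[MISC\] NlWksScavenger: "
    r"Can be called again in .*\(0x(?P<ms>[0-9a-fA-F]+)\)"
)
CANNOT_FIND_DC_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[CRITICAL\] .*NlDiscoverDc: Cannot find DC\."
)

DEFAULT_MAX_AGE = timedelta(days=30)      # default machine password age since Windows 2000
MAX_RANDOM_OFFSET = timedelta(hours=24)   # random delay added on top of the 30 days
RETRY_INTERVAL = timedelta(minutes=15)    # scavenger retry when no DC could be reached


def scavenger_intervals(log_text):
    """(timestamp, interval) for every NlWksScavenger sleep line; hex milliseconds -> timedelta."""
    out = []
    for line in log_text.splitlines():
        m = SCAVENGER_RE.match(line)
        if m:
            out.append((m.group("ts"), timedelta(milliseconds=int(m.group("ms"), 16))))
    return out


def classify(interval):
    """Map a scavenger sleep interval to what it says about the last password change."""
    if interval == RETRY_INTERVAL:
        return "retry"             # change attempt failed (no DC); 15-minute retry
    if interval == DEFAULT_MAX_AGE:
        return "changed"           # password changed; next change in exactly 30 days
    if DEFAULT_MAX_AGE < interval <= DEFAULT_MAX_AGE + MAX_RANDOM_OFFSET:
        return "changed+offset"    # changed; 30 days plus the random (< 24 h) offset
    return "unexpected"            # non-default policy or something worth a closer look


def summarize(log_text):
    """[(timestamp, days, classification)] for each scavenger line in the log."""
    return [(ts, iv.total_seconds() / 86400, classify(iv))
            for ts, iv in scavenger_intervals(log_text)]


def dc_discovery_failures(log_text):
    """Timestamps at which netlogon could not find a DC (these go with event 5719)."""
    return [m.group("ts") for m in map(CANNOT_FIND_DC_RE.match, log_text.splitlines()) if m]


if __name__ == "__main__":
    for ts, days, verdict in summarize(SAMPLE_LOG):
        print(f"{ts}  {days:7.2f} days  {verdict}")
    print("DC discovery failures at:", dc_discovery_failures(SAMPLE_LOG))
```

Run against the sample it reports 30.00 days (changed), 15 minutes (retry) and 30.56 days (changed with offset), which is the arithmetic Steve describes; a run of "retry" verdicts with matching "Cannot find DC" timestamps is the pattern to look for when a machine later logs the trust-relationship errors that come from a password that never got updated.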
[ActiveDir] Deny Read Permissions to Group Policy
Return Receipt

Your document "[ActiveDir] Deny Read Permissions to Group Policy" was received by Chris Ryan/MIS/CORP/KrogerCo at 06/01/2006 08:02:17.
RE: [ActiveDir][OT] Machine Psswd Age
Hey you, the garage door opener, and ~Eric[1] could all share a blog! You would still need to do a majority of the posting but occasionally they would kick something in. :) Certainly I would be an avid reader.

joe

[1] Who is actually being beat out this year in blog entries by the person he made fun of for having a blog and not posting

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Thursday, June 01, 2006 2:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Agreed I have many things that need to go into a blog and that is likely something I will be working on in the near future. I just hate to set one up on technet and then not post, like someone else we know who took forever to get their first post up and happens to open the garage doors on campus. :-)

As far as NT 4.0 is concerned I have not debugged or reviewed that code in years but I do not recall it being that much different except for the default time changing to 30 days.

As far as netlogon debug logging you want at a minimum NL_MISC. I normally use 0x2000 to get the standard output and 0x2080 and then work up from there on the more verbose logging. Of course it does help to look at the source and see what flag they logged a particular event against but you can get there with trial and error.

Thanks,

-Steve
Re: [ActiveDir] New DC can't find the machine account
[EMAIL PROTECTED] wrote:

> I bet you one crate to a bottle of German beer that your DNS is out to lunch. Every time when I've seen this, it always goes away by kicking a DNS server somewhere. Check your DNS servers.

I talked to the networking people and the DNS server that is used for our test domains is a couple of major releases out of date and running on really crap hardware. Building him a new server...

Thanks for all the help.

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

> Sincerely,
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
>
> From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
> Sent: Wed 5/31/2006 7:53 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] New DC can't find the machine account
>
> Almeida Pinto, Jorge de wrote:
>> see if the following helps: http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1
>
> I had run across that page last night. Time is ok (ntp to local time source). I don't think that both computer accounts are corrupt as they were ok as simple servers. I enabled debug logging for the netlogon service and at the same time I get the userenv events I get
>
> 05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.: Netlogon is paused on the server. 0x14
>
> al
>
>> Met vriendelijke groeten / Kind regards,
>> Ing. Jorge de Almeida Pinto
>> Senior Infrastructure Consultant
>> MVP Windows Server - Directory Services
>> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
>> Tel : +31-(0)40-29.57.777
>> Mobile : +31-(0)6-26.26.62.80
>> E-mail : see sender address
RE: [ActiveDir][OT] Machine Psswd Age
Correction: the GDO and I are tied. I posted again this morning, just to spite you.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, June 01, 2006 6:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Machine Psswd Age

Hey you, the garage door opener, and ~Eric[1] could all share a blog! You would still need to do a majority of the posting but occasionally they would kick something in. :) Certainly I would be an avid reader.

joe

[1] Who is actually being beat out this year in blog entries by the person he made fun of for having a blog and not posting

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Re: [ActiveDir][OT] Machine Psswd Age
As someone who's been corrected in the past, it's rumored that he operates the garage doors, insinuating that he closes and opens them and presumably whatever else is in between. And joe, he just wanted the free lunch ;)

NT 4 machine password update interval. There are definitely some conflicts. The KBs state every 7 days since NT3.51 - NT4.0, changing in Windows 2000 to 30 days (+ variable time w/in 24 hrs - thanks Steve.) It'd be nice to have some accurate information about how it *should* work to help in those situations where default is no longer the case. Given how old NT4 is now, that wouldn't be hard to find and vendor reference can be useful when building overwhelming for^^^ cases for changing things.

-ajm

On 6/1/06, joe [EMAIL PROTECTED] wrote:

Hey you, the garage door opener, and ~Eric[1] could all share a blog! You would still need to do a majority of the posting but occasionally they would kick something in. :) Certainly I would be an avid reader.

joe

[1] Who is actually being beat out this year in blog entries by the person he made fun of for having a blog and not posting

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Re: [ActiveDir] New DC can't find the machine account
Did you see my post last night - this is expected behaviour?

-----Original Message-----
From: Al Lilianstrom [EMAIL PROTECTED]
Date: Thu, 01 Jun 2006 08:13:20
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

[EMAIL PROTECTED] wrote:

> I bet you one crate to a bottle of German beer that your DNS is out to lunch. Every time when I've seen this, it always goes away by kicking a DNS server somewhere. Check your DNS servers.

I talked to the networking people and the DNS server that is used for our test domains is a couple of major releases out of date and running on really crap hardware. Building him a new server...

Thanks for all the help.

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
Re: [ActiveDir] Exchange queue(OT)
Another reason you'll get an Exchange consultant to recommend that is for management reasons. Few companies manage large groups well. Also, you can have better control over the expansion of groups with multiple separate groups, vs. one really large group.

Tom, did you ever get good results?

On 5/31/06, joe [EMAIL PROTECTED] wrote:

I am not aware of any limits in the size of DLs specific to Exchange. There is a recommendation to keep your DLs less than 1000 members. However, I expect that this is due to attribute ranging which in Windows 2000 was 1000 attributes and in Windows Server 2003 AD that is now 1500 members. The idea being that you can get all of the values in a single query instead of sending back asking for more over and over again.

I did notice that Exchange does something odd when it has to start ranging to retrieve more members. It doesn't appear to be using the normal WLDAP32 library to do it. I was using Insight for AD from winternals and the additional calls to get the additional members weren't being caught, yet I could see them over the wire with ethereal, meaning that the hooks that Insight puts into the WLDAP32 libs weren't seeing the calls... hence they weren't using the standard library.

Breaking the users up into separate smaller groups and then nesting the groups is exactly what any Exchange consultant that came in would say.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, May 12, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange queue(OT)

Well one thing I noticed is that the senders (and some recipients) are members of an AD security DG that has over 3300 members. I think the categorizer has a 1500 value limit for member? I'm gonna separate the members into multiple local groups and then nest them into the DG. Maybe that will help. I'll let you know what I find.

Thanks

On 5/10/06, Al Mulnick [EMAIL PROTECTED] wrote:
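The attribute ranging joe describes is the LDAP range-retrieval mechanism AD uses for multi-valued attributes larger than the MaxValRange policy (1000 values on Windows 2000, 1500 on Windows Server 2003 by default): the client asks for member;range=0-*, the server answers with member;range=0-1499, the client asks for member;range=1500-*, and so on until the server's answer ends in *. The script below is an added example written for this page, not Exchange's, Microsoft's, or any poster's code. Because it has to run offline, the "directory controller" is a constructed stand-in that enforces MaxValRange the way a DC does; FakeDirectory, fetch_all_values and demo are names I chose, and the 3300-member group mirrors Tom's numbers.

```python
"""LDAP range retrieval of a large multi-valued attribute (member), simulated offline."""
import re

# Matches the attribute description AD uses for ranged results, e.g. "member;range=0-1499".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


class FakeDirectory:
    """Constructed stand-in for a DC: never returns more than max_val_range values per request."""

    def __init__(self, members, max_val_range=1500):
        self.members = list(members)
        self.max_val_range = max_val_range
        self.requests = 0  # how many round trips the client needed

    def search(self, attr_spec):
        """Answer one search for a single attribute description and return {attr_desc: values}."""
        self.requests += 1
        m = RANGE_RE.match(attr_spec)
        attr = m.group("attr") if m else attr_spec
        lo = int(m.group("lo")) if m else 0
        total = len(self.members)
        if m is None and total <= self.max_val_range:
            return {attr: self.members[:]}          # small attribute: plain, unranged answer
        hi = min(lo + self.max_val_range, total)
        chunk = self.members[lo:hi]
        # A trailing '*' in the answer means "this slice reaches the end of the attribute".
        key = f"{attr};range={lo}-*" if hi >= total else f"{attr};range={lo}-{hi - 1}"
        return {key: chunk}


def fetch_all_values(search, attr="member"):
    """Walk the ranges until the server's answer ends in '*'; search is any callable
    that takes an attribute description and returns {attr_desc: [values]}."""
    values = []
    lo = 0
    while True:
        result = search(f"{attr};range={lo}-*")
        ((key, chunk),) = result.items()
        values.extend(chunk)
        m = RANGE_RE.match(key)
        if m is None or m.group("hi") == "*":
            return values                          # unranged or final slice: done
        hi = int(m.group("hi"))
        if hi < lo:                                 # a misbehaving server would loop us forever
            raise RuntimeError(f"range went backwards: asked {lo}-*, got {key}")
        lo = hi + 1


def demo(member_count=3300, max_val_range=1500):
    """Fetch a group of member_count members and report (values retrieved, round trips used)."""
    dns = (f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(member_count))  # constructed
    dc = FakeDirectory(dns, max_val_range)
    members = fetch_all_values(dc.search)
    return len(members), dc.requests


if __name__ == "__main__":
    for limit in (1000, 1500):
        got, trips = demo(3300, limit)
        print(f"MaxValRange={limit}: {got} members in {trips} round trips")
```

With Tom's 3300-member group this takes 3 round trips at 1500 values per answer and 4 at 1000, which is the cost joe is pointing at and why keeping a group under the range limit lets a categorizer (or any LDAP client) read it in one query. Against a real DC you pass a function that issues the search for that one attribute description and returns the attribute dictionary from the entry; the loop itself does not change.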
RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
I see your points and think they are more of an argument to find and get the good dedicated knowledgeable people, or farm out support to a company who has good knowledgeable people, versus get a one time or even once per year consult. That one time consult does nothing to protect the infrastructure over the long term.

If companies still to this point do not understand the importance and criticality of Active Directory to them, and it truly is important and critical, IMO they deserve anything that happens to them. Too many places, again IMO, run in a state where they assume everything will be running fine and don't get themselves into a position with knowledge and understanding and dedicated resources to handle issues that crop up, and so issues that should be small issues or non-issues end up blowing up into disasters.

I am aware of one company that took a non-issue that, had it been handled by a solid knowledgeable crew, would not have been but a blip on a monitor station, and turned it into a week long outage. No part of it could have been prevented or probably even hinted at from a swing on by and try to point out issues, but it could easily have been handled by having empowered knowledgeable dedicated resources. Every company needs to ask themselves exactly how long they can go with being 100% down for various resources. Most places would be in extremely bad shape if something critical were out for a week.

Finally, a tool that looks at an infrastructure and gathers the info together and tells you where the holes are probably shouldn't be an item that costs money from the company producing the infrastructure software... I would expect it to come with the infrastructure components or be a download. It isn't like if this were free the support teams at MSFT wouldn't have anything to do...

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner
Sent: Thursday, June 01, 2006 12:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

The quality of AD admins in even very large orgs varies more than the engineers delivering the RAPs. I've seen AD administrators that literally had no clue what DSRM was, how data is transferred between DCs (doesn't FRS replicate users, too? Or, AD replication is broken so SYSVOL isn't replicating), the difference between seizing or transferring a FSMO role, etc. Those aren't even the worst examples of things I've seen.

The information shared during the ADRAP is, in my opinion, among the best available today. I'm not saying it's the greatest thing since sliced bread, has nothing that can be improved, never includes bad/wrong info, or that you couldn't come up with something better. I am saying if you compare it to MOC classes, 3rd party training, etc., you'd be hard pressed to find anything better (besides Dean's class, of course). Most people administering AD environments do not focus on it as their sole job, lack the fundamental understanding of most of the core components that make up AD, and definitely benefit from workshops like the ADRAP. The real world, for whatever reason, typically either doesn't seem to be able to find all those highly qualified AD admins you think they should invest in or has decided to not make those investments. Now you, and several others in this listserv, would definitely be yawning through most of the delivery. However, I'd also say the people I'm referring to are well above average in their AD knowledge.

As to the challenges of contradicting or silo type mentality when comparing the ADRAP and ExRAP, I agree with you and effort should definitely be made to stop it. However I wouldn't say those are good reasons to avoid the engagements. Although your experiences may differ from mine, I don't see so many instances of dramatic contradictions between the two engagements where Exchange is blaming AD for massive issues and vice versa. Resolving the differences, although a pain and something that shouldn't be necessary, doesn't significantly de-value the engagements.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, May 31, 2006 8:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

I.E. This is easy money for the company, please don't distribute the tool that collects the data as that is really the whole ADRAP for the most part, unless the people getting it really haven't a clue what they are doing with AD at all, at which point you should be looking at spending money on getting admins who have a clue versus bringing in MSFT for a one shot peek. Until Microsoft puts together an AD and Exchange RAP that looks at both together and tries to determine the causes of issues from each other, I see the whole RAP thing as having very limited use in Orgs that use AD and Exchange. If you just use AD then it
Re: [ActiveDir] New DC can't find the machine account
Mark Parris wrote:
Did you see my post last night - this is expected behaviour?

Yes I did. There are other DCs that are alive and responding. Unless the DC is only willing to talk to itself then it should talk to the other DC. We'll see if anything changes after the DNS server gets replaced.

al

-Original Message-
From: Al Lilianstrom [EMAIL PROTECTED]
Date: Thu, 01 Jun 2006 08:13:20
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

[EMAIL PROTECTED] wrote:
I bet you one crate to a bottle of German beer that your DNS is out to lunch. Every time when I've seen this, it always goes away by kicking a DNS server somewhere. Check your DNS servers.

I talked to the networking people and the DNS server that is used for our test domains is a couple of major releases out of date and running on really crap hardware. Building him a new server...

Thanks for all the help.

al

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Wed 5/31/2006 7:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Almeida Pinto, Jorge de wrote:
see if the following helps:
http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1

I had run across that page last night. Time is ok (ntp to local time source). I don't think that both computer accounts are corrupt as they were ok as simple servers.

I enabled debug logging for the netlogon service, and at the same time I get the userenv events I get

05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.: Netlogon is paused on the server. 0x14

al

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Wed 2006-05-31 15:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New DC can't find the machine account

Hi,

I have a Windows 2000 based AD (empty root with 1 child domain) that I'm in the process of upgrading to w2003r2 as a test for our production domain (same configuration). The adprep went fine as well as the dcpromo of the new DC. However, when the new DC reboots I get the following messages in the application log:

EVENT TYPE: Error
SOURCE: Userenv
EVENT ID: 1097
Windows cannot find the machine account, The Local Security Authority cannot be contacted.

and

EVENT TYPE: Error
SOURCE: Userenv
EVENT ID: 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Neither system has these messages when they were simple servers in the domain. They were rebooted several times before becoming DCs to make sure the event logs were clean. They seem to be functioning as DCs. File replication with the original w2k DC took a long time to start up. I added a second w2k3 r2 DC and it is showing the exact same messages. Both machines were created from the same sysprep image - the machine that was built as the basis for the sysprep image was never in the domain.

I've been searching Microsoft and came up with one or two applicable docs. One said to make sure that services like netlogon were set to automatic (it is). Another had settings for enabling debug on the netlogon service which I implemented. All that I see in there is netlogon pausing.

Any ideas?

al

-- 
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
RE: [ActiveDir] New DC can't find the machine account
Mark: why would this be expected?

Al: Who is doing DNS for this DC in question? If you ping a domain resource from that DNS server, does it resolve correctly?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 6/1/2006 7:11 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Did you see my post last night - this is expected behaviour?
RE: [ActiveDir][OT] DNS on a DC or NOT
I'm sure Deji is about to cry out loud at the image... what image? the image of joe on MVP site? the image of small joe lifting up some skirts? the image of joe cross-dressing - to look like Cher? it's been a sleepless night and I may be getting my images crossed :)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Thu 6/1/2006 7:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir][OT] DNS on a DC or NOT

BTW.. to Brett... Joe is like Cher.. he doesn't need a last name

- I think I just had coffee come out my nose and spew across the cubicle and cover everything within 30 ft. Comparing joe and Cher. What a hoot! I'm sure Deji is about to cry out loud at the image...

Putting everything but the mail data in the directory? joe, whatever happened to the abusive and pervasive Exchange servers in an AD environment?

joe, I'd be fine with the idea of an Exchange forest if it were not doing anything. But because it's also doing auth, even if it is just trusting your other forest(s), it still has to be dealt with as an auth domain. You can minimize it, but like you said, there are rights in the store, on the server, in the directory, etc. Legacy decisions are a tough thing to overcome I'm sure.

In the case of Exchange dedicated forests, I end up having more than two authentication domains: the one my primary account resides in, the one my mailbox resides in, my mailbox store (i.e. the db) and then my administrative overhead accounts. While some can happily run in that environment for years, I contend that the level of complexity is much more than is conducive [1] to a stable and healthy messaging environment. And since that causes some havoc with rights at the various levels, it comes across as an unnatural creation when you deploy that way. Sure you can live with it if that's what it takes, but it is most certainly not my first choice in deployment topologies and would be done at great peril to those in the room that pushed it. I know it's fine for the first 13 months, but then

One stray thought: if made to deploy a resource forest topology, I think deploying one dedicated DC and then incorporating Exchange and AD on the same machines is warranted for decentralized deployments. Why? Because of the cross-forest communications etc. While it increases the complexity of the AD environment and limits the scalability, it isolates the directory to that Exchange server in that site. It also mimics Exchange 5.x topology and gives greater stability.

Setting up multiple directories to achieve that, well, we just need to agree to disagree. I think it can and should be done better.[2] For many of the same reasons, I'd like to see a contender. In the past several years many have tried and failed, but it would be a good and healthy change to see a real contender - both for customers but also for Microsoft Exchange teams.

My opinion anyway.

[1] ok, I'm out of big words now.
[2] yep, many times I've had the conversations and been told that unless and until the problem stops deployment/adoption of the product, it won't be fixed/addressed. That's frustrating I know. I don't have those conversations with Exchange (or is it Office?) dev any longer. It's possible they wouldn't listen if I tried ;)

On 5/31/06, joe [EMAIL PROTECTED] wrote:

Two directories doesn't mean you are doing it for two auth domains. You did this in E55, the Exchange forest is simply for holding resources and the real directory handles the auth. I don't have a problem with multiple directories in order to protect the global whole...

What really needs to happen is to push back on vendors who put out crap apps that don't play nice. This includes MSFT. Unfortunately I can think of no app that is as abusive and pervasive as Exchange and I still have no faith that the Exchange Dev group actually gets that they are playing in a shared sandbox versus their own private sandbox, so they feel no inhibition to crapping in it wherever they desire. I look with great joy at new mail/collaboration systems coming out that can give Exchange a serious run because I think that is probably one of the only things that will get them moving, as they don't tend to listen to feedback unless there is pain associated with it. At least I haven't gotten them to fix a single thing unless I somehow threatened that they would feel pain over it. Otherwise they blow you off and laugh knowing you
[ActiveDir] OT: srvinfo output incomplete
Situation: running srvinfo \\computer_name with domain admin credentials from a remote computer. One w2k3/sp1 server target returns the full complement of information, including CPU, BIOS info, hotfixes, network card info, uptime. Another w2k3sp1 server target returns only partial information, missing CPU, BIOS info, hotfixes, network card info, and uptime. This second computer also returns "Domain: Error 5" and "PDC: Error 5". This same domain admin can log into the second computer target directly and run srvinfo and get a full complement of information! Both target computers are in AD and have the same policies applied to them. Security options appear to be the same.

Does anyone have any thoughts as to what might be preventing a complete information disclosure when running srvinfo from across the network?

TIA!
Mike Thommes
[ActiveDir] HIDE OU
I know it has been done and probably asked before.. but how do you hide a particular user or OU in AD (W2K3)?

-Z.V.
Re: [ActiveDir] New DC can't find the machine account
I had the similar catch 22 a couple of months ago on a heavily utilised DC, but it was DNS related, where AD was dependent on DNS and DNS had not started fully. As the DC pointed to itself for DNS there was nothing else I could do but accept the error. Or cross point the DNS servers, but I did not want to do that.

But if your DC points at itself, how will a rebuild fix the issue?

-Original Message-
From: Al Lilianstrom [EMAIL PROTECTED]
Date: Thu, 01 Jun 2006 10:19:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Mark Parris wrote:
Did you see my post last night - this is expected behaviour?

Yes I did. There are other DCs that are alive and responding. Unless the DC is only willing to talk to itself then it should talk to the other DC. We'll see if anything changes after the DNS server gets replaced.

al
Re: [ActiveDir] New DC can't find the machine account
Expected as in Microsoft knows that it sometimes happens upon a reboot but goes away when settled. That's how I read the KB.

-Original Message-
From: [EMAIL PROTECTED]
Date: Thu, 1 Jun 2006 08:45:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New DC can't find the machine account

Mark: why would this be expected?

Al: Who is doing DNS for this DC in question? If you ping a domain resource from that DNS server, does it resolve correctly?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com
RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
I agree with your ideals and wish the folks responsible for these things did, too, and would do something about it. I'd say, though, most do not today for whatever reason. I base this on empirical data of visiting a couple hundred different customers for various AD issues. Some customers look at me like I'm crazy when I talk about what happens when a DC is unreachable for greater than the tombstone lifetime interval while too many look embarrassed and describe how it's already happened to them. And I'm not talking about instances where the customer was actually aware of this happening until it was too late. As for the tool being free, I don't have any internal knowledge of pricing or future plans, but I would suspect that's a direction the tool is moving towards. The ExBPA is freely downloadable and the same internal group (different factions, perhaps, but the same overall group) are responsible for these engagements and tools. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, June 01, 2006 10:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it? I see your points and think they are more of an argument to find and get the good dedicated knowledgeable people or farm out support to a company who has good knowledgeable people versus get a one time or even once per year consult. That one time consult does nothing to protect the infrastructure over the long term. If companies still to this point, do not understand the importance and criticality of Active Directory to them and it is truly is important and critical, IMO, they deserve anything that happens to them. 
Too many places, again IMO, run in a state where they assume everything will be running fine and don't get themselves into a position with knowledge and understanding and dedicated resources to handle issues that crop up and so issues that should be small issues or non-issues end up blowing up into disasters. I am aware of one company that took a non-issue that had it been handled by a solid knowledgeable crew would not have been but a blip on a monitor station and turned it into a week long outage. No part of it could have been prevented or probably even hinted at from a swing on by and try to point out issues but could easily have been handled by having empowered knowledgeable dedicated resources. Every company needs to ask themselves exactly how long can they go with being 100% down for various resources. Most places would be in extremely bad shape if something critical were out for a week. Finally, a tool that looks at an infrastructure and gathers the info together and tells you where the holes are probably shouldn't be an item that costs money from the company producing the infrastructure software... I would expect it to come with the infrastructure components or be a download. It isn't like if this were free the support teams at MSFT wouldn't have anything to do... joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Thursday, June 01, 2006 12:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it? The quality of AD admins in even very large orgs varies more than the engineers delivering the RAPs. I've seen AD administrators that literally had no clue what DSRM was, how data is transferred between DCs (doesn't FRS replicate users, too? Or, AD replication is broken so SYSVOL isn't replicating), the difference between seizing or transferring a FSMO role, etc. Those aren't even the worse examples of things I've seen. 
The information shared during the ADRAP is, in my opinion, among the best available today. I'm not saying it's the greatest thing since sliced bread, has nothing that can be improved, never includes bad/wrong info, or that you couldn't come up with something better. I am saying if you compare it to MOC classes, 3rd party training, etc., you'd be hard pressed to find anything better (besides Dean's class, of course). Most people administering AD environments do not focus on it as their sole job, lack the fundamental understanding of most of the core components that make up AD, and definitely benefit from workshops like the ADRAP. The real world, for whatever reason, typically either doesn't seem to be able to find all those highly qualified AD admins you think they should invest in or has decided to not make those investments. Now you, and several others in this listserv, would definitely be yawning through most of the delivery. However, I'd also say the people I'm referring to are well above average in their AD knowledge. As to the challenges of contradicting or silo type mentality when comparing the ADRAP and ExRAP I agree with you and effort should
RE: [ActiveDir] tokenGroups field
Much cooler ;-) That worked great. Thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 31, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Does this rate as cooler?

(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))

In adfind, you would do something like

adfind -config -rb cn=partitions -bit -f "&(objectcategory=crossRef)(systemflags:AND:=2)" -flagdc ncname systemflags

F:\DEV\cpp\MemberOf>adfind -config -rb cn=partitions -bit -f "&(objectcategory=crossRef)(systemflags:AND:=2)" -flagdc ncname systemflags
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Transformed Filter: (&(objectcategory=crossRef)(systemflags:1.2.840.113556.1.4.803:=2))
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: cn=partitions,CN=Configuration,DC=joe,DC=com

dn:CN=JOE,CN=Partitions,CN=Configuration,DC=joe,DC=com
nCName: DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]

dn:CN=CHILD1,CN=Partitions,CN=Configuration,DC=joe,DC=com
nCName: DC=child1,DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]

2 Objects returned

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, May 31, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks Joe, That's a little bit further than I want to go ;-) I wrote a GetMemberShip( DirectoryEntry ) method that finds all the domains in the forest and then connects to a GC in each and grabs tokenGroups for each and combines them into one string[]. That seems to work fine (until the day when we have a large number of domains :-o). Speaking of enumerating the domains in the forest, I'm enumerating the domains by connecting to: CN=Partitions,CN=Configuration,DC=forestroot,DC=net Then I throw away the schema, config, and DNS partitions.
That seems to work fine until the day we start using application partitions, in which case I will have no way of distinguishing a security enabled partition from the application partition. Is there a cooler way to enumerate the domain partitions in a forest?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

The membership of groups is handled in a special way. Although the member attribute is marked for PAS inclusion, only UG membership is replicated outside of a domain to all GCs. If you aren't worried about token creation for Windows security and instead just want to have full membership of a user in a single query you have two options that I can think of:
1. Consolidate the group membership into another store, say ADAM or SQL Server.
2. Create another linked attribute pair that you apply to users and groups like member/memberOf that is set for PAS inclusion. When you set the member attribute you set the additional attribute, which will replicate to all GCs because the directory doesn't have any special rules for your custom attribute. If you go that far, I would also set that new attribute to be saved on tombstone as well. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks, that's pretty much what I figured. So this is of low importance, but why wouldn't any GC in the forest be able to provide me with the local groups for all of the domains? Why do I have to hit a GC in every domain? As I understand it the GC replicates the data from each domain that is marked for the partial attribute set. Like I said, really low importance, I'm just curious.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Your token only contains groups that are valid locally. So if you log onto a workstation that is part of a forest, your token on the workstation will contain Universal groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine. Take a look at whoami /groups or sectok to see your interactive token. Now if you connect to a remote machine, you will get the groups that have value there on your token on that remote machine. This is easiest to see with ADAM: connect to an ADAM instance and pull the rootdse attribute tokengroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 7:27 PM
To:
RE: [ActiveDir] tokenGroups field
I'm using 1.1. I actually wrote a bunch of interop code so that I can use most of the DS services (DsGetDcName, DsGetSite, etc.) as .Net objects. Nice to know I could have just upgraded to .Net 2.0 ;-) Thanks for the info

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Wednesday, May 31, 2006 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field

I was going to say the same thing. Also, if you are using .NET 2.0, the new S.DS.ActiveDirectory namespace has tons of cool ways to enumerate domains in a forest, DCs in a domain (and by site), etc. The domain enumeration code uses very similar LDAP searches under the hood. The DC enumeration stuff uses the locator service (DsGetDcName, etc.).

Joe Kaplan

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, May 31, 2006 6:06 PM
Subject: RE: [ActiveDir] tokenGroups field

Does this rate as cooler?

(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))

In adfind, you would do something like

adfind -config -rb cn=partitions -bit -f "&(objectcategory=crossRef)(systemflags:AND:=2)" -flagdc ncname systemflags

F:\DEV\cpp\MemberOf>adfind -config -rb cn=partitions -bit -f "&(objectcategory=crossRef)(systemflags:AND:=2)" -flagdc ncname systemflags
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Transformed Filter: (&(objectcategory=crossRef)(systemflags:1.2.840.113556.1.4.803:=2))
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: cn=partitions,CN=Configuration,DC=joe,DC=com

dn:CN=JOE,CN=Partitions,CN=Configuration,DC=joe,DC=com
nCName: DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]

dn:CN=CHILD1,CN=Partitions,CN=Configuration,DC=joe,DC=com
nCName: DC=child1,DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]

2 Objects returned

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, May 31, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks Joe, That's a little bit further than I want to go ;-) I wrote a GetMemberShip( DirectoryEntry ) method that finds all the domains in the forest and then connects to a GC in each and grabs tokenGroups for each and combines them into one string[]. That seems to work fine (until the day when we have a large number of domains :-o). Speaking of enumerating the domains in the forest, I'm enumerating the domains by connecting to: CN=Partitions,CN=Configuration,DC=forestroot,DC=net Then I throw away the schema, config, and DNS partitions. That seems to work fine until the day we start using application partitions, in which case I will have no way of distinguishing a security enabled partition from the application partition. Is there a cooler way to enumerate the domain partitions in a forest?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

The membership of groups is handled in a special way. Although the member attribute is marked for PAS inclusion, only UG membership is replicated outside of a domain to all GCs. If you aren't worried about token creation for Windows security and instead just want to have full membership of a user in a single query you have two options that I can think of:
1. Consolidate the group membership into another store, say ADAM or SQL Server.
2. Create another linked attribute pair that you apply to users and groups like member/memberOf that is set for PAS inclusion. When you set the member attribute you set the additional attribute, which will replicate to all GCs because the directory doesn't have any special rules for your custom attribute. If you go that far, I would also set that new attribute to be saved on tombstone as well. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks, that's pretty much what I figured. So this is of low importance, but why wouldn't any GC in the forest be able to provide me with the local groups for all of the domains? Why do I have to hit a GC in every domain? As I understand it the GC replicates the data from each domain that is marked for the partial attribute set. Like I said, really low importance, I'm just curious.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Your token only contains groups that are valid locally. So if you log onto a
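The adfind filters quoted in this thread (in joe's reply and again in Joe Kaplan's) depend on the LDAP bitwise AND matching rule, OID 1.2.840.113556.1.4.803, which adfind writes as :AND: when run with -bit, to select crossRef objects whose systemFlags carry the XREF_NC_Domain bit. The Python block below is an added example, not code from the thread, from adfind or from the .NET S.DS.ActiveDirectory namespace: it models how the directory evaluates the AND and OR bitwise rules, renders systemFlags the way adfind's -flagdc output above does, and contrasts the bitwise filter with the name-based exclusion Joseph describes, which lets an application partition through. The crossRef entries are a constructed cn=Partitions container, the "AppData" application partition and the external crossRef are assumptions, and the flag name XREF_NC_NotGcReplicated for bit 4 is an assumed label; the XREF_NC_NTDS(1) and XREF_NC_Domain(2) names and values are the ones adfind printed in the thread.

```python
from dataclasses import dataclass

# LDAP extensible matching rules AD implements for integer bit-field attributes.
BIT_AND = "1.2.840.113556.1.4.803"   # adfind -bit spells this :AND:
BIT_OR = "1.2.840.113556.1.4.804"    # adfind -bit spells this :OR:

# systemFlags bits on crossRef objects. The first two names and values are the
# ones adfind printed in the thread; the third name is an assumed label for
# bit 4, which AD sets on application partitions (content never replicated
# to global catalogs).
XREF_NC_NTDS = 1
XREF_NC_DOMAIN = 2
XREF_NC_NOT_GC_REPLICATED = 4
FLAG_NAMES = {
    XREF_NC_NTDS: "XREF_NC_NTDS",
    XREF_NC_DOMAIN: "XREF_NC_Domain",
    XREF_NC_NOT_GC_REPLICATED: "XREF_NC_NotGcReplicated",
}


@dataclass(frozen=True)
class CrossRef:
    cn: str
    nc_name: str
    system_flags: int


# Constructed sample of cn=Partitions,cn=Configuration for a two-domain forest:
# schema, configuration, two domains, the two DNS application partitions, a
# custom application partition and an external crossRef (referral to another
# forest). Not data from the thread.
PARTITIONS = [
    CrossRef("Enterprise Schema", "CN=Schema,CN=Configuration,DC=joe,DC=com", 1),
    CrossRef("Enterprise Configuration", "CN=Configuration,DC=joe,DC=com", 1),
    CrossRef("JOE", "DC=joe,DC=com", 3),
    CrossRef("CHILD1", "DC=child1,DC=joe,DC=com", 3),
    CrossRef("ForestDnsZones", "DC=ForestDnsZones,DC=joe,DC=com", 5),
    CrossRef("DomainDnsZones", "DC=DomainDnsZones,DC=joe,DC=com", 5),
    CrossRef("AppData", "DC=AppData,DC=joe,DC=com", 5),
    CrossRef("example.net", "DC=example,DC=net", 0),
]


def bit_match(rule_oid: str, attribute_value: int, filter_value: int) -> bool:
    """Evaluate (attr:rule:=value) the way the directory does.

    BIT_AND succeeds only when every bit of filter_value is set in the
    attribute; BIT_OR succeeds when at least one of them is.
    """
    if rule_oid == BIT_AND:
        return (attribute_value & filter_value) == filter_value
    if rule_oid == BIT_OR:
        return (attribute_value & filter_value) != 0
    raise ValueError(f"unknown matching rule {rule_oid}")


def decode_flags(value: int) -> str:
    """Render systemFlags like adfind -flagdc: '3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]'."""
    names = [f"{name}({bit})" for bit, name in sorted(FLAG_NAMES.items()) if value & bit]
    return f"{value} [{';'.join(names)}]"


def domain_ncs(partitions):
    """joe's filter: (&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))."""
    return [p.nc_name for p in partitions
            if bit_match(BIT_AND, p.system_flags, XREF_NC_DOMAIN)]


def naive_domain_ncs(partitions):
    """Joseph's original approach: drop schema, config and DNS partitions by name.

    Everything else under cn=Partitions is then taken to be a domain, so a
    custom application partition or an external crossRef is misclassified.
    """
    return [p.nc_name for p in partitions
            if not (p.nc_name.startswith("CN=Schema,")
                    or p.nc_name.startswith("CN=Configuration,")
                    or "DnsZones" in p.nc_name)]


if __name__ == "__main__":
    for p in PARTITIONS:
        print(f"{p.nc_name:45} systemFlags: {decode_flags(p.system_flags)}")
    print("bitwise filter:", domain_ncs(PARTITIONS))
    print("name exclusion:", naive_domain_ncs(PARTITIONS))
```

Only the two domain NCs carry bit 2, so the bitwise filter returns exactly the partitions that hold security principals and whose GCs need to be queried for tokenGroups, while the name-based exclusion also returns DC=AppData and DC=example,DC=net.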
Re: [ActiveDir] OT: srvinfo output incomplete
Darn reskit tools. :) Check to see that you have the latest version and you may also want to check the security logs on the target and dc that was used. I don't have access to see what that tool is using to gather that information, but I would guess wmi information is being collected else a walk through the registry. Ensure you can do same locally on that machine. Also, you may want to get a better sampling to rule out tool vs. target. Or at least to get a better set of data points.

Al

On 6/1/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:
Situation: running "srvinfo \\computer_name" with domain admin credentials from a remote computer. One w2k3/sp1 server target returns the full complement of information, including CPU, BIOS info, hotfixes, network card info, uptime. Another w2k3sp1 server target returns only partial information, missing CPU, BIOS info, hotfixes, network card info, and uptime. Also, this second computer also returns "Domain: Error 5" and "PDC: Error 5". This same domain admin can log into the second computer target directly and run "srvinfo" and get a full complement of information! Both target computers are in AD and have the same policies applied to them. Security options appear to be the same. Does anyone have any thoughts as to what might be preventing a complete information disclosure when running srvinfo from across the network? TIA!

Mike Thommes
RE: [ActiveDir] HIDE OU
We created OU's and removed all users except for Domain Admins (of course we left the SYSTEM access). The OU never shows up for non-Domain Admins. Domain Admins have full access to the OU and can add as many objects as they want.

Dan

Original Message
Subject: [ActiveDir] HIDE OU
From: Za Vue [EMAIL PROTECTED]
Date: Thu, June 01, 2006 9:22 am
To: ActiveDir@mail.activedir.org

I know it has been done and probably asked before..but how do you hide a particular user or OU in AD(W23K)?

-Z.V.
Re: [ActiveDir] HIDE OU
Hide from whom? And why?

On 6/1/06, Za Vue [EMAIL PROTECTED] wrote:
I know it has been done and probably asked before..but how do you hide a particular user or OU in AD(W23K)?

-Z.V.
Re: [ActiveDir] Restricted Groups
Hmm... I'm not sure this is the way to go for your requirements. Restricted groups is going to have a delay before it puts the groups back to the way they *should* be. It sounds like you need a better system for delegation. Can you expand on your requirements?

On 5/31/06, James Carter [EMAIL PROTECTED] wrote:
Sorry I should clarify, by User I mean an IT Helpdesk Account Creator. Single Domain Windows 2003, FFL. I have delegated rights to various Security Groups for privileges in the domain.

James

James Carter [EMAIL PROTECTED] wrote:
Hi, I am thinking of making all the builtin groups apart from the Administrators group part of the Restricted Groups function. I don't want any user to add themselves to the Account, Backup, Server, Print Operators group for any length of time. Or does anyone know of a simpler way to achieve this?

Regards,
James
RE: [ActiveDir] New DC can't find the machine account
When I hear expected, I usually translate it into it's OK, don't worry about it. I see what you are saying here, but I don't think it applies in the scenario he's described. I also don't think that building another DNS server is what Al needs to be doing right now. Let's see what DNS the DCs are using and let's find out why it's not doing its job.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 6/1/2006 10:04 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Expected as in Microsoft knows that it sometimes happens upon a reboot but goes away when settled. That's how I read the KB.

-Original Message-
From: [EMAIL PROTECTED]
Date: Thu, 1 Jun 2006 08:45:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New DC can't find the machine account

Mark: why would this be expected?

Al: Who is doing DNS for this DC in question? If you ping a domain resource from that DNS server, does it resolve correctly?

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 6/1/2006 7:11 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Did you see my post last night - this is expected behaviour?

-Original Message-
From: Al Lilianstrom [EMAIL PROTECTED]
Date: Thu, 01 Jun 2006 08:13:20
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

[EMAIL PROTECTED] wrote:
I bet you one crate to a bottle of German beer that your DNS is out to lunch. Every time when I've seen this, it always goes away by kicking a DNS server somewhere. Check your DNS servers.

I talked to the networking people and the DNS server that is used for our test domains is a couple of major releases out of date and running on really crap hardware. Building him a new server... Thanks for all the help.

al

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Wed 5/31/2006 7:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Almeida Pinto, Jorge de wrote:
see if the following helps: http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1

I had run across that page last night. Time is ok (ntp to local time source). I don't think that both computer accounts are corrupt as they were ok as simple servers. I enabled debug logging for the netlogon service and at the same time I get the userenv events I get

05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.: Netlogon is paused on the server. 0x14

al

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Wed 2006-05-31 15:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New DC can't find the machine account

Hi, I have a Windows 2000 based AD (empty root with 1 child domain) that I'm in the process of upgrading to w2003r2 as a test for our production domain (same configuration). The adprep went fine as well as the dcpromo of the new DC. However when the new DC reboots I get the following messages in the application log: EVENT TYPE Error SOURCE Userenv EVENT ID
[ActiveDir] setting the regional settings with GPO or other scripts...
Hi, I would like to restrict the users from changing the regional settings on their laptops. Also I would like to push the configuration as to date format and number decimals value and such. Anyone has a way to do that centrally? Thanks!

Note: I'm googling for it right now, sorry if there is an easy answer for this one; I'm actually in a little hurry so I didn't search before posting. Sorry for that.
RE: [ActiveDir] OT: srvinfo output incomplete
It's been a while but last time I checked srvinfo was predominantly registry calls so I'd look at Remote Registry Service, policy settings like Network Access: Remotely accessible Registry paths, stuff like that. \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg might be enlightening... Regmon on the remote machine should be helpful...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, June 01, 2006 8:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: srvinfo output incomplete

Situation: running srvinfo \\computer_name with domain admin credentials from a remote computer. One w2k3/sp1 server target returns the full complement of information, including CPU, BIOS info, hotfixes, network card info, uptime. Another w2k3sp1 server target returns only partial information, missing CPU, BIOS info, hotfixes, network card info, and uptime. Also, this second computer also returns Domain: Error 5 and PDC: Error 5. This same domain admin can log into the second computer target directly and run srvinfo and get a full complement of information! Both target computers are in AD and have the same policies applied to them. Security options appear to be the same. Does anyone have any thoughts as to what might be preventing a complete information disclosure when running srvinfo from across the network? TIA!

Mike Thommes
RE: [ActiveDir] setting the regional settings with GPO or other scripts...
You can set the default language and prevent users from changing the regional settings in Control Panel using the following setting: USER\Administrative Templates\Control Panel\Regional and Language Options

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Friday, 2 June 2006 8:34 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] setting the regional settings with GPO or other scripts...

Hi, I would like to restrict the users from changing the regional settings on their laptops. Also I would like to push the configuration as to date format and number decimals value and such. Anyone has a way to do that centrally? Thanks!

Note: I'm googling for it right now, sorry if there is an easy answer for this one; I'm actually in a little hurry so I didn't search before posting. Sorry for that.
[ActiveDir] Profile migration to new domain
Hi all

The environment I'm in has multiple domains and I've been given a task to move about 40 users from one domain to another. There's no trust between the source domain and mine and no plans to have one. Too much red tape. My dilemma is trying to preserve the user's desktop profiles when they come over to my domain. In the past there's been a trust between any domain migrations I've performed which provides a host of avenues but with no trust I'm not sure of a way to do it other than some manual moves and permission/registry tweaks. However, doing that for 40 users with a manual process is not my idea of fun. Saving their email is covered so it's not an issue. Any ideas or methods would be welcomed.

Many thanks
Jerry
Re: [ActiveDir] setting the regional settings with GPO or other scripts...
You should be able to set the date formats using a registry entry. Take a look at this page for the various settings http://www.jsifaq.com/SUBA/tip0300/rh0311.htm sTime and sTimeFormat should help you out. You can deploy the registry settings using a login script or create your own template. I like a free tool made by Desktopstandard for deploying registry settings via GPO. Check out PolicyMaker Registry Extension. Creating the adm template is really easy using that tool.

Thanks
Mike

On 6/1/06, Tony Murray [EMAIL PROTECTED] wrote:
You can set the default language and prevent users from changing the regional settings in Control Panel using the following setting: USER\Administrative Templates\Control Panel\Regional and Language Options

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruyere, Michel
Sent: Friday, 2 June 2006 8:34 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] setting the regional settings with GPO or other scripts...

Hi, I would like to restrict the users from changing the regional settings on their laptops. Also I would like to push the configuration as to date format and number decimals value and such. Anyone has a way to do that centrally? Thanks!

Note: I'm googling for it right now, sorry if there is an easy answer for this one; I'm actually in a little hurry so I didn't search before posting. Sorry for that.
Re: [ActiveDir] Profile migration to new domain
Suggestions? More like a shot in the dark. :)

Have you seen the transfer your settings wizard in XP? Have you checked to see what that can do for you? I suspect there will be some scripting involved, because there will be no automated way to determine the source/target profiles programmatically. You could migrate their settings etc, but there's no sid/sidhistory to reference. Not much point in getting that information either. There's also the permissions issues etc.

Was it me, I'd suggest taking this opportunity to re-image the workstations in question. Cleaner, neater, more secure, and no lingering issues to deal with.

Al

On 6/1/06, Condra, Jerry W Mr HP [EMAIL PROTECTED] wrote:
Hi all

The environment I'm in has multiple domains and I've been given a task to move about 40 users from one domain to another. There's no trust between the source domain and mine and no plans to have one. Too much red tape. My dilemma is trying to preserve the user's desktop profiles when they come over to my domain. In the past there's been a trust between any domain migrations I've performed which provides a host of avenues but with no trust I'm not sure of a way to do it other than some manual moves and permission/registry tweaks. However, doing that for 40 users with a manual process is not my idea of fun. Saving their email is covered so it's not an issue. Any ideas or methods would be welcomed.

Many thanks
Jerry
RE: [ActiveDir] Profile migration to new domain
Moveuser.exe is the tool that I would typically use for this to do it in a batch fashion. Just not sure if the lack of trust will be an issue, but probably worth a try. It's in the Reskit tools.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, June 01, 2006 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Profile migration to new domain

Suggestions? More like a shot in the dark. :)

Have you seen the transfer your settings wizard in XP? Have you checked to see what that can do for you? I suspect there will be some scripting involved, because there will be no automated way to determine the source/target profiles programmatically. You could migrate their settings etc, but there's no sid/sidhistory to reference. Not much point in getting that information either. There's also the permissions issues etc.

Was it me, I'd suggest taking this opportunity to re-image the workstations in question. Cleaner, neater, more secure, and no lingering issues to deal with.

Al

On 6/1/06, Condra, Jerry W Mr HP [EMAIL PROTECTED] wrote:
Hi all

The environment I'm in has multiple domains and I've been given a task to move about 40 users from one domain to another. There's no trust between the source domain and mine and no plans to have one. Too much red tape. My dilemma is trying to preserve the user's desktop profiles when they come over to my domain. In the past there's been a trust between any domain migrations I've performed which provides a host of avenues but with no trust I'm not sure of a way to do it other than some manual moves and permission/registry tweaks. However, doing that for 40 users with a manual process is not my idea of fun. Saving their email is covered so it's not an issue. Any ideas or methods would be welcomed.

Many thanks
Jerry
Re: [ActiveDir] Profile migration to new domain
Rip out a profile? Nuke and pave? Bite your tongue sir... we want that icon to be exactly right THERE on the desktop.

file/transfer wiz in XP (but don't get docs..just do settings)

Download details: Windows Server 2003 Resource Kit Tools: http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Moveuser.exe How to migrate user accounts: http://www.microsoft.com/technet/windowsvista/library/6730111b-b111-4a64-8f00-af87a63fd157.mspx

Moveuser - Move between domains: http://www.ss64.com/nt/moveuser.html

*The Old Fashioned Way*

Call it a lesson learned late on a Saturday night. This method was used in late January during the heat of a conversion battle by yours truly! For this procedure, I assume that you are using a Windows XP Professional workstation.

1. While the XP Pro workstation is still attached to the legacy SBS 2000 network, copy the network profile down to the local hard disk. So assuming you are logged on to said SBS 2000 network, proceed to the next step.
2. Click Start > Control Panel > System > Advanced > User Profiles > Settings.
3. Highlight the network profile for the user. For example, NormH.
4. Select Copy To and direct the profile to copy to the local hard disk. For example, C:\Temp. Click OK > OK.
5. From the Control Panel, launch Administrative Tools > Computer Management.
6. Select System Tools > Local Users and Groups.
7. Select Users.
8. Right-click in the right pane and select New User to add a user named Foo.
9. Double-click the user object and select the Profile tab to view the properties for Foo.
10. In the Profile path field, point to the exact profile you copied to C:\Temp in Step 4. Click OK.
11. Close all open applications, shut down the Windows XP Pro machine, and move it physically to the new SBS 2003 network. Reboot and relaunch the SBS Network Configuration Wizard.
12. Back on the screen to Assign users to this computer and migrate their profiles, in the lower section, under the user name (for example, NormH), click Current User Settings and select Foo. Complete the steps for joining the workstation to the SBS 2003 domain. The profile WILL be migrated!

*User Profile Registry*

This method came in from M.J. Shoer ([EMAIL PROTECTED]), who attended the SMB Nation Summit in Boston in May. He writes:

This method has worked for us without fail. We can retain the complete profile customizations for a PC that was logged into one domain and must now be logged into a new one. The method works for both Win2K and WinXP. It has also worked for upgrading SBS 2000 to SBS 2003, where it is happening on the same server, meaning that you have to reformat the SBS 2000 server and load freshie, as you would say, with SBS 2003.

Here's how it works. Once the SBS 2003 server is set up and the computers are set up on the server side, log into the client PC and run the connectcomputer URL. When that step is completed, log in as the user. Then immediately log off and log on as the domain administrator. Be sure the domain user account is in the local administrator's group. Then open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. You will see a listing for each SID. Within each SID key, you will see an entry for ProfileImagePath with a path to the users profile in the form of %SystemDrive%\Documents and Settings\UserName. The trick is to find the new key that was set up at logon to the SBS 2003 server and edit the path to refer back to the original profile path. So, for example, if you are migrating and changing domains, you want to have a path like %SystemDrive%\Documents and Settings\UserName.OldDomain. You then have a new SID key with a path like %SystemDrive%\Documents and Settings\UserName.NewDomain. You can edit this key and replace NewDomain with OldDomain to point to the old profile.

In the case of a server migration within the same domain, you have a path to the effect of %SystemDrive%\Documents and Settings\UserName.Domain and %SystemDrive%\Documents and Settings\UserName.Domain.000. In this instance, you delete the .000 to point back to the original profile.

*The MCSE Way*

Then there are the grizzled MCSEs amongst us who pointedly highlight using the Active Directory Migration Tool (ADMT). Details at http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/admtool.mspx. Enough said!

Al Mulnick wrote:
Suggestions? More like a shot in the dark. :) Have you seen the transfer your settings wizard in XP? Have you checked to see what that can do for you? I suspect there will be some scripting involved, because there will be no automated way to determine the source/target profiles programmatically. You could migrate their settings etc, but there's no
RE: [ActiveDir] [ActiveDir Digest]
Although this also involves Exchange, I hope someone can help me with the following scenario as soon as possible:

Same Company
Two Separate Forests
Two Separate Domains
Two-way transitive trust
One Exchange Org with Admin Group One as Forest A and Admin Group Two as Forest B
Full ability to see and administer each other's AD and Exchange, if necessary

Forest A recently migrated from Exchange 5.5 to Exchange 2003 and AD 2003. Forest B wants to do the same.

When Forest A decommissioned its Exchange 5.5 server, its new Exchange 2003 server could no longer see Forest B's Exchange 5.5 server (which is Win2k OS), and any new users added to Forest A do not appear in the Global Address Book used by Forest B, and which was in the past shared by both forests - as a result, Forest B can send no emails to new users in Forest A. In addition, the 5.5 server in Forest B can no longer be seen or administered by Forest A, even though there is an ADC between them.

Microsoft says that because Exchange 5.5 does not use AD and Exchange 2003 does, there will no longer be any communication between the 5.5 server and the 2003 server until Forest B migrates or upgrades to AD 2003 and Exchange 2003. Microsoft also said that if Forest A brings back the 5.5 server for the sake of Forest B's upgrade or migration, that it still would not work.

Forest B has a new AD 2003 server that it wants to promote, and demote the existing AD 2000 server. After establishing an ADC between forests, Forest B has a new Exchange 2003 server that it wants to introduce to its domain. Forest B is also considering an in-place upgrade of its existing 5.5 server.

The issue is the preservation and move of the mailboxes without having to PST them manually. If an Exchange 2003 environment cannot see an Exchange 5.5 server, how can we move the mailboxes?

Sorry for being long-winded... thanks for any help you can give
Re: [ActiveDir] HIDE OU
be careful doing that... if you have users in that container and you do not give both the client machine and the user certain read props then policy will break, among other things. If you're just trying to hide from AD MMCs then you can set the ShowAdvanceViewOnly attrib which will hide the object unless the admin has enabled 'Advanced View'.

Rgds,
Tim

On 6/2/06, Daniel Gilbert [EMAIL PROTECTED] wrote:

We created OUs and removed all users except for Domain Admins (of course we left the SYSTEM access). The OU never shows up for non-Domain Admins. Domain Admins have full access to the OU and can add as many objects as they want.

Dan
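Tim's warning is the security-relevant point of this thread: an OU hidden by stripping Read from its ACL also hides its gPLink from the very principals that must read it during policy processing. The following PowerShell is an added example written for this page, not code from the list or from Microsoft; it audits the ACL for the principals policy processing depends on and then applies the console-only hiding Tim describes (the attribute is spelled showInAdvancedViewOnly in the schema). It assumes the ActiveDirectory module from RSAT and an OU distinguished name you substitute for the placeholder.

```powershell
# Added example (not from the thread): check whether "hiding" an OU through its
# ACL has removed the read access Group Policy processing needs, then hide it
# from the console with showInAdvancedViewOnly instead.
# Assumes the ActiveDirectory module (RSAT); the OU DN below is a placeholder.
Import-Module ActiveDirectory

$OuDn = 'OU=Hidden,DC=example,DC=com'   # placeholder, replace with the real OU

# The client computer account and the user are both members of Authenticated
# Users and read the OU's gPLink/gPOptions during policy processing; SYSTEM is
# the entry Dan mentions keeping. A missing Allow, or any Deny, for these
# principals is what breaks policy for objects in the OU.
$RequiredReaders = @('NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\SYSTEM')
$ReadRights = 'GenericRead|GenericAll|ReadProperty|ListChildren'

function Test-OuReadAccess {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string[]]$Principals
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($p in $Principals) {
        $aces  = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $p }
        $allow = $aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match $ReadRights
        }
        $deny  = $aces | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.ActiveDirectoryRights -match $ReadRights
        }
        [pscustomobject]@{
            Principal    = $p
            HasAllowRead = [bool]$allow
            HasDenyRead  = [bool]$deny
            PolicyAtRisk = (-not $allow) -or [bool]$deny   # what Tim warns about
        }
    }
}

Test-OuReadAccess -DistinguishedName $OuDn -Principals $RequiredReaders |
    Format-Table -AutoSize

# Console-only hiding: the OU stays readable (so policy keeps working), but
# Active Directory Users and Computers omits it until View > Advanced Features
# is switched on.
Set-ADObject -Identity $OuDn -Replace @{ showInAdvancedViewOnly = $true }
Get-ADObject -Identity $OuDn -Properties showInAdvancedViewOnly |
    Select-Object DistinguishedName, showInAdvancedViewOnly
```

Run the audit before and after any ACL change on the OU; a PolicyAtRisk of True for Authenticated Users means clients placed in that OU will not be able to evaluate the policy linked there, regardless of how the OU looks in the console.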
Re: [ActiveDir] Profile migration to new domain
Check out USMT 2.6.1 - free download - it is scriptable.

steve

- Original Message -
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Thursday, June 01, 2006 2:38 PM
Subject: Re: [ActiveDir] Profile migration to new domain

Suggestions? More like a shot in the dark. :)

Have you seen the transfer your settings wizard in XP? Have you checked to see what that can do for you? I suspect there will be some scripting involved, because there will be no automated way to determine the source/target profiles programmatically. You could migrate their settings etc, but there's no sid/sidhistory to reference. Not much point in getting that information either. There's also the permissions issues etc.

Was it me, I'd suggest taking this opportunity to re-image the workstations in question. Cleaner, neater, more secure, and no lingering issues to deal with.

Al

On 6/1/06, Condra, Jerry W Mr HP [EMAIL PROTECTED] wrote:

Hi all

The environment I'm in has multiple domains and I've been given a task to move about 40 users from one domain to another. There's no trust between the source domain and mine and no plans to have one. Too much red tape. My dilemma is trying to preserve the users' desktop profiles when they come over to my domain. In the past there's been a trust between any domain migrations I've performed which provides a host of avenues but with no trust I'm not sure of a way to do it other than some manual moves and permission/registry tweaks. However, doing that for 40 users with a manual process is not my idea of fun. Saving their email is covered so it's not an issue. Any ideas or methods would be welcomed.

Many thanks
Jerry
Re: [ActiveDir] Profile migration to new domain
Sorry ma'am. I should have completed my sentence and said, ..unless Susan can post the step by step directions. Silly me for not proof reading first.

I'd still opt for nuke and pave in that environment. Allows you to have a known state, and last I checked that's kind of important to the type of customer he has. Now he has more options.

USMT would have been a thought except that there is no trust and no reason to move the sid that I can think of. Same reason that moveuser wouldn't really matter to me. I'd prefer the control of creating the users as new users. In effect, they are new users (secprins) anyway - treat 'em that way.

Susan offers a way to get the settings and magical icons though. That's a nice touch, an option if so taken.

On 6/1/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Rip out a profile? Nuke and pave? Bite your tongue sir... we want that icon to be exactly right THERE on the desktop.

file/transfer wiz in XP (but don't get docs..just do settings)

Download details: Windows Server 2003 Resource Kit Tools:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Moveuser.exe

How to migrate user accounts:
http://www.microsoft.com/technet/windowsvista/library/6730111b-b111-4a64-8f00-af87a63fd157.mspx

Moveuser - Move between domains:
http://www.ss64.com/nt/moveuser.html

*The Old Fashioned Way*

Call it a lesson learned late on a Saturday night. This method was used in late January during the heat of a conversion battle by yours truly! For this procedure, I assume that you are using a Windows XP Professional workstation.

1. While the XP Pro workstation is still attached to the legacy SBS 2000 network, copy the network profile down to the local hard disk. So assuming you are logged on to said SBS 2000 network, proceed to the next step.
2. Click Start > Control Panel > System > Advanced > User Profiles > Settings.
3. Highlight the network profile for the user. For example, NormH.
4. Select Copy To and direct the profile to copy to the local hard disk. For example, C:\Temp. Click OK, OK.
5. From the Control Panel, launch Administrative Tools > Computer Management.
6. Select System Tools > Local Users and Groups.
7. Select Users.
8. Right-click in the right pane and select New User to add a user named Foo.
9. Double-click the user object and select the Profile tab to view the properties for Foo.
10. In the Profile path field, point to the exact profile you copied to C:\Temp in Step 4. Click OK.
11. Close all open applications, shut down the Windows XP Pro machine, and move it physically to the new SBS 2003 network. Reboot and relaunch the SBS Network Configuration Wizard.
12. Back on the screen to Assign users to this computer and migrate their profiles, in the lower section, under the user name (for example, NormH), click Current User Settings and select Foo. Complete the steps for joining the workstation to the SBS 2003 domain. The profile WILL be migrated!

*User Profile Registry*

This method came in from M.J. Shoer ([EMAIL PROTECTED]), who attended the SMB Nation Summit in Boston in May. He writes:

This method has worked for us without fail. We can retain the complete profile customizations for a PC that was logged into one domain and must now be logged into a new one. The method works for both Win2K and WinXP. It has also worked for upgrading SBS 2000 to SBS 2003, where it is happening on the same server, meaning that you have to reformat the SBS 2000 server and load freshie, as you would say, with SBS 2003.

Here's how it works. Once the SBS 2003 server is set up and the computers are set up on the server side, log into the client PC and run the connectcomputer URL. When that step is completed, log in as the user. Then immediately log off and log on as the domain administrator. Be sure the domain user account is in the local administrators group.

Then open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList. You will see a listing for each SID. Within each SID key, you will see an entry for ProfileImagePath with a path to the user's profile in the form of %SystemDrive%\Documents and Settings\UserName.

The trick is to find the new key that was set up at logon to the SBS 2003 server and edit the path to refer back to the original profile path. So, for example, if you are migrating and changing domains, you want to have a path like %SystemDrive%\Documents and Settings\UserName.OldDomain. You then have a new SID key with a path like %SystemDrive%\Documents and Settings\UserName.NewDomain. You can edit this key and replace NewDomain with OldDomain to point to the old profile.

In the case of a server migration within the same domain, you have a path to the effect of %SystemDrive%\Documents and Settings\UserName.Domain and %SystemDrive%\Documents and Settings\UserName.Domain.000. In this instance, you delete the .000 to point back to the original profile.

*The MCSE Way*

Then there are the
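The "User Profile Registry" method above (quoted in full earlier in this digest as well) amounts to repointing one SID's ProfileImagePath at another SID's folder. The PowerShell below is an added example written for this page, not code from M.J. Shoer or the list; it enumerates the ProfileList entries, pairs up the old and new keys for the same user name, and wraps the edit in -WhatIf so nothing changes until you have looked at the pairing. It assumes local administrator rights on the workstation and a supported Windows version; note that the real key path contains a space, "Windows NT", rather than the "WindowsNT" spelling in the post.

```powershell
# Added example (not from the thread): audit and, only when asked, repoint the
# ProfileList entries that the "User Profile Registry" method edits by hand.
# Assumes local admin rights; the SID and path in the sample call are placeholders.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileEntry {
    # One object per SID subkey: SID, the account it resolves to (old-domain SIDs
    # stop resolving once that domain is unreachable), and the profile folder.
    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }
        [pscustomobject]@{ Sid = $sid; Account = $account; ProfileImagePath = $path }
    }
}

function Find-ProfilePair {
    # Group entries by the user-name part of the folder name: "NormH.OldDomain",
    # "NormH.NewDomain" and "NormH.Domain.000" all share the base "NormH".
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries |
        Where-Object { $_.ProfileImagePath } |
        Group-Object { ((Split-Path -Path $_.ProfileImagePath -Leaf) -split '\.')[0] } |
        Where-Object { $_.Count -gt 1 }
}

function Set-ProfilePath {
    # Repoints ProfileImagePath for one SID. Run with -WhatIf first. The NTFS ACL
    # on the old folder still names the old SID, so grant the new account access
    # (Get-Acl / icacls) before the user logs on, or the profile will not load.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$NewPath
    )
    $key = Join-Path -Path $ProfileListKey -ChildPath $Sid
    if ($PSCmdlet.ShouldProcess($key, "Set ProfileImagePath to $NewPath")) {
        # ProfileImagePath is REG_EXPAND_SZ; keep that type so %SystemDrive% expands.
        Set-ItemProperty -Path $key -Name ProfileImagePath -Value $NewPath -Type ExpandString
    }
}

$entries = Get-ProfileEntry
$entries | Format-Table -AutoSize

foreach ($pair in Find-ProfilePair -Entries $entries) {
    Write-Output "Profiles sharing user name '$($pair.Name)':"
    $pair.Group | Format-Table Sid, Account, ProfileImagePath -AutoSize
}

# Sample call with placeholder values; drop -WhatIf only after reviewing the pairing.
Set-ProfilePath -Sid 'S-1-5-21-<newdomain>-1105' `
    -NewPath '%SystemDrive%\Documents and Settings\NormH.OldDomain' -WhatIf
```

The pairing output is where the thread's two cases show up: a ".OldDomain"/".NewDomain" pair for a domain change, or a ".Domain"/".Domain.000" pair for a same-domain server migration. Whichever entry resolves to the new account is the one whose path gets rewritten; the entry that no longer resolves is the old SID whose folder you are reusing.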
Re: [ActiveDir] [ActiveDir Digest]
Jeri, the ADC is the component that helps to bridge the 5.5 and AD directories. Regardless of what happens, you should have the ability for the ADC to put Exchange 5.5 data into the AD and vice-versa. Although the 5.5 server is gone in forest A that doesn't necessarily mean they can't have the ADC there. They can also have the forest B 5.5 site replicate its data via 5.5 methods. All of that depends on what settings forest A made when they removed Exchange 5.5. It's possible they made a change that prevents Exchange 2003 from ever seeing a 5.5 server again.

It's dangerous to second guess Microsoft on this. I'm sure there're many more details that are to be had, and I'm curious what makes you think that if Microsoft support couldn't help, that you think somebody else can? Can you enlighten us as to what was said and what reasons were given?

Al

On 6/1/06, Bland, Jeri [EMAIL PROTECTED] wrote:

Although this also involves Exchange, I hope someone can help me with the following scenario as soon as possible:

Same Company
Two Separate Forests
Two Separate Domains
Two-way transitive trust
One Exchange Org with Admin Group One as Forest A and Admin Group Two as Forest B
Full ability to see and administer each other's AD and Exchange, if necessary

Forest A recently migrated from Exchange 5.5 to Exchange 2003 and AD 2003. Forest B wants to do the same.

When Forest A decommissioned its Exchange 5.5 server, its new Exchange 2003 server could no longer see Forest B's Exchange 5.5 server (which is Win2k OS), and any new users added to Forest A do not appear in the Global Address Book used by Forest B, and which was in the past shared by both forests - as a result, Forest B can send no emails to new users in Forest A. In addition, the 5.5 server in Forest B can no longer be seen or administered by Forest A, even though there is an ADC between them.

Microsoft says that because Exchange 5.5 does not use AD and Exchange 2003 does, there will no longer be any communication between the 5.5 server and the 2003 server until Forest B migrates or upgrades to AD 2003 and Exchange 2003. Microsoft also said that if Forest A brings back the 5.5 server for the sake of Forest B's upgrade or migration, that it still would not work.

Forest B has a new AD 2003 server that it wants to promote, and demote the existing AD 2000 server. After establishing an ADC between forests, Forest B has a new Exchange 2003 server that it wants to introduce to its domain. Forest B is also considering an in-place upgrade of its existing 5.5 server.

The issue is the preservation and move of the mailboxes without having to PST them manually. If an Exchange 2003 environment cannot see an Exchange 5.5 server, how can we move the mailboxes?

Sorry for being long-winded... thanks for any help you can give
RE: [ActiveDir] Profile migration to new domain
Jerry, I think without the trusts and using ADMT, you are going to be pushing it up a hill as far as the easy portion of this goes. Good luck and let us know what you end up doing...

themolk.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Friday, 2 June 2006 7:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Profile migration to new domain

Hi all

The environment I'm in has multiple domains and I've been given a task to move about 40 users from one domain to another. There's no trust between the source domain and mine and no plans to have one. Too much red tape. My dilemma is trying to preserve the users' desktop profiles when they come over to my domain. In the past there's been a trust between any domain migrations I've performed which provides a host of avenues but with no trust I'm not sure of a way to do it other than some manual moves and permission/registry tweaks. However, doing that for 40 users with a manual process is not my idea of fun. Saving their email is covered so it's not an issue. Any ideas or methods would be welcomed.

Many thanks
Jerry
Re: [ActiveDir] Profile migration to new domain
Well I nuked and paved a formerly Dell OEM now a retail OS.. and now can't get the NIC on the motherboard to find nic drivers... anyone for a black decorative doorstop until I find the driver it wants or throw an intel card in there?

Small firms we
a. don't have the proper license to nuke/pave/reimage
b. may not have the proper media to restore (you get the lovely OEM view of 'restoration media')
c. We're already running the kitchen sink service as it is and now you want us to RIS on that box as well? Geeze guys (it can do it but we recommend you turn it on when you need it and turn it off otherwise Exchange isn't a real happy camper sharing mem space)

Al Mulnick wrote:

Sorry ma'am. I should have completed my sentence and said, ..unless Susan can post the step by step directions. Silly me for not proof reading first.

I'd still opt for nuke and pave in that environment. Allows you to have a known state, and last I checked that's kind of important to the type of customer he has. Now he has more options.

USMT would have been a thought except that there is no trust and no reason to move the sid that I can think of. Same reason that moveuser wouldn't really matter to me. I'd prefer the control of creating the users as new users. In effect, they are new users (secprins) anyway - treat 'em that way.

Susan offers a way to get the settings and magical icons though. That's a nice touch, an option if so taken.

On 6/1/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL PROTECTED] wrote:

Rip out a profile? Nuke and pave? Bite your tongue sir... we want that icon to be exactly right THERE on the desktop.

file/transfer wiz in XP (but don't get docs..just do settings)

Download details: Windows Server 2003 Resource Kit Tools:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Moveuser.exe

How to migrate user accounts:
http://www.microsoft.com/technet/windowsvista/library/6730111b-b111-4a64-8f00-af87a63fd157.mspx

Moveuser - Move between domains:
http://www.ss64.com/nt/moveuser.html

*The Old Fashioned Way*

Call it a lesson learned late on a Saturday night. This method was used in late January during the heat of a conversion battle by yours truly! For this procedure, I assume that you are using a Windows XP Professional workstation.

1. While the XP Pro workstation is still attached to the legacy SBS 2000 network, copy the network profile down to the local hard disk. So assuming you are logged on to said SBS 2000 network, proceed to the next step.
2. Click Start > Control Panel > System > Advanced > User Profiles > Settings.
3. Highlight the network profile for the user. For example, NormH.
4. Select Copy To and direct the profile to copy to the local hard disk. For example, C:\Temp. Click OK, OK.
5. From the Control Panel, launch Administrative Tools > Computer Management.
6. Select System Tools > Local Users and Groups.
7. Select Users.
8. Right-click in the right pane and select New User to add a user named Foo.
9. Double-click the user object and select the Profile tab to view the properties for Foo.
10. In the Profile path field, point to the exact profile you copied to C:\Temp in Step 4. Click OK.
11. Close all open applications, shut down the Windows XP Pro machine, and move it physically to the new SBS 2003 network. Reboot and relaunch the SBS Network Configuration Wizard.
12. Back on the screen to Assign users to this computer and migrate their profiles, in the lower section, under the user name (for example, NormH), click Current User Settings and select Foo. Complete the steps for joining the workstation to the SBS 2003 domain. The profile WILL be migrated!

*User Profile Registry*

This method came in from M.J. Shoer ([EMAIL PROTECTED]), who attended the SMB Nation Summit in Boston in May. He writes:

This method has worked for us without fail. We can retain the complete profile customizations for a PC that was logged into one domain and must now be logged into a new one. The method works for both Win2K and WinXP. It has also worked for upgrading SBS 2000 to SBS 2003, where it is happening on the same server, meaning that you have to reformat the SBS 2000 server and load freshie, as you would say, with SBS 2003.

Here's how it works. Once the SBS 2003 server is set up and the computers are set up on the server side, log into the client PC and run the
Re: [ActiveDir] New DC can't find the machine account
[EMAIL PROTECTED] wrote:

Mark: why would this be expected?

Al: Who is doing DNS for this DC in question? If you ping a domain resource from that DNS server, does it resolve correctly?

Deji,

DNS for this test domain is provided by our datacom people. It's Lucent's QIP server on an old slow NT box. According to the guy who manages it he's a couple of major releases behind on the software. We're also seeing some other issues with machines in the child domain to this domain having problems registering their DNS records.

Machines/Existing DCs can be resolved and accessed - which confuses me with the netlogon pausing as the DC when booting should, in my mind, query the other dc for its account information - not itself.

al

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 6/1/2006 7:11 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Did you see my post last night - this is expected behaviour?

-Original Message-
From: Al Lilianstrom [EMAIL PROTECTED]
Date: Thu, 01 Jun 2006 08:13:20
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

[EMAIL PROTECTED] wrote:

I bet you one crate to a bottle of German beer that your DNS is out to lunch. Every time when I've seen this, it always goes away by kicking a DNS server somewhere. Check your DNS servers.

I talked to the networking people and the DNS server that is used for our test domains is a couple of major releases out of date and running on really crap hardware. Building him a new server...

Thanks for all the help.

al

Sincerely,

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Wed 5/31/2006 7:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Almeida Pinto, Jorge de wrote:

see if the following helps:
http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1

I had run across that page last night. Time is ok (ntp to local time source). I don't think that both computer accounts are corrupt as they were ok as simple servers. I enabled debug logging for the netlogon service and at the same time I get the userenv events I get

05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.: Netlogon is paused on the server. 0x14

al

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Wed 2006-05-31 15:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New DC can't find the machine account

Hi,

I have a Windows 2000 based AD (empty root with 1 child domain) that I'm in the process of upgrading to w2003r2 as a test for our production domain (same configuration). The adprep went fine as well as the dcpromo of the new DC. However when the new DC reboots I get the following messages in the application log:

EVENT TYPE: Error
SOURCE: Userenv
EVENT ID: 1097
Windows cannot find the machine account, The Local Security Authority cannot be contacted.

and

EVENT TYPE: Error
SOURCE: Userenv
EVENT ID: 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Neither system has these messages when they were simple servers in the domain. They were rebooted several times before becoming DCs to make sure the event logs were clean.

They seem to be functioning as DCs. File replication with the original w2k dc took a long time to start up. I added a second w2k3 r2 DC and it is showing the exact same messages. Both machines were created from the same sysprep image - the machine that was built as the basis for the sysprep image was never in the domain.

I've been searching Microsoft and came up with one or two applicable docs. One said to make sure that services like netlogon were set to automatic (it is). Another had settings for enabling debug on the netlogon service which I implemented. All that I see in there is netlogon pausing.

Any ideas?

al
--
RE: [ActiveDir] New DC can't find the machine account
In this case, you want to point the new DC to an internal DNS server authoritative for the domain.

To close this - and answer joe's question - yes, it's DNS, silly. It's always DNS :). Slow startup, slow GP processing, slow desktop showing up, slow coffee maker, slow uplifting of skirts - always DNS. Choose a working INTERNAL DNS server, make netlogon dependent on DNS and 99% of the trouble is resolved :o

Sincerely,

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Thu 6/1/2006 7:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

[EMAIL PROTECTED] wrote:

Mark: why would this be expected?

Al: Who is doing DNS for this DC in question? If you ping a domain resource from that DNS server, does it resolve correctly?

Deji,

DNS for this test domain is provided by our datacom people. It's Lucent's QIP server on an old slow NT box. According to the guy who manages it he's a couple of major releases behind on the software. We're also seeing some other issues with machines in the child domain to this domain having problems registering their DNS records.

Machines/Existing DCs can be resolved and accessed - which confuses me with the netlogon pausing as the DC when booting should, in my mind, query the other dc for its account information - not itself.

al

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 6/1/2006 7:11 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Did you see my post last night - this is expected behaviour?

-Original Message-
From: Al Lilianstrom [EMAIL PROTECTED]
Date: Thu, 01 Jun 2006 08:13:20
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

[EMAIL PROTECTED] wrote:

I bet you one crate to a bottle of German beer that your DNS is out to lunch. Every time when I've seen this, it always goes away by kicking a DNS server somewhere. Check your DNS servers.

I talked to the networking people and the DNS server that is used for our test domains is a couple of major releases out of date and running on really crap hardware. Building him a new server...

Thanks for all the help.

al

Sincerely,

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Wed 5/31/2006 7:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Almeida Pinto, Jorge de wrote:

see if the following helps:
http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1

I had run across that page last night. Time is ok (ntp to local time source). I don't think that both computer accounts are corrupt as they were ok as simple servers. I enabled debug logging for the netlogon service and at the same time I get the userenv events I get

05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.: Netlogon is paused on the server. 0x14

al

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Wed 2006-05-31 15:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New DC can't find the machine account

Hi,

I have a Windows 2000 based AD (empty root with 1 child domain) that I'm in the process of upgrading to w2003r2 as a test for our production domain (same configuration). The adprep went fine as well as the dcpromo of the new DC. However when the new DC reboots I get the following messages in the application log:

EVENT TYPE: Error
SOURCE: Userenv
EVENT ID: 1097
Windows cannot find the machine account, The Local Security Authority
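Deji's closing advice (an internal DNS server authoritative for the domain, and Netlogon waiting on DNS) is the fix for the Userenv 1097/1030 and "Netlogon is paused" symptoms Al reported. The PowerShell below is an added example written for this page, not code from the list; it runs on the DC itself and gathers the evidence that separates a DNS problem from a genuinely broken machine account: which resolvers the DC uses, whether the DC locator SRV records and the DC's own host record resolve, the Netlogon service state and dependencies, the locator's own verdict, and any Userenv events still logged. It assumes Windows Server 2012 or later for the DnsClient cmdlets (the Userenv event source itself belongs to the 2000/2003 generation the thread is about, so that query simply returns nothing on newer systems).

```powershell
# Added example (not from the thread): the DNS and Netlogon checks behind
# "it's always DNS" for a newly promoted DC, run on the DC itself.
# Assumes Windows Server 2012+ (DnsClient module); nltest.exe ships with Windows.

function Test-DcDnsHealth {
    [CmdletBinding()]
    param(
        # AD DNS domain of this DC; defaults to the computer's own domain.
        [string]$Domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    )
    $report = [ordered]@{}

    # 1. Which resolvers does this DC use? They must be internal servers
    #    authoritative for the AD zone (Deji's point), not a legacy appliance.
    $report.Resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, ServerAddresses

    # 2. Can domain controllers be located through the SRV records Netlogon
    #    registers? If this fails, policy processing and the machine-account
    #    lookup fail with it.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $report.DcSrv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object NameTarget, Port, Priority, Weight
    } catch {
        $report.DcSrv = "FAIL: $srvName did not resolve ($($_.Exception.Message))"
    }

    # 3. This DC's own host record; a DC that cannot resolve itself will not be
    #    found by the locator either.
    $self = "$env:COMPUTERNAME.$Domain"
    try {
        $report.SelfA = (Resolve-DnsName -Name $self -Type A -ErrorAction Stop).IPAddress
    } catch {
        $report.SelfA = "FAIL: $self did not resolve"
    }

    # 4. Netlogon state and what it waits for at boot.
    $nl = Get-Service -Name Netlogon
    $report.Netlogon = [pscustomobject]@{
        Status    = $nl.Status
        StartType = $nl.StartType
        DependsOn = ($nl.ServicesDependedOn | ForEach-Object { $_.Name }) -join ','
    }

    # 5. The DC locator's own verdict, bypassing any cached result.
    $report.Locator = (& nltest.exe /dsgetdc:$Domain /force 2>&1) | Out-String

    # 6. The thread's symptoms, if this box still logs them under Userenv
    #    (Windows 2000/2003 era source; empty on newer systems).
    $report.UserenvErrors = Get-EventLog -LogName Application -Source Userenv -Newest 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -in 1030, 1097 } |
        Select-Object TimeGenerated, EventID, Message

    [pscustomobject]$report
}

Test-DcDnsHealth | Format-List

# Only when this DC runs the DNS Server service itself: make Netlogon wait for
# it so its startup registration does not race the zone coming online (Deji's
# "make netlogon dependent on DNS"). Adding a dependency on a service that is
# not installed on the box would stop Netlogon from starting at all.
# sc.exe config Netlogon depend= LanmanWorkstation/LanmanServer/DNS
```

Read the report top down: if Resolvers points at a server that is not authoritative for the zone, everything below it is a consequence, which is exactly the shape of Al's case (an out-of-date external DNS box serving a test domain). A DcSrv failure with a healthy SelfA record usually means the locator records were never registered with that server, which is what dynamic-update problems in the child domain would also explain.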