RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?
About a year and a half ago I tested this as I was doing a migration from NDS to AD. Worked like a charm! (I even did tests for legacy clients like W9x as those were my biggest concern; did not find anything.)

The NDS groups were > 64 chars and accepted all kinds of funny chars. I had to cut them down to 64 chars. Although the samaccountname accepts 256 chars, the full name (common name) accepts only 64 chars. And in cases like this I like to use the weakest link (smallest value), which is the length of the full name. (That is why I cut them down to 64 chars in NDS, so I did not experience any crap during the migration.)

Even in NT4 you could create groups > 20 chars. User Manager for Domains allowed 20 chars and some other tools did the same. However, several third party tools like Hyena and others go beyond that limit. Even if you use scripts you can create groups > 20 chars. However, you will not be able to manage them with User Manager for Domains. To my knowledge, AD has no problem with groups > 20 chars.

By the way.. I remember another thread about this a while ago. Search the archives for it as I think you'll find more info on this.

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Tue 2006-06-06 02:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Sure enough, rangeUpper is 256. I'm not sure where I got that 64 thing, but I'm guessing it was from memory and that was not up to the task again.

Anyone else? Is it safe or not for groups to have a sAMAccountName > 20 characters but <= 64? I'm going to assume that users definitely need to be <= 20.

Joe K.

----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 5:46 PM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Interesting. The online version I see says rangeUpper is 256. Not sure how important that is, but...
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_samaccountname.asp

Given the purpose of samaccountname I have a hard time believing something doesn't rely on that being 20 chars. Not to say that they haven't been since fixed, but that's too tempting for most folks not to just say, well, to be usable it's limited to 20 chars and since Microsoft has that number published everywhere, we'll just assume it's 20 chars all the time... or something like that.

Al

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
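A pre-migration check built from the weakest-link rule Jorge describes, added here as an example and not code from the thread: it applies the 64-character CN limit and the 256 rangeUpper from the messages above, flags group names a 20-character legacy tool cannot manage, and catches names that collide once truncated (sAMAccountName uniqueness is case-insensitive). The illegal-character set is an assumption taken from Windows' logon-name rules rather than from the messages above.

```python
from collections import defaultdict

# Limits discussed in the thread: the schema rangeUpper for sAMAccountName,
# the 64-character CN/full-name limit Jorge hit, and the 20-character limit
# of NT4 User Manager for Domains.
SAMACCOUNTNAME_RANGE_UPPER = 256
CN_MAX_LEN = 64
LEGACY_SAM_LIMIT = 20

# Assumption (not from the thread): characters Windows refuses in a
# sAMAccountName / pre-Windows 2000 logon name.
ILLEGAL_SAM_CHARS = set('"/\\[]:;|=,+*?<>')


def effective_limit(object_class):
    """Weakest link: users stay at 20 so every legacy tool can manage them;
    groups are bounded by the shorter of rangeUpper and the CN limit."""
    if object_class == "user":
        return LEGACY_SAM_LIMIT
    return min(SAMACCOUNTNAME_RANGE_UPPER, CN_MAX_LEN)


def sanitize(name):
    """Drop characters AD will reject, plus surrounding whitespace."""
    return "".join(ch for ch in name if ch not in ILLEGAL_SAM_CHARS).strip()


def plan_names(source_names, object_class="group"):
    """Map each source (e.g. NDS) name to its AD name and report problems.

    Returns (planned, warnings, collisions):
      planned    source name -> proposed sAMAccountName / CN
      warnings   source name -> notes about what had to change
      collisions lower-cased proposed name -> source names that map to it
    """
    limit = effective_limit(object_class)
    planned = {}
    warnings = {}
    by_target = defaultdict(list)

    for src in source_names:
        notes = []
        clean = sanitize(src)
        if clean != src:
            notes.append("illegal characters removed")
        target = clean[:limit]
        if len(clean) > limit:
            notes.append(f"truncated to {limit} characters")
        if object_class == "group" and len(target) > LEGACY_SAM_LIMIT:
            notes.append("longer than 20: not manageable from NT4 User Manager")
        if not target:
            notes.append("empty after sanitizing")
        planned[src] = target
        warnings[src] = notes
        # sAMAccountName must be unique in the domain, case-insensitively.
        by_target[target.lower()].append(src)

    collisions = {t: srcs for t, srcs in by_target.items() if len(srcs) > 1}
    return planned, warnings, collisions


if __name__ == "__main__":
    # Constructed sample of NDS-style group names, not real data.
    sample = [
        "Engineering-Release-Managers-Europe-Site-Eindhoven-Read-Write-Access-A",
        "Engineering-Release-Managers-Europe-Site-Eindhoven-Read-Write-Access-B",
        "Sales/Admins",
        "HR",
    ]
    planned, warnings, collisions = plan_names(sample)
    for src, target in planned.items():
        print(f"{src!r} -> {target!r} {warnings[src]}")
    for target, srcs in collisions.items():
        print(f"COLLISION after truncation: {target!r} <- {srcs}")
```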
RE: [ActiveDir] max password age where else to look?
I'll second guess joe - 91 stops ppl from using cyclic passwords, which use dates or quarters to generate a password, e.g. passwordq12006, passwordq22006 etc. Hopefully joe will give an authoritative response :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve
Sent: 05 June 2006 22:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age where else to look?

Okay. I'll ask the question that everyone else is afraid to: why 91 and not 90?

Cheers

On 5/31/06, joe [EMAIL PROTECTED] wrote:

:o) I can imagine.

Something I like to recommend to folks is to monitor password changes. Depending on how big you are you may even want to do it daily. It is a great way to keep an eye open for various issues. For instance, if passwords aren't being changed in the normal periods at the normal rates, your policy may not be working. If more than usual are being changed then possibly you have some DC issues. You will even be able to graph out the password changes and possibly find interesting trends.

Oh, to go along with this, I recommend a password age of 91 days for the obvious reasons... Actually I always recommend that over 90 days.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas W Stelley
Sent: Thursday, May 25, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

That was it, the policy needed to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of users needed to change their password because they had expired!

Thanks all

"joe" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05/24/2006 10:41 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

Yeah, double-check the value you are getting back from MaxPasswordAge; if zero, check out the maxPwdAge attribute on the NC head, possibly your policy isn't being applied properly.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age where else to look?

What do you get if, just before this:

    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."

you echo the intMaxPwdAge value? I'm wondering if you're not pulling back the max password age value correctly, either through a misspelling or some other error that prevents you from getting the value. Having used that method before, I can tell you it does work in a Windows 2000 environment and a Windows 2003 environment. Native, DFL, etc.

If that doesn't work, do you get the same results with this script?
http://support.microsoft.com/default.aspx?scid=kb;en-us;323750

On 5/24/06, Douglas W Stelley [EMAIL PROTECTED] wrote:

In this domain, in the default domain policy the Max Password Age is set to 90; however, when I look for when the password will change using the below sample script I always get the answer "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." The rest of the possibilities below do work, just the password age doesn't. This is a Win2K Active Directory. I need to expire all passwords on a specific date, but before I do that I need to ensure the system will continue expiring them by age. What might I be doing wrong?

Thanks

    Const SEC_IN_DAY = 86400
    ' userAccountControl bit for "password never expires" (0x10000)
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

    Set objUserLDAP = GetObject _
        ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
    intCurrentValue = objUserLDAP.Get("userAccountControl")

    If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
        Wscript.Echo "The password does not expire."
    Else
        dtmValue = objUserLDAP.PasswordLastChanged
        Wscript.Echo "The password was last changed on " & _
            DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
            "The difference between when the password was last set " & _
            "and today is " & Int(Now - dtmValue) & " days"
        intTimeInterval = Int(Now - dtmValue)

        ' Domain policy via the WinNT provider; MaxPasswordAge is in seconds
        Set objDomainNT = GetObject("WinNT://fabrikam")
        intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
        If intMaxPwdAge < 0 Then
            WScript.Echo "The Maximum Password Age is set to 0 in the " & _
                "domain. Therefore, the password does not expire."
        Else
            ' (the posted script is cut off here; this branch is reconstructed)
            intMaxPwdAge = intMaxPwdAge / SEC_IN_DAY
            WScript.Echo "The maximum password age is " & intMaxPwdAge & " days"
            If intTimeInterval >= intMaxPwdAge Then
                WScript.Echo "The password has expired."
            Else
                WScript.Echo "The password will expire on " & _
                    DateValue(dtmValue + intMaxPwdAge) & " (" & _
                    Int((dtmValue + intMaxPwdAge) - Now) & " days from today)."
            End If
        End If
    End If
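The same decision logic on raw LDAP attribute values, as an added example that is not part of the thread: joe's hint to look at maxPwdAge on the NC head means decoding a negative 100-nanosecond interval, and pwdLastSet is a FILETIME, so this Python reproduces what the VBScript above decides (DONT_EXPIRE flag, never-expires sentinel, must-change-at-next-logon, expired vs. valid) without a directory connection. The attribute encodings are AD's documented ones; the 90-day policy and the dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
# maxPwdAge on the domain NC head is a NEGATIVE 100-ns interval.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10
# maxPwdAge value meaning "passwords never expire" (INT64 minimum).
MAXPWDAGE_NEVER = -0x8000000000000000
# userAccountControl flag used by the thread's script.
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000


def utc(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime // TICKS_PER_MICROSECOND)


def datetime_to_filetime(when: datetime) -> int:
    # timedelta // timedelta yields an exact int; avoid float for 1e17 ticks.
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * TICKS_PER_MICROSECOND


def max_pwd_age_to_timedelta(max_pwd_age: int) -> Optional[timedelta]:
    """None means the domain never expires passwords, the case the
    WinNT-provider check in the thread's script is trying to detect."""
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    if max_pwd_age > 0:
        raise ValueError("maxPwdAge must be a negative 100-ns interval")
    return timedelta(microseconds=-max_pwd_age // TICKS_PER_MICROSECOND)


def days_to_max_pwd_age(days: int) -> int:
    """Inverse helper: what a 90- or 91-day policy writes into maxPwdAge."""
    return -(timedelta(days=days) // timedelta(microseconds=1)) * TICKS_PER_MICROSECOND


@dataclass
class PasswordStatus:
    state: str                      # never-expires | must-change | expired | valid
    expires_at: Optional[datetime]
    days_left: Optional[int]        # negative once expired


def password_status(user_account_control: int, pwd_last_set: int,
                    max_pwd_age: int, now: datetime) -> PasswordStatus:
    """Same branches as the VBScript, evaluated on attribute values."""
    if user_account_control & ADS_UF_DONT_EXPIRE_PASSWD:
        return PasswordStatus("never-expires", None, None)
    if pwd_last_set == 0:
        # AD convention: user must change the password at next logon.
        return PasswordStatus("must-change", None, None)
    age = max_pwd_age_to_timedelta(max_pwd_age)
    if age is None:
        return PasswordStatus("never-expires", None, None)
    expires_at = filetime_to_datetime(pwd_last_set) + age
    remaining = expires_at - now
    state = "expired" if remaining <= timedelta(0) else "valid"
    return PasswordStatus(state, expires_at, remaining.days)


if __name__ == "__main__":
    # Constructed values: 90-day domain policy, password set on 2006-05-01,
    # evaluated on the day of this thread.
    policy = days_to_max_pwd_age(90)
    last_set = datetime_to_filetime(utc(2006, 5, 1))
    now = utc(2006, 6, 6, 12)
    print(password_status(0x200, last_set, policy, now))
    print(password_status(0x200 | ADS_UF_DONT_EXPIRE_PASSWD, last_set, policy, now))
    print(password_status(0x200, last_set, MAXPWDAGE_NEVER, now))
```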
[ActiveDir] Virtual DCs
We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VMware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or bad idea?
[ActiveDir] Forcefully apply Group Policy
Hello,

We have a GP that defines which screensaver is to be used and when it should kick in. This is set to 10 minutes. Ideally this works for everyone. There are some users who require setting this time to 60 minutes (when they are presenting offline to customers). Such users have been provided with a script that changes the screen saver time to 60 minutes.

The problem is when these users come online on the network their screen saver time does not change back to 10 minutes. We have a GP refresh interval of 45 minutes, but this time change is not happening. We are looking at an option to script the time change back to 10 minutes during every login, but that just adds to the load at the time of login. Besides, if the users come online from stand-by mode (having been offline), the change does not get reflected.

I want to know if the time can be reset through GP refresh. Any help in this is much appreciated.

Regards,
Murtaza Merchant
Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?
Jorge, if you happen to find that in the archives, please post the link.

A quick search of the net brings back some items that seem to indicate that greater than 20 could result in a problem with some directory sync tools. samaccountname is listed as being expected to be 20 chars. It doesn't differentiate between groups and users that use the samaccountname. That just seems like a recipe for issues, but if you say it can be 256 without issue, then (I know Joe, you're using 64 and so did Jorge, but it looks like it was done for convenience vs. going with more chars.)

Interesting.

On 6/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

About a year and a half ago I tested this as I was doing a migration from NDS to AD. Worked like a charm! (I even did tests for legacy clients like W9x as those were my biggest concern; did not find anything.)

The NDS groups were > 64 chars and accepted all kinds of funny chars. I had to cut them down to 64 chars. Although the samaccountname accepts 256 chars, the full name (common name) accepts only 64 chars. And in cases like this I like to use the weakest link (smallest value), which is the length of the full name. (That is why I cut them down to 64 chars in NDS, so I did not experience any crap during the migration.)

Even in NT4 you could create groups > 20 chars. User Manager for Domains allowed 20 chars and some other tools did the same. However, several third party tools like Hyena and others go beyond that limit. Even if you use scripts you can create groups > 20 chars. However, you will not be able to manage them with User Manager for Domains. To my knowledge, AD has no problem with groups > 20 chars.

By the way.. I remember another thread about this a while ago. Search the archives for it as I think you'll find more info on this.

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Tue 2006-06-06 02:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Sure enough, rangeUpper is 256. I'm not sure where I got that 64 thing, but I'm guessing it was from memory and that was not up to the task again.

Anyone else? Is it safe or not for groups to have a sAMAccountName > 20 characters but <= 64? I'm going to assume that users definitely need to be <= 20.

Joe K.

----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 5:46 PM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Interesting. The online version I see says rangeUpper is 256. Not sure how important that is, but...
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_samaccountname.asp

Given the purpose of samaccountname I have a hard time believing something doesn't rely on that being 20 chars. Not to say that they haven't been since fixed, but that's too tempting for most folks not to just say, well, to be usable it's limited to 20 chars and since Microsoft has that number published everywhere, we'll just assume it's 20 chars all the time... or something like that.

Al
Re: [ActiveDir] Speaking of SamAccountName...
CN is typical. Inside a domain, samaccountname is unique. CN is only unique within the RDN. For those reasons, I often recommend that your CN and samaccountname be matched (which is not the default if you use ADUC to create users). It's also helpful if you're an Exchange shop to have your alias and UPN (LHS) match your samaccountname, which matches your CN.

Why? Because then you don't have users that are confused as to what to enter. You also don't have to worry about collisions when you move users around and so on. In the end, it's about the user experience (think how much easier this job would be without users ;) so you want to make it as consistent as you can. That'll reduce your helpdesk call volume to some degree as well.

This also indicates that you should have a process that generates unique IDs in your environment. That'll save time later.

Does that help?

On 6/6/06, RM [EMAIL PROTECTED] wrote:

Guys, I have a dumb question.. A 3rd party app that uses LDAP for authentication... What attribute should be utilized for username? SamAccountName is the pre-Windows 2000 name. DistinguishedName is the long form OU/CN gobbledygook. So what is the name of the attribute for the actual user logon name?

Thx,
RM
Re: [ActiveDir] Forcefully apply Group Policy
Hi Murtaza...

You can try computer configuration/administrative templates/windows components/system/group policy/registry policy processing. Checking the "process even if group policy has not changed" option may help. Could cause some performance issues though, unless you have those machines separated.

HTH,
John

Murtaza Merchant [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/06/2006 07:49 AM
Please respond to [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Forcefully apply Group Policy

Hello,

We have a GP that defines which screensaver is to be used and when it should kick in. This is set to 10 minutes. Ideally this works for everyone. There are some users who require setting this time to 60 minutes (when they are presenting 'offline' to customers). Such users have been provided with a script that changes the screen saver time to 60 minutes.

The problem is when these users come online on the network their screen saver time does not change back to 10 minutes. We have a GP refresh interval of 45 minutes, but this time change is not happening. We are looking at an option to script the time change back to 10 minutes during every login, but that just adds to the load at the time of login. Besides, if the users come online from stand-by mode (having been offline), the change does not get reflected.

I want to know if the time can be reset through GP refresh. Any help in this is much appreciated.

Regards,
Murtaza Merchant
RE: [ActiveDir] Virtual DCs
I'm a great advocate of VMware and use it for many services. If the hardware supports the load, happy days!

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rivera, Ada
Sent: 06 June 2006 12:51
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VMware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or bad idea?
RE: [ActiveDir] Virtual DCs
Ada, I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it? This is not a criticism - just a curious thinking-out-loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with.

Proof of concept is always good in these scenarios... if you were to set this up in a lab, even with just two VMware-ed DCs, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.

Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However, it does need to stay up all the time. ;)

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VMware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or bad idea?
RE: [ActiveDir] max password age where else to look?
Think divisible by 7.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 12:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

I'll second guess joe - 91 stops ppl from using cyclic passwords, which use dates or quarters to generate a password, e.g. passwordq12006, passwordq22006 etc. Hopefully joe will give an authoritative response :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve
Sent: 05 June 2006 22:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age where else to look?

Okay. I'll ask the question that everyone else is afraid to: why 91 and not 90?

Cheers

On 5/31/06, joe [EMAIL PROTECTED] wrote:

:o) I can imagine.

Something I like to recommend to folks is to monitor password changes. Depending on how big you are you may even want to do it daily. It is a great way to keep an eye open for various issues. For instance, if passwords aren't being changed in the normal periods at the normal rates, your policy may not be working. If more than usual are being changed then possibly you have some DC issues. You will even be able to graph out the password changes and possibly find interesting trends.

Oh, to go along with this, I recommend a password age of 91 days for the obvious reasons... Actually I always recommend that over 90 days.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas W Stelley
Sent: Thursday, May 25, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

That was it, the policy needed to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of users needed to change their password because they had expired!

Thanks all

joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05/24/2006 10:41 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

Yeah, double-check the value you are getting back from MaxPasswordAge; if zero, check out the maxPwdAge attribute on the NC head, possibly your policy isn't being applied properly.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age where else to look?

What do you get if, just before this:

    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."

you echo the intMaxPwdAge value? I'm wondering if you're not pulling back the max password age value correctly, either through a misspelling or some other error that prevents you from getting the value. Having used that method before, I can tell you it does work in a Windows 2000 environment and a Windows 2003 environment. Native, DFL, etc.

If that doesn't work, do you get the same results with this script?
http://support.microsoft.com/default.aspx?scid=kb;en-us;323750

On 5/24/06, Douglas W Stelley [EMAIL PROTECTED] wrote:

In this domain, in the default domain policy the Max Password Age is set to 90; however, when I look for when the password will change using the below sample script I always get the answer "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." The rest of the possibilities below do work, just the password age doesn't. This is a Win2K Active Directory. I need to expire all passwords on a specific date, but before I do that I need to ensure the system will continue expiring them by age. What might I be doing wrong?

Thanks

    Const SEC_IN_DAY = 86400
    ' userAccountControl bit for "password never expires" (0x10000)
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

    Set objUserLDAP = GetObject _
        ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
    intCurrentValue = objUserLDAP.Get("userAccountControl")

    If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
        Wscript.Echo "The password does not expire."
    Else
        dtmValue = objUserLDAP.PasswordLastChanged
        Wscript.Echo "The password was last changed on " & _
            DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
            "The difference between when the password was last set " & _
            "and today is " & Int(Now - dtmValue) & " days"
        intTimeInterval = Int(Now - dtmValue)

        ' Domain policy via the WinNT provider; MaxPasswordAge is in seconds
        Set objDomainNT = GetObject("WinNT://fabrikam")
        intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
        If intMaxPwdAge < 0 Then
            WScript.Echo "The Maximum Password Age is set to 0 in the " & _
                "domain. Therefore, the password does not expire."
        Else
            ' (the posted script is cut off here; this branch is reconstructed)
            intMaxPwdAge = intMaxPwdAge / SEC_IN_DAY
            WScript.Echo "The maximum password age is " & intMaxPwdAge & " days"
            If intTimeInterval >= intMaxPwdAge Then
                WScript.Echo "The password has expired."
            Else
                WScript.Echo "The password will expire on " & _
                    DateValue(dtmValue + intMaxPwdAge) & " (" & _
                    Int((dtmValue + intMaxPwdAge) - Now) & " days from today)."
            End If
        End If
    End If
RE: [ActiveDir] Virtual DCs
I would agree with your comments wholeheartedly. I don't think this is a good idea. Add to that the fact that we are running Exchange 2003 and all of our DCs are also GCs. As to why management is directing us to do this, one can only surmise. My guess is they are thinking of this as a way to save on hardware costs and reduce the number of servers to be managed. Thanks for your input.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Molkentin, Steve
Sent: Tuesday, June 06, 2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Ada, I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it? This is not a criticism - just a curious thinking-out-loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with.

Proof of concept is always good in these scenarios... if you were to set this up in a lab, even with just two VMware-ed DCs, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.

Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However, it does need to stay up all the time. ;)

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VMware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or bad idea?
RE: [ActiveDir] Virtual DCs
We have two DCs in our headquarters that are beefy boxes dedicated to being just DCs. They also hold our FSMO roles. However, in our larger remote sites, we are running DCs on VMware. It has worked great. It reduced the number of boxes we support, and what's great about a VM DC is you can shut it down and move it over to another box in less than 15 minutes. So hardware upgrades and maintenance have little impact on the users. I'm not sure I recommend DCs being 100% VM, but if you put your FSMOs on dedicated boxes and run all other DCs in VMs I think you'll be pleased.

Kevin

Molkentin, Steve [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/06/2006 09:50 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Ada, I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it? This is not a criticism - just a curious thinking-out-loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with.

Proof of concept is always good in these scenarios... if you were to set this up in a lab, even with just two VMware-ed DCs, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.

Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However, it does need to stay up all the time. ;)

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VMware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or bad idea?

Notice: This e-mail and any files transmitted are confidential and may also be privileged. This communication is intended solely for the use of the individual or entity to which it is addressed. If you are the intended recipient of this information, please treat it as confidential information and take all necessary action to keep it secure. If you are not the intended recipient, you are hereby notified that any use, dissemination, forwarding, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender at once by reply e-mail and destroy all copies of the original message.
[ActiveDir] GPO Screen Saver
We have a GPO to lock users' desktops after 10 mins. However, now it seems to be locking their terminal server sessions. The GPO is at the domain level so our TS servers have the GPO applied to them as well. Could this GPO be locking their TS session as well? This GPO has been in place for a while and this just started happening.

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02116
617-748-6034
617-293-4407
[EMAIL PROTECTED]
RE: [ActiveDir] Virtual DCs
Just because it's a VM doesn't mean you can stop managing it. You still have to patch it, monitor it, upgrade it, etc. The only thing it buys you from a management perspective is less hardware to manage. How often are you managing your physical hardware? If the answer is a lot, then maybe you should look at better hardware ;)

IMHO, I think VMs are a great thing, but I'm not sure I'd turn *all* of my DCs into VMs. Typically we use them for DEV/TEST and lightly used web/app servers.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rivera, Ada
Sent: Tuesday, June 06, 2006 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

I would agree with your comments wholeheartedly. I don't think this is a good idea. Add to that the fact that we are running Exchange 2003 and all of our DCs are also GCs. As to why management is directing us to do this, one can only surmise. My guess is they are thinking of this as a way to save on hardware costs and reduce the number of servers to be managed. Thanks for your input.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Molkentin, Steve
Sent: Tuesday, June 06, 2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Ada, I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it? This is not a criticism - just a curious thinking-out-loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with.

Proof of concept is always good in these scenarios... if you were to set this up in a lab, even with just two VMware-ed DCs, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.

Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However, it does need to stay up all the time. ;)

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VMware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or bad idea?
RE: [ActiveDir] GPO Screen Saver
Hey Christine-

You might want to check and see if something has changed on the filtering of that GPO. If it's linked to the domain then I would guess it would be applying to all users in the domain, even if they are logged onto a TS (unless you are using loopback in replace mode), unless it had a security filter preventing that.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO tips, tools and whitepapers. Also check out the Windows Group Policy Guide, a soup-to-nuts resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christine Allen
Sent: Tuesday, June 06, 2006 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Screen Saver

We have a GPO to lock users' desktops after 10 mins. However, now it seems to be locking their terminal server sessions. The GPO is at the domain level so our TS servers have the GPO applied to them as well. Could this GPO be locking their TS session as well? This GPO has been in place for a while and this just started happening.

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02116
617-748-6034
617-293-4407
[EMAIL PROTECTED]
RE: [ActiveDir] max password age where else to look?
Yeah, I realised that shortly afterwards. The value of this approach escapes me, however :) I don't care which day of the week I change my password on and nor should the users IMHO.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: 06 June 2006 15:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

Think divisible by 7

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 12:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

I'll second guess joe - 91 stops ppl from using cyclic passwords, which use dates or quarters to generate a password, e.g. passwordq12006, passwordq22006 etc. Hopefully joe will give an authoritative response :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve
Sent: 05 June 2006 22:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age where else to look?

Okay. I'll ask the question that everyone else is afraid to: why 91 and not 90?

Cheers

On 5/31/06, joe [EMAIL PROTECTED] wrote:

:o) I can imagine

Something I like to recommend to folks is to monitor password changes. Depending on how big you are you may even want to do it daily. It is a great way to keep an eye open for various issues. For instance if passwords aren't being changed in the normal periods at the normal rates, your policy may not be working. If more than usual are being changed then possibly you have some DC issues. You will even be able to graph out the password changes and possibly find interesting trends.

Oh, to go along with this, I recommend a password age of 91 days for the obvious reasons... Actually I always recommend that over 90 days.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas W Stelley
Sent: Thursday, May 25, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

That was it, the policy needed to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of users needed to change their password because they had expired!

Thanks all

"joe" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05/24/2006 10:41 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

Yeah, double-check the value you are getting back from MaxPasswordAge; if zero, check out the maxPwdAge attribute on the NC Head, possibly your policy isn't being applied properly.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age where else to look?

What do you get if, just before this:

    ' comparison operator and "&" were lost in the archive; restored here
    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
                     "domain. Therefore, the password does not expire."

you echo the intMaxPwdAge value? I'm wondering if you're not pulling back the max password age value correctly: either a misspelling or some other error prevents you from getting the value. Having used that method before, I can tell you it does work in a Windows 2000 environment and a Windows 2003 environment. Native, DFL, etc.

If that doesn't work, do you get the same results with this script?
http://support.microsoft.com/default.aspx?scid=kb;en-us;323750

On 5/24/06, Douglas W Stelley [EMAIL PROTECTED] wrote:

In this domain, in the default domain policy the Max Password Age is set to 90, however when I look for when the password will change using the below sample script I always get the answer "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." The rest of the possibilities below do work, just the password age doesn't. This is a Win2K Active Directory. I need to expire all passwords on a specific date, but before I do that I need to ensure the system will continue expiring them by age. What might I be doing wrong?

Thanks

    Const SEC_IN_DAY = 86400
    ' userAccountControl bit for "password never expires" (0x10000)
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
    Set objUserLDAP = GetObject _
        ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
    intCurrentValue = objUserLDAP.Get("userAccountControl")
    If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
        Wscript.Echo
    End If
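As an added example (not code from the thread, nor from the KB sample it references), here is the same expiry check done offline from the raw attribute values joe points at: maxPwdAge on the domain NC head, plus the user's pwdLastSet and userAccountControl. The values used are constructed; a value of 0 for maxPwdAge is exactly the "set to 0, never expires" symptom the thread hit.

```python
# Added example: password expiry from raw AD attribute values.
# maxPwdAge on the domain NC head is a negative count of 100-nanosecond
# intervals (-77760000000000 is 90 days); 0 or Int64.MinValue means
# "passwords never expire". pwdLastSet is a FILETIME (100-ns intervals
# since 1601-01-01 UTC); 0 means "must change password at next logon".
# All sample values below are constructed, not read from a real domain.
from datetime import datetime, timedelta, timezone

ADS_UF_DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl flag
INTERVALS_PER_SECOND = 10_000_000          # 100-ns units per second
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAXPWDAGE_NEVER = -0x8000000000000000      # Int64.MinValue

# constructed pwdLastSet: 2006-05-01 00:00 UTC, expressed as a FILETIME
SAMPLE_PWD_LAST_SET = ((datetime(2006, 5, 1, tzinfo=timezone.utc)
                        - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def max_pwd_age_days(max_pwd_age: int):
    """Convert the domain's maxPwdAge value to days; None means no expiry."""
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None                        # the "set to 0" case from the thread
    if max_pwd_age > 0:
        raise ValueError("maxPwdAge is stored as a negative interval")
    return -max_pwd_age / INTERVALS_PER_SECOND / 86400


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME (100-ns intervals since 1601) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Aware UTC datetime -> FILETIME integer."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_expiry(user_account_control: int, pwd_last_set: int,
                    max_pwd_age: int):
    """Return (status, expires_at); status is 'never', 'must-change' or 'expires'."""
    if user_account_control & ADS_UF_DONT_EXPIRE_PASSWD:
        return "never", None               # per-account override wins
    days = max_pwd_age_days(max_pwd_age)
    if days is None:
        return "never", None               # domain policy: no expiry at all
    if pwd_last_set == 0:
        return "must-change", None         # flagged for change at next logon
    last_set = filetime_to_datetime(pwd_last_set)
    return "expires", last_set + timedelta(days=days)


if __name__ == "__main__":
    ninety_days = -90 * 86400 * INTERVALS_PER_SECOND
    for label, age in (("90-day policy", ninety_days), ("policy not applied", 0)):
        status, when = password_expiry(0x200, SAMPLE_PWD_LAST_SET, age)
        print(f"{label}: {status}" + (f" on {when:%Y-%m-%d}" if when else ""))
```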
RE: [ActiveDir] Virtual DCs
Hardware costs will fall but will the overall costs over say 3 years really be lower? Factor in the cost of VMware; additional engineering effort required; additional admin overhead; additional support overhead to manage virtual machines. How will these machines be administered? Patched? Backed up? etc etc. I'd love to see a cost / benefit study for the above.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rivera, Ada
Sent: 06 June 2006 15:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

I would agree with your comments wholeheartedly. I don't think this is a good idea. Add to the fact that we are running Exchange 2003 and all of our DCs are also GCs. As to why management is directing us to do this, one can only surmise. My guess is they are thinking of this as a way to save on hardware costs and reduce the number of servers to be managed. Thanks for your input.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
Sent: Tuesday, June 06, 2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Ada, I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it? This is not a criticism - just a curious thinking out loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with. Proof of concept is always good in these scenarios... if you were to set this up in a lab, even with just two VMware-ed DCs, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.

Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However it does need to stay up all the time. ;)

themolk.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VMware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or bad idea?

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] GPO Screen Saver
It is linked to the Domain and has been in place for about 2 years. It does filter down to our servers, which I liked. What's weird is this just started happening and I'm not sure what changed. Can you explain a bit more about "(unless you are using loopback in replace mode) unless it had a security filter preventing that"?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02116
617-748-6034
617-293-4407
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, June 06, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Screen Saver

Hey Christine-

You might want to check and see if something has changed on the filtering of that GPO. If it's linked to the domain then I would guess it would be applying to all users in the domain, even if they are logged onto a TS (unless you are using loopback in replace mode), unless it had a security filter preventing that.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO tips, tools and whitepapers. Also check out the Windows Group Policy Guide, a soup-to-nuts resource for Group Policy information.
RE: [ActiveDir] GPO Screen Saver
Sure. Most TS' are configured to use loopback policy. This is per-computer policy you set in Admin. Templates that would apply to an OU containing TS servers. What setting a machine for loopback says is, "when a user logs into this TS, ignore their "normal" user policy settings and instead apply the user settings that are contained in the GPOs that apply to the computer (in this case, the TS servers)". Loopback comes with two modes. The first is replace, which is what I just described, where the user's policies are completely replaced. The second is "merge", which means, first run the user's normal user policies then run the computer's user policies. If the latter overwrites the former, then the computer policies "win".

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Tuesday, June 06, 2006 8:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Screen Saver

It is linked to the Domain and has been in place for about 2 years. It does filter down to our servers, which I liked. What's weird is this just started happening and I'm not sure what changed. Can you explain a bit more about "(unless you are using loopback in replace mode) unless it had a security filter preventing that"?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02116
617-748-6034
617-293-4407
[EMAIL PROTECTED]
[ActiveDir] LAG and LDAP queries
I have a group of applications (i.e. Sibel etc.) running from Unix boxes using AD for LDAP. I'm wanting to put in a Lag Infrastructure. The queries from these apps basically look at mydomain.mycompany.com 389. That's about as smart as they get. So, I know this isn't an AD problem but if I want my lag I have to figure this out for them. I don't want one of the lag servers to return their query (stale info). I have read through a couple of LAG threads here and not really found anything referring to my exact problem. I know I can kill all the SRV records and keep the Windows boxes out but I have to keep the CNAME to let this replicate on schedule. Anyone tried something like putting in a DNS record with just the DCs they want to return queries? LDAPSERVERS.mydomain.mycompany.com

Am I way off base(DN)? Sorry, bad j/k

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Exchange queue(OT)
Nope. I disabled Antigen AV and rebooted the box. Mail is stuck in the local queue and messages awaiting directory lookup queue. In perfmon, the VM Largest Block Size starts high (~80mb) but falls down to below 16mb in about an hour. VM Total 16mb Free Blocks is at zero as is VM Total Large Free Block Bytes. This is a Win2k Standard SP4 server running Exchange Enterprise with SP3 and all rollups and hotfixes. We have 6 mailbox servers and one GC (maybe that could be an issue but I don't think it explains the local delivery queue issue). I split all the large groups up into smaller global groups. I followed this article, http://support.microsoft.com/kb/325044/en-us, but still no go.

Any other help would be great

Thanks

On 6/1/06, Al Mulnick [EMAIL PROTECTED] wrote:

Another reason you'll get an Exchange consultant to recommend that is for management reasons. Few companies manage large groups well. Also, you can have better control over the expansion of groups with multiple separate groups, vs. one really large group.

Tom, did you ever get good results?

On 5/31/06, joe [EMAIL PROTECTED] wrote:

I am not aware of any limits in the size of DLs specific to Exchange. There is a recommendation to keep your DLs less than 1000 members. However, I expect that this is due to attribute ranging which in Windows 2000 was 1000 attributes and in Windows Server 2003 AD that is now 1500 members. The idea being that you can get all of the values in a single query instead of sending back asking for more over and over again. I did notice that Exchange does something odd when it has to start ranging to retrieve more members. It doesn't appear to be using the normal WLDAP32 library to do it. I was using Insight for AD from Winternals and the additional calls to get the additional members weren't being caught, yet I could see them over the wire with Ethereal, meaning that the hooks that Insight puts into the WLDAP32 libs weren't seeing the calls... hence they weren't using the standard library.

Breaking the users up into separate smaller groups and then nesting the groups is exactly what any Exchange consultant that came in would say.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, May 12, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange queue(OT)

Well one thing I noticed is that the senders (and some recipients) are members of an AD security DG that has over 3300 members. I think the categorizer has a 1500 value limit for member? I'm gonna separate the members into multiple local groups and then nest them into the DG. Maybe that will help. I'll let you know what I find.

Thanks

On 5/10/06, Al Mulnick [EMAIL PROTECTED] wrote:
RE: [ActiveDir] OT: Move Enterprise CA
If you use Autoenrollment, you also need to repoint the PKI settings in the GPO that tells the clients to autoenroll to the new CA.

-Brandon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, June 05, 2006 11:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Move Enterprise CA

Hi all

I have to move an Enterprise CA from one DC to another. The following article appears to show the required steps.

How to move a certification authority to another server
http://support.microsoft.com/?kbid=298138

For those of you that have done this, is the process as straightforward as it appears? Anything to look for that isn't mentioned in the article?

Tony

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
RE: [ActiveDir] LAG and LDAP queries
Jason,

You shouldn't have any problems with your LDAP query if you use the LDAPSERVERS.mydomain.mycompany.com DNS record that you proposed below. Using that record is the same thing as using mydomain.mycompany.com. Both are records which point to another server.

Always glad to lend a hand to CCIT West.

-Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LAG and LDAP queries

I have a group of applications (i.e. Sibel etc.) running from Unix boxes using AD for LDAP. I'm wanting to put in a Lag Infrastructure. The queries from these apps basically look at mydomain.mycompany.com 389. That's about as smart as they get. So, I know this isn't an AD problem but if I want my lag I have to figure this out for them. I don't want one of the lag servers to return their query (stale info). I have read through a couple of LAG threads here and not really found anything referring to my exact problem. I know I can kill all the SRV records and keep the Windows boxes out but I have to keep the CNAME to let this replicate on schedule. Anyone tried something like putting in a DNS record with just the DCs they want to return queries? LDAPSERVERS.mydomain.mycompany.com

Am I way off base(DN)? Sorry, bad j/k
Re: [ActiveDir] max password age where else to look?
On 06/06/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Yeah, I realised that shortly afterwards. The value of this approach escapes me, however :) I don't care which day of the week I change my password on and nor should the users IMHO.

neil

The Friday before a long public holiday weekend is always a bad one to have people changing their passwords. So is the last working day before a Christmas holiday, as users will tend to either forget what they set it to, or write it down on a post-it and leave it in their desk.

My € 0.02
--
AdamT

A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche
Re: [ActiveDir] Exchange queue(OT)
One GC? Can you verify the performance on that GC? Waiting on a response from disk, GC, or other could absolutely cause the problems you are seeing.

Al

On 6/6/06, Tom Kern [EMAIL PROTECTED] wrote:

Nope. I disabled Antigen AV and rebooted the box. Mail is stuck in the local queue and messages awaiting directory lookup queue. In perfmon, the VM Largest Block Size starts high (~80mb) but falls down to below 16mb in about an hour. VM Total 16mb Free Blocks is at zero as is VM Total Large Free Block Bytes. This is a Win2k Standard SP4 server running Exchange Enterprise with SP3 and all rollups and hotfixes. We have 6 mailbox servers and one GC (maybe that could be an issue but I don't think it explains the local delivery queue issue). I split all the large groups up into smaller global groups. I followed this article, http://support.microsoft.com/kb/325044/en-us, but still no go.

Any other help would be great

Thanks
Re: [ActiveDir] Exchange queue(OT)
Can you tell me what counters I should be looking at to determine GC perf?

Thanks

On 6/6/06, Al Mulnick [EMAIL PROTECTED] wrote:

One GC? Can you verify the performance on that GC? Waiting on a response from disk, GC, or other could absolutely cause the problems you are seeing.

Al
[ActiveDir] Address List based on OU
I have several sites that are sitting on one mailbox store but are located in different OUs. What LDAP query can I use to create an Exchange 2003 address list, based on users that are in a particular OU?

-Devon

---
This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
Re: [ActiveDir] Exchange queue(OT)
Sorry,

On the Exchange server:
- SMTP Server - Categorizer Queue Length is always at zero
- MSExchange DSAccess Process - LDAP Read Time is at zero; LDAP Search Time is at zero as well.

On the GC:
- System - Processor Queue Length is at zero
- PhysicalDisk (NTDS db/logs) - Avg disk/sec read is at zero
- Memory - Available MBytes is 533
- Pages/sec stays at zero but occasionally spikes to 90 for a sec.

No errors on the NICs on both Exchange or GC.

Thanks

On 6/6/06, Tom Kern [EMAIL PROTECTED] wrote:

Can you tell me what counters I should be looking at to determine GC perf?

Thanks
[ActiveDir] Logged in user
Is there a command line util to remotely tell what user is logged into a PC?

-Devon
Re: [ActiveDir] Exchange queue(OT)
I don't commit them to memory, but usually look here instead: http://www.microsoft.com/technet/prodtechnol/exchange/guides/TrblshtE2k3Perf/8d4b5381-bdab-44bc-9df4-35e9d6192b86.mspx?mfr=true

Al

On 6/6/06, Tom Kern wrote:
Can you tell me what counters I should be looking at to determine GC perf? Thanks

On 6/6/06, Al Mulnick wrote:
One GC? Can you verify the performance on that GC? Waiting on a response from disk, GC, or other could absolutely cause the problems you are seeing. Al

On 6/6/06, Tom Kern wrote:
Nope. I disabled Antigen AV and rebooted the box. Mail is stuck in the local queue and the messages awaiting directory lookup queue. In perfmon, VM Largest Block Size starts high (~80 MB) but falls to below 16 MB in about an hour. VM Total 16MB Free Blocks is at zero, as is VM Total Large Free Block Bytes. This is a Win2k Standard SP4 server running Exchange Enterprise with SP3 and all rollups and hotfixes. We have 6 mailbox servers and one GC (maybe that could be an issue, but I don't think it explains the local delivery queue issue). I split all the large groups up into smaller global groups. I followed this article, http://support.microsoft.com/kb/325044/en-us, but still no go. Any other help would be great. Thanks

On 6/1/06, Al Mulnick wrote:
Another reason you'll get an Exchange consultant to recommend that is for management reasons. Few companies manage large groups well. Also, you can have better control over the expansion of groups with multiple separate groups vs. one really large group. Tom, did you ever get good results?

On 5/31/06, joe wrote:
I am not aware of any limits in the size of DLs specific to Exchange. There is a recommendation to keep your DLs less than 1000 members. However, I expect that this is due to attribute ranging, which in Windows 2000 was 1000 attributes and in Windows Server 2003 AD is now 1500 members. The idea being that you can get all of the values in a single query instead of sending back asking for more over and over again. I did notice that Exchange does something odd when it has to start ranging to retrieve more members. It doesn't appear to be using the normal WLDAP32 library to do it. I was using Insight for AD from Winternals and the additional calls to get the additional members weren't being caught, yet I could see them over the wire with Ethereal, meaning that the hooks that Insight puts into the WLDAP32 libs weren't seeing the calls... hence they weren't using the standard library. Breaking the users up into separate smaller groups and then nesting the groups is exactly what any Exchange consultant that came in would say. joe

From: Tom Kern
Sent: Friday, May 12, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange queue(OT)

Well, one thing I noticed is that the senders (and some recipients) are members of an AD security DG that has over 3300 members. I think the categorizer has a 1500 value limit for member? I'm gonna separate the members into multiple local groups and then nest them into the DG. Maybe that will help. I'll let you know what I find. Thanks

On 5/10/06, Al Mulnick wrote:
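The attribute ranging joe describes above, as an added example that is not part of the thread: a PowerShell function that walks a large group's member attribute slice by slice with System.DirectoryServices (no RSAT needed) and reports whether the group is big enough that every consumer has to range. The group DN is a placeholder supplied by the caller.

```powershell
# Added example, not from the thread: pull every value of a large group's member
# attribute with LDAP range retrieval, the mechanism joe describes above.
# Uses only System.DirectoryServices, so it works without RSAT.
function Get-GroupMembersRanged {
    param(
        [Parameter(Mandatory)][string]$GroupDn,   # placeholder; caller supplies a real DN
        [int]$Step = 1500    # MaxValRange: 1500 on Windows Server 2003 DCs, 1000 on Windows 2000
    )
    $members  = New-Object 'System.Collections.Generic.List[string]'
    $pages    = 0
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$GroupDn")
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=group)'

    $low = 0
    while ($true) {
        # Ask for one slice of the multi-valued attribute: member;range=<low>-<high>
        $searcher.PropertiesToLoad.Clear()
        [void]$searcher.PropertiesToLoad.Add("member;range=$low-$($low + $Step - 1)")
        $result = $searcher.FindOne()
        if ($null -eq $result) { throw "Group not found or not readable: $GroupDn" }

        # The DC answers with the slice it actually served, and the name says what
        # happened: member;range=0-999 means more follow (and that this DC caps at 1000);
        # member;range=1500-* means this was the last slice.
        $served = $result.Properties.PropertyNames |
            Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
        if (-not $served) { break }    # no member attribute at all: empty group
        $pages++
        foreach ($m in $result.Properties[$served]) { $members.Add([string]$m) }

        if ($served -match 'range=\d+-\*$') { break }                       # last slice
        if ($served -match 'range=\d+-(\d+)$') { $low = [int]$Matches[1] + 1 } else { break }
    }

    [pscustomobject]@{
        Group        = $GroupDn
        MemberCount  = $members.Count
        Pages        = $pages
        # More than one page means every consumer of this group (Exchange's categorizer
        # included) has to range correctly or else works from a truncated member list.
        NeedsRanging = ($pages -gt 1)
        Members      = $members
    }
}

# Usage (placeholder DN):
# Get-GroupMembersRanged -GroupDn 'CN=All-Staff,OU=Groups,DC=example,DC=com' |
#     Select-Object MemberCount, Pages, NeedsRanging
```

Run it against a DG before nesting it into smaller groups to see how many slices a Windows 2000 versus 2003 DC hands back; a group that needs more than one page is the kind Tom's 3300-member DG is.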
Re: [ActiveDir] Logged in user
psloggedon from sysinternals.com

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Logged in user
nbtstat -A <ipaddress>

John
Re: [ActiveDir] Logged in user
psloggedon from Sysinternals
RE: [ActiveDir] Logged in user
At the DOS prompt type SET USERNAME

~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] Logged in user
Sorry, you said remotely. I usually pull it from WMI. In Win32_ComputerSystem there's a property called UserName that stores it along with the domain they're logged into, in the domain\username format.
RE: [ActiveDir] Logged in user
    ' Replace remote-computer-name with the target machine's name
    RComp = "remote-computer-name"
    ' Connect to the remote WMI namespace (DCOM/RPC; needs admin rights on the target)
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & RComp & "\root\cimv2")
    Set Attribs = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
    ' UserName holds the interactive console user as DOMAIN\user (empty if nobody is logged on)
    For Each myProps In Attribs
        Wscript.Echo myProps.UserName & " is the user currently logged into " & RComp
    Next

Sincerely,

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
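The same Win32_ComputerSystem.UserName lookup in PowerShell, as an added example rather than code from the thread, with the two cases the VBScript above does not handle: a machine that cannot be reached over DCOM, and a machine with nobody at the console. Computer names are placeholders supplied by the caller.

```powershell
# Added example, not from the thread: Win32_ComputerSystem.UserName over WMI,
# one result object per computer, so a list of machines can be piped through it.
function Get-ConsoleUser {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName)
    process {
        try {
            # Same DCOM/RPC path as GetObject("winmgmts:...") in the VBScript; needs local
            # admin on the target and RPC reachable, so host firewalls show up here as errors.
            $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Computer = $ComputerName; User = $null; Status = "error: $($_.Exception.Message)" }
            return
        }
        # UserName is only the interactive console session, in DOMAIN\user form. It is
        # empty at the logon screen and says nothing about RDP sessions or service
        # accounts; query session /server: covers the Terminal Services side.
        if ([string]::IsNullOrEmpty($cs.UserName)) {
            [pscustomobject]@{ Computer = $ComputerName; User = $null; Status = 'no console user' }
        } else {
            [pscustomobject]@{ Computer = $ComputerName; User = $cs.UserName; Status = 'ok' }
        }
    }
}

# Usage (placeholder names): one machine, or a list piped in
# Get-ConsoleUser -ComputerName 'PC01'
# 'PC01','PC02','PC03' | Get-ConsoleUser | Format-Table -AutoSize
```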
RE: [ActiveDir] Address List based on OU
Devon, I don't think it is possible to do an LDAP query based on the parent OU. In our environment, we have a script that runs nightly, which stamps some of the extensionAttribute values with something representative of their location. We then base our queries off of that value.

-Andrew

From: Harding, Devon
Sent: Tuesday, June 06, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Address List based on OU

I have several sites that are sitting on one mailbox store but are located in different OUs. What LDAP query can I use to create an Exchange 2003 address list, based on users that are in a particular OU?

-Devon
RE: [ActiveDir] Logged in user
Any command line tools?
Re: [ActiveDir] Exchange queue(OT)
In that case, can you go ahead and show us the export of those PAB entries that were found to cause the issue?

Al

On 6/6/06, Tom Kern wrote:
Sorry.

On the Exchange server:
SMTP Server - Categorizer Queue Length is always at zero.
MSExchange DSAccess Process - LDAP read time is at zero; LDAP search time is at zero as well.

On the GC:
System - Processor Queue Length is at zero.
PhysicalDisk (NTDS db/logs) - Avg disk/sec read is at zero.
Memory - Available MBytes is 533. Pages/sec stays at zero but occasionally spikes to 90 for a sec.

No errors on the NICs on either Exchange or the GC.

Thanks
RE: [ActiveDir] Logged in user
If you're looking for Terminal Services sessions in particular, you can use query.exe (have to copy it from the sys32 dir of a server, I believe), then issue:

    query session /server:servername

:m:dsm:cci:mvp | marcusoh.blogspot.com
Re: [ActiveDir] Address List based on OU
You can't directly do that. To do that, you'll want to tag each of the users in that OU with some attribute and then create your AL based on that attribute instead.

Al
[ActiveDir] sample vbs script
Could someone send me a sample VBS script that creates AD user accounts?

Thanks
Antonio
[ActiveDir] [OT] Uninstalling Exchange - how does this modify AD, what alters in AD
Lately I have been thinking about the following: what actually happens in Active Directory, and what changes in it, while or after uninstalling Exchange?

I am asking this because usually when I uninstall an Exchange server, I do this according to the KB articles from Microsoft, i.e. "How to remove the first Exchange server". After that I insert the Exchange 2003 CD and do a 'remove components' (in the case of Exchange 2000 I remove it from within Add/Remove Programs in Control Panel). After having done that I go into ESM and delete the server object from there.

Recently I have had a customer asking me to remove his first Exchange server and transfer everything to another Exchange server. So I went along and followed the KB article up to the point where I had to uninstall Exchange. Everything went fine. After that, before I wanted to uninstall Exchange, I stopped the Exchange services and left it like that for a day, just to be sure everything kept on running right without the Exchange services on the old server running. This also went fine. I then left the instructions with the customer on how to uninstall Exchange and delete the server object from within ESM. They want to do something themselves also; they have their own IT department :-). Instead of doing that, they simply switched the server off and told me this a couple of days later. I of course told them that Exchange needed to be uninstalled the way Microsoft says, but now they want me to somehow prove what will happen if they do it as they have always done it: simply remove the server object from within ESM and not uninstall Exchange from the server at all.

This Exchange organisation consists of several servers and several Administrative Groups. I know that in order to uninstall Exchange you need the necessary rights on the Administrative Group the server is in, so I guess that during the uninstall, the server 'unties' itself from that Administrative Group.

But what happens if you don't do this? Are you then really stuck with pieces of the 'not properly uninstalled server' in AD? Let's say you would not uninstall Exchange but you would remove the server object from within ESM and then, much later, you would bring that same server, not uninstalled, online again. I guess you could end up with a messy thing then. But I don't think Microsoft says to uninstall Exchange for this reason only.

Is there a program for AD like there is 'Snapshot' for the Windows registry, a program which creates a 'before' and 'after' picture? Or am I now thinking too complex? Can anybody shed some light on what exactly is altered in AD when doing an uninstall of an Exchange server?
Re: [ActiveDir] Exchange queue(OT)
Well, I don't think that was the issue because those entries were deleted a while ago and it was only one user with that PAB. Since then, we've had issues with users having their mail stuck in the CAT queue. This morning that was the case. I disabled Antigen (which, next to the Info Store, was using the most mem). To disable Antigen, you have to stop all the Exchange services. After the services started, mail was stuck in the CAT queue and the Local Delivery queue. Exchange was in this state for about 5-6 hrs. Now all the queues have emptied out and the VM Largest Block Size is up from 16 MB to 30 MB. We get this issue occasionally with the other mail servers (but not the Local Queue).

In my uneducated opinion I think a couple of things are causing this:
1. This corp does NOT set mailbox or message size limits. I've seen mail with 50-100 MB attachments in the queue.
2. I suspect that maybe Antigen or one of its engines is at fault. Though maybe it's just using a lot of mem due to the size of the emails. On the other hand, I've seen issues with just one or 2 emails of normal size sitting in the CAT queue for days.

This occurs on all servers. It is not isolated to one specific box. The only thing these boxes have in common is Antigen.

Thanks
RE: [ActiveDir] Address List based on OU
Damn, I was trying to avoid using extensionAttribute. Oh well. admodify.NET?
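The tagging approach Andrew and Al describe above, as an added example that is not from the thread: a PowerShell job (ActiveDirectory module) that stamps every mail-enabled user under an OU with a site code in extensionAttribute1, and the LDAP filter an Exchange 2003 address list can then be built on. OU DNs, site codes and the choice of extensionAttribute1 are placeholders and assumptions, not values from the thread.

```powershell
# Added example, not from the thread: nightly OU-to-attribute tagging plus the
# address list filter that keys on the tag. Requires the ActiveDirectory module.
function Set-SiteTag {
    param(
        [Parameter(Mandatory)][string]$OuDn,       # placeholder, e.g. OU=Boston,OU=Sites,DC=example,DC=com
        [Parameter(Mandatory)][string]$SiteCode,   # placeholder, e.g. BOS
        [switch]$WhatIf                            # preview: report what would change, write nothing
    )
    # An alphanumeric tag needs no LDAP escaping when it is pasted into the filter below.
    if ($SiteCode -notmatch '^[A-Za-z0-9]+$') { throw 'SiteCode must be alphanumeric' }

    # Subtree also tags child OUs; use OneLevel to stop at this OU. Only mail-enabled
    # users matter to an address list, so everything else is skipped up front.
    $users = Get-ADUser -SearchBase $OuDn -SearchScope Subtree `
                        -Filter 'mail -like "*"' -Properties extensionAttribute1
    $changed = 0
    foreach ($u in $users) {
        if ($u.extensionAttribute1 -eq $SiteCode) { continue }   # already right: re-runs are idempotent
        # The job account only needs write access to extensionAttribute1 on these OUs,
        # not Account Operators or broader rights, so scope its delegation to that.
        Set-ADUser -Identity $u -Replace @{ extensionAttribute1 = $SiteCode } -WhatIf:$WhatIf
        $changed++
    }
    return $changed
}

function New-SiteAddressListFilter {
    param([Parameter(Mandatory)][string]$SiteCode)
    if ($SiteCode -notmatch '^[A-Za-z0-9]+$') { throw 'SiteCode must be alphanumeric' }
    # Mailbox-enabled users narrowed by the tag. Exchange 2003 stores an address list's
    # filter in its purportedSearch attribute; this string goes into the custom filter.
    "(&(objectClass=user)(objectCategory=person)(mailNickname=*)(msExchHomeServerName=*)(extensionAttribute1=$SiteCode))"
}

# Usage (placeholders): preview, apply, then build the filter for the address list
# Set-SiteTag -OuDn 'OU=Boston,OU=Sites,DC=example,DC=com' -SiteCode BOS -WhatIf
# Set-SiteTag -OuDn 'OU=Boston,OU=Sites,DC=example,DC=com' -SiteCode BOS
# New-SiteAddressListFilter -SiteCode BOS
```

A user moved between OUs keeps the old tag until the next run, so schedule the job at least as often as moves happen, or the address list lags the OU structure.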
RE: [ActiveDir] sample vbs script
Take a look at the source code for chapter 6.1 in this excellent (fish) book. http://rallenhome.com/books/adcookbook/code.html

Clyde Burns

This message is confidential, intended only for the named recipient(s) and may contain information that is privileged or exempt from disclosure under applicable law. Any patient health information must be delivered immediately to intended recipient(s). If you are not the intended recipient(s), you are notified that the dissemination, distribution or copying of this message is strictly prohibited. If you receive this message in error, or are not the named recipient(s), please notify the sender at either the e-mail address or telephone number above and discard this e-mail. Thank you.
RE: [ActiveDir] sample vbs script
There are several in the TechNet Script Center: http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/default.mspx
RE: [ActiveDir] sample vbs script
Hi Antonio

Here's a link to one of the Microsoft Script Centre repositories. You may want to look at some of the other sections to see how to set passwords, etc. There are lots of other sites out there which will supply more sophisticated scripts, but this is a good start for picking up the building blocks.

http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/usmgvb05.mspx

Cheers
Danny

Email has been scanned for viruses by Altman Technologies' email management service http://www.altman.co.uk/emailsystems
RE: [ActiveDir] sample vbs script
IANAP, but .. http://www.akomolafe.com/LinkClick.aspx?link=Create-Users-and-Sec-Group.vbs&tabid=63&mid=431

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com - we know IT
www.akomolafe.com http://www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Antonio Aranda
Sent: Tue 6/6/2006 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

Could someone send me a sample vbs script that creates AD user accounts? Thanks Antonio

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] sample vbs script
Look at http://www.lissware.net, White Papers section. February 2000 (Compaq Active Answers):
Part 1 - Understanding the Microsoft WSH and the ADSI in Windows 2000 (Script Kit)
Part 2 - The powerful combination of WSH and ADSI under Windows 2000 (Script Kit)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Tuesday, June 06, 2006 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sample vbs script

There are several in the TechNet Script Center http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/default.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

Could someone send me a sample vbs script that creates AD user accounts? Thanks Antonio
RE: [ActiveDir] Logged in user
psloggedon \\Computername http://www.sysinternals.com/Utilities/PsLoggedOn.html

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, June 06, 2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logged in user

Is there a command line util. to remotely tell what user is logged into a PC? -Devon

--- This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
RE: [ActiveDir] sample vbs script
Even though Compaq let me go these are still my favourites...

-Original Message-
From: [EMAIL PROTECTED] on behalf of Alain Lissoir
Sent: Tue 06/06/2006 21:41
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] sample vbs script

Look at http://www.lissware.net, White Papers section. February 2000 (Compaq Active Answers):
Part 1 http://users.skynet.be/alain.lissoir/hp/Part%201%20-%20Understanding%20Microsoft%20WSH%20and%20ADSI%20in%20Windows%202000.pdf - Understanding the Microsoft WSH and the ADSI in Windows 2000 (Script Kit) http://users.skynet.be/alain.lissoir/hp/Part%201%20-%20Understanding%20Microsoft%20WSH%20and%20ADSI%20in%20Windows%202000%20(Scripts%20Kit).zip
Part 2 http://users.skynet.be/alain.lissoir/hp/Part%202%20-%20The%20powerful%20combination%20of%20WSH%20and%20ADSI%20under%20Windows%202000.pdf - The powerful combination of WSH and ADSI under Windows 2000 (Script Kit) http://users.skynet.be/alain.lissoir/hp/Part%202%20-%20The%20powerful%20combination%20of%20WSH%20and%20ADSI%20under%20Windows%202000%20(Scripts%20Kit).zip

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Tuesday, June 06, 2006 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sample vbs script

There are several in the TechNet Script Center http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/default.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

Could someone send me a sample vbs script that creates AD user accounts? Thanks Antonio

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk **
Re: [ActiveDir] Address List based on OU
I prefer a script that can be waked up to read that OU periodically and assure me to some degree that the objects contained are tagged as I expect them to be. ADMODIFY would likely do it as well. I'm sure *somebody-whose-name-starts-with-j* would have a tool preference that would also do such a thing. Well, pretty sure anyway. :)

On 6/6/06, Harding, Devon [EMAIL PROTECTED] wrote:

Damn... I was trying to avoid using extensionAttribute. Oh well... admodify.NET?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, June 06, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Address List based on OU

You can't directly do that. To do that, you'll want to tag each of the users in that OU with some attribute and then create your AL based on that attribute instead. Al

On 6/6/06, Harding, Devon [EMAIL PROTECTED] wrote:

I have several sites that are sitting on one mailbox store but are located in different OU's. What LDAP query can I use to create an Exchange 2003 address list, based on users that are in a particular OU? -Devon
Re: [ActiveDir] Exchange queue(OT)
Well, there are other similarities on those machines. Have you seen this already? http://support.microsoft.com/?kbid=329137 It might be worth it to check it out. Al

On 6/6/06, Tom Kern [EMAIL PROTECTED] wrote:

Well, I don't think that was the issue because those entries were deleted a while ago and it was only one user with that PAB. Since then, we've had issues with users having their mail stuck in the CAT queue. This morning that was the case. I disabled Antigen (which next to the Info store, was using the most mem). To disable Antigen, you have to stop all the Exchange services. After the services started, mail was stuck in the CAT queue and the Local Delivery queue. Exchange was in this state for about 5-6 hrs. Now all the queues have emptied out and the VM Largest Block Size is up from 16mb to 30mb. We get this issue occasionally with the other mail servers (but not the Local Queue). In my uneducated opinion I think a couple of things are causing this:
1. This corp does NOT set mailbox or message size limits. I've seen mail with 50-100mb attachments in the queue.
2. I suspect that maybe Antigen or one of its engines is at fault. Though maybe, it's just using a lot of mem due to the size of the emails. On the other hand, I've seen issues with just one or 2 emails of normal size sitting in the CAT queue for days.
This occurs on all servers. It is not isolated to one specific box. The only thing these boxes have in common is Antigen.. Thanks

On 6/6/06, Al Mulnick [EMAIL PROTECTED] wrote:

In that case, can you go ahead and show us the export of those pab entries that were found to cause the issue? Al

On 6/6/06, Tom Kern [EMAIL PROTECTED] wrote:

Sorry, On the exchange server- Smtp Server - Categorizer Queue length is always at zero. MsExchange DSAccess Process- LDAP read time is at zero, LDAP search time is at zero as well. On the GC- System- processor queue length is at zero. PhysicalDisk(NTDS db/logs)- Avg disk/sec read is at zero. Memory-available MBytes is 533. Pages/sec stays at zero but occasionally spikes to 90 for a sec. No errors on the NIC's on both Exchange or GC. Thanks

On 6/6/06, Tom Kern [EMAIL PROTECTED] wrote:

Can you tell me what counters I should be looking at to determine GC perf? Thanks

On 6/6/06, Al Mulnick [EMAIL PROTECTED] wrote:

One GC? Can you verify the performance on that GC? Waiting on a response from disk, GC, or other could absolutely cause the problems you are seeing. Al

On 6/6/06, Tom Kern [EMAIL PROTECTED] wrote:

Nope. I disabled Antigen AV and rebooted the box. Mail is stuck in the local queue and messages awaiting directory lookup queue. In perfmon, the VM largest Block Size starts high (~80mb) but falls down to below 16mb in about an hour. VM Total 16mb Free Blocks is at zero as is VM Total Large Free Block Bytes. This is a Win2k standard sp4 server running Exchange Enterprise with sp3 and all rollups and hotfixes. We have 6 mailbox servers and one GC (maybe that could be an issue but I don't think it explains the local delivery queue issue). I split all the large groups up into smaller global groups. I followed this article, http://support.microsoft.com/kb/325044/en-us, but still no go. Any other help would be great. Thanks

On 6/1/06, Al Mulnick [EMAIL PROTECTED] wrote:

Another reason you'll get an Exchange consultant to recommend that is for management reasons. Few companies manage large groups well. Also, you can have better control over the expansion of groups with multiple separate groups, vs. one really large group. Tom, did you ever get good results?

On 5/31/06, joe [EMAIL PROTECTED] wrote:

I am not aware of any limits in the size of DLs specific to Exchange. There is a recommendation to keep your DLs less than 1000 members. However, I expect that this is due to attribute ranging which in Windows 2000 was 1000 attributes and in Windows Server 2003 AD that is now 1500 members. The idea being that you can get all of the values in a single query instead of sending back asking for more over and over again. I did notice that Exchange does something odd when it has to start ranging to retrieve more members. It doesn't appear to be using the normal WLDAP32 library to do it. I was using Insight for AD from winternals and the additional calls to get the additional members weren't being caught, yet I could see them over the wire with ethereal meaning that the hooks that Insight puts into the WLDAP32 libs weren't seeing the calls... hence they weren't using the standard library. Breaking the users up into separate smaller groups and then nesting the groups is exactly what any Exchange consultant that came in would say. joe

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, May 12, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange queue(OT)

Well one thing I noticed is that the senders (and some recipients) are members of a AD
Re: [ActiveDir] [OT] Uninstalling Exchange - how does this modify AD, what alters in AD
In theory, you *could* just remove it from ESM if you believe this article. http://support.microsoft.com/?kbid=260378

On 6/6/06, Victor W. [EMAIL PROTECTED] wrote:

Lately I have been thinking about the following: What happens actually in Active Directory and what changes in it, while or after having uninstalled Exchange. I am asking this because usually when I uninstall an Exchange server, I do this according to the KB articles from Microsoft i.e. How to remove the first Exchange server. After that I insert the Exchange 2003 cd and do a 'remove components' (in case of Exchange 2000 I remove it from within Add/Remove Programs in Control Panel). After having done that I go into ESM and delete the server object from there. Recently I have had a customer asking me to remove his first Exchange server and transfer everything to another Exchange server. So I went along and followed the KB article up to the point where I had to uninstall Exchange. Everything went fine. After that, before I wanted to uninstall Exchange, I stopped the Exchange services and left this so for a day, just to be sure kept on running right without the Exchange services on the old server running. This also went fine. I then left the instruction with the customer how to uninstall Exchange and delete the server object from within ESM. They want to do something themselves also, they have their own IT department :-). Instead of doing that, they simply switched the server off and told me this a couple of days later. I of course told them that Exchange needed to be uninstalled the way Microsoft says so but now they want me to somehow prove what will happen if they do it as they have always done it, simply remove the server object from within ESM and not uninstalling Exchange from the server at all. This Exchange Organisation exists of several servers and several Administrative Groups. I know that in order to uninstall Exchange you need the necessary rights on the Administrative Group the server is in, so I guess that during the uninstall, the server 'unties' itself from that Administrative Group. But what happens if you don't do this, are you then really stuck with pieces in AD of the 'not properly uninstalled server'? Let's say you would not uninstall Exchange but you will remove the server object from within ESM and then, much later you would bring that same server, not uninstalled, online again. I guess you could end up with messy things then. But I don't think Microsoft says to uninstall Exchange because of this reason only. Is there a program for AD like there is 'Snapshot' for the Windows registry. A program which creates a 'before' and 'after' picture. Or am I now thinking too complex? Can anybody shed some light on what exactly is altered in AD when doing an uninstall of an Exchange server?
Re: [ActiveDir] Speaking of SamAccountName...
Speaking of SamAccountName... If they are using LDAP bind for authentication, then it depends on what type of bind they are doing.

For LDAP simple bind (hopefully combined with SSL or it is not secure!), AD supports:
- distinguishedName
- userPrincipalName
- NT account name (domain\user with user being the sAMAccountName and domain being the NetBIOS domain name)

For secure bind using SASL with SPNEGO (Windows auth LDAP bind), AD supports:
- userPrincipalName
- NT account name (domain\user with user being the sAMAccountName and domain being the NetBIOS domain name)
- sAMAccountName

For that reason, I generally recommend that people use UPN or NT name as a bind user name because it works with both. DN is also unwieldy and reveals a lot of the structure of the directory that apps don't necessarily need to know.

HTH, Joe K.

- Original Message -
From: RM
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 06, 2006 12:12 AM
Subject: [ActiveDir] Speaking of SamAccountName...

Guys, I have a dumb question.. A 3rd party app that uses LDAP for authentication... What attribute should be utilized for username? SamAccountName is the pre-Windows 2000 name. DistinguishedName is the long form OU/CN gobbledygook. So what is the name of the attribute for the actual user logon name? Thx, RM
[ActiveDir] sample vbs script
Thanks for the help so far. But does anyone know how to add the attribute Home Folder? Not the Local Path but the Connect: with letter drive using vbs script? Thanks Again Antonio Aranda
RE: [ActiveDir] sample vbs script
Look at http://www.lissware.net, White Papers section, page 73, Sample 22, lines 460 and 462.

459:
460:    objUser.Put "homeDirectory", "\\" & strAccountComputer & _
461:                                 "\" & strUserID & "$"
462:    objUser.Put "homeDrive", cHomeDrive
463:

February 2000 (Compaq Active Answers):
http://users.skynet.be/alain.lissoir/hp/Part 1 - Understanding Microsoft WSH and ADSI in Windows 2000.pdf Part 1 - Understanding the Microsoft WSH and the ADSI in Windows 2000
http://users.skynet.be/alain.lissoir/hp/Part 1 - Understanding Microsoft WSH and ADSI in Windows 2000 (Scripts Kit).zip (Script Kit)
http://users.skynet.be/alain.lissoir/hp/Part 2 - The powerful combination of WSH and ADSI under Windows 2000.pdf Part 2 - The powerful combination of WSH and ADSI under Windows 2000
http://users.skynet.be/alain.lissoir/hp/Part 2 - The powerful combination of WSH and ADSI under Windows 2000 (Scripts Kit).zip (Script Kit)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

Thanks for the help so far. But does anyone know how to add the attribute Home Folder? Not the Local Path but the Connect: with letter drive using vbs script? Thanks Again Antonio Aranda
RE: [ActiveDir] sample vbs script
Thank you ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Tuesday, June 06, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sample vbs script

Even though Compaq let me go these are still my favourites...

-Original Message-
From: [EMAIL PROTECTED] on behalf of Alain Lissoir
Sent: Tue 06/06/2006 21:41
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] sample vbs script

Look at http://www.lissware.net, White Papers section. February 2000 (Compaq Active Answers):
http://users.skynet.be/alain.lissoir/hp/Part%201%20-%20Understanding%20Microsoft%20WSH%20and%20ADSI%20in%20Windows%202000.pdf Part 1 - Understanding the Microsoft WSH and the ADSI in Windows 2000
http://users.skynet.be/alain.lissoir/hp/Part%201%20-%20Understanding%20Microsoft%20WSH%20and%20ADSI%20in%20Windows%202000%20(Scripts%20Kit).zip (Script Kit)
http://users.skynet.be/alain.lissoir/hp/Part%202%20-%20The%20powerful%20combination%20of%20WSH%20and%20ADSI%20under%20Windows%202000.pdf Part 2 - The powerful combination of WSH and ADSI under Windows 2000
http://users.skynet.be/alain.lissoir/hp/Part%202%20-%20The%20powerful%20combination%20of%20WSH%20and%20ADSI%20under%20Windows%202000%20(Scripts%20Kit).zip (Script Kit)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Tuesday, June 06, 2006 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sample vbs script

There are several in the TechNet Script Center http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/default.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

Could someone send me a sample vbs script that creates AD user accounts? Thanks Antonio
Re: [ActiveDir] Speaking of SamAccountName...
Just to throw in $0.02 (USD): DN would be a bad idea with Active Directory outside of the information it gives away. Active Directory is designed to allow for the movement and changing of accounts. Using the DN would break that as far as the user is concerned. Since you can have multiple UPN's and at least one samaccount name, you should choose between them. One thought might help: if your cn and samaccountname match, it's easier to choose. If your upn lhs matches the cn which matches the samaccountname, then it might be even easier to prevent identity crises. FWIW. And hey, that's good information to have Joe. cheers :)

On 6/6/06, Joe Kaplan [EMAIL PROTECTED] wrote:

Speaking of SamAccountName... If they are using LDAP bind for authentication, then it depends on what type of bind they are doing. For LDAP simple bind (hopefully combined with SSL or it is not secure!), AD supports: distinguishedName, userPrincipalName, NT account name (domain\user with user being the sAMAccountName and domain being the NetBIOS domain name). For secure bind using SASL with SPNEGO (Windows auth LDAP bind), AD supports: userPrincipalName, NT account name (domain\user with user being the sAMAccountName and domain being the NetBIOS domain name), sAMAccountName. For that reason, I generally recommend that people use UPN or NT name as a bind user name because it works with both. DN is also unwieldy and reveals a lot of the structure of the directory that apps don't necessarily need to know. HTH, Joe K.

- Original Message -
From: RM
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 06, 2006 12:12 AM
Subject: [ActiveDir] Speaking of SamAccountName...

Guys, I have a dumb question.. A 3rd party app that uses LDAP for authentication... What attribute should be utilized for username? SamAccountName is the pre-Windows 2000 name. DistinguishedName is the long form OU/CN gobbledygook. So what is the name of the attribute for the actual user logon name? Thx, RM
Re: [ActiveDir] Speaking of SamAccountName...
I'm with you on discouraging using DN as a binding user name for AD. However, this is very common practice in other directories and DN is the only attribute that the LDAP spec defines as needing to be supported for simple bind. A lot of apps that support multiple directories will insist you do it this way. That isn't to say that this will apply to the app the OP is using, but I thought this was worth sharing. :) Joe K.

- Original Message -
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 06, 2006 8:53 PM
Subject: Re: [ActiveDir] Speaking of SamAccountName...

Just to throw in $0.02 (USD): DN would be a bad idea with Active Directory outside of the information it gives away. Active Directory is designed to allow for the movement and changing of accounts. Using the DN would break that as far as the user is concerned. Since you can have multiple UPN's and at least one samaccount name, you should choose between them. One thought might help: if your cn and samaccountname match, it's easier to choose. If your upn lhs matches the cn which matches the samaccountname, then it might be even easier to prevent identity crises. FWIW. And hey, that's good information to have Joe. cheers :)
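A pre-flight check for an application's LDAP bind settings that encodes the two points made in this thread (Joe K.'s table of which identity forms each AD bind type accepts, and Joe's and Al's caveat about binding by DN). This is an added example, not code from the thread or from any of the posters; the identity-form patterns, the `check_bind_config` function and the sample service-account names are my own constructions, and the pattern limits (15-character NetBIOS domain, 20-character user sAMAccountName) come from AD's own constraints rather than from the thread.

```python
import re

# Identity forms named in the thread and the AD LDAP bind types that accept each,
# as Joe K. lists them: simple bind takes DN, UPN or NT name; SASL/SPNEGO takes
# UPN, NT name or bare sAMAccountName.
ACCEPTED = {
    "simple": {"dn", "upn", "nt"},
    "sasl-spnego": {"upn", "nt", "sam"},
}

# Loose syntactic shapes (assumption: enough to tell the four forms apart, not a
# full RFC 4514 DN parser). NetBIOS domain <= 15 chars, user sAMAccountName <= 20.
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(?:,\s*[A-Za-z]+=[^,]+)+$")
UPN_RE = re.compile(r"^[^@\\/,=\s]+@[A-Za-z0-9.-]+$")
NT_RE = re.compile(r"^[A-Za-z0-9._-]{1,15}\\[^\\/@,=\s]{1,20}$")
SAM_RE = re.compile(r'^[^\\/@,=\[\]:;|+*?<>"\s]{1,20}$')


def classify(identity):
    """Return 'dn', 'upn', 'nt' or 'sam' for a bind identity, or None if it fits none."""
    identity = identity.strip()
    for form, rx in (("dn", DN_RE), ("upn", UPN_RE), ("nt", NT_RE), ("sam", SAM_RE)):
        if rx.match(identity):
            return form
    return None


def check_bind_config(identity, mechanism, tls):
    """Check an app's bind identity against the bind mechanism it is configured for.

    mechanism: 'simple' or 'sasl-spnego'; tls: True when the connection is LDAPS/StartTLS.
    Returns {'form', 'ok', 'findings'}; 'ok' is False when any finding is an error.
    """
    findings = []
    form = classify(identity)
    accepted = ACCEPTED.get(mechanism)
    if accepted is None:
        findings.append(("error", "unknown bind mechanism %r" % mechanism))
    if form is None:
        findings.append(("error", "identity is not a DN, UPN, DOMAIN\\user or sAMAccountName"))
    elif accepted is not None and form not in accepted:
        findings.append(("error", "%s is not accepted by %s bind on AD" % (form, mechanism)))
    if mechanism == "simple" and not tls:
        # Joe K.'s warning: simple bind sends the password in the clear without SSL.
        findings.append(("error", "simple bind without LDAPS/StartTLS exposes the password on the wire"))
    if form == "dn":
        # Joe's and Al's point: a DN breaks when the object moves and leaks directory layout.
        findings.append(("warning", "DN identity breaks on move/rename and reveals directory structure; prefer UPN or NT name"))
    ok = not any(sev == "error" for sev, _ in findings)
    return {"form": form, "ok": ok, "findings": findings}


if __name__ == "__main__":
    # Constructed sample configurations (hypothetical names, not from the thread).
    for ident, mech, tls in [
        ("svc-app@example.com", "simple", True),
        ("CN=svc-app,OU=Service Accounts,DC=example,DC=com", "simple", True),
        ("svc-app", "simple", True),
        ("EXAMPLE\\svc-app", "sasl-spnego", False),
    ]:
        r = check_bind_config(ident, mech, tls)
        print("%-50r %-12s tls=%-5s -> ok=%s %s" % (ident, mech, tls, r["ok"], r["findings"]))
```

The third sample (a bare sAMAccountName over simple bind) is the combination RM's question was heading toward; it fails the check because, per Joe's list, simple bind does not accept that form, while the same name as DOMAIN\user passes for either mechanism.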
Re: [ActiveDir] Virtual DCs
IMO vmware is great for dev/stage/cit/test/dr and good for some prod applications but I wouldn't be running my AD purely on VM's. AD is critically dependent upon time and some VM configurations interfere with the system clock, thereby upsetting the kbt timestamps. Referring specifically to VMware's products; ESX works but GSX is useless for prod (poor resourcing). In addition, some applications do behave differently inside a VM (despite what the vendors say), and there are numerous cases where support staff have wasted hours troubleshooting a problem only to discover it was a VM problem. Do the sums on ESX and it could be cheaper to own a server. Rgds, Tim

On 6/6/06, Rivera, Ada [EMAIL PROTECTED] wrote:

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VM Ware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or Bad idea?
RE: [ActiveDir] Profile migration to new domain
Are you talking about Livestate or Ghost? Livestate is the old PQ V2i. Do you have a Symantec account person or are you buying shrink wrap? If the former I'd give them a buzz, they can hook you up with a tech spec, otherwise why not call support?? Thanks, Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyp New
Sent: Friday, June 02, 2006 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Profile migration to new domain

I use Symantec V2i Desktop (formerly Powerquest Drive Image) for backing up and for cloning my workstations. The restores don't seem to work, especially when restoring a cloned image, when I leave that Dell partition on there. Advice I got from a consultant (pretty good consultant otherwise, so don't say drop the guy) was to wipe that partition. It's stopped the problems. And I seem to have fewer problems in general when I wipe the HD clean and install windows without the Dell partition. I'm open to suggestions - probably some good ones in this bunch. That's probably not the best way to clone either. Gary

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Friday, June 02, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Profile migration to new domain

Gary, Why would you nuke the Dell partition? I find it very useful for diagnosing hardware issues especially when Dell reps ask: 'Did you run the Dell diagnostics on your machine and if so what's the error code?' prior to them sending out the needed hardware replacement. -Shariff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyp New
Sent: Friday, June 02, 2006 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Profile migration to new domain

Susan, All nuke and paves may not be equal. Occasionally, I encounter a machine where the little Dell partition doesn't want to completely go away when you try to re-partition the HD during the windows install. That causes problems for the windows install, or other issues if the install goes through, that can't be cleared up unless I use Partition Magic to wipe the partition and then re-partition it during the windows install. Has worked every time so far. Just a thought. Gary Polvinale Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, June 01, 2006 9:48 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Profile migration to new domain

Well I nuked and paved a formerly Dell OEM now a retail OS.. and now can't get the NIC on the motherboard to find nic drivers. Anyone for a black decorative doorstop until I find the driver it wants or throw a intel card in there?
RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
1753 is failed trust iirc. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

You realize what those 5722 messages are and how to correct, right?

On 6/2/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

Nothing else has changed. We are seeing several Access is Denied errors from computer accounts trying to authenticate. Event ID 5722 from NETLOGON. No other changes were made, just the SP1 install. I installed it on the PDC emulator first, finished the install, rebooted, waited for it to boot back up, ran a dcdiag /s:servername, repeated on the other two DCs. DCDIAG to both the naming context and each DC individually comes back clean except for systemlog, because of the aforementioned 5722 errors.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

What else did you do during the upgrade? Make any other changes? What steps did you take? What other software is running on the machines? What other errors? DCDIAG results? Netdiag results? -ajm

On 6/2/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

Hello, Last night we upgraded our 3 Win2K3 domain controllers to SP1. This morning, we're getting tons and tons of calls from users who report that their computer sits at "Applying computer settings" for a good 10 minutes, then another 10 or so minutes at "Applying your personalized settings". After the upgrade we did start seeing DCOM errors in the System event log, which I've found many people online have experienced. I fixed it (or at least the DCOM errors went away) by granting Network Service the following rights: Local Launch, Remote Launch, Local Activation, Remote Activation in the Launch and Activation Permissions dialog on the Security tab of the netman component. However, even after the DCOM errors have gone away, we continue to see the same results on the clients. Any ideas? I'm considering calling Premier Support, but I figured you guys would be better help than them. Thanks, Justin Clay ITS Enterprise Services Metropolitan Government of Nashville and Davidson County Howard School Building Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
And fwiw you have some forgiving firewall people. I would have told you to f off and lock it down.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open. They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds. It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premier Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1! Thanks to everyone for all the suggestions and help, it's always appreciated! Also, to everyone else that was experiencing this issue, I'd be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

Nope, I can get to them from the client PCs just fine. I was able to drill down into all of the policies that I tried.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

Any problems accessing \\domain\sysvol\domain\Policies ?

On 6/2/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

Hopefully the attachment comes through. The interesting part, and where most of the time delay is seen, is here:

USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

I think a different thread mentioned that DNS was about 90% of the cause of this type of behavior. It's not the only one however. What keeps rebooting? The DC? Or the workstations? If the workstations, not only ethereal but Darren's suggestion of logging is a good idea.

On 6/2/06, Za Vue [EMAIL PROTECTED] wrote:

Finally..someone is also experiencing this problem. My DCs are Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My first thought was DNS DNS.. but NetDiag, Repl, DCDiag, Nslookup all show no error. Nothing is reported in logs. It is not firewall. I have played with NetBIOS, changing Provider Order in Network Neighborhood-Advanced Settings..nada. This week has been quiet. If someone calls again I have ethereal set up and ready to capture. The thing about my environment is I do not manage the switches or router. I don't know if someone is messing with something.

-Z.V.

Clay, Justin (ITS) wrote:

Hello, Last night we upgraded our 3 Win2K3 domain controllers to SP1. This morning, we're getting tons and tons of calls from users who report that their computer sits at "Applying computer settings" for a good 10 minutes, then another 10 or so minutes at "Applying your personalized settings". After the upgrade we did start seeing DCOM errors in the System event log, which I've found many people online have experienced. I fixed it (or at least the DCOM errors went away) by granting Network
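The userenv.log excerpt Justin posted is the one place in this thread where the stall is actually measurable. As an added example (not code from any post here), this Python script parses those USERENV lines, totals the time the policy cycle spent hanging, and flags the 1753 pattern; 1753 is EPT_S_NOT_REGISTERED from the RPC endpoint mapper, the signature of blocked dynamic RPC ports that the thread eventually confirms. The error name and the 60-second threshold are the example's own assumptions.

```python
# Parse a userenv.log excerpt and measure how long Group Policy processing stalled
# on RPC failures. Added example, not code from any post in the ActiveDir thread.
import re
from datetime import timedelta

# 1753 is EPT_S_NOT_REGISTERED ("There are no more endpoints available from the endpoint
# mapper"): TCP 135 answered, but the dynamic high port it handed back was unreachable.
ERROR_NAMES = {1753: "EPT_S_NOT_REGISTERED: dynamic RPC port unreachable (high ports blocked?)"}

# The USERENV lines quoted in the thread, used here as the sample input.
SAMPLE_LOG = """\
USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.
"""

# USERENV(<pid>.<tid>) HH:MM:SS:mmm <function>: <message>
LINE_RE = re.compile(r"^USERENV\([0-9a-f]+\.[0-9a-f]+\)\s+(?P<h>\d{2}):(?P<m>\d{2}):"
                     r"(?P<s>\d{2}):(?P<ms>\d{3})\s+(?P<func>\w+):\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r"(?P<call>\w+) failed with (?:error )?(?P<code>\d+)")


def parse_userenv(text):
    # Returns (timestamp, function, message) tuples; lines that do not match are skipped.
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = timedelta(hours=int(m["h"]), minutes=int(m["m"]), seconds=int(m["s"]), milliseconds=int(m["ms"]))
        entries.append((ts, m["func"], m["msg"]))
    return entries


def analyze_gpo_stall(text):
    entries = parse_userenv(text)
    failures = []
    for ts, _func, msg in entries:
        f = FAIL_RE.search(msg)
        if f:
            failures.append((ts, f["call"], int(f["code"])))
    # Stall: first ProcessGPOs line to the last one ("Processing failed with error ...").
    cycle = [ts for ts, func, _ in entries if func == "ProcessGPOs"]
    stall = (cycle[-1] - cycle[0]).total_seconds() if cycle else 0.0
    # The log promises a 1/2 second retry; the real gap between attempts is how long
    # each RPC call hung before failing, which is what a silently dropped port looks like.
    attempts = [ts for ts, call, _ in failures if call == "GetUserNameEx"]
    gaps = [(b - a).total_seconds() for a, b in zip(attempts, attempts[1:])]
    codes = sorted({code for _, _, code in failures})
    return {
        "stall_seconds": round(stall, 3),
        "failures": [(call, code) for _, call, code in failures],
        "retry_gaps": [round(g, 3) for g in gaps],
        "errors": {c: ERROR_NAMES.get(c, "unknown Win32 error") for c in codes},
    }


def rpc_port_block_suspected(report):
    # Every failure is 1753 and each retry hung for a minute or more (assumed threshold).
    gaps = report["retry_gaps"]
    return set(report["errors"]) == {1753} and bool(gaps) and all(g >= 60 for g in gaps)
```

On the thread's excerpt the cycle stalls for 254 seconds across four GetUserNameEx attempts spaced about 64 seconds apart, which matches the "4-8 minute" logons reported.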
RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
Right. So you need to lock down DCOM ports on your workstations, servers, and then add that to your Checkpoints. I use 5000-5020 (which is in a KB), although we had some issues on really really busy boxes and upped it enterprise wide to 5000-5100. Get a GPO together for the reg hack and include it in your build process moving forward.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open. They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds. It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premier Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1! Thanks to everyone for all the suggestions and help, it's always appreciated! Also, to everyone else that was experiencing this issue, I'd be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!
RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
Probably some ports were open on the firewalls so crapshoot if you hit them - a network trace or tcpdump on the Nokias would have revealed this straight away...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Saturday, June 03, 2006 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

Yeah, you would want to assume that DNS was ok in that situation. Network would be more of a suspect given those symptoms. Possibly even at the nic level, but could be anywhere else as well. The thing to do (I'm sure I'm not telling you anything new, but rather thinking out loud) is to find the commonality of the problem occurrence. Every 3-4 times you reboot is not a very good problem definition to work with as it's not repeatable in the sense that you can make a change and see the results. It's every 3-4 times. That's odd. Almost sounds like a port mismatch at the switch or discarded packets somewhere vs. a client/server issue. But, doing the due diligence is still needed right?

Al

On 6/3/06, Za Vue [EMAIL PROTECTED] wrote:

I know almost every admin would probably say it is DNS, but if nslookup, Dcdiag, NetDiag, DC replication, GPOs all work properly or show no error one should assume DNS is working properly. No problem accessing DFS shares. If you sit down on a machine and restart the machine 3-4 times in a row, it would hang at least once. That is my problem. Yes.. I have a Portqry.exe batch file that checks the DC ports every time there is a problem. I have another Portqry script that checks other random ports that are not supposed to be open - just to make sure the firewall is working properly. There hasn't been a problem. I also run Sniffer Pro v.5. However, things have been quiet this past week so I will wait and see if anyone else calls in about it.

-Z.V.

Al Mulnick wrote:

For you it just started? Are you familiar with tools such as portqry? I know you're familiar with packet sniffers. It might be good to have a look and at least rule out the personal firewalls, the network ACLs, network firewalls, and the other network issues that can be introduced outside your control.

Al

On 6/3/06, Za Vue [EMAIL PROTECTED] wrote:

This doesn't sound right. I have been running SP1 since it was released. This just started last month.

-Z.V.

Clay, Justin (ITS) wrote:

Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open. They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds. It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premier Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1! Thanks to everyone for all the suggestions and help, it's always appreciated! Also, to everyone else that was experiencing this issue, I'd be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!
RE: [ActiveDir] sample vbs script
www.microsoft.com/technet/scriptcenter - go under AD

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

Could someone send me a sample vbs script that creates AD user accounts?

Thanks
Antonio
RE: [ActiveDir] Logged in user
Psloggedon from pstools, www.sysinternals.com

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Tuesday, June 06, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logged in user

Is there a command-line util to remotely tell what user is logged into a PC?

-Devon
RE: [ActiveDir] Virtual DCs
I have no problem with VMWare or Virtual Server DCs if done correctly. Frankly, 7K users is like pocket change if you ask me. Really, the users generate no load; they log on to the PC and change their password. Things like Exchange (and OLK), machines, and other AD aware apps do. If properly written and the virtual hardware properly configured everything should still jive. If I had to make a one off guess with no more info I'd say go for it. The price war with MS and EMC on virtualization has made this far more economical, and if you're going to be doing branches, you can play your sacred card and virtualize stuff and quasi isolate it. There have been a couple lengthy discussions on that subject recently. Tony has a search widget on the website for this DL. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Molkentin, Steve
Sent: Tuesday, June 06, 2006 8:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Ada,

I am intrigued as to why management are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it? This is not a criticism - just a curious thinking out loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with. Proof of concept is always good in these scenarios... if you were to set this up in a lab, even with just two VMWare-ed DCs, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring. Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However it does need to stay up all the time. ;)

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VMWare when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or bad idea?