[ActiveDir] AD integration

2006-06-12 Thread Rob MOIR
Just a quick question. Is anyone aware of any "best practice"
documentation of how a product ought to integrate with AD (e.g. to pull
out user data for its own use).

Failing that, can anyone comment on what they think of a model that can
only pull data out of one domain at a time so for a >1 domain forest
needs to make a connection to each domain in turn, pull down that
information and then load it into SQL server. Am I crazy in thinking
that anyone following this model has probably just found out that their
old NT4 domain integration code "kinda works" and did the bare minimum
tidying up before halting any further work?

-- 
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on?


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] AD integration

2006-06-12 Thread Al Mulnick
Is there a best practice?  For what?  For making it work or for security purposes?
JoeK has a book full of coding information.  That might be of use.

As for a model, my personal advice is to ensure that the coder doesn't assume that the ldap data is static.  For example, never assume that the items that aren't guaranteed to be unique will remain unique, such as CN.  In a multi-domain forest, the CN is not likely going to be unique unless additional steps have previously been taken. DN, RDN etc. follow suit.

As for more than one domain and pulling the data from one domain at a time, well, that's up to the application.  Is there a reason you only want it from one at a time that we should be aware of? Vs. say pulling information from a GC?

WINNT code: yes it will still work depending on how you want to run it.  But it won't allow you access to the GC, and it's going to have problems in multidomain models if the samaccountname is not unique across the domain boundaries.

WINNT code is also legacy code and not guaranteed to work for future versions IIRC.

Al



RE: [ActiveDir] AD integration

2006-06-12 Thread Rob MOIR
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: 12 June 2006 13:55
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] AD integration
> 
> Is there a best practice?  For what?  For making it work or for
> security purposes?
> JoeK has a book full of coding information.  That might be of use.

For making it work. I'm trying to resolve a dispute between a supplier of a 
commercial product and a customer about whether or not the "connect to each 
domain in turn" method is a satisfactory model (Supplier says 'what's the 
problem', customer regards it as poor practice). I'm after a general idea of 
how people feel about this.
 
> As for a model, my personal advice is to ensure that the coder doesn't
> assume that the ldap data is static.  For example, never assume that
> the items that aren't guaranteed to be unique will remain unique such
> as CN.  In a multi-domain forest, the CN is not likely going to be
> unique unless additional steps have previously been taken. DN, RDN etc
> follow suit.
> 
> As for more than one domain and pulling the data from domain at a time,
> well, that's up to the application.  Is there a reason you only want it
> from one at a time that we should be aware of? Vs. say pulling
> information from a GC?

I personally would regard pulling info for the whole forest from a GC as the 
preferred model where applicable (and in this case it would work fine), I'm 
trying to find out how people feel about the other methods.

> WINNT code: yes it will still work depending on how you want to run it.
> But it won't allow you access to the GC, and it's going to have
> problems in multidomain models if the samaccountname is not unique
> across the domain boundaries.
> 
> WINNT code is also legacy code and not guaranteed to work for future
> versions IIRC.
> 
> Al



Re: [ActiveDir] AD integration

2006-06-12 Thread Al Mulnick
I see what you're saying.
I think the answer would totally depend on the application and the application scope.  If the application scope is the entire forest, then it should pull from the GC if the data it wants resides in the GC.  If not, then it will have to pull from a DC in each domain.

A best practice in that case would be to be aware of the domains and the forest and find its servers via name resolution vs. hard-coding any dc information. Outside of that, I don't think the vendor's necessarily wrong based on the information. To their argument, the data may not reside in the GC and therefore they would have to pull from each domain.  If the data doesn't exist in the GC by default, they would have to instruct the clients to add information to the GC and I think that would be far worse because the impact would vary so widely.

Robert, when you weigh the answers to this, I think it would be a good idea to consider that the vendor has to write for more than one customer audience.  It would not make a lot of sense for the vendor to put a lot of work into something that already works if they don't have to and if it doesn't cause issues. In this case, I think it doesn't cause issues because it sounds like it works. It sounds like the customer needs to consider their options and if they feel that they can't live with the vendor's methods, perhaps they should consider voting with the wallet. :)


[ActiveDir] Machine Password Changes

2006-06-12 Thread Clay, Justin (ITS)

Everyone,

Our Public Libraries use a software package that handles their patron logins and billing called SomeProduct. The company that makes SomeProduct includes in their suite a product called SomeDiskProtection. SomeDiskProtection is similar to Windows Disk Protection, GoBack and Deep Freeze. It's a product that, upon reboot, restores the PC to its previously saved state. The problem with this of course is that while the PC is up and running during the day, if it changes its machine account password, the next time the PC is rebooted it's back to the old password, which results in PCs that can't log onto the domain. We've now spent a week on the phone with SomeCompany and they tell us that their only solution is to completely disable machine password changes for the PCs running their software. I want to ask you all what you think of this solution. How much of a security risk do you think it is? Can you think of a workaround?

The frustrating thing is that Windows Disk Protection has a way of handling this. It disables automatic machine password changes, but every time the PC has its saved state updated, it performs a manual password change so that at least it's being changed SOMETIMES. According to SomeCompany, they have absolutely no plans or desire to update their software to support similar functionality.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
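Two read-only checks a domain admin can run around the workaround described above, as an added example that is not from the thread or from any vendor: what the local Netlogon rotation schedule is set to, and which computer accounts have not rotated their password inside the expected window (a machine whose state is rolled back nightly, or that has rotation disabled, shows up here). It assumes a domain-joined host with AD read access; the day thresholds are illustrative.

```powershell
# Added example (not from the thread). Assumes a domain-joined host and read
# access to the domain partition; thresholds below are illustrative values.
Add-Type -AssemblyName System.DirectoryServices

function Get-MachinePasswordPolicy {
    # Netlogon\Parameters holds the machine-account password schedule:
    #   DisablePasswordChange  (REG_DWORD, 1 = never rotate; this is what the
    #                           "Domain member: Disable machine account password
    #                           changes" policy sets)
    #   MaximumPasswordAge     (REG_DWORD, days; 30 when the value is absent)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        DisablePasswordChange  = [bool]$p.DisablePasswordChange      # $null -> $false
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }
    }
}

function Get-StaleComputerPasswords {
    # Lists enabled computer accounts whose pwdLastSet is older than $Days.
    # On a normally rotating machine this should be empty at 45 days (30-day
    # default plus slack); a rolled-back or rotation-disabled PC drifts past it.
    param([int]$Days = 45)
    $cutoff = [datetime]::UtcNow.AddDays(-$Days).ToFileTimeUtc()
    # pwdLastSet is a FILETIME; userAccountControl bit 2 (0x2) = account disabled.
    $filter = "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(pwdLastSet<=$cutoff))"
    $props  = [string[]]@('dNSHostName', 'pwdLastSet', 'operatingSystem')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]''), $filter, $props
    $searcher.PageSize = 1000
    foreach ($r in $searcher.FindAll()) {
        $last = [datetime]::FromFileTimeUtc([long]$r.Properties['pwdlastset'][0])
        [pscustomobject]@{
            Host       = if ($r.Properties['dnshostname'].Count) { $r.Properties['dnshostname'][0] } else { $null }
            OS         = if ($r.Properties['operatingsystem'].Count) { $r.Properties['operatingsystem'][0] } else { $null }
            PwdLastSet = $last
            AgeDays    = [int]([datetime]::UtcNow - $last).TotalDays
        }
    }
    $searcher.Dispose()
}

# The Windows Disk Protection behaviour the post describes (rotate once, then
# save the protected state) is the equivalent of running, on the protected PC,
#   nltest /SC_CHANGE_PWD:<domain>
# immediately before the disk image is committed, so AD and the saved state agree.
# Get-MachinePasswordPolicy
# Get-StaleComputerPasswords -Days 45 | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```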


RE: [ActiveDir] AD integration

2006-06-12 Thread joe
The answer to this one is of course it depends.

At first blush it sounds like a single threaded app. Depending on the
vendor, this may be the best/safest thing to do. :)

As for best practices. I don't think there are any best practices for how
many domains you should pull data from at a time. It would again depend
entirely on the app and what it is supposed to be doing and the dangers
exposed in doing it.

For a "relatively" fast application that works well in single and
multidomain environments I could see cases where it is better to pull from
the GC or better to set up a thread pool and pull from x domains at once or
a combination. Certainly the thread pool solutions are the more scalable
solutions but they are also the much harder to do right and the more costly
solutions. Most customers choose apps on how cheap they are first, then later
they start to realize the shortcomings that made them cheaper. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
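The two models the thread weighs (one Global Catalog search for the forest versus a DC per domain) in working form, as an added example that is not from the thread or any vendor: it checks the schema for whether every attribute the application needs is replicated to the GC, and only falls back to a per-domain search when one is not, binding serverlessly so the DC locator picks the server rather than anything hard-coded. Rows are keyed on objectGUID/objectSid because, as noted above, CN, DN and sAMAccountName are not guaranteed unique forest-wide. It assumes a domain-joined host with read access to the forest; the attribute list is illustrative.

```powershell
# Added example (not from the thread). Assumes a domain-joined host with read
# access to every domain in the forest; attribute names are illustrative.
Add-Type -AssemblyName System.DirectoryServices

function Get-AttributesNotInGC {
    # Returns the subset of $Attributes the GC cannot serve (not in the
    # partial attribute set, or not defined in the schema at all).
    param([string[]]$Attributes)
    $schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
    $missing = foreach ($a in $Attributes) {
        try {
            if (-not $schema.FindProperty($a).IsInGlobalCatalog) { $a }
        } catch {
            $a   # unknown attribute: cannot come from the GC either
        }
    }
    return @($missing)
}

function Get-ForestUserRows {
    param(
        [string[]]$Attributes = @('sAMAccountName', 'userPrincipalName', 'mail'),
        [int]$PageSize = 1000
    )
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $missing = Get-AttributesNotInGC -Attributes $Attributes

    if ($missing.Count -eq 0) {
        # GC model: one read-only search spanning every domain partition.
        $rootDn = ([ADSI]'LDAP://RootDSE').Properties['rootDomainNamingContext'][0]
        $roots  = @([ADSI]"GC://$rootDn")
        Write-Verbose "All attributes are in the GC; one search from GC://$rootDn"
    } else {
        # Per-domain model: serverless LDAP bind per domain, DC chosen by the
        # locator (DNS SRV records), never a fixed server name.
        Write-Verbose "Not in the GC: $($missing -join ', '); querying each domain in turn"
        $roots = @(foreach ($d in $forest.Domains) { $d.GetDirectoryEntry() })
    }

    $toLoad = [string[]](@('objectGUID', 'objectSid') + $Attributes)
    $filter = '(&(objectCategory=person)(objectClass=user))'
    foreach ($root in $roots) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, $filter, $toLoad
        $searcher.PageSize    = $PageSize   # paged search; AD caps unpaged results (1000 by default)
        $searcher.SearchScope = 'Subtree'
        foreach ($r in $searcher.FindAll()) {
            $row = [ordered]@{
                # Stable, forest-unique keys for the SQL side; names can collide or be renamed.
                ObjectGuid = [guid]::new([byte[]]$r.Properties['objectguid'][0])
                Sid        = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$r.Properties['objectsid'][0], 0).Value
                SourceRoot = $root.psbase.Path    # which partition/domain the row came from
            }
            foreach ($a in $Attributes) {
                $key = $a.ToLower()   # SearchResult property names are lower-cased
                $row[$a] = if ($r.Properties[$key].Count -gt 0) { $r.Properties[$key][0] } else { $null }
            }
            [pscustomobject]$row
        }
        $searcher.Dispose()
    }
}

# Example call: Get-ForestUserRows -Attributes 'sAMAccountName','mail','employeeID' -Verbose
```

With `-Verbose` the function reports which model it chose and, in the per-domain case, which attributes forced it; that is the same question the vendor and customer above are arguing about, answered from the schema rather than by assumption.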


RE: [ActiveDir] Machine Password Changes

2006-06-12 Thread Kennedy, Jim

I think it would be best that SomeProduct should go in SomeTrashCan.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/580.mspx



RE: [ActiveDir] AD integration

2006-06-12 Thread walls

pse take me off your list, thx
 



RE: [ActiveDir] Machine Password Changes

2006-06-12 Thread walls

take me off your list, thx


[ActiveDir] DNS Question

2006-06-12 Thread Za Vue

Quick DNS question for you all.

DNS server-> W23K
Domain->W23K

How do you add the URL http://www.test2.math.smith.edu to the domain 
"Physics.Smith.edu" in DNS? Use CNAME?
If the URL was www.test2.physics.smith.edu then a simple host (A) would 
be fine.


Z.V.



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread victor-w
The thing is this:

I will be demoting a domain controller which is also running DNS. I 
would like to know which other servers have specified this dc as their 
DNS server (in their tcp/ip settings I mean).

Is there some way to check this, from the command line for example? 
Like for instance checking which fsmo roles are held by which dc's via 
ntdsutil.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Za Vue

How about
netdom query fsmo

Z.V.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] DNS Question

2006-06-12 Thread neil.ruston
I'd allow forwarding and DNS caching to accommodate this. Alternatively,
store a secondary copy of math.smith.edu and/or test2.math.smith.edu on
the DNS server in physics.smith.edu.

If you add a CNAME, what will the alias be called? Www?? You may already
have a www CNAME in that zone.

Maybe you should explain what you're trying to achieve :)

neil



PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments.  NIplc
does not provide investment services to private customers.  Authorised and
regulated by the Financial Services Authority.  Registered in England
no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP.  A member of the Nomura group of companies.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread McNicholas, Joe
Couple of answers spring to mind:

- WMI script to query the other DC's IP Configuration
- Monitor the DNS app to find out which servers are querying it

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] DNS Question

2006-06-12 Thread AdamT


You could create a CNAME record to point www.test2.math.smith.edu to
physics.smith.edu, but you'd need to make sure that the web server
running on physics.smith.edu was prepared to take requests pointed at
www.test2

When your browser connects to a web server, it sends a host argument,
indicating which host it's attempting to connect to.  This is done
because sometimes several websites exist on one IP address.

So connecting to 192.168.1.10 and asking to GET /index.html with a
host argument of host:www.example.com might present the browser with a
different page to connecting to the same IP with host:www.example.org


--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Almeida Pinto, Jorge de
you will need to script this using:
(1) reading the registry of DCs
(2) using WMI
(3) using NETSH
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 
This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread neil.ruston
I suspect a WMI query will be needed.



Re: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Al Mulnick
I think what was asked was a way to find out what other clients are using this as their DNS host.
If that's the case, the best two ways I can think of to identify the hosts that use this server for DNS are to use increased logging on DNS and/or a network capture filtered for DNS queries (both tcp and udp just to be sure).

As a general best practice, good change and configuration databases are an industry best practice and helpful for this situation. Configuring more than one DNS host is another one. I realize how common your request is though, and that's how I know how to find the clients ;)

On 6/12/06, Za Vue <[EMAIL PROTECTED]> wrote:
> How about
>
> netdom query fsmo
>
> Z.V.
>
> [EMAIL PROTECTED] wrote:
> > The thing is this:
> >
> > I will be demoting a domain controller which is also running DNS. I
> > would like to know which other servers have specified this dc as their
> > DNS server (in their tcp/ip settings I mean).
> >
> > Is there some way to check this, from the command line for example?
> > Like for instance checking which fsmo roles are held by which dc's via
> > ntdsutil.


RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Olivarez, Sergio J Mr CTNOSC/GD-NS
Try the "NetSh" command.  I couldn't get the "-r (Computer Name)" option to
work with the "interface ip show dns" option, but maybe you can.

Or you can do a NetMon trace and filter for incoming DNS requests. 

-Sergio

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 12, 2006 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS - How to tell the static DNS IP-addresses per
server

The thing is this:

I will be demoting a domain controller which is also running DNS. I 
would like to know which other servers have specified this dc as their 
DNS server (in their tcp/ip settings I mean).

Is there some way to check this, from the command line for example? 
Like for instance checking which fsmo roles are held by which dc's via 
ntdsutil.


Re: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Al Mulnick
I'm shocked that an IT worker in an environment with as many potential computers as yours would consider querying each host out there to find out which ones use a particular host for DNS name resolution services vs. querying the DNS server itself to find out what's using it. 

 
Maybe I'm missing some bigger picture out there 'cause there were several similar posts. Either that, or people have a lot of time on their hands and very few hosts in the pool.

Al

On 6/12/06, Olivarez, Sergio J Mr CTNOSC/GD-NS <[EMAIL PROTECTED]> wrote:
> Try the "NetSh" command.  I couldn't get the "-r (Computer Name)" option to
> work with the "interface ip show dns" option, but maybe you can.
>
> Or you can do a NetMon trace and filter for incoming DNS requests.
>
> -Sergio
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 12, 2006 8:37 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server
>
> The thing is this:
>
> I will be demoting a domain controller which is also running DNS. I
> would like to know which other servers have specified this dc as their
> DNS server (in their tcp/ip settings I mean).
>
> Is there some way to check this, from the command line for example?
> Like for instance checking which fsmo roles are held by which dc's via
> ntdsutil.


[ActiveDir] Time Server for Forest Root PDC

2006-06-12 Thread Teo De Las Heras
How have people on this list configured their Forest Root PDC to synchronize the time service?  Is it O.K. to use an internal time server on a firewall?  Is it best to point to tick.usno.navy.mil or time.windows.com?
 
Teo


RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Olivarez, Sergio J Mr CTNOSC/GD-NS

His question asked for a command line tool that he could use to query this information; this is why others and I suggested Netsh.  Maybe he has a small range of servers that he doesn’t feel like logging into or writing a script for, and just feels like querying them from the command prompt.  I don’t know!  I made a suggestion; if your suggestion accommodates Victor’s situation better then he can choose to do it your way.

-Sergio

From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Monday, June 12, 2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

> I'm shocked that an IT worker in an environment with as many potential computers as yours would consider querying each host out there to find out which ones use a particular host for DNS name resolution services vs. querying the DNS server itself to find out what's using it.
>
> Maybe I'm missing some bigger picture out there 'cause there were several similar posts. Either that, or people have a lot of time on their hands and very few hosts in the pool.
>
> Al
>
> On 6/12/06, Olivarez, Sergio J Mr CTNOSC/GD-NS <[EMAIL PROTECTED]> wrote:
> > Try the "NetSh" command.  I couldn't get the "-r (Computer Name)" option to
> > work with the "interface ip show dns" option, but maybe you can.
> >
> > Or you can do a NetMon trace and filter for incoming DNS requests.
> >
> > -Sergio
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]]
> > Sent: Monday, June 12, 2006 8:37 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server
> >
> > The thing is this:
> >
> > I will be demoting a domain controller which is also running DNS. I
> > would like to know which other servers have specified this dc as their
> > DNS server (in their tcp/ip settings I mean).
> >
> > Is there some way to check this, from the command line for example?
> > Like for instance checking which fsmo roles are held by which dc's via
> > ntdsutil.


Re: [ActiveDir] Time Server for Forest Root PDC

2006-06-12 Thread chuckgaff

The best approach is to set up NTP on the PDC Emulator role Forest Root DC to point to the two IP addresses by IP on the 2 US Naval Observatory time servers.  It is possible to use an internal server but best to use the external ones, depending on the individual company.

Chuck

-Original Message-
From: Teo De Las Heras <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Mon, 12 Jun 2006 13:22:33 -0400
Subject: [ActiveDir] Time Server for Forest Root PDC



How have people on this list configured their Forest Root PDC to synchronize the time service?  Is it O.K. to use an internal time server on a firewall?  Is it best to point to tick.usno.navy.mil or time.windows.com?
 
Teo





Re: [ActiveDir] Time Server for Forest Root PDC

2006-06-12 Thread Teo De Las Heras
That's how I feel.  My argument against using the internal firewall is that should someone change the firewall (woops) then every PC gets that change.  On the other hand, someone making a change to the DC's time should know enough about AD to not do it.  Even then, an alert would be generated (if configured in MOM).

 
Teo

On 6/12/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> The best approach is to set up NTP on the PDC Emulator role Forest Root DC to point to the two IP addresses by IP on the 2 US Naval Observatory time servers.  It is possible to use an internal server but best to use the external ones, depending on the individual company.
>
> Chuck
>
> -Original Message-
> From: Teo De Las Heras <[EMAIL PROTECTED]>
> To: ActiveDir@mail.activedir.org
> Sent: Mon, 12 Jun 2006 13:22:33 -0400
> Subject: [ActiveDir] Time Server for Forest Root PDC
>
> How have people on this list configured their Forest Root PDC to synchronize the time service?  Is it O.K. to use an internal time server on a firewall?  Is it best to point to tick.usno.navy.mil or time.windows.com?
>
> Teo


[ActiveDir] bitwise filters

2006-06-12 Thread Matheesha Weerasinghe

Guys,

I have a few questions on bitwise filters.

1. I just wanna make sure I've understood bitwise filters correctly.
Basically if I want to check if all bits are set, I should use the
Bitwise AND operator. If I need to check if any number of the bits I
am interested in are set, I should use the OR operator. Therefore the
OR operator is best used in multiple bit checking scenarios. If I am
checking for only one bit (and not multiple bits), then I should
use the AND operator. I guess it really doesn't matter. It's just the
logic behind it.

If I want a list of global and local groups, I could either do a
search for groups that are not universal or I could do a search for
groups that have the bit for either global or local set, couldn't I? i.e.
(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=6)) or
(&(objectcategory=group)(!(grouptype:1.2.840.113556.1.4.803:=8))).
Please correct me if I am wrong.

2. How do I find the bitwise filter OID for AND or OR without referring
to manuals. Can I query this in the directory or is it hardcoded?

3. Joe,

Could you please explain why the group type value output in adfind is
minus? If I do a query with -f
"(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=2147483650)"
grouptype, I get -2147483646 as the output. The results are correct. I
just want to understand why the output is minus.

Thanks

M@
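Questions 1 and 3 above come down to two facts about how the directory evaluates these filters: rule 1.2.840.113556.1.4.803 matches when every bit of the given mask is set in the attribute, rule 1.2.840.113556.1.4.804 when at least one is, and groupType is a 32-bit integer whose security-enabled flag is the top bit (0x80000000), so any security group reads as a negative number when the value is shown signed (2147483650 is 0x80000002, which as a signed 32-bit integer is -2147483646). The following is an added example, not code from the post, from adfind or from Microsoft: a small Python model of the two matching rules that assembles the filter text, applies each rule locally to a constructed list of groups, and converts between the unsigned and signed views of groupType. It also shows that the two filters from question 1 select the same groups on that sample.

```python
"""Local model of Active Directory's two bitwise LDAP matching rules.

Added example (not code from the post, from adfind or from Microsoft): it
evaluates (attr:1.2.840.113556.1.4.803:=mask) and (attr:...804:=mask) the
way the directory does, assembles the filter text, and shows why a
security-enabled group's groupType prints as a negative number. The group
list at the bottom is constructed.
"""
import struct

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all bits of mask set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any bit of mask set

# groupType flag bits, unsigned view.
GT_BUILTIN_LOCAL = 0x00000001
GT_GLOBAL = 0x00000002
GT_DOMAIN_LOCAL = 0x00000004
GT_UNIVERSAL = 0x00000008
GT_SECURITY_ENABLED = 0x80000000   # top bit: negative when read as signed


def to_unsigned32(value):
    """Bit pattern of a 32-bit value, whichever sign it was printed with."""
    return value & 0xFFFFFFFF


def to_signed32(value):
    """Reinterpret the same 32 bits as the signed integer AD stores."""
    return struct.unpack("<i", struct.pack("<I", to_unsigned32(value)))[0]


def bit_and_matches(attr_value, mask):
    """Rule 803: every bit of mask must be set in the attribute value."""
    m = to_unsigned32(mask)
    return (to_unsigned32(attr_value) & m) == m


def bit_or_matches(attr_value, mask):
    """Rule 804: at least one bit of mask must be set in the attribute value."""
    return (to_unsigned32(attr_value) & to_unsigned32(mask)) != 0


def build_filter(rule_oid, mask, attribute="groupType", negate=False):
    """Filter text for a group search with one bitwise term, optionally negated."""
    term = f"({attribute}:{rule_oid}:={mask})"
    if negate:
        term = f"(!{term})"
    return f"(&(objectCategory=group){term})"


def evaluate(groups, rule_oid, mask, negate=False):
    """Apply one bitwise term to (name, groupType) pairs; return matching names."""
    test = bit_and_matches if rule_oid == LDAP_MATCHING_RULE_BIT_AND else bit_or_matches
    return [name for name, group_type in groups if test(group_type, mask) != negate]


# Constructed sample; groupType is given as the signed value adfind shows.
SAMPLE_GROUPS = [
    ("Domain Admins", to_signed32(GT_SECURITY_ENABLED | GT_GLOBAL)),        # -2147483646
    ("Help Desk", to_signed32(GT_SECURITY_ENABLED | GT_DOMAIN_LOCAL)),      # -2147483644
    ("All Staff", to_signed32(GT_SECURITY_ENABLED | GT_UNIVERSAL)),         # -2147483640
    ("Administrators", to_signed32(GT_SECURITY_ENABLED | GT_DOMAIN_LOCAL | GT_BUILTIN_LOCAL)),
    ("Newsletter", GT_UNIVERSAL),  # distribution group: no security bit, positive 8
]

if __name__ == "__main__":
    print(build_filter(LDAP_MATCHING_RULE_BIT_OR, GT_GLOBAL | GT_DOMAIN_LOCAL))
    print(evaluate(SAMPLE_GROUPS, LDAP_MATCHING_RULE_BIT_OR, GT_GLOBAL | GT_DOMAIN_LOCAL))
    print(build_filter(LDAP_MATCHING_RULE_BIT_AND, GT_UNIVERSAL, negate=True))
    print(evaluate(SAMPLE_GROUPS, LDAP_MATCHING_RULE_BIT_AND, GT_UNIVERSAL, negate=True))
    print(hex(to_unsigned32(-2147483646)), to_signed32(2147483650))
```

The practical consequence for the AND rule: a mask that includes the security bit (2147483650 in the post) only matches security-enabled groups, whereas a mask of 2 alone matches global groups whether or not they are security-enabled, so pick the mask by the bits you actually care about rather than by the sign of the number a tool printed.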


Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server

2006-06-12 Thread Lucas, Bryan
Re-post

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, June 08, 2006 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Along these lines, has anyone seen an actual best practices whitepaper for MS Virtual Server?  How to configure disk arrays, controller cache, how many VHDs per volume, memory allocation, etc.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Wednesday, June 07, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

This is absolutely true.  I know virtualization scares a lot of people, but the fact is that in some environments virtualizing systems saves a great deal of money and actually makes managing systems much easier (here it has reportedly saved a "significant" amount in hardware cost for the enterprise).  I have been closely watching my Exchange servers ever since our AD side of the house started virtualizing DC's and with domain controllers running on ESX servers in an optimized configuration the performance is very close to hardware.  I have noticed that in terms of LDAP performance that VM's are a tad bit slower than hardware, but that "tad" is well within the range of performance that applications like Exchange require.  After over a year of having virtualized DC's we have not had any problems with virtualized domain controllers (placed globally on ESX servers around the world).  We do, however, work on the side of caution and do maintain a few hardware DC's in our HQ that own FSMO roles, but I've seen nothing to suggest that they could not be on VM's to date (it's just a precaution).

I have to admit at first I totally dismissed virtualization because I considered it, like others, as more of a development\test environment solution, however I have since been convinced after working with virtualized OS's that it has its place (we have 100's if not 1000's of virtualized hosts currently in production).  I/O intensive applications are not a good place for virtualization in production, but other less I/O intensive applications work great with it.  Brian does have a point in that it has to be "done correctly" and with the right understanding of how to build a high performing virtualization environment it will work just fine for domain controllers\global catalog servers.

Regards,
Steven

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, June 07, 2006 12:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

I have no problem with VMWare or Virtual Server DCs if done correctly. Frankly, 7K users is like pocket change if you ask me. Really, the users generate no load – they logon to the PC and change their password. Things like Exchange (and OLK), machines, and other AD aware apps do. If properly written and the virtual hardware properly configured everything should still jive. If I had to make a one off guess with no more info I’d say go for it. The price war with MS and EMC on virtualization has made this far more economical, and if you’re going to be doing branches, you can play your sacred card and virtualize stuff and quasi isolate it. There have been a couple lengthy discussions on that subject recently – Tony has a search widget on the website for this DL. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
Sent: Tuesday, June 06, 2006 8:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Ada,

I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it?

This is not a criticism - just a curious thinking out loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with. Proof of concept is always good in these scenarios...  if you were to set this up in a lab, even with just two VMWare-ed DC's, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.

Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However it does need to stay up all the time.  ;)

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. T

[ActiveDir] Renaming a domain

2006-06-12 Thread Clingaman, Bruce



I have a simple internal only domain: flat domain name, two DCs, no sub domains. I am renaming to a more descriptive name with a .edu suffix. I created the DNS zone with the new name.

I am at step 6 of renaming a domain of the "Step by Step Guide to Implementing Domain Rename," "check for presence of required DNS resource records."  I am supposed to have a cname and srv record for each DC in the new DNS zone. I have only one DC listed for each record. All the commands so far have said "executed without error."

Any advice?



RE: [ActiveDir] Renaming a domain

2006-06-12 Thread Almeida Pinto, Jorge de
If I remember correctly from the last time I did this
 
assuming (example)
* OLD domain is called BEFORE.LOCAL
* NEW domain is called AFTER.LOCAL
 
in both cases you will have a _MSDCS subdomain OR additional zones like:
_MSDCS.BEFORE.LOCAL
_MSDCS.AFTER.LOCAL
 
as this is the forest root domain being renamed... you will find a CNAME record 
in both "_MSDCS.BEFORE.LOCAL" and "_MSDCS.AFTER.LOCAL" that points to 
SOMEDC.BEFORE.LOCAL and you should have an A record SOMEDC.BEFORE.LOCAL that 
points to XXX.XXX.XXX.XXX (IP address)
 
Does this answer your Q?
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of Clingaman, Bruce
Sent: Mon 2006-06-12 22:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Renaming a domain


I have a simple internal only domain: flat domain name, two DCs, no sub 
domains. I am renaming to a more discriptive name with a .edu suffix. I created 
the DNS zone with the new name.
I am at step 6 of renaming a domain of the "Step by Step Guide to Implementing 
Domain Rename," "check for presence of required DNS resouce records."  I am 
suppose to have a cname and srv record for each DC in the new DNS zone. I have 
only one DC listed for each record. All the commands so far have said "executed 
without error." 

Any advice?
 
 



RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Victor W.



Thank you all for the input.

I will tell a little bit more about this situation:

I am in an environment where it is unclear/undocumented which servers are using which DNS servers as their primary and secondary DNS servers (statically filled in in their TCP/IP settings).

We are talking about 60 servers approx so logging on to each of them separately would not be all that pleasant, ;-) maybe I should have been more clear about that from the start.

What I am looking for is indeed something I could run on only one dc for instance, querying all servers in the domain and thereby checking which DNS servers they are using as their primary and secondary DNS servers.

Victor



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivarez, Sergio J Mr CTNOSC/GD-NS
Sent: Monday 12 June 2006 19:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

> His question asked for a command line tool that he could use to query this information; this is why others and I suggested, Netsh.  Maybe he has a small range of server that he doesn’t feel like logging into or writing a script for, and just feels like querying them from the command prompt.  I don’t know!  I made a suggestion; if your suggestion accommodates Victor’s situation better then he can choose to do it your way.
>
> -Sergio
>
> From: Al Mulnick [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 12, 2006 9:50 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server
>
> > I'm shocked that an IT worker in an environment with as many potential computers as yours would consider querying each host out there to find out which ones use a particular host for DNS name resolution services vs. querying the DNS server itself to find out what's using it.
> >
> > Maybe I'm missing some bigger picture out there 'cuase there were several similar posts. Either that, or people have a lot of time on their hands and very few hosts in the pool.
> >
> > Al
> >
> > On 6/12/06, Olivarez, Sergio J Mr CTNOSC/GD-NS <[EMAIL PROTECTED]> wrote:
> > > Try the "NetSh" command.  I couldn't get the "-r (Computer Name)" option to
> > > work with the "interface ip show dns" option, but maybe you can.
> > >
> > > Or you can do a NetMon trace and filter for incoming DNS requests.
> > >
> > > -Sergio
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]]
> > > Sent: Monday, June 12, 2006 8:37 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server
> > >
> > > The thing is this:
> > >
> > > I will be demoting a domain controller which is also running DNS. I
> > > would like to know which other servers have specified this dc as their
> > > DNS server (in their tcp/ip settings I mean).
> > >
> > > Is there some way to check this, from the command line for example?
> > > Like for instance checking which fsmo roles are held by which dc's via
> > > ntdsutil.
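The server-side approach Al Mulnick suggests earlier in this thread (turn up logging on the DNS server and see who is asking it questions) scales to Victor's 60 servers without touching each host, and it also catches anything that is not a domain member. What follows is an added example, not code from the thread: a Python script that reads packet lines in the shape the Windows DNS Server debug log writes when packet logging is enabled, keeps only queries received from clients, and summarises one row per client IP with a query count, last-seen time and a sample name. The log excerpt is constructed for the example, and the field layout the regular expression assumes (date, time, thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, transaction id, optional R, opcode, bracketed flags, query type, length-prefixed name) is that of the Server 2003/2008 debug log; compare it against a real line from your own dns.log before relying on the parse.

```python
"""Summarise which clients send queries to a Windows DNS server.

Added example, not from the list thread: it parses packet lines in the shape
written by the DNS Server debug log (dns.log with packet logging on), keeps
only queries *received* from clients, and reports one row per client IP.
The log excerpt below is constructed for the example; no real hosts appear.
"""
import re
from datetime import datetime

# Constructed dns.log excerpt (assumed Server 2003/2008 packet-line layout).
SAMPLE_LOG = """\
DNS Server log file creation at 6/12/2006 8:39:55 AM
6/12/2006 8:40:01 AM 0F54 PACKET  019A8F10 UDP Rcv 10.0.5.21       0002   Q [0001   D   NOERROR] A      (4)mail(7)example(3)edu(0)
6/12/2006 8:40:01 AM 0F54 PACKET  019A8F10 UDP Snd 10.0.5.21       0002 R Q [8085 A DR  NOERROR] A      (4)mail(7)example(3)edu(0)
6/12/2006 8:40:07 AM 0F54 PACKET  019A9310 UDP Rcv 10.0.5.37       1a3f   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(7)example(3)edu(0)
6/12/2006 8:41:15 AM 0F54 PACKET  019A8F10 UDP Rcv 10.0.5.21       0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)edu(0)
6/12/2006 8:41:20 AM 0F54 PACKET  019A9A20 UDP Rcv 10.0.9.8        00c4   Q [0001   D   NOERROR] PTR    (2)21(1)5(1)0(2)10(7)in-addr(4)arpa(0)
6/12/2006 8:41:22 AM 0F54 PACKET  019A9A20 UDP Snd 10.0.9.8        00c4 R Q [8385 A DR NXDOMAIN] PTR    (2)21(1)5(1)0(2)10(7)in-addr(4)arpa(0)
"""

# One packet line: date time thread PACKET packet-id proto Snd/Rcv remote-ip
# xid [R] opcode [flags] qtype qname. Non-packet lines (headers) do not match.
PACKET_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"\S+\s+PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+"
    r"(?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]+)\s+(?P<resp>R\s+)?(?P<opcode>[QNUR])\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)


def decode_name(wire_name):
    """Turn the log's length-prefixed form (3)www(7)example(3)edu(0) into www.example.edu."""
    return re.sub(r"\(\d+\)", ".", wire_name).strip(".")


def parse_packet_line(line):
    """Return a dict for a packet line, or None for anything else in the log."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["date"], "%m/%d/%Y %I:%M:%S %p"),
        "proto": m["proto"],
        "direction": m["dir"],
        "client": m["ip"],
        "is_response": m["resp"] is not None,
        "qtype": m["qtype"],
        "qname": decode_name(m["qname"]),
    }


def client_report(log_text):
    """Per-client summary of queries this server received (Rcv, not responses)."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_packet_line(line)
        if rec is None or rec["direction"] != "Rcv" or rec["is_response"]:
            continue
        entry = report.setdefault(rec["client"], {"queries": 0, "last_seen": None, "names": set()})
        entry["queries"] += 1
        if entry["last_seen"] is None or rec["time"] > entry["last_seen"]:
            entry["last_seen"] = rec["time"]
        entry["names"].add(rec["qname"])
    return report


def format_report(report):
    """One text row per client, busiest first."""
    rows = []
    for ip, e in sorted(report.items(), key=lambda kv: -kv[1]["queries"]):
        sample = sorted(e["names"])[0]
        rows.append(f"{ip:<16} {e['queries']:>5}  last {e['last_seen']:%Y-%m-%d %H:%M:%S}  e.g. {sample}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(client_report(SAMPLE_LOG)))
```

Run it against the real file with `client_report(open(path).read())`. Log both UDP and TCP, as Al notes, and remember that clients behind another DNS server or forwarder appear as that server's address, so a forwarder entry means "something behind it" rather than one host; a machine that never queries during the logging window (a rarely exercised secondary DNS entry, for instance) will not show up at all, which is why the per-host inventory of DNSServerSearchOrder, as in the WMI script later in the thread, is the complementary check before the DC is demoted.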
 


[ActiveDir] OT: RUS

2006-06-12 Thread Clay, Justin \(ITS\)








Would there be an easy way to write a RUS policy that stamped the email addresses based on what domain each user was in? This seems like it would be easy, but I don’t see any attribute that I can get the domain from with an LDAP query.

Please tell me I’m missing something obvious!

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.


RE: [ActiveDir] OT: RUS

2006-06-12 Thread Presley, Steven



You can use userPrincipalName I suppose...perhaps something 
like (&(mailnickname=*)([EMAIL PROTECTED])).
 
Regards,
Steven

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Monday, June 12, 2006 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: RUS

> Would there be an easy way to write a RUS policy that stamped the email addresses based on what domain each user was in? This seems like it would be easy, but I don’t see any attribute that I can get the domain from with an LDAP query.
>
> Please tell me I’m missing something obvious!
>
> Justin Clay
> ITS Enterprise Services
> Metropolitan Government of Nashville and Davidson County
> Howard School Building
> Phone: (615) 880-2573



Re: [ActiveDir] OT: RUS

2006-06-12 Thread Al Mulnick
There're probably too many definitions of the word "domain" to really give good advice.  Can you expand that question? 
 
On 6/12/06, Clay, Justin (ITS) <[EMAIL PROTECTED]> wrote:




Would there be an easy way to write a RUS policy that stamped the email addresses based on what domain each user was in? This seems like it would be easy, but I don't see any attribute that I can get the domain from with an LDAP query.

 
Please tell me I'm missing something obvious!
 
Justin Clay
ITS Enterprise Services
 Metropolitan Government of Nashville and Davidson County
 Howard School Building
 Phone: (615) 880-2573
 






RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Richard Kline










This came from MSDN’s Scriptomatic 2.0.

It dumps everything!  Remove the many many lines which you don’t need.   Edit the constant “SERVERNAME” to the machine in question.   I’ve not tried it but I think that you can put in multiple names separated by commas.

Rich

On Error Resume Next

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

arrComputers = Array("SERVERNAME")
For Each strComputer In arrComputers
   WScript.Echo
   WScript.Echo "=="
   WScript.Echo "Computer: " & strComputer
   WScript.Echo "=="

   Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
   Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration", "WQL", _
                                          wbemFlagReturnImmediately + wbemFlagForwardOnly)

   For Each objItem In colItems
      WScript.Echo "ArpAlwaysSourceRoute: " & objItem.ArpAlwaysSourceRoute
      WScript.Echo "ArpUseEtherSNAP: " & objItem.ArpUseEtherSNAP
      WScript.Echo "Caption: " & objItem.Caption
      WScript.Echo "DatabasePath: " & objItem.DatabasePath
      WScript.Echo "DeadGWDetectEnabled: " & objItem.DeadGWDetectEnabled
      strDefaultIPGateway = Join(objItem.DefaultIPGateway, ",")
      WScript.Echo "DefaultIPGateway: " & strDefaultIPGateway
      WScript.Echo "DefaultTOS: " & objItem.DefaultTOS
      WScript.Echo "DefaultTTL: " & objItem.DefaultTTL
      WScript.Echo "Description: " & objItem.Description
      WScript.Echo "DHCPEnabled: " & objItem.DHCPEnabled
      WScript.Echo "DHCPLeaseExpires: " & WMIDateStringToDate(objItem.DHCPLeaseExpires)
      WScript.Echo "DHCPLeaseObtained: " & WMIDateStringToDate(objItem.DHCPLeaseObtained)
      WScript.Echo "DHCPServer: " & objItem.DHCPServer
      WScript.Echo "DNSDomain: " & objItem.DNSDomain
      strDNSDomainSuffixSearchOrder = Join(objItem.DNSDomainSuffixSearchOrder, ",")
      WScript.Echo "DNSDomainSuffixSearchOrder: " & strDNSDomainSuffixSearchOrder
      WScript.Echo "DNSEnabledForWINSResolution: " & objItem.DNSEnabledForWINSResolution
      WScript.Echo "DNSHostName: " & objItem.DNSHostName
      strDNSServerSearchOrder = Join(objItem.DNSServerSearchOrder, ",")
      WScript.Echo "DNSServerSearchOrder: " & strDNSServerSearchOrder
      WScript.Echo "DomainDNSRegistrationEnabled: " & objItem.DomainDNSRegistrationEnabled
      WScript.Echo "ForwardBufferMemory: " & objItem.ForwardBufferMemory
      WScript.Echo "FullDNSRegistrationEnabled: " & objItem.FullDNSRegistrationEnabled
      strGatewayCostMetric = Join(objItem.GatewayCostMetric, ",")
      WScript.Echo "GatewayCostMetric: " & strGatewayCostMetric
      WScript.Echo "IGMPLevel: " & objItem.IGMPLevel
      WScript.Echo "Index: " & objItem.Index
      strIPAddress = Join(objItem.IPAddress, ",")
      WScript.Echo "IPAddress: " & strIPAddress
      WScript.Echo "IPConnectionMetric: " & objItem.IPConnectionMetric
      WScript.Echo "IPEnabled: " & objItem.IPEnabled
      WScript.Echo "IPFilterSecurityEnabled: " & objItem.IPFilterSecurityEnabled
      WScript.Echo "IPPortSecurityEnabled: " & objItem.IPPortSecurityEnabled
      strIPSecPermitIPProtocols = Join(objItem.IPSecPermitIPProtocols, ",")
      WScript.Echo "IPSecPermitIPProtocols: " & strIPSecPermitIPProtocols
      strIPSecPermitTCPPorts = Join(objItem.IPSecPermitTCPPorts, ",")
      WScript.Echo "IPSecPermitTCPPorts: " & strIPSecPermitTCPPorts
      strIPSecPermitUDPPorts = Join(objItem.IPSecPermitUDPPorts, ",")
      WScript.Echo "IPSecPermitUDPPorts: " & strIPSecPermitUDPPorts
      strIPSubnet = Join(objItem.IPSubnet, ",")
      WScript.Echo "IPSubnet: " & strIPSubnet
      WScript.Echo "IPUseZeroBroadcast: " & objItem.IPUseZeroBroadcast
      WScript.Echo "IPXAddress: " & objItem.IPXAddress
      WScript.Echo "IPXEnabled: " & objItem.IPXEnabled
      strIPXFrameType = Join(objItem.IPXFrameType, ",")
      WScript.Echo "IPXFrameType: " & strIPXFrameType
      WScript.Echo "IPXMediaType: " & objItem.IPXMediaType
      strIPXNetworkNumber = Join(objItem.IPXNetworkNumber, ",")
      WScript.Echo "IPXNetworkNumber: " & strIPXNetworkNumber
      WScript.Echo "IPXVirtualNetNumber: " & objItem.IPXVirtualNetNumber
      WScript.Echo "KeepAliveInterval: " & objItem.KeepAliveInterval
      WScript.Echo "KeepAliveTime: " & objItem.KeepAliveTime
      WScript.Echo "MACAddress: " & objItem.MACAddress
      WScript.Echo "MTU: " & objItem.MTU
      WScript.Echo "NumForwardPackets: " & objItem.NumForwardPackets
      WScript.Echo "PMTUBHDetectEnabled: " & objItem.PMTUBHDetectEnabled
      WScript.Echo "PMTUDiscoveryEnabled: " & objItem.PMTUDiscoveryEnabled
      WScript.Echo "ServiceName: " & objItem.ServiceName
      WScript.Echo "SettingID: " & objItem.SettingID
      WScript.Echo "TcpipNetbiosOptions: " & objIt

OT: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server

2006-06-12 Thread Al Mulnick
There's this:
http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

And then http://www.microsoft.com/windowsserversystem/virtualserver/default.mspx

And
http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

But now that you mention it, I don't think a collective best practice for general usage is something I've seen.

On 6/12/06, Lucas, Bryan <[EMAIL PROTECTED]> wrote:

Re-post

Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lucas, Bryan
Sent: Thursday, June 08, 2006 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Along these lines, has anyone seen an actual best practices whitepaper for MS Virtual Server?  How to configure disk arrays, controller cache, how many VHDs per volume, memory allocation, etc.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Presley, Steven
Sent: Wednesday, June 07, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

This is absolutely true.  I know virtualization scares a lot of people, but the fact is that in some environments virtualizing systems saves a great deal of money and actually makes managing systems much easier (here it has reportedly saved a "significant" amount in hardware cost for the enterprise).  I have been closely watching my Exchange servers ever since our AD side of the house started virtualizing DC's and with domain controllers running on ESX servers in an optimized configuration the performance is very close to hardware.  I have noticed that in terms of LDAP performance that VM's are a tad bit slower than hardware, but that "tad" is well within the range of performance that applications like Exchange require.  After over a year of having virtualized DC's we have not had any problems with virtualized domain controllers (placed globally on ESX servers around the world).  We do, however, work on the side of caution and do maintain a few hardware DC's in our HQ that own FSMO roles, but I've seen nothing to suggest that they could not be on VM's to date (it's just a precaution).

I have to admit at first I totally dismissed virtualization because I considered it, like others, as more of a development\test environment solution, however I have since been convinced after working with virtualized OS's that it has its place (we have 100's if not 1000's of virtualized hosts currently in production).  I/O intensive applications are not a good place for virtualization in production, but other less I/O intensive applications work great with it.  Brian does have a point in that it has to be "done correctly" and with the right understanding of how to build a high performing virtualization environment it will work just fine for domain controllers\global catalog servers.

Regards,
Steven

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, June 07, 2006 12:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

I have no problem with VMWare or Virtual Server DCs if done correctly. Frankly, 7K users is like pocket change if you ask me. Really, the users generate no load – they logon to the PC and change their password. Things like Exchange (and OLK), machines, and other AD aware apps do. If properly written and the virtual hardware properly configured everything should still jive. If I had to make a one off guess with no more info I'd say go for it. The price war with MS and EMC on virtualization has made this far more economical, and if you're going to be doing branches, you can play your sacred card and virtualize stuff and quasi isolate it. There have been a couple lengthy discussions on that subject recently – Tony has a search widget on the website for this DL. :)

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Molkentin, Steve
Sent: Tuesday, June 06, 2006 8:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

Ada,

I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it?

This is not a criticism - just a curious thinking out loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with. Proof of concept is always good in these scenarios...  if you were to set this up in a lab, even with just two VMWare-ed DC's, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.

Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC 

RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Tony Murray








Here’s another option.

http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=45

There is a Group Policy setting that allows you to override any DNS Servers configured in client IP settings (either manually or via DHCP).  Unfortunately, it only works on XP.

Computer Configuration\Administrative Templates\Network\DNS Client\DNS Servers

Tony

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Richard Kline
Sent: Tuesday, 13 June 2006 10:51 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses
per server





 



This came from MSDN’s Scriptomatic 2.0.

It dumps everything!  Remove the many many lines which you don’t need.   Edit the constant “SERVERNAME” to the machine in question.   I’ve not tried it but I think that you can put in multiple names separated by commas.

Rich


On Error Resume Next

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

arrComputers = Array("SERVERNAME")
For Each strComputer In arrComputers
   WScript.Echo
   WScript.Echo "=="
   WScript.Echo "Computer: " & strComputer
   WScript.Echo "=="

   Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
   Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration", "WQL", _
      wbemFlagReturnImmediately + wbemFlagForwardOnly)

   For Each objItem In colItems
      WScript.Echo "ArpAlwaysSourceRoute: " & objItem.ArpAlwaysSourceRoute
      WScript.Echo "ArpUseEtherSNAP: " & objItem.ArpUseEtherSNAP
      WScript.Echo "Caption: " & objItem.Caption
      WScript.Echo "DatabasePath: " & objItem.DatabasePath
      WScript.Echo "DeadGWDetectEnabled: " & objItem.DeadGWDetectEnabled
      strDefaultIPGateway = Join(objItem.DefaultIPGateway, ",")
      WScript.Echo "DefaultIPGateway: " & strDefaultIPGateway
      WScript.Echo "DefaultTOS: " & objItem.DefaultTOS
      WScript.Echo "DefaultTTL: " & objItem.DefaultTTL
      WScript.Echo "Description: " & objItem.Description
      WScript.Echo "DHCPEnabled: " & objItem.DHCPEnabled
      WScript.Echo "DHCPLeaseExpires: " & WMIDateStringToDate(objItem.DHCPLeaseExpires)
      WScript.Echo "DHCPLeaseObtained: " & WMIDateStringToDate(objItem.DHCPLeaseObtained)
      WScript.Echo "DHCPServer: " & objItem.DHCPServer
      WScript.Echo "DNSDomain: " & objItem.DNSDomain
      strDNSDomainSuffixSearchOrder = Join(objItem.DNSDomainSuffixSearchOrder, ",")
      WScript.Echo "DNSDomainSuffixSearchOrder: " & strDNSDomainSuffixSearchOrder
      WScript.Echo "DNSEnabledForWINSResolution: " & objItem.DNSEnabledForWINSResolution
      WScript.Echo "DNSHostName: " & objItem.DNSHostName
      strDNSServerSearchOrder = Join(objItem.DNSServerSearchOrder, ",")
      WScript.Echo "DNSServerSearchOrder: " & strDNSServerSearchOrder
      WScript.Echo "DomainDNSRegistrationEnabled: " & objItem.DomainDNSRegistrationEnabled
      WScript.Echo "ForwardBufferMemory: " & objItem.ForwardBufferMemory
      WScript.Echo "FullDNSRegistrationEnabled: " & objItem.FullDNSRegistrationEnabled
      strGatewayCostMetric = Join(objItem.GatewayCostMetric, ",")
      WScript.Echo "GatewayCostMetric: " & strGatewayCostMetric
      WScript.Echo "IGMPLevel: " & objItem.IGMPLevel
      WScript.Echo "Index: " & objItem.Index
      strIPAddress = Join(objItem.IPAddress, ",")
      WScript.Echo "IPAddress: " & strIPAddress
      WScript.Echo "IPConnectionMetric: " & objItem.IPConnectionMetric
      WScript.Echo "IPEnabled: " & objItem.IPEnabled
      WScript.Echo "IPFilterSecurityEnabled: " & objItem.IPFilterSecurityEnabled
      WScript.Echo "IPPortSecurityEnabled: " & objItem.IPPortSecurityEnabled
      strIPSecPermitIPProtocols = Join(objItem.IPSecPermitIPProtocols, ",")
      WScript.Echo "IPSecPermitIPProtocols: " & strIPSecPermitIPProtocols
      strIPSecPermitTCPPorts = Join(objItem.IPSecPermitTCPPorts, ",")
      WScript.Echo "IPSecPermitTCPPorts: " & strIPSecPermitTCPPorts
      strIPSecPermitUDPPorts = Join(objItem.IPSecPermitUDPPorts, ",")
      WScript.Echo "IPSecPermitUDPPorts: " & strIPSecPermitUDPPorts
      strIPSubnet = Join(objItem.IPSubnet, ",")
      WScript.Echo "IPSubnet: " & strIPSubnet
      WScript.Echo "IPUseZeroBroadcast: " & objItem.IPUseZeroBroadcast
      WScript.Echo "IPXAddress: " & objItem.IPXAddress
      WScript.Echo "IPXEnabled: " & objItem.IPXEnabled
      strIPXFrameType = Join(objItem.IPXFrameType, ",")
      WScript.Echo "IPXFrameType: " & strIPXFrameType
      WScript.Echo "IPXMediaType: " & objItem.IPXMediaType
      strIPXNetworkNumber = Join(objItem.IPXNetworkNumber, ",")
      WScript.Echo "IPXNetworkNumber: " & strIPXNetworkNumber
      WScript.Echo "IPXVirtualNetNumber: " & objItem.IPXVirtualNetNumber


RE: [ActiveDir] bitwise filters

2006-06-12 Thread Tony Murray
Hi M@

Responses in-line.

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha 
Weerasinghe
Sent: Tuesday, 13 June 2006 8:08 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] bitwise filters

Guys,

I have a few questions on bitwise filters.

1. I just wanna make sure I've understood bitwise filters correctly.
Basically if I want to check if all bits are set, I should use the Bitwise AND 
operator. If I need to check if any number of the bits I am interested in are 
set, I should use the OR operator. Therefore the OR operator is best used in 
multiple bit checking scenarios. If I am checking for only one bit (and not 
multiple bits), then I should use the AND operator. I guess it really doesn't 
matter. It's just the logic behind it.

***TM: Your understanding is correct.

If I want a list of global and local groups, I could either do a search for 
groups that are not universal or I could do a search for groups that have the 
bit for either global or local set, couldn't I? i.e.
(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=6)) or 
(&(objectcategory=group)(!(grouptype:1.2.840.113556.1.4.803:=8))).
Please correct me if I am wrong.

***TM: The first filter looks better to me.  The second one would not find 
Universal security groups (because with the AND matching rule all of the bits 
must match).  Universal security groups have a decimal value of 2147483656.

2. How do I find the bitwise filter OID for AND or OR without referring to 
manuals? Can I query this in the directory or is it hardcoded?

***TM: I don't believe you'll find it in the directory (i.e. it's not part of 
the schema).  It is however a (Microsoft) registered OID.  See 
http://www.alvestrand.no/objectid/1.2.840.113556.1.4.html

3. Joe,

Could you please explain why the group type value output in adfind is minus? If 
I do a query with -f 
"(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=2147483650)"
grouptype, I get -2147483646 as the output. The results are correct. I just 
want to understand why the output is minus.

***TM: I'm sure Joe will answer this one.

Thanks

M@
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


This communication, including any attachments, is confidential. If you are not 
the intended recipient, you should not read it - please contact me immediately, 
destroy it, and do not copy or use any part of this communication or disclose 
anything about it. Thank you. Please note that this communication does not 
designate an information system for the purposes of the Electronic Transactions 
Act 2002.
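A worked example, added here and not part of the thread, that evaluates the two matching rules discussed above (1.2.840.113556.1.4.803 for AND, 1.2.840.113556.1.4.804 for OR) against a constructed list of groupType values, and that also shows why adfind prints -2147483646 for groupType 2147483650: AD stores groupType as a 32-bit signed integer, so any value with the SECURITY_ENABLED bit (0x80000000) set reads back negative. The OIDs and the groupType flag bits are the documented values; the group names and the sample list are constructed.

```python
# Added example (not from the thread): LDAP bitwise matching rules and the
# signed/unsigned view of the groupType attribute.

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all operand bits set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any operand bit set

# Documented groupType flag bits.
GROUP_TYPE_GLOBAL = 0x00000002            # "account group"
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004      # "resource group"
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # clear for distribution groups


def to_signed32(value: int) -> int:
    """Reinterpret a 32-bit quantity as the signed integer AD returns."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def to_unsigned32(value: int) -> int:
    """Inverse of to_signed32: the value as a non-negative 32-bit integer."""
    return value & 0xFFFFFFFF


def bitwise_match(attr_value: int, rule_oid: str, operand: int) -> bool:
    """Evaluate (attr:rule_oid:=operand) the way the AD matching rules do.

    Both sides are compared as 32-bit unsigned quantities, so the negative
    stored value and its unsigned form give the same result.
    """
    a = to_unsigned32(attr_value)
    o = to_unsigned32(operand)
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return (a & o) == o
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return (a & o) != 0
    raise ValueError(f"unknown matching rule {rule_oid}")


# Constructed sample groups: (name, groupType as AD returns it, i.e. signed).
SAMPLE_GROUPS = [
    ("Domain Admins", to_signed32(GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_GLOBAL)),
    ("Finance-RW", to_signed32(GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_DOMAIN_LOCAL)),
    ("Enterprise Admins", to_signed32(GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_UNIVERSAL)),
    ("Newsletter", GROUP_TYPE_GLOBAL),        # distribution group
    ("Printers-DL", GROUP_TYPE_DOMAIN_LOCAL),  # distribution group
    ("AllStaff", GROUP_TYPE_UNIVERSAL),        # distribution group
]


def global_or_local_via_or(groups):
    """First filter in the thread: (grouptype:1.2.840.113556.1.4.804:=6)."""
    return [n for n, gt in groups if bitwise_match(gt, LDAP_MATCHING_RULE_BIT_OR, 6)]


def global_or_local_via_not_universal(groups):
    """Second filter in the thread: (!(grouptype:1.2.840.113556.1.4.803:=8))."""
    return [n for n, gt in groups if not bitwise_match(gt, LDAP_MATCHING_RULE_BIT_AND, 8)]


def security_enabled_global(groups):
    """Question 3's filter: (grouptype:1.2.840.113556.1.4.803:=2147483650), i.e. 0x80000002."""
    return [n for n, gt in groups if bitwise_match(gt, LDAP_MATCHING_RULE_BIT_AND, 2147483650)]


if __name__ == "__main__":
    print("OR filter  :", global_or_local_via_or(SAMPLE_GROUPS))
    print("NOT filter :", global_or_local_via_not_universal(SAMPLE_GROUPS))
    print("sec. global:", security_enabled_global(SAMPLE_GROUPS))
    # The adfind output from question 3, explained: 0x80000002 has the top bit set.
    print(to_signed32(2147483650), to_unsigned32(-2147483646))  # -2147483646 2147483650
```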

RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Freddy HARTONO



The only comment on the WMI script below is that it will dump every network card that you have; is there a way that you could do it for the primary network card (the one on top of the binding list)?

As for the registry key, it will be the NameServerList value, but it still binds to the transport ID (which is different for all servers).

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, June 13, 2006 6:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

This came from MSDN’s Scriptomatic 2.0.

It dumps everything!  Remove the many many lines which you don’t need.   Edit the constant “SERVERNAME” to the machine in question.   I’ve not tried it but I think that you can put in multiple names separated by commas.

Rich

 

RE: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server

2006-06-12 Thread Lucas, Bryan








The paper on running a DC on a VM is interesting, particularly this section.  What is Virtual Machine Additions and where do you get it?  Why wouldn’t they just include this in the default install?

You can improve performance by installing Virtual Machine Additions as soon as the guest operating system is up and running. Virtual Machine Additions is a set of features that improves the integration of the host and guest operating systems. It also improves the performance and manageability of the guest operating system. You must install Virtual Machine Additions on all virtual machines. Virtual Machine Additions adds the following enhancements to a guest operating system:

· Improved mouse cursor tracking and control.
· Greatly improved overall performance.
· Virtual machine heartbeat generator.
· Optional time synchronization with the clock of the physical computer. This feature is enabled by default and must be disabled for domain controllers that are running in virtual machines.
· Increased small computer system interface (SCSI) controller performance.
· Support for two-node clustering between virtual machines for testing and development scenarios.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 12, 2006 9:07 PM
To: ActiveDir@mail.activedir.org
Subject: OT: Re: Was: RE: [ActiveDir] Virtual DCs - Now: Question on tuning Virtual Server
 



RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

2006-06-12 Thread Richard Kline








Please find a better VBS script below.   The last post was a “while rushing out the door” effort.

There is now:

· A Where clause which limits the adapter scope (“where dnshostname is not null”).
· Less information, as most of the stuff not needed for this exercise is removed.
· An example of how to embed an array of hosts.

Of course the script assumes that the account with which you’ve logged in has adequate security permissions on all of the boxes being queried.

Richard


On Error Resume Next

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

arrComputers = Array("192.168.1.15","192.168.1.16","192.168.1.154")
For Each strComputer In arrComputers
   WScript.Echo
   WScript.Echo "=="
   WScript.Echo "Computer: " & strComputer
   WScript.Echo "=="

   Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
   ' Only adapters that carry a DNS host name, which drops the unbound ones.
   Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration where dnshostname is not null", "WQL", _
      wbemFlagReturnImmediately + wbemFlagForwardOnly)

   For Each objItem In colItems
      WScript.Echo "DNSHostName: " & objItem.DNSHostName
      WScript.Echo "Caption: " & objItem.Caption
      strDefaultIPGateway = Join(objItem.DefaultIPGateway, ",")
      WScript.Echo "DefaultIPGateway: " & strDefaultIPGateway
      strDNSDomainSuffixSearchOrder = Join(objItem.DNSDomainSuffixSearchOrder, ",")
      WScript.Echo "DNSDomainSuffixSearchOrder: " & strDNSDomainSuffixSearchOrder
      WScript.Echo "DNSEnabledForWINSResolution: " & objItem.DNSEnabledForWINSResolution
      strDNSServerSearchOrder = Join(objItem.DNSServerSearchOrder, ",")
      WScript.Echo "DNSServerSearchOrder: " & strDNSServerSearchOrder
      WScript.Echo "DomainDNSRegistrationEnabled: " & objItem.DomainDNSRegistrationEnabled
      strIPAddress = Join(objItem.IPAddress, ",")
      WScript.Echo "IPAddress: " & strIPAddress
      WScript.Echo "WINSEnableLMHostsLookup: " & objItem.WINSEnableLMHostsLookup
      WScript.Echo "WINSHostLookupFile: " & objItem.WINSHostLookupFile
      WScript.Echo "WINSPrimaryServer: " & objItem.WINSPrimaryServer
      WScript.Echo "WINSScopeID: " & objItem.WINSScopeID
      WScript.Echo "WINSSecondaryServer: " & objItem.WINSSecondaryServer
      WScript.Echo
   Next
Next

' Converts a WMI datetime string (yyyymmddHHMMSS...) into a VBScript Date.
' Not called by the trimmed script above, but kept from the Scriptomatic original.
Function WMIDateStringToDate(dtmDate)
    WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
        Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
        & " " & Mid(dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate, 13, 2))
End Function

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Monday, June 12, 2006 11:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server



 
