Re: RE : [ActiveDir] How to block a sender in Exchange.
hi, I have already blocked sender from smtp virtual server and smpt connector. But the prob. has not been resolved. I am still not able to block particular sender. One more thing I wanna share is that my exchange server having some Prob. since last week, Due to I was not able to take backup of exchange database. I was not able to take backup through NTbackup and also some other third party software. To take backup of exchange database I just copy of MDdatabase folder. And I reinstall exchange and when i pasting data on MDdatabase it paste on it, But it i am not able to retrive mail from backup. Pls tell me is that it will possible to retrieve data If I pasting data into newly setup exchange. Ajay On 6/15/06, Yann [EMAIL PROTECTED] wrote: Hi, U can block someone from sending mail by 2 means: - fromthe properties or your smtp virtual server - from the properties of your smtp connector I have no exchange box nearby but you will easily find the option. If youu can not receive any mails from arvindmills *ONLY*, check if u have not enabled IMF at your Exchange Org Level: check to see if you have not enabled filtering based on IP, domain or senders. If you can not send mail *ONLY* to arvindmills: - check if u have not been blacklisted. - activatelogging on the properties of your exchange server (Org-admin group- your_ server); choose smtp category. - activate smtp logging (if not done yet)on your smtp virtual server, and see if connections to foreign server are OK - put a network traceon your exhange boxet send amail. Yann Ajay Kumar [EMAIL PROTECTED] a écrit: Hi there, I m having a exchange 2003 running in my org. with 500 clients using that. few weeks i m monitoring that a Particular Id is sending a virius mails i wanna block this sender how i will do that,.And also we are not able to send and recveive mails from a particular domain. Everytime when we r sending mails to arvindmills.com msg bounce back with error of Retry timeout exceeded.and on arvindmills side when they are sending mails they r not getting any bounce back and on our end we are not receiving that mail. We are having DHCP ip . Plz help me out on this prob. wating for ur resp. Thanx Regds Ajay __Do You Yahoo!?En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail
[ActiveDir] How to get rid of from blacklisted
Hi all, Can u help me on this prob. Problem is that my exchange 2003 which installed on win 2003 dc agets blacklisted (Means my static ip is blacklisted). I searched how to stop this and on net i found solutions pointing towards open relay and spam protection. They r saying that ur exchange is spaming so tell me how to control and stop spamming. Sam.
RE: [ActiveDir] FRS/DFS woes
The FRS services is running, restarted it various times. They are member servers. The sysvol share is replicating wonderfully on DCs. This new DFS root just won't replicate on these member servers. I'm stumped! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, June 14, 2006 6:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, This may sound silly - but is the File Replication Service running on all three servers? Are they DC's or just member servers? If DC's, is the sysvol share replicating? Thanks! :) themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, 15 June 2006 12:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Share permissions are everyone full control. NTFS Permissions are pretty wide open too. All in the same domain. FQDN resolution is working great. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Tuesday, June 13, 2006 5:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, Possibly - what are the permissions of the 3 folders you are trying to replicate around? Are they identical? Check the share permissions as well as the folder permissions. Can each machine resolve the FQDN of each of the other two machines from it? I'm making the assumption that all 3 machines are in the same domain - this is correct? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, 14 June 2006 2:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Sonar says the CreateFailedCount is 16 on my replication test. Maybe it's some sort of permission issue. ?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Tuesday, June 13, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had it's DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours. :) Cheers Danny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 13 June 2006 15:31 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRS/DFS woes I'm trying to set up a DFS share and having all sorts of issues getting it to work. I've installed Ultrasound and i'm either not sure where to look in it for the answer or it's not giving me the answer. I set up a link with 3 targets in a ring replication topology. 2 of the 3 servers are Win2k3, 1 is Win2k. The only server the file is showing up on is the one that is set up as the master to replicate from. The errors i'm mostly seeing are: The File Replication Service is having trouble enabling replication from CAMPATFS01 to CCVVPLFS01 for d:\communicator using the DNS name campatfs01.ccc.ourdomain.com. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name campatfs01.ccc.ourdomain.com from this computer. [2] FRS is not running on campatfs01.ccc.ourdomain.com. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. and Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller \\camdhqdc01.ccc.ourdomain.com for FRS replica set configuration information. I'm thoroughly stumped. Any advice? Name resolution seems to be working reverse and forward between the servers. Thanks in advance ~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx Email has been scanned for viruses by Altman Technologies' email management service - www.altman.co.uk/emailsystems List info :
RE: [ActiveDir] FRS/DFS woes
Is the DNS configuration of this server pointing to itself for DNS resolution? Are the other server resolving against the same DNS? Cheers Danny The root of the DFS is located on our PDC emulator, which is also a DNS server itself. If I go into the dfs root on the PDC emulator I see the file I copied to the \\domain.com\dfs\software directory, it's just not replicating to any of the other links. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Tuesday, June 13, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had it's DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours. :) Cheers Danny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 13 June 2006 15:31 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRS/DFS woes I'm trying to set up a DFS share and having all sorts of issues getting it to work. I've installed Ultrasound and i'm either not sure where to look in it for the answer or it's not giving me the answer. I set up a link with 3 targets in a ring replication topology. 2 of the 3 servers are Win2k3, 1 is Win2k. The only server the file is showing up on is the one that is set up as the master to replicate from. The errors i'm mostly seeing are: The File Replication Service is having trouble enabling replication from CAMPATFS01 to CCVVPLFS01 for d:\communicator using the DNS name campatfs01.ccc.ourdomain.com. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name campatfs01.ccc.ourdomain.com from this computer. [2] FRS is not running on campatfs01.ccc.ourdomain.com. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. and Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller \\camdhqdc01.ccc.ourdomain.com for FRS replica set configuration information. I'm thoroughly stumped. Any advice? Name resolution seems to be working reverse and forward between the servers. Thanks in advance ~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx Email has been scanned for viruses by Altman Technologies' email management service - www.altman.co.uk/emailsystems List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx ~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx Email has been scanned for viruses by Altman Technologies' email management service - www.altman.co.uk/emailsystems List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] FRS/DFS woes
Also, one more finding - I'm not sure if this helps or not. When I run the DFS snapin on the main target that I want to replace to the other targets, it shows the DFS roots but when I select the one I want to view it says The specified DFS root does not exist. I can, however, view it with no issues on the root target server. If I try to view it on one of the 'receiving' DFS targets, it comes up OK. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, June 14, 2006 6:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, This may sound silly - but is the File Replication Service running on all three servers? Are they DC's or just member servers? If DC's, is the sysvol share replicating? Thanks! :) themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, 15 June 2006 12:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Share permissions are everyone full control. NTFS Permissions are pretty wide open too. All in the same domain. FQDN resolution is working great. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Tuesday, June 13, 2006 5:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, Possibly - what are the permissions of the 3 folders you are trying to replicate around? Are they identical? Check the share permissions as well as the folder permissions. Can each machine resolve the FQDN of each of the other two machines from it? I'm making the assumption that all 3 machines are in the same domain - this is correct? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, 14 June 2006 2:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Sonar says the CreateFailedCount is 16 on my replication test. Maybe it's some sort of permission issue. ?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Tuesday, June 13, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had it's DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours. :) Cheers Danny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 13 June 2006 15:31 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRS/DFS woes I'm trying to set up a DFS share and having all sorts of issues getting it to work. I've installed Ultrasound and i'm either not sure where to look in it for the answer or it's not giving me the answer. I set up a link with 3 targets in a ring replication topology. 2 of the 3 servers are Win2k3, 1 is Win2k. The only server the file is showing up on is the one that is set up as the master to replicate from. The errors i'm mostly seeing are: The File Replication Service is having trouble enabling replication from CAMPATFS01 to CCVVPLFS01 for d:\communicator using the DNS name campatfs01.ccc.ourdomain.com. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name campatfs01.ccc.ourdomain.com from this computer. [2] FRS is not running on campatfs01.ccc.ourdomain.com. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. and Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller \\camdhqdc01.ccc.ourdomain.com for FRS replica set configuration information. I'm thoroughly stumped. Any advice? Name resolution seems to be working reverse and forward between the servers. Thanks in advance ~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive:
RE: RE : [ActiveDir] How to block a sender in Exchange.
wow... I mean, where do you begin? I suggest you do some reading on backing up/restoring Exchange Server. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay KumarSent: Thursday, June 15, 2006 8:51 AMTo: ActiveDir@mail.activedir.orgSubject: Re: RE : [ActiveDir] How to block a sender in Exchange. hi, I have already blocked sender from smtp virtual server and smpt connector. But the prob. has not been resolved. I am still not able to block particular sender. One more thing I wanna share is that my exchange server having some Prob. since last week, Due to I was not able to take backup of exchange database. I was not able to take backup through NTbackup and also some other third party software. To take backup of exchange database I just copy of MDdatabase folder. And I reinstall exchange and when i pasting data on MDdatabase it paste on it, But it i am not able to retrive mail from backup. Pls tell me is that it will possible to retrieve data If I pasting data into newly setup exchange. Ajay On 6/15/06, Yann [EMAIL PROTECTED] wrote: Hi, U can block someone from sending mail by 2 means: - fromthe properties or your smtp virtual server - from the properties of your smtp connector I have no exchange box nearby but you will easily find the option. If youu can not receive any mails from arvindmills *ONLY*, check if u have not enabled IMF at your Exchange Org Level: check to see if you have not enabled filtering based on IP, domain or senders. If you can not send mail *ONLY* to arvindmills: - check if u have not been blacklisted. - activatelogging on the properties of your exchange server (Org-admin group- your_ server); choose smtp category. - activate smtp logging (if not done yet)on your smtp virtual server, and see if connections to foreign server are OK - put a network traceon your exhange boxet send amail. Yann Ajay Kumar [EMAIL PROTECTED] a écrit: Hi there, I m having a exchange 2003 running in my org. with 500 clients using that. few weeks i m monitoring that a Particular Id is sending a virius mails i wanna block this sender how i will do that,.And also we are not able to send and recveive mails from a particular domain. Everytime when we r sending mails to arvindmills.com msg bounce back with error of Retry timeout exceeded.and on arvindmills side when they are sending mails they r not getting any bounce back and on our end we are not receiving that mail. We are having DHCP ip . Plz help me out on this prob. wating for ur resp. Thanx Regds Ajay __Do You Yahoo!?En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail
RE: [ActiveDir] How to get rid of from blacklisted
This isnt AD should be posted in Exch groups. http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar Sent: 15 June 2006 14:12 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] How to get rid of from blacklisted Hi all, Can u help me on this prob. Problem is that my exchange 2003 which installed on win 2003 dc agets blacklisted (Means my static ip is blacklisted). I searched how to stop this and on net i found solutions pointing towards open relay and spam protection. They r saying that ur exchange is spaming so tell me how to control and stop spamming. Sam.
RE: [ActiveDir] FRS/DFS woes
No, PDC emulator (which is also the root target) is not pointing to itself for DNS. Other servers are resolving against their local DNS which is replicated from the same DNS as the root target. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Thursday, June 15, 2006 8:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Is the DNS configuration of this server pointing to itself for DNS resolution? Are the other server resolving against the same DNS? Cheers Danny The root of the DFS is located on our PDC emulator, which is also a DNS server itself. If I go into the dfs root on the PDC emulator I see the file I copied to the \\domain.com\dfs\software directory, it's just not replicating to any of the other links. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Tuesday, June 13, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had it's DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours. :) Cheers Danny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 13 June 2006 15:31 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRS/DFS woes I'm trying to set up a DFS share and having all sorts of issues getting it to work. I've installed Ultrasound and i'm either not sure where to look in it for the answer or it's not giving me the answer. I set up a link with 3 targets in a ring replication topology. 2 of the 3 servers are Win2k3, 1 is Win2k. The only server the file is showing up on is the one that is set up as the master to replicate from. The errors i'm mostly seeing are: The File Replication Service is having trouble enabling replication from CAMPATFS01 to CCVVPLFS01 for d:\communicator using the DNS name campatfs01.ccc.ourdomain.com. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name campatfs01.ccc.ourdomain.com from this computer. [2] FRS is not running on campatfs01.ccc.ourdomain.com. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. and Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller \\camdhqdc01.ccc.ourdomain.com for FRS replica set configuration information. I'm thoroughly stumped. Any advice? Name resolution seems to be working reverse and forward between the servers. Thanks in advance ~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx Email has been scanned for viruses by Altman Technologies' email management service - www.altman.co.uk/emailsystems List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx ~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx Email has been scanned for viruses by Altman Technologies' email management service - www.altman.co.uk/emailsystems List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx ~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with
RE: [ActiveDir] FRS/DFS woes
When trying to add a new root on the server I'm trying to replicate from, I get an error The following error occurred while creating DFS root on the server server123: Unable to update the password. The value provided as the current password is incorrect. What password is it talking about? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, June 15, 2006 8:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Also, one more finding - I'm not sure if this helps or not. When I run the DFS snapin on the main target that I want to replace to the other targets, it shows the DFS roots but when I select the one I want to view it says The specified DFS root does not exist. I can, however, view it with no issues on the root target server. If I try to view it on one of the 'receiving' DFS targets, it comes up OK. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, June 14, 2006 6:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, This may sound silly - but is the File Replication Service running on all three servers? Are they DC's or just member servers? If DC's, is the sysvol share replicating? Thanks! :) themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, 15 June 2006 12:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Share permissions are everyone full control. NTFS Permissions are pretty wide open too. All in the same domain. FQDN resolution is working great. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Tuesday, June 13, 2006 5:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, Possibly - what are the permissions of the 3 folders you are trying to replicate around? Are they identical? Check the share permissions as well as the folder permissions. Can each machine resolve the FQDN of each of the other two machines from it? I'm making the assumption that all 3 machines are in the same domain - this is correct? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, 14 June 2006 2:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Sonar says the CreateFailedCount is 16 on my replication test. Maybe it's some sort of permission issue. ?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Tuesday, June 13, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had it's DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours. :) Cheers Danny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 13 June 2006 15:31 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRS/DFS woes I'm trying to set up a DFS share and having all sorts of issues getting it to work. I've installed Ultrasound and i'm either not sure where to look in it for the answer or it's not giving me the answer. I set up a link with 3 targets in a ring replication topology. 2 of the 3 servers are Win2k3, 1 is Win2k. The only server the file is showing up on is the one that is set up as the master to replicate from. The errors i'm mostly seeing are: The File Replication Service is having trouble enabling replication from CAMPATFS01 to CCVVPLFS01 for d:\communicator using the DNS name campatfs01.ccc.ourdomain.com. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name campatfs01.ccc.ourdomain.com from this computer. [2] FRS is not running on campatfs01.ccc.ourdomain.com. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. and Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller \\camdhqdc01.ccc.ourdomain.com for FRS replica set configuration information. I'm thoroughly stumped. Any advice? Name resolution seems to be working reverse and forward between the servers. Thanks in advance
RE: [ActiveDir] Active Directory Cookbook 2e
WoW $50.00 I remember when AD Cookbooks listed for $45.00 and you could pick them up for $25.00, we must be paying for Robbies Harvard Education these days or Gas Money. J Worthy investment at any price though. Todd Myrick From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 14, 2006 1:19 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Directory Cookbook 2e is now out. http://www.oreilly.com/catalog/activedckbk2/ Tony This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
RE: [ActiveDir] FRS/DFS woes
You might try using DFSutil.exe to see if it can query and possibly fix your problem. I personally haven't used it other that on stand-alone DFS roots in the classroom. There is an option to clean the registry. Stand-alone roots store their information in the registry of the root. Their might be a command to query and look at the information in the AD. dfsutil /clean:servername Todd Myrick -Original Message- From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] Sent: Thursday, June 15, 2006 10:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes When trying to add a new root on the server I'm trying to replicate from, I get an error The following error occurred while creating DFS root on the server server123: Unable to update the password. The value provided as the current password is incorrect. What password is it talking about? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, June 15, 2006 8:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Also, one more finding - I'm not sure if this helps or not. When I run the DFS snapin on the main target that I want to replace to the other targets, it shows the DFS roots but when I select the one I want to view it says The specified DFS root does not exist. I can, however, view it with no issues on the root target server. If I try to view it on one of the 'receiving' DFS targets, it comes up OK. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, June 14, 2006 6:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, This may sound silly - but is the File Replication Service running on all three servers? Are they DC's or just member servers? If DC's, is the sysvol share replicating? Thanks! :) themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, 15 June 2006 12:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Share permissions are everyone full control. NTFS Permissions are pretty wide open too. All in the same domain. FQDN resolution is working great. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Tuesday, June 13, 2006 5:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, Possibly - what are the permissions of the 3 folders you are trying to replicate around? Are they identical? Check the share permissions as well as the folder permissions. Can each machine resolve the FQDN of each of the other two machines from it? I'm making the assumption that all 3 machines are in the same domain - this is correct? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, 14 June 2006 2:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Sonar says the CreateFailedCount is 16 on my replication test. Maybe it's some sort of permission issue. ?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Tuesday, June 13, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had it's DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours. :) Cheers Danny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 13 June 2006 15:31 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRS/DFS woes I'm trying to set up a DFS share and having all sorts of issues getting it to work. I've installed Ultrasound and i'm either not sure where to look in it for the answer or it's not giving me the answer. I set up a link with 3 targets in a ring replication topology. 2 of the 3 servers are Win2k3, 1 is Win2k. The only server the file is showing up on is the one that is set up as the master to replicate from. The errors i'm mostly seeing are: The File Replication Service is having trouble enabling replication from CAMPATFS01 to CCVVPLFS01 for d:\communicator using the DNS name campatfs01.ccc.ourdomain.com. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name campatfs01.ccc.ourdomain.com from this computer. [2] FRS is not running
RE: [ActiveDir] Active Directory Cookbook 2e
Amazon has it listed at 49.99 but youreally pay31.49. AD3E is also listed for 49.99 and selling at 31.49. Interestingly one of the Amazon MarketPlace Sellers has it listed for $102.33... If they sell it at that price I am going to start selling mine with signatures for like $100. :) For some reason Amazon isn't listing it the book as the 2nd Edition though the date is June 2006 and Laura's name is on it. Oh and great... they have it paired up for the "buy together" with AD Second Edition instead of Third Edition... So you have to wonder, did they do it on purpose to dump old versions or simple mistake? Be aware folks. I will check with O'Reilly to see if they have any leverage to correct that. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]Sent: Thursday, June 15, 2006 10:34 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Active Directory Cookbook 2e WoW $50.00 I remember when AD Cookbooks listed for $45.00 and you could pick them up for $25.00, we must be paying for Robbies Harvard Education these days or Gas Money. J Worthy investment at any price though. Todd Myrick From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 14, 2006 1:19 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Active Directory Cookbook 2e is now out. http://www.oreilly.com/catalog/activedckbk2/ TonyThis communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
RE: [ActiveDir] FRS/DFS woes
Maybe the problem is a confusion of mine between DFS ROOTS and DFS LINKS. I'm starting to get the feeling that LINKS don't replicate, only TARGETS do. So if I have 10 servers that I want a file to replicate to, I must create 10 root targets, not 10 links...? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, June 15, 2006 9:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes You might try using DFSutil.exe to see if it can query and possibly fix your problem. I personally haven't used it other that on stand-alone DFS roots in the classroom. There is an option to clean the registry. Stand-alone roots store their information in the registry of the root. Their might be a command to query and look at the information in the AD. dfsutil /clean:servername Todd Myrick -Original Message- From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] Sent: Thursday, June 15, 2006 10:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes When trying to add a new root on the server I'm trying to replicate from, I get an error The following error occurred while creating DFS root on the server server123: Unable to update the password. The value provided as the current password is incorrect. What password is it talking about? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, June 15, 2006 8:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Also, one more finding - I'm not sure if this helps or not. When I run the DFS snapin on the main target that I want to replace to the other targets, it shows the DFS roots but when I select the one I want to view it says The specified DFS root does not exist. I can, however, view it with no issues on the root target server. If I try to view it on one of the 'receiving' DFS targets, it comes up OK. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, June 14, 2006 6:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, This may sound silly - but is the File Replication Service running on all three servers? Are they DC's or just member servers? If DC's, is the sysvol share replicating? Thanks! :) themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, 15 June 2006 12:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Share permissions are everyone full control. NTFS Permissions are pretty wide open too. All in the same domain. FQDN resolution is working great. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Tuesday, June 13, 2006 5:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, Possibly - what are the permissions of the 3 folders you are trying to replicate around? Are they identical? Check the share permissions as well as the folder permissions. Can each machine resolve the FQDN of each of the other two machines from it? I'm making the assumption that all 3 machines are in the same domain - this is correct? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, 14 June 2006 2:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Sonar says the CreateFailedCount is 16 on my replication test. Maybe it's some sort of permission issue. ?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Tuesday, June 13, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had it's DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours. :) Cheers Danny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 13 June 2006 15:31 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRS/DFS woes I'm trying to set up a DFS share and having all sorts of issues getting it to work. I've installed Ultrasound and i'm either not sure where to look in it for the answer or it's not giving me the answer. I set up a link with 3 targets in a ring replication topology. 2 of the 3 servers are Win2k3, 1 is Win2k. The only server the file is showing up on is the one that is
RE: [ActiveDir] corrupt vmware DC
I did a quick search on Internal Error and Active Directory Came up with this as possible reference. http://support.microsoft.com/?kbid=265090 Under Jet Error Codes a 1017 is a record deleted error. http://support.microsoft.com/?kbid=172570 Joe, Eric and I discussed the best DR options you have for corrupt Domain Controllers in the past. If the server isnt your last DC, it is probably best to remove the DC, clean-up the AD, and then reinstall the DC. I know you said you are looking for a why and not to rebuild, but if your DC is unresponsive or has corrupted information, do you want to risk reintroducing it to your AD? If it is your last DC, you probably are more concerned about getting the objects our of it, and repopulated into a working DC. Which I am sure you are more than versed in the various ways of doing. Do you still have the benefit of using those great products from your former employer? Todd Myrick From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 13, 2006 10:20 AM To: activedir@mail.activedir.org Subject: [ActiveDir] corrupt vmware DC Booted up VMware with DC (2003, SP1)on it yesterday and got an internal error on AD at start, forcing a reboot. Went into DSRM and ran semantic checker in ntdsutil. Checker returned error: Records scanned: 1200Error fetching security descriptor [ Jet Error -1017] which, upon searching out that error code, indicates the record has been deleted. Thanks... Go Fixupfails similarly. As this is just a test server, I'm not too bummed, although I would love to not have to reinstall the OS. In any case, anyone seen this and know any nifty tricks to recover from it? Darren
RE: [ActiveDir] Active Directory Cookbook 2e
Yeah Amazon needs to get their act together Are you all using the Same ISBNs? One thing you can do in the comments section is add on that says that there is a newer version out. Todd From: joe [mailto:[EMAIL PROTECTED] Sent: Thursday, June 15, 2006 11:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e Amazon has it listed at 49.99 but youreally pay31.49. AD3E is also listed for 49.99 and selling at 31.49. Interestingly one of the Amazon MarketPlace Sellers has it listed for $102.33... If they sell it at that price I am going to start selling mine with signatures for like $100. :) For some reason Amazon isn't listing it the book as the 2nd Edition though the date is June 2006 and Laura's name is on it. Oh and great... they have it paired up for the buy together with AD Second Edition instead of Third Edition... So you have to wonder, did they do it on purpose to dump old versions or simple mistake? Be aware folks. I will check with O'Reilly to see if they have any leverage to correct that. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, June 15, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e WoW $50.00 I remember when AD Cookbooks listed for $45.00 and you could pick them up for $25.00, we must be paying for Robbies Harvard Education these days or Gas Money. J Worthy investment at any price though. Todd Myrick From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 14, 2006 1:19 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Directory Cookbook 2e is now out. http://www.oreilly.com/catalog/activedckbk2/ Tony This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
RE: [ActiveDir] FRS/DFS woes
You might review this site at Microsoft http://www.microsoft.com/windowsserver2003/technologies/storage/dfs/defa ult.mspx They have a FAQ for DFS. http://www.microsoft.com/windowsserver2003/techinfo/overview/dfsfaq.mspx I think you want to enable File Replication Services in order to replicate data. http://technet2.microsoft.com/WindowsServer/en/Library/965a9e1a-8223-4d3 e-8e5d-39aeb70ec5d91033.mspx?mfr=true This has information on FRS from Technet. What are you trying to accomplish on the network for your users? Thanks, Todd Myrick -Original Message- From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] Sent: Thursday, June 15, 2006 11:13 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Maybe the problem is a confusion of mine between DFS ROOTS and DFS LINKS. I'm starting to get the feeling that LINKS don't replicate, only TARGETS do. So if I have 10 servers that I want a file to replicate to, I must create 10 root targets, not 10 links...? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, June 15, 2006 9:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes You might try using DFSutil.exe to see if it can query and possibly fix your problem. I personally haven't used it other that on stand-alone DFS roots in the classroom. There is an option to clean the registry. Stand-alone roots store their information in the registry of the root. Their might be a command to query and look at the information in the AD. dfsutil /clean:servername Todd Myrick -Original Message- From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] Sent: Thursday, June 15, 2006 10:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes When trying to add a new root on the server I'm trying to replicate from, I get an error The following error occurred while creating DFS root on the server server123: Unable to update the password. The value provided as the current password is incorrect. What password is it talking about? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, June 15, 2006 8:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Also, one more finding - I'm not sure if this helps or not. When I run the DFS snapin on the main target that I want to replace to the other targets, it shows the DFS roots but when I select the one I want to view it says The specified DFS root does not exist. I can, however, view it with no issues on the root target server. If I try to view it on one of the 'receiving' DFS targets, it comes up OK. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, June 14, 2006 6:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, This may sound silly - but is the File Replication Service running on all three servers? Are they DC's or just member servers? If DC's, is the sysvol share replicating? Thanks! :) themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, 15 June 2006 12:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Share permissions are everyone full control. NTFS Permissions are pretty wide open too. All in the same domain. FQDN resolution is working great. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Tuesday, June 13, 2006 5:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, Possibly - what are the permissions of the 3 folders you are trying to replicate around? Are they identical? Check the share permissions as well as the folder permissions. Can each machine resolve the FQDN of each of the other two machines from it? I'm making the assumption that all 3 machines are in the same domain - this is correct? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, 14 June 2006 2:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Sonar says the CreateFailedCount is 16 on my replication test. Maybe it's some sort of permission issue. ?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Tuesday, June 13, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had it's DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what
Re: [ActiveDir] Active Directory Cookbook 2e
Go buy the new edition, all the cool people are doing it! ;-) But seriously, folks, there's some pretty nice changes in existing content as well as a bunch of new stuffs. We tried to add at least a handful of new recipes in each chapter, as well as updating the existing recipes with command-line stuff (lots of adfind/admod) as well as fixing various errata. The new content is a chapter on Exchange (mostly courtesty of joe), a chapter on MIIS from Gil Kirkpatrick and Steven Plank, and a chapter each on ADAM, ADFS, and the new File/Print stuff in R2. I for one think that it's a substantial update to the already-wonderful 1st Edition. Robbie found me a wonderful group of reviewers - joe and Al Mulnick in particular kicked my butt from here into next week during the TR process. Also much good help from TonyM, RBuike and Rick Kingslan, and Darren Mar-elia kept us all honest on the Group Policy chapter. So anyway. Go buy it so that I can afford that new yacht I've been eyeing up lately. ;-) - Laura On 6/14/06, joe [EMAIL PROTECTED] wrote: Laura will have to stop by and explain what has really changed. However I know that the chapter I wrote for the Windows Server Cookbook for Exchange tasks got pulled into it and extended (and probably some corrections as well). That same chapter went into AD3E as well but I trimmed it down considerably for AD3E as the format didn't fit right. Obviously it fit perfectly for the AD Cookbook. I believe there is an ADAM chapter now. I am sure some errata got input as well as issues I and probably others found on the second pass that we didn't find on the first or maybe we did find on the first but for some reason or another didn't make it into the final. (that never happens smirk) Ummm I know Laura added a ton of adfind/admod examples because she would write me an email every week with a list of questions for the week and I would respond to it for her. Plus if I saw places it could be added in the chapters themselves I put in notes for her. Sheeoot. I used to know what was changed as I reviewed the darn thing and was doing Word compares between the chapters but I'll be darned if I can recall everything now... I must be gettin' old. I recall Laura was really busting ass on it. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 14, 2006 7:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e I have had a look at the O'Reilly website and cannot see what the differences between the 1st and 2nd editions are. Is it Errata or new content? So I am now wondering – why should I buy this, apart from the Authors and the Blue Fin Tuna on the front? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: 14 June 2006 06:19 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Directory Cookbook 2e …is now out. http://www.oreilly.com/catalog/activedckbk2/ TonyThis communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Active Directory Cookbook 2e
Title: Active Directory Cookbook $49 Second Edition: June 2006 Series: Cookbooks ISBN: 0-596-10202-X Pages: 991 Title: Exchange Server Cookbook $45 Subtitle: For Exchange Server 2003 and Exchange 2000 Server First Edition: June 2005 Series: Cookbooks ISBN: 0-596-00717-5 Yeah Amazon needs to get their act together... Are you all using the Same ISBNs? One thing you can do in the comments section is add on that says that there is a newer version out. Todd From: joe [mailto:[EMAIL PROTECTED] Sent: Thursday, June 15, 2006 11:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e Amazon has it listed at 49.99 but you really pay 31.49. AD3E is also listed for 49.99 and selling at 31.49. Interestingly one of the Amazon MarketPlace Sellers has it listed for $102.33... If they sell it at that price I am going to start selling mine with signatures for like $100. :) For some reason Amazon isn't listing it the book as the 2nd Edition though the date is June 2006 and Laura's name is on it. Oh and great... they have it paired up for the buy together with AD Second Edition instead of Third Edition... So you have to wonder, did they do it on purpose to dump old versions or simple mistake? Be aware folks. I will check with O'Reilly to see if they have any leverage to correct that. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, June 15, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e WoW $50.00 I remember when AD Cookbooks listed for $45.00 and you could pick them up for $25.00, we must be paying for Robbie's Harvard Education these days... or Gas Money. :-) Worthy investment at any price though Todd Myrick From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 14, 2006 1:19 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Directory Cookbook 2e ...is now out. http://www.oreilly.com/catalog/activedckbk2/ Tony This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] [OT] Active Directory Cookbook 2e
In the spirit of sharing we have here on AD ORG, here is the yacht Laura is eyeing... http://www.flickr.com/photos/chardsy/14145521/ With outrageous sales numbers she may be able to actually attain it. The cookbook sells much better than the normal AD books... :) joe P.S. Hmm seems there are some missing commas in the post below... -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Thursday, June 15, 2006 12:02 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Active Directory Cookbook 2e Go buy the new edition, all the cool people are doing it! ;-) But seriously, folks, there's some pretty nice changes in existing content as well as a bunch of new stuffs. We tried to add at least a handful of new recipes in each chapter, as well as updating the existing recipes with command-line stuff (lots of adfind/admod) as well as fixing various errata. The new content is a chapter on Exchange (mostly courtesty of joe), a chapter on MIIS from Gil Kirkpatrick and Steven Plank, and a chapter each on ADAM, ADFS, and the new File/Print stuff in R2. I for one think that it's a substantial update to the already-wonderful 1st Edition. Robbie found me a wonderful group of reviewers - joe and Al Mulnick in particular kicked my butt from here into next week during the TR process. Also much good help from TonyM, RBuike and Rick Kingslan, and Darren Mar-elia kept us all honest on the Group Policy chapter. So anyway. Go buy it so that I can afford that new yacht I've been eyeing up lately. ;-) - Laura On 6/14/06, joe [EMAIL PROTECTED] wrote: Laura will have to stop by and explain what has really changed. However I know that the chapter I wrote for the Windows Server Cookbook for Exchange tasks got pulled into it and extended (and probably some corrections as well). That same chapter went into AD3E as well but I trimmed it down considerably for AD3E as the format didn't fit right. Obviously it fit perfectly for the AD Cookbook. I believe there is an ADAM chapter now. I am sure some errata got input as well as issues I and probably others found on the second pass that we didn't find on the first or maybe we did find on the first but for some reason or another didn't make it into the final. (that never happens smirk) Ummm I know Laura added a ton of adfind/admod examples because she would write me an email every week with a list of questions for the week and I would respond to it for her. Plus if I saw places it could be added in the chapters themselves I put in notes for her. Sheeoot. I used to know what was changed as I reviewed the darn thing and was doing Word compares between the chapters but I'll be darned if I can recall everything now... I must be gettin' old. I recall Laura was really busting ass on it. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 14, 2006 7:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e I have had a look at the O'Reilly website and cannot see what the differences between the 1st and 2nd editions are. Is it Errata or new content? So I am now wondering - why should I buy this, apart from the Authors and the Blue Fin Tuna on the front? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: 14 June 2006 06:19 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Directory Cookbook 2e .is now out. http://www.oreilly.com/catalog/activedckbk2/ TonyThis communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] FRS/DFS woes
Hi Russ Try pointing the server to itself for DNS resolution. This is the problem I had with one replica in a similar situation and it resolved the problem for me. BTW, It only affected DFS replication, SYSVOL was fine. Cheers Danny No, PDC emulator (which is also the root target) is not pointing to itself for DNS. Other servers are resolving against their local DNS which is replicated from the same DNS as the root target. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Thursday, June 15, 2006 8:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Is the DNS configuration of this server pointing to itself for DNS resolution? Are the other server resolving against the same DNS? Cheers Danny The root of the DFS is located on our PDC emulator, which is also a DNS server itself. If I go into the dfs root on the PDC emulator I see the file I copied to the \\domain.com\dfs\software directory, it's just not replicating to any of the other links. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Tuesday, June 13, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had it's DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours. :) Cheers Danny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 13 June 2006 15:31 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRS/DFS woes I'm trying to set up a DFS share and having all sorts of issues getting it to work. I've installed Ultrasound and i'm either not sure where to look in it for the answer or it's not giving me the answer. I set up a link with 3 targets in a ring replication topology. 2 of the 3 servers are Win2k3, 1 is Win2k. The only server the file is showing up on is the one that is set up as the master to replicate from. The errors i'm mostly seeing are: The File Replication Service is having trouble enabling replication from CAMPATFS01 to CCVVPLFS01 for d:\communicator using the DNS name campatfs01.ccc.ourdomain.com. FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name campatfs01.ccc.ourdomain.com from this computer. [2] FRS is not running on campatfs01.ccc.ourdomain.com. [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. and Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller \\camdhqdc01.ccc.ourdomain.com for FRS replica set configuration information. I'm thoroughly stumped. Any advice? Name resolution seems to be working reverse and forward between the servers. Thanks in advance ~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx Email has been scanned for viruses by Altman Technologies' email management service - www.altman.co.uk/emailsystems List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx ~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx Email has been scanned for viruses by Altman Technologies' email management service - www.altman.co.uk/emailsystems List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx ~~ This e-mail is confidential, may contain proprietary
Re: [ActiveDir] bitwise filters
Thanks joe! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] Cross forest issue
Hi, New member here, with an issue L We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way. The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant administrators rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators and thus defeats the objective of having the admins in a single forest. (FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message Foreign security principals cannot be members of universal groups) Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account Hope you can help. __ Mike Guest| Capgemini | Sale Server Support | Outsourcing UK Office: + 44 (0)870 366 1814 | 700 1814| [EMAIL PROTECTED] 77-79 Cross Street, Sale, Cheshire. M33 7HG Join the Collaborative Business Experience __ This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
[ActiveDir] OT (kinda): Standard Desktop Build
Dear all, What's in your standard desktop build? We're looking at getting another 1,000 machines or so and coming up with a new standard build for XP. Apart from some of the obvious 'lockdown' changes, what else do you add or modify in your standard desktop images? Do you allow anyone access to the 'Power Users' group, and if so - do you change the ACLs on any of the processes that run as LocalSystem? Any funky utilities from technet or research.microsoft.com that are worth playing with? Any ideas appreciated, -- AdamT A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] OT (kinda): Standard Desktop Build
On Thu, 15 Jun 2006 18:30:22 +0100, AdamT [EMAIL PROTECTED] said: What's in your standard desktop build? The lowest common denominator software that everyone needs. There seems to be two schools of thought for desktop deployment: Image-based deployment and script-based deployment. Lately, I've taken a hybrid approach -- Using an image with about 60% of the standard software load plus a large install script kicked-off via GuiRunOnce. This script detects the PC model and branches accordingly (touchpad drivers/VPN/iPass for laptops and etc). The nice thing about the script approach is that I can update a software version by simply replacing the setup files rather than having to roll-up a new image. OTOH, the image-based approach makes for faster deployment. RM List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Cross forest issue
Been a while since I looked at this and I've only got one forest in VM on my machine at the moment so I cant test it, but I believe that if you create a global group in ForestA you can add it to a Universal group in ForestB. You will not be able to add users from ForestA to the Domain Admins group in ForestB, but you can add them to the Administrators group (which you've already figured out). The way I've always dealt with this was to have admin accounts in each forest, not as ideal as a unified admin account, but quite workable. Phil On 6/15/06, Guest, Mike [EMAIL PROTECTED] wrote: Hi, New member here, with an issue L We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way. The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant administrators rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators – and thus defeats the objective of having the admins in a single forest. (FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message Foreign security principals cannot be members of universal groups) Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account Hope you can help. __ Mike Guest| Capgemini | Sale Server Support | Outsourcing UKOffice: + 44 (0)870 366 1814 | 700 1814| [EMAIL PROTECTED]77-79 Cross Street, Sale, Cheshire. M33 7HG Join the Collaborative Business Experience__ This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
RE: [ActiveDir] Cross forest issue
You can only add members to Domain Local groups across the forest trust. Behaviour by design. Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf Sent: Friday, 16 June 2006 7:56 a.m. To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Cross forest issue Been a while since I looked at this and I've only got one forest in VM on my machine at the moment so I cant test it, but I believe that if you create a global group in ForestA you can add it to a Universal group in ForestB. You will not be able to add users from ForestA to the Domain Admins group in ForestB, but you can add them to the Administrators group (which you've already figured out). The way I've always dealt with this was to have admin accounts in each forest, not as ideal as a unified admin account, but quite workable. Phil On 6/15/06, Guest, Mike [EMAIL PROTECTED] wrote: Hi, New member here, with an issue L We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way. The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant administrators rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators and thus defeats the objective of having the admins in a single forest. (FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message Foreign security principals cannot be members of universal groups) Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account Hope you can help. __ Mike Guest| Capgemini | Sale Server Support | Outsourcing UK Office: + 44 (0)870 366 1814 | 700 1814| [EMAIL PROTECTED] 77-79 Cross Street, Sale, Cheshire. M33 7HG Join the Collaborative Business Experience __ This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
RE: [ActiveDir] [OT] Active Directory Cookbook 2e
Yeah, those imports are always really pricey. :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, 16 June 2006 4:14 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] Active Directory Cookbook 2e In the spirit of sharing we have here on AD ORG, here is the yacht Laura is eyeing... http://www.flickr.com/photos/chardsy/14145521/ With outrageous sales numbers she may be able to actually attain it. The cookbook sells much better than the normal AD books... :) joe P.S. Hmm seems there are some missing commas in the post below... -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Thursday, June 15, 2006 12:02 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Active Directory Cookbook 2e Go buy the new edition, all the cool people are doing it! ;-) But seriously, folks, there's some pretty nice changes in existing content as well as a bunch of new stuffs. We tried to add at least a handful of new recipes in each chapter, as well as updating the existing recipes with command-line stuff (lots of adfind/admod) as well as fixing various errata. The new content is a chapter on Exchange (mostly courtesty of joe), a chapter on MIIS from Gil Kirkpatrick and Steven Plank, and a chapter each on ADAM, ADFS, and the new File/Print stuff in R2. I for one think that it's a substantial update to the already-wonderful 1st Edition. Robbie found me a wonderful group of reviewers - joe and Al Mulnick in particular kicked my butt from here into next week during the TR process. Also much good help from TonyM, RBuike and Rick Kingslan, and Darren Mar-elia kept us all honest on the Group Policy chapter. So anyway. Go buy it so that I can afford that new yacht I've been eyeing up lately. ;-) - Laura On 6/14/06, joe [EMAIL PROTECTED] wrote: Laura will have to stop by and explain what has really changed. However I know that the chapter I wrote for the Windows Server Cookbook for Exchange tasks got pulled into it and extended (and probably some corrections as well). That same chapter went into AD3E as well but I trimmed it down considerably for AD3E as the format didn't fit right. Obviously it fit perfectly for the AD Cookbook. I believe there is an ADAM chapter now. I am sure some errata got input as well as issues I and probably others found on the second pass that we didn't find on the first or maybe we did find on the first but for some reason or another didn't make it into the final. (that never happens smirk) Ummm I know Laura added a ton of adfind/admod examples because she would write me an email every week with a list of questions for the week and I would respond to it for her. Plus if I saw places it could be added in the chapters themselves I put in notes for her. Sheeoot. I used to know what was changed as I reviewed the darn thing and was doing Word compares between the chapters but I'll be darned if I can recall everything now... I must be gettin' old. I recall Laura was really busting ass on it. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, June 14, 2006 7:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbook 2e I have had a look at the O'Reilly website and cannot see what the differences between the 1st and 2nd editions are. Is it Errata or new content? So I am now wondering - why should I buy this, apart from the Authors and the Blue Fin Tuna on the front? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: 14 June 2006 06:19 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Directory Cookbook 2e .is now out. http://www.oreilly.com/catalog/activedckbk2/ TonyThis communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx
RE: [ActiveDir] Cross forest issue
Quick answer is you can't add users fromone forestto the global/universal groups in another forest. Global groups in particular are very picky and only allow security principals from the same domain to be added to their membership. I am not sure I understand the security benefits you are shooting for here anyway. You usually use a DMZ forest to separate yourself from the production internal forest because you want to protect it. If you set up a trust from A to B, it means that Forest info from A can be sucked down the pipe to B. That is what a trust is about, souser info in Ais available in B (has to be or else you couldn't say put a SID of user A in a user B group and get anywhere with it). When you set up a DMZ forest, it should generally be standing alone and the access fromit andto it from the intranet should be strictly limited (like no RPC, noLDAP or maybe LDAPS out to DMZ to push provisioning data if really really really needed, just a couple of small holes maybe for RDP one way from intranet to DMZ). -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guest, MikeSent: Thursday, June 15, 2006 1:24 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Cross forest issue Hi, New member here, with an issue L We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way. The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant administrators rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators and thus defeats the objective of having the admins in a single forest. (FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message Foreign security principals cannot be members of universal groups) Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account Hope you can help. __Mike Guest| Capgemini | Sale Server Support | Outsourcing UKOffice: + 44 (0)870 366 1814 | 700 1814| [EMAIL PROTECTED]77-79 Cross Street, Sale, Cheshire. M33 7HG Join the Collaborative Business Experience__ This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Re: [ActiveDir] Cross forest issue
Indeed, you are quite right. My memory is not as good as I hoped: http://technet2.microsoft.com/WindowsServer/en/Library/517b4fa4-5266-419c-9791-6fb56fabb85e1033.mspx?mfr=true To implement access to a resource across a forest, add universal groups (or global groups in mixed-mode domains) from trusted forests to the domain local groups in the trusting forests. For example, add the SalesAccountsOrders universal group from ForestA to the OrderEntryApp domain local group in ForestB. Phil On 6/15/06, Tony Murray [EMAIL PROTECTED] wrote: You can only add members to Domain Local groups across the forest trust. Behaviour by design. Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil RenoufSent: Friday, 16 June 2006 7:56 a.m.To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Cross forest issue Been a while since I looked at this and I've only got one forest in VM on my machine at the moment so I cant test it, but I believe that if you create a global group in ForestA you can add it to a Universal group in ForestB. You will not be able to add users from ForestA to the Domain Admins group in ForestB, but you can add them to the Administrators group (which you've already figured out). The way I've always dealt with this was to have admin accounts in each forest, not as ideal as a unified admin account, but quite workable. Phil On 6/15/06, Guest, Mike [EMAIL PROTECTED] wrote: Hi, New member here, with an issue L We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way. The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant administrators rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators – and thus defeats the objective of having the admins in a single forest. (FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message Foreign security principals cannot be members of universal groups) Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account Hope you can help. __Mike Guest| Capgemini | Sale Server Support | Outsourcing UKOffice: + 44 (0)870 366 1814 | 700 1814| [EMAIL PROTECTED]77-79 Cross Street, Sale, Cheshire. M33 7HG Join the Collaborative Business Experience__ This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Following up: http://msexchangeteam.com/archive/2006/06/15/427966.aspx Cheers, BrettSh On Thu, 28 Apr 2005, joe wrote: Hey Brett... I've seen your blog, how about you tell ~Eric the story and he can blog it. :o) evilgrin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Thursday, April 28, 2005 8:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? The dev who put it in, is what I like to call my boss ... he has no child, I can guarantee it had nothing to do with that ... Email me directly the Exch product manager's name, and I'll try to light a fire under them ... if they don't product something, I'll produce something on my blog (when it is up) and send it around ... Cheers, BrettSh On Thu, 28 Apr 2005, Michael B. Smith wrote: One of the Exchange Product Managers said today that she is preparing a blog on Squeaky Lobster, including a picture of the original Squeaky. I also asked about the KB and was told, simply, that it isn't currently publicly available. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, April 28, 2005 7:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? Try - http://www.realcooltoys.com/squeakylobster.html Squeaky Lobster is a magic reg key to enable special Squeaky Lobster ESE counters. It first came to being, I believe, with Exchange 5.5 where I heard two different stories, the first being that the dev guy who put it in had a kid who had a squeaky lobster toy (or he had it) and the other is that it was thought up after lunch. I would tend to go with the first explanation myself... Anyway, it was carried through and is available on AD, or at least it was on 2K AD which is the last time I used it a couple of years ago. There used to be a KB out there that talked about what it made available but I don't see it anywhere which sucks because if I need it again I will have to go dig through 8 GB of PSTs and notepad docs. :o) I want to say that I think I heard they changed (or were changing) the name of this reg entry to something like show advanced counters or something like that but I don't think I can point at any references for that. As far as I know, this key wasn't supposed to be hidden or secret, though it appears it might have gone underground. I don't think I will post any more on it and let ~Eric or Brett put out in the public whatever they think should be available. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Thursday, April 28, 2005 1:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? This has been a great thread. I've really enjoyed reading it. This question is going to illustrate my extreme ignorance; however, the answer is worth it. What is Squeaky Lobster? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Wednesday, April 27, 2005 3:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? From ESE's advanced perf counters exist, that tell you on a non-per-search basis: - Database Pages Transferred/sec - Database Page Latches/sec IIRC, the first is rate of pages being transferred from disk, and the 2nd is the rate at wich you are making a read of something on a page in the cache (that will include the read right after a page is transferred, BTW). It doesn't give you the per query stats you were discussing, but it does give you an idea of how much disk the DC is requiring ... If you were to isolate a DC from load, except your query, it could give a _rough_ idea for a paticular query, but remember latches aren't unique references, so if a single query internally has to read a page several times, that will be several latch counts. ... Cheers, -BrettSh On Wed, 27 Apr 2005, joe wrote: I waffled on posting that at all. I am not sure I can properly illustrate why I think it would be good for educational info. Maybe just to see from the outside the deltas in speeds of the same query when things are in cache versus not, etc. Overall it is just another stat to help understand how your directory is performing. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Wednesday, April 27, 2005 2:14 AM To:
RE: [ActiveDir] Cross forest issue
Mike, as others have mentioned, users and groups from externally trusted domains can only be added to domain local groups (DLG) in another forest. This is by design for any type of trust that you establish. If all you're trying to do is to manage the member servers in your DMZ with the same admin accounts that you have in your production forest, you could still leveragea GPO in your DMZ forest/domain that either adds a DLG to the adminsitrators group of all your DMZ servers using the restrictive groups feature. If you combine this approach with enabling Selective Authentication for the trust between the two forests and use this feature to restrict authentication to the servers to members of the same group, you'll have a reasonable integration of the two forests to allow managment of the DMZ servers using your production admin accounts. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guest, MikeSent: Donnerstag, 15. Juni 2006 19:24To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Cross forest issue Hi, New member here, with an issue L We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way. The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant administrators rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators and thus defeats the objective of having the admins in a single forest. (FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message Foreign security principals cannot be members of universal groups) Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account Hope you can help. __Mike Guest| Capgemini | Sale Server Support | Outsourcing UKOffice: + 44 (0)870 366 1814 | 700 1814| [EMAIL PROTECTED]77-79 Cross Street, Sale, Cheshire. M33 7HG Join the Collaborative Business Experience__ This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Awesome! I completely forgot about this. I did; however, thoroughly document the process so that my team can squeak the lobster whenever necessary. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Thursday, June 15, 2006 2:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? Following up: http://msexchangeteam.com/archive/2006/06/15/427966.aspx Cheers, BrettSh On Thu, 28 Apr 2005, joe wrote: Hey Brett... I've seen your blog, how about you tell ~Eric the story and he can blog it. :o) evilgrin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Thursday, April 28, 2005 8:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? The dev who put it in, is what I like to call my boss ... he has no child, I can guarantee it had nothing to do with that ... Email me directly the Exch product manager's name, and I'll try to light a fire under them ... if they don't product something, I'll produce something on my blog (when it is up) and send it around ... Cheers, BrettSh On Thu, 28 Apr 2005, Michael B. Smith wrote: One of the Exchange Product Managers said today that she is preparing a blog on Squeaky Lobster, including a picture of the original Squeaky. I also asked about the KB and was told, simply, that it isn't currently publicly available. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, April 28, 2005 7:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? Try - http://www.realcooltoys.com/squeakylobster.html Squeaky Lobster is a magic reg key to enable special Squeaky Lobster ESE counters. It first came to being, I believe, with Exchange 5.5 where I heard two different stories, the first being that the dev guy who put it in had a kid who had a squeaky lobster toy (or he had it) and the other is that it was thought up after lunch. I would tend to go with the first explanation myself... Anyway, it was carried through and is available on AD, or at least it was on 2K AD which is the last time I used it a couple of years ago. There used to be a KB out there that talked about what it made available but I don't see it anywhere which sucks because if I need it again I will have to go dig through 8 GB of PSTs and notepad docs. :o) I want to say that I think I heard they changed (or were changing) the name of this reg entry to something like show advanced counters or something like that but I don't think I can point at any references for that. As far as I know, this key wasn't supposed to be hidden or secret, though it appears it might have gone underground. I don't think I will post any more on it and let ~Eric or Brett put out in the public whatever they think should be available. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Thursday, April 28, 2005 1:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? This has been a great thread. I've really enjoyed reading it. This question is going to illustrate my extreme ignorance; however, the answer is worth it. What is Squeaky Lobster? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Wednesday, April 27, 2005 3:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? From ESE's advanced perf counters exist, that tell you on a non-per-search basis: - Database Pages Transferred/sec - Database Page Latches/sec IIRC, the first is rate of pages being transferred from disk, and the 2nd is the rate at wich you are making a read of something on a page in the cache (that will include the read right after a page is transferred, BTW). It doesn't give you the per query stats you were discussing, but it does give you an idea of how much disk the DC is requiring ... If you were to isolate a DC from load, except your query, it could give a _rough_ idea for a paticular query, but remember latches aren't unique references, so if a single query internally has to read a page several times, that will be several latch counts. ... Cheers, -BrettSh On Wed, 27 Apr 2005, joe wrote: I waffled on posting that at all. I am not sure I can properly illustrate why I think it would be good for educational info. Maybe just to see from the
RE: [ActiveDir] FRS/DFS woes
Russ, Not to complicate things on you, but both ROOTS and LINKS can be set to replicate - it can depend on what you want them to do. Read the MS stuff and get back to us then... Still more than happy to help where I/we can... themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Friday, 16 June 2006 1:13 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Maybe the problem is a confusion of mine between DFS ROOTS and DFS LINKS. I'm starting to get the feeling that LINKS don't replicate, only TARGETS do. So if I have 10 servers that I want a file to replicate to, I must create 10 root targets, not 10 links...? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, June 15, 2006 9:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes You might try using DFSutil.exe to see if it can query and possibly fix your problem. I personally haven't used it other that on stand-alone DFS roots in the classroom. There is an option to clean the registry. Stand-alone roots store their information in the registry of the root. Their might be a command to query and look at the information in the AD. dfsutil /clean:servername Todd Myrick -Original Message- From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] Sent: Thursday, June 15, 2006 10:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes When trying to add a new root on the server I'm trying to replicate from, I get an error The following error occurred while creating DFS root on the server server123: Unable to update the password. The value provided as the current password is incorrect. What password is it talking about? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, June 15, 2006 8:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Also, one more finding - I'm not sure if this helps or not. When I run the DFS snapin on the main target that I want to replace to the other targets, it shows the DFS roots but when I select the one I want to view it says The specified DFS root does not exist. I can, however, view it with no issues on the root target server. If I try to view it on one of the 'receiving' DFS targets, it comes up OK. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Wednesday, June 14, 2006 6:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, This may sound silly - but is the File Replication Service running on all three servers? Are they DC's or just member servers? If DC's, is the sysvol share replicating? Thanks! :) themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Thursday, 15 June 2006 12:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Share permissions are everyone full control. NTFS Permissions are pretty wide open too. All in the same domain. FQDN resolution is working great. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve Sent: Tuesday, June 13, 2006 5:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Russ, Possibly - what are the permissions of the 3 folders you are trying to replicate around? Are they identical? Check the share permissions as well as the folder permissions. Can each machine resolve the FQDN of each of the other two machines from it? I'm making the assumption that all 3 machines are in the same domain - this is correct? themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, 14 June 2006 2:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Sonar says the CreateFailedCount is 16 on my replication test. Maybe it's some sort of permission issue. ?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: Tuesday, June 13, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRS/DFS woes Where is the root of the DFS located? I seem to remember having problems with DFS replication before, because one of the servers hosting the root had it's DNS incorrectly configured. Ultrasound would report any errors sure enough. After decoding what it all means you'll need a dark room to lie down in for a few hours.
RE: [ActiveDir] How much of the DIT is cached in RAM ?
lol -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Thursday, June 15, 2006 3:04 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? Awesome! I completely forgot about this. I did; however, thoroughly document the process so that my team can squeak the lobster whenever necessary. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Thursday, June 15, 2006 2:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? Following up: http://msexchangeteam.com/archive/2006/06/15/427966.aspx Cheers, BrettSh On Thu, 28 Apr 2005, joe wrote: Hey Brett... I've seen your blog, how about you tell ~Eric the story and he can blog it. :o) evilgrin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Thursday, April 28, 2005 8:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? The dev who put it in, is what I like to call my boss ... he has no child, I can guarantee it had nothing to do with that ... Email me directly the Exch product manager's name, and I'll try to light a fire under them ... if they don't product something, I'll produce something on my blog (when it is up) and send it around ... Cheers, BrettSh On Thu, 28 Apr 2005, Michael B. Smith wrote: One of the Exchange Product Managers said today that she is preparing a blog on Squeaky Lobster, including a picture of the original Squeaky. I also asked about the KB and was told, simply, that it isn't currently publicly available. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, April 28, 2005 7:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? Try - http://www.realcooltoys.com/squeakylobster.html Squeaky Lobster is a magic reg key to enable special Squeaky Lobster ESE counters. It first came to being, I believe, with Exchange 5.5 where I heard two different stories, the first being that the dev guy who put it in had a kid who had a squeaky lobster toy (or he had it) and the other is that it was thought up after lunch. I would tend to go with the first explanation myself... Anyway, it was carried through and is available on AD, or at least it was on 2K AD which is the last time I used it a couple of years ago. There used to be a KB out there that talked about what it made available but I don't see it anywhere which sucks because if I need it again I will have to go dig through 8 GB of PSTs and notepad docs. :o) I want to say that I think I heard they changed (or were changing) the name of this reg entry to something like show advanced counters or something like that but I don't think I can point at any references for that. As far as I know, this key wasn't supposed to be hidden or secret, though it appears it might have gone underground. I don't think I will post any more on it and let ~Eric or Brett put out in the public whatever they think should be available. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Thursday, April 28, 2005 1:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? This has been a great thread. I've really enjoyed reading it. This question is going to illustrate my extreme ignorance; however, the answer is worth it. What is Squeaky Lobster? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Wednesday, April 27, 2005 3:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? From ESE's advanced perf counters exist, that tell you on a non-per-search basis: - Database Pages Transferred/sec - Database Page Latches/sec IIRC, the first is rate of pages being transferred from disk, and the 2nd is the rate at wich you are making a read of something on a page in the cache (that will include the read right after a page is transferred, BTW). It doesn't give you the per query stats you were discussing, but it does give you an idea of how much disk the DC is requiring ... If you were to isolate a DC from load, except your query, it could give a _rough_ idea for a paticular query, but remember latches aren't unique references, so if a single query internally has to read a page several times, that will be several latch counts.