Re: [ActiveDir] RDP Over SSL (No Security tab in Client)

2006-06-19 Thread Ravi Dogra

Thanks,

I have achieved this by making a copy of mstsc.exe and mstscax.dll from a
windows2k3 sp1 box and placing it in a different folder on the client
other than system32.

Registered the dll and this fixed the problem.

Thanks Again,
Ravi Dogra
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] can I exclude a particular user account from "authenticated users"?

2006-06-19 Thread joe

Disable the account's ability to authenticate.

Makes the account rather worthless but it is the only thing I can think of that would accomplish the stated goal.

Programmatically you might be able to modify the token at the local machine level such that the auth users SID isn't enabled, but that would take some rather involved work I expect. See http://msdn.microsoft.com/library/default.asp?url="">. It isn't anything I have tried, just a theory based on some reading I have done in the API docs.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, June 19, 2006 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] can I exclude a particular user account from "authenticated users"?

This may sound like an off the wall question, but I would like to exclude a particular user account from the built-in security principal “Authenticated Users”.  Is there any way to do this?

TIA!
Mike Thommes
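An added example (not from joe's post, and not Microsoft code) that turns the token theory above into a check a defender can run: Authenticated Users (S-1-5-11) has no editable membership, LSA adds it to the token of every authenticated (non-anonymous, non-Guest) logon, so the only way to see whether a given token still carries it as an enabled SID is to inspect the token. The parser below reads the output of `whoami /groups /fo csv /nh`; the attribute strings are assumed to be the ones whoami prints, and both sample outputs are constructed.

```python
"""Classify how a well-known SID appears in a Windows access token, from
the output of `whoami /groups /fo csv /nh`.

Added example for this thread.  The two sample outputs are constructed,
not captured from a real host; the attribute wording is assumed to be
what whoami prints ("Enabled group", "Group used for deny only").
"""
import csv
import io

AUTHENTICATED_USERS = "S-1-5-11"

# Constructed sample 1: an ordinary interactive logon.
NORMAL_TOKEN = (
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"\n'
    '"NT AUTHORITY\\Authenticated Users","Well-known group","S-1-5-11","Mandatory group, Enabled by default, Enabled group"\n'
    '"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"\n'
)

# Constructed sample 2: the same logon after S-1-5-11 was placed in the
# SidsToDisable list of CreateRestrictedToken.  The SID is still present,
# but it now only matches deny ACEs, never allow ACEs.
RESTRICTED_TOKEN = (
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"\n'
    '"NT AUTHORITY\\Authenticated Users","Well-known group","S-1-5-11","Group used for deny only"\n'
    '"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"\n'
)


def parse_whoami_groups(text):
    """Yield (name, type, sid, attribute-set) rows from whoami CSV output.

    A header row (when /nh was not given) has "SID" in the SID column and
    simply never matches a real SID, so it is harmless to leave in.
    """
    for row in csv.reader(io.StringIO(text)):
        if len(row) == 4:
            name, kind, sid, attrs = row
            yield name, kind, sid, {a.strip() for a in attrs.split(",")}


def sid_state(text, sid=AUTHENTICATED_USERS):
    """Return 'absent', 'enabled', 'deny-only' or 'disabled' for one SID."""
    for _name, _kind, row_sid, attrs in parse_whoami_groups(text):
        if row_sid.upper() != sid.upper():
            continue
        if "Group used for deny only" in attrs:
            return "deny-only"
        if "Enabled group" in attrs:
            return "enabled"
        return "disabled"
    return "absent"


def grants_authenticated_users_access(text):
    """True when an allow ACE for Authenticated Users would apply to this token."""
    return sid_state(text, AUTHENTICATED_USERS) == "enabled"


if __name__ == "__main__":
    # On a real host feed in:
    #   subprocess.run(["whoami", "/groups", "/fo", "csv", "/nh"],
    #                  capture_output=True, text=True).stdout
    for label, sample in (("normal", NORMAL_TOKEN), ("restricted", RESTRICTED_TOKEN)):
        print(label, sid_state(sample), grants_authenticated_users_access(sample))
```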


RE: [ActiveDir] Cisco Unity AD schema extensions

2006-06-19 Thread Marcus.Oh
I've had no issues with the extensions.  The required permissions, etc,
etc... different story.  It was very difficult getting any amount of
detail on the exact permissions.

:m:dsm:cci:mvp | marcusoh.blogspot.com
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, June 16, 2006 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cisco Unity AD schema extensions

Hi Jason, 

Is this a new install? What version of Exchange are you running? What
version of Cisco Unity are you implementing?

Just be very careful if you are using the Active Directory Connector and
you're migrating from Exchange 5.5 to Exchange 2003 with Cisco Unity (
or any third party installed application that has hooks into someone's
mailbox ).

As a matter of fact I would probably export every mailbox that you
migrate prior to moving it over. 

Regards, 

Jose

" An ounce of prevention is better than a pound of cure "

Benjamin Franklin


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Wednesday, June 14, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Cisco Unity AD schema extensions

We've also been using the new Cisco Unity platform for unified messaging
for a few months now, and the schema extensions have caused us no
problems whatsoever.

Good luck - it's a very solid platform and we love it.

--
Brian Cline


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Tuesday 13 June 2006 10:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Cisco Unity AD schema extensions

Has anyone worked with/been involved with the Cisco unity AD schema
extensions?

One of our divisions is planning to go with the integrated solution and
wants to run the schema update.

I have the link on Cisco's site about what they add. 

http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_white_pap
er09186a00800e4535.shtml

But I don't know enough about AD to know the impact now and in the
future for windows and Exchange upgrades.

Any feedback is appreciated.

Thanks,
jb

--
Jason Benway
Network Services Manager
[EMAIL PROTECTED]
GHSP
  


RE: [ActiveDir] can I exclude a particular user account from "authenticated users"?

2006-06-19 Thread Brian Desmond

No

Thanks,

Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, June 19, 2006 9:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] can I exclude a particular user account from "authenticated users"?

This may sound like an off the wall question, but I would like to exclude a particular user account from the built-in security principal “Authenticated Users”.  Is there any way to do this?

TIA!

Mike Thommes


[ActiveDir] can I exclude a particular user account from "authenticated users"?

2006-06-19 Thread Thommes, Michael M.

This may sound like an off the wall question, but I would like to exclude a particular user account from the built-in security principal “Authenticated Users”.  Is there any way to do this?



TIA!

Mike Thommes




Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-19 Thread Paul Glenn
Since I'm not small business, no I didn't.  I also didn't go to Fenway.  I opted to go see X-Men down at Boston Common :)
On 6/19/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
> BTW when you get the TechEd DVD .. listen to it.
>
> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> [...]

Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

BTW when you get the TechEd DVD .. listen to it.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> And you didn't go to Jeff Middleton's TechEd session on DR for Small
> business did you?
>
> We're a single DC folks.. hello... it works.
>
> We're not enterprise and that means best practices for you are not
> best practices for us.
>
> Acronis works.
>
> Big boys can't image DCs.. we can.  We're little..we're agile and we
> can do it.
>
> Big server land can't ...and that's fine...but the rules of big server
> land stop at the gates of SBSland... it's a whole diff ball game for
> us. (Fenway was cool btw)
>
> Paul Glenn wrote:
> > I attended a Disaster Recovery of AD class at TechEd this past week.
> > One thing they said was to NEVER EVER rely on a ghost image for DR.
> > Their reasoning was the whole SID situation.
> >
> > Paul
> >
> > [...]


 
   

Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
And you didn't go to Jeff Middleton's TechEd session on DR for Small 
business did you?


We're a single DC folks.. hello... it works.

We're not enterprise and that means best practices for you are not best 
practices for us.


Acronis works.

Big boys can't image DCs.. we can.  We're little..we're agile and we can 
do it.


Big server land can't ...and that's fine...but the rules of big server 
land stop at the gates of SBSland... it's a whole diff ball game for us. 
(Fenway was cool btw)



Paul Glenn wrote:
> I attended a Disaster Recovery of AD class at TechEd this past week.
> One thing they said was to NEVER EVER rely on a ghost image for DR.
> Their reasoning was the whole SID situation.
>
> Paul
>
> [...]


 

Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-19 Thread Paul Glenn
I attended a Disaster Recovery of AD class at TechEd this past week.  One thing they said was to NEVER EVER rely on a ghost image for DR.  Their reasoning was the whole SID situation.
 
Paul 
On 6/17/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
> And us SBSers will say that sometimes that single DC with a DR strategy
> in place can be less issue than multiple domain controllers.  (please
> note the "DR strategy" phrase there.. this is planned ahead of time)
>
> What is the size of the firm and what is the tolerance of downtime.
> Start from there.  Plan your DR process.
>
> Almeida Pinto, Jorge de wrote:
> > Only in an AD environment with ONE DC in the AD FOREST, there would
> > not be much of an issue. Although I still recommend to use a supported
> > method.
> > No matter how many DCs, using a supported method/tool/procedure, you
> > will always be ready for it.
> > As soon as you get a second DC, the image thing won't work that good
> > anymore.
> >
> > For more info also see:
> > http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx
> >
> > I also recommend to have AT LEAST 2 DC in each AD domain (and backup
> > at least 2, preferably more if you have more DCs) for if something
> > goes wrong with one DC. In that case while one DC is still running you
> > can repair the other or promote another DC into the AD domain. If you
> > only have one DC, AD will be available again as soon as that single DC
> > is up and running again.
> >
> > Met vriendelijke groeten / Kind regards,
> > Ing. Jorge de Almeida Pinto
> > Senior Infrastructure Consultant
> > MVP Windows Server - Directory Services
> > LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> > Tel : +31-(0)40-29.57.777
> > Mobile : +31-(0)6-26.26.62.80
> > E-mail :
> >
> > From: [EMAIL PROTECTED] on behalf of Jose Medeiros
> > Sent: Sat 2006-06-17 08:01
> > To: [EMAIL PROTECTED]
> > Cc: Medeiros, Jose; ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server
> >
> > Hi Amit,
> >
> > Well first you'll need to buy Symantec Ghost Corporate Edition so you
> > have the 32 bit version. Then if you have a server such as a HP
> > Proliant DL-580 with a 6400 Smart Raid Controller you'll need to add
> > the Raid controller driver to your bootable CD Rom that you'll have to
> > create so it can access the Raid Disk Array.
> >
> > If you want to create your own Bootable CD, I would recommend you use
> > Microsoft WinPE or Bart's PE http://www.nu2.nu/pebuilder/ .
> >
> > Barts also allows you to use Acronis http://www.acronis.com/ which may
> > be less expensive than Ghost Corporate, however I have only used Ghost
> > Version 8, 32Bit and can attest that it works ( I've imaged several
> > hundred servers with it at ADP Payroll Systems ).
> >
> > Hope this helps, the rest is up to you and requires that you read the
> > documentation with each product.
> >
> > Best Wishes,
> >
> > Jose Medeiros
> > http://www.myspace.com/josemedeiros1
> >
> > ---
> >
> > - Original Message -
> > From: Amit Kapoor [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Friday, June 16, 2006 10:39 PM
> > Subject: [ExchangeList] Ghost Backup or Image for Active Directory Server and Exchange Server
> >
> > Hi,
> >
> > I have windows 2000 domain controller and windows 2003 server on
> > which exchange 2003 is installed.
> >
> > I want to take Ghost Backup or an operating system image of the
> > server. So that in case of crisis the same can be recovered in few
> > minutes.
> >
> > Please help me and guide me how can I take the ghost backup of the
> > servers and how do I test restore of the ghost image.
> >
> > Thanks
> >
> > Amit
> >
> > ps. check out our latest product: www.DriveInside.com - India's No. 1 Auto Website
> >
> > Amit Kapoor
> > Network Engineer
> > Module One India Ltd.
> > Paharpur Software Technology Incubator Park
> > A-88, Okhla Phase II, New Delhi 110020, India
> > Tel: +91-(0)11-41859200 ext. 204 | Fax: +91-(0)11-41859220
> > E-mail: [EMAIL PROTECTED] | Web: www.moduleone.com

Re: [ActiveDir] OT: Higher Education web access

2006-06-19 Thread Paul Glenn

On 6/19/06, Phil Renouf <[EMAIL PROTECTED]> wrote:
> So, you offer a web based view of their home directories? Are they also able to access that data via a share or something like that or is it strictly web based access to those files?

We also map a drive for each student when they login using one of our lab machines.  We have also built into our images a re-direct of "My Documents" that points to their home directories.  This is mostly as a precaution since we use Deep Freeze to protect our machines.

The students are also allowed to FTP files to and from their directory.  Most people actually don't like the web interface b/c they can only upload or download one file at a time (a limitation of the IUAdmin software).

> If I understand correctly you have two requirements:
>
> - Web based access to files stored on a server with a quota to ensure that users don't blow up your disk space

Correct.  We will be using a product called File System Factory that will restrict the quota, creates the home directory and places the permissions on that directory when a student account is created in our AD and placed into our student group.

> - Ability to create their own web pages

Correct again.

> Based on your website, you want them to be able to build sites completely from scratch. Do they have FTP access for uploading files? Is that important to keep?

FTP is an absolute must, I don't want to face the students if I tell them we no longer offer FTP.  However, I am also looking at providing WEBDAV.

> Would you consider moving to a system where much of the site is precreated and users are able to change its look via templates etc.?

This is intriguing, however, I have to have control of the system for various reasons - the main one being for restores when a student or professor deletes that all important paper that is due in 15 minutes.  Another one is the ability to shut down the site when a parent sees naked pictures of their daughter on someone else's site - real life situation just this past semester.

Paul

> Phil
>
> On 6/19/06, Paul Glenn <[EMAIL PROTECTED]> wrote:
> > Hello all,
> >
> > Sorry for the OT, but I'm a bit at a loss on parts of the big move.  As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory.  We've overcome several hurdles up to this point.  Our next big one is how to give access to our student's files via a web browser and also a way to host their own web pages.  Currently we accomplish this via IUAdmin and apache services.  IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks.  I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment.  To help give a better idea of what we do, I offer three web pages:
> >
> > Students can login to the following page and gain access to their files.
> > http://locker.uky.edu
> >
> > The next link shows you some screenshots of what you would see if you logged in as bigtest.
> > http://locker.uky.edu/help.htm
> >
> > Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature):
> > http://locker.uky.edu/~pglenn
> >
> > Thanks for any help even if it's just a pointer to another listserv
> >
> > Paul
> >
> > --
> > ***"I've got a fever and the only prescription is more cowbell."--Christopher Walken***



RE: [ActiveDir] Acitve Directory Internet Cafe Software

2006-06-19 Thread Robert Rutherford
Hello,

I looked some time ago but didn't find anything which truly fits, but I did use 
http://www.antamedia.com/caffe/ in one environment and it was fine.

If you have a suitable firewall and/or a suitable content filter then we could 
work something... what are u using?

Cheers

Rob


Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:  +44 (0) 8456 440 331
F:  +44 (0) 8456 440 332
M:  +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams
Sent: 19 June 2006 21:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Acitve Directory Internet Cafe Software


Hi
Is there anyone out there aware of "internet Café" software that utilizes 
active directory accounts? Basically I have a bunch of computers I have users 
log into, and I need to monitor their time logged in and create reports on 
computer usage by active directory accounts. The sort of software that does 
this is typically the same software that runs internet cafés but it seems they 
all use a proprietary account setup.

Lloyd Williams 


RE: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-19 Thread Robert Rutherford
Hi,

It does sound like our old pal DNS. 

If you run a dcdiag and netdiag, do they both run clean? If not then
please post the results.

If all is clean and it's a test environment then pull it and clean it up
with ntdsutil et al. 

If it's a new situation then just replicate and see if you still have
the issue. I have always found a couple of hours helps many ills.

BR

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:  +44 (0) 8456 440 331
F:  +44 (0) 8456 440 332
M:  +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: 19 June 2006 20:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

I'm in the process of upgrading my test domain (empty root and 1 child)
to w2k3 R2 based DCs and (thanks to help from the friendly folks here)
am just about done. I have one last w2k dc left to remove. It doesn't
want to go peacefully.

I moved the FSMO roles off and the next day tried to dcpromo it down to 
a simple server. I get

Managing the network session with FBDC1.fnal.gov failed

"Access is denied. "
dcpromoui t:0x848 00479  Exit  State::GetFailureMessage The 
operation failed because:

Managing the network session with FBDC1.fnal.gov failed

A quick check shows that I can't get to the admin shares of my new w2k3 
dc/FSMO role holder from the w2k dc. I can get to the admin shares of 
the other simple servers but not either of the 2 DCs. Other systems can 
access the admin shares via the domain admin account I'm using on the 
w2k DC.

I've been searching and have found people having a similar problem when
promoting a w2k machine to be a DC but not when demoting. I've tried a
number of the things that were suggested in those articles and they have
had no effect.

There is no firewall in the way. AD replication and FRS work.

Any ideas before I rip it out?

al

-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]


Re: [ActiveDir] RDP Over SSL (No Security tab in Client)

2006-06-19 Thread Laura E. Hunter

If you're not getting a Security tab on your clients, update their
client RDP software from the 2003 R2 CD (I think that 2003 w/SP1 will
do as well, but I don't have a representative box in front of me to
confirm.)

On 6/16/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:

Hi All,

I have configured RDP Over SSL and it's working fine when I tested it
from my Servers using tsmmc.msc.

Whereas when I am trying to install a client (RDP 5.2) it is not
giving me any option to select Authentication Mode (Require
Authentication) in the client installed.

What should I do to resolve the issue?

Attached are both snapshots.
I am getting it without the security tab. It should be with the security tab
as shown in the snapshots.

--
Thanks and Regards
Ravi Dogra
9899647200






--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)


[ActiveDir] Question on rightsguid

2006-06-19 Thread Matheesha Weerasinghe

All

I've been doing a little digging into AD and was wondering why the
rightsguid for the validated-spn and the self-membership validated
rights don't have objects in the schema with matching
attributesecurityguid values. Is it correct to assume that there
should be objects in the schema with attributesecurityguid values to
match each rightsguid value of each controlaccess object? Or is
rightsguid only really important for propertysets?

Also I noticed when I used joe's adfind to list objects which had the
rightsguid value from validated-dns-host-name, the filter listed the
same rightsguid value in a different format, i.e.

adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd attributesecurityguid
was expanded as Transformed Filter:
(&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD))

I deduced G=47, r=72 etc.

Can anyone explain the above for me?

Cheers

M@
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
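The byte string in the transformed filter above is the GUID in the layout AD stores it in (Windows mixed-endian: the first three GUID fields little-endian, the last eight bytes in order), escaped for an LDAP filter. The following is an added example, not adfind's code or anything from the thread, that does the conversion both ways so the "G=47, r=72" deduction can be checked mechanically. The display rule (alphanumeric bytes left as-is, everything else as \XX) is inferred from the output quoted in the post; the fully escaped form is what RFC 4515 prescribes and is safe to paste into any LDAP client.

```python
import string
import uuid

# adfind's display rule as inferred from the filter shown in the post:
# alphanumeric ASCII bytes are printed literally, all other bytes as \XX.
_DISPLAY_LITERAL = {ord(c) for c in string.ascii_letters + string.digits}


def guid_to_filter_value(guid_text, escape_all=False):
    """Textual GUID -> LDAP filter value for a binary GUID attribute
    (attributeSecurityGUID, rightsGuid, objectGUID, schemaIDGUID).

    uuid.bytes_le yields the Windows/AD byte order: the first three fields
    are byte-swapped, the trailing eight bytes are not.
    """
    raw = uuid.UUID(guid_text).bytes_le
    pieces = []
    for b in raw:
        if not escape_all and b in _DISPLAY_LITERAL:
            pieces.append(chr(b))            # e.g. 0x47 -> 'G', 0x72 -> 'r'
        else:
            pieces.append("\\%02X" % b)      # RFC 4515 hex escape
    return "".join(pieces)


def filter_value_to_guid(escaped):
    """Inverse: parse an escaped filter value (literal chars and \\XX
    escapes) back into the dashed, lowercase GUID string."""
    raw = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            raw.append(int(escaped[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(escaped[i]))
            i += 1
    if len(raw) != 16:
        raise ValueError("expected 16 GUID bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=bytes(raw)))


def propset_member_filter(rights_guid):
    """Filter that lists the attributeSchema objects belonging to a property
    set or validated-write right, fully escaped (what -propsetmembers expands to)."""
    return "(&(objectCategory=attributeSchema)(attributeSecurityGUID=%s))" % (
        guid_to_filter_value(rights_guid, escape_all=True))


if __name__ == "__main__":
    g = "72e39547-7b18-11d1-adef-00c04fd8d5cd"       # GUID quoted in the post
    print(guid_to_filter_value(g))                      # adfind-style display
    print(propset_member_filter(g))                     # paste-safe filter
    print(filter_value_to_guid(guid_to_filter_value(g)))
```

Running the round trip on the post's GUID reproduces the filter bytes exactly, which confirms that the "different format" is only the storage byte order plus filter escaping, not a different value; the same helper is handy when auditing which attributes a validated write or property set actually covers.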


[ActiveDir] Acitve Directory Internet Cafe Software

2006-06-19 Thread Lloyd Williams

Hi
Is there anyone out there aware of "internet café" software that utilizes
Active Directory accounts? Basically I have a bunch of computers I have users
log into, and I need to monitor their time logged in and create reports on
computer usage by Active Directory accounts. The sort of software that does
this is typically the same software that runs internet cafés, but it seems they
all use a proprietary account setup.

Lloyd Williams 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] OT: Higher Education web access

2006-06-19 Thread Phil Renouf
So, you offer a web based view of their home directories? Are they also able to access that data via a share or something like that, or is it strictly web based access to those files?

If I understand correctly you have two requirements:

- Web based access to files stored on a server with a quota to ensure that users don't blow up your disk space
- Ability to create their own web pages

Based on your website, you want them to be able to build sites completely from scratch. Do they have FTP access for uploading files? Is that important to keep? Would you consider moving to a system where much of the site is precreated and users are able to change its look via templates etc.?

Phil
On 6/19/06, Paul Glenn <[EMAIL PROTECTED]> wrote:

Hello all,

Sorry for the OT, but I'm a bit at a loss on parts of the big move. As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory. We've overcome several hurdles up to this point. Our next big one is how to give access to our students' files via a web browser and also a way to host their own web pages. Currently we accomplish this via IUAdmin and Apache services. IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks. I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment. To help give a better idea of what we do, I offer three web pages:

Students can login to the following page and gain access to their files: http://locker.uky.edu

The next link shows you some screenshots of what you would see if you logged in as bigtest: http://locker.uky.edu/help.htm

Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature): http://locker.uky.edu/~pglenn

Thanks for any help even if it's just a pointer to another listserv.

Paul

--
*** "I've got a fever and the only prescription is more cowbell." -- Christopher Walken ***



[ActiveDir] OT: Higher Education web access

2006-06-19 Thread Paul Glenn
Hello all,

Sorry for the OT, but I'm a bit at a loss on parts of the big move. As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory. We've overcome several hurdles up to this point. Our next big one is how to give access to our students' files via a web browser and also a way to host their own web pages. Currently we accomplish this via IUAdmin and Apache services. IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks. I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment. To help give a better idea of what we do, I offer three web pages:

Students can login to the following page and gain access to their files: http://locker.uky.edu

The next link shows you some screenshots of what you would see if you logged in as bigtest: http://locker.uky.edu/help.htm

Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature): http://locker.uky.edu/~pglenn

Thanks for any help even if it's just a pointer to another listserv.

Paul

--
*** "I've got a fever and the only prescription is more cowbell." -- Christopher Walken ***


[ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-19 Thread Al Lilianstrom
I'm in the process of upgrading my test domain (empty root and 1 child)
to w2k3 R2 based DCs and (thanks to help from the friendly folks here)
am just about done. I have one last w2k dc left to remove. It doesn't
want to go peacefully.

I moved the FSMO roles off and the next day tried to dcpromo it down to
a simple server. I get
Managing the network session with FBDC1.fnal.gov failed

"Access is denied. "
dcpromoui t:0x848 00479  Exit  State::GetFailureMessage The 
operation failed because:

Managing the network session with FBDC1.fnal.gov failed

A quick check shows that I can't get to the admin shares of my new w2k3 
dc/FSMO role holder from the w2k dc. I can get to the admin shares of 
the other simple servers but not either of the 2 DCs. Other systems can 
access the admin shares via the domain admin account I'm using on the 
w2k DC.

I've been searching and have found people having a similar problem when
promoting a w2k machine to be a DC but not when demoting. I've tried a
number of the things that were suggested in those articles and they have
had no effect.

There is no firewall in the way. AD replication and FRS work.

Any ideas before I rip it out?

al

--

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] DDNS in Unix environment

2006-06-19 Thread Guy Teverovsky

I will try to address all the points raised.

Al:
You are right. The idea is to provide highly available service as transparently as possible. This is one of those times when Unix folks are leading the project and they are trying to find the solution in the DNS. I have already pointed out that even if DDNS is successful, the TTLs will have to be reduced drastically to very short values.

Mike:
I have already suggested a simple WMI script somehow triggered by the cluster, but they are hesitant about any non-standard customization. The SimpleFailover however looks like something that I might be able to use. Will definitely have a better look at it. Funny that I have not found it while exercising my google-fu.

Willem:
If you ask me, the solution should indeed be based on some sort of appliance based load balancer, but the folks are looking into a software based solution - introducing network related changes could be quite tricky in this case (politics, another IT group, single point of failure...)

Disclaimer: have no idea about Veritas HA Unix cluster either ;)

Now if I could only smack the Unix folks, make them disable the DDNS registration requirement on the cluster and look into a hardware load balancer, life would be much easier...

Bottom line: Unix people are evil! Do not let them near your AD ;)
(ducking and getting on a plane)

Thanks all for the input!
Guy


From: Willem Kasdorp
Sent: Mon 6/19/2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DDNS in Unix environment


Guy,

Those are good points by Al. Especially the DNS TTL will break you up if the customer expects a quick failover. I would expect that there is some mechanism in the cluster failover (a script hook or something) that will allow you to manually change DNS where needed. But is this really the way to go? I’d take a hard look at how the app is supposed to realize high availability. Additionally, I have seen a similar scenario where a redundant network loadbalancer would reroute traffic to the active node. That would take care of name resolution and similar issues, anyway.

--
    Cheers, Willem

(disclaimer: I know nothing about Veritas HA clusters)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 19, 2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DDNS in Unix environment

Guy, can we assume that the requirement is to provide the high availability as transparently as possible then?

What is the expectation if the primary site goes away as far as client name res? What is their way of knowing that the server went away and to use a new name (keeping in mind that caching etc is going to take place)?

What does Veritas recommend? (it is their product after all).

Al

On 6/17/06, Guy Teverovsky <[EMAIL PROTECTED]> wrote:

Howdy all,

I am banging my head over this trying to come up with a solution for a client.

To make the long story short: financial organization which is very concerned about security. They are setting up a new network segment that will be serving some application to the internal network (there is a firewall in between). Because of the critical nature of the application, there is a DR site. AD is used for authentication and DNS.
There is a Veritas HA cluster serving the application that will fail over to DR site in case the primary site goes down.
Primary site: 2 DCs with SFU (R2) + Veritas cluster node
DR site: 2 DCs with SFU (R2) + Veritas cluster node.
Primary and DR site are at different physical locations and on different subnets.

The only problem with this setup is that the cluster needs to register its DNS name when failing over to DR site and it does not support secure DDNS. The best thing it can do is T-SIG DDNS with pre-shared key.
Enabling non-secure DDNS is not an option.

I can disable the DNS registration requirement in the cluster resource group, but this has some issues, while one of them is the fact that accessing the application at the DR site (from internal LAN) will require using FQDN different from the FQDN of the primary site.

An alternative would be to somehow enable DDNS only from a predefined set of IP addresses, but from what I know the MS DNS is not capable of it (correct me if I'm wrong).

Switching to BIND presents the same issue: while it can solve the dynamic registration of the cluster service using T-SIG DDNS, yet non-secure registration of SRV records is not acceptable and I would like to avoid having statically registered SRV records for the DCs.

Not sure whether the solution is in the MS DNS, but there are some knowledgeable folks over here that might have stumbled upon something like this.

Any help is greatly appreciated.

Thanks,
Guy
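The thread turns on the difference between "T-SIG DDNS with pre-shared key" (RFC 2845 TSIG, what the cluster and BIND support) and Windows secure dynamic update (GSS-TSIG, RFC 3645: the same TSIG envelope, but with a key negotiated through Kerberos rather than configured statically). The following is an added example, not code from the thread, from Veritas, or from either DNS server: a minimal TSIG signer and verifier in Python over a DNS UPDATE message, to show what the pre-shared key actually authenticates and why it has to be handled as a zone-update credential. The zone, host, key name and secret are constructed values; HMAC-SHA256 (RFC 4635) is used as the algorithm.

```python
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALG = "hmac-sha256."          # TSIG algorithm name (RFC 4635)


def wire_name(name):
    """Domain name in DNS wire format: length-prefixed labels, lowercased, no compression."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone, owner, ip, ttl=60, msg_id=0x1234):
    """Unsigned DNS UPDATE (RFC 2136) adding one A record: zone section + one update RR."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)   # 0x2800 = opcode UPDATE
    zone_sec = wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    upd_sec = wire_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + zone_sec + upd_sec


def _tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields that are MACed together with the message (RFC 2845 section 3.4.2)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALG)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, secret, time_signed=None, fudge=300):
    """Append a TSIG RR to the additional section, authenticating msg with the shared secret."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(secret, msg + _tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (wire_name(ALG) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))          # error = 0, other-len = 0
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def tsig_verify(signed, key_name, secret, now=None):
    """Server-side check. Returns (ok, reason). The TSIG RR is always the last RR."""
    prefix = wire_name(key_name) + struct.pack("!HHI", TYPE_TSIG, CLASS_ANY, 0)
    pos = signed.rfind(prefix)
    if pos < 0:
        return False, "no TSIG RR for this key name"
    p = pos + len(prefix) + 2                       # skip RDLENGTH
    alg_wire = wire_name(ALG)
    if signed[p:p + len(alg_wire)] != alg_wire:
        return False, "unexpected TSIG algorithm"
    p += len(alg_wire)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    p += 6
    fudge, mac_size = struct.unpack("!HH", signed[p:p + 4])
    p += 4
    mac = signed[p:p + mac_size]
    p += mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    p += 6
    other = signed[p:p + other_len]
    # Rebuild the message as the signer saw it: original ID, ARCOUNT without the TSIG RR.
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", arcount) + signed[12:pos]
    expected = hmac.new(secret, unsigned + _tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad MAC: wrong key or message altered in transit"
    current = int(time.time()) if now is None else now
    if abs(current - time_signed) > fudge:
        return False, "time signed outside fudge window (stale or replayed)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: zone, host, key name and secret are not from the thread.
    secret = b"constructed-pre-shared-secret"
    msg = build_update("app.example.test.", "svc.app.example.test.", "10.0.1.20")
    signed = tsig_sign(msg, "cluster-key.", secret)
    print(tsig_verify(signed, "cluster-key.", secret))
    print(tsig_verify(signed, "cluster-key.", b"wrong-key"))
```

Two points the code makes concrete. First, the MAC covers the whole update plus the key name and timestamp, so a server that holds the key can reject altered or replayed updates, but anyone holding the same key can register whatever the server's update policy allows; the key therefore needs the same handling as a service account password, and BIND's update-policy (or an equivalent) should limit the key to the cluster's own names. Second, nothing here involves Kerberos, which is exactly why an MS DNS zone set to "secure only" (GSS-TSIG) cannot accept it.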
 


RE: [ActiveDir] NETBIOS Character Limitation?

2006-06-19 Thread Medeiros, Jose

Just as I thought. Thank you for the clarification.

Jose J


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 19, 2006 1:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NETBIOS Character Limitation?

NetBIOS names are restricted to 15 chars.

As joe stated, the $ is not included in that 15 since it's not part of the name being resolved (using WINS) - it's only used within the AD database itself.

The 16th char is reserved and indicates the service(s) offered by this NBT name.

Nothing changed from NT to w2k to w2k3 with regard to NBT names.

As joe also stated, your app appears to introduce a 14 char limitation and not the underlying OS. ADU&C can certainly create a 15 char NBT name (and still append the $ char in the database) without issue.

I hope this helps.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 16 June 2006 18:17
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Cc: joe
Subject: RE: [ActiveDir] NETBIOS Character Limitation?



Hi Joe,

So going back to my original question, can I use 15 character server names or am I limited to 14 characters?

Jose

-- Original message --
From: "joe" <[EMAIL PROTECTED]>

The $ for computer accounts isn't included in the NetBIOS name for nameres, only in the DB and that was to hide them from being displayed with normal user accounts in NT days.

What is the web based tool? Tell the vendor to fix it. In the meanwhile, create the account another way.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, June 16, 2006 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NETBIOS Character Limitation?

Greetings,

I am trying to create a 15 character SQL cluster node name in Active Directory using a web based tool. The tool will only allow me to use 14 characters and the Active Directory group states “The 14 character limit is due to the '$' that must be appended to the samAccountName for backward compatibility. WINS has a 15 character limit. To ensure there is always room for the '$' the field is limited to 14 characters”.

I have been working with WINS since NT 3.51, and NetBIOS has always been 15 characters followed by a 16th binary value. The last 16th binary value is for a unique ID. I have Michael Masterson's WINS & DNS book (I was on the board of the NTEA www.ntea.net) with him.

http://www.amazon.com/gp/product/1562059432/qid=1150472910/sr=1-7/ref=sr_1_7/002-3567057-9128019?s=books&v=glance&n=283155

Was the character limitation reduced in AD 2003 and WINS?

Sincerely,

Jose Medeiros
Storage Area Network Systems Engineer
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct, 408-449-6621 Cell

"Anyone who has never made a mistake has never tried anything new."
Albert Einstein

RE: [ActiveDir] DDNS in Unix environment

2006-06-19 Thread Guest, Mike

You could look at http://www.simplefailover.com/ (never used or tried this – just found it in a google search)

Or you could look at writing a WMI script yourself to update DDNS as long as you can find some way to trigger it. In that case http://www.iisfaq.com/Default.aspx?tabid=2986 may be of some assistance.

Hope this helps

__
Mike Guest | Capgemini | Sale
Server Support | Outsourcing UK
Office: + 44 (0)870 366 1814 | 700 1814 | [EMAIL PROTECTED]
77-79 Cross Street, Sale, Cheshire. M33 7HG

Join the Collaborative Business Experience
__


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 19 June 2006 15:01
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DDNS in Unix environment

Guy, can we assume that the requirement is to provide the high availability as transparently as possible then?

What is the expectation if the primary site goes away as far as client name res? What is their way of knowing that the server went away and to use a new name (keeping in mind that caching etc is going to take place)?

What does Veritas recommend? (it is their product after all).

Al

On 6/17/06, Guy Teverovsky <[EMAIL PROTECTED]> wrote:

Howdy all,

I am banging my head over this trying to come up with a solution for a client.

To make the long story short: financial organization which is very concerned
about security. They are setting up a new network segment that will be serving
some application to the internal network (there is a firewall in between).
Because of the critical nature of the application, there is a DR site. AD is
used for authentication and DNS. 
There is a Veritas HA cluster serving the application that will fail over to DR
site in case the primary site goes down.
Primary site: 2 DCs with SFU (R2) + Veritas cluster node
DR site: 2 DCs with SFU (R2) + Veritas cluster node. 
Primary and DR site are at different physical locations and on different
subnets.

The only problem with this setup is that the cluster needs to register its DNS
name when failing over to DR site and it does not support secure DDNS. The best
thing it can do is T-SIG DDNS with pre-shared key.
Enabling non-secure DDNS is not an option.

I can disable the DNS registration requirement in the cluster resource group,
but this has some issues, while one of them is the fact that accessing the
application at the DR site (from internal LAN) will require using FQDN
different from the FQDN of the primary site. 

An alternative would be to somehow enable DDNS only from a predefined set of IP
addresses, but from what I know the MS DNS is not capable of it (correct me if
I'm wrong).

Switching to BIND presents the same issue: while it can solve the dynamic
registration of the cluster service using T-SIG DDNS, yet non-secure
registration of SRV records is not acceptable and I would like to avoid having
statically registered SRV records for the DCs. 

Not sure whether the solution is in the MS DNS, but there are some
knowledgeable folks over here that might have stumbled upon something like
this.

Any help is greatly appreciated.

Thanks,
Guy


RE: [ActiveDir] DDNS in Unix environment

2006-06-19 Thread Willem Kasdorp

Guy,

Those are good points by Al. Especially the DNS TTL will break you up if the customer expects a quick failover. I would expect that there is some mechanism in the cluster failover (a script hook or something) that will allow you to manually change DNS where needed. But is this really the way to go? I’d take a hard look at how the app is supposed to realize high availability. Additionally, I have seen a similar scenario where a redundant network loadbalancer would reroute traffic to the active node. That would take care of name resolution and similar issues, anyway.

--
    Cheers, Willem

(disclaimer: I know nothing about Veritas HA clusters)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 19, 2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DDNS in Unix environment

Guy, can we assume that the requirement is to provide the high availability as transparently as possible then?

What is the expectation if the primary site goes away as far as client name res? What is their way of knowing that the server went away and to use a new name (keeping in mind that caching etc is going to take place)?

What does Veritas recommend? (it is their product after all).

Al

On 6/17/06, Guy Teverovsky <[EMAIL PROTECTED]> wrote:



Howdy all,

I am banging my head over this trying to come up with a solution for a client.

To make the long story short: financial organization which is very concerned
about security. They are setting up a new network segment that will be serving
some application to the internal network (there is a firewall in between).
Because of the critical nature of the application, there is a DR site. AD is
used for authentication and DNS. 
There is a Veritas HA cluster serving the application that will fail over to DR
site in case the primary site goes down.
Primary site: 2 DCs with SFU (R2) + Veritas cluster node
DR site: 2 DCs with SFU (R2) + Veritas cluster node. 
Primary and DR site are at different physical locations and on different
subnets.

The only problem with this setup is that the cluster needs to register its DNS
name when failing over to DR site and it does not support secure DDNS. The best
thing it can do is T-SIG DDNS with pre-shared key.
Enabling non-secure DDNS is not an option.

I can disable the DNS registration requirement in the cluster resource group,
but this has some issues, while one of them is the fact that accessing the
application at the DR site (from internal LAN) will require using FQDN
different from the FQDN of the primary site. 

An alternative would be to somehow enable DDNS only from a predefined set of IP
addresses, but from what I know the MS DNS is not capable of it (correct me if
I'm wrong).

Switching to BIND presents the same issue: while it can solve the dynamic
registration of the cluster service using T-SIG DDNS, yet non-secure
registration of SRV records is not acceptable and I would like to avoid having
statically registered SRV records for the DCs. 

Not sure whether the solution is in the MS DNS, but there are some
knowledgeable folks over here that might have stumbled upon something like
this.

Any help is greatly appreciated.

Thanks,
Guy

Re: [ActiveDir] DDNS in Unix environment

2006-06-19 Thread Al Mulnick
Guy, can we assume that the requirement is to provide the high availability as transparently as possible then?

What is the expectation if the primary site goes away as far as client name res? What is their way of knowing that the server went away and to use a new name (keeping in mind that caching etc is going to take place)?

What does Veritas recommend? (it is their product after all).

Al

On 6/17/06, Guy Teverovsky <[EMAIL PROTECTED]> wrote:

Howdy all,

I am banging my head over this trying to come up with a solution for a client.

To make the long story short: financial organization which is very concerned about security. They are setting up a new network segment that will be serving some application to the internal network (there is a firewall in between). Because of the critical nature of the application, there is a DR site. AD is used for authentication and DNS.
There is a Veritas HA cluster serving the application that will fail over to DR site in case the primary site goes down.
Primary site: 2 DCs with SFU (R2) + Veritas cluster node
DR site: 2 DCs with SFU (R2) + Veritas cluster node.
Primary and DR site are at different physical locations and on different subnets.

The only problem with this setup is that the cluster needs to register its DNS name when failing over to DR site and it does not support secure DDNS. The best thing it can do is T-SIG DDNS with pre-shared key.
Enabling non-secure DDNS is not an option.

I can disable the DNS registration requirement in the cluster resource group, but this has some issues, while one of them is the fact that accessing the application at the DR site (from internal LAN) will require using FQDN different from the FQDN of the primary site.

An alternative would be to somehow enable DDNS only from a predefined set of IP addresses, but from what I know the MS DNS is not capable of it (correct me if I'm wrong).

Switching to BIND presents the same issue: while it can solve the dynamic registration of the cluster service using T-SIG DDNS, yet non-secure registration of SRV records is not acceptable and I would like to avoid having statically registered SRV records for the DCs.

Not sure whether the solution is in the MS DNS, but there are some knowledgeable folks over here that might have stumbled upon something like this.

Any help is greatly appreciated.

Thanks,
Guy



RE: [ActiveDir] NETBIOS Character Limitation?

2006-06-19 Thread neil.ruston

NetBIOS names are restricted to 15 chars.

As joe stated, the $ is not included in that 15 since it's not part of the name being resolved (using WINS) - it's only used within the AD database itself.

The 16th char is reserved and indicates the service(s) offered by this NBT name.

Nothing changed from NT to w2k to w2k3 with regard to NBT names.

As joe also stated, your app appears to introduce a 14 char limitation and not the underlying OS. ADU&C can certainly create a 15 char NBT name (and still append the $ char in the database) without issue.

I hope this helps.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 16 June 2006 18:17
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Cc: joe
Subject: RE: [ActiveDir] NETBIOS Character Limitation?

Hi Joe,

So going back to my original question, can I use 15 character server names or am I limited to 14 characters?

Jose

-- Original message --
From: "joe" <[EMAIL PROTECTED]>

The $ for computer accounts isn't included in the NetBIOS name for nameres, only in the DB and that was to hide them from being displayed with normal user accounts in NT days.

What is the web based tool? Tell the vendor to fix it. In the meanwhile, create the account another way.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, June 16, 2006 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NETBIOS Character Limitation?

Greetings,

I am trying to create a 15 character SQL cluster node name in Active Directory using a web based tool. The tool will only allow me to use 14 characters and the Active Directory group states “The 14 character limit is due to the '$' that must be appended to the samAccountName for backward compatibility. WINS has a 15 character limit. To ensure there is always room for the '$' the field is limited to 14 characters”.

I have been working with WINS since NT 3.51, and NetBIOS has always been 15 characters followed by a 16th binary value. The last 16th binary value is for a unique ID. I have Michael Masterson's WINS & DNS book (I was on the board of the NTEA www.ntea.net) with him.

http://www.amazon.com/gp/product/1562059432/qid=1150472910/sr=1-7/ref=sr_1_7/002-3567057-9128019?s=books&v=glance&n=283155

Was the character limitation reduced in AD 2003 and WINS?

Sincerely,

Jose Medeiros
Storage Area Network Systems Engineer
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct, 408-449-6621 Cell

"Anyone who has never made a mistake has never tried anything new."
Albert Einstein
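To make the 15-plus-1 rule in neil's answer concrete, here is an added example (not code from the thread, from ADU&C, or from the web tool under discussion) that builds the 16-byte NetBIOS name, derives the sAMAccountName with its trailing "$", and applies the RFC 1001 first-level encoding that actually goes on the wire. The suffix values are the ones Windows uses; the allowed character set is a deliberately conservative subset and the node name is a constructed sample.

```python
import string

# Reserved 16th byte: RFC 1001/1002 leave its meaning to the service; these
# particular values are the ones Windows assigns.
SUFFIX_WORKSTATION = 0x00   # computer / workstation name
SUFFIX_MESSENGER = 0x03     # messenger service
SUFFIX_SERVER = 0x20        # file server service

# Conservative character set for the 15-character part (assumption: stricter
# than what NetBIOS itself tolerates, on purpose).
_ALLOWED = set(string.ascii_uppercase + string.digits + "-")


def is_valid_netbios_name(name):
    """True for 1..15 allowed characters. The '$' is not part of the name."""
    return 1 <= len(name) <= 15 and all(c in _ALLOWED for c in name.upper())


def netbios_name(name, suffix=SUFFIX_WORKSTATION):
    """16-byte NetBIOS name: up to 15 chars, space padded, plus the reserved
    16th byte that identifies the service the name is registered for."""
    if not is_valid_netbios_name(name):
        raise ValueError("invalid NetBIOS name: %r" % name)
    return name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])


def sam_account_name(name):
    """Directory form of a computer account: the NetBIOS name with '$'
    appended. A 15-character name gives a 16-character sAMAccountName, which
    is fine because the '$' is never part of what WINS or broadcast resolves."""
    return netbios_name(name)[:15].rstrip(b" ").decode("ascii") + "$"


def first_level_encode(nb16):
    """RFC 1001 first-level encoding: every nibble becomes a letter A..P, so
    the 16 bytes (suffix included) travel as one 32-character label."""
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in nb16)


def first_level_decode(label):
    """Inverse of first_level_encode; returns the 16 raw bytes."""
    if len(label) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    vals = [ord(c) - ord("A") for c in label]
    return bytes((vals[i] << 4) | vals[i + 1] for i in range(0, 32, 2))


if __name__ == "__main__":
    node = "SQLCLUSTERNODE1"                  # constructed 15-character sample
    nb = netbios_name(node, SUFFIX_SERVER)
    print(nb, len(nb))                          # 16 bytes, last one 0x20
    print(sam_account_name(node))               # SQLCLUSTERNODE1$
    print(first_level_encode(nb))               # 32-character wire label
    print(is_valid_netbios_name("SQLCLUSTERNODE16"))   # False: 16 characters
```

The validation function is the check a provisioning tool should be doing: reject more than 15 characters, and never count the "$" against that limit, because it is appended in the directory after the fact rather than sent in the name that WINS or NBT resolves.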