RE: [ActiveDir] OT: Higher Education web access
We use webdav and publish instructions for staff/students to just add their home folder as a "my network place" on their home computers. This works well - once you've connected it's just another location that appears in explorer or file dialogues. If you're happy to continue with FTP access to the web folder then that's perfectly possible; I'm assuming you're scripting creation of users so it's just a case of adding an extra bit to create and permission a folder somewhere in the IIS folder for each user.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn
Sent: 19 June 2006 21:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Higher Education web access

Hello all,

Sorry for the OT, but I'm a bit at a loss on parts of the big move. As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory. We've overcome several hurdles up to this point. Our next big one is how to give access to our students' files via a web browser and also a way to host their own web pages. Currently we accomplish this via IUAdmin and apache services. IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks. I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment. To help give a better idea of what we do, I offer three web pages:

Students can login to the following page and gain access to their files.
http://locker.uky.edu

The next link shows you some screenshots of what you would see if you logged in as bigtest.
http://locker.uky.edu/help.htm

Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature):
http://locker.uky.edu/~pglenn

Thanks for any help even if it's just a pointer to another listserv

Paul
--
***"I've got a fever and the only prescription is more cowbell."--Christopher Walken***
RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server
To all single DC folks - when you perform a restore of your single DC from an image, as part of your procedure do you increase the value of the RID pool or just restore and resume working?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 20 Jun 2006 1:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

And you didn't go to Jeff Middleton's TechEd session on DR for Small business did you?

We're a single DC folks.. hello... it works. We're not enterprise and that means best practices for you are not best practices for us. Acronis works. Big boys can't image DCs.. we can. We're little..we're agile and we can do it. Big server land can't ...and that's fine...but the rules of big server land stop at the gates of SBSland... it's a whole diff ball game for us. (Fenway was cool btw)

Paul Glenn wrote:
I attended a Disaster Recovery of AD class at TechEd this past week. One thing they said was to NEVER EVER rely on a ghost image for DR. Their reasoning was the whole SID situation.

Paul

On 6/17/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
And us SBSers will say that sometimes that single DC with a DR strategy in place can be less of an issue than multiple domain controllers. (please note the DR strategy phrase there.. this is planned ahead of time) What is the size of the firm and what is the tolerance of downtime. Start from there. Plan your DR process.

Almeida Pinto, Jorge de wrote:
Only in an AD environment with ONE DC in the AD FOREST, there would not be much of an issue. Although I still recommend to use a supported method. No matter how many DCs, using a supported method/tool/procedure, you will always be ready for it. As soon as you get a second DC, the image thing won't work that good anymore.

For more info also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx

I also recommend to have AT LEAST 2 DC in each AD domain (and backup at least 2, preferably more if you have more DCs) for if something goes wrong with one DC. In that case while one DC is still running you can repair the other or promote another DC into the AD domain. If you only have one DC, AD will be available again as soon as that single DC is up and running again.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Jose Medeiros
Sent: Sat 2006-06-17 08:01
To: [EMAIL PROTECTED]
Cc: Medeiros, Jose; ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

Hi Amit,

Well first you'll need to buy Symantec Ghost Corporate Edition so you have the 32 bit version. Then if you have a server such as a HP Proliant DL-580 with a 6400 Smart Raid Controller you'll need to add the Raid controller driver to your bootable CD Rom that you'll have to create so it can access the Raid Disk Array. If you want to create your own Bootable CD, I would recommend you use Microsoft WinPE or Bart's PE http://www.nu2.nu/pebuilder/. Barts also allows you to use Acronis http://www.acronis.com/ which may be less expensive than Ghost Corporate, however I have only used Ghost Version 8, 32Bit and can attest that it works (I've imaged several hundred servers with it at ADP Payroll Systems). Hope this helps, the rest is up to you and requires that you read the documentation with each product.

Best Wishes,
Jose Medeiros
http://www.myspace.com/josemedeiros1

- Original Message -
From: Amit Kapoor [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 16, 2006
RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server
Hi David,

Just restore and resume as it's a single DC.

Cheers
Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wyatt, David
Sent: 20 June 2006 10:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

To all single DC folks - when you perform a restore of your single DC from an image, as part of your procedure do you increase the value of the RID pool or just restore and resume working?
[ActiveDir] Win2k Sites Login Servers
Windows 2000 Domain in Native Mode (Test Environment)

1 Domain
3 Sites each with its subnets defined
3 servers each with an IP address relating to a particular site. Each server is hosting DNS and DHCP. Each server is a GC.

When I plug a laptop in and log on as a user for the 1st time it will log onto the DC that is in its relevant site, but when I log off and log in to another site it will still connect to the previous GC as its login server unless we perform a flushdns before logging off. The laptop will pick up the correct DHCP address depending on what site it is at. I am using 'echo %logonserver%' to determine which login server it is using. I have tried shortening the DHCP lease time but still the same issue occurs.

Chris.
RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server
Note that you will of course need to restore the changes taken between images, i.e. system state et al

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Rutherford
Sent: 20 June 2006 11:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

Hi David,

Just restore and resume as it's a single DC.

Cheers
Rob
RE: [ActiveDir] Win2k Sites Login Servers
Does all look good with your DNS SRV records per site? Are there any errors in the client event logs? Does the behavior occur from any site? If you reboot and log on to the other site is all ok?

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 20 June 2006 11:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win2k Sites Login Servers
RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server
Now here's the problem. The "just restore and resume" approach could be, in a very specific situation, a bad idea. I'm sure everything would "work" as such, but as desired?

After a backup is taken, new security principals might have been created in the domain. These security principals might be permissioned on certain resources e.g. file shares etc. Now depending on when the image was taken and restored, it is *possible* the security principals no longer exist because the recovery has reverted to the image date, but their access rights might still exist. If the RID pool is not raised after a restore, new security principals created after the recovery might obtain identical security IDs (SIDs) and could have access to those objects, which was not originally intended. So:

Monday - image taken
Tuesday - 10 new domain groups created and assigned permissions to file server
Wednesday - need to recover DC as it's crashed, restore image from Monday.

Now you have SIDs assigned on the file server but are not present on the domain. When you create new security principals they could obtain identical SIDs to the ones belonging to the groups that were created on Tuesday.

Would it not be prudent to raise the RID pool as part of your single DC recovery procedure? I can't see what harm it would do anyway.
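David's Monday/Tuesday/Wednesday scenario replayed as an added simulation. This is example code written for this page, not from the thread; the domain SID, share path and group names are constructed, and the RID counter is a toy stand-in for the real RID pool.

```python
"""Toy model of the RID-reuse risk discussed above: a single DC restored
from an older image re-issues RIDs that were already handed out after the
image was taken, so a later principal can inherit ACEs left on a file
server by a principal that no longer exists. Domain SID, share path and
group names are constructed for the example."""
from copy import deepcopy
from dataclasses import dataclass, field

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
PAYROLL_SHARE = r"\\fs1\payroll"                           # constructed


@dataclass
class Domain:
    """Single-DC stand-in: a RID counter plus the principals it has issued."""
    next_rid: int = 1100                              # toy start value, not a real pool
    principals: dict = field(default_factory=dict)    # sid -> account name

    def create(self, name: str) -> str:
        sid = f"{DOMAIN_SID}-{self.next_rid}"
        self.next_rid += 1
        self.principals[sid] = name
        return sid

    def raise_rid_pool(self, amount: int = 10000) -> None:
        """Skip past every RID that could have been issued after the image."""
        self.next_rid += amount


@dataclass
class FileServer:
    """ACEs live on a different machine, so a DC restore does not touch them."""
    acl: dict = field(default_factory=dict)           # resource -> set of SIDs

    def grant(self, resource: str, sid: str) -> None:
        self.acl.setdefault(resource, set()).add(sid)

    def orphaned_sids(self, domain: Domain) -> dict:
        """ACEs whose SID does not resolve against the (restored) domain.
        A non-empty result right after a restore is the signal to act
        before anything new is created."""
        result = {}
        for resource, sids in self.acl.items():
            missing = {s for s in sids if s not in domain.principals}
            if missing:
                result[resource] = missing
        return result


def run_scenario(raise_pool_after_restore: bool):
    """Replays Monday image / Tuesday groups / Wednesday restore and returns
    (orphaned ACEs found after the restore, names that resolve on the payroll
    ACL once new principals exist, the new principals' SIDs)."""
    dom, fs = Domain(), FileServer()
    fs.grant(PAYROLL_SHARE, dom.create("Payroll-Admins"))        # existed before Monday
    monday_image = deepcopy(dom)                                 # Monday: image taken

    tuesday = [dom.create(f"Group-{i:02d}") for i in range(10)]  # Tuesday: 10 new groups
    fs.grant(PAYROLL_SHARE, tuesday[3])                          # one gets payroll access

    dom = deepcopy(monday_image)                                 # Wednesday: image restored
    if raise_pool_after_restore:
        dom.raise_rid_pool()
    orphans = fs.orphaned_sids(dom)                              # Tuesday SIDs no longer resolve

    new_sids = [dom.create(f"Intern-{i:02d}") for i in range(10)]  # later, unrelated principals

    resolved = {dom.principals[s] for s in fs.acl[PAYROLL_SHARE] if s in dom.principals}
    return orphans, resolved, new_sids


if __name__ == "__main__":
    for raised in (False, True):
        orphans, resolved, _ = run_scenario(raised)
        print(f"RID pool raised after restore: {raised}")
        print(f"  orphaned ACEs right after restore: {orphans}")
        print(f"  names with payroll access afterwards: {sorted(resolved)}")
```

Without the raise, the fourth intern group lands on the same RID as Tuesday's fourth group and silently inherits its payroll ACE; with the raise the stale ACE stays orphaned, which is what the orphan check is there to surface so it can be cleaned up.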
Re: [ActiveDir] can I exclude a particular user account from authenticated users?
I'm just curious why you would want to remove an authenticated user from the authenticated users group? What's the goal?

On 6/20/06, joe [EMAIL PROTECTED] wrote:
Disable the account's ability to authenticate. Makes the account rather worthless but it is the only thing I can think of that would accomplish the stated goal.

Programmatically you might be able to modify the token at the local machine level such that the auth users SID isn't enabled, but that would take some rather involved work I expect. See http://msdn.microsoft.com/library/default.asp?url="" . It isn't anything I have tried, just a theory based on some reading I have done in the API docs.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Monday, June 19, 2006 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] can I exclude a particular user account from authenticated users?

This may sound like an off the wall question, but I would like to exclude a particular user account from the built-in security principal "Authenticated Users". Is there any way to do this? TIA!

Mike Thommes
Re: [ActiveDir] RDP Over SSL (No Security tab in Client)
(wrinkles nose) Why? Why did you not just install the updated version using the installer? Was there an advantage? I'm so full of questions I know, but this seems the hard way with issues waiting for later.

On 6/20/06, Ravi Dogra [EMAIL PROTECTED] wrote:
Thanks,

I have achieved this by making a copy of mstsc.exe and mstscax.dll from a windows2k3 sp1 box and placing it in a different folder of the client other than system32. Registered the dll and this fixed the problem.

Thanks Again,
Ravi Dogra

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server
The decision is made by the IT pro of the needed recovery process. I would hope that any one of the folks on this list wouldn't just have an image restore if they were a single DC but also a system state out there as well. You as the pro then make the appropriate recovery method... authoritative restore, throw back in the image... whatever... if you are running a single DC... you've gone through the permutations... you know why you've chosen single DC over multiple DCs.. you have a plan.

Again... in the SBS space there is a camp that would argue that introduction of multiple DCs takes away the flexibility of imaging that DC.

...and in SBSland... who makes 10 new domain groups for heavens sake on Tuesday? We set this network up three years ago with the appropriate security groups and OU structure and we honestly have not touched that structure since.

I would argue as an IT pro... you will know the needs of your client and have that decision tree mapped out of the ways you can DR that network. As long as you can grab a part of that system state even if it's off an old tape media... you can reinsert that (this is called the Graveyard Swing by JeffM in SBSland). When the need for DR hits you'll want options to go down that highway.. not just one path.
Re: [ActiveDir] DDNS in Unix environment
Guy, I think the concern I have (I'll limit to one for this sentence) is that if you update the DNS, what does that do for the client? I.E. how does the client know to look at some other DNS? Or, more simply, how does the DNS get updated if that site the client was using for DNS goes to the dogs? I'm wondering how that mechanism works in your scenario because the client has to be able to find the information and if the DNS went with the solution, then it's going to be difficult to make that work. On the other hand, if DNS is hosted outside this solution, then you're only real hope is to use a load balancer IMHO. Why? Because the people already have a signifcant investment in making this work and to do otherwise would be the equivalent of puttingHuffy tires on a Mazerati; sure it might work andit'll drastically cheaper up front, but would you really want to do that and would you really be happy about it? Would you want your friends to see you in that car? Anyhow, the solution lies with Veritas and by taking a good hard look at all 8 layers of the stack and comparing/contrasting that with your deliverables. HA doesn't occur at the application layer alone; rather it's a system that comes together and takes into account all 8 layers of the computing stack. To do otherwise is without question a waste of time and resources. Keep your head low, walk softly and carry a very large Windows appliance. ;) Al On 6/19/06, Guy Teverovsky [EMAIL PROTECTED] wrote: I will try to address all the points raised. Al: You are right. The idea is to provide highly available service as transparently as possible. This is one of those times when Unix folks are leading the project and they are trying to find the solution in the DNS. I have already pointed out that even if DDNS is successful, the TTLs will have to be reduced drastically to very short values. 
Mike: I have already suggested simple WMI script somehow triggered by the cluster, but they are hesitant about any non-standard customization. The SimpleFailover however looks like something that I might be able to use. Will defenetly have a better look at it. Funny that I have not found it while exercising my google-fu. Willem: If you ask me, the solution should indeed be based on some sort of appliance based load balancer, but the folks are looking into software based solution - introducing network related changes could be quite tricky in this case (politics,another IT group, single point of failure...) Disclaimer: have no idea about Veritas HA Unix cluster either ;) Now if I could only smack the Unix folks, make them disable DDNS registration requirement on the cluster andlook into hardware load balancer, the life wouldbe much easier... Bottom line: Unix people are evil ! do notlet them near your AD ;) (ducking and getting on a plane) Thanks all for the input ! Guy From: Willem KasdorpSent: Mon 6/19/2006 5:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DDNS in Unix environment Guy, Those are good points by Al. Especially the DNS TTL will break you up if the customer expects a quick failover. I would expect that there is some mechanism in the cluster failover (a script hook or something) that will allow you to manually change DNS where needed. But is this really the way to go? I'd take a hard look at how the app is supposed to realize high availability. Additionally, I have seen a similar scenario where a redundant network loadbalancer would reroute traffic to the active node. That would take care of name resolution and similar issues, anyway. 
-- Cheers, Willem (disclaimer: I know nothing about Veritas HA clusters)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Monday, June 19, 2006 4:01 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DDNS in Unix environment

Guy, can we assume that the requirement is to provide the high availability as transparently as possible then? What is the expectation if the primary site goes away as far as client name res? What is their way of knowing that the server went away and to use a new name (keeping in mind that caching etc is going to take place)? What does Veritas recommend? (it is their product after all). Al

On 6/17/06, Guy Teverovsky [EMAIL PROTECTED] wrote:

Howdy all, I am banging my head over this trying to come up with a solution for a client. To make the long story short: financial organization which is very concerned about security. They are setting up a new network segment that will be serving some application to the internal network (there is a firewall in between). Because of the critical nature of the application, there is a DR site. AD is used for authentication and DNS. There is a Veritas HA cluster serving the application that will fail over to DR site in case the primary site goes down.
Primary site: 2 DCs with SFU (R2) + Veritas cluster node
DR site: 2 DCs with SFU (R2) + Veritas cluster node.
Primary and DR site
Re: [ActiveDir] OT: Higher Education web access
I myself would be more than happy with this scenario. However, when I discuss this with the VP he says we can't take away anything they have now. So that means I have to find a way for them to access their files through some type of web interface (which maybe I can convince him WEBDAV is almost like what they have now) and also be able to publish their own web pages.

Paul

On 6/20/06, Steve Rochford [EMAIL PROTECTED] wrote:

We use webdav and publish instructions for staff/students to just add their home folder as a "my network place" on their home computers. This works well - once you've connected it's just another location that appears in explorer or file dialogues. If you're happy to continue with FTP access to the web folder then that's perfectly possible; I'm assuming you're scripting creation of users so it's just a case of adding an extra bit to create and permission a folder somewhere in the IIS folder for each user. Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn Sent: 19 June 2006 21:27 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Higher Education web access

Hello all, Sorry for the OT, but I'm a bit at a loss on parts of the big move. As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory. We've overcome several hurdles up to this point. Our next big one is how to give access to our students' files via a web browser and also a way to host their own web pages. Currently we accomplish this via IUAdmin and apache services. IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks. I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment.
To help give a better idea of what we do, I offer three web pages: Students can login to the following page and gain access to their files. http://locker.uky.edu The next link shows you some screenshots of what you would see if you logged in as bigtest. http://locker.uky.edu/help.htm Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature): http://locker.uky.edu/~pglenn Thanks for any help even if it's just a pointer to another listserv. Paul -- ***"I've got a fever and the only prescription is more cowbell."--Christopher Walken***

-- ***"I've got a fever and the only prescription is more cowbell."--Christopher Walken***
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Robert Rutherford wrote:

Hi, It does sound like our old pal DNS. If you run a dcdiag and netdiag, do they both run clean? If not then please post the results.

Both clean. Every test I can think of comes up clean. The only real symptom was in the original message - lack of admin access to the w2k3 DCs from the w2k DC. Checking the event log on the w2k3 DC I see the computer and user log in and out successfully. Just something denying access.

If all is clean and it's a test environment then pull it and clean it up with ntdsutil et al.

Sounds like a fun way to spend the morning. :-)

al

If it's a new situation then just replicate and see if you still have the issue. I have always found a couple of hours helps many ills. BR Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom Sent: 19 June 2006 20:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

I'm in the process of upgrading my test domain (empty root and 1 child) to w2k3 R2 based DCs and (thanks to help from the friendly folks here) am just about done. I have one last w2k dc left to remove. It doesn't want to go peacefully. I moved the FSMO roles off and the next day tried to dcpromo it down to a simple server. I get Managing the network session with FBDC1.fnal.gov failed Access is denied. dcpromoui t:0x848 00479 Exit State::GetFailureMessage The operation failed because: Managing the network session with FBDC1.fnal.gov failed A quick check shows that I can't get to the admin shares of my new w2k3 dc/FSMO role holder from the w2k dc. I can get to the admin shares of the other simple servers but not either of the 2 DCs.
Other systems can access the admin shares via the domain admin account I'm using on the w2k DC. I've been searching and have found people having a similar problem when promoting a w2k machine to be a DC but not when demoting. I've tried a number of the things that were suggested in those articles and they have had no effect. There is no firewall in the way. AD replication and FRS work. Any ideas before I rip it out? al -- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: Higher Education web access
If I am reading your requirement correctly, WEBDAV is a web interface. Hit the page with IE and there is your network folder. As for the web publishing, are they making the sites themselves and then just uploading them? Then publish their website home folder also via WEBDAV.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn Sent: Tuesday, June 20, 2006 9:13 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Higher Education web access

I myself would be more than happy with this scenario. However, when I discuss this with the VP he says we can't take away anything they have now. So that means I have to find a way for them to access their files through some type of web interface (which maybe I can convince him WEBDAV is almost like what they have now) and also be able to publish their own web pages. Paul

On 6/20/06, Steve Rochford [EMAIL PROTECTED] wrote:

We use webdav and publish instructions for staff/students to just add their home folder as a "my network place" on their home computers. This works well - once you've connected it's just another location that appears in explorer or file dialogues. If you're happy to continue with FTP access to the web folder then that's perfectly possible; I'm assuming you're scripting creation of users so it's just a case of adding an extra bit to create and permission a folder somewhere in the IIS folder for each user. Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn Sent: 19 June 2006 21:27 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Higher Education web access

Hello all, Sorry for the OT, but I'm a bit at a loss on parts of the big move. As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory. We've overcome several hurdles up to this point. Our next big one is how to give access to our students' files via a web browser and also a way to host their own web pages.
Currently we accomplish this via IUAdmin and apache services. IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks. I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment. To help give a better idea of what we do, I offer three web pages: Students can login to the following page and gain access to their files. http://locker.uky.edu The next link shows you some screenshots of what you would see if you logged in as bigtest. http://locker.uky.edu/help.htm Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature): http://locker.uky.edu/~pglenn Thanks for any help even if it's just a pointer to another listserv. Paul -- ***"I've got a fever and the only prescription is more cowbell."--Christopher Walken***

-- ***"I've got a fever and the only prescription is more cowbell."--Christopher Walken***
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Denying access? Hmm so logged on to the w2K machine you can't access the admin$ share of either of the DCs right?

On 6/20/06, Al Lilianstrom [EMAIL PROTECTED] wrote:

Robert Rutherford wrote:

Hi, It does sound like our old pal DNS. If you run a dcdiag and netdiag, do they both run clean? If not then please post the results.

Both clean. Every test I can think of comes up clean. The only real symptom was in the original message - lack of admin access to the w2k3 DCs from the w2k DC. Checking the event log on the w2k3 DC I see the computer and user log in and out successfully. Just something denying access.

If all is clean and it's a test environment then pull it and clean it up with ntdsutil et al.

Sounds like a fun way to spend the morning. :-)

al

If it's a new situation then just replicate and see if you still have the issue. I have always found a couple of hours helps many ills. BR Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom Sent: 19 June 2006 20:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

I'm in the process of upgrading my test domain (empty root and 1 child) to w2k3 R2 based DCs and (thanks to help from the friendly folks here) am just about done. I have one last w2k dc left to remove. It doesn't want to go peacefully. I moved the FSMO roles off and the next day tried to dcpromo it down to a simple server. I get Managing the network session with FBDC1.fnal.gov failed Access is denied. dcpromoui t:0x848 00479 Exit State::GetFailureMessage The operation failed because: Managing the network session with FBDC1.fnal.gov failed A quick check shows that I can't get to the admin shares of my new w2k3 dc/FSMO role holder from the w2k dc.
I can get to the admin shares of the other simple servers but not either of the 2 DCs. Other systems can access the admin shares via the domain admin account I'm using on the w2k DC. I've been searching and have found people having a similar problem when promoting a w2k machine to be a DC but not when demoting. I've tried a number of the things that were suggested in those articles and they have had no effect. There is no firewall in the way. AD replication and FRS work. Any ideas before I rip it out? al -- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED]
RE: [ActiveDir] Question on rightsguid
There are three things currently handled in the extended-rights container of objectclass controlAccessRight:

Validated Writes
Property Sets
Extended Rights

These are differentiated by the validAccesses attribute[1]. Quickly it lays out like:

Validated Writes have validAccesses value of 8
Property Sets have validAccesses value of 32
Extended Rights have validAccesses value of 256

While they are the same objectclass and in the same container, they are not the same things. The attributeSecurityGUID is used to tie schema objects to property sets. Validated Rights and Extended Rights are hardcoded into the OS. While you could add those types of objects, you wouldn't get anything out of the OS with them, you would need to write your application(s) to use them.

Now there are some things that are a bit confusing... The rightsGuid of Add/Remove self as member is the same as the member attribute's schemaIDGUID. This means that if you don't use the correct access mask the permission will not be written properly and many programs and scripts (including several of mine) actually display this incorrectly. If the mask is a CA grant/deny (control access) then the permission is for Add/Remove self as member, if the mask is anything else, it is the member schema attribute. It gets even worse with the rightsGUID of Validated write to DNS host name, which is also the rightsGUID of the property set DNS Host Name Attributes AND the schemaIDGUID of the attribute dNSHostName.

I've actually been meaning to blog this for a while now as I keep fielding questions in email and the newsgroups about it. Seems like a lot of people are actually really looking at that stuff finally. I reported the DNS GUIDs item to MSFT back after K3 came out as I didn't think it was right. I still don't think it is the right way to handle it but too late to change now. It just adds a bunch of confusion to something that doesn't need the confusion because it is already too confusing.

As for the second part...
I have been asked that and actually people have insisted it is a bug in my code so much that I did blog it. http://blog.joeware.net/2005/12/17/173/

joe

[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe Sent: Monday, June 19, 2006 5:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Question on rightsguid

All, I've been doing a little digging into AD and was wondering why the rightsguid for the validated-spn and the self-membership validated rights doesn't have objects in the schema with matching attributesecurityguid values. Is it correct to assume that there should be objects in the schema with attributesecurityguid values to match each rightsguid value of each controlaccess object? Or is rightsguid only really important for propertysets? Also I noticed when I used joe's adfind to list objects which had the rightsguid value from validated-dns-host-name, the filter listed the same rightsguid value in a different format. i.e.

adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd attributesecurityguid

was expanded as

Transformed Filter: (&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD))

I deduced G=47, r=72 etc.. Can anyone explain the above for me? Cheers M@
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Al Mulnick wrote:

Denying access? Hmm so logged on to the w2K machine you can't access the admin$ share of either of the DCs right?

Correct. I can access any member server admin$ share from the w2k machine. I can access the w2k3 DC admin$ share from any other w2k3 machine in the domain. I just can't access the w2k3 DC admin$ share from the w2k DC.

al

On 6/20/06, Al Lilianstrom [EMAIL PROTECTED] wrote:

Robert Rutherford wrote:

Hi, It does sound like our old pal DNS. If you run a dcdiag and netdiag, do they both run clean? If not then please post the results.

Both clean. Every test I can think of comes up clean. The only real symptom was in the original message - lack of admin access to the w2k3 DCs from the w2k DC. Checking the event log on the w2k3 DC I see the computer and user log in and out successfully. Just something denying access.

If all is clean and it's a test environment then pull it and clean it up with ntdsutil et al.

Sounds like a fun way to spend the morning. :-)

al

If it's a new situation then just replicate and see if you still have the issue. I have always found a couple of hours helps many ills. BR Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom Sent: 19 June 2006 20:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

I'm in the process of upgrading my test domain (empty root and 1 child) to w2k3 R2 based DCs and (thanks to help from the friendly folks here) am just about done. I have one last w2k dc left to remove. It doesn't want to go peacefully.
I moved the FSMO roles off and the next day tried to dcpromo it down to a simple server. I get Managing the network session with FBDC1.fnal.gov failed Access is denied. dcpromoui t:0x848 00479 Exit State::GetFailureMessage The operation failed because: Managing the network session with FBDC1.fnal.gov failed A quick check shows that I can't get to the admin shares of my new w2k3 dc/FSMO role holder from the w2k dc. I can get to the admin shares of the other simple servers but not either of the 2 DCs. Other systems can access the admin shares via the domain admin account I'm using on the w2k DC. I've been searching and have found people having a similar problem when promoting a w2k machine to be a DC but not when demoting. I've tried a number of the things that were suggested in those articles and they have had no effect. There is no firewall in the way. AD replication and FRS work. Any ideas before I rip it out? al -- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED]

-- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED]
Re: [ActiveDir] RDP Over SSL (No Security tab in Client)
OK cool... But as most know, there is 'tsmmc.msc' also to work with RDP. I use this a lot to have fewer windows open... If they make SSL available, what about having SSL with the 'tsmmc.msc'? TIA

On 6/20/06, Al Mulnick [EMAIL PROTECTED] wrote:

*wrinkles nose* Why? Why did you not just install the updated version using the installer? Was there an advantage? I'm so full of questions I know, but this seems the hard way with issues waiting for later.

On 6/20/06, Ravi Dogra [EMAIL PROTECTED] wrote:

Thanks, I have achieved this by making a copy of mstsc.exe and mstscax.dll from a Windows 2k3 SP1 box and placing it in a different folder of the client other than system32. Registered the dll and this fixed the problem. Thanks Again, Ravi Dogra
RE: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
What do you see in the network trace? Is it attempting the connection? Is it establishing the TCP/IP connection and then blowing out in the NetBIOS handshake? Does it get through the handshake and then fail?

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom Sent: Tuesday, June 20, 2006 10:53 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

Al Mulnick wrote:

Denying access? Hmm so logged on to the w2K machine you can't access the admin$ share of either of the DCs right?

Correct. I can access any member server admin$ share from the w2k machine. I can access the w2k3 DC admin$ share from any other w2k3 machine in the domain. I just can't access the w2k3 DC admin$ share from the w2k DC.

al

On 6/20/06, Al Lilianstrom [EMAIL PROTECTED] wrote:

Robert Rutherford wrote:

Hi, It does sound like our old pal DNS. If you run a dcdiag and netdiag, do they both run clean? If not then please post the results.

Both clean. Every test I can think of comes up clean. The only real symptom was in the original message - lack of admin access to the w2k3 DCs from the w2k DC. Checking the event log on the w2k3 DC I see the computer and user log in and out successfully. Just something denying access.

If all is clean and it's a test environment then pull it and clean it up with ntdsutil et al.

Sounds like a fun way to spend the morning. :-)

al

If it's a new situation then just replicate and see if you still have the issue. I have always found a couple of hours helps many ills.
BR Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom Sent: 19 June 2006 20:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

I'm in the process of upgrading my test domain (empty root and 1 child) to w2k3 R2 based DCs and (thanks to help from the friendly folks here) am just about done. I have one last w2k dc left to remove. It doesn't want to go peacefully. I moved the FSMO roles off and the next day tried to dcpromo it down to a simple server. I get Managing the network session with FBDC1.fnal.gov failed Access is denied. dcpromoui t:0x848 00479 Exit State::GetFailureMessage The operation failed because: Managing the network session with FBDC1.fnal.gov failed A quick check shows that I can't get to the admin shares of my new w2k3 dc/FSMO role holder from the w2k dc. I can get to the admin shares of the other simple servers but not either of the 2 DCs. Other systems can access the admin shares via the domain admin account I'm using on the w2k DC. I've been searching and have found people having a similar problem when promoting a w2k machine to be a DC but not when demoting. I've tried a number of the things that were suggested in those articles and they have had no effect. There is no firewall in the way. AD replication and FRS work. Any ideas before I rip it out?
al -- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED]

-- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED]
RE: [ActiveDir] OT: Higher Education web access
All you're "taking away" is the limitation of 1 file at a time. (OK, the interface is different but for Windows users it's going to be much more like what they use when they're working with local files)

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn Sent: 20 June 2006 14:13 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Higher Education web access

I myself would be more than happy with this scenario. However, when I discuss this with the VP he says we can't take away anything they have now. So that means I have to find a way for them to access their files through some type of web interface (which maybe I can convince him WEBDAV is almost like what they have now) and also be able to publish their own web pages. Paul

On 6/20/06, Steve Rochford [EMAIL PROTECTED] wrote:

We use webdav and publish instructions for staff/students to just add their home folder as a "my network place" on their home computers. This works well - once you've connected it's just another location that appears in explorer or file dialogues. If you're happy to continue with FTP access to the web folder then that's perfectly possible; I'm assuming you're scripting creation of users so it's just a case of adding an extra bit to create and permission a folder somewhere in the IIS folder for each user. Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn Sent: 19 June 2006 21:27 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Higher Education web access

Hello all, Sorry for the OT, but I'm a bit at a loss on parts of the big move. As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory. We've overcome several hurdles up to this point. Our next big one is how to give access to our students' files via a web browser and also a way to host their own web pages. Currently we accomplish this via IUAdmin and apache services.
IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks. I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment. To help give a better idea of what we do, I offer three web pages: Students can login to the following page and gain access to their files. http://locker.uky.edu The next link shows you some screenshots of what you would see if you logged in as bigtest. http://locker.uky.edu/help.htm Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature): http://locker.uky.edu/~pglenn Thanks for any help even if it's just a pointer to another listserv. Paul -- ***"I've got a fever and the only prescription is more cowbell."--Christopher Walken***

-- ***"I've got a fever and the only prescription is more cowbell."--Christopher Walken***
RE: [ActiveDir] Question on rightsguid
Oops, correction here, I spaced for a second. The value for Property Sets in validAccesses is a combination of ACTRL_DS_WRITE_PROP + ACTRL_DS_READ_PROP so the value is 32 + 16 or 48, not just 32.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe Sent: Tuesday, June 20, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on rightsguid

There are three things currently handled in the extended-rights container of objectclass controlAccessRight:

Validated Writes
Property Sets
Extended Rights

These are differentiated by the validAccesses attribute[1]. Quickly it lays out like:

Validated Writes have validAccesses value of 8
Property Sets have validAccesses value of 32
Extended Rights have validAccesses value of 256

While they are the same objectclass and in the same container, they are not the same things. The attributeSecurityGUID is used to tie schema objects to property sets. Validated Rights and Extended Rights are hardcoded into the OS. While you could add those types of objects, you wouldn't get anything out of the OS with them, you would need to write your application(s) to use them.

Now there are some things that are a bit confusing... The rightsGuid of Add/Remove self as member is the same as the member attribute's schemaIDGUID. This means that if you don't use the correct access mask the permission will not be written properly and many programs and scripts (including several of mine) actually display this incorrectly. If the mask is a CA grant/deny (control access) then the permission is for Add/Remove self as member, if the mask is anything else, it is the member schema attribute. It gets even worse with the rightsGUID of Validated write to DNS host name, which is also the rightsGUID of the property set DNS Host Name Attributes AND the schemaIDGUID of the attribute dNSHostName.
I've actually been meaning to blog this for a while now as I keep fielding questions in email and the newsgroups about it. Seems like a lot of people are actually really looking at that stuff finally. I reported the DNS GUIDs item to MSFT back after K3 came out as I didn't think it was right. I still don't think it is the right way to handle it but too late to change now. It just adds a bunch of confusion to something that doesn't need the confusion because it is already too confusing.

As for the second part... I have been asked that and actually people have insisted it is a bug in my code so much that I did blog it. http://blog.joeware.net/2005/12/17/173/

joe

[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe Sent: Monday, June 19, 2006 5:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Question on rightsguid

All, I've been doing a little digging into AD and was wondering why the rightsguid for the validated-spn and the self-membership validated rights doesn't have objects in the schema with matching attributesecurityguid values. Is it correct to assume that there should be objects in the schema with attributesecurityguid values to match each rightsguid value of each controlaccess object? Or is rightsguid only really important for propertysets? Also I noticed when I used joe's adfind to list objects which had the rightsguid value from validated-dns-host-name, the filter listed the same rightsguid value in a different format. i.e.

adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd attributesecurityguid

was expanded as

Transformed Filter: (&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD))

I deduced G=47, r=72 etc.. Can anyone explain the above for me?
Cheers M@
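The two things joe's reply and correction explain (the validAccesses values that tell the three kinds of controlAccessRight apart, and the same GUID meaning different things depending on the ACE access mask) and Matheesha's question about why AdFind rewrote the rightsGuid as G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD come down to byte layout and bit masks, so here is an added worked example in Python. It is not code from the thread, from joe or from AdFind. The Validated-DNS-Host-Name GUID is the one quoted in the post; the member/Self-Membership GUID is the well-known schema value, not something the post states; and the rule that AdFind leaves printable alphanumerics unescaped (G, r, O) is inferred from the filter shown and is an assumption about AdFind's display.

```python
"""Decode the overloaded GUIDs and validAccesses values discussed in the thread.

Added example, not from the original posts.  Demonstrates:
  1. attributeSecurityGUID / schemaIDGUID / rightsGuid are all the same 16-byte
     mixed-endian GUID; an LDAP filter on a binary attribute escapes those bytes,
     which is why 72e39547-... shows up as G\\95\\E3r\\18\\7B...  (G=0x47, r=0x72, O=0x4F).
  2. validAccesses splits controlAccessRight objects into validated writes (8),
     property sets (16+32 = 48, per joe's correction) and extended rights (256).
  3. an object ACE's meaning depends on the access mask, not the GUID alone.
"""
import uuid

# ADS_RIGHT_* access-mask bits (Iads.h); the same values appear in validAccesses.
ADS_RIGHT_DS_SELF = 0x08            # validated write
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # extended right

def guid_to_ldap_filter(guid_str, literal_alnum=True):
    """Encode a GUID as it appears in an LDAP filter value for a binary attribute.

    The stored form is uuid.bytes_le (first three fields little-endian).  RFC 4515
    escapes every byte as \\HH; with literal_alnum the printable alphanumerics are
    left as-is, reproducing the AdFind output quoted in the post (assumption).
    """
    parts = []
    for b in uuid.UUID(guid_str).bytes_le:
        if literal_alnum and b < 0x80 and chr(b).isalnum():
            parts.append(chr(b))
        else:
            parts.append("\\%02X" % b)
    return "".join(parts)

def ldap_filter_to_guid(escaped):
    """Inverse: turn \\HH escapes plus literal characters back into a GUID string."""
    raw = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            raw.append(int(escaped[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(escaped[i]))
            i += 1
    return str(uuid.UUID(bytes_le=bytes(raw)))

def classify_control_access_right(valid_accesses):
    """Kind of controlAccessRight object, from its validAccesses attribute."""
    if valid_accesses == ADS_RIGHT_DS_SELF:
        return "validatedWrite"
    if valid_accesses == ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP:
        return "propertySet"
    if valid_accesses == ADS_RIGHT_DS_CONTROL_ACCESS:
        return "extendedRight"
    return "unknown"

# GUIDs with more than one meaning.  The DNS one is quoted in the post; the
# member / Self-Membership value is the well-known schema value (not from the post).
OVERLOADED_GUIDS = {
    "bf9679c0-0de6-11d0-a285-00aa003049e2": {
        "validatedWrite": "Self-Membership (Add/Remove self as member)",
        "attribute": "member",
    },
    "72e39547-7b18-11d1-adef-00c04fd8d5cd": {
        "validatedWrite": "Validated write to DNS host name",
        "propertySet": "DNS Host Name Attributes",
        "attribute": "dNSHostName",
    },
}

def interpret_object_ace(object_type_guid, access_mask):
    """What an object ACE grants: the objectType GUID is ambiguous, the mask decides.

    A tool that looks only at the GUID shows 'member' for an ACE whose mask is
    DS_SELF, which really grants Add/Remove self as member.
    """
    meanings = OVERLOADED_GUIDS.get(object_type_guid.lower())
    if meanings is None:
        return "GUID not in the overloaded-GUID table"
    if access_mask & ADS_RIGHT_DS_SELF and "validatedWrite" in meanings:
        return meanings["validatedWrite"]
    if access_mask & ADS_RIGHT_DS_CONTROL_ACCESS and "extendedRight" in meanings:
        return meanings["extendedRight"]
    if access_mask & (ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP):
        # property set and attribute share the GUID; the ACE cannot tell them apart
        return " / ".join(v for k, v in meanings.items() if k in ("propertySet", "attribute"))
    return "mask grants none of the GUID-scoped rights"

if __name__ == "__main__":
    dns_guid = "72e39547-7b18-11d1-adef-00c04fd8d5cd"
    encoded = guid_to_ldap_filter(dns_guid)
    print(encoded, ldap_filter_to_guid(encoded) == dns_guid)
    for value in (8, 32, 48, 256):
        print(value, classify_control_access_right(value))
    for mask in (ADS_RIGHT_DS_SELF, ADS_RIGHT_DS_WRITE_PROP):
        print(hex(mask), interpret_object_ace("bf9679c0-0de6-11d0-a285-00aa003049e2", mask))
```

Running it reproduces AdFind's transformed filter value exactly, round-trips it back to the dotted GUID, classifies 32 as unknown (the value joe first gave) and 48 as a property set, and shows the same member GUID reading as Self-Membership with a DS_SELF mask but as the member attribute with a WRITE_PROP mask.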
[ActiveDir] Errors During Authoritative Restore
I have a few questions for you AD gurus out there! :) I just ran through a Disaster Recovery test of two of our ADs and I have a few questions which have come up as a result of the test.

Configuration Notes: These boxes are Windows 2003, SP1. The domains were originally Windows 2000 domains.

The following errors pop up on one of the domain controllers during the restore.

"Could not display the attribute type for the object with DNT 831424. Error: failed to get dn of dnt 831424"

This occurs many times throughout the restore. NOTE: This is during a complete restore, e.g. "authoritative restore: restore database". I also see a few of these.

"There was an error parsing the GUID from the file on line: 1981"

(Not too many of these, maybe four or five)

Additionally, with SP1, LDIF files are created to restore back-links. The file that restores the user/group back-links imports successfully. The file that restores the configuration back-links fails. (sorry, I do not have the error handy)

The authoritative restore says it completed successfully, and after I go through metadata cleanup and FSMO seizure, the box starts up without any errors, and AD throws no errors on startup.

I was wondering if anyone can tell me what these errors mean? What are their ramifications? How can the errors be resolved?

Thanks, Josh
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
joe wrote: What do you see in the network trace? Is it attempting the connection? Is it establishing the TCP/IP connection and then blowing out in the NetBIOS handshake? Does it get through the handshake and then fail?

I get a connection and then the access denied returned to the client.

SMB Negotiate Protocol Request
SMB Negotiate Protocol Response
SMB Session Setup AndX Request
SMB Session Setup AndX Response
SMB Tree Connect AndX Request, Path: \\FBDC1\D$
SMB Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
SMB Logoff AndX Request
SMB Logoff AndX Response, Error: STATUS_ACCESS_DENIED

I have a logon/logoff in the security log on the w2k3 DC. al

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Tuesday, June 20, 2006 10:53 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

Al Mulnick wrote: Denying access? Hmm so logged on to the w2K machine you can't access the admin$ share of either of the DC's right? Correct. I can access any member server admin$ share from the w2k machine. I can access the w2k3 DC admin$ share from any other w2k3 machine in the domain. I just can't access the w2k3 DC admin$ share from the w2k DC. al

On 6/20/06, *Al Lilianstrom* [EMAIL PROTECTED] wrote: Robert Rutherford wrote: Hi, It does sound like our old pal DNS. If you run a dcdiag and netdiag, do they both run clean? If not then please post the results. Both clean. Every test I can think of comes up clean. The only real symptom was in the original message - lack of admin access to the w2k3 DCs from the w2k DC. Checking the event log on the w2k3 DC I see the computer and user log in and out successfully. Just something denying access. If all is clean and it's a test environment then pull it and clean it up with ntdsutil et al. Sounds like a fun way to spend the morning.
:-) al If it's a new situation then just replicate and see if you still have the issue. I have always found a couple of hours helps many ills. BR Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: 19 June 2006 20:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

I'm in the process of upgrading my test domain (empty root and 1 child) to w2k3 R2 based DCs and (thanks to help from the friendly folks here) am just about done. I have one last w2k dc left to remove. It doesn't want to go peacefully. I moved the FSMO roles off and the next day tried to dcpromo it down to a simple server. I get

Managing the network session with FBDC1.fnal.gov failed Access is denied.
dcpromoui t:0x848 00479 Exit State::GetFailureMessage The operation failed because: Managing the network session with FBDC1.fnal.gov failed

A quick check shows that I can't get to the admin shares of my new w2k3 dc/FSMO role holder from the w2k dc. I can get to the admin shares of the other simple servers but not either of the 2 DCs. Other systems can access the admin shares via the domain admin account I'm using on the w2k DC. I've been searching and have found people having a similar problem when promoting a w2k machine to be a DC but not when demoting. I've tried a number of the things that were suggested in those articles and they have had no effect. There is no firewall in the way. AD replication and FRS work. Any ideas before I rip it out?
al -- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server
Two things ... Secondly, it isn't just security groups, has anyone been hired or quit? Firstly, the whole thing isn't big server vs. small server ... it is whether you have any AD replicas, that includes having two DCs for the same domain (assuming neither is NT4, then these DCs replicate the domain), or having another domain in the same forest (it is a replica of the global config/schema). Cheers, -BrettSh

On Tue, 20 Jun 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: The decision is made by the IT pro of the needed recovery process. I would hope that any one of the folks on this list wouldn't just have an image restore if they were a single DC but also a system state out there as well. You as the pro then make the appropriate recovery method... authoritative restore, throw back in the image, whatever... if you are running a single DC... you've gone through the permutations... you know why you've chosen single DC over multiple DCs.. you have a plan. Again... in the SBS space there is a camp that would argue that introduction of multiple DCs takes away the flexibility of imaging that DC. ...and in SBSland... who makes 10 new domain groups for heavens sake on Tuesday? We set this network up three years ago with the appropriate security groups and OU structure and we honestly have not touched that structure since. I would argue as an IT pro... you will know the needs of your client and have that decision tree mapped out of the ways you can DR that network. As long as you can grab a part of that system state even if it's off an old tape media... you can reinsert that (this is called the Graveyard Swing by JeffM in SBSland). When the need for DR hits you'll want options to go down that highway.. not just one path.

Wyatt, David wrote: Now here's the problem. The just restore and resume approach could be, in a very specific situation, a bad idea. I'm sure everything would work as such, but as desired?
After a backup is taken, new security principals might have been created in the domain. These security principals might be permissioned on certain resources, e.g. file shares etc. Now depending on when the image was taken and restored, it is *possible* the security principals no longer exist because the recovery has reverted to the image date, but their access rights might still exist. If the RID pool is not raised after a restore, new security principals created after the recovery might obtain identical security IDs (SIDs) and could have access to those objects, which was not originally intended. So:

Monday - image taken
Tuesday - 10 new domain groups created and assigned permissions to file server
Wednesday - need to recover DC as it's crashed, restore image from Monday.

Now you have SIDs assigned on the file server that are not present in the domain. When you create new security principals they could obtain identical SIDs to the ones belonging to the groups that were created on Tuesday. Would it not be prudent to raise the RID pool as part of your single DC recovery procedure? I can't see what harm it would do anyway.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: 20 Jun 2006 11:00 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server Hi David, Just restore and resume as it's a single DC.
Cheers Rob Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David Sent: 20 June 2006 10:38 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server To all single DC folks - when you perform a restore of your single DC from an image, as part of your procedure do you increase the value of the RID pool or just restore and resume working? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 20 Jun 2006 1:03 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server And you didn't go to Jeff Middleton's TechEd session on DR for Small business did you? We're a single DC folks.. hello... it works. We're not enterprise and that means best practices for you are not best practices for us. Acronis works. Big boys can't image DCs.. we can.
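An added example (my code, not from the thread) of the scenario David lays out, run on constructed data. It lists which SIDs in a file server's ACLs belong to the domain but no longer resolve after the image restore, then computes how far rIDAvailablePool has to be raised so that the next RID the domain hands out is above every orphaned RID, beside the blunter fixed increment of 100 000 that Microsoft's restore guidance uses. The domain SID, RIDs and ACL are made up; the rIDAvailablePool layout (high 32 bits = maximum RID, low 32 bits = next RID to allocate) is the documented one. One caveat David's question does not cover: rIDAvailablePool only governs blocks the RID master allocates in future, and a DC restored from an image still holds the block recorded in its own RID Set, so it keeps issuing from that block until the block is invalidated. Raising the pool is therefore necessary but not sufficient on its own.

```python
# Added example, not from the thread. Domain SID, RIDs and ACL below are constructed.
from __future__ import annotations

from typing import Iterable

# rIDAvailablePool (on CN=RID Manager$,CN=System,<domain>) is one 64-bit value:
# high 32 bits = highest RID the domain may ever issue (0x3FFFFFFF by default),
# low 32 bits  = next RID the RID master hands out when a DC asks for a block.
RID_MAX_DEFAULT = 0x3FFFFFFF


def split_rid_pool(value: int) -> tuple[int, int]:
    """(next_rid, max_rid) from a raw rIDAvailablePool value."""
    return value & 0xFFFFFFFF, value >> 32


def join_rid_pool(next_rid: int, max_rid: int = RID_MAX_DEFAULT) -> int:
    """Raw rIDAvailablePool value for the given next/max RIDs."""
    if not 0 < next_rid <= max_rid:
        raise ValueError("next RID must lie inside the domain's RID range")
    return (max_rid << 32) | next_rid


def domain_rid(sid: str, domain_sid: str) -> int | None:
    """RID if the SID was issued by this domain, else None. BUILTIN, NT AUTHORITY,
    well-known and foreign-domain SIDs cannot be reissued by this domain's restore."""
    prefix = domain_sid + "-"
    if not sid.startswith(prefix):
        return None
    return int(sid[len(prefix):])


def orphaned_rids(acl_sids: Iterable[str], domain_sid: str, live_sids: Iterable[str]) -> set[int]:
    """Domain RIDs referenced by ACEs that resolve to no principal after the restore.
    These are the SIDs a newly created user or group could inherit."""
    live = set(live_sids)
    found: set[int] = set()
    for sid in acl_sids:
        rid = domain_rid(sid, domain_sid)
        if rid is not None and sid not in live:
            found.add(rid)
    return found


def required_pool_value(pool_value: int, orphans: set[int]) -> int:
    """Smallest rIDAvailablePool whose next RID is above every orphaned RID."""
    next_rid, max_rid = split_rid_pool(pool_value)
    floor = max(orphans, default=0) + 1
    return join_rid_pool(max(next_rid, floor), max_rid)


def bump_pool_value(pool_value: int, increment: int = 100_000) -> int:
    """The blunt fix from Microsoft's restore guidance: add a fixed amount to the
    low 32 bits. Adding to the raw 64-bit value in LDP does the same thing as
    long as the low half does not overflow."""
    next_rid, max_rid = split_rid_pool(pool_value)
    return join_rid_pool(next_rid + increment, max_rid)


# Constructed scenario from the post: image Monday, ten groups Tuesday, restore Wednesday.
DOMAIN = "S-1-5-21-1111-2222-3333"
MONDAY_POOL = join_rid_pool(1010)  # next RID the restored image will hand out
MONDAY_SIDS = [f"{DOMAIN}-{rid}" for rid in (500, 512, 513, *range(1000, 1010))]
FILESERVER_ACL = [
    "S-1-5-32-544",                                       # BUILTIN\Administrators, not a domain SID
    "S-1-5-18",                                           # LocalSystem, not a domain SID
    f"{DOMAIN}-512",                                      # Domain Admins, still exists
    f"{DOMAIN}-1003",                                     # a Monday group, still exists
    *(f"{DOMAIN}-{rid}" for rid in range(1010, 1020)),    # Tuesday's ten groups, now orphaned
]


def analyse(acl=FILESERVER_ACL, live=MONDAY_SIDS, pool=MONDAY_POOL, domain=DOMAIN) -> dict:
    """Orphaned RIDs plus the two candidate rIDAvailablePool values."""
    orphans = orphaned_rids(acl, domain, live)
    return {
        "orphans": orphans,
        "minimal_pool": required_pool_value(pool, orphans),
        "kb_pool": bump_pool_value(pool),
    }


if __name__ == "__main__":
    r = analyse()
    print("orphaned RIDs on the file server:", sorted(r["orphans"]))
    print("next RID after minimal raise:", split_rid_pool(r["minimal_pool"])[0])
    print("next RID after +100000:", split_rid_pool(r["kb_pool"])[0])
```

In practice you would feed orphaned_rids the SIDs harvested from every resource ACL you care about and the SIDs of all principals present in the restored directory; the minimal value is only as good as that inventory, which is why the fixed increment is the safer default when you cannot enumerate every ACL.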
Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server
Yeah, we fired the guy who screwed up the AD on Monday.

Brett Shirley wrote: Two things ... Secondly, it isn't just security groups, has anyone been hired or quit? Firstly, the whole thing isn't big server vs. small server ... it is whether you have any AD replicas, that includes having two DCs for the same domain (assuming neither is NT4, then these DCs replicate the domain), or having another domain in the same forest (it is a replica of the global config/schema). Cheers, -BrettSh

[snip: quoted thread as in the previous message, down to Susan Bradley's reply, which continues:] Acronis works. Big boys can't image DCs.. we can. We're little..we're agile and we can do it. Big server land can't ...and that's
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
I'm with joe on getting that network trace. I'm curious if replication has been working and if you made any adjustments for having a windows 2000 dc in a W2K3 environment? Any other applications?

On 6/20/06, joe [EMAIL PROTECTED] wrote: What do you see in the network trace? Is it attempting the connection? Is it establishing the TCP/IP connection and then blowing out in the NetBIOS handshake? Does it get through the handshake and then fail? [snip]

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Errors During Authoritative Restore
Do you have any schema extensions applied? Do you know if those schemas added any LDAP naming attributes? If the 2nd question doesn't make sense to you, I'll figure out a way you can query this, and send it to us.

Aside, it is generally not recommended to run restore database. In fact this command was removed from Longhorn. If you decide to retry that scenario again, I can suggest some intermediate steps that would be good to know, i.e.

1. Before running auth restore, it would be interesting to know the results of an esentutl /k ntds.dit (checksum the database).
2. After auth restore, it would be good to know if the database is logically consistent from ESE's perspective (do this via esentutl /g ntds.dit).
3. Also after: whether it is logically consistent from AD's perspective (do this via, exact command line provided: ntdsutil sem data anal go q q).

Cheers, BrettSh [msft] Ex-Building 7 Garage Door Operator

On Tue, 20 Jun 2006, Joshua Coffman wrote: [snip: the question quoted in full above]

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] Servers or Workstations
Hey all, I thought I had our AD migration plan as we were going to do workstations first but I'm having second thoughts. I think we should do servers first then workstations. Could I have your thoughts on this. Thanks, john List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Al Mulnick wrote: I'm with joe on getting that network trace. I'm curious if replication has been working and if you made any adjustments for having a windows 2000 dc in a W2K3 environment? Any other applications?

Replication is working - both AD and FRS. GPOs apply. Everything seems to work except for the ability to access the admin$ share on the w2k3 DCs so that I can demote the machine cleanly and remove it from the domain. The trace is in my message sent around 11:00am Central. No other apps running.

On 6/20/06, *joe* [EMAIL PROTECTED] wrote: [snip]
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Shot in the dark, but can you reboot the 2K dc and try again/check for errors?

On 6/20/06, Al Lilianstrom [EMAIL PROTECTED] wrote: Replication is working - both AD and FRS. GPOs apply. Everything seems to work except for the ability to access the admin$ share on the w2k3 DCs so that I can demote the machine cleanly and remove it from the domain. The trace is in my message sent around 11:00am Central. No other apps running. [snip]

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Al Mulnick wrote: Shot in the dark, but can you reboot the 2K dc and try again/check for errors?

I've done that a few times when I was trying to make sure there wasn't a GPO with an incorrect setting causing the problem. al

On 6/20/06, *Al Lilianstrom* [EMAIL PROTECTED] wrote: [snip]
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Based on the trace you posted, I'm also raising an eyebrow about your SMB signing levels. IE, you may have SMB signing mandatory on the server service on the 2K3 boxen, while SMB signing isn't enabled on the client service on the 2K box. Look for mismatches in the following two settings on both the 2K and 2K3 box:

Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network server: Digitally sign communications (always)

- Laura E. Hunter

On 6/20/06, Al Mulnick wrote:

Shot in the dark, but can you reboot the 2K dc and try again/check for errors?
RE: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Ok, thanks for the info. What happens if you try to connect to a non-admin share? Say like sysvol. I am wondering about signing/encryption settings. I have had issues with that in the past between 2K and K3. I believe that is where it will blow out but it has been awhile since I have looked at a trace showing that failure. Your nameres seems to be working ok though so we know that it is communicating with the proper place so DNS is probably out of the picture for you at least. :)

You will probably find that K3 DCs have that enabled as mandatory by default in their local settings (undefined in domain and domain controllers policy). Run secpol.msc from the command line so you can look at what your real settings are.

If the signing/encryption stuff is all in sync, I would try connecting via IP to see if it is some sort of kerb related issue. But seriously, my gut says it is SMB signing.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Tuesday, June 20, 2006 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

joe wrote:

What do you see in the network trace? Is it attempting the connection? Is it establishing the TCP/IP connection and then blowing out in the NetBIOS handshake? Does it get through the handshake and then fail?

I get a connection and then the access denied returned to the client.

SMB Negotiate Protocol Request
SMB Negotiate Protocol Response
SMB Session Setup AndX Request
SMB Session Setup AndX Response
SMB Tree Connect AndX Request, Path: \\FBDC1\D$
SMB Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
SMB Logoff AndX Request
SMB Logoff AndX Response, Error: STATUS_ACCESS_DENIED

I have a logon/logoff in the security log on the w2k3 DC.

al

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: 19 June 2006 20:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

I'm in the process of upgrading my test domain (empty root and 1 child) to w2k3 R2 based DCs and (thanks to help from the friendly folks here) am just about done. I have one last w2k dc left to remove. It doesn't want to go peacefully. I moved the FSMO roles off and the next day tried to dcpromo it down to a simple server. I get

Managing the network session with FBDC1.fnal.gov failed
RE: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
That's scary. Laura and I agree on something. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Tuesday, June 20, 2006 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

Based on the trace you posted, I'm also raising an eyebrow about your SMB signing levels. IE, you may have SMB signing mandatory on the server service on the 2K3 boxen, while SMB signing isn't enabled on the client service on the 2K box. Look for mismatches in the following two settings on both the 2K and 2K3 box:

Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network server: Digitally sign communications (always)

- Laura E. Hunter
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Laura E. Hunter wrote:

Based on the trace you posted, I'm also raising an eyebrow about your SMB signing levels. IE, you may have SMB signing mandatory on the server service on the 2K3 boxen, while SMB signing isn't enabled on the client service on the 2K box. Look for mismatches in the following two settings on both the 2K and 2K3 box:

Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network server: Digitally sign communications (always)

Laura,

You're an angel. I had looked at those settings yesterday and stopped on the w2k3 side at MS Client Sign if Server agrees. Changed Microsoft network server: Digitally sign communications (always) and my w2k DC is no more. :-)

Thank you very much.

al
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
joe wrote:

Ok, thanks for the info. What happens if you try to connect to a non-admin share? Say like sysvol. I am wondering about signing/encryption settings. I have had issues with that in the past between 2K and K3. I believe that is where it will blow out but it has been awhile since I have looked at a trace showing that failure. Your nameres seems to be working ok though so we know that it is communicating with the proper place so DNS is probably out of the picture for you at least. :)

You will probably find that K3 DCs have that enabled as mandatory by default in their local settings (undefined in domain and domain controllers policy). Run secpol.msc from the command line so you can look at what your real settings are.

If the signing/encryption stuff is all in sync, I would try connecting via IP to see if it is some sort of kerb related issue. But seriously, my gut says it is SMB signing.

That's what it was. Strange that it was a problem in the child domain and not the root. Learn something new every day. :-)

Ethereal is far superior to tcpdump.

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
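An added check for the mismatch Laura and joe describe, not code from the thread: it reads the four registry values behind the two "Digitally sign communications" policies (EnableSecuritySignature and RequireSecuritySignature under LanmanWorkstation and LanmanServer) and predicts whether a session between a given client and server will be signed, unsigned, or refused. It assumes a current Windows host with PowerShell and, for remote reads, WinRM; the machine names in the live-check comment are placeholders, and the two constructed states model the thread's suspected w2k/w2k3 configuration.

```powershell
# Added example (not from the list thread). The registry paths/values are the
# documented LanmanWorkstation/LanmanServer parameters that the secpol.msc
# settings write; the outcome rules follow documented SMB signing negotiation.

function Get-SmbSigningState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $read = {
        $ws = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        $sv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        # An absent value reads as $false here; confirm the effective default in
        # secpol.msc if a property is missing rather than explicitly 0.
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            ClientEnable  = [bool]$ws.EnableSecuritySignature   # client: sign if server agrees
            ClientRequire = [bool]$ws.RequireSecuritySignature  # client: sign always
            ServerEnable  = [bool]$sv.EnableSecuritySignature   # server: sign if client agrees
            ServerRequire = [bool]$sv.RequireSecuritySignature  # server: sign always
        }
    }
    if ($ComputerName -ieq $env:COMPUTERNAME) { & $read }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $read }
}

function Test-SmbSigningCompat {
    param(
        [Parameter(Mandatory)]$Client,   # state of the machine opening the share
        [Parameter(Mandatory)]$Server    # state of the machine hosting the share
    )
    $clientOn = $Client.ClientEnable -or $Client.ClientRequire
    $serverOn = $Server.ServerEnable -or $Server.ServerRequire
    # A side that requires signing refuses a peer with signing switched off
    # outright; in the thread that showed up as STATUS_ACCESS_DENIED at
    # Tree Connect even though logon succeeded.
    if ($Server.ServerRequire -and -not $clientOn) {
        return 'FAIL: server requires signing, client has signing disabled'
    }
    if ($Client.ClientRequire -and -not $serverOn) {
        return 'FAIL: client requires signing, server has signing disabled'
    }
    if ($Server.ServerRequire -or $Client.ClientRequire -or ($clientOn -and $serverOn)) {
        return 'OK: session will be signed'
    }
    return 'OK: session will be unsigned'
}

# Constructed states modelling the mismatch suspected in the thread: the w2k3
# DC's server service set to "always", the w2k DC's client signing switched off.
$w2k3dc = [pscustomobject]@{ ClientEnable = $true;  ClientRequire = $false; ServerEnable = $true;  ServerRequire = $true }
$w2kdc  = [pscustomobject]@{ ClientEnable = $false; ClientRequire = $false; ServerEnable = $false; ServerRequire = $false }

Test-SmbSigningCompat -Client $w2kdc  -Server $w2k3dc   # the direction that failed in the thread
Test-SmbSigningCompat -Client $w2k3dc -Server $w2kdc    # the reverse direction, which still works

# Live comparison of two real boxes (placeholder names; replace with your DCs):
# $c = Get-SmbSigningState -ComputerName 'W2K-DC'
# $s = Get-SmbSigningState -ComputerName 'W2K3-DC'
# Test-SmbSigningCompat -Client $c -Server $s
```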
[ActiveDir] OT IPSec API
Does anyone know if there is a public API (preferably .NET) that will allow me to programmatically modify IPSec filter lists and policies in Active Directory? Right now I'm just using netsh.exe. It works but it seems like the right way to do it is to call the actual API (if it exists).

Thanks
Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Well would you look at that? Seems that I'm moving up in the world. ;-)

On 6/20/06, joe wrote:

That's scary. Laura and I agree on something. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: Re: [ActiveDir] Errors During Authoritative Restore
Thanks Brett, I appreciate your assistance on this.

Yes, there are tons of schema mods. In the domain throwing the majority of the errors, these mods were performed using an LDIF file, during the installation of a 3rd party Identity Management Application. I do not know if there have been LDAP naming attributes added or not. If you can send a query to verify, I would be happy to run it.

I knew that Restore Database is the "last resort" method, but that is what we wanted to test. We do have multiple DCs replicating across multiple geographic sites, so this scenario is unlikely, unless there were some sort of catastrophic corruption that took place. In the future, if "restore database" is unavailable, what will be used in its place if you need to do a bare metal authoritative restore of the entire AD?

It will take a while to run the tools you requested against the AD, because it is a production system. I cannot run them directly in the PROD environment, so I would have to pull a mirrored drive from the prod DC, and pop it into an offline server. This could take a while for the required approvals.

Thanks again for your help!

Josh

Date: Tue, 20 Jun 2006 10:09:58 -0700
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Errors During Authoritative Restore

Do you have any schema extensions applied? Do you know if those schemas added any LDAP naming attributes? If the 2nd question doesn't make sense to you, I'll figure out a way you can query this, and send it to us.

Aside, it is generally not recommended to run "restore database". In fact this command was removed from Longhorn.

If you decide to retry that scenario again, I can suggest some intermediate steps that would be good to know. i.e.

1. Before running auth restore, be interesting to know the results of an esentutl /k ntds.dit (checksum the database).
2. After auth restore, it would be good to know if the database is logically consistent from ESE's perspective (do this via "esentutl /g ntds.dit").
3. Also after we know it is logically consistent from AD's perspective (do this via, exact command line provided: ntdsutil "sem data anal" "go" "q" "q"

Cheers,
BrettSh [msft]
Ex-Building 7 Garage Door Operator

On Tue, 20 Jun 2006, Joshua Coffman wrote:

I have a few questions for you AD gurus out there! :)

I just ran through a Disaster Recovery test of two of our ADs and I have a few questions which have come up as a result of the test.

Configuration Notes:
These boxes are Windows 2003, SP1.
The domains were originally Windows 2000 domains.

The following errors pop up on one of the domain controllers during the restore.

"Could not display the attribute type for the object with DNT 831424. Error: failed to get dn of dnt 831424"

This occurs many times throughout the restore.

NOTE: This is during a complete restore, e.g. "authoritative restore: restore database"

I also see a few of these.

"There was an error parsing the GUID from the file on line: 1981" (Not too many of these, maybe four or five)

Additionally, with SP1, LDIF files are created to restore back-links. The file that restores the user/group back-links imports successfully. The file that restores the configuration back-links fails. (sorry, I do not have the error handy)

The authoritative restore says it completed successfully, and after I go through metadata cleanup and FSMO seizure, the box starts up without any errors, and AD throws no errors on startup.

I was wondering if anyone can tell me what these errors mean? What are their ramifications? How can the errors be resolved.

Thanks,
Josh
Re: [ActiveDir] Question on rightsguid
thanks joe!

M@

On 6/20/06, joe wrote:

Oops correction here, I spaced for a second. The value for Property Sets in validAccesses is a combination of ACTRL_DS_WRITE_PROP + ACTRL_DS_READ_PROP so the value is 32 + 16 or 48, not just 32.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 20, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on rightsguid

There are three things currently handled in the extended-rights container of objectclass controlAccessRight.

Validated Writes
Property Sets
Extended Rights

These are differentiated by the validAccesses attribute[1]. Quickly it lays out like

Validated Writes have validAccess value of 8
Property Sets have validAccesses value of 32
Extended Rights have validAccess value of 256

While they are the same objectclass and in the same container, they are not the same things. The attributeSecurityGUID is used to tie schema objects to property sets. Validated Rights and Extended Rights are hardcoded into the OS. While you could add those types of objects, you wouldn't get anything out of the OS with them, you would need to write your application(s) to use them.

Now there are some things that are a bit confusing... The rightsGuid of Add/Remove self as member is the same as the member attribute's schemaIDGUID. This means that if you don't use the correct access mask the permission will not be written properly and many programs and scripts (including several of mine) actually display this incorrectly. If the mask is a CA grant/deny (control access) then the permission is for Add/Remove self as member, if the mask is anything else, it is the member schema attribute.

It gets even worse with the rightsGUID of Validated write to DNS host name is also the rightsGUID of the property set DNS Host Name Attributes AND the schemaIDGUID of the attribute dNSHostName.

I've actually been meaning to blog this for a while now as I keep fielding questions in email and the newsgroups about it. Seems like a lot of people are actually really looking at that stuff finally. I reported the DNS GUIDs item to MSFT back after K3 came out as I didn't think it was right. I still don't think it is the right way to handle it but too late to change now. It just adds a bunch of confusion to something that doesn't need the confusion because it is already too confusing.

As for the second part... I have been asked that and actually people have insisted it is a bug in my code so much that I did blog it.

http://blog.joeware.net/2005/12/17/173/

joe

[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, June 19, 2006 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on rightsguid

All

I've been doing a little digging into AD and was wondering why the rightsguid for the validated-spn and the self-membership validated rights doesn't have objects in the schema with matching attributesecurityguid values. Is it correct to assume that there should be objects in the schema with attributesecurityguid values to match each rightsguid values of each controlaccess object? Or is rightsguid only really important for propertysets?

Also I noticed when I used joe's adfind to list objects which had the rightsguid value from validated-dns-host-name, the filter listed the same rightsguid value in a different format.

i.e adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd attributesecurityguid

was expanded as

Transformed Filter: (&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD))

I deduced G=47, r=72 etc..

Can anyone explain the above for me?

Cheers

M@
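An added example, not from the thread, that reproduces adfind's transformed filter for the GUID M@ asked about: [guid]::ToByteArray() yields the 16-byte layout AD stores in attributeSecurityGUID and schemaIDGUID (the first three fields little-endian), and each byte is then written either as a literal printable character or as a \XX escape, which is how 72e39547 becomes G\95\E3r. The reverse function decodes such a value back to a GUID; the function names are my own.

```powershell
# Added example (not from the list thread). Encodes a GUID the way an LDAP
# filter carries a binary attribute value, and decodes it again.

function ConvertTo-LdapGuidFilterValue {
    param([Parameter(Mandatory)][string]$GuidString)
    # ToByteArray() gives the mixed-endian layout AD stores, not the text order:
    # 72e39547-7b18-11d1-... becomes 47 95 E3 72 18 7B D1 11 ...
    $bytes = [guid]::Parse($GuidString).ToByteArray()
    $sb = New-Object System.Text.StringBuilder
    foreach ($b in $bytes) {
        # Printable ASCII stays literal except the characters RFC 4515 requires
        # escaping: '(' ')' '*' '\'. Everything else becomes \XX (upper-case hex).
        if ($b -ge 0x21 -and $b -le 0x7E -and (@(0x28, 0x29, 0x2A, 0x5C) -notcontains $b)) {
            [void]$sb.Append([char]$b)
        } else {
            [void]$sb.Append('\' + $b.ToString('X2'))
        }
    }
    $sb.ToString()
}

function ConvertFrom-LdapGuidFilterValue {
    param([Parameter(Mandatory)][string]$Escaped)
    $bytes = New-Object 'System.Collections.Generic.List[byte]'
    $i = 0
    while ($i -lt $Escaped.Length) {
        if ($Escaped[$i] -eq '\') {
            # \XX escape: two hex digits follow the backslash
            $bytes.Add([Convert]::ToByte($Escaped.Substring($i + 1, 2), 16))
            $i += 3
        } else {
            # literal printable character, e.g. 'G' (0x47), 'r' (0x72), 'O' (0x4F)
            $bytes.Add([byte][char]($Escaped[$i]))
            $i += 1
        }
    }
    if ($bytes.Count -ne 16) { throw "Decoded $($bytes.Count) bytes, expected 16" }
    New-Object System.Guid -ArgumentList (, $bytes.ToArray())
}

# The rightsGuid from the question; the escaped form matches adfind's output.
$rightsGuid = '72e39547-7b18-11d1-adef-00c04fd8d5cd'
$escaped = ConvertTo-LdapGuidFilterValue $rightsGuid
$escaped
(ConvertFrom-LdapGuidFilterValue $escaped).ToString() -eq $rightsGuid   # round trip

# Equivalent of the -propsetmembers expansion, usable with any LDAP client:
"(&(objectcategory=attributeschema)(attributeSecurityGUID=$escaped))"
```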
RE: [ActiveDir] Servers or Workstations
Hi John,

I would 'generally' opt for servers first as you can then take advantage of the 2K, 2K3 goodies, i.e. AD straight away when you migrate the workstations.

Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: 20 June 2006 18:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Servers or Workstations

Hey all,

I thought I had our Ad Migration plan as we were going to do workstations first but I'm having second thoughts. I think we should do servers first then workstations. Could I have your thoughts on this.

Thanks
john
RE: [ActiveDir] Servers or Workstations
Thanks Rob, thought so...

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, June 20, 2006 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Servers or Workstations

Hi John,

I would 'generally' opt for servers first as you can then take advantage of the 2K, 2K3 goodies, i.e. AD straight away when you migrate the workstations.

Rob
[ActiveDir] Mitel AD Integration
Has anyone dealt with Mitel's Directory Integration with regard to AD? Had the first meeting about that today and it sounds scary. I haven't read the docs yet but I didn't get the good feeling today.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
[ActiveDir] Event ID 20 :: KDC Certificate Error ::
Hi All,

I am getting Event ID 20 :: KDC Error :: The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.

I don't know how this is affecting or will affect as these are warning messages. What is the impact?

I can see my Certificate is still valid. What could be the possible reason. I have installed an Enterprise CA a long time back and since then I can see this error every approx. 10 hours. (I think I did something wrong)

Should I delete the previous Certificate and then issue a new certificate. I am a bit confused. (Thinking of doing it in a test environment first)

Sure I don't want to ignore these errors and Fix them ASAP. Kindly Suggest how can I get rid of this.

--
Ravi Dogra
RE: [ActiveDir] Event ID 20 :: KDC Certificate Error ::
: -Original Message-
: From: [EMAIL PROTECTED] On Behalf Of Ravi Dogra
: Subject: [ActiveDir] Event ID 20 :: KDC Certificate Error ::
:
: I am getting Event ID 20 :: KDC Error :: The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.
:
: I don't know how this is affecting or will affect as these are warning messages. What is the impact?
:
: I can see my Certificate is still valid. What could be the possible reason. I have installed an Enterprise CA a long time back and since then I can see this error every approx. 10 hours. (I think I did something wrong)

Is the CA's certificate valid?

Some other suggestions here:
http://www.eventid.net/display.asp?eventid=20&eventno=3396&source=KDC&phase=1

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!
RE: [ActiveDir] OT - Published app requires local admin
Thanks, Brian. That is what I am going to do.

-- nme

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 18, 2006 9:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Published app requires local admin

No it doesn't. Just push the app down to everyone and push the settings per user; it should accomplish the same thing.

--brian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Sunday, June 18, 2006 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT - Published app requires local admin

Hello:

I am trying to deploy the Cisco VPN client (4.8.01.0300) via a GPO. With some chopping to the MSI, I have been able to get it to install under the Computer Configuration. However, I would like to Publish it to users instead. For users who are members of the local admin group (yes, yes, I know that is another discussion), the software installs properly. For standard users, the Published install fails. As far as I could determine, there are two errors:

1) Error in custom action. The library c:\Docume~\...\ProductCode\insthelper.dll is invalid or could not be found.
2) CreateDeviceInfo error: Access is denied.

Doesn't the Published install run under the SYSTEM account? If so, why should it still need to be a local admin?

Thanks.

-- nme

P.S. Is there an effective way to prevent users from finding the original installer files and copying them from the network share? (Besides hidden share or hide file attribute.)

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.9.0/368 - Release Date: 6/16/2006
[ActiveDir] OT?: Need to NIS-enable a crap load of users...
Anyone familiar with SFU out there? At least half of my users do not have SFU attributes. I now have the need to create NIS accounts for all of them. Besides hitting the properties of each user and enabling them for NIS, what other options do I have? I do happen to have the means to generate a passwd file with autogenerated UIDs for all the users without SFU attribs. So:

- ldif import? I don't think that info will ever make it to the passwd map
- NIS2AD.exe? Not sure if this is for creating new maps or if it can be used to merge or add map entries
- (actually tested) nismap.exe -e "line from passwd" -r yes nisdomainname passwd

The last one adds the SFU attributes, but disables the account. I figure I can follow that up with a one-liner to re-enable the account. The only other concern is the msSFUPassword. Obviously I'm not going to put folks' passwords in the import file. Any other ideas?
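As an added example (not from the original post), here is the ldif-import route worked through in PowerShell: it turns passwd lines into an LDIF file of `changetype: modify` records that set the NIS attributes on existing AD users, so the user objects themselves are never recreated or disabled. Assumptions that are mine, not the poster's: the forest carries the SFU 3.x (msSFU30*) schema, the passwd login name equals the user's CN under a container you pass in, and msSFU30Password is deliberately left untouched.

```powershell
# Added example, not code from the original post. Generates LDIF to NIS-enable
# existing users from passwd-format lines. Assumed attribute names are the
# SFU 3.x ones (msSFU30*); the Windows Server 2003 R2 RFC 2307 schema uses
# uidNumber/gidNumber/unixHomeDirectory/loginShell instead.

function ConvertTo-LdifLine {
    param([string] $Attribute, [string] $Value)
    # RFC 2849: a value that starts with space, ':' or '<', or contains anything
    # outside printable ASCII, must be base64-encoded and written after '::'.
    if ($Value -match '^[\x21-\x39\x3B\x3D-\x7E][\x20-\x7E]*$') {
        return "${Attribute}: $Value"
    }
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Value)
    return "${Attribute}:: " + [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-PasswdToLdif {
    param(
        [Parameter(Mandatory = $true)] [string[]] $PasswdLines,
        [Parameter(Mandatory = $true)] [string]   $UserContainer,  # assumed, e.g. 'OU=Students,DC=example,DC=edu'
        [Parameter(Mandatory = $true)] [string]   $NisDomain
    )
    $records = New-Object System.Collections.Generic.List[string]
    foreach ($line in $PasswdLines) {
        if ($line -match '^\s*(#|$)') { continue }              # comments and blank lines
        $f = $line.Split(':')
        # passwd has exactly 7 fields; uid and gid must be numeric or NIS clients choke on the map.
        if ($f.Count -ne 7 -or $f[2] -notmatch '^\d+$' -or $f[3] -notmatch '^\d+$') {
            Write-Warning "Skipping malformed passwd line: $line"
            continue
        }
        $name = $f[0]; $uid = $f[2]; $gid = $f[3]; $gecos = $f[4]; $home = $f[5]; $shell = $f[6]

        # Assumed DN layout: CN equals the login name. RFC 4514 special characters
        # in the CN are escaped so a stray comma cannot redirect the modify.
        $cn = $name -replace '([,+"\\<>;=])', '\$1'
        $records.Add("dn: CN=$cn,$UserContainer")
        $records.Add("changetype: modify")

        # msSFU30Password is intentionally absent: passwords do not belong in the import file.
        $mods = [ordered]@{
            msSFU30NisDomain     = $NisDomain
            msSFU30Name          = $name
            msSFU30UidNumber     = $uid
            msSFU30GidNumber     = $gid
            msSFU30Gecos         = $gecos
            msSFU30HomeDirectory = $home
            msSFU30LoginShell    = $shell
        }
        foreach ($attr in $mods.Keys) {
            if ([string]::IsNullOrEmpty($mods[$attr])) { continue }   # passwd allows an empty gecos
            $records.Add("replace: $attr")
            $records.Add((ConvertTo-LdifLine -Attribute $attr -Value $mods[$attr]))
            $records.Add("-")
        }
        $records.Add("")                                        # blank line terminates the record
    }
    return $records.ToArray()
}

# Constructed sample input, not real accounts; the last line is deliberately bad.
$sample = @(
    '# login:pw:uid:gid:gecos:home:shell',
    'bigtest:x:10001:10000:Big Test:/home/bigtest:/bin/bash',
    'jdoe:x:10002:10000::/home/jdoe:/bin/sh',
    'broken:x:notanumber:10000:Bad UID:/home/broken:/bin/sh'
)
ConvertFrom-PasswdToLdif -PasswdLines $sample -UserContainer 'OU=Students,DC=example,DC=edu' -NisDomain 'campus' |
    Set-Content -Encoding ASCII -Path .\sfu-enable.ldf
# Review the file, then import it:  ldifde -i -k -f .\sfu-enable.ldf
```

Because these are modify records against users that already exist, userAccountControl is never touched, so the follow-up re-enable step the nismap route needs does not arise; ldifde's `-k` keeps the import running past a user that already has the attributes set.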