Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Laura E. Hunter

Based on the trace you posted, I'm also raising an eyebrow about your
SMB signing levels. IE, you may have SMB signing mandatory on the
server service on the 2K3 boxen, while SMB signing isn't enabled on
the client service on the 2K box. Look for mismatches in the following
two settings on both the 2K and 2K3 box:

Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network server: Digitally sign communications (always)

- Laura E. Hunter


On 6/20/06, Al Mulnick <[EMAIL PROTECTED]> wrote:

Shot in the dark, but can you reboot the 2K dc and try again/check for
errors?

On 6/20/06, Al Lilianstrom <[EMAIL PROTECTED]> wrote:
> Al Mulnick wrote:
> > I'm with joe on getting that network trace.  I'm curious if replication
> > has been working and if you made any adjustments for having a windows
> > 2000 dc in a W2K3 environment? Any other applications?
> >
>
> Replication is working - both AD and FRS. GPOs apply. Everything seems
> to work except for the ability to access the admin$ share on the w2k3
> DCs so that I can demote the machine cleanly and remove it from the
> domain.
>
> The trace is in my message sent around 11:00am Central.
>
> No other apps running.
>
> >
> > On 6/20/06, *joe* <[EMAIL PROTECTED]> wrote:
> >
> > What do you see in the network trace? Is it attempting the
> > connection? Is it establishing the TCP/IP connection and then
> > blowing out in the NetBIOS handshake? Does it get through the
> > handshake and then fail?
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
> > Sent: Tuesday, June 20, 2006 10:53 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
> >
> > Al Mulnick wrote:
> >  > Denying access?  Hmm so logged on to the w2K machine you can't
> >  > access the admin$ share of either of the DC's right?
> >
> > Correct.
> >
> > I can access any member server admin$ share from the w2k machine. I can
> > access the w2k3 DC admin$ share from any other w2k3 machine in the
> > domain.
> >
> > I just can't access the w2k3 DC admin$ share from the w2k DC.
> >
> > al
> >
> >  >
> >  > On 6/20/06, *Al Lilianstrom* <[EMAIL PROTECTED]> wrote:
> >  >
> >  > Robert Rutherford wrote:
> >  >  > Hi,
> >  >  >
> >  >  > It does sound like our old pal DNS.
> >  >  >
> >  >  > If you run a dcdiag and netdiag, do they both run clean? If not
> >  >  > then please post the results.
> >  >
> >  > Both clean. Every test I can think of comes up clean. The only real
> >  > symptom was in the original message - lack of admin access to the
> >  > w2k3 DCs from the w2k DC. Checking the event log on the w2k3 DC I
> >  > see the computer and user log in and out successfully. Just
> >  > something denying access.
> >  >
> >  >  > If all is clean and it's a test environment then pull it and
> >  >  > clean it up with ntdsutil et al.
> >  >
> >  > Sounds like a fun way to spend the morning. :-)
> >  >
> >  > al
> >  >
> >  >  > If it's a new situation then just replicate and see if you still
> >  >  > have the issue. I have always found a couple of hours helps many
> >  >  > ills.
> >  >  >
> >  >  > BR
> >  >  >
> >  >  > Rob
> >  >  >
> >  >  > Robert Rutherford
> >  >  > QuoStar Solutions Limited
> >  >  >
> >  >  > The Enterprise Pavilion
> >  >  > Fern Barrow
> >  >  > Wallisdown
> >  >  > Poole
> >  >  > Dorset
> >  >  > BH12 5HH
> >  >  > T: +44 (0) 8456 440 331
> >  >  > F: +44 (0) 8456 440 332
> >  >  > M: +44 (0) 7974 249 494
> >  >  > E: [EMAIL PROTECTED]
> >  >  > W: www.quostar.com
> >  >  >
> >  >  > -Original Message-
> >  >  > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
> >  >  > Sent: 19 June 2006 20:52
> >  >  > To: A

RE: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread joe
Ok, thanks for the info. 

What happens if you try to connect to a non-admin share? Say like sysvol. I
am wondering about signing/encryption settings. I have had issues with that
in the past between 2K and K3. I believe that is where it will blow out but
it has been awhile since I have looked at a trace showing that failure. Your
nameres seems to be working ok though so we know that it is communicating
with the proper place so DNS is probably out of the picture for you at
least. :)

You will probably find that K3 DCs have that enabled as mandatory by default
in their local settings (undefined in domain and domain controllers policy).
Run secpol.msc from the command line so you can look at what your real
settings are.

If the signing/encryption stuff is all in sync, I would try connecting via
IP to see if it is some sort of kerb related issue. But seriously, my gut
says it is SMB signing.

  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Tuesday, June 20, 2006 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

joe wrote:
> What do you see in the network trace? Is it attempting the connection? Is
> it establishing the TCP/IP connection and then blowing out in the NetBIOS
> handshake? Does it get through the handshake and then fail?
>

I get a connection and then the access denied returned to the client.

SMB  Negotiate Protocol Request
SMB  Negotiate Protocol Response
SMB  Session Setup AndX Request
SMB  Session Setup AndX Response
SMB  Tree Connect AndX Request, Path: \\FBDC1\D$
SMB  Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
SMB  Logoff AndX Request
SMB  Logoff AndX Response, Error: STATUS_ACCESS_DENIED

I have a logon/logoff in the security log on the w2k3 DC.

al

>>  > -Original Message-
>>  > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>>  > Sent: 19 June 2006 20:52
>>  > To: ActiveDir@mail.activedir.org
>>  > Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
>>  >
>>  > I'm in the process of upgrading my test domain (empty root and 1 child)
>>  > to w2k3 R2 based DCs and (thanks to help from the friendly folks here)
>>  > am just about done. I have one last w2k dc left to remove. It doesn't
>>  > want to go peacefully.
>>  >

RE: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread joe
That's scary. Laura and I agree on something. ;) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Tuesday, June 20, 2006 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

Based on the trace you posted, I'm also raising an eyebrow about your
SMB signing levels. IE, you may have SMB signing mandatory on the
server service on the 2K3 boxen, while SMB signing isn't enabled on
the client service on the 2K box. Look for mismatches in the following
two settings on both the 2K and 2K3 box:

Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network server: Digitally sign communications (always)

- Laura E. Hunter



Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Al Lilianstrom

Laura E. Hunter wrote:

> Based on the trace you posted, I'm also raising an eyebrow about your
> SMB signing levels. IE, you may have SMB signing mandatory on the
> server service on the 2K3 boxen, while SMB signing isn't enabled on
> the client service on the 2K box. Look for mismatches in the following
> two settings on both the 2K and 2K3 box:
>
> Microsoft network client: Digitally sign communications (if server agrees)
> Microsoft network server: Digitally sign communications (always)


Laura,

You're an angel. I had looked at those settings yesterday and stopped on 
the w2k3 side at MS Client Sign if Server agrees.


Changed

Microsoft network server: Digitally sign communications (always)

and my w2k DC is no more. :-)

Thank you very much.

al




Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Al Lilianstrom

joe wrote:
> Ok, thanks for the info.
>
> What happens if you try to connect to a non-admin share? Say like sysvol. I
> am wondering about signing/encryption settings. I have had issues with that
> in the past between 2K and K3. I believe that is where it will blow out but
> it has been awhile since I have looked at a trace showing that failure. Your
> nameres seems to be working ok though so we know that it is communicating
> with the proper place so DNS is probably out of the picture for you at
> least. :)
>
> You will probably find that K3 DCs have that enabled as mandatory by default
> in their local settings (undefined in domain and domain controllers policy).
> Run secpol.msc from the command line so you can look at what your real
> settings are.
>
> If the signing/encryption stuff is all in sync, I would try connecting via
> IP to see if it is some sort of kerb related issue. But seriously, my gut
> says it is SMB signing.


That's what it was. Strange that it was a problem in the child domain and
not the root.


Learn something new every day. :-)

Ethereal is far superior to tcpdump.

al



Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
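The mismatch Laura describes above (server-side "always" on the 2K3 DC against a 2K client with signing off) can be checked from `secedit /export` files before anyone opens secpol.msc. This is an added example, not code from the thread: the registry paths are the real values behind the two policy settings, the INF snippets are constructed, and the outcome rules follow the SMB1 signing negotiation matrix.

```python
"""Predict whether two Windows hosts will agree on SMB1 signing.

Parses the [Registry Values] lines that `secedit /export /cfg <file>` writes
for the four LanMan signing policies and applies the SMB1 negotiation rules.
"""
import re

# Registry values behind the secpol.msc settings quoted in the thread:
#   LanManWorkstation = "Microsoft network client", LanManServer = "Microsoft
#   network server"; Enable = "(if ... agrees)", Require = "(always)".
WKS = r"MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
SIGNING_VALUES = {
    WKS + r"\EnableSecuritySignature": "client_enabled",
    WKS + r"\RequireSecuritySignature": "client_required",
    SRV + r"\EnableSecuritySignature": "server_enabled",
    SRV + r"\RequireSecuritySignature": "server_required",
}

# secedit writes "path=type,value"; type 4 is REG_DWORD.
LINE_RE = re.compile(r"^(MACHINE\\[^=]+)=(\d+),(\S+)$")


def parse_signing_policy(inf_text):
    """Return the four signing flags from a secedit export (absent = off)."""
    flags = {name: False for name in SIGNING_VALUES.values()}
    for raw in inf_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name = SIGNING_VALUES.get(m.group(1))
        if name is None:
            continue
        if m.group(2) != "4":
            raise ValueError("expected REG_DWORD for " + m.group(1))
        flags[name] = int(m.group(3)) != 0
    return flags


def smb1_outcome(client_host, server_host):
    """'signed', 'unsigned' or 'refused' for client_host -> server_host.

    "always" on one side forces signing, so the peer must have signing at
    least enabled or the session is rejected (the STATUS_ACCESS_DENIED seen
    at Tree Connect in the trace above); both enabled -> signed; else unsigned.
    """
    c_req = client_host["client_required"]
    c_on = c_req or client_host["client_enabled"]
    s_req = server_host["server_required"]
    s_on = s_req or server_host["server_enabled"]
    if (s_req and not c_on) or (c_req and not s_on):
        return "refused"
    if c_on and s_on:
        return "signed"
    return "unsigned"


def diagnose(client_inf, server_inf):
    """Return (outcome, hint) for a client -> server pair of secedit exports."""
    client = parse_signing_policy(client_inf)
    server = parse_signing_policy(server_inf)
    outcome = smb1_outcome(client, server)
    hint = ""
    if outcome == "refused":
        side = "server" if server["server_required"] else "client"
        hint = (side + " has 'Digitally sign communications (always)' on while "
                "the peer has signing disabled; enable signing on the peer or "
                "relax the (always) setting")
    return outcome, hint


# Constructed exports: a W2K box whose client service never had signing
# enabled, and a W2K3 DC with the server-side default of (always).
W2K_DC_INF = f"""[Registry Values]
{WKS}\\EnableSecuritySignature=4,0
{WKS}\\RequireSecuritySignature=4,0
{SRV}\\EnableSecuritySignature=4,1
{SRV}\\RequireSecuritySignature=4,0
"""
W2K3_DC_INF = f"""[Registry Values]
{WKS}\\EnableSecuritySignature=4,1
{WKS}\\RequireSecuritySignature=4,0
{SRV}\\EnableSecuritySignature=4,1
{SRV}\\RequireSecuritySignature=4,1
"""
# The same W2K3 DC after (always) is turned off on the server service.
W2K3_DC_RELAXED_INF = W2K3_DC_INF.replace(
    f"{SRV}\\RequireSecuritySignature=4,1", f"{SRV}\\RequireSecuritySignature=4,0")

if __name__ == "__main__":
    print("w2k -> w2k3 (before):", diagnose(W2K_DC_INF, W2K3_DC_INF))
    print("w2k -> w2k3 (after): ", diagnose(W2K_DC_INF, W2K3_DC_RELAXED_INF))
    print("w2k3 -> w2k3:        ", diagnose(W2K3_DC_INF, W2K3_DC_INF))
```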


[ActiveDir] OT IPSec API

2006-06-20 Thread Isenhour, Joseph
Does anyone know if there is a public API (preferably .NET) that will
allow me to programmatically modify IPSec filter lists and policies in
Active Directory?

Right now I'm just using netsh.exe.  It works but it seems like the
right way to do it is to call the actual API (if it exists).

Thanks


Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Laura E. Hunter

Well would you look at that? Seems that I'm moving up in the world. ;-)

On 6/20/06, joe <[EMAIL PROTECTED]> wrote:

That's scary. Laura and I agree on something. ;)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm




RE: Re: [ActiveDir] Errors During Authoritative Restore

2006-06-20 Thread Joshua Coffman


Thanks Brett,
 
I appreciate your assistance on this.
 
Yes, there are tons of schema mods.
 
In the domain throwing the majority of the errors, these mods were performed using an LDIF file, during the installation of a 3rd party Identity Management Application.
 
I do not know if there have been LDAP naming attributes added or not. If you can send a query to verify, I would be happy to run it.
I knew that Restore Database is the "last resort" method, but that is what we wanted to test. We do have multiple DCs replicating across multiple geographic sites, so this scenario is unlikely, unless there were some sort of catastrophic corruption that took place.
 
In the future, if "restore database" is unavailable, what will be used in its place if you need to do a bare metal authoritative restore of the entire AD?
 
It will take a while to run the tools you requested against the AD, because it is a production system. I cannot run them directly in the PROD environment, so I would have to pull a mirrored drive from the prod DC, and pop it into an offline server. This could take a while for the required approvals.
 
Thanks again for your help!
Josh



> Date: Tue, 20 Jun 2006 10:09:58 -0700
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Errors During Authoritative Restore
>
> Do you have any schema extensions applied?  Do you know if those schemas
> added any LDAP naming attributes?  If the 2nd question doesn't make sense
> to you, I'll figure out a way you can query this, and send it to us.
>
> Aside, it is generally not recommended to run "restore database".  In fact
> this command was removed from Longhorn.
>
> If you decide to retry that scenario again, I can suggest some
> intermediate steps that would be good to know.  i.e.
>
> 1. Before running auth restore, be interesting to know the results of an
> esentutl /k ntds.dit (checksum the database).
>
> 2. After auth restore, it would be good to know if the database is
> logically consistent from ESE's perspective (do this via "esentutl /g
> ntds.dit").
>
> 3. Also after we know it is logically consistent from AD's perspective (do
> this via, exact command line provided:
> ntdsutil "sem data anal" "go" "q" "q"
>
> Cheers,
> BrettSh [msft]
> Ex-Building 7 Garage Door Operator
>
>
> On Tue, 20 Jun 2006, Joshua Coffman wrote:
>
> > I have a few questions for you AD gurus out there! :)
> >
> > I just ran through a Disaster Recovery test of two of our ADs and I
> > have a few questions which have come up as a result of the test.
> >
> > Configuration Notes:
> > These boxes are Windows 2003, SP1.
> > The domains were originally Windows 2000 domains.
> >
> > The following errors pop up on one of the domain controllers during
> > the restore.
> >
> > "Could not display the attribute type for the object with DNT
> > 831424.Error: failed to get dn of dnt 831424" This occurs many times
> > throughout the restore.
> >
> > NOTE: This is during a complete restore, e.g.
> > "authoritative restore: restore database". I also see a few of these.
> >
> > "There was an error parsing the GUID from the file on line: 1981" (Not
> > too many of these, maybe four or five)
> >
> > Additionally, with SP1, LDIF files are created to restore back-links.
> > The file that restores the user/group back-links imports successfully.
> > The file that restores the configuration back-links fails. (sorry, I
> > do not have the error handy)
> >
> > The authoritative restore says it completed successfully, and after I
> > go through metadata cleanup and FSMO seizure, the box starts up
> > without any errors, and AD throws no errors on startup.
> >
> > I was wondering if anyone can tell me what these errors mean? What
> > are their ramifications? How can the errors be resolved?
> >
> > Thanks,
> >
> > Josh


Re: [ActiveDir] Question on rightsguid

2006-06-20 Thread Matheesha Weerasinghe

thanks joe!

M@

On 6/20/06, joe <[EMAIL PROTECTED]> wrote:

Oops correction here, I spaced for a second. The value for Property Sets in
validAccesses is a combination of ACTRL_DS_WRITE_PROP + ACTRL_DS_READ_PROP
so the value is 32 + 16 or 48, not just 32.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 20, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on rightsguid

There are three things currently handled in the extended-rights container of
objectclass controlAccessRight.

Validated Writes
Property Sets
Extended Rights

These are differentiated by the validAccesses attribute[1]. Quickly it lays
out like

Validated Writes have validAccesses value of 8
Property Sets have validAccesses value of 32
Extended Rights have validAccesses value of 256

While they are the same objectclass and in the same container, they are not
the same things. The attributeSecurityGUID is used to tie schema objects to
property sets. Validated Rights and Extended Rights are hardcoded into the
OS. While you could add those types of objects, you wouldn't get anything
out of the OS with them, you would need to write your application(s) to use
them.

Now there are some things that are a bit confusing... The rightsGuid of
"Add/Remove self as member" is the same as the member attribute's
schemaIDGUID. This means that if you don't use the correct access mask the
permission will not be written properly and many programs and scripts
(including several of mine) actually display this incorrectly. If the mask
is a CA grant/deny (control access) then the permission is for "Add/Remove
self as member", if the mask is anything else, it is the member schema
attribute. It gets even worse with the rightsGUID of
"Validated write to DNS host name" is also the rightsGUID of the property set
"DNS Host Name Attributes" AND the schemaIDGUID of the attribute
dNSHostName.

I've actually been meaning to blog this for a while now as I keep fielding
questions in email and the newsgroups about it. Seems like a lot of people
are actually really looking at that stuff finally. I reported the DNS GUIDs
item to MSFT back after K3 came out as I didn't think it was right. I still
don't think it is the right way to handle it but too late to change now. It
just adds a bunch of confusion to something that doesn't need the confusion
because it is already too confusing.


As for the second part... I have been asked that and actually people have
insisted it is a bug in my code so much that I did blog it.

http://blog.joeware.net/2005/12/17/173/



   joe




[1]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, June 19, 2006 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on rightsguid

All

I've been doing a little digging into AD and was wondering why the
rightsguid for the validated-spn and the self-membership validated
rights doesn't have objects in the schema with matching
attributesecurityguid values. Is it correct to assume that there
should be objects in the schema with attributesecurityguid values to
match each rightsguid values of each controlaccess object? Or is
rightsguid only really important for propertysets?

Also I noticed when I used joe's adfind to list objects which had the
rightsguid value from validated-dns-host-name, the filter listed the
same rightsguid value in a different format, i.e.

adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd attributesecurityguid
was expanded as Transformed Filter:
(&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD))

I deduced G=47, r=72 etc..

Can anyone explain the above for me?

Cheers

M@
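M@'s question about the G\95\E3r... form of the GUID and joe's validAccesses values both come down to how AD stores these objects. This is an added example, not adfind's or joe's code: it re-orders a textual GUID into AD's little-endian byte layout and escapes it for an LDAP filter, reproduces adfind's display (assumed here to leave alphanumeric ASCII bytes unescaped), decodes such a value back to text, and labels a controlAccessRight object by its validAccesses value using joe's corrected 48 for property sets.

```python
import re
import uuid

# validAccesses bits on controlAccessRight objects (ADS_RIGHT_DS_* values).
ADS_RIGHT_DS_SELF = 0x8              # validated writes
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # extended rights

RIGHT_KINDS = {
    ADS_RIGHT_DS_SELF: "Validated Write",
    ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP: "Property Set",  # 16 + 32 = 48
    ADS_RIGHT_DS_CONTROL_ACCESS: "Extended Right",
}


def classify_right(valid_accesses):
    """Name a controlAccessRight object by its validAccesses attribute."""
    return RIGHT_KINDS.get(valid_accesses, f"unknown ({valid_accesses})")


def guid_filter_value(guid_text, adfind_style=False):
    """Encode a GUID as it must appear in an LDAP filter assertion.

    AD stores a GUID as 16 raw bytes with the first three fields
    little-endian (uuid.bytes_le), which is why 72e39547-... starts with
    0x47 ('G') on the wire.  By default every byte is backslash-hex
    escaped, which is always valid per RFC 4515; adfind_style=True mimics
    adfind's display (assumption: alphanumeric ASCII bytes shown as-is).
    """
    out = []
    for b in uuid.UUID(guid_text).bytes_le:
        if adfind_style and b < 0x80 and chr(b).isalnum():
            out.append(chr(b))
        else:
            out.append(f"\\{b:02X}")
    return "".join(out)


def property_set_filter(rights_guid):
    """The filter adfind -propsetmembers expands to: schema attributes whose
    attributeSecurityGUID ties them to the property set's rightsGuid."""
    return ("(&(objectcategory=attributeschema)(attributeSecurityGUID="
            + guid_filter_value(rights_guid, adfind_style=True) + "))")


_TOKEN = re.compile(r"\\([0-9A-Fa-f]{2})|(.)")


def filter_value_to_guid(escaped):
    """Inverse of guid_filter_value for either escaping style."""
    raw = bytearray()
    for hexpair, ch in _TOKEN.findall(escaped):
        raw.append(int(hexpair, 16) if hexpair else ord(ch))
    if len(raw) != 16:
        raise ValueError(f"expected 16 GUID bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=bytes(raw)))


if __name__ == "__main__":
    g = "72e39547-7b18-11d1-adef-00c04fd8d5cd"  # GUID from M@'s adfind query
    print(property_set_filter(g))
    print(guid_filter_value(g))
    print(filter_value_to_guid(guid_filter_value(g, adfind_style=True)))
    for v in (8, 32, 48, 256):
        print(v, classify_right(v))
```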


RE: [ActiveDir] Servers or Workstations

2006-06-20 Thread Robert Rutherford
Hi John,

I would 'generally' opt for servers first as you can then take advantage
of the 2K, 2K3 goodies, i.e. AD straight away when you migrate the
workstations. 

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: 20 June 2006 18:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Servers or Workstations

 
Hey all,

  I thought I had our Ad Migration plan as we were going to do
workstations
first but I'm having second thoughts. I think we should do servers first
then workstation's. Could I have your thoughts on this.

Thanks

john


RE: [ActiveDir] Servers or Workstations

2006-06-20 Thread John Strongosky
Thanks Rob, thought so... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, June 20, 2006 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Servers or Workstations



[ActiveDir] Mitel AD Integration

2006-06-20 Thread Brian Desmond

Has anyone dealt with Mitel’s Directory Integration with regard to AD? Had
the first meeting about that today and it sounds scary – I haven’t read the
docs yet but I didn’t get the good feeling today.

Thanks,

Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


[ActiveDir] Event ID 20 :: KDC Certificate Error ::

2006-06-20 Thread Ravi Dogra

Hi All,

I am getting Event ID 20 :: KDC Error :: The currently selected KDC
certificate was once valid, but now is invalid and no suitable
replacement was found.  Smartcard logon may not function correctly if
this problem is not remedied.  Have the system administrator check on
the state of the domain's public key infrastructure.  The chain status
is in the error data.

I don't know how this is affecting or will affect as these are warning
messages. What is the impact?

I can see my Certificate is still valid. What could be the possible
reason? I have installed an Enterprise CA a long time back and since
then I can see this error approx. every 10 hours. (I think I did
something wrong)

Should I delete the previous Certificate and then issue a new
certificate? I am a bit confused. (Thinking of doing it in a test
environment first)

Sure I don't want to ignore these errors and want to fix them ASAP.

Kindly suggest how I can get rid of this.

--
Ravi Dogra


RE: [ActiveDir] Event ID 20 :: KDC Certificate Error ::

2006-06-20 Thread Ken Schaefer
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Ravi Dogra
: Subject: [ActiveDir] Event ID 20 :: KDC Certificate Error ::
: 
: I am getting Event ID 20 :: KDC Error :: The currently selected KDC
: certificate was once valid, but now is invalid and no suitable
: replacement was found.  Smartcard logon may not function correctly if
: this problem is not remedied.  Have the system administrator check on
: the state of the domain's public key infrastructure.  The chain status
: is in the error data.
: 
: I dont know how this is affecting or will affect as these are warning
: messages. What is the impact?
: 
: I can see my Certificate is still valid. What could be the possible
: reason. I have installed a Enterprise CA a long time back and since
: then i can see this error every approx. 10 hours. (I think i did
: something wrong)

Is the CA's certificate valid?

Some other suggestions here:
http://www.eventid.net/display.asp?eventid=20&eventno=3396&source=KDC&phase=1

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!


RE: [ActiveDir] OT - Published app requires local admin

2006-06-20 Thread Noah Eiger

Thanks, Brian. That is what I am going to do.

-- nme


From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 18, 2006 9:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Published app requires local admin

No it doesn’t. Just push the app down to everyone and push the settings per
user – it should accomplish the same thing…

--brian


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Sunday, June 18, 2006 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT - Published app requires local admin

Hello:

I am trying to deploy the Cisco VPN client (4.8.01.0300) via a GPO. With
some chopping to the MSI, I have been able to get it to install under the
Computer Configuration. However, I would like to Publish it to users
instead. For users who are members of the local admin group (yes, yes, I
know – that is another discussion), the software installs properly.

For standard users, the Published install fails. As far as I could
determine, there are two errors:

1) “Error in custom action. The library
c:\Docume~\...\ProductCode\insthelper.dll is invalid or could not be found.”

2) “CreateDeviceInfo error: Access is denied.”

Doesn’t the Published install run under the SYSTEM account? If so, why
should it still need to be a local admin?

Thanks.

-- nme

P.S. Is there an effective way to prevent users from finding the original
installer files and copying them from the network share? (Besides hidden
share or hide file attribute.)

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.9.0/368 - Release Date: 6/16/2006


[ActiveDir] OT?: Need to "NIS-enable" a crap load of users...

2006-06-20 Thread Alex Fontana

Anyone familiar with SFU out there?

At least half of my users do not have SFU attributes. I now have the need to
create “NIS” accounts for all of them. Besides hitting the properties of each
user and enabling them for NIS, what other options do I have? I do happen to
have the means to generate a passwd file with autogenerated UIDs for all the
users without SFU attribs. So…

- ldif import? I don’t think that info will ever make it to the passwd map

- NIS2AD.exe? Not sure if this is for creating new maps or if it can be used
  to merge or add map entries

- (actually tested) nismap.exe -e "line from passwd" -r yes nisdomainname passwd

The last one adds the SFU attributes, but disables the account. I figure I
can follow that up with a one liner to re-enable the account. The only other
concern is the msSFUPassword. Obviously I’m not going to put folks’ passwords
in the import file.

Any other ideas?


[ActiveDir] How to block particular Subjects

2006-06-20 Thread Ajay Kumar

Hi all,

I just want to know whether it is possible to block particular subjects,
e.g. ( Resume ), when a user sends any mail related to the same subject to
another domain ( Internet ).
We are using Exchange Server 2003 with at least 500 users.
Please give me any suggestion / software through which I can block
particular subjects.

Regards,
Sam


RE: [ActiveDir] Servers or Workstations

2006-06-20 Thread Grillenmeier, Guido
servers first? workstations first?
first what?

I assume you're talking about migrating your servers and workstations
from an NT4 domain to an AD domain - correct?  If so, the order strongly
depends on various aspects, such as the status of your user and group
migration and how you handle permissions on your servers.  There's too
much detail here to know, which doesn't make sense to add without
knowing more about your environment. 

But more often than not it is more advisable to
1. migrate your user accounts and groups to AD
2. take care of the user profiles on the workstations and ensure that
the users are actually using the AD account (often combined with the
computer migration)
3. migrate the servers and any other workstations to AD

Usually the order of workstation or servers is not important - this
changes if you have a lot of trusts in your environment and need to
ensure availability of specific trusted resources from other domains
that have not been migrated yet. Suddenly the order can become important
again.

So maybe you want to enlighten us a little about your environment, such
as trusts between your domains, usage of SidHistory for account/group
migration, usage of local profiles/roaming profiles on workstations,
terminal servers, tools you're using for the migration etc.

/Guido



RE: [ActiveDir] OT: Higher Education web access

2006-06-20 Thread Steve Rochford

We use webdav and publish instructions for staff/students 
to just add their home folder as a "my network place" on their home computers. 
This works well - once you've connected it's just another location that appears 
in explorer or file dialogues.
 
If you're happy to continue with FTP access to the web 
folder then that's perfectly possible; I'm assuming you're scripting creation of 
users so it's just a case of adding an extra bit to create and permission a 
folder somewhere in the IIS folder for each user.
 
Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: 19 June 2006 21:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Higher Education web access

Hello all,

Sorry for the OT, but I'm a bit at a loss on parts of the big move. As I've
said in the past, I'm in the process of moving our student population from
eDirectory to Active Directory. We've overcome several hurdles up to this
point. Our next big one is how to give access to our student's files via a
web browser and also a way to host their own web pages. Currently we
accomplish this via IUAdmin and apache services. IUAdmin is not ported to
the Windows platform and Apache for Windows has a few drawbacks. I was
wondering if there are any higher education folks out there that wouldn't
mind talking with me about their environment. To help give a better idea of
what we do, I offer three web pages:

Students can login to the following page and gain access to their files.
http://locker.uky.edu

The next link shows you some screenshots of what you would see if you logged
in as bigtest.
http://locker.uky.edu/help.htm

Then of course we offer a way for them to publish their own webpages (the
first link will show you where I get my signature):
http://locker.uky.edu/~pglenn

Thanks for any help even if it's just a pointer to another listserv

Paul
--
***
"I've got a fever and the only prescription is more cowbell."
--Christopher Walken
***


RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-20 Thread Wyatt, David

To all single DC folks - when you perform a restore of your single DC
from an image, as part of your procedure do you increase the value of
the RID pool or just restore and resume working?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP] 
Sent: 20 Jun 2006 1:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ghost Backup or Image for Active Directory
Server and Exchange Server


And you didn't go to Jeff Middleton's TechEd session on DR for Small 
business did you?

We're a single DC folks.. hello... it works.

We're not enterprise and that means best practices for you are not best 
practices for us.

Acronis works.

Big boys can't image DCs.. we can.  We're little..we're agile and we can

do it.

Big server land can't ...and that's fine...but the rules of big server 
land stop at the gates of SBSland... it's a whole diff ball game for us.

(Fenway was cool btw)


Paul Glenn wrote:

> I attended a Disaster Recovery of AD class at TechEd this past week.
> One thing they said was to NEVER EVER rely on a ghost image for DR.
> Their reasoning was the whole SID situation.
>
> Paul
>
> On 6/17/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*
> <[EMAIL PROTECTED]> wrote:
>
> And us SBSers will say that sometimes that single DC with a DR strategy
> in place can be less issue than multiple domain controllers. (please
> note the "DR strategy" phrase there.. this is planned ahead of time)
>
> What is the size of the firm and what is the tolerance of downtime.
> Start from there.  Plan your DR process.
>
> Almeida Pinto, Jorge de wrote:
>
> > Only in an AD environment with ONE DC in the AD FOREST, there would
> > not be much of an issue. Although I still recommend to use a
> > supported method.
> > No matter how many DCs, using a supported method/tool/procedure, you
> > will always be ready for it.
> > As soon as you get a second DC, the image thing won't work that good
> > anymore.
> >
> > For more info also see:
> > http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx
> >
> > I also recommend to have AT LEAST 2 DC in each AD domain (and backup
> > at least 2, preferably more if you have more DCs) for if something
> > goes wrong with one DC. In that case while one DC is still running you
> > can repair the other or promote another DC into the AD domain. If you
> > only have one DC, AD will be available again as soon as that single DC
> > is up and running again.
> >
> > Met vriendelijke groeten / Kind regards,
> > Ing. Jorge de Almeida Pinto
> > /Senior Infrastructure Consultant/
> > /MVP Windows Server - Directory Services/
> > *LogicaCMG Nederland B.V. (BU RTINC Eindhoven)*
> > Tel : +31-(0)40-29.57.777
> > Mobile : +31-(0)6-26.26.62.80
> >
> > *From:* [EMAIL PROTECTED] on behalf of Jose Medeiros
> > *Sent:* Sat 2006-06-17 08:01
> > *To:* [EMAIL PROTECTED]
> > *Cc:* Medeiros, Jose; ActiveDir@mail.activedir.org
> > *Subject:* [ActiveDir] Ghost Backup or Image for Active Directory
> > Server and Exchange Server
> >
> > Hi Amit,
> >
> > Well first you'll need to buy Symantec Ghost Corporate Edition so you
> > have the 32 bit version. Then if you have a server such as a HP
> > Proliant DL-580 with a 6400 Smart Raid Controller you'll need to add
> > the Raid controller driver to your bootable CD Rom that you'll have to
> > create so it can access the Raid Disk Array.
> >
> > If you Want to create your own Bootable CD, I would recommend you use
> > Microsoft WinPE or Bart's PE http://www.nu2.nu/pebuilder/ .
> >
> > Barts also allows you to use Acronis http://www.acronis.com/ which may
> > be less expensive than Ghost Corporate, however I have only used Ghost
> > Version 8, 32Bit and can attest that it works ( I've imaged several
> > hundred servers with it at ADP Payroll Systems ).
> >
> > Hope this helps, the rest is up to you and requires that you read the
> > documentation with each product.
> >
> > Best Wishes,
> >
> > Jose Medeiros
> > http://www.myspace.com/josemedeiros1
> >
> > ---
> >
> > - Original Message -
> > *From:* Amit Kapoor

RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-20 Thread Robert Rutherford
Hi David,

Just restore and resume as it's a single DC.

Cheers

Rob


Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
 T:  +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  


[ActiveDir] Win2k Sites & Login Servers

2006-06-20 Thread Christopher . Drewery

Windows 2000 Domain in Native Mode (Test Environment)

1 Domain
3 Sites each with its subnets defined
3 servers each with an IP address relating to a particular site.
Each server is hosting DNS and DHCP.
Each server is a GC.

When I plug a laptop in and log on as a user for the 1st time it will log
onto the DC that is in its relevant site, but when I log off and log in at
another site it will still connect to the previous GC as its login server
unless we perform a flushdns before logging off. The laptop will pick up the
correct DHCP address depending on what site it is at.

I am using 'echo %logonserver%' to determine which login server it is using.

I have tried shortening the DHCP lease time but still the same issue occurs.

Chris.

RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-20 Thread Robert Rutherford

Note that you will of course need to restore the changes taken between
images, i.e. system state et al

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
 T:  +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  


RE: [ActiveDir] Win2k Sites & Login Servers

2006-06-20 Thread Robert Rutherford

Does all look good with your DNS SRV records per site?

Are there any errors in the client event logs?

Does the behavior occur from any site?

If you reboot and log on to the other site is all ok?


Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com


RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-20 Thread Wyatt, David

Now here's the problem. The "just restore and resume approach" could be, in
a very specific situation, a bad idea. I'm sure everything would "work" as
such, but as desired?

After a backup is taken, new security principals might have been created in
the domain. These security principals might be permissioned on certain
resources e.g. file shares etc. Now depending on when the image was taken
and restored, it is *possible* the security principals no longer exist
because the recovery has reverted to the image date, but their access rights
might still exist. If the RID pool is not raised after a restore, new
security principals created after the recovery might obtain identical
security IDs (SIDs) and could have access to those objects, which was not
originally intended.

So:

Monday - image taken
Tuesday - 10 new domain groups created and assigned permissions to file
server
Wednesday - need to recover DC as it's crashed, restore image from Monday.

Now you have SIDs assigned on the file server but are not present on the
domain. When you create new security principals they could obtain identical
SIDs to the ones belonging to the groups that were created on Tuesday.

Would it not be prudent to raise the RID pool as part of your single DC
recovery procedure? I can't see what harm it would do anyway.

Re: [ActiveDir] can I exclude a particular user account from "authenticated users"?

2006-06-20 Thread Al Mulnick
I'm just curious why you would want to remove an authenticated user from the authenticated users group?  What's the goal?  
On 6/20/06, joe <[EMAIL PROTECTED]> wrote:



Disable the account's ability to authenticate. 
 
Makes the account rather worthless but it is the only thing I can think of that would accomplish the stated goal. 
 
Programmatically you might be able to modify the token at the local machine level such that the auth users SID isn't enabled, but that would take some rather involved work I expect. See http://msdn.microsoft.com/library/default.asp?url="" . It isn't anything I have tried, just a theory based on some reading I have done in the API docs.
 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Monday, June 19, 2006 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] can I exclude a particular user account from "authenticated users"? 


This may sound like an off the wall question, but I would like to exclude a particular user account from the built-in security principal "Authenticated Users". Is there any way to do this?


TIA!
Mike Thommes



Re: [ActiveDir] RDP Over SSL (No Security tab in Client)

2006-06-20 Thread Al Mulnick
 
Why?  Why did you not just install the updated version using the installer? Was there an advantage? 
 
I'm so full of questions I know, but this seems the hard way with issues waiting for later.  
On 6/20/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:
Thanks,

I have achieved this by making a copy of mstsc.exe and mstscax.dll from a windows2k3 sp1 box and placing it in a different folder of the client other than system32. Registered the dll and this fixed the problem.

Thanks Again,
Ravi Dogra



Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
The decision is made by the IT pro of the needed recovery process.  I 
would hope that any one of the folks on this list wouldn't just have an 
image restore if they were a single DC but also a system state out there 
as well.


You as the pro then make the appropriate recovery method... 
authoritative restore, throw back in the image... whatever... if you 
are running a single DC... you've gone through the permutations... you 
know why you've chosen single DC over multiple DCs.. you have a plan.


Again... in the SBS space there is a camp that would argue that 
introduction of multiple DCs takes away the flexibility of imaging that DC.


...and in SBSland... who makes 10 new domain groups for heavens sake on 
Tuesday?  We set this network up three years ago with the appropriate 
security groups and OU structure and we honestly have not touched that 
structure since.


I would argue as an IT pro... you will know the needs of your client and 
have that decision tree mapped out of the ways you can DR that network.


As long as you can grab a part of that system state even if it's off an 
old tape media... you can reinsert that (this is called the "Graveyard 
Swing" by JeffM in SBSland).


When the need for DR hits you'll want options to go down that highway.. 
not just one path.


Wyatt, David wrote:

Now here's the problem.  The "just restore and resume approach" could 
be, in a very specific situation, a bad idea.  I'm sure everything 
would "work" as such, but as desired?


After a backup is taken, new security principals might have been 
created in the domain. These security principals might be permissioned 
on certain resources, e.g. file shares etc.  Now depending on when the 
image was taken and restored, it is *possible* the security principals 
no longer exist because the recovery has reverted to the image date, 
but their access rights might still exist. If the RID pool is not 
raised after a restore, new security principals created after 
the recovery might obtain identical security IDs (SIDs) and could have 
access to those objects, which was not originally intended.  So:


Monday - image taken
Tuesday - 10 new domain groups created and assigned permissions to 
file server
Wednesday - need to recover DC as it's crashed, restore image from 
Monday.  Now you have SIDs assigned on the file server that are not 
present on the domain.  When you create new security principals they 
could obtain identical SIDs to the ones belonging to the groups that 
were created on Tuesday.


Would it not be prudent to raise the RID pool as part of your single 
DC recovery procedure?  I can't see what harm it would do anyway.





-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford

Sent: 20 Jun 2006 11:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory 
Server and Exchange Server



Hi David,

Just restore and resume as it's a single DC.

Cheers

Rob


Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion

Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
 T:  +44 (0) 8456 440 331   
F:   +44 (0) 8456 440 332   
M:   +44 (0) 7974 249 494   
E:  [EMAIL PROTECTED]   
W:  www.quostar.com 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: 20 June 2006 10:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory 
Server and Exchange Server



To all single DC folks - when you perform a restore of your single DC 
from an image, as part of your procedure do you increase the value of 
the RID pool or just restore and resume working?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Sent: 20 Jun 2006 1:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ghost Backup or Image for Active Directory 
Server and Exchange Server



And you didn't go to Jeff Middleton's TechEd session on DR for Small
business did you?

We're a single DC folks.. hello... it works.

We're not enterprise and that means best practices for you are not best
practices for us.

Acronis works.

Big boys can't image DCs.. we can.  We're little..we're agile and we can
do it.

Big server land can't ...and that's fine...but the rules of big server
land stop at the gates of SBSland... it's a whole diff ball game for us.

(Fenway was cool btw)


Paul Glenn wrote:

> I attended a Disaster Recovery of AD class at TechEd this past week.
> One thing they said was to NEVER EVER rely on a ghost image for DR.
> Their reasoning was the whole SID situation.
> 
> Paul
>
> On 6/17/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*
> <[EMAIL PROTECTED]> wrote:
>
> And us SBSers will say that sometimes that single DC with a DR
> strategy
> in place can be l
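The Monday/Tuesday/Wednesday sequence David describes, and the RID-pool raise he asks about, as an added Python model that is not from the thread. The domain SID, share name and group names are constructed, and the RID allocator is a plain counter standing in for the real RID Master and its pool attributes; the file server is the piece the DC restore does not revert.

```python
from __future__ import annotations

import copy
from dataclasses import dataclass, field

# Constructed domain SID for the model; any S-1-5-21-x-y-z value would do.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def rid_of(sid: str) -> int:
    """Relative identifier: the last sub-authority of a domain SID."""
    return int(sid.rsplit("-", 1)[1])


@dataclass
class Domain:
    """State held on the single DC, so captured by (and reverted with) the image.
    The RID allocator is a bare counter standing in for the real RID pool."""
    next_rid: int = 1100
    principals: dict[int, str] = field(default_factory=dict)  # RID -> sAMAccountName

    def create(self, name: str) -> str:
        rid, self.next_rid = self.next_rid, self.next_rid + 1
        self.principals[rid] = name
        return f"{DOMAIN_SID}-{rid}"

    def resolves(self, sid: str) -> bool:
        return rid_of(sid) in self.principals


@dataclass
class FileServer:
    """Member server whose ACLs hold raw SIDs. It is not touched by the DC restore."""
    acl: dict[str, set[str]] = field(default_factory=dict)  # share -> granted SIDs

    def grant(self, share: str, sid: str) -> None:
        self.acl.setdefault(share, set()).add(sid)

    def granted_sids(self) -> set[str]:
        return {sid for sids in self.acl.values() for sid in sids}


def orphaned_sids(fs: FileServer, domain: Domain) -> set[str]:
    """ACL entries whose SID no longer resolves to any principal in the domain."""
    return {sid for sid in fs.granted_sids() if not domain.resolves(sid)}


def raise_rid_pool(domain: Domain, fs: FileServer, margin: int = 100) -> None:
    """The mitigation David asks about: after restoring the image, move the
    allocator past every RID the lost DC could have issued. Here the highest RID
    still referenced in ACLs is used as evidence of that, plus a safety margin;
    in a real domain the value would be chosen from the time between image and
    crash, since not every lost principal will have left an ACL behind."""
    highest_seen = max((rid_of(sid) for sid in fs.granted_sids()), default=0)
    domain.next_rid = max(domain.next_rid, highest_seen + 1) + margin


def run_scenario(raise_pool: bool) -> dict:
    domain, fs = Domain(), FileServer()

    # Monday: image taken.
    monday_image = copy.deepcopy(domain)

    # Tuesday: 10 new domain groups created and permissioned on the file server.
    tuesday_sids = [domain.create(f"Finance-Group-{i}") for i in range(10)]
    for sid in tuesday_sids:
        fs.grant(r"\\FS1\Finance", sid)

    # Wednesday: DC crashed, Monday image restored. The file server keeps its ACLs.
    domain = monday_image
    orphaned_after_restore = len(orphaned_sids(fs, domain))
    if raise_pool:
        raise_rid_pool(domain, fs)

    # New principals created after the recovery.
    new_sids = [domain.create(f"Intern-{i}") for i in range(10)]

    collisions = sorted(set(new_sids) & set(tuesday_sids))
    return {
        "orphaned_after_restore": orphaned_after_restore,
        # A drop to zero here is the bad outcome: the stale ACEs silently resolve again.
        "orphaned_after_new_accounts": len(orphaned_sids(fs, domain)),
        "collisions": collisions,
        "unintended_access": [domain.principals[rid_of(s)] for s in collisions],
    }


if __name__ == "__main__":
    for raise_pool in (False, True):
        result = run_scenario(raise_pool)
        print(f"raise RID pool: {raise_pool}")
        for key, value in result.items():
            print(f"  {key}: {value}")
```

Auditing for orphaned SIDs before creating anything new is the check worth keeping: once they stop being orphaned without anyone having deleted the ACEs, the reuse has already happened.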

Re: [ActiveDir] DDNS in Unix environment

2006-06-20 Thread Al Mulnick
Guy, I think the concern I have (I'll limit to one for this sentence) is that if you update the DNS, what does that do for the client? I.E. how does the client know to look at some other DNS? Or, more simply, how does the DNS get updated if that site the client was using for DNS goes to the dogs?  I'm wondering how that mechanism works in your scenario because the client has to be able to find the information and if the DNS went with the solution, then it's going to be difficult to make that work.  On the other hand, if DNS is hosted outside this solution, then your only real hope is to use a load balancer IMHO.  Why? Because the people already have a significant investment in making this work and to do otherwise would be the equivalent of putting Huffy tires on a Maserati; sure it might work and it'll be drastically cheaper up front, but would you really want to do that and would you really be happy about it?  Would you want your friends to see you in that car? 

 
Anyhow, the solution lies with Veritas and by taking a good hard look at all 8 layers of the stack and comparing/contrasting that with your deliverables. HA doesn't occur at the application layer alone; rather it's a system that comes together and takes into account all 8 layers of the computing stack.  To do otherwise is without question a waste of time and resources.   

 
Keep your head low, walk softly and carry a very large Windows appliance. ;)
 
Al 
On 6/19/06, Guy Teverovsky <[EMAIL PROTECTED]> wrote:




I will try to address all the points raised.
 
Al: 
You are right. The idea is to provide highly available service as transparently as possible. This is one of those times when Unix folks are leading the project and they are trying to find the solution in the DNS. I have already pointed out that even if DDNS is successful, the TTLs will have to be reduced drastically to very short values.

 
Mike:
I have already suggested a simple WMI script somehow triggered by the cluster, but they are hesitant about any non-standard customization. The SimpleFailover however looks like something that I might be able to use. Will definitely have a better look at it. Funny that I have not found it while exercising my google-fu.

 
Willem: 
If you ask me, the solution should indeed be based on some sort of appliance based load balancer, but the folks are looking into software based solution - introducing network related changes could be quite tricky in this case (politics, another IT group, single point of failure...)

 
Disclaimer: have no idea about Veritas HA Unix cluster either ;)
 
Now if I could only smack the Unix folks, make them disable the DDNS registration requirement on the cluster and look into a hardware load balancer, life would be much easier...

 
Bottom line: Unix people are evil! Do not let them near your AD ;)
(ducking and getting on a plane)
 
Thanks all for the input !
Guy 
 


From: Willem Kasdorp
Sent: Mon 6/19/2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DDNS in Unix environment 



Guy,
 
Those are good points by Al. Especially the DNS TTL will break you up if the customer expects a quick failover. I would expect that there is some mechanism in the cluster failover (a script hook or something) that will allow you to manually change DNS where needed. But is this really the way to go? I'd take a hard look at how the app is supposed to realize high availability. Additionally, I have seen a similar scenario where a redundant network loadbalancer would reroute traffic to the active node. That would take care of name resolution and similar issues, anyway. 

 
--
    Cheers, Willem
 
(disclaimer: I know nothing about Veritas HA clusters)
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, June 19, 2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DDNS in Unix environment
 

Guy, can we assume that the requirement is to provide the high availability as transparently as possible then? 

What is the expectation if the primary site goes away as far as client name res? What is their way of knowing that the server went away and to use a new name (keeping in mind that caching etc is going to take place)? 


What does Veritas recommend? (it is their product after all).

 

Al 

On 6/17/06, Guy Teverovsky <[EMAIL PROTECTED]> wrote: 

Howdy all,

I am banging my head over this trying to come up with a solution for a client.

To make the long story short: financial organization which is very concerned about security. They are setting up a new network segment that will be serving some application to the internal network (there is a firewall in between). Because of the critical nature of the application, there is a DR site. AD is used for authentication and DNS. There is a Veritas HA cluster serving the application that will fail over to DR site in case the primary site goes down.

Primary site: 2 DCs with SFU (R2) + Veritas cluster node
DR site: 2 DCs with SFU (R2) + Ver

Re: [ActiveDir] OT: Higher Education web access

2006-06-20 Thread Paul Glenn
I myself would be more than happy with this scenario.  However, when I discuss this with the VP he says we can't take away anything they have now.  So that means I have to find a way for them to access their files through some type of web interface (which maybe I can convince him WEBDAV is almost like what they have now) and also be able to publish their own web pages.

Paul

On 6/20/06, Steve Rochford <[EMAIL PROTECTED]> wrote:





We use webdav and publish instructions for staff/students 
to just add their home folder as a "my network place" on their home computers. 
This works well - once you've connected it's just another location that appears 
in explorer or file dialogues.
 
If you're happy to continue with FTP access to the web 
folder then that's perfectly possible; I'm assuming you're scripting creation of 
users so it's just a case of adding an extra bit to create and permission a 
folder somewhere in the IIS folder for each user.
 
Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn
Sent: 19 June 2006 21:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Higher Education web access

Hello all,

Sorry for the OT, but I'm a bit at a loss on parts of the big move.  As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory.  We've overcome several hurdles up to this point.  Our next big one is how to give access to our student's files via a web browser and also a way to host their own web pages.  Currently we accomplish this via IUAdmin and apache services.  IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks.  I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment.  To help give a better idea of what we do, I offer three web pages:

Students can login to the following page and gain access to their files.
http://locker.uky.edu

The next link shows you some screenshots of what you would see if you logged in as bigtest.
http://locker.uky.edu/help.htm

Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature):
http://locker.uky.edu/~pglenn

Thanks for any help even if it's just a pointer to another listserv

Paul

-- 
***
"I've got a fever and the only prescription is more cowbell."
--Christopher Walken
***


Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Al Lilianstrom

Robert Rutherford wrote:
> Hi,
>
> It does sound like our old pal DNS.
>
> If you run a dcdiag and netdiag, do they both run clean? If not then
> please post the results.

Both clean. Every test I can think of comes up clean. The only real 
symptom was in the original message - lack of admin access to the w2k3 DCs 
from the w2k DC. Checking the event log on the w2k3 DC I see the 
computer and user log in and out successfully. Just something denying 
access.

> If all is clean and it's a test environment then pull it and clean it up
> with ntdsutil et al.

Sounds like a fun way to spend the morning. :-)

al

> If it's a new situation then just replicate and see if you still have
> the issue. I have always found a couple of hours helps many ills.
>
> BR
>
> Rob
>
> Robert Rutherford
> QuoStar Solutions Limited
>
> The Enterprise Pavilion
> Fern Barrow
> Wallisdown
> Poole
> Dorset
> BH12 5HH
> T: +44 (0) 8456 440 331
> F: +44 (0) 8456 440 332
> M: +44 (0) 7974 249 494
> E: [EMAIL PROTECTED]
> W: www.quostar.com
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
> Sent: 19 June 2006 20:52
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
>
> I'm in the process of upgrading my test domain (empty root and 1 child)
> to w2k3 R2 based DCs and (thanks to help from the friendly folks here)
> am just about done. I have one last w2k dc left to remove. It doesn't
> want to go peacefully.
>
> I moved the FSMO roles off and the next day tried to dcpromo it down to
> a simple server. I get
>
> Managing the network session with FBDC1.fnal.gov failed
>
> "Access is denied. "
> dcpromoui t:0x848 00479  Exit  State::GetFailureMessage The
> operation failed because:
>
> Managing the network session with FBDC1.fnal.gov failed
>
> A quick check shows that I can't get to the admin shares of my new w2k3
> dc/FSMO role holder from the w2k dc. I can get to the admin shares of
> the other simple servers but not either of the 2 DCs. Other systems can
> access the admin shares via the domain admin account I'm using on the
> w2k DC.
>
> I've been searching and have found people having a similar problem when
> promoting a w2k machine to be a DC but not when demoting. I've tried a
> number of the things that were suggested in those articles and they have
> had no effect.
>
> There is no firewall in the way. AD replication and FRS work.
>
> Any ideas before I rip it out?
>
> al

--

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] OT: Higher Education web access

2006-06-20 Thread Kennedy, Jim



If I am reading your requirement correctly, WEBDAV is a web interface. Hit the page with IE and there is your network folder. As for the web publishing... are they making the sites themselves and then just uploading them? Then publish their website home folder also via WEBDAV.

  
  


Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Al Mulnick
Denying access?  Hmm so logged on to the w2K machine you can't access the admin$ share of either of the DC's right?
 
 
 
 



RE: [ActiveDir] Question on rightsguid

2006-06-20 Thread joe
There are three things currently handled in the extended-rights container of
objectclass controlAccessRight. 

Validated Writes
Property Sets
Extended Rights

These are differentiated by the validAccesses attribute[1]. Quickly it lays
out like

Validated Writes have validAccesses value of 8
Property Sets have validAccesses value of 32
Extended Rights have validAccesses value of 256

While they are the same objectclass and in the same container, they are not
the same things. The attributeSecurityGUID is used to tie schema objects to
property sets. Validated Rights and Extended Rights are hardcoded into the
OS. While you could add those types of objects, you wouldn't get anything
out of the OS with them, you would need to write your application(s) to use
them.

Now there are some things that are a bit confusing... The rightsGuid of
"Add/Remove self as member" is the same as the member attribute's
schemaIDGUID. This means that if you don't use the correct access mask the
permission will not be written properly and many programs and scripts
(including several of mine) actually display this incorrectly. If the mask
is a CA grant/deny (control access) then the permission is for "Add/Remove
self as member", if the mask is anything else, it is the member schema
attribute. It gets even worse with the rightsGUID of 
"Validated wite to DNS host name" is also the rightsGUID of the property set
"DNS Host Name Attributes" AND the schemaIDGUID of the attribute
dNSHostName.

I've actually been meaning to blog this for a while now as I keep fielding
questions in email and the newsgroups about it. Seems like a lot of people
are actually really looking at that stuff finally. I reported the DNS GUIDs
item to MSFT back after K3 came out as I didn't think it was right. I still
don't think it is the right way to handle it but too late to change now. It
just adds a bunch of confusion to something that doesn't need the confusion
because it is already too confusing.


As for the second part... I have been asked that and actually people have
insisted it is a bug in my code so much that I did blog it.

http://blog.joeware.net/2005/12/17/173/

 

   joe

 


[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, June 19, 2006 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on rightsguid

All

I've been doing a little digging into AD and was wondering why the
rightsguid for the validated-spn and the self-membership validated
rights doesn't have objects in the schema with matching
attributesecurityguid values. Is it correct to assume that there
should be objects in the schema with attributesecurityguid values to
match each rightsguid values of each controlaccess object? Or is
rightsguid only really important for propertysets?

Also I noticed when I used joe's adfind to list objects which had the
rightsguid value from validated-dns-host-name, the filter listed the
same rightsguid value in a different format, i.e.

  adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd attributesecurityguid

was expanded as Transformed Filter:

  (&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD))

I deduced G=47, r=72 etc..

Can anyone explain the above for me?

Cheers

M@
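The filter expansion Matheesha asks about (dashed GUID to the escaped binary form adfind prints) and the mask-based disambiguation joe describes, as an added Python example that is not from the thread. It assumes the standard ADS_RIGHTS_ENUM bit values for the ADS_RIGHT_DS_* constants and builds its RIGHTS table only from the three names joe gives for the DNS GUID.

```python
import uuid

# Access-mask bits from ADS_RIGHTS_ENUM under which an ACE's ObjectType GUID is
# interpreted. The three that matter here are exactly the validAccesses values
# joe lists for the controlAccessRight objects.
ADS_RIGHT_DS_SELF = 0x8              # validated write
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20       # property / property set
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # extended right

VALID_ACCESSES = {
    ADS_RIGHT_DS_SELF: "Validated Write",
    ADS_RIGHT_DS_WRITE_PROP: "Property Set",
    ADS_RIGHT_DS_CONTROL_ACCESS: "Extended Right",
}

# The one GUID the thread quotes, and the three things joe says it names.
# Table constructed from the thread for this example; it is not the full schema.
DNS_GUID = "72e39547-7b18-11d1-adef-00c04fd8d5cd"
RIGHTS = {
    DNS_GUID: [
        ("Validated Write", "Validated write to DNS host name"),
        ("Property Set", "DNS Host Name Attributes"),
        ("Attribute", "dNSHostName"),
    ],
}


def guid_to_ldap_filter(guid: str, escape_all: bool = False) -> str:
    """Encode a GUID as an LDAP filter assertion value for a binary GUID
    attribute (schemaIDGUID, attributeSecurityGUID). Windows stores GUIDs
    with the first three fields little-endian (uuid's bytes_le), and RFC 4515
    requires non-printable bytes in a filter to be escaped as \\XX. With
    escape_all=False, printable ASCII letters and digits are left bare, which
    reproduces adfind's display: 0x47 is 'G', 0x72 is 'r', 0x4F is 'O'."""
    parts = []
    for b in uuid.UUID(guid).bytes_le:
        if not escape_all and b < 0x80 and chr(b).isalnum():
            parts.append(chr(b))
        else:
            parts.append(f"\\{b:02X}")
    return "".join(parts)


def ldap_filter_to_guid(value: str) -> str:
    """Inverse: unescape a filter value and rebuild the dashed GUID string."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\":
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(value[i]))
            i += 1
    return str(uuid.UUID(bytes_le=bytes(raw)))


def classify_control_access_right(valid_accesses: int) -> str:
    """Which of the three object kinds a controlAccessRight object is."""
    return VALID_ACCESSES.get(valid_accesses, f"unknown validAccesses {valid_accesses}")


def interpret_object_type(access_mask: int, object_type_guid: str) -> list[str]:
    """Resolve an overloaded ACE ObjectType GUID the way joe describes: the
    access mask, not the GUID, decides. Self and Control Access bits mean a
    controlAccessRight (validated write / extended right); the property bits
    mean a property set or attribute."""
    kinds = set()
    if access_mask & (ADS_RIGHT_DS_SELF | ADS_RIGHT_DS_CONTROL_ACCESS):
        kinds |= {"Validated Write", "Extended Right"}
    if access_mask & (ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP):
        kinds |= {"Property Set", "Attribute"}
    return [name for kind, name in RIGHTS.get(object_type_guid.lower(), []) if kind in kinds]


if __name__ == "__main__":
    escaped = guid_to_ldap_filter(DNS_GUID)
    print(f"(attributeSecurityGUID={escaped})")
    print(ldap_filter_to_guid(escaped))
    for mask in (ADS_RIGHT_DS_SELF, ADS_RIGHT_DS_WRITE_PROP, ADS_RIGHT_DS_CONTROL_ACCESS):
        print(hex(mask), interpret_object_type(mask, DNS_GUID))
```

Tools that key their display off the GUID alone will show the attribute name for an ACE that actually grants the validated write, which is the misreporting joe mentions; checking the mask first avoids it.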


Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Al Lilianstrom

Al Mulnick wrote:
> Denying access?  Hmm so logged on to the w2K machine you can't 
> access the admin$ share of either of the DC's right?


Correct.

I can access any member server admin$ share from the w2k machine. I can 
access the w2k3 DC admin$ share from any other w2k3 machine in the domain.


I just can't access the w2k3 DC admin$ share from the w2k DC.

al

 





--

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]


Re: [ActiveDir] RDP Over SSL (No Security tab in Client)

2006-06-20 Thread Bart Van den Wyngaert
OK cool...
 
But as most know, there is 'tsmmc.msc' also to work with RDP. I use this a lot to have less windows open... If they make SSL available, what about having SSL with the 'tsmmc.msc' ?
 
TIA
 
On 6/20/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


 
Why?  Why did you not just install the updated version using the installer? Was there an advantage? 
 
I'm so full of questions I know, but this seems the hard way with issues waiting for later.  

On 6/20/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:
Thanks,
I have achieved this by making a copy of mstsc.exe and mstscax.dll from a
windows2k3 sp1 box and placing it in a different folder of the client
other than system32. Registered the dll and this fixed the problem.
Thanks Again,
Ravi Dogra



RE: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread joe
What do you see in the network trace? Is it attempting the connection? Is it
establishing the TCP/IP connection and then blowing out in the NetBIOS
handshake? Does it get through the handshake and then fail? 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Tuesday, June 20, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

Al Mulnick wrote:
> Denying access?  Hmm so logged on to the w2K machine you can't 
> access the admin$ share of either of the DC's right?

Correct.

I can access any member server admin$ share from the w2k machine. I can 
access the w2k3 DC admin$ share from any other w2k3 machine in the domain.

I just can't access the w2k3 DC admin$ share from the w2k DC.

al

>
> On 6/20/06, *Al Lilianstrom* <[EMAIL PROTECTED]> wrote:
> 
> Robert Rutherford wrote:
>  > Hi,
>  >
>  > It does sound like our old pal DNS.
>  >
>  > If you run a dcdiag and netdiag, do they both run clean? If not then
>  > please post the results.
> 
> Both clean. Every test I can think of comes up clean. The only real
> symptom was in the original message - lack of admin access to the w2k3 DCs
> from the w2k DC. Checking the event log on the w2k3 DC I see the
> computer and user log in and out successfully. Just something denying
> access.
> 
>  > If all is clean and it's a test environment then pull it and
> clean it up
>  > with ntdsutil et al.
> 
> Sounds like a fun way to spend the morning. :-)
> 
>al
> 
>  > If it's a new situation then just replicate and see if you still have
>  > the issue. I have always found a couple of hours helps many ills.
>  >
>  > BR
>  >
>  > Rob
>  >
>  > Robert Rutherford
>  > QuoStar Solutions Limited
>  >
>  > The Enterprise Pavilion
>  > Fern Barrow
>  > Wallisdown
>  > Poole
>  > Dorset
>  > BH12 5HH
>  > T: +44 (0) 8456 440 331
>  > F: +44 (0) 8456 440 332
>  > M: +44 (0) 7974 249 494
>  > E: [EMAIL PROTECTED]
>  > W: www.quostar.com
>  > -Original Message-
>  > From: [EMAIL PROTECTED]
>  > [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
>  > Sent: 19 June 2006 20:52
>  > To: ActiveDir@mail.activedir.org
>  > Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
>  >
>  > I'm in the process of upgrading my test domain (empty root and 1 child)
>  > to w2k3 R2 based DCs and (thanks to help from the friendly folks here)
>  > am just about done. I have one last w2k dc left to remove. It doesn't
>  > want to go peacefully.
>  >
>  > I moved the FSMO roles off and the next day tried to dcpromo it down to
>  > a simple server. I get
>  >
>  > Managing the network session with FBDC1.fnal.gov failed
>  >
>  > "Access is denied. "
>  > dcpromoui t:0x848 00479  Exit  State::GetFailureMessage The
>  > operation failed because:
>  >
>  > Managing the network session with FBDC1.fnal.gov failed
>  >
>  > A quick check shows that I can't get to the admin shares of my new w2k3
>  > dc/FSMO role holder from the w2k dc. I can get to the admin shares of
>  > the other simple servers but not either of the 2 DCs. Other systems can
>  > access the admin shares via the domain admin account I'm using on the
>  > w2k DC.
>  >
>  > I've been searching and have found people having a similar problem when
>  > promoting a w2k machine to be a DC but not when demoting. I've tried a
>  > number of the things that were suggested in those articles and they have
>  > had no effect.
>  >
>  > There is no firewall in the way. AD replication and FRS work.
>  >
>  > Any ideas before I rip it out?
>  >
>  >   al
>  >
> 
> --
> 
> Al Lilianstrom
> CD/CSS/CSI
> [EMAIL PROTECTED] 
> 
> 
> 

-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

RE: [ActiveDir] OT: Higher Education web access

2006-06-20 Thread Steve Rochford



All you're "taking away" is the limitation of 1 file at a 
time. (OK, the interface is different but for Windows users it's going to be 
much more like what they use when they're working with local 
files)
 
Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn
Sent: 20 June 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Higher Education web access
I myself would be more than happy with this scenario.  However, 
when I discuss this with the VP he says we can't take away anything they have 
now.  So that means I have to find a way for them to access their files 
through some type of web interface (which maybe I can convince him WEBDAV is 
almost like what they have now) and also be able to publish their own web pages. 
Paul
On 6/20/06, Steve 
Rochford <[EMAIL PROTECTED]> 
wrote:

  
  
  We use 
  webdav and publish instructions for staff/students to just add their home 
  folder as a "my network place" on their home computers. This works well - once 
  you've connected it's just another location that appears in explorer or file 
  dialogues.
   
  If you're 
  happy to continue with FTP access to the web folder then that's perfectly 
  possible; I'm assuming you're scripting creation of users so it's just a case 
  of adding an extra bit to create and permission a folder somewhere in the IIS 
  folder for each user.
   
  Steve
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn
  Sent: 19 June 2006 21:27
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: Higher Education web access
  
  Hello all,

  Sorry for the OT, but I'm a bit at a loss on parts of the big move.  As I've
  said in the past, I'm in the process of moving our student population from
  eDirectory to Active Directory.  We've overcome several hurdles up to this
  point.  Our next big one is how to give access to our students' files via a
  web browser and also a way to host their own web pages.  Currently we
  accomplish this via IUAdmin and apache services.  IUAdmin is not ported to
  the Windows platform and Apache for Windows has a few drawbacks.  I was
  wondering if there are any higher education folks out there that wouldn't
  mind talking with me about their environment.  To help give a better idea of
  what we do, I offer three web pages:

  Students can login to the following page and gain access to their files.
  http://locker.uky.edu

  The next link shows you some screenshots of what you would see if you logged
  in as bigtest.
  http://locker.uky.edu/help.htm

  Then of course we offer a way for them to publish their own webpages (the
  first link will show you where I get my signature):
  http://locker.uky.edu/~pglenn

  Thanks for any help even if it's just a pointer to another listserv

  Paul
  -- 
  *** "I've got a fever and the only prescription is more cowbell." --Christopher Walken ***

-- 
*** "I've got a fever and the only prescription is more cowbell." --Christopher Walken ***


RE: [ActiveDir] Question on rightsguid

2006-06-20 Thread joe
Oops correction here, I spaced for a second. The value for Property Sets in
validAccesses is a combination of ACTRL_DS_WRITE_PROP + ACTRL_DS_READ_PROP
so the value is 32 + 16 or 48, not just 32.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 20, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on rightsguid

There are three things currently handled in the extended-rights container of
objectclass controlAccessRight. 

Validated Writes
Property Sets
Extended Rights

These are differentiated by the validAccesses attribute[1]. Quickly it lays
out like

Validated Writes have validAccess value of 8
Property Sets have validAccesses value of 32
Extended Rights have validAccess value of 256

While they are the same objectclass and in the same container, they are not
the same things. The attributeSecurityGUID is used to tie schema objects to
property sets. Validated Rights and Extended Rights are hardcoded into the
OS. While you could add those types of objects, you wouldn't get anything
out of the OS with them, you would need to write your application(s) to use
them.

Now there are some things that are a bit confusing... The rightsGuid of
"Add/Remove self as member" is the same as the member attribute's
schemaIDGUID. This means that if you don't use the correct access mask the
permission will not be written properly and many programs and scripts
(including several of mine) actually display this incorrectly. If the mask
is a CA grant/deny (control access) then the permission is for "Add/Remove
self as member", if the mask is anything else, it is the member schema
attribute. It gets even worse: the rightsGUID of
"Validated write to DNS host name" is also the rightsGUID of the property set
"DNS Host Name Attributes" AND the schemaIDGUID of the attribute
dNSHostName.

I've actually been meaning to blog this for a while now as I keep fielding
questions in email and the newsgroups about it. Seems like a lot of people
are actually really looking at that stuff finally. I reported the DNS GUIDs
item to MSFT back after K3 came out as I didn't think it was right. I still
don't think it is the right way to handle it but too late to change now. It
just adds a bunch of confusion to something that doesn't need the confusion
because it is already too confusing.


As for the second part... I have been asked that and actually people have
insisted it is a bug in my code so much that I did blog it.

http://blog.joeware.net/2005/12/17/173/

 

   joe

 


[1]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, June 19, 2006 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on rightsguid

All

I've been doing a little digging into AD and was wondering why the
rightsguid for the validated-spn and the self-membership validated
rights doesn't have objects in the schema with matching
attributesecurityguid values. Is it correct to assume that there
should be objects in the schema with attributesecurityguid values to
match each rightsguid values of each controlaccess object? Or is
rightsguid only really important for propertysets?

Also I noticed when I used joe's adfind to list objects which had the
rightsguid value from validated-dns-host-name, the filter listed the
same rightsguid value in a different format. i.e

adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd attributesecurityguid

was expanded as Transformed Filter:

(&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD))

I deduced G=47, r=72 etc..

Can anyone explain the above for me?

Cheers

M@
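An added worked example (my code, not joe's or adfind's) that reproduces the byte reordering behind the "G=47, r=72" observation and decodes the validAccesses values joe lists. It assumes the Win32 ACTRL_DS_* bit values named in the message and infers the escaping rule (ASCII letters and digits left bare, every other byte as \XX) from the transformed filter shown above.

```python
import re
import uuid

# Access-mask bits from the validAccesses attribute, as laid out in joe's
# message (Win32 ACTRL_DS_* values; ACTRL_DS_SELF marks validated writes).
ACTRL_DS_SELF = 0x8
ACTRL_DS_READ_PROP = 0x10
ACTRL_DS_WRITE_PROP = 0x20
ACTRL_DS_CONTROL_ACCESS = 0x100


def classify_control_access_right(valid_accesses: int) -> str:
    """Name the kind of controlAccessRight object from its validAccesses.

    Validated writes carry 8, property sets carry READ_PROP + WRITE_PROP (48,
    per joe's correction), extended rights carry 256.  Anything else is
    reported as unknown rather than guessed at.
    """
    if valid_accesses == ACTRL_DS_SELF:
        return "validated write"
    if valid_accesses == ACTRL_DS_READ_PROP | ACTRL_DS_WRITE_PROP:
        return "property set"
    if valid_accesses == ACTRL_DS_CONTROL_ACCESS:
        return "extended right"
    return f"unknown (0x{valid_accesses:x})"


def guid_to_ldap_filter_value(guid_text: str) -> str:
    """Render a dashed GUID the way the transformed adfind filter shows it.

    attributeSecurityGUID (like schemaIDGUID) holds the 16 raw bytes of the
    Windows GUID structure, so the first three groups are little-endian;
    uuid.bytes_le yields exactly that order.  Each byte is written as \\XX
    except ASCII letters and digits, which stay bare: 0x47 -> 'G',
    0x72 -> 'r', 0x4F -> 'O'.  (Escaping rule inferred from the filter text.)
    """
    out = []
    for b in uuid.UUID(guid_text).bytes_le:
        ch = chr(b)
        out.append(ch if ch.isascii() and ch.isalnum() else f"\\{b:02X}")
    return "".join(out)


def ldap_filter_value_to_guid(filter_value: str) -> str:
    """Inverse: recover the dashed GUID from the escaped filter text."""
    raw = bytearray()
    for tok in re.findall(r"\\[0-9A-Fa-f]{2}|.", filter_value):
        raw.append(int(tok[1:], 16) if tok.startswith("\\") else ord(tok))
    if len(raw) != 16:
        raise ValueError(f"expected 16 GUID bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=bytes(raw)))


if __name__ == "__main__":
    # The rightsGuid of Validated-DNS-Host-Name from Matheesha's command line.
    g = "72e39547-7b18-11d1-adef-00c04fd8d5cd"
    escaped = guid_to_ldap_filter_value(g)
    print(escaped)                              # G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD
    print(ldap_filter_value_to_guid(escaped))   # round-trips to the dashed GUID
    for v in (8, 48, 256):
        print(v, classify_control_access_right(v))
```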


[ActiveDir] Errors During Authoritative Restore

2006-06-20 Thread Joshua Coffman


I have a few questions for you AD gurus out there! :)
 
I just ran through a Disaster Recovery test of two of our ADs and I have a few questions which have come up as a result of the test.
 
Configuration Notes:
These boxes are Windows 2003, SP1.
The domains were originally Windows 2000 domains.
 
The following errors pop up on one of the domain controllers during the restore.
 
"Could not display the attribute type for the object with DNT 831424.Error: failed to get dn of dnt 831424"
This occurs many times throughout the restore.
 
NOTE: This is during a complete restore, e.g. "authoritative restore: restore database"
I also see a few of these.
 
"There was an error parsing the GUID from the file on line: 1981" (Not too many of these, maybe four or five)
 
Additionally, with SP1, LDIF files are created to restore back-links. The file that restores the user/group back-links imports successfully. The file that restores the configuration back-links fails. (sorry, I do not have the error handy)
 
The authoritative restore says it completed successfully, and after I go through metadata cleanup and FSMO seizure, the box starts up without any errors, and AD throws no errors on startup.
 
I was wondering if anyone can tell me what these errors mean? What are their ramifications? How can the errors be resolved?
 
Thanks,
 
Josh


Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Al Lilianstrom

joe wrote:

What do you see in the network trace? Is it attempting the connection? Is it
establishing the TCP/IP connection and then blowing out in the NetBIOS
handshake? Does it get through the handshake and then fail? 



I get a connection and then the access denied returned to the client.

SMB  Negotiate Protocol Request
SMB  Negotiate Protocol Response
SMB  Session Setup AndX Request
SMB  Session Setup AndX Response
SMB  Tree Connect AndX Request, Path: \\FBDC1\D$
SMB  Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
SMB  Logoff AndX Request
SMB  Logoff AndX Response, Error: STATUS_ACCESS_DENIED

I have a logon/logoff in the security log on the w2k3 DC.

al


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Tuesday, June 20, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

Al Mulnick wrote:
Denying access?  Hmm so logged on to the w2K machine you can't 
access the admin$ share of either of the DC's right?


Correct.

I can access any member server admin$ share from the w2k machine. I can 
access the w2k3 DC admin$ share from any other w2k3 machine in the domain.


I just can't access the w2k3 DC admin$ share from the w2k DC.

al

 
On 6/20/06, *Al Lilianstrom* <[EMAIL PROTECTED]> wrote:


Robert Rutherford wrote:
 > Hi,
 >
 > It does sound like our old pal DNS.
 >
 > If you run a dcdiag and netdiag, do they both run clean? If not then
 > please post the results.

Both clean. Every test I can think of comes up clean. The only real
symptom was in the original message - lack of admin access to the w2k3 DCs
from the w2k DC. Checking the event log on the w2k3 DC I see the
computer and user log in and out successfully. Just something denying
access.

 > If all is clean and it's a test environment then pull it and
clean it up
 > with ntdsutil et al.

Sounds like a fun way to spend the morning. :-)

   al

 > If it's a new situation then just replicate and see if you still have
 > the issue. I have always found a couple of hours helps many ills.
 >
 > BR
 >
 > Rob
 >
 > Robert Rutherford
 > QuoStar Solutions Limited
 >
 > The Enterprise Pavilion
 > Fern Barrow
 > Wallisdown
 > Poole
 > Dorset
 > BH12 5HH
 > T: +44 (0) 8456 440 331
 > F: +44 (0) 8456 440 332
 > M: +44 (0) 7974 249 494
 > E: [EMAIL PROTECTED]
 > W: www.quostar.com
 > -Original Message-
 > From: [EMAIL PROTECTED]
 > [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
 > Sent: 19 June 2006 20:52
 > To: ActiveDir@mail.activedir.org
 > Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

 >
 > I'm in the process of upgrading my test domain (empty root and 1 child)
 > to w2k3 R2 based DCs and (thanks to help from the friendly folks here)
 > am just about done. I have one last w2k dc left to remove. It doesn't
 > want to go peacefully.
 >
 > I moved the FSMO roles off and the next day tried to dcpromo it down to
 > a simple server. I get
 >
 > Managing the network session with FBDC1.fnal.gov failed
 >
 > "Access is denied. "
 > dcpromoui t:0x848 00479  Exit  State::GetFailureMessage The
 > operation failed because:
 >
 > Managing the network session with FBDC1.fnal.gov failed
 >
 > A quick check shows that I can't get to the admin shares of my new w2k3
 > dc/FSMO role holder from the w2k dc. I can get to the admin shares of
 > the other simple servers but not either of the 2 DCs. Other systems can
 > access the admin shares via the domain admin account I'm using on the
 > w2k DC.
 >
 > I've been searching and have found people having a similar problem when
 > promoting a w2k machine to be a DC but not when demoting. I've tried a
 > number of the things that were suggested in those articles and they have
 > had no effect.
 >
 > There is no firewall in the way. AD replication and FRS work.
 >
 > Any ideas before I rip it out?
 >
 >   al
 >

--

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED] 
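Added example, not from the thread: a small classifier for SMB summary lines of the kind Al posted, answering joe's question of which stage of the exchange fails. The first sample is Al's capture re-typed; the second is a constructed logon-failure capture for contrast, so the two outcomes (credentials rejected versus credentials accepted but the share denied) can be told apart.

```python
import re
from typing import List, Tuple

# Sample 1: the summary lines from Al's capture (re-typed from the message).
TRACE = """\
SMB  Negotiate Protocol Request
SMB  Negotiate Protocol Response
SMB  Session Setup AndX Request
SMB  Session Setup AndX Response
SMB  Tree Connect AndX Request, Path: \\\\FBDC1\\D$
SMB  Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
SMB  Logoff AndX Request
SMB  Logoff AndX Response, Error: STATUS_ACCESS_DENIED
"""

# Sample 2 (constructed, not from the thread): the session setup itself fails.
AUTH_FAILURE_TRACE = """\
SMB  Negotiate Protocol Request
SMB  Negotiate Protocol Response
SMB  Session Setup AndX Request
SMB  Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
"""

# The SMB1 connection setup joe asked about, in order.  A failure at each
# stage points at a different layer.
STAGES = [
    ("Negotiate Protocol", "dialect/transport negotiation"),
    ("Session Setup AndX", "authentication (user/computer logon)"),
    ("Tree Connect AndX", "authorization to the share itself"),
]

LINE_RE = re.compile(
    r"^SMB\s+(?P<cmd>.+?) (?P<kind>Request|Response)"
    r"(?:, Path: (?P<path>\S+))?(?:, Error: (?P<err>\S+))?\s*$"
)


def parse_trace(text: str) -> List[dict]:
    """Turn summary lines into dicts with cmd/kind/path/err; skip anything else."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append(m.groupdict())
    return frames


def diagnose(text: str) -> Tuple[str, str, str]:
    """Return (failed_stage, error, meaning) for the first failing response.

    A stage counts as passed only if its response carries no error, so a
    denied Tree Connect after a clean Session Setup is reported as a share
    authorization problem, not an authentication one: the logon succeeded,
    which matches the logon/logoff pair Al sees in the DC's security log.
    """
    last_path = None
    for f in parse_trace(text):
        if f["path"]:
            last_path = f["path"]          # path travels in the request
        if f["kind"] != "Response":
            continue
        for cmd, meaning in STAGES:
            if f["cmd"] == cmd:
                if f["err"]:
                    target = f" for {last_path}" if last_path else ""
                    return cmd, f["err"], meaning + target
                break
    return "none", "", "connection setup completed without an error"


if __name__ == "__main__":
    print(diagnose(TRACE))
    print(diagnose(AUTH_FAILURE_TRACE))
```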

Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-20 Thread Brett Shirley
Two things ...

Secondly, it isn't just security groups, has anyone been hired or quit?

Firstly, the whole thing isn't big server vs. small server ... it is
whether you have any AD replicas, that includes having two DCs for the
same domain (assuming neither is NT4, then these DCs replicate the
domain), or having another domain in the same forest (it is a replica of
the global config/schema).

Cheers,
-BrettSh



On Tue, 20 Jun 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]  wrote:

> The decision is made by the IT pro of the needed recovery process.  I 
> would hope that any one of the folks on this list wouldn't just have an 
> image restore if they were a single DC but also a system state out there 
> as well.
> 
> You as the pro then make the appropriate recovery method... 
> authoritative restore throw back in the imagewhatever... if you 
> are running a single DC... you've gone through the permutations... you 
> know why you've chosen single DC over multiple DCs.. you have a plan.
> 
> Again... in the SBS space there is a camp that would argue that 
> introduction of multiple DCs takes away the flexibility of imaging that DC.
> 
> ...and in SBSland... who makes 10 new domain groups for heavens sake on 
> Tuesday?  We set this network up three years ago with the appropriate 
> security groups and OU structure and we honestly have not touched that 
> structure since.
> 
> I would argue as an IT pro... you will know the needs of your client and 
> have that decision tree mapped out of the ways you can DR that network.
> 
> As long as you can grab a part of that system state even if it's off an 
> old tape media... you can reinsert that (this is called the "Graveyard 
> Swing" by JeffM in SBSland).
> 
> When the need for DR hits you'll want options to go down that highway.. 
> not just one path.
> 
> Wyatt, David wrote:
> 
> > Now here's the problem.  The "just restore and resume approach" could 
> > be, in a very specific situation, a bad idea.  I'm sure everything 
> > would "work" as such, but as desired?
> >
> > After a backup is taken, new security principals might have been 
> > created in the domain. These security principals might be permissioned 
> > on certain resources e.g. file shares etc.  Now depending on when the 
> > image was taken and restored, it is *possible* the security principals 
> > no longer exist because the recovery has reverted to the image date, 
> > but their access rights might still exist. If the RID pool is not 
> > raised after a restore, new security principals created after 
> > the recovery might obtain identical security IDs (SIDs) and could have 
> > access to those objects, which was not originally intended.  So:
> >
> > Monday - image taken
> > Tuesday - 10 new domain groups created and assigned permissions to 
> > file server
> > Wednesday - need to recover DC as its crashed, restore image from 
> > Monday.  Now you have SIDs assigned on the file server but are not 
> > present on the domain.  When you create new security principals they 
> > could obtain identical SIDs to the ones belonging to the groups that 
> > were created on Tuesday.
> >
> > Would it not be prudent to raise the RID pool as part of your single 
> > DC recovery procedure?  I can't see what harm it would do anyway.
> >
> >
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
> > Sent: 20 Jun 2006 11:00
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory 
> > Server and Exchange Server
> >
> >
> > Hi David,
> >
> > Just restore and resume as it's a single DC.
> >
> > Cheers
> >
> > Rob
> >
> >
> > Robert Rutherford
> > QuoStar Solutions Limited
> > 
> > The Enterprise Pavilion
> > Fern Barrow
> > Wallisdown
> > Poole
> > Dorset
> > BH12 5HH
> >  T:  +44 (0) 8456 440 331   
> > F:   +44 (0) 8456 440 332   
> > M:   +44 (0) 7974 249 494   
> > E:  [EMAIL PROTECTED]   
> > W:  www.quostar.com 
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
> > Sent: 20 June 2006 10:38
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory 
> > Server and Exchange Server
> >
> >
> > To all single DC folks - when you perform a restore of your single DC 
> > from an image, as part of your procedure do you increase the value of 
> > the RID pool or just restore and resume working?
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
> > Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> > Sent: 20 Jun 2006 1:03
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Ghost Backup or Image for Active Directory 
> > Server and Exchange Server
> >
> >
> > And you didn't go to Jeff Middleton's TechEd session on DR for Small
> > business 

Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-20 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Yeah we fired the guy who screwed up the AD on Monday



Brett Shirley wrote


Two things ...

Secondly, it isn't just security groups, has anyone been hired or quit?

Firstly, the whole thing isn't big server vs. small server ... it is
whether you have any AD replicas, that includes having two DCs for the
same domain (assuming neither is NT4, then these DCs replicate the
domain), or having another domain in the same forest (it is a replica of
the global config/schema).

Cheers,
-BrettSh



On Tue, 20 Jun 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]  wrote:

 

The decision is made by the IT pro of the needed recovery process.  I 
would hope that any one of the folks on this list wouldn't just have an 
image restore if they were a single DC but also a system state out there 
as well.


You as the pro then make the appropriate recovery method... 
authoritative restore throw back in the imagewhatever... if you 
are running a single DC... you've gone through the permutations... you 
know why you've chosen single DC over multiple DCs.. you have a plan.


Again... in the SBS space there is a camp that would argue that 
introduction of multiple DCs takes away the flexibility of imaging that DC.


...and in SBSland... who makes 10 new domain groups for heavens sake on 
Tuesday?  We set this network up three years ago with the appropriate 
security groups and OU structure and we honestly have not touched that 
structure since.


I would argue as an IT pro... you will know the needs of your client and 
have that decision tree mapped out of the ways you can DR that network.


As long as you can grab a part of that system state even if it's off an 
old tape media... you can reinsert that (this is called the "Graveyard 
Swing" by JeffM in SBSland).


When the need for DR hits you'll want options to go down that highway.. 
not just one path.


Wyatt, David wrote:

   

Now here's the problem.  The "just restore and resume approach" could 
be, in a very specific situation, a bad idea.  I'm sure everything 
would "work" as such, but as desired?


After a backup is taken, new security principals might have been 
created in the domain. These security principals might be permissioned 
on certain resources e.g. file shares etc.  Now depending on when the 
image was taken and restored, it is *possible* the security principals 
no longer exist because the recovery has reverted to the image date, 
but their access rights might still exist. If the RID pool is not 
raised after a restore, new security principals created after 
the recovery might obtain identical security IDs (SIDs) and could have 
access to those objects, which was not originally intended.  So:


Monday - image taken
Tuesday - 10 new domain groups created and assigned permissions to 
file server
Wednesday - need to recover DC as its crashed, restore image from 
Monday.  Now you have SIDs assigned on the file server but are not 
present on the domain.  When you create new security principals they 
could obtain identical SIDs to the ones belonging to the groups that 
were created on Tuesday.


Would it not be prudent to raise the RID pool as part of your single 
DC recovery procedure?  I can't see what harm it would do anyway.





-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford

Sent: 20 Jun 2006 11:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory 
Server and Exchange Server



Hi David,

Just restore and resume as it's a single DC.

Cheers

Rob


Robert Rutherford
QuoStar Solutions Limited
   
The Enterprise Pavilion

Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:  +44 (0) 8456 440 331   
F:   +44 (0) 8456 440 332   
M:   +44 (0) 7974 249 494   
E:  [EMAIL PROTECTED]   
W:  www.quostar.com 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: 20 June 2006 10:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory 
Server and Exchange Server



To all single DC folks - when you perform a restore of your single DC 
from an image, as part of your procedure do you increase the value of 
the RID pool or just restore and resume working?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Sent: 20 Jun 2006 1:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ghost Backup or Image for Active Directory 
Server and Exchange Server



And you didn't go to Jeff Middleton's TechEd session on DR for Small
business did you?

We're a single DC folks.. hello... it works.

We're not enterprise and that means best practices for you are not best
practices for us.

Acronis works.

Big boys can't image DCs.. we can.  We're little..we're agile and we can
do it.

Big server land can't ...and that's f
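Added example, not from the thread: a deliberately simplified model of David Wyatt's Monday/Tuesday/Wednesday scenario, with a bare counter standing in for real RID pool allocation and a constructed domain SID. It shows how restoring the image lets principals created afterwards inherit SIDs still present on the file server's ACLs, and how raising the RID pool before creating anything avoids the collision.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample


@dataclass
class Domain:
    """Stand-in for a single DC: its principals plus the next RID to hand out.

    Real DCs draw RIDs from pools issued by the RID master; a plain counter is
    enough to show why rolling the DC back to an image matters.
    """
    next_rid: int = 1100
    principals: Dict[str, str] = field(default_factory=dict)  # sid -> name

    def create(self, name: str) -> str:
        sid = f"{DOMAIN_SID}-{self.next_rid}"
        self.next_rid += 1
        self.principals[sid] = name
        return sid

    def snapshot(self) -> "Domain":
        """What an image captures: the principals and the allocation state."""
        return Domain(self.next_rid, dict(self.principals))

    def raise_rid_pool(self, by: int = 100000) -> None:
        """The step Wyatt asks about: skip past RIDs that may already be in use."""
        self.next_rid += by


@dataclass
class FileServer:
    """A resource outside the DC whose ACLs are not rolled back with the image."""
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # share -> SIDs

    def grant(self, share: str, sid: str) -> None:
        self.acl.setdefault(share, set()).add(sid)

    def unintended_access(self, domain: Domain, intended: Dict[str, str]) -> List[str]:
        """ACL entries that now resolve to a different principal than was granted.

        SIDs that resolve to nothing are merely orphaned; the dangerous case is
        a SID that resolves to a *new* principal, which silently inherits the
        old grant.
        """
        issues = []
        for share, sids in self.acl.items():
            for sid in sids:
                now = domain.principals.get(sid)
                if now is not None and now != intended[sid]:
                    issues.append(
                        f"{share}: {sid} granted to {intended[sid]}, now resolves to {now}"
                    )
        return sorted(issues)


def run_scenario(raise_pool: bool) -> List[str]:
    live = Domain()
    fs = FileServer()
    intended: Dict[str, str] = {}

    monday_image = live.snapshot()                 # Monday: image taken

    for i in range(10):                            # Tuesday: 10 new groups, permissioned
        sid = live.create(f"Project{i}-Admins")
        fs.grant("\\\\FILESRV\\Projects", sid)
        intended[sid] = f"Project{i}-Admins"

    restored = monday_image                        # Wednesday: crash, image restored
    if raise_pool:
        restored.raise_rid_pool()

    for name in ("Interns", "Contractors"):        # ordinary provisioning after recovery
        restored.create(name)

    return fs.unintended_access(restored, intended)


if __name__ == "__main__":
    print("restore and resume:", run_scenario(raise_pool=False))
    print("restore, raise RID pool:", run_scenario(raise_pool=True))
```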

Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Al Mulnick
I'm with joe on getting that network trace.  I'm curious if replication has been working and if you made any adjustments for having a windows 2000 dc in a W2K3 environment? Any other applications? 
 
On 6/20/06, joe <[EMAIL PROTECTED]> wrote:
What do you see in the network trace? Is it attempting the connection? Is it
establishing the TCP/IP connection and then blowing out in the NetBIOS
handshake? Does it get through the handshake and then fail?

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

Re: [ActiveDir] Errors During Authoritative Restore

2006-06-20 Thread Brett Shirley
Do you have any schema extensions applied?  Do you know if those schemas
added any LDAP naming attributes?  If the 2nd question doesn't make sense
to you, I'll figure out a way you can query this, and send it to us.

Aside, it is generally not recommended to run "restore database".  In fact
this command was removed from Longhorn.

If you decide to retry that scenario again, I can suggest some
intermediate steps that would be good to know.  i.e.

1. Before running auth restore, it would be interesting to know the results of an
esentutl /k ntds.dit (checksum the database).

2. After auth restore, it would be good to know if the database is
logically consistent from ESE's perspective (do this via "esentutl /g
ntds.dit").

3. Also after, we'd want to know it is logically consistent from AD's perspective (do
this via the exact command line provided:
ntdsutil "sem data anal" "go" "q" "q").

Cheers,
BrettSh [msft]
Ex-Building 7 Garage Door Operator


On Tue, 20 Jun 2006, Joshua Coffman wrote:

> I have a few questions for you AD gurus out there! :)
>
>  I just ran through a Disaster Recovery test of two of our ADs and I
> have a few questions which have come up as a result of the test.
>  
> Configuration Notes:
> These boxes are Windows 2003, SP1.
> The domains were originally Windows 2000 domains.
>
>  The following errors pop up on one of the domain controllers during
> the restore.
>
>  "Could not display the attribute type for the object with DNT
> 831424.Error: failed to get dn of dnt 831424" This occurs many times
> throughout the restore.
>
>  NOTE: This is during a complete restore, e.g. "authoritative restore:
> restore database" I also see a few of these.
>
> "There was an error parsing the GUID from the file on line: 1981" (Not
> too many of these, maybe four or five)
>
>  Additionally, with SP1, LDIF files are created to restore back-links.
> The file that restores the user/group back-links imports successfully.
> The file that restores the configuration back-links fails. (sorry, I
> do not have the error handy)
>
>  The authoritative restore says it completed successfully, and after I
> go through metadata cleanup and FSMO seizure, the box starts up
> without any errors, and AD throws no errors on startup.
>
>  I was wondering if anyone can tell me what these errors mean? What
> are their ramifications? How can the errors be resolved?
>  
> Thanks,
>  
> Josh

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
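A script that runs the three checks Brett lists around an authoritative restore and keeps each tool's output in a log so it can be posted back. This is an added example, not code from the thread or from Microsoft; it assumes the default ntds.dit path below, that esentutl exits 0 when /k or /g finds nothing wrong, and that it is run in Directory Services Restore Mode (or with AD DS stopped), since both tools need the database file offline.

```powershell
# Added example (not from the thread): wraps Brett's esentutl /k, esentutl /g
# and ntdsutil "sem data anal" checks. Assumptions: default ntds.dit path,
# esentutl exit 0 = clean, and the DC is in DSRM or has AD DS stopped.
param(
    [string]$DitPath = 'C:\Windows\NTDS\ntds.dit',   # assumed default location
    [ValidateSet('before', 'after')][string]$Phase = 'before',
    [string]$LogDir = "$env:TEMP\ad-restore-checks"
)

New-Item -ItemType Directory -Force -Path $LogDir | Out-Null

function Invoke-Check {
    param([string]$Name, [string]$Exe, [string[]]$ArgList, [switch]$TrustExitCode)
    $log = Join-Path $LogDir "$Phase-$Name.log"
    # Capture stdout and stderr to a log so the raw tool output survives.
    & $Exe @ArgList 2>&1 | Tee-Object -FilePath $log | Out-Null
    $code = $LASTEXITCODE
    if (-not $TrustExitCode) {
        # ntdsutil's exit code is not a reliable verdict; the log must be read.
        Write-Host ("{0,-10} REVIEW LOG  (exit {1}): {2}" -f $Name, $code, $log)
        return $true
    }
    $ok = ($code -eq 0)   # assumption: non-zero exit means esentutl found a problem
    Write-Host ("{0,-10} {1}  (exit {2}): {3}" -f $Name, $(if ($ok) { 'OK' } else { 'FAILED' }), $code, $log)
    return $ok
}

if (-not (Test-Path $DitPath)) { throw "ntds.dit not found at $DitPath" }
# The NTDS service only exists as a stoppable service on 2008+; on 2003 this is $null.
$ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
if ($ntds -and $ntds.Status -eq 'Running') {
    throw 'AD DS is running; boot into DSRM or stop the NTDS service first'
}

$allOk = $true
# Step 1 (before the restore): ESE page checksums, Brett's "esentutl /k ntds.dit".
$allOk = (Invoke-Check 'checksum' 'esentutl.exe' @('/k', $DitPath) -TrustExitCode) -and $allOk

if ($Phase -eq 'after') {
    # Step 2: ESE logical consistency, "esentutl /g ntds.dit".
    $allOk = (Invoke-Check 'integrity' 'esentutl.exe' @('/g', $DitPath) -TrustExitCode) -and $allOk
    # Step 3: AD-level consistency, the exact ntdsutil line from the thread.
    $allOk = (Invoke-Check 'semantic' 'ntdsutil.exe' @('sem data anal', 'go', 'q', 'q')) -and $allOk
}

if (-not $allOk) {
    Write-Warning "A $Phase-restore check failed; read the logs in $LogDir before going further"
    exit 1
}
Write-Host "All $Phase-restore checks passed (logs in $LogDir)"
```

Run it once with `-Phase before` ahead of the authoritative restore and again with `-Phase after`, then attach the logs from `$LogDir` to the report.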


[ActiveDir] Servers or Workstations

2006-06-20 Thread John Strongosky
 
Hey all,

  I thought I had our AD migration plan as we were going to do workstations
first but I'm having second thoughts. I think we should do servers first
then workstations. Could I have your thoughts on this?

Thanks

john
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Al Lilianstrom

Al Mulnick wrote:
I'm with joe on getting that network trace.  I'm curious if replication 
has been working and if you made any adjustments for having a windows 
2000 dc in a W2K3 environment? Any other applications?




Replication is working - both AD and FRS. GPOs apply. Everything seems 
to work except for the ability to access the admin$ share on the w2k3 
DCs so that I can demote the machine cleanly and remove it from the domain.


The trace is in my message sent around 11:00am Central.

No other apps running.

 
On 6/20/06, *joe* <[EMAIL PROTECTED]> wrote:


What do you see in the network trace? Is it attempting the
connection? Is it
establishing the TCP/IP connection and then blowing out in the NetBIOS
handshake? Does it get through the handshake and then fail?


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
Sent: Tuesday, June 20, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

Al Mulnick wrote:
 > Denying access?  Hmm so logged on to the w2K machine you can't
 > access the admin$ share of either of the DC's right?

Correct.

I can access any member server admin$ share from the w2k machine. I can
access the w2k3 DC admin$ share from any other w2k3 machine in the
domain.

I just can't access the w2k3 DC admin$ share from the w2k DC.

   al

 >
 > On 6/20/06, *Al Lilianstrom* <[EMAIL PROTECTED]> wrote:
 >
 > Robert Rutherford wrote:
 >  > Hi,
 >  >
 >  > It does sound like our old pal DNS.
 >  >
 >  > If you run a dcdiag and netdiag, do they both run clean? If not then
 >  > please post the results.
 >
 > Both clean. Every test I can think of comes up clean. The only real
 > symptom was in the original message - lack of admin access to the w2k3 DCs
 > from the w2k DC. Checking the event log on the w2k3 DC I see the
 > computer and user log in and out successfully. Just something denying
 > access.
 >
 >  > If all is clean and it's a test environment then pull it and
 >  > clean it up with ntdsutil et al.
 >
 > Sounds like a fun way to spend the morning. :-)
 >
 >al
 >
 >  > If it's a new situation then just replicate and see if you still have
 >  > the issue. I have always found a couple of hours helps many ills.
 >  >
 >  > BR
 >  >
 >  > Rob
 >  >
 >  > Robert Rutherford
 >  > QuoStar Solutions Limited
 >  >
 >  > The Enterprise Pavilion
 >  > Fern Barrow
 >  > Wallisdown
 >  > Poole
 >  > Dorset
 >  > BH12 5HH
 >  > T: +44 (0) 8456 440 331
 >  > F: +44 (0) 8456 440 332
 >  > M: +44 (0) 7974 249 494
 >  > E: [EMAIL PROTECTED]
 >  > W: www.quostar.com
 >  >
 >  > -Original Message-
 >  > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
 >  > Sent: 19 June 2006 20:52
 >  > To: ActiveDir@mail.activedir.org
 >  > Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
 >  >
 >  > I'm in the process of upgrading my test domain (empty root and 1 child)
 >  > to w2k3 R2 based DCs and (thanks to help from the friendly folks here)
 >  > am just about done. I have one last w2k dc left to remove. It doesn't
 >  > want to go peacefully.
 >  >
 >  > I moved the FSMO roles off and the next day tried to dcpromo it down to
 >  > a simple server. I get
 >  >
 >  > Managing the network session with FBDC1.fnal.gov failed
 >  >
 >  > "Access is denied. "
 >  > dcpromoui t:0x848 00479  Exit  State::GetFailureMessage The

Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Al Mulnick
Shot in the dark, but can you reboot the 2K dc and try again/check for errors? 
 
 
On 6/20/06, Al Lilianstrom <[EMAIL PROTECTED]> wrote:

Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-20 Thread Al Lilianstrom

Al Mulnick wrote:
Shot in the dark, but can you reboot the 2K dc and try again/check for 
errors?


I've done that a few times when I was trying to make sure there wasn't a 
GPO with an incorrect setting causing the problem.


al

 
On 6/20/06, *Al Lilianstrom* <[EMAIL PROTECTED]> wrote:


Al Mulnick wrote:
 > I'm with joe on getting that network trace.  I'm curious if replication
 > has been working and if you made any adjustments for having a windows
 > 2000 dc in a W2K3 environment? Any other applications?
 >

Replication is working - both AD and FRS. GPOs apply. Everything seems
to work except for the ability to access the admin$ share on the w2k3
DCs so that I can demote the machine cleanly and remove it from the domain.

The trace is in my message sent around 11:00am Central.

No other apps running.

 >
 > On 6/20/06, *joe* <[EMAIL PROTECTED]> wrote:
 >
 > What do you see in the network trace? Is it attempting the
 > connection? Is it
 > establishing the TCP/IP connection and then blowing out in the NetBIOS
 > handshake? Does it get through the handshake and then fail?
 >
 >
 > --
 > O'Reilly Active Directory Third Edition -
 > http://www.joeware.net/win/ad3e.htm
 >
 >
 > -Original Message-
 > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
 > Sent: Tuesday, June 20, 2006 10:53 AM
 > To: ActiveDir@mail.activedir.org
 > Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
 >
 > Al Mulnick wrote:
 >  > Denying access?  Hmm so logged on to the w2K machine you can't
 >  > access the admin$ share of either of the DC's right?
 >
 > Correct.
 >
 > I can access any member server admin$ share from the w2k machine. I can
 > access the w2k3 DC admin$ share from any other w2k3 machine in the
 > domain.
 >
 > I just can't access the w2k3 DC admin$ share from the w2k DC.
 >
 >al
 >
 >  >
 >  > On 6/20/06, *Al Lilianstrom* <[EMAIL PROTECTED]> wrote:
 >  >
 >  > Robert Rutherford wrote:
 >  >  > Hi,
 >  >  >
 >  >  > It does sound like our old pal DNS.
 >  >  >
 >  >  > If you run a dcdiag and netdiag, do they both run clean? If not then
 >  >  > please post the results.
 >  >
 >  > Both clean. Every test I can think of comes up clean. The only real
 >  > symptom was in the original message - lack of admin access to the w2k3 DCs
 >  > from the w2k DC. Checking the event log on the w2k3 DC I see the
 >  > computer and user log in and out successfully. Just something denying
 >  > access.
 >  >
 >  >  > If all is clean and it's a test environment then pull it and
 >  >  > clean it up with ntdsutil et al.
 >  >
 >  > Sounds like a fun way to spend the morning. :-)
 >  >
 >  >al
 >  >
 >  >  > If it's a new situation then just replicate and see if you still have
 >  >  > the issue. I have always found a couple of hours helps many ills.
 >  >  >
 >  >  > BR
 >  >  >
 >  >  > Rob
 >  >  >
 >  >  > Robert Rutherford
 >  >  > QuoStar Solutions Limited
 >  >  >
 >  >  > The Enterprise Pavilion
 >  >  > Fern Barrow
 >  >  > Wallisdown
 >  >  > Poole
 >  >  > Dorset
 >  >  > BH12 5HH
 >  >  >T:  +44 (0) 8456 440 331
 >  >  > F: +44 (0) 8456 440 332
 >  >  > M: +44 (0) 7974 249 494
 >  >  > E: [EMAIL PROTECTED]