RE: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
Thanks guys, really helpful. Didn't know how bad things can be with those huge groups... like paged pool memory issues.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, July 12, 2006 4:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

Just noticed that we both referred to the same token limitation article. It's easy to find when you know what to look for. If you do a search in Google for "Token limitation" it's the first item that pops up.
RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau
So we can defend our security infras using either of 2 vapourware solutions now :) cool! Mr Tandon was there before you tho, joe :-^

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 03:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Gotta love that signature Tony... I promise not to disclose this information to anyone.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 11, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [List Owner] OOFs from Steven Comeau

Hi all

I have temporarily suspended Steven Comeau's subscription, which should stop the out of office replies hitting the list.

Tony

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it.
Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
[ActiveDir] Multihomed Domain Controllers
Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc.? Any other "gotchas"?

Many Thanks,
---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error. Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.
RE: [ActiveDir] Multihomed Domain Controllers
No issues, if you...

Go to the TCP/IP settings of the backup network card, click Advanced, go to the DNS tab and untick "register the connection in DNS".

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers
Re: [ActiveDir] Multihomed Domain Controllers
There were known issues with NT 4.0 with WINS resolution, for when WINS packets were lost trying to return through the 2nd NIC using multi-homed DCs. But I have heard that this isn't the case in Windows 2000/2003. Otherwise you are probably OK, but double-check DNS as well per the other email.

Regards,
Chuck
RE: [ActiveDir] Multihomed Domain Controllers
I'd search around and do some research and testing. A quick Google search uncovered this within seconds... http://support.microsoft.com/?id=832478

The browser service is notoriously flaky in multi-homed environments, too.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers
RE: [ActiveDir] Multihomed Domain Controllers
You might want to then create entries in the hosts file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers
Re: [ActiveDir] Multihomed Domain Controllers
Looks like SP1 fixes the DNS issue by replacing a few DNS files -- At this point Windows 2003 SP1 should be a minimum.

Good find - Chuck
Re: [ActiveDir] Multihomed Domain Controllers
You may want to configure one default gateway on your primary network interface and then configure the other NIC's routing (leave default gateway blank) in the local routing table, else you can have loads of fun based on metrics and LAN speeds.

Mark

-Original Message-
From: [EMAIL PROTECTED]
Date: Wed, 12 Jul 2006 07:28:01
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers
RE: [ActiveDir] Moving a Certificate Authority
How about a P to V process to move the physical server to a virtual server, then perform the upgrade. When I hear "slow", I assume you are concerned about the hardware. The idea is to keep the original server and just turn it off once you P to V it. Of course you need a virtualization solution and a P2V solution.

Personally I am a fan of rebuilding from scratch and keeping the same name. I haven't done a CA upgrade to 2003, but most Microsoft network services run JET. In my experiences with JET services, you can install the new service, stop it, delete the new database, then just copy the older formatted database to the same location, then start the database. When the service initially runs, it will convert the old database to the new format. From what I read about below, I am not sure what the impact would be with the templates and registry settings though.

If this makes no sense it is because I haven't had my coffee.

Todd

From: Kevin Brunson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 12:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

The other advantage to doing it this way, now that I think about it, is a little clearer recovery path if everything blows up. A system state restore on your old CA and an authoritative restore on AD should (please everyone check me on this) get you back where you were without having to reload the original un-upgraded OS on your original CA.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 8:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3? That way you don't have to worry about the hardware not supporting 2003 or something terrible like that. Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to:

1) Upgrade the old DC to 2k3
2) Backup the CA and the registry key as stated in the KB298138 article.
3) Remove the CA services, demote server and rename it.
4) Promote a 2k3 server with the same name as the old DC and install the CA services.
5) Restore the CA data and registry key
6) Cross my fingers and hope that I have a CA once again

I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 (this would be temporary) and then move to another 2k3 server. I know that you said that the HW was old - but perhaps a temporary sloow 2k3 machine?

You should keep the hostname the same - if you took the defaults for install (90% of CAs out there) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same.

I think that the article doesn't mention moving to a new name, because it would vary from customer to customer and cause more trouble than it's worth.

my .02
steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority

As part of my on-going journey into upgrading a 2000 domain to 2003, I've run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller. I have found a couple KB articles that seem to put me down a good path, but then don't pan out. Here is the situation: I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native. However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible so it will need to be
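Ben's step 2 (back up the CA database and the CertSvc registry key, as the KB298138 article describes) and Steve's warning that issued certificates hardcode the CA host name in their CDP/AIA URLs, as an added PowerShell example that is not from any poster in this thread. It assumes a Windows Server CA host with the built-in certutil.exe and reg.exe; the backup path C:\CABackup and the old host name OLDDC01 are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumed values below; change them for your CA.
$BackupDir = 'C:\CABackup'   # assumed backup location on a volume you will keep
$OldCaHost = 'OLDDC01'       # assumed name of the CA host being replaced

function Backup-CaState {
    # Step 2 of Ben's list: CA database and key via certutil, plus the CertSvc
    # configuration key (CA name, URL templates, policy settings) via reg.exe.
    param([string]$Path = $BackupDir)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # certutil -backup prompts for a password that protects the exported CA key
    & certutil.exe -backup $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }
    $regFile = Join-Path $Path 'certsvc-config.reg'
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y
    if ($LASTEXITCODE -ne 0) { throw "registry export failed with exit code $LASTEXITCODE" }
    # Return what was written so the caller can confirm the backup is not empty
    Get-ChildItem -Path $Path -Recurse -File | Select-Object FullName, Length
}

function Get-CaHostReferences {
    # Steve's point: every certificate whose CDP or AIA URL names the old host
    # loses revocation checking and chain building if that name goes away.
    param([string]$HostName = $OldCaHost, [string]$StorePath = 'Cert:\LocalMachine\My')
    $wanted = 'CRL Distribution Points', 'Authority Information Access'
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.FriendlyName -notin $wanted) { continue }
            # Format($true) renders the extension as multi-line text containing "URL=..." entries
            $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }
            foreach ($url in $urls) {
                if ($url -match [regex]::Escape($HostName)) {
                    [pscustomobject]@{
                        Subject    = $cert.Subject
                        Thumbprint = $cert.Thumbprint
                        Extension  = $ext.Oid.FriendlyName
                        Url        = $url
                    }
                }
            }
        }
    }
}

Backup-CaState | Format-Table -AutoSize
# An empty list here means nothing in this store depends on the old name; a
# non-empty one is the reason to keep the host name through the rebuild.
Get-CaHostReferences | Format-Table -AutoSize
```

Run Get-CaHostReferences against other stores (for example Cert:\CurrentUser\My on a workstation) to see the same dependency from the client side.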
RE: [ActiveDir] Multihomed Domain Controllers
Hi Guys,

Many thanks to all that have responded (and so quickly!)

Points / clarifications / additional Qs:

a) DNS multihomed issues - Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.
b) Browser issues - Several things in MS KB about this and fixes (including hacking a registry if I remember correctly). But would Browser issues affect AD operations - I'm talking about replication issues here?
c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry, should have stated this.
d) Backup - Using BackupExec, which allows binding of remote agents to specific NICs.

Have I got everything covered - I can't believe this is an unusual configuration?

Many Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers
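The three settings the thread converges on (Rob's "do not register this connection in DNS", Mark's single default gateway with the backup NIC routed by a specific entry, and Jeff's blank DNS/gateway on the second NIC), applied and then verified, as an added PowerShell example that is not from any poster. It assumes a Windows Server 2012 or later DC with the DnsClient and NetTCPIP modules, a backup NIC whose interface alias is 'Backup', and a backup subnet 10.99.0.0/16 reached via 10.99.1.1 (all assumed values).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumed values below; adjust for your DC.
$BackupNic     = 'Backup'       # assumed interface alias of the backup-only NIC
$BackupSubnet  = '10.99.0.0/16' # assumed backup network
$BackupNextHop = '10.99.1.1'    # assumed router on the backup network

function Set-BackupNicIsolation {
    # Rob's step: the backup NIC's address must never be registered in DNS,
    # otherwise clients and replication partners may pick the unreachable address.
    Set-DnsClient -InterfaceAlias $BackupNic -RegisterThisConnectionsAddress $false

    # Jeff's step: no DNS servers on the backup NIC, so it is never used for resolution.
    Set-DnsClientServerAddress -InterfaceAlias $BackupNic -ResetServerAddresses

    # Mark's step: exactly one default gateway, on the production NIC. Remove any
    # 0.0.0.0/0 route bound to the backup NIC and reach the backup network by a
    # specific route instead, so metrics and link speed cannot flip traffic over.
    Get-NetRoute -InterfaceAlias $BackupNic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    $existing = Get-NetRoute -InterfaceAlias $BackupNic -DestinationPrefix $BackupSubnet -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetRoute -DestinationPrefix $BackupSubnet -InterfaceAlias $BackupNic -NextHop $BackupNextHop | Out-Null
    }

    # Re-register the remaining (production) address so a stale backup-NIC record is refreshed.
    Register-DnsClient
}

function Test-DcDnsRegistration {
    # Returns every A record for this DC's host name, and for the domain name, that
    # still carries a backup-NIC address. Netlogon registers the domain A record
    # on its own, independent of the per-NIC checkbox, so both names are checked.
    $backupIps = @((Get-NetIPAddress -InterfaceAlias $BackupNic -AddressFamily IPv4).IPAddress)
    $domain    = (Get-CimInstance Win32_ComputerSystem).Domain
    $names     = @("$env:COMPUTERNAME.$domain", $domain)
    foreach ($name in $names) {
        Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -in $backupIps } |
            ForEach-Object { [pscustomobject]@{ Name = $name; LeakedAddress = $_.IPAddress } }
    }
}

Set-BackupNicIsolation
$leaks = @(Test-DcDnsRegistration)
if ($leaks.Count -gt 0) {
    $leaks | Format-Table -AutoSize
    Write-Warning "Backup NIC address still present in DNS; check Netlogon registration and the other DCs."
} else {
    Write-Host "No backup-NIC address registered in DNS for this DC."
}
```

Run the verification part again after the next Netlogon registration cycle (or a restart of the Netlogon service) before trusting the result, because the domain A record is only rewritten when Netlogon re-registers.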
RE: [ActiveDir] Multihomed Domain Controllers
I've used the same configuration in a number of relatively sizeable sites (2000+ user base) with no issues as the guys state.. just trial it.

Cheers
Rob

Robert Rutherford
QuoStar Solutions Limited

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 13:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers
Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
Good news is, if you look around on the Exchange team blog site, you'll find articles about Exchange 2007 on 64-bit Windows (it's not going to support a 32-bit OS) and basically the paged pool memory issue goes away completely (lots more room for that stuff when we're talking about 64-bit addressing). Only problem with that is that you have to make sure that your spam filtering and antivirus software will support it. Once you have your antivirus and spam support for Exchange 2007, I honestly can't think of a good reason to stick with Exchange 2000 or 2003 any more.

On 7/12/06, Freddy HARTONO [EMAIL PROTECTED] wrote:
RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau
Neal, you totally misunderstood. I said DO NOT READ that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/. And then if you read the blog on Defending Security Infrastructures, I asked for you to comment to the blog your thoughts on Defending Security Infrastructures.

This is neither the time to discuss Defending Security Infrastructures nor the place to discuss Defending Security Infrastructures. I personally haven't fully stepped into the Defending Security Infrastructures space yet, though if I did I would probably look to the fine folks at NetPro and Quest first to see their ideas on Defending Security Infrastructures, and of course I would be obligated to look at Microsoft's Defending Security Infrastructures solutions and also, as mentioned in one of the blog comments, a key portion of the Defending Security Infrastructures solution would be GPOs so I would look to GPOGuy for Defending Security Infrastructures products as well.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau
Re: [ActiveDir] Multihomed Domain Controllers
Personally, I've never used that configuration for a DC. Since being bitten in the NT 4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration.

Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements" rule? Most likely.

When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DCs.

Just some random thoughts and my $.04 (USD) worth.

Al

On 7/12/06, Jeff Green [EMAIL PROTECTED] wrote:

Hi Guys,

Many thanks to all that have responded (and so quickly!)

Points / clarifications / additional Qs:

a) DNS multihomed issues: Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.
b) Browser issues: Several things in the MS KB about this and fixes (including hacking a registry if I remember correctly). But would Browser issues affect AD operations? I'm talking about replication issues here.
c) Currently running W2K SP4 + rollups on all DCs, but moving to W2K3. Sorry, should have stated this.
d) Backup: Using BackupExec, which allows binding of remote agents to specific NICs.

Have I got everything covered? I can't believe this is an unusual configuration?

Many Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc? Any other gotchas?

Many Thanks,
---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error.
Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.
RE: [ActiveDir] Multihomed Domain Controllers
I guess that is very true... on reflection I was using the separate connection situation on satellite sites, where the DC did have Backup Exec loaded.. I hear you *gasp*

Cheers

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 12 July 2006 14:36
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

<snip>
Re: [ActiveDir] Multihomed Domain Controllers
Depends on your support engineers... multihomed DCs are quite typical to the SBS CSS engineer :-)

The KB in the 2000 era that we had tattooed to our foreheads due to our two-NIC DCs was this one: http://support.microsoft.com/default.aspx?scid=kb;en-us;292822

Al Mulnick [EMAIL PROTECTED] wrote:

<snip>
RE: [ActiveDir] Rights for Authorizing DHCP Server
Thanks for all the responses on this guys!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, July 11, 2006 2:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rights for Authorizing DHCP Server

You will need EA rights. The admin needs write access in the Config partition so child domain DA rights will *not* suffice.

It is also possible to delegate the right: grant FC access in CN=NetServices,CN=Services,CN=Configuration,DC=xxx,DC=yyy using adsiedit or similar.

hth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: 10 July 2006 19:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rights for Authorizing DHCP Server

I seem to be finding conflicting posts and articles on this subject. Are Enterprise Admin rights required to authorize a DHCP server in a child domain? Can a Domain Admin authorize a DHCP server in his own child domain?

Thanks all!

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE: The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it.

Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
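The delegation Neil describes (full control on the NetServices container of the Configuration partition, so that a non-EA account can authorize DHCP servers) can be scripted and, more importantly, audited. The script below is an added example written for this page, not anything posted to the list. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, so not the W2K/W2K3 DCs in the thread), a group named "DHCP Authorizers" (an invented placeholder), and an account that is itself allowed to change the container's ACL. Without -Apply it only reports who currently holds full control there.

```powershell
# Added example (not from the ActiveDir thread): delegate and audit the right to
# authorize DHCP servers by granting Full Control on CN=NetServices in the
# Configuration NC, as described in the reply above.
# Assumptions: ActiveDirectory module present; group name is a placeholder.
param(
    [string]$Group = 'DHCP Authorizers',   # placeholder group, adjust to your own
    [switch]$Apply                          # without -Apply, report only
)

Import-Module ActiveDirectory

# Discover the Configuration naming context instead of hard-coding DC=xxx,DC=yyy
$configNc = (Get-ADRootDSE).configurationNamingContext
$dn       = "CN=NetServices,CN=Services,$configNc"
$trustee  = "$((Get-ADDomain).NetBIOSName)\$Group"

if ($Apply) {
    # dsacls: /G grants an ACE, GA = Generic All (Full Control),
    # /I:T = this object and all sub-objects.
    dsacls $dn /G "${trustee}:GA" /I:T | Out-Null
}

# Audit: every ACE on the container that carries Generic All. Compare with -band
# against the full mask, since GenericAll is a composite of all right bits.
$ga  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path "AD:\$dn"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $ga) -eq $ga)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Format-Table -AutoSize
```

Full control on that container is broader than the single "authorize a DHCP server" operation, so the audit output is the part worth keeping in a scheduled check: any identity listed there beyond Enterprise Admins and the delegated group should be explainable.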
RE: [ActiveDir] Multihomed Domain Controllers
The one gotcha I have seen (only once though) was that somehow multihoming a 2000 DC corrupted a couple of registry keys. I think KB 888048 appeared a few days after the 8 hour phone call with MS. Basically the DC no longer had a DNS name. Needless to say that caused problems. But as long as you know which registry keys to change if it goes bad, you should be fine. I have seen a multitude of multihomed domain controllers since with no issues.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: Wednesday, July 12, 2006 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

<snip>
Re: [ActiveDir] Multihomed Domain Controllers
Did you hear me giggle? Are you watching me?

Like I mentioned, keeping any solution as simple as possible will pay dividends later. If the solution requires two networks and a dual-homed DC, I have no qualms about doing that and I understand the amount of complexity that entails. I also accept that complexity by default if I have to go down that road.

Satellite links? Permanent ones? Or mobile? ;-)

On 7/12/06, Robert Rutherford [EMAIL PROTECTED] wrote:

<snip>
Re: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau
I see there is an opening for a CEO too!

-----Original Message-----
From: joe [EMAIL PROTECTED]
Date: Wed, 12 Jul 2006 09:26:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood. I said DO NOT READ that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/. And then if you read the blog on Defending Security Infrastructures, I asked for you to comment to the blog your thoughts on Defending Security Infrastructures. This is neither the time to discuss Defending Security Infrastructures nor the place to discuss Defending Security Infrastructures. I personally haven't fully stepped into the Defending Security Infrastructures space yet, though if I did I would probably look to the fine folks at NetPro and Quest first to see their ideas on Defending Security Infrastructures, and of course I would be obligated to look at Microsoft's Defending Security Infrastructures solutions and also as mentioned in one of the blog comments, a key portion of the Defending Security Infrastructures solution would be GPOs so I would look to GPOGuy for Defending Security Infrastructures products as well.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

So we can defend our security infras using either of 2 vapourware solutions now :) cool!

Mr Tandon was there before you tho, joe :-^

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: 12 July 2006 03:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Gotta love that signature Tony... I promise not to disclose this information to anyone.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Tuesday, July 11, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [List Owner] OOFs from Steven Comeau

Hi all

I have temporarily suspended Steven Comeau's subscription, which should stop the out of office replies hitting the list.

Tony

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
Re: [ActiveDir] Multihomed Domain Controllers
Couple of points. Most have probably been covered, or read by you:

- Clearly label the NICs, e.g. LAN00 and BACKUP00.
- Adjust the binding order so that LAN00 is above BACKUP00.
- If you don't require NetBT, disable it on BACKUP00 (BackupExec will most likely not like you if you disable this).
- Forget about the Advanced TCP/IP DNS option "Don't register in DNS". There is a hotfix, and it's supposed to be in SP1, but I'm still seeing A records registered in DNS in my lab when I don't want them in there, so use the necessary registry key DisableDynamicUpdate on the NIC BACKUP00.
- Only have a gateway on LAN00.
- Bind the BackupExec agent to BACKUP00 only.
- If the backup LAN is routed, define persistent routes in the routing table.

Browser operations won't affect AD. If you have bad entries in DNS, that will cause issues, so check DNS.

OS shouldn't matter. I've implemented multi-homed systems many times in the past, and have been messing around with NLB and LDAP on DCs (in Unicast mode, which requires a second NIC) over the last couple of days without any issues. DNS is the main issue. There can be some issues with NetBT/WINS, but I personally wouldn't use LMHOSTS or WINS on the BACKUP00 NIC.

That's a few points based on what I'm doing in the lab. Main thing is to test your configuration. In the last place I worked we used a dedicated backup LAN. No issues worth noting (in other words it worked and I don't remember any issues), and that was a mixed NT 4, 2k and k3 environment. Dedicated systems management LANs are also a good idea, e.g. iLO, etc.

--Paul

----- Original Message -----
From: Jeff Green
To: ActiveDir@mail.activedir.org
Sent: Wednesday, July 12, 2006 1:03 PM
Subject: RE: [ActiveDir] Multihomed Domain Controllers

<snip>
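Paul's checklist is the kind of thing that drifts after a rebuild or a NIC replacement, so it is worth turning into a check that can be run on the DC. The script below is an added example written for this page, not code from the thread or from any vendor. It assumes the LAN00/BACKUP00 naming from the post (any connection name matching "BACKUP" is treated as the backup NIC), Windows PowerShell 3.0 or later with WMI available, and that it runs locally on the DC. It reports gateway, DNS server, dynamic-registration, NetBT and binding-order state per NIC; with -Remediate it turns off dynamic DNS registration on the backup NIC both through WMI and through the DisableDynamicUpdate registry value the post mentions.

```powershell
# Added example (not from the ActiveDir thread): audit a multihomed DC against
# the checklist above. Assumes local execution, WMI, and that the backup NIC's
# connection name matches $BackupNicPattern (LAN00/BACKUP00 naming from the post).
param(
    [string]$BackupNicPattern = 'BACKUP',
    [switch]$Remediate    # disable dynamic DNS registration on backup NICs
)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip'
# Tcpip\Linkage\Bind is a REG_MULTI_SZ of \Device\{GUID} entries in binding order
$bindOrder = @((Get-ItemProperty "$tcpip\Linkage").Bind)

$configs  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
$adapters = Get-WmiObject Win32_NetworkAdapter

$report = foreach ($cfg in $configs) {
    # Win32_NetworkAdapter carries the friendly connection name (e.g. BACKUP00)
    $adapter  = $adapters | Where-Object { $_.DeviceID -eq $cfg.Index }
    $name     = $adapter.NetConnectionID
    $isBackup = $name -match $BackupNicPattern
    $guid     = $cfg.SettingID

    # Per-interface DisableDynamicUpdate (1 = do not register A/PTR records)
    $ifKey = "$tcpip\Parameters\Interfaces\$guid"
    $disableDynUpdate = (Get-ItemProperty $ifKey -ErrorAction SilentlyContinue).DisableDynamicUpdate

    $problems = @()
    if ($isBackup) {
        if ($cfg.DefaultIPGateway)     { $problems += 'gateway configured on backup NIC' }
        if ($cfg.DNSServerSearchOrder) { $problems += 'DNS servers configured on backup NIC' }
        if ($cfg.FullDNSRegistrationEnabled -and $disableDynUpdate -ne 1) {
            $problems += 'dynamic DNS registration still enabled'
        }
        # TcpipNetbiosOptions: 0 = default via DHCP, 1 = enabled, 2 = disabled
        if ($cfg.TcpipNetbiosOptions -ne 2) {
            $problems += 'NetBT enabled (confirm the backup agent tolerates disabling it)'
        }
        if ($Remediate) {
            # Turn off registration through WMI and pin it with the registry value
            [void]$cfg.SetDynamicDNSRegistration($false, $false)
            Set-ItemProperty $ifKey -Name DisableDynamicUpdate -Value 1 -Type DWord
        }
    } else {
        if (-not $cfg.DefaultIPGateway)     { $problems += 'no gateway on production NIC' }
        if (-not $cfg.DNSServerSearchOrder) { $problems += 'no DNS servers on production NIC' }
    }

    [pscustomobject]@{
        Name         = $name
        Role         = if ($isBackup) { 'backup' } else { 'production' }
        IPAddress    = ($cfg.IPAddress -join ',')
        BindingOrder = [array]::IndexOf($bindOrder, "\Device\$guid")   # 0 = top, -1 = not found
        Problems     = ($problems -join '; ')
    }
}

# The production NIC must sit above the backup NIC in the binding order
$lan = $report | Where-Object { $_.Role -eq 'production' } | Sort-Object BindingOrder | Select-Object -First 1
$bak = $report | Where-Object { $_.Role -eq 'backup' }     | Sort-Object BindingOrder | Select-Object -First 1
if ($lan -and $bak -and $bak.BindingOrder -ge 0 -and $bak.BindingOrder -lt $lan.BindingOrder) {
    Write-Warning "Binding order: $($bak.Name) is above $($lan.Name); move the production NIC to the top."
}

$report | Format-Table -AutoSize
```

Run it read-only first and compare the Problems column with what Paul lists; the persistent routes for a routed backup LAN are not covered here because they depend on your addressing, and `route print` shows them directly.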
Re: [ActiveDir] Multihomed Domain Controllers
I've never seen a problem with doing this stuff before and there are actually some backup solution providers that recommend using a parallel network for backup data to transmit across.

That being said, I think the most important thing for you to make sure that you're *not* doing is testing it out on your FSMO role holder. Do it with a non-GC domain controller first, then move up to a GC and after all of your DCs are working on the parallel network for backups, I'd probably move FSMO roles over to one of them that is working and move the last GC over (then move back the FSMO roles, if you have some old software that's hardcoded to the 'PDC').

On 7/12/06, Kevin Brunson [EMAIL PROTECTED] wrote:

<snip>
RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau
Oh F^%. I apologize in front of everyone for misspelling your name AGAIN, neil. I was so worked up over the topic of Defending Security Infrastructures that everything other than the topic of Defending Security Infrastructures completely slipped through my mind. Of course this would be much easier if you simply changed your first name to Neal; then I would be right when I was wrong, so when discussing topics such as Defending Security Infrastructures I would not mess up the spelling on your name. Again, I humbly ask your forgiveness[1] and apologize profusely and blame it all on the lack of definition of the term Defending Security Infrastructures[2]. So before I go on too much more about Defending Security Infrastructures and the webpage at http://blog.joeware.net/2006/07/11/445/ which tells you absolutely nothing about Defending Security Infrastructures, I will now close this note on Defending Security Infrastructures.

joe

[1] That is serious. No excuse neil, I am quite sorry.
[2] Err so is that, but not as serious as [1] above.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 12, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood. I said DO NOT READ that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/. And then if you read the blog on Defending Security Infrastructures, I asked for you to comment to the blog your thoughts on Defending Security Infrastructures. This is neither the time to discuss Defending Security Infrastructures nor the place to discuss Defending Security Infrastructures.

I personally haven't fully stepped into the Defending Security Infrastructures space yet, though if I did I would probably look to the fine folks at NetPro and Quest first to see their ideas on Defending Security Infrastructures, and of course I would be obligated to look at Microsoft's Defending Security Infrastructures solutions, and also, as mentioned in one of the blog comments, a key portion of the Defending Security Infrastructures solution would be GPOs, so I would look to GPOGuy for Defending Security Infrastructures products as well.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

So we can defend our security infras using either of 2 vapourware solutions now :) cool! Mr Tandon was there before you tho, joe :-^

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 03:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Gotta love that signature Tony...

I promise not to disclose this information to anyone.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 11, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [List Owner] OOFs from Steven Comeau

Hi all

I have temporarily suspended Steven Comeau's subscription, which should stop the out of office replies hitting the list.

Tony
[ActiveDir] OT: Free Virtual PC
If anyone cares, http://www.microsoft.com/windows/virtualpc/default.mspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Multihomed Domain Controllers
In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you...

Go to the TCP/IP settings of the backup network card, click Advanced, go to the DNS tab and untick register the connection in DNS.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc.? Any other gotchas?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ...
She dreams of flowers in a field of sunny bungalows

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
RE: [ActiveDir] Moving a Certificate Authority
Ah, good point. I haven't dealt with CAs in this regard in the past, and just assumed that CAs had to involve a DC since I couldn't demote the DC until the CA was removed. I'll certainly make it a point to move the CA to a server that is not a DC when this domain upgrade is complete. Thanks for the heads up.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 7:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

One more point - you don't have to have the CA on a DC, just wanted to make sure you knew this. So, in the future, you don't have to worry about removing/moving the CA in order to upgrade DCs.

steve

----- Original Message -----
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 4:05 PM
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to:

1) Upgrade the old DC to 2k3
2) Backup the CA and the registry key as stated in the KB298138 article.
3) Remove the CA services, demote server and rename it.
4) Promote a 2k3 server with the same name as the old DC and install the CA services.
5) Restore the CA data and registry key
6) Cross my fingers and hope that I have a CA once again

I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 (this would be temporary) and then move to another 2k3 server. I know that you said that the HW was old - but perhaps a temporary sloow 2k3 machine?

You should keep the hostname the same - if you took the defaults for install (90% of CAs out there) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesn't mention moving to a new name, because it would vary from customer to customer and cause more trouble than it's worth.

my .02

steve

----- Original Message -----
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority

As part of my on-going journey into upgrading a 2000 domain to 2003, I've run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller. I have found a couple KB articles that seem to put me down a good path, but then don't pan out.

Here is the situation: I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native. However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible, so it will need to be demoted. It was originally a Windows NT 4.0 domain controller back in the day. So I am in a situation where I need to take a Certificate Authority from a Windows 2000 Server, and transfer that over to a Windows 2003 Server. As stated before, one KB article seemed to be the most promising: KB298138. However the instructions seem to be focused on moving a CA from a 2000 server to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of moving a CA from a 2000 DC to a 2003 DC? Also, is there a possibility of moving the CA to a server with a different hostname than the original CA?

Thanks,
~Ben
RE: [ActiveDir] Moving a Certificate Authority
Excellent idea. I have a couple VMware GSX servers in our test environment so I think I'll follow your suggestion and create a new 2000 server, try and transfer the CA services to the new 2000 server and then upgrade the box to 2003 if successful.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

The other advantage to doing it this way, now that I think about it, is a little clearer recovery path if everything blows up. A system state restore on your old CA and an authoritative restore on AD should (please everyone check me on this) get you back where you were without having to reload the original un-upgraded OS on your original CA.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 8:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3? That way you don't have to worry about the hardware not supporting 2003 or something terrible like that. Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to:

1) Upgrade the old DC to 2k3
2) Backup the CA and the registry key as stated in the KB298138 article.
3) Remove the CA services, demote server and rename it.
4) Promote a 2k3 server with the same name as the old DC and install the CA services.
5) Restore the CA data and registry key
6) Cross my fingers and hope that I have a CA once again

I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 (this would be temporary) and then move to another 2k3 server. I know that you said that the HW was old - but perhaps a temporary sloow 2k3 machine?

You should keep the hostname the same - if you took the defaults for install (90% of CAs out there) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesn't mention moving to a new name, because it would vary from customer to customer and cause more trouble than it's worth.

my .02

steve

----- Original Message -----
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority

As part of my on-going journey into upgrading a 2000 domain to 2003, I've run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller. I have found a couple KB articles that seem to put me down a good path, but then don't pan out.

Here is the situation: I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native. However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible, so it will need to be demoted. It was originally a Windows NT 4.0 domain controller back in the day. So I am in a situation where I need to take a Certificate Authority from a Windows 2000 Server, and transfer that over to a Windows 2003 Server. As stated before, one KB article seemed to be the most promising: KB298138. However the instructions seem to be focused on moving a CA from a 2000 server to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of moving a CA from a 2000 DC to a 2003 DC? Also, is there a possibility of moving the CA to a server with a different hostname than the original CA?

Thanks,
~Ben
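Steve's point that a default-install CA hard-codes the issuing server into every issued certificate (the CRL Distribution Point and Authority Information Access URLs) is the reason Ben's plan keeps the hostname. The PowerShell below is an added example, not code from anyone on the list, that measures that dependency before a move: it reads a folder of exported certificates and reports every hostname referenced from their CDP/AIA extensions, flagging the ones tied to the old CA. The folder path and CA hostname are placeholders; it assumes Windows PowerShell, since the extension formatting relies on the Windows crypto API.

```powershell
# Added example: before moving or renaming a CA, find the hostnames hard-coded into the
# CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs of the
# certificates it issued. Assumes the certs were exported as .cer/.crt files into
# $CertFolder; both parameter defaults are placeholders, not values from the thread.
param(
    [string]$CertFolder = '.\issued-certs',       # assumption: folder of exported certs
    [string]$CaHostName = 'oldca.example.local'   # assumption: placeholder for the old CA host
)

$CdpOid      = '2.5.29.31'           # id-ce-cRLDistributionPoints
$AiaOid      = '1.3.6.1.5.5.7.1.1'   # id-pe-authorityInfoAccess
$CaShortName = $CaHostName.Split('.')[0]

function Get-ExtensionUrls {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if (-not $ext) { return @() }
    # Format($true) renders the extension as multi-line text; every URL lands on its own line.
    [regex]::Matches($ext.Format($true), '(?i)\b(?:https?|ldap|file)://\S+') | ForEach-Object { $_.Value }
}

function Get-UrlHost {
    param([string]$Url)
    $parsed = $null
    # ldap:///CN=... URLs (the copies published in AD) have an empty host and do not
    # depend on the CA's machine name; only http/file URLs with a host do.
    if ([uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$parsed)) { return $parsed.Host }
    return ''
}

$report = foreach ($file in Get-ChildItem -Path $CertFolder -Include *.cer, *.crt -Recurse) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
    $urls = @(Get-ExtensionUrls -Cert $cert -Oid $CdpOid) + @(Get-ExtensionUrls -Cert $cert -Oid $AiaOid)
    foreach ($url in $urls) {
        $hostName = Get-UrlHost -Url $url
        [pscustomobject]@{
            File        = $file.Name
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            Url         = $url
            HostName    = $hostName
            # Matches both the FQDN and the NetBIOS form of the old CA's name.
            TiedToOldCA = ($hostName -ne '') -and ($hostName.Split('.')[0] -ieq $CaShortName)
        }
    }
}

# Which hosts do the issued certs depend on, and how many still-valid certs would break
# if the CA came back under a different name?
$report | Group-Object HostName | Select-Object @{n = 'HostName'; e = { $_.Name }}, Count | Format-Table -AutoSize
$atRisk = @($report | Where-Object { $_.TiedToOldCA -and $_.NotAfter -gt (Get-Date) } |
            Select-Object -ExpandProperty File -Unique)
"Unexpired certificates whose CDP/AIA point at '$CaHostName': $($atRisk.Count)"
```

A count of zero means the move could in principle use a new name; anything else is the number of certificates whose revocation checking and chain building would depend on the old hostname still resolving.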
RE: [ActiveDir] OT: Free Virtual PC
Thanks for the heads up on this.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, July 12, 2006 8:22 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: Free Virtual PC

If anyone cares, http://www.microsoft.com/windows/virtualpc/default.mspx
RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau
I can see a TV show emerging here: DSI (Las Vegas). If he was still alive, Hervé Villechaize could have played the lead; he used to be on Fantasy Island (Tattoo) and The Man with the Golden Gun (Nick Nack).

From: "joe" [EMAIL PROTECTED]
Sent: 12 July 2006 16:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Oh F^%. I apologize in front of everyone for misspelling your name AGAIN, neil. I was so worked up over the topic of Defending Security Infrastructures that everything other than the topic of Defending Security Infrastructures completely slipped through my mind. Of course this would be much easier if you simply changed your first name to Neal; then I would be right when I was wrong, so when discussing topics such as Defending Security Infrastructures I would not mess up the spelling on your name. Again, I humbly ask your forgiveness[1] and apologize profusely and blame it all on the lack of definition of the term Defending Security Infrastructures[2]. So before I go on too much more about Defending Security Infrastructures and the webpage at http://blog.joeware.net/2006/07/11/445/ which tells you absolutely nothing about Defending Security Infrastructures, I will now close this note on Defending Security Infrastructures.

joe

[1] That is serious. No excuse neil, I am quite sorry.
[2] Err so is that, but not as serious as [1] above.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 12, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood. I said DO NOT READ that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/. And then if you read the blog on Defending Security Infrastructures, I asked for you to comment to the blog your thoughts on Defending Security Infrastructures. This is neither the time to discuss Defending Security Infrastructures nor the place to discuss Defending Security Infrastructures.

I personally haven't fully stepped into the Defending Security Infrastructures space yet, though if I did I would probably look to the fine folks at NetPro and Quest first to see their ideas on Defending Security Infrastructures, and of course I would be obligated to look at Microsoft's Defending Security Infrastructures solutions, and also, as mentioned in one of the blog comments, a key portion of the Defending Security Infrastructures solution would be GPOs, so I would look to GPOGuy for Defending Security Infrastructures products as well.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

So we can defend our security infras using either of 2 vapourware solutions now :) cool! Mr Tandon was there before you tho, joe :-^

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 03:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Gotta love that signature Tony...

I promise not to disclose this information to anyone.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 11, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [List Owner] OOFs from Steven Comeau

Hi all

I have temporarily suspended Steven Comeau's subscription, which should stop the out of office replies hitting the list.

Tony
RE: [ActiveDir] Multihomed Domain Controllers
So how many DCs do you have? What is your DIT size like to warrant going through all this trouble? Are there other applications that you need to back up on the DCs that are requiring full backups of all your DCs? With most environments, getting the system state from a DC/GC in each domain should be enough to allow you to do whatever authoritative restores you need. Now if you have other apps that you need to do large data backups of, then this may be required. Yes, you can do multiple NICs on DCs and quite a few organizations do; however, it definitely would not fall under best practices for Domain Controllers.

Kurt Falde
Premier Field Engineer
Northeast Region
Microsoft Corporation

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you...

Go to the TCP/IP settings of the backup network card, click Advanced, go to the DNS tab and untick register the connection in DNS.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc.? Any other gotchas?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ...
She dreams of flowers in a field of sunny bungalows

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
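Rob's advice (untick DNS registration on the backup NIC) and Jeff's worry about DNS on an AD-integrated zone both come down to one question: does DNS hand out only the production address for this DC? The PowerShell below is an added example, not code from anyone on the list, that answers it on the DC itself: it reports whether the backup interface is set to register in DNS, can turn that off, and checks that the A records published for the DC's own FQDN point only at the production network. The interface aliases are assumptions you adjust for your server, and the DnsClient/NetTCPIP cmdlets need Windows Server 2012 or later.

```powershell
# Added example: audit a multihomed DC so that only the production NIC registers in DNS.
# Assumes Windows Server 2012+ (DnsClient / NetTCPIP cmdlets) and that the two interface
# aliases below are adjusted to the server being checked; they are not values from the thread.
param(
    [string]$ProductionAlias = 'Ethernet',    # assumption: LAN-facing NIC alias
    [string]$BackupAlias     = 'Ethernet 2',  # assumption: backup-network NIC alias
    [switch]$Fix                              # also untick DNS registration on the backup NIC
)

$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$findings = New-Object System.Collections.Generic.List[string]

# 1. Per-interface setting behind "Register this connection's addresses in DNS".
foreach ($client in Get-DnsClient | Where-Object { $_.InterfaceAlias -in @($ProductionAlias, $BackupAlias) }) {
    if ($client.InterfaceAlias -eq $BackupAlias -and $client.RegisterThisConnectionsAddress) {
        $findings.Add("Backup NIC '$BackupAlias' is set to register in DNS; it should not be.")
        if ($Fix) {
            Set-DnsClient -InterfaceAlias $BackupAlias -RegisterThisConnectionsAddress $false
            $findings.Add("Registration disabled on '$BackupAlias'. Records already published must still age out or be deleted.")
        }
    }
    if ($client.InterfaceAlias -eq $ProductionAlias -and -not $client.RegisterThisConnectionsAddress) {
        $findings.Add("Production NIC '$ProductionAlias' is NOT set to register in DNS; clients will lose the DC's records.")
    }
}

# 2. What DNS currently says about this host. A backup-network address here means clients
#    and replication partners can be handed an IP they cannot reach.
$prodIPs   = @(Get-NetIPAddress -InterfaceAlias $ProductionAlias -AddressFamily IPv4).IPAddress
$backupIPs = @(Get-NetIPAddress -InterfaceAlias $BackupAlias     -AddressFamily IPv4).IPAddress
$published = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' }).IPAddress

if (-not $published) {
    # The symptom Kevin described: a DC that no longer has a DNS name.
    $findings.Add("No A record found for $fqdn.")
}
foreach ($ip in $published) {
    if     ($ip -in $backupIPs)  { $findings.Add("A record $fqdn -> $ip points at the backup network.") }
    elseif ($ip -notin $prodIPs) { $findings.Add("A record $fqdn -> $ip matches no local production address (stale?).") }
}

if ($findings.Count -eq 0) { "OK: $fqdn is registered only on the production network." }
else { $findings | ForEach-Object { "WARN: $_" } }
```

Run it on each DC before and after adding the backup NIC; the A-record check is the one to repeat after the change, since records the backup NIC already registered stay in the zone until they are removed or scavenged.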
RE: [ActiveDir] Moving a Certificate Authority
http://technet2.microsoft.com/WindowsServer/en/Library/c3f67fb4-a1ae-43ed-b30e-fe1b183a553d1033.mspx

Important: For security reasons, a CA should always run on a separate computer. Do not install an online CA on a domain controller, even if it is technically possible.

Just a little extra backup on the installations of CAs on DCs from the PKI Best Practices whitepaper.

Kurt Falde
Premier Field Engineer
Northeast Region
Microsoft Corporation

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, July 12, 2006 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Ah, good point. I haven't dealt with CAs in this regard in the past, and just assumed that CAs had to involve a DC since I couldn't demote the DC until the CA was removed. I'll certainly make it a point to move the CA to a server that is not a DC when this domain upgrade is complete. Thanks for the heads up.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 7:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

One more point - you don't have to have the CA on a DC, just wanted to make sure you knew this. So, in the future, you don't have to worry about removing/moving the CA in order to upgrade DCs.

steve

----- Original Message -----
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 4:05 PM
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to:

1) Upgrade the old DC to 2k3
2) Backup the CA and the registry key as stated in the KB298138 article.
3) Remove the CA services, demote server and rename it.
4) Promote a 2k3 server with the same name as the old DC and install the CA services.
5) Restore the CA data and registry key
6) Cross my fingers and hope that I have a CA once again

I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 (this would be temporary) and then move to another 2k3 server. I know that you said that the HW was old - but perhaps a temporary sloow 2k3 machine?

You should keep the hostname the same - if you took the defaults for install (90% of CAs out there) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesn't mention moving to a new name, because it would vary from customer to customer and cause more trouble than it's worth.

my .02

steve

----- Original Message -----
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority

As part of my on-going journey into upgrading a 2000 domain to 2003, I've run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller. I have found a couple KB articles that seem to put me down a good path, but then don't pan out.

Here is the situation: I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native. However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible, so it will need to be demoted. It was originally a Windows NT 4.0 domain controller back in the day. So I am in a situation where I need to take a Certificate Authority from a Windows 2000 Server, and transfer that over to a Windows 2003 Server. As stated before, one KB article seemed to be the most promising: KB298138. However the instructions seem to be focused on moving a CA from a 2000 server to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of moving a CA from a 2000 DC to a 2003 DC? Also, is there a possibility of moving the CA to a server with a different hostname than the
RE: [ActiveDir] Multihomed Domain Controllers
But I hope we still have the option of doing so... I use the hosts file on a regular basis to redirect the localhost name to the machine's IP instead of to 127.blah and then stick in route statements so all locally directed traffic bounces out to a router and back so I can look at the network traces of the traffic.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:
You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you... Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS.
Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc? Any other gotchas?

Many Thanks,
---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error. Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
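Rob's advice above (untick "register this connection's addresses in DNS" on the backup NIC) turned into a check that can be run across every DC. This is an added example, not code from the thread; it assumes the ActiveDirectory, NetTCPIP and DnsClient PowerShell modules and WinRM access to each DC, and the function names are mine.

```powershell
# Added example (not from the list thread): report every IPv4 address on every
# DC together with whether its adapter registers that address in DNS, then flag
# DCs where more than one adapter registers (the multihomed-DC problem Jeff asks
# about). Assumes ActiveDirectory + NetTCPIP + DnsClient modules and WinRM.
Import-Module ActiveDirectory

function Get-DcDnsRegistrationReport {
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        $addresses = Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }
        foreach ($ip in $addresses) {
            # "Register this connection's addresses in DNS" is the per-adapter
            # RegisterThisConnectionsAddress flag of the DNS client.
            $dns = Get-DnsClient -InterfaceIndex $ip.InterfaceIndex
            [pscustomobject]@{
                DC        = $env:COMPUTERNAME
                Interface = $ip.InterfaceAlias
                Address   = $ip.IPAddress
                Registers = [bool]$dns.RegisterThisConnectionsAddress
            }
        }
    } | Select-Object DC, Interface, Address, Registers
}

function Find-MultihomedDcProblems {
    param([object[]]$Report)
    # A DC with one registered address is fine; two or more registering adapters
    # means clients and replication partners may resolve the DC to the backup LAN.
    $Report | Group-Object DC | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $registering = @($_.Group | Where-Object Registers)
        if ($registering.Count -gt 1) {
            [pscustomobject]@{
                DC        = $_.Name
                Addresses = ($registering.Address -join ', ')
                # The fix Rob describes, as the equivalent cmdlet (run on the DC):
                Fix       = "Set-DnsClient -InterfaceAlias '<backup NIC>' -RegisterThisConnectionsAddress `$false"
            }
        }
    }
}

$report = Get-DcDnsRegistrationReport
$report | Format-Table -AutoSize
Find-MultihomedDcProblems -Report $report | Format-Table -Wrap
```

On a DC the Netlogon service registers the domain's locator records itself, independently of the adapter setting, so after changing the adapter also confirm which addresses the domain's A and SRV records actually carry.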
RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau
LOL. It's a refreshing change to see my (simple?) first name spelt wrongly, rather than my last name. :)

I sense some angst against a certain Mr Tandon... ???

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 15:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Oh F^%. I apologize in front of everyone for misspelling your name AGAIN, neil. I was so worked up over the topic of Defending Security Infrastructures that everything other than the topic of Defending Security Infrastructures completely slipped through my mind. Of course this would be much easier if you simply changed your first name to Neal then I would be right when I was wrong so when discussing topics such as Defending Security Infrastructures I would not mess up the spelling on your name. Again, I humbly ask your forgiveness[1] and apologize profusely and blame it all on the lack of definition of the term Defending Security Infrastructures[2]. So before I go on too much more about Defending Security Infrastructures and the webpage at http://blog.joeware.net/2006/07/11/445/ which tells you absolutely nothing about Defending Security Infrastructures, I will now close this note on Defending Security Infrastructures.

joe

[1] That is serious. No excuse neil, I am quite sorry.
[2] Err so is that, but not as serious as [1] above.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 12, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood.
I said DO NOT READ that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/. And then if you read the blog on Defending Security Infrastructures, I asked for you to comment to the blog your thoughts on Defending Security Infrastructures.

This is neither the time to discuss Defending Security Infrastructures nor the place to discuss Defending Security Infrastructures. I personally haven't fully stepped into the Defending Security Infrastructures space yet, though if I did I would probably look to the fine folks at NetPro and Quest first to see their ideas on Defending Security Infrastructures, and of course I would be obligated to look at Microsoft's Defending Security Infrastructures solutions and also as mentioned in one of the blog comments, a key portion of the Defending Security Infrastructures solution would be GPOs so I would look to GPOGuy for Defending Security Infrastructures products as well.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

So we can defend our security infras using either of 2 vapourware solutions now :) cool!

Mr Tandon was there before you tho, joe :-^

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 03:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Gotta love that signature Tony... I promise not to disclose this information to anyone.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 11, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [List Owner] OOFs from Steven Comeau

Hi all

I have temporarily suspended Steven Comeau's subscription, which should stop the out of office replies hitting the list.

Tony
RE: [ActiveDir] Multihomed Domain Controllers
Susan, there are still valid reasons for using hosts file even in an enterprise. I believe that we went through this a couple of months ago.

NB: Not to encourage joe or anything like that. I just need to point out that my statement above may be interpreted to imply that hosts files have a role to play in the whole big "Defending Security Infrastructure" realm; for example, if your "Defending Security Infrastructure" service delivery plans does NOT include a robust "split-brain" DNS infrastructure. Of course, a "Defending Security Infrastructure" plan that does not include that is not worth the name "Defending Security Infrastructure plan" at all and does not belong in the "Defending Security Infrastructure" big black ops book. Now I crawl back into my heavily-defended "Defending Security Infrastructure" bunker - or castle - or cave.

Sincerely,
Deji
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wed 7/12/2006 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)
[ActiveDir] Rights needed to Rename Computer Object
What rights are needed to delegate authority for people to rename computers that are joined to a domain? I know if I give Full Control of computer objects they of course can, but I'd like to limit the authority they have. I've so far tried:

From running a comparison of before and after a rename, it looks like it needs the following:

Write Computer name (pre-Windows 2000)
Write displayName
Write distinguishedName
Write dNSHostName
Write Name
Write pwdLastSet
Create/Delete servicePrincipalName

Does that sound correct? I want to make sure I delegate enough authority for them to rename computers, but not enough to do anything else.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
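A least-privilege way to grant exactly the attribute writes listed above, as an added example (not Justin's code and not an answer confirmed by the thread). It applies his list as posted, with "Computer name (pre-Windows 2000)" taken as sAMAccountName and the GUIDs resolved from the schema rather than hardcoded, and adds the two validated-write rights, which the thread does not mention; the group Computer-Renamers, the OU DN and the function names are placeholders, and the ActiveDirectory module is assumed.

```powershell
# Added example (not from the list post). Grants a group WriteProperty on only the
# attributes Justin lists, scoped to computer objects under one OU, plus the
# validated writes for dNSHostName and servicePrincipalName. Placeholders: the
# group 'Computer-Renamers' and 'OU=Workstations,DC=example,DC=com'.
Import-Module ActiveDirectory

$group = 'Computer-Renamers'
$ou    = 'OU=Workstations,DC=example,DC=com'
# 'Computer name (pre-Windows 2000)' in the GUI is sAMAccountName.
# distinguishedName is system-maintained, so an ACE on it changes nothing and is left out.
$attrs = 'sAMAccountName', 'displayName', 'dNSHostName', 'name', 'pwdLastSet', 'servicePrincipalName'

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

function Get-SchemaGuid([string]$ldapName) {
    # schemaIDGUID of an attribute or class, looked up by lDAPDisplayName.
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapName' not found" }
    [guid]$obj.schemaIDGUID
}
function Get-RightsGuid([string]$cn) {
    # rightsGuid of a validated write / extended right from the Extended-Rights container.
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(cn=$cn)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$cn' not found" }
    [guid]$obj.rightsGuid
}

$sid          = (Get-ADGroup $group).SID
$computerGuid = Get-SchemaGuid 'computer'          # ACEs inherit only onto computer objects
$inherit      = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$acl          = Get-Acl -Path "AD:\$ou"

foreach ($a in $attrs) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, (Get-SchemaGuid $a), $inherit, $computerGuid)
    $acl.AddAccessRule($ace)
}
# Validated writes: the DC checks that the new dNSHostName / SPNs match the
# computer's own name, which is tighter than an unrestricted WriteProperty.
foreach ($r in 'Validated-DNS-Host-Name', 'Validated-SPN') {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::Self,
        $allow, (Get-RightsGuid $r), $inherit, $computerGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show only the ACEs now held by the group on the OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```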
RE: [ActiveDir] Multihomed Domain Controllers
I have definitely found the hosts file to be useful on servers to keep them from EVER getting to spyware sites. This guy has a great list : http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts

Just cut and paste into the hosts file and you are good to go. I scripted it for all of the servers I deal with. But I guess this is getting pretty far OT: :)

Kevin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)
[ActiveDir] Acqusition of 2003 Forest - options experiences
A company with an independent 2003 Forest has been acquired. They have Exchange 2003 and a Citrix server. We have a similar configuration minus Citrix. The goal is obviously to migrate key AD objects, mailboxes, and servers into our 2003 forest.

I understand that ADMT is often the right tool for the job, but I would greatly appreciate hearing your personal experiences and any caveats that you may have run into. And is it the only tool you need?

I am off to read some MS docs on the topic and specifically ADMT. Hopefully I am able to contribute back to the list.

Thanks,
...D
[ActiveDir] Planning for the future
Esteemed colleagues,

We have a radio station that is currently part of our denomination that we want to finally put on our network. They are located about 20 miles from our headquarters. However, there has been talk for many, many years about selling off this radio station, but that hasn't come to pass yet.

My question is, if we put them in their own domain in our existing forest, would that make it easier to get them into their own forest if they should some day no longer be a part of us? If not, what's the best way to plan for a possible future in which these 30 people might no longer be working for us?

Many thanks in advance.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
RE: [ActiveDir] Multihomed Domain Controllers
Could someone please tell me what all this "Defending Security Infrastructure" stuff is about? Even though joe said "Do not read about "Defending Security Infrastructure"" on his blog, I went there and read all about what he wrote about "Defending Security Infrastructure" because I literally hang off every word joe writes, and he wrote about "Defending Security Infrastructure" and I wanted to know what his thoughts were on "Defending Security Infrastructure". But interestingly enough, joe didn't have much to say about "Defending Security Infrastructure" so I queried other avenues on "Defending Security Infrastructure" and there sure is a lot on the subject of "Defending Security Infrastructure" but I couldn't really distill it. So now I'm going to have to keep watching the joedog blog on "Defending Security Infrastructure", because if joe talks about "Defending Security Infrastructure", then "Defending Security Infrastructure" is probably pretty important.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: 12 July, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Susan, there are still valid reasons for using hosts file even in an enterprise. I believe that we went through this a couple of months ago.
RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau
No angst here. I think Sanjay is fine. I think he has ideas that are a bit off though. From the recent influx of notes in my inbox I don't appear to be completely isolated in these thoughts. I intend to blog something on the topic in the next week or so as I properly put into words my thoughts and comments on the topic of updating one of my blog posts from one year ago. In the meanwhile, anyone who has received a visit to their corporation from said individual, I would be interested to hear what the value of the visit was and the thoughts on what was discussed. Any humourous stories I would also love to hear as I have already heard some doozies already in addition to my own that I experienced personally.

In the meanwhile, I want to become the undisputed search engine lead on the markitecture of Defending Security Infrastructures because Defending Security Infrastructures is extremely important, I think, and having the top hits on the topic of Defending Security Infrastructures certainly says something about Defending Security Infrastructures. Whatever that is, I am not entirely sure, but it does comprise what we know about Defending Security Infrastructures.

Thanks to all who have posted their comments on the topic of Defending Security Infrastructures at my worthless blog entry on the topic of Defending Security Infrastructures at http://blog.joeware.net/2006/07/11/445/.

:o)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

LOL. It's a refreshing change to see my (simple?) first name spelt wrongly, rather than my last name. :)
Re: [ActiveDir] Multihomed Domain Controllers
You surf on your servers? My servers go to WU/MU... and maybe to Joe's blog for information on Defending Security Infrastructure.. in fact they regularly hang out on Joe's blog for all the information I need to know on Defending Security Infrastructure.. in fact http://blog.joeware.net/2006/07/11/445/ that link is the home page so that I'm constantly reminded about Defending Security Infrastructure.. but other than that... they don't have antispyware because they don't go anywhere to get spyware and the Enhanced IE is still on there.

Kevin Brunson wrote:

I have definitely found the hosts file to be useful on servers to keep them from EVER getting to spyware sites. This guy has a great list: http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts Just cut and paste into the hosts file and you are good to go. I scripted it for all of the servers I deal with. But I guess this is getting pretty far OT: :)

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you... Go to the TCP/IP settings of the backup network card, click Advanced, go to the DNS tab and untick register the connection in DNS.

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc.? Any other gotchas?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error.

Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
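Kevin's approach above (paste a hosts-format blocklist into the server's hosts file, scripted across servers) is easy to get subtly wrong: duplicate names, entries that redirect rather than sinkhole, or a line that overrides localhost. The script below is an added example, not Kevin's script and not the pgl.yoyo.org list itself; the existing hosts content and the blocklist it merges are constructed sample data, and the checks (sinkhole address only, valid host name syntax, protected names, no duplicates) are the ones a cautious admin would want before the merge runs unattended.

```python
"""Merge a hosts-format blocklist into a hosts file with sanity checks.

Added example, not from the list post. The existing hosts content and the
blocklist below are constructed so the script runs offline."""
import re

# Constructed stand-in for a server's current hosts file.
EXISTING_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        backup01    # constructed: backup LAN name pinned by hand
"""

# Constructed stand-in for a blocklist downloaded in "hosts" output format.
BLOCKLIST = """\
# sample blocklist header
127.0.0.1 ads.example.invalid
127.0.0.1  tracker.example.invalid
0.0.0.0 ads.example.invalid
127.0.0.1 localhost
127.0.0.1 bad_host.example.invalid
"""

# Host name shape: labels of 1-63 alnum/hyphen chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
SINKHOLES = {"127.0.0.1", "0.0.0.0"}            # accept only lines that sinkhole a name
PROTECTED = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, lowercase name) for each mapping; drop comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def merge_blocklist(existing, blocklist):
    """Return (merged_text, accepted_names, rejected) where rejected is a
    list of (name, reason). The existing file is kept verbatim; a blocklist
    entry is appended only if it sinkholes a syntactically valid host name
    that is neither protected nor already present, so re-running is a no-op."""
    present = {name for _, name in parse_hosts(existing)}
    accepted, rejected = [], []
    for ip, name in parse_hosts(blocklist):
        if ip not in SINKHOLES:
            rejected.append((name, "not a sinkhole address"))
        elif not HOSTNAME_RE.match(name):
            rejected.append((name, "invalid hostname"))
        elif name in PROTECTED:
            rejected.append((name, "protected name"))
        elif name in present:
            rejected.append((name, "duplicate"))
        else:
            present.add(name)
            accepted.append(name)
    if not accepted:
        return existing, accepted, rejected
    if not existing.endswith("\n"):
        existing += "\n"
    block = "".join("127.0.0.1\t%s\n" % n for n in accepted)
    return existing + block, accepted, rejected


if __name__ == "__main__":
    merged, ok, bad = merge_blocklist(EXISTING_HOSTS, BLOCKLIST)
    print(merged)
    for name, why in bad:
        print("skipped %s: %s" % (name, why))
```

Running it twice against the same blocklist appends nothing the second time, which is what makes it safe to schedule; the rejected list is worth logging so a changed upstream format is noticed rather than silently dropped.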
[ActiveDir] SFTP with AD Auth
I just thought I'd poll everyone to see what is being used as a SFTP server. Because of the politics of the arena here, the server will have to be on a member server and not on a DC itself - which I can't think would make much of a difference. The users will be accessing their home dirs only.

I've found a couple of packages just by doing some Google searches:

FreeSTP doesn't look like it works unless it's actually on a DC. Although I haven't confirmed that yet.

SSH Secure Shell (which is now SSH TecTIA) at first glance looks like you need their client to connect to the server.

I'd really like to stay with something that works with most free SFTP clients (Filezilla, WinSCP, etc.). I've found a few more, but I thought (like I said) I would get a poll just to see what others used.

Thanks,
Paul

--
*** I've got a fever and the only prescription is more cowbell. -- Christopher Walken ***
RE: [ActiveDir] LDAP Referrals - just curious
Thanks joe, I almost forgot about this post. I found a draft of what I was originally going to submit which has more specifics in it, but I'm finding that your description below is actually right on in terms of the base specified (root) and scope (subtree). Only difference was that the query was for the name of a user in a second child domain. Yes, in the trace I could see the referrals for all the other NCs, and I guess I wondered why the one for the child domain wasn't followed. I suppose that would mean all of the other ones would have to be followed as well, and as you mentioned, perhaps it is by design because it's probably not what the calling user intended - and possibly the calling user has just learned a little bit more about the referral logic in the process!

-DaveC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, July 11, 2006 11:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Referrals - just curious

Could you give specifics on what exactly you did, i.e. the exact query? The code for adfind by default follows the Windows LDAP lib's default for following referrals which is on. However I think that is limited capability and I specifically chose not to add manual referral chasing code because you will find that many queries that involve the root domain as the base return referrals if you look at the traces. In most cases those referrals are worthless to chase and would simply slow the application down.

For instance, let's say you have a directory laid out like

domain.com
child.domain.com

then you query a DC of child.domain.com with

Base: domain.com
Scope: subtree
Query: name=someuser (which is a user object in domain.com)

So adfind will go to the DC you specify and issue the query, that DC will throw back a referral to go to a DC of domain.com, the LDAP client software will automatically chase this referral (adfind didn't do anything but let wldap32.dll do what it wanted to do). It will find the object and return it but also it will return referrals for dc=ForestDnsZones,dc=domain,dc=com, dc=DomainDnsZones,dc=domain,dc=com, dc=child,dc=domain,dc=com, and cn=configuration,dc=domain,dc=com which really aren't what the person wanted here most likely.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Cliffe
Sent: Thursday, June 29, 2006 5:43 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Referrals - just curious

Hi,

I was curious to watch some LDAP referral traces (OK, so it's been a quiet day) and am seeing some results I don't understand among different tools. The queries are issued from within a child domain to a DC in that same domain, searching for an object in another child domain (root + two child domains total). Not using the GC.

LDP chases a referral (if I turn that option on) and returns an object from the other child domain in the forest. Search call type tested was ASYNC.

DSQuery, after getting an initial referral to the other domain, reissues the query to a root DC but includes the LDAP_SERVER_DOMAIN_SCOPE_OID control in that search, so then it gets no more referrals to the other child domain. Not sure why it does that?

ADFind starts off looking good but unbinds and ends the session after getting referral references for the other NCs. Not sure why it doesn't continue to chase.

I realize I should be providing more info and/or traces. I will be glad to, but just wanted to save some space first and make sure I wasn't missing something obvious?

-DaveC

To find out more about Reuters visit www.about.reuters.com
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
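The referral logic joe walks through above (a subtree search based at the root domain gets continuation references for every naming context below it, most of which the caller did not want) can be made concrete with a small classifier. The code below is an added example, not adfind's or wldap32's referral handling; the referral URLs are constructed for the thread's domain.com / child.domain.com forest, and mydomain.com is an invented extra domain included only to show why "is this DN under my base?" must be decided RDN by RDN rather than by string suffix.

```python
"""Classify the referrals / continuation references a DC returns for a search.

Added example, not from the thread; referral URLs are constructed for the
domain.com forest in joe's example, plus an invented mydomain.com."""
from urllib.parse import unquote, urlsplit


def split_dn(dn):
    """Split a DN into its RDNs, normalised to lower case. Backslash-escaped
    commas (cn=Smith\\, John) stay inside their RDN. Multi-valued RDNs (a+b)
    are not handled, which is fine for naming-context DNs."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip().lower())
    return [r for r in rdns if r]


def is_subordinate(candidate_dn, base_dn):
    """True when candidate_dn is base_dn or lies below it. Compared RDN by
    RDN, so dc=mydomain,dc=com is NOT under dc=domain,dc=com even though a
    plain string-suffix test would say it is."""
    cand, base = split_dn(candidate_dn), split_dn(base_dn)
    return len(cand) >= len(base) and cand[len(cand) - len(base):] == base


def referral_dn(url):
    """Extract the DN from an LDAP URL such as ldap://host/DC=x,DC=com."""
    return unquote(urlsplit(url).path.lstrip("/"))


def nc_kind(dn):
    """Classify an AD naming context by the shape of its DN."""
    head = split_dn(dn)[0]
    if head == "cn=configuration":
        return "configuration"
    if head in ("dc=forestdnszones", "dc=domaindnszones"):
        return "application partition"
    return "domain"


def classify_referrals(base_dn, scope, urls):
    """Return {url: verdict}. A subtree search legitimately yields
    continuation references for every NC below the base; a reference outside
    the base, or any reference when the scope is not subtree, is not what the
    caller asked for."""
    verdicts = {}
    for url in urls:
        dn = referral_dn(url)
        if not is_subordinate(dn, base_dn):
            verdicts[url] = "outside search base"
        elif scope != "subtree":
            verdicts[url] = "below base but scope is " + scope
        else:
            verdicts[url] = "in scope: " + nc_kind(dn) + " NC"
    return verdicts


# Constructed referral set for the thread's example forest (plus mydomain.com).
REFERRALS = [
    "ldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com",
    "ldap://DomainDnsZones.domain.com/DC=DomainDnsZones,DC=domain,DC=com",
    "ldap://child.domain.com/DC=child,DC=domain,DC=com",
    "ldap://domain.com/CN=Configuration,DC=domain,DC=com",
    "ldap://mydomain.com/DC=mydomain,DC=com",
]

if __name__ == "__main__":
    for url, verdict in classify_referrals("dc=domain,dc=com", "subtree", REFERRALS).items():
        print(verdict, "<-", url)
```

A client that chases only the "domain NC" references (and skips the application partitions and the Configuration NC) gets the result DaveC was looking for without the extra round trips joe is objecting to; whether that is the right default is the design choice the two of them are discussing.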
RE: [ActiveDir] Account Password Expiration Tool
re: Anyone who has TAMs... Start screaming now...

Done from here.

-DaveC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, July 11, 2006 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

A comprehensive list of attributes and values doesn't exist; I have thought about setting up a dynamic webpage backending into a MySQL DB on my website for a long time but just haven't done it. However for userAccountControl you can look at this enumeration:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp

If you go up one level from that you will find several enumerations for some of the attributes. Keep in mind that there are some flags that actually are valid for ADSI in general but not for LDAP, for instance, ADS_UF_LOCKOUT works for the WinNT provider but not the LDAP provider. Again, no comprehensive docs exist for that, it is all one offs that people run into. Actually that is pretty pathetic in my opinion but hey, at least we get some info.

Now for your other specific questions...

All user accounts that must change password at next logon, that is handled by a combination of the pwdLastSet attribute and the domain policy for password aging which is in the maxPwdAge attribute and the current time/date and the userAccountControl. If the account is set to not expire, it won't ever force a password change, if that isn't set then there is a combination of the password age and the maxPwdAge and the current time. The easiest way to deal with this is findexpacc. If you just want all accounts that have never set a password or have been forced to change password at next logon that is a little easier, you look for pwdLastSet=0.

All computers running Win2K Pro would be handled by looking at the operatingSystem attribute. I don't recall the actual string for Windows 2000 Professional but I expect that is the string, Windows Server 2003 is Windows Server 2003, Windows XP Pro is Windows XP Professional. MSFT, again, in their infinite wisdom currently has Vista set as Windows Vista (copyright symbol) Ultimate. The copyright symbol is completely moronic in there as it blows out people trying to look for the machines with command line tools with really efficient queries. They have no choice but to wildcard the strings. I bugged it, it was rejected, Eric jumped into the fray and got it going again but just the same it seems we may end up losing and it getting out into the OEM launch. Anyone who has TAMs... Start screaming now, that is going to be a pain if it gets out there. I refuse to figure out a way around it and will just say that MSFT was stupid and didn't listen when I pitched it as a bug back in Beta 1.

For excldn, it probably didn't work due to misunderstanding or mistake, my code is perfect. ;o) No seriously, if you have spaces in strings that are passed as command line parameters, you need to use quotes. Special characters need to be escaped, this isn't an issue with oldcmp, it is the command line interpreter interpreting things in the way you type them instead of how you intend them and passing that to my tools. Also if you pass multiple DNs the proper delimiter needs to be supplied (by default I think it is ; but would have to look to be sure) or else adfind doesn't know what you mean. I am also not good at divining intent versus what was typed.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Alborzfard
Sent: Tuesday, July 11, 2006 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

Pardon my ignorance, but I have one more question: where do I get a list of all of user or computer object attributes and values as it was used in (useraccountcontrol:AND:=65536)? For instance if I want to enumerate all the user accounts with User Must Change Password at Next Logon or computers that are running WIN2K PRO. Also I noticed the OU exclusion switch (-excldn) did not work in the case of multiple OUs. Is it perhaps because they had space in their names?

TIA
Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, July 11, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

This should do it

oldcmp -report -users -bit -af (useraccountcontrol:AND:=65536) -sh

If you want a listing of all accounts with that set you would add -age 0

You could also use adfind to get the info.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Alborzfard
Sent: Tuesday, July 11, 2006 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]
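joe's answer packs three things together: the bitwise-AND matching rule behind adfind's (useraccountcontrol:AND:=65536) shorthand, the flag values from ADS_USER_FLAG_ENUM, and the rule for "must change at next logon" / expiry (pwdLastSet, the domain's maxPwdAge, the current time and the DONT_EXPIRE_PASSWD bit taken together). The code below is an added example that works those rules through on constructed data; it is not joe's findexpacc, oldcmp or adfind, and the sample accounts, the 42-day maxPwdAge and the "current time" are all made up for the demonstration.

```python
"""Decode userAccountControl and compute password state from pwdLastSet,
maxPwdAge and the clock, as the reply above lays out.

Added example, not joe's tools; accounts, policy and clock are constructed."""
from datetime import datetime, timedelta, timezone

# Subset of ADS_USER_FLAG_ENUM (the enumeration joe links to).
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_LOCKOUT = 0x0010                 # WinNT provider only, as the reply notes
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000     # 65536, the bit in the oldcmp filter
FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ADS_UF_ACCOUNTDISABLE",
    ADS_UF_LOCKOUT: "ADS_UF_LOCKOUT",
    ADS_UF_PASSWD_NOTREQD: "ADS_UF_PASSWD_NOTREQD",
    ADS_UF_NORMAL_ACCOUNT: "ADS_UF_NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "ADS_UF_DONT_EXPIRE_PASSWD",
}

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = -0x8000000000000000             # maxPwdAge value meaning "never expire"


def bit_and_filter(attribute, mask):
    """Raw LDAP spelling of adfind's (attr:AND:=mask) shorthand."""
    return "(%s:%s:=%d)" % (attribute, LDAP_MATCHING_RULE_BIT_AND, mask)


def decode_uac(uac):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def to_filetime(dt):
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    """FILETIME -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_state(uac, pwd_last_set, max_pwd_age, now):
    """'must-change' | 'never-expires' | 'expired' | 'ok'.
    pwd_last_set is the user's FILETIME; max_pwd_age is the domain's
    maxPwdAge, a negative 100 ns interval (or NEVER / 0 for no limit)."""
    if pwd_last_set == 0:
        return "must-change"            # never set, or an admin forced a change
    if uac & ADS_UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER):
        return "never-expires"
    expires_at = from_filetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)
    return "expired" if now >= expires_at else "ok"


def report(accounts, max_pwd_age, now):
    """accounts: iterable of (sAMAccountName, userAccountControl, pwdLastSet)."""
    return {name: password_state(uac, pls, max_pwd_age, now) for name, uac, pls in accounts}


# Constructed domain policy (42 days) and "current time".
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000
NOW = datetime(2006, 7, 12, 12, 0, tzinfo=timezone.utc)

# Constructed accounts: (sAMAccountName, userAccountControl, pwdLastSet).
ACCOUNTS = [
    ("alice", ADS_UF_NORMAL_ACCOUNT, to_filetime(datetime(2006, 7, 1, tzinfo=timezone.utc))),
    ("bob", ADS_UF_NORMAL_ACCOUNT, 0),
    ("carol", ADS_UF_NORMAL_ACCOUNT, to_filetime(datetime(2006, 5, 1, tzinfo=timezone.utc))),
    ("svc-backup", ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD,
     to_filetime(datetime(2003, 1, 1, tzinfo=timezone.utc))),
]

if __name__ == "__main__":
    print(bit_and_filter("userAccountControl", ADS_UF_DONT_EXPIRE_PASSWD))
    for name, state in report(ACCOUNTS, MAX_PWD_AGE_42_DAYS, NOW).items():
        print(name, state, decode_uac(dict((a, u) for a, u, _ in ACCOUNTS)[name]))
```

The "never-expires" outcome for svc-backup is the case that matters for review: an account with the 65536 bit set is exactly what the oldcmp filter above enumerates, and a three-year-old password on it is invisible to any expiry report that only looks at pwdLastSet and maxPwdAge.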
Re: [ActiveDir] Acquisition of 2003 Forest - options experiences
I think you'd be doing yourself a favor to at least look into Quest Software's tools including Migration Manager for Active Directory. While I haven't used that particular tool I have used several of their other tools including their Domain Migration Wizard to move from NT4 to 2000/2003 with much success. They really reduce the workload in my experience and they have so much experience that they are less likely to miss something than if you try to do it manually =)

Andrew Fidel

Danny [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/2006 01:18 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Acquisition of 2003 Forest - options experiences

A company with an independent 2003 Forest has been acquired. They have Exchange 2003 and a Citrix server. We have a similar configuration minus Citrix. The goal is obviously to migrate key AD objects, mailboxes, and servers into our 2003 forest. I understand that ADMT is often the right tool for the job, but I would greatly appreciate hearing your personal experiences and any caveats that you may have run into. And is it the only tool you need? I am off to read some MS docs on the topic and specifically ADMT. Hopefully I am able to contribute back to the list.

Thanks,
...D
RE: [ActiveDir] Multihomed Domain Controllers
I only surf on the big ones. The small ones just don't catch the waves right. I don't even let them go to Windows Update. WSUS connections configured through Group Policy are about as far as I want them to go to the internet. The problem is users, and in many cases admins. I get a server just right, go back to my office, and by the time I get back they've already installed 15 programs ending in zilla. And of course no self-respecting admin can get a $15 Citrix infrastructure without immediately giving every STINKING user a desktop. Forget published apps. Forget everything that made it worth investing any money whatsoever, let's just give them a STINKING desktop. Sorry, I guess I must have let all of my thinking about Defending Security Infrastructure get to my head.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

You surf on your servers? My servers go to WU/MU... and maybe to Joe's blog for information on Defending Security Infrastructure.. in fact they regularly hang out on Joe's blog for all the information I need to know on Defending Security Infrastructure.. in fact http://blog.joeware.net/2006/07/11/445/ that link is the home page so that I'm constantly reminded about Defending Security Infrastructure.. but other than that... they don't have antispyware because they don't go anywhere to get spyware and the Enhanced IE is still on there.
RE: [ActiveDir] SFTP with AD Auth
We're just now rolling into production with Globalscape's product. Mixed feelings about it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn
Sent: Wednesday, July 12, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SFTP with AD Auth

I just thought I'd poll everyone to see what is being used as a SFTP server. Because of the politics of the arena here, the server will have to be on a member server and not on a DC itself - which I can't think would make much of a difference. The users will be accessing their home dirs only.

I've found a couple of packages just by doing some Google searches:

FreeSTP doesn't look like it works unless it's actually on a DC. Although I haven't confirmed that yet.

SSH Secure Shell (which is now SSH TecTIA) at first glance looks like you need their client to connect to the server.

I'd really like to stay with something that works with most free SFTP clients (Filezilla, WinSCP, etc.). I've found a few more, but I thought (like I said) I would get a poll just to see what others used.

Thanks,
Paul

--
*** I've got a fever and the only prescription is more cowbell. -- Christopher Walken ***
Re: [ActiveDir] Acquisition of 2003 Forest - options experiences
ADMT does a pretty good job of domain migrations, although the Exchange migration tools from Microsoft do leave a few tasks to be done manually (DL migration being one of them). There is a lot of benefit in some of the 3rd party Exchange migration utilities, but for many small AD migrations ADMT has enough functionality to manage it. For larger more complex migrations the 3rd party tools offer a lot of value. I've not tried to migrate Citrix servers in the past so I don't know if there are any specific pitfalls to watch out for with them.

Phil

On 7/12/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I think you'd be doing yourself a favor to at least look into Quest Software's tools including Migration Manager for Active Directory. While I haven't used that particular tool I have used several of their other tools including their Domain Migration Wizard to move from NT4 to 2000/2003 with much success. They really reduce the workload in my experience and they have so much experience that they are less likely to miss something than if you try to do it manually =)

Andrew Fidel
Re: [ActiveDir] Multihomed Domain Controllers
Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive. Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.
Re: [ActiveDir] SFTP with AD Auth
On 7/12/06, Bernier, Brandon (.) [EMAIL PROTECTED] wrote:

It's too bad IIS6 doesn't support TLS for FTP or that would be a great solution.

Agreed! It's amazing to me that after all these years they haven't decided to make some sort of SFTP native service. Too bad really.

paul

However, since it doesn't I would recommend a product called Serv-U by Rhinosoft.

-Brandon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lucas, Bryan
Sent: Wednesday, July 12, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SFTP with AD Auth

We're just now rolling into production with Globalscape's product. Mixed feelings about it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn
Sent: Wednesday, July 12, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SFTP with AD Auth

--
*** I've got a fever and the only prescription is more cowbell. -- Christopher Walken ***
RE: [ActiveDir] Planning for the future
an OU with the objects needed for those people (users, groups, computers) would be enough. Imagine a domain with at least 2 DCs for just 30 people with no special requirements while other domain(s) exist

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Larry Wahlers
Sent: Wed 2006-07-12 19:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Planning for the future

Esteemed colleagues,

We have a radio station that is currently part of our denomination that we want to finally put on our network. They are located about 20 miles from our headquarters. However, there has been talk for many, many years about selling off this radio station, but that hasn't come to pass yet. My question is, if we put them in their own domain in our existing forest, would that make it easier to get them into their own forest if they should some day no longer be a part of us? If not, what's the best way to plan for a possible future in which these 30 people might no longer be working for us?

Many thanks in advance.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
[OT]Re: [ActiveDir] Multihomed Domain Controllers
I know we're drifting off-topic, but I read this and started thinking: laptops. Why bother with desktops?

On 7/12/06, Matt Hargraves [EMAIL PROTECTED] wrote:

Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive. Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.
RE: [ActiveDir] Multihomed Domain Controllers
Sorry, forgive me for my lack of clarity. I was on the phone with Microsoft when I wrote that, so my head was shrinking. But don't worry, they refunded my case. I agree with you 100%. My rant was purely referring to the desktop published app, not a physical workstation. I was ranting about admins who can't seem to understand that Citrix costs more than RDP, but that is about the only difference if every user is connecting to the Citrix desktop instead of published apps. Especially since they don't want to lock the users down on the Citrix servers. Wow, it's a long way from multihomed domain controllers to Citrix and desktops vs. thin clients.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, July 12, 2006 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive. Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.
RE: [OT]Re: [ActiveDir] Multihomed Domain Controllers
Great so we can have even more people taking confidential data home with them and getting their laptops stolen from their cars :) Until we get Vista BitLocker and laptops that utilize it across the board I would be extremely paranoid about laptops all over.

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [OT]Re: [ActiveDir] Multihomed Domain Controllers

I know we're drifting off-topic, but I read this and started thinking: laptops. Why bother with desktops?
Re: [ActiveDir] Planning for the future
I agree with Jorge but I think it pertinent to add that you would likely want to gain some perspective: You are asking about a configuration for something that might happen in the distant future or not too distant future. You're trying to future proof your design/deployment centered around 30 sec prins, possibly 60 if they bring computing hardware with them. Using an OU, you can satisfy today's needs, and you can adjust to whatever their future demands become. If they decide in the future to go with Linux as their standard, then you'll not have wasted a moment's time or a penny of hardware to satisfy what might have been. If they decide to go with Active Directory, what exactly do you want them to take with them? If you give them their own forest, you *could* just cut the ties and no worries. But the administrative headache that goes with that is formidable. It must be dealt with and it will always be different and require special handling, additional resources, and a different skill set than an OU would require. Separate forests offer few benefits from what I can see of this situation, but weigh that carefully. If they decide to split company and go their own way to a new AD forest, you can use migration utilities to give them the sec prins (if they want them; it would be easier to just create new ones IMHO) and give them their mail data and be done. 30 users is too small a number in my opinion to want to worry about separate forests etc.

On 7/12/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

an OU with the objects needed for those people (users, groups, computers) would be enough. Imagine a domain with at least 2 DCs for just 30 people with no special requirements while other domain(s) exist

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address
Re: [OT]Re: [ActiveDir] Multihomed Domain Controllers
Confidential data? Can you, in three minutes or less, recite your company's confidential data policies if you were asked? Can you explain them to the users in your company (fair enough, I know you're a tech company; I've heard of you)? Or are your company classified docs going home on USB sticks and CDs or DVDs or in email and web uploads? I wonder though, desktop machines guarded by the cleaning crew are better? What about smart phones? Those keep you up late at night as well? :)

We're easily years away from widespread use and adoption of things like BitLocker. With cross-platform usage, not sure the value outside of the sphere of Windows desktops that have been upgraded (that's a what? 5 year cycle at many companies?) either but leave that for another time.

My preference is to embrace the new technology and find ways to mitigate the risks. Laptops are here to stay and although they go missing, that to me is not enough of a reason to not want to use them. I've seen instances of desktops that grow legs and go missing as well. Some might argue that VPN usage to non-company assets (those not owned AND managed by the company) are enough to give you the heebie jeebies. I don't see BitLocker solving those issues. Know something different?

On 7/12/06, Kurt Falde [EMAIL PROTECTED] wrote:

Great so we can have even more people taking confidential data home with them and getting their laptops stolen from their cars :) Until we get Vista BitLocker and laptops that utilize it across the board I would be extremely paranoid about laptops all over.

Kurt Falde
[ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
Today a conversation at my job came up about setting the preferred DNS server on the NIC of a DC with DNS installed. As far as I know it's best to point the DC (with DNS installed) to itself for DNS by specifying the internal IP address of the DC as the preferred DNS server on the NIC. Then I was told that this is not always necessary, and this puzzled me a bit. Not everybody was convinced of the above and this got me thinking. Some people are claiming that it doesn't really matter if you set that DC to be the preferred or the alternate DNS server. I was then shown an environment where all DCs in a child domain (all had DNS installed) had the same DNS server set as preferred DNS server.

Perhaps an example will make it more clear: a forest root domain with 4 child domains, child domain A, B, C, and D. Names of the Domain Controllers:

root domain: DC-A, DC-B, DC-C, DC-D
child domain A: DC-A1, DC-A2
child domain B: DC-B1, DC-B2
child domain C: DC-C1, DC-C2
child domain D: DC-D1, DC-D2

DC-A1 has specified DC-A2 as preferred DNS server and DC-A1 (itself) as alternate DNS server.
DC-A2 has specified DC-A2 (itself) as preferred DNS server and DC-A1 as alternate DNS server.
DC-B1 has specified DC-B2 as preferred DNS server and DC-B1 (itself) as alternate DNS server.
DC-B2 has specified DC-B2 (itself) as preferred DNS server and DC-B1 as alternate DNS server.
And so on for the other child domains.

I was told that this was done because this AD environment was not optimal and that by pointing all the DCs in a child domain to the same DNS server, other issues were prevented from occurring. This didn't sound all that good to me, to be honest :-)

I am now wondering if there are scenarios thinkable where it would be better not to point a DC with DNS installed to itself as the preferred server on its NIC. Does the term "Island DNS" also play a role in this?
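As an added illustration (not part of the thread), the DNS client settings from this post modelled so the two layouts can be compared: where each DC lists its own DNS service, how many DCs send queries to each server first, and whether any single DNS server's outage leaves a DC with no reachable server. The root-domain DCs are left out because their settings are not given, and the fallback behaviour (preferred first, then alternate, skipping unreachable servers) is a simplifying assumption.

```python
"""Model of the DNS client settings described in the post above.

Added example, not from the list thread: the configuration is constructed from
the post (child domains A-D, two DCs each); the root-domain DCs are left out
because their settings were not given.  Simplifying assumption: a DC uses the
first listed server that is reachable (preferred before alternate), and a DNS
server is unreachable when the DC hosting it is down.
"""
from collections import Counter

DOMAINS = "ABCD"


def thread_config():
    """The layout from the post: DC-x1 prefers DC-x2, DC-x2 prefers itself."""
    config = {}
    for d in DOMAINS:
        dc1, dc2 = f"DC-{d}1", f"DC-{d}2"
        config[dc1] = (dc2, dc1)  # (preferred, alternate)
        config[dc2] = (dc2, dc1)
    return config


def self_first_config():
    """The layout the poster expected: every DC prefers itself, partner as alternate."""
    config = {}
    for d in DOMAINS:
        dc1, dc2 = f"DC-{d}1", f"DC-{d}2"
        config[dc1] = (dc1, dc2)
        config[dc2] = (dc2, dc1)
    return config


def self_reference(config):
    """Where each DC lists its own DNS service: 'preferred', 'alternate' or None."""
    result = {}
    for dc, servers in config.items():
        if servers[0] == dc:
            result[dc] = "preferred"
        elif dc in servers[1:]:
            result[dc] = "alternate"
        else:
            result[dc] = None
    return result


def resolver_in_use(config, down=frozenset()):
    """Server each DC falls through to while the servers in `down` are unreachable."""
    return {
        dc: next((s for s in servers if s not in down), None)
        for dc, servers in config.items()
    }


def preferred_load(config):
    """How many DCs send their queries to each server first."""
    return Counter(servers[0] for servers in config.values())


def single_points_of_failure(config):
    """Servers whose outage leaves some DC with no reachable DNS server at all."""
    spof = {}
    for server in sorted({s for servers in config.values() for s in servers}):
        used = resolver_in_use(config, {server})
        stranded = [dc for dc, srv in used.items() if srv is None]
        if stranded:
            spof[server] = stranded
    return spof


def report(config):
    print("self-reference :", self_reference(config))
    print("preferred load :", dict(preferred_load(config)))
    print("SPOF           :", single_points_of_failure(config))
    print("if DC-A2 down  :", resolver_in_use(config, {"DC-A2"}))


if __name__ == "__main__":
    print("-- configuration from the thread --")
    report(thread_config())
    print("-- each DC preferring itself --")
    report(self_first_config())
    print("-- a DC listing only itself, no alternate --")
    print("SPOF           :", single_points_of_failure({"DC-X1": ("DC-X1",)}))
```

In the thread's layout every DC still lists itself somewhere and no single server outage strands a DC, but DC-x2 answers first for both DCs of each child domain; a DC that lists only itself is the one case the model reports as a single point of failure.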
Re: [ActiveDir] RDP Over SSL (No Security tab in Client)
Hi Al,

Just came across this link... Didn't test it myself as I am going to do a real upgrade of the stuff (I still don't understand why there is no real upgrade package, I really don't see any difference except the added feature, and I want to have both mstsc.exe and the MMC with the feature)...

http://www.petri.co.il/download_rdp_5_2.htm

Regards,
Bart

On 7/4/06, Al Mulnick [EMAIL PROTECTED] wrote:

Sounds suspiciously like a bug of omission that ought to be reported. The newer version should be laid down with the applications that it comes with IMHO. If it's in the code tree that far ahead, then I can't see a reason that it isn't laid down.

Al

On 7/4/06, Bart Van den Wyngaert [EMAIL PROTECTED] wrote:

What I have found today is that I actually don't have to register the .DLL file; only having both files present in the same directory already does the trick. Although when you do a 'Start, Run, mstsc' it will start the one in your Windows folder of course.

Old version: 5.1.2600.2180
New version: 5.2.3790.1830

And when registering the new .DLL in another location than the current one (ex. D:\MSTSC\MSTSCAX.DLL), I receive the message "*.DLL was loaded, but the DllInstall entry point was not found. *.DLL does not appear to be a .DLL or .OCX file".

For tsmmc.msc I have found that I needed to install the MMC 3.0 update, register the .DLL (although I had a warning) and then it was available...

I've installed W2K3 SP1 Administration Tools, but that didn't actually do the upgrade. If I look into the source of the Support Tools, I don't see the .DLL files or the .EXE files located there. So actually we should fine tune this to have the ideal 'upgrade' ;-)

Regards,
Bart

On 6/21/06, Al Mulnick [EMAIL PROTECTED] wrote:

I would have expected the support tools from W2K3 SP1 Server to upgrade the version. Can you send the file version and time stamp information for those files?
Al

On 6/20/06, Ravi Dogra [EMAIL PROTECTED] wrote:

Hi,

Al Mulnick: I have tried updating the version but that didn't help me. Did you see the snapshot without the security tab? It was the same after installing the updated version. Can you send me a link from where I can find the updated version to modify the built-in MSTSC? Thanks for all your help.

Bart Van den Wyngaert: You are right, I tried the same but it wasn't giving me the option to select Require Authentication. It looks like there is a DLL which is used by both mstsc and tsmmc.msc, because when I registered this DLL both things worked fine for me. Let me know if I am missing something?

Thanks and Regards
Ravi Dogra

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Moving a Certificate Authority
I am mostly complete with the domain upgrade and the subsequent certificate authority move. I've run into what should be the final problem before I can say everything is now successful.

I have moved the Certificate Authority from one Windows 2000 Server to another Windows 2000 Server. Everything appears happy on the new server running as a new certificate authority; however, domain clients are unable to request a certificate at this point. For instance, when attempting to request a user certificate from a Windows 2000 member server, I get the pretty standard error message stating, "Windows cannot find a certification authority that will process the request."

I have followed the instructions from KB298138 in the Windows 2000 section and while the certificate authority itself seems happy, all the clients don't seem to know where it is located. The new certificate authority has the exact same name as the old certificate authority, and I backed up the old CA certs and keys along with a registry key and restored these on the new CA as directed in the KB article.

Any advice on where to look to resolve this? I did find KB271861 which talked about the same error I was getting, and I did not have the Enroll right given to Domain Users; however, even after giving Domain Users that right it still has not changed anything.

Thanks,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3? That way you don't have to worry about the hardware not supporting 2003 or something terrible like that. Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is.
Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed. After continuing to do some reading and researching, it does appear that my only option is to

1) Upgrade the old DC to 2k3
2) Back up the CA and the registry key as stated in the KB298138 article.
3) Remove the CA services, demote the server and rename it.
4) Promote a 2k3 server with the same name as the old DC and install the CA services.
5) Restore the CA data and registry key
6) Cross my fingers and hope that I have a CA once again

I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

You cannot move from 2000 to 2003 as the database has changed. You could upgrade to 2k3 (this would be temporary) and then move to another 2k3 server. I know that you said that the HW was old - but perhaps a temporary sloow 2k3 machine?

You should keep the hostname the same - if you took the defaults for install (90% of CAs out there) then you have paths in all of your issued certs which hardcode to this server, not to mention the name is also in AD as well as the CA web pages. Unless you have a very good reason - it'd be best to keep it the same. I think that the article doesn't mention moving to a new name, because it would vary from customer to customer and cause more trouble than it's worth.
my .02

steve

----- Original Message -----
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority

As part of my on-going journey into upgrading a 2000 domain to 2003, I've run into the issue of moving the Certificate Authority on one of the original domain controllers to a new Windows 2003 domain controller. I have found a couple of KB articles that seem to put me down a good path, but then don't pan out.

Here is the situation: I am at the point in the domain upgrade process where I need to eliminate the Windows 2000 Servers from the domain so I can raise the functional level to 2003 native. However, the CA is currently on such old hardware that an OS upgrade to Windows 2003 from Windows 2000 is simply not possible, so it will need to be demoted. It was originally a Windows NT 4.0 domain controller back in the day. So I am in a situation where I need to take a Certificate Authority
Re: [ActiveDir] Planning for the future
I guess it really comes down to one thing: What does your employer want?

If they want to be able to sell off the asset quickly and smoothly, a trusted peer forest is the way to go. If they want to save money now, then just build some OUs and go that direction. Make sure that they know the differences though: Moving 10-30 computers into a new domain isn't just a 2 minute move, unless you really don't care about the users' former profiles. 'Give them their e-mail' might sound really nice if you don't care about them either. Severing the users from their domain severs them from other things that are behind the scenes, their SID and the Exchange infrastructure (if you are using Exchange).

Going with an OU to handle the computers and users is easy now, but it's not pretty or simple. Going with a separate peer domain/forest allows you to sever them very smoothly (break trust) and the users actually continue to work exactly as they did before, except that they can't access any resources on your existing domain.

I'll be honest... a lot of people are more concerned with saving money than they are in making sure that an asset has the capability to be completely independent of the parent organization. My recommendation is based upon what several companies that I've worked for do when they start up divisions that might be spun off later or even with assets which they acquire.

On 7/12/06, Al Mulnick [EMAIL PROTECTED] wrote:

I agree with Jorge but I think it pertinent to add that you would likely want to gain some perspective: You are asking about a configuration for something that might happen in the distant future or not too distant future. You're trying to future proof your design/deployment centered around 30 sec prins, possibly 60 if they bring computing hardware with them. Using an OU, you can satisfy today's needs, and you can adjust to whatever their future demands become.
If they decide in the future to go with Linux as their standard, then you'll not have wasted a moment's time or a penny of hardware to satisfy what might have been. If they decide to go with Active Directory, what exactly do you want them to take with them? If you give them their own forest, you *could* just cut the ties and no worries. But the administrative headache that goes with that is formidable. It must be dealt with and it will always be different and require special handling, additional resources, and a different skill set than an OU would require. Separate forests offer few benefits from what I can see of this situation, but weigh that carefully.

If they decide to split company and go their own way to a new AD forest, you can use migration utilities to give them the sec prins (if they want them; it would be easier to just create new ones IMHO) and give them their mail data and be done. 30 users is too small a number in my opinion to want to worry about separate forests etc.

On 7/12/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

An OU with the objects needed for those people (users, groups, computers) would be enough. Imagine a domain with at least 2 DCs for just 30 people with no special requirements while other domain(s) exist.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40- 29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Larry Wahlers
Sent: Wed 2006-07-12 19:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Planning for the future

Esteemed colleagues,

We have a radio station that is currently part of our denomination that we want to finally put on our network. They are located about 20 miles from our headquarters.
However, there has been talk for many, many years about selling off this radio station, but that hasn't come to pass yet.

My question is, if we put them in their own domain in our existing forest, would that make it easier to get them into their own forest if they should some day no longer be a part of us? If not, what's the best way to plan for a possible future in which these 30 people might no longer be working for us?

Many thanks in advance.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
Re: [OT]Re: [ActiveDir] Multihomed Domain Controllers
Fortunately, unless you know who has the data that you want to steal, the chances of any actual confidential data being stolen to the thieves' benefit are pretty slim. Even if you do find data that a competitor would want, most companies today are pretty hesitant about taking confidential information. Didn't you hear about Pepsi turning in that guy who was going to sell them confidential information from Coca Cola? The information that people are really worried about is controlled by the people who are usually more paranoid than we are: the accountants ;)

On 7/12/06, Al Mulnick [EMAIL PROTECTED] wrote: Confidential data? Can you, in three minutes or less, recite your company's confidential data policies if you were asked? [...]
RE: [ActiveDir] Multihomed Domain Controllers
Don't mean to hijack this thread, but on a similar note - what's the downside of installing DCs with adapter teaming? All I know is that when adapter teaming is enabled, setting up the WINS service pops an error message (which can be ignored)... but anything else? I've always been a firm believer in one NIC and no teaming... Any comments?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006... I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you... Go to the TCP/IP settings of the backup network card, click Advanced, go to the DNS tab and untick "register the connection in DNS".
Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset BH12 5HH
T: +44 (0) 8456 440 331  F: +44 (0) 8456 440 332  M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]  W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc.? Any other gotchas?

Many Thanks,

Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows

Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man... I will hunt you down...
http://blogs.technet.com/sbs
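An added check, not code from the thread, for the problem Jeff asks about and Robert's setting is meant to prevent: a DC whose backup-network NIC has registered its address in DNS, so that clients on the production LAN can be handed an address they cannot reach. The zone excerpt, the host names dc1/dc2 and example.corp, and the backup subnet 192.168.100.0/24 are all constructed assumptions for the example.

```python
"""Check a DNS zone for the multihomed-DC problem discussed in the thread: a DC
whose backup-network NIC registered its address, so a client can be handed an
address it cannot reach.

Added example, not from the list thread.  ZONE_EXCERPT is a constructed
zone-file-style excerpt (not a real export) and the backup subnet is assumed.
"""
import ipaddress
from collections import defaultdict

# Assumption for the example: the separate backup GbE lives in this subnet.
BACKUP_NETWORKS = ["192.168.100.0/24"]

# Constructed: dc1 has a production NIC (10.0.0.11) and a backup NIC
# (192.168.100.11) that was left registering; dc2 has one NIC only.  The '@'
# (same-as-parent) and gc._msdcs records are registered by Netlogon on the DC's
# behalf, the host records by the DNS client on each NIC.
ZONE_EXCERPT = """\
; example.corp zone excerpt (constructed for this example)
@                     600  IN A    10.0.0.11
@                     600  IN A    192.168.100.11
@                     600  IN A    10.0.0.12
dc1                   1200 IN A    10.0.0.11
dc1                   1200 IN A    192.168.100.11
dc2                   1200 IN A    10.0.0.12
gc._msdcs             600  IN A    10.0.0.11
gc._msdcs             600  IN A    192.168.100.11
gc._msdcs             600  IN A    10.0.0.12
_ldap._tcp.dc._msdcs  600  IN SRV  0 100 389 dc1.example.corp.
"""


def parse_a_records(zone_text):
    """Collect {owner name: [addresses]} for the A records in zone-file-style text.

    Comments (';') are stripped; TTL and class are optional, so the record type
    is taken from the second-to-last field and the address from the last one.
    """
    records = defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[-2] == "A":
            records[fields[0]].append(fields[-1])
    return dict(records)


def on_backup_network(address, backup_networks=BACKUP_NETWORKS):
    """True when the address falls inside one of the backup subnets."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(net) for net in backup_networks)


def stray_registrations(a_records, backup_networks=BACKUP_NETWORKS):
    """Names that carry an address on the backup network, with those addresses."""
    strays = {}
    for owner, addresses in a_records.items():
        bad = [a for a in addresses if on_backup_network(a, backup_networks)]
        if bad:
            strays[owner] = bad
    return strays


def unreachable_share(a_records, backup_networks=BACKUP_NETWORKS):
    """Fraction of round-robin answers per name that point at the backup network.

    A production-LAN client that receives such an answer fails to connect and
    has to retry, which is the symptom the thread is worried about.
    """
    return {
        owner: sum(on_backup_network(a, backup_networks) for a in addresses) / len(addresses)
        for owner, addresses in a_records.items()
    }


if __name__ == "__main__":
    records = parse_a_records(ZONE_EXCERPT)
    for owner, addrs in stray_registrations(records).items():
        print(f"{owner:12} registered on backup network: {', '.join(addrs)}")
    for owner, share in unreachable_share(records).items():
        print(f"{owner:12} {share:.0%} of answers unreachable from the production LAN")
```

Run against a real zone export, the stray list names the DCs still registering their backup NIC; note that the same-as-parent and gc._msdcs entries come from Netlogon, so they need the DC's own registration behaviour reviewed too, not just the NIC checkbox.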
RE: [ActiveDir] Multihomed Domain Controllers
Hijack this thread? I didn't know it could be hijacked any more than I already had.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Wednesday, July 12, 2006 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Don't mean to hijack this thread, but on a similar note - what's the downside of installing DCs with adapter teaming? [...]
Re: [ActiveDir] Multihomed Domain Controllers
I've not had good luck with teaming and I've yet to see much benefit. Saying that, I can see where teaming in a failover method might have some benefits for other types of servers. Due to the way AD is deployed (fabric vs. cluster or single instance) I see no point in making anything complex when it comes to a domain controller. I view teaming as one more piece of software to configure (and potentially mess up) and one more thing in my troubleshooting list if something goes amiss.

On 7/12/06, Freddy HARTONO [EMAIL PROTECTED] wrote: Don't mean to hijack this thread, but on a similar note - what's the downside of installing DCs with adapter teaming? [...]
Re: [ActiveDir] Planning for the future
I can respect that. And I agree with some of that logic to an extent.

I don't find migrations to be terribly complex, but I have to question what you're really migrating with 30 users. Email? Nope, that was held by the parent company. I need to get a PST (easily done with tools readily available that drop them into PST files nice and neat). Security principals? For what? What exactly are you going to access when you sever the ties? Do you have a file server? Hmm... again, a migration is pretty easy and well documented and for thirty users is a few hours' work. Not much more or less than you'd likely spend unhooking the data and systems for the cast-off if you went with multiple forests.

In the meantime you have integration issues (Exchange would be particularly difficult to deal with in that environment, leading me to my thoughts of migration later vs. separate forests now) and you likely have given access to other shared resources to the users while they were part of the company. Otherwise, why bother with the trusts at all? DNS is a PITA and the worst part is that nobody ever pays as much attention to the other forest or the DNS after you've moved on and been promoted or reassigned to some other project.

In my experience, the times I've seen this approach it was worse operationally than I believe it should be. They were still the red-headed step children and received very little benefit from being joined in the first place. This was after walking into sites that had gone this route and then seeing it years after the decisions. Similar thinking was used to get there, but the people that made the decisions were long, long gone.

For all of that, I think it best to keep them part of the organization and not worry about three years down the road for what the business *might* do. If that time comes, deal with it as a migration/divestiture vs. a separate forest that you've been running for them.
I think that results in lowered cost, better service and not much more dificulty divesting later than if you had given them a separate forest. On 7/12/06, Matt Hargraves [EMAIL PROTECTED] wrote: I guess it really comes down to one thing:What does your employer want?If they want to be able to sell off the asset quickly and smoothly, a trusted peer forest is the way to go. If they want to save money now, then just build some OUs and go that direction. Make sure that they know the differences though:Moving 10-30 computers into a new domain isn't just a 2 minute move, unless you really don't care about the user's former profiles. 'Give them their e-mail' might sound really nice if you don't care about them either. Severing the users from their domain severs them from other things that are behind the scenes, their SID and the Exchange infrastructure (if you are using Exchange). Going with an OU to handle the computers and users is easy now, but it's not pretty or simple. Going with a separate peer domain/forest allows you to sever them very smoothly (break trust) and the users actually continue to work exactly as they did before, except that they can't access any resources on your existing domain. I'll be honest... a lot of people are more concerned with saving money than they are in making sure that an asset has the capability to be completely independent of the parent organization.My recommendation is based upon what several companies that I've worked for do when they start up divisions that might be spun off later or even with assets which they acquire. On 7/12/06, Al Mulnick [EMAIL PROTECTED] wrote: I agree with Jorge but I think it pertinent to add that you would likely want to gain some perspective: You are asking about a configuration for something that might happen in the distant future or not to distant future. You're trying to future proof your design/deployment centered around 30 sec prins, possibly 60 if they bring computing hardware with them. 
Using an OU, you can satisfy today's needs, and you can adjust to whatever their future demands become. If they decide in the future to go with linux as their standard, then you'll not have wasted a moments time or a penny of hardware to satisfy what might have been. If they decide to go with Active Directory, what exactly do you want them to take with them? If you give them their own forest, you *could* just cut the ties and no worries. But the administrative headache that goes with that is formidable. It must be dealt with and it will always be different and require special handling, additional resources, and a different skill set than an OU would require. Separate forests offer few benefits from what I can see of this situation, but weigh that carefully. If they decide to split company and go their own way to a new AD forest, you can use migration utilities to give them the sec prins (if they wnat them; it would be easier to just create new ones IMHO) and give them their mail data and be done. 30 users is too small a number in my opinion to
Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
You don't work at the post office do you? ;)

There are many many many ways to properly configure DNS. One thing that helps is to think of the terms client and server vs. preferred and alternate only. You are configuring a preferred server and an alternate server that you want this DC to be a client of.

DNS is a standard. Windows 2003 DNS follows those standards (comments really, but let's not pick right?) Microsoft has done some enhancements above and beyond that make DNS play very well in the Microsoft sphere[1]. You can however have DNS that is a third party DNS system, such as BIND. Active Directory plays very well with such third party DNS systems. You could have your domain controllers not have any DNS hosted on them at all. You could have it hosted, but as a secondary zone. You could also have it AD integrated meaning that you have a listener for DNS but the data(base) is stored in the active directory.

Something to clarify: what you're talking about is making the DC a *client* to another DNS server that hosts the zones. You're also talking about making dc1 a client of dc2 and vice versa. That's silly, but I'll get to that.

If you have your dns hosted on a third party system such as BIND, you'll have one server as the primary (not best practice, but you get the idea; in practice you'd have multiple for failure tolerance and wan traffic optimization) and your DC would be a client of that system. If you have a traditional DNS hierarchy that has primary and secondary transfers, you would be mimicking BIND topology and again could configure your DC's to be clients of the BIND or Microsoft DNS servers. If you have the DNS AD-Integrated, then after initial replication you should have the client configured to use itself as the DNS server. That'd be the best practice.

Before 2003 you could have an island effect where because you didn't have a full picture of the directory, you might not have all the records needed to fully *see* the entire DNS names list effectively creating an island of a DC. In 2003 some additional code was put in to make sure that doesn't happen. You need to be a client of a working DNS to join the domain and to find the other DC's when you get promoted. After replication completes, you have a full list and there's no need to continue as a client of a server that has the same information you do.

So, what's silly about having your server configured to be a client of a dns server that has the same information? I find it amusing that if the server wants to find something he'll ask his neighbor if he has the information when he could just ask himself. It's brain dead in my opinion and very difficult to troubleshoot. In addition, and more importantly it breaks the idea of a fabric design because now dc1 and dc2 are reliant on each other to be operational. If either is down, both are down and that's ridiculous considering how easy it is to prevent that situation.

But wait! you say? He should try the partner first and if that fails use himself right? Yes but. :) He'll try the neighbor first, because that's the preferred. He'll also register there etc. The worst part is that if he tries the partner and the partner is not completely dead, he'll not try himself even if he has the right information.

Now, will it work? Yes. Is it a good idea? Absolutely not and shows a lack of understanding on the part of the folks that deployed it. From the sounds of it, an unwillingness to fix the underlying issues that led them there as well. On the other hand, they're spot on if it's W2K vs. K3 :)

Does that help?

[1] unless you like a granular audit logging. But that's neither here nor there.

On 7/12/06, Victor W. [EMAIL PROTECTED] wrote:

Today a conversation at my job came up about setting the preferred DNS server on the NIC of a DC with DNS installed. For as far as I know it's best to point the DC (with DNS installed) to itself for DNS by specifying the internal IP address of the DC as the preferred DNS server on the NIC. Then I was told that this is not always necessary and this puzzled me a bit. Not everybody was convinced of the above and this got me thinking. Some people are claiming that it doesn't really matter if you set that DC to be the preferred or the alternate DNS server. I was then shown an environment where all DC's in a child domain (all had DNS installed) had the same DNS server set as preferred DNS server.

Perhaps an example will make it more clear: a forest root domain with 4 child domains, child domain A, B, C, and D. Names of the Domain Controllers:

root domain: DC-A, DC-B, DC-C, DC-D
child domain A: DC-A1, DC-A2
child domain B: DC-B1, DC-B2
child domain C: DC-C1, DC-C2
child domain D: DC-D1, DC-D2

DC-A1 has specified DC-A2 as preferred DNS server and has specified DC-A1 (itself) as alternate DNS server.
DC-A2 has specified DC-A2 (itself) as preferred DNS server and has specified DC-A1 as alternate DNS server.
DC-B1 has specified DC-B2 as
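An added example, not code from the thread: a PowerShell audit that reports which DNS servers every DC in the domain is a client of and classifies each DC against the advice in the reply above (an AD-integrated DC should be its own preferred DNS server once replication is done). It assumes Windows Server 2012 or later with the ActiveDirectory and DnsClient modules and CIM/WinRM access to each DC; the W2K/W2K3 machines in the thread predate these cmdlets, where the same settings live in the NIC's TCP/IP properties.

```powershell
# Added example (not from the thread). Assumes Windows Server 2012+ with the
# ActiveDirectory and DnsClient modules and CIM/WinRM access to every DC.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

# Map every DC's IPv4 address back to its name, so a configured server address can be
# recognised as "self", "another DC in this domain" or "something else" (BIND, etc.).
$ipToDc = @{}
foreach ($dc in $dcs) { $ipToDc[$dc.IPv4Address] = $dc.HostName }

$results = foreach ($dc in $dcs) {
    # DNS client server list in configured order (preferred first), from the real NICs.
    $servers = @(Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' -and @($_.ServerAddresses).Count -gt 0 } |
        ForEach-Object { $_.ServerAddresses } |
        Select-Object -Unique)

    $self      = $dc.IPv4Address
    $preferred = if ($servers.Count -gt 0) { $servers[0] } else { $null }

    # Classify against the thread's advice: preferred server should be the DC itself.
    $state = if ($servers.Count -eq 0)                 { 'NoDnsServersConfigured' }
             elseif ($preferred -eq $self)             { 'PreferredIsSelf' }       # best practice
             elseif ($preferred -eq '127.0.0.1')       { 'PreferredIsLoopback' }   # thread advises the DC's own address
             elseif ($servers -contains $self)         { 'SelfIsAlternateOnly' }   # the DC-A1 case in the question
             elseif ($ipToDc.ContainsKey($preferred))  { 'ClientOfPartnerDc' }     # asks a neighbour holding the same data
             else                                      { 'ClientOfExternalDns' }   # e.g. BIND; fine if that is the design

    [pscustomobject]@{
        DC          = $dc.HostName
        Self        = $self
        Preferred   = $preferred
        PreferredDc = if ($preferred -and $ipToDc.ContainsKey($preferred)) { $ipToDc[$preferred] } else { $null }
        AllServers  = ($servers -join ', ')
        State       = $state
    }
}

$results | Format-Table DC, Self, Preferred, PreferredDc, State, AllServers -AutoSize

# The worst case from the reply: two DCs that are each other's preferred DNS server, so a
# DNS outage on either affects both. Report each such pair once.
$byName = @{}
foreach ($r in $results) { $byName[$r.DC] = $r }
foreach ($r in $results) {
    $partner = $r.PreferredDc
    if ($partner -and $partner -ne $r.DC -and $byName[$partner].PreferredDc -eq $r.DC -and $r.DC -lt $partner) {
        Write-Warning "$($r.DC) and $partner are DNS clients of each other; if either is down, both are down"
    }
}
```

Run it from a management host with RSAT; a 'ClientOfExternalDns' result is only a finding if the zones are actually AD-integrated rather than hosted on a separate DNS system.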
RE: [ActiveDir] Multihomed Domain Controllers
That's fine. You need to do two things:

1. This needs to be a backup subnet (so no gateway).
2. In the Network Connections explorer window under Tools > Advanced Settings, prioritize your connections with this one being last (this is only necessary if you need a gateway for the backup subnet for whatever reason).

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: Wednesday, July 12, 2006 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc? Any other gotchas?

Many Thanks,
---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error.

Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.
RE: [ActiveDir] Multihomed Domain Controllers
I've got hundreds of sites/forests with multihomed DCs. It works fine save for the browsing situation, but who uses that anyway?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration.

Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements" rule? Most likely.

When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's.

Just some random thoughts and my $.04 (USD) worth.

Al

On 7/12/06, Jeff Green [EMAIL PROTECTED] wrote:

Hi Guys,

Many thanks to all that have responded (and so quickly!)

Points / clarifications / additional Qs

a) DNS multihomed issues
Yes, found that in the MS KB about not registering this connection in DNS on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser Issues
Several things in MS KB about this and fixes (including hacking a registry if I remember correctly). But would Browser issues affect AD operations - I'm talking about replication issues here?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.

d) Backup
Using BackupExec, which allows binding of remote agents to specific NICs.

Have I got everything covered - I can't believe this is an unusual configuration?

Many Thanks

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc? Any other gotchas?

Many Thanks,
---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows
RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau
I think you meant Defending Security Infrastructures (DSI): Las Vegas.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, July 12, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

I can see a TV Show emerging here DSI (Las Vegas). If he was still alive Herve Villechaize could have played the lead, he used to be on Fantasy Island (Tattoo) and the man with the Golden Gun (Nick Nack).

From: joe [EMAIL PROTECTED]
Sent: 12 July 2006 16:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Oh F^%. I apologize in front of everyone for misspelling your name AGAIN, neil. I was so worked up over the topic of Defending Security Infrastructures that everything other than the topic of Defending Security Infrastructures completely slipped through my mind. Of course this would be much easier if you simply changed your first name to Neal then I would be right when I was wrong so when discussing topics such as Defending Security Infrastructures I would not mess up the spelling on your name. Again, I humbly ask your forgiveness[1] and apologize profusely and blame it all on the lack of definition of the term Defending Security Infrastructures[2]. So before I go on too much more about Defending Security Infrastructures and the webpage at http://blog.joeware.net/2006/07/11/445/ which tells you absolutely nothing about Defending Security Infrastructures, I will now close this note on Defending Security Infrastructures.

joe

[1] That is serious. No excuse neil, I am quite sorry.
[2] Err so is that, but not as serious as [1] above.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/
--- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 12, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood. I said DO NOT READ that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/. And then if you read the blog on Defending Security Infrastructures, I asked for you to comment to the blog your thoughts on Defending Security Infrastructures. This is neither the time to discuss Defending Security Infrastructures nor the place to discuss Defending Security Infrastructures. I personally haven't fully stepped into the Defending Security Infrastructures space yet, though if I did I would probably look to the fine folks at NetPro and Quest first to see their ideas on Defending Security Infrastructures, and of course I would be obligated to look at Microsoft's Defending Security Infrastructures solutions and also as mentioned in one of the blog comments, a key portion of the Defending Security Infrastructures solution would be GPOs so I would look to GPOGuy for Defending Security Infrastructures products as well.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 12, 2006 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

So we can defend our security infras using either of 2 vapourware solutions now :) cool! Mr Tandon was there before you tho, joe :-^

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 July 2006 03:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Gotta love that signature Tony... I promise not to disclose this information to anyone.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 11, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [List Owner] OOFs from Steven Comeau

Hi all

I have temporarily suspended Steven Comeau's subscription, which should stop the out of office replies
RE: [ActiveDir] Multihomed Domain Controllers
I had a production environment which required hosts files to deal with the confusing mechanism behind Cisco's Layer 4 load balancer blades (CSMs). That was one of those if you didn't know about it (it being the CSM and the hosts file solution we came up with) you'd probably never figure it out type things.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 12, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

But I hope we still have the option of doing so... I use the hosts file on a regular basis to redirect the localhost name to the machine's IP instead of to 127.blah and then stick in route statements so all locally directed traffic bounces out to a router and back so I can look at the network traces of the traffic.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you... Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS.

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc? Any other gotchas?

Many Thanks,
---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
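An added example, not code from any of the posters: a PowerShell check for the three settings Brian, Jeff and Rob describe for the backup NIC of a multihomed DC (do not register the connection in DNS, leave the DNS server list and gateway blank, sort the adapter last), with an optional fix for the DNS side. It assumes Windows Server 2012 or later (NetTCPIP and DnsClient modules), where the old Advanced Settings binding order is expressed as the IPv4 interface metric (lower wins); the adapter alias 'Backup' is a hypothetical name.

```powershell
# Added example (not from the thread). Assumes Windows Server 2012+ and that it runs
# on the DC itself. 'Backup' is a hypothetical adapter alias.
function Test-BackupNic {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BackupAlias,
        [switch] $Fix   # apply the DNS-side fixes; gateway and metric are reported only
    )

    $dns      = Get-DnsClient -InterfaceAlias $BackupAlias -ErrorAction Stop
    $servers  = Get-DnsClientServerAddress -InterfaceAlias $BackupAlias -AddressFamily IPv4
    $ipcfg    = Get-NetIPConfiguration -InterfaceAlias $BackupAlias
    $backupIf = Get-NetIPInterface -InterfaceAlias $BackupAlias -AddressFamily IPv4
    # Every other connected IPv4 interface counts as "production" for the ordering check.
    $others = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -ne $BackupAlias -and $_.ConnectionState -eq 'Connected' }

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. "untick register the connection in DNS" (Rob; Jeff's point a). A registered
    #    backup address ends up in the DC's A records and clients may try to reach it.
    if ($dns.RegisterThisConnectionsAddress) {
        $findings.Add('registers its address in DNS')
        if ($Fix) { Set-DnsClient -InterfaceAlias $BackupAlias -RegisterThisConnectionsAddress $false }
    }

    # 2. DNS server list blank on the second NIC (Jeff's point a)
    if (@($servers.ServerAddresses).Count -gt 0) {
        $findings.Add("has DNS servers configured ($($servers.ServerAddresses -join ', '))")
        if ($Fix) { Set-DnsClientServerAddress -InterfaceAlias $BackupAlias -ResetServerAddresses }
    }

    # 3. backup subnet, so no default gateway (Brian; Jeff's point a)
    if ($ipcfg.IPv4DefaultGateway) {
        $findings.Add("has a default gateway ($($ipcfg.IPv4DefaultGateway.NextHop))")
    }

    # 4. backup NIC must be last in priority: its metric must exceed every production NIC's
    $maxOther = ($others | Measure-Object -Property InterfaceMetric -Maximum).Maximum
    if ($others -and $backupIf.InterfaceMetric -le $maxOther) {
        $findings.Add("binding priority is not lowest (metric $($backupIf.InterfaceMetric) vs production max $maxOther)")
    }

    [pscustomobject]@{
        Adapter   = $BackupAlias
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
        FixApplied = [bool]$Fix
    }
}

# Report only:
Test-BackupNic -BackupAlias 'Backup'
# After reviewing the report, apply the DNS-side fixes:
# Test-BackupNic -BackupAlias 'Backup' -Fix
```

Re-run the report after `-Fix` and confirm with `ipconfig /registerdns` plus a lookup of the DC's name that only the production address is returned.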
RE: [ActiveDir] Multihomed Domain Controllers
Hmm, this whole no surfing the web on DCs is potentially problematic if you're Defending Security Infrastructures in your datacenter. You would need to order the pizza whilst in the presence of your security infrastructures which might be collocated with the domain controllers. If you were to abandon your security infrastructures to order pizza, you would no longer be defending security infrastructures in your datacenter.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Wednesday, July 12, 2006 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

I only surf on the big ones. The small ones just don't catch the waves right. I don't even let them go to Windows Update. WSUS connections configured through Group Policy are about as far as I want them to go to the internet. The problem is users, and in many cases admins. I get a server just right, go back to my office, and by the time I get back they've already installed 15 programs ending in zilla. And of course no self-respecting admin can get a $15 Citrix infrastructure without immediately giving every STINKING user a desktop. Forget published apps. Forget everything that made it worth investing any money whatsoever, let's just give them a STINKING desktop. Sorry, I guess I must have let all of my thinking about Defending Security Infrastructure get to my head.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

You surf on your servers? My servers go to WU/MU... and maybe to Joe's blog for information on Defending Security Infrastructure.. in fact they regularly hang out on Joe's blog for all the information I need to know on Defending Security Infrastructure.. in fact http://blog.joeware.net/2006/07/11/445/ that link is the home page so that I'm constantly reminded about Defending Security Infrastructure.. but other than that... they don't have antispyware because they don't go anywhere to get spyware and the Enhanced IE is still on there.

Kevin Brunson wrote:

I have definitely found the hosts file to be useful on servers to keep them from EVER getting to spyware sites. This guy has a great list: http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts Just cut and paste into the hosts file and you are good to go. I scripted it for all of the servers I deal with. But I guess this is getting pretty far OT: :)

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you... Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS.

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues
RE: [ActiveDir] SFTP with AD Auth
VShell's product works well. I got Kerberos cooking on RHEL4 with lib_krb5.so as the PAM. Works like a charm.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Wednesday, July 12, 2006 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SFTP with AD Auth

We're just now rolling into production with Globalscape's product. Mixed feelings about it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: Wednesday, July 12, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SFTP with AD Auth

I just thought I'd poll everyone to see what is being used as a SFTP server. Because of the politics of the arena here, the server will have to be on a member server and not on a DC itself - which I can't think would make much of a difference. The users will be accessing their home dirs only. I've found a couple of packages just by doing some google searches:

FreeSTP doesn't look like it works unless it's actually on a DC. Although I haven't confirmed that yet.

SSH Secure Shell (which is now SSH TecTIA) at first glance looks like you need their client to connect to the server.

I'd really like to stay with something that works with most free SFTP clients (Filezilla, WinSCP, Etc). I've found a few more, but I thought (like I said) I would get a poll just to see what others used.

Thanks,
Paul
--
*** I've got a fever and the only prescription is more cowbell. --Christopher Walken ***