Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
I can't see how you can get a duplicate NDNC as the creation of such objects is targeted at the DN master. The DN master will check the existing crossRefs and stop this happening, as we can't rely on the DS stopping it as the RDN is different for each NDNC (unless they've used well-known GUIDs for the DNS NCs?). Although the behaviour you speak of is new to me, and another one of those slight, interesting changes, so thanks for that. Can you elaborate on this new behaviour? What, exactly, happens and in what order? --Paul

- Original Message - From: Grillenmeier, Guido [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, July 13, 2006 6:52 PM Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Note that DNS startup behaviour changes with SP1, which is another reason not to choose the DC itself as the preferred DNS server: with SP1, AD will not allow the DNS service to read any records until it has successfully replicated with one of its replication partners. This is to avoid false or duplicate registration of records (or even duplicate creation of the application partitions). As such, with SP1 it's better to point your DCs to a replication partner as a primary DNS and to self as a secondary. /Guido

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 13 July 2006 17:02 To: ActiveDir@mail.activedir.org Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED] Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Hi Al, I did want to throw in a personal experience I had with W2K3 that validates the "point your DNS server to a replication partner" theory. I did see in one environment where every DC had DNS and the msdcs partition was a forest partition. An unfortunate DNS scavenge was done deleting some of the GUID records in the MSDCS partition.
Replication started to fail shortly after that and the missing GUIDs were discovered. The netlogon service was restarted to make the DCs re-register but of course they re-registered the GUID on themselves. They could find themselves but not their replication partners. The replication partners could find them but not themselves. When the DCs were set to point to a hub replication partner for primary and themselves as secondary the problem went away - the netlogon service was restarted, the GUIDs registered on the central DNS server, the spokes did the lookup for replication partners on the hub site DC and eventually things started working again. This was pre-SP1 so this may not be a problem anymore, but after that experience I have seen value in doing the DNS configuration so that the DCs all point to the hub first and themselves second. I have not seen any problems for the DC itself when the WAN link dropped for a length of time and the primary DNS server was not reachable. Of course, if there are never any changes to DC IPs or names and the MSDCS is never scavenged (or the interval is long enough not to recreate the above problem) then the above argument is moot. Regards; James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service 202-230-2983 [EMAIL PROTECTED]

From: Al Mulnick [EMAIL PROTECTED] Sent: 07/12/2006 09:58 PM AST To: ActiveDir@mail.activedir.org (bcc: James Day/Contractor/NPS) Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

You don't work at the post office do you? ;) There are many many many ways to properly configure DNS. One thing that helps is to think of the terms client and server vs. preferred and alternate only. You are configuring a preferred server and an alternate server that you want this DC to be a client of. DNS is a standard.
Windows 2003 DNS follows those standards (comments really, but let's not pick right?) Microsoft has done some enhancements above and beyond that make DNS play very well in the Microsoft sphere[1]. You can however have DNS that is a third party DNS system, such as BIND. Active Directory plays very well with such third party DNS systems. You could have your domain controllers not have any DNS hosted on them at all. You could have it hosted, but as a secondary zone. You could also have it AD integrated meaning that you have a listener for DNS but the data(base) is stored in the active directory. Something to clarify: what you're talking about is making the DC a *client* to another DNS server that hosts the zones. You're also talking about making dc1 a client
Re: [ActiveDir] ADSIEdit, Exchange and Assistants
Just looking further into this, it seems telephoneAssistant and secretary are the fields that appear in Outlook - both of which are free text input. It begs the question of what the DN field of 'assistant' actually does. Surely if it is expecting a distinguished name, it must be used for something, somewhere? Anyone know what?

On 13/07/06, AdamT [EMAIL PROTECTED] wrote: Nevermind - figured it out myself after finding an account with N/A in the field - the correct field is called 'telephoneAssistant', and is a free-text input, rather than a DN.

On 13/07/06, AdamT [EMAIL PROTECTED] wrote: Dear font of all knowledge, I remember reading a thread a while back about changing the value of the 'assistant' field, using ADSIEdit. Somebody's asked me to do this today, so I've given it a go, and copied/pasted the DN from one user to the other's 'assistant' field - but the change doesn't appear to be showing in people's Outlook clients. I've checked on a freshly installed Outlook client, just to be sure there's no cached data, and looking at the user's GAL properties still shows the assistant field as blank. Am I missing something here? Is that not the same assistant field that Exchange 2K/2K3 would be looking at? Is there something else I need to do to enable usage of this field? Thanks in advance, -- AdamT If it truly were the thought that counted, more women would be pregnant - anon

-- AdamT A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Forest trust - domain drop down list
Yes Tony, this is standard behaviour - you'll only see domains that are directly trusted. Trust type doesn't matter. Even though a forest trust will be transitive to all child domains by default, you'll have to use UPN to authenticate to a child domain. Which is another reason why empty placeholder roots don't really make an administrator's life easier... The challenges continue for viewing objects of a trusted child domain across a forest trust in the object picker - afaik, it will also just show you the root domain (but you can find objects in the child by searching the GC...). If you put in a normal external trust between your DomB and the DomA2, you'll lose the benefit of Kerberos authentication from your forest trust (when choosing DomA2 in the logon window). If that's ok for you, this is a solution, but then you might as well get rid of the forest trust... /Guido

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Friday, 14 July 2006 05:54 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Forest trust - domain drop down list

Here's the scenario: Forest trust between ForestA and ForestB. ForestA has two domains, DomA1 (placeholder root) and DomA2. ForestB has one domain, DomB. Users from DomA2 sometimes log into DomB member machines. DomA2 is not shown in the drop-down list of domain names in the login dialog. DomA1 is shown. Users from DomB sometimes log into DomA2 member machines. DomB is not shown in the drop-down list of domain names in the login dialog. Is it normal behaviour for the drop-down list not to show all the domains with trusts (including those that are transitive via the forest trust)? If so, is there any way to change the behaviour? The users can obviously login using UPN, but they are not used to doing this and there is talk of putting in an explicit domain trust between DomA2 and DomB simply to get around this. Ugh.
Tony
[ActiveDir] ADAM pwdLastSet
We need to delegate an ADAM group the ability to change any other ADAM user's pwdLastSet to 0 under a certain OU. This way we can force ADAM users to change their password if they meet specific criteria. So we add an ACE to the parent OU where the ADAM users live for WP/RP on pwdLastSet for ADAM users. However it keeps giving us Insufficient Access Rights. MSDN says the value is set by the system and we know that, but it will allow ADAM Administrators to change this value to 0. So what am I missing here? btw - this is ADAM RTM. -Brandon
RE: [ActiveDir] Forest trust - domain drop down list
Or you could just get users accustomed to using UPNs for logon and avoid the problem. :-) Laura

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Friday, July 14, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Forest trust - domain drop down list
Re: [ActiveDir] ADAM pwdLastSet
Are you sure you want to do this? My experience with setting pwdLastSet to 0 in AD is that doing that will break the ability to do an LDAP bind for the user, so they can't do an LDAP change password operation. This would be a problem for ADAM users if the same behavior applies, as LDAP is the only way to do a change password operation. In AD, when you are set to 0, the only way to change the password at next login is through a Windows login. I'd be interested to know if this really gets you the results you want. I may go test this... :) That said, I'm not sure what you did wrong from a delegation standpoint, but I always recommend using the allowedAttributesEffective constructed attribute to find out what attributes the currently bound user actually has rights to modify. This is an essential troubleshooting step. Also, the ACL editor in ADAM SP1 LDP is really nice and may help you see what you did wrong. Joe K.

- Original Message - From: Bernier, Brandon (.) To: ActiveDir@mail.activedir.org Sent: Friday, July 14, 2006 9:30 AM Subject: [ActiveDir] ADAM pwdLastSet
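Added example, not code from the thread or any of its posters: the troubleshooting step Joe recommends, done from PowerShell against an ADAM/AD LDS instance. It binds as the delegated account (not as an ADAM administrator, which would mask the ACL problem), reads the constructed allowedAttributesEffective attribute on the target user to see whether pwdLastSet is actually writable for that caller, and only then sets it to 0. The instance name, port, DNs and the use of a simple bind over plain LDAP are placeholders; the System.DirectoryServices classes used here are standard .NET.

```powershell
# Added example (not from the thread). Checks effective write access on pwdLastSet
# for the bound caller before trying to force a password change in ADAM/AD LDS.
Add-Type -AssemblyName System.DirectoryServices

$server   = 'adam01.example.com:389'               # placeholder ADAM instance (host:port)
$userDn   = 'CN=jdoe,OU=Users,O=Example,C=US'      # placeholder target user
$bindUser = 'CN=helpdesk,OU=Admins,O=Example,C=US' # placeholder delegated ADAM principal
$secure   = Read-Host -Prompt "Password for $bindUser" -AsSecureString
$bindPwd  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

function Get-EffectiveWritableAttributes {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    # allowedAttributesEffective is computed per bound caller: it lists only the
    # attributes this caller may write on this object, i.e. the ACL as the DSA
    # evaluates it, not the ACE you think you delegated.
    $Entry.RefreshCache(@('allowedAttributesEffective'))
    @($Entry.Properties['allowedAttributesEffective'])
}

# Simple bind with an ADAM principal. AuthenticationTypes::None sends the password
# in clear; use SecureSocketsLayer (and the SSL port) outside a lab.
$auth  = [System.DirectoryServices.AuthenticationTypes]::None
$entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$server/$userDn", $bindUser, $bindPwd, $auth)

$writable = Get-EffectiveWritableAttributes -Entry $entry
if ($writable -notcontains 'pwdLastSet') {
    Write-Warning "pwdLastSet is not writable for $bindUser on $userDn."
    Write-Warning "Check the ACE: Write Property on pwdLastSet, applied to user objects, inherited from the OU."
    Write-Host 'Attributes this caller can write:' ($writable -join ', ')
    return
}

# Effective access confirmed: force change at next logon. Joe's caveat still
# applies; with pwdLastSet = 0 the user may not be able to bind to change it.
$entry.Properties['pwdLastSet'].Value = 0
$entry.CommitChanges()
Write-Host "pwdLastSet set to 0 on $userDn"
```

If pwdLastSet is missing from the list while other attributes you delegated are present, the ACE is applied to the wrong object class or not inherited; if the list is empty, the bind itself is not who you think it is (ADAM simple binds silently fail over to anonymous in some configurations, so check the bound identity first).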
Re: [ActiveDir] ADSIEdit, Exchange and Assistants
This is an interesting question. I'm going to posit a guess that the assistant field comes from a standard schema definition and is included in AD as a result of that. The DN field has many advantages, in that it is rename/move-safe, etc. One other interesting point about this attribute is that it is not linked, which means that you can't look at the backlink to see who supports who and such. The majority of DN attributes in AD are linked, but this one is not. I'm guessing the GAL doesn't use it because the GAL logic was either too slow/too lazy to do the appropriate attribute scope query to resolve the DN into a friendly name before publishing (no one wants to actually see the DN in the GAL!). This may also just be a throwback from previous versions of AD which didn't support ASQ, making this operation a little less elegant. In any event, it would definitely make the GAL building logic slower as an additional query would be required. You could always automate this yourself by populating the assistant field through some sort of provisioning process and then writing the free text attributes based on data from the referenced object. You could then implement some sort of change polling/sync process that would look for changes to objects for the attributes you use for the free text value and then set the value in the referencing object whenever the source value changes. That would be slick. :) Unfortunately, this is less easy to do than it might be due to the lack of the backlink. Joe K.

- Original Message - From: AdamT [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, July 14, 2006 9:12 AM Subject: Re: [ActiveDir] ADSIEdit, Exchange and Assistants
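Added example, not code from the thread or any of its posters: the sync Joe sketches, as a script you could schedule. Because 'assistant' has no backlink, the only way to find the users that reference an assistant is a forward search for every user with the attribute populated, which is what the script does; it then resolves each DN and copies the referenced object's display name into a free-text attribute. It assumes the ActiveDirectory PowerShell module (which did not exist in 2006) and that msExchAssistantName is the string attribute Outlook renders as "Assistant"; change $TargetAttribute if your GAL reads a different one.

```powershell
# Added example (not from the thread). Keeps a free-text assistant attribute in
# sync with the DN-valued 'assistant' attribute, as Joe describes.
Import-Module ActiveDirectory

$TargetAttribute = 'msExchAssistantName'   # assumption: the string attribute the GAL shows

function Sync-AssistantName {
    param([switch]$WhatIf)

    # Forward search: no backlink exists, so start from the referencing users.
    $users = Get-ADUser -Filter 'assistant -like "*"' -Properties assistant, $TargetAttribute

    foreach ($u in $users) {
        # 'assistant' holds a DN. If the referenced object was deleted the DN is
        # dangling; report it rather than writing a stale or empty name.
        try {
            $ref = Get-ADObject -Identity $u.assistant -Properties displayName -ErrorAction Stop
        } catch {
            Write-Warning "$($u.SamAccountName): assistant DN '$($u.assistant)' does not resolve"
            continue
        }

        $name = $ref.displayName
        if (-not $name) { $name = $ref.Name }      # fall back to the RDN value

        if ($u.$TargetAttribute -eq $name) { continue }   # already in sync

        if ($WhatIf) {
            "$($u.SamAccountName): would set $TargetAttribute = '$name'"
        } else {
            Set-ADUser -Identity $u -Replace @{ $TargetAttribute = $name }
            "$($u.SamAccountName): set $TargetAttribute = '$name'"
        }
    }
}

Sync-AssistantName -WhatIf
```

Run it with -WhatIf first to see which users would change. Scheduled hourly it is the "change polling" half of Joe's design; since the DN is move- and rename-safe, a renamed assistant is picked up on the next pass without anyone touching the referencing user.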
RE: [ActiveDir] Forest trust - domain drop down list
If the client is modern, Windows XP SP1 or later, then you can type domain\username in the username field and it will crack it as well, just in case your users do not want to type their UPN or it is too long. :-) Thanks, -Steve

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, July 14, 2006 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Forest trust - domain drop down list
RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
I'd have to do some more digging as to *why* the duplicate app-partitions were created, but I've had to troubleshoot this prior to SP1. This was during a global Win2003 DC rollout - we used the IFM feature to roll out the DCs. But prior to SP1 you couldn't add the application partitions to the dcpromo process (IFM in SP1 now offers the option to include app partitions during the promotion). During this rollout a couple of DCs actually re-created the DomainDnsZones app-partition right after their first reboot, causing some interesting challenges. Agree they should have contacted the DN master - not sure why either they didn't, or why the DN master allowed them to re-create this well-known app-partition. Anyways, to avoid similar issues, SP1 ensures that AD completes the replication with one partner prior to allowing the DNS service to read its records and to register anything. This is actually similar to the change that was done with either Win2000 SP2 or SP3 to stop DCs advertising their GC status prior to finishing a replication cycle with another GC or one DC of every domain in their site. The challenge here is that you get into a race condition when using the DC itself as the primary DNS server - of course this will still work, but you have to wait for many more timeouts during the reboot of the AD DC: for every DNS query prior to a successful replication, the DC will first try to query its own DNS server and won't use the secondary until a DNS timeout... I've seen the boot times of DCs go up to 10 and more minutes. This can usually be fixed by setting the primary DNS server of the DC to another DNS server (naturally won't help if both are booted at once - consider this during your DR planning...) /Guido

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Friday, 14 July 2006 12:33 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
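Added example, not code from the thread or any of its posters: an audit for the two conditions this thread is about, a DC whose preferred DNS server is itself (Guido's boot-time race) and a DC whose <NTDS-Settings-GUID>._msdcs CNAME is missing from the zone (James's scavenging incident). For each DC it reads the DNS client order as configured on that DC and resolves the DC's own replication CNAME against the DC's preferred server, since that is what the DC itself sees when it looks for a partner. It assumes the ActiveDirectory and DnsClient PowerShell modules and PowerShell remoting to each DC, none of which existed in 2006; the addresses in the remediation comment are placeholders.

```powershell
# Added example (not from the thread). Reports, per DC: DNS client order, whether
# the preferred server is the DC itself, and whether its _msdcs CNAME resolves.
Import-Module ActiveDirectory
Import-Module DnsClient

function Test-DcDnsClientConfig {
    $forest    = Get-ADForest
    $msdcsZone = "_msdcs.$($forest.RootDomain)"

    foreach ($dc in Get-ADDomainController -Filter *) {
        # The replication CNAME is named after the objectGUID of the DC's
        # NTDS Settings object, not after the computer object.
        $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
        $cname = "$($ntds.objectGUID).$msdcsZone"

        # Get-DnsClientServerAddress only reads the local box, so run it on the DC.
        $servers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 } |
                Select-Object -First 1).ServerAddresses
        }
        $preferred = $servers | Select-Object -First 1
        $selfFirst = $preferred -in @($dc.IPv4Address, '127.0.0.1')

        # Ask the DC's preferred server directly (-DnsOnly bypasses the local cache).
        try {
            $null = Resolve-DnsName -Name $cname -Type CNAME -Server $preferred -DnsOnly -ErrorAction Stop
            $cnameOk = $true
        } catch {
            $cnameOk = $false
        }

        [pscustomobject]@{
            DC            = $dc.HostName
            PreferredDns  = $preferred
            AlternateDns  = ($servers | Select-Object -Skip 1) -join ','
            PointsToSelf  = $selfFirst
            MsdcsCname    = $cname
            CnameResolves = $cnameOk
        }
    }
}

Test-DcDnsClientConfig | Format-Table -AutoSize

# Remediation for a flagged DC, run on that DC. Partner first, self second
# (addresses are placeholders), then re-register the DC's records without
# bouncing Netlogon:
#   Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.10','10.0.0.20'
#   nltest /dsregdns
```

A DC that reports PointsToSelf = True and CnameResolves = False is exactly James's case: it re-registers its own CNAME locally on the next Netlogon refresh and then looks for partners on a server that has not yet received their records. Fixing the order before re-registering is what made his spokes converge.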
RE: [ActiveDir] Moving a Certificate Authority
Here is the output file cert-ds.txt as requested. To me, everything appears proper, but perhaps you might be able to glean more information from it than I can. Thanks Steve. ~Ben

From: [EMAIL PROTECTED] on behalf of steve patrick Sent: Thu 7/13/2006 4:41 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Moving a Certificate Authority

Please run "certutil -ds cert-ds.txt" and send us (or me) the text file. steve

- Original Message - From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Thursday, July 13, 2006 1:42 PM Subject: RE: [ActiveDir] Moving a Certificate Authority

I am at a complete loss here as to what to do to resolve this issue. Domain has been upgraded from 2000 to 2003 and the stand-alone CA has been moved from a very old Windows 2000 server to a new Windows 2000 server with the same name. It was at this point that clients became unable to request new certificates from the new CA. I then upgraded the new Windows 2000 CA server to Windows 2003 in the hopes that would help. It did in fact eliminate one of two errors in the event logs I was seeing, but I'm still left with one recurring event log entry and a still unusable CA. Here is the one relevant entry in the event log that appears on the new CA server.

Source: CertSvc
Event ID: 44
Type: Error
The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168). Certificate Services could not find required Active Directory information.

Any thoughts? ~Ben

From: WATSON, BEN Sent: Wed 7/12/2006 3:27 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Moving a Certificate Authority

I am mostly complete with the domain upgrade and the subsequent certificate authority move. I've run into what "should" be the final problem before I can say everything is now successful. I have moved the Certificate Authority from one Windows 2000 Server to another Windows 2000 Server.
Everything appears happy on the new server running as a new certificate authority; however domain clients are unable to request a certificate at this point. For instance, when attempting to request a user certificate from a Windows 2000 member server, I get the pretty standard error message stating, "Windows cannot find a certification authority that will process the request". I have followed the instructions from KB298138 in the Windows 2000 section and while the certificate authority itself seems happy, all the clients don't seem to know where it is located. The new certificate authority has the exact same name as the old certificate authority, and I backed up the old CA certs and keys along with a registry key and restored these on the new CA as directed in the KB article. Any advice on where to look to resolve this? I did find KB271861 which talked about the same error I was getting, and I did not have the Enroll right given to Domain Users, however even after giving Domain Users that right it still has not changed anything. Thanks, ~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson Sent: Tuesday, July 11, 2006 6:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving a Certificate Authority

Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3? That way you don't have to worry about the hardware not supporting 2003 or something terrible like that. Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is. Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, July 11, 2006 6:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed.
After continuing to do some reading and researching, it does appear that my only option is to...
1) Upgrade the old DC to 2k3
2) Backup the CA and the registry key as stated in the KB298138 article.
3) Remove the CA services, demote server and rename it.
4) Promote a 2k3 server with the same name as the old DC and install the CA services.
5) Restore the CA data and registry key
6) Cross my fingers and hope that I have a CA once again
I'll give this a shot tomorrow. I just wonder what would be my backup plan should the CA restoration fail on the new server? The old server will have been demoted and removed from Active Directory along with the CA services removed, not to mention a new server now has its name. Thanks for your .02 Steve,
RE: [ActiveDir] Replication Problem After DC Demotion
That's good to know Brian. The information that we came across and thought might be relevant is posted below for anyone who may find it of value.

http://technet2.microsoft.com/WindowsServer/en/Library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx?mfr=true

Excluded Nonresponding Servers

The KCC automatically rebuilds the replication topology when it recognizes that a domain controller has failed or is unresponsive. The criteria that the KCC uses to determine when a domain controller is not responsive depend upon whether the server computer is within the site or not. Two thresholds must be reached before a domain controller is declared unavailable by the KCC:

The requesting domain controller must have made n attempts to replicate from the target domain controller. For replication between sites, the default value of n is 1 attempt. For replication within a site, the following distinctions are made between the two immediate neighbors (in the ring) and the optimizing connections: For immediate neighbors, the default value of n is 0 failed attempts. Thus, as soon as an attempt fails, a new server is tried. For optimizing connections, the default value of n is 1 failed attempt. Thus, as soon as a second failed attempt occurs, a new server is tried.

A certain amount of time must have passed since the last successful replication attempt. For replication between sites, the default time is 2 hours. For replication within a site, a distinction is made between the two immediate neighbors (in the ring) and the optimizing connections: For immediate neighbors, the default time is 2 hours. For optimizing connections, the default value is 12 hours.

You can edit the registry to modify the thresholds for excluding nonresponding servers.
Ushruf Abouelnasr IT Analyst II | City of Pasadena | ITSD (V) 626-744-3951 | (F) 626-396-7951 Email: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Thursday, July 13, 2006 7:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replication Problem After DC Demotion

You can run repadmin /kcc to force the KCC. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Riley, Devin Sent: Thursday, July 13, 2006 8:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replication Problem After DC Demotion

A coworker has researched the issue and found that the KCC could take two hours to fix the replication link. We have about a half hour to go to see if this is the case. So I think your idea of letting it bake a little while longer may do the trick. I will post more information if the problem continues. Devin Riley Sr. Systems Engineer City of Pasadena, Department of Finance Information Technology Services Division Phone: 626-744-7072 Fax: 626-396-7300

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Thursday, July 13, 2006 5:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replication Problem After DC Demotion

From that machine can you run and post the output of repadmin /showreps /v? Is the affected server Windows 2000 or Windows Server 2003 and what SP levels? I assume you also did not set any preferred bridgehead settings? You could also use ADLB.exe in report-only mode to see the topology. I am guessing that if you let it bake a little more it will correct itself. Also what is the replication interval set on that site link, the minimum 15 minutes?
Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Riley, Devin Sent: Thursday, July 13, 2006 7:35 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Replication Problem After DC Demotion We just demoted a W2K DC in our primary site. The demotion was successful and the NTDS object associated with the DC was removed from AD Sites Services. In our only other site, the one domain controller is reporting replication problems. Replmon is reporting the following: The DSA Operation is unable to proceed because of a DNS lookup failure. The error code from replmon is 8524 Over an hour has passed. The replication topology is automatic and we have all default settings in regards to replication schedules etc. Any suggestions? Devin
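The two KCC thresholds quoted in Ushruf's message can be turned into a quick check against repadmin output, so you can see which partners the KCC is already entitled to route around rather than waiting the two hours out blind. The script below is an added example, not from the thread or from Microsoft; it assumes `repadmin /showrepl /csv` emits the column names used here (`Number of Failures`, `Last Success Time`, `Source DSA Site`, `Destination DSA Site`), and since that output cannot tell an immediate ring neighbour from an optimizing connection, intra-site rows are judged with the immediate-neighbour defaults (0 failures, 2 hours). The sample rows are constructed.

```powershell
# Added example: apply the KCC "excluded nonresponding server" thresholds to repadmin rows.
# Assumption: column names below match "repadmin /showrepl /csv" output.

function Test-KccPartnerExcluded {
    param(
        [Parameter(Mandatory)] [int]      $Failures,     # consecutive failed attempts
        [Parameter(Mandatory)] [datetime] $LastSuccess,  # last successful replication
        [Parameter(Mandatory)] [bool]     $SameSite,
        [datetime] $Now = (Get-Date)
    )
    # Threshold 1: n failed attempts. Inter-site n=1, intra-site immediate neighbour n=0;
    # the server is tried elsewhere as soon as the (n+1)th failure occurs.
    $n = if ($SameSite) { 0 } else { 1 }
    # Threshold 2: hours since the last success (2 h for both of the cases modelled here).
    $hours = 2
    $failedEnough = $Failures -gt $n
    $staleEnough  = ($Now - $LastSuccess).TotalHours -ge $hours
    return ($failedEnough -and $staleEnough)   # both thresholds must be reached
}

function Get-ExcludedReplicationPartners {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines,   # raw lines from repadmin /showrepl /csv
        [datetime] $Now = (Get-Date)
    )
    foreach ($r in ($CsvLines | ConvertFrom-Csv)) {
        if (-not $r.'Last Success Time') { continue }   # never replicated: nothing to age
        $sameSite = $r.'Source DSA Site' -eq $r.'Destination DSA Site'
        $last     = [datetime]$r.'Last Success Time'
        [pscustomobject]@{
            Destination       = $r.'Destination DSA'
            Source            = $r.'Source DSA'
            SameSite          = $sameSite
            Failures          = [int]$r.'Number of Failures'
            HoursSinceSuccess = [math]::Round(($Now - $last).TotalHours, 1)
            KccWouldExclude   = Test-KccPartnerExcluded -Failures ([int]$r.'Number of Failures') `
                                    -LastSuccess $last -SameSite $sameSite -Now $Now
        }
    }
}

# Constructed sample standing in for: repadmin /showrepl /csv
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Remote,DC03,"DC=example,DC=local",Pasadena,DC01,RPC,2,2006-07-13 20:40:00,2006-07-13 14:30:00,8524
showrepl_INFO,Remote,DC03,"DC=example,DC=local",Pasadena,DC02,RPC,1,2006-07-13 20:40:00,2006-07-13 14:30:00,8524
showrepl_INFO,Pasadena,DC01,"DC=example,DC=local",Pasadena,DC02,RPC,1,2006-07-13 20:40:00,2006-07-13 20:10:00,1722
'@ -split "`r?`n"

Get-ExcludedReplicationPartners -CsvLines $sample -Now ([datetime]'2006-07-13 21:00:00') |
    Format-Table -AutoSize
# Live use on a DC: Get-ExcludedReplicationPartners -CsvLines (repadmin /showrepl /csv)
```

In the constructed sample only the first row trips both thresholds (two inter-site failures and 6.5 hours since the last success); the second has not yet had its second failure, and the third failed once but succeeded under an hour ago. If a partner that should have been excluded still shows up, `repadmin /kcc` as Brian suggests forces the recalculation.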
RE: [ActiveDir] Replication Problem After DC Demotion
Return Receipt

Your document: RE: [ActiveDir] Replication Problem After DC Demotion
was received by: Jason Centenni/CDS/CG/CAPITAL
at: 07/14/2006 11:49:11 AM CDT

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Moving a Certificate Authority
I've not looked at the log, but you can't just move a CA to another machine with the same name. You have to back up the old CA's keys and database and install Certificate Services on the new machine, performing an advanced setup and telling it that you have an existing key to use for the CA. After that, you import the database, etc.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, July 14, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Here is the output file cert-ds.txt as requested. To me, everything appears proper, but perhaps you might be able to glean more information from it than I can.

Thanks Steve.
~Ben

From: [EMAIL PROTECTED] on behalf of steve patrick
Sent: Thu 7/13/2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

Please run "certutil -ds cert-ds.txt" and send us (or me) the text file.

steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 1:42 PM
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am at a complete loss here as to what to do to resolve this issue. Domain has been upgraded from 2000 to 2003 and the stand-alone CA has been moved from a very old Windows 2000 server to a new Windows 2000 server with the same name. It was at this point that clients became unable to request new certificates from the new CA. I then upgraded the new Windows 2000 CA Server to Windows 2003 in the hopes that would help. It did in fact eliminate one of two errors in the event logs I was seeing, but I'm still left with one recurring event log entry and a still unusable CA. Here is the one relevant entry in the event log that appears on the new CA server.

Source: CertSvc
Event ID: 44
Type: Error
The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168). Certificate Services could not find required Active Directory information.

Any thoughts?
~Ben

From: WATSON, BEN
Sent: Wed 7/12/2006 3:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am mostly complete with the domain upgrade and the subsequent certificate authority move. I've run into what "should" be the final problem before I can say everything is now successful. I have moved the Certificate Authority from one Windows 2000 Server to another Windows 2000 Server. Everything appears happy on the new server running as a new certificate authority; however domain clients are unable to request a certificate at this point. For instance, when attempting to request a user certificate from a Windows 2000 member server, I get the pretty standard error message stating, "Windows cannot find a certification authority that will process the request". I have followed the instructions from KB298138 in the Windows 2000 section and while the certificate authority itself seems happy, all the clients don't seem to know where it is located. The new certificate authority has the exact same name as the old certificate authority, and I backed up the old CA certs and keys along with a registry key and restored these on the new CA as directed in the KB article. Any advice on where to look to resolve this? I did find KB271861 which talked about the same error I was getting, and I did not have the Enroll right given to Domain Users, however even after giving Domain Users that right it still has not changed anything.

Thanks,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Have you thought about putting a new server (or an older one with good hardware) in the mix as 2000, moving the CA to it, and then upgrading it to 2k3? That way you don't have to worry about the hardware not supporting 2003 or something terrible like that. Then if you want you could move it from that 2003 server to another 2003 server, or you could just leave it where it is.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3
RE: [ActiveDir] ADAM pwdLastSet
I don't want to do this. One of the directories we are moving in is coming from iPlanet and you can do whatever you want there. That team has asked us to look into ramifications using pwdLastSet and from testing and your input, it's a bad idea. Basically we just need to expire someone's password, but need them to be able to bind back in and change their password. I also wanted to test using msDS-UserPasswordExpired but that cannot be changed either. Any other ideas to delegate expiring a User's password in this case?

Thanks for the help!
-Brandon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Friday, July 14, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADAM pwdLastSet

Are you sure you want to do this? My experience with setting pwdLastSet to 0 in AD is that doing that will break the ability to do an LDAP bind for the user, so they can't do an LDAP change password operation. This would be a problem for ADAM users if the same behavior applies as LDAP is the only way to do a change password operation. In AD, when you are set to 0, the only way to change the password at next login is through a Windows login. I'd be interested to know if this really gets you the results you want. I may go test this... :)

That said, I'm not sure what you did wrong from a delegation standpoint, but I always recommend using the allowedAttributesEffective constructed attribute to find out what attributes the currently bound user actually has rights to modify. This is an essential troubleshooting step. Also, the ACL editor in ADAM SP1 LDP is really nice and may help you see what you did wrong.

Joe K.

- Original Message -
From: Bernier, Brandon (.)
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 9:30 AM
Subject: [ActiveDir] ADAM pwdLastSet

We need to delegate an ADAM Group the ability to change any other ADAM User's pwdLastSet to 0 under a certain OU. This way we can force ADAM Users to change their password if they meet specific criteria. So we add an ACE to the parent OU where the ADAM Users live for WPRP on pwdLastSet for ADAM Users. However it keeps giving us Insufficient Access Rights. MSDN says the value is set by the system and we know that, but it will allow ADAM Administrators to change this value to 0. So what am I missing here? btw- this is ADAM RTM.

-Brandon

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
Guido, have you checked this lately? I know there were several changes to that behavior in several revs IIRC. The problems you describe were better than a challenge, as I recall. They had a tendency to wreak havoc with integrated DNS zones when a DC would come up and create a new zone and then replicate that. There were several fixes related though and that behavior might have changed several times.

On 7/14/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

I'd have to do some more digging as to *why* the duplicate app-partitions were created, but I've had to troubleshoot this prior to SP1. This was during a global Win2003 DC rollout - we used the IFM feature to roll out the DCs. But prior to SP1 you couldn't add the application partitions to the dcpromo process (IFM in SP1 now offers the options to include app partitions during the promotion). During this rollout a couple of DCs actually re-created the DomainDnsZones app-partition right after their first reboot, causing some interesting challenges. Agree they should have contacted the DN master - not sure why either they didn't, or why the DN master allowed them to re-create this well-known app-partition.

Anyways, to avoid similar issues, SP1 ensures that AD completes the replication with one partner prior to allowing the DNS service to read its records and to register anything. This is actually similar to the change that was done with either Win2000 SP2 or SP3 to avoid DCs advertising their GC status prior to finishing a replication cycle with another GC or one DC of every domain in their site.

The challenge here is that you get into a race condition when using the DC itself as the primary DNS server - of course this will still work, but you have to wait for many more timeouts during the reboot of the AD DC: for every DNS query prior to a successful replication, the DC will first try to query its own DNS server and won't use the secondary until a DNS timeout... I've seen the boot times of DCs go up to 10 and more minutes. This can usually be fixed by setting the primary DNS server of the DC to another DNS server (naturally won't help if both are booted at once - consider this during your DR planning...)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Freitag, 14. Juli 2006 12:33
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

I can't see how you can get a duplicate NDNC as the creation of such objects is targetted at the DN master. The DN master will check the existing crossRefs and stop this happening, as we can't rely on the DS stopping it as the RDN is different for each NDNC (unless they've used well-known GUIDs for the DNS NCs?).

Although the behaviour you speak of is new to me, and another one of those slight, interesting changes, so thanks for that.

Can you elaborate on this new behaviour? What, exactly, happens and in what order?

--Paul

- Original Message -
From: Grillenmeier, Guido [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 6:52 PM
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Note that DNS startup behaviour changes with SP1, which is another reason not to choose the DC itself as the preferred DNS server: with SP1, AD will not allow the DNS service to read any records until it has successfully replicated with one of its replication partners. This is to avoid false or duplicate registration of records (or even duplicate creation of the application partitions). As such, with SP1 it's better to point your DCs to a replication partner as a primary DNS and to self as a secondary.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Donnerstag, 13. Juli 2006 17:02
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Hi Al

I did want to throw in a personal experience I had with W2K3 that validates the "Point your DNS server to a replication partner" theory. I did see in one environment where every DC had DNS and the msdcs partition was a forest partition. An unfortunate DNS scavenge was done deleting some of the GUID records in the MSDCS partition. Replication started to fail shortly after that and the missing GUIDs were discovered. The netlogon service was restarted to make the DCs re-register but of course they re-registered the GUID on themselves. They could find themselves but not their replication partners. The replication partners could find them but not themselves. When the DCs were set to point to a hub replication partner for primary and themselves as secondary the problem went away - the netlogon service was restarted, the GUIDs registered on the central DNS server, the spokes did the lookup for
RE: [ActiveDir] Moving a Certificate Authority
Ah, gotcha. Quick question, then- have you tried backing up the keys and certs again, then uninstalling and reinstalling certificate services on the machine?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, July 14, 2006 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Hi Laura,

Indeed, I have moved the CA to a new server of the same name using the instructions located in KB298138, and that KB article details the steps to move the CA from one server to another with the same name along with backing up the certificates and important registry keys that you later import to the new CA server. Unfortunately I am now getting the recurring error in the event log of the CA server as I detailed in a couple e-mails back.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, July 14, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

I've not looked at the log, but you can't just move a CA to another machine with the same name. You have to back up the old CA's keys and database and install Certificate Services on the new machine, performing an advanced setup and telling it that you have an existing key to use for the CA. After that, you import the database, etc.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, July 14, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Here is the output file cert-ds.txt as requested. To me, everything appears proper, but perhaps you might be able to glean more information from it than I can.

Thanks Steve.
~Ben

From: [EMAIL PROTECTED] on behalf of steve patrick
Sent: Thu 7/13/2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

Please run "certutil -ds cert-ds.txt" and send us (or me) the text file.

steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 1:42 PM
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am at a complete loss here as to what to do to resolve this issue. Domain has been upgraded from 2000 to 2003 and the stand-alone CA has been moved from a very old Windows 2000 server to a new Windows 2000 server with the same name. It was at this point that clients became unable to request new certificates from the new CA. I then upgraded the new Windows 2000 CA Server to Windows 2003 in the hopes that would help. It did in fact eliminate one of two errors in the event logs I was seeing, but I'm still left with one recurring event log entry and a still unusable CA. Here is the one relevant entry in the event log that appears on the new CA server.

Source: CertSvc
Event ID: 44
Type: Error
The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168). Certificate Services could not find required Active Directory information.

Any thoughts?
~Ben

From: WATSON, BEN
Sent: Wed 7/12/2006 3:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am mostly complete with the domain upgrade and the subsequent certificate authority move. I've run into what "should" be the final problem before I can say everything is now successful. I have moved the Certificate Authority from one Windows 2000 Server to another Windows 2000 Server. Everything appears happy on the new server running as a new certificate authority; however domain clients are unable to request a certificate at this point. For instance, when attempting to request a user certificate from a Windows 2000 member server, I get the pretty standard error message stating, "Windows cannot find a certification authority that will process the request". I have followed the instructions from KB298138 in the Windows 2000 section and while the certificate authority itself
RE: [ActiveDir] Moving a Certificate Authority
Also, one last item- you said that this is a standalone CA, correct? (Sorry for missing your first e-mails; I didn't read far enough down. I blame ADD.) Standalone CAs don't use or store information in AD; enterprise CAs do. If you're trying to obtain certificates from a standalone CA via the "AD-ish" mechanisms such as the Certificates MMC or Group Policy, it won't work.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, July 14, 2006 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Hi Laura,

Indeed, I have moved the CA to a new server of the same name using the instructions located in KB298138, and that KB article details the steps to move the CA from one server to another with the same name along with backing up the certificates and important registry keys that you later import to the new CA server. Unfortunately I am now getting the recurring error in the event log of the CA server as I detailed in a couple e-mails back.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, July 14, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

I've not looked at the log, but you can't just move a CA to another machine with the same name. You have to back up the old CA's keys and database and install Certificate Services on the new machine, performing an advanced setup and telling it that you have an existing key to use for the CA. After that, you import the database, etc.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, July 14, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Here is the output file cert-ds.txt as requested. To me, everything appears proper, but perhaps you might be able to glean more information from it than I can.

Thanks Steve.
~Ben

From: [EMAIL PROTECTED] on behalf of steve patrick
Sent: Thu 7/13/2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

Please run "certutil -ds cert-ds.txt" and send us (or me) the text file.

steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 1:42 PM
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am at a complete loss here as to what to do to resolve this issue. Domain has been upgraded from 2000 to 2003 and the stand-alone CA has been moved from a very old Windows 2000 server to a new Windows 2000 server with the same name. It was at this point that clients became unable to request new certificates from the new CA. I then upgraded the new Windows 2000 CA Server to Windows 2003 in the hopes that would help. It did in fact eliminate one of two errors in the event logs I was seeing, but I'm still left with one recurring event log entry and a still unusable CA. Here is the one relevant entry in the event log that appears on the new CA server.

Source: CertSvc
Event ID: 44
Type: Error
The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168). Certificate Services could not find required Active Directory information.

Any thoughts?
~Ben

From: WATSON, BEN
Sent: Wed 7/12/2006 3:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am mostly complete with the domain upgrade and the subsequent certificate authority move. I've run into what "should" be the final problem before I can say everything is now successful. I have moved the Certificate Authority from one Windows 2000 Server to another Windows 2000 Server. Everything appears happy on the new server running as a new certificate authority; however domain clients are unable to request a certificate at this point. For instance, when attempting to request a user certificate from a Windows 2000 member server, I get the pretty standard error message stating, "Windows
Re: [ActiveDir] ADAM pwdLastSet
This is sort of a hard problem. If our investigations regarding the behavior of pwdLastSet are true in ADAM, then you don't really have a reasonable way of forcing a password change or expiring it outside of the defined policy. I still haven't had a chance to test it today. :)

What you might consider is doing something application level, where you implement some sort of self service password reset feature. For example, you might do an administrative reset of the password and then send the user an email with a link that allows them to a website that allows them to log in and essentially do a password reset behind the scenes using a privileged service account. The link might contain a signed, encrypted query string that contains the user UPN and a timestamp that can be used for expiring the request. If you've got a 2nd viable login method such as a certificate or SecurID token or (far worse) verification questions, that would be less subject to theft than a simple URL. Since you'll almost certainly be using a web-based tool for password change operations anyway, this might be reasonable.

I'm curious what other people think about this. I haven't even thought about this aspect of ADAM identity life cycle really.

Joe K.

- Original Message -
From: Bernier, Brandon (.) [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 12:09 PM
Subject: RE: [ActiveDir] ADAM pwdLastSet

I don't want to do this. One of the directories we are moving in is coming from iPlanet and you can do whatever you want there. That team has asked us to look into ramifications using pwdLastSet and from testing and your input, it's a bad idea. Basically we just need to expire someone's password, but need them to be able to bind back in and change their password. I also wanted to test using msDS-UserPasswordExpired but that cannot be changed either. Any other ideas to delegate expiring a User's password in this case?

Thanks for the help!
-Brandon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Friday, July 14, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADAM pwdLastSet

Are you sure you want to do this? My experience with setting pwdLastSet to 0 in AD is that doing that will break the ability to do an LDAP bind for the user, so they can't do an LDAP change password operation. This would be a problem for ADAM users if the same behavior applies as LDAP is the only way to do a change password operation. In AD, when you are set to 0, the only way to change the password at next login is through a Windows login. I'd be interested to know if this really gets you the results you want. I may go test this... :)

That said, I'm not sure what you did wrong from a delegation standpoint, but I always recommend using the allowedAttributesEffective constructed attribute to find out what attributes the currently bound user actually has rights to modify. This is an essential troubleshooting step. Also, the ACL editor in ADAM SP1 LDP is really nice and may help you see what you did wrong.

Joe K.

- Original Message -
From: Bernier, Brandon (.)
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 9:30 AM
Subject: [ActiveDir] ADAM pwdLastSet

We need to delegate an ADAM Group the ability to change any other ADAM User's pwdLastSet to 0 under a certain OU. This way we can force ADAM Users to change their password if they meet specific criteria. So we add an ACE to the parent OU where the ADAM Users live for WPRP on pwdLastSet for ADAM Users. However it keeps giving us Insufficient Access Rights. MSDN says the value is set by the system and we know that, but it will allow ADAM Administrators to change this value to 0. So what am I missing here? btw- this is ADAM RTM.

-Brandon

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
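Joe's sketch of a reset link that carries "a signed, encrypted query string that contains the user UPN and a timestamp" is worth seeing in code, because the two things that go wrong in practice are unsigned or unexpiring links and a MAC compare that leaks timing. The functions below are an added example, not code from Joe or from any product; they implement the signing and expiry half with HMAC-SHA256 (the "encrypted" half would be layered on with DPAPI or AES and is not shown), and the key, UPN and lifetime are constructed sample values.

```powershell
# Added example: HMAC-signed, time-limited password-reset token for a self-service reset page.
# Assumptions: token format "<base64 payload>.<base64 mac>", payload "<upn>|<unix expiry>";
# the key comes from a secret store in real use, here it is a constructed demo value.

function New-ResetToken {
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [byte[]] $Key,          # HMAC key, 32 random bytes in real use
        [int] $LifetimeMinutes = 30,                    # request expires after this
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $epoch   = [datetime]'1970-01-01'
    $expires = [int64]($Now.AddMinutes($LifetimeMinutes) - $epoch).TotalSeconds
    $payload = [Text.Encoding]::UTF8.GetBytes("$Upn|$expires")
    $hmac    = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $mac     = $hmac.ComputeHash($payload)
    # Base64 with '+' and '/' swapped so the token survives a query string unescaped.
    $token = [Convert]::ToBase64String($payload) + '.' + [Convert]::ToBase64String($mac)
    return $token.Replace('+', '-').Replace('/', '_')
}

function Test-ResetToken {
    # Returns the UPN the token was issued for, or $null if it is malformed, forged or expired.
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [byte[]] $Key,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $parts = $Token.Replace('-', '+').Replace('_', '/').Split('.')
    if ($parts.Count -ne 2) { return $null }
    try {
        $payload = [Convert]::FromBase64String($parts[0])
        $mac     = [Convert]::FromBase64String($parts[1])
    } catch { return $null }

    $expected = [System.Security.Cryptography.HMACSHA256]::new($Key).ComputeHash($payload)
    if ($expected.Length -ne $mac.Length) { return $null }
    # Constant-time compare: OR every byte difference instead of stopping at the first mismatch.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $mac[$i]) }
    if ($diff -ne 0) { return $null }                  # signature does not match

    $upn, $exp = [Text.Encoding]::UTF8.GetString($payload) -split '\|', 2
    $nowUnix = [int64]($Now - [datetime]'1970-01-01').TotalSeconds
    if ([int64]$exp -lt $nowUnix) { return $null }     # link has expired
    return $upn
}

# Constructed demo: a fixed key and a sample UPN.
$key   = [byte[]](1..32)
$token = New-ResetToken -Upn 'jdoe@example.local' -Key $key -LifetimeMinutes 30
"issued : $token"
"valid  : " + (Test-ResetToken -Token $token -Key $key)                      # jdoe@example.local
"forged : " + (Test-ResetToken -Token ($token -replace '.$', 'A') -Key $key) # empty (null)
"expired: " + (Test-ResetToken -Token $token -Key $key -Now (Get-Date).ToUniversalTime().AddHours(1))
```

The token only proves that the reset page issued a link for that UPN recently; it says nothing about who is holding it, which is Joe's point about a second factor. Two things the example deliberately leaves to the page that consumes it: record each token's expiry value once it is used so the same link cannot be replayed inside its lifetime, and have the privileged service account reset the password only after that check passes.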
RE: [ActiveDir] Moving a Certificate Authority
Okay, skimming back to your original mail, I suspect that you did not have a standalone CA in the first place, which may be the cause of your problem. You probably should try reinstalling the CA as an enterprise CA and see if your problems clear up.

Sorry for the multiple responses; I'm reading this thread in bits and pieces in between other stuff. :-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, July 14, 2006 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Hi Laura,

Indeed, I have moved the CA to a new server of the same name using the instructions located in KB298138, and that KB article details the steps to move the CA from one server to another with the same name along with backing up the certificates and important registry keys that you later import to the new CA server. Unfortunately I am now getting the recurring error in the event log of the CA server as I detailed in a couple e-mails back.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, July 14, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

I've not looked at the log, but you can't just move a CA to another machine with the same name. You have to back up the old CA's keys and database and install Certificate Services on the new machine, performing an advanced setup and telling it that you have an existing key to use for the CA. After that, you import the database, etc.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, July 14, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Here is the output file cert-ds.txt as requested. To me, everything appears proper, but perhaps you might be able to glean more information from it than I can.

Thanks Steve.
~Ben

From: [EMAIL PROTECTED] on behalf of steve patrick
Sent: Thu 7/13/2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

Please run "certutil -ds cert-ds.txt" and send us (or me) the text file.

steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 1:42 PM
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am at a complete loss here as to what to do to resolve this issue. Domain has been upgraded from 2000 to 2003 and the stand-alone CA has been moved from a very old Windows 2000 server to a new Windows 2000 server with the same name. It was at this point that clients became unable to request new certificates from the new CA. I then upgraded the new Windows 2000 CA Server to Windows 2003 in the hopes that would help. It did in fact eliminate one of two errors in the event logs I was seeing, but I'm still left with one recurring event log entry and a still unusable CA. Here is the one relevant entry in the event log that appears on the new CA server.

Source: CertSvc
Event ID: 44
Type: Error
The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168). Certificate Services could not find required Active Directory information.

Any thoughts?
~Ben

From: WATSON, BEN
Sent: Wed 7/12/2006 3:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am mostly complete with the domain upgrade and the subsequent certificate authority move. I've run into what "should" be the final problem before I can say everything is now successful. I have moved the Certificate Authority from one Windows 2000 Server to another Windows 2000 Server. Everything appears happy on the new server running as a new certificate authority; however domain clients are unable to request a certificate at this point. For instance, when attempting to request a user certificate from a Windows 2000 member server, I get the pretty standard error message stating, "Windows cannot find a
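Laura's procedure for the move (back up the old CA's keys and database, install Certificate Services on the new machine against the existing key, then import the database) and steve's `certutil -ds` request both start with a complete, verifiable backup set taken on the old CA. The script below is an added example of that first step, not code from the thread or from KB298138; it assumes you run it elevated on the old CA, and `$BackupRoot` and `$BackupPassword` are placeholders to replace.

```powershell
# Added example: capture everything a same-name CA move needs from the OLD CA, plus a
# directory snapshot and a hash manifest so the copy on the new server can be checked.
# Placeholders: $BackupRoot (destination folder) and $BackupPassword (protects the exported key).

$BackupRoot     = 'C:\CABackup'                       # placeholder
$BackupPassword = 'REPLACE-WITH-A-STRONG-PASSWORD'    # placeholder; never leave it in the script
$ErrorActionPreference = 'Stop'

$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $dest | Out-Null

# 1. CA certificate, private key (password-protected PKCS #12) and the CA database.
certutil -backup -p $BackupPassword $dest
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit $LASTEXITCODE)" }

# 2. The CertSvc configuration key that is restored on the new host after the advanced setup.
$regKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$regFile = Join-Path $dest 'CertSvc-Configuration.reg'
reg export $regKey $regFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit $LASTEXITCODE)" }

# 3. What the CA has published in Active Directory (the output steve asked for). For a
#    standalone CA this is expected to be sparse, which is the point Laura raises.
certutil -ds (Join-Path $dest 'cert-ds.txt')

# 4. SHA-256 manifest: compare on the new server before restoring anything.
Get-ChildItem -Path $dest -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $dest 'SHA256SUMS.csv') -NoTypeInformation

Write-Host "CA backup set written to $dest"
```

Keep the exported key file and its password apart (the folder contains the CA's private key, so treat it as you would the CA itself), and before the restore compare `Get-FileHash` output on the new machine against `SHA256SUMS.csv`. Whether the CA was standalone or enterprise, the question Laura ends on, is visible in the exported registry key's CAType value for the CA's subkey, so the backup also answers that without touching the old server again.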
Re: [ActiveDir] Moving a Certificate Authority
- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 10:29 AM
Subject: RE: [ActiveDir] Moving a Certificate Authority

Hi Laura,

Indeed, I have moved the CA to a new server of the same name using the instructions located in KB298138, and that KB article details the steps to move the CA from one server to another with the same name along with backing up the certificates and important registry keys that you later import to the new CA server. Unfortunately I am now getting the recurring error in the event log of the CA server as I detailed in a couple e-mails back.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, July 14, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

I've not looked at the log, but you can't just move a CA to another machine with the same name. You have to back up the old CA's keys and database and install Certificate Services on the new machine, performing an advanced setup and telling it that you have an existing key to use for the CA. After that, you import the database, etc.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, July 14, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Here is the output file cert-ds.txt as requested. To me, everything appears proper, but perhaps you might be able to glean more information from it than I can. Thanks Steve.

~Ben

From: [EMAIL PROTECTED] on behalf of steve patrick
Sent: Thu 7/13/2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

Please run "certutil -ds cert-ds.txt" and send us (or me) the text file.

steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 1:42 PM
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am at a complete loss here as to what to do to resolve this issue. Domain has been upgraded from 2000 to 2003 and the stand-alone CA has been moved from a very old Windows 2000 server to a new Windows 2000 server with the same name. It was at this point that clients became unable to request new certificates from the new CA. I then upgraded the new Windows 2000 CA Server to Windows 2003 in the hopes that would help. It did in fact eliminate one of two errors in the event logs I was seeing, but I'm still left with one recurring event log entry and a still unusable CA. Here is the one relevant entry in the event log that appears on the new CA server.

Source: CertSvc
Event ID: 44
Type: Error
The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168). Certificate Services could not find required Active Directory information.

Any thoughts?

~Ben

From: WATSON, BEN
Sent: Wed 7/12/2006 3:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Moving a Certificate Authority

I am mostly complete with the domain upgrade and the subsequent certificate authority move. I've run into what "should" be the final problem before I can say everything is now successful. I have moved the Certificate Authority from one Windows 2000 Server to another Windows 2000 Server. Everything appears happy on the new server running as a new certificate authority; however domain clients are unable to request a certificate at this point. For instance, when attempting to request a user certificate from a Windows 2000 member server, I get the pretty standard error message stating, "Windows cannot find a certification authority that will process the request".

I have followed the instructions from KB298138 in the Windows 2000 section and while the certificate authority itself seems happy, all the clients don't seem to know where it is located. The new certificate authority has the exact same name as the old certificate authority, and I
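As an added check (example code, not from the thread or from Microsoft): a Windows PowerShell script that lists what the Configuration partition currently holds under CN=Public Key Services, which is where AD-published CA information lives, and pulls the CertSvc Event ID 44 entries quoted above. It assumes a domain-joined machine; $CaName is a placeholder for the CA's common name.

```powershell
# Added example, not from the thread: inventory AD-published CA objects and
# the CertSvc Event ID 44 entries quoted above. Windows PowerShell on a
# domain-joined machine; $CaName is a placeholder for the CA common name.
param(
    [Parameter(Mandatory = $true)][string]$CaName
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Get-PkiContainerEntries {
    # Enumerate the direct children of one container under Public Key Services.
    param([string]$Container)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $searcher.Filter      = '(objectClass=*)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'dNSHostName'))
    foreach ($result in $searcher.FindAll()) {
        $dnsHost = ''
        if ($result.Properties.Contains('dnshostname')) {
            $dnsHost = [string]$result.Properties['dnshostname'][0]
        }
        [pscustomobject]@{
            Container = $Container
            Name      = [string]$result.Properties['cn'][0]
            Host      = $dnsHost
        }
    }
}

# Containers where a CA's certificate and (for enterprise CAs) its enrollment
# service object are published.
$entries = foreach ($c in 'Certification Authorities', 'Enrollment Services', 'AIA') {
    try   { Get-PkiContainerEntries -Container $c }
    catch { Write-Warning "Cannot read CN=$c,$pkiBase : $($_.Exception.Message)" }
}

"Objects under $pkiBase"
$entries | Format-Table -AutoSize

$mine = @($entries | Where-Object { $_.Name -eq $CaName })
if ($mine.Count -eq 0) {
    Write-Warning "No object named '$CaName' found under Public Key Services."
}
foreach ($m in $mine) {
    # An entry that still names another host is worth a look after a CA move.
    if ($m.Host -and ($m.Host -notlike "$env:COMPUTERNAME.*")) {
        Write-Warning "$($m.Container): dNSHostName is $($m.Host), not this machine."
    }
}

# The recurring error from the thread: CertSvc Event ID 44 in the Application log.
Get-EventLog -LogName Application -Source CertSvc -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 44 } |
    Select-Object -First 5 TimeGenerated, EventID, Message |
    Format-List
```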
RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
There was no need to check on this issue again - with SP1 it doesn't happen ;-) I'm sure there were several pre-SP1 fixes targeted at this issue and were then integrated into SP1. But rgd. the startup behaviour of DNS in SP1, I'm rather sure that's unchanged at this point. Would be happy to be corrected.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Freitag, 14. Juli 2006 19:46
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Guido, have you checked this lately? I know there were several changes to that behavior in several revs IIRC. The problems you describe were better than a challenge, as I recall. They had a tendency to wreak havoc with integrated DNS zones when a DC would come up and create a new zone and then replicate that. There were several fixes related though and that behavior might have changed several times.

On 7/14/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

I'd have to do some more digging as to *why* the duplicate app-partitions were created, but I've had to troubleshoot this prior to SP1. This was during a global Win2003 DC rollout - we used the IFM feature to rollout the DCs. But prior to SP1 you couldn't add the application partitions to the dcpromo process (IFM in SP1 now offers the option to include app partitions during the promotion). During this rollout a couple of DCs actually re-created the DomainDnsZones app-partition right after their first reboot, causing some interesting challenges. Agree they should have contacted the DN master - not sure why either they didn't, or why the DN master allowed them to re-create this well-known app-partition.

Anyways, to avoid similar issues, SP1 ensures that AD completes the replication with one partner prior to allowing the DNS service to read its records and to register anything. This is actually similar to the change that was done with either Win2000 SP2 or SP3 to avoid DCs advertising their GC status prior to finishing a replication cycle with another GC or one DC of every domain in their site.

The challenge here is that you get into a "race-condition" when using the DC itself as the primary DNS server - of course this will still work, but you have to wait for many more timeouts during the reboot of the AD DC: for every DNS query prior to a successful replication, the DC will first try to query its own DNS server and won't use the secondary until a DNS timeout... I've seen the boot-times of DCs go up to 10 and more minutes. This can usually be fixed by setting the primary DNS server of the DC to another DNS server (naturally won't help, if both are booted at once - consider this during your DR planning...)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Freitag, 14. Juli 2006 12:33
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

I can't see how you can get a duplicate NDNC as the creation of such objects is targeted at the DN master. The DN master will check the existing crossRefs and stop this happening, as we can't rely on the DS stopping it as the RDN is different for each NDNC (unless they've used "well-known" GUIDs for the DNS NCs?).

Although the behaviour you speak of is new to me, and another one of those slight, interesting changes, so thanks for that.

Can you elaborate on this new behaviour? What, exactly, happens and in what order?

--Paul

- Original Message -
From: "Grillenmeier, Guido" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 6:52 PM
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Note that DNS startup behaviour changes with SP1, which is another reason not to choose the DC itself as the preferred DNS server: with SP1, AD will not allow the DNS service to read any records, until it has successfully replicated with one of its replication partners. This is to avoid false or duplicate registration of records (or even duplicate creation of the application partitions). As such, with SP1 it's better to point your DCs to a replication partner as a primary DNS and to self as a secondary.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Donnerstag, 13. Juli 2006 17:02
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Hi Al

I did want to throw in a personal experience I had with W2K3 that validates the "Point your DNS server to a replication partner
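The "replication partner first, self second" guidance above as an added audit script (example code, not from the thread): it reads each DC's DNS client list and flags the cases the discussion warns about. It assumes the ActiveDirectory RSAT module and PowerShell remoting to the DCs, both much newer than the 2003-era thread, so it is a modern restatement of the check rather than anything the posters ran.

```powershell
# Added example, not from the thread: audit each DC's DNS client list against
# the "replication partner first, self second" guidance. Assumes the
# ActiveDirectory module and PowerShell remoting to every DC.
Import-Module ActiveDirectory

function Get-DcDnsClientSettings {
    # One record per DC: its own IPv4 address and the DNS servers it queries,
    # taken from the first interface that has any configured.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $servers = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 } |
                Select-Object -First 1 -ExpandProperty ServerAddresses
        }
        [pscustomobject]@{
            Name       = $dc.Name
            Site       = $dc.Site
            IPv4       = [string]$dc.IPv4Address
            DnsServers = @($servers)
        }
    }
}

function Test-DcDnsClientSettings {
    # Flags the configurations the thread warns about: self as preferred
    # server (slow boot until initial sync completes), a single entry (no
    # fallback), and no self entry at all (nothing local to fall back on).
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Dc)
    process {
        $servers  = @($Dc.DnsServers)
        $selfList = @('127.0.0.1', $Dc.IPv4)
        $findings = @()
        if ($servers.Count -eq 0) {
            $findings += 'no DNS servers read (DC unreachable or none configured)'
        } else {
            if ($selfList -contains $servers[0]) {
                $findings += 'preferred DNS server is itself: expect slow boot until initial sync completes'
            }
            if ($servers.Count -lt 2) {
                $findings += 'only one DNS server listed: no fallback'
            }
            if (-not @($servers | Where-Object { $selfList -contains $_ })) {
                $findings += 'does not list itself: add self as a secondary'
            }
        }
        $status = 'OK'
        if ($findings.Count -gt 0) { $status = 'REVIEW' }
        [pscustomobject]@{
            Name     = $Dc.Name
            Site     = $Dc.Site
            Servers  = ($servers -join ', ')
            Status   = $status
            Findings = ($findings -join '; ')
        }
    }
}

Get-DcDnsClientSettings | Test-DcDnsClientSettings | Format-Table -AutoSize -Wrap
```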
RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
I believe I covered most of this on a previous posting to ActiveDir but here are all of the details into what change was made and why:

First of all the change that was made requires that an Initial Sync is completed before DNS will load the zones. This change was made after a customer reported a very nasty outage of all DNS records for one of their Domains. Needless to say with no DNS records many things break.

So how and why did this happen? It turns out that many things have to come together but the end result is that we Conflict the MicrosoftDNS container, note not the application partition. This can occur due to a timing issue that was first seen when using an Install from Media (IFM) technique across a slow WAN link and of course you are not using the new feature in Windows Server 2003 SP1 that allows sourcing Application Partitions from media. Because Application Partitions have the lowest replication priority it was possible that the machine would register to host the DomainDNSZones application partition but never get a chance to replicate any information in due to it being pre-empted by higher priority Config and Domain partition replication. In that case if the timing was just right it was possible that the DNS server on this box would recreate the MicrosoftDNS container in order to store the root hints. This would of course replicate out and cause a CNF and since last writer wins you would end up with what looked like an empty MicrosoftDNS container, except for the root hints, which looked like corruption to all of the other DNS servers since they had records loaded from there at one point.

To keep this from happening a requirement that the DC must perform an initial sync was put in place. This was the safest way to insure that we had replicated the necessary data in before trying to load zones and possibly conflict the MicrosoftDNS container. There were other places where this type of issue could pop up such as how we handle SOAs so the change was made.
There is additional work being done in Windows Server Code Name Longhorn to help with this as well as other performance issues of loading large zones which caused slow DNS startup times. I have sent Email to the appropriate component owners so that they can revise if necessary our guidelines on how DNS should be configured for both Windows Server 2003 and the next version of the product.

The only thing I would not recommend is removing the initial sync requirements by adding a registry value as this not only has effects on DNS but also the code that is used to insure that we do not have multiple machines believing that they are a particular FSMO owner.

Here is the KB for the change that was introduced and rolled into SP1: http://support.microsoft.com/kb/836534/en-us

I have left out some of the hairy details as to exactly why the above happens as well as the customer who initially hit this, they know who they are. :-)

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, July 14, 2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
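Two checks for the failure mode Steve describes, as an added example (not from the thread): whether any DC has had the initial-sync requirement switched off in the registry, and whether conflict objects are present in the DNS application partitions. It assumes a domain-joined machine with remote registry access to the DCs; the value name "Repl Perform Initial Synchronizations" is the real NTDS setting, which the thread does not name.

```powershell
# Added example, not from the thread: audit the initial-sync requirement and
# look for replication-conflict leftovers in the DNS application partitions.
# Assumes a domain-joined machine with remote registry access to the DCs.

function Test-InitialSyncSetting {
    # Reports whether a DC has had the initial-sync requirement disabled.
    # "Repl Perform Initial Synchronizations" is the real NTDS value (not named
    # in the thread); 0 turns the requirement off, absent means default (on).
    param([Parameter(Mandatory = $true)][string]$DcName)
    $keyPath   = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $valueName = 'Repl Perform Initial Synchronizations'
    try {
        $hive  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $DcName)
        $key   = $hive.OpenSubKey($keyPath)
        $value = $key.GetValue($valueName)     # $null when absent
        $key.Close(); $hive.Close()
    } catch {
        return [pscustomobject]@{ DC = $DcName; InitialSyncValue = 'unreadable'; Status = 'UNKNOWN' }
    }
    $shown  = '(absent: default)'
    $status = 'OK'
    if ($null -ne $value) { $shown = $value }
    if ($null -ne $value -and [int]$value -eq 0) { $status = 'REVIEW: initial sync requirement disabled' }
    [pscustomobject]@{ DC = $DcName; InitialSyncValue = $shown; Status = $status }
}

function Find-DnsConflictObjects {
    # Searches the DNS application partitions for objects whose RDN carries the
    # "CNF:<guid>" suffix the DS appends to the loser of a replication conflict;
    # a conflicted MicrosoftDNS container shows up here.
    $rootDse = [ADSI]"LDAP://RootDSE"
    foreach ($nc in @($rootDse.namingContexts)) {
        $nc = [string]$nc
        if ($nc -notmatch '^DC=(Domain|Forest)DnsZones,') { continue }
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot  = [ADSI]"LDAP://$nc"
        $searcher.Filter      = '(objectClass=*)'
        $searcher.SearchScope = 'Subtree'
        $searcher.PageSize    = 1000
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        foreach ($r in $searcher.FindAll()) {
            $dn = [string]$r.Properties['distinguishedname'][0]
            if ($dn -match 'CNF:[0-9a-fA-F-]{36}') {
                [pscustomobject]@{ Partition = $nc; ConflictObject = $dn }
            }
        }
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"Initial-sync setting per DC:"
$domain.DomainControllers | ForEach-Object { Test-InitialSyncSetting -DcName $_.Name } | Format-Table -AutoSize

"Conflict objects in DNS application partitions (none expected):"
$conflicts = @(Find-DnsConflictObjects)
if ($conflicts.Count -eq 0) { '  none' } else { $conflicts | Format-Table -AutoSize -Wrap }
```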
RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
just found the description of the error and the pre-SP1 hotfix to the duplicate DNS app-partitions issue: http://support.microsoft.com/kb/836534/en-us

From: Grillenmeier, Guido
Sent: Freitag, 14. Juli 2006 20:34
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
Yeah, that looks a lot more familiar now. I recall working with several of the hotfixes for a similar issue. Thanks Guido and Steve for taking the time and Steve for suggesting to the owners that recommendations get updated.

As I've mentioned before, the thinking changes but I'd still prefer to keep the DC a client of itself and to make it therefore as autonomous as possible. I can accept putting a centrally accessible DNS server in some other site as the secondary client. I can also accept the reboot times Guido mentioned. The clients have other servers to use anyway and if the DC's are rebooting constantly or more frequently than monthly (patches and all) then I've got bigger issues to deal with.

Al

On 7/14/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
thanks for the additional information Steve - I would also be interested to hear the official recommendation rgd. DNS configuration on DCs in Win2003 SP1/SP2 and Longhorn.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, July 14, 2006 8:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
[ActiveDir] Group Policy won't rerun
I'm new to group policy and this is my first group policy with software installation. I have successfully created 2 msi files and placed them in a group policy. Earlier in the week, I was able to install the msi files via group policy on a test laptop. I then uninstalled the application as I was testing a few things. I've been trying to have GP reinstall the application, but it's just not happening. I move the machine out of the OU and back in, but no luck. I've even gone as far as ghosting the laptop, but it still won't install. I've done a gpupdate /force several times, but it just won't reinstall after reboot. Could someone please lead this newbie to fixing this issue? I ask because I know this will come up several times when we do go into production. Thanks in advance.
RE: [ActiveDir] Group Policy won't rerun
Are you seeing any errors in the event log? If you right-click on the Software Package, there is an option to Redeploy the application. You may want to try that.

Kevin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, July 14, 2006 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Policy won't rerun
RE: [ActiveDir] Group Policy won't rerun
By the way, the errors would be in the Application log on the client, not the server.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, July 14, 2006 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Policy won't rerun
RE: [ActiveDir] Group Policy won't rerun
Stu-

When you uninstalled, did you do it through GP or by removing from Add/Remove Programs? If the latter, then that is your problem. Doing that leaves metadata in the registry related to the GP-deployed app that the Software Installation CSE is probably still finding. Try looking in HKLM (or HKCU for per-user apps) under Software\Microsoft\Windows\CurrentVersion\App Management for a reference to your packages. If you find it, delete it and see how it goes on the next GP application.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO tips, training videos, tools and whitepapers. Also check out the Windows Group Policy Guide, a soup-to-nuts resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, July 14, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Policy won't rerun
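The registry check Darren describes, as an added example (not from the thread or from Darren): a Windows PowerShell script that walks the App Management key in both HKLM and HKCU, shows every leftover entry with its values, and only deletes matches when asked to. It assumes it is run on the affected client; -Pattern and -Remove are switches of this example, and removal honours -WhatIf.

```powershell
# Added example, not from the thread: list the Software Installation metadata
# Darren points to, under the App Management key in HKLM and HKCU, so it can be
# reviewed before anything is deleted. -Pattern and -Remove are this script's own.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Pattern = '*',   # wildcard matched against key names and values
    [switch]$Remove
)

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management'
)

function Get-AppMgmtEntries {
    # Walk every subkey under one root and flatten its values to a string.
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props  = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        $values = @()
        if ($props) {
            $values = $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "$($_.Name)=$($_.Value)" }
        }
        [pscustomobject]@{
            Key    = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            Values = ($values -join '; ')
        }
    }
}

$entries = @(foreach ($root in $roots) { Get-AppMgmtEntries -Root $root })
$hits    = @($entries | Where-Object { $_.Key -like "*$Pattern*" -or $_.Values -like "*$Pattern*" })

if ($hits.Count -eq 0) {
    "No App Management entries matching '$Pattern'."
    return
}
$hits | Format-List

if ($Remove) {
    # Deletion is gated by ShouldProcess, so -WhatIf and -Confirm both apply.
    foreach ($h in $hits) {
        if ($PSCmdlet.ShouldProcess($h.Key, 'Remove-Item -Recurse')) {
            Remove-Item -LiteralPath ('Registry::' + $h.Key) -Recurse -Force
        }
    }
}
```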
RE: [ActiveDir] Group Policy won't rerun
I uninstalled via Add/Remove Programs. I thought that doing it that way would lead to problems, so I have ghosted the laptop and kept the same computer name. Is there anything lingering in AD that could be causing the same effect?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, July 14, 2006 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Policy won't rerun
RE: [ActiveDir] Group Policy won't rerun
Nope. It's all client-side stuff. Nothing is tracked in AD or SYSVOL as far as which machines got which apps.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO tips, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, a soup-to-nuts resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, July 14, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Policy won't rerun
RE: [ActiveDir] Group Policy won't rerun
No, but if you ghosted the laptop after you uninstalled via Add/Remove Programs, you ghosted the registry entries that are keeping it from reinstalling.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, July 14, 2006 7:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Policy won't rerun
RE: [ActiveDir] Group Policy won't rerun
Is there anything else I should try to get this going?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, July 14, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Policy won't rerun
Re: [ActiveDir] Group Policy won't rerun
a few random ideas - not having any idea where the problem really lies...

You can gather some basic app deployment extension logs - see q249621
You can make sure you check the event logs for any related userenv \ related errors
You can enable MSI logging (if we are getting that far) q223300

steve

- Original Message -
From: Stu Packett
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 5:13 PM
Subject: RE: [ActiveDir] Group Policy won't rerun
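The three diagnostics Steve lists, as one PowerShell script added here as an example (not code from the thread or from either KB article). The registry values are the ones those two articles document, q249621 for the Software Installation CSE log and q223300 for Windows Installer logging; confirm them against your OS version before relying on them. The -HoursBack parameter and the Get-GpInstallEvent function are my own.

```powershell
# Added example, not from the thread: enable the two logs Steve points to and
# collect related Application-log events. Registry values are the ones the
# KB articles he cites document (q249621 for Appmgmt.log, q223300 for
# Windows Installer logging); verify them on your OS version. Run elevated.
param([int]$HoursBack = 24)   # hypothetical parameter: event window to review

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# q249621: Software Installation CSE debug log -> %windir%\Debug\UserMode\Appmgmt.log
Set-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics' `
             -Name 'AppMgmtDebugLevel' -Value 0x4b -Type DWord

# q223300: verbose Windows Installer logging -> MSI*.log in the installing
# account's %TEMP% (for computer-assigned apps that is the SYSTEM profile's temp)
Set-RegValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' `
             -Name 'Logging' -Value 'voicewarmupx' -Type String

# Recent events from the components involved in a GP software install: the
# Software Installation CSE, the Group Policy engine (userenv) and Windows
# Installer. Source names vary by OS version, hence the loose match.
function Get-GpInstallEvent {
    param([int]$Hours)
    Get-EventLog -LogName Application -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -match 'Application Management|Userenv|MsiInstaller' } |
        Select-Object TimeGenerated, EntryType, Source, EventID, Message
}

Get-GpInstallEvent -Hours $HoursBack | Format-List
Write-Host "Now run 'gpupdate /force' and reboot (computer-assigned apps install at startup),"
Write-Host "then read $env:windir\Debug\UserMode\Appmgmt.log and the MSI*.log files."
```

The Appmgmt.log is the one to read first: it records whether the CSE saw the assignment at all and why it decided not to act, which is exactly the question in this thread. Turn both logging values off again once the problem is found, since the verbose MSI log can grow quickly on a production client.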