Re: [ActiveDir] OT: Command line for exchange
She's talking about Exchange 2007. Go look at the ms Exchange blog site and you'll see some references. (http://msexchangeteam.com/default.aspx)

The nice thing about it is that most everything that I saw that they were doing with a command line you could do with the GUI. The only difference is that you can script something in a command line, while building scripting for a GUI is a lot more of a pain and a lot less reliable.

Here's a good reference link:
http://www.microsoft.com/technet/scriptcenter/scripts/message/exch2007/default.mspx?mfr=true

I think that has a list of most all of the commands that you can do in the exchange command line. Again though, while you *can* do a lot of the stuff in Exchange 2007 with scripts, I believe that you can do more (everything) in the GUI. A lot more. From one of the demos on the exchange team blog site, I believe that if you do something in the GUI, it will create a command in the CLI window and you can evaluate what it is and how it works. Looks really interesting to me and I'm about as far as you can get from a 'script kiddie'.

On 7/15/06, Brian Desmond [EMAIL PROTECTED] wrote:

Command line for Exchange.. .yuck ? There isn't one to speak of now, although Monad had some fundamental issues last I saw/heard as far as the utility of the commands in large environments.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, July 15, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command line for exchange

Download details: Introduction to the Exchange Management Shell:
http://www.microsoft.com/downloads/details.aspx?familyid=1dc0f61b-d30f-44a2-882e-12ddd4ee09d2&displaylang=en

Command line for Exchange.. .yuck

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: Command line for exchange
Yeah that doc is supposed to be about what they are doing with MONAD for Exchange. I, for one, based on some EHLO blog posts am concerned about its functionality and how it will work in large environments. I will try to download and read that doc to see if it has any meat in it but most Exchange docs tend to shy away from implementation details and you have to actually get the tools out and do things with it and watch closely what it does.

My main concern so far based on what the Exchange team indicated was that this command line stuff is going to be just as fat as the GUI stuff in terms of traffic which will actually be felt in a worse way because with the GUI you tend to pick and choose what you want and command line you are usually trying to hit mass quantities. It sounds like if you say wanted one little piece of info for every mailbox, say mailbox last logon date or something you would have to pull back ALL info for the mailbox and then just display the little bit of info you want. That will be fine in small LAN environments with small numbers of users (say thousands or less) but in large environments with tens or hundreds of thousands of users or millions of users or working across slow WAN links that is going to be lacking considerably. If you thought WMI slow... Just wait!

I hope it doesn't turn out that way but I don't have a lot of faith in MSFT's large scale management strategies and tools for the most part. Especially in the Exchange realm. I haven't seen a larger company yet (read company 100k users) that could actually use the MSFT Exchange management tools to do the needed work and even smaller companies tend to run pretty inefficiently using the tools.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, July 15, 2006 11:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Command line for exchange

Command line for Exchange.. .yuck ? There isn't one to speak of now, although Monad had some fundamental issues last I saw/heard as far as the utility of the commands in large environments.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, July 15, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command line for exchange

Download details: Introduction to the Exchange Management Shell:
http://www.microsoft.com/downloads/details.aspx?familyid=1dc0f61b-d30f-44a2-882e-12ddd4ee09d2&displaylang=en

Command line for Exchange.. .yuck

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] [OT]Multihomed Domain Controllers
I have found that trying to surf with servers doesn't work really well, the buoyancy factor is not substantial enough and as you paddle out to catch the big one you tend to sink before you get there. Actually having your ankle tied to the server makes for a rough day for yourself too.

Actually that would make a good commercial. You see some guy walking out into the water carrying a mid-tower sized server with sex wax stickers all over it and tied to his ankle properly (sort of like in http://www.australianmajestictours.com/surfing.jpg) with big waves rolling in and a caption of, surfing with your server isn't just insecure, it is downright stupid. With a commercial it would be better because as the person lugs the server down into the water and hops onto it they sink out of sight (or would that be site?).

I am sorry for the slow updates on Defending Security Infrastructures on http://blog.joeware.net; that is how it goes though when inventing new terms.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

You surf on your servers? My servers go to WU/MU...and maybe to Joe's blog for information on Defending Security Infrastructure..in fact they regularly hang out on Joe's blog for all the information I need to know on Defending Security Infrastructure.. in fact http://blog.joeware.net/2006/07/11/445/ that link is the home page so that I'm constantly reminded about Defending Security Infrastructure ..but other than that... they don't have antispyware because they don't go anywhere to get spyware and the Enhanced IE is still on there.

Kevin Brunson wrote:

I have definitely found the hosts file to be useful on servers to keep them from EVER getting to spyware sites. This guy has a great list :
http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts
Just cut and paste into the hosts file and you are good to go. I scripted it for all of the servers I deal with. But I guess this is getting pretty far OT: :)

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert Rutherford
*Sent:* 12 July 2006 12:57
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you... Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS.

Cheers,
Rob

*Robert Rutherford*
*QuoStar Solutions Limited*
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
*T:* +44 (0) 8456 440 331
*F:* +44 (0) 8456 440 332
*M:* +44 (0) 7974 249 494
*E: * [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
*W: * www.quostar.com http://www.quostar.com

**From:** [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green
*Sent:* 12 July 2006 11:43
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other gotchas ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows
RE: [ActiveDir] [Hijacked]Multihomed Domain Controllers
I would tend to agree with Al on this point. I haven't seen a need for teaming and feel that the more complex device drivers could actually put you in a position of failure and watch out for the times where someone accidentally misconfigures something and you start getting really odd inconsistent network issues like the DC network just dropping randomly occasionally when it gets busy.

Possibly with more and more deployment of x64 DCs the NIC will become more likely to be a bottleneck but I haven't seen that so far and as for failure rates of NICs and network cables, they have been very low in my experience.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

I've not had good luck with teaming and I've yet to see much benefit. Saying that, I can see where teaming in a failover method might have some benefits for other types of servers. Due to the way AD is deployed (fabric vs. cluster or single instance) I see no point in making anything complex when it comes to a domain controller. I view teaming as one more piece of software to configure (and potentially mess up) and one more thing in my troubleshooting list if something goes amiss.

On 7/12/06, Freddy HARTONO [EMAIL PROTECTED] wrote:

Don't mean to hijack this thread but on a similar note - what's the downside for installing DCs with Adapter Teaming?

All I know is that when adapter teaming is enabled, setting up WINS service will pop an error message (which can be ignored)...but anything else? I've always been a firm believer of one nic and no teaming...

Any comments?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the host file on the backup server so that you guarantee that the backup server always uses the right network connection.

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] *On Behalf Of *Robert Rutherford
*Sent:* 12 July 2006 12:57
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you... Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS.

Cheers,
Rob

*Robert Rutherford*
*QuoStar Solutions Limited*
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
*T:* +44 (0) 8456 440 331
*F:* +44 (0) 8456 440 332
*M:* +44 (0) 7974 249 494
*E: * [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
*W: * www.quostar.com http://www.quostar.com

**From:** [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] *On Behalf Of *Jeff Green
*Sent:* 12 July 2006 11:43
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098

"I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
RE: [ActiveDir] OT: Command line for exchange
Actually, you've got that a bit backwards. The Exchange GUI for 2007 is built completely on Monad/PowersHell cmdlets. In more recent builds, the GUI displays the cmdlet it executes to help the admin (if he/she so chooses) to learn the scripting. I don't think those builds are generally available yet.

The command line is much more powerful than the GUI. Much.

I've not tested in large environments, I'm a mid-sized guy. But it works quite well in my lab mockups of my production environment on decrepit hardware.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Sunday, July 16, 2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Command line for exchange

She's talking about Exchange 2007. Go look at the ms Exchange blog site and you'll see some references. (http://msexchangeteam.com/default.aspx)

The nice thing about it is that most everything that I saw that they were doing with a command line you could do with the GUI. The only difference is that you can script something in a command line, while building scripting for a GUI is a lot more of a pain and a lot less reliable.

Here's a good reference link:
http://www.microsoft.com/technet/scriptcenter/scripts/message/exch2007/default.mspx?mfr=true

I think that has a list of most all of the commands that you can do in the exchange command line. Again though, while you *can* do a lot of the stuff in Exchange 2007 with scripts, I believe that you can do more (everything) in the GUI. A lot more. From one of the demos on the exchange team blog site, I believe that if you do something in the GUI, it will create a command in the CLI window and you can evaluate what it is and how it works. Looks really interesting to me and I'm about as far as you can get from a 'script kiddie'.

On 7/15/06, Brian Desmond [EMAIL PROTECTED] wrote:

Command line for Exchange.. .yuck ? There isn't one to speak of now, although Monad had some fundamental issues last I saw/heard as far as the utility of the commands in large environments.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, July 15, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command line for exchange

Download details: Introduction to the Exchange Management Shell:
http://www.microsoft.com/downloads/details.aspx?familyid=1dc0f61b-d30f-44a2-882e-12ddd4ee09d2&displaylang=en

Command line for Exchange.. .yuck
RE: [ActiveDir] Why not browsing - was Multihomed Domain Controllers
In larger companies browsing really isn't used all that much as there are quite a few things that can screw it up. It is entirely a broadcast based mechanism and I have seen several companies just start disabling the browsing service altogether to help alleviate browse master wars, etc. On 10Mbs ethernet that could be especially problematic and a small scale browse war could saturate the network. If you actually have an issue with browsing you will talk to MSFT and find out that most of that isn't even supported, or at least that was my experience early on when trying to get some support with some browsing issues and started learning how it all works back in about 1997 or so.

So how do people find resources in large companies? A couple of ways:

The first is standard namings of resources. For instance, in one large company there are pretty much only six share names that are allowed

1. SYSVOL for reasons obvious to this crowd
2. NETLOGON for reasons obvious to this crowd plus local member servers used as home drive servers can use this share name if they want to implement secondary logon scripts that are managed by the local site admins
3. The home directory shares on the home server which are named as \\server\samaccountname$ (the $ hides the share from casual enumeration with net view or the Windows standard tools)
4. SDS$ which is a share for the homebrew software delivery system
5. \\server\APPS which is a share that contains all application installation packages as well as apps that run across the network. For the latter say you have a simple app that doesn't need to update the local machine to run, it can be run right from the share. This share was set up as a null session share so even machines could connect and run things from it (say for software delivery) without having to depend on kerberos and specifically granting access.
6. \\server\PROJ which is a share that contains shared project data for the site. There are subfolders under the root of the share that are ACLed for the various groups that need a dedicated folder. The permissions are very simple as well... the groups will be named something like PREFIX-Foldername-R or PREFIX-Foldername, the first gives read access, the second gives change access. The prefix will usually be a site code but if there are multiple proj servers involved it will likely be sitecode-servername.

Usually a given site will have but a single PROJ and APPS server which is usually named sitecode0001. So any site I go into, if I know the site code for the building (which is the start of the name of every PC in the building) then I know how to find proj and apps. On the occasions (generally rare) that the data for a project needs to be used in another site you are told what the server name is that you need to connect to.

The second is to publish resources in Active Directory. This is fairly common for printers though more and more I seem to be seeing people just sticking a sign up on local printers with the queue name and DNS name to avoid some moron from accidentally picking a printer somewhere he shouldn't be printing and sending some huge print job to it. Or even worse, purposely looking for printers with capabilities they want but not really a printer they should be able to use so in order to stop them you have to start ACLing the printers which can be a pain to manage - an example here would be giant plotters capable of doing wall sized plots or really nice die transfer printers or high high end color laser printers.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 13, 2006 8:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Brian,

Could you please explain to me what you mean by "save for the browsing situation, but who uses that anyway?" Are you saying that your networks don't have browse masters? How do people find resources then?

Thanks.
RH
___

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 13 July, 2006 1:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

I've got hundreds of sites/forests with multihomed DCs. It works fine save for the browsing situation, but who uses that anyway?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural
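
The share and ACL-group naming convention joe describes in the message above lends itself to a mechanical check. The following is an added example, not code from the thread or its participants; the site code DET, the server, account and folder names, and the inventory layout are all constructed assumptions.

```python
"""Audit a share inventory against the naming convention described in the thread."""

# The fixed share names from the message; home shares are handled separately.
FIXED_SHARES = {"SYSVOL", "NETLOGON", "SDS$", "APPS", "PROJ"}
# APPS is the only share the message describes as a null session share.
NULL_SESSION_OK = {"APPS"}


def classify_share(name, sam_accounts):
    """Return 'fixed', 'home', or None for a share name (case-insensitive)."""
    upper = name.upper()
    if upper in FIXED_SHARES:
        return "fixed"
    # Home shares are \\server\samaccountname$ : one hidden share per account.
    if upper.endswith("$") and upper[:-1] in {a.upper() for a in sam_accounts}:
        return "home"
    return None


def parse_proj_group(group, prefixes, folders):
    """Split PREFIX-Foldername[-R] into (prefix, folder, access), or return None.

    Prefixes and folder names may themselves contain hyphens, so the group
    name is matched against the known values instead of being split blindly.
    """
    g = group.upper()
    for prefix in sorted(prefixes, key=len, reverse=True):  # longest prefix first
        p = prefix.upper() + "-"
        if not g.startswith(p):
            continue
        rest = g[len(p):]
        for folder in folders:
            f = folder.upper()
            if rest == f:
                return (prefix, folder, "change")
            if rest == f + "-R":
                return (prefix, folder, "read")
    return None


def audit(inventory, site_code, sam_accounts):
    """Return a list of (path, problem) tuples for entries that break the convention."""
    findings = []
    for entry in inventory:
        server, share = entry["server"], entry["share"]
        unc = "\\\\{}\\{}".format(server, share)
        if classify_share(share, sam_accounts) is None:
            findings.append((unc, "share name outside the convention"))
        if entry.get("null_session") and share.upper() not in NULL_SESSION_OK:
            findings.append((unc, "null session access on a share other than APPS"))
        if share.upper() == "PROJ":
            # Prefix is the site code, or sitecode-servername on multi-server sites.
            prefixes = [site_code, site_code + "-" + server]
            for folder, groups in entry.get("folder_acls", {}).items():
                for group in groups:
                    if parse_proj_group(group, prefixes, [folder]) is None:
                        findings.append((unc + "\\" + folder,
                                         "group %r does not match PREFIX-%s[-R]"
                                         % (group, folder)))
    return findings


# Constructed sample data (not from the thread).
SAMPLE_ACCOUNTS = ["jsmith", "akhan"]
SAMPLE_INVENTORY = [
    {"server": "DET0001", "share": "APPS", "null_session": True},
    {"server": "DET0001", "share": "PROJ", "null_session": False,
     "folder_acls": {"Widget": ["DET-Widget", "DET-Widget-R"],
                     "Gadget": ["DET-DET0001-Gadget-R", "Gadget-Readers"]}},
    {"server": "DET0002", "share": "jsmith$", "null_session": False},
    {"server": "DET0002", "share": "Scans", "null_session": True},
    {"server": "DET0002", "share": "SDS$", "null_session": False},
]

if __name__ == "__main__":
    for path, problem in audit(SAMPLE_INVENTORY, "DET", SAMPLE_ACCOUNTS):
        print(path, "-", problem)
```
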
RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau
ROFL Brilliant.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, July 13, 2006 4:01 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

I quite like the oxymoron - Attacking Defending Security Infrastructures

Perhaps we could call it - ADSI for short?

-----Original Message-----
From: Mark Parris [EMAIL PROTECTED]
Date: Thu, 13 Jul 2006 06:17:04
To: ActiveDir.org ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

I did indeed, but I was trying to introduce another acronym to the IT almanac, Defending Security Infrastructures DSI it is then. Boss, Boss, the DSI boss.

-----Original Message-----
From: Brian Desmond [EMAIL PROTECTED]
Date: Thu, 13 Jul 2006 11:01:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

I think you meant Defending Security Infrastructures (“DSI”): Las Vegas.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, July 12, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

I can see a TV Show emerging here DSI (Las Vegas)

If he was still alive Herve Villechaiz could have played the lead, he used to be on Fantasy Island (Tattoo) and the man with the Golden Gun (Nick Nack).

From: joe [EMAIL PROTECTED]
Sent: 12 July 2006 16:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Oh F^%. I apologize in front of everyone for misspelling your name AGAIN, neil. I was so worked up over the topic of Defending Security Infrastructures that everything other than the topic of Defending Security Infrastructures completely slipped through my mind. Of course this would be much easier if you simply changed your first name to Neal then I would be right when I was wrong so when discussing topics such as Defending Security Infrastructures I would not mess up the spelling on your name.

Again, I humbly ask your forgiveness[1] and apologize profusely and blame it all on the lack of definition of the term Defending Security Infrastructures[2].

So before I go on too much more about Defending Security Infrastructures and the webpage at http://blog.joeware.net/2006/07/11/445/ which tells you absolutely nothing about Defending Security Infrastructures, I will now close this note on Defending Security Infrastructures.

joe

[1] That is serious. No excuse neil, I am quite sorry.
[2] Err so is that, but not as serious as [1] above.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing about Defending Security Infrastructures.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 12, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

Neal, you totally misunderstood.

I said DO NOT READ that worthless blog entry on Defending Security Infrastructures located at http://blog.joeware.net/2006/07/11/445/. And then if you read the blog on Defending Security Infrastructures, I asked for you to comment to the blog your thoughts on Defending Security Infrastructures. This is neither the time to discuss Defending Security Infrastructures nor the place to discuss Defending Security Infrastructures.

I personally haven't fully stepped into the Defending Security Infrastructures space yet, though if I did I would probably look to the fine folks at NetPro and Quest first to see their ideas on Defending Security Infrastructures, and of course I would be obligated to look at Microsoft's Defending Security Infrastructures solutions and also as mentioned in one of the blog comments, a key portion of the Defending Security Infrastructures solution would be GPOs so I would look to GPOGuy for Defending Security Infrastructures products as well.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Do not read this worthless blog entry on Defending Security Infrastructures - http://blog.joeware.net/2006/07/11/445/ --- I'm serious, you will learn absolutely nothing
RE: [ActiveDir] Why not browsing - was Multihomed Domain Controllers
The second is to publish resources in Active Directory. This is fairly common for printers though more and more I seem to be seeing people just sticking a sign up on local printers with the queue name and DNS name to avoid some moron from accidentally picking a printer somewhere he shouldn't be printing and sending some huge print job to it. Or even worse, purposely looking for printers with capabilities they want but not really a printer they should be able to use so in order to stop them you have to start ACLing the printers which can be a pain to manage - an example here would be giant plotters capable of doing wall sized plots or really nice die transfer printers or high high end color laser printers.

Ah but one of the benefits of being a domain admin in these large organizations is that you are empowered to test the print queues for these printers to make sure they're fully functional at all times.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, July 16, 2006 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Why not browsing - was Multihomed Domain Controllers

In larger companies browsing really isn't used all that much as there are quite a few things that can screw it up. It is entirely a broadcast based mechanism and I have seen several companies just start disabling the browsing service altogether to help alleviate browse master wars, etc. On 10Mbs ethernet that could be especially problematic and a small scale browse war could saturate the network. If you actually have an issue with browsing you will talk to MSFT and find out that most of that isn't even supported, or at least that was my experience early on when trying to get some support with some browsing issues and started learning how it all works back in about 1997 or so.

So how do people find resources in large companies? A couple of ways:

The first is standard namings of resources. For instance, in one large company there are pretty much only six share names that are allowed

1. SYSVOL for reasons obvious to this crowd
2. NETLOGON for reasons obvious to this crowd plus local member servers used as home drive servers can use this share name if they want to implement secondary logon scripts that are managed by the local site admins
3. The home directory shares on the home server which are named as \\server\samaccountname$ (the $ hides the share from casual enumeration with net view or the Windows standard tools)
4. SDS$ which is a share for the homebrew software delivery system
5. \\server\APPS which is a share that contains all application installation packages as well as apps that run across the network. For the latter say you have a simple app that doesn't need to update the local machine to run, it can be run right from the share. This share was set up as a null session share so even machines could connect and run things from it (say for software delivery) without having to depend on kerberos and specifically granting access.
6. \\server\PROJ which is a share that contains shared project data for the site. There are subfolders under the root of the share that are ACLed for the various groups that need a dedicated folder. The permissions are very simple as well... the groups will be named something like PREFIX-Foldername-R or PREFIX-Foldername, the first gives read access, the second gives change access. The prefix will usually be a site code but if there are multiple proj servers involved it will likely be sitecode-servername.

Usually a given site will have but a single PROJ and APPS server which is usually named sitecode0001. So any site I go into, if I know the site code for the building (which is the start of the name of every PC in the building) then I know how to find proj and apps. On the occasions (generally rare) that the data for a project needs to be used in another site you are told what the server name is that you need to connect to.

The second is to publish resources in Active Directory. This is fairly common for printers though more and more I seem to be seeing people just sticking a sign up on local printers with the queue name and DNS name to avoid some moron from accidentally picking a printer somewhere he shouldn't be printing and sending some huge print job to it. Or even worse, purposely looking for printers with capabilities they want but not really a printer they should be able to use so in order to stop them you have to start ACLing the printers which can be a pain to manage - an example here would be giant plotters capable of doing wall sized plots or really nice die transfer printers or high high end color laser printers.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 13, 2006 8:25
RE: [ActiveDir] Home directories issue
Has any headway been made with this problem? I can't find any solutions out there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Conrad, Daniel C Mr. Nortel PEC Solutions Sent: Tuesday, December 13, 2005 3:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home directories issue

It's all AD on 2k3 with XP Pro clients, connecting to a real share (both by IP and NetBIOS to ensure name resolution isn't an issue). No DFS. On behalf of Jerry

Dan Nortel PEC Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme Sent: Tuesday, December 13, 2005 12:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home directories issue

%USERNAME% won't help, as it is translated on the fly to the user's name the moment you use it, so it ends up joe.user anyway. Are your users having the problem using W2K or later, I assume? (if not, there's your answer) And you ARE using a real share, not a DFS root share, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arnold Arce Sent: Monday, December 12, 2005 9:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home directories issue

I have experienced this same problem. Usually logging off and logging on fixes it. I need to find a better answer. I'll try the %USERNAME% variable like someone else suggested.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP Sent: Monday, December 12, 2005 3:42 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Home directories issue

Hoping someone has seen this problem before. Users are mapping home folders using AD profile tab which maps X: to \\servername\home\joe.user. Occasionally, upon logon, users will map to \\servername\home and not all the way to their own home directory. I've seen several blogs and the same problem posted elsewhere but no cause or solution. Thanks Jerry
RE: [ActiveDir] Why not browsing - was Multihomed Domain Controllers
With the Print Management Console that was introduced with Win2K3 R2, managing printers is *significantly* easier and ACLing them appropriately becomes a more realistic task. It's also now downloadable separately from R2 and will run on Win2K3 SP1+. http://www.microsoft.com/downloads/details.aspx?FamilyID=83066ddc-bc96-4418-a629-48c8abd2c7a0displaylang=en

Laura

The second is to publish resources in Active Directory. This is fairly common for printers though more and more I seem to be seeing people just sticking a sign up on local printers with the queue name and DNS name to avoid some moron from accidentally picking a printer somewhere he shouldn't be printing and sending some huge print job to it. Or even worse, purposely looking for printers with capabilities they want but not really a printer they should be able to use, so in order to stop them you have to start ACLing the printers which can be a pain to manage - an example here would be giant plotters capable of doing wall sized plots or really nice die transfer printers or high high end color laser printers.
[ActiveDir] Clean install VS Upgrade of Windows 2003
Hey all, Does anyone have any comments/articles, etc on the benefits or concerns of a clean install of Windows 2003 Server VS an Upgrade? My opinion is that doing a clean install keeps system root clean. It also pristinely adopts the security best practices of 2003 Server. Disk performance will improve as well. Does anyone have anything they can add to this? I have migrated a great portion of my network in a clean install path, and now it is coming into question why did I not choose the upgrade path. Any comments would be greatly appreciated, Thanks, Nate
RE: [ActiveDir] Clean install VS Upgrade of Windows 2003
Personally I hate OS upgrades and try hard to avoid them and prefer to choose a fresh clean install... Although supported, when upgrading an OS old stuff from the previous OS is kept and besides that you might run into issues because of incompatibilities with software, drivers, etc. A clean install in combination with the migration of the stuff hosted on the old server to the new server gives you a phased approach. Upgrading directly impacts the server and if the upgrade fails you might end up with a trouble server.

IMHO:
* avoid OS upgrades when possible and only use it when really necessary (like for example NT4 PDC - W2K3 DC, which is mandatory)

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Bahta, Nathaniel V CTR USAF NASIC/SCNA Sent: Sun 2006-07-16 20:53 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Clean install VS Upgrade of Windows 2003

Hey all, Does anyone have any comments/articles, etc on the benefits or concerns of a clean install of Windows 2003 Server VS an Upgrade? My opinion is that doing a clean install keeps system root clean. It also pristinely adopts the security best practices of 2003 Server. Disk performance will improve as well. Does anyone have anything they can add to this? I have migrated a great portion of my network in a clean install path, and now it is coming into question why did I not choose the upgrade path. Any comments would be greatly appreciated, Thanks, Nate
Re: [ActiveDir] OT: Command line for exchange
I'll be really interested to know if the underlying protocol for talking to Exchange remotely is any different than webdav in the next release. I admit to not having looked at the Power Shell stuff for Exchange yet, so I have no idea. I kind of hate programming Exchange, so I tend to avoid it. If there is a different protocol, then there might be hope that non-Power Shell programmers will have a way in as well. There may also be an underlying provider that provides access to features than the default wrappers in PS. There is a chance that would be managed code though, so I'm sure that would be a big frown for you. :) I do think we'll see more and more of that kind of thing though (APIs written in managed code with no straight C bindings). As far as PS itself is concerned, I'm pretty excited about it. It is a very cool shell with a lot of interesting features. It is also pretty intensely geeky, so I think the learning curve is going to be pretty steep for a lot of people. Joe K. - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Sunday, July 16, 2006 8:44 AM Subject: RE: [ActiveDir] OT: Command line for exchange Yeah that doc is supposed to be about what they are doing with MONAD for Exchange. I, for one, based on some EHLO blog posts am concerned about its functionality and how it will work in large environments. I will try to download and read that doc to see if it has any meat in it but most Exchange docs tend to shy away from implementation details and you have to actually get the tools out and do things with it and watch closely what it does. My main concern so far based on what the Exchange team indicated was that this command line stuff is going to be just as fat as the GUI stuff in terms of traffic which will actually be felt in a worse way because with the GUI you tend to pick and choose what you want and command line you are usually trying to hit mass quantities. 
It sounds like if you say wanted one little piece of info for every mailbox, say mailbox last logon date or something you would have to pull back ALL info for the mailbox and then just display the little bit of info you want. That will be fine in small LAN environments with small numbers of users (say thousands or less) but in large environments with tens or hundreds of thousands of users or millions of users or working across slow WAN links that is going to be lacking considerably. If you thought WMI slow... Just wait! I hope it doesn't turn out that way but I don't have a lot of faith in MSFT's large scale management strategies and tools for the most part. Especially in the Exchange realm. I haven't seen a larger company yet (read company 100k users) that could actually use the MSFT Exchange management tools to do the needed work and even smaller companies tend to run pretty inefficiently using the tools. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: Command line for exchange
I've heard there's ASP.Net webservices that expose a lot of this stuff. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Joe Kaplan Sent: Sunday, July 16, 2006 2:57 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Command line for exchange I'll be really interested to know if the underlying protocol for talking to Exchange remotely is any different than webdav in the next release. I admit to not having looked at the Power Shell stuff for Exchange yet, so I have no idea. I kind of hate programming Exchange, so I tend to avoid it. If there is a different protocol, then there might be hope that non- Power Shell programmers will have a way in as well. There may also be an underlying provider that provides access to features than the default wrappers in PS. There is a chance that would be managed code though, so I'm sure that would be a big frown for you. :) I do think we'll see more and more of that kind of thing though (APIs written in managed code with no straight C bindings). As far as PS itself is concerned, I'm pretty excited about it. It is a very cool shell with a lot of interesting features. It is also pretty intensely geeky, so I think the learning curve is going to be pretty steep for a lot of people. Joe K. - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Sunday, July 16, 2006 8:44 AM Subject: RE: [ActiveDir] OT: Command line for exchange Yeah that doc is supposed to be about what they are doing with MONAD for Exchange. I, for one, based on some EHLO blog posts am concerned about its functionality and how it will work in large environments. I will try to download and read that doc to see if it has any meat in it but most Exchange docs tend to shy away from implementation details and you have to actually get the tools out and do things with it and watch closely what it does. 
My main concern so far based on what the Exchange team indicated was that this command line stuff is going to be just as fat as the GUI stuff in terms of traffic which will actually be felt in a worse way because with the GUI you tend to pick and choose what you want and command line you are usually trying to hit mass quantities. It sounds like if you say wanted one little piece of info for every mailbox, say mailbox last logon date or something you would have to pull back ALL info for the mailbox and then just display the little bit of info you want. That will be fine in small LAN environments with small numbers of users (say thousands or less) but in large environments with tens or hundreds of thousands of users or millions of users or working across slow WAN links that is going to be lacking considerably. If you thought WMI slow... Just wait! I hope it doesn't turn out that way but I don't have a lot of faith in MSFT's large scale management strategies and tools for the most part. Especially in the Exchange realm. I haven't seen a larger company yet (read company 100k users) that could actually use the MSFT Exchange management tools to do the needed work and even smaller companies tend to run pretty inefficiently using the tools. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Re: [ActiveDir] Clean install VS Upgrade of Windows 2003
There are a few times where upgrading is easier than installing fresh and doesn't have that big of an impact... but most times I prefer to simply install fresh. There are only a few examples of where I think that upgrading is better or easier overall:

1) Workstations -- I'd rather upgrade a Win2k Pro (or even WinXP Home) box than reinstall the OS *and* all the software and worry about user settings/data.
2) When a piece of software requires an in-place upgrade instead of allowing a multi-homed approach. Not a large number of these, but enough to where most people should check their software to see if it will support being migrated to another box (the fresh install) while live.

Other than those 2 (there are a few others like the example given by Jorge), there aren't many reasons to not install fresh and sometimes upgrading ends up with other problems appearing that weren't there before.

On 7/16/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

Personally I hate OS upgrades and try hard to avoid them and prefer to choose a fresh clean install... Although supported, when upgrading an OS old stuff from the previous OS is kept and besides that you might run into issues because of incompatibilities with software, drivers, etc. A clean install in combination with the migration of the stuff hosted on the old server to the new server gives you a phased approach. Upgrading directly impacts the server and if the upgrade fails you might end up with a trouble server.

IMHO:
* avoid OS upgrades when possible and only use it when really necessary (like for example NT4 PDC - W2K3 DC, which is mandatory)

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Bahta, Nathaniel V CTR USAF NASIC/SCNA Sent: Sun 2006-07-16 20:53 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Clean install VS Upgrade of Windows 2003

Hey all, Does anyone have any comments/articles, etc on the benefits or concerns of a clean install of Windows 2003 Server VS an Upgrade? My opinion is that doing a clean install keeps system root clean. It also pristinely adopts the security best practices of 2003 Server. Disk performance will improve as well. Does anyone have anything they can add to this? I have migrated a great portion of my network in a clean install path, and now it is coming into question why did I not choose the upgrade path. Any comments would be greatly appreciated, Thanks, Nate
Re: [ActiveDir] Home directories issue
Well, when you're mapping to \\server\share\directory, if the user has permission issues at the directory level (their actual home share location), I believe that it will simply map to the share and not go into the directory. Make sure that you have granted all users Full Control at the share level. You don't need to grant them anything more than Read at the NTFS level (since I believe the System account creates their home directory), but to have full control (which is required for the home drive location), you have to be *able* to have full control and you can only have full control on a share if *both* the Share-level permissions and the directory level permissions state that.

Example: The \\server01\users share is located on the E drive in the directory users. You can have the perms on that directory to be Administrators: Full, System: Full, Everyone: Read, the System will create the user directories (E:\users\joebloe\) and grant the required permissions for that directory (full control for joebloe). However, if the share perms state Change or Read Only, then the user can only have that level *or lower* of effective permissions on the files. So even if joebloe has Full Control on his directory, if the share says Everyone: Change, then his effective permissions on everything in that share (including his directory) won't ever be more than Change.

You could actually have E:\users shared out as \\server01\users and \\server01\home and if you have everyone as Change on the users share and Full Control on the home share, even though it's the exact same location on the system and the NTFS permissions haven't changed, the people who are mapped to \\server01\home will work, while the people who are mapped to \\server01\users won't work. Change everyone's mapping to \\server01\home (or change \\server01\users to have Everyone: Full) and they will all work.
Some of this is speculation and while I seem to remember running into this in someone's network before, that was something like 6 years ago and haven't run into it since. I could be mistaken. On 7/16/06, Arnold Arce [EMAIL PROTECTED] wrote: Has any headway been made with this problem? I can't find any solutions out there. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Conrad, Daniel C Mr. Nortel PEC Solutions Sent: Tuesday, December 13, 2005 3:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home directories issue It's all AD on 2k3 with XP Pro clients, connecting to a real share (both by IP and NetBIOS to ensure name resolution isn't an issue. No DFS. On behalf of Jerry Dan Nortel PEC Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Holme Sent: Tuesday, December 13, 2005 12:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home directories issue %USERNAME% won't help, as it is translated "on the fly" to the user's name the moment you use it, so it ends up joe.user anyway. Are your users having the problem using W2K or later, I assume? (if not, there's your answer) And you ARE using a "real" share, not a DFS root share, right? From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Arnold Arce Sent: Monday, December 12, 2005 9:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home directories issue I have experienced this same problem. Usually logging off and logging on fixes it. I need to find a better answer. I'll try the %USERNAME% variable like someone else suggested. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Condra, Jerry W Mr HP Sent: Monday, December 12, 2005 3:42 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Home directories issue Hoping someone has seen this problem before. Users are mapping home folders using AD profile tab which maps X: to \\servername\home\joe.user . 
Occasionally, upon logon, users will map to \\servername\home and not all the way to their own home directory. I've seen several blogs and the same problem posted elsewhere but no cause or solution. Thanks Jerry
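The share-versus-NTFS rule from the message above, worked through as an added example (not code from the thread or its participants): access over SMB is limited to the rights that both the share ACL and the NTFS ACL grant, so the same directory behaves differently through two shares. The ACE lists, the `granted`, `effective` and `lost_rights` helpers and the simplified deny handling are assumptions made for illustration; the access-mask values are the standard Windows ones.

```python
# Model of how SMB share permissions and NTFS permissions combine.
# Constructed data: the ACLs mirror the \\server01\users and \\server01\home
# example from the thread; nothing here is read from a live system.

# Standard Windows file access masks for the three share permission levels.
FULL_CONTROL = 0x1F01FF
CHANGE = 0x1301BF   # "Change" on a share, "Modify" in NTFS
READ = 0x1200A9     # read and execute

# The individual rights that Full Control contains and Change does not.
RIGHT_NAMES = {
    0x000040: "FILE_DELETE_CHILD",
    0x040000: "WRITE_DAC (change permissions)",
    0x080000: "WRITE_OWNER (take ownership)",
}


def granted(acl, sids):
    """Access mask an ACL grants to a token that holds the given SIDs.

    Simplification (assumption): deny ACEs always win, and ACE ordering and
    inheritance flags are ignored.
    """
    allow = deny = 0
    for ace_type, trustee, mask in acl:
        if trustee not in sids:
            continue
        if ace_type == "deny":
            deny |= mask
        else:
            allow |= mask
    return allow & ~deny


def effective(share_acl, ntfs_acl, sids):
    """Rights usable over the network: the intersection of both ACLs."""
    return granted(share_acl, sids) & granted(ntfs_acl, sids)


def lost_rights(share_acl, ntfs_acl, sids):
    """Names of rights NTFS grants but the share ACL strips away."""
    missing = granted(ntfs_acl, sids) & ~granted(share_acl, sids)
    return sorted(name for bit, name in RIGHT_NAMES.items() if missing & bit)


# Token of the example user: his own account plus the Everyone group.
USER_TOKEN = {"joebloe", "Everyone"}

# NTFS ACL on E:\users\joebloe (constructed from the thread's description).
NTFS_ACL = [
    ("allow", "Administrators", FULL_CONTROL),
    ("allow", "SYSTEM", FULL_CONTROL),
    ("allow", "Everyone", READ),
    ("allow", "joebloe", FULL_CONTROL),
]

# Two shares that publish the same directory with different share ACLs.
SHARES = {
    r"\\server01\users": [("allow", "Everyone", CHANGE)],
    r"\\server01\home": [("allow", "Everyone", FULL_CONTROL)],
}


def report():
    """Effective mask and stripped rights for the user through each share."""
    return {
        name: (
            effective(share_acl, NTFS_ACL, USER_TOKEN),
            lost_rights(share_acl, NTFS_ACL, USER_TOKEN),
        )
        for name, share_acl in SHARES.items()
    }


if __name__ == "__main__":
    for name, (mask, lost) in report().items():
        print(f"{name}: effective 0x{mask:06X}, stripped by share: {lost or 'nothing'}")
```

Through the Change share the user keeps read, write and delete on his own files but cannot edit ACLs or take ownership, which is the difference between the two mappings the message describes.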
RE: [ActiveDir] Home directories issue
Taking everything you said, why would this problem be intermittent and not every single time the user logs in? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves Sent: Sunday, July 16, 2006 6:03 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Home directories issue Well, when you're mapping to \\server\share\directory, if the user has permission issues at the directory level (their actual home share location), I believe that it will simply map to the share and not go into the directory. Make sure that you have granted all users Full Control at the share level. You don't need to grant them anything more than Read at the NTFS level (since I believe the System account creates their home directory), but to have full control (which is required for the home drive location), you have to be *able* to have full control and you can only have full control on a share if *both* the Share-level permissions and the directory level permissions state that. Example: The \\server01\users share is located on the E drive in the directory users. You can have the perms on that directory to be Administrators: Full, System: Full, Everyone: Read, the System will create the user directories (E:\users\joebloe\) and grant the required permissions for that directory (full control for joebloe). However, if the share perms state Change or Read Only, then the user can only have that level *or lower* of effective permissions on the files. So even if joebloe has Full Control on his directory, if the share says Everyone: Change, then his effective permissions on everything in that share (including his directory) won't ever be more than Change. 
You could actually have E:\users shared out as \\server01\users and \\server01\home and if you have everyone as Change on the users share and Full Control on the home share, even though it's the exact same location on the system and the NTFS permissions haven't changed, the people who are mapped to \\server01\home will work, while the people who are mapped to \\server01\users won't work. Change everyone's mapping to \\server01\home (or change \\server01\users to have Everyone: Full) and they will all work. Some of this is speculation and while I seem to remember running into this in someone's network before, that was something like 6 years ago and haven't run into it since. I could be mistaken. On 7/16/06, Arnold Arce [EMAIL PROTECTED] wrote: Has any headway been made with this problem? I can't find any solutions out there. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Conrad, Daniel C Mr. Nortel PEC Solutions Sent: Tuesday, December 13, 2005 3:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home directories issue It's all AD on 2k3 with XP Pro clients, connecting to a real share (both by IP and NetBIOS to ensure name resolution isn't an issue. No DFS. On behalf of Jerry Dan Nortel PEC Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Holme Sent: Tuesday, December 13, 2005 12:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home directories issue %USERNAME% won't help, as it is translated on the fly to the user's name the moment you use it, so it ends up joe.user anyway. Are your users having the problem using W2K or later, I assume? (if not, there's your answer) And you ARE using a real share, not a DFS root share, right? From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Arnold Arce Sent: Monday, December 12, 2005 9:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Home directories issue I have experienced this same problem. 
Usually logging off and logging on fixes it. I need to find a better answer. I'll try the %USERNAME% variable like someone else suggested. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Condra, Jerry W Mr HP Sent: Monday, December 12, 2005 3:42 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Home directories issue Hoping someone has seen this problem before. Users are mapping home folders using AD profile tab which maps X: to \\servername\home\joe.user . Occasionally, upon logon, users will map to \\servername\home and not all the way to their own home directory. I've seen several blogs and the same problem posted elsewhere but no cause or solution. Thanks Jerry
RE: [ActiveDir] Clean install VS Upgrade of Windows 2003
I agree with Jorge on this. Every new OS MSFT comes out with they tell you that it is much better at handling upgrades than the last and how bad the last one actually did it. So if someone tells me K3 does it great I tell them to say that when say LongHorn comes out. :) Anyway, you will have legacy settings that stay around when you do an upgrade say like the replication holdback reg settings, etc when you do an upgrade and it could be confusing later when troubleshooting something. Unless there is absolutely no way possible to do a fresh install then I would recommend going that way. Going slightly OT, I even reinstall my personal home clients on a regular basis (normally every 6 months but occasionally that slides depending on how busy I am) to get away from Windows rot and clean off crap that I don't currently use. I am also getting big into using virtual machines for most desktop functions now so that makes things even easier as I can roll back to a predetermined point or just pull the backup image off of a DVD that I made when I first made the image. Of course make sure you update the image with new patches first thing. :) In fact right now, I am writing this email on a virtual XP instance running with about 15 other virtuals on a machine that is on the other side of my house. Also all web surfing to untrusted sites is done through a virtual I have with undo disks, after I finish surfing I tell it to undo and it is ready for the next time. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Sunday, July 16, 2006 3:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003 Personally I hate OS upgrades and try hard to avoid them and prefer to choose a fresh clean install... 
Although supported, when upgrading an OS old stuff from the previous OS is kept and besides that you might run into issues because of incompatibilities with software, drivers, etc. A clean install in combination with the migration of the stuff hosted on the old server to the new server gives you a phased approach. Upgrading directly impacts the server and if the upgrade fails you might end up with a trouble server. IMHO: * avoid OS upgrades when possible and only use it when really necessary (like for example NT4 PDC - W2K3 DC, which is mandatory) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address _ From: [EMAIL PROTECTED] on behalf of Bahta, Nathaniel V CTR USAF NASIC/SCNA Sent: Sun 2006-07-16 20:53 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Clean install VS Upgrade of Windows 2003 Hey all, Does anyone have any comments/articles, etc on the benefits or concerns of a clean install of Windows 2003 Server VS an Upgrade? My opinion is that doing a clean install keeps system root clean. It also pristinely adopts the security best practices of 2003 Server. Disk performance will improve as well. Does anyone have anything they can add to this? I have migrated a great portion of my network in a clean install path, and now it is coming into question why did I not choose the upgrade path. Any comments would be greatly appreciated, Thanks, Nate
Re: [ActiveDir] OT: Command line for exchange
The plot thickens. I'd assume that PS and ASP.NET are using the same network layer to do the actual heavy lifting, so the question is then, what is that based on? :) Joe K. - Original Message - From: Brian Desmond [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Sunday, July 16, 2006 3:12 PM Subject: RE: [ActiveDir] OT: Command line for exchange I've heard there's ASP.Net webservices that expose a lot of this stuff. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] Clean install VS Upgrade of Windows 2003
The statement that with each new OS the upgrade in place scenario has improved, at least to date, has been true. If they said it's perfected each time then I could see your point. I've been to many customers that have done in-place upgrades of the OS with great success. Is it the preferred method assuming you have a choice? I think everyone would agree a clean install is always preferred. But it's a very valid option given some of the challenges that can crop up.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, July 16, 2006 6:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

I agree with Jorge on this. Every new OS MSFT comes out with they tell you that it is much better at handling upgrades than the last and how bad the last one actually did it. So if someone tells me K3 does it great I tell them to say that when say LongHorn comes out. :)

Anyway, you will have legacy settings that stay around when you do an upgrade say like the replication holdback reg settings, etc when you do an upgrade and it could be confusing later when troubleshooting something. Unless there is absolutely no way possible to do a fresh install then I would recommend going that way.

Going slightly OT, I even reinstall my personal home clients on a regular basis (normally every 6 months but occasionally that slides depending on how busy I am) to get away from Windows rot and clean off crap that I don't currently use. I am also getting big into using virtual machines for most desktop functions now so that makes things even easier as I can roll back to a predetermined point or just pull the backup image off of a DVD that I made when I first made the image. Of course make sure you update the image with new patches first thing. :) In fact right now, I am writing this email on a virtual XP instance running with about 15 other virtuals on a machine that is on the other side of my house. Also all web surfing to untrusted sites is done through a virtual I have with undo disks, after I finish surfing I tell it to undo and it is ready for the next time.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Sunday, July 16, 2006 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

Personally I hate OS upgrades and try hard to avoid them and prefer to choose a fresh clean install... Although supported when upgrading an OS old stuff from the previous OS is kept and besides that you might run into issues because of incompatibilities with software, drivers, etc. A clean install in combination with the migration of the stuff hosted on the old server to the new server gives you a phased approach. Upgrading directly impacts the server and if the upgrade fails you might end up with a trouble server.

IMHO:
* avoid OS upgrades when possible and only use it when really necessary (like for example NT4 PDC - W2K3 DC, which is mandatory)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Sun 2006-07-16 20:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Clean install VS Upgrade of Windows 2003

Hey all,

Does anyone have any comments/articles, etc on the benefits or concerns of a clean install of Windows 2003 Server VS an Upgrade? My opinion is that doing a clean install keeps system root clean. It also pristinely adopts the security best practices of 2003 Server. Disk performance will improve as well. Does anyone have anything they can add to this? I have migrated a great portion of my network in a clean install path, and now it is coming into question why did I not choose the upgrade path.

Any comments would be greatly appreciated,

Thanks,
Nate
Re: [ActiveDir] Clean install VS Upgrade of Windows 2003
I would like to point out though that an inplace install machine leaves behind a mixture of 2000 and 2k3 permissions and thus a comparison to a true Win2k3 box is sometimes a bit tricky. Combined with that the SFN issue... http://support.microsoft.com/kb/195144/EN-US/

Us SBSers are facing the no inplace in the next version as we have to go to 64 bit... of which the support folks are appreciative as they prefer clean boxes.

(and btw thank you...we're having a lovely clean versus upgrade on our SBS MVP listserve so your comments and thoughts are being sent elsewhere...)

David Adner wrote:

The statement that with each new OS the upgrade in place scenario has improved, at least to date, has been true. If they said it's perfected each time then I could see your point. I've been to many customers that have done in-place upgrades of the OS with great success. Is it the preferred method assuming you have a choice? I think everyone would agree a clean install is always preferred. But it's a very valid option given some of the challenges that can crop up.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, July 16, 2006 6:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

I agree with Jorge on this. Every new OS MSFT comes out with they tell you that it is much better at handling upgrades than the last and how bad the last one actually did it. So if someone tells me K3 does it great I tell them to say that when say LongHorn comes out. :)

Anyway, you will have legacy settings that stay around when you do an upgrade say like the replication holdback reg settings, etc when you do an upgrade and it could be confusing later when troubleshooting something. Unless there is absolutely no way possible to do a fresh install then I would recommend going that way.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Clean install VS Upgrade of Windows 2003
Oh I'm definitely not saying it isn't getting better. It truly is. But with each release they tell you it is great and go ahead and do it and then the next rev is when they tell you all the things that were done wrong that they now do fine. While they don't tell you it is perfect, you certainly could get that impression when dealing with them and the propaganda that is released.

It is the same with all of the MSFT products though, I had an OSS guy chewing me out for it just this week how MSFT tells you how great the product is until the next rev and then they tell you how horrible the last was and how this one fixes everything. I really didn't debate the topic as I have been onsite at MSFT for different events in a two week consecutive period where the first week you are looking at the current product and they are telling you how great it is and it doesn't have perf issues etc that you may have heard about and then the next week you're there for a pre-release NDA event and they are telling you how crappy the old (current that you just saw the week before) product is and how all of these perf issues have been corrected, etc. I am not even saying that people are lying because it was completely different sets of people, had it been the same people I would have called them out for it.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, July 16, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

The statement that with each new OS the upgrade in place scenario has improved, at least to date, has been true. If they said it's perfected each time then I could see your point. I've been to many customers that have done in-place upgrades of the OS with great success. Is it the preferred method assuming you have a choice? I think everyone would agree a clean install is always preferred.
But it's a very valid option given some of the challenges that can crop up.
RE: [ActiveDir] Clean install VS Upgrade of Windows 2003
Drifting OT... I find myself often following behind those perfect world folks, having to break the news that their wonderful product (I've seen no monopoly by Microsoft (no pun intended); this seems an equal opportunity offense by sales folks and certain types of consultants of all vendors). I think I get a much better response by customers when I don't simply read them the marketing material but actually describe the pros and cons in all their gory detail.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, July 16, 2006 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

Oh I'm definitely not saying it isn't getting better. It truly is. But with each release they tell you it is great and go ahead and do it and then the next rev is when they tell you all the things that were done wrong that they now do fine. While they don't tell you it is perfect, you certainly could get that impression when dealing with them and the propaganda that is released.

It is the same with all of the MSFT products though, I had an OSS guy chewing me out for it just this week how MSFT tells you how great the product is until the next rev and then they tell you how horrible the last was and how this one fixes everything. I really didn't debate the topic as I have been onsite at MSFT for different events in a two week consecutive period where the first week you are looking at the current product and they are telling you how great it is and it doesn't have perf issues etc that you may have heard about and then the next week you're there for a pre-release NDA event and they are telling you how crappy the old (current that you just saw the week before) product is and how all of these perf issues have been corrected, etc. I am not even saying that people are lying because it was completely different sets of people, had it been the same people I would have called them out for it.