[ActiveDir] Disabling the file open security warning for certain VBS scripts

2006-07-21 Thread neil.ruston
Title: Disabling the file open security warning for certain VBS scripts

I have a bunch of vbs scripts which are stored in SYSVOL.

They are called when a user right clicks an object in AD and chooses one of the extra functions added to the context menu (via a displaySpecifiers change).

By default, these scripts generate a file open security dialog - which I'd like to suppress.

Any ideas as to how this might be done for just a select few VBS scripts, without allowing all VBS scripts to run without a warning? The scripts could be executed from any machine in the forest.

Software restriction policy?

Code signing?

IE zone changes?

???

Thx,

neil


PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.





[ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread neil.ruston
Title: Using non-standard TLDs within Active Directory

Does anyone have experience or comments regarding the use of non-standard TLDs within a production AD forest?

E.g. x.nom

The name will be used within a production environment - a separate forest will exist for testing and QA.

I've always preferred to use standard TLDs in prod [so the name can be registered etc] and permit the non-standard TLD in test forests only.

Any comments?

Thanks,

neil



RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Peter Johnson
Title: Using non-standard TLDs within Active Directory

I've always gone the opposite way. I like the idea of using a completely non-standard TLD for my forest root so that if the company name changes etc. it has no effect on the forest. It also enables you to split the internal DNS from the external DNS structure. If the internal DNS structure is ever published to the Internet it will simply be dropped.

I always set mine up with non-standard TLDs and have never had any issues.

RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread neil.ruston
Title: Using non-standard TLDs within Active Directory

Thanks Peter.

Are we referring to the same thing?

I refer to the suffix at the end of the DNS name - e.g. I refer to 'blob' in 'neil.blob'.

I am not referring to the 'neil' part.

Does your response still hold?

neil



RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Peter Johnson
Title: Using non-standard TLDs within Active Directory

Hi Neil

Correct. The TLD is normally the last bit in the string. So in the real world Internet examples of TLDs are .com, .edu etc. plus the country codes such as .za for South Africa, which is where I'm from.

I always use something like corp.local for the forest name. I'm assuming you are going to be building a single domain forest, right?


[ActiveDir] DNS Issue

2006-07-21 Thread Wyatt, David
We have a single Windows 2003 SP1 forest/domain. DCs run AD integrated zones. We have Forwarders configured for a domain e.g. test.com with 2 IP addresses entered for the DNS servers in test.com.

We have seen a strange issue where queries for a host in the sub-domain nyc.test.com fail (even when doing an nslookup directly from the DC). When we restart the DNS service on the DC resolution succeeds for a host in nyc.test.com. After time it appears resolution fails again.

Another observation is when (after time) name resolution fails for a host in nyc.test.com and we explicitly add nyc.test.com as another Forwarder and without restarting the DNS service names in nyc.test.com resolve. Remove the forwarding to nyc.test.com and resolution fails!

Any ideas?

Regards
David


This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required.

 



RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread neil.ruston
Title: Using non-standard TLDs within Active Directory

Thanks again. We're on the same wavelength :)

I appreciate that .local can work but as you state, it's best to avoid names that can become obsolete if the company name changes.

The proposal here is to use .nom and the company name is Nomura.

...and no, it will not be a single domain forest, but let's not go there please :) I've already spent months on that subject :/

Thanks for the comments and feedback.
neil


RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Peter Johnson
Title: Using non-standard TLDs within Active Directory

That's a really good solution. So the forest root domain name would be nomura.nom and then there will be child domains below that?


RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Almeida Pinto, Jorge de
Title: Using non-standard TLDs within Active Directory

For the .local TLD, you need to be aware that it can cause issues with Mac computers:

http://support.microsoft.com/kb/836413/en-us
http://docs.info.apple.com/article.html?artnum=107800

Jorge

  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  [EMAIL PROTECTED]Sent: Friday, July 21, 2006 
  12:34To: ActiveDir@mail.activedir.orgSubject: RE: 
  [ActiveDir] Using non-standard TLDs within Active 
  Directory
  
  Thanks again. We're on the same wave length 
  :)
   
  I appreciate that .local can work but as you state, it's 
  best to avoid names that can become obsolete if the company name 
  changes.
   
  The proposal here is to use .nom and the 
  company name is Nomura.
   
  ...and no, it will not be a single domain forest, but let's not go 
  there please :) I've already spent months on that subject 
  :/
   
  Thanks for the comments and feedback.
  neil
  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Peter 
  JohnsonSent: 21 July 2006 10:30To: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Using 
  non-standard TLDs within Active Directory
  
  
  Hi 
  Neil
   
  Correct. The TLD is 
  the normally the last bit the in the string. So in the real world Internet 
  examples of TLD’s are .com,.edu etc plus the country codes such as .za for 
  South 
  Africa which is where I from. 
  
   
  I always something 
  like corp.local for the forest name. I assuming you are going to be building a 
  single domain forest right?
   
   
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of 
  [EMAIL PROTECTED]Sent: 21 July 2006 11:19To: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Using 
  non-standard TLDs within Active Directory
   
  Thanks 
  Peter.
   
  Are we referring to 
  same thing?
   
  I refer to the suffix 
  at the end of the DNS name - e.g. I refer to 'blob' in 
  'neil.blob'.
   
  I am not referring to 
  the 'neil' part.
   
  Does your response 
  still hold?
   
   
  neil
   
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Peter 
  JohnsonSent: 21 July 2006 
  09:56To: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Using 
  non-standard TLDs within Active Directory
  I’ve always gone the 
  opposite way. I like the idea of using a completely non-standard TLD for my 
  forest root so that if the company name changes etc it has no effect on the 
  forest. It also enables you to split the internal DNS from the external DNS 
  structure. If the internal DNS structure is ever published to the Internet it 
  will simply be dropped. 
   
  I always set mine up 
  with non-standard TLD’s and have never had any 
  issues.
   
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 21 July 2006 10:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using non-standard TLDs within Active Directory

Does anyone have experience or comments regarding the use of non-standard TLDs within a production AD forest?

E.g. x.nom

The name will be used within a production environment - a separate forest will exist for testing and QA.

I've always preferred to use standard TLDs in prod [so the name can be registered etc.] and permit the non-standard TLD in test forests only.

Any comments?

Thanks, neil
  

RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Sakari Kouti
Title: Using non-standard TLDs within Active Directory



Hi Neil and Peter,
 
If two companies both happen to choose corp.local for their forest name, they cannot create forest trusts if the need later arises. Of course, if one of them is a chemical company on the west coast and the other is a media company on the west coast, the risk is quite small.

But still, the only way to make sure that you can later create forest trusts (without renaming one of the forests) with any other company/forest is to register your forest name (or use a delegated one, such as corp.microsoft.com).
 
Yours, Sakari


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 21 July 2006 12:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Hi Neil

Correct. The TLD is normally the last bit in the string. So in the real-world Internet, examples of TLDs are .com, .edu etc. plus the country codes such as .za for South Africa, which is where I'm from.

I always use something like corp.local for the forest name. I'm assuming you are going to be building a single domain forest, right?
 
 





RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread neil.ruston
Title: Using non-standard TLDs within Active Directory



It will be "something".nom, where "something" is to be determined.

Whether children or additional trees, is also to be determined.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 21 July 2006 11:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

That's a really good solution. So the forest root domain name would be nomura.nom and then there will be child domains below that?
 
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 21 July 2006 12:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Thanks again. We're on the same wavelength :)

I appreciate that .local can work but, as you state, it's best to avoid names that can become obsolete if the company name changes.

The proposal here is to use .nom and the company name is Nomura.

...and no, it will not be a single domain forest, but let's not go there please :) I've already spent months on that subject :/

Thanks for the comments and feedback.

neil
 




RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Peter Johnson
Title: Using non-standard TLDs within Active Directory








That's a gotcha I hadn't thought of. However I've normally dealt with smaller companies where this is less of an issue. I also tend to use the companyname.local method.

 









RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Almeida Pinto, Jorge de
Title: Using non-standard TLDs within Active Directory



I guess CORP.MICROSOFT.COM would still be an issue when trying to create a trust when the other company has CORP.SOMETHING.ELSE.

Reason: both have the same NetBIOS name, which is CORP (assuming the NetBIOS name is always the leftmost part of the DNS name).

Jorge

  
  

RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Peter Johnson
Title: Using non-standard TLDs within Active Directory








Well, something.nom would work :) :) From an AD perspective so would nom.de-plume. Sorry, it's a weak pun but I couldn't resist.

Have a great weekend

 

 










RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Peter Johnson
Title: Using non-standard TLDs within Active Directory








Hi Jorge. Is the issue related to NetBIOS names or DNS names? i.e. If you have corp.local and corp.local with NetBIOS names of corp1 and corp2, what would happen?

 










RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread AFidel

For this and other reasons I like to use the .ad or .ads TLD for my Active Directory.

Andrew Fidel





"Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07/21/2006 06:43 AM
Please respond to ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

For the LOCAL TLD, you need to be aware that it can cause issues with Mac computers:

http://support.microsoft.com/kb/836413/en-us
http://docs.info.apple.com/article.html?artnum=107800

Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 21, 2006 12:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Thanks again. We're on the same wavelength :)

I appreciate that .local can work but, as you state, it's best to avoid names that can become obsolete if the company name changes.

The proposal here is to use .nom and the company name is Nomura.

...and no, it will not be a single domain forest, but let's not go there please :) I've already spent months on that subject :/

Thanks for the comments and feedback.
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 21 July 2006 10:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Hi Neil

Correct. The TLD is normally the last bit in the string. So in the real world Internet examples of TLDs are .com, .edu etc. plus the country codes such as .za for South Africa, which is where I'm from.

I always use something like corp.local for the forest name. I'm assuming you are going to be building a single domain forest, right?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 21 July 2006 11:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Thanks Peter.

Are we referring to the same thing?

I refer to the suffix at the end of the DNS name - e.g. I refer to 'blob' in 'neil.blob'.

I am not referring to the 'neil' part.

Does your response still hold?

neil


RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Almeida Pinto, Jorge de
Title: Using non-standard TLDs within Active Directory



Both endpoints of a trust must have unique DNS and NetBIOS names when talking about trusts between AD domains/forests. Either the DNS name or the NetBIOS name can only exist on one of the endpoints, not both.

jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Friday, July 21, 2006 13:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Hi Jorge. Is the issue related to NetBIOS names or DNS names? I.e. if you have corp.local and corp.local with NetBIOS names of corp1 and corp2, what would happen?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 21 July 2006 13:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

I guess CORP.MICROSOFT.COM would still be an issue when trying to create a trust when the other company has CORP.SOMETHING.ELSE

Reason: both have the same NetBIOS name, which is CORP (assuming the NetBIOS name is always the leftmost part of the DNS name).

Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Friday, July 21, 2006 12:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Hi Neil and Peter,

If two companies both happen to choose corp.local for their forest name, they cannot create forest trusts, if the need later arises. Of course, if one of them is a chemical company on the west coast and the other is a media company on the west coast, the risk is quite small.

But still, the only way to make sure that you can later create forest trusts (without renaming one of the forests) with any other company/forest is to register your forest name (or use a delegated one, such as corp.microsoft.com).

Yours,
Sakari


RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread neil.ruston
Title: Using non-standard TLDs within Active Directory



"But still, the only way to make sure that you can later create forest trusts (without renaming one of the forests) with any other company/forest is to register your forest name (or use a delegated one, such as corp.microsoft.com)."

...and that's (one of) my points. If we use a non-standard TLD then we cannot register the name and may run into issues.

Thanks for the feedback.
neil



Re: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread jef
Title: Using non-standard TLDs within Active Directory



neil,

In a re-design we are moving away from using our existing COM TLD, and moving to a CORP TLD.

I.e. COMPANY.COM is now COMPANY.CORP for the internal Forest name and DNS zone.

There are issues with having COMPANY.COM internal and external from a DNS routing perspective, so we want to remove any possible assumption that they are the same thing.

Thanks,

Jef


RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Peter Johnson








Also a good idea.

Re: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Matheesha Weerasinghe

Well it would be a good idea as long as no one thinks "crikey, that's a great idea" and people start making corp.ad or corp.ads as their forest name ;-)

As I understand it, the forest names need to be unique DNS names. If you have two corp.local forests, how would you do conditional forwarding and the like? What happens when a SRV record query is sent by a client who is possibly able to query SRV records for both forests?

M@


Re: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread AdamT

On 21/07/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


The proposal here is to use .nom and the company name is Nomura.


Which is all fine and dandy until the French get envious of the .name
TLD and decide they're going to have their own equivalent...

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
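Added example, not code from the thread or from any of the posters: a Python pre-flight check for a proposed forest root name that encodes the points raised above (Jorge's rule that DNS and NetBIOS names must be unique across trust endpoints, Sakari's point that an unregistrable name blocks future forest trusts, the .local/Mac caveat, and AdamT's point that a made-up TLD may later exist publicly). The list of "standard" TLDs, the trust-partner names and the default NetBIOS derivation rule are assumptions, labelled in the code.

```python
"""Pre-flight checks for a proposed AD forest root DNS name."""
import re

# Assumption / constructed sample, not a full registry list: TLDs treated
# as registrable ("standard") for the purposes of this check.
STANDARD_TLDS = {"com", "net", "org", "edu", "gov", "za", "uk", "fi", "jp"}
# TLD reserved for multicast DNS; Mac clients may resolve it via mDNS only.
MDNS_TLDS = {"local"}
# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, <=63.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def default_netbios(dns_name):
    """Default NetBIOS name as assumed in the thread: the leftmost DNS
    label, upper-cased and cut to 15 characters. It can be overridden
    at promotion time, so callers may pass an explicit name instead."""
    return dns_name.split(".")[0].upper()[:15]


def check_forest_name(candidate, existing, netbios=None):
    """Return a list of (severity, message) findings for ``candidate``.

    ``existing`` is an iterable of (dns_name, netbios_name) pairs for the
    forests/domains this forest may later need to trust. An empty list
    means no objection was found."""
    findings = []
    name = candidate.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        findings.append(("error", f"{candidate!r} is not a valid multi-label DNS name"))
        return findings

    tld = labels[-1]
    nb = (netbios or default_netbios(name)).upper()

    # TLD checks: .local collides with mDNS; any other non-standard TLD
    # cannot be registered and could be delegated publicly in future.
    if tld in MDNS_TLDS:
        findings.append(("warn", f".{tld} is claimed by mDNS; Mac clients may not resolve it"))
    elif tld not in STANDARD_TLDS:
        findings.append(("warn", f".{tld} is non-standard: it cannot be registered, and a "
                                 f"future public .{tld} would collide with it"))

    # Trust-endpoint uniqueness: both the DNS name and the NetBIOS name
    # must differ from every partner the forest may need to trust.
    for other_dns, other_nb in existing:
        od = other_dns.strip().rstrip(".").lower()
        if od == name:
            findings.append(("error", f"DNS name {name} is already used by a trust "
                                      f"partner; a trust cannot be created"))
        elif od.endswith("." + name) or name.endswith("." + od):
            findings.append(("warn", f"{name} overlaps the {od} namespace; conditional "
                                     f"forwarding and SRV lookups become ambiguous"))
        if other_nb.strip().upper() == nb:
            findings.append(("error", f"NetBIOS name {nb} is already used by {od}; "
                                      f"a trust cannot be created"))
    return findings


if __name__ == "__main__":
    # Constructed trust partners, not real forests.
    partners = [("corp.contoso.example", "CORP"), ("x.nom", "X")]
    for cand in ("corp.local", "corp.nom", "x.nom", "ad.example.com"):
        print(cand, check_forest_name(cand, partners))
```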


RE: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread neil.ruston
Title: Using non-standard TLDs within Active Directory



Thanks Jef. Obviously, this can be avoided by choosing a separate name for internal and external DNS zones.

One such approach is to use .net inside and .com outside. Either way, I'd prefer to register the names (int and ext) so as to avoid future issues.

I appreciate all the feedback :)

neil


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: 21 July 2006 13:30To: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Using 
non-standard TLDs within Active Directory

neil,
 
In a re-design we are moving away from using our 
existing COM TLD, and moving to a CORP TLD.
 
IE -   COMPANY.COM is now COMPANY.CORP 
for the internal Forest name and DNS zone.
 
There are issues with having COMPANY.COM internal 
and external from a DNS routing perspective, so we want to remove any possibly 
assumption that they are the same thing.
 
Thanks,
 
Jef

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Friday, July 21, 2006 4:19 AM
  Subject: RE: [ActiveDir] Using 
  non-standard TLDs within Active Directory
  
  Thanks Peter.
   
  Are we referring to the same thing?
   
  I refer to the suffix at the end of the DNS name - e.g. I refer to 'blob' in 'neil.blob'.
   
  I am not referring to the 'neil' part.
   
  Does your response still hold?
   
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
  Sent: 21 July 2006 09:56
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory
  
  
  I’ve always gone the opposite way. I like the idea of using a completely non-standard TLD for my forest root so that if the company name changes etc it has no effect on the forest. It also enables you to split the internal DNS from the external DNS structure. If the internal DNS structure is ever published to the Internet it will simply be dropped.
   
  I always set mine up with non-standard TLDs and have never had any issues.
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: 21 July 2006 10:20
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Using non-standard TLDs within Active Directory
   
  Does anyone have experience or comments regarding the use of non-standard TLDs within a production AD forest?
  E.g. x.nom
  The name will be used within a production environment - a separate forest will exist for testing and QA.
  I've always preferred to use standard TLDs in prod [so the name can be registered etc] and permit the non-standard TLD in test forests only.
  Any comments?
  
  Thanks, neil
  

RE: [ActiveDir] Disabling the file open security warning for certain VBS scripts

2006-07-21 Thread Kevin Brunson
Title: Disabling the file open security warning for certain VBS scripts








You can’t turn it off for specific
files, or even file types.  You can set it via Internet Explorer GPO to turn
off the warning altogether, but I don’t think you really want that.

There are two options that I know of.  You
can either use a trusted source for code-signing, or you can store the files
locally on every machine in the environment.  If it is stored locally Windows
doesn’t consider it to be a threat.   You would have to change the path
to the vbs scripts to something that resolves locally on the machines
(c:\scripts\..., for example).  Of course the admin overhead on that becomes
insane.  If every user connects to your network from a Citrix server or
something like that, it is a little more doable.  Otherwise code-signing is
really the only viable option.  

 










RE: [ActiveDir] Disabling the file open security warning for certain VBS scripts

2006-07-21 Thread neil.ruston
Title: Disabling the file open security warning for certain VBS scripts



Thanks Kevin. I thought as much.
 
The option to store the files locally is not viable - there are ~15,000 machines :)
 
Code signing may be viable although I'm not sure there is a single, trusted PKI within the org...
 
 
Thanks again,
neil



RE: [ActiveDir] Disabling the file open security warning for certain VBS scripts

2006-07-21 Thread Ken Cornetet
Title: Disabling the file open security warning for certain VBS scripts



You could add all of the possible source servers to your IE 
"Local Intranet" zone via group policy.



RE: [ActiveDir] Disabling the file open security warning for certain VBS scripts

2006-07-21 Thread neil.ruston
Title: Disabling the file open security warning for certain VBS scripts



That'd be all 15,000 :) not sure I'd maintain such a list 
either - machines are added and removed on an hourly basis 
:/



RE: [ActiveDir] Disabling the file open security warning for certain VBS scripts

2006-07-21 Thread Kevin Brunson
Title: Disabling the file open security warning for certain VBS scripts








I don’t think it matters if they are in the Local Intranet or not.  It is the unsigned code that XP SP2 and Win2k3 SP1 don’t like.  It is going to block unsigned code from any network source.  I dealt with this for a customer who was running a custom app during login.  It was calling a vbscript from a domain controller in the same subnet, and every time it ran it gave the security warning.  The only way to fix it was to sign it or turn off the warning in IE for the entire domain.  I think it is the “Check for Signatures on Downloaded Programs” checkbox in Internet Options > Advanced.

 









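Kevin's answer settles on signing the scripts, which raises the practical question of which SYSVOL scripts are actually signed and whether the signer chains to a root the clients trust (neil's "single, trusted PKI" concern). The PowerShell audit below is an added example, not code from the thread; the SYSVOL path and domain name are constructed placeholders.

```powershell
# Added example, not from the thread: audit Authenticode signatures on the VBS
# scripts that the display-specifier context menu launches from SYSVOL.
# The path below is a constructed placeholder; substitute your own domain.
param(
    [string]$ScriptRoot = '\\contoso.example\SYSVOL\contoso.example\scripts\ad-menu'
)

function Get-VbsSignatureReport {
    param([string]$Root)

    Get-ChildItem -Path $Root -Filter '*.vbs' -Recurse -File | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert    = $sig.SignerCertificate
        $signer  = ''
        $expires = $null
        $chainOk = $false
        $root    = ''
        if ($cert) {
            $signer  = $cert.Subject
            $expires = $cert.NotAfter
            # Status 'Valid' only means the signature verifies on *this* machine.
            # Build the chain explicitly so a signer issued by an internal CA that
            # the clients do not trust shows up here rather than on 15,000 desktops.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'
            $chainOk = $chain.Build($cert)
            $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
            $root = $last.Certificate.Subject
        }
        [pscustomobject]@{
            Script  = $_.FullName
            Status  = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer  = $signer
            Expires = $expires
            ChainOk = $chainOk
            Root    = $root
        }
    }
}

$report = Get-VbsSignatureReport -Root $ScriptRoot

# Anything that is not Valid with a good chain will still raise the
# "Open File - Security Warning" on XP SP2 / 2003 SP1 clients.
$report | Where-Object { $_.Status -ne 'Valid' -or -not $_.ChainOk } |
    Format-Table Script, Status, Signer, Root -AutoSize

# Signed scripts whose certificate expires within 30 days need re-signing, unless
# they were timestamped by a trusted TSA at signing time, which keeps the
# signature valid past the certificate's expiry.
$report | Where-Object { $_.Status -eq 'Valid' -and $_.Expires -lt (Get-Date).AddDays(30) } |
    Format-Table Script, Signer, Expires -AutoSize
```

Run it from a machine that has the same trusted root store as the clients; a chain that builds on the signing workstation but not on a standard desktop is exactly the case the report is meant to catch.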

[ActiveDir] Domain Trusts.

2006-07-21 Thread Matt Hargraves
I've done some looking around on Microsoft's site, but can't find the information that I need.

What can be done with/to the automatic trusts that are created when a new tree is created in a forest and/or a new subdomain is created?

I understand that 2-way transitive trusts are created, but can I break that or alter it in any way and if so, what way can those trusts be changed?

One other quick question, as long as I'm asking: what is the impact to a parent domain's DIT database when you create a subdomain, if any?



RE: [ActiveDir] Domain Trusts.

2006-07-21 Thread Almeida Pinto, Jorge de




>>>What can be done with/to the automatic trusts that are created when a new tree is created in a forest and/or a new subdomain is created?

nothing

>>>I understand that 2-way transitive trusts are created, but can I break that or alter it in any way and if so, what way can those trusts be changed?

no, nothing
you don't want to do that as, amongst others, replication will break
 
what are you trying to achieve?
 
If you need isolation or something similar, the way to go is a separate forest
 
the DIT of a DC in some domain will grow if it is a GC and another domain is added to the forest
 


Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :



This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.



RE: [ActiveDir] Domain Trusts.

2006-07-21 Thread Kevin Brunson








I guess the thing to remember about the
DIT file is that it will be different on every domain controller.  If it is a
global catalog it might very well be bigger than the DIT file on another domain
controller that is not a GC.  It will also depend on whether or not the
ntds.dit has been defragged offline.  

 










RE: [ActiveDir] Domain Trusts.

2006-07-21 Thread Alex Alborzfard








When is offline defragging the DIT file recommended:
to reduce its size?

What other factors impact (increase) its
size: # of objects, FSMO roles, AD integrated DNS, etc.?

 



Alex












Re: [ActiveDir] Domain Trusts.

2006-07-21 Thread Matt Hargraves
So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest?

The only way to have a non 2-way trust is to make a separate forest?


[ActiveDir] OT: Microsoft Acquires Winternals Software

2006-07-21 Thread Thommes, Michael M.
Title: OT: Microsoft Acquires Winternals Software






You may find this of interest (from today’s WServerNews):

Mike Thommes

=

Microsoft Acquires Winternals Software

Mark Russinovich and Bryce Cogswell have been snagged up by Redmond. And they deserve to be, as they have been making significant and very useful contributions to the Windows Market. Congrats from all of us at Sunbelt Software. Current Winternals products will be withdrawn from the market as they're integrated into existing or new Microsoft product offerings. The Sysinternals community site and tools will likely continue to be available, but that is not completely sure, so grab those tools while you can. Mark will become one of only 14 Microsoft Technical Fellows, taking his place alongside legends like Windows NT guru Dave Cutler and Jim Gray. Mark and Bryce are looking forward to making Windows an even better platform for all of us, and I'm sure they will. Official Press Release at:
http://www.wservernews.com/30R633/060724-Winternals






RE: [ActiveDir] Domain Trusts.

2006-07-21 Thread Almeida Pinto, Jorge de
1-yep
2-yep
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :



From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.


So basically there's no way to have a domain in a forest that doesn't fully 
trust every other domain in the forest?

The only way to have a non 2-way trust is to make a separate forest?




RE: [ActiveDir] [OT] Why not browsing - was Multihomed Domain Controllers

2006-07-21 Thread joe



Laura, where did you pop out of? 
 
Good to see you re-engaging again. Long time no see posts 
from.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Sunday, July 16, 2006 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Why not browsing - was Multihomed Domain Controllers

With 
the Print Management Console that was introduced with Win2K3 R2, managing 
printers is *significantly* easier and ACLing them appropriately becomes a more 
realistic task. It's also now downloadable separately from R2 and will run on 
Win2K3 SP1+.
 
http://www.microsoft.com/downloads/details.aspx?FamilyID=83066ddc-bc96-4418-a629-48c8abd2c7a0&displaylang=en
 
Laura

   
   
  The second is to publish resources in Active Directory. 
  This is fairly common for printers though more and more I seem to be seeing 
  people just sticking a sign up on local printers with the queue name and DNS 
  name to avoid someone moron from accidently picking a printer somewhere he 
  shouldn't be printing and sending some huge print job to it. Or even worse, 
  purposely looking for printers with capabilties they want but not really a 
  printer they should be able to use so in order to stop them you have to start 
  ACLing the printers which can be a pain to manage - an example here would be 
  giant plotters capable of doing wall sized plots or really nice die transfer 
  printers or high high end color laser 
printers.


RE: OT: adfind feature request (was RE: [ActiveDir] User extraction)

2006-07-21 Thread joe



Submit it via email and maybe I will see what I can do 
about it... 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, July 20, 2006 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: OT: adfind feature request (was RE: [ActiveDir] User extraction)

Hmm.. Maybe the wishlist idea was a wish on my part :)

On 7/19/06, joe <[EMAIL PROTECTED]> wrote:

  
  
  Nope no wishlist on the site, people can submit through email or newsgroup post or just asking me... I added this one with four question marks after it meaning I am not sure if I fully agree with the value but respect Michael's opinion and think it will require the new overall flexible output framework I have been working on and can't be a quick addon to what is there now.
  
   
   
  You can SORT OF do it now if you know that all fields you specify will be populated. The CSV option allows you to specify a default value for attributes that have no value, so something like this for instance would work great:

  adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -csv DISABLED samaccountname status

  G:\Virtuals>adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -csv DISABLED samaccountname status
  "dn","samaccountname","status"
  "CN=Guest,CN=Users,DC=test,DC=loc","Guest","DISABLED"
  "CN=krbtgt,CN=Users,DC=test,DC=loc","krbtgt","DISABLED"
  
   
   
  That works 
  because any object that matched would have a sAMAccountname 
  and there is no attribute called status so it would always be null and so 
  would always be populated with the string specified with the CSV switch. 
  
   
  It could work with the previous query as well if you knew for sure that first and last name were always populated, otherwise you would start seeing DISABLED popping up in those fields if they weren't populated.
  
   
   
    
  joe
   
   
  
  --
  O'Reilly 
  Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Wednesday, July 19, 2006 9:37 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: OT: adfind feature request (was RE: [ActiveDir] User extraction)
   
  
  
  Ah.  I think joe has a wishlist on his site.  Have you tried 
  posting it there? 
   
  In the meantime, you might consider just putting something in the stream 
  and piping it to the file in between the types.  Not as clean, but... You 
  could also write a script wrapper that calls this and appends it for 
  you.  FWIW. 
   
  Al 
  On 7/19/06, Michael B. Smith <[EMAIL PROTECTED]> wrote:
  


'Cuz then I can follow it with the second request, appended into the proper file, and get the non-disabled accounts. To wit:

if exists output.txt del output.txt
adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -csv -nodn givenname sn text:disabled >>output.txt
adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2))" -csv -nodn givenname sn text:enabled >>output.txt
 
Am I lazy? Heck yes. But 
that feature would save me several manual steps.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, July 19, 2006 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: OT: adfind feature request (was RE: [ActiveDir] User extraction)


Just for my benefit, if you use that query all the records returned are 
disabled accounts, so what would be the point of adding that text via the 
tool? What's the benefit? 
 
On 7/18/06, Michael B. Smith <[EMAIL PROTECTED]> wrote:

  Feature request: give me a way, in the attribute list, to specify arbitrary text for output. E.g., in this case for disabled:

  adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -csv -nodn givenname sn text:disabled

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
  Sent: Tuesday, July 18, 2006 8:35 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] User extraction

  No that is what bitwise filters are all about, so you can focus in on just the disabled bit which happens to be bit 1 which is value 2. So to find all disabled users in a domain you do something like

  adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -dn

  That will dump the DN of every disabled user, if you have a large domain with lots of objects that aren't users, especially say

RE: [ActiveDir] Replmon vs. dssite.msc

2006-07-21 Thread joe



I actually haven't looked at ReplMon is at least 3 years so 
I can't really speak to it. But I would say trust Sites and Services because I 
have investigated how it does things in some depth and I know it is doing it 
correctly.
 
  joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, July 19, 2006 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replmon vs. dssite.msc


Hi –
 
I am trying to promote a new DC in a 
branch location. I also want this to be the bridgehead for IP at this Site. The 
promo seems to have worked, but there are some replication 
problems.
 
Why would replmon show different 
replication partners than the Active Directory Sites and Services (dssite.msc) 
snap-in? I am running both tools on the same machine and have confirmed that 
they connect to the same machine.
 
Thanks.
 
-- 
nme


RE: [ActiveDir] Account Password Expiration Tool

2006-07-21 Thread joe
Thank you! 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, July 12, 2006 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

re:"Anyone who has TAMs... Start screaming now..."

Done from here.

-DaveC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

A comprehensive list of attributes and values doesn't exist; I have
thought about setting up a dynamic webpage backending into a MySQL DB on
my website for a long time but just haven't done it. 

However for userAccountControl you can look at this enumeration:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp

If you go up one level from that you will find several enumerations for
some of the attributes. Keep in mind that there are some flags that
actually are valid for ADSI in general but not for LDAP, for instance,
ADS_UF_LOCKOUT works for the WinNT provider but not the LDAP provider.
Again, no comprehensive docs exist for that, it is all one offs that
people run into.
Actually that is pretty pathetic in my opinion but hey, at least we get
some info.


Now for your other specific questions... 

All user accounts that must change password at next logon, that is
handled by a combination of the pwdLastSet attribute and the domain
policy for password aging which is in the maxPwdAge attribute and the
current time/date and the userAccountControl. If the account is set to
not expire, it won't ever force a password change, if that isn't set
then there is a combination of the password age and the maxpwdage and
the current time. The easiest way to deal with this is findexpacc. If
you just want all accounts that have never set a password or have been
forced to change password at next logon that is a little easier, you
look for pwdLastSet=0.

All computers running Win2K pro would be handled by looking at the
operatingsystem attribute. I don't recall the actual string for Windows
2000 Professional but I expect that is the string, Windows Server 2003
is Windows Server 2003, Windows XP Pro is Windows XP Professional. MSFT,
again, in their infinite wisdom currently has Vista set as Windows Vista
(copyright
symbol) Ultimate. The copyright symbol is completely moronic in there as
it blows out people trying to look for the machines with command line
tools with really efficient queries. They have no choice but to wildcard
the strings. I bugged it, it was rejected, Eric jumped into the fray and
got it going again but just the same it seems we may end up losing and
it getting out into the OEM launch. Anyone who has TAMs... Start
screaming now, that is going to be a pain if it gets out there. I refuse
to figure out a way around it and will just say that MSFT was stupid and
didn't listen when I pitched it as a bug back in Beta 1. 

For excldn, it probably didn't work due to misunderstanding or mistake,
my code is perfect. ;o)  No seriously, if you have spaces in strings
that are passed as command line parameters, you need to use quotes.
Special characters need to be escaped, this isn't an issue with oldcmp,
it is the command line interpreter interpreting things in the way you
type them instead of how you intend them and passing that to my tools.
Also if you pass multiple DNs the proper delimiter needs to be supplied
(by default I think it is ; but would have to look to be sure) or else
adfind doesn't know what you mean. I am also not good at divining intent
versus what was typed.

  joe



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Tuesday, July 11, 2006 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

Pardon my ignorance, but I have one more question: where do I get a list
of all of user or computer object attributes and values as it was used
in "(useraccountcontrol:AND:=65536)"? 
For instance if I want to enumerate all the user accounts with User Must
Change Password at Next Logon" or computers that are running WIN2K PRO.

Also I noticed the OU exclusion switch (-excldn) did not work in the
case of multiple OUs. Is it perhaps because they had space in their
names? 

TIA

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Password Expiration Tool

This should do it

oldcmp -report -users -bit -af "(useraccountcontrol:AND:=65536)" -sh 

If you want a listing of all accounts with that set you would add -age
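
The posts above lean on three raw attribute values: the userAccountControl bits (2 for a disabled account, 65536 for a password that never expires), pwdLastSet (0 meaning the user must change the password at next logon) and the domain's maxPwdAge. The following Python is an added example, not adfind or oldcmp code, that turns those raw values into the status joe describes and spells out the LDAP matching-rule filter that the `:AND:` shorthand stands for; the account values and the 42-day policy are constructed for illustration.

```python
"""Added example (not part of the thread): classify accounts from the raw
Active Directory attribute values discussed above and build the LDAP
bitwise filter that adfind's ':AND:' shorthand stands for."""
from datetime import datetime, timedelta, timezone

# userAccountControl bits named in the thread (ADS_USER_FLAG_ENUM values)
ADS_UF_ACCOUNTDISABLE = 0x0002       # "the disabled bit ... bit 1 which is value 2"
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # 65536, as in the oldcmp filter

# LDAP_MATCHING_RULE_BIT_AND: the extensible-match rule a ':AND:' filter uses
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# pwdLastSet and maxPwdAge are Integer8 values counted in 100-nanosecond
# ticks; absolute timestamps start at 1601-01-01 UTC (FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
MAXPWDAGE_NEVER = -0x8000000000000000  # domain setting "passwords never expire"


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an absolute Integer8 timestamp (e.g. pwdLastSet) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to construct sample values."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def max_pwd_age_to_timedelta(max_pwd_age: int):
    """maxPwdAge is stored negative; 0 or the 'never' sentinel means no aging."""
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    return timedelta(microseconds=-max_pwd_age // 10)


def bit_and_filter(attribute: str, mask: int) -> str:
    """Expand 'attribute:AND:=mask' into the matching-rule form LDAP expects."""
    return f"({attribute}:{LDAP_MATCHING_RULE_BIT_AND}:={mask})"


def disabled_users_filter() -> str:
    """The disabled-user query from the thread, as a standard LDAP filter."""
    return ("(&(objectcategory=person)(objectclass=user)"
            + bit_and_filter("userAccountControl", ADS_UF_ACCOUNTDISABLE) + ")")


def password_status(uac: int, pwd_last_set: int, max_pwd_age: int, now: datetime) -> dict:
    """Apply the rules joe lists: pwdLastSet=0 means a change is forced at next
    logon; DONT_EXPIRE_PASSWD (or a domain that never ages passwords) means no
    expiry; otherwise expiry is pwdLastSet + maxPwdAge compared with now."""
    result = {
        "disabled": bool(uac & ADS_UF_ACCOUNTDISABLE),
        "never_expires": bool(uac & ADS_UF_DONT_EXPIRE_PASSWD),
        "expires_at": None,
    }
    if pwd_last_set == 0:
        result["state"] = "must_change_at_next_logon"
        return result
    age = max_pwd_age_to_timedelta(max_pwd_age)
    if result["never_expires"] or age is None:
        result["state"] = "not_aging"
        return result
    result["expires_at"] = filetime_to_datetime(pwd_last_set) + age
    result["state"] = "expired" if result["expires_at"] <= now else "current"
    return result


def run_demo() -> dict:
    """Constructed sample accounts evaluated as of the thread's date."""
    now = datetime(2006, 7, 21, tzinfo=timezone.utc)
    max_age_42_days = -42 * 86400 * TICKS_PER_SECOND      # constructed 42-day policy
    set_jul_1 = datetime_to_filetime(datetime(2006, 7, 1, tzinfo=timezone.utc))
    set_may_1 = datetime_to_filetime(datetime(2006, 5, 1, tzinfo=timezone.utc))
    accounts = {  # (userAccountControl, pwdLastSet) per constructed account
        "alice":      (ADS_UF_NORMAL_ACCOUNT, set_jul_1),
        "bob":        (ADS_UF_NORMAL_ACCOUNT, set_may_1),
        "newhire":    (ADS_UF_NORMAL_ACCOUNT, 0),
        "svc_backup": (ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD, set_may_1),
        "guest":      (ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE, set_jul_1),
    }
    return {name: password_status(uac, pls, max_age_42_days, now)
            for name, (uac, pls) in accounts.items()}


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:<11} {status['state']:<26} disabled={status['disabled']} "
              f"expires_at={status['expires_at']}")
    print(disabled_users_filter())
```

With the constructed 42-day policy, alice's password set on 1 July is still current on 21 July while bob's from 1 May expired on 12 June; the filter string is what a plain LDAP client has to send where adfind accepts `useraccountcontrol:AND:=2`.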

RE: [ActiveDir] root admin account able to be locked out?

2006-07-21 Thread joe
That has been my experience as well. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, July 18, 2006 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] root admin account able to be locked out?


My experience with this is
 
the default ADMINISTRATOR can be locked out (wait before shouting!)
what I mean is that if you have a lockout threshold of lets say 5, the
lockoutTime attribute will show the lockout date and time the account was
locked. In ADUC (using another custom admin account for example) you will
see the default ADMINISTRATOR is locked you will even see and event ID
644 mentioning the account lockout
 
HOWEVER here it comes...
 
while the default ADMINISTRATOR is locked, it will unlocked automatically by
the SYSTEM (DC) AS SOON AS the correct password is used (even before it is
unlocked after the unlock period)
 
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :

  _  

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 2006-07-18 20:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] root admin account able to be locked out?



Hi AD Gurus!

  We have penetration testing going on and I saw a security event log
entry that showed our root admin account getting locked out.  I was
surprised because I thought this account could never get locked out.  In
addition, we had a scheduled job that runs under the credentials of this
root account that ran successfully a couple of minutes *after* the supposed
account was locked.  (We have the standard 30 minute lockout time.)  I think
the reason that this happened was that the penetration testing really didn't
lock out the root account but did lockout the local SID 500 account that
exists on all servers (including domain controllers).  This is my belief.
My officemate says there is no such account on a DC and that the root
account could have been locked out for a short period of time but then made
active again when AD saw what the account was or that the security log entry
is just bogus.  Can someone offer a little insight into this (nope, no
dinners or cash riding on this debate!).  Thanks much!

Mike Thommes


RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

2006-07-21 Thread joe
Agreed.
 
Documentation from a vendor is labeled by me to be propaganda until I have
proven it out myself or someone I trust very much (extremely small group has
told me). 
 
As my old support manager used to say
 
"Believe none of what you hear and only half of what you see..."
 
 
  joe
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, July 16, 2006 11:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003


Drifting OT... I find myself often following behind those "perfect world"
folks, having to break the news that their wonderful product (I've seen no
monopoly by Microsoft (no pun intended); this seems an equal opportunity
offense by sales folks and certain types of consultants of all vendors).  I
think I get a much better response by customers when I don't simply read
them the marketing material but actually describe the pro's and con's in all
their gory detail.


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, July 16, 2006 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003


Oh I'm definitely not saying it isn't getting better. It truly is. But with
each release they tell you it is great and go ahead and do it and then the
next rev is when they tell you all the things that were done wrong that they
now do fine. While they don't tell you it is perfect, you certainly could
get that impression when dealing with them and the propaganda that is
released. 
 
It is the same with all of the MSFT products though, I had an OSS guy
chewing me out for it just this week how MSFT tells you how great the
product is until the next rev and then they tell you how horrible the last
was and how this one fixes everything. I really didn't debate the topic as I
have been onsite at MSFT for different events in a two week consecutive
period where the first week you are looking at the current product and they
are telling you how great it is and it doesn't have perf issues etc that you
may have heard about and then the next week you're there for a pre-release
NDA event and they are telling you how crappy the old (current that you just
saw the week before) product is and how all of these perf issues have been
corrected, etc. I am not even saying that people are lying because it was
completely different sets of people, had it been the same people I would
have called them out for it.
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, July 16, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003


The statement that with each new OS the upgrade in place scenario has
improved, at least to date, has been true.  If they said it's perfected each
time then I could see your point.  I've been to many customers that have
done in-place upgrades of the OS with great success.  Is it the preferred
method assuming you have a choice?  I think everyone would agree a clean
install is always preferred.  But it's a very valid option given some of the
challenges that can crop up.
 



  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, July 16, 2006 6:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003


I agree with Jorge on this. Every new OS MSFT comes out with they tell you
that it is much better at handling upgrades than the last and how bad the
last one actually did it. So if someone tells me K3 does it great I tell
them to say that when say LongHorn comes out. :)
 
Anyway, you will have legacy settings that stay around when you do an
upgrade say like the replication holdback reg settings, etc when you do an
upgrade and it could be confusing later when troubleshooting something.
 
Unless there is absolutely no way possible to do a fresh install then I
would recommend going that way. 
 
 
Going slightly OT, I even reinstall my personal home clients on a regular
basis (normally every 6 months but occasionally that slides depending on how
busy I am) to get away from Windows rot and clean off crap that I don't
currently use. I am also getting big into using virtual machines for most
desktop functions now so that makes things even easier as I can roll back to
a predetermined point or just pull the backup image off of a DVD that I made
when I first made the image. Of course make sure you update the image with
new patches first thing. :)  In fact right now, I am writing this email on a
virtual XP instance running with about 15 other virtuals on a machine that
is on the other side of my house.  Also all web surfing to untrusted sites
is done through a virtual I have with undo di

RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

2006-07-21 Thread joe



What joeware widget required an install and 
uninstall?
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, July 17, 2006 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Clean install VS Upgrade of Windows 2003

Perfect world scenarios are good for one thing only: understanding a known 
state.  Since this is a science, it helps to understand some known way 
points somewhere along the way, especially when explaining pros and cons.  
As for upgrades, I'd be inclined to agree with the idea of improved upgrades 
except that the upgrades only take into account the first 7 layers of the OSI 
stack.  Unfortunately, in layer 8 v1.0 there is no really good way to 
outsmart the settings and migrate them during the upgrade without just assuming 
that layer 8 v1.0 made the informed choice and did so on purpose.  In other 
words, the problem inherent in upgrades is that what was valid for the previous 
version is not necessarily something that can be changed on the fly for the 
next.  Therefore, the vendor will always have to err on the side of caution 
( i.e. choose not to break vs. overwrite) whenever possible.  You always 
have to rely on the vendor to make the *right* choices in your unique 
environment with your unique settings and requirements.  
 
Clean installs also take care of another layer 8 v1.0 problem: program 
bloat.  For some crazy reason that admin that was here when it was set up 
and for a few months after, decided to try that new widget from joeware :) and 
several other sources.  Then never uninstalled them. Or partially 
uninstalled them.  Or didn't realize that it put hooks deep into the OS and 
didn't come out clean as can happen when you change third party vendors (AV for 
example).  You're left with crud on the machine that's often undocumented 
or otherwise lost to the winds of time. (speaking of OT lost changes are 
often an artifact and a testament to the longevity of the OS. It's not unique to 
Windows, but rather a badge of courage for many shops.  Not that I agree it 
should be, but just pointing that out.) 
 
I have yet to see an inplace upgrade (define that please?) be the best 
solution to a given problem outside of upgrading the boss' kid's desktop before 
she leaves for college. 
My $0.04 worth anyway (USD)
 
On 7/16/06, David Adner <[EMAIL PROTECTED]> wrote:

  Drifting OT... I find myself often following behind those "perfect world" folks, having to break the news that their wonderful product (I've seen no monopoly by Microsoft (no pun intended); this seems an equal opportunity offense by sales folks and certain types of consultants of all vendors). I think I get a much better response by customers when I don't simply read them the marketing material but actually describe the pro's and con's in all their gory detail.

RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

2006-07-21 Thread joe



Yeah that winnt -> windows change pissed me right off. 
Windows takes longer to type... :)
 
Solution
 
www.sysinternals.com/Utilities/Junction.html
 
 
junction C:\WINNT C:\Windows
 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Monday, July 17, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003


Certainly the biggest 
problem I have come across upgrading from 2k to 2003 was because of one of these 
legacy settings.  I don’t know who at MS decided to go from “WINNT”  
to “Windows”, but it can cause some pretty serious recovery issues if you are 
not using some sort of bare metal restore.  Here’s the 
scenario:
 
You’ve got a server 
with some critical piece of software.  Because you don’t know anything 
about the software and it was the last admin that installed it you decide to 
upgrade instead of clean install.  This leaves Win2k3 running out of the 
WINNT folder instead of the Windows folder.  After a few months, the server 
loses a RAID card, corrupting the disk set, and it needs to be back up 
immediately.  You begin a fresh load of 2003 on the server, and then notice 
that it is installing to Windows, not WINNT.  After the fresh load 
finishes, you try to restore the last backup.  BSOD.  Hmm, how do you 
make Win2k3 install to WINNT, oh yeah that’s right, you don’t.  Now instead 
of restoring the last backup and system state and moving on with life you are 
installing the apps from scratch and hoping they work right.  Perhaps after 
a long weekend it is back up again, but it shouldn’t have been that 
hard.   Too bad the last admin who worked here didn’t leave any sort 
of documentation on how this thing works.  
 
Sure, you’re running 
all of your servers virtual so this doesn’t apply to you.  Bare-metal 
restore, no big deal.  Restore from tape or file, good luck.  





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, July 16, 2006 6:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003
 
I agree with Jorge on 
this. Every new OS MSFT comes out with they tell you that it is much better at 
handling upgrades than the last and how bad the last one actually did it. So if 
someone tells me K3 does it great I tell them to say that when say LongHorn 
comes out. :)
 
Anyway, you will have 
legacy settings that stay around when you do an upgrade say like the replication 
holdback reg settings, etc when you do an upgrade and it could be confusing 
later when troubleshooting something.
 
Unless there is 
absolutely no way possible to do a fresh install then I would recommend going 
that way. 
 
 
Going slightly OT, I 
even reinstall my personal home clients on a regular basis (normally every 6 
months but occasionally that slides depending on how busy I am) to get away 
from Windows rot and clean off crap that I don't currently use. I am also 
getting big into using virtual machines for most desktop functions now so that 
makes things even easier as I can roll back to a predetermined point or just 
pull the backup image off of a DVD that I made when I first made the image. Of 
course make sure you update the image with new patches first thing. :)  In 
fact right now, I am writing this email on a virtual XP instance running 
with about 15 other virtuals on a machine that is on the other side of 
my house.  Also all web surfing to untrusted sites is done 
through a virtual I have with undo disks, after I finish surfing I tell it to 
undo and it is ready for the next time. 

 
--
O'Reilly Active 
Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Sunday, July 16, 2006 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003


Personally I hate OS 
upgrades and try hard to avoid them and prefer to choose a fresh clean 
install...

Although supported, when upgrading 
an OS old stuff from the previous OS is kept and besides that you might run into 
issues because of incompatibilities with software, drivers, etc. A clean install 
in combination with the migration of the stuff hosted on the old server to the new 
server gives you a phased approach. Upgrading directly impacts the server and if 
the upgrade fails you might end up with a troubled 
server.

 

IMHO:

* avoid OS upgrades when possible 
and only use it when really necessary (like for example NT4 PDC -> W2K3 DC, 
which is mandatory)

 

 



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel    : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-21 Thread joe



If it should be, it should come from MSFT... They could 
easily configure that if they feel it is important. As a general thing, you 
really shouldn't be having to manipulate service startup order especially for 
critical services. I think I have done that maybe 5 or 10 times in 10 years and 
I am a complete hacker with this stuff.
 
   joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Thursday, July 13, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?


Not unless you make Netlogon 
dependent on DNS in the startup order. That should be a standard 
practice.
 


Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: [EMAIL PROTECTED]
Sent: Thu 7/13/2006 1:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

One point that is nearly always overlooked is the 
following, if a DC points to itself for DNS name res:
 
The DNS server service starts *after* NETLOGON, at 
startup
The DNS server service stops *before* NETLOGON, at 
shutdown
 
i.e.

at startup netlogon cannot register DNS records on the local machine until the DNS 
server starts (record reg may fail or be stalled / time out).

at shutdown or during a demotion netlogon cannot un-register DNS records on the 
local machine since DNS server has stopped (demotion will leave DC records 
intact).

For these reasons alone - I always recommend that a DC points to another (local) DNS 
server (not necessarily a DC) and then itself as secondary (or maybe even 
tertiary).
 
my 2 
penneth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 July 2006 02:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

You don't work at the post office do you? ;)
 
 
There are many many many ways to properly configure DNS.  One 
thing that helps is to think of the terms client and server vs. preferred and 
alternate only. You are configuring a preferred server and an alternate server 
that you want this DC to be a client of. 
 
DNS is a standard.  Windows 2003 DNS follows those standards 
(comments really, but let's not pick right?)  Microsoft has done some 
enhancements above and beyond that make DNS play very well in the Microsoft 
sphere[1].  You can however have DNS that is a third party DNS system, such 
as BIND.  Active Directory plays very well with such third party DNS 
systems.  You could have your domain controllers not have any DNS hosted on 
them at all.  You could have it hosted, but as a secondary zone.  You 
could also have it AD integrated meaning that you have a listener for DNS but 
the data(base) is stored in the active directory. 
 
Something to clarify: what you're talking about is making the DC a *client* 
to another DNS server that hosts the zones.  You're also talking about 
making dc1 a client of dc2 and vice versa.  That's silly, but I'll get to 
that. 
 
If you have your dns hosted on a third party system such as BIND, you'll 
have one server as the primary (not best practice, but you get the idea; in 
practice you'd have multiple for failure tolerance and WAN traffic optimization) and 
your DC would be a client of that system.    
 
If you have a traditional DNS hierarchy that has primary and secondary 
transfers, you would be mimicking BIND topology and again could configure your 
DC's to be clients of the BIND or Microsoft DNS servers. 
 
If you have the the DNS AD-Integrated, then after initial replication you 
should have the client configured to use itself as the DNS server. That'd 
be the best practice.  Before 2003 you could have an "island effect" where 
because you didn't have a full picture of the directory, you might not have all 
the records needed to fully *see* the entire DNS names list effectively creating 
an island of a DC.  In 2003 some additional code was put in to make sure 
that doesn't happen.  You need to be a client of a working DNS to join the 
domain and to find the other DC's when you get promoted.  After replication 
completes, you have a full list and there's no need to continue as a client of a 
server that has the same information you do.  
 
So, what's silly about having your server configured to be a client of a 
dns server that has the same information?  I fi

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-21 Thread joe



Hehe Bingo... keep playing and one day you may even think 
how nice it is to not have DNS on DCs at all or even on Microsoft Is that 
heresy here? If so I will say three Hail Kwan's and sprinkle some ground up 
Intel chip dust on myself...  ;o)
 
 
 
Dean wonders why I hate DNS. :)
 
http://www.gilsblog.com/index.cfm?commentID=60
 
 
 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, July 13, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

See how quickly thinking changes? :)
 
I almost think this is a better reason not to have AD-integrated DNS.  
Shall have to ponder a bit more, but I detest the idea of a DNS server being a 
client to a peer name res server.  I'm still inclined to continue to use 
the self-as-primary deployment.  I understand that silliness (thanks for 
pointing out that situation James) can impact availability and that would 
normally indicate a bad design.  I'm curious though, why in the situation 
described that the server couldn't replicate and begin serving records.  I 
haven't looked lately, but how many replication partners does it have to talk to 
before it will serve DNS? 
 
"I'm looking for server x.  Do you have it? Hello? Are you there? 
No? Let me check myself then."  It also goes against the idea that each 
name res server should have as much of a complete picture of the environment as 
possible else there's no reason to have multiples. 
 
Hmm... 
On 7/13/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:

  note that DNS startup behaviour changes with SP1, which is another reason not to 
  choose the DC itself as the preferred DNS server: with SP1, AD will not allow the 
  DNS service to read any records, until it has successfully replicated with one of 
  its replication partners.  This is to avoid false or duplicate registration of 
  records (or even duplicate creation of the application partitions).

  As such, with SP1 it's better to point your DCs to a replication partner as a 
  primary DNS and to self as a secondary.

  /Guido

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Thursday, 13 July 2006 17:02
  To: ActiveDir@mail.activedir.org
  Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

  Hi Al

  I did want to throw in a personal experience I had with W2K3 that validates 
  the "Point your DNS server to a replication partner theory".  I did see in one 
  environment where every DC had DNS and the msdcs partition was a forest 
  partition.  An unfortunate DNS scavenge was done deleting some of the GUID 
  records in the MSDCS partition.  Replication started to fail shortly after that 
  and the missing GUIDs were discovered.  The netlogon service was restarted to 
  make the DCs re-register but of course they re-registered the GUID on 
  themselves.  They could find themselves but not their replication partners.  The 
  replication partners could find them but not themselves.  When the DCs were set 
  to point to a hub replication partner for primary and themselves as secondary 
  the problem went away - the netlogon service was restarted, the GUIDs registered 
  on the central DNS server, the spokes did the lookup for replication partners on 
  the hub site DC and eventually things started working again.

  This was pre-SP1 so this may not be a problem anymore, but after that 
  experience I have seen value in doing the DNS configuration so that the DCs all 
  point to the hub first and themselves second.  I have not seen any problems for 
  the DC itself when the WAN link dropped for a length of time and the primary DNS 
  server was not reachable.

  Of course, if there are never any changes to DC IPs or names and the MSDCS is 
  never scavenged (or the interval is long enough not to recreate the above 
  problem) then the above argument is moot.

  Regards;

  James R. Day
  Active Directory Core Team
  Office of the Chief Information Officer
  National Park Service
  202-230-2983
  [EMAIL PROTECTED]

  "Al Mulnick" <[EMAIL PROTECTED]>
  Sent by: [EMAIL PROTECTED]
  07/12/2006 09:58 PM AST
  Please respond to ActiveDir

  To: ActiveDir@mail.activedir.org
  cc: (bcc: James Day/Contractor/NPS)
  Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

  You don't work at the post office do you? ;)

  There are many many many ways to

RE: [ActiveDir][OT] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-21 Thread joe
Paul with the combination of your TLAs and your harsh Welsh Accent I haven't
the foggiest clue what you said here yeah...

:) 


Warm[1]






[1] That kills me, inside joke...



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Friday, July 14, 2006 6:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as
the preferred DNS server...always?

I can't see how you can get a duplicate NDNC as the creation of such objects
is targeted at the DN master. The DN master will check the existing 
crossRefs and stop this happening, as we can't rely on the DS stopping it as
the RDN is different for each NDNC (unless they've used "well-known" GUIDs 
for the DNS NCs?).

Although the behaviour you speak of is new to me, and another one of those 
slight, interesting changes, so thanks for that.

Can you elaborate on this new behaviour?  What, exactly, happens and in what
order?


--Paul

- Original Message - 
From: "Grillenmeier, Guido" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, July 13, 2006 6:52 PM
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as 
the preferred DNS server...always?


> note that DNS startup behaviour changes with SP1, which is another
> reason not to choose the DC itself as the preferred DNS server: with
> SP1, AD will not allow the DNS service to read any records, until it has
> successfully replicated with one of its replication partners.  This is
> to avoid false or duplicate registration of records (or even duplicate
> creation of the application partitions).
>
> As such, with SP1 it's better to point your DCs to a replication partner
> as a primary DNS and to self as a secondary.
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, 13 July 2006 17:02
> To: ActiveDir@mail.activedir.org
> Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself
> as the preferred DNS server...always?
>
> Hi Al
>
> I did want to throw in a personal experience I had with W2K3 that
> validates the "Point your DNS server to a replication partner theory".
> I did see in one environment where every DC had DNS and the msdcs
> partition was a forest partition.  An unfortunate DNS scavenge was done
> deleting some of the GUID records in the MSDCS partition.  Replication
> started to fail shortly after that and the missing GUIDs were
> discovered.  The netlogon service was restarted to make the DCs
> re-register but of course they re-registered the GUID on themselves.
> They could find themselves but not their replication partners.  The
> replication partners could find them but not themselves.  When the DCs
> were set to point to a hub replication partner for primary and
> themselves as secondary the problem went away - the netlogon service was
> restarted, the GUIDs registered on the central DNS server, the spokes
> did the lookup for replication partners on the hub site DC and
> eventually things started working again.
>
> This was pre-SP1 so this may not be a problem anymore, but after that
> experience I have seen value in doing the DNS configuration so that the
> DCs all point to the hub first and themselves second.  I have not seen
> any problems for the DC itself when the WAN link dropped for a length of
> time and the primary DNS server was not reachable.
>
> Of course, if there are never any changes to DC IPs or names and the
> MSDCS is never scavenged (or the interval is long enough not to recreate
> the above problem) then the above argument is moot.
>
> Regards;
>
> James R. Day
> Active Directory Core Team
> Office of the Chief Information Officer
> National Park Service
> 202-230-2983
> [EMAIL PROTECTED]
>
>
>
>
> "Al Mulnick" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 07/12/2006 09:58 PM AST
> Please respond to ActiveDir
>
> To: ActiveDir@mail.activedir.org
> cc: (bcc: James Day/Contractor/NPS)
> Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the
> preferred DNS server...always?
>
> You don't work at the post office do you? ;)
>
>
> There are many many many ways to properly configure DNS.  One thing that
> helps is to think of the terms client and server vs. preferred and
> alternate only. You are configuring a preferred server and an alternate
> server that you want this DC to be a client of.
>
> DNS is a standard.  Windows 2003 DNS follows those standards (comments
> 
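The two things this thread keeps coming back to can be checked from one place: which server each DC actually has as its preferred DNS client address (neil and Guido argue for a replication partner first, self as alternate), and whether the DC's own DSA GUID CNAME under _msdcs is still present where its partners will look for it (James Day's scavenging story). The script below is an added example and not code from anyone in the thread; it uses the ActiveDirectory, DnsClient and WinRM cmdlets, which post-date the 2003 SP1 servers being discussed, and assumes you run it as a domain admin from an RSAT-equipped workstation with WinRM open to the DCs. The function name Test-DcDnsClientConfig is my own.

```powershell
#Requires -Modules ActiveDirectory, DnsClient
# Added example, not code from the thread. Encodes the thread's
# recommendation (preferred DNS = a replication partner, self as alternate)
# and James Day's failure mode (a DC's DSA GUID CNAME missing from _msdcs).
# Assumes RSAT ActiveDirectory/DnsClient modules and WinRM access to each DC.

function Test-DcDnsClientConfig {
    [CmdletBinding()]
    param(
        # Domain whose DCs are audited; defaults to the current domain
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $forest = (Get-ADDomain -Identity $Domain).Forest
    $dcs    = Get-ADDomainController -Filter * -Server $Domain

    foreach ($dc in $dcs) {
        # The _msdcs CNAME is named after the objectGUID of the DC's
        # NTDS Settings object: <dsa-guid>._msdcs.<forest root>
        $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID -Server $Domain
        $cname = '{0}._msdcs.{1}' -f $ntds.objectGUID, $forest

        # DNS client server list exactly as the DC itself has it configured
        # (first IPv4 interface that has servers; adjust for multi-homed DCs)
        $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 } |
                Select-Object -First 1 -ExpandProperty ServerAddresses
        })

        $selfAddrs = @($dc.IPv4Address, '127.0.0.1')
        $preferred = if ($servers.Count -gt 0) { $servers[0] } else { $null }

        # Resolve the DC's own GUID record via its *preferred* server: if that
        # server cannot answer, partners using the same server cannot find
        # this DC either, which is the thread's replication-failure scenario
        $target = $null
        if ($preferred) {
            try {
                $ans    = Resolve-DnsName -Name $cname -Type CNAME -Server $preferred -DnsOnly -ErrorAction Stop
                $target = ($ans | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
            } catch { $target = $null }
        }

        [pscustomobject]@{
            DC              = $dc.HostName
            PreferredDns    = $preferred
            AlternateDns    = ($servers | Select-Object -Skip 1) -join ','
            PreferredIsSelf = $preferred -in $selfAddrs
            SelfListed      = [bool]($servers | Where-Object { $_ -in $selfAddrs })
            MsdcsCname      = $cname
            CnameTarget     = $target
            CnameOk         = ($null -ne $target) -and ($target.TrimEnd('.') -ieq $dc.HostName)
        }
    }
}

# Usage: show only DCs that point to themselves first, omit themselves
# entirely, or whose GUID CNAME does not resolve back to their own FQDN
Test-DcDnsClientConfig |
    Where-Object { $_.PreferredIsSelf -or -not $_.SelfListed -or -not $_.CnameOk } |
    Format-Table -AutoSize
```

A DC with PreferredIsSelf set and CnameOk false is the exact combination James Day describes: the record was re-registered locally, so the DC can see itself, but the server its partners query never received it. Run the audit again after pointing the DC at a partner and restarting Netlogon and the CNAME should come back on the preferred server.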

RE: [ActiveDir] DNS Issue

2006-07-21 Thread Steve Linehan
What version of the DNS binary are you running and if you clear the cache 
instead of restart DNS does it resolve the issue?
 
Thanks,
 
-Steve



From: [EMAIL PROTECTED] on behalf of Wyatt, David
Sent: Fri 7/21/2006 4:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Issue


We have a single Windows 2003 SP1 forest/domain.  DCs run AD integrated zones.  
We have Forwarders configured for a domain e.g. test.com with 2 IP addresses 
entered for the DNS servers in test.com.
 
We have seen a strange issue where queries for a host in the sub-domain 
nyc.test.com fail (even when doing an nslookup directly from the DC).  When we 
restart the DNS service on the DC resolution succeeds for a host in 
nyc.test.com.  After time it appears resolution fails again.
 
Another observation is when (after time) name resolution fails for a host in 
nyc.test.com and we explicitly add nyc.test.com as another Forwarder and 
without restarting the DNS service names in nyc.test.com resolves.  Remove the 
forwarding to nyc.test.com and resolution fails!
 
Any ideas?
 
Regards
David

 

This message contains confidential information and is intended only 
for the individual or entity named. If you are not the named addressee 
you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately by e-mail if you have received 
this e-mail by mistake and delete this e-mail from your system. 
E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, arrive 
late or incomplete, or contain viruses. The sender therefore does not 
accept liability for any errors or omissions in the contents of this 
message which arise as a result of e-mail transmission. 
If verification is required please request a hard-copy version. 
This message is provided for informational purposes and should not 
be construed as an invitation or offer to buy or sell any securities or 
related financial instruments. 
GAM operates in many jurisdictions and is 
regulated or licensed in those jurisdictions as required. 
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
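Steve's question (does clearing the cache, rather than restarting the service, make nyc.test.com resolve again?) is the right one, because a restart empties the server cache as a side effect and David's "works after restart, breaks again later" pattern is what a cached answer with a long TTL looks like. The script below is an added example, not code from the thread; it captures the forwarder state, any conditional forwarder zone covering the sub-domain, and the server's cached records for that sub-domain, then tests resolution against that server only, optionally after clearing its cache. It uses the DnsServer and DnsClient cmdlets (Windows Server 2012+ RSAT, so newer than the 2003 SP1 servers in the thread) and assumes admin rights on the DC; the server name dc1.corp.example and host app1.nyc.test.com in the usage lines are placeholders.

```powershell
#Requires -Modules DnsServer, DnsClient
# Added example, not code from the thread. Snapshots forwarder configuration
# and cached records for a sub-domain that intermittently stops resolving,
# so the "restart fixes it" symptom can be tied to a specific cached entry.
# Assumes DnsServer/DnsClient RSAT cmdlets and admin rights on the DNS server.

function Get-DnsSubdomainDiagnostics {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DnsServer,   # DC running DNS (placeholder in usage)
        [Parameter(Mandatory)][string]$Subdomain,   # e.g. nyc.test.com
        [Parameter(Mandatory)][string]$TestHost,    # a host under $Subdomain
        [switch]$ClearCache                         # clear the server cache before re-testing
    )

    # Server-wide forwarders: in the thread, the two test.com servers
    $fwd = Get-DnsServerForwarder -ComputerName $DnsServer

    # Conditional forwarder zones that cover the sub-domain, i.e. the parent
    # (test.com) or an explicit one for nyc.test.com as David added by hand
    $cond = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.ZoneType -eq 'Forwarder' -and $Subdomain -like "*$($_.ZoneName)" }

    # Cached records under the sub-domain. A cached NS/SOA or negative answer
    # here survives until its TTL expires but not a service restart, which is
    # the observed "resolves after restart, fails again later" behaviour
    $cached = Show-DnsServerCache -ComputerName $DnsServer |
        Where-Object { $_.HostName -like "*$Subdomain*" }

    if ($ClearCache) {
        Clear-DnsServerCache -ComputerName $DnsServer -Force
    }

    # Query this server only, bypassing the local resolver cache and hosts file
    $resolved = $false
    $failure  = $null
    try {
        $null = Resolve-DnsName -Name $TestHost -Server $DnsServer -DnsOnly -NoHostsFile -ErrorAction Stop
        $resolved = $true
    } catch {
        $failure = $_.Exception.Message
    }

    [pscustomobject]@{
        DnsServer             = $DnsServer
        Forwarders            = ($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ','
        UseRootHint           = $fwd.UseRootHint
        ConditionalForwarders = ($cond | ForEach-Object {
                                    '{0} -> {1}' -f $_.ZoneName, ($_.MasterServers -join '/') }) -join '; '
        CachedForSubdomain    = $cached | Select-Object HostName, RecordType, TimeToLive, RecordData
        CacheCleared          = [bool]$ClearCache
        TestHost              = $TestHost
        Resolved              = $resolved
        Failure               = $failure
    }
}

# Usage (placeholder names): capture the failing state first, then repeat with
# -ClearCache. If only the second run resolves, a cached entry, not the DNS
# service itself, is what the restart was really fixing.
Get-DnsSubdomainDiagnostics -DnsServer 'dc1.corp.example' -Subdomain 'nyc.test.com' -TestHost 'app1.nyc.test.com'
Get-DnsSubdomainDiagnostics -DnsServer 'dc1.corp.example' -Subdomain 'nyc.test.com' -TestHost 'app1.nyc.test.com' -ClearCache
```

Look at CachedForSubdomain in the failing run before clearing: an NS or SOA record for nyc.test.com (or for test.com with a TTL that outlives the restart interval) tells you which answer the server is trusting instead of asking the forwarders, and its TimeToLive tells you how long the "after time it fails again" window will be.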


[ActiveDir] Interesting read

2006-07-21 Thread Figueroa, Johnny



 
Ouch, how many things could go wrong? I thought the 
domain controllers would complain if the time synch had a gap over 5 
mins.
 

http://redmondmag.com/columns/article.asp?editorialsid=1388
 




Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-21 Thread Al Mulnick
Now don't go getting misty eyed and thinking that I'm coming over to the joe-side of thinking when it comes to DNS and Microsoft.  But aye, it has its shortcomings and could be much better.  Perhaps they need a real competitor vis a vis Firefox and IE to get things jumping? 

 
 
Hmm.
 
:) 
On 7/21/06, joe <[EMAIL PROTECTED]> wrote:



Hehe Bingo... keep playing and one day you may even think how nice it is to not have DNS on DCs at all or even on Microsoft Is that heresy here? If so I will say three Hail Kwan's and sprinkle some ground up Intel chip dust on myself...  ;o)

 
 
 
Dean wonders why I hate DNS. :)
 

http://www.gilsblog.com/index.cfm?commentID=60

 
 
 
 
 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, July 13, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?
 


See how quickly thinking changes? :)
 
I almost think this is a better reason not to have AD-integrated DNS.  Shall have to ponder a bit more, but I detest the idea of a DNS server being a client to a peer name res server.  I'm still inclined to continue to use the self-as-primary deployment.  I understand that silliness (thanks for pointing out that situation James) can impact availability and that would normally indicate a bad design.  I'm curious though, why in the situation described that the server couldn't replicate and begin serving records.  I haven't looked lately, but how many replication partners does it have to talk to before it will serve DNS? 

 
"I'm looking for server x.  Do you have it? Hello? Are you there? No? Let me check myself then."  It also goes against the idea that each name res server should have as much of a complete picture of the environment as possible else there's no reason to have multiples. 

 
Hmm... 

Re: [ActiveDir] Interesting read

2006-07-21 Thread Al Mulnick
"The list is long, yet distinguished." 
Pretty much the combinations are endless.  Think about it: for every deployment there is at least one administrative staff member and one boss.  That means there are likely at least three opinions on how it should be done "right".  Multiply that number of deployments times the number of opinions of how it should be done and you have a start at getting the number of possible things that could go wrong. 

 
Just always remember that if it weren't for the 8th layer, the other 7 would run flawlessly.  
 
Always best to distill the products to the decision points during the design and deployment.  Make the decisions based on the best information available *at the time* and move forward.  Remember that it's expected to have to adjust over time, but this should not be painful adjustments if the entire team (you, yourself, and the vendor in most cases) did their job to the best of their ability. 
 
On 7/21/06, Figueroa, Johnny <[EMAIL PROTECTED]> wrote:



 
Ouch, how many things could go wrong? I thought the domain controllers would complain if the time synch had a gap over 5 mins.

 


http://redmondmag.com/columns/article.asp?editorialsid=1388