RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

2006-07-22 Thread joe
That's a command line guy for you... 

:o)

The thing is that I type in a very odd way two, my whole right hand just one
or two fingers from my left hand. People tend to get a bit confused when
they see me type. 

 joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent
Sent: Saturday, July 22, 2006 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

joe,

you must type really, really fast

- Original Message - 
From: "Albert Duro" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, July 22, 2006 7:06 PM
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain


> no debate from me.  I was just asking.  Thank you for the lesson.
>
> - Original Message - 
> From: "joe" <[EMAIL PROTECTED]>
> To: 
> Sent: Saturday, July 22, 2006 9:48 AM
> Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain
>
>
>> Mirrors don't scale.
>>
>> Microsoft's deployment doc mostly just talks about using mirrors (small 
>> nod
>> to RAID 10/0+1) so everyone thinks that they should build their Corporate
>> DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone
>> would build a corporate Exchange Server on mirrors... Why not? The DB is 
>> the
>> same under both of them... What is critical to Exchange? IOPS and that 
>> means
>> spindles. If something is really beating on AD and the entire DIT can't 
>> be
>> cached, IOPS are critical to AD as well. The main difference is that AD 
>> is
>> mostly random read and Exchange is heavy writing and reading. The 
>> exception
>> to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of 
>> data
>> into AD in a month at which point he did something that few people see,
>> pushed the IOPS on the log drive through the roof.
>>
>> In a smaller environment (very low thousands), or for a low use DC (small
>> WAN site), or a DC with a DIT fully cached a RAID-1 drive for DIT will
>> probably be sufficient, you will note that the only numbers mentioned in 
>> the
>> deployment guide are about 5000[2]... That usually means a small DIT and 
>> it
>> is extremely likely that a K3 DC will cache the entire DIT. Plus the 
>> usage
>> is probably such that the IO capability of two spindles will likely be 
>> ok.
>> Let me state though that even in a small user environment if there was an
>> intensive directory based app or a buttload of data that pushes the DIT 
>> into
>> GB's instead of MBs I would still be watching my disk queueing pretty 
>> close
>> as well as the Read and Write Ops.
>>
>> AD admins who aren't running directory intensive apps (read as Exchange
>> 2000+) usually don't see any issues but then again most aren't looking 
>> very
>> closely at the counters because they haven't had a reason too and even if
>> they had some short lived issues they probably wouldn't go look at the
>> counters. At least that has been my experience in dealing with companies.

>> I
>> will admit that prior to implementing Exchange when I did AD Ops with a
>> rather large company I didn't once look at the disk counters, didn't 
>> care,
>> everything ran perfectly well and about the only measure of perf was
>> replication latency and does ADUC start fast enough and it always was 
>> fine
>> there unless there were network related issues or a DC was having 
>> hardware
>> failure.
>>
>> Enter Exchange... Or some other app that pounds your DCs with millions of
>> queries a day and tiny little bits of latency that you didn't previously
>> feel start having an impact. You won't feel 70-80ms of latency in 
>> anything
>> you are doing with normal AD tools or NOS ops, not at all. You will feel
>> that with Exchange (and other heavy directory use apps), often with 
>> painful
>> results unless it isn't consistent and the directory can unwind itself 
>> again
>> and hence allow Exchange to then unwind itself.
>>
>> Now let me point out, I don't deal with tiny companies for work, small to

>> me
>> is less than 40-50k. The smallest I tend to deal with is about 30k. I
>> usually get called to walk in to Exchange issues where Exchange is
>> underperforming or outright hanging, sometimes for hours at a time. There
>> can be all sorts of issues causing this such as
>>
>> O poor disk subsystem design for Exchange (someone say got fancy with a 
>> SAN
>> layout and really didn't know what they were doing seems to be popular 
>> here)
>>
>>
>> O hardware/drivers on the Exchange server just aren't working properly 
>> and
>> the drivers are experiencing timeout issues (for some reason I want to 
>> say
>> HBA here)
>>
>> O poor network configurations and odd load balancing solutions, etc that
>> generate a whole bunch of say keep alive traffic on the segment that no 
>> one
>> had any idea about because no one understood the solution nor took time 
>> to
>> look at the network traces. Or maybe
>> the 

Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

2006-07-22 Thread Kevin Gent

joe,

you must type really, really fast

- Original Message - 
From: "Albert Duro" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, July 22, 2006 7:06 PM
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain



no debate from me.  I was just asking.  Thank you for the lesson.

- Original Message - 
From: "joe" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, July 22, 2006 9:48 AM
Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain



Mirrors don't scale.

Microsoft's deployment doc mostly just talks about using mirrors (small 
nod

to RAID 10/0+1) so everyone thinks that they should build their Corporate
DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone
would build a corporate Exchange Server on mirrors... Why not? The DB is 
the
same under both of them... What is critical to Exchange? IOPS and that 
means
spindles. If something is really beating on AD and the entire DIT can't 
be
cached, IOPS are critical to AD as well. The main difference is that AD 
is
mostly random read and Exchange is heavy writing and reading. The 
exception
to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of 
data

into AD in a month at which point he did something that few people see,
pushed the IOPS on the log drive through the roof.

In a smaller environment (very low thousands), or for a low use DC (small
WAN site), or a DC with a DIT fully cached a RAID-1 drive for DIT will
probably be sufficient, you will note that the only numbers mentioned in 
the
deployment guide are about 5000[2]... That usually means a small DIT and 
it
is extremely likely that a K3 DC will cache the entire DIT. Plus the 
usage
is probably such that the IO capability of two spindles will likely be 
ok.

Let me state though that even in a small user environment if there was an
intensive directory based app or a buttload of data that pushes the DIT 
into
GB's instead of MBs I would still be watching my disk queueing pretty 
close

as well as the Read and Write Ops.

AD admins who aren't running directory intensive apps (read as Exchange
2000+) usually don't see any issues but then again most aren't looking 
very

closely at the counters because they haven't had a reason too and even if
they had some short lived issues they probably wouldn't go look at the
counters. At least that has been my experience in dealing with companies. 
I

will admit that prior to implementing Exchange when I did AD Ops with a
rather large company I didn't once look at the disk counters, didn't 
care,

everything ran perfectly well and about the only measure of perf was
replication latency and does ADUC start fast enough and it always was 
fine
there unless there were network related issues or a DC was having 
hardware

failure.

Enter Exchange... Or some other app that pounds your DCs with millions of
queries a day and tiny little bits of latency that you didn't previously
feel start having an impact. You won't feel 70-80ms of latency in 
anything

you are doing with normal AD tools or NOS ops, not at all. You will feel
that with Exchange (and other heavy directory use apps), often with 
painful
results unless it isn't consistent and the directory can unwind itself 
again

and hence allow Exchange to then unwind itself.

Now let me point out, I don't deal with tiny companies for work, small to 
me

is less than 40-50k. The smallest I tend to deal with is about 30k. I
usually get called to walk in to Exchange issues where Exchange is
underperforming or outright hanging, sometimes for hours at a time. There
can be all sorts of issues causing this such as

O poor disk subsystem design for Exchange (someone say got fancy with a 
SAN
layout and really didn't know what they were doing seems to be popular 
here)



O hardware/drivers on the Exchange server just aren't working properly 
and
the drivers are experiencing timeout issues (for some reason I want to 
say

HBA here)

O poor network configurations and odd load balancing solutions, etc that
generate a whole bunch of say keep alive traffic on the segment that no 
one
had any idea about because no one understood the solution nor took time 
to

look at the network traces. Or maybe
the infamous Full/100 on one end and half/100 on the other. Whatever.

O Applications that beat the crap out of Exchange that weren't accounted 
for

in the design well or at all... such as Blackberry or Desktop Search or
various Archive solutions

O Poorly written event sinks, disclaimer type products that query AD
themselves for additional info fit nicely into this category (hint do not
deploy one of these unless you understand the queries it generates)

O DCs being too far away say like an Exchange server in the US hosting 
APAC

users. If you are running Exchange, you put Exchange and the DCs for the
domains of any users on that Exchange server on the same physical subnet.
And if you have a multidomain forest, strongly consider shortcut trusts
between the domains that the Exchange servers

Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

2006-07-22 Thread Albert Duro

no debate from me.  I was just asking.  Thank you for the lesson.

- Original Message - 
From: "joe" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, July 22, 2006 9:48 AM
Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain



Mirrors don't scale.

Microsoft's deployment doc mostly just talks about using mirrors (small 
nod

to RAID 10/0+1) so everyone thinks that they should build their Corporate
DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone
would build a corporate Exchange Server on mirrors... Why not? The DB is 
the
same under both of them... What is critical to Exchange? IOPS and that 
means

spindles. If something is really beating on AD and the entire DIT can't be
cached, IOPS are critical to AD as well. The main difference is that AD is
mostly random read and Exchange is heavy writing and reading. The 
exception
to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of 
data

into AD in a month at which point he did something that few people see,
pushed the IOPS on the log drive through the roof.

In a smaller environment (very low thousands), or for a low use DC (small
WAN site), or a DC with a DIT fully cached a RAID-1 drive for DIT will
probably be sufficient, you will note that the only numbers mentioned in 
the
deployment guide are about 5000[2]... That usually means a small DIT and 
it

is extremely likely that a K3 DC will cache the entire DIT. Plus the usage
is probably such that the IO capability of two spindles will likely be ok.
Let me state though that even in a small user environment if there was an
intensive directory based app or a buttload of data that pushes the DIT 
into
GB's instead of MBs I would still be watching my disk queueing pretty 
close

as well as the Read and Write Ops.

AD admins who aren't running directory intensive apps (read as Exchange
2000+) usually don't see any issues but then again most aren't looking 
very

closely at the counters because they haven't had a reason too and even if
they had some short lived issues they probably wouldn't go look at the
counters. At least that has been my experience in dealing with companies. 
I

will admit that prior to implementing Exchange when I did AD Ops with a
rather large company I didn't once look at the disk counters, didn't care,
everything ran perfectly well and about the only measure of perf was
replication latency and does ADUC start fast enough and it always was fine
there unless there were network related issues or a DC was having hardware
failure.

Enter Exchange... Or some other app that pounds your DCs with millions of
queries a day and tiny little bits of latency that you didn't previously
feel start having an impact. You won't feel 70-80ms of latency in anything
you are doing with normal AD tools or NOS ops, not at all. You will feel
that with Exchange (and other heavy directory use apps), often with 
painful
results unless it isn't consistent and the directory can unwind itself 
again

and hence allow Exchange to then unwind itself.

Now let me point out, I don't deal with tiny companies for work, small to 
me

is less than 40-50k. The smallest I tend to deal with is about 30k. I
usually get called to walk in to Exchange issues where Exchange is
underperforming or outright hanging, sometimes for hours at a time. There
can be all sorts of issues causing this such as

O poor disk subsystem design for Exchange (someone say got fancy with a 
SAN
layout and really didn't know what they were doing seems to be popular 
here)



O hardware/drivers on the Exchange server just aren't working properly and
the drivers are experiencing timeout issues (for some reason I want to say
HBA here)

O poor network configurations and odd load balancing solutions, etc that
generate a whole bunch of say keep alive traffic on the segment that no 
one

had any idea about because no one understood the solution nor took time to
look at the network traces. Or maybe
the infamous Full/100 on one end and half/100 on the other. Whatever.

O Applications that beat the crap out of Exchange that weren't accounted 
for

in the design well or at all... such as Blackberry or Desktop Search or
various Archive solutions

O Poorly written event sinks, disclaimer type products that query AD
themselves for additional info fit nicely into this category (hint do not
deploy one of these unless you understand the queries it generates)

O DCs being too far away say like an Exchange server in the US hosting 
APAC

users. If you are running Exchange, you put Exchange and the DCs for the
domains of any users on that Exchange server on the same physical subnet.
And if you have a multidomain forest, strongly consider shortcut trusts
between the domains that the Exchange servers are in with the domains the
users are in.

O DCs underperforming

The last is almost always, heck, I will say in 98% of the cases I have had
to investigate, related to DC disk configuration and it is always a 
mirrored

setup. In fact, almo

RE: [ActiveDir] RootDSE requires admin privileges

2006-07-22 Thread Sakari Kouti
Nope. Not ICF or any other firewall on on these Virtual PC machines.

Yours, Sakari
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 22. heinäkuuta 2006 21:02
To: Send - AD mailing list
Subject: RE: [ActiveDir] RootDSE requires admin privileges

Windows or 3rd party firewall related??

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Sakari Kouti
> Sent: Saturday, July 22, 2006 11:39 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] RootDSE requires admin privileges
> 
> Hi Joe,
> 
> I installed NetMon on that workstation and it seems that nothing gets
> out on the wire with the failure case. And quite normal LDAP searches
> in the success case.
> 
> I also did a little more testing and found out that the user doesn't
> need to be a domain admin for the script lines to work. A local admin
> in the workstation is enough (but still the same user).
> 
> Then I installed a second similar XP workstation in the forest, and it
> doesn't have this problem.
> 
> So it seems that something funny has happened in the first workstation
> that breaks ADSI. Probably not worth to explore any further.
> 
> Yours, Sakari
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: 21. heinäkuuta 2006 3:31
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] RootDSE requires admin privileges
> 
> Hey Sakari, do you have a trace showing the ADSI failure and its
> resulting success if run by DA that you can post?
> 
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
> Sent: Thursday, July 20, 2006 6:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] RootDSE requires admin privileges
> 
> Hi,
> 
> I wonder if anyone else has run into a situation, where normal ADSI
> rootDSE binding doesn't work, unless the user is a domain admin?
> 
> The following two-line script is a sample:
> Set objDSE = GetObject("LDAP://rootDSE") WScript.Echo
> objDSE.Get("defaultNamingContext")
> 
> The first line produces the error 800401E4 (invalid syntax), if an end
> user runs the lines on an XP SP1 workstation in my tiny dev forest.
> 
> - If the same user logs on to a DC (everyone is allowed to log on to
> them in this case) and runs the lines, they work fine.
> 
> - If the same user is put in Domain Admins, the lines work fine even on
> the previously mentiones XP workstation.
> 
> - If the same user (without being an admin) starts LDP on the XP
> workstation, she'll get the rootDSE information in LDP.
> 
> This is only a two-DC dev forest (with one root domain and one child
> domain), but I wonder if this could happen in production too? The DCs
> are Windows Server 2003, and not even SP1, because they originate from
> a project I did early last year, and now returned to it. Even though
> the DCs were frozen for quite a while as Virtual PC images, replication
> works quite fine and the tombstone lifetime is 10 years.
> 
> Yours, Sakari
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Managing Third-Party Users

2006-07-22 Thread Joe Kaplan
Federation is the way of the future in these scenarios.  I'm spending about 
50% of my time at work these days helping to build out our federation 
infrastructure and imagine that we'll be using it extensively.  We are 
already doing some type of federation thing with over 30 vendor-hosted apps 
internally (benefits, travel, surveys, etc.).  However, none of these 
implemenations are currently using any of the standard federation protocols 
(SAML, WS-Fed) and suffer from expensive implementations, no reusability 
between implementations and dubious security.


We are also looking at hosting some services internally for clients and 
partners and using federation as a way to allow them to authenticate with 
their own credentials.


The big challenges right now are that with both SAML and WS-Fed as the 
dominate protocols out there (and WS-Fed much further behind in terms of 
adoption rates, but gaining due to the popularity of AD and the low cost of 
ADFS compared to many solutions), it is hard to say you only want to do 
ADFS/WS-Fed.  Our approach is to try to support both for the "outbound" 
scenario, where our users are accessing a partner resource, although we are 
still trying to pick a SAML 2 product yet.  We'll probably be more picky 
about WS-Fed for the opposite scenario as our guys like to use Windows 
token-based websites (like SharePoint) for custom dev and only ADFS has a 
really flexible solution for supporting this.


The big challenges are that right now, things are still pretty "early 
adopter", so it is hard to find a lot of partners that are ready to go with 
their infrastructure.  There isn't much expertise out there with these 
products yet either, so people are stumbling quite a bit.  In our "inbound" 
scenario, we are looking at needing to set up an alternate account store to 
host the accounts of partners who aren't "federation-capable" yet, so that's 
a drag.  I'm not sure the team building that app has realized yet that the 
cost and complexity of the identity and access management work for that 
account store will likely outstrip the cost of dev and maintenance on the 
app itself by an order of magnitude.  They aren't I&AM people, so they are 
just realizing that users of the store will need features like password 
change, password reset and password expiration notifications.  BTW, we are 
using ADAM for the account store and setting it up as a separate federation 
account partner.


Another thing worth noting is that we already have a well-established 
process for provisioning accounts for external users and contractors in the 
corp forest and we'll continue to use that in scenarios where it is 
appropriate.  However, we'll try to do as little as possible of that sort of 
thing when simple access to a few web apps is all that's needed.


All in all though, I'm pretty excited about the technology, especially ADFS. 
It combines my three favorite tech things, I&AM, web programming and .NET, 
so what's not to love?  :)



Joe K.
- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 12:05 PM
Subject: [ActiveDir] Managing Third-Party Users


My trusted directory resource,

I don't remember if this came up on a previous post. but don't recall seeing 
the topic.  As things become more and more integrated w/ some form of ldap 
authentication against a common directory, the necessity for managing 
outside vendors, contractors, etc is becoming a larger and larger task.  If 
you're in a situation where the vendor has a large population of users that 
require access . with incredible churn, this becomes a big issue.


I'm curious what, if anything, anyone else is doing to use some sort of 
federated system so that user management is left at the hands of the 
third-party companies.  I'm curious also if anyone is aware of any 
consulting groups that have done this sort of thing w/ an agnostic approach 
that can fit most environments.  I'd love to get an idea of where the 
industry is heading with this sort of thing.  I'm sure the topic probably 
came up at DEC which I didn't have the luxury of attending.


Thanks all!

marcus c. oh | cox communications, inc. | 404.847.6117 | 
marcusoh.blogspot.com



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] RootDSE requires admin privileges

2006-07-22 Thread Dean Wells
Windows or 3rd party firewall related??

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Sakari Kouti
> Sent: Saturday, July 22, 2006 11:39 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] RootDSE requires admin privileges
> 
> Hi Joe,
> 
> I installed NetMon on that workstation and it seems that nothing gets
> out on the wire with the failure case. And quite normal LDAP searches
> in the success case.
> 
> I also did a little more testing and found out that the user doesn't
> need to be a domain admin for the script lines to work. A local admin
> in the workstation is enough (but still the same user).
> 
> Then I installed a second similar XP workstation in the forest, and it
> doesn't have this problem.
> 
> So it seems that something funny has happened in the first workstation
> that breaks ADSI. Probably not worth to explore any further.
> 
> Yours, Sakari
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: 21. heinäkuuta 2006 3:31
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] RootDSE requires admin privileges
> 
> Hey Sakari, do you have a trace showing the ADSI failure and its
> resulting success if run by DA that you can post?
> 
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
> Sent: Thursday, July 20, 2006 6:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] RootDSE requires admin privileges
> 
> Hi,
> 
> I wonder if anyone else has run into a situation, where normal ADSI
> rootDSE binding doesn't work, unless the user is a domain admin?
> 
> The following two-line script is a sample:
> Set objDSE = GetObject("LDAP://rootDSE") WScript.Echo
> objDSE.Get("defaultNamingContext")
> 
> The first line produces the error 800401E4 (invalid syntax), if an end
> user runs the lines on an XP SP1 workstation in my tiny dev forest.
> 
> - If the same user logs on to a DC (everyone is allowed to log on to
> them in this case) and runs the lines, they work fine.
> 
> - If the same user is put in Domain Admins, the lines work fine even on
> the previously mentiones XP workstation.
> 
> - If the same user (without being an admin) starts LDP on the XP
> workstation, she'll get the rootDSE information in LDP.
> 
> This is only a two-DC dev forest (with one root domain and one child
> domain), but I wonder if this could happen in production too? The DCs
> are Windows Server 2003, and not even SP1, because they originate from
> a project I did early last year, and now returned to it. Even though
> the DCs were frozen for quite a while as Virtual PC images, replication
> works quite fine and the tombstone lifetime is 10 years.
> 
> Yours, Sakari
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-22 Thread joe



Any 
poor implementation is going to hurt you but I would argue that you are 
better off with a poor BIND/QIP DNS implementation than a poor Windows DNS 
implementation just because of the whole dependency loop thing. 

 
If you 
can adequately state your needs to a UNIX DNS group they can usually fullfill 
those needs and things should work fine. 
 
I 
guess MSFT could help out with this and make it so there was a way to staticly 
specify the required records for replication in flat files on DCs in the event 
there is a failure. At least this gets you up and running to the point where 
replication is working again and you can start working on the original DNS issue 
that caused the mess. Once DNS is functioning properly again you turn off the 
side road with the static entries. 
 
Again 
for me the part that hurts is if AD and AD DNS running on a DC is down, you 
really don't have a clue what caused what and have to start looking at 
everything. Most people aren't equipped to look at everything and quickly narrow 
it down to the key components. 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al 
MulnickSent: Saturday, July 22, 2006 10:24 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Always point a 
DC with DNS installed to itself as the preferred DNS 
server...always?

The downside is that your logic on this one is very hard to argue 
with.  At the heart of the matter you are saying (allow me to paraphrase) 
that the issue is the dependency of one system on another which is dependent on 
the former.  
 
Yep, that's hard to argue with because you are right. 
 
The part that gets me is that I've seen it the other way.  A BIND, or 
QIP implementation that was done horribly and offered way less simplicity (aka 
troubleshooting "hand-holds" - digression: I firmly believe that IT systems 
should be designed like sewer systems - with maintance access points built in 
along the way.  The results of not doing that are similar ;) and the 
results were a less stable system than with delegated ad-integrated zones that 
only the Windows environment relied on. Oddly, that Windows environment is the 
gateway to the rest of the environments for the users, but hey, that's not part 
of this conversation now is it? 
 
Anyhow, I see your point and that's an interesting point to consider and 
one that is certainly tough to argue with. My only counter at this point is that 
either DNS system is going to be dependent on those that design and deploy it 
and if you're like many companies of mid to large size, your DNS is distributed 
and managed by those of the platform it runs on.  In many instances if you 
run *nix, it'll be on the *nix platform, if by Windows, then by Windows 
support.  Worse to me is if it's done by the network (phys) folks. May as 
well give it to the guard shack. :) 
 
 
On 7/22/06, joe 
<[EMAIL PROTECTED]> 
wrote: 

  
  
  :)  
  
   
  
   
  The main 
  thing I don't like is AD Integrated. There is something fundamentally wrong 
  with having your directory replication completely dependent on the name 
  resolution system that is completely dependent on the directory replication 
  system that is completely dependent on the name resolution system that is 
  completely dependent on the directory replication system that is completely 
  dependent on the name resolution system that is completely dependent on the 
  directory replication system that is completely dependent on the name 
  resolution system that is completely dependent on the directory replication 
  system  
   
  I like the idea of multiple masters, I am tepid on the 
  security (I haven't seen nor heard of anyone who has been attacked this way in 
  6 years of asking around), I am outright against the replication model. 
  
   
  Aside from that, I was tainted by seeing UNIX DNS products 
  running great at large scales and seeing Microsoft DNS screwing up to no 
  end at medium scales. I fully realize it could have been a function of the 
  people running it but one key time I saw it was in a pretty large company that 
  had UNIX DNS in a complicated layout that worked great for hundreds of 
  thousands of machines and a Microsoft DNS being used for the hundreds of DMZ 
  machines in a very simple layout which had Microsoft resources helping with it 
  and guess which DNS system I was hearing issues about and that was 
  constantly having AD failures because of DNS? Again I fully realize it very 
  likely could have been the people involved but some of those people were MSFT 
  people so it shouldn't have been that difficult to get it working right. 
  Everytime they tried to pull me in to work on the AD issues I simply said, fix 
  your DNS and get on the corporate standard and then I will look at what your 
  problems are. 
   
  If I had 
  to work do ops in an environment where MSFT DNS was my only option it i

[ActiveDir] Managing Third-Party Users

2006-07-22 Thread Marcus.Oh








My trusted directory resource,

 

I don’t remember if this came up on a previous post…
but don’t recall seeing the topic.  As things become more and more
integrated w/ some form of ldap authentication against a common directory, the
necessity for managing outside vendors, contractors, etc is becoming a larger
and larger task.  If you’re in a situation where the vendor has a large
population of users that require access … with incredible churn, this
becomes a big issue.

 

I’m curious what, if anything, anyone else is doing to
use some sort of federated system so that user management is left at the hands
of the third-party companies.  I’m curious also if anyone is aware of any
consulting groups that have done this sort of thing w/ an agnostic approach
that can fit most environments.  I’d love to get an idea of where the industry
is heading with this sort of thing.  I’m sure the topic probably came up
at DEC which I didn’t have the luxury of attending.

 

Thanks all!

 

marcus
c. oh | cox communications, inc. | 404.847.6117 |
marcusoh.blogspot.com

 








RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

2006-07-22 Thread joe
Mirrors don't scale. 

Microsoft's deployment doc mostly just talks about using mirrors (small nod
to RAID 10/0+1) so everyone thinks that they should build their Corporate
DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone
would build a corporate Exchange Server on mirrors... Why not? The DB is the
same under both of them... What is critical to Exchange? IOPS and that means
spindles. If something is really beating on AD and the entire DIT can't be
cached, IOPS are critical to AD as well. The main difference is that AD is
mostly random read and Exchange is heavy writing and reading. The exception
to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data
into AD in a month at which point he did something that few people see,
pushed the IOPS on the log drive through the roof.

In a smaller environment (very low thousands), or for a low use DC (small
WAN site), or a DC with a DIT fully cached a RAID-1 drive for DIT will
probably be sufficient, you will note that the only numbers mentioned in the
deployment guide are about 5000[2]... That usually means a small DIT and it
is extremely likely that a K3 DC will cache the entire DIT. Plus the usage
is probably such that the IO capability of two spindles will likely be ok.
Let me state though that even in a small user environment if there was an
intensive directory based app or a buttload of data that pushes the DIT into
GB's instead of MBs I would still be watching my disk queueing pretty close
as well as the Read and Write Ops.

AD admins who aren't running directory intensive apps (read as Exchange
2000+) usually don't see any issues but then again most aren't looking very
closely at the counters because they haven't had a reason too and even if
they had some short lived issues they probably wouldn't go look at the
counters. At least that has been my experience in dealing with companies. I
will admit that prior to implementing Exchange when I did AD Ops with a
rather large company I didn't once look at the disk counters, didn't care,
everything ran perfectly well and about the only measure of perf was
replication latency and does ADUC start fast enough and it always was fine
there unless there were network related issues or a DC was having hardware
failure. 

Enter Exchange... Or some other app that pounds your DCs with millions of
queries a day and tiny little bits of latency that you didn't previously
feel start having an impact. You won't feel 70-80ms of latency in anything
you are doing with normal AD tools or NOS ops, not at all. You will feel
that with Exchange (and other heavy directory use apps), often with painful
results unless it isn't consistent and the directory can unwind itself again
and hence allow Exchange to then unwind itself.

Now let me point out, I don't deal with tiny companies for work, small to me
is less than 40-50k. The smallest I tend to deal with is about 30k. I
usually get called to walk in to Exchange issues where Exchange is
underperforming or outright hanging, sometimes for hours at a time. There
can be all sorts of issues causing this such as

O poor disk subsystem design for Exchange (someone say got fancy with a SAN
layout and really didn't know what they were doing seems to be popular here)


O hardware/drivers on the Exchange server just aren't working properly and
the drivers are experiencing timeout issues (for some reason I want to say
HBA here)

O poor network configurations and odd load balancing solutions, etc that
generate a whole bunch of say keep alive traffic on the segment that no one
had any idea about because no one understood the solution nor took time to
look at the network traces. Or maybe 
the infamous Full/100 on one end and half/100 on the other. Whatever. 

O Applications that beat the crap out of Exchange that weren't accounted for
in the design well or at all... such as Blackberry or Desktop Search or
various Archive solutions

O Poorly written event sinks, disclaimer type products that query AD
themselves for additional info fit nicely into this category (hint do not
deploy one of these unless you understand the queries it generates)

O DCs being too far away say like an Exchange server in the US hosting APAC
users. If you are running Exchange, you put Exchange and the DCs for the
domains of any users on that Exchange server on the same physical subnet.
And if you have a multidomain forest, strongly consider shortcut trusts
between the domains that the Exchange servers are in with the domains the
users are in.

O DCs underperforming

The last is almost always, heck, I will say in 98% of the cases I have had
to investigate, related to DC disk configuration and it is always a mirrored
setup. In fact, almost always it is the deployment guide recommendation of
mirror for OS, mirror for logs, and mirror for DIT. Then you look at the
perf and you see that the counters on the DIT disk are in the nose bleed
seats and you are getting maybe 150 ops per second through the 

RE: [ActiveDir] RootDSE requires admin privileges

2006-07-22 Thread Sakari Kouti
Hi Joe,

I installed NetMon on that workstation and it seems that nothing gets out on 
the wire with the failure case. And quite normal LDAP searches in the success 
case.

I also did a little more testing and found out that the user doesn't need to be 
a domain admin for the script lines to work. A local admin in the workstation 
is enough (but still the same user).

Then I installed a second similar XP workstation in the forest, and it doesn't 
have this problem.

So it seems that something funny has happened in the first workstation that 
breaks ADSI. Probably not worth to explore any further.

Yours, Sakari


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 21. heinäkuuta 2006 3:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RootDSE requires admin privileges

Hey Sakari, do you have a trace showing the ADSI failure and its resulting
success if run by DA that you can post?
 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Thursday, July 20, 2006 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RootDSE requires admin privileges

Hi,

I wonder if anyone else has run into a situation, where normal ADSI
rootDSE binding doesn't work, unless the user is a domain admin?

The following two-line script is a sample:
Set objDSE = GetObject("LDAP://rootDSE")
WScript.Echo objDSE.Get("defaultNamingContext")

The first line produces the error 800401E4 (invalid syntax), if an end
user runs the lines on an XP SP1 workstation in my tiny dev forest.

- If the same user logs on to a DC (everyone is allowed to log on to
them in this case) and runs the lines, they work fine.

- If the same user is put in Domain Admins, the lines work fine even on
the previously mentiones XP workstation.

- If the same user (without being an admin) starts LDP on the XP
workstation, she'll get the rootDSE information in LDP.

This is only a two-DC dev forest (with one root domain and one child
domain), but I wonder if this could happen in production too? The DCs
are Windows Server 2003, and not even SP1, because they originate from a
project I did early last year, and now returned to it. Even though the
DCs were frozen for quite a while as Virtual PC images, replication
works quite fine and the tombstone lifetime is 10 years.

Yours, Sakari
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

2006-07-22 Thread albertduro
"- stop using mirrors damnit) ."[1]


can you please explain that?  What's wrong with mirrors?

[1] joe, speaking particularly in the context of Exchange
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-22 Thread joe



:)  
 

 
The main thing I don't like is AD Integrated. There is 
something fundamentally wrong with having your directory replication completely 
dependent on the name resolution system that is completely dependent on the 
directory replication system that is completely dependent on the name resolution 
system that is completely dependent on the directory replication system that is 
completely dependent on the name resolution system that is completely dependent 
on the directory replication system that is completely dependent on the name 
resolution system that is completely dependent on the directory replication 
system 
 
I like the idea of multiple masters, I am tepid on the 
security (I haven't seen nor heard of anyone who has been attacked this way in 6 
years of asking around), I am outright against the replication model. 

 
Aside from that, I was tainted by seeing UNIX DNS 
products running great at large scales and seeing Microsoft DNS screwing up 
to no end at medium scales. I fully realize it could have been a function 
of the people running it but one key time I saw it was in a pretty large company 
that had UNIX DNS in a complicated layout that worked great for hundreds of 
thousands of machines and a Microsoft DNS being used for the hundreds of DMZ 
machines in a very simple layout which had Microsoft resources helping with it 
and guess which DNS system I was hearing issues about and that was 
constantly having AD failures because of DNS? Again I fully realize it very 
likely could have been the people involved but some of those people were MSFT 
people so it shouldn't have been that difficult to get it working right. 
Everytime they tried to pull me in to work on the AD issues I simply said, fix 
your DNS and get on the corporate standard and then I will look at what your 
problems are. 
 
If I had to work do ops in an environment where MSFT DNS 
was my only option it is quite likely that I would work to become an expert on 
it and it is also possible I would work on it and finally just say screw this 
and I am going to sit down at night and write my own version of DNS or use 
BIND. That way I can have full control of what is going on and not wonder 
what the hell is going on or what changed in the last rev such that now my AD 
can't work because DNS isn't working because my DC is flaking out because AD 
isn't working. Etc etc etc.
 
I guess what I am saying, a string of dependencies no 
matter how long or how short really shouldn't loop back upon itself. You 
shouldn't have to be sitting there wondering if AD broke DNS or DNS broke AD and 
what you have to fix to make it all work again. If I am running DNS on another 
platform or at least on a Windows machine with no dependence on the domain and I 
see that DNS and AD are broken I know right where I need to start working 
without thinking very hard about it. The KISS philosphy is there for a reason, 
ops people especially in the middle of a blowup should not be required to think 
hard. The hard thinking needs to occur in the design and prior to things blowing 
up. When something blows up it should be a matter of putting it back together. 
Obviously it isn't always going to be that way but purposely putting something 
together that is going to require that hard thinking when it blows for sure 
doesn't make much sense to me.
 
   joe
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al 
MulnickSent: Friday, July 21, 2006 11:37 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Always point a 
DC with DNS installed to itself as the preferred DNS 
server...always?

Now don't go getting misty eyed and thinking that I'm coming over the 
joe-side of thinking when it comes to DNS and Microsoft.  But aye, it has 
it's shortcomings and could be much better.  Perhaps they need a real 
competitor vis a vis Firefox and IE to get things jumping? 
 
 
Hmm.
 
:) 
On 7/21/06, joe 
<[EMAIL PROTECTED]> 
wrote: 

  
  
  Hehe 
  Bingo... keep playing and one day you may even think how nice it is to not 
  have DNS on DCs at all or even on Microsoft Is that heresy here? If so I 
  will say three Hail Kwan's and sprinkle some ground up Intel chip dust on 
  myself...  ;o) 
   
   
   
  Dean 
  wonders why I hate DNS. :)
   
  http://www.gilsblog.com/index.cfm?commentID=60
  
   
   
   
   
   
  
  --
  O'Reilly 
  Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Al 
  MulnickSent: Thursday, July 13, 2006 3:32 PM
  To: ActiveDir@mail.activedir.org 
  Subject: Re: [ActiveDir] 
  Always point a DC with DNS installed to itself as the preferred DNS 
  server...always?
   
  
  
  See how quickly thinking changes? :)
   
  I almost think this is a better reason not to have AD-integrated 
  DNS.  Shall have to ponder a bit more, but

RE: [ActiveDir] DNS Issue

2006-07-22 Thread Wyatt, David

Hi Steve

Binary version is 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)

Clearing the cache does not fix the issue.


Thanks
David



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 22 Jul 2006 0:56
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


What version of the DNS binary are you running and if you clear the
cache instead of restart DNS does it resolve the issue?
 
Thanks,
 
-Steve



From: [EMAIL PROTECTED] on behalf of Wyatt, David
Sent: Fri 7/21/2006 4:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Issue


We have a single Windows 2003 SP1 forest/domain.  DCs run AD integated
zones.  We have Forwarders configured for a domain e.g. test.com with 2
IP addresses entered for the DNS servers in test.com.
 
We have seen a strange issue where queries for a host in the sub-domain
nyc.test.com fail (even when doing an nslookup directly from the DC).
When we restart the DNS service on the DC resolution succeeds for a host
in nyc.test.com.  After time it appears resolution fails again.
 
Another observation is when (after time) name resolution fails for a
host in nyc.test.com and we explicitly add nyc.test.com as another
Forwarder and without restarting the DNS service names in nyc.test.com
resolves.  Remove the forwarding to nyc.test.com and resolution fails!
 
Any ideas?
 
Regards
David


 

This message contains confidential information and is intended only 

for the individual or entity named. If you are not the named addressee 

you should not disseminate, distribute or copy this e-mail. 

Please notify the sender immediately by e-mail if you have received 

this e-mail by mistake and delete this e-mail from your system. 

E-mail transmission cannot be guaranteed to be secure or error-free 

as information could be intercepted, corrupted, lost, destroyed, arrive 

late or incomplete, or contain viruses. The sender therefore does not 

accept liability for any errors or omissions in the contents of this 

message which arise as a result of e-mail transmission. 

If verification is required please request a hard-copy version. 

This message is provided for informational purposes and should not 

be construed as an invitation or offer to buy or sell any securities or 

related financial instruments. 

GAM operates in many jurisdictions and is 

regulated or licensed in those jurisdictions as required. 


 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Domain Trusts.

2006-07-22 Thread Grillenmeier, Guido



you might want to describe to us what your actual goal is 
for creating a non-fully trusted domain in your AD forst.  Maybe you can 
reach a similar goal by using the fairly powerful capabilities in AD to delegate 
administration of objects within a domain. You can also use these features to 
hide specific parts of AD from the rest of the organization and thus create a 
"semi-isolated" units within a single AD domain. 
 
Note that there is no way to fully isolate any objects 
within a domain or forest from domain or enterprise admins - if you do need full 
administrative isolation, you have to create multiple 
forests.
 
/Guido


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge deSent: Saturday, July 22, 2006 12:45 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Domain 
Trusts.


1-yep
2-yep
 


Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 

LogicaCMG 
Nederland B.V. (BU RTINC Eindhoven)
(   Tel 
: +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 


From: [EMAIL PROTECTED] on 
behalf of Matt HargravesSent: Sat 2006-07-22 00:35To: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Domain 
Trusts.
So basically there's no way to have a domain in a forest that doesn't fully 
trust every other domain in the forest?The only way to have a non 2-way 
trust is to make a separate forest?


RE: [ActiveDir] Vendor Domain

2006-07-22 Thread Grillenmeier, Guido



> Will the application run off of an ADAM 
instance instead of a full blown forest?
 
That was going through my mind as well - why would the 
vendor want to use a NOS AD for his application? Again, there must be some 
reason for this. 
 
joe makes great points rgd. the support issues of an 
application which is fully integrated into the NOS AD, but is managed by a 
different team - possibly the vendor himself.  So knowledge about the 
planned support model will certainly help to discuss justification of a separate 
forest. Clearly, that should include management of that extra forest itself (who 
is responsible for backing up that forest and ensuring operation of the DCs 
etc.).
 
/Guido


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
joeSent: Thursday, July 20, 2006 10:55 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Vendor 
Domain

My first reaction is that that is pretty nebulous and hazy. 
I don't think they can compare whatever it is they do to a respirator and have 
validity, I think that would be talking apples and olive pits. 

 
Overall it sounds like a move to reduce support and 
troubleshooting costs by having a known fixed environment in which their app 
will run. It could even mean that they have bad decisions (and coding) in the 
software itself that has hard requirements to that specific layout so they don't 
have to code for a more generic setup. 
 
Certainly the concern that AD may not be stable is a valid 
one from a vendor doing managed service support standpoint as it is something I 
have encountered in the field myself. More environments than not that I 
have walked into to deploy Exchange the AD folks thought AD was perfectly fine 
and were surprised when Exchange dragged their DCs under water and I have to go 
through their design and figure out what exactly isn't optimal (hint usually the 
disk subsystems - stop using mirrors damnit). But if the 
customer is willing to accept that risk as a caveat to the support model then 
the vendor should be able to support it. This can and usually should have some 
level of impact on costing and possibly support levels and penalties (if they 
exist). It is cheaper to run support on a fixed known setup than it is to 
support something you didn't design and can't exercise control over. You as a 
customer would need to accept that as well. But it really comes back to whether 
the product will work in a generic environment at all and if the vendor is 
willing to put in the time to figure out their exposure and write the 
contract (and bill) to suitably cover for it. 
 
Taking this back to an Exchange example which is more 
familiar to many folks. Take the example where you want email and you bring 
someone in to create and run an Exchange service for you. You aren't managing or 
supporting it, it is all them, you simply give them the requirements. If 
they have a cookie cutter separate domain/forest solution it is something they 
have worked out and tested and understand and can best support. In general I 
think it is better for you and think it is good for you to strongly 
consider allowing them to run it that way because of the issues with 
Exchange and the resulting administration mess. It is tough to fight it because 
there aren't a lot of options outside of Exchange with the features people 
want... If you have strong feelings against that separate 
forest and want the vendor to forgo their own design, which does 
happen, they can and usually will run it from your forest however you 
have got to expect cost increases. You are basically telling the 
respirator company (to use that bad analogy) that you want the respirator to 
work in an entirely different way than the product you picked out of the 
catalog.
 
The prices increases are to cover real costs incurred by 
the vendor to cover a changed support model and cover for the extra 
design work that they would need to be involved in to support your 
environment. In addition, you would need to accept the caveats on 
service that they may need to put into place to protect themselves from lawsuits 
that are actually the fault of something they don't control. An example would 
be any issues that end up having a root cause back in the AD that you 
control releases them from SLA penalties and allows them to charge back costs 
associated with it. A specific example is say where you have company A running a 
mail service for you out of your directory and you allow local site admins to 
have extensive control over their users and one of the admins decided to give 
himself a 10GB quota and then uses it and kills the free space on the Exchange 
server causing the vendor to scramble resources to cover for the resulting 
issues. That absolutely needs to be charged back to the company and not the 
vendor. Even if you have separate groups in the same company running AD and 
Exchange those are things that get fights going over because the Exchange team 
is budgeted to cover E

RE: [ActiveDir] root admin account able to be locked out?

2006-07-22 Thread Thommes, Michael M.
Title: root admin account able to be locked out?








Jorge (and joe),

    Thanks for your reply on this issue!

 

Mike Thommes

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, July 18, 2006 3:43
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] root
admin account able to be locked out?



 





My experience with
this is





 





the default ADMINISTRATOR can be locked out (wait before
shouting!)





what I mean is that if you have a lockout threshold of
lets say 5, the lockoutTime attribute will show the lockout date and time the
account was locked. In ADUC (using another custom admin account for example)
you will see the default ADMINISTRATOR is locked you will even see and
event ID 644 mentioning the account lockout





 





HOWEVER here it comes...





 





while the default ADMINISTRATOR is locked, it will
unlocked automatically by the SYSTEM (DC) AS SOON AS the correct
password is used (even before it is unlocked after the unlock period)





 





jorge





 











Met vriendelijke
groeten / Kind regards,





Ing. Jorge de Almeida
Pinto





Senior Infrastructure
Consultant





MVP Windows
Server - Directory Services





 







LogicaCMG
Nederland B.V. (BU RTINC Eindhoven)





( Tel : +31-(0)40-29.57.777





(    Mobile : +31-(0)6-26.26.62.80



*   E-mail  : 









 







From:
[EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 2006-07-18 20:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] root admin
account able to be locked out?





Hi
AD Gurus!

 
We have penetration testing going on and I saw a security event log entry that showed
our root admin account getting locked out.  I was surprised because I
thought this account could never get locked out.  In addition,
we had a scheduled job that runs under the credentials of this root account
that ran successfully a couple of minutes *after*
the supposed account was locked.  (We have the standard 30 minute lockout
time.)  I think the reason that this happened was that the
penetration testing really didn’t lock out the root account but did
lockout the local SID 500 account that exists on all
servers (including domain controllers).  This is my
belief.  My officemate says there is no such account on a DC
and that the root account could have been locked out for a short period of time
but then made active again when AD saw what the account was or that the
security log entry is just bogus.  Can someone offer a little insight into
this (nope, no dinners or cash riding on this debate!).  Thanks much!

Mike
Thommes










Re: [ActiveDir] Replmon vs. dssite.msc

2006-07-22 Thread Matheesha Weerasinghe

If I understand correctly, replmon shows connection object info that
was retrieved from the dc itself. dssite.msc shows the connection
object info from the dc the snap-in is focused on.

please correct me if i've misunderstood

M@

On 7/19/06, Noah Eiger <[EMAIL PROTECTED]> wrote:





Hi –



I am trying to promote a new DC in a branch location. I also want this to be
the bridgehead for IP at this Site. The promo seems to have worked, but
there are some replication problems.



Why would replmon show different replication partners than the Active
Directory Sites and Services (dssite.msc) snap-in? I am running both tools
on the same machine and have confirmed that they connect to the same
machine.



Thanks.



-- nme


--
 No virus found in this outgoing message.
 Checked by AVG Free Edition.
 Version: 7.1.394 / Virus Database: 268.10.1/391 - Release Date: 7/18/2006


[EMAIL PROTECTED])