RE: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread neil.ruston



A senior guy IMO should be more focused on "design" aspects than "support" and thus should be able to answer questions along the lines of:

"How would you design a schema change process, encompassing initial request through to implementation."

The answer to the above should help determine a lot of info from that person (see below) - even if they cannot answer the question fully.

 - Does this person think logically
 - Does this person explain ideas in a cohesive manner
 - Does this person answer questions with fluff and BS or are they succinct
 - etc

To answer 'what do the FSMOs do?' one can simply state - "I'd look it up in a book". I'd therefore always try to ask questions which can only be answered through experience (where possible) and not just through reading a book.

My 2 penneth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: 24 July 2006 07:16
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

Brian,

That was a good story, very funny. So what did the guy do? Did he just get up and leave? I know from reading your posts you are usually straight and to the point. I would be sweating if I had to interview with you.

Going off course a bit. What are some types of AD questions that you all consider to be "senior level"? For example what if you ask someone how to do a metadata cleanup? Would you all consider that to be a mid level question? Just wondering because I always grapple trying to figure out questions for the mid vs. senior level candidate.
 
 
 
 
On 7/23/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

I've got no second thoughts about being an asshole during a tech interview. I ask the question, you either answer it or tell me you don't know. If you choose not to tell me you don't know and demonstrate that you don't know through what you tell me instead, I'm already pretty much through. If you're arrogant like this candidate you describe, I'm likely through as well.

My favorite exchange as of late goes like this:

Me - Tell me a little bit about your experience migrating Exchange 5.5 orgs to 2003
Them - blah blah blah
Me - Ok, can you name the three types of connection agreements in the ADC?
Them - well uh blah blah well uh excuse excuse
Me - other questions
Me - So would you be comfortable migrating a 10K user 5.5 org to 2003?
Them - Absolutely
Me - How can you be comfortable doing that when you can't even explain the first step of the migration to me?

In any case, others have put some really good advice here. What you want in a technical lead is someone who can get their hands dirty without getting scared or screwing up. They should also have no second thoughts about delegating work and asking their subordinates for help. That person needs to be able to deal with upper management, and they also need to make sure their self esteem is in check - none of that "I did X" when all they did is watch. Hiring your new manager can be a little difficult on both sides from the point of view of why wasn't someone on your team promoted to that position?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
> Sent: Sunday, July 23, 2006 11:11 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: Interview Techniques
>
> All
>
> I am currently in the process of interviewing job candidates who if successful will become my boss ;-) Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the "pleasure" of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly especially with the candidate who was bold enough to mention under key skills "very strong knowledge of windows 2000/2003 Active Directory".
>
> Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did. Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSE's.
>
> The feedback we received from the candidates afterwards said the interview style was . aggressive.
>
> So, my question to you guys is, if you are interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.
>
> Cheers
>
> Mudha
> {Newbie AD Guru wannabe ;0) }

RE: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread Steve Rochford



The "look it up in a book" or (preferably!) "look it up on the MS web site" is not a bad answer - as Joe said, people can't know everything but should be able to find it out.

Given that, I'd be tempted to give them access to the internet and then ask some questions which need both factual knowledge that's looked up and an ability to apply that knowledge.

Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 24 July 2006 08:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Interview Techniques

RE: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread Ken Schaefer








I suppose there are several "roles" that senior people could hold: some are managerial, some are architectural, and some are deeply technical (i.e. high level support). Architects, in that taxonomy, would do design work. Whereas a PSS engineer would probably spend more time with a debugger than using Word and Visio to produce high-level designs.

Cheers

Ken

 

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 24 July 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Interview Techniques
[ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread Matheesha Weerasinghe

All

Could someone with more experience with ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in the CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms option is grayed out here and I don't know how to do it.

Based on joe's comments I assumed the ldp.exe's ACL editor is the most comprehensive and capable ACL gui editor available. I must be doing something wrong here so I would appreciate some help.

Regards

M@
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

2006-07-24 Thread joe
I would say it was probably quite low relatively. Quite low is the norm for AD logs and by that it is usually barely registering compared to what you were doing the Log drive would have been hopping. I recall when you were IM'ing about it you mentioned the Log drive IOPS and I was like wow, I don't ever really expect to see those kind of numbers... 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, July 24, 2006 1:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

> The exception to this is the edge case of Eric's big DIT[1] in which
> he dumped 2TB of data into AD in a month at which point he did
> something that few people see, pushed the IOPS on the log drive
> through the roof.

Actually, log IOs were quite low, considering. I bet a single spindle
pair would have been enough for most of my work.
The real killer was random I/O throughout the DB. Here I was pushing
1800 read / 1800 write for most of the run. I really needed more SAN
paths because I'm pretty sure that was the bottleneck (it just wasn't
set up to have as many redundant paths as I didn't anticipate the
bottlenecks hit).

I keep meaning to write a follow-up post with a lot of data. I'll do so
this week and post it so this sort of stuff is a bit more clear.

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, July 22, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

Mirrors don't scale. 

Microsoft's deployment doc mostly just talks about using mirrors (small nod to RAID 10/0+1) so everyone thinks that they should build their Corporate DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone would build a corporate Exchange Server on mirrors... Why not? The DB is the same under both of them... What is critical to Exchange? IOPS and that means spindles. If something is really beating on AD and the entire DIT can't be cached, IOPS are critical to AD as well. The main difference is that AD is mostly random read and Exchange is heavy writing and reading. The exception to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data into AD in a month at which point he did something that few people see, pushed the IOPS on the log drive through the roof.

In a smaller environment (very low thousands), or for a low use DC (small WAN site), or a DC with a DIT fully cached a RAID-1 drive for DIT will probably be sufficient, you will note that the only numbers mentioned in the deployment guide are about 5000[2]... That usually means a small DIT and it is extremely likely that a K3 DC will cache the entire DIT. Plus the usage is probably such that the IO capability of two spindles will likely be ok. Let me state though that even in a small user environment if there was an intensive directory based app or a buttload of data that pushes the DIT into GB's instead of MBs I would still be watching my disk queueing pretty close as well as the Read and Write Ops.

AD admins who aren't running directory intensive apps (read as Exchange 2000+) usually don't see any issues but then again most aren't looking very closely at the counters because they haven't had a reason to and even if they had some short lived issues they probably wouldn't go look at the counters. At least that has been my experience in dealing with companies. I will admit that prior to implementing Exchange when I did AD Ops with a rather large company I didn't once look at the disk counters, didn't care, everything ran perfectly well and about the only measure of perf was replication latency and does ADUC start fast enough and it always was fine there unless there were network related issues or a DC was having hardware failure. 

Enter Exchange... Or some other app that pounds your DCs with millions of queries a day and tiny little bits of latency that you didn't previously feel start having an impact. You won't feel 70-80ms of latency in anything you are doing with normal AD tools or NOS ops, not at all. You will feel that with Exchange (and other heavy directory use apps), often with painful results unless it isn't consistent and the directory can unwind itself again and hence allow Exchange to then unwind itself.

Now let me point out, I don't deal with tiny companies for work, small to me is less than 40-50k. The smallest I tend to deal with is about 30k. I usually get called to walk in to Exchange issues where Exchange is underperforming or outright hanging, sometimes for hours at a time. There can be all sorts of issues causing this such as

O poor disk subsystem design for Exchange (someone say got fancy with a SAN layout and really didn't know what they were doing seems to be popular here)

O hardware/drivers on the Exchange server just ar

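The checks joe says he watches (whether the DIT can plausibly stay cached, and the read/write ops and queue length on the DIT and log volumes), as an added PowerShell example that is not code from the thread. It reads the DIT and log locations from the NTDS registry keys rather than assuming drive letters, and treats a sustained average disk queue length above the spindle count as saturation; that rule of thumb, and the default of 2 spindles for a RAID-1 pair, are assumptions of the example, not something the thread states.

```powershell
# Added example (not from the thread): sample the disk counters joe mentions on
# the volumes that actually hold the DIT and the logs, and compare queue length
# against the spindle count (2 for a RAID-1 pair). Assumption: run locally on
# the DC with rights to read performance counters; Get-Counter needs PowerShell 2.0+.
param([int]$Spindles = 2, [int]$Seconds = 30)

# NTDS records its file locations in the registry; read them rather than guessing.
$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditFile = $ntds.'DSA Database file'
$logDir  = $ntds.'Database log files path'

# Can the DIT plausibly be cached? Compare the file size with physical RAM.
$ditMB = (Get-Item $ditFile).Length / 1MB
$ramMB = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB
"DIT {0:N0} MB at {1}; logs in {2}; RAM {3:N0} MB" -f $ditMB, $ditFile, $logDir, $ramMB
if ($ditMB -gt $ramMB / 2) { Write-Warning 'DIT is large relative to RAM; expect disk reads to matter' }

# LogicalDisk instances are drive letters such as "E:"; sample each volume once.
$vols  = @($ditFile, $logDir) | ForEach-Object { Split-Path $_ -Qualifier } | Select-Object -Unique
$paths = @(foreach ($v in $vols) {
    "\LogicalDisk($v)\Disk Reads/sec"
    "\LogicalDisk($v)\Disk Writes/sec"
    "\LogicalDisk($v)\Avg. Disk Queue Length"
})
$paths += '\NTDS\LDAP Searches/sec'   # load the directory is under while sampling

$samples = (Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $Seconds).CounterSamples
$samples | Group-Object Path | ForEach-Object {
    $avg  = ($_.Group | Measure-Object CookedValue -Average).Average
    $max  = ($_.Group | Measure-Object CookedValue -Maximum).Maximum
    $note = ''
    # Rule of thumb (assumption): average queue length above the spindle count
    # means the volume cannot keep up with the IO being thrown at it.
    if ($_.Name -like '*queue length' -and $avg -gt $Spindles) {
        $note = "  <-- average queue {0:N1} exceeds {1} spindles" -f $avg, $Spindles
    }
    "{0,-60} avg {1,9:N1}  max {2,9:N1}{3}" -f $_.Name, $avg, $max, $note
}
```

Run it during the busy window (Exchange start of day, a bulk provisioning job) rather than at idle, since the point of joe's argument is that a mirror looks fine until something directory-intensive arrives.
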
RE: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread joe



This all started due to bad documentation on

http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true

which states

Note the value in the Value column. If the value is , the default value is in effect as follows:

• On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.

• On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't seeing this in an R2 forest hence his original question. The test R2 forests I have built I never checked TSL, just assumed it was 180 and normally I don't build R2 machines because I really don't much care about R2, SP1 is far more important for the stuff I play with. I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2.

My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the dock in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications.

Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after you already had an incident you will be like, WTF Microsoft. It also makes me wonder if there is anything else that was regressed...

   joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing entry for the tombstonelifetime property) but didn't think too much of it because for now I've only had to handle upgrading from Win2000 or 2003 to R2 where the Schema.ini doesn't play a role. It is "only" used to populate a blank schema at the time that you create a new AD forest - and yes, this means that your tombstone lifetime wouldn't match that of other Win2003 forests that were created from a DC that had SP1 applied to it...

I agree, not very nice, but easily fixed as you describe. Personally, I don't think too much of the fact that the tombstonelifetime was increased to 180 days in SP1 anyways. This was done to avoid issues for companies with a badly managed AD - I would generally much prefer to adjust the value to what is appropriate for a company's backup & recovery strategy. And this usually doesn't mean that you need to keep the "garbage" in your AD for 1/2 a year...

Granted, it's the inconsistency here with which MSFT has done the update of the schema.ini files which is not so nice - but the rules are pretty clear on how tombstone lifetime can be evaluated by an admin: if the attribute on the Directory Services object (tombstoneLifetime -> CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=) shows NOT SET, then it's the "original" default tombstone lifetime of 60 days. Else it's whatever number of days has been set either by the DCPROMO routine writing a specific value into the attribute when creating a new forest, or by an admin changing the value to whatever is appropriate.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 24, 2006 1:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Have you built an R2 Forest?

If so... you may want to peek at

http://blog.joeware.net/2006/07/23/484/

entitled "R2 tombstoneLifetime boo boo"
 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

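The evaluation rule Guido gives (attribute present means that many days, NOT SET means the hardcoded 60) and the fix joe describes (write the value explicitly with admod, adsiedit or similar), as an added PowerShell example that is not code from the thread. It reads the attribute through ADSI from the forest's own Configuration NC; the assumption is that it is run on a domain-joined machine with a reachable DC and, for -Fix, as an account allowed to write the Configuration NC (Enterprise Admins by default). The script name and its -Fix/-Days parameters are invented for the example.

```powershell
# Added example (not from the thread): evaluate tombstoneLifetime the way Guido
# describes (attribute absent => hardcoded 60-day default) and, with -Fix, set it
# explicitly, which is the admod/adsiedit change joe and Jorge refer to.
# Assumption: run on a domain-joined machine that can reach a DC; writing the
# Configuration NC needs Enterprise Admins rights by default.
param([switch]$Fix, [int]$Days = 180)

$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$raw      = $dsObj.psbase.Properties['tombstoneLifetime'].Value

if ($null -eq $raw) {
    # No value stored: the DS uses its built-in 60 days regardless of what the
    # media's schema.ini was supposed to have written at forest creation.
    $effective = 60
    "tombstoneLifetime on $configNC : NOT SET -> effective TSL 60 days (hardcoded default)"
} else {
    $effective = [int]$raw
    "tombstoneLifetime on $configNC : $effective days (explicit value)"
}

# The effective value, not the documented one, bounds how old a restorable
# backup may be and how long a DC can stay offline before it must be rebuilt.
if ($effective -lt $Days) {
    Write-Warning "Effective TSL ($effective days) is below the expected $Days days"
}

if ($Fix -and $effective -ne $Days) {
    $dsObj.psbase.Properties['tombstoneLifetime'].Value = $Days
    $dsObj.psbase.CommitChanges()
    $dsObj.psbase.RefreshCache()
    "tombstoneLifetime set to {0} days; reads back as {1}" -f $Days, $dsObj.psbase.Properties['tombstoneLifetime'].Value
}
```

Without -Fix the script only reports, so it is safe to run against every forest you are responsible for; the warning is the signal joe wants people to have before they plan a three-month DC outage around a TSL they never verified.
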

RE: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread neil.ruston



Thanks for this joe. That doc is more than bad - it's plain wrong :(

Just to further clarify:
1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
3. I only need to run the R2 adprep once per forest. [Stated for completeness]
4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?

I'm trying to understand the issue below but also how it is caused and how it may be caused again.

neil
PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

RE: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread joe
Beautiful, this is bug week

There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would
need to check in order to specify an inherit only ACE (i.e. Child Objects
Only).

2. When you try to work around it and specify the actual object types to
inherit to it creates two ACEs instead of one. The first ACE is the FC
inherit only to the object class you specify but then there is also a FC to
the object itself. In the example below note the TEST\joe ACEs... I only
added a single FC for nTDSConnection objects for test\joe but got that AND
the non-inheritable Test\joe FC on the object itself. 


G:\>dsacls "\\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc"
Access list:
Effective Permissions on this object are:
Allow TEST\joe                          FULL CONTROL
Allow TEST\Domain Admins                SPECIAL ACCESS
                                        DELETE
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
                                        LIST OBJECT
                                        CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Allow TEST\Domain Admins                FULL CONTROL
Allow TEST\Enterprise Admins            FULL CONTROL

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                FULL CONTROL
Allow TEST\Enterprise Admins            FULL CONTROL

Inherited to nTDSConnection
Allow TEST\joe                          FULL CONTROL
The command completed successfully



So in order to generate a generic FC that is only inherited, you can't, because of bug 1, do it with LDP. If you want to create an ACE for a specific objectclass (which nTDSConnection should be ok in terms of what you are trying to delegate) it can do it but you have to go back and clean up the additional ACE created by bug 2.


I will alert MSFT.

   joe
 



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with ldp provided with ADAM-SP1
tell me how I would go about configuring inherit-only Full Control
permissions on nTDSDSA objects in the
CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms
options is grayed out here and I dont know how to do it.

Based on joe's comments I assumed the ldp.exe's ACL editor is the most
comprehensive and capable ACL gui editor available. I must be doing
something wrong here so I would appreciate some help.

Regards

M@
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread Almeida Pinto, Jorge de



inline

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, July 24, 2006 16:01
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Have you built an R2 Forest?
  
  Thanks for this joe. That doc is more than bad - it's plain wrong :(

  Just to further clarify:
  1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
  [JdAP says:] YES (but it should be 180 days!)
  2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
  [JdAP says:] YES, ADD THE 180 VALUE
  3. I only need to run the R2 adprep once per forest. [Stated for completeness]
  [JdAP says:] YES
  4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
  [JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO

  I'm trying to understand the issue below but also how it is caused and how it may be caused again.
  [JdAP says:] WRONG SCHEMA.INI ON THE MEDIA

  neil
  PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: 24 July 2006 14:44
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Have you built an R2 Forest?
  
  This all started due to bad documentation on

  http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true

  which states

  Note the value in the Value column. If the value is "not set", the default value is in effect as follows:

  • On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.

  • On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.
   
   
  which was confusing a customer. Then after I 
  explained about how 60 days is hardcoded and 180 days was a schema.ini fix he 
  further indicated that he wasn't seeing this in an R2 forest hence his 
  original question. The test R2 forests I have built I never checked TSL, just 
  assumed it was 180 and normally I don't build R2 machines because I really 
  don't much care about R2, SP1 is far more important for the stuff I play with. 
  I mean really, how many people verify the TSL of their forest versus just 
  assuming it was whatever MSFT or someone representing MSFT said it should be. 
  I know I have told a ton of people that after SP1 the value is 180 and I 
  want to make sure I tell all of those same people that it really isn't in 
  R2.
   
  My concern is for people who have put an R2 forest 
  out there and are under the running assumption that they now have a 180 day 
  TSL and make some decision based on it (yes, it is ok if our DC sits on the 
  doc in Mexican customs for 3 months (this is a real example) because we have a 
  180 day TSL) and learn after the fact that it was incorrect. It also has 
  backup/restore implications. 
   
  Hopefully the above docs will be corrected and the 
  word will seep out and people will be aware. This is one of those things where 
  if you find it out after you already had an incident you will be like, WTF 
  Microsoft. It also makes me wonder if there is anything else that was 
  regressed...
   
     joe
   
   
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
  Sent: Monday, July 24, 2006 2:12 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Have you built an R2 Forest?
  
  hehe, yep I've seen that (the difference of the 
  Schema.ini files; i.e. missing entry for the tombstonelifetime property) but 
  didn't think too much of it because for now I've only had to handle upgrading 
  from Win2000 or 2003 to R2 where the Schema.ini doesn't play a role. It is 
  "only" used to populate a blank schema at the time that you create a new AD 
  forest - and yes, this means that your tombstone lifetime wouldn't match that 
  of other Win2003 forests that were created from a DC that had SP1 applied to 
  it...
   
  I agree, not very nice, but easily fixed as you describe. 
  Personally, I don't think too much of the fact that the tombstonelifetime was 
  increased to 180 days in SP1 anyways. This was done to avoid issues for 
  companies with a badly managed AD - I would generally much prefer to 
  adjust the value to what is appropriate for a company's backup & recovery 
  strategy. And this usually doesn't mean that you need to keep the "garbage" in 
  your AD for 1/2 a year...
   
  Granted, it's the inconsistency here with which MS

Re: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread Al Mulnick
I have to laugh.  This thread is starting to sound like the six blind men describing an elephant. 
 
As was mentioned, it is very hard to find somebody who can do the high-level design at all 8 layers, manage a staff of people, and still fit that into a 23 hour day. If you find one, keep him or her. If you don't find one, don't be terribly disappointed; look for one that's close and has the right personality to be made into one. There's plenty more of those, but be sure you're ready to keep him/her later because there are others looking for that type of person :)

 
FWIW, I think interviewing with Brian might be a laugh.  Can you answer all the questions?  Nope.  Not every one. But you can still enjoy it and I think Neil was wise enough to mention that, "no, I don't know it all but I do know how to use a book" :)  (ok, so I paraphrased.  The point is that you use it or lose it.  But knowing what questions to ask and where to find the answers is far more resilient than knowing everything there is to know about a product set on a given day.  Most of the players on the team that wrote the application or product don't know either.  But they do know where to go for the answers)

 
One thing that does come to mind would be to follow Brian's advice and ask open ended questions.  Those are going to be the hardest because you're not going to be able to study for that. You'll have to walk through it under the pressure of an interview.  That will tell the interviewer a lot about the person and what they would do 6 months from now when the technology is totally different and how they would deal with your unique situations. 

 
 
Best of luck in your hiring endeavors. I for one am interested to hear a follow up in a few months to hear how it went. 
 
 
Al
 
 
 
On 7/24/06, Ken Schaefer <[EMAIL PROTECTED]> wrote:




I suppose there are several "roles" that senior people could hold: some are managerial, some are architectural, and some are deeply technical (i.e. high level support). Architects, in that taxonomy, would do design work. Whereas a PSS engineer would probably spend more time with a debugger than using Word and Visio to produce high-level designs.

 
Cheers
Ken
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 24 July 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Interview Techniques


 

A senior guy IMO should be more focused on "design" aspects than "support" and thus should be able to answer questions along the line of:
 
"How would you design a schema change process, encompassing initial request through to implementation." 
 
The answer to the above should help determine a lot of info from that person (see below) - even if they cannot answer the question fully.
 
 - Does this person think logically
 - Does this person explain ideas in a cohesive manner
 - Does this person answer questions with fluff and BS or are they succinct
 - etc
 
To answer 'what do the FSMOs do?' one can simply state - "I'd look it up in a book". I'd therefore always try to ask questions which can only be answered through experience (where possible) and not just through reading a book.

 
My 2 penneth,
neil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mike kline
Sent: 24 July 2006 07:16
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques
Brian,
 
That was a good story, very funny.  So what did the guy do? Did he just get up and leave?  I know from reading your posts you are usually straight and to the point. I would be sweating if I had to interview with you.

 

Going off course a bit.  What are some types of AD questions that you all consider to be "senior level"?   For example what if you ask someone how to do a metadata cleanup?  Would you all consider that to be a mid level question?   Just wondering because I always grapple trying to figure out questions for the mid vs. senior level candidate.


 

 

 

 
 

On 7/23/06, Brian Desmond <[EMAIL PROTECTED]> wrote: 

I've got no second thoughts about being an asshole during a tech interview. I ask the question, you either answer it or tell me you don't know. If you choose not to tell me you don't know and demonstrate that you don't know through what you tell me instead, I'm already pretty much through. If you're arrogant like this candidate you describe, I'm likely through as well.

My favorite exchange as of late goes like this:

Me - Tell me a little bit about your experience migrating Exchange 5.5 orgs to 2003
Them - blah blah blah
Me - Ok, can you name the three types of connection agreements in the ADC?
Them - well uh blah blah well uh excuse excuse
Me - other questions
Me - So would you be comfortable migrating a 10K user 5.5 org to 2003?
Them - Absolutely
Me - How can you be comfortable doing that when you can't even explain the first step of the migration to me?

In any case, others have put some really good advice here. What you want in a technic

Re: [ActiveDir] back up strategies

2006-07-24 Thread Al Mulnick
I think Matt had some really good advice in terms of figuring out what your needs are prior to coming up with a backup plan.  As I'm fond of pointing out, backups are worthless, but restores are worth their weight in .  It's very important that you know what you need, what you want, and the difference between them. That's to help gauge the sticker shock when you have to get it all purchased and configured etc. 

 
As Susan points out, tapes might not be enough for you whereas it is for others.  
 
Figure out your requirements prior to your strategy and you'll get a much better system in place. 
 
Al 
On 7/24/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
Why tapes? (Just wondering as we've found tapes haven't kept up with drive sizes and need for speed during a backup window)
NAS, SAN, rotation of harddrives... etc...etc..

Matt Hargraves wrote:
> What is your plan?  Do you want speed in restoration or backup?  Do you have a 24-hour facility or is it an 8-hour facility?  Do you have a tape changer or a single tape unit (changing tapes daily)?
>
> If you have an 8-hour facility and the server is close to you, then weekend fulls and differentials is fine.  If you have a 24-hour facility, then weekend full and incrementals might be the way to go.  If you want to be able to have quick full system restores, then daily full backups is the best, but if you have a 24-hour facility then it's not practical and you're better off going with differentials throughout the week (2-tape restore).
>
> I generally recommend more tapes, though.  Something more like 20 daily tapes and 5 weekly tapes so that you can always go back at least a month.  You don't always realize that something needs to be restored immediately and being able to go back 3-4 weeks without going to the previous month's 'master' backup tape is always nice.  Tapes don't cost *that* much and if going back 3 weeks can save an engineer 30 hours of work on a CAD drawing, then it's a good plan.  But if you can only go back 1 and a half or 4 weeks back... you just lost 30 hours worth of work at around $75-100 per hour, that's between $2250 and 3k saved by one restoration.
>
> On 7/23/06, *Quatro Info* <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I am interested in your stories about back up strategies / procedures with all advantages and disadvantages involved.
>
> For example:
> Set up
> -Weekends full backups 2 tapes
> -Working days incremental 5 tapes
> -monthly full backups...12 tapes...1 each month.
>
> Which strategy is most efficient and reliable?
> When do you use full, copy, differential, incremental or daily? (Considering windows backup utility)
> Which software do you use?
>
> How often do you test a restore? (a few files)
> How often do you perform a full restore?
> If exchange or sql server is involved. For example with veritas remote agents. How often do you perform a restore on exchange databases / sql server databases?
> Do you keep an exact copy of the backup hardware involved on an external location in case of fire/ theft?
>
> All info is very appreciated.
>
> Thanks!
>
> Jorre



RE: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread joe



1. Yes
2. Yes
3. Yes, but this doesn't impact this issue because that 
assumes a pre-R2 forest. This issue is strictly with a forest initially built 
from an R2 machine.
4. Nope and Nope. The TSL will not revert in an existing 
forest, MSFT doesn't touch the existing value in a forest. The only time the TSL 
is modified is when you do it or when the forest is initially built. 

 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain 
wrong :(
 
Just to further clarify:
1. If I build a new R2 forest, I should expect a blank 
TSL - which implies a 60 days TSL. Correct?
2. All I need to do to 'fix' this 'issue' is to amend 
the TSL via admod or adsiedit or whatever... ? 
Correct?
3. I only need to run the R2 adprep once per forest. 
[Stated for completeness]
4. Do I need to run the R2 setup on each machine I 
build? Will this process revert the TSL back to 'not 
set'?
 
I'm trying to understand the issue below but also how 
it is caused and how it may be caused again.
 
neil
PS I agree re R2 and its value above and beyond SP1. 
But what a great marketing ploy :)
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

This all started due to bad documentation on

http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true

which states

Note the value in the Value column. If the value is "not set", the default value is in effect as follows:

• On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.

• On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.
 
 
which was confusing a customer. Then after I explained 
about how 60 days is hardcoded and 180 days was a schema.ini fix he further 
indicated that he wasn't seeing this in an R2 forest hence his original 
question. The test R2 forests I have built I never checked TSL, just assumed it 
was 180 and normally I don't build R2 machines because I really don't much care 
about R2, SP1 is far more important for the stuff I play with. I mean really, 
how many people verify the TSL of their forest versus just assuming it was 
whatever MSFT or someone representing MSFT said it should be. I know I have told 
a ton of people that after SP1 the value is 180 and I want to make sure I 
tell all of those same people that it really isn't in R2.
 
My concern is for people who have put an R2 forest out 
there and are under the running assumption that they now have a 180 day TSL and 
make some decision based on it (yes, it is ok if our DC sits on the doc in 
Mexican customs for 3 months (this is a real example) because we have a 180 day 
TSL) and learn after the fact that it was incorrect. It also has backup/restore 
implications. 
 
Hopefully the above docs will be corrected and the word 
will seep out and people will be aware. This is one of those things where if you 
find it out after you already had an incident you will be like, WTF Microsoft. 
It also makes me wonder if there is anything else that was 
regressed...
 
   joe
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

hehe, yep I've seen that (the difference of the Schema.ini 
files; i.e. missing entry for the tombstonelifetime property) but didn't think 
too much of it because for now I've only had to handle upgrading from Win2000 or 
2003 to R2 where the Schema.ini doesn't play a role. It is "only" used to 
populate a blank schema at the time that you create a new AD forest - and yes, 
this means that your tombstone lifetime wouldn't match that of other Win2003 
forests that were created from a DC that had SP1 applied to 
it...
 
I agree, not very nice, but easily fixed as you describe. 
Personally, I don't think too much of the fact that the tombstonelifetime was 
increased to 180 days in SP1 anyways. This was done to avoid issues for 
companies with a badly managed AD - I would generally much prefer to adjust 
the value to what is appropriate for a company's backup & recovery strategy. 
And this usually doesn't mean that you need to keep the "garbage" in your AD for 
1/2 a year...
 
Granted, it's the inconsistency here with

RE: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread Grillenmeier, Guido



just to be clear: 
step 3 (R2 adprep) is NOT needed at all if you build a new 
forest - you're not doing an upgrade here. 
Whenever you do an upgrade, you do NOT change the 
TSL.
 
The documentation is wrong as the TSL is always the 
hardcoded value of 60, if the value is "not set". If you've created a new forest 
from an SP1 DC it would be overwritten with an explicit value of 180.  This 
is what we'd also expect on R2, but due to an incomplete schema.ini file (which 
is missing the explicit setting of the TSL value to 180), a new R2 forest also 
has this value "not set" = 60.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, July 24, 2006 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

inline

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, July 24, 2006 16:01
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Have you built an R2 Forest?
  
  Thanks for this joe. That doc is more than bad - it's plain wrong :(

  Just to further clarify:
  1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
  [JdAP says:] YES (but it should be 180 days!)
  2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
  [JdAP says:] YES, ADD THE 180 VALUE
  3. I only need to run the R2 adprep once per forest. [Stated for completeness]
  [JdAP says:] YES
  4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
  [JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO

  I'm trying to understand the issue below but also how it is caused and how it may be caused again.
  [JdAP says:] WRONG SCHEMA.INI ON THE MEDIA

  neil
  PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: 24 July 2006 14:44
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Have you built an R2 Forest?
  
  This all started due to bad documentation on

  http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true

  which states

  Note the value in the Value column. If the value is "not set", the default value is in effect as follows:

  • On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.

  • On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.
   
   
  which was confusing a customer. Then after I 
  explained about how 60 days is hardcoded and 180 days was a schema.ini fix he 
  further indicated that he wasn't seeing this in an R2 forest hence his 
  original question. The test R2 forests I have built I never checked TSL, just 
  assumed it was 180 and normally I don't build R2 machines because I really 
  don't much care about R2, SP1 is far more important for the stuff I play with. 
  I mean really, how many people verify the TSL of their forest versus just 
  assuming it was whatever MSFT or someone representing MSFT said it should be. 
  I know I have told a ton of people that after SP1 the value is 180 and I 
  want to make sure I tell all of those same people that it really isn't in 
  R2.
   
  My concern is for people who have put an R2 forest 
  out there and are under the running assumption that they now have a 180 day 
  TSL and make some decision based on it (yes, it is ok if our DC sits on the 
  doc in Mexican customs for 3 months (this is a real example) because we have a 
  180 day TSL) and learn after the fact that it was incorrect. It also has 
  backup/restore implications. 
   
  Hopefully the above docs will be corrected and the 
  word will seep out and people will be aware. This is one of those things where 
  if you find it out after you already had an incident you will be like, WTF 
  Microsoft. It also makes me wonder if there is anything else that was 
  regressed...
   
     joe
   
   
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
  Sent: Monday, July 24, 2006 2:12 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Have you built an R2 Forest?
  
  hehe, yep I've seen that (the difference of the 
  Schema.ini files; i.e. missing entry for the tombstonelifetime property) but 
  didn't think too much of it because for now I've only had to handle upgrading 
  from Win2000 or 2003 to R2 where the Schema.ini doesn
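Jorge's and Guido's answers above come down to one check and one fix: an unset tombstoneLifetime means the hardcoded 60 days, and a forest built from R2 media needs the explicit 180 written by hand (admod, adsiedit or a script). The following PowerShell is an added example, not code from the thread or from Microsoft; it uses System.DirectoryServices only, reads the standard CN=Directory Service,CN=Windows NT,CN=Services object in the configuration partition, and the -BackupTaken check is an added illustration of the backup/restore implication joe mentions (a backup older than the TSL is not safe to restore). The parameter names and the 60-day default are the script's own assumptions.

```powershell
# Added example (not from the thread). Reports the forest's effective tombstone
# lifetime (TSL): an absent tombstoneLifetime attribute means the hardcoded
# 60-day default the thread describes, an explicit value overrides it. With
# -SetDays it writes an explicit value (e.g. 180), which is the admod/adsiedit
# fix discussed above. -BackupTaken checks whether a backup of that age is
# still within the TSL and therefore still usable for a restore.
# Assumptions: run as an account that can read (and, with -SetDays, write)
# CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition.
param(
    [int]$SetDays = 0,                       # 0 = report only
    [datetime]$BackupTaken = [datetime]::MinValue,
    [int]$HardcodedDefaultDays = 60          # what AD applies when the attribute is not set
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Returns Explicit (is the attribute set at all?) and Days (the value AD will apply).
function Get-EffectiveTsl {
    $raw = $dsObject.psbase.Properties["tombstoneLifetime"].Value
    if ($raw -eq $null) {
        New-Object PSObject -Property @{ Explicit = $false; Days = $HardcodedDefaultDays }
    } else {
        New-Object PSObject -Property @{ Explicit = $true; Days = [int]$raw }
    }
}

# A backup older than the TSL must not be restored: objects deleted since it
# was taken have already been garbage-collected on the other DCs, so restoring
# it would reintroduce them.
function Test-BackupWithinTsl([datetime]$taken, [int]$tslDays) {
    $age = (Get-Date) - $taken
    New-Object PSObject -Property @{
        AgeDays   = [int]$age.TotalDays
        Usable    = ($age.TotalDays -lt $tslDays)
        ExpiresOn = $taken.AddDays($tslDays)
    }
}

$before = Get-EffectiveTsl
if ($before.Explicit) {
    "tombstoneLifetime is set explicitly: {0} days" -f $before.Days
} else {
    "tombstoneLifetime is not set: hardcoded default of {0} days applies" -f $before.Days
}

if ($SetDays -gt 0) {
    # The attribute lives in the configuration partition, so one write covers
    # the whole forest once it has replicated.
    $dsObject.psbase.Properties["tombstoneLifetime"].Value = $SetDays
    $dsObject.psbase.CommitChanges()
    $after = Get-EffectiveTsl
    "tombstoneLifetime now set explicitly to {0} days" -f $after.Days
}

if ($BackupTaken -ne [datetime]::MinValue) {
    Test-BackupWithinTsl $BackupTaken (Get-EffectiveTsl).Days | Format-List
}
```

Run it with no parameters first to see what the forest actually has, which is the verification joe says hardly anyone does; `-SetDays 180` then writes the value once for the forest. Pairing `-BackupTaken` with the reported TSL turns the "it also has backup/restore implications" remark into a concrete yes/no for a given backup set.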

Re: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread Matheesha Weerasinghe

I dunno about you guys but I am very disappointed with the tools
available to me for configuring perms. dsacls can configure most perms
but can't configure control access rights to certain attribs of certain
objects. (e.g. when you configure an attribute as confidential and
need to allow certain people the control access right to view the
attribute). dsacls also can't display perms that great and gives
details as "special access". In order to see what's special, I have to
use something like acldiag and sdcheck. And then to revoke, yet
another tool dsrevoke which only works on domain objects and OUs.

After reading joe's book I figured ldp.exe from ADAM-SP1, here I come.
Now that also has issues.

I know I can write scripts for handling this. But they are cumbersome
and slow. I think a nice fast C++ tool that does all this would be
much appreciated. I am not sure how hard this is to do. But MSFT
certainly have the expertise. Maybe Longhorn will ship with
something like that. But I ain't holding my breath.

I am no expert and no MVP. I ain't convinced my rant is gonna be heeded.
But please, guys out there with the influence (MVPs) help!!

M@


P.S Please!!!


On 7/24/06, joe <[EMAIL PROTECTED]> wrote:

Beautiful, this is bug week

There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would
need to check in order to specify an inherit only ACE (i.e. Child Objects
Only).

2. When you try to work around it and specify the actual object types to
inherit to it creates two ACEs instead of one. The first ACE is the FC
inherit only to the object class you specify but then there is also a FC to
the object itself. In the example below note the TEST\joe ACEs... I only
added a single FC for nTDSConnection objects for test\joe but got that AND
the non-inheritable Test\joe FC on the object itself.


G:\>dsacls "\\r2dc1\CN=NTDS
Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=test,DC=loc"
Access list:
Effective Permissions on this object are:
Allow TEST\joe  FULL CONTROL
Allow TEST\Domain AdminsSPECIAL ACCESS
   DELETE
   READ PERMISSONS
   WRITE PERMISSIONS
   CHANGE OWNERSHIP
   CREATE CHILD
   LIST CONTENTS
   WRITE SELF
   WRITE PROPERTY
   READ PROPERTY
   DELETE TREE
   LIST OBJECT
   CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
   READ PERMISSONS
   LIST CONTENTS
   READ PROPERTY
   LIST OBJECT
Allow NT AUTHORITY\SYSTEM   FULL CONTROL
Allow TEST\Domain AdminsFULL CONTROL   
Allow TEST\Enterprise AdminsFULL CONTROL   

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain AdminsFULL CONTROL   
Allow TEST\Enterprise AdminsFULL CONTROL   

Inherited to nTDSConnection
Allow TEST\joe  FULL CONTROL
The command completed successfully



So in order to generate a generic FC that is only inherited, you can't,
because of bug 1, do it with LDP. If you want to create an ACE for a specific
objectclass (which nTDSConnection should be ok in terms of what you are
trying to delegate) it can do it but you have to go back and clean up the
additional ACE created by bug 2.


I will alert MSFT.

  joe




--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with ldp provided with ADAM-SP1
tell me how I would go about configuring inherit-only Full Control
permissions on nTDSDSA objects in the
CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms
option is grayed out here and I don't know how to do it.

Based on joe's comments I assumed the ldp.exe's ACL editor is the most
comprehensive and capable ACL gui editor available. I must be doing
something wrong here so I would appreciate some help.

Regards

M@
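The two LDP ACL-editor bugs joe describes above (the greyed-out inherit-only box, and the extra non-inherited Full Control ACE left on the object itself) and M@'s complaint that dsacls collapses the interesting detail into "SPECIAL ACCESS" can both be handled from a script. The following PowerShell is an added example, not code from the thread or from any of the tools it names; it uses System.DirectoryServices only (no RSAT), and the DN, trustee and class name are placeholders lifted from joe's test output that you would replace with your own.

```powershell
# Added example (not from the thread). Decodes the ACEs on one AD object with
# the inheritance detail that dsacls hides behind "SPECIAL ACCESS", optionally
# adds an inherit-only Full Control ACE for one child object class (what the
# greyed-out "inherit only" box in LDP would do), and flags or removes a stray
# Full Control ACE that applies to the object itself (joe's bug 2).
# Assumptions: placeholder DN/trustee/class below; run as an account allowed to
# read (and, with -Add/-RemoveStray, write) the object's security descriptor.
param(
    [string]$ObjectDN   = "CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc",
    [string]$Trustee    = "TEST\joe",
    [string]$ChildClass = "nTDSConnection",
    [switch]$Add,          # add the inherit-only FC ACE for $ChildClass
    [switch]$RemoveStray   # remove FC ACEs for $Trustee that apply to the object itself
)

$FullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow

# Inherited-object ACEs are keyed by the class's schemaIDGUID, so resolve the
# class name through the schema partition instead of hardcoding a GUID.
function Get-ClassGuid([string]$ldapDisplayName) {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNC = [string]$rootDse.schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNC"
    $searcher.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$ldapDisplayName))"
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "class $ldapDisplayName not found in schema" }
    New-Object Guid (,[byte[]]$hit.Properties["schemaidguid"][0])
}

# One row per ACE: who, what, whether it applies to the object itself
# (InheritOnly clear) and which child class it is inherited to.
function Get-DecodedAces([System.DirectoryServices.ActiveDirectorySecurity]$sec) {
    foreach ($ace in $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        New-Object PSObject -Property @{
            Trustee          = $ace.IdentityReference.Value
            Type             = $ace.AccessControlType
            Rights           = $ace.ActiveDirectoryRights
            AppliesToObject  = (($ace.PropagationFlags -band $InheritOnly) -eq 0)
            InheritedToClass = $ace.InheritedObjectType
            FromParent       = $ace.IsInherited
        }
    }
}

# Explicit Allow/Full Control ACEs for the trustee that are not inherit-only:
# the extra ACE joe saw next to his intended nTDSConnection-only one.
function Get-StrayFullControl([System.DirectoryServices.ActiveDirectorySecurity]$sec, [string]$who) {
    $sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) | Where-Object {
        $_.IdentityReference.Value -eq $who -and
        $_.AccessControlType -eq $Allow -and
        ($_.ActiveDirectoryRights -band $FullControl) -eq $FullControl -and
        ($_.PropagationFlags -band $InheritOnly) -eq 0
    }
}

$obj = [ADSI]"LDAP://$ObjectDN"
$sec = $obj.psbase.ObjectSecurity
$nt  = New-Object System.Security.Principal.NTAccount($Trustee)

if ($Add) {
    # Descendents = ContainerInherit + InheritOnly: the ACE never applies to
    # the object itself, only to child objects of the given class.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $nt, $FullControl, $Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-ClassGuid $ChildClass))
    $sec.AddAccessRule($rule)
    $obj.psbase.CommitChanges()
}

$stray = @(Get-StrayFullControl $sec $Trustee)
if ($stray.Count -gt 0) {
    Write-Warning ("{0} Full Control ACE(s) for {1} apply to the object itself" -f $stray.Count, $Trustee)
    if ($RemoveStray) {
        # Remove the exact ACEs found rather than rebuilding them by hand, so
        # only the stray entries go and the inherit-only one stays.
        foreach ($r in $stray) { $sec.RemoveAccessRuleSpecific($r) }
        $obj.psbase.CommitChanges()
    }
}

Get-DecodedAces $sec | Format-Table Trustee, Type, Rights, AppliesToObject, InheritedToClass, FromParent -AutoSize
```

Run it without switches to get the decoded list (the AppliesToObject and InheritedToClass columns are what dsacls folds into "SPECIAL ACCESS" and "Inherited to ..."); `-Add` writes the inherit-only ACE that bug 1 stops you from creating in the GUI; `-RemoveStray` deletes only ACEs that grant the trustee Full Control on the object itself, which is the clean-up joe describes for bug 2. Try it against a test object first and compare the output with `dsacls` on the same DN.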

[ActiveDir] Reset home page via GPO

2006-07-24 Thread Larry Wahlers
Hello, colleagues,

Our HR department wants everybody's IE home page reset to our intranet
home page. I presume the way to do this is via GPO, and apply it only to
the users' OU. 

Are there any issues (other than political ones, of course) with doing
this?

(Just an aside: We're back to work following the worst power outage in
St. Louis history. Over 500,000 people without power for several days,
and nearly 200,000 still out. Very interesting week we just had.)

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


RE: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread neil.ruston



LOL. I'd say it's more like watching 6 people describe a 
"wibble", where none of them has been told what a "wibble" actually is 
:)
 
As per most responses here (or at least what we *should* 
respond with) - "it depends".
 
I'd still argue that there's little value in asking very 
specific in depth technical questions - that's more of a memory test than 
anything else. I'd rather ask questions that help the candidate show me what 
he/she *can* do and do know rather than what they cannot do or do not 
know.
 
I agree that a slightly aggressive approach is useful to 
determine how the candidate performs under pressure - I would suggest you 
forewarn the candidate they are going to receive a tech grilling - most won't expect 
that and so will be rocked onto the back foot when it happens 
:)
 
Another 2 penneth,
neil
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 24 July 2006 15:41
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

I have to laugh.  This thread is starting to sound like the six blind 
men describing an elephant. 
 
As was mentioned, it is very hard to find somebody who can do the 
high-level design at all 8 layers, manage a staff of people, and still fit that 
into a 23 hour day. If you find one, keep him or her. If you don't find one, 
don't be terribly disappointed; look for one that's close and has the right 
personality to be made into one. There's plenty more of those, but be sure 
you're ready to keep him/her later because there are others looking for that 
type of person :) 
 
FWIW, I think interviewing with Brian might be a laugh.  Can you 
answer all the questions?  Nope.  Not every one. But you can still 
enjoy it and I think Neil was wise enough to mention that, "no, I don't know it 
all but I do know how to use a book" :)  (ok, so I paraphrased.  The 
point is that you use it or lose it.  But knowing what questions to ask and 
where to find the answers is far more resilient than knowing everything there is 
to know about a product set on a given day.  Most of the players on the 
team that wrote the application or product don't know either.  But they do 
know where to go for the answers) 
 
One thing that does come to mind would be to follow Brian's advice and ask 
open ended questions.  Those are going to be the hardest because you're not 
going to be able to study for that. You'll have to walk through it under the 
pressure of an interview.  That will tell the interviewer a lot about the 
person and what they would do 6 months from now when the technology is totally 
different and how they would deal with your unique situations. 
 
 
Best of luck in your hiring endeavors. I for one am interested to hear a 
follow up in a few months to hear how it went. 
 
 
Al
 
 
 
On 7/24/06, Ken 
Schaefer <[EMAIL PROTECTED]> wrote: 

  
  
  
  I suppose there are several "roles" 
  that senior people could hold: some are managerial, some are architectural, 
  and some are deeply technical (i.e. high level support). Architects, in that 
  taxonomy, would do design work. Whereas a PSS engineer would probably spend 
  more time with a debugger than using Word and Visio to produce high-level 
  designs. 
   
  Cheers
  Ken
   
   
  
  
  

Re: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread Mudha Godasa
I will absolutely let you know of all the gory
details. I sure hope I don't get an $%^$£"! for a boss.
;-)

Cheers

P.S. Anyone want a job? ;0)



RE: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread WATSON, BEN










Byron,

 

I
thought you might find this a good read.  It’s an e-mail from Joe
Richards (author of the Active Directory O’Reilly book).  He’s
talking about why a tech lead (architect here at AppSig) should definitely be a
separate role from an actual manager.

 

Much
like I would rather hit the role of an architect before I would like to begin
thinking of moving into any managerial role.

 

~Ben

 

 



 

 

Interesting, I have a pretty different
view on tech lead. The things you mention (handing out tasks, interfacing with upper management,
discipline, etc...) are out and out
managerial tasks from my viewpoint and if I had a manager and a tech lead, I
wouldn't take any of that from the tech lead. I consider tech lead as senior
techy, the guy whom you go to when you are out of ideas on what to do next to
solve a technical problem. The manager is who you go to for interfacing with anyone
outside of the group, personnel issues and getting your tasks.  I
think the manager and the tech lead need to work very closely but that is
mostly to keep the manager in a good place, informed, and pointed in the
right direction such that managerial decisions don't adversely impact the
technical aspects of the work too much as well as letting the manager know what
the technical priorities are from the tech lead's viewpoint and so the manager
can tell the tech lead what the real priorities are as they are decided by the
manager. For instance if going into a meeting with a "customer"[1]
the tech lead feeds the manager with as much knowledge as necessary so the
manager isn't completely at a loss in the meeting and as things dive into tech,
if they do, the tech lead is either there (if it is known ahead of time it will
get deep) or available via phone to help.

 

Tech and managerial pieces do not normally
fit together well, very different skill sets and strengths needed to do one or
the other well. Very few people, IMO, can be good at tech and good at
managerial. Unfortunately many companies do not see this and in order for
someone to move up through the ranks they must assume managerial duties when in
fact the company should have a managerial track and a technical track for the
folks to follow so they can stick with the areas in which they have the
greatest strength. Hopefully it is getting more and more obvious to companies
that trying to make people spend all of their time trying to improve on
their weaknesses versus utilizing their strengths is a losing proposition. To
put it another way, if someone is an amazing techy and a horrible manager, you
don't force them to spend their time trying to be a mediocre manager. That is
the person that everyone will point at and say they are a sucky manager. 

 

  joe

 

 

[1] Define as you wish, different groups
have different customers. IT has the business, the business could have another
aspect of the business or external, etc.

 



 



--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 








RE: [ActiveDir] DNS Issue

2006-07-24 Thread Wyatt, David

Hi Steve

Interesting findings.  Firstly, yes I am clearing the DNS Cache and not
doing ipconfig /flushdns on the DC.

I have shown the d2 output below but also see the following:

1.  Clear the DNS cache on DC
2.  Submit query for server1.nyc.test.com - success
3.  Explicitly delete the record for above host from the cache leaving
the nyc parent folder in cache.
4.  Submit query for server1.nyc.test.com - fail
5.  Delete nyc parent folder
6.  Submit query for server1.nyc.test.com - success

So what I think is happening is when the TTL for the cached record
expires it gets deleted (as per the manual deletion above) then
subsequent queries fail.

Note that the DNS servers for test.com are QIP based - may have a
bearing?


> server1.nyc.test.com
Server:  dns1.int.mycorp.com
Address:  x.x.x.x


SendRequest(), len 62
HEADER:
opcode = QUERY, id = 15, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN



Got answer (135 bytes):
HEADER:
opcode = QUERY, id = 15, rcode = NXDOMAIN
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 1,  additional
= 0

QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
->  int.mycorp.com
type = SOA, class = IN, dlen = 47
ttl = 3600 (1 hour)
primary name server = dns1.int.mycorp.com
responsible mail addr = hostmaster.int.mycorp.com
serial  = 54966
refresh = 900 (15 mins)
retry   = 600 (10 mins)
expire  = 86400 (1 day)
default TTL = 3600 (1 hour)



SendRequest(), len 55
HEADER:
opcode = QUERY, id = 16, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN



Got answer (118 bytes):
HEADER:
opcode = QUERY, id = 16, rcode = NXDOMAIN
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 1,  additional
= 0

QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
->  mycorp.com
type = SOA, class = IN, dlen = 44
ttl = 86400 (1 day)
primary name server = name.int.com
responsible mail addr = postmaster.int.com
serial  = 2006072002
refresh = 1800 (30 mins)
retry   = 900 (15 mins)
expire  = 604800 (7 days)
default TTL = 86400 (1 day)



SendRequest(), len 47
HEADER:
opcode = QUERY, id = 17, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com, type = A, class = IN



Got answer (47 bytes):
HEADER:
opcode = QUERY, id = 17, rcode = SERVFAIL
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com, type = A, class = IN


*** dns1.int.mycorp.com can't find server1.nyc.test.com: Server
failed
>


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 24 Jul 2006 3:58
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


David,
  A few more questions.  When you state you cleared the cache I want to
ensure this meant clearing the Cache on the DNS Server not the client
resolver cache.  Also if you open the DNS snap-in in advanced mode and
look in the cache do you see a record for nyc.test.com and if so can you
provide a screenshot of the entry from the DNS MMC?  Finally can you go
to the DNS server, open a cmd prompt and launch nslookup.  Type "set d2"
without the quotes so that you get additional debug output and then type
in nyc.test.com and post the output.  Why am I asking all of these
questions?  Well we had a few issues where the DNS servers cache may not
correctly cache entries causing the behavior that you are seeing.
Sometimes even though you clear the cache if the record is looked up
frequently then even clearing the cache will not resolve the issue long
enough to see it corrected.  I thought that all of these had been
addressed by the build that you are running however the output from the
above tests should let us see what is going on.
 
Thanks,
 
-Steve 




This message c
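
The "set d2" trace above is easier to read once the search-suffix devolution (the NXDOMAINs for server1.nyc.test.com.int.mycorp.com and server1.nyc.test.com.mycorp.com) is separated from the reply that actually matters, the SERVFAIL on the bare name. The following Python is an added example, not code from the thread: it pairs each SendRequest() with its "Got answer" by query id and reports which query failed. The trace embedded in it is a constructed excerpt in the same shape as the output above, not the poster's verbatim output.

```python
import re
from dataclasses import dataclass

# Constructed trace in the shape of the "set d2" output above (illustrative).
SAMPLE_TRACE = """\
> server1.nyc.test.com

SendRequest(), len 62
HEADER:
opcode = QUERY, id = 15, rcode = NOERROR
questions = 1,  answers = 0,  authority records = 0,  additional = 0
QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN

Got answer (135 bytes):
HEADER:
opcode = QUERY, id = 15, rcode = NXDOMAIN
questions = 1,  answers = 0,  authority records = 1,  additional = 0
QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
->  int.mycorp.com
type = SOA, class = IN, dlen = 47

SendRequest(), len 55
HEADER:
opcode = QUERY, id = 16, rcode = NOERROR
QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN

Got answer (118 bytes):
HEADER:
opcode = QUERY, id = 16, rcode = NXDOMAIN
questions = 1,  answers = 0,  authority records = 1,  additional = 0
QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN

SendRequest(), len 47
HEADER:
opcode = QUERY, id = 17, rcode = NOERROR
QUESTIONS:
server1.nyc.test.com, type = A, class = IN

Got answer (47 bytes):
HEADER:
opcode = QUERY, id = 17, rcode = SERVFAIL
questions = 1,  answers = 0,  authority records = 0,  additional = 0
QUESTIONS:
server1.nyc.test.com, type = A, class = IN
"""

HEADER_RE = re.compile(r"opcode = (\w+), id = (\d+), rcode = (\w+)")
COUNTS_RE = re.compile(r"questions = \d+,\s+answers = (\d+)")
QUESTION_RE = re.compile(r"^(\S+), type = (\w+), class = \w+$")


@dataclass
class Exchange:
    qid: int
    qname: str = ""
    qtype: str = ""
    rcode: str = ""    # rcode of the answer ("" if the trace shows no answer)
    answers: int = 0   # answer-section count from the reply


def parse_d2_trace(text):
    """Pair each SendRequest() with its 'Got answer' by query id, in trace order."""
    exchanges, current, in_answer = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SendRequest("):
            in_answer = False
        elif line.startswith("Got answer"):
            in_answer = True
        elif (m := HEADER_RE.search(line)):
            qid = int(m.group(2))
            current = exchanges.setdefault(qid, Exchange(qid))
            if in_answer:                      # the request header's rcode is meaningless
                current.rcode = m.group(3)
        elif current and in_answer and (m := COUNTS_RE.match(line)):
            current.answers = int(m.group(1))
        elif current and not current.qname and (m := QUESTION_RE.match(line)):
            current.qname, current.qtype = m.group(1), m.group(2)
    return list(exchanges.values())


def classify(exchanges, name):
    """Tag each query as search-suffix devolution or the query for the bare name."""
    bare = name.rstrip(".")
    return [(e.qname,
             "suffix-appended" if e.qname != bare and e.qname.startswith(bare + ".") else "bare",
             e.rcode) for e in exchanges]


def root_cause(exchanges, name):
    """NXDOMAIN on suffixed names is expected noise; the verdict is the bare-name reply."""
    bare = [e for e in exchanges if e.qname == name.rstrip(".")]
    if not bare:
        return "no query for the bare name was sent (client search-list problem)"
    final = bare[-1]
    if final.rcode == "NOERROR" and final.answers > 0:
        return "resolved"
    if final.rcode == "SERVFAIL":
        return "SERVFAIL on the bare name: the server (or its cache) failed, not the client"
    return f"bare name returned {final.rcode}"
```

Run against a trace captured on the DC itself, a SERVFAIL on the bare name after the record's TTL expired points at the server-side cache, which is the pattern David describes in steps 3 and 4.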

RE: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread WATSON, BEN








Well, that was a forwarded e-mail gone
wrong.  Just ignore my inability to properly replace the TO field with the
appropriate e-mail address.  L

 










RE: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread neil.ruston



thanks horhay :)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

inline

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, July 24, 2006 16:01
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Have you built an R2 Forest?
  
  Thanks for this joe. That doc is more than bad - it's 
  plain wrong :(
   
  Just to further clarify:
  1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
  [JdAP says:] YES (but it should be 180 days!)
  2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
  [JdAP says:] YES, ADD THE 180 VALUE
  3. I only need to run the R2 adprep once per forest. [Stated for completeness]
  [JdAP says:] YES
  4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
  [JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO
   
  I'm trying to understand the issue below but also how it is caused and how it may be caused again.
  [JdAP says:] WRONG SCHEMA.INI ON THE MEDIA
   
  neil
  PS I agree re R2 and its value above and beyond SP1. 
  But what a great marketing ploy :)
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: 24 July 2006 14:44
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Have you built an R2 Forest?
  
  This all started due to bad documentation on 
  
   
  http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true
   
  which states
   
  
  Note the value in the Value column. If the value is <not set>, the default value is in effect as follows:

  • On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.

  • On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.
   
   
  which was confusing a customer. Then after I 
  explained about how 60 days is hardcoded and 180 days was a schema.ini fix he 
  further indicated that he wasn't seeing this in an R2 forest hence his 
  original question. The test R2 forests I have built I never checked TSL, just 
  assumed it was 180 and normally I don't build R2 machines because I really 
  don't much care about R2, SP1 is far more important for the stuff I play with. 
  I mean really, how many people verify the TSL of their forest versus just 
  assuming it was whatever MSFT or someone representing MSFT said it should be. 
  I know I have told a ton of people that after SP1 the value is 180 and I 
  want to make sure I tell all of those same people that it really isn't in 
  R2.
   
  My concern is for people who have put an R2 forest 
  out there and are under the running assumption that they now have a 180 day 
  TSL and make some decision based on it (yes, it is ok if our DC sits on the 
  doc in Mexican customs for 3 months (this is a real example) because we have a 
  180 day TSL) and learn after the fact that it was incorrect. It also has 
  backup/restore implications. 
   
  Hopefully the above docs will be corrected and the 
  word will seep out and people will be aware. This is one of those things where 
  if you find it out after you already had an incident you will be like, WTF 
  Microsoft. It also makes me wonder if there is anything else that was 
  regressed...
   
     joe
   
   
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
  Sent: Monday, July 24, 2006 2:12 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Have you built an R2 Forest?
  
  hehe, yep I've seen that (the difference of the 
  Schema.ini files; i.e. missing entry for the tombstonelifetime property) but 
  didn't think too much of it because for now I've only had to handle upgrading 
  from Win2000 or 2003 to R2 where the Schema.ini doesn't play a role. It is 
  "only" used to populate a blank schema at the time that you create a new AD 
  forest - and yes, this means that your tombstone lifetime wouldn't match that 
  of other Win2003 forests that were created from a DC that had SP1 applied to 
  it...
   
  I agree, not very nice, but easily fixed as you describe. 
  Personally, I don't think too much of the fact that the tombstonelifetime was 
  increased to 180 days in SP1 anyways. This was done to avoid issues for 
  companies with a badly managed AD - I would generally much prefer to 
  adjust the value to w

RE: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread Almeida Pinto, Jorge de



crap, incomplete answer. thanks guido.
correct, my answer for (3) should have been (in addition to 
what guido said):
* YES, but only when upgrading (from either W2K, 
W2K3/W2K3SP1) AND R2 functionality is needed that requires the schema extension 
(DFS-R, Printer Connections through GPOs, UnixIDm)
 
jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
  Sent: Monday, July 24, 2006 17:25
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Have you built an R2 Forest?
  
  just to be clear: 
  step 3 (R2 adprep) is NOT needed at all if you build a 
  new forest - you're not doing an upgrade here. 
  Whenever you do an upgrade, you do NOT change the 
  TSL.
   
  The documentation is wrong as the TSL is always the 
  hardcoded value of 60, if the value is "not set". If you've created a new 
  forest from an SP1 DC it would be overwritten with an explicit value of 
  180.  This is what we'd also expect on R2, but due to an incomplete 
  schema.ini file (which is missing the explicit setting of the TSL value to 
  180), a new R2 forest also has this value "not set" = 60.
   
  /Guido
  
  

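Guido's point above (a TSL that is "not set" means the hardcoded 60 days, an SP1-built forest carries an explicit 180, and a forest built from R2 media is left unset) and Jorge's fix (write 180 explicitly) can both be checked and applied from an export of the Directory Service object. The Python below is an added example, not the thread's or any tool's code. It assumes the object was exported with ldifde -f ds.ldf -d "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root DN>"; the forest root DC=corp,DC=example in the constructed samples is hypothetical.

```python
HARDCODED_DEFAULT_DAYS = 60   # what a DC uses when tombstoneLifetime is <not set>
SP1_DEFAULT_DAYS = 180        # what SP1's schema.ini writes into a brand-new forest
DS_RDN = "cn=directory service,cn=windows nt,cn=services,cn=configuration,"

# Constructed export of the Directory Service object from a fresh R2 forest
# (hypothetical forest DC=corp,DC=example); note there is no tombstoneLifetime line.
R2_EXPORT = """\
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=corp,DC=example
changetype: add
objectClass: top
objectClass: nTDSService
cn: Directory Service
"""

# Same object from a forest built on an SP1 DC (constructed): explicit 180.
SP1_EXPORT = R2_EXPORT + "tombstoneLifetime: 180\n"


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, return [(dn, {attr: [values]})]."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:              # trailing "" closes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()   # attribute names are case-insensitive
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
    return entries


def directory_service_entry(entries):
    """Locate the Directory Service object regardless of the forest root DN."""
    for dn, attrs in entries:
        if dn.lower().startswith(DS_RDN):
            return dn, attrs
    raise ValueError("Directory Service object not found in export")


def effective_tsl_days(entries):
    """Return (explicit value or None, days the DC actually uses)."""
    _, attrs = directory_service_entry(entries)
    values = attrs.get("tombstonelifetime")
    if values:
        return int(values[0]), int(values[0])
    return None, HARDCODED_DEFAULT_DAYS      # "not set" falls back to the hardcoded 60


def tsl_fix_ldif(entries, days=SP1_DEFAULT_DAYS):
    """LDIF modify record that pins tombstoneLifetime explicitly (import with ldifde -i -f fix.ldf)."""
    dn, _ = directory_service_entry(entries)
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: tombstoneLifetime", f"tombstoneLifetime: {days}", "-", ""])


if __name__ == "__main__":
    for label, export in (("R2 media build", R2_EXPORT), ("SP1 build", SP1_EXPORT)):
        explicit, effective = effective_tsl_days(parse_ldif(export))
        print(f"{label}: explicit={explicit} effective={effective} days")
    print(tsl_fix_ldif(parse_ldif(R2_EXPORT)))
```

Checking the effective value rather than trusting the documentation is the point of joe's message: a DC (or a backup) older than the effective TSL is the operational risk, whatever the media was supposed to set.
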
RE: [ActiveDir] Reset home page via GPO

2006-07-24 Thread David Adner
This IE setting can be applied via "policy mode" or "preferences mode".
Policy mode is what you normally think of when configuring GPO settings in
that it'll be reset if a user ever changes it.  Preferences mode only
changes the initial value but allows the user to change it afterwards if
they like without having it switch back each time GPOs are applied.
Instead, it is only reset if the GPO itself is modified.

Also, if by chance you're using NT authentication to browse to that homepage
be sure the web servers and DCs servicing them can support the load.  You
might also consider anonymous access to the homepage itself and then
authentication to the sites off it.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
> Sent: Monday, July 24, 2006 10:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Reset home page via GPO
> 
> Hello, colleagues,
> 
> Our HR department wants everybody's IE home page reset to our 
> intranet home page. I presume the way to do this is via GPO, 
> and apply it only to the users' OU. 
> 
> Are there any issues (other than political ones, of course) 
> with doing this?
> 
> (Just an aside: We're back to work following the worst power 
> outage in St. Louis history. Over 500,000 people without 
> power for several days, and nearly 200,000 still out. Very 
> interesting week we just had.)
> 
> --
> Larry Wahlers
> Concordia Technologies
> The Lutheran Church - Missouri Synod
> mailto:[EMAIL PROTECTED]
> direct office line: (314) 996-1876
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Reset home page via GPO

2006-07-24 Thread Za Vue
My labs are set up that way. Users can add as many links as they care 
to, but when the labs reboot at 3:00 AM every morning all their links will 
be gone except the links specified with GPO.


-Z.V.



RE: [ActiveDir] Reset home page via GPO

2006-07-24 Thread Tim Foster


I have done this in the past and the only issue I am aware of is users not liking your choice of home page!
 
User Configuration\Windows Settings\Internet Explorer Maintenance\URLs
 
Tim





RE: [ActiveDir] Reset home page via GPO

2006-07-24 Thread Darren Mar-Elia
Larry-
Yes, you can do this with IE maintenance policy (User Configuration\Windows
Settings\IE Maintenance). Let us know if this causes you any issues.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide, the definitive
resource for Group Policy information.
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Monday, July 24, 2006 8:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Reset home page via GPO

Hello, colleagues,

Our HR department wants everybody's IE home page reset to our intranet home
page. I presume the way to do this is via GPO, and apply it only to the
users' OU. 

Are there any issues (other than political ones, of course) with doing this?

(Just an aside: We're back to work following the worst power outage in St.
Louis history. Over 500,000 people without power for several days, and
nearly 200,000 still out. Very interesting week we just had.)

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


Re: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread Mudha Godasa
Forgive the reply to my own email. I purposely
prevented typing "a word that rhymes with bassdole"
below, but my reply with contents included someone
else using the same word in its original format! And
I've just been sent an email from the nice postmaster
at sx3 and the administrator at yahoo that I shouldn't
swear.

Define irony!

I *swear* I didn't say it. I only said $%^$£"!

M@

--- Mudha Godasa <[EMAIL PROTECTED]> wrote:

> I will absolutely let you know of all the gory
> details. I sure hope I don't get an $%^$£"! for a
> boss.
> ;-)
> 
> Cheers
> 




Re: [ActiveDir] Reset home page via GPO

2006-07-24 Thread Bart Van den Wyngaert

We do it without issues. Only in case you have a large number of
users, it can give a load on your intranet of course (each time IE is
opened, hitting your intranet).

I see most companies implementing that GPO. Not always that funny, but
you get used to it... :-)

Regards,
Bart

On 7/24/06, Larry Wahlers <[EMAIL PROTECTED]> wrote:

Hello, colleagues,

Our HR department wants everybody's IE home page reset to our intranet
home page. I presume the way to do this is via GPO, and apply it only to
the users' OU.

Are there any issues (other than political ones, of course) with doing
this?

(Just an aside: We're back to work following the worst power outage in
St. Louis history. Over 500,000 people without power for several days,
and nearly 200,000 still out. Very interesting week we just had.)

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


RE: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread joe
Yes the tools are not quite what they could be. A lot of this is based on
the complexity of the subject. The model is quite cool but it is also quite
complex and getting more so. Look at the confidential attribute hack and the
extended rights for protecting userAccountControl (Update Password Not
Required Bit, etc). 

When you take into account all of the special rules in the DIT (usually
around SAM attributes) which conflict with schema definitions as well as the
special cases of ACLing like the confidentiality bit and the
userAccountControl "modifiers" etc, and the inheritance model, it is very
difficult to write one tool to handle all of the various cases to tell you
what you have and to help you get to what you want. An additional difficulty
is that Microsoft isn't quick with updating tools to handle new features.

Now third parties get into this realm and start playing but for many people
that just pisses them off and makes them say... Hey Microsoft should already
be supplying this, I'm not buying something. That combined with the fact
that just maybe MSFT will realize they should correct this will tend to kill
most third party folks from even going into that realm.

Oh another additional complexity and LDP actually exposes this. You could
create a tool that could build any kind of ACL you want without making any
judgements on what is being done so that at a later time if something
changes the tool doesn't have to be corrected. However, there are few people
who understand how ACLs really work and are configured to the point that the
tool would really be useful to any large number of people. 

Something we recommended previously to MSFT is that we need to radically
update the ACL dialog editors for ADUC, etc so that they have an easy mode
and an advanced mode for those who really understand what they are doing.
The challenge to MSFT is to work out the easy mode, you don't want it too
simple and ineffective and the advanced you still have to be careful with
because there are a lot of people out there who think they are advanced
security/AD people and they really don't have enough of a clue other than to
really hurt themselves. 

But yes, every MSFT security tool out there has some shortcoming in it. The
new LDP is the most flexible and has the most capability but as you have
found, there are some bugs in it. We have reported those bugs, hopefully
they will be corrected. The issue then becomes one of release. More than
likely I expect we wouldn't see something before Longhorn and maybe not even
before Longhorn R2. I hope that isn't the case, but expect it will be
Longhorn timeframe.

So the question comes down to are people willing to spend $1000 or $2000 or
$5000 or more on tools to manage the ACLing in their directory? If so, third
party tools are the answer. I am aware of a couple of tools that do things
in this area, BindView (BVAdmin/BVControl) and Active Roles. However again,
usually people immediately start talking about costs and the fact that MSFT
should be supplying the tools to do this. I am not arguing the point, but
that is where we are at at the moment.

I will say this, writing c code around ACLing is not trivial. From what I
understand the NET 2.0 framework is alleged to make this much easier.
Usually easier means less flexibility and builtin assumptions but I don't
know enough about it to speak to it for the NET Framework.

As a sidenote... I just this second received an email from the developer
working on LDP and can say that he is digging into this. I can't say much
more than that though. 


  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

I dunno about you guys but I am very disappointed with the tools
available to me for configuring perms. dsacls can configure most perms
but can't configure control access rights to certain attribs of certain
objects. (e.g. when you configure an attribute as confidential and
need to allow certain people the control access right to view the
attribute). dsacls also can't display perms that great and gives
details as "special access". In order to see what's special, I have to
use something like acldiag and sdcheck. And then to revoke, yet
another tool dsrevoke which only works on domain objects and OUs.

After reading joe's book I figured ldp.exe from ADAM-SP1, here I come.
Now that also has issues.

I know I can write scripts for handling this. But they are cumbersome
and slow. I think a nice fast C++ tool that does all this would be
much appreciated. I am not sure how hard this is to do. But MSFT
certainly have the expertise. Maybe Longhorn will ship with
something like that. But I ain't holding my breath.

I am no expert and no MVP. I aint convinced my rant is gonna be heeded
to. But please, gu

Re: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread Mark Parris
And Joseph.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Mon, 24 Jul 2006 16:54:41 
To:
Subject: RE: [ActiveDir] Have you built an R2 Forest?

thanks horhay :)
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

 
 
inline
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

 
 
Thanks for this joe. That doc is more than bad - it's plain wrong :( 
  
Just to further clarify: 
1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60-day
TSL. Correct?
[JdAP says:] YES (but it should be 180 days!)  
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or 
adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE  
3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES  
4. Do I need to run the R2 setup on each machine I build? Will this process 
revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO  
  
I'm trying to understand the issue below but also how it is caused and how it 
may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA  
  
neil 
PS I agree re R2 and its value above and beyond SP1. But what a great marketing 
ploy :) 
  

 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

 
 
This all started due to bad documentation on 
  
http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true:
 

 
  
which states 
  
 
Note the value in the Value column. If the value is , the default 
value is in effect as follows:
 
 • 
On a domain controller in a forest that was created on a domain controller 
running Windows Server 2003 with Service Pack 1 (SP1), the default value is 
180 days.
 
 • 
On a domain controller in a forest that was created on a domain controller 
running Windows 2000 Server or Windows Server 2003, the default value is 
60 days.
 
  
  
which was confusing a customer. Then after I explained about how 60 days is
hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't
seeing this in an R2 forest hence his original question. The test R2 forests I
have built I never checked TSL, just assumed it was 180 and normally I don't
build R2 machines because I really don't much care about R2, SP1 is far more
important for the stuff I play with. I mean really, how many people verify the
TSL of their forest versus just assuming it was whatever MSFT or someone
representing MSFT said it should be. I know I have told a ton of people that
after SP1 the value is 180 and I want to make sure I tell all of those same
people that it really isn't in R2.
  
My concern is for people who have put an R2 forest out there and are under the 
running assumption that they now have a 180 day TSL and make some decision 
based on it (yes, it is ok if our DC sits on the doc in Mexican customs for 3 
months (this is a real example) because we have a 180 day TSL) and learn after 
the fact that it was incorrect. It also has backup/restore implications. 
  
Hopefully the above docs will be corrected and the word will seep out and
people will be aware. This is one of those things where if you find it out after
you already had an incident you will be like, WTF Microsoft. It also makes me
wonder if there is anything else that was regressed...
  
   joe 
  
  
 
-- 
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm: 
   
  
 
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

 
 
hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing
entry for the tombstonelifetime property) but didn't think too much of it
because for now I've only had to handle upgrading from Win2000 or 2003 to R2
where the Schema.ini doesn't play a role. It is "only" used to populate a blank
schema at the time that you create a new AD forest - and yes, this means that
your tombstone lifetime wouldn't match that of other Win2003 forests that were
created from a DC that had SP1 applied to it...
  
I agree, not very nice, but easily fixed as you describe. Personally, I don't 
think too much of the fact that the tombstonelifetime was increased to 180 days 
in SP1 anywa
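As an added example (not code from the thread or from any Microsoft tool), the check below models what the answers above describe: the forest-wide tombstoneLifetime attribute on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root> is either absent, in which case the DSA falls back to its hard-coded 60 days, or set explicitly (180 on SP1 media). The LDIF records, the forest name test.loc and the "three months in customs" figure rounded to 90 days are constructed inputs; the function names are mine.

```python
"""Effective tombstone lifetime (TSL) check (added example, not from the thread).

tombstoneLifetime lives on CN=Directory Service,CN=Windows NT,CN=Services,
CN=Configuration,<forest root>. When the attribute is absent ("not set") the
DSA uses a hard-coded 60 days; SP1 media's schema.ini writes 180 explicitly,
R2 media (per the thread) does not.
"""

HARDCODED_DEFAULT_TSL_DAYS = 60   # used by the DSA when the attribute is blank
SP1_SCHEMA_INI_TSL_DAYS = 180     # what SP1 media writes into a fresh forest


def parse_ldif_record(ldif_text):
    """Minimal single-record LDIF reader: returns {attribute: [values]}.

    Only the plain "attr: value" form is handled, which is all this object needs.
    """
    attrs = {}
    for line in ldif_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def effective_tsl_days(ldif_text):
    """TSL in days, applying the hard-coded 60 when the attribute is unset."""
    values = parse_ldif_record(ldif_text).get("tombstoneLifetime", [])
    if not values or values[0] == "":
        return HARDCODED_DEFAULT_TSL_DAYS
    return int(values[0])


def offline_within_tsl(tsl_days, offline_days):
    """True if a DC (or a backup) that old may still be reintroduced/restored."""
    return offline_days < tsl_days


# Constructed sample: the Directory Service object of a forest built from R2
# media, which carries no tombstoneLifetime value at all.
R2_FOREST_LDIF = """dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=loc
objectClass: nTDSService
cn: Directory Service
"""

# Constructed sample: the same object after the admin adds the 180 value.
FIXED_FOREST_LDIF = R2_FOREST_LDIF + "tombstoneLifetime: 180\n"

if __name__ == "__main__":
    # The "DC sat in customs for three months" case from the thread, as ~90 days.
    for label, ldif in (("R2 forest as built", R2_FOREST_LDIF),
                        ("after adding 180", FIXED_FOREST_LDIF)):
        tsl = effective_tsl_days(ldif)
        state = "within" if offline_within_tsl(tsl, 90) else "beyond"
        print(f"{label}: TSL {tsl} days; a DC offline for 90 days is {state} the TSL")
```

Run against a real forest, the LDIF would come from an ldifde or admod export of that one object; the point of the check is that "no value" must be read as 60, never as "the default I was told about".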

[ActiveDir] LDAP Queries across WAN links

2006-07-24 Thread Al Garrett








I am LDAP-challenged.

We have an application that appears to be performing LDAP
authentication to a Domain Controller at a remote location vs. the local DC.

Is there a comprehensive site for coming up to speed on
LDAP, how it's used, how to adjust its performance, etc?

Is ntdsutil.exe the correct utility to modify how
applications interact with LDAP?

Al Garrett

SWCCD







RE: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread joe
Does it pay well with good bene's? 

While I have a nice job now, I always look at available opportunities. :) 

Don't have Brian interview me though, I expect I would come up short and I
would have to show how much I like the phrases "it depends" and "I don't
know". I have no doubt that Brian could bury me in an interview, or anyone
for that matter if they have a good understanding of the product and can
find the focuses I have and avoid those areas and stick to areas they focus
on. Again... No one can answer any question anyone can ask about AD. I am
sure that most everyone on this list has probably seen something that most
others haven't seen. 

For instance, right up until yesterday I could have been tripped up on what
the default tombstone lifetime is in a freshly built R2 forest. I would have
quoted what the correct answer should have been, not what it actually was.
The only people who would have known different are those that would have had
some reason to do it  and noticed the value or have read something written
about it or windiffed the schema.ini file for some reason against the SP1
version. Basically there are two types of knowing... Experience and
theoretical where theoretical is what you have read or been told or what you
derive yourself based on what you have experienced or been told or read. No
one has experienced it all though people in key spots will have been in a
position to have heard of a lot of things.


  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mudha Godasa
Sent: Monday, July 24, 2006 11:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

I will absolutely let you know of all the gory
details. I sure hope I don't get an $%^$£"! for a boss.
;-)

Cheers

P.S. Anyone want a job? ;0)


--- Al Mulnick <[EMAIL PROTECTED]> wrote:

> I have to laugh.  This thread is starting to sound
> like the six blind men
> describing an elephant.
> 
> As was mentioned, it is very hard to find somebody
> who can do the high-level
> design at all 8 layers, manage a staff of people,
> and still fit that into a
> 23 hour day. If you find one, keep him or her. If
> you don't find one, don't
> be terribly disappointed; look for one that's close
> and has the right
> personality to be made into one. There's plenty more
> of those, but be sure
> you're ready to keep him/her later because there are
> others looking for that
> type of person :)
> 
> FWIW, I think interviewing with Brian might be a
> laugh.  Can you answer all
> the questions?  Nope.  Not every one. But you can
> still enjoy it and I think
> Neil was wise enough to mention that, "no, I don't
> know it all but I do know
> how to use a book" :)  (ok, so I paraphrased.  The
> point is that you use it
> or lose it.  But knowing what questions to ask and
> where to find the answers
> is far more resilient than knowing everything there
> is to know about a
> product set on a given day.  Most of the players on
> the team that wrote the
> application or product don't know either.  But they
> do know where to go for
> the answers)
> 
> One thing that does come to mind would be to follow
> Brian's advice and ask
> open ended questions.  Those are going to be the
> hardest because you're not
> going to be able to study for that. You'll have to
> walk through it under the
> pressure of an interview.  That will tell the
> interviewer a lot about the
> person and what they would do 6 months from now when
> the technology is
> totally different and how they would deal with your
> unique situations.
> 
> 
> Best of luck in your hiring endeavors. I for one am
> interested to hear a
> follow up in a few months to hear how it went.
> 
> 
> Al
> 
> 
> 
> 
> 
> On 7/24/06, Ken Schaefer <[EMAIL PROTECTED]>
> wrote:
> >
> >   I suppose there are several "roles" that senior
> people could hold: some
> > are managerial, some are architectural, and some
> are deeply technical (i.e.
> > high level support). Architects, in that taxonomy,
> would do design work.
> > Whereas a PSS engineer would probably spend more
> time with a debugger than
> > using Word and Visio to produce high-level
> designs.
> >
> >
> >
> > Cheers
> >
> > Ken
> >
> >
> >
> >
> >
> > *From:* [EMAIL PROTECTED]
> [mailto:
> > [EMAIL PROTECTED] *On Behalf Of
> *
> > [EMAIL PROTECTED]
> > *Sent:* Monday, 24 July 2006 5:53 PM
> >
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* RE: [ActiveDir] OT: Interview
> Techniques
> >
> >
> >
> > A senior guy IMO should be more focused on
> "design" aspects than "support"
> > and thus should be able to answer questions along
> the line of:
> >
> >
> >
> > "*How would you design a schema change process,
> encompassing initial
> > request through to implementation*."
> >
> >
> >
> > The answer to the above should help determine a lot
> of info from that
> > person (see below) - even if the

Re: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread Matheesha Weerasinghe

Joe

joe I see you were configuring Full Control (GA) for nTDSConnection
objects by configuring perms on the parent nTDSDSA object. I was
trying to actually configure full control to the nTDSDSA using perms
on the CN=Sites object but the principal is the same I guess. The only
thing is nTDSConnection objects can't have child objects can they?
Still I am having some issues repro'ing. You said your workaround was
to configure on the object types. Did you mean to configure explicitly
on the object or on the parent with the child's object type specified
in the ACE? I can't repro here and I am not sure whether you used
dsacls or ldp to repro.

And why does it not choose the "Access System Security" option when
you edit a Full Control ACE? Is that expected? I thought full control
meant everything. Not everything but "Access System Security".

Also how come there is no string defined for "Access System Security"?
There is for all other access masks.

I freely admit I know very little in this arena. Any lesson offered is
most appreciated. I am already reading technet and many books by the
fine guys on here. I just haven't finished them yet ;-)

Thanks to everyone who's read this so far and for all the help I am
offered. I truly appreciate it.

Sincerely

M@


On 7/24/06, joe <[EMAIL PROTECTED]> wrote:

Beautiful, this is bug week

There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would
need to check in order to specify an inherit only ACE (i.e. Child Objects
Only).

2. When you try to work around it and specify the actual object types to
inherit to it creates two ACEs instead of one. The first ACE is the FC
inherit only to the object class you specify but then there is also a FC to
the object itself. In the example below note the TEST\joe ACEs... I only
added a single FC for nTDSConnection objects for test\joe but got that AND
the non-inheritable Test\joe FC on the object itself.


G:\>dsacls "\\r2dc1\CN=NTDS
Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=test,DC=loc"
Access list:
Effective Permissions on this object are:
Allow TEST\joe                                FULL CONTROL
Allow TEST\Domain Admins                      SPECIAL ACCESS
                                              DELETE
                                              READ PERMISSONS
                                              WRITE PERMISSIONS
                                              CHANGE OWNERSHIP
                                              CREATE CHILD
                                              LIST CONTENTS
                                              WRITE SELF
                                              WRITE PROPERTY
                                              READ PROPERTY
                                              DELETE TREE
                                              LIST OBJECT
                                              CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users        SPECIAL ACCESS
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Allow NT AUTHORITY\SYSTEM                     FULL CONTROL
Allow TEST\Domain Admins                      FULL CONTROL
Allow TEST\Enterprise Admins                  FULL CONTROL

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                      FULL CONTROL
Allow TEST\Enterprise Admins                  FULL CONTROL

Inherited to nTDSConnection
Allow TEST\joe                                FULL CONTROL
The command completed successfully



So in order to generate a generic FC that is only inherited, you can't,
because of bug 1 do it with LDP. If you want to create an ACE for a specific
objectclass (which nTDSConnection should be ok in terms of what you are
trying to delegate) it can do it but you have to go back and clean up the
additional ACE created by bug 2.


I will alert MSFT.

  joe




--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with ldp provided with ADAM-SP1
tell me how I would go about configuring inherit-only Full Control
permissions on nTDSDSA objects in the
CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms
option is grayed out here and I don't know how to do it.

Based on joe's comments I assumed the ldp.exe's ACL editor is the most
comprehensive and capable ACL gui editor available. I must be doing
something wrong here so I would appreciate some help.

Regards

M@
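To audit for the second bug joe describes above (an inherit-only grant that also left an explicit Full Control ACE on the object itself), here is an added example, not code from the thread or from Microsoft, that parses dsacls output and flags any ACE on the object itself for a principal that is only supposed to appear under an "Inherited to <class>" section. The sample listing is constructed to mirror the one quoted above (same principals and rights, column spacing normalised); the function names are mine.

```python
import re

# Constructed sample modelled on the dsacls listing quoted in the thread
# (same principals and rights, spacing normalised, detail rows trimmed).
DSACLS_SAMPLE = r"""Access list:
Effective Permissions on this object are:
Allow TEST\joe                              FULL CONTROL
Allow TEST\Domain Admins                    SPECIAL ACCESS
                                            DELETE
                                            READ PERMISSONS
                                            WRITE PERMISSIONS
Allow NT AUTHORITY\Authenticated Users      SPECIAL ACCESS
                                            READ PERMISSONS
                                            LIST CONTENTS
Allow NT AUTHORITY\SYSTEM                   FULL CONTROL
Allow TEST\Domain Admins                    FULL CONTROL
Allow TEST\Enterprise Admins                FULL CONTROL

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                    FULL CONTROL
Allow TEST\Enterprise Admins                FULL CONTROL

Inherited to nTDSConnection
Allow TEST\joe                              FULL CONTROL
The command completed successfully
"""

# One ACE summary row. The lazy principal group plus \s* also copes with a
# listing whose column gap was lost ("Domain AdminsSPECIAL ACCESS").
ACE_RE = re.compile(r"^(Allow|Deny)\s+(.+?)\s*(FULL CONTROL|SPECIAL ACCESS)\s*$")


def parse_dsacls(text):
    """Return a list of ACE dicts tagged with the section dsacls printed them in.

    scope is "object" for the 'Effective Permissions on this object' block and
    otherwise the text after 'Inherited to ' ('all subobjects', 'nTDSConnection').
    """
    aces, scope = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Effective Permissions on this object"):
            scope = "object"
            continue
        if line.startswith("Inherited to "):
            scope = line[len("Inherited to "):].strip()
            continue
        m = ACE_RE.match(line)
        if m and scope is not None:
            aces.append({"type": m.group(1), "principal": m.group(2),
                         "right": m.group(3), "scope": scope})
    return aces


def unexpected_object_aces(aces, principal):
    """ACEs on the object itself for a principal that should be inherit-only.

    After delegating FC for nTDSConnection only, a hit here is the stray
    non-inheritable ACE (bug 2) that still has to be cleaned up.
    """
    p = principal.lower()
    return [a for a in aces if a["principal"].lower() == p and a["scope"] == "object"]


def inherit_scopes(aces, principal):
    """Which 'Inherited to ...' sections carry ACEs for this principal."""
    p = principal.lower()
    return sorted({a["scope"] for a in aces
                   if a["principal"].lower() == p and a["scope"] != "object"})


if __name__ == "__main__":
    aces = parse_dsacls(DSACLS_SAMPLE)
    who = r"TEST\joe"
    print("inherit-only scopes for", who, ":", inherit_scopes(aces, who))
    for a in unexpected_object_aces(aces, who):
        print("stray ACE on the object itself:", a["type"], a["principal"], a["right"])
```

Feed it the saved output of `dsacls <DN>` for each object you delegated on; any principal listed under an "Inherited to" section that also shows up in the object's own effective permissions is the extra ACE to remove.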

RE: [ActiveDir] DNS Issue

2006-07-24 Thread Steve Linehan
This is similar to the problem that we had seen before with caching and
TTLs and I believe may be addressed by this fix:
http://support.microsoft.com/kb/903720/en-us.  You could confirm it by
disabling the cache but your performance will suffer.  It has been a
while since I actually looked at this type of failure but I believe we
worked around the issue temporarily by using stub zones.  Since it looks
like a possible issue with caching and TTL I would consider opening a
case with Product Support Services (PSS) to get to the bottom of it.  


Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Monday, July 24, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


Hi Steve

Interesting findings.  Firstly, yes I am clearing the DNS Cache and not
doing ipconfig /flushdns on the DC.

I have shown the d2 output below but also see the following:

1.  Clear the DNS cache on DC
2.  Submit query for server1.nyc.test.com - success
3.  Explicitly delete the record for above host from the cache leaving
the nyc parent folder in cache.
4.  Submit query for server1.nyc.test.com - fail
5.  Delete nyc parent folder
6.  Submit query for server1.nyc.test.com - success

So what I think is happening is when the TTL for the cached record
expires it gets deleted (as per the manual deletion above) then
subsequent queries fail.

Note that the DNS servers for test.com are QIP based - may have a
bearing?


> server1.nyc.test.com
Server:  dns1.int.mycorp.com
Address:  x.x.x.x


SendRequest(), len 62
HEADER:
opcode = QUERY, id = 15, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN



Got answer (135 bytes):
HEADER:
opcode = QUERY, id = 15, rcode = NXDOMAIN
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 1,  additional
= 0

QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
->  int.mycorp.com
type = SOA, class = IN, dlen = 47
ttl = 3600 (1 hour)
primary name server = dns1.int.mycorp.com
responsible mail addr = hostmaster.int.mycorp.com
serial  = 54966
refresh = 900 (15 mins)
retry   = 600 (10 mins)
expire  = 86400 (1 day)
default TTL = 3600 (1 hour)



SendRequest(), len 55
HEADER:
opcode = QUERY, id = 16, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN



Got answer (118 bytes):
HEADER:
opcode = QUERY, id = 16, rcode = NXDOMAIN
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 1,  additional
= 0

QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
->  mycorp.com
type = SOA, class = IN, dlen = 44
ttl = 86400 (1 day)
primary name server = name.int.com
responsible mail addr = postmaster.int.com
serial  = 2006072002
refresh = 1800 (30 mins)
retry   = 900 (15 mins)
expire  = 604800 (7 days)
default TTL = 86400 (1 day)



SendRequest(), len 47
HEADER:
opcode = QUERY, id = 17, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com, type = A, class = IN



Got answer (47 bytes):
HEADER:
opcode = QUERY, id = 17, rcode = SERVFAIL
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com, type = A, class = IN


*** dns1.int.mycorp.com can't find server1.nyc.test.com: Server
failed
>


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 24 Jul 2006 3:58
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


David,
  A few more questions.  When you state you cleared the cache I want to
ensure this meant clearing the Cache on the DNS Server not the client
resolver cache.  Also if you open the DNS snap-in in advanced mode and
look in the cache do you see a record for nyc.test.com and if so can you
provide a screenshot of the entry from the DNS MMC?  Finally can you go
to the DNS server, open a cmd prompt and launch nsl

Re: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread Al Mulnick
The only true way to be sure you don't get one of those for a boss is to not invite me to interview for it ;)  
 
 
On 7/24/06, Mudha Godasa <[EMAIL PROTECTED]> wrote:
> I will absolutely let you know of all the gory
> details. I sure hope I don't get an $%^$£"! for a boss.
> ;-)
>
> Cheers
>
> P.S. Anyone want a job? ;0)

RE: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread Almeida Pinto, Jorge de
shit I need to submit a bug fix for that! ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 2006-07-24 17:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?


thanks horhay :)



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?


inline




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?


Thanks for this joe. That doc is more than bad - it's plain wrong :(
 
Just to further clarify:
1. If I build a new R2 forest, I should expect a blank TSL - which 
implies a 60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!) 
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod 
or adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE 
3. I only need to run the R2 adprep once per forest. [Stated for 
completeness]
[JdAP says:] YES 
4. Do I need to run the R2 setup on each machine I build? Will this 
process revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO 
 
I'm trying to understand the issue below but also how it is caused and 
how it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA 
 
neil
PS I agree re R2 and its value above and beyond SP1. But what a great 
marketing ploy :)
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?


This all started due to bad documentation on 
 

http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true
 
which states
 
Note the value in the Value column. If the value is , the 
default value is in effect as follows:

* On a domain controller in a forest that was created on a domain
  controller running Windows Server 2003 with Service Pack 1 (SP1), the default
  value is 180 days.

* On a domain controller in a forest that was created on a domain
  controller running Windows 2000 Server or Windows Server 2003, the default
  value is 60 days.

 
 
which was confusing a customer. Then after I explained about how 60 
days is hardcoded and 180 days was a schema.ini fix he further indicated that 
he wasn't seeing this in an R2 forest hence his original question. The test R2 
forests I have built I never checked TSL, just assumed it was 180 and normally 
I don't build R2 machines because I really don't much care about R2, SP1 is far 
more important for the stuff I play with. I mean really, how many people verify 
the TSL of their forest versus just assuming it was whatever MSFT or someone 
representing MSFT said it should be. I know I have told a ton of people that 
after SP1 the value is 180 and I want to make sure I tell all of those same 
people that it really isn't in R2.
 
My concern is for people who have put an R2 forest out there and are 
under the running assumption that they now have a 180 day TSL and make some 
decision based on it (yes, it is ok if our DC sits on the doc in Mexican 
customs for 3 months (this is a real example) because we have a 180 day TSL) 
and learn after the fact that it was incorrect. It also has backup/restore 
implications. 
 
Hopefully the above docs will be corrected and the word will seep out 
and people will be aware. This is one of those things where if you find it out 
after you already had an incident you will be like, WTF Microsoft. It also 
makes me wonder if there is anything else that was regressed...
 
   joe
 
 
--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?


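To make the tombstone lifetime (TSL) behaviour discussed in the exchange above checkable, here is an added example that is not part of the thread: it reduces the schema.ini comparison to the one entry that matters, derives the TSL a fresh forest actually gets (blank attribute = the hard-coded 60 days), and applies it to the backup/restore and offline-DC cases joe raises. The two schema.ini fragments are constructed stand-ins, and the section name and key spelling used for the Directory Service object are assumptions about the real file's layout.

```python
"""Added example, not from the thread: tombstoneLifetime (TSL) mechanics as the
messages above describe them, in checkable form.

Assumptions: the two schema.ini fragments are constructed stand-ins for the
SP1 and R2 media files, and the section name / key spelling used for the
Directory Service object is an assumption about the real schema.ini layout."""

import configparser
from datetime import date, timedelta
from typing import Optional

HARDCODED_DEFAULT_DAYS = 60   # what the DSA uses when the attribute is <not set>
SP1_EXPECTED_DAYS = 180       # what the SP1 schema.ini writes at forest creation

# Assumed section name for the Directory Service object in schema.ini.
DS_SECTION = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=X"

# Constructed stand-in for the SP1 media: the entry is present.
SCHEMA_INI_SP1 = f"""
[{DS_SECTION}]
objectClass=nTDSService
tombstoneLifetime=180
"""

# Constructed stand-in for the R2 media: the entry is missing (the regression).
SCHEMA_INI_R2 = f"""
[{DS_SECTION}]
objectClass=nTDSService
"""

# joe's example, as constructed dates: DC stuck in customs from April to July.
CUSTOMS_EXAMPLE = (date(2006, 4, 1), date(2006, 7, 1))


def schema_ini_tsl(text: str) -> Optional[int]:
    """Return the tombstoneLifetime this schema.ini would stamp on a new
    forest, or None when the Directory Service section does not carry it."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep attribute names case-sensitive
    parser.read_string(text)
    if not parser.has_section(DS_SECTION):
        return None
    value = parser.get(DS_SECTION, "tombstoneLifetime", fallback=None)
    return int(value) if value is not None else None


def effective_tsl_days(attribute_value: Optional[int]) -> int:
    """What the DSA actually enforces: a <not set> attribute (None here) means
    the hard-coded 60 days, whatever the documentation says about SP1."""
    return HARDCODED_DEFAULT_DAYS if attribute_value is None else attribute_value


def diff_schema_ini_tsl(sp1_text: str, r2_text: str) -> dict:
    """The windiff of the two schema.ini files reduced to the one entry that
    matters, with the TSL a fresh forest would end up with from each."""
    sp1 = schema_ini_tsl(sp1_text)
    r2 = schema_ini_tsl(r2_text)
    return {
        "sp1_writes": sp1,
        "r2_writes": r2,
        "sp1_forest_tsl": effective_tsl_days(sp1),
        "r2_forest_tsl": effective_tsl_days(r2),
        "regressed": effective_tsl_days(r2) < effective_tsl_days(sp1),
    }


def within_tombstone_lifetime(earlier: date, later: date, tsl_days: int) -> bool:
    """The two operational checks the TSL governs: a system-state backup taken
    on `earlier` may still be restored on `later`, and a DC last replicated on
    `earlier` may still be reconnected on `later`, only if the gap is within
    the TSL. Past it you get an unusable backup or lingering objects."""
    return later - earlier <= timedelta(days=tsl_days)


if __name__ == "__main__":
    report = diff_schema_ini_tsl(SCHEMA_INI_SP1, SCHEMA_INI_R2)
    print(report)
    stuck_since, back_online = CUSTOMS_EXAMPLE
    for label, tsl in (("assumed", SP1_EXPECTED_DAYS), ("actual R2", report["r2_forest_tsl"])):
        print(label, tsl, within_tombstone_lifetime(stuck_since, back_online, tsl))
```

Point the fix (set the attribute to 180 via adsiedit or admod, as the thread says) at the live Directory Service object; the script only reasons about the media and the resulting value.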

RE: [ActiveDir] Have you built an R2 Forest?

2006-07-24 Thread Almeida Pinto, Jorge de
a justice! ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 2006-07-24 19:16
To: ActiveDir.org
Subject: Re: [ActiveDir] Have you built an R2 Forest?



And Joseph.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Mon, 24 Jul 2006 16:54:41
To:
Subject: RE: [ActiveDir] Have you built an R2 Forest?

thanks horhay :)



 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



inline



 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



Thanks for this joe. That doc is more than bad - it's plain wrong :(
 
Just to further clarify:
1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 
days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!) 
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or 
adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE 
3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES 
4. Do I need to run the R2 setup on each machine I build? Will this process 
revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO 
 
I'm trying to understand the issue below but also how it is caused and how it 
may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA 
 
neil
PS I agree re R2 and its value above and beyond SP1. But what a great marketing 
ploy :)
 




 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



This all started due to bad documentation on
 
http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true
 

 
which states
 

Note the value in the Value column. If the value is , the default 
value is in effect as follows:

 * On a domain controller in a forest that was created on a domain controller 
   running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 
   days.

 * On a domain controller in a forest that was created on a domain controller 
   running Windows 2000 Server or Windows Server 2003, the default value is 60 
   days.

 
 
which was confusing a customer. Then after I explained about how 60 days is 
hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't 
seeing this in an R2 forest hence his original question. The test R2 forests I 
have built I never checked TSL, just assumed it was 180 and normally I don't 
build R2 machines because I really don't much care about R2, SP1 is far more 
important for the stuff I play with. I mean really, how many people verify the 
TSL of their forest versus just assuming it was whatever MSFT or someone 
representing MSFT said it should be. I know I have told a ton of people that 
after SP1 the value is 180 and I want to make sure I tell all of those same 
people that it really isn't in R2.
 
My concern is for people who have put an R2 forest out there and are under the 
running assumption that they now have a 180 day TSL and make some decision 
based on it (yes, it is ok if our DC sits on the doc in Mexican customs for 3 
months (this is a real example) because we have a 180 day TSL) and learn after 
the fact that it was incorrect. It also has backup/restore implications.
 
Hopefully the above docs will be corrected and the word will seep out and 
people will be aware. This is one of those things where if you find it out after 
you already had an incident you will be like, WTF Microsoft. It also makes me 
wonder if there is anything else that was regressed...
 
   joe
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
 
 



 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing 
entry for the tombstonelifetime property) but didn't think too much of it 
because for now I've only had to handle upgrading from Win2000 or 2003 to R2 
where the Schema.ini doesn't play a ro

RE: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread Brian Desmond
Yeah but see when I focus in on the areas you're weak in you could still talk 
your way out of it instead of making up some goofy ass bs that I have to write 
down when I get off the phone and file in my resumes and interviews folder. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, July 24, 2006 12:30 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Interview Techniques
> 
> Does it pay well with good bene's?
> 
> While I have a nice job now, I always look at available opportunities.
> :)
> 
> Don't have Brian interview me though, I expect I would come up short
> and I would have to show how much I like the phrases "it depends" and
> "I don't know". I have no doubt that Brian could bury me in an
> interview, or anyone for that matter if they have a good understanding
> of the product and can find the focuses I have and avoid those areas
> and stick to areas they focus on. Again... No one can answer any
> question anyone can ask about AD. I am sure that most everyone on this
> list has probably seen something that most others haven't seen.
> 
> For instance, right up until yesterday I could have been tripped up on
> what the default tombstone lifetime is in a freshly built R2 forest. I
> would have quoted what the correct answer should have been, not what it
> actually was.
> The only people who would have known different are those that would
> have had some reason to do it  and noticed the value or have read
> something written about it or windiffed the schema.ini file for some
> reason against the SP1 version. Basically there are two types of
> knowing... Experience and theoretical where theoretical is what you
> have read or been told or what you derive yourself based on what you
> have experienced or been told or read. No one has experienced it all
> though people in key spots will have been in a position to have heard
> of a lot of things.
> 
> 
>   joe
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mudha Godasa
> Sent: Monday, July 24, 2006 11:38 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: Interview Techniques
> 
> I will absolutely let you know of all the gory details. I sure hope I
> don't get an $%^$£"! for a boss.
> ;-)
> 
> Cheers
> 
> P.S. Anyone want a job? ;0)
> 
> 
> --- Al Mulnick <[EMAIL PROTECTED]> wrote:
> 
> > I have to laugh.  This thread is starting to sound like the six blind
> > men describing an elephant.
> >
> > As was mentioned, it is very hard to find somebody who can do the
> > high-level design at all 8 layers, manage a staff of people, and
> still
> > fit that into a
> > 23 hour day. If you find one, keep him or her. If you don't find one,
> > don't be terribly disappointed; look for one that's close and has the
> > right personality to be made into one. There's plenty more of those,
> > but be sure you're ready to keep him/her later because there are
> > others looking for that type of person :)
> >
> > FWIW, I think interviewing with Brian might be a laugh.  Can you
> > answer all the questions?  Nope.  Not every one. But you can still
> > enjoy it and I think Neil was wise enough to mention that, "no, I
> > don't know it all but I do know how to use a book" :)  (ok, so I
> > paraphrased.  The point is that you use it or lose it.  But knowing
> > what questions to ask and where to find the answers is far more
> > resilient than knowing everything there is to know about a product
> set
> > on a given day.  Most of the players on the team that wrote the
> > application or product don't know either.  But they do know where to
> > go for the answers)
> >
> > One thing that does come to mind would be to follow Brian's advice
> and
> > ask open ended questions.  Those are going to be the hardest because
> > you're not going to be able to study for that. You'll have to walk
> > through it under the pressure of an interview.  That will tell the
> > interviewer a lot about the person and what they would do 6 months
> > from now when the technology is totally different and how they would
> > deal with your unique situations.
> >
> >
> > Best of luck in your hiring endeavors. I for one am interested to hear
> > a follow up in a few months to hear how it went.
> >
> >
> > Al
> >
> >
> >
> >
> >
> > On 7/24/06, Ken Schaefer <[EMAIL PROTECTED]>
> > wrote:
> > >
> > >   I suppose there are several "roles" that senior
> > people could hold: some
> > > are managerial, some are architectural, and some
> > are deeply technical (i.e.
> > > high level support). Architects, in that taxonomy,
> > would do design work.
> > > Whereas a PSS engineer would probably spend more
> > time with a debugger than
> > > using Word and Visio to produce high-level
> > designs.
> > >

Re: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread Laura E. Hunter

Now Al, have you been making your employees "drop and give you 20"
again?  Really, I thought we'd talked about that?  ;-)

- Laura

On 7/24/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


The only true way to be sure you don't get one of those for a boss is to not
invite me to interview for it ;)




On 7/24/06, Mudha Godasa <[EMAIL PROTECTED]> wrote:
> I will absolutely let you know of all the gory
> details. I sure hope I don't get an $%^$£"! for a boss.
> ;-)
>
> Cheers
>
> P.S. Anyone want a job? ;0)
>
>
> --- Al Mulnick <[EMAIL PROTECTED]> wrote:
>
> > I have to laugh.  This thread is starting to sound
> > like the six blind men
> > describing an elephant.
> >
> > As was mentioned, it is very hard to find somebody
> > who can do the high-level
> > design at all 8 layers, manage a staff of people,
> > and still fit that into a
> > 23 hour day. If you find one, keep him or her. If
> > you don't find one, don't
> > be terribly disappointed; look for one that's close
> > and has the right
> > personality to be made into one. There's plenty more
> > of those, but be sure
> > you're ready to keep him/her later because there are
> > others looking for that
> > type of person :)
> >
> > FWIW, I think interviewing with Brian might be a
> > laugh.  Can you answer all
> > the questions?  Nope.  Not every one. But you can
> > still enjoy it and I think
> > Neil was wise enough to mention that, "no, I don't
> > know it all but I do know
> > how to use a book" :)  (ok, so I paraphrased.  The
> > point is that you use it
> > or lose it.  But knowing what questions to ask and
> > where to find the answers
> > is far more resilient than knowing everything there
> > is to know about a
> > product set on a given day.  Most of the players on
> > the team that wrote the
> > application or product don't know either.  But they
> > do know where to go for
> > the answers)
> >
> > One thing that does come to mind would be to follow
> > Brian's advice and ask
> > open ended questions.  Those are going to be the
> > hardest because you're not
> > going to be able to study for that. You'll have to
> > walk through it under the
> > pressure of an interview.  That will tell the
> > interviewer a lot about the
> > person and what they would do 6 months from now when
> > the technology is
> > totally different and how they would deal with your
> > unique situations.
> >
> >
> > Best of luck in your hiring endeavors. I for one am
> > interested to hear a
> > follow up in a few months to hear how it went.
> >
> >
> > Al
> >
> >
> >
> >
> >
> > On 7/24/06, Ken Schaefer < [EMAIL PROTECTED]>
> > wrote:
> > >
> > >   I suppose there are several "roles" that senior
> > people could hold: some
> > > are managerial, some are architectural, and some
> > are deeply technical (i.e.
> > > high level support). Architects, in that taxonomy,
> > would do design work.
> > > Whereas a PSS engineer would probably spend more
> > time with a debugger than
> > > using Word and Visio to produce high-level
> > designs.
> > >
> > >
> > >
> > > Cheers
> > >
> > > Ken
> > >
> > >
> > >
> > >
> > >
> > > *From:* [EMAIL PROTECTED]
> > [mailto:
> > > [EMAIL PROTECTED] ] *On Behalf Of
> > *
> > > [EMAIL PROTECTED]
> > > *Sent:* Monday, 24 July 2006 5:53 PM
> > >
> > > *To:* ActiveDir@mail.activedir.org
> > > *Subject:* RE: [ActiveDir] OT: Interview
> > Techniques
> > >
> > >
> > >
> > > A senior guy IMO should be more focused on
> > "design" aspects than "support"
> > > and thus should be able to answer questions along
> > the line of:
> > >
> > >
> > >
> > > "*How would you design a schema change process,
> > encompassing initial
> > > request through to implementation*."
> > >
> > >
> > >
> > > The answer to the above should help determine a lot
> > of info from that
> > > person (see below) - even if they cannot answer
> > the question fully.
> > >
> > >
> > >
> > >  - Does this person think logically
> > >
> > >  - Does this person explain ideas in a cohesive
> > manner
> > >
> > >  - Does this person answer questions with fluff
> > and BS or are they
> > > succinct
> > >
> > >  - etc
> > >
> > >
> > >
> > > To answer 'what do the FSMOs do?' one can simply
> > state - "I'd look it up
> > > in a book". I'd therefore always try to ask
> > questions which can only be
> > > answered through experience (where possible) and
> > not just through reading a
> > > book.
> > >
> > >
> > >
> > > My 2 penneth,
> > >
> > > neil
> > >  --
> > >
> > > *From:* [EMAIL PROTECTED]
> > [mailto:
> > > [EMAIL PROTECTED] *On Behalf Of
> > *mike kline
> > > *Sent:* 24 July 2006 07:16
> > > *To:* ActiveDir@mail.activedir.org
> > > *Subject:* Re: [ActiveDir] OT: Interview
> > Techniques
> > >
> > > Brian,
> > >
> > >
> > >
> > > That was a good story, very funny.  So what did
> > the guy do? Did he just
> > > get up and leave?  I know from reading your posts
> > you are usually straight
> > > and to the point. I would be sweating if I had to
> > interview with

RE: [ActiveDir] Reset home page via GPO

2006-07-24 Thread Larry Wahlers
Thanks, everybody, for your replies. I thought it would work fine with
no "technical" issues (political ones are inevitable, of course).

Meanwhile, David Adner wrote:

> This IE setting can be applied via "policy mode" or 
> "preferences mode".
> Policy mode is what you normally think of when configuring 
> GPO settings in
> that it'll be reset if a user ever changes it.  Preferences mode only
> changes the initial value but allows the user to change it 
> afterwards if
> they like without having it switch back each time GPOs are applied.
> Instead, it is only reset if the GPO itself is modified.

I can't seem to find those distinctions. I'd love to be able to reset
everybody's home page just for their initial login after all the
training is done, and let them reset it if they want to, and let it stay
that way. I see where you can set it as "enforced" which I did not do,
but our testing shows that every time somebody logs off and then on
again, they'll get the intranet start page regardless of whether they
changed it or not.

In fact, one of our testers discovered that if she closes all instances
of IE, then waits five minutes or so, starting IE back up again once
again resets her homepage, even if she didn't log off the machine.

Gotta love all this fun we're having!

In a few days, it'll be a moot point. Some exec will decide they don't
like it, and I'll be instructed to take it off.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] LDAP Queries across WAN links

2006-07-24 Thread Al Mulnick
Couple of things to get you started down the right path: 
1) ldap is not an authentication protocol.  Remember that as there will be a test later. 
2) NTDSUTIL is not the tool to test with.  LDP.EXE or one of the joeware tools might be better. There are several freeware tools that are also out there, but I've found that LDP is one of the easiest for a GUI based tool. 

3) There are RFC's, books, websites, etc.  What have you read so far and what types of questions does that lead you to? What I'm looking for is what aspect of LDAP you're wanting to follow.  The field is wide, and we may need to narrow it down a bit to save time. 

 
Also, can you describe the problems that you see?  I mean, some details would be helpful.  What language it's written in, how it was configured, what problem you see vs. what you expect to see, etc. would be really helpful.  LDAP, in its native state is not going to just pick a server out of a hat.  Instead, it can either be told which server to use else use root dse (see RFC 2251 for explanation but basically it's a way to use name resolution to find directory servers.) Using root dse methods might make ldap seem less predictable in some cases. 

 
 
Al 
On 7/24/06, Al Garrett <[EMAIL PROTECTED]> wrote:




I am LDAP-challenged.
 
We have an application that appears to be performing LDAP authentication to a Domain Controller at a remote location vs. the local DC.

 
Is there a comprehensive site for coming up to speed on LDAP, how it's used, how to adjust its performance, etc?
 
Is ntdsutil.exe the correct utility to modify how applications interact with LDAP?
 
Al Garrett
SWCCD


Re: [ActiveDir] Reset home page via GPO

2006-07-24 Thread Bart Van den Wyngaert

That's the point, but they will get used to it. It's like implementing
strong password policy in an environment which doesn't have it yet.
First there will be complaints, but after a while they stop nagging
and just follow the flow :-)

Bart

On 7/24/06, Tim Foster <[EMAIL PROTECTED]> wrote:


I have done this in the past and the only issue I am aware of is users not
liking your choice of home page!

User Configuration\Windows Settings\Internet Explorer Maintenance\URLs

Tim





> Date: Mon, 24 Jul 2006 10:33:41 -0500
> From: [EMAIL PROTECTED]

> Subject: [ActiveDir] Reset home page via GPO
> To: ActiveDir@mail.activedir.org
>
> Hello, colleagues,
>
> Our HR department wants everybody's IE home
page reset to our intranet
> home page. I presume the way to do this is via GPO,
and apply it only to
> the users' OU.
>
> Are there any issues (other than political ones,
of course) with doing
> this?
>
> (Just an aside: We're back to work following the
worst power outage in
> St. Louis history. Over 500,000 people without power
for several days,
> and nearly 200,000 still out. Very interesting week we
just had.)
>
> --

> Larry Wahlers
> Concordia Technologies
> The Lutheran Church - Missouri Synod
> mailto:[EMAIL PROTECTED]
> direct office line: (314) 996-1876





RE: [ActiveDir] LDAP Queries across WAN links

2006-07-24 Thread Al Garrett
I should have answered my own post, my apologies for being slack.

The symptoms were slow application launch on the first occurrence, faster the
2nd and subsequent launches.

We solved the problem in the ‘low-tech’ method: LMHOSTS to direct use of the
local DC’s.

Thanks for the reply.

Al

-Original Message-
From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Monday, July 24, 2006 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Queries across WAN links

Couple of things to get you started down the right path:

1) ldap is not an authentication protocol.  Remember that as there will be a
test later.

2) NTDSUTIL is not the tool to test with.  LDP.EXE or one of the joeware tools
might be better. There are several freeware tools that are also out there, but
I've found that LDP is one of the easiest for a GUI based tool.

3) There are RFC's, books, websites, etc.  What have you read so far and what
types of questions does that lead you to? What I'm looking for is what aspect
of LDAP you're wanting to follow.  The field is wide, and we may need to narrow
it down a bit to save time.

Also, can you describe the problems that you see?  I mean, some details would
be helpful.  What language it's written in, how it was configured, what problem
you see vs. what you expect to see, etc. would be really helpful.  LDAP, in its
native state is not going to just pick a server out of a hat.  Instead, it can
either be told which server to use else use root dse (see RFC 2251 for
explanation but basically it's a way to use name resolution to find directory
servers.) Using root dse methods might make ldap seem less predictable in some
cases.

Al

On 7/24/06, Al Garrett <[EMAIL PROTECTED]> wrote:

I am LDAP-challenged.

We have an application that appears to be performing LDAP authentication to a
Domain Controller at a remote location vs. the local DC.

Is there a comprehensive site for coming up to speed on LDAP, how it's used,
how to adjust its performance, etc?

Is ntdsutil.exe the correct utility to modify how applications interact with
LDAP?

Al Garrett
SWCCD

RE: [ActiveDir] [OT] Have you built an R2 Forest?

2006-07-24 Thread joe
Settle down princess
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, July 24, 2006 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?


a justice! ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 


From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 2006-07-24 19:16
To: ActiveDir.org
Subject: Re: [ActiveDir] Have you built an R2 Forest?



And Joseph.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Mon, 24 Jul 2006 16:54:41
To:
Subject: RE: [ActiveDir] Have you built an R2 Forest?

thanks horhay :)



 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



inline



 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



Thanks for this joe. That doc is more than bad - it's plain wrong :(
 
Just to further clarify:
1. If I build a new R2 forest, I should expect a blank TSL - which implies a
60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!) 
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or
adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE 
3. I only need to run the R2 adprep once per forest. [Stated for
completeness]
[JdAP says:] YES 
4. Do I need to run the R2 setup on each machine I build? Will this process
revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO 
 
I'm trying to understand the issue below but also how it is caused and how
it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA 
 
neil
PS I agree re R2 and its value above and beyond SP1. But what a great
marketing ploy :)
 




 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



This all started due to bad documentation on
 
http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true

 
which states
 

Note the value in the Value column. If the value is , the default
value is in effect as follows:

 • On a domain controller in a forest that was created on a domain controller
   running Windows Server 2003 with Service Pack 1 (SP1), the default value is
   180 days.

 • On a domain controller in a forest that was created on a domain controller
   running Windows 2000 Server or Windows Server 2003, the default value is 60
   days.

 
 
which was confusing a customer. Then after I explained about how 60 days is
hardcoded and 180 days was a schema.ini fix he further indicated that he
wasn't seeing this in an R2 forest hence his original question. The test R2
forests I have built I never checked TSL, just assumed it was 180 and
normally I don't build R2 machines because I really don't much care about
R2, SP1 is far more important for the stuff I play with. I mean really, how
many people verify the TSL of their forest versus just assuming it was
whatever MSFT or someone representing MSFT said it should be. I know I have
told a ton of people that after SP1 the value is 180 and I want to make sure
I tell all of those same people that it really isn't in R2.
 
My concern is for people who have put an R2 forest out there and are under
the running assumption that they now have a 180 day TSL and make some
decision based on it (yes, it is ok if our DC sits on the doc in Mexican
customs for 3 months (this is a real example) because we have a 180 day TSL)
and learn after the fact that it was incorrect. It also has backup/restore
implications.
 
Hopefully the above docs will be corrected and the word will seep out and
people will be aware.This is one of those things where if you find it out
after you already had an incident you will be like, WTF Microsoft. It also
makes me wonder if there is anything else that was regressed...
 
   joe
 
 

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm:   
 
 



 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R
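
Added example, not code from the thread or from joe: joe's point above is that nobody verifies the TSL, they assume it. The script below reads the Directory Service object from an ldifde-style export, reports the effective tombstone lifetime (attribute absent means the hardcoded 60 days, as described in the thread), and flags anything (a DC's last inbound replication, a system state backup) that has already aged past it. The forest name DC=example,DC=com, the LDIF fragments and the dates are constructed for the example.

```python
"""Check a forest's effective tombstone lifetime (TSL) from an LDIF export of
the Directory Service object and flag anything that has aged past it.

Added example for this thread; it is not code from the list or from joe.
The forest name DC=example,DC=com, the LDIF samples and the dates are
constructed."""
from datetime import datetime, timedelta

# Hardcoded default that applies when tombstoneLifetime is not set on the
# Directory Service object (the "blank TSL" case discussed in the thread).
DEFAULT_TSL_DAYS = 60

# Assumed forest name; the object's location is the standard Configuration path.
DS_OBJECT_DN = ("CN=Directory Service,CN=Windows NT,CN=Services,"
                "CN=Configuration,DC=example,DC=com")

# Constructed sample: export of the object with the attribute absent
# (ADSI Edit shows it as not set).
LDIF_R2_FOREST = """\
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
objectClass: nTDSService
cn: Directory Service
"""

# Constructed sample: the attribute explicitly set to 180.
LDIF_SP1_FOREST = """\
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
objectClass: nTDSService
cn: Directory Service
tombstoneLifetime: 180
"""

# Constructed "today" and last-known-good timestamps for the demo.
NOW = datetime(2006, 7, 24)
HISTORY = {
    "R2DC2 last inbound replication": datetime(2006, 4, 20),   # 95 days ago
    "system state backup":            datetime(2006, 6, 1),    # 53 days ago
}


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attribute: [values]}}.

    Handles folded continuation lines (leading space) and comments; base64
    ('::') values are not needed here and are left undecoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, current = {}, None
    for line in logical:
        if not line.strip():
            current = None                  # blank line ends an entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def effective_tsl_days(entries, ds_dn=DS_OBJECT_DN):
    """Attribute present -> its value; absent or empty -> the 60-day default."""
    values = entries.get(ds_dn, {}).get("tombstoneLifetime", [])
    if not values or not values[0]:
        return DEFAULT_TSL_DAYS
    return int(values[0])


def stale_items(tsl_days, now, last_contact):
    """Labels whose last successful replication or backup is at or beyond
    the TSL; a DC or backup in that state must not be brought back into the
    forest without cleanup."""
    limit = timedelta(days=tsl_days)
    return sorted(name for name, when in last_contact.items()
                  if now - when >= limit)


if __name__ == "__main__":
    for label, ldif in (("R2 media", LDIF_R2_FOREST),
                        ("SP1 media", LDIF_SP1_FOREST)):
        tsl = effective_tsl_days(parse_ldif(ldif))
        print(f"{label}: effective TSL {tsl} days, "
              f"stale: {stale_items(tsl, NOW, HISTORY)}")
```

Against a real forest, replace the constructed LDIF with the output of an ldifde export of the Directory Service object; the same 95-day-old DC is fine under a 180-day TSL and past the limit under the 60-day default, which is exactly the decision joe is worried about.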

RE: [ActiveDir] LDAP Queries across WAN links

2006-07-24 Thread joe



Yeah from your initial description I am guessing you 
specified your domain name for host. If you do that, depending on the underlying 
code for the resolution to a specific domain controller you can get ANY DC in 
the forest. This is a very common issue with folks using LDAP libraries that 
aren't the MSFT ones. They built a lot of cool logic into their libraries and if 
you aren't running on Windows you should try and duplicate and if you are, you 
should be using.
 
I am not sure I would solve this with lmhosts and short 
hostnames. The best solutions I have seen to date
 
1. Duplicate the DNS lookups that MSFT does for the locator 
service. This really isn't too hard and just takes a little bit of DNS code 
which you should find several examples in the UNIX world. You can even make it 
considerably smarter than the current Windows location services like looking at 
site link costs etc to get the next closest site for instance. 

 
2. Have a perl script (or some script) that does the 
DNS lookups manually and inserts the results into the application 
configuration every couple of hours or if there is a 
failure.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Monday, July 24, 2006 4:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Queries across WAN links


I should have answered 
my own post, my apologies for being slack.
 
The symptoms were slow 
application launch on the first occurrence, faster the 2nd and 
subsequent launches.
 
We solved the problem 
in the ‘low-tech’ method. LMHOSTS to direct use of the local 
DCs.
 
Thanks for the 
reply.
Al
 
 
-Original Message-
From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Monday, July 24, 2006 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Queries across WAN links
 

Couple of things to get you started down 
the right path: 

1) ldap is not an authentication 
protocol.  Remember that as there will be a test later. 


2) NTDSUTIL is not the tool to test 
with.  LDP.EXE or one of the joeware tools might be better. There are 
several freeware tools that are also out there, but I've found that LDP is one 
of the easiest for a GUI based tool. 

3) There are RFCs, books, websites, 
etc.  What have you read so far and what types of questions does that lead 
you to? What I'm looking for is what aspect of LDAP you're wanting to 
follow.  The field is wide, and we may need to narrow it down a bit to save 
time. 

 

Also, can you describe the problems that 
you see?  I mean, some details would be helpful.  What language it's 
written in, how it was configured, what problem you see vs. what you expect to 
see, etc. would be really helpful.  LDAP, in its native state is not going 
to just pick a server out of a hat.  Instead, it can either be told which 
server to use else use root dse (see RFC 2251 for explanation but basically 
it's a way to use name resolution to find directory servers.) Using root dse 
methods might make ldap seem less predictable in some cases. 


 

 

Al 

On 7/24/06, Al Garrett <[EMAIL PROTECTED]> 
wrote: 



I am 
LDAP-challenged.
 
We have an application that appears 
to be performing LDAP authentication to a Domain Controller at a remote location 
vs. the local DC. 
 
Is there a comprehensive site for 
coming up to speed on LDAP, how it's used, how to adjust its performance, 
etc?
 
Is ntdsutil.exe the correct utility 
to modify how applications interact with LDAP?
 
Al Garrett
SWCCD
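
Added example, not joe's code or Microsoft's: joe's option 1 above is to duplicate the locator's DNS lookups. The script below builds the same SRV names the Windows DC locator queries (site-specific _ldap._tcp.<site>._sites.dc._msdcs.<domain> first, then the domain-wide _ldap._tcp.dc._msdcs.<domain> fallback) and orders the answers by RFC 2782 priority and weight, so an application gets a local DC instead of whichever DC the domain's A record happens to return. The resolver is a pluggable callable; the SRV table, the site name Eindhoven and example.com are constructed so the sample runs offline, and the dnspython adapter assumes that package is installed.

```python
"""Site-aware domain controller lookup that mirrors the DNS SRV names the
Windows DC locator queries, with RFC 2782 priority/weight ordering.

Added example for this thread; not joe's code or Microsoft's. The resolver
is a pluggable callable so the sample runs offline against a constructed
SRV table; plug in a real resolver (see dnspython_resolver) for live use."""
import random


def locator_names(domain, site=None):
    """SRV names to try, most specific first: the DCs registered for the
    client's site, then every DC in the domain as a fallback."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def order_srv(records, rng=random.random):
    """RFC 2782 selection: ascending priority; within one priority a weighted
    random draw, so equal-weight DCs share the load."""
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec["priority"], []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r["weight"] for r in pool)
            threshold = rng() * total
            running, pick = 0, pool[-1]
            for rec in pool:
                running += rec["weight"]
                if running >= threshold:
                    pick = rec
                    break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def find_dcs(domain, site, resolve_srv, rng=random.random):
    """Return [(host, port), ...] from the first SRV name that has answers."""
    for name in locator_names(domain, site):
        records = resolve_srv(name)
        if records:
            return [(r["target"], r["port"]) for r in order_srv(records, rng)]
    return []


def dnspython_resolver(name):
    """Live resolver adapter; assumes the dnspython package is installed."""
    import dns.resolver
    return [{"priority": r.priority, "weight": r.weight, "port": r.port,
             "target": str(r.target).rstrip(".")}
            for r in dns.resolver.resolve(name, "SRV")]


# Constructed SRV table standing in for the _msdcs zone of example.com.
SRV_TABLE = {
    "_ldap._tcp.Eindhoven._sites.dc._msdcs.example.com": [
        {"priority": 0, "weight": 100, "port": 389, "target": "dc1.example.com"},
        {"priority": 0, "weight": 100, "port": 389, "target": "dc2.example.com"},
    ],
    "_ldap._tcp.dc._msdcs.example.com": [
        {"priority": 0, "weight": 100, "port": 389, "target": "dc1.example.com"},
        {"priority": 0, "weight": 100, "port": 389, "target": "dc2.example.com"},
        {"priority": 10, "weight": 100, "port": 389, "target": "dc3.example.com"},
    ],
}


def table_resolver(name):
    """Offline stand-in for a DNS resolver, backed by SRV_TABLE."""
    return SRV_TABLE.get(name, [])


if __name__ == "__main__":
    print(find_dcs("example.com", "Eindhoven", table_resolver))
    print(find_dcs("example.com", "NoSuchSite", table_resolver))
```

A client whose site has no DCs falls through to the domain-wide record, which is where joe's site-link-cost refinement would slot in; re-running the lookup on a schedule or on connection failure is his option 2.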
 


RE: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread joe
Yeah what I was doing was setting a FC ACE for connection objects only. If
you want to cover multiple objects for this you would need to specify
multiple objectclasses which would result in multiple ACEs which is not a
good option. Which means, use a different tool as the bugs in the current
version of LDP make that difficult for this specific task. In my tests, I
was specifically using LDP from ADAM SP1. But for what you want to do, use
ADUC or DSACLS.

As an aside, I emailed Matheesha directly a little while ago when my first
email was lost in limbo waiting to be sent out by the list. A version of LDP
that doesn't have this issue should be in Longhorn when it is released. The
developer quickly fixed the first bug I mentioned this morning after I
pinged him and it seems the second bug had already been corrected. This,
folks, is the power of this list. Take note. 

I am not entirely positive what the "Access system security" is supposed to
be... This is not an issue in later versions of LDP...

I would say read the chapters on security in the AD book, then if you don't
have it, get and read Sakari's book as that has a great chapter on AD
security and then finally if you still want to learn more, wander into the
MSDN library and start reading about Security Descriptors, Access Control
Lists, and Access Control Entries. Once you understand the structures and
how they are represented a lot of the security stuff starts making more and
more sense.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Joe

joe I see you were configuring Full Control (GA) for nTDSConnection
objects by configuring perms on the parent nTDSDSA object. I was
trying to actually configure full control to the nTDSDSA using perms
on the CN=Sites object but the principal is the same I guess. The only
thing is nTDSConnection objects can't have child objects can they?
Still I am having some issues repro'ing. You said your workaround was
to configure on the object types. Did you mean to configure explicitly
on the object or on the parent with the child's object type specified
in the ACE? I can't repro here and I am not sure whether you used
dsacls or ldp to repro.

And why does it not choose the "Access System Security" option when
you edit a Full Control ACE? Is that expected? I thought full control
meant everything. Not everything but "Access System Security".

Also how come there is no string defined for "Access System Security"?
There is for all other access masks.

I freely admit I know very little in this arena. Any lesson offered is
most appreciated. I am already reading technet and many books by the
fine guys on here. I just haven't finished them yet ;-)

Thanks to everyone who's read this so far and for all the help I am
offered. I truly appreciate it.

Sincerely

M@


On 7/24/06, joe <[EMAIL PROTECTED]> wrote:
> Beautiful, this is bug week
>
> There are actually two bugs here.
>
> 1. The inherit only check box is greyed out. This is the checkbox you
> would need to check in order to specify an inherit only ACE (i.e. Child
> Objects Only).
>
> 2. When you try to work around it and specify the actual object types to
> inherit to it creates two ACEs instead of one. The first ACE is the FC
> inherit only to the object class you specify but then there is also a FC
> to the object itself. In the example below note the TEST\joe ACEs... I only
> added a single FC for nTDSConnection objects for test\joe but got that AND
> the non-inheritable Test\joe FC on the object itself.
>
>
> G:\>dsacls "\\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc"
> Access list:
> Effective Permissions on this object are:
> Allow TEST\joe  FULL CONTROL
> Allow TEST\Domain AdminsSPECIAL ACCESS
>DELETE
>READ PERMISSONS
>WRITE PERMISSIONS
>CHANGE OWNERSHIP
>CREATE CHILD
>LIST CONTENTS
>WRITE SELF
>WRITE PROPERTY
>READ PROPERTY
>DELETE TREE
>LIST OBJECT
>CONTROL ACCESS
> Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
>READ PERMISSONS
>LIST CONTENTS
>READ PROPERTY
>

RE: [ActiveDir] [OT] Have you built an R2 Forest?

2006-07-24 Thread Almeida Pinto, Jorge de
you're getting slow joe? it took you about an hour! ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Mon 2006-07-24 22:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Have you built an R2 Forest?


Settle down princess
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: Monday, July 24, 2006 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?


a justice! ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 2006-07-24 19:16
To: ActiveDir.org
Subject: Re: [ActiveDir] Have you built an R2 Forest?



And Joseph.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Mon, 24 Jul 2006 16:54:41
To:
Subject: RE: [ActiveDir] Have you built an R2 Forest?

thanks horhay :)



 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



inline



 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



Thanks for this joe. That doc is more than bad - it's plain wrong :(
 
Just to further clarify:
1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 
days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!) 
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or 
adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE 
3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES 
4. Do I need to run the R2 setup on each machine I build? Will this process 
revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO 
 
I'm trying to understand the issue below but also how it is caused and how it 
may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA 
 
neil
PS I agree re R2 and its value above and beyond SP1. But what a great marketing 
ploy :)
 




 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



This all started due to bad documentation on
 
http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true:
 

 
which states
 

Note the value in the Value column. If the value is , the default 
value is in effect as follows:

* On a domain controller in a forest that was created on a domain controller 
running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 
days.

* On a domain controller in a forest that was created on a domain controller 
running Windows 2000 Server or Windows Server 2003, the default value is 60 
days.

 
 
which was confusing a customer. Then after I explained about how 60 days is 
hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't 
seeing this in an R2 forest hence his original question. The test R2 forests I 
have built I never checked TSL, just assumed it was 180 and normally I don't 
built R2 machines because I really don't much care about R2, SP1 is far more 
important for the stuff I play with. I mean really, how many people verify the 
TSL of their forest versus just assuming it was whatever MSFT or someone 
representing MSFT said it should be. I know I have told a ton of people that 
after SP1 the value is 180 and I want to make sure I tell all of those same 
people that it really isn't in R2.
 
My concern is for people who have put an R2 forest out there and are under the 
running assumption that they now have a 180 day TSL and make some decision 
based on it (yes, it is ok if our DC sits on the doc in Mexican customs for 3 
months (this is a real example) because we have a 180 day TSL) and learn after 
the fact that it was incorrect. It also has backup/restore implications.
 
Hopefully the above docs will be correct

RE: [ActiveDir] Managing Third-Party Users

2006-07-24 Thread Marcus.Oh
Thanks for your take on it, Joe.  I'm finding the same thing when it comes to 
the ideology.  It's not baked in very well yet... so trying to make a judgment 
on strategy is a bit difficult.  :)  I think I'll start looking down what 
Microsoft offers... problem is I'm not even sure what the competitors are ... 

:m:dsm:cci:mvp | marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Saturday, July 22, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Managing Third-Party Users

Federation is the way of the future in these scenarios.  I'm spending about 
50% of my time at work these days helping to build out our federation 
infrastructure and imagine that we'll be using it extensively.  We are 
already doing some type of federation thing with over 30 vendor-hosted apps 
internally (benefits, travel, surveys, etc.).  However, none of these 
implementations are currently using any of the standard federation protocols 
(SAML, WS-Fed) and suffer from expensive implementations, no reusability 
between implementations and dubious security.

We are also looking at hosting some services internally for clients and 
partners and using federation as a way to allow them to authenticate with 
their own credentials.

The big challenges right now are that with both SAML and WS-Fed as the 
dominant protocols out there (and WS-Fed much further behind in terms of 
adoption rates, but gaining due to the popularity of AD and the low cost of 
ADFS compared to many solutions), it is hard to say you only want to do 
ADFS/WS-Fed.  Our approach is to try to support both for the "outbound" 
scenario, where our users are accessing a partner resource, although we are 
still trying to pick a SAML 2 product yet.  We'll probably be more picky 
about WS-Fed for the opposite scenario as our guys like to use Windows 
token-based websites (like SharePoint) for custom dev and only ADFS has a 
really flexible solution for supporting this.

The big challenges are that right now, things are still pretty "early 
adopter", so it is hard to find a lot of partners that are ready to go with 
their infrastructure.  There isn't much expertise out there with these 
products yet either, so people are stumbling quite a bit.  In our "inbound" 
scenario, we are looking at needing to set up an alternate account store to 
host the accounts of partners who aren't "federation-capable" yet, so that's 
a drag.  I'm not sure the team building that app has realized yet that the 
cost and complexity of the identity and access management work for that 
account store will likely outstrip the cost of dev and maintenance on the 
app itself by an order of magnitude.  They aren't I&AM people, so they are 
just realizing that users of the store will need features like password 
change, password reset and password expiration notifications.  BTW, we are 
using ADAM for the account store and setting it up as a separate federation 
account partner.

Another thing worth noting is that we already have a well-established 
process for provisioning accounts for external users and contractors in the 
corp forest and we'll continue to use that in scenarios where it is 
appropriate.  However, we'll try to do as little as possible of that sort of 
thing when simple access to a few web apps is all that's needed.

All in all though, I'm pretty excited about the technology, especially ADFS. 
It combines my three favorite tech things, I&AM, web programming and .NET, 
so what's not to love?  :)


Joe K.
- Original Message - 
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 12:05 PM
Subject: [ActiveDir] Managing Third-Party Users


My trusted directory resource,

I don't remember if this came up on a previous post, but don't recall seeing 
the topic.  As things become more and more integrated w/ some form of ldap 
authentication against a common directory, the necessity for managing 
outside vendors, contractors, etc is becoming a larger and larger task.  If 
you're in a situation where the vendor has a large population of users that 
require access, with incredible churn, this becomes a big issue.

I'm curious what, if anything, anyone else is doing to use some sort of 
federated system so that user management is left at the hands of the 
third-party companies.  I'm curious also if anyone is aware of any 
consulting groups that have done this sort of thing w/ an agnostic approach 
that can fit most environments.  I'd love to get an idea of where the 
industry is heading with this sort of thing.  I'm sure the topic probably 
came up at DEC which I didn't have the luxury of attending.

Thanks all!

marcus c. oh | cox communications, inc. | 404.847.6117 | 
marcusoh.blogspot.com
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

[ActiveDir] Securing DFS

2006-07-24 Thread Lucas, Bryan

We built a DFS Root on a windows 2000 domain controller and
the root of the share has “Everyone” Full Control.  E.g. if I go to
\\domain.com, right click on the dfs root’s
properties, the security tab.

 

Can I simply take FC away?  I’m a bit hesitant because
it lives on the DC and came this way by default.

 

Bryan Lucas

Server Administrator

Texas Christian University

RE: [ActiveDir] Securing DFS

2006-07-24 Thread Kevin Brunson

I have never had any problems caused by
changing permissions on a DFS root.  One thing to consider before you move too
far down the road of configuration though is if you really want to invest in a
2000 DFS structure when the 2003 R2 DFS structure is so much more robust and
reliable.  I have had and heard of countless problems with 2000 DFS.  I have
not had any problems with 2003 R2 DFS at all.  If you decide to move forward
with 2000 DFS, be aware that they will probably stop replicating occasionally. 
You will then spend hours troubleshooting.  Seriously it is worth building this
on 2003 R2 servers even if you don’t currently have any, if you are doing
anything with DFS.  I know that is not what you are asking, sorry.  

Anyone disagree?

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 24, 2006 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS



 

We built a DFS Root on a windows 2000 domain controller and
the root of the share has “Everyone” Full Control.  E.g. if I
go to \\domain.com, right click on the dfs
root’s properties, the security tab.

 

Can I simply take FC away?  I’m a bit hesitant
because it lives on the DC and came this way by default.

 

Bryan Lucas

Server Administrator

Texas Christian University

RE: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread Dmitri Gavrilov
Re "Access System Security" checkbox. We removed it from the latest
versions of ldp.exe because it does not do what you want. Even if you
grant this right to some principal, he will still be unable to read or
tweak the SACLs. The only way to be able to do this is to grant
SE_ACCESS_SYSTEM_SECURITY privilege. You do this from gpedit.msc
(security settings/User rights assignments).

On a more general note -- yes, AD security is a mess to manage and to
understand. We are trying to improve it, but it is a super super difficult
task. Not only are the rules difficult to understand and numerous,
but also we need to respect the existing security setups which use weird
ACLs. There were several attempts to improve things, but I don't believe
we are getting closer, mostly due to backward compatibility issues, as
well as due to the need to introduce new rules (such as confidentiality
bit and many new control access rights).

BTW, the Delegation Wizard is considered to be the "entry-level" ACLing
tool. Alas, it does not work for ADAM.

Dmitri

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 24, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Yeah what I was doing was setting a FC ACE for connection objects only.
If you want to cover multiple objects for this you would need to specify
multiple objectclasses which would result in multiple ACEs which is not
a good option. Which means, use a different tool as the bugs in the
current version of LDP make that difficult for this specific task. In my
tests, I was specifically using LDP from ADAM SP1. But for what you want
to do, use ADUC or DSACLS.

As an aside, I emailed Matheesha directly a little while ago when my
first email was lost in limbo waiting to be sent out by the list. A
version of LDP that doesn't have this issue should be in Longhorn when
it is released. The developer quickly fixed the first bug I mentioned
this morning after I pinged him and it seems the second bug had already
been corrected. This, folks, is the power of this list. Take note. 

I am not entirely positive what the "Access system security" is supposed
to be... This is not an issue in later versions of LDP...

I would say read the chapters on security in the AD book, then if you
don't have it, get and read Sakari's book as that has a great chapter on
AD security and then finally if you still want to learn more, wander
into the MSDN library and start reading about Security Descriptors,
Access Control Lists, and Access Control Entries. Once you understand
the structures and how they are represented a lot of the security stuff
starts making more and more sense.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Joe

joe I see you were configuring Full Control (GA) for nTDSConnection
objects by configuring perms on the parent nTDSDSA object. I was trying
to actually configure full control to the nTDSDSA using perms on the
CN=Sites object but the principal is the same I guess. The only thing is
nTDSConnection objects can't have child objects can they?
Still I am having some issues repro'ing. You said your workaround was to
configure on the object types. Did you mean to configure explicitly on
the object or on the parent with the child's object type specified in
the ACE? I can't repro here and I am not sure whether you used dsacls or
ldp to repro.

And why does it not choose the "Access System Security" option when you
edit a Full Control ACE? Is that expected? I thought full control meant
everything. Not everything but "Access System Security".

Also how come there is no string defined for "Access System Security"?
There is for all other access masks.

I freely admit I know very little in this arena. Any lesson offered is
most appreciated. I am already reading technet and many books by the
fine guys on here. I just haven't finished them yet ;-)

Thanks to everyone who's read this so far and for all the help I am
offered. I truly appreciate it.

Sincerely

M@


On 7/24/06, joe <[EMAIL PROTECTED]> wrote:
> Beautiful, this is bug week
>
> There are actually two bugs here.
>
> 1. The inherit only check box is greyed out. This is the checkbox you
> would need to check in order to specify an inherit only ACE (i.e. Child
> Objects Only).
>
> 2. When you try to work around it and specify the actual object types
> to inherit to it creates two ACEs instead of one. The first ACE is the
> FC inherit only to the object class you specify but then there is also
> a FC to the object itself. In the example below note the TEST\joe ACEs... I
> only added a single FC for nTDSConnection objects for test\joe but got
> that AND the non-inheritable T
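
Added example, not code from joe, Dmitri or Microsoft: the thread turns on what an ACE actually contains (inherit-only flag, the object class it applies to, and the access-mask names that differ between ldp, dsacls and the docs, such as SDDL "SW" versus "Write self"). Reading the security descriptor back in SDDL form shows exactly which ACEs a tool wrote, so the decoder below parses SDDL ACE strings into readable fields and picks out the kind of stray non-inheritable Full Control ACE joe saw next to his inherit-only one. The code tables are the documented SDDL abbreviations; the object-type GUID and the trustees in the sample DACL are constructed placeholders, and ACCESS_SYSTEM_SECURITY is shown only as a hex mask because, as Matheesha noticed, SDDL has no two-letter code for it.

```python
"""Decode SDDL ACE strings so you can see exactly which ACEs a tool wrote,
including the inherit-only / object-type distinction behind the two-ACE bug
described in this thread.

Added example; not joe's, Dmitri's or Microsoft's code. Codes follow the
documented SDDL syntax; the object-type GUID and the sample DACL are
constructed placeholders."""
import re

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT",
             "AU": "SYSTEM_AUDIT", "OU": "SYSTEM_AUDIT_OBJECT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY",
             "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
# SDDL code -> (access-mask bit, names the various tools show for it)
RIGHTS = {
    "GA": (0x10000000, "GENERIC_ALL / Full Control"),
    "GX": (0x20000000, "GENERIC_EXECUTE"),
    "GW": (0x40000000, "GENERIC_WRITE"),
    "GR": (0x80000000, "GENERIC_READ"),
    "SD": (0x00010000, "DELETE"),
    "RC": (0x00020000, "READ_CONTROL / Read permissions"),
    "WD": (0x00040000, "WRITE_DAC / Write permissions"),
    "WO": (0x00080000, "WRITE_OWNER / Change ownership"),
    "CC": (0x00000001, "CREATE_CHILD"),
    "DC": (0x00000002, "DELETE_CHILD"),
    "LC": (0x00000004, "LIST_CHILDREN / List contents"),
    "SW": (0x00000008, "SELF_WRITE / Write self (dsacls shows WS)"),
    "RP": (0x00000010, "READ_PROPERTY"),
    "WP": (0x00000020, "WRITE_PROPERTY"),
    "DT": (0x00000040, "DELETE_TREE"),
    "LO": (0x00000080, "LIST_OBJECT"),
    "CR": (0x00000100, "CONTROL_ACCESS / Extended rights"),
}
ACCESS_SYSTEM_SECURITY = 0x01000000   # no two-letter SDDL code exists for it
WELL_KNOWN_SIDS = {"DA": "Domain Admins", "EA": "Enterprise Admins",
                   "BA": "Builtin Administrators", "AU": "Authenticated Users",
                   "SY": "Local System", "WD": "Everyone"}


def parse_rights(field):
    """Rights field: a run of two-letter codes or a hex mask. Returns (mask, names)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        names = [desc for code, (bit, desc) in RIGHTS.items() if mask & bit]
        if mask & ACCESS_SYSTEM_SECURITY:
            names.append("ACCESS_SYSTEM_SECURITY (no SDDL code)")
        return mask, names
    mask, names = 0, []
    for i in range(0, len(field), 2):
        bit, desc = RIGHTS[field[i:i + 2]]   # KeyError on an unknown code
        mask |= bit
        names.append(desc)
    return mask, names


def parse_ace(ace_text):
    """One ACE without parentheses: type;flags;rights;object_guid;inherit_guid;sid."""
    parts = ace_text.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE: {ace_text!r}")
    ace_type, flags, rights, obj_guid, inh_guid, sid = parts
    flag_codes = [flags[i:i + 2] for i in range(0, len(flags), 2)]
    mask, names = parse_rights(rights)
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(f, f) for f in flag_codes],
        "inherit_only": "IO" in flag_codes,
        "inheritable": "CI" in flag_codes or "OI" in flag_codes,
        "rights_mask": mask,
        "rights": names,
        "object_type": obj_guid or None,            # property / right GUID
        "inherited_object_type": inh_guid or None,  # class the ACE flows to
        "sid": sid,
        "trustee": WELL_KNOWN_SIDS.get(sid, sid),
    }


def parse_sddl_aces(sddl):
    """Parse every (...) ACE in a DACL or SACL string such as 'D:AI(...)(...)'."""
    return [parse_ace(m) for m in re.findall(r"\(([^)]*)\)", sddl)]


def explicit_full_control(aces):
    """Plain Full Control ACEs that apply to the object itself and do not
    inherit: the unintended second ACE from the thread."""
    return [a for a in aces
            if a["type"] == "ACCESS_ALLOWED" and a["rights_mask"] & 0x10000000
            and not a["inherit_only"] and not a["inheritable"]]


# Constructed DACL: an inherit-only Full Control scoped to one child class
# (placeholder GUID), the stray explicit Full Control on the object itself,
# and a read-only ACE for Authenticated Users.
SAMPLE_DACL = ("D:AI"
               "(OA;CIIO;GA;;00000000-0000-0000-0000-000000000001;DA)"
               "(A;;GA;;;DA)"
               "(A;;RCLCRP;;;AU)")

if __name__ == "__main__":
    for ace in parse_sddl_aces(SAMPLE_DACL):
        print(ace["type"], ace["trustee"], ace["flags"], ace["rights"],
              ace["inherited_object_type"])
    print("explicit FC on the object itself:",
          [a["trustee"] for a in explicit_full_control(parse_sddl_aces(SAMPLE_DACL))])
```

Feed it the SDDL of a real object (ADSI Edit and ldp can display the security descriptor in that form) and the first ACE's IO flag plus its inherited-object-type GUID is the "child objects of this class only" ACE; an accompanying ACE with no flags and GA is the one that should not be there.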

RE: [ActiveDir] Reset home page via GPO

2006-07-24 Thread David Adner
Look here:

http://technet2.microsoft.com/WindowsServer/en/library/1f105ee4-b025-478c-a03e-77fcd91a64e41033.mspx?mfr=true 

> -Original Message-
> > This IE setting can be applied via "policy mode" or "preferences 
> > mode".
> > Policy mode is what you normally think of when configuring GPO 
> > settings in that it'll be reset if a user ever changes it.  
> > Preferences mode only changes the initial value but allows 
> the user to 
> > change it afterwards if they like without having it switch 
> back each 
> > time GPOs are applied.
> > Instead, it is only reset if the GPO itself is modified.
> 
> I can't seem to find those distinctions. I'd love to be able 
> to reset everybody's home page just for their initial login 
> after all the training is done, and let them reset it if they 
> want to, and let it stay that way. I see where you can set it 
> as "enforced" which I did not do, but our testing shows that 
> everytime somebody logs off and then on again, they'll get 
> the intranet start page regardless of whether they changed it or not.




RE: [ActiveDir] [OT] Have you built an R2 Forest?

2006-07-24 Thread joe
Not working today, just running around doing errands and popping in and
looking at email occasionally. The rest of the week I will probably be even
slower. I decided to take the week off and get caught up on things that I
have been putting off.  
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, July 24, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Have you built an R2 Forest?


you're getting slow joe? it took you about an hour! ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 


From: [EMAIL PROTECTED] on behalf of joe
Sent: Mon 2006-07-24 22:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Have you built an R2 Forest?


Settle down princess
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, July 24, 2006 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?


a justice! ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 


From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 2006-07-24 19:16
To: ActiveDir.org
Subject: Re: [ActiveDir] Have you built an R2 Forest?



And Joseph.
-Original Message-
From: <[EMAIL PROTECTED]>
Date: Mon, 24 Jul 2006 16:54:41
To:
Subject: RE: [ActiveDir] Have you built an R2 Forest?

thanks horhay :)



 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



inline



 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



Thanks for this joe. That doc is more than bad - it's plain wrong :(
 
Just to further clarify:
1. If I build a new R2 forest, I should expect a blank TSL - which implies a
60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!) 
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or
adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE 
3. I only need to run the R2 adprep once per forest. [Stated for
completeness]
[JdAP says:] YES 
4. Do I need to run the R2 setup on each machine I build? Will this process
revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO 
 
I'm trying to understand the issue below but also how it is caused and how
it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA 
 
neil
PS I agree re R2 and its value above and beyond SP1. But what a great
marketing ploy :)
 




 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?



This all started due to bad documentation on
 
http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true:

 
which states
 

Note the value in the Value column. If the value is , the default
value is in effect as follows:

• On a domain controller in a forest that was created on a domain controller
running Windows Server 2003 with Service Pack 1 (SP1), the default value is
180 days.

• On a domain controller in a forest that was created on a domain controller
running Windows 2000 Server or Windows Server 2003, the default value is 60
days.

 
 
which was confusing a customer. Then after I explained about how 60 days is
hardcoded and 180 days was a schema.ini fix he further indicated that he
wasn't seeing this in an R2 forest hence his original question. The test R2
forests I have built I never checked TSL, just assumed it was 180 and
normally I don't built R2 machines because I really don't much care about
R2, SP1 is far more important for the stuff I play with. I mean really, how
many people verify the TSL of their forest versus just assuming it was
whatever MSFT or someone representing MSFT said it should be. I know I have
told a ton of people that after SP1 the value is 180 and I want to make sure
I tell all of those

Re: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread Matheesha Weerasinghe

There is much in ldp I don't know. Everything I do know, I learned from
John Craddock's book and the understanding ldap whitepaper from MSFT.

Thanks for all the help so far joe and Dmitri . If I wanted to get my
TAM to get the updated version of ldp as it stands, what QFE number
should I quote?

The more I look into this the more insane I get ;-) Why is the
Extended Right defined with the string "SW" in the sddl format but
dsacls uses "WS". Different access masks have different names
depending on what I read.  "Read permissions" in ldp is "Read Control"
in the docs. "Extended write" in ldp is "Write to self" in dsacls. At
least that's how I understood it.

I may have to make my own notes on this. If I ever have to read this
stuff and the delegation docs I am definitely going to go nuts.

Would it be fare to say we can do all we need definitely using
scripts? Or is that also not definite? You see, until recently I was
reading this delegation doc with a grin from ear-to-ear thinking yeah!
And now I am not so 

Before I break down and cry like Homer, I'm gonna go get some Zz!

Cheers

M@

On 7/24/06, Dmitri Gavrilov <[EMAIL PROTECTED]> wrote:

Re "Access System Security" checkbox. We removed it from the latest
versions of ldp.exe because it does not do what you want. Even if you
grant this right to some principal, he will still be unable to read or
tweak the SACLs. The only way to be able to do this is to grant
SE_ACCESS_SYSTEM_SECURITY privilege. You do this from gpedit.msc
(security settings/User rights assignments).

On a more general note -- yes, AD security is a mess to manage and to
understand. We are trying to improve it, but it is a super super difficult
task. Not only are the rules difficult to understand and numerous,
but we also need to respect the existing security setups which use weird
ACLs. There were several attempts to improve things, but I don't believe
we are getting closer, mostly due to backward compatibility issues, as
well as due to the need to introduce new rules (such as the confidentiality
bit and many new control access rights).

BTW, the Delegation Wizard is considered to be the "entry-level" ACLing
tool. Alas, it does not work for ADAM.

Dmitri

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 24, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Yeah what I was doing was setting a FC ACE for connection objects only.
If you want to cover multiple objects for this you would need to specify
multiple objectclasses which would result in multiple ACEs which is not
a good option. Which means, use a different tool as the bugs in the
current version of LDP make that difficult for this specific task. In my
tests, I was specifically using LDP from ADAM SP1. But for what you want
to do, use ADUC or DSACLS.

As an aside, I emailed Matheesha directly a little while ago when my
first email was lost in limbo waiting to be sent out by the list. A
version of LDP that doesn't have this issue should be in Longhorn when
it is released. The developer quickly fixed the first bug I mentioned
this morning after I pinged him and it seems the second bug had already
been corrected. This, folks, is the power of this list. Take note.

I am not entirely positive what the "Access system security" is supposed
to be... This is not an issue in later versions of LDP...

I would say read the chapters on security in the AD book, then if you
don't have it, get and read Sakari's book as that has a great chapter on
AD security and then finally if you still want to learn more, wander
into the MSDN library and start reading about Security Descriptors,
Access Control Lists, and Access Control Entries. Once you understand
the structures and how they are represented a lot of the security stuff
starts making more and more sense.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Joe

joe, I see you were configuring Full Control (GA) for nTDSConnection
objects by configuring perms on the parent nTDSDSA object. I was trying
to actually configure full control to the nTDSDSA using perms on the
CN=Sites object but the principal is the same I guess. The only thing is
nTDSConnection objects can't have child objects, can they?
Still I am having some issues repro'ing. You said your workaround was to
configure on the object types. Did you mean to configure explicitly on
the object or on the parent with the child's object type specified in
the ACE? I can't repro here and I am not sure whether you used dsacls or
ldp to repro.

And why does it not choose the "Access System Security" option when you
edit a Full Control ACE? Is that expected? I thought full control me

Re: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread Al Mulnick
I think you can infer from the posts by Dmitri and joe that this is more complex than you'd like to hear.  That said, it might be more productive if you post what you want to accomplish and see if somebody can help you determine/navigate the way forward. 

 
A QFE for Longhorn?  You're making the assumption that the fix is backported.  It may not be. 
I think that would be the first question to ask before asking to get a copy. 
 
Al
 

Re: [ActiveDir] Managing Third-Party Users

2006-07-24 Thread Joe Kaplan
There are a bunch of products in this space.  The two primary protocols to 
be concerned about are SAML and WS-Federation.  ADFS is WS-Federation only. 
Some other products are SAML only and some support both.


A lot of what you want to do depends on your scenarios.  Do you just want to 
let your users access partner applications or do you plan to let your 
partners access your applications?  Maybe you need to do both?


Joe K.
- Original Message - 
From: <[EMAIL PROTECTED]>

To: 
Sent: Monday, July 24, 2006 3:50 PM
Subject: RE: [ActiveDir] Managing Third-Party Users


Thanks for your take on it, Joe.  I'm finding the same thing when it comes 
to the ideology.  It's not baked in very well yet... so trying to make a 
judgment on strategy is a bit difficult.  :)  I think I'll start looking 
down what Microsoft offers... problem is I'm not even sure what the 
competitors are ...


:m:dsm:cci:mvp | marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan

Sent: Saturday, July 22, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Managing Third-Party Users

Federation is the way of the future in these scenarios.  I'm spending about
50% of my time at work these days helping to build out our federation
infrastructure and imagine that we'll be using it extensively.  We are
already doing some type of federation thing with over 30 vendor-hosted apps
internally (benefits, travel, surveys, etc.).  However, none of these
implementations are currently using any of the standard federation protocols
(SAML, WS-Fed) and suffer from expensive implementations, no reusability
between implementations and dubious security.

We are also looking at hosting some services internally for clients and
partners and using federation as a way to allow them to authenticate with
their own credentials.

The big challenges right now are that with both SAML and WS-Fed as the
dominant protocols out there (and WS-Fed much further behind in terms of
adoption rates, but gaining due to the popularity of AD and the low cost of
ADFS compared to many solutions), it is hard to say you only want to do
ADFS/WS-Fed.  Our approach is to try to support both for the "outbound"
scenario, where our users are accessing a partner resource, although we are
still trying to pick a SAML 2 product yet.  We'll probably be more picky
about WS-Fed for the opposite scenario as our guys like to use Windows
token-based websites (like SharePoint) for custom dev and only ADFS has a
really flexible solution for supporting this.

The big challenges are that right now, things are still pretty "early
adopter", so it is hard to find a lot of partners that are ready to go with
their infrastructure.  There isn't much expertise out there with these
products yet either, so people are stumbling quite a bit.  In our "inbound"
scenario, we are looking at needing to set up an alternate account store to
host the accounts of partners who aren't "federation-capable" yet, so that's
a drag.  I'm not sure the team building that app has realized yet that the
cost and complexity of the identity and access management work for that
account store will likely outstrip the cost of dev and maintenance on the
app itself by an order of magnitude.  They aren't I&AM people, so they are
just realizing that users of the store will need features like password
change, password reset and password expiration notifications.  BTW, we are
using ADAM for the account store and setting it up as a separate federation
account partner.

Another thing worth noting is that we already have a well-established
process for provisioning accounts for external users and contractors in the
corp forest and we'll continue to use that in scenarios where it is
appropriate.  However, we'll try to do as little as possible of that sort of
thing when simple access to a few web apps is all that's needed.

All in all though, I'm pretty excited about the technology, especially ADFS.
It combines my three favorite tech things, I&AM, web programming and .NET,
so what's not to love?  :)


Joe K.
- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 12:05 PM
Subject: [ActiveDir] Managing Third-Party Users


My trusted directory resource,

I don't remember if this came up on a previous post, but don't recall seeing
the topic.  As things become more and more integrated w/ some form of ldap
authentication against a common directory, the necessity for managing
outside vendors, contractors, etc is becoming a larger and larger task.  If
you're in a situation where the vendor has a large population of users that
require access, with incredible churn, this becomes a big issue.

I'm curious what, if anything, anyone else is doing to use some sort of
federated system so that user management is left at the hands of the
third-party companies.  I'm curious also if anyone is aware of any
consulting g

[ActiveDir] Mail Run

2006-07-24 Thread Brian Desmond
Does anybody have recommendations for what attribute to store a user's mail
run in? I'm looking for something that shows up in the GAL but I'm drawing a
blank.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

RE: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread joe

Al is correct. There is no QFE number at this point.

The first step would be to present a solid business case and then Microsoft
would officially review it and determine if a QFE, which would mean an
official back port, makes sense. A QFE is an official release and takes some
work to get done, so there has to be good justification behind it. The more I
think about this, the tougher I think it would be to get a QFE for LDP. But
again, if you have the business case, it might get through.
 
So is this a case of simply wanting it or this is the only 
way? From what I have heard it doesn't sound like this is the only way to go 
forward but I am not sure if I know everything required. 
 
What I see right now is
 
> objects by configuring perms on the parent nTDSDSA object. I was trying
> to actually configure full control to the nTDSDSA using perms on the
> CN=Sites object but the principal is the same I guess. The only thing is
> nTDSConnection objects can't have child objects can they?

which doesn't really tell me what you are trying to do. Are 
you trying to delegate the ability to manipulate connection objects or 
ntdsdsa objects or what? If you are trying to just delegate those two pieces and 
trying to do it from the sites level on down, you will have to use at a minimum 
two ACEs, one for ntdsdsa objects and one for connection objects. Alternately 
you will have to add an ACE at the ntdsdsa object level under every server and 
every site. 
 
Again, all of the ACL tools have different shortcomings, there is no one
tool that handles everything perfectly from MSFT at this point in time, and
even LDP, which is one of the more flexible tools after the mentioned bug
fixes, is still going to fall short in people's eyes because the interface is
too low level for some people. This is where the next piece, on terms and
names, comes in.
 
 
RE: terms and names and etc, yes, it is all over the map. 
Asking questions of WHY is this named that and the same thing named something 
else in another tool are going to feel good to ask but aren't likely to be 
answered because it isn't constructive to answer those questions. Yes security 
is tricky and messy and everyone understands that and attempts are being made to 
make it better, but as Dmitri indicated and I indicated, it isn't easy. There 
are a lot of special cases to take into account and trying to force one good 
easy solution at this point has potential to break a lot of things which will 
just instigate more WHY questions. Even from the start the flexibility built 
into the ACLing model made it complex, it has only gotten more so as people 
demanded more granularity and capability. I can say the same things about my 
tools and they are ultra simple next to something like the permissioning model. 
But as I or others pushed for more features and capability and I actually added 
it complexity increased considerably to the point where I am at some point going 
to release a whole new version of the tools based on a whole new code base or 
framework. This is "easy" for me to do relative to Microsoft as my support base 
is not even a rounding error to the MSFT support base and it still will be quite 
hard. 
 
 
So why is it SW in SDDL and WS in DSACLS? Answer: because that is the way it is. :)
 
Read permissions could be stated as Read Permissions or 
Read Properties or Read Control or just Read or circumflexuremititis whatever. 
Why? See above.
 
 
The actual reason behind "because" could be lots of things 
- it depends. You would need to talk to the developers of each component. I 
expect it wasn't a mass conspiracy to confuse anyone. More likely it is actually 
dev people trying to help others with maybe more descriptive terms or possibly 
they didn't fully understand the thing themselves in the first place. As Dmitri 
mentioned with the "Access system security", they put it in and found out later 
things just didn't work the way they expected. Heck if they had asked me I could 
have told them it doesn't work that way, it could break the security model 
if it did. However I wasn't asked. On the contrary though, there are probably a 
ton of other things I would have done wrong that I wasn't aware of because I 
didn't have a chance to experience them. I got a chance to read something from 
Guido recently on some ACL stuff and it completely stunned me and made me bang 
my head on the desk for a little bit. It is a complex complex product and 
complex complex security model. Though to be blunt, I don't think I have seen a 
simple but flexible and granular security model yet that lends itself both to 
easy programming and easy user comprehension.
 
At this point you have it easy, you are only looking at AD 
permissions. Once you step out from that tiny little aspect of where this ACLing 
is used you start to see all sorts of fun stuff where different bits mean 
different things in ACLs for different objects and in some cases another 
completely

RE: [ActiveDir] Securing DFS

2006-07-24 Thread Almeida Pinto, Jorge de
for each DFS root replica the following should be enough
 
e.g. (you will need to do this for EACH DFS root replica MANUALLY)

C:\DFSnamespaces              NTFS perms: Auth. Users -> Read
C:\DFSnamespaces\DFSroot      NTFS perms: Auth. Users -> Read
Share DFSroot OR DFSroot$ = C:\DFSnamespaces\DFSroot
                              Share perms: Auth. Users -> Read

I say MANUALLY because normally you will not set up NTFRS/DFS-R replication for
the DFS root itself. The root can be considered as a starting point/place
holder, and if it is a domain based DFS root the info is stored in AD and
replicated. Again, in this case the NTFS perms and share perms are not
replicated to other DFS root replicas because no file based replication is
set up. IMHO, file based replication is ONLY set up for the DFS links below the
DFS root.
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80



From: [EMAIL PROTECTED] on behalf of Lucas, Bryan
Sent: Mon 2006-07-24 23:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS



We built a DFS Root on a windows 2000 domain controller and the root of the
share has "Everyone" Full Control.  E.g. if I go to \\domain.com, right click
on the dfs root's properties, the security tab.

 

Can I simply take FC away?  I'm a bit hesitant because it lives on the DC and 
came this way by default.

 

Bryan Lucas

Server Administrator

Texas Christian University

 




RE: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread Grillenmeier, Guido
I guess Matheesha's original question has been answered as well as it
can be for now with the information given. I just quickly want to comment
on the 3rd party tool aspect joe is mentioning below - naturally, before
spending considerable money on the tools, you'd need to test if they do
what you want them to do in the first place.

What I've found from many years of leveraging and checking different
ACLing tools is that they also just go so far...  I've had various
different customer requests, which could not be achieved with the tools,
but could be achieved with the native ACLs (mostly talking AD here).
After getting over the hurdles of the basics, scripting quickly becomes
your friend. I am not saying that 3rd party tools aren't quite useful
for general ACLing stuff - it's when your own security model is complex,
the tools will often not be able to help you reach your goal. 

Often this is a result of the complex ACLing rules built by MSFT
themselves. Very hard for a developer to keep up with all changes (think
of all the changes in Win2003 compared to 2000 and then with Win2003
SP1) and to understand the plethora of rules, especially when it comes
to combining specific ACLing settings set at totally different places in
the directory. A great example for this are various options to
controlling delegation of password settings (I've written this up
internally and for my upcoming Windows security book, as joe had been
pointed at in his other reply). Win2003 provides three new not so well
known extended rights, which allow domain admins to control which
delegated admin can change critical password attributes on user
accounts:

* Enable-Per-User-Reversibly-Encrypted-Password
* Unexpire-Password
* Update-Password-Not-Required-Bit

The challenge: these extended rights are set at the domain level, while
other permissions to control which delegated admin can do what in an OU
(e.g. create and manage users) are typically set at the OU level. So if
you give a delegated admin full control over users, he would for example
not be able to set the "Password never expires" and the "Store password
using reversible encryption" options on the user accounts he is allowed
to fully control, UNLESS he is ALSO granted the appropriate extended
right at the root of your domain ("Unexpire-Password" and
"Enable-Per-User-Reversibly-Encrypted-Password" in this example).

This is certainly challenging for any domain administrator and more so
for 3rd party ACLing tools. Realize that by default the three extended
rights I have mentioned above are granted to Authenticated Users, which
means that any delegated admin who is also granted the rights to control
the account restrictions of a user can set the respective password
options. As these are rather sensible settings though, I'd rather
disable any delegated admin from setting them (which is why the extended
rights have been added to Win2003 in the first place).  If you have
different admins allowed to create users, just check out your domains
and see how many users are configured with the "password never expires"
flag - you will quickly understand what I mean.  

But again: it is very tough for 3rd party tools to remove default rights
for you => they usually just handle adding permissions and it is up to
you to fully understand the ACLing concepts of Windows to make
everything work correctly. 

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 24, 2006 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Yes the tools are not quite what they could be. A lot of this is based on
the complexity of the subject. The model is quite cool but it is also quite
complex and getting more so. Look at the confidential attribute hack and the
extended rights for protecting userAccountControl (Update Password Not
Required Bit, etc). 

When you take into account all of the special rules in the DIT (usually
around SAM attributes) which conflict with schema definitions as well as the
special cases of ACLing like the confidentiality bit and the
userAccountControl "modifiers" etc, and the inheritance model, it is very
difficult to write one tool to handle all of the various cases to tell you
what you have and to help you get to what you want. An additional difficulty
is that Microsoft isn't quick with updating tools to handle new features. 

Now third parties get into this realm and start playing but for many people
that just pisses them off and makes them say... Hey Microsoft should already
be supplying this, I'm not buying something. That combined with the fact
that just maybe MSFT will realize they should correct this will tend to kill
most third party folks from even going into that realm.

Oh another additional complexity and LDP actually exposes this. You could
create a tool that could build any kind of ACL you want without making any
judgements on what is being done so that at a later time if something
changes
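
The naming mismatch Matheesha asks about (SDDL "SW" versus dsacls "WS") and the domain-level extended rights Guido describes both come down to the same two fields of an ACE: the access mask and the object GUID. The following is an added example, not code from this list, from ldp or dsacls, or from Microsoft: a small Python parser for SDDL DACL strings that maps each two-letter right to its access mask bit and the corresponding dsacls abbreviation, and then reports which of the three password extended rights a constructed domain-root DACL grants to Authenticated Users (SDDL alias AU; DA is Domain Admins). Two things in it are assumptions to confirm in your own forest: the dsacls column is transcribed from dsacls' help text, and the three rightsGuid values are the documented ones for those rights, which you should check against the controlAccessRight objects under CN=Extended-Rights in the Configuration partition.

```python
"""SDDL ACE parser plus a check of which extended rights a domain-root DACL grants
to Authenticated Users. Added example, not list or vendor code. Assumptions: the
dsacls abbreviations are transcribed from dsacls' help text, and the three
rightsGuid values are the documented ones (confirm against CN=Extended-Rights)."""
import re
from collections import namedtuple

# SDDL abbreviation -> (ACCESS_MASK bit, dsacls abbreviation, meaning). Same bit,
# different letters: SDDL "SW" is dsacls "WS", SDDL "CR" is dsacls "CA".
ACCESS_RIGHTS = {
    "CC": (0x00000001, "CC", "Create child"),
    "DC": (0x00000002, "DC", "Delete child"),
    "LC": (0x00000004, "LC", "List children"),
    "SW": (0x00000008, "WS", "Validated write ('Write to self')"),
    "RP": (0x00000010, "RP", "Read property"),
    "WP": (0x00000020, "WP", "Write property"),
    "DT": (0x00000040, "DT", "Delete tree"),
    "LO": (0x00000080, "LO", "List object"),
    "CR": (0x00000100, "CA", "Control access (extended right)"),
    "SD": (0x00010000, "SD", "Delete"),
    "RC": (0x00020000, "RC", "Read control ('Read permissions')"),
    "WD": (0x00040000, "WD", "Write DAC ('Modify permissions')"),
    "WO": (0x00080000, "WO", "Write owner"),
    "GA": (0x10000000, "GA", "Generic all (full control)"),
}

# rightsGuid -> cn of the controlAccessRight object (see assumptions above).
PASSWORD_EXTENDED_RIGHTS = {
    "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501": "Unexpire-Password",
    "280f369c-67c7-438e-ae98-1d46f3c6f541": "Update-Password-Not-Required-Bit",
    "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5": "Enable-Per-User-Reversibly-Encrypted-Password",
}

# object_type is the GUID of a property, property set or extended right ("" = any).
Ace = namedtuple("Ace", "ace_type flags mask object_type inherited_object_type trustee")


def parse_rights(rights: str) -> int:
    """Hex literal (0x100) or two-letter pairs (RPLCLORC) -> access mask.
    Unknown pairs raise instead of being dropped: a lost bit would hide a grant."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        pair = rights[i:i + 2]
        if pair not in ACCESS_RIGHTS:
            raise ValueError(f"unknown SDDL right {pair!r}")
        mask |= ACCESS_RIGHTS[pair][0]
    return mask


def describe_mask(mask: int) -> list:
    """Every (SDDL, dsacls, meaning) triple whose bit is set in mask."""
    return [(s, d, m) for s, (bit, d, m) in ACCESS_RIGHTS.items() if mask & bit]


def parse_sddl_dacl(sddl: str) -> list:
    """Parse the D: section of an SDDL string; owner, group and SACL are skipped."""
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("no DACL (D:) section")
    end = sddl.find("S:", start)  # an SACL marker, if present, ends the DACL
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl[start + 2:None if end < 0 else end]):
        fields = body.split(";")
        if len(fields) != 6:  # callback ACEs carry a 7th field; refuse to misread them
            raise ValueError(f"unsupported ACE ({body})")
        t, flags, rights, obj, inh, trustee = fields
        aces.append(Ace(t, flags, parse_rights(rights), obj.lower(), inh.lower(), trustee))
    return aces


def extended_right_grants(aces: list, rights_by_guid: dict, trustee: str) -> list:
    """Names from rights_by_guid that an allow ACE grants to trustee, in ACE order.
    A CR ACE with an empty object GUID grants every extended right, so all names count."""
    granted = []
    for ace in aces:
        if ace.ace_type not in ("A", "OA") or ace.trustee != trustee:
            continue
        if not ace.mask & ACCESS_RIGHTS["CR"][0]:
            continue
        if ace.object_type == "":
            names = list(rights_by_guid.values())
        elif ace.object_type in rights_by_guid:
            names = [rights_by_guid[ace.object_type]]
        else:
            continue
        granted += [n for n in names if n not in granted]
    return granted


# Constructed sample: a domain-root DACL in the default state Guido describes (the
# three password rights granted to AU), plus read for AU and broad rights for DA.
SAMPLE_DOMAIN_ROOT_SDDL = (
    "D:AI(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)"
    "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)"
    "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)"
    "(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
)


def audit_sample() -> list:
    return extended_right_grants(parse_sddl_dacl(SAMPLE_DOMAIN_ROOT_SDDL),
                                 PASSWORD_EXTENDED_RIGHTS, "AU")
```

To use this on a real forest, export the domain root's security descriptor in SDDL form (it is the nTSecurityDescriptor attribute of the domain NC head) and feed it to parse_sddl_dacl. As Guido points out, the place to look is the domain root, not the OU: a delegated admin who has full control over users in an OU still needs these three rights granted there before the password flags can be set, which is also why a Domain Admins ACE with CR and no object GUID (the last ACE in the sample) counts as a grant of every extended right.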

RE: [ActiveDir] Securing DFS

2006-07-24 Thread Grillenmeier, Guido



changing the permissions to read only on the DFS roots is 
no issue at all (doesn't matter what type of server the root is hosted on - DC 
or member). I'd actually replace everyone with Auth. Users at the same 
time.
 
as for Kevin's other comment on using Win2000 for DFS vs. Win2003 or R2 -
totally agree that especially R2 has extensive improvements in the DFS service
itself and especially in the file-replication engine (DFS-R). But if Bryan is
not using file-replication in this Win2000 environment and "only" needs to
build a hierarchy of shares, he can already get quite far with Win2000 DFS
roots.  Of course there have been advancements such as multiple DFS roots per
server in 2003 and further cool stuff for the basic DFS service in R2, such as
sub-folder hierarchy for the DFS links, but Bryan may not need them.
 
Fully agree though, if file replication is involved, DFS-R 
in R2 is much preferred over FRS in Win2000 and Win2003 (RTM). Really depends on 
your situation if you need it.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Monday, July 24, 2006 11:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing DFS


I have never had any problems caused by changing permissions on a DFS root.
One thing to consider before you move too far down the road of configuration
though is if you really want to invest in a 2000 DFS structure when the 2003
R2 DFS structure is so much more robust and reliable.  I have had and heard of
countless problems with 2000 DFS.  I have not had any problems with 2003 R2 DFS
at all.  If you decide to move forward with 2000 DFS, be aware that they will
probably stop replicating occasionally.  You will then spend hours
troubleshooting.  Seriously it is worth building this on 2003 R2 servers even
if you don't currently have any, if you are doing anything with DFS.  I know
that is not what you are asking, sorry.

Anyone disagree?

Kevin Brunson
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 24, 2006 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS

We built a DFS Root on a windows 2000 domain controller and the root of the
share has "Everyone" Full Control.  E.g. if I go to \\domain.com, right click
on the dfs root's properties, the security tab.

Can I simply take FC away?  I'm a bit hesitant because it lives on the DC and
came this way by default.

Bryan Lucas
Server Administrator
Texas Christian University