RE: [ActiveDir] Have you built an R2 Forest?
Hehe, yep, I've seen that (the difference in the Schema.ini files, i.e. the missing entry for the tombstoneLifetime property) but didn't think too much of it, because for now I've only had to handle upgrading from Win2000 or 2003 to R2, where the Schema.ini doesn't play a role. It is "only" used to populate a blank schema at the time that you create a new AD forest - and yes, this means that your tombstone lifetime wouldn't match that of other Win2003 forests that were created from a DC that had SP1 applied to it... I agree, not very nice, but easily fixed as you describe.

Personally, I don't think too much of the fact that the tombstoneLifetime was increased to 180 days in SP1 anyways. This was done to avoid issues for companies with a badly managed AD - I would generally much prefer to adjust the value to what is appropriate for a company's backup recovery strategy. And this usually doesn't mean that you need to keep the "garbage" in your AD for 1/2 a year...

Granted, it's the inconsistency with which MSFT has done the update of the Schema.ini files which is not so nice - but the rules are pretty clear on how the tombstone lifetime can be evaluated by an admin: if the attribute on the Directory Service object (tombstoneLifetime -> CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MyRootDomain) shows NOT SET, then it's the "original" default tombstone lifetime of 60 days. Else it's whatever number of days has been set, either by the DCPROMO routine writing a specific value into the attribute when creating a new forest, or by an admin changing the value to whatever is appropriate.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, July 24, 2006 1:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Have you built an R2 Forest?

If so... you may want to peek at http://blog.joeware.net/2006/07/23/484/ entitled "R2 tombstoneLifetime boo boo"

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
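As an added example (not code from the list post or from Microsoft), this PowerShell applies the rule Guido gives: read tombstoneLifetime from the Directory Service object in the Configuration NC, treat NOT SET as the 60-day default, and check a backup's age against the result, since a system-state backup older than the tombstone lifetime must not be restored. The ActiveDirectory module cmdlets are real; the function names, the sample DN and the 90-day backup date are assumptions of mine.

```powershell
# Added example (not from the list post): read tombstoneLifetime from the
# Directory Service object and apply Guido's rule. Needs the ActiveDirectory
# module (RSAT) and a reachable DC for Get-EffectiveTombstoneLifetime; the two
# decision functions below are pure and run without a DC.

function Resolve-TombstoneLifetime {
    # NOT SET (null) => original 60-day default; any stored value is authoritative,
    # whether DCPROMO/Schema.ini wrote it at forest creation or an admin changed it.
    param(
        [AllowNull()] $AttributeValue,
        [string] $DistinguishedName
    )
    if ($null -eq $AttributeValue) {
        return [pscustomobject]@{
            DistinguishedName = $DistinguishedName
            AttributeValue    = 'NOT SET'
            EffectiveDays     = 60
            Source            = 'Default (attribute not set)'
        }
    }
    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        AttributeValue    = [int]$AttributeValue
        EffectiveDays     = [int]$AttributeValue
        Source            = 'Explicit (written by DCPROMO/Schema.ini or set by an admin)'
    }
}

function Test-BackupWithinTombstoneLifetime {
    # A system-state backup older than the tombstone lifetime must not be restored:
    # the restored DC would resurrect objects the other DCs have already purged.
    param(
        [Parameter(Mandatory)] [datetime] $LastBackup,
        [Parameter(Mandatory)] [int] $TombstoneLifetimeDays,
        [datetime] $Now = (Get-Date)
    )
    $ageDays = [math]::Floor(($Now - $LastBackup).TotalDays)
    [pscustomobject]@{
        BackupAgeDays = $ageDays
        TombstoneDays = $TombstoneLifetimeDays
        RestoreIsSafe = $ageDays -lt $TombstoneLifetimeDays
    }
}

function Get-EffectiveTombstoneLifetime {
    # Live query: build the DN from the forest's configuration NC so it works
    # for any root domain, then resolve the value with the rule above.
    param([string] $Server)
    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }
    $rootDse  = Get-ADRootDSE @adArgs
    $dn       = 'CN=Directory Service,CN=Windows NT,CN=Services,' + $rootDse.configurationNamingContext
    $dsObject = Get-ADObject @adArgs -Identity $dn -Properties tombstoneLifetime
    Resolve-TombstoneLifetime -AttributeValue $dsObject.tombstoneLifetime -DistinguishedName $dn
}

# Offline demonstration with constructed values (hypothetical root domain):
$dn     = 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MyRootDomain'
$legacy = Resolve-TombstoneLifetime -AttributeValue $null -DistinguishedName $dn   # 60 days
$sp1    = Resolve-TombstoneLifetime -AttributeValue 180   -DistinguishedName $dn   # 180 days
$legacy, $sp1 | Format-Table AttributeValue, EffectiveDays, Source -AutoSize

# A constructed 90-day-old backup: unusable in a 60-day forest, still usable in a 180-day forest.
$backup = (Get-Date).AddDays(-90)
Test-BackupWithinTombstoneLifetime -LastBackup $backup -TombstoneLifetimeDays $legacy.EffectiveDays
Test-BackupWithinTombstoneLifetime -LastBackup $backup -TombstoneLifetimeDays $sp1.EffectiveDays

# Against a real forest (requires RSAT and domain connectivity):
# Get-EffectiveTombstoneLifetime | Format-List
```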
Re: [ActiveDir] OT: Interview Techniques
Brian,

That was a good story, very funny. So what did the guy do? Did he just get up and leave? I know from reading your posts you are usually straight and to the point. I would be sweating if I had to interview with you.

Going off course a bit. What are some types of AD questions that you all consider to be "senior level"? For example, what if you ask someone how to do a metadata cleanup? Would you all consider that to be a mid-level question? Just wondering, because I always grapple trying to figure out questions for the mid vs. senior level candidate.

On 7/23/06, Brian Desmond [EMAIL PROTECTED] wrote:

I've got no second thoughts about being an asshole during a tech interview. I ask the question, you either answer it or tell me you don't know. If you choose not to tell me you don't know and demonstrate that you don't know through what you tell me instead, I'm already pretty much through. If you're arrogant like this candidate you describe, I'm likely through as well.

My favorite exchange as of late goes like this:

Me - Tell me a little bit about your experience migrating Exchange 5.5 orgs to 2003
Them - blah blah blah
Me - Ok, can you name the three types of connection agreements in the ADC?
Them - well uh blah blah well uh excuse excuse
Me - other questions
Me - So would you be comfortable migrating a 10K user 5.5 org to 2003?
Them - Absolutely
Me - How can you be comfortable doing that when you can't even explain the first step of the migration to me?

In any case, others have put some really good advice here. What you want in a technical lead is someone who can get their hands dirty without getting scared or screwing up. They should also have no second thoughts about delegating work and asking their subordinates for help. That person needs to be able to deal with upper management, and they also need to make sure their self esteem is in check - none of that "I did X" when all they did is watch. Hiring your new manager can be a little difficult on both sides from the point of view of why wasn't someone on your team promoted to that position?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 23, 2006 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Interview Techniques

All

I am currently in the process of interviewing job candidates who, if successful, will become my boss ;-) Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the "pleasure" of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here, but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory". Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did. Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was... aggressive.

So, my question to you guys is, if you were interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha {Newbie AD Guru wannabe ;0) }

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: Interview Techniques
Oh, usually folks stumble all over and give me some BS about how they're a committed team player. I've had that exchange three or four times interviewing people for this one project.

Metadata cleanup is a mid-level question. Senior level questions - I like quizzing people a bit more in depth about FSMO roles: the importance of the different ones, what happens if certain ones are offline. I sometimes ask when I might want a shortcut trust; asking how do I figure out how much memory I should put in a GC is fun; estimating DIT size... I like questions where they're open ended and you have to talk your way through here. Replication questions I usually just make some stuff up on the fly and let them deal with whatever I've made up. The worst is when I have a problem with my scenario and they figure it out <g>.

I've been focusing more on Exchange candidates lately, asking some eseutil questions like how can I figure out the state of my database (eseutil /mh), and how you would deal with different states is one of my favorites. Asking about disk I/O configs is fun too. A lot of times I just make it up as I go based on the resume. I really don't care how good you actually are if I can work with you and like your personality. Sometimes I'm a total asshole if I think the resume is some hotshot dude who claims 13 years of experience with <insert blah here> and he's an expert with <insert blah here>. I got a resume from some guy who claimed 8 years of expert level experience with Cisco Switches and Routers or some such BS on the first page of his resume, so the very first thing I asked him was to explain to me the function of the TCAM table on a layer 3 switch and could he tell me the width of each entry (168 bits), and finally could he explain to me what would happen if I had too many ACLs which utilized port ranges. "Uh, that's not related to this job." "No, but it's on your resume and you're an expert, so you should be able to tell me all about it, right?"

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mike kline
Sent: Monday, July 24, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques
RE: [ActiveDir] Vendor Domain
Just a few thoughts to add, since so many others already have given you great answers:

- I've heard that any changes to a network which has production status in a clinic, pharma manufacturer or supplier will endanger FDA approval.
- I know that many clinical devices are specialized workstations which are controlling devices such as modern x-rays. They do have network access and may be members of a domain to provide doctors with x-rays a.s.o. Sounds like your manufacturer is talking about such devices and is concerned that a change in a GPO which is affecting his appliance might break its functionality, e.g. putting certain signing or encryption policies in place, but the workstation talks to its hardware via proprietary SMB.

I just wanted to throw this into the discussion. If we are talking about such devices/appliances, I'd also prefer a different domain or even forest to manage them, or want to know very closely what the requirements are and keep an extra eye on those machines. Don't put lives at jeopardy b/c of a misconfigured GPO.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Profile & Publications: http://mvp.support.microsoft.com/profile
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: Thursday, July 20, 2006 9:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

Thank you all. The vendor in question is bringing in a medical solution. Here is the response from the vendor so far. Mind you that we have lots of medical device solutions that exist in our domain; the FDA card is played as a blanket so you stop asking questions... we ran into the same issue with security patches: "why can't I patch that device?". When we've looked at these FDA regulations in the past it turned out that there was more liability by not patching.

From the vendor:

Let me start by thanking you for considering our support model and continuing to pursue supporting it in your organization. Our designers have architected the system to comply with Microsoft's best practices. We have implemented our own .local domain in an effort to provide solid system integrity founded on Kerberos authentication and a single sign-on experience for your clinicians. Our system relies heavily on the integrity of the Active Directory structure. We have integrated the launching of services and control of processes using this Microsoft recommended model. It has been our experience that relying on a hospital's Active Directory structure is a dependency that has opened our customers up to liabilities for the integrity of our regulated medical device. I liken the servers to a respirator. Having an outside person, no matter how qualified, work on a respirator would be a concern from a clinical standpoint. We have witnessed Group Policies applied to servers in a more open environment. This is a liability we do not want to expose our business partners to. Any change, no matter how minute, to our system would endanger our validation and designation as a XXX regulated medical device and would open you to failing FDA auditing.

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, July 20, 2006 12:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

I would tend to agree, except in the case of Exchange. I am ALL FOR Exchange being run in a separate single domain forest; it solves an incredible number of problems such as the GC/NSPI problems as well as administrative isolation, etc. The exception there is if Exchange is deployed in a decentralized fashion out to all of the sites you already have DCs at; at that point, you probably want to fight with the issues with it in the main forest.

The biggest complaint I have seen for running a separate Single Domain Forest for Exchange is around provisioning, and quite frankly, that really isn't all that involved and doesn't necessarily need a full blown MIIS/IIFP solution. It depends on what data is needed where. If you need all of the GAL info in the main NOS forest as well as the Exchange forest then you are looking more into metadata sync tools, unless your provisioning is all being handled through a centralized mechanism, and then that can be used to send the info in both directions and an actual tie between the domains for syncing isn't necessarily required.

But if this isn't Exchange, I would be curious to hear the details of the app and why they want a separate forest. Most vendors, if they told me they did it in a stupid way that had that requirement, I would beat them and tell them to fix it. With MSFT and Exchange, that only works a little bit. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Thursday, July 20, 2006
RE: [ActiveDir] OT: Interview Techniques
A senior guy IMO should be more focused on "design" aspects than "support" and thus should be able to answer questions along the line of: "How would you design a schema change process, encompassing initial request through to implementation?"

The answer to the above should help determine a lot of info from that person (see below) - even if they cannot answer the question fully.

- Does this person think logically
- Does this person explain ideas in a cohesive manner
- Does this person answer questions with fluff and BS or are they succinct
- etc

To answer 'what do the FSMOs do?' one can simply state "I'd look it up in a book". I'd therefore always try to ask questions which can only be answered through experience (where possible) and not just through reading a book.

My 2 penneth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mike kline
Sent: 24 July 2006 07:16
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques
RE: [ActiveDir] OT: Interview Techniques
The "look it up in a book" or (preferably!) "look it up on the MS web site" is not a bad answer - as Joe said, people can't know everything but should be able to find it out. Given that, I'd be tempted to give them access to the internet and then ask some questions which need both factual knowledge that's looked up and an ability to apply that knowledge.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 24 July 2006 08:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Interview Techniques
RE: [ActiveDir] OT: Interview Techniques
I suppose there are several roles that senior people could hold: some are managerial, some are architectural, and some are deeply technical (i.e. high level support). Architects, in that taxonomy, would do design work, whereas a PSS engineer would probably spend more time with a debugger than using Word and Visio to produce high-level designs.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 24 July 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Interview Techniques
[ActiveDir] ldp in ADAM-SP1
All

Could someone with more experience with the ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in CN=Sites,CN=Configuration,DC=ForestFQDN? The inherit-only perms option is grayed out here and I don't know how to do it. Based on joe's comments I assumed that ldp.exe's ACL editor is the most comprehensive and capable ACL GUI editor available. I must be doing something wrong here, so I would appreciate some help.

Regards
M@
RE: [ActiveDir] Raid 1 tangent -- Vendor Domain
I would say it was probably quite low relatively. Quite low is the norm for AD logs and by that it is usually barely registering compared to what you were doing the Log drive would have been hopping. I recall when you were IM'ing about it you mentioned the Log drive IOPS and I was like wow, I don't ever really expect to see those kind of numbers... -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Monday, July 24, 2006 1:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain The exception to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data into AD in a month at which point he did something that few people see, pushed the IOPS on the log drive through the roof. Actually, log IOs were quite low, considering. I bet a single spindle pair would have been enough for most of my work. The real killer was random I/O throughout the DB. Here I was pushing 1800 read / 1800 write for most of the run. I really needed more SAN paths because I'm pretty sure that was the bottleneck (it just wasn't set up to have as many redundant paths as I didn't anticipate the bottlenecks hit). I keep meaning to write a follow-up post with a lot of data. I'll do so this week and post it so this sort of stuff is a bit more clear. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, July 22, 2006 9:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain Mirrors don't scale. Microsoft's deployment doc mostly just talks about using mirrors (small nod to RAID 10/0+1) so everyone thinks that they should build their Corporate DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone would build a corporate Exchange Server on mirrors... Why not? The DB is the same under both of them... 
What is critical to Exchange? IOPS and that means spindles. If something is really beating on AD and the entire DIT can't be cached, IOPS are critical to AD as well. The main difference is that AD is mostly random read and Exchange is heavy writing and reading. The exception to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data into AD in a month at which point he did something that few people see, pushed the IOPS on the log drive through the roof.

In a smaller environment (very low thousands), or for a low use DC (small WAN site), or a DC with a DIT fully cached, a RAID-1 drive for DIT will probably be sufficient; you will note that the only numbers mentioned in the deployment guide are about 5000[2]... That usually means a small DIT and it is extremely likely that a K3 DC will cache the entire DIT. Plus the usage is probably such that the IO capability of two spindles will likely be ok. Let me state though that even in a small user environment if there was an intensive directory based app or a buttload of data that pushes the DIT into GBs instead of MBs I would still be watching my disk queueing pretty close as well as the Read and Write Ops.

AD admins who aren't running directory intensive apps (read as Exchange 2000+) usually don't see any issues but then again most aren't looking very closely at the counters because they haven't had a reason to and even if they had some short lived issues they probably wouldn't go look at the counters. At least that has been my experience in dealing with companies. I will admit that prior to implementing Exchange when I did AD Ops with a rather large company I didn't once look at the disk counters, didn't care, everything ran perfectly well and about the only measure of perf was replication latency and does ADUC start fast enough and it always was fine there unless there were network related issues or a DC was having hardware failure. Enter Exchange...
Or some other app that pounds your DCs with millions of queries a day and tiny little bits of latency that you didn't previously feel start having an impact. You won't feel 70-80ms of latency in anything you are doing with normal AD tools or NOS ops, not at all. You will feel that with Exchange (and other heavy directory use apps), often with painful results unless it isn't consistent and the directory can unwind itself again and hence allow Exchange to then unwind itself.

Now let me point out, I don't deal with tiny companies for work; small to me is less than 40-50k. The smallest I tend to deal with is about 30k. I usually get called to walk in to Exchange issues where Exchange is underperforming or outright hanging, sometimes for hours at a time. There can be all sorts of issues causing this such as

o poor disk subsystem design for Exchange (someone say got fancy with a SAN layout and really didn't know what they were doing seems to be popular here)
o hardware/drivers on the Exchange server just
RE: [ActiveDir] Have you built an R2 Forest?
This all started due to bad documentation on http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true which states:

"Note the value in the Value column. If the value is not set, the default value is in effect as follows: On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days. On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days."

which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't seeing this in an R2 forest, hence his original question.

The test R2 forests I have built I never checked TSL, just assumed it was 180, and normally I don't build R2 machines because I really don't much care about R2; SP1 is far more important for the stuff I play with. I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2.

My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the dock in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications. Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after you already had an incident you will be like, WTF Microsoft. It also makes me wonder if there is anything else that was regressed...
joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing entry for the tombstonelifetime property) but didn't think too much of it because for now I've only had to handle upgrading from Win2000 or 2003 to R2 where the Schema.ini doesn't play a role. It is "only" used to populate a blank schema at the time that you create a new AD forest - and yes, this means that your tombstone lifetime wouldn't match that of other Win2003 forests that were created from a DC that had SP1 applied to it... I agree, not very nice, but easily fixed as you describe.

Personally, I don't think too much of the fact that the tombstonelifetime was increased to 180 days in SP1 anyways. This was done to avoid issues for companies with a badly managed AD - I would generally much prefer to adjust the value to what is appropriate for a company's backup recovery strategy. And this usually doesn't mean that you need to keep the "garbage" in your AD for 1/2 a year...

Granted, it's the inconsistency here with which MSFT has done the update of the schema.ini files which is not so nice - but the rules are pretty clear on how tombstone lifetime can be evaluated by an admin: if the attribute on the Directory Service object (tombstoneLifetime -> CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MyRootDomain) shows NOT SET, then it's the "original" default tombstone lifetime of 60 days. Else it's whatever number of days has been set either by the DCPROMO routine writing a specific value into the attribute when creating a new forest, or by an admin changing the value to whatever is appropriate.
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 24, 2006 1:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Have you built an R2 Forest?

If so... you may want to peek at http://blog.joeware.net/2006/07/23/484/ entitled "R2 tombstoneLifetime boo boo"

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] ldp in ADAM-SP1
Beautiful, this is bug week. There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would need to check in order to specify an inherit only ACE (i.e. Child Objects Only).

2. When you try to work around it and specify the actual object types to inherit to it creates two ACEs instead of one. The first ACE is the FC inherit only to the object class you specify but then there is also a FC to the object itself. In the example below note the TEST\joe ACEs... I only added a single FC for nTDSConnection objects for test\joe but got that AND the non-inheritable Test\joe FC on the object itself.

G:\>dsacls \\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc

Access list:
Effective Permissions on this object are:
Allow TEST\joe                        FULL CONTROL
Allow TEST\Domain Admins              SPECIAL ACCESS
                                      DELETE
                                      READ PERMISSONS
                                      WRITE PERMISSIONS
                                      CHANGE OWNERSHIP
                                      CREATE CHILD
                                      LIST CONTENTS
                                      WRITE SELF
                                      WRITE PROPERTY
                                      READ PROPERTY
                                      DELETE TREE
                                      LIST OBJECT
                                      CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users
                                      SPECIAL ACCESS
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow NT AUTHORITY\SYSTEM             FULL CONTROL
Allow TEST\Domain Admins              FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins          FULL CONTROL   Inherited from parent

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins              FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins          FULL CONTROL   Inherited from parent
Inherited to nTDSConnection
Allow TEST\joe                        FULL CONTROL

The command completed successfully

So in order to generate a generic FC that is only inherited, you can't, because of bug 1, do it with LDP. If you want to create an ACE for a specific objectclass (which nTDSConnection should be ok in terms of what you are trying to delegate) it can do it but you have to go back and clean up the additional ACE created by bug 2.

I will alert MSFT.
joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in the CN=Sites,CN=Configuration,DC=ForestFQDN? The inherit-only perms option is grayed out here and I don't know how to do it. Based on joe's comments I assumed the ldp.exe's ACL editor is the most comprehensive and capable ACL gui editor available. I must be doing something wrong here so I would appreciate some help.

Regards

M@

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Have you built an R2 Forest?
inline

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain wrong :(

Just to further clarify:

1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!)

2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE

3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES

4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO

I'm trying to understand the issue below but also how it is caused and how it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA

neil

PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)
Re: [ActiveDir] OT: Interview Techniques
I have to laugh. This thread is starting to sound like the six blind men describing an elephant.

As was mentioned, it is very hard to find somebody who can do the high-level design at all 8 layers, manage a staff of people, and still fit that into a 23 hour day. If you find one, keep him or her. If you don't find one, don't be terribly disappointed; look for one that's close and has the right personality to be made into one. There's plenty more of those, but be sure you're ready to keep him/her later because there are others looking for that type of person :)

FWIW, I think interviewing with Brian might be a laugh. Can you answer all the questions? Nope. Not every one. But you can still enjoy it and I think Neil was wise enough to mention that, no, I don't know it all but I do know how to use a book :) (ok, so I paraphrased. The point is that you use it or lose it. But knowing what questions to ask and where to find the answers is far more resilient than knowing everything there is to know about a product set on a given day. Most of the players on the team that wrote the application or product don't know either. But they do know where to go for the answers.)

One thing that does come to mind would be to follow Brian's advice and ask open ended questions. Those are going to be the hardest because you're not going to be able to study for that. You'll have to walk through it under the pressure of an interview. That will tell the interviewer a lot about the person and what they would do 6 months from now when the technology is totally different and how they would deal with your unique situations.

Best of luck in your hiring endeavors. I for one am interested to hear a follow up in a few months to hear how it went.

Al

On 7/24/06, Ken Schaefer [EMAIL PROTECTED] wrote:

I suppose there are several "roles" that senior people could hold: some are managerial, some are architectural, and some are deeply technical (i.e. high level support).
Architects, in that taxonomy, would do design work. Whereas a PSS engineer would probably spend more time with a debugger than using Word and Visio to produce high-level designs.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 24 July 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Interview Techniques

A senior guy IMO should be more focused on design aspects than support and thus should be able to answer questions along the line of: How would you design a schema change process, encompassing initial request through to implementation?

The answer to the above should help determine a lot of info from that person (see below) - even if they cannot answer the question fully.

- Does this person think logically
- Does this person explain ideas in a cohesive manner
- Does this person answer questions with fluff and BS or are they succinct
- etc

To answer 'what do the FSMOs do?' one can simply state - I'd look it up in a book. I'd therefore always try to ask questions which can only be answered through experience (where possible) and not just through reading a book.

My 2 penneth,

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: 24 July 2006 07:16
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

Brian,

That was a good story, very funny. So what did the guy do? Did he just get up and leave? I know from reading your posts you are usually straight and to the point. I would be sweating if I had to interview with you.

Going off course a bit. What are some types of AD questions that you all consider to be senior level? For example what if you ask someone how to do a metadata cleanup? Would you all consider that to be a mid level question? Just wondering because I always grapple trying to figure out questions for the mid vs. senior level candidate.
On 7/23/06, Brian Desmond [EMAIL PROTECTED] wrote:

I've got no second thoughts about being an asshole during a tech interview. I ask the question, you either answer it or tell me you don't know. If you choose not to tell me you don't know and demonstrate that you don't know through what you tell me instead, I'm already pretty much through. If you're arrogant like this candidate you describe, I'm likely through as well.

My favorite exchange as of late goes like this:

Me - Tell me a little bit about your experience migrating Exchange 5.5 orgs to 2003
Them - blah blah blah
Me - Ok, can you name the three types of connection agreements in the ADC?
Them - well uh blah blah well uh excuse excuse
Me - other questions
Me - So would you be comfortable migrating a 10K user 5.5 org to 2003?
Them - Absolutely
Me - How can you be comfortable doing that when you can't even explain the first step of the migration to me?

In any case, others have put some really good advice here. What you want in a technical lead is someone who can get their hands dirty without getting
Re: [ActiveDir] back up strategies
I think Matt had some really good advice in terms of figuring out what your needs are prior to coming up with a backup plan. As I'm fond of pointing out, backups are worthless, but restores are worth their weight in (insert precious metal here). It's very important that you know what you need, what you want, and the difference between them. That's to help gauge the sticker shock when you have to get it all purchased and configured etc. As Susan points out, tapes might not be enough for you whereas it is for others. Figure out your requirements prior to your strategy and you'll get a much better system in place.

Al

On 7/24/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Why tapes? (Just wondering as we've found tapes haven't kept up with drive sizes and need for speed during a backup window) NAS, SAN, rotation of hard drives... etc...etc..

Matt Hargraves wrote:

What is your plan? Do you want speed in restoration or backup? Do you have a 24-hour facility or is it an 8-hour facility? Do you have a tape changer or a single tape unit (changing tapes daily)?

If you have an 8-hour facility and the server is close to you, then weekend fulls and differentials is fine. If you have a 24-hour facility, then weekend full and incrementals might be the way to go. If you want to be able to have quick full system restores, then daily full backups is the best, but if you have a 24-hour facility then it's not practical and you're better off going with differentials throughout the week (2-tape restore).
I generally recommend more tapes, though. Something more like 20 daily tapes and 5 weekly tapes so that you can always go back at least a month. You don't always realize that something needs to be restored immediately and being able to go back 3-4 weeks without going to the previous month's 'master' backup tape is always nice. Tapes don't cost *that* much and if going back 3 weeks can save an engineer 30 hours of work on a CAD drawing, then it's a good plan. But if you can only go back 1 and a half or 4 weeks back... you just lost 30 hours worth of work at around $75-100 per hour, that's between $2250 and 3k saved by one restoration.

On 7/23/06, *Quatro Info* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

Hi all,

I am interested in your stories about back up strategies / procedures with all advantages and disadvantages involved.

For example: Set up
- Weekends full backups ... 2 tapes
- Working days incremental ... 5 tapes
- monthly full backups ... 12 tapes ... 1 each month.

Which strategy is most efficient and reliable?
When do you use full, copy, differential, incremental or daily? (Considering windows backup utility)
Which software do you use?
How often do you test a restore? (a few files)
How often do you perform a full restore?
If exchange or sql server is involved, for example with veritas remote agents, how often do you perform a restore on exchange databases / sql server databases?
Do you keep an exact copy of the backup hardware involved on a external location in case of fire/theft?

All info is very appreciated.

Thanks!

Jorre
RE: [ActiveDir] Have you built an R2 Forest?
1. Yes

2. Yes

3. Yes, but this doesn't impact this issue because that assumes a pre-R2 forest. This issue is strictly with a forest initially built from an R2 machine.

4. Nope and Nope. The TSL will not revert in an existing forest; MSFT doesn't touch the existing value in a forest. The only time the TSL is modified is when you do it or when the forest is initially built.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain wrong :(

Just to further clarify:

1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
3. I only need to run the R2 adprep once per forest. [Stated for completeness]
4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?

I'm trying to understand the issue below but also how it is caused and how it may be caused again.

neil

PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)
RE: [ActiveDir] Have you built an R2 Forest?
just to be clear: step 3 (R2 adprep) is NOT needed at all if you build a new forest - you're not doing an upgrade here. Whenever you do an upgrade, you do NOT change the TSL. The documentation is wrong as the TSL is always the hardcoded value of 60, if the value is "not set". If you've created a new forest from an SP1 DC it would be overwritten with an explicit value of 180. This is what we'd also expect on R2, but due to an incomplete schema.ini file (which is missing the explicit setting of the TSL value to 180), a new R2 forest also has this value "not set" = 60.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, July 24, 2006 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

inline

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain wrong :(

Just to further clarify:

1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!)

2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE

3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES

4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO

I'm trying to understand the issue below but also how it is caused and how it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA

neil

PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

This all started due to bad documentation on http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true which states

Note the value in the Value column. If the value is not set, the default value is in effect as follows:
On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.
On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't seeing this in an R2 forest hence his original question. The test R2 forests I have built I never checked TSL, just assumed it was 180 and normally I don't build R2 machines because I really don't much care about R2, SP1 is far more important for the stuff I play with.

I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2. My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the dock in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications.

Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after you already had an incident you will be like, WTF Microsoft. It also makes me wonder if there is anything else that was regressed...

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing entry for the tombstonelifetime property) but didn't think too much of it because for now I've only had to handle upgrading from Win2000 or 2003 to R2 where the Schema.ini doesn't play a role. It is "only" used
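One way to apply the rule Guido states (attribute absent, i.e. "not set", means the hard-coded 60 days; otherwise the explicit value applies) to an ldifde export of the Directory Service object, as an added example in Python that is not code from anyone on the list. The two exports are constructed to mirror an R2-built forest (attribute missing) and an SP1-built forest (DCPROMO wrote 180); the function names are mine.

```python
"""Effective tombstoneLifetime (TSL) from an ldifde-style export of the
Directory Service object.  Added example; not code from the list posters."""
import base64
import re

HARDCODED_DEFAULT_TSL_DAYS = 60  # what applies whenever the attribute is "not set"

# Constructed exports (not real forests).  A real one would come from a command like
#   ldifde -f ds.ldf -d "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=loc"
# This one mirrors a forest built from R2 media: the attribute is simply absent.
R2_BUILT_FOREST = """\
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=loc
changetype: add
objectClass: top
objectClass: nTDSService
cn: Directory Service
"""
# This one mirrors a forest built from a Windows Server 2003 SP1 DC: DCPROMO wrote 180.
SP1_BUILT_FOREST = R2_BUILT_FOREST + "tombstoneLifetime: 180\n"


def parse_ldif_entry(ldif_text):
    """Attributes of a single LDIF entry as {name_lowercase: [values]}.
    Handles folded lines (leading space) and base64 values ('attr:: ...')."""
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]           # continuation of the previous line
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        m = re.match(r"^([A-Za-z][\w.-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name.lower(), []).append(value)
    return attrs


def effective_tsl_days(ldif_text):
    """(days, explicit): the explicit value when present, else the hard-coded 60."""
    values = parse_ldif_entry(ldif_text).get("tombstonelifetime")
    if not values:
        return HARDCODED_DEFAULT_TSL_DAYS, False
    return int(values[0]), True


def within_tombstone_lifetime(age_days, tsl_days):
    """True when a system-state backup (or a DC that has been offline) is still
    young enough, relative to the effective TSL, to be restored or reconnected."""
    return age_days < tsl_days
```

The second helper covers the backup/restore point joe raises: the number that matters for whether a backup may be restored, or an offline DC reconnected, is the effective TSL the function computes, not the 180 days the documentation promises.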
Re: [ActiveDir] ldp in ADAM-SP1
I dunno about you guys but I am very disappointed with the tools available to me for configuring perms. dsacls can configure most perms but can't configure control access rights to certain attribs of certain objects (e.g. when you configure an attribute as confidential and need to allow certain people the control access right to view the attribute). dsacls also can't display perms that great and gives details as special access. In order to see what's special, I have to use something like acldiag and sdcheck. And then to revoke, yet another tool dsrevoke which only works on domain objects and OUs. After reading joe's book I figured ldp.exe from ADAM-SP1, here I come. Now that also has issues.

I know I can write scripts for handling this. But they are cumbersome and slow. I think a nice fast C++ tool that does all this would be much appreciated. I am not sure how hard this is to do. But MSFT certainly have the expertise. Maybe longhorn will ship with something like that. But I ain't holding my breath.

I am no expert and no MVP. I ain't convinced my rant is gonna be heeded to. But please, guys out there with the influence (MVPs) help!!

M@

P.S Please!!!

On 7/24/06, joe [EMAIL PROTECTED] wrote:

Beautiful, this is bug week

There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would need to check in order to specify an inherit only ACE (i.e. Child Objects Only).

2. When you try to work around it and specify the actual object types to inherit to it creates two ACEs instead of one. The first ACE is the FC inherit only to the object class you specify but then there is also a FC to the object itself. In the example below note the TEST\joe ACEs... I only added a single FC for nTDSConnection objects for test\joe but got that AND the non-inheritable Test\joe FC on the object itself.

G:\>dsacls \\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
Access list:
Effective Permissions on this object are:
Allow TEST\joe                            FULL CONTROL
Allow TEST\Domain Admins                  SPECIAL ACCESS
                                          DELETE
                                          READ PERMISSONS
                                          WRITE PERMISSIONS
                                          CHANGE OWNERSHIP
                                          CREATE CHILD
                                          LIST CONTENTS
                                          WRITE SELF
                                          WRITE PROPERTY
                                          READ PROPERTY
                                          DELETE TREE
                                          LIST OBJECT
                                          CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users    SPECIAL ACCESS
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
Allow NT AUTHORITY\SYSTEM                 FULL CONTROL
Allow TEST\Domain Admins                  FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins              FULL CONTROL   Inherited from parent
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                  FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins              FULL CONTROL   Inherited from parent
Inherited to nTDSConnection
Allow TEST\joe                            FULL CONTROL
The command completed successfully

So in order to generate a generic FC that is only inherited, you can't, because of bug 1 do it with LDP. If you want to create an ACE for a specific objectclass (which nTDSConnection should be ok in terms of what you are trying to delegate) it can do it but you have to go back and clean up the additional ACE created by bug 2.

I will alert MSFT.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in the CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms options is grayed out here and I don't know how to do it.

Based on joe's comments I assumed the ldp.exe's ACL editor is the most comprehensive and capable ACL gui editor available. I must be doing something wrong here so I would appreciate some help.

Regards

M@

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
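A parser for the kind of dsacls listing joe quotes, as an added example in Python that is not code from the list or from the dsacls tool. The sample listing is a constructed copy of joe's output with its line structure restored; the function names are mine. For a trustee that was meant to receive only an inherit-only ACE, anything the last function returns is the extra ACE on the object itself that joe's second bug leaves behind and that has to be cleaned up.

```python
"""Parse a dsacls listing and spot ACEs granted directly on an object when
only an inherit-only (child objects) ACE was intended.  Added example; not
code from the list or from the dsacls tool.  Function names are mine."""
import re

# Constructed sample in the column layout dsacls prints (trustee and rights are
# separated by runs of spaces); the entries mirror the listing quoted in the thread.
DSACLS_OUTPUT = r"""Access list:
Effective Permissions on this object are:
Allow TEST\joe                            FULL CONTROL
Allow TEST\Domain Admins                  SPECIAL ACCESS
                                          DELETE
                                          READ PERMISSONS
                                          WRITE PERMISSIONS
                                          CHANGE OWNERSHIP
                                          CREATE CHILD
                                          LIST CONTENTS
                                          WRITE SELF
                                          WRITE PROPERTY
                                          READ PROPERTY
                                          DELETE TREE
                                          LIST OBJECT
                                          CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users    SPECIAL ACCESS
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
Allow NT AUTHORITY\SYSTEM                 FULL CONTROL
Allow TEST\Domain Admins                  FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins              FULL CONTROL   Inherited from parent
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                  FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins              FULL CONTROL   Inherited from parent
Inherited to nTDSConnection
Allow TEST\joe                            FULL CONTROL
The command completed successfully
"""


def parse_dsacls(output):
    """One dict per ACE: type, trustee, rights, inherited_from_parent, section
    ('object' = effective on this object, 'subobjects' = flows downwards) and,
    for the subobjects section, the inheritance scope dsacls printed."""
    aces, section, scope = [], None, None
    for line in output.splitlines():
        text = line.strip()
        if not text:
            continue
        if text.startswith("Effective Permissions on this object"):
            section, scope = "object", None
        elif text.startswith("Permissions inherited to subobjects"):
            section = "subobjects"
        elif section == "subobjects" and text.startswith("Inherited to "):
            scope = text[len("Inherited to "):]
        elif text.startswith(("Allow ", "Deny ")):
            cols = re.split(r"\s{2,}", text)           # columns are space-padded
            ace_type, trustee = cols[0].split(" ", 1)
            aces.append({
                "type": ace_type, "trustee": trustee,
                "rights": cols[1:2],                    # 'FULL CONTROL' or 'SPECIAL ACCESS'
                "inherited_from_parent": "Inherited from parent" in cols[2:],
                "section": section, "scope": scope,
            })
        elif line.startswith(" ") and aces:
            aces[-1]["rights"].append(text)             # detail line of SPECIAL ACCESS
    return aces


def direct_aces_for(output, trustee):
    """ACEs that apply to the object itself and were set there (not inherited)."""
    return [a for a in parse_dsacls(output)
            if a["section"] == "object" and a["trustee"] == trustee
            and not a["inherited_from_parent"]]


def inherit_only_aces_for(output, trustee):
    """ACEs that flow only to child objects of the printed scope."""
    return [a for a in parse_dsacls(output)
            if a["section"] == "subobjects" and a["trustee"] == trustee
            and not a["inherited_from_parent"]]


def unintended_direct_grants(output, trustee):
    """For a delegation meant to be inherit-only, each entry returned here is a
    rights list the trustee holds on the object itself (joe's bug 2)."""
    return [a["rights"] for a in direct_aces_for(output, trustee)]
```

The same pass also expands the SPECIAL ACCESS detail lines into a rights list, which is the part of the dsacls output M@ complains is hard to read.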
[ActiveDir] Reset home page via GPO
Hello, colleagues,

Our HR department wants everybody's IE home page reset to our intranet home page. I presume the way to do this is via GPO, and apply it only to the users' OU. Are there any issues (other than political ones, of course) with doing this?

(Just an aside: We're back to work following the worst power outage in St. Louis history. Over 500,000 people without power for several days, and nearly 200,000 still out. Very interesting week we just had.)

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: Interview Techniques
LOL. I'd say it's more like watching 6 people describe a "wibble", where none of them has been told what a "wibble" actually is :)

As per most responses here (or at least what we *should* respond with) - "it depends". I'd still argue that there's little value in asking very specific in depth technical questions - that's more of a memory test than anything else. I'd rather ask questions that help the candidate show me what he/she *can* do and do know rather than what they cannot do or do not know. I agree that a slightly aggressive approach is useful to determine how the candidate performs under pressure - I would suggest you forewarn the candidate they are going to receive a tech grilling - most won't expect that and so will be rocked onto the back foot when it happens :)

Another 2 penneth,

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 24 July 2006 15:41
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

I have to laugh. This thread is starting to sound like the six blind men describing an elephant. As was mentioned, it is very hard to find somebody who can do the high-level design at all 8 layers, manage a staff of people, and still fit that into a 23 hour day. If you find one, keep him or her. If you don't find one, don't be terribly disappointed; look for one that's close and has the right personality to be made into one. There's plenty more of those, but be sure you're ready to keep him/her later because there are others looking for that type of person :)

FWIW, I think interviewing with Brian might be a laugh. Can you answer all the questions? Nope. Not every one. But you can still enjoy it and I think Neil was wise enough to mention that, "no, I don't know it all but I do know how to use a book" :) (ok, so I paraphrased. The point is that you use it or lose it. But knowing what questions to ask and where to find the answers is far more resilient than knowing everything there is to know about a product set on a given day. Most of the players on the team that wrote the application or product don't know either. But they do know where to go for the answers)

One thing that does come to mind would be to follow Brian's advice and ask open ended questions. Those are going to be the hardest because you're not going to be able to study for that. You'll have to walk through it under the pressure of an interview. That will tell the interviewer a lot about the person and what they would do 6 months from now when the technology is totally different and how they would deal with your unique situations.

Best of luck in your hiring endeavors. I for one am interested to hear a follow up in a few months to hear how it went.

Al

On 7/24/06, Ken Schaefer [EMAIL PROTECTED] wrote:

I suppose there are several "roles" that senior people could hold: some are managerial, some are architectural, and some are deeply technical (i.e. high level support). Architects, in that taxonomy, would do design work. Whereas a PSS engineer would probably spend more time with a debugger than using Word and Visio to produce high-level designs.

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 24 July 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Interview Techniques

A senior guy IMO should be more focused on "design" aspects than "support" and thus should be able to answer questions along the line of: "How would you design a schema change process, encompassing initial request through to implementation."

The answer to the above should help determine a lot of info from that person (see below) - even if they cannot answer the question fully.

- Does this person think logically
- Does this person explain ideas in a cohesive manner
- Does this person answer questions with fluff and BS or are they succinct
- etc

To answer 'what do the FSMOs do?' one can simply state - "I'd look it up in a book". I'd therefore always try to ask questions which can only be answered through experience (where possible) and not just through reading a book.

My 2 penneth,

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of mike kline
Sent: 24 July 2006 07:16
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

Brian,

That was a good story, very funny. So what did the guy do? Did he just get up and leave? I know from reading your posts you are usually straight and to the point. I would be sweating if I had to interview with you.

Going off course a bit. What are some types of AD questions that you all consider to be "senior level"? For example what if you ask someone how to do a metadata cleanup? Would you all consider that to
Re: [ActiveDir] OT: Interview Techniques
I will absolutely let you know of all the gory details. I sure hope I don't get an $%^$£! for a boss. ;-)

Cheers

P.S. Anyone want a job? ;0)

--- Al Mulnick [EMAIL PROTECTED] wrote:

I have to laugh. This thread is starting to sound like the six blind men describing an elephant. As was mentioned, it is very hard to find somebody who can do the high-level design at all 8 layers, manage a staff of people, and still fit that into a 23 hour day. If you find one, keep him or her. If you don't find one, don't be terribly disappointed; look for one that's close and has the right personality to be made into one. There's plenty more of those, but be sure you're ready to keep him/her later because there are others looking for that type of person :)

FWIW, I think interviewing with Brian might be a laugh. Can you answer all the questions? Nope. Not every one. But you can still enjoy it and I think Neil was wise enough to mention that, no, I don't know it all but I do know how to use a book :) (ok, so I paraphrased. The point is that you use it or lose it. But knowing what questions to ask and where to find the answers is far more resilient than knowing everything there is to know about a product set on a given day. Most of the players on the team that wrote the application or product don't know either. But they do know where to go for the answers)

One thing that does come to mind would be to follow Brian's advice and ask open ended questions. Those are going to be the hardest because you're not going to be able to study for that. You'll have to walk through it under the pressure of an interview. That will tell the interviewer a lot about the person and what they would do 6 months from now when the technology is totally different and how they would deal with your unique situations.

Best of luck in your hiring endeavors. I for one am interested to hear a follow up in a few months to hear how it went.

Al

On 7/24/06, Ken Schaefer [EMAIL PROTECTED] wrote:

I suppose there are several roles that senior people could hold: some are managerial, some are architectural, and some are deeply technical (i.e. high level support). Architects, in that taxonomy, would do design work. Whereas a PSS engineer would probably spend more time with a debugger than using Word and Visio to produce high-level designs.

Cheers

Ken

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 24 July 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Interview Techniques

A senior guy IMO should be more focused on design aspects than support and thus should be able to answer questions along the line of: "How would you design a schema change process, encompassing initial request through to implementation".

The answer to the above should help determine a lot of info from that person (see below) - even if they cannot answer the question fully.

- Does this person think logically
- Does this person explain ideas in a cohesive manner
- Does this person answer questions with fluff and BS or are they succinct
- etc

To answer 'what do the FSMOs do?' one can simply state - I'd look it up in a book. I'd therefore always try to ask questions which can only be answered through experience (where possible) and not just through reading a book.

My 2 penneth,

neil

--
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] On Behalf Of mike kline
Sent: 24 July 2006 07:16
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

Brian,

That was a good story, very funny. So what did the guy do? Did he just get up and leave? I know from reading your posts you are usually straight and to the point. I would be sweating if I had to interview with you.

Going off course a bit. What are some types of AD questions that you all consider to be senior level? For example what if you ask someone how to do a metadata cleanup? Would you all consider that to be a mid level question? Just wondering because I always grapple trying to figure out questions for the mid vs. senior level candidate.

On 7/23/06, Brian Desmond [EMAIL PROTECTED] wrote:

I've got no second thoughts about being an asshole during a tech interview. I ask the question, you either answer it or tell me you don't know. If you choose not to tell me you don't know and demonstrate that you don't know through what you tell me instead, I'm already pretty much through. If you're arrogant like this candidate you describe, I'm likely through as well.

My favorite exchange as of late goes like this:

Me - Tell me a little bit about your experience
RE: [ActiveDir] OT: Interview Techniques
Byron,

I thought you might find this a good read. It's an e-mail from Joe Richards (author of the Active Directory O'Reilly book). He's talking about why a tech lead (architect here at AppSig) should definitely be a separate role from an actual manager. Much like I would rather hit the role of an architect before I would like to begin thinking of moving into any managerial role.

~Ben

Interesting, I have a pretty different view on tech lead. The things you mention (handing out tasks, interfacing with upper management, discipline, etc...) are out and out managerial tasks from my viewpoint and if I had a manager and a tech lead, I wouldn't take any of that from the tech lead. I consider tech lead as senior techy, the guy whom you go to when you are out of ideas on what to do next to solve a technical problem. The manager is you go to for interfacing with anyone outside of the group, personnel issues and getting your tasks. I think the manager and the tech lead need to work very closely but that is mostly to keep the manager in a good place, informed, and pointed in the right direction such that managerial decisions don't adversely impact the technical aspects of the work too much as well as letting the manager know what the technical priorities are from the tech leads viewpoint and so the manager can tell the tech lead what the real priorities are as they are decided by the manager. For instance if going into a meeting with a customer[1] the tech lead feeds the manager with as much knowledge as necessary so the manager isn't completely at a loss in the meeting and as things dive into tech, if they do, the tech lead is either there (if it is known ahead of time it will get deep) or available via phone to help.

Tech and managerial pieces do not normally fit together well, very different skill sets and strengths needed to do one or the other well. Very few people, IMO, can be good at tech and good at managerial. Unfortunately many companies do not see this and in order for someone to move up through the ranks they must assume managerial duties when in fact the company should have a managerial track and a technical track for the folks to follow so they can stick with the areas in which they have the greatest strength. Hopefully it is getting more and more obvious to companies that trying to make people spend all of their time trying to improve on their weaknesses versus utilizing their strengths is a losing proposition. To put it another way, if someone is an amazing techy and a horrible manager, you don't force them to spend their time trying to be a mediocre manager. That is the person that everyone will point at and say they are a sucky manager.

joe

[1] Define as you wish, different groups have different customers. IT has the business, the business could have another aspect of the business or external, etc.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] DNS Issue
Hi Steve

Interesting findings. Firstly, yes I am clearing the DNS Cache and not doing ipconfig /flushdns on the DC. I have shown the d2 output below but also see the following:

1. Clear the DNS cache on DC
2. Submit query for server1.nyc.test.com - success
3. Explicitly delete the record for above host from the cache leaving the nyc parent folder in cache.
4. Submit query for server1.nyc.test.com - fail
5. Delete nyc parent folder
6. Submit query for server1.nyc.test.com - success

So what I think is happening is when the TTL for the cached record expires it gets deleted (as per the manual deletion above) then subsequent queries fail. Note that the DNS servers for test.com are QIP based - may have a bearing?

server1.nyc.test.com
Server: dns1.int.mycorp.com
Address: x.x.x.x

SendRequest(), len 62
HEADER:
opcode = QUERY, id = 15, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN

Got answer (135 bytes):
HEADER:
opcode = QUERY, id = 15, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
-> int.mycorp.com
type = SOA, class = IN, dlen = 47
ttl = 3600 (1 hour)
primary name server = dns1.int.mycorp.com
responsible mail addr = hostmaster.int.mycorp.com
serial = 54966
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

SendRequest(), len 55
HEADER:
opcode = QUERY, id = 16, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN

Got answer (118 bytes):
HEADER:
opcode = QUERY, id = 16, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
-> mycorp.com
type = SOA, class = IN, dlen = 44
ttl = 86400 (1 day)
primary name server = name.int.com
responsible mail addr = postmaster.int.com
serial = 2006072002
refresh = 1800 (30 mins)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 86400 (1 day)

SendRequest(), len 47
HEADER:
opcode = QUERY, id = 17, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
server1.nyc.test.com, type = A, class = IN

Got answer (47 bytes):
HEADER:
opcode = QUERY, id = 17, rcode = SERVFAIL
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
server1.nyc.test.com, type = A, class = IN

*** dns1.int.mycorp.com can't find server1.nyc.test.com: Server failed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 24 Jul 2006 3:58
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue

David,

A few more questions. When you state you cleared the cache I want to ensure this meant clearing the Cache on the DNS Server not the client resolver cache. Also if you open the DNS snap-in in advanced mode and look in the cache do you see a record for nyc.test.com and if so can you provide a screenshot of the entry from the DNS MMC? Finally can you go to the DNS server, open a cmd prompt and launch nslookup. Type "set d2" without the quotes so that you get additional debug output and then type in nyc.test.com and post the output.

Why am I asking all of these questions? Well we had a few issues where the DNS servers cache may not correctly cache entries causing the behavior that you are seeing. Sometimes even though you clear the cache if the record is looked up frequently then even clearing the cache will not resolve the issue long enough to see it corrected. I thought that all of these had been addressed by the build that you are running however the output from the above tests should let us see what is going on.

Thanks,

-Steve

This message
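A parser for the nslookup "set d2" trace David posted, as an added example in Python that is not code from the list. The trace below is a constructed, abridged copy of his output (SOA details trimmed); the function names are mine. It pulls out each name the resolver tried and the response code it got back, so the search-suffix devolution attempts and the final SERVFAIL (a server failure, as opposed to the authoritative NXDOMAIN the suffixed names received) stand out at a glance.

```python
"""Summarise an nslookup 'set d2' trace: which names were tried and what the
server answered.  Added example; not code from the list.  Names are mine."""
import re

# Constructed, abridged copy of the trace in the thread (SOA details trimmed).
D2_TRACE = """\
Server:  dns1.int.mycorp.com
Address:  x.x.x.x

SendRequest(), len 62
    HEADER:
        opcode = QUERY, id = 15, rcode = NOERROR
    QUESTIONS:
        server1.nyc.test.com.int.mycorp.com, type = A, class = IN
Got answer (135 bytes):
    HEADER:
        opcode = QUERY, id = 15, rcode = NXDOMAIN
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        server1.nyc.test.com.int.mycorp.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  int.mycorp.com
        type = SOA, class = IN, dlen = 47
SendRequest(), len 55
    HEADER:
        opcode = QUERY, id = 16, rcode = NOERROR
    QUESTIONS:
        server1.nyc.test.com.mycorp.com, type = A, class = IN
Got answer (118 bytes):
    HEADER:
        opcode = QUERY, id = 16, rcode = NXDOMAIN
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        server1.nyc.test.com.mycorp.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  mycorp.com
        type = SOA, class = IN, dlen = 44
SendRequest(), len 47
    HEADER:
        opcode = QUERY, id = 17, rcode = NOERROR
    QUESTIONS:
        server1.nyc.test.com, type = A, class = IN
Got answer (47 bytes):
    HEADER:
        opcode = QUERY, id = 17, rcode = SERVFAIL
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        server1.nyc.test.com, type = A, class = IN
*** dns1.int.mycorp.com can't find server1.nyc.test.com: Server failed
"""

QUESTION_RE = re.compile(r"^(\S+), type = (\w+), class = \w+$")
HEADER_RE = re.compile(r"id = (\d+), rcode = (\w+)")


def parse_d2(trace):
    """One dict per query/answer pair: qname, qtype, id, rcode, answers, authority."""
    exchanges, cur, phase = [], None, None
    for line in trace.splitlines():
        text = line.strip()
        if text.startswith("SendRequest("):
            cur = {"qname": None, "qtype": None, "id": None, "rcode": None,
                   "answers": 0, "authority": []}
            exchanges.append(cur)
            phase = "query"
        elif text.startswith("Got answer"):
            phase = "answer"
        elif cur is None:
            continue                                   # banner lines before the first query
        elif text.startswith("opcode ="):
            m = HEADER_RE.search(text)
            if phase == "query":
                cur["id"] = int(m.group(1))
            else:
                cur["rcode"] = m.group(2)              # the server's response code
        elif phase == "answer" and text.startswith("questions ="):
            cur["answers"] = int(re.search(r"answers = (\d+)", text).group(1))
        elif phase == "query" and QUESTION_RE.match(text):
            cur["qname"], cur["qtype"] = QUESTION_RE.match(text).groups()
        elif phase == "answer" and text.startswith("->"):
            cur["authority"].append(text[2:].strip())  # zone named in the SOA record
    return exchanges


def resolution_trace(exchanges):
    """(name tried, rcode) per attempt; shows the search-suffix devolution."""
    return [(e["qname"], e["rcode"]) for e in exchanges]


def final_outcome(exchanges):
    """'resolved', 'nxdomain' (authoritative no-such-name), 'servfail'
    (the server could not complete the lookup) or 'other'."""
    last = exchanges[-1]
    if last["rcode"] == "NOERROR" and last["answers"] > 0:
        return "resolved"
    if last["rcode"] in ("NXDOMAIN", "SERVFAIL"):
        return last["rcode"].lower()
    return "other"
```

Distinguishing the two failure codes is what makes the trace useful: the first two attempts are the resolver appending its suffixes and being told, authoritatively, that those names do not exist, while the last attempt for the real name fails inside the caching server, which matches the cache problem Steve describes rather than a missing record.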
RE: [ActiveDir] OT: Interview Techniques
Well, that was a forwarded e-mail gone wrong. Just ignore my inability to properly replace the TO field with the appropriate e-mail address.

L

From: WATSON, BEN
Sent: Monday, July 24, 2006 8:43 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: Interview Techniques

Byron,

I thought you might find this a good read. It's an e-mail from Joe Richards (author of the Active Directory O'Reilly book). He's talking about why a tech lead (architect here at AppSig) should definitely be a separate role from an actual manager. Much like I would rather hit the role of an architect before I would like to begin thinking of moving into any managerial role.

~Ben

Interesting, I have a pretty different view on tech lead. The things you mention (handing out tasks, interfacing with upper management, discipline, etc...) are out and out managerial tasks from my viewpoint and if I had a manager and a tech lead, I wouldn't take any of that from the tech lead. I consider tech lead as senior techy, the guy whom you go to when you are out of ideas on what to do next to solve a technical problem. The manager is you go to for interfacing with anyone outside of the group, personnel issues and getting your tasks. I think the manager and the tech lead need to work very closely but that is mostly to keep the manager in a good place, informed, and pointed in the right direction such that managerial decisions don't adversely impact the technical aspects of the work too much as well as letting the manager know what the technical priorities are from the tech leads viewpoint and so the manager can tell the tech lead what the real priorities are as they are decided by the manager. For instance if going into a meeting with a customer[1] the tech lead feeds the manager with as much knowledge as necessary so the manager isn't completely at a loss in the meeting and as things dive into tech, if they do, the tech lead is either there (if it is known ahead of time it will get deep) or available via phone to help.

Tech and managerial pieces do not normally fit together well, very different skill sets and strengths needed to do one or the other well. Very few people, IMO, can be good at tech and good at managerial. Unfortunately many companies do not see this and in order for someone to move up through the ranks they must assume managerial duties when in fact the company should have a managerial track and a technical track for the folks to follow so they can stick with the areas in which they have the greatest strength. Hopefully it is getting more and more obvious to companies that trying to make people spend all of their time trying to improve on their weaknesses versus utilizing their strengths is a losing proposition. To put it another way, if someone is an amazing techy and a horrible manager, you don't force them to spend their time trying to be a mediocre manager. That is the person that everyone will point at and say they are a sucky manager.

joe

[1] Define as you wish, different groups have different customers. IT has the business, the business could have another aspect of the business or external, etc.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] Have you built an R2 Forest?
thanks horhay :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

inline

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain wrong :(

Just to further clarify:

1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!)

2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE

3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES

4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO

I'm trying to understand the issue below but also how it is caused and how it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA

neil

PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

This all started due to bad documentation on http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true which states

Note the value in the Value column. If the value is not set, the default value is in effect as follows:
On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.
On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't seeing this in an R2 forest hence his original question. The test R2 forests I have built I never checked TSL, just assumed it was 180 and normally I don't build R2 machines because I really don't much care about R2, SP1 is far more important for the stuff I play with.

I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2. My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the dock in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications.

Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after you already had an incident you will be like, WTF Microsoft. It also makes me wonder if there is anything else that was regressed...

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing entry for the tombstonelifetime property) but didn't think too much of it because for now I've only had to handle upgrading from Win2000 or 2003 to R2 where the Schema.ini doesn't play a role. It is "only" used to populate a blank schema at the time that you create a new AD forest - and yes, this means that your tombstone lifetime wouldn't match that of other Win2003 forests that were created from a DC that had SP1 applied to it... I agree, not very nice, but easily fixed as you describe. Personally, I don't think too much of the fact that the tombstonelifetime was increased to 180 days in SP1 anyways. This was done to avoid issues for companies with a badly managed AD - I would generally much prefer to adjust the value to what is appropriate for a company's
RE: [ActiveDir] Have you built an R2 Forest?
crap, incomplete answer. thanks guido. correct, my answer for (3) should have been (in addition to what guido said):

* YES, but only when upgrading (from either W2K, W2K3/W2K3SP1) AND R2 functionality is needed that requires the schema extension (DFS-R, Printer Connections through GPOs, UnixIDm)

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 17:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

just to be clear: step 3 (R2 adprep) is NOT needed at all if you build a new forest - you're not doing an upgrade here. Whenever you do an upgrade, you do NOT change the TSL. The documentation is wrong as the TSL is always the hardcoded value of 60, if the value is "not set". If you've created a new forest from an SP1 DC it would be overwritten with an explicit value of 180. This is what we'd also expect on R2, but due to an incomplete schema.ini file (which is missing the explicit setting of the TSL value to 180), a new R2 forest also has this value "not set" = 60.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, July 24, 2006 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

inline

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain wrong :(

Just to further clarify:

1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!)

2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE

3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES

4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO

I'm trying to understand the issue below but also how it is caused and how it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA

neil

PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

This all started due to bad documentation on http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true which states

Note the value in the Value column. If the value is not set, the default value is in effect as follows:
• On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.
• On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't seeing this in an R2 forest hence his original question.

The test R2 forests I have built I never checked TSL, just assumed it was 180 and normally I don't build R2 machines because I really don't much care about R2, SP1 is far more important for the stuff I play with. I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2.

My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the dock in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications. Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after
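The check Guido describes (read tombstoneLifetime on CN=Directory Service,CN=Windows NT,CN=Services under the Configuration partition; "not set" means the hardcoded 60 days) and Jorge's fix (write 180 explicitly, the value an SP1-built forest would have had), as an added PowerShell example that is not part of the thread. It binds with ADSI, assumes it runs on a domain-joined machine under an account with write rights to the Configuration partition, and the function names and the sanity check on the value are my own.

```powershell
# Added example (not from the thread): report the effective tombstone
# lifetime (TSL) of the forest and, if asked, set it explicitly.

function Get-TombstoneLifetime {
    param(
        [string]$Server   # optional DC to bind to; default is serverless binding
    )
    $prefix   = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    $rootDse  = [ADSI]($prefix + "RootDSE")
    $configNC = $rootDse.configurationNamingContext.Value
    $dsObject = [ADSI]($prefix + "CN=Directory Service,CN=Windows NT,CN=Services,$configNC")

    # .psbase reaches the .NET DirectoryEntry members on every PowerShell version
    $raw = $dsObject.psbase.Properties["tombstoneLifetime"].Value
    if ($null -eq $raw) {
        # Attribute absent: the DSA falls back to the hardcoded default of 60
        # days, no matter which media (2003, SP1, R2) built the forest.
        New-Object PSObject -Property @{
            Configured    = $null
            EffectiveDays = 60
            Source        = 'attribute not set; hardcoded default'
        }
    } else {
        New-Object PSObject -Property @{
            Configured    = [int]$raw
            EffectiveDays = [int]$raw
            Source        = 'tombstoneLifetime attribute'
        }
    }
}

function Set-TombstoneLifetime {
    param(
        [int]$Days = 180,   # what a forest built from SP1 media would have written
        [string]$Server
    )
    # Sanity check of my own: a TSL shorter than the age of the oldest backup
    # you would ever restore makes that backup unusable.
    if ($Days -lt 2) { throw "Refusing to set a tombstone lifetime of $Days days" }

    $prefix   = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    $rootDse  = [ADSI]($prefix + "RootDSE")
    $configNC = $rootDse.configurationNamingContext.Value
    $dsObject = [ADSI]($prefix + "CN=Directory Service,CN=Windows NT,CN=Services,$configNC")

    $dsObject.Put("tombstoneLifetime", $Days)
    $dsObject.SetInfo()

    # Re-read so the caller sees what the directory now holds
    Get-TombstoneLifetime -Server $Server
}

# Usage:
#   Get-TombstoneLifetime
#   Set-TombstoneLifetime -Days 180
```

The attribute lives in the Configuration partition, so it is set once per forest and replicates to every DC; pick the number of days from your backup recovery strategy rather than copying 180 blindly, as Guido notes in the earlier message.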
RE: [ActiveDir] Reset home page via GPO
This IE setting can be applied via policy mode or preferences mode. Policy mode is what you normally think of when configuring GPO settings in that it'll be reset if a user ever changes it. Preferences mode only changes the initial value but allows the user to change it afterwards if they like without having it switch back each time GPOs are applied. Instead, it is only reset if the GPO itself is modified.

Also, if by chance you're using NT authentication to browse to that homepage be sure the web servers and DCs servicing them can support the load. You might also consider anonymous access to the homepage itself and then authentication to the sites off it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Monday, July 24, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Reset home page via GPO

Hello, colleagues,

Our HR department wants everybody's IE home page reset to our intranet home page. I presume the way to do this is via GPO, and apply it only to the users' OU. Are there any issues (other than political ones, of course) with doing this?

(Just an aside: We're back to work following the worst power outage in St. Louis history. Over 500,000 people without power for several days, and nearly 200,000 still out. Very interesting week we just had.)

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Reset home page via GPO
My labs are set up that way. Users can add as many links as they care to, but at 3:00AM every morning the labs reboot and all their links will be gone except the links specified with GPO.

-Z.V.

Larry Wahlers wrote:

Hello, colleagues,

Our HR department wants everybody's IE home page reset to our intranet home page. I presume the way to do this is via GPO, and apply it only to the users' OU. Are there any issues (other than political ones, of course) with doing this?

(Just an aside: We're back to work following the worst power outage in St. Louis history. Over 500,000 people without power for several days, and nearly 200,000 still out. Very interesting week we just had.)
RE: [ActiveDir] Reset home page via GPO
I have done this in the past and the only issue I am aware of is users not liking your choice of home page!

User Configuration\Windows Settings\Internet Explorer Maintenance\URLs

Tim

Date: Mon, 24 Jul 2006 10:33:41 -0500
From: [EMAIL PROTECTED]
Subject: [ActiveDir] Reset home page via GPO
To: ActiveDir@mail.activedir.org

Hello, colleagues,

Our HR department wants everybody's IE home page reset to our intranet home page. I presume the way to do this is via GPO, and apply it only to the users' OU. Are there any issues (other than political ones, of course) with doing this?

(Just an aside: We're back to work following the worst power outage in St. Louis history. Over 500,000 people without power for several days, and nearly 200,000 still out. Very interesting week we just had.)

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
RE: [ActiveDir] Reset home page via GPO
Larry-

Yes, you can do this with IE maintenance policy (User Configuration\Windows Settings\IE Maintenance). Let us know if this causes you any issues.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Monday, July 24, 2006 8:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Reset home page via GPO

Hello, colleagues,

Our HR department wants everybody's IE home page reset to our intranet home page. I presume the way to do this is via GPO, and apply it only to the users' OU. Are there any issues (other than political ones, of course) with doing this?

(Just an aside: We're back to work following the worst power outage in St. Louis history. Over 500,000 people without power for several days, and nearly 200,000 still out. Very interesting week we just had.)

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
Re: [ActiveDir] OT: Interview Techniques
Forgive the reply to my own email. I purposely prevented typing a word that rhymes with bassdole below, but my reply with contents included someone else using the same word in its original format! And I've just been sent an email from the nice postmaster at sx3 and the administrator at yahoo that I shouldn't swear. Define irony! I *swear* I didn't say it. I only said $%^$£!

M@

--- Mudha Godasa [EMAIL PROTECTED] wrote:

I will absolutely let you know of all the gory details. I sure hope I don't get an $%^$£! for a boss. ;-)

Cheers

__
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Re: [ActiveDir] Reset home page via GPO
We do it without issues. Only in case you have a large number of users, it can put a load on your intranet of course (each time IE is opened, hitting your intranet). I see most companies implementing that GPO. Not always that funny, but you get used to it... :-)

Regards,
Bart

On 7/24/06, Larry Wahlers [EMAIL PROTECTED] wrote:

Hello, colleagues,

Our HR department wants everybody's IE home page reset to our intranet home page. I presume the way to do this is via GPO, and apply it only to the users' OU. Are there any issues (other than political ones, of course) with doing this?

(Just an aside: We're back to work following the worst power outage in St. Louis history. Over 500,000 people without power for several days, and nearly 200,000 still out. Very interesting week we just had.)

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
RE: [ActiveDir] ldp in ADAM-SP1
Yes the tools are not quite what they could be. A lot of this is based on the complexity of the subject. The model is quite cool but it is also quite complex and getting more so. Look at the confidential attribute hack and the extended rights for protecting userAccountControl (Update Password Not Required Bit, etc). When you take into account all of the special rules in the DIT (usually around SAM attributes) which conflict with schema definitions as well as the special cases of ACLing like the confidentiality bit and the userAccountControl modifiers etc, and the inheritance model, it is very difficult to write one tool to handle all of the various cases to tell you what you have and to help you get to what you want.

An additional difficulty is that Microsoft isn't quick with updating tools to handle new features. Now third parties get into this realm and start playing but for many people that just pisses them off and makes them say... Hey Microsoft should already be supplying this, I'm not buying something. That combined with the fact that just maybe MSFT will realize they should correct this will tend to kill most third party folks from even going into that realm.

Oh another additional complexity and LDP actually exposes this. You could create a tool that could build any kind of ACL you want without making any judgements on what is being done so that at a later time if something changes the tool doesn't have to be corrected. However, there are few people who understand how ACLs really work and are configured to the point that the tool would really be useful to any large number of people. Something we recommended previously to MSFT is that we need to radically update the ACL dialog editors for ADUC, etc so that they have an easy mode and an advanced mode for those who really understand what they are doing. The challenge to MSFT is to work out the easy mode, you don't want it too simple and ineffective, and the advanced mode you still have to be careful with because there are a lot of people out there who think they are advanced security/AD people and they really don't have enough of a clue other than to really hurt themselves.

But yes, every MSFT security tool out there has some shortcoming in it. The new LDP is the most flexible and has the most capability but as you have found, there are some bugs in it. We have reported those bugs, hopefully they will be corrected. The issue then becomes one of release. More than likely I expect we wouldn't see something before Longhorn and maybe not even before Longhorn R2. I hope that isn't the case, but expect it will be Longhorn timeframe.

So the question comes down to are people willing to spend $1000 or $2000 or $5000 or more on tools to manage the ACLing in their directory? If so, third party tools are the answer. I am aware of a couple of tools that do things in this area, BindView (BVAdmin/BVControl) and Active Roles. However again, usually people immediately start talking about costs and the fact that MSFT should be supplying the tools to do this. I am not arguing the point, but that is where we are at the moment.

I will say this, writing C code around ACLing is not trivial. From what I understand the .NET 2.0 framework is alleged to make this much easier. Usually easier means less flexibility and builtin assumptions but I don't know enough about it to speak to it for the .NET Framework.

As a sidenote... I just this second received an email from the developer working on LDP and can say that he is digging into this. I can't say much more than that though.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

I dunno about you guys but I am very disappointed with the tools available to me for configuring perms. dsacls can configure most perms but can't configure control access rights to certain attribs of certain objects (e.g. when you configure an attribute as confidential and need to allow certain people the control access right to view the attribute). dsacls also can't display perms that great and gives details as special access. In order to see what's special, I have to use something like acldiag and sdcheck. And then to revoke, yet another tool dsrevoke which only works on domain objects and OUs.

After reading joe's book I figured ldp.exe from ADAM-SP1, here I come. Now that also has issues. I know I can write scripts for handling this. But they are cumbersome and slow. I think a nice fast C++ tool that does all this would be much appreciated. I am not sure how hard this is to do. But MSFT certainly have the expertise. May be longhorn will ship with something like that. But I ain't holding my breath.

I am no expert and no MVP. I ain't convinced my rant is gonna be heeded to. But please, guys
Re: [ActiveDir] Have you built an R2 Forest?
And Joseph.

-Original Message-
From: [EMAIL PROTECTED]
Date: Mon, 24 Jul 2006 16:54:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

thanks horhay :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

inline

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain wrong :(

Just to further clarify:

1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!)

2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE

3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES

4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO

I'm trying to understand the issue below but also how it is caused and how it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA

neil

PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

This all started due to bad documentation on http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true which states

Note the value in the Value column. If the value is not set, the default value is in effect as follows:
• On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.
• On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't seeing this in an R2 forest hence his original question.

The test R2 forests I have built I never checked TSL, just assumed it was 180 and normally I don't build R2 machines because I really don't much care about R2, SP1 is far more important for the stuff I play with. I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2.

My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the dock in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications. Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after you already had an incident you will be like, WTF Microsoft. It also makes me wonder if there is anything else that was regressed...

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing entry for the tombstonelifetime property) but didn't think too much of it because for now I've only had to handle upgrading from Win2000 or 2003 to R2 where the Schema.ini doesn't play a role. It is only used to populate a blank schema at the time that you create a new AD forest - and yes, this means that your tombstone lifetime wouldn't match that of other Win2003 forests that were created from a DC that had SP1 applied to it... I agree, not very nice, but easily fixed as you describe. Personally, I don't think too much of the fact that the tombstonelifetime was
[ActiveDir] LDAP Queries across WAN links
I am LDAP-challenged. We have an application that appears to be performing LDAP authentication to a Domain Controller at a remote location vs. the local DC. Is there a comprehensive site for coming up to speed on LDAP, how it's used, how to adjust its performance, etc? Is ntdsutil.exe the correct utility to modify how applications interact with LDAP?

Al Garrett
SWCCD
RE: [ActiveDir] OT: Interview Techniques
Does it pay well with good bene's? While I have a nice job now, I always look at available opportunities. :)

Don't have Brian interview me though, I expect I would come up short and I would have to show how much I like the phrases "it depends" and "I don't know". I have no doubt that Brian could bury me in an interview, or anyone for that matter if they have a good understanding of the product and can find the focuses I have and avoid those areas and stick to areas they focus on.

Again... No one can answer any question anyone can ask about AD. I am sure that most everyone on this list has probably seen something that most others haven't seen. For instance, right up until yesterday I could have been tripped up on what the default tombstone lifetime is in a freshly built R2 forest. I would have quoted what the correct answer should have been, not what it actually was. The only people who would have known different are those that would have had some reason to do it and noticed the value or have read something written about it or windiffed the schema.ini file for some reason against the SP1 version.

Basically there are two types of knowing... Experience and theoretical, where theoretical is what you have read or been told or what you derive yourself based on what you have experienced or been told or read. No one has experienced it all though people in key spots will have been in a position to have heard of a lot of things.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mudha Godasa
Sent: Monday, July 24, 2006 11:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

I will absolutely let you know of all the gory details. I sure hope I don't get an $%^$£! for a boss. ;-)

Cheers

P.S. Anyone want a job? ;0)

--- Al Mulnick [EMAIL PROTECTED] wrote:

I have to laugh. This thread is starting to sound like the six blind men describing an elephant.

As was mentioned, it is very hard to find somebody who can do the high-level design at all 8 layers, manage a staff of people, and still fit that into a 23 hour day. If you find one, keep him or her. If you don't find one, don't be terribly disappointed; look for one that's close and has the right personality to be made into one. There's plenty more of those, but be sure you're ready to keep him/her later because there are others looking for that type of person :)

FWIW, I think interviewing with Brian might be a laugh. Can you answer all the questions? Nope. Not every one. But you can still enjoy it and I think Neil was wise enough to mention that, no, I don't know it all but I do know how to use a book :) (ok, so I paraphrased. The point is that you use it or lose it. But knowing what questions to ask and where to find the answers is far more resilient than knowing everything there is to know about a product set on a given day. Most of the players on the team that wrote the application or product don't know either. But they do know where to go for the answers)

One thing that does come to mind would be to follow Brian's advice and ask open ended questions. Those are going to be the hardest because you're not going to be able to study for that. You'll have to walk through it under the pressure of an interview. That will tell the interviewer a lot about the person and what they would do 6 months from now when the technology is totally different and how they would deal with your unique situations.

Best of luck in your hiring endeavors. I for one am interested to hear a follow up in a few months to hear how it went.

Al

On 7/24/06, Ken Schaefer [EMAIL PROTECTED] wrote:

I suppose there are several roles that senior people could hold: some are managerial, some are architectural, and some are deeply technical (i.e. high level support). Architects, in that taxonomy, would do design work. Whereas a PSS engineer would probably spend more time with a debugger than using Word and Visio to produce high-level designs.

Cheers
Ken

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* [EMAIL PROTECTED]
*Sent:* Monday, 24 July 2006 5:53 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Interview Techniques

A senior guy IMO should be more focused on design aspects than support and thus should be able to answer questions along the line of: *How would you design a schema change process, encompassing initial request through to implementation*.

The answer to the above should help determine a lot of info from that person (see below) - even if they cannot answer the question fully.

- Does this person think logically
- Does this person explain ideas in a cohesive manner
- Does this person answer
Re: [ActiveDir] ldp in ADAM-SP1
Joe

I see you were configuring Full Control (GA) for nTDSConnection objects by configuring perms on the parent nTDSDSA object. I was trying to actually configure full control to the nTDSDSA using perms on the CN=Sites object but the principle is the same I guess. The only thing is nTDSConnection objects can't have child objects can they?

Still I am having some issues repro'ing. You said your workaround was to configure on the object types. Did you mean to configure explicitly on the object or on the parent with the child's object type specified in the ACE? I can't repro here and I am not sure whether you used dsacls or ldp to repro.

And why does it not choose the Access System Security option when you edit a Full Control ACE? Is that expected? I thought full control meant everything. Not everything but Access System Security. Also how come there is no string defined for Access System Security? There is for all other access masks.

I freely admit I know very little in this arena. Any lesson offered is most appreciated. I am already reading technet and many books by the fine guys on here. I just haven't finished them yet ;-)

Thanks to everyone who's read this so far and for all the help I am offered. I truly appreciate it.

Sincerely
M@

On 7/24/06, joe [EMAIL PROTECTED] wrote:

Beautiful, this is bug week. There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would need to check in order to specify an inherit only ACE (i.e. Child Objects Only).

2. When you try to work around it and specify the actual object types to inherit to it creates two ACEs instead of one. The first ACE is the FC inherit only to the object class you specify but then there is also a FC to the object itself. In the example below note the TEST\joe ACEs... I only added a single FC for nTDSConnection objects for test\joe but got that AND the non-inheritable Test\joe FC on the object itself.

G:\>dsacls "\\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc"
Access list:
Effective Permissions on this object are:
Allow TEST\joe                                FULL CONTROL
Allow TEST\Domain Admins                      SPECIAL ACCESS
                                              DELETE
                                              READ PERMISSONS
                                              WRITE PERMISSIONS
                                              CHANGE OWNERSHIP
                                              CREATE CHILD
                                              LIST CONTENTS
                                              WRITE SELF
                                              WRITE PROPERTY
                                              READ PROPERTY
                                              DELETE TREE
                                              LIST OBJECT
                                              CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users        SPECIAL ACCESS
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Allow NT AUTHORITY\SYSTEM                     FULL CONTROL
Allow TEST\Domain Admins                      FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins                  FULL CONTROL   <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                      FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins                  FULL CONTROL   <Inherited from parent>
Inherited to nTDSConnection
Allow TEST\joe                                FULL CONTROL

The command completed successfully

So in order to generate a generic FC that is only inherited, you can't, because of bug 1, do it with LDP. If you want to create an ACE for a specific objectclass (which nTDSConnection should be ok in terms of what you are trying to delegate) it can do it but you have to go back and clean up the additional ACE created by bug 2.

I will alert MSFT.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in the CN=Sites,CN=Configuration,DC=ForestFQDN? The inherit-only perms option is grayed out here and I don't know how to do it. Based on joe's comments I assumed the ldp.exe's ACL editor is the most comprehensive and capable ACL gui editor available. I must be doing something wrong here so I would appreciate some help.

Regards
M@
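The cleanup step joe describes for bug 2 (keep the inherit-only Full Control ACE scoped to nTDSConnection, remove the extra explicit Full Control ACE LDP wrote on the object itself), as an added PowerShell example that is not part of the thread. It uses System.DirectoryServices through ADSI, looks up the nTDSConnection schemaIDGUID from the schema instead of hard-coding it, and only modifies the ACL when run with -Commit. The function names are my own; the DN and trustee in the usage lines are taken from the dsacls output above.

```powershell
# Added example (not from the thread): find and remove the spurious explicit
# Full Control ACE left behind by the ADAM SP1 LDP ACL editor, keeping the
# intended inherit-only ACE for the child class.

function Get-SchemaClassGuid {
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    $schemaNC = ([ADSI]"LDAP://RootDSE").schemaNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNC"
    $searcher.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Schema class '$LdapDisplayName' not found" }
    # schemaIDGUID is stored as a 16-byte octet string
    New-Object System.Guid -ArgumentList @(,[byte[]]$result.Properties["schemaidguid"][0])
}

function Remove-SpuriousFullControlAce {
    param(
        [Parameter(Mandatory=$true)][string]$ObjectDN,   # object whose ACL LDP edited
        [Parameter(Mandatory=$true)][string]$Trustee,    # e.g. 'TEST\joe'
        [string]$ChildClass = 'nTDSConnection',
        [switch]$Commit                                  # without -Commit, report only
    )
    $entry     = [ADSI]"LDAP://$ObjectDN"
    $sd        = $entry.psbase.ObjectSecurity            # ActiveDirectorySecurity
    $childGuid = Get-SchemaClassGuid -LdapDisplayName $ChildClass

    # Explicit (non-inherited) Allow/Full Control rules for this trustee only
    $rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -eq $Trustee -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -eq 'GenericAll'
        }

    # What was intended: inherit-only, applying to child objects of $ChildClass
    $intended = $rules | Where-Object {
        $_.InheritedObjectType -eq $childGuid -and
        (($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0)
    }
    # What LDP added as a side effect: applies to this object, no class scope
    $spurious = $rules | Where-Object {
        $_.InheritanceType -eq 'None' -and $_.ObjectType -eq [Guid]::Empty
    }

    if (-not $intended) {
        Write-Warning "No inherit-only $ChildClass Full Control ACE for $Trustee on $ObjectDN; nothing to clean up"
        return $null
    }
    if (-not $spurious) {
        Write-Output "No explicit Full Control ACE for $Trustee found on $ObjectDN"
        return $null
    }

    foreach ($rule in $spurious) {
        if ($Commit) {
            $sd.RemoveAccessRuleSpecific($rule)
            Write-Output "Removed explicit Full Control for $Trustee on $ObjectDN"
        } else {
            Write-Output "Would remove explicit Full Control for $Trustee on $ObjectDN (re-run with -Commit)"
        }
    }
    if ($Commit) { $entry.psbase.CommitChanges() }
    $spurious
}

# Usage (DN and trustee from the dsacls output in the thread):
#   $dn = 'CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc'
#   Remove-SpuriousFullControlAce -ObjectDN $dn -Trustee 'TEST\joe'            # dry run
#   Remove-SpuriousFullControlAce -ObjectDN $dn -Trustee 'TEST\joe' -Commit    # apply
```

Run it once without -Commit and compare the reported rule with the dsacls listing before applying; re-running dsacls afterwards should show only the "Inherited to nTDSConnection" entry for the trustee.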
RE: [ActiveDir] DNS Issue
This is similar to the problem that we had seen before with caching and TTLs and I believe may be addressed by this fix: http://support.microsoft.com/kb/903720/en-us. You could confirm it by disabling the cache but your performance will suffer. It has been a while since I actually looked at this type of failure but I believe we worked around the issue temporarily by using stub zones. Since it looks like a possible issue with caching and TTL I would consider opening a case with Product Support Services (PSS) to get to the bottom of it.

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Monday, July 24, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue

Hi Steve

Interesting findings. Firstly, yes I am clearing the DNS Cache and not doing ipconfig /flushdns on the DC. I have shown the d2 output below but also see the following:

1. Clear the DNS cache on DC
2. Submit query for server1.nyc.test.com - success
3. Explicitly delete the record for above host from the cache leaving the nyc parent folder in cache.
4. Submit query for server1.nyc.test.com - fail
5. Delete nyc parent folder
6. Submit query for server1.nyc.test.com - success

So what I think is happening is when the TTL for the cached record expires it gets deleted (as per the manual deletion above) then subsequent queries fail. Note that the DNS servers for test.com are QIP based - may have a bearing?

server1.nyc.test.com
Server:  dns1.int.mycorp.com
Address:  x.x.x.x

SendRequest(), len 62
    HEADER:
        opcode = QUERY, id = 15, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        server1.nyc.test.com.int.mycorp.com, type = A, class = IN

Got answer (135 bytes):
    HEADER:
        opcode = QUERY, id = 15, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        server1.nyc.test.com.int.mycorp.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  int.mycorp.com
        type = SOA, class = IN, dlen = 47
        ttl = 3600 (1 hour)
        primary name server = dns1.int.mycorp.com
        responsible mail addr = hostmaster.int.mycorp.com
        serial  = 54966
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

SendRequest(), len 55
    HEADER:
        opcode = QUERY, id = 16, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        server1.nyc.test.com.mycorp.com, type = A, class = IN

Got answer (118 bytes):
    HEADER:
        opcode = QUERY, id = 16, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        server1.nyc.test.com.mycorp.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  mycorp.com
        type = SOA, class = IN, dlen = 44
        ttl = 86400 (1 day)
        primary name server = name.int.com
        responsible mail addr = postmaster.int.com
        serial  = 2006072002
        refresh = 1800 (30 mins)
        retry   = 900 (15 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

SendRequest(), len 47
    HEADER:
        opcode = QUERY, id = 17, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        server1.nyc.test.com, type = A, class = IN

Got answer (47 bytes):
    HEADER:
        opcode = QUERY, id = 17, rcode = SERVFAIL
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0
    QUESTIONS:
        server1.nyc.test.com, type = A, class = IN

*** dns1.int.mycorp.com can't find server1.nyc.test.com: Server failed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 24 Jul 2006 3:58
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue

David,

A few more questions. When you state you cleared the cache I want to ensure this meant clearing the Cache on the DNS Server not the client resolver cache. Also if you open the DNS snap-in in advanced mode and look in the cache do you see a record for nyc.test.com and if so can you provide a screenshot of the entry from the DNS MMC? Finally can you go to the DNS server, open a cmd prompt and launch
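As an added example (not code from Steve's or David's posts), a PowerShell watcher that repeats the query against the DC on a timer and snapshots the server-side cache under the parent node, so a failure can be lined up with the moment the cached record's TTL ran out. It assumes today's DnsClient and DnsServer modules (RSAT DNS tools) rather than the 2006-era tools in the thread; the name and server passed in are placeholders.

```powershell
# Added example, not from the thread. Needs the DnsClient module (built in) and
# the DnsServer module (RSAT DNS Server tools) with rights to read the cache.
function Watch-DnsCacheExpiry {
    param(
        # Name that intermittently fails, e.g. server1.nyc.test.com (placeholder)
        [Parameter(Mandatory)][string]$Name,
        # DNS server / DC whose cache is suspected, e.g. dns1.int.mycorp.com (placeholder)
        [Parameter(Mandatory)][string]$DnsServer,
        [int]$Iterations = 20,
        [int]$IntervalSeconds = 30
    )
    # The parent node David deleted by hand (nyc.test.com for server1.nyc.test.com)
    $parent = ($Name -split '\.', 2)[1]

    for ($i = 1; $i -le $Iterations; $i++) {
        $stamp = Get-Date -Format 'HH:mm:ss'

        # Query the server directly; -DnsOnly and -NoHostsFile bypass the local
        # resolver cache and hosts file so only the server's answer counts.
        try {
            $answer = Resolve-DnsName -Name $Name -Type A -Server $DnsServer `
                -DnsOnly -NoHostsFile -ErrorAction Stop
            $ips = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ','
            $status = "success ($ips)"
        } catch {
            $status = "FAIL: $($_.Exception.Message)"
        }

        # What the server still holds in its cache beneath the parent node, with
        # the remaining TTL; an empty list right after a failure supports the
        # "record expired, parent node stayed" theory from the thread.
        $cached = Show-DnsServerCache -ComputerName $DnsServer -ErrorAction SilentlyContinue |
            Where-Object { $_.HostName -like "*$parent*" }
        $cacheSummary = ($cached | ForEach-Object {
            "$($_.HostName) $($_.RecordType) ttl=$([int]$_.TimeToLive.TotalSeconds)s"
        }) -join '; '

        [pscustomobject]@{
            Time  = $stamp
            Query = $status
            Cache = if ($cacheSummary) { $cacheSummary } else { '(nothing cached under ' + $parent + ')' }
        }

        if ($i -lt $Iterations) { Start-Sleep -Seconds $IntervalSeconds }
    }
}

# Example run (placeholders): sample often enough to catch the TTL boundary.
# Watch-DnsCacheExpiry -Name 'server1.nyc.test.com' -DnsServer 'dns1.int.mycorp.com' -IntervalSeconds 15 |
#     Format-Table -AutoSize
```

Pick an interval shorter than the record's TTL so the snapshot just before and just after expiry are both captured.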
Re: [ActiveDir] OT: Interview Techniques
The only true way to be sure you don't get one of those for a boss is to not invite me to interview for it ;)

On 7/24/06, Mudha Godasa [EMAIL PROTECTED] wrote:
I will absolutely let you know of all the gory details. I sure hope I don't get an $%^$£! for a boss. ;-)
Cheers
P.S. Anyone want a job? ;0)

--- Al Mulnick [EMAIL PROTECTED] wrote:
I have to laugh. This thread is starting to sound like the six blind men describing an elephant. As was mentioned, it is very hard to find somebody who can do the high-level design at all 8 layers, manage a staff of people, and still fit that into a 23 hour day. If you find one, keep him or her. If you don't find one, don't be terribly disappointed; look for one that's close and has the right personality to be made into one. There's plenty more of those, but be sure you're ready to keep him/her later because there are others looking for that type of person :)

FWIW, I think interviewing with Brian might be a laugh. Can you answer all the questions? Nope. Not every one. But you can still enjoy it and I think Neil was wise enough to mention that, no, I don't know it all but I do know how to use a book :) (ok, so I paraphrased. The point is that you use it or lose it. But knowing what questions to ask and where to find the answers is far more resilient than knowing everything there is to know about a product set on a given day. Most of the players on the team that wrote the application or product don't know either. But they do know where to go for the answers)

One thing that does come to mind would be to follow Brian's advice and ask open ended questions. Those are going to be the hardest because you're not going to be able to study for that. You'll have to walk through it under the pressure of an interview. That will tell the interviewer a lot about the person and what they would do 6 months from now when the technology is totally different and how they would deal with your unique situations.

Best of luck in your hiring endeavors. I for one am interested to hear a follow up in a few months to hear how it went.

Al

On 7/24/06, Ken Schaefer [EMAIL PROTECTED] wrote:
I suppose there are several roles that senior people could hold: some are managerial, some are architectural, and some are deeply technical (i.e. high level support). Architects, in that taxonomy, would do design work. Whereas a PSS engineer would probably spend more time with a debugger than using Word and Visio to produce high-level designs.

Cheers
Ken

*From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] *On Behalf Of * [EMAIL PROTECTED]
*Sent:* Monday, 24 July 2006 5:53 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Interview Techniques

A senior guy IMO should be more focused on design aspects than support and thus should be able to answer questions along the line of: *How would you design a schema change process, encompassing initial request through to implementation*. The answer to the above should help determine a lot of info from that person (see below) - even if they cannot answer the question fully.
- Does this person think logically
- Does this person explain ideas in a cohesive manner
- Does this person answer questions with fluff and BS or are they succinct
- etc

To answer 'what do the FSMOs do?' one can simply state - I'd look it up in a book. I'd therefore always try to ask questions which can only be answered through experience (where possible) and not just through reading a book.

My 2 penneth,
neil

--
*From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] *On Behalf Of *mike kline
*Sent:* 24 July 2006 07:16
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] OT: Interview Techniques

Brian, That was a good story, very funny. So what did the guy do? Did he just get up and leave? I know from reading your posts you are usually straight and to the point. I would be sweating if I had to interview with you.

Going off course a bit. What are some types of AD questions that you all consider to be senior level? For example what if you ask someone how to do a metadata cleanup? Would you all consider that to be a mid level question? Just wondering because I always grapple trying to figure out questions for the mid vs. senior level candidate.

On 7/23/06, *Brian Desmond* [EMAIL PROTECTED] wrote:
I've got no second thoughts about being an asshole during a tech interview. I ask the question, you either answer it or tell me you don't know. If you choose not to tell me you don't know and demonstrate that you don't know through what you tell me instead, I'm already pretty much through. If you're arrogant like this candidate you describe, I'm likely through as well. My favorite exchange as of late goes like this:
Me - Tell me a little bit about your experience migrating Exchange 5.5 orgs to 2003
Them - blah blah blah
Me - Ok, can you name
RE: [ActiveDir] Have you built an R2 Forest?
shit I need to submit a bug fix for that! ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 2006-07-24 17:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

thanks horhay :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

inline

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain wrong :(

Just to further clarify:
1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!)
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE
3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES
4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO

I'm trying to understand the issue below but also how it is caused and how it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA

neil

PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

This all started due to bad documentation on http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true which states

Note the value in the Value column. If the value is not set, the default value is in effect as follows:
* On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.
* On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't seeing this in an R2 forest hence his original question. The test R2 forests I have built I never checked TSL, just assumed it was 180 and normally I don't build R2 machines because I really don't much care about R2, SP1 is far more important for the stuff I play with.

I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2. My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the dock in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications.

Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after you already had an incident you will be like, WTF Microsoft. It also makes me wonder if there is anything else that was regressed...

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2
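As an added example (not code from joe, Jorge, Neil or anyone else in the thread), a PowerShell check that applies the rule the thread settles on: read tombstoneLifetime from the Directory Service object, treat NOT SET as the hard-coded 60 days, and optionally write an explicit value so the forest no longer depends on which schema.ini it was built from. It assumes the RSAT ActiveDirectory module; the -Server and backup-age values are caller-supplied placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT)
# and, for the write, Enterprise Admin rights; -WhatIf previews the write.
function Get-EffectiveTombstoneLifetime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DC to query; omit to let the module pick one (placeholder)
        [string]$Server,
        # Explicit TSL to write, e.g. 180; omit to only report
        [ValidateRange(2, 3650)][int]$SetDays,
        # Age in days of the oldest system-state backup you still rely on (placeholder)
        [int]$OldestBackupAgeDays
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # The attribute lives on CN=Directory Service,CN=Windows NT,CN=Services in
    # the Configuration NC of the forest.
    $rootDse = Get-ADRootDSE @common
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject @common -Identity $dsDn -Properties tombstoneLifetime
    $stored = $ds.tombstoneLifetime

    # Rule from the thread: NOT SET means the hard-coded 60-day default is in
    # effect; anything else is what DCPROMO (via schema.ini) or an admin wrote.
    $effective = if ($null -eq $stored) { 60 } else { [int]$stored }
    $source    = if ($null -eq $stored) { 'hard-coded default (attribute not set)' } else { 'explicit attribute value' }

    if ($PSBoundParameters.ContainsKey('SetDays') -and $SetDays -ne $effective) {
        if ($PSCmdlet.ShouldProcess($dsDn, "set tombstoneLifetime to $SetDays days")) {
            Set-ADObject @common -Identity $dsDn -Replace @{ tombstoneLifetime = $SetDays }
            $effective = $SetDays
            $source    = 'explicit attribute value (just written)'
        }
    }

    # Backup/restore implication joe mentions: a backup older than the TSL is
    # unusable for restore, because the deleted objects it would reintroduce
    # have already been garbage-collected on the live DCs.
    $warning = $null
    if ($PSBoundParameters.ContainsKey('OldestBackupAgeDays') -and $OldestBackupAgeDays -ge $effective) {
        $warning = "oldest backup ($OldestBackupAgeDays days) is not younger than the TSL ($effective days)"
    }

    [pscustomobject]@{
        DirectoryServiceDN = $dsDn
        StoredValue        = if ($null -eq $stored) { 'NOT SET' } else { $stored }
        EffectiveDays      = $effective
        Source             = $source
        BackupWarning      = $warning
    }
}

# Report only:
# Get-EffectiveTombstoneLifetime
# Preview, then apply, the fix Neil and Jorge discuss (explicit 180 days):
# Get-EffectiveTombstoneLifetime -SetDays 180 -WhatIf
# Get-EffectiveTombstoneLifetime -SetDays 180 -OldestBackupAgeDays 45
```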
RE: [ActiveDir] Have you built an R2 Forest?
a justice! ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 2006-07-24 19:16
To: ActiveDir.org
Subject: Re: [ActiveDir] Have you built an R2 Forest?

And Joseph.

-Original Message-
From: [EMAIL PROTECTED]
Date: Mon, 24 Jul 2006 16:54:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

thanks horhay :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

inline

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain wrong :(

Just to further clarify:
1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!)
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE
3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES
4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO

I'm trying to understand the issue below but also how it is caused and how it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA

neil

PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

This all started due to bad documentation on http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true which states

Note the value in the Value column. If the value is not set, the default value is in effect as follows:
* On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.
* On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't seeing this in an R2 forest hence his original question. The test R2 forests I have built I never checked TSL, just assumed it was 180 and normally I don't build R2 machines because I really don't much care about R2, SP1 is far more important for the stuff I play with.

I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2. My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the dock in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications.

Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after you already had an incident you will be like, WTF Microsoft. It also makes me wonder if there is anything else that was regressed...

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing entry for the tombstonelifetime property) but didn't think too much of it because for now I've only had to handle upgrading from Win2000 or
RE: [ActiveDir] OT: Interview Techniques
Yeah but see when I focus in on the areas you're weak in you could still talk your way out of it instead of making up some goofy ass bs that I have to write down when I get off the phone and file in my resumes and interviews folder.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 24, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Interview Techniques

Does it pay well with good bene's? While I have a nice job now, I always look at available opportunities. :)

Don't have Brian interview me though, I expect I would come up short and I would have to show how much I like the phrases it depends and I don't know. I have no doubt that Brian could bury me in an interview, or anyone for that matter if they have a good understanding of the product and can find the focuses I have and avoid those areas and stick to areas they focus on.

Again... No one can answer any question anyone can ask about AD. I am sure that most everyone on this list has probably seen something that most others haven't seen. For instance, right up until yesterday I could have been tripped up on what the default tombstone lifetime is in a freshly built R2 forest. I would have quoted what the correct answer should have been, not what it actually was. The only people who would have known different are those that would have had some reason to do it and noticed the value or have read something written about it or windiffed the schema.ini file for some reason against the SP1 version.

Basically there are two types of knowing... Experience and theoretical where theoretical is what you have read or been told or what you derive yourself based on what you have experienced or been told or read. No one has experienced it all though people in key spots will have been in a position to have heard of a lot of things.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mudha Godasa
Sent: Monday, July 24, 2006 11:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

I will absolutely let you know of all the gory details. I sure hope I don't get an $%^$£! for a boss. ;-)
Cheers
P.S. Anyone want a job? ;0)

--- Al Mulnick [EMAIL PROTECTED] wrote:
I have to laugh. This thread is starting to sound like the six blind men describing an elephant. As was mentioned, it is very hard to find somebody who can do the high-level design at all 8 layers, manage a staff of people, and still fit that into a 23 hour day. If you find one, keep him or her. If you don't find one, don't be terribly disappointed; look for one that's close and has the right personality to be made into one. There's plenty more of those, but be sure you're ready to keep him/her later because there are others looking for that type of person :)

FWIW, I think interviewing with Brian might be a laugh. Can you answer all the questions? Nope. Not every one. But you can still enjoy it and I think Neil was wise enough to mention that, no, I don't know it all but I do know how to use a book :) (ok, so I paraphrased. The point is that you use it or lose it. But knowing what questions to ask and where to find the answers is far more resilient than knowing everything there is to know about a product set on a given day. Most of the players on the team that wrote the application or product don't know either. But they do know where to go for the answers)

One thing that does come to mind would be to follow Brian's advice and ask open ended questions. Those are going to be the hardest because you're not going to be able to study for that. You'll have to walk through it under the pressure of an interview. That will tell the interviewer a lot about the person and what they would do 6 months from now when the technology is totally different and how they would deal with your unique situations.

Best of luck in your hiring endeavors. I for one am interested to hear a follow up in a few months to hear how it went.

Al

On 7/24/06, Ken Schaefer [EMAIL PROTECTED] wrote:
I suppose there are several roles that senior people could hold: some are managerial, some are architectural, and some are deeply technical (i.e. high level support). Architects, in that taxonomy, would do design work. Whereas a PSS engineer would probably spend more time with a debugger than using Word and Visio to produce high-level designs.

Cheers
Ken

*From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of * [EMAIL PROTECTED]
*Sent:* Monday, 24 July 2006 5:53 PM
*To:*
Re: [ActiveDir] OT: Interview Techniques
Now Al, have you been making your employees drop and give you 20 again? Really, I thought we'd talked about that? ;-)

- Laura

On 7/24/06, Al Mulnick [EMAIL PROTECTED] wrote:
The only true way to be sure you don't get one of those for a boss is to not invite me to interview for it ;)

On 7/24/06, Mudha Godasa [EMAIL PROTECTED] wrote:
I will absolutely let you know of all the gory details. I sure hope I don't get an $%^$£! for a boss. ;-)
Cheers
P.S. Anyone want a job? ;0)

--- Al Mulnick [EMAIL PROTECTED] wrote:
I have to laugh. This thread is starting to sound like the six blind men describing an elephant. As was mentioned, it is very hard to find somebody who can do the high-level design at all 8 layers, manage a staff of people, and still fit that into a 23 hour day. If you find one, keep him or her. If you don't find one, don't be terribly disappointed; look for one that's close and has the right personality to be made into one. There's plenty more of those, but be sure you're ready to keep him/her later because there are others looking for that type of person :)

FWIW, I think interviewing with Brian might be a laugh. Can you answer all the questions? Nope. Not every one. But you can still enjoy it and I think Neil was wise enough to mention that, no, I don't know it all but I do know how to use a book :) (ok, so I paraphrased. The point is that you use it or lose it. But knowing what questions to ask and where to find the answers is far more resilient than knowing everything there is to know about a product set on a given day. Most of the players on the team that wrote the application or product don't know either. But they do know where to go for the answers)

One thing that does come to mind would be to follow Brian's advice and ask open ended questions. Those are going to be the hardest because you're not going to be able to study for that. You'll have to walk through it under the pressure of an interview. That will tell the interviewer a lot about the person and what they would do 6 months from now when the technology is totally different and how they would deal with your unique situations.

Best of luck in your hiring endeavors. I for one am interested to hear a follow up in a few months to hear how it went.

Al

On 7/24/06, Ken Schaefer [EMAIL PROTECTED] wrote:
I suppose there are several roles that senior people could hold: some are managerial, some are architectural, and some are deeply technical (i.e. high level support). Architects, in that taxonomy, would do design work. Whereas a PSS engineer would probably spend more time with a debugger than using Word and Visio to produce high-level designs.

Cheers
Ken

*From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] *On Behalf Of * [EMAIL PROTECTED]
*Sent:* Monday, 24 July 2006 5:53 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Interview Techniques

A senior guy IMO should be more focused on design aspects than support and thus should be able to answer questions along the line of: *How would you design a schema change process, encompassing initial request through to implementation*. The answer to the above should help determine a lot of info from that person (see below) - even if they cannot answer the question fully.
- Does this person think logically
- Does this person explain ideas in a cohesive manner
- Does this person answer questions with fluff and BS or are they succinct
- etc

To answer 'what do the FSMOs do?' one can simply state - I'd look it up in a book. I'd therefore always try to ask questions which can only be answered through experience (where possible) and not just through reading a book.

My 2 penneth,
neil

--
*From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *mike kline
*Sent:* 24 July 2006 07:16
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] OT: Interview Techniques

Brian, That was a good story, very funny. So what did the guy do? Did he just get up and leave? I know from reading your posts you are usually straight and to the point. I would be sweating if I had to interview with you.

Going off course a bit. What are some types of AD questions that you all consider to be senior level? For example what if you ask someone how to do a metadata cleanup? Would you all consider that to be a mid level question? Just wondering because I always grapple trying to figure out questions for the mid vs. senior level candidate.

On 7/23/06, *Brian
RE: [ActiveDir] Reset home page via GPO
Thanks, everybody, for your replies. I thought it would work fine with no technical issues (political ones are inevitable, of course).

Meanwhile, David Adner wrote:
This IE setting can be applied via policy mode or preferences mode. Policy mode is what you normally think of when configuring GPO settings in that it'll be reset if a user ever changes it. Preferences mode only changes the initial value but allows the user to change it afterwards if they like without having it switch back each time GPOs are applied. Instead, it is only reset if the GPO itself is modified.

I can't seem to find those distinctions. I'd love to be able to reset everybody's home page just for their initial login after all the training is done, and let them reset it if they want to, and let it stay that way. I see where you can set it as enforced which I did not do, but our testing shows that every time somebody logs off and then on again, they'll get the intranet start page regardless of whether they changed it or not. In fact, one of our testers discovered that if she closes all instances of IE, then waits five minutes or so, starting IE back up again once again resets her homepage, even if she didn't log off the machine.

Gotta love all this fun we're having! In a few days, it'll be a moot point. Some exec will decide they don't like it, and I'll be instructed to take it off.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] LDAP Queries across WAN links
Couple of things to get you started down the right path:

1) ldap is not an authentication protocol. Remember that as there will be a test later.
2) NTDSUTIL is not the tool to test with. LDP.EXE or one of the joeware tools might be better. There are several freeware tools that are also out there, but I've found that LDP is one of the easiest for a GUI based tool.
3) There are RFCs, books, websites, etc. What have you read so far and what types of questions does that lead you to? What I'm looking for is what aspect of LDAP you're wanting to follow. The field is wide, and we may need to narrow it down a bit to save time.

Also, can you describe the problems that you see? I mean, some details would be helpful. What language it's written in, how it was configured, what problem you see vs. what you expect to see, etc. would be really helpful.

LDAP, in its native state is not going to just pick a server out of a hat. Instead, it can either be told which server to use else use root dse (see RFC 2251 for explanation but basically it's a way to use name resolution to find directory servers.) Using root dse methods might make ldap seem less predictable in some cases.

Al

On 7/24/06, Al Garrett [EMAIL PROTECTED] wrote:
I am LDAP-challenged. We have an application that appears to be performing LDAP authentication to a Domain Controller at a remote location vs. the local DC. Is there a comprehensive site for coming up to speed on LDAP, how it's used, how to adjust its performance, etc? Is ntdsutil.exe the correct utility to modify how applications interact with LDAP?

Al Garrett
SWCCD
Re: [ActiveDir] Reset home page via GPO
That's the point, but they will get used to it. It's like implementing strong password policy in an environment which doesn't have it yet. First there will be complaints, but after a while they stop nagging and just follow the flow :-)

Bart

On 7/24/06, Tim Foster [EMAIL PROTECTED] wrote:
I have done this in the past and the only issue I am aware of is users not liking your choice of home page!

User Configuration\Windows Settings\Internet Explorer Maintenance\URLs

Tim

Date: Mon, 24 Jul 2006 10:33:41 -0500
From: [EMAIL PROTECTED]
Subject: [ActiveDir] Reset home page via GPO
To: ActiveDir@mail.activedir.org

Hello, colleagues,

Our HR department wants everybody's IE home page reset to our intranet home page. I presume the way to do this is via GPO, and apply it only to the users' OU. Are there any issues (other than political ones, of course) with doing this?

(Just an aside: We're back to work following the worst power outage in St. Louis history. Over 500,000 people without power for several days, and nearly 200,000 still out. Very interesting week we just had.)

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
RE: [ActiveDir] LDAP Queries across WAN links
I should have answered my own post, my apologies for being slack. The symptoms were slow application launch on the first occurrence, faster the 2nd and subsequent launches. We solved the problem in the low-tech method. LMHOSTS to direct use of the local DCs.

Thanks for the reply.

Al

-Original Message-
From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Monday, July 24, 2006 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Queries across WAN links

Couple of things to get you started down the right path:

1) ldap is not an authentication protocol. Remember that as there will be a test later.
2) NTDSUTIL is not the tool to test with. LDP.EXE or one of the joeware tools might be better. There are several freeware tools that are also out there, but I've found that LDP is one of the easiest for a GUI based tool.
3) There are RFCs, books, websites, etc. What have you read so far and what types of questions does that lead you to? What I'm looking for is what aspect of LDAP you're wanting to follow. The field is wide, and we may need to narrow it down a bit to save time.

Also, can you describe the problems that you see? I mean, some details would be helpful. What language it's written in, how it was configured, what problem you see vs. what you expect to see, etc. would be really helpful.

LDAP, in its native state is not going to just pick a server out of a hat. Instead, it can either be told which server to use else use root dse (see RFC 2251 for explanation but basically it's a way to use name resolution to find directory servers.) Using root dse methods might make ldap seem less predictable in some cases.

Al

On 7/24/06, Al Garrett [EMAIL PROTECTED] wrote:
I am LDAP-challenged. We have an application that appears to be performing LDAP authentication to a Domain Controller at a remote location vs. the local DC. Is there a comprehensive site for coming up to speed on LDAP, how it's used, how to adjust its performance, etc? Is ntdsutil.exe the correct utility to modify how applications interact with LDAP?

Al Garrett
SWCCD
RE: [ActiveDir] [OT] Have you built an R2 Forest?
Settle down princess

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, July 24, 2006 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

a justice! ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 2006-07-24 19:16
To: ActiveDir.org
Subject: Re: [ActiveDir] Have you built an R2 Forest?

And Joseph.

-Original Message-
From: [EMAIL PROTECTED]
Date: Mon, 24 Jul 2006 16:54:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

thanks horhay :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

inline

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain wrong :(

Just to further clarify:

1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!)

2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE

3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES

4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO

I'm trying to understand the issue below but also how it is caused and how it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA

neil

PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

This all started due to bad documentation on http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true which states

Note the value in the Value column. If the value is not set, the default value is in effect as follows:
• On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.
• On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't seeing this in an R2 forest hence his original question.

The test R2 forests I have built I never checked TSL, just assumed it was 180 and normally I don't build R2 machines because I really don't much care about R2, SP1 is far more important for the stuff I play with. I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2.

My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the dock in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications. Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after you already had an incident you will be like, WTF Microsoft. It also makes me wonder if there is anything else that was regressed...

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To:
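The effective-TSL rule Guido and joe describe (NOT SET means the hard-coded 60 days, otherwise the stored value) applied to the customs scenario above, as an added example that is not code from the list or from Microsoft; the LDAP helpers assume the third-party ldap3 package and placeholder host and credentials:

```python
"""Effective tombstone lifetime (TSL) logic for the R2 forest issue in this thread.

Added example, not code from the list or from Microsoft.  The rule is the one
Guido and joe state: if tombstoneLifetime on the Directory Service object
(CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>)
is NOT SET, the hard-coded default of 60 days applies; otherwise the stored
number of days applies (180 where DCPROMO populated it from an SP1 schema.ini,
or whatever an admin wrote).  The LDAP helpers need the third-party ldap3
package and import it lazily; dc_host/user/password are placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

HARDCODED_DEFAULT_TSL_DAYS = 60    # enforced when the attribute is NOT SET
SP1_SCHEMA_INI_TSL_DAYS = 180      # what SP1 media writes into a new forest
DIRECTORY_SERVICE_RDN = "CN=Directory Service,CN=Windows NT,CN=Services"


def effective_tsl_days(attribute_value: Optional[int]) -> int:
    """TSL the DCs actually enforce for a given attribute value (None = NOT SET)."""
    if attribute_value is None:
        return HARDCODED_DEFAULT_TSL_DAYS
    return int(attribute_value)


@dataclass(frozen=True)
class TslAssessment:
    effective_days: int     # what the forest enforces
    assumed_days: int       # what the admin believes (e.g. 180 after reading the TechNet page)
    mismatch: bool          # True when planning was based on the wrong number


def assess(attribute_value: Optional[int], assumed_days: int) -> TslAssessment:
    """Compare the enforced TSL with the value planning was based on."""
    effective = effective_tsl_days(attribute_value)
    return TslAssessment(effective, assumed_days, effective != assumed_days)


def is_safe_to_reconnect(attribute_value: Optional[int], days_offline: int) -> bool:
    """A DC that has been offline for a full TSL must not be brought back: the
    tombstones for deletions it never replicated have been garbage-collected,
    so it would reintroduce lingering objects."""
    return days_offline < effective_tsl_days(attribute_value)


def is_backup_restorable(attribute_value: Optional[int], taken: date, today: date) -> bool:
    """The same rule applied to the age of a system-state backup."""
    return is_safe_to_reconnect(attribute_value, (today - taken).days)


def read_tsl(dc_host: str, user: str, password: str) -> Optional[int]:
    """Read tombstoneLifetime over LDAP; returns None when the attribute is NOT SET.
    Assumes ldap3 semantics: a requested but absent attribute reads back as None."""
    from ldap3 import ALL, BASE, Connection, Server   # lazy: the logic above runs offline
    server = Server(dc_host, get_info=ALL)
    conn = Connection(server, user=user, password=password, auto_bind=True)
    config_nc = server.info.other["configurationNamingContext"][0]
    dn = f"{DIRECTORY_SERVICE_RDN},{config_nc}"
    conn.search(dn, "(objectClass=*)", search_scope=BASE, attributes=["tombstoneLifetime"])
    if not conn.entries:
        raise LookupError(f"{dn} not found")
    value = conn.entries[0]["tombstoneLifetime"].value
    return None if value is None else int(value)


def set_tsl(dc_host: str, user: str, password: str, days: int = SP1_SCHEMA_INI_TSL_DAYS) -> bool:
    """Write the value explicitly (what the thread's 'add the 180 value' fix does
    with admod or adsiedit).  Returns True when the LDAP modify succeeds."""
    from ldap3 import ALL, MODIFY_REPLACE, Connection, Server
    server = Server(dc_host, get_info=ALL)
    conn = Connection(server, user=user, password=password, auto_bind=True)
    config_nc = server.info.other["configurationNamingContext"][0]
    dn = f"{DIRECTORY_SERVICE_RDN},{config_nc}"
    return conn.modify(dn, {"tombstoneLifetime": [(MODIFY_REPLACE, [days])]})


if __name__ == "__main__":
    # The thread's real-world case: a DC stuck in customs for 3 months in an R2 forest
    # whose admins assumed 180 days while the attribute was actually NOT SET.
    result = assess(None, assumed_days=180)
    print(f"enforced {result.effective_days} days, assumed {result.assumed_days}, "
          f"mismatch={result.mismatch}")
    print("safe after 90 days offline (NOT SET):", is_safe_to_reconnect(None, 90))   # False
    print("safe after 90 days offline (180 set):", is_safe_to_reconnect(180, 90))    # True
```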
RE: [ActiveDir] LDAP Queries across WAN links
Yeah from your initial description I am guessing you specified your domain name for host. If you do that, depending on the underlying code for the resolution to a specific domain controller you can get ANY DC in the forest. This is a very common issue with folks using LDAP libraries that aren't the MSFT ones. They built a lot of cool logic into their libraries and if you aren't running on Windows you should try and duplicate it, and if you are, you should be using it.

I am not sure I would solve this with lmhosts and short hostnames. The best solutions I have seen to date:

1. Duplicate the DNS lookups that MSFT does for the locator service. This really isn't too hard and just takes a little bit of DNS code, of which you should find several examples in the UNIX world. You can even make it considerably smarter than the current Windows location services, like looking at site link costs etc. to get the next closest site for instance.

2. Have a perl script (or some script) that does the DNS lookups manually and inserts the results into the application configuration every couple of hours or if there is a failure.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Monday, July 24, 2006 4:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Queries across WAN links

I should have answered my own post, my apologies for being slack. The symptoms were slow application launch on the first occurrence, faster the 2nd and subsequent launches. We solved the problem in the low-tech method: LMHOSTS to direct use of the local DCs.

Thanks for the reply.

Al

-Original Message-
From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Monday, July 24, 2006 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Queries across WAN links

Couple of things to get you started down the right path:

1) ldap is not an authentication protocol. Remember that as there will be a test later.

2) NTDSUTIL is not the tool to test with. LDP.EXE or one of the joeware tools might be better. There are several freeware tools that are also out there, but I've found that LDP is one of the easiest for a GUI based tool.

3) There are RFC's, books, websites, etc. What have you read so far and what types of questions does that lead you to? What I'm looking for is what aspect of LDAP you're wanting to follow. The field is wide, and we may need to narrow it down a bit to save time.

Also, can you describe the problems that you see? I mean, some details would be helpful. What language it's written in, how it was configured, what problem you see vs. what you expect to see, etc. would be really helpful.

LDAP, in its native state, is not going to just pick a server out of a hat. Instead, it can either be told which server to use or else use root dse (see RFC 2251 for explanation but basically it's a way to use name resolution to find directory servers.) Using root dse methods might make ldap seem less predictable in some cases.

Al

On 7/24/06, Al Garrett [EMAIL PROTECTED] wrote:

I am LDAP-challenged. We have an application that appears to be performing LDAP authentication to a Domain Controller at a remote location vs. the local DC. Is there a comprehensive site for coming up to speed on LDAP, how it's used, how to adjust its performance, etc? Is ntdsutil.exe the correct utility to modify how applications interact with LDAP?

Al Garrett
SWCCD
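joe's option 1 (emulate the locator's DNS SRV lookups, site-specific name first, then domain-wide) as an added example, not the list's or Microsoft's code; the domain, site and host names are constructed and the live lookup helper assumes the third-party dnspython package:

```python
"""Site-aware domain controller location by emulating the Windows locator's DNS
SRV lookups, as joe's option 1 suggests.  Added example, not the list's or
Microsoft's code.  Query names are the standard _msdcs SRV names; ordering
follows RFC 2782 (lowest priority first, weighted random within a priority).
The domain, site and host names below are constructed.  The live lookup
helper uses the third-party dnspython package and imports it lazily.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Srv:
    target: str
    port: int
    priority: int
    weight: int


def locator_query_names(domain: str, site: Optional[str] = None) -> List[str]:
    """Names the locator tries, most specific first: DCs registered for the
    client's site, then any DC in the domain.  (Windows learns the client site
    from a DC's netlogon reply; a non-Windows client has to be told it.)"""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def order_srv(records: List[Srv], rng: Optional[random.Random] = None) -> List[Srv]:
    """RFC 2782 selection: ascending priority; within one priority, repeatedly
    draw a record with probability proportional to its weight.  Zero-weight
    records are placed first so they are only drawn when the draw is 0."""
    rng = rng or random.Random()
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight > 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]                      # all weights zero: any order is fine
            if total:
                point = rng.randint(0, total)
                running = 0
                for r in pool:
                    running += r.weight
                    if running >= point:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def locate_dcs(answers: Dict[str, List[Srv]], domain: str, site: Optional[str] = None,
               rng: Optional[random.Random] = None) -> List[str]:
    """Emulate the locator over a name -> SRV answers table: the first name that
    has answers wins, hosts come back in the order the client should try them."""
    for name in locator_query_names(domain, site):
        records = answers.get(name) or []
        if records:
            return [r.target for r in order_srv(records, rng)]
    return []


def resolve_srv(name: str) -> List[Srv]:
    """Live lookup; build the answers table with {n: resolve_srv(n) for n in names}."""
    import dns.resolver   # third-party, imported lazily so the rest runs offline
    return [Srv(str(r.target).rstrip("."), r.port, r.priority, r.weight)
            for r in dns.resolver.resolve(name, "SRV")]


# Constructed answers for a two-site domain, shaped like a DNS server's replies.
DOMAIN = "corp.example"
SAMPLE_ANSWERS: Dict[str, List[Srv]] = {
    f"_ldap._tcp.Eindhoven._sites.dc._msdcs.{DOMAIN}": [
        Srv("dc-ehv-1.corp.example", 389, 0, 100),
        Srv("dc-ehv-2.corp.example", 389, 0, 0),
    ],
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        Srv("dc-ehv-1.corp.example", 389, 0, 100),
        Srv("dc-ehv-2.corp.example", 389, 0, 0),
        Srv("dc-remote-1.corp.example", 389, 0, 100),
    ],
}

if __name__ == "__main__":
    print(locate_dcs(SAMPLE_ANSWERS, DOMAIN, "Eindhoven"))    # site-local DCs only
    print(locate_dcs(SAMPLE_ANSWERS, DOMAIN, "NoSuchSite"))   # falls back to any DC
```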
RE: [ActiveDir] ldp in ADAM-SP1
Yeah what I was doing was setting a FC ACE for connection objects only. If you want to cover multiple objects for this you would need to specify multiple objectclasses which would result in multiple ACEs which is not a good option. Which means, use a different tool as the bugs in the current version of LDP make that difficult for this specific task. In my tests, I was specifically using LDP from ADAM SP1. But for what you want to do, use ADUC or DSACLS.

As an aside, I emailed Matheesha directly a little while ago when my first email was lost in limbo waiting to be sent out by the list. A version of LDP that doesn't have this issue should be in Longhorn when it is released. The developer quickly fixed the first bug I mentioned this morning after I pinged him and it seems the second bug had already been corrected. This folks is the power of this list. Take note.

I am not entirely positive what the Access system security is supposed to be... This is not an issue in later versions of LDP...

I would say read the chapters on security in the AD book, then if you don't have it, get and read Sakari's book as that has a great chapter on AD security and then finally if you still want to learn more, wander into the MSDN library and start reading about Security Descriptors, Access Control Lists, and Access Control Entries. Once you understand the structures and how they are represented a lot of the security stuff starts making more and more sense.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Joe

I see you were configuring Full Control (GA) for nTDSConnection objects by configuring perms on the parent nTDSDSA object. I was trying to actually configure full control to the nTDSDSA using perms on the CN=Sites object but the principal is the same I guess. The only thing is nTDSConnection objects can't have child objects can they?

Still I am having some issues repro'ing. You said your workaround was to configure on the object types. Did you mean to configure explicitly on the object or on the parent with the child's object type specified in the ACE? I can't repro here and I am not sure whether you used dsacls or ldp to repro.

And why does it not choose the Access System Security option when you edit a Full Control ACE? Is that expected? I thought full control meant everything. Not everything but Access System Security. Also how come there is no string defined for Access System Security? There is for all other access masks.

I freely admit I know very little in this arena. Any lesson offered is most appreciated. I am already reading technet and many books by the fine guys on here. I just haven't finished them yet ;-)

Thanks to everyone who's read this so far and for all the help I am offered. I truly appreciate it.

Sincerely
M@

On 7/24/06, joe [EMAIL PROTECTED] wrote:

Beautiful, this is bug week

There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would need to check in order to specify an inherit only ACE (i.e. Child Objects Only).

2. When you try to work around it and specify the actual object types to inherit to it creates two ACEs instead of one. The first ACE is the FC inherit only to the object class you specify but then there is also a FC to the object itself. In the example below note the TEST\joe ACEs... I only added a single FC for nTDSConnection objects for test\joe but got that AND the non-inheritable Test\joe FC on the object itself.

G:\dsacls \\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
Access list:
Effective Permissions on this object are:
Allow TEST\joe                           FULL CONTROL
Allow TEST\Domain Admins                 SPECIAL ACCESS
                                         DELETE
                                         READ PERMISSONS
                                         WRITE PERMISSIONS
                                         CHANGE OWNERSHIP
                                         CREATE CHILD
                                         LIST CONTENTS
                                         WRITE SELF
                                         WRITE PROPERTY
                                         READ PROPERTY
                                         DELETE TREE
                                         LIST OBJECT
                                         CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users   SPECIAL ACCESS
                                         READ PERMISSONS
                                         LIST CONTENTS
                                         READ PROPERTY
                                         LIST OBJECT
Allow NT AUTHORITY\SYSTEM
RE: [ActiveDir] [OT] Have you built an R2 Forest?
you're getting slow joe? it took you about an hour! ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of joe
Sent: Mon 2006-07-24 22:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Have you built an R2 Forest?

Settle down princess

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] Managing Third-Party Users
Thanks for your take on it, Joe. I'm finding the same thing when it comes to the ideology. It's not baked in very well yet... so trying to make a judgment on strategy is a bit difficult. :) I think I'll start looking down what Microsoft offers... problem is I'm not even sure what the competitors are ...

:m:dsm:cci:mvp | marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Saturday, July 22, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Managing Third-Party Users

Federation is the way of the future in these scenarios. I'm spending about 50% of my time at work these days helping to build out our federation infrastructure and imagine that we'll be using it extensively. We are already doing some type of federation thing with over 30 vendor-hosted apps internally (benefits, travel, surveys, etc.). However, none of these implementations are currently using any of the standard federation protocols (SAML, WS-Fed) and suffer from expensive implementations, no reusability between implementations and dubious security. We are also looking at hosting some services internally for clients and partners and using federation as a way to allow them to authenticate with their own credentials.

The big challenges right now are that with both SAML and WS-Fed as the dominant protocols out there (and WS-Fed much further behind in terms of adoption rates, but gaining due to the popularity of AD and the low cost of ADFS compared to many solutions), it is hard to say you only want to do ADFS/WS-Fed. Our approach is to try to support both for the outbound scenario, where our users are accessing a partner resource, although we are still trying to pick a SAML 2 product yet. We'll probably be more picky about WS-Fed for the opposite scenario as our guys like to use Windows token-based websites (like SharePoint) for custom dev and only ADFS has a really flexible solution for supporting this.

The big challenges are that right now, things are still pretty early adopter, so it is hard to find a lot of partners that are ready to go with their infrastructure. There isn't much expertise out there with these products yet either, so people are stumbling quite a bit. In our inbound scenario, we are looking at needing to set up an alternate account store to host the accounts of partners who aren't federation-capable yet, so that's a drag. I'm not sure the team building that app has realized yet that the cost and complexity of the identity and access management work for that account store will likely outstrip the cost of dev and maintenance on the app itself by an order of magnitude. They aren't IAM people, so they are just realizing that users of the store will need features like password change, password reset and password expiration notifications. BTW, we are using ADAM for the account store and setting it up as a separate federation account partner.

Another thing worth noting is that we already have a well-established process for provisioning accounts for external users and contractors in the corp forest and we'll continue to use that in scenarios where it is appropriate. However, we'll try to do as little as possible of that sort of thing when simple access to a few web apps is all that's needed.

All in all though, I'm pretty excited about the technology, especially ADFS. It combines my three favorite tech things, IAM, web programming and .NET, so what's not to love? :)

Joe K.

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 12:05 PM
Subject: [ActiveDir] Managing Third-Party Users

My trusted directory resource,

I don't remember if this came up on a previous post, but don't recall seeing the topic. As things become more and more integrated w/ some form of ldap authentication against a common directory, the necessity for managing outside vendors, contractors, etc. is becoming a larger and larger task. If you're in a situation where the vendor has a large population of users that require access, with incredible churn, this becomes a big issue.

I'm curious what, if anything, anyone else is doing to use some sort of federated system so that user management is left in the hands of the third-party companies. I'm curious also if anyone is aware of any consulting groups that have done this sort of thing w/ an agnostic approach that can fit most environments. I'd love to get an idea of where the industry is heading with this sort of thing. I'm sure the topic probably came up at DEC which I didn't have the luxury of attending.

Thanks all!

marcus c. oh | cox communications, inc. | 404.847.6117 | marcusoh.blogspot.com

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] Securing DFS
We built a DFS Root on a windows 2000 domain controller and the root of the share has Everyone Full Control. E.g. if I go to \\domain.com, right click on the dfs root's properties, the security tab. Can I simply take FC away? I'm a bit hesitant because it lives on the DC and came this way by default.

Bryan Lucas
Server Administrator
Texas Christian University
RE: [ActiveDir] Securing DFS
I have never had any problems caused by changing permissions on a DFS root. One thing to consider before you move too far down the road of configuration though is if you really want to invest in a 2000 DFS structure when the 2003 R2 DFS structure is so much more robust and reliable. I have had and heard of countless problems with 2000 DFS. I have not had any problems with 2003 R2 DFS at all. If you decide to move forward with 2000 DFS, be aware that they will probably stop replicating occasionally. You will then spend hours troubleshooting. Seriously it is worth building this on 2003 R2 servers even if you don't currently have any, if you are doing anything with DFS. I know that is not what you are asking, sorry. Anyone disagree?

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 24, 2006 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS

We built a DFS Root on a windows 2000 domain controller and the root of the share has Everyone Full Control. E.g. if I go to \\domain.com, right click on the dfs root's properties, the security tab. Can I simply take FC away? I'm a bit hesitant because it lives on the DC and came this way by default.

Bryan Lucas
Server Administrator
Texas Christian University
RE: [ActiveDir] ldp in ADAM-SP1
Re Access System Security checkbox. We removed it from the latest versions of ldp.exe because it does not do what you want. Even if you grant this right to some principal, he will still be unable to read or tweak the SACLs. The only way to be able to do this is to grant SE_ACCESS_SYSTEM_SECURITY privilege. You do this from gpedit.msc (security settings/User rights assignments).

On a more general note -- yes, AD security is a mess to manage and to understand. We are trying to improve it, but it is a super super difficult task. Not only are the rules difficult to understand and numerous, but we also need to respect the existing security setups which use weird ACLs. There were several attempts to improve things, but I don't believe we are getting closer, mostly due to backward compatibility issues, as well as due to the need to introduce new rules (such as confidentiality bit and many new control access rights).

BTW, the Delegation Wizard is considered to be the entry-level ACLing tool. Alas, it does not work for ADAM.

Dmitri

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 24, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1
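An ACL audit for the symptom in joe's dsacls listing (the intended inherit-only full-control ACE for nTDSConnection objects next to a stray full-control ACE on the nTDS Settings object itself), together with Dmitri's point that the ACCESS_SYSTEM_SECURITY bit does not give SACL access; this is an added example, not the list's or Microsoft's code, and its SIDs and object-class GUID are constructed placeholders:

```python
"""SDDL ACE decoding plus an audit for the ldp symptom joe shows with dsacls:
asking for one full-control ACE that applies only to child nTDSConnection
objects and ending up with a second, non-inherit-only full-control ACE on the
nTDS Settings object itself.  It also flags ACEs carrying the
ACCESS_SYSTEM_SECURITY bit, which Dmitri notes does not give SACL access (that
needs the SE_ACCESS_SYSTEM_SECURITY privilege from user rights assignment).
Added example, not the list's or Microsoft's code; the SIDs and the
object-class GUID in the sample DACL are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Two-letter SDDL rights and their access-mask bits (Windows SDK values).
RIGHTS: Dict[str, int] = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
}
FULL_CONTROL_MASK = 0x000F01FF      # what dsacls prints as FULL CONTROL when spelled out
ACCESS_SYSTEM_SECURITY = 0x01000000  # has no SDDL letter pair; only appears as a hex mask
ACE_FLAGS = {"CI", "OI", "NP", "IO", "ID", "SA", "FA"}


@dataclass(frozen=True)
class Ace:
    ace_type: str             # A, D, OA, OD, AU, ...
    flags: Set[str]
    mask: int
    object_guid: str          # property, extended right or class the ACE is limited to
    inherit_object_guid: str  # child object class that inherits the ACE
    trustee: str

    @property
    def inherit_only(self) -> bool:
        return "IO" in self.flags

    @property
    def inherited(self) -> bool:
        return "ID" in self.flags

    @property
    def full_control(self) -> bool:
        return bool(self.mask & RIGHTS["GA"]) or (self.mask & FULL_CONTROL_MASK) == FULL_CONTROL_MASK


def _pairs(text: str, table) -> List[str]:
    """Split a run of two-letter SDDL tokens, rejecting anything not in `table`."""
    if len(text) % 2:
        raise ValueError(f"odd-length SDDL token {text!r}")
    out = [text[i:i + 2] for i in range(0, len(text), 2)]
    bad = [p for p in out if p not in table]
    if bad:
        raise ValueError(f"unknown SDDL token(s) {bad}")
    return out


def parse_rights(text: str) -> int:
    """'GA', 'RPWPCC' or a hex mask such as '0x01000000'."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for pair in _pairs(text, RIGHTS):
        mask |= RIGHTS[pair]
    return mask


def parse_dacl(sddl: str) -> List[Ace]:
    """Parse every '(type;flags;rights;object_guid;inherit_object_guid;sid)' ACE
    in a DACL string; the leading 'D:' and its control flags (P, AI, ...) are skipped."""
    aces = []
    for inner in re.findall(r"\(([^)]*)\)", sddl):
        fields = inner.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE {inner!r}")
        ace_type, flags, rights, guid, inherit_guid, sid = fields
        aces.append(Ace(ace_type, set(_pairs(flags, ACE_FLAGS)), parse_rights(rights),
                        guid.lower(), inherit_guid.lower(), sid.upper()))
    return aces


def audit_child_scoped_full_control(aces: List[Ace], trustee: str,
                                    child_class_guid: str) -> Dict[str, List[Ace]]:
    """Split a trustee's explicit full-control ACEs into the intended one (inherit-only,
    scoped to the child class) and stray ones that apply to the object itself, which
    is exactly the extra ACE ldp created in joe's test."""
    mine = [a for a in aces if a.trustee == trustee.upper() and a.ace_type in ("A", "OA")
            and a.full_control and not a.inherited]
    intended = [a for a in mine if a.inherit_only and a.inherit_object_guid == child_class_guid.lower()]
    stray = [a for a in mine if not a.inherit_only]
    return {"intended": intended, "stray": stray}


def aces_relying_on_access_system_security(aces: List[Ace]) -> List[Ace]:
    """ACEs that carry the bit which does not actually grant SACL access."""
    return [a for a in aces if a.mask & ACCESS_SYSTEM_SECURITY]


# Constructed DACL mirroring the dsacls listing: the intended child-only ACE for
# TEST\joe, the unintended explicit one, and an ACE that only sets the SACL-access bit.
JOE_SID = "S-1-5-21-1000-1000-1000-1105"                       # placeholder
CONNECTION_CLASS_GUID = "12345678-0000-0000-0000-000000000000"  # placeholder, not the real schemaIDGUID
SAMPLE_DACL = ("D:AI"
               f"(OA;CIIO;GA;;{CONNECTION_CLASS_GUID};{JOE_SID})"
               f"(A;;GA;;;{JOE_SID})"
               "(A;;0x01000000;;;S-1-5-21-1000-1000-1000-1200)")

if __name__ == "__main__":
    found = audit_child_scoped_full_control(parse_dacl(SAMPLE_DACL), JOE_SID, CONNECTION_CLASS_GUID)
    print("intended:", len(found["intended"]), "stray:", len(found["stray"]))   # intended: 1 stray: 1
```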
RE: [ActiveDir] Reset home page via GPO
Look here: http://technet2.microsoft.com/WindowsServer/en/library/1f105ee4-b025-478c-a03e-77fcd91a64e41033.mspx?mfr=true

-Original Message-

This IE setting can be applied via policy mode or preferences mode. Policy mode is what you normally think of when configuring GPO settings in that it'll be reset if a user ever changes it. Preferences mode only changes the initial value but allows the user to change it afterwards if they like without having it switch back each time GPOs are applied. Instead, it is only reset if the GPO itself is modified.

I can't seem to find those distinctions. I'd love to be able to reset everybody's home page just for their initial login after all the training is done, and let them reset it if they want to, and let it stay that way. I see where you can set it as enforced which I did not do, but our testing shows that every time somebody logs off and then on again, they'll get the intranet start page regardless of whether they changed it or not.
RE: [ActiveDir] [OT] Have you built an R2 Forest?
Not working today, just running around doing errands and popping in and looking at email occasionally. The rest of the week I will probably be even slower. I decided to take the week off and get caught up on things that I have been putting off.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, July 24, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Have you built an R2 Forest?

you're getting slow joe? it took you about an hour! ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address
[ActiveDir] Mail Run
Does anybody have recommendations for what attribute to store a user's mail run in? I'm looking for something that shows up in the GAL but I'm drawing a blank. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] ldp in ADAM-SP1
Al is correct. There is no QFE number at this point. The first step would be to present a solid business case and then Microsoft would officially review it and determine if a QFE, which would mean an official back port, makes sense. A QFE is an official release and takes some work to get done so there has to be good justification behind it. The more I think about this, the tougher I think it would be to get a QFE for LDP. But again if you have the business case, it might get through.

So is this a case of simply wanting it or this is the only way? From what I have heard it doesn't sound like this is the only way to go forward but I am not sure if I know everything required. What I see right now is

> objects by configuring perms on the parent nTDSDSA object. I was trying to actually configure full control to the nTDSDSA using perms on the CN=Sites object but the principal is the same I guess. The only thing is nTDSConnection objects can't have child objects can they?

which doesn't really tell me what you are trying to do. Are you trying to delegate the ability to manipulate connection objects or ntdsdsa objects or what? If you are trying to just delegate those two pieces and trying to do it from the sites level on down, you will have to use at a minimum two ACEs, one for ntdsdsa objects and one for connection objects. Alternately you will have to add an ACE at the ntdsdsa object level under every server and every site.

Again, all of the ACL tools have different shortcomings; there is no one tool that handles everything perfectly from MSFT at this point in time, and even LDP, which is one of the more flexible tools after the mentioned bug fixes, is still going to fall short in people's eyes because the interface is too low level for some people. This is where the next piece, on terms and names, comes in.

RE: terms and names and etc, yes, it is all over the map.
Asking questions of WHY is this named that and the same thing named something else in another tool are going to feel good to ask but aren't likely to be answered because it isn't constructive to answer those questions. Yes security is tricky and messy and everyone understands that and attempts are being made to make it better, but as Dmitri indicated and I indicated, it isn't easy. There are a lot of special cases to take into account and trying to force one good easy solution at this point has potential to break a lot of things which will just instigate more WHY questions. Even from the start the flexibility built into the ACLing model made it complex; it has only gotten more so as people demanded more granularity and capability.

I can say the same things about my tools and they are ultra simple next to something like the permissioning model. But as I or others pushed for more features and capability and I actually added it, complexity increased considerably to the point where I am at some point going to release a whole new version of the tools based on a whole new code base or framework. This is "easy" for me to do relative to Microsoft as my support base is not even a rounding error to the MSFT support base and it still will be quite hard.

So why is it SW in SDDL and WS in DSACLS? Answer: because that is the way it is. :) Read permissions could be stated as Read Permissions or Read Properties or Read Control or just Read or circumflexuremititis whatever. Why? See above. The actual reason behind "because" could be lots of things - it depends. You would need to talk to the developers of each component. I expect it wasn't a mass conspiracy to confuse anyone. More likely it is actually dev people trying to help others with maybe more descriptive terms or possibly they didn't fully understand the thing themselves in the first place. As Dmitri mentioned with the "Access system security", they put it in and found out later things just didn't work the way they expected.
Heck if they had asked me I could have told them it doesn't work that way; it could break the security model if it did. However I wasn't asked. On the contrary though, there are probably a ton of other things I would have done wrong that I wasn't aware of because I didn't have a chance to experience them. I got a chance to read something from Guido recently on some ACL stuff and it completely stunned me and made me bang my head on the desk for a little bit. It is a complex complex product and complex complex security model. Though to be blunt, I don't think I have seen a simple but flexible and granular security model yet that lends itself both to easy programming and easy user comprehension. At this point you have it easy, you are only looking at AD permissions. Once you step out from that tiny little aspect of where this ACLing is used you start to see all sorts of fun stuff where different bits mean different things in ACLs for different objects and in some cases another completely different mechanism
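The two-ACE delegation joe describes above (one ACE for nTDSDSA objects and one for nTDSConnection objects, inherited from CN=Sites down instead of an ACE under every server in every site), as an added PowerShell example. It is not code from the thread or from any poster, and it uses System.DirectoryServices rather than LDP or DSACLS. The group name is an assumption; the two class GUIDs are looked up from the schema at run time rather than hard-coded, and nothing is written unless -Apply is passed.

```powershell
# Added example, not from the thread. Grants a group GenericAll on every
# nTDSDSA and nTDSConnection object below CN=Sites with two inherit-only,
# class-scoped ACEs. Run as an Enterprise Admin. Dry run unless -Apply.
param(
    [string]$GroupName = "CONTOSO\Replication Admins",   # assumption: your delegated group
    [switch]$Apply
)

Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

function Get-SchemaClassGuid {
    # Resolve a class's schemaIDGUID from the schema partition so the ACE's
    # inheritedObjectType matches this forest rather than a pasted constant.
    param([string]$LdapDisplayName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $searcher.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Class $LdapDisplayName not found in $schemaNc" }
    New-Object System.Guid -ArgumentList (,[byte[]]$result.Properties["schemaidguid"][0])
}

$sites = [ADSI]"LDAP://CN=Sites,$configNc"
$sid   = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
             [System.Security.Principal.SecurityIdentifier])
$sd    = $sites.ObjectSecurity

foreach ($class in "nTDSDSA", "nTDSConnection") {
    $classGuid = Get-SchemaClassGuid -LdapDisplayName $class
    # Inheritance "Descendents" produces an inherit-only ACE; the GUID limits
    # it to descendant objects of that one class. Two classes, two ACEs.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)
    $sd.AddAccessRule($ace)
    "ACE: $GroupName Allow GenericAll on descendant $class objects (schemaIDGUID $classGuid)"
}

if ($Apply) {
    $sites.CommitChanges()
    "Two ACEs written to CN=Sites,$configNc"
} else {
    "Dry run only; rerun with -Apply to write the ACEs to CN=Sites,$configNc"
}
```

Before applying, dump the resulting SDDL with `$sd.GetSecurityDescriptorSddlForm("Access")` and confirm the two new entries carry the OA/CIIO flags and the expected inherited-object GUIDs; that is the same information DSACLS and LDP show under their own names, which is the naming mismatch the message above is complaining about.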