Re: [ActiveDir] R2 In-Place Upgrade bug ?
Kurt - I've put several machines into the same switch and fabric of switches. All devices are on the same VLAN, the default VLAN. Not one machine on the same subnet can ping this box. I even switched ports and statically added its MAC address to the switch. I ran a trace on the server and noticed that it was receiving an ECHO request from the server to the testing machine, but it didn't send a response to the box. The only time the server sent a response was when it initiated a ping. The problem server can communicate with all other hosts. There are no problems with replication; I have successfully run repadmin /replsum and repadmin /showreps numerous times. I've applied the following hotfix (even though the server does respond to ping from VPN sites): http://support.microsoft.com/kb/899657/

Under the advice of the Dell engineer, I've even tried this: http://support.microsoft.com/default.aspx?scid=kb;en-us;325356 but couldn't, because it was hosting DNS, DHCP, WINS and Print Services for UNIX, and TCP/IP won't uninstall until those services are not present.

On 7/30/06, Kurt Falde wrote: Is this on a separate network segment than the other boxes that you're utilizing to ping it? If not, I would say make sure you put a laptop into a switch port that you are positive is in the same VLAN as this server and start doing some testing there to ping the server. Have you taken a network trace on the server side to see if you see any of these connections getting to the server, but the response not getting back to the originator? Kurt Falde

From: HBooGz, Sent: Sunday, July 30, 2006 6:36 PM, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? Anywhere I can possibly look? I'm running out of options and I have a long week ahead with Microsoft PSS and Dell. On 7/29/06, HBooGz wrote: Back to square one, I presume?

On 7/29/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: I think you are right. I remember now they sucked in that fix to a later security bulletin.

HBooGz wrote: Thank you. So it looks like I should get the hotfix related to this article: http://support.microsoft.com/kb/898060 but it says in that article that the download supplied is superseded by the hotfix I applied already: "Security update 913446 (security bulletin MS06-007) supersedes this update (898060)." So which hotfixes do I really need? What's the mystery is why the clients and servers outside the subnet connecting via VPN can ping this server by name and IP successfully.

On 7/29/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: The trick here is to go to the bulletin and check the caveats section: http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx which links to http://support.microsoft.com/kb/893066 which points to:
• Network connectivity between clients and servers may not work after you install security update MS05-019. For more information, see KB 898060 (http://support.microsoft.com/kb/898060/): "Installing security update MS05-019 or Windows Server 2003 Service Pack 1 may cause network connectivity between clients and servers to fail."
• For more information, see KB 898542 (http://support.microsoft.com/kb/898542/): "Windows Server 2003 systems using IPsec tunnel-mode functionality may experience problems after you install the original version of 893066."

HBooGz wrote: I applied the one related to the article ending with MS06-007.mspx (http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx). Do you happen to have the hotfix for the other article?

On 7/29/06, Kurt Falde wrote: I would definitely get the tcpip.sys hotfixes applied, as this sounds very symptomatic of MS05-019 issues. Kurt Falde, sent from my Windows Mobile phone.

-----Original Message----- From: HBooGz, Sent: 7/29/06 10:58:58 AM, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? I applied no post-SP1 fixes, but I would imagine it's worth a try. Do you guys want to hear something even more mind-boggling? I can ping the server from workstations
Re: [ActiveDir] bulk user creation
Sharif Naser wrote: Hello All, I have around 350 users to be created with their mailboxes in Windows 2003. What is the best way to automate the process or delegate this job to two account operators? Any suggestions are highly recommended.

There are a number of ways to achieve this, but you can script it. Simple script for bulk creation of users based on a semicolon-separated text file: http://www.w2k.pl/tech/sample2_5.txt and here is an example of how to create a mailbox in two different ways: http://www.w2k.pl/tech/sample2_6.txt http://www.w2k.pl/tech/sample2_6_1.txt -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
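One way to do the bulk user part without a live LDAP connection from the script is to turn the semicolon-separated file into LDIF and import it with ldifde. The following is an added example for this thread, not the script Tomasz links and not anything from the list: the input rows, the target OU (OU=Staff,DC=company,DC=com) and the UPN suffix (company.com) are constructed for illustration, and mailbox provisioning (the second and third links above) is not covered. It writes the accounts disabled (userAccountControl 514) on purpose, because ldifde cannot set unicodePwd over plain LDAP and an enabled account with no password is refused where the domain password policy requires one; passwords are set and the accounts enabled in a second step.

```python
"""Generate an LDIF file for bulk user creation from a semicolon-separated
text file, to be imported with:  ldifde -i -f users.ldf

Added example for this thread; it is not the script Tomasz links. The input
below is constructed and the target OU / UPN suffix are assumptions.
"""
import base64
import csv
import io

# Constructed input: the same shape as a semicolon-separated export from HR.
SAMPLE_INPUT = """sAMAccountName;givenName;sn;department
jsmith;John;Smith;Sales
mmuller;Marie;Müller;Finance
"""

# ACCOUNTDISABLE (2) | NORMAL_ACCOUNT (512). ldifde cannot set a password over
# plain LDAP (unicodePwd needs LDAPS), and a normal account with no password
# is rejected when the domain password policy demands one, so create the
# accounts disabled, set passwords, then enable them.
UAC_DISABLED_NORMAL = 514


def ldif_attr(attr: str, value: str) -> str:
    """Emit 'attr: value', or 'attr:: base64' when LDIF rules require it
    (non-ASCII, leading space/colon/'<', trailing space, or newlines)."""
    needs_b64 = (
        not value.isascii()
        or value[:1] in (" ", ":", "<")
        or value.endswith(" ")
        or "\n" in value or "\r" in value
    )
    if needs_b64:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def escape_rdn(value: str) -> str:
    """Escape the characters RFC 4514 reserves inside a DN component."""
    escaped = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def user_entry(row: dict, ou_dn: str, upn_suffix: str) -> str:
    """Build one LDIF 'add' record for a user row."""
    sam = row["sAMAccountName"].strip()
    if not sam or len(sam) > 20:  # pre-Windows 2000 logon name limit
        raise ValueError(f"invalid sAMAccountName: {sam!r}")
    cn = f"{row['givenName'].strip()} {row['sn'].strip()}"
    lines = [
        ldif_attr("dn", f"CN={escape_rdn(cn)},{ou_dn}"),
        "changetype: add",
        "objectClass: user",
        ldif_attr("cn", cn),
        ldif_attr("sAMAccountName", sam),
        ldif_attr("userPrincipalName", f"{sam}@{upn_suffix}"),
        ldif_attr("givenName", row["givenName"].strip()),
        ldif_attr("sn", row["sn"].strip()),
        ldif_attr("displayName", cn),
        f"userAccountControl: {UAC_DISABLED_NORMAL}",
    ]
    if row.get("department", "").strip():
        lines.append(ldif_attr("department", row["department"].strip()))
    return "\n".join(lines)


def build_ldif(text: str, ou_dn: str, upn_suffix: str) -> str:
    """Parse the semicolon-separated text and return the complete LDIF."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return "\n\n".join(user_entry(r, ou_dn, upn_suffix) for r in reader) + "\n"


if __name__ == "__main__":
    print(build_ldif(SAMPLE_INPUT, "OU=Staff,DC=company,DC=com", "company.com"))
```

Delegating the import to account operators then only needs rights on the target OU; the sAMAccountName length check and the RFC 4514 escaping are the two things that most often make an ldifde run stop half-way through a large file.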
RE: [ActiveDir] Read-Only Domain Controller and Server Core
You're right Joe that the RODC PAS would complicate things for the developers. The easy solution would be for developers to use the writeable flag when connecting to a DC; then they'd be guaranteed to not get an RODC. But even that isn't a great solution, and if we get the RODC GC it only becomes more complex. For general background though, the justification for the RODC PAS DCR is actually that there are numerous attributes which contain password hash, or password-like, data. Because these attributes aren't part of the pre-defined list of secrets, they are replicated normally rather than on-demand via the PRP. It wouldn't do me much good to prevent replication of 5 password attributes when a 6th one which also includes a hash gets pushed down through normal replication. There needs to be a way for an administrator to define where these secrets live and protect them accordingly. I've broached the topic of using this method to protect PII data a couple of times in relation to some RODC work we're doing internally, and the response is always that it's firmly in the realm of "unsupported", followed with a "that'd be a bad idea" and some serious head shaking, simply because of the way applications behave. Brian

From: joe, Sent: Sunday, July 30, 2006 5:08 PM, To: ActiveDir@mail.activedir.org, Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

I am not sure if I understand where you are going, but let me explain where I am coming from. First, the passwords being there or not being there is not important for this talk; that is already built in and will be there. Now the discussion is around "everything" versus an RODC PAS. "Everything" is already there as well but is an important option because it will be the most used option.

Actually I expect to see a ton of RODCs deployed that are configured as "replicate everything including passwords" so that people get the RO part of the benefit and they don't have to worry about replicating bad stuff back into the real directory, and don't have to worry about password caching management: if someone logs on somewhere, the password is cached there, Bob's your uncle, have a nice day. So now we get down to replicating a portion of the normal attribute set. Why would you want to do this? Because you want to minimize the traffic to WAN sites and/or reduce the info in some locations in case of compromise. For instance, if the email addresses of everyone in the company aren't on a DC in a WAN site and someone steals that DC hoping to get those email addresses, they are SOL; they missed. However, now think about this from an application developer standpoint, and it is the same issue that exists with GCs, only worse because it is DCs. If an app developer wants to find something, they need to understand what they can actually find in the GC in terms of what attributes are populated. Maybe they (a) put in a requirement and hope people follow it, maybe they (b) actually try to verify it, maybe they (c) say "screw that" and query a DC instead because they know all of the data is there for a full query. From what I have seen, the likely cases for an app that can handle any query are C, A, and in the absolute blue-moon case B. Usually the app will just fail to find what it needs if you specify an attribute that isn't in the GC. How does Exchange do it??? So there are hybrids, where certain things that people KNOW will always be in the GC PAS are set up so that queries using those things will use a GC and everything else will go to a DC. We already know that the same override that exists for the GC PAS would have to exist for an RODC PAS, so why not just make that the other option and be done with it?

I don't really see the majority of developers doing this any better with RODCs than they do with GCs, and so it seems like a lot of make-work to allow for the flexible handling of that if you just say these are the options. Again, also the password thing isn't even worried about at the app level since apps can play with those anyway. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: Al Mulnick, Sent: Sunday, July 30, 2006 6:57 PM, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] Read-Only Domain Controller and Server Core

Um, why? What value at this point? Last I checked it supports limited applications that might want that information. And if you follow ~Eric's logic, they want to be secure out of the box. That would indicate that they want it to be as minimal as possible until and unless told otherwise. To put that information in there by default might be counter to that. Now, if you had some templates or something so that we didn't have to work on the carpal tunnel, that would be something :) On 7/30/06, joe [EMAIL
RE: [ActiveDir] Read-Only Domain Controller and Server Core
RODCs do NOT replicate a subset of objects. Right now they basically replicate everything a normal DC has (i.e. the full domain NC, config and schema), less the password hashes of any users. The OU vs. group discussion was solely around configuring the so-called Password Replication Policy (bad name) for an RODC, and after discussing this here and offline, doing various tests and elaborating on possible usage scenarios, I agree that configuring this policy by OU doesn't really give you enough flexibility. I would actually love to configure it by an LDAP query leveraging any appropriate attributes, but this is simply too resource-intensive during the authentication. Leveraging groups gives us the option to automatically provision the memberships appropriately though. Don't forget, you'll have to do this for users and computers.

Why is Password Replication Policy a bad name? Because that's not what it does; calling it Password Caching Policy would be more appropriate, as an RODC would never store a user's pwd hash unless he has logged onto that RODC. Once the pwd is changed, an RODC will NOT update the hash; it will only be updated the next time a user uses that same RODC. I don't mind this mechanism; it provides an automatic cleanup mechanism and thus lowers the attack surface if a policy allowed many RODCs to cache a user's pwd. But the name "Replication Policy" suggests that an RODC would actually replicate the new password when it is changed on a WDC (writeable DC), which is confusing.

Replicating only parts of a tree (i.e. only specific OUs) would be a totally different story, which I also hope to see in the future (but won't be part of this version of RODC). However, RODCs will also be able to replicate the GC partitions (making them an ROGC), but from what I understand this will only be sufficient for authenticating, not to be used as a GC for Exchange (I guess since Exchange simply needs that writeable domain partition). So placing an ROGC in a remote site will not be sufficient if you also have an Exchange server in that site. Exchange 2007 edge servers are yet another different story; not sure if they can benefit from RODCs. /Guido

From: Paul Mayes, Sent: Monday, July 31, 2006 1:39 AM, To: activedir@mail.activedir.org, Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

Apologies, as I'm reading in digest. But I just wanted to chip something into this surrounding OUs versus groups, as it was something that I've been thinking about on my mind-numbing commute. I understood that RODCs could be configured to be a read-only subset of objects (users) from the writeable AD, or that you could set them to cache, which would also be useful to catch the user population at a given site if this was unknown. I remember there being a long discussion at the back of DEC about people wanting the subset replication to be based around OUs rather than groups, and lots of people being quite passionate about it. The thing that struck me was how would you then deal with group membership where the group was sat in a totally different part of the tree? Somehow you've got to get that closed set to work with, which is very loosely linked to migration strategies. (Blimey, I must have paid attention on that migration course all of those years ago.) And then you've got constraints on OU structures if they are now partitions for replication in some capacity. How wrong is this understanding? If it's kind of right, then at some point in the future are we going to see multiple domain partitions hosted on DCs? 'Cos that would be nice, as well as the ability to replicate subsets as read-only, where a GC could hold writeable copies of domain partitions that weren't from its particular domain in the forest, etc. Mmm, DC consolidation, the possibilities! Then going more OT.

There were also rumblings about ROGCs so that they didn't contain sensitive info and could be used purely for email purposes without the baggage of a full-fat DC. Is this correct, and how does this relate to Exchange 2007 and its Edge servers, which from what I can gather are looking to suck bits of the AD into an ADAM for kind of the same purpose as an ROGC would perform? I may be totally babbling now.

RE: [ActiveDir] Read-Only Domain Controller and Server Core, From: Grillenmeier, Guido, Date: Sat, 29 Jul 2006 17:14:51 +0100

Al, that's basically getting back at what Eric said, and the more I think about it, the more I have to agree: there is only a certain percentage of companies that are able to set up an OU structure by geography, and certainly no single OU structure will fit all companies. I have myself worked with quite a lot of customers where OUs by location made sense, but also some that had a mix of location OUs for computers and business-unit OUs for users. And others simply adjust it to their helpdesk model
RE: [ActiveDir] Read-Only Domain Controller and Server Core
Not sure if it makes sense, but this could potentially be combined with the confidential flag: RODCs wouldn't cache any confidential attributes, unless a "Confidential Data Caching Policy" would allow them to do so. The confidential flag is already used by the Digital Identity Management Service (DIMS) for the Credential Roaming feature. And instead of adding yet another flag to differentiate attributes which contain secrets or sensitive data, this may just be the right flag. Granted, none of this will make life easier for app developers. /Guido

From: Brian Puhl, Sent: Monday, July 31, 2006 10:05 AM, To: ActiveDir@mail.activedir.org, Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core
Re: [ActiveDir] DNS suffix resolution..
I assume you are using WINS and the DCs of child and parent domains are registered there. Therefore the NetBIOS names are resolving. What happens when you try to ping the FQDN of the child domain server? Does that work? I think your issue is you want the child domain suffix to be appended automatically. My understanding is that it doesn't happen by default. However, the reverse is true. If you are in a child domain and ping or attempt to resolve a name, it tries its own domain suffix before attempting to append the parent domain suffixes. This is true as long as you haven't disabled the default behaviour, haven't modified this through GPOs etc. You can also specify a list of search suffixes to go through in a certain order if you wish. M@

On 7/30/06, HBooGz wrote: I have a forest with one forest root and one child domain. The child domain is running Windows 2000 SP4 and the HQ sites are running Windows 2003 R2 Standard. I have the child domain controller set up with an AD-integrated zone and I have the 2003 DNS servers set up to receive that zone as a secondary zone. If I don't include the suffix search order on the NIC's DNS entry page, I just resolve the NetBIOS names of the hosts at the remote site. For example: HQ = company.com, child domain = sales.company.com. When I initiate a ping from any host at HQ to a host in the child domain I only resolve the NetBIOS name. How can I resolve this? I've tried setting up DNS name delegation in the past when I was running a full 2000 domain, but that name resolution never worked right and it wasn't timely. Thanks, -- HBooGz:\
RE: [ActiveDir] DNS suffix resolution..
Just a quick addition - if suffixes are defined then the default (devolution) behaviour is disabled, i.e. you can have one or the other and not both! As a result, you need to carefully pick and choose which suffixes are added; if the host specified is not found using one of the defined suffixes, then the attempt will fail (assuming WINS is not used). Examples below:

Devolution (default; machine lives in aaa.bbb.ccc.com): ping bob (assume bob is registered in ccc.com)
DNS client attempts bob.aaa.bbb.ccc.com, then
DNS client attempts bob.bbb.ccc.com, then
DNS client attempts bob.ccc.com ***success***

Suffixes (suffixes aaa.bbb.ccc.com and bbb.ccc.com added):
DNS client attempts bob.aaa.bbb.ccc.com, then
DNS client attempts bob.bbb.ccc.com
No further attempts and the operation fails.

hth, neil

From: Matheesha Weerasinghe, Sent: 31 July 2006 10:14, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] DNS suffix resolution..
Re: [ActiveDir] DNS suffix resolution..
Just as an FYI: if you specify a suffix search list it will override the appending of the parent suffixes of the primary DNS suffix. So if you just specify domain2.domain1.com and domain3.domain1.com, and not domain1.com, it will not search domain1.com since it is not specified in the Suffix Search List. So if you want to still search the parent suffix, be sure to include it in the SSL. Jef

----- Original Message ----- From: Matheesha Weerasinghe, To: ActiveDir@mail.activedir.org, Sent: Monday, July 31, 2006 4:13 AM, Subject: Re: [ActiveDir] DNS suffix resolution..
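The rule Neil and Jef describe (devolution walks the primary suffix up one label at a time and stops at the second-level domain; a configured search list switches devolution off and tries only what is listed) is easy to get wrong when planning a GPO, so here is a small model of the Windows DNS client's name qualification. This is an added example written for this thread, not code from any of the posters or from Microsoft: the record table is constructed, connection-specific suffixes are ignored, and the suffixes reuse the thread's own examples (aaa.bbb.ccc.com, company.com and sales.company.com). The last two cases are HBooGz's situation: a host whose primary suffix is company.com never tries the child domain on its own, so sales.company.com must be listed explicitly, and company.com must be listed with it or the parent stops resolving.

```python
"""Model of how the Windows DNS client qualifies an unqualified name.

Added example for this thread (not code from any of the posters). The
record table is constructed; the suffixes mirror the examples in the thread
(aaa.bbb.ccc.com and company.com / sales.company.com). Connection-specific
suffixes are not modelled.
"""
from typing import Dict, List, Optional, Tuple


def devolution_candidates(name: str, primary_suffix: str, min_labels: int = 2) -> List[str]:
    """Default behaviour when no suffix search list is configured.

    The primary DNS suffix is appended first; then one leading label is
    stripped at a time ("devolution") until fewer than min_labels labels
    remain. A host in aaa.bbb.ccc.com tries bob.aaa.bbb.ccc.com,
    bob.bbb.ccc.com and bob.ccc.com, but never bob.com. Devolution only
    walks UP the tree: a host in company.com never tries sales.company.com.
    """
    labels = primary_suffix.strip(".").split(".")
    candidates = []
    while len(labels) >= min_labels:
        candidates.append(f"{name}.{'.'.join(labels)}")
        labels = labels[1:]
    return candidates


def search_list_candidates(name: str, search_list: List[str]) -> List[str]:
    """Behaviour once a DNS suffix search list is defined.

    Devolution is switched off: only the listed suffixes are tried, in the
    order given. A parent domain that is not in the list is never tried.
    """
    return [f"{name}.{suffix.strip('.')}" for suffix in search_list]


def resolve(candidates: List[str], records: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Walk the candidate FQDNs in order; return the first hit as (fqdn, address)."""
    for fqdn in candidates:
        if fqdn in records:
            return fqdn, records[fqdn]
    return None


# Constructed zone data, not real hosts.
RECORDS = {
    "bob.ccc.com": "10.1.1.5",
    "dc1.sales.company.com": "10.2.0.10",
}


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Run the thread's scenarios; returns the resolved (fqdn, address) or None for each."""
    return {
        # Neil's example: devolution from aaa.bbb.ccc.com finds bob in ccc.com ...
        "devolution": resolve(devolution_candidates("bob", "aaa.bbb.ccc.com"), RECORDS),
        # ... but a search list that omits ccc.com fails.
        "search_list_no_parent": resolve(
            search_list_candidates("bob", ["aaa.bbb.ccc.com", "bbb.ccc.com"]), RECORDS),
        # HBooGz's case: an HQ host in company.com never devolves DOWN into sales.company.com ...
        "hq_devolution": resolve(devolution_candidates("dc1", "company.com"), RECORDS),
        # ... so the child suffix must be listed, together with the parent (Jef's point).
        "hq_search_list": resolve(
            search_list_candidates("dc1", ["company.com", "sales.company.com"]), RECORDS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

Feeding a candidate search list through search_list_candidates before pushing it out by GPO shows at a glance which parent or sibling domains silently drop out of resolution once devolution is off.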
[ActiveDir] W2K3 Upgrade Domain Controller or Exchange Servers?
All, we are rounding home base in our upgrade path to 2K3 and have our Exchange Server cluster running W2K and EXCH2K, and our domain controllers to upgrade lastly. Which of them would you think would be the best to upgrade first? We thought to upgrade the DCs first because it takes care of the extension of the schema and all, which has to be done prior to EXCH2K3 anyhow. I can't think of a reason not to upgrade the domain controllers before the Exchange server. Can anyone else? Thanks, Nate
RE: [ActiveDir] R2 In-Place Upgrade bug ?
Check your antivirus software to make sure it doesn't include some sort of pseudo-firewall feature. Also make sure the built-in firewall isn't enabled.

From: HBooGz, Sent: Monday, July 31, 2006 1:15 AM, To: ActiveDir@mail.activedir.org, Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ?
Re: [ActiveDir] DNS suffix resolution..
Hey -

From the machines, I can definitely ping the FQDN.

If you have hundreds, even thousands of workstations, the easiest way to distribute the DNS suffix search order listing is through group policy?

If you don't have a WINS server specified and don't have the DNS suffix search order, then name resolution won't work by simply typing in the NetBIOS name -- that can't be default behavior for a Windows domain that purportedly doesn't need WINS. It's for this purpose I still use WINS.

How are your clients' TCP/IP properties set at child domains? At HQ sites?

I'm curious to know how other admins are setting up DNS/TCP-IP properties in their network/domain.

On 7/31/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Just as an FYI: if you specify a suffix search list it will override the searching of appending the parent suffix of the primary DNS suffix. So if you just specify:

domain2.domain1.com
domain3.domain1.com

and not domain1.com, it will not search domain1.com since it is not specified in the Suffix Search List. So if you want to still search the parent suffix, be sure to include it in the SSL.

Jef

- Original Message -
From: Matheesha Weerasinghe
To: ActiveDir@mail.activedir.org
Sent: Monday, July 31, 2006 4:13 AM
Subject: Re: [ActiveDir] DNS suffix resolution..

I assume you are using WINS and the DCs of child and parent domains are registered there. Therefore the NetBIOS names are resolving. What happens when you try to ping the FQDN of the child domain server? Does that work?

I think your issue is you want the child domain suffix to be appended automatically. My understanding is that it doesn't happen by default. However the reverse is true. If you are in a child domain and ping or attempt to resolve a name, it tries its own domain suffix before attempting to append the parent domain suffixes. This is true as long as you haven't disabled the default behaviour, haven't modified this through GPOs etc...

You can also specify a list of search suffixes to go through in a certain order if you wish.

M@

On 7/30/06, HBooGz [EMAIL PROTECTED] wrote:

I have a forest with one forest root and one child domain. The child domain is running Windows 2000 SP4 and the HQ sites are running Windows 2003 R2 Standard. I have the child domain controller set up as an AD-integrated zone and I have the 2003 DNS servers set up to receive that zone as a secondary zone.

If I don't include the suffix search order on the NIC cards' DNS entry page, I just resolve the NetBIOS names of the hosts at the remote site. For example:

hq = company.com
child domain = sales.company.com

When I initiate a ping from any host at HQ to a host in the child domain I only resolve the NetBIOS name. How can I resolve this? I've tried setting up DNS name delegation in the past when I was running a full 2000 domain, but that name resolution never worked right and it wasn't timely.

thanks,
-- HBooGz:\
RE: [ActiveDir] DNS suffix resolution..
Another FYI - the Suffix Search List GPO is only available on Windows XP and later OSes. It was not in Win2000 versions. We had to use scripts/reg keys to manage these back in the day.

Jef Kazimer
---
http://www.jeftek.com

Date: Mon, 31 Jul 2006 10:46:38 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS suffix resolution..
RE: [ActiveDir] DNS suffix resolution..
Hey -

From the machines, I can definitely ping the FQDN.

[Neil Ruston] Indeed - that should always work unless you have basic DNS issues.

If you have hundreds, even thousands of workstations, the easiest way to distribute the DNS suffix search order listing is through group policy?

[Neil Ruston] Most likely, or some kind of login script.

If you don't have a WINS server specified and don't have the DNS suffix search order, then name resolution won't work by simply typing in the NetBIOS name -- that can't be default behavior for a Windows domain that purportedly doesn't "need" WINS.

[Neil Ruston] Who says 'doesn't need'? Perhaps if you had a single domain forest with no Exchange and other apps you may live without WINS. Otherwise, you need to engineer builds etc. very carefully to live without WINS.

It's for this purpose I still use WINS.

[Neil Ruston] As above, you can design the need for WINS out.

How are your clients' TCP/IP properties set at child domains? At HQ sites?

[Neil Ruston] It depends upon the requirements of each location. In summary - add all suffixes needed to each machine in each region. If I assume you have an HQ and branch locations, then consider adding appropriate suffixes for the HQ machines and (different?) appropriate suffixes for each branch.

I'm curious to know how other admins are setting up DNS/TCP-IP properties in their network/domain.

[Neil Ruston] As ever - 'it depends' :)

On 7/31/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
RE: [ActiveDir] bulk user creation
I have used a tool called AD Infinitum for this. Granted it's not free, but it pays for itself with ease of use and features.

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharif Naser
Sent: Monday, July 31, 2006 1:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] bulk user creation

Hello All,

I have around 350 users to be created with their mailboxes in Windows 2003. What is the best way to automate the process or delegate this job to two account operators? Any suggestions are highly recommended.

Regards,
RE: [ActiveDir] Read-Only Domain Controller and Server Core
We thought about using the confidential flag as the denotation for the RO-PAS, but that would break too many applications. The RO-PAS would only be for applications that wanted to protect their secrets from replicating to a RODC. DIMS (aka cred roaming) is a prime example. Most likely if RO-PAS happens it will be a negative PAS, in that the marking in the schema would mean that the attr is NOT replicated. That way new vanilla attributes are replicated to a RODC, which would minimize app compat issues.

-Nathan Muggli
RODC Program Manager

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 31, 2006 1:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

Not sure if it makes sense, but this could potentially be combined with the confidential flag: RODCs wouldn't cache any confidential attributes, unless a "Confidential Data Caching Policy" would allow them to do so. The confidential flag is already used by the Digital Identity Management Service (DIMS) for the Credential Roaming feature. And instead of adding yet another flag to differentiate attributes which contain secrets or sensitive data, this may just be the right flag. Granted, none of this will make life easier for app developers.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Puhl
Sent: Monday, July 31, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

You're right Joe that the RODC PAS would complicate things for the developers. The easy solution would be for developers to use the writeable flag when connecting to a DC, then they'd be guaranteed to not get an RODC... but even that isn't a great solution, and if we get the RODC GC it only becomes more complex.

For general background though, the justification for the RODC PAS DCR is actually that there are numerous attributes which contain password hash, or password-like data. Because these attributes aren't part of the pre-defined list of secrets, they are replicated normally rather than on-demand via the PRP. It wouldn't do me much good to prevent replication of 5 password attributes, when a 6th one which also includes a hash gets pushed down through normal replication. There needs to be a way for an administrator to define where these secrets live and protect them accordingly.

I've broached the topic of using this method to protect PII data a couple of times in relation to some RODC work we're doing internally, and the response is always that it's firmly in the realm of "unsupported", followed with a "that'd be a bad idea" and some serious head shaking, simply because of the way applications behave.

Brian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Sunday, July 30, 2006 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

I am not sure if I understand where you are going but let me explain where I am coming from. First, the passwords being there or not being there is not important for this talk; that is already built in and will be there. Now the discussion is around everything versus an RODC PAS. Everything is already there as well but is an important option because it will be the most used option. Actually I expect to see a ton of RODCs deployed that are configured as replicate everything including passwords, so that people get the RO part of the benefit and they don't have to worry about replicating bad stuff back into the real directory and don't have to worry about password caching management; if someone logs on somewhere, the password is cached there, Bob's your uncle, have a nice day.

So now we get down to replicating a portion of the normal attribute set. Why would you want to do this? Because you want to minimize the traffic to WAN sites and/or reduce info in some locations in case of compromise. For instance, if the email addresses of everyone in the company aren't on a DC in a WAN site and someone steals that DC hoping to get those email addresses, they are SOL; they missed.

However, now think about this from an application developer standpoint, and it is the same issue that exists with GCs, only worse because it is DCs. If an app developer wants to find something, they need to understand what they can actually find in the GC in terms of what attributes are populated. Maybe they (a) put in a requirement and hope people follow it, maybe they (b) actually try to verify it, maybe they (c) say screw that and query a DC instead because they know all of the data is there for a full query. From what I have seen the likely cases for an app that can handle any query are C, A, and in the absolute blue moon case B. Usually the app will just fail to find what it needs if you specify an attribute that isn't in the GC. How does Exchange do it??? So there are hybrids
[ActiveDir] Types of network Card in AD forest like Intel, 3-COM..
Hi,

Setup: Windows 2003 + Exchange 2003. My AD + Ex setup is running on different hardware. Now what is the best way to find what types of network cards (and also how many on one server) are installed on all my DCs and Exchange servers? I need to write a script or a WMI query.

Thanks,
Manjeet
Re: [ActiveDir] Read-Only Domain Controller and Server Core
See, that's the limitation that for me would make me wonder whether or not in *my* environments I would want to deploy such an animal or go full bore and deploy a full GC. The second biggest problem for me would be to accurately guess where a user might be when they log on to the network. They could be ANYWHERE as far as I'm concerned and still need to be able to log on. Whether it's in city X or branch Y or both in the same day, they may not get what they need if I try to restrict them even by group, let alone by OU. It's a much more flat authentication scenario from my perspective and I cannot see impeding business by having them get somewhere and not be able to log on. Might still save some performance in the sense that they can log on and pull GPO etc.

And I still need a chance to see the rest of the traffic to test ~Eric's information (not really test, but rather come up to speed with it).

That's why I'm curious how you envision figuring out who logs on where and how you'd map that in a way that makes sense. By "you" I'm referring to anyone who'd like to comment.

Al

On 7/31/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

RODCs do NOT replicate a subset of objects – right now they basically replicate everything a normal DC has (i.e. the full domain NC, config and schema), less the password hashes of any users. The OU vs. group discussion was solely around configuring the so called "Password Replication Policy" (bad name) for an RODC – and after discussing this here and offline, doing various tests and elaborating about possible usage scenarios, I agree that configuring this policy by OU doesn't really give you enough flexibility. I would actually love to configure it by an LDAP query leveraging any appropriate attributes – but this is simply too resource intensive during the authentication. Leveraging groups gives us the option to automatically provision the memberships appropriately though. Don't forget, you'll have to do this for users and computers.

Why is "Password Replication Policy" a bad name? Because that's not what it does – calling it "Password Caching Policy" would be more appropriate, as an RODC would never store a user's pwd-hash unless he has logged onto that RODC. Once the pwd is changed, an RODC will NOT update the hash – it will only be updated the next time a user uses that same RODC. I don't mind this mechanism – it provides an automatic "cleanup" mechanism and thus lowers the attack surface if a policy allowed many RODCs to cache a user's PWD. But the name "Replication Policy" suggests that an RODC would actually replicate the new password when it is changed on a WDC (writeable DC), which is confusing.

Replicating only parts of a tree (i.e. only specific OUs) would be a totally different story, which I also hope to see in the future (but won't be part of this version of RODC). However, RODCs will also be able to replicate the GC partitions (making them an ROGC) – but from what I understand this will only be sufficient for authenticating, but not to be used as a GC for Exchange (I guess since Exchange simply needs that writeable domain partition). So placing an ROGC in a remote site will not be sufficient if you also have an Exchange server in that site. Exchange 2007 edge servers are yet another different story – not sure if they can benefit from RODCs.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Mayes
Sent: Monday, July 31, 2006 1:39 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

Apologies as I'm reading in digest. But I just wanted to chip something into this surrounding OUs versus groups as it was something that I've been thinking about on my mind-numbing commute.

I understood that RODCs could be configured to be a read only subset of objects (users) from the writeable AD, or that you could set them to cache, which would also be useful to catch user population at a given site if this was unknown. I remember there being a long discussion at the back of DEC about people wanting the subset replication to be based around OUs rather than groups, and lots of people being quite passionate about it. The thing that struck me was how would you then deal with group membership where the group was sat in a totally different part of the tree? Somehow you've got to get that closed set to work with, which is very loosely linked to migration strategies. (Blimey, I must have paid attention on that migration course all of those years ago.) And then you've got constraints on OU structures if they are now partitions for replication in some capacity.

How wrong is this understanding? If it's kind of right, then at some point in the future are we going to see multiple domain partitions hosted on DCs? 'Cos that would be nice, as well as the ability to replicate subsets as read only. Where a GC could hold writeable copies of domain partitions that weren't from its particular domain in the
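The caching behaviour Guido describes above (a policy evaluated by group membership, a hash stored on the RODC only after the user has authenticated through it, and no push of a changed password until the user next uses that RODC) is easy to model, and the model makes the "lowers the attack surface" argument concrete: a stolen branch RODC yields only the secrets of principals who actually logged on there and were allowed to be cached. The following is an added Python model written for this thread, not Windows or Microsoft code; the class and method names, the sha256 stand-in for the real password hash, the group names ("Branch-Users", "Domain Admins") and the account names and passwords are all constructed for the example.

```python
"""
Toy model of an RODC Password Replication Policy (PRP) and credential
caching, written as an added example for this thread; it is not Windows code.
Behaviour modelled, as described in the thread:

  * the policy is evaluated by group membership; a deny entry wins over an
    allow entry, so privileged accounts never land on the branch box;
  * an RODC caches a principal's secret only after that principal has
    authenticated through that RODC and the policy allowed it;
  * a password changed on a writeable DC is not pushed to the RODC; the
    cached value is replaced when the principal next authenticates there.
"""
import hashlib
from dataclasses import dataclass, field


def secret_hash(password: str) -> str:
    """Stand-in for the stored password hash (sha256 keeps the example
    dependency-free; real AD stores the NT hash and Kerberos keys)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class WritableDC:
    """Authoritative store: every principal's secret and group memberships."""
    hashes: dict = field(default_factory=dict)   # principal -> hash
    groups: dict = field(default_factory=dict)   # principal -> set of groups

    def set_password(self, principal: str, password: str) -> None:
        self.hashes[principal] = secret_hash(password)

    def verify(self, principal: str, password: str) -> bool:
        return self.hashes.get(principal) == secret_hash(password)


@dataclass
class RODC:
    """Read-only DC holding only the secrets its policy let it cache."""
    name: str
    wdc: WritableDC
    allowed: set = field(default_factory=set)  # groups allowed to cache
    denied: set = field(default_factory=set)   # groups never cached (deny wins)
    cache: dict = field(default_factory=dict)  # principal -> hash

    def may_cache(self, principal: str) -> bool:
        groups = self.wdc.groups.get(principal, set())
        if groups & self.denied:
            return False
        return bool(groups & self.allowed)

    def authenticate(self, principal: str, password: str) -> str:
        """Returns which path served the logon:
        'cached', 'forwarded', 'forwarded+cached' or 'rejected'."""
        cached = self.cache.get(principal)
        if cached is not None and cached == secret_hash(password):
            return "cached"            # served locally, no WAN round trip
        if not self.wdc.verify(principal, password):
            return "rejected"
        if self.may_cache(principal):
            # First allowed use: the secret is replicated to this RODC.
            # A stale cached hash is replaced here, on next use, not pushed.
            self.cache[principal] = self.wdc.hashes[principal]
            return "forwarded+cached"
        return "forwarded"             # verified upstream, nothing retained

    def exposed_if_stolen(self) -> list:
        """Principals whose secrets an attacker would obtain from this box."""
        return sorted(self.cache)


def build_scenario():
    """Constructed domain: one branch user, one domain admin, one branch RODC."""
    wdc = WritableDC()
    wdc.set_password("alice", "Spring2006!")
    wdc.groups["alice"] = {"Branch-Users"}
    wdc.set_password("dadmin", "Tr0ub4dor&3")
    wdc.groups["dadmin"] = {"Branch-Users", "Domain Admins"}
    rodc = RODC("BR1-RODC", wdc,
                allowed={"Branch-Users"}, denied={"Domain Admins"})
    return wdc, rodc


if __name__ == "__main__":
    wdc, rodc = build_scenario()
    print(rodc.authenticate("alice", "Spring2006!"))   # forwarded+cached
    print(rodc.authenticate("alice", "Spring2006!"))   # cached
    print(rodc.authenticate("dadmin", "Tr0ub4dor&3"))  # forwarded (deny wins)
    wdc.set_password("alice", "Summer2006!")
    print(rodc.authenticate("alice", "Summer2006!"))   # forwarded+cached
    print(rodc.exposed_if_stolen())                     # ['alice']
```

The deny-wins rule is the part worth checking in any real policy: an account that is in both an allowed group and a denied group is never cached, which is what keeps a domain admin who happens to log on at a branch off the branch box.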
RE: [ActiveDir] W2K3 Upgrade Domain Controller or Exchange Servers?
Hi Nate,

Just in case you hadn't seen this before, you might want to keep your eye on this KB article: http://support.microsoft.com/kb/314649

Good luck with your upgrade!

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, July 31, 2006 6:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] W2K3 Upgrade Domain Controller or Exchange Servers?

All,

We are rounding home base in our upgrade path to 2K3 and have our Exchange Server Cluster running W2K and EXCH2K and our Domain Controllers to upgrade lastly. Which of them would you think would be the best to upgrade first? We thought to upgrade the DCs first because it takes care of the extension of the schema and all, which has to be done prior to EXCH2K3 anyhow. I can't think of a reason to not upgrade the Domain Controllers before the Exchange Server. Can anyone else?

Thanks
Nate
RE: [ActiveDir] Types of network Card in AD forest like Intel, 3-COM..
You can start with this http://www.microsoft.com/technet/scriptcenter/scripts/network/client/list/nwlsvb05.mspx?mfr=true and add in some logic to query AD for DCs and Exchange servers and then run the scriptcenter code against those particular servers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Manjeet Singh
Sent: Monday, July 31, 2006 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Types of network Card in AD forest like Intel, 3-COM..
Re: [ActiveDir] ldp in ADAM-SP1
You and joe are in the same boat :)

I understand where the logic for the generalization comes from. My experience and instinct tell me to disagree with the both of you and to interpret the generalization in a different manner. I've worked with and met WAY too many programmers to think that I'd prefer them writing tools vs. a script writer to get the job done. At the end of it all, it really comes down to the right tool for the job. I see no difference between a person writing a script to get something done and somebody writing a tool that the person who otherwise would have written a script would now have to write a batch file to use. Not sure the best written tool would be any better, and the person writing the batch wrapper would have even less understanding of the underpinnings of the tasks than they would if they wrote the script.

C'est la vie, no?

On 7/30/06, Ken Schaefer [EMAIL PROTECTED] wrote:

Hi Al,

I'm going to have to disagree here. I'd wager that the average programmer has a better understanding of writing code that has:
a) proper specifications and design
b) robust error handling
c) strong typing
d) etc

Of course, there are always deadlines that result in shoddy code, and there are certainly some shoddy programmers. But the average scripter (in my experience) seems to have far fewer clues on how to write robust, reusable, defensive code than the average programmer. The average scripter doesn't know much about IDEs, debugging, source control, unit tests and all the other goodies that make maintaining large bodies of code easy.

There's nothing wrong with writing scripts – especially for things that just require a few lines of code. Trying to maintain something that has 1000+ lines of code is a nightmare when scripted using VBS/JScript.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Sunday, 30 July 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

I have to say that's weak logic joe. Well, good logic, but weak assumptions. Tool writers are no more likely to prevent unforeseen mistakes than a script writer. On the plus side, if you write your own script, you'll have plenty of time to test it and will have gained a great deal more knowledge than you previously had. Mostly about how not to do it, but that's better than figuring that out in production or worse, trusting the tool writer to have done the work for you and to have guessed what you wanted done. joeware tools excepted in most cases of course ;)

On 7/29/06, joe [EMAIL PROTECTED] wrote:

I am curious about this statement:

"While you can use the command line tools as much as possible, as joe and Guido both pointed out, consider rolling your own scripts if you absolutely cannot do what you *need* to do at the GUI."

In general, scripts are more dangerous than the command line tools because there are a lot of screwups you can make in a script that a tool may not make, because hopefully a full blown tool writer understands the permissioning model and the dev work behind it better than a script writer. It is quite easy to use a script and to add 30 duplicate ACEs to an ACL. I can't count the number of times I have seen things like that. There is no guarantee that a command line tool won't do the same, but there are fewer and hopefully more experienced people writing command line tools than scripts.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] DNS suffix resolution..
This is probably going to be a "hit-and-run" reply from me. I just have to jump in because wheneverI see a "Need WINS" argument, I feel the urgent need to bursta ventricle or two. if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't work by simply typing in the netbios name -- that can't be default behavior for a windows domain that purportedly doesn't "need" wins. [Neil Ruston]Who says 'doesn't need'? Perhaps if you had a single domain forest with no Exchange and other apps you may live without WINS. Otherwise, you need to engineer builds etc very carefully to live without WINS. IF "need" is the operative word, even a multi-domain Forest does NOT NEED WINS for NetBIOS name resolution. Will such Forest benefit from WINS availability? Sure, but only IF the Forest has been configured in such a way that makes WINS presence beneficial. Does this mean that WINS is required? No. It means that the said Forest requires WINS due to configuration decisions made at some point in time, not because of technical or technological dependencies imposed by the Operating System. IF you have a properly defined naming convention (that is to say all your kids are not named "joe") AND you utilize a logical and effective suffix search list (that is to say everyone in your family tree knows everybody else's surname), then your FOREST does not NEED WINS - multi-domain or not, and regardless of the NetBIOS-consumption-propensity of any application. Now you can argue that "proper naming convention" is too fluid and highly unrealistic, and I may not argue with you. You may point out that "appropriate suffix list" in a Forest that has a bazillion and one domain is impractical, and I may let it slide. But . both arguments do not support the assertion that "AD NEEDS WINS". WINS is necessary where both conditions are not met. Where that is not the case, you can happily give the middle finger to WINS. 
Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/ Microsoft MVP - Directory Serviceswww.akomolafe.com- we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED]Sent: Mon 7/31/2006 8:44 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] DNS suffix resolution.. Hey -from the machines, i can defintely ping the FQDN.[Neil Ruston]indeed - that should always work unless you have basic DNS issuesIf you have hundreds even thousands of workstations, the easiest way to distribute dns suffix search order listing is thhrough group policy ?[Neil Ruston]most likely or some kind of login script. if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't work by simply typing in the netbios name -- that can't be default behavior for a windows domain that purportedly doesn't "need" wins. [Neil Ruston]Who says 'doesn't need'? Perhaps if you had a single domain forest with no Exchange and other apps you may live without WINS. Otherwise, you need to engineer builds etc very carefully to live without WINS.its for this purpose i still use wins.[Neil Ruston]As above, you can design the need for WINS out.how are your clients tcp/ip properties set at child domains ? at HQ sites ?[Neil Ruston]It depends upon the requirements of each location. In summary - add all suffices needed to each machine in each region. If I assume you have an HQ and branch locations, then consider adding appropriate suffices for the HQ machines and (different?)appropriatesuffices for each branch.i'm curious to know how other admins are setting up dns/tcpip properties in their network/domain. [Neil Ruston]As ever -'it depends' :) On 7/31/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: just as an FYI: If you specify suffix search list it will override the searching of appending the parent suffix of primary DNS suffix. 
So if you just specify:

domain2.domain1.com
domain3.domain1.com

and not domain1.com it will not search domain1.com since it is not specified in the Suffix Search List. So if you want to still search the parent suffix, be sure to include it in the SSL.

Jef

- Original Message -
From: Matheesha Weerasinghe
To: ActiveDir@mail.activedir.org
Sent: Monday, July 31, 2006 4:13 AM
Subject: Re: [ActiveDir] DNS suffix resolution..

I assume you are using WINS and the DCs of child and parent domains are registered there. Therefore the netbios names are resolving. What happens when you try to ping the FQDN of the child domain server? Does that work? I think your issue is you want the child domain suffix to be appended automatically. My understanding is that it doesn't happen by default. However the reverse is true. If you are in a child domain and ping or attempt to resolve a name, it tries its own domain suffix before attempting to append the parent domain suffixes. This is true as long as you
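Jef's point above (an explicit suffix search list replaces parent-suffix devolution, so domain1.com is only tried if it is listed) as an added PowerShell model; this is not code from the thread. It reproduces the DNS client's candidate-name list for a single-label name: the domain names are Jef's, the host name fs01 is a constructed placeholder, and connection-specific suffixes are left out of the model.

```powershell
# Model of how the Windows DNS client builds the list of fully qualified names it
# will try for an unqualified (single-label) host name. Used here to show why an
# explicit suffix search list that omits domain1.com never queries domain1.com.
function Get-DnsSuffixCandidates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,          # single-label name, e.g. "fs01"
        [Parameter(Mandatory)] [string] $PrimaryDnsSuffix,  # the machine's primary DNS suffix
        [string[]] $SuffixSearchList = @(),                 # explicit list (GPO / TCP-IP properties); empty = not configured
        [int]      $DevolutionLevel  = 2                    # stop devolving when this many labels remain
    )

    if ($HostName -match '\.') {
        throw "This model only handles single-label names; '$HostName' already carries a suffix."
    }

    $candidates = New-Object System.Collections.Generic.List[string]

    if ($SuffixSearchList.Count -gt 0) {
        # An explicit suffix search list is used exclusively: neither the primary
        # suffix nor its parents are appended unless they appear in the list.
        foreach ($suffix in $SuffixSearchList) {
            $candidates.Add("$HostName.$($suffix.TrimEnd('.'))")
        }
    }
    else {
        # No explicit list: append the primary suffix, then devolve it one label at a
        # time (domain2.domain1.com -> domain1.com) until $DevolutionLevel labels remain.
        $labels = $PrimaryDnsSuffix.TrimEnd('.').Split('.')
        $candidates.Add("$HostName.$($labels -join '.')")
        while ($labels.Count -gt $DevolutionLevel) {
            $labels = @($labels[1..($labels.Count - 1)])
            $candidates.Add("$HostName.$($labels -join '.')")
        }
    }
    return $candidates.ToArray()
}

# Jef's scenario: a member of domain2.domain1.com whose search list names the child
# domains but not the parent. "fs01" is a constructed host name.
$primary    = 'domain2.domain1.com'
$childOnly  = @('domain2.domain1.com', 'domain3.domain1.com')
$withParent = $childOnly + 'domain1.com'

Write-Host "No search list configured (devolution applies):"
Get-DnsSuffixCandidates -HostName fs01 -PrimaryDnsSuffix $primary | ForEach-Object { "  $_" }

Write-Host "Search list without the parent suffix (domain1.com is never tried):"
Get-DnsSuffixCandidates -HostName fs01 -PrimaryDnsSuffix $primary -SuffixSearchList $childOnly | ForEach-Object { "  $_" }

Write-Host "Search list that includes the parent suffix:"
Get-DnsSuffixCandidates -HostName fs01 -PrimaryDnsSuffix $primary -SuffixSearchList $withParent | ForEach-Object { "  $_" }

# On Windows 8 / Server 2012 and later the live client settings can be compared with:
#   Get-DnsClientGlobalSetting | Select-Object SuffixSearchList, UseDevolution, DevolutionLevel
```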
RE: [ActiveDir] Types of network Card in AD forest like Intel, 3-COM..
Try http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&DisplayLang=en

Sincerely,

Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Manjeet Singh
Sent: Mon 7/31/2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Types of network Card in AD forest like Intel, 3-COM..

Hi,

Setup: Windows 2003 + exchange 2003. My AD + Ex setup is running on different hardware. Now what is the best way to find what types of Network (and also how many on one server) cards are installed on my all DCs and Exchange. I need to write a script or a wmi query.

Thanks,
Manjeet
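For Manjeet's question, an added PowerShell example (not from the thread or from the linked download) that inventories the physical network cards on every DC plus the Exchange servers over WMI. Domain controllers are enumerated through .NET so no RSAT module is needed; the Exchange host names are placeholders to replace, and the PCI-device filter is a heuristic for "physical card".

```powershell
# Inventory the physical network adapters on a set of servers through WMI.
# Get-WmiObject (DCOM) is used instead of Get-CimInstance so that hosts without
# WinRM configured still answer.
function Get-ServerNicInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    foreach ($computer in $ComputerName) {
        try {
            # Win32_NetworkAdapter also lists software adapters (WAN miniports, tunnels,
            # teams). Keeping only PCI PnP devices is a heuristic that isolates the
            # physical cards and works on Windows Server 2003, which lacks the
            # PhysicalAdapter property introduced with Vista / Server 2008.
            $adapters = Get-WmiObject -Class Win32_NetworkAdapter -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.PNPDeviceID -like 'PCI\*' }

            foreach ($nic in $adapters) {
                [pscustomobject]@{
                    ComputerName = $computer
                    Adapter      = $nic.Name
                    Manufacturer = $nic.Manufacturer
                    MACAddress   = $nic.MACAddress
                    Connection   = $nic.NetConnectionID
                    Speed        = $nic.Speed
                }
            }
        }
        catch {
            # RPC/DCOM failures (firewall, host down, missing admin rights) are reported
            # per host instead of aborting the whole inventory.
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
    }
}

# Domain controllers of the current domain, resolved via .NET (no RSAT required).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | ForEach-Object { $_.Name }

# Assumption: Exchange servers are named by hand; these are placeholder names.
$exchangeServers = @('EXCH01.example.local', 'EXCH02.example.local')

$inventory = Get-ServerNicInventory -ComputerName ($dcs + $exchangeServers)

# Per-server detail: every physical card with vendor, MAC and connection name.
$inventory | Sort-Object ComputerName, Connection | Format-Table -AutoSize

# How many cards each server has, and which vendors are in use across the estate.
$inventory | Group-Object ComputerName | Select-Object Name, Count | Format-Table -AutoSize
$inventory | Group-Object Manufacturer | Select-Object Name, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize
```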
RE: [ActiveDir] Read-Only Domain Controller and Server Core
Hey Brian, good to see your name on the list... I got pinged offline on the basis behind this functionality. I admit to being a little shocked that someone was tossing password type info into other attributes especially with AD being so generally open to viewing, especially when using the Pre-W2K Compat group with auth'ed users allowed to see all attributes by default which most domains still seem to be in due to fears in what will break if it is turned off. If this is purely based on security concerns, I would be more apt to tell people to install ADAM on the DCs and put the data there. At least you know that is severely locked down by default and not having to be worried what side direction someone might come in and pop you from.

From the standpoint of less crap being sent down to WAN DCs I like the idea. I realize I can't have branch level replication but at least being able to weed out all of the non-essential attributes would be a nice start for tiny branches with 10 users in domains with tens of thousands of users. I actually recently had to say it didn't make any sense to move from Novell to AD for a customer because of that very issue. You can't imagine how much that pained me to say. In cases like that if there is no real strategic reason to move to AD, it is better to stay on Novell because of the replication model.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Puhl
Sent: Monday, July 31, 2006 4:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

You're right Joe that the RODC PAS would complicate things for the developers. The easy solution would be for developers to use the writeable flag when connecting to a DC, then they'd be guaranteed to not get an RODC - but even that isn't a great solution, and if we get the RODC GC it only becomes more complex.

For general background though, the justification for the RODC PAS DCR is actually that there are numerous attributes which contain password hash, or password-like data. Because these attributes aren't part of the pre-defined list of secrets, they are replicated normally rather than on-demand via the PRP. It wouldn't do me much good to prevent replication of 5 password attributes, when a 6th one which also includes a hash gets pushed down through normal replication. There needs to be a way for an administrator to define where these secrets live and protect them accordingly.

I've broached the topic of using this method to protect PII data a couple of times in relation to some RODC work we're doing internally, and the response is always that it's firmly in the realm of unsupported followed with a that'd be a bad idea and some serious head shaking simply because of the way applications behave.

Brian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Sunday, July 30, 2006 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

I am not sure if I understand where you are going but let me explain where I am coming from.

First, the passwords being there or not being there is not important for this talk, that is already built in and will be there, now the discussion is around everything versus an RODC PAS. Everything is already there as well but is an important option because it will be the most used option. Actually I expect to see a ton of RODCs deployed that are configured as replicate everything including passwords so that people get the RO part of the benefit and they don't have to worry about replicating bad stuff back into the "real directory" and not have to worry about password caching management, if someone logs on somewhere, the password is cached there, bob's your uncle have a nice day.

So now we get down to replicating a portion of the normal attribute set. Why would you want to do this? Because you want to minimize the traffic to WAN sites and/or reduced info in some locations in case of compromise. For instance, if the email addresses of everyone in the company isn't on a DC in a WAN site and someone steals that DC hoping to get those email addresses, they are SOL; they missed.

However, now think about this from an application developer standpoint and it is the same issue that exists with GCs only worse because it is DCs. If an app developer wants to find something, they need to understand what they can actually find in the GC in terms of what attributes are populated. Maybe they (a) put in a requirement and hope people follow it, maybe they (b) actually try to verify it, maybe they (c) say screw that and query a DC instead because they know all of the data is there for a full query. From what I have seen the likely cases for an app that can handle any query is C, A, and in the absolute blue moon case B. Usually the app will just
RE: [ActiveDir] Read-Only Domain Controller and Server Core
For Exchange, there has been a lot around Exchange. At no point though have I heard that they were even going to start consider supporting Exchange with RODCs. I have heard a lot of absolutely we will not support Exchange that way. If Exchange were supported, not to be a pain, but I can't imagine what a horrible mess that would turn into to support. It isn't my opinion that the Exchange team has been wonderfully good at writing code to utilize AD as it is already and it is currently relatively simple.

I agree on the naming with Guido.

Though straw poll now for the folks who plan on using RODCs, who plans to just tell them to cache all passwords as necessary (excluding admin accounts of course)? Or to put it another way, who plans to use RODCs and then actively try to manage where passwords can be cached? I would not be surprised to hear that RODCs are going out the door with the dial all the way to the right (or left if you prefer) and everything but admin passwords are being cached. It still gives a ton of benefit, i.e. someone screws with it and that can't (allegedly) get back to the "real" directory and not all password hashes would be on all RODCs, it would be based on who actually auth'ed at the local DC.

If I could do it dynamically, I would like to do something like, if the user/computer has attempted to log into RODC(x) more than y times in the last z days, then cache the password locally. If the user/computer hasn't authed there in v times in the last w days, then remove them from the policy for that RODC again. My theory is that unless this management is extremely simple and mostly automated, most folks won't use it because the security concerns probably aren't all that high since most users won't be authenticating (and therefore caching) their passwords on most RODCs.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 31, 2006 4:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

RODCs do NOT replicate a subset of objects - right now they basically replicate everything a normal DC has (i.e. the full domain NC, config and schema), less the password hashes of any users. The OU vs. group discussion was solely around configuring the so called "Password Replication Policy" (bad name) for an RODC and after discussing this here and offline, doing various tests and elaborating about possible usage scenarios, I agree that configuring this policy by OU doesn't really give you enough flexibility. I would actually love to configure it by an LDAP query leveraging any appropriate attributes but this is simply too resource intensive during the authentication. Leveraging groups gives us the option to automatically provision the memberships appropriately though. Don't forget, you'll have to do this for users and computers.

Why is "Password Replication Policy" a bad name? Because that's not what it does - calling it "Password Caching Policy" would be more appropriate, as an RODC would never store a user's pwd-hash unless he has logged onto that RODC. Once the pwd is changed, an RODC will NOT update the hash - it will only be updated the next time a user uses that same RODC. I don't mind this mechanism - it provides an automatic "cleanup" mechanism and thus lowers the attack surface if a policy allowed many RODCs to cache a user's PWD. But the name "Replication Policy" suggests that an RODC would actually replicate the new password when it is changed on a WDC (writeable DC), which is confusing.

Replicating only parts of a tree (i.e. only specific OUs) would be a totally different story, which I also hope to see in the future (but won't be part of this version of RODC).

However, RODCs will also be able to replicate the GC partitions (making them an ROGC) but from what I understand this will only be sufficient for authenticating, but not to be used as a GC for Exchange (I guess since Exchange simply needs that writeable domain partition). So placing an ROGC in a remote site will not be sufficient if you also have an Exchange server in that site. Exchange 2007 edge servers is yet another different story - not sure if they can benefit from RODCs.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Mayes
Sent: Monday, July 31, 2006 1:39 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

Apologies as I'm reading in digest. But I just wanted to chip something into this surrounding OUs versus groups as it was something that I've been thinking about on my mind-numbing commute. I understood that RODCs could be configured to be a read only subset of objects (users) from the writeable AD, or that you could set them to cache which would also be useful to catch user population at a given site if this
RE: [ActiveDir] W2K3 Upgrade Domain Controller or Exchange Servers?
We thought to upgrade the DC's first because it takes care of the extension of the schema and all which has to be done prior to EXCH2K3 anyhow

The upgrade of the DCs does not take care of the schema extension - you'll have to prepare your schema as a separate step prior to being able to upgrade any DC. And while you're updating the schema for your Win2k3 DCs, you may as well update the schema for E2k3 as well. Best procedure is actually to first update the schema with the E2k3 extensions, let it replicate, and then do the W2k3 schema extensions (this way you won't have the E2k schema conflicts with the W2k3 schema). And instead of using the base W2k3 schema, it doesn't hurt you to use the W2k3 R2 extensions.

After extending the schema appropriately, it doesn't really matter if you first take care of your Exchange Servers or the DCs. Just need to make sure that you upgrade the Exchange app itself to 2003, prior to upgrading the WinOS of the cluster to W2k3.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, July 31, 2006 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] W2K3 Upgrade Domain Controller or Exchange Servers?

All,

We are rounding home base in our upgrade path to 2K3 and have our Exchange Server Cluster running W2K and EXCH2K and our Domain Controllers to upgrade lastly. Which of them would you think would be the best to upgrade first? We thought to upgrade the DC's first because it takes care of the extension of the schema and all which has to be done prior to EXCH2K3 anyhow. I can't think of a reason to not upgrade the Domain Controllers before the Exchange Server. Can anyone else?

Thanks
Nate
RE: [ActiveDir] Read-Only Domain Controller and Server Core
Whoa... Nathan too. This list is hopping... For those folks who don't know Nathan... Read his signature carefully and realize the level of people this list is seen by. And don't email him directly unless you found a world ending issue with Longhorn DCs, he is a busy guy about right now. :) I could easily bother Nathan with about 40 emails a day but try to leave him completely alone.

All I say is if this stuff is implemented, please please please please have the details in the Platform SDK ASAP. Actually flag values and meanings and caveats and everything else.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nathan Muggli
Sent: Monday, July 31, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

We thought about using the confidential flag as the denotation for the RO-PAS, but that would break too many applications. The RO-PAS would only be for applications that wanted to protect their secrets from replicating to a RODC. DIMS (aka cred roaming) is a prime example. Most likely if RO-PAS happens it will be a negative PAS in that the marking in the schema would mean that the attr is NOT replicated. That way new vanilla attributes are replicated to a RODC which would minimize app compat.

-Nathan Muggli
RODC Program Manager

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 31, 2006 1:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

Not sure if it makes sense, but this could potentially be combined with the confidential flag - RODCs wouldn't cache any confidential attributes, unless a Confidential Data Caching Policy would allow them to do so. The confidential flag is already used by the Digital Identity Management Service (DIMS) for the Credential Roaming feature. And instead of adding yet another flag to differentiate attributes which contain secrets or sensitive data, this may just be the right flag. Granted, none of this will make life easier for app developers.

/Guido
RE: [ActiveDir] Read-Only Domain Controller and Server Core
This is why I expect most people won't be managing the policy that closely. I see RODCs going out with a policy to cache all passwords but admin passwords. You get the benefits and don't deal with additional management overhead. Some places will care enough to do the extra work and some more will as well if the toolsets make it trivially easy to manage. If it gets down to anything resembling real work load and resource dedication, not going to happen in most places.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, July 31, 2006 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Read-Only Domain Controller and Server Core

See, that's the limitation that for me would make me wonder whether or not in *my* environments I would want to deploy such an animal or go full bore and deploy a full GC. The second biggest problem for me would be to accurately guess where a user might be when they logon to the network. They could be ANYWHERE as far as I'm concerned and still need to be able to logon. Whether it's in city X or branch Y or both in the same day, they may not get what they need if I try to restrict them even by group let alone by OU. It's a much more flat authentication scenario from my perspective and I cannot see impeding business by having them get somewhere and not be able to logon. Might still save some performance in the sense that they can logon and pull GPO etc. And I still need a chance to see the rest of the traffic to test ~Eric's information. (not really test, but rather come up to speed with it).

That's why I'm curious how you envision figuring who logs on where and how you'd map that in a way that makes sense. By "you" I'm referring to anyone who'd like to comment.

Al
RE: [ActiveDir] bulk user creation
Hi.

VBScript may be used to do that.

Atila Firmino

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Alborzfard
Sent: Monday, 31 July 2006 13:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] bulk user creation

I have used a tool called AD Infinitum for this. Granted it's not free, but it pays for itself with ease of use and features.

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharif Naser
Sent: Monday, July 31, 2006 1:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] bulk user creation

Hello All,

I have around 350 users to be created with their mailboxes in windows 2003, what is the best way to automate the process or delegate this job to two account operators. Any suggestions are highly recommended.

Regards,
RE: [ActiveDir] DNS suffix resolution..
One word... disjoint name space.

AD itself doesn't need WINS unless DNS is broken because it uses FQDNs. It is everything else. If you have a simple single domain setup, you are probably going to be able to remove WINS requirements unless you have legacy apps that actually force a lookup of a specific type of NetBIOS record or do the lookups themselves with the NetBIOS calls. As you add more domains it becomes more complicated. As you add more trees or go to disjoint namespaces the work required isn't worth the benefit.

Personally I like WINS, I have had very very few issues with it even at the Enterprise scale.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Deji Akomolafe
Sent: Monday, July 31, 2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS suffix resolution..
[ActiveDir] Revoke domain administrator's right to create GPO?
Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?

Thanks in advance.
Andy
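A defensive check to go with Andy's question, as an added PowerShell example that is not from the thread: it lists the principals whose ACE on the Policies container grants creation of groupPolicyContainer objects, plus the resolved membership of Group Policy Creator Owners, so the effective set of GPO creators is known before any delegation is changed. It assumes the RSAT ActiveDirectory module is installed and the session can read the domain; the GUID used is the well-known schemaIDGUID of the groupPolicyContainer class.

```powershell
# Audit who can create Group Policy objects in the domain. GPO creation is governed by
# the ACL on CN=Policies,CN=System,<domain>: whoever holds "Create Child" for the
# groupPolicyContainer class (or for all child classes) can create GPOs, and
# Group Policy Creator Owners is the built-in group normally granted that right.
Import-Module ActiveDirectory   # provides Get-ADDomain, Get-ADGroupMember and the AD: drive

function Get-GpoCreationRights {
    [CmdletBinding()]
    param(
        [string] $DomainDN = (Get-ADDomain).DistinguishedName
    )
    $policiesDN = "CN=Policies,CN=System,$DomainDN"

    # schemaIDGUID of the groupPolicyContainer class. An ACE whose ObjectType is the
    # empty GUID grants the right for every child class, which is how Domain Admins
    # and Enterprise Admins typically hold it (full control on the container).
    $gpcClassGuid = [guid]'f30e3bc2-9ff0-11d1-b603-0000f80367c1'
    $createChild  = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    $acl = Get-Acl -Path "AD:\$policiesDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
            ($_.ObjectType -eq $gpcClassGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object @{ Name = 'Principal'; Expression = { $_.IdentityReference } },
                      ActiveDirectoryRights,
                      @{ Name = 'AppliesTo'; Expression = {
                          if ($_.ObjectType -eq [guid]::Empty) { 'all child objects' }
                          else { 'groupPolicyContainer only' } } },
                      IsInherited
}

function Get-GpoCreatorOwnersMembers {
    # -Recursive flattens nested groups, so indirectly nested accounts show up too.
    Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
        Select-Object SamAccountName, objectClass
}

# Who holds the create right on the container, and who is in the delegated group.
Get-GpoCreationRights       | Format-Table -AutoSize
Get-GpoCreatorOwnersMembers | Format-Table -AutoSize
```

Re-run both functions after any change to the container ACL or the group so the result can be compared against the intended list of GPO creators.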
[ActiveDir] A Saturday getaway.. ?
Since we're all pretty busy with work, school, raiding corporations (Rich), planning a group vacation this summer is pretty hard. I'd like to hit either Miami or Montreal next weekend for a few days, but I'm not sure who can make it, if anyone at all. that being said, I'm thinking we all should use a Saturday to hit a camp site that has a lake, outdoor grill, etc. We can do an all day thing which shouldn't affect anyone's schedule and wallet ( hopefully ). I've mentioned this to a few of you and I've gotten some feedback. So - if most of you are down and interested, let's start planning -- plan for a rain date as well. Consider this an open-invitation.

--
hs
RE: [ActiveDir] Read-Only Domain Controller and Server Core
Joe, isn't the below kind of like yelling, "OMG! Elvis!" in a McDonald's restaurant in Kalamazoo and following it up with, "nobody ask for his autograph"? ;-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, July 31, 2006 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

Whoa... Nathan too. This list is hopping... For those folks who don't know Nathan... Read his signature carefully and realize the level of people this list is seen by. And don't email him directly unless you found a world ending issue with Longhorn DCs, he is a busy guy about right now. :) I could easily bother Nathan with about 40 emails a day but try to leave him completely alone. All I say is if this stuff is implemented, please please please please have the details in the Platform SDK ASAP. Actually flag values and meanings and caveats and everything else.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nathan Muggli
Sent: Monday, July 31, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

We thought about using the confidential flag as the denotation for the RO-PAS, but that would break too many applications. The RO-PAS would only be for applications that wanted to protect their secrets from replicating to a RODC. DIMS (aka cred roaming) is a prime example. Most likely if RO-PAS happens it will be a negative PAS in that the marking in the schema would mean that the attr is NOT replicated. That way new vanilla attributes are replicated to a RODC which would minimize app compat.

-Nathan Muggli
RODC Program Manager

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 31, 2006 1:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

Not sure if it makes sense, but this could potentially be combined with the confidential flag: RODCs wouldn't cache any confidential attributes, unless a Confidential Data Caching Policy would allow them to do so. The confidential flag is already used by the Digital Identity Management Service (DIMS) for the Credential Roaming feature. And instead of adding yet another flag to differentiate attributes which contain secrets or sensitive data, this may just be the right flag. Granted, none of this will make life easier for app developers.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Puhl
Sent: Monday, July 31, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

You're right Joe that the RODC PAS would complicate things for the developers. The easy solution would be for developers to use the writeable flag when connecting to a DC, then they'd be guaranteed to not get an RODC, but even that isn't a great solution, and if we get the RODC GC it only becomes more complex. For general background though, the justification for the RODC PAS DCR is actually that there are numerous attributes which contain password hash, or password-like data. Because these attributes aren't part of the pre-defined list of secrets, they are replicated normally rather than on-demand via the PRP. It wouldn't do me much good to prevent replication of 5 password attributes, when a 6th one which also includes a hash gets pushed down through normal replication. There needs to be a way for an administrator to define where these secrets live and protect them accordingly.

I've broached the topic of using this method to protect PII data a couple of times in relation to some RODC work we're doing internally, and the response is always that it's firmly in the realm of "unsupported", followed with a "that'd be a bad idea" and some serious head shaking, simply because of the way applications behave.

Brian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Sunday, July 30, 2006 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

I am not sure if I understand where you are going but let me explain where I am coming from. First, the passwords being there or not being there is not important for this talk, that is already built in and will be there, now the discussion is around everything versus an RODC PAS. Everything is already there as well but is an important option because it will be the most used option. Actually I expect to see a ton of
RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Hehe. Wrong list for this kind of question. Put on a helmet. But... yes you can, for as long as the DAs decide to let it be that way. They will have no issues switching it right back. You CANNOT prevent DAs from doing anything they want in the domain or the forest. You can try... like a duckling can try and put out the flames of a volcano with the beating of his wings, and you will be just as successful. There is no such thing as Domain Administrator and Super Domain Administrator. Once you get even administrator rights on a DC, you pretty much do what you want when you want. It really doesn't even take that much but we will start there. The answer you are looking for is to reduce the number of DAs in the entire forest to 5 or less. You don't work for a large enough company to actually qualify to use LOTS of Domain Administrators unless there are lots of forests and only a few DAs in each. AD should be delegated or provisioned, it shouldn't have a bunch of folks with native high level rights. No this isn't impossible to do, some of us have done it in Fortune 5 companies and of course also in smaller companies.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?

Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?

Thanks in advance.
Andy
RE: [ActiveDir][OT] A saturaday getaway.. ?
Miami or Montreal, quite a range there! Do you want to speak French or Spanish? :o)

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Monday, July 31, 2006 3:53 PM
To: ActiveDir@mail.activedir.org; Dre; Michah Castrenbaumawitz; [EMAIL PROTECTED]; mark; Nick Roman; Richard A. Celestin; Tommy Hong; Richad Hamon Ponce
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] A saturaday getaway.. ?

Since we're all pretty busy with work, school, raiding corporations (Rich), planning a group vacation this summer is pretty hard. I'd like to hit either Miami or Montreal next weekend for a few days, but I'm not sure who can make it, if anyone at all. That being said, I'm thinking we all should use a Saturday to hit a camp site that has a lake, outdoor grill, etc. We can do an all day thing which shouldn't affect anyone's schedule and wallet (hopefully). I've mentioned this to a few of you and I've gotten some feedback. So - if most of you are down and interested, let's start planning -- plan for a rain date as well. Consider this an open invitation.

-- hs
RE: [ActiveDir] A saturaday getaway.. ?
Wow! You are one very generous list member :) Can I bring the family along? With the dog and my favorite neighbor?

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: HBooGz
Sent: Mon 7/31/2006 12:53 PM
To: ActiveDir@mail.activedir.org; Dre; Michah Castrenbaumawitz; [EMAIL PROTECTED]; mark; Nick Roman; Richard A. Celestin; Tommy Hong; Richad Hamon Ponce
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] A saturaday getaway.. ?

Since we're all pretty busy with work, school, raiding corporations (Rich), planning a group vacation this summer is pretty hard. I'd like to hit either Miami or Montreal next weekend for a few days, but I'm not sure who can make it, if anyone at all. That being said, I'm thinking we all should use a Saturday to hit a camp site that has a lake, outdoor grill, etc. We can do an all day thing which shouldn't affect anyone's schedule and wallet (hopefully). I've mentioned this to a few of you and I've gotten some feedback. So - if most of you are down and interested, let's start planning -- plan for a rain date as well. Consider this an open invitation.

-- hs
RE: [ActiveDir] DNS suffix resolution..
Understood. I made similar arguments in some places you will come to see in the very near future. I will beg to differ on the "worth the benefit" claim vis-à-vis the headaches associated with WINS and how less resilient I've found WINS to be compared to DNS. However, my focus is on demystifying the "NEED" assertion. I like to take every opportunity I get to point out that, even with Exchange/multi-domain/disjointed names/etc all thrown into the mix, AD still does NOT NEED WINS[1]. AD is capable of functioning correctly (thank you very much) IF efforts are made to do the leg work "upfront". WINS is a substitute... for the inability/unwillingness/some-other-obstacles to do the necessary due diligence necessary to be WINS-less. I call it a crutch and its continued existence and usage speaks more to our comfort level with it, our tendency to go for the quickest fix for any given "issue", and our buying into the oft-repeated claim that WINS is NEEDED.

[1] OK, disclosure. The main reason I popped in today to post the original response was to elicit further comment and discussion of this "NEED" thing, with the hope that I may have every side covered thoroughly in some places that will remain nameless for now.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Mon 7/31/2006 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS suffix resolution..

One word... disjoint name space. AD itself doesn't need WINS unless DNS is broken because it uses FQDNs. It is everything else. If you have a simple single domain setup, you are probably going to be able to remove WINS requirements unless you have legacy apps that actually force a lookup of a specific type of NetBIOS record or do the lookups themselves with the NetBIOS calls. As you add more domains it becomes more complicated. As you add more trees or go to disjoint namespaces the work required isn't worth the benefit. Personally I like WINS, I have had very very few issues with it even at the Enterprise scale.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Deji Akomolafe
Sent: Monday, July 31, 2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS suffix resolution..

This is probably going to be a "hit-and-run" reply from me. I just have to jump in because whenever I see a "Need WINS" argument, I feel the urgent need to burst a ventricle or two.

if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't work by simply typing in the netbios name -- that can't be default behavior for a windows domain that purportedly doesn't "need" wins.

[Neil Ruston] Who says 'doesn't need'? Perhaps if you had a single domain forest with no Exchange and other apps you may live without WINS. Otherwise, you need to engineer builds etc very carefully to live without WINS.

IF "need" is the operative word, even a multi-domain Forest does NOT NEED WINS for NetBIOS name resolution. Will such Forest benefit from WINS availability? Sure, but only IF the Forest has been configured in such a way that makes WINS presence beneficial. Does this mean that WINS is required? No. It means that the said Forest requires WINS due to configuration decisions made at some point in time, not because of technical or technological dependencies imposed by the Operating System.

IF you have a properly defined naming convention (that is to say all your kids are not named "joe") AND you utilize a logical and effective suffix search list (that is to say everyone in your family tree knows everybody else's surname), then your FOREST does not NEED WINS - multi-domain or not, and regardless of the NetBIOS-consumption-propensity of any application. Now you can argue that "proper naming convention" is too fluid and highly unrealistic, and I may not argue with you. You may point out that "appropriate suffix list" in a Forest that has a bazillion and one domains is impractical, and I may let it slide. But... both arguments do not support the assertion that "AD NEEDS WINS". WINS is necessary where both conditions are not met. Where that is not the case, you can happily give the middle finger to WINS.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Mon 7/31/2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS suffix resolution..

Hey - from the machines, i can definitely ping the FQDN.

[Neil Ruston] indeed - that
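Deji's two conditions (unique short names, and a suffix search list that covers every domain) can be tried out on a small model of the Windows DNS client's suffix handling. This is an added example by the editor, not code from the list or from Microsoft; the zones, host names and addresses are constructed, and the client behaviour modelled is only the part the thread discusses (try a dotted name as given, then append each suffix in order):

```python
"""Added example: model of DNS suffix search list resolution, on constructed data."""

# Constructed forward-lookup data: FQDN -> address (nothing here is a real host).
ZONE_DATA = {
    "fs01.corp.example.com": "10.1.0.5",
    "fs01.emea.corp.example.com": "10.2.0.5",     # same short name as the line above: the "all kids named joe" case
    "print02.emea.corp.example.com": "10.2.0.9",
    "app.othertree.example.net": "10.3.0.7",      # second tree with its own DNS suffix
}

def resolve(name, suffix_list, zones=ZONE_DATA):
    """Resolve `name` like a client with a suffix search list: a name containing a
    dot is first tried as given, then each suffix is appended in list order.
    Returns (fqdn, address) for the first hit, or None when nothing matches."""
    name = name.rstrip(".").lower()
    candidates = [name] if "." in name else []
    candidates += [f"{name}.{suffix.lower()}" for suffix in suffix_list]
    for fqdn in candidates:
        if fqdn in zones:
            return fqdn, zones[fqdn]
    return None

def short_name_collisions(zones=ZONE_DATA):
    """Short names that exist in more than one domain. A suffix list cannot make
    these unambiguous; whichever suffix is listed first wins silently."""
    by_short = {}
    for fqdn in zones:
        by_short.setdefault(fqdn.split(".")[0], set()).add(fqdn)
    return {short: fqdns for short, fqdns in by_short.items() if len(fqdns) > 1}

def suffixes_needed(zones=ZONE_DATA):
    """Every domain suffix that must be on the search list for short names to work."""
    return {fqdn.split(".", 1)[1] for fqdn in zones}

def missing_suffixes(suffix_list, zones=ZONE_DATA):
    """Suffixes the forest uses that the given client search list does not carry."""
    return suffixes_needed(zones) - {s.lower() for s in suffix_list}

if __name__ == "__main__":
    search = ["corp.example.com", "emea.corp.example.com"]
    print(resolve("print02", search))            # found via the second suffix
    print(resolve("fs01", search))               # ambiguous: first suffix wins
    print(resolve("app", search))                # None: othertree suffix is not on the list
    print(short_name_collisions(), missing_suffixes(search))
```

The two audit helpers are the ones worth running against real zone exports: `short_name_collisions` is the naming-convention check, `missing_suffixes` is the search-list check, and a forest that passes both is exactly the case where the post says WINS is not needed.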
RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Is it possible to change who can create and/or edit GPOs? Sure. Will what you propose accomplish what you want it to? Nope. Your Domain Admins can just put themselves into the GP Creator Owners group, for example. Or in the root domain, they could put themselves into the Enterprise Admins group. Or they could just grant themselves permission again. Or they could... well, you get the idea. Your company needs fewer members of the Domain Admins group(s).

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?

Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?

Thanks in advance.
Andy
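Laura's point, that a Domain Admin who has lost the create-GPO permission can simply regain it, is a reachability question over the rights a principal holds. The following is an added example by the editor, not code from the list: a constructed authorization graph with hypothetical accounts (alice, bob, carol) and the three edge kinds the thread relies on (group membership, the ability to write a group's member list, and the ability to rewrite an object's DACL). The container DN is a placeholder. It shows that removing Domain Admins from the create list changes nothing for alice, while removing alice from Domain Admins does:

```python
"""Added example: why revoking a right from Domain Admins does not hold (constructed model)."""
from collections import deque

GPO_CONTAINER = "CN=Policies,CN=System,DC=example,DC=com"   # placeholder DN

def build_model():
    """Hypothetical domain. Domain Admins has already been removed from the
    create-groupPolicyContainer permission, as the original question proposes."""
    return {
        # principal or group -> groups it is a member of
        "member_of": {
            "alice": {"Domain Admins"},
            "bob": {"GP Creator Owners"},
            "carol": {"Helpdesk"},
        },
        # principal or group -> groups whose member attribute it can write
        "writes_members": {"Domain Admins": {"GP Creator Owners", "Enterprise Admins"}},
        # principal or group -> objects whose DACL or owner it can rewrite
        "writes_dacl": {"Domain Admins": {GPO_CONTAINER}},
        # groups that still hold the create-GPO permission after the change
        "holds_create_gpo": {"GP Creator Owners", "Enterprise Admins", "SYSTEM"},
    }

def gpo_create_path(principal, model):
    """Breadth-first search over the graph. Returns the first chain of steps by which
    `principal` ends up able to create GPOs, or None if no such chain exists."""
    queue = deque([(principal, [principal])])
    seen = {principal}
    while queue:
        node, path = queue.popleft()
        if node in model["holds_create_gpo"]:
            return path + ["holds create-GPO permission"]
        if GPO_CONTAINER in model["writes_dacl"].get(node, ()):
            return path + ["can rewrite the DACL of the Policies container"]
        steps = [(g, f"member of {g}") for g in model["member_of"].get(node, ())]
        steps += [(g, f"can add itself to {g}") for g in model["writes_members"].get(node, ())]
        for nxt, label in steps:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [label, nxt]))
    return None

def effective_gpo_creators(model):
    """Every principal that can create GPOs directly or by regaining the permission."""
    return {p for p in model["member_of"] if gpo_create_path(p, model) is not None}

def remove_from_group(model, principal, group):
    """The durable fix the thread recommends: take the account out of the powerful group."""
    model["member_of"][principal] = model["member_of"].get(principal, set()) - {group}
    return model

if __name__ == "__main__":
    m = build_model()
    for p in sorted(m["member_of"]):
        print(p, "->", gpo_create_path(p, m))
    remove_from_group(m, "alice", "Domain Admins")
    print("after removal:", sorted(effective_gpo_creators(m)))
```

Run over a real export of group memberships and container ACLs, the same search answers the question the thread keeps returning to: not "who holds the permission today" but "who can hold it whenever they choose".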
RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Time for a cyclical answer. IF you figure out a way to prevent a DA from creating GPO, and it works against a certain DA, then that DA does NOT deserve to be a DA. So, just save yourself the research and just remove that DA from the DA group right now. IF you have a DA whose skills or judgment you don't trust enough to entrust your GPO to, save yourself the research and just remove the said DA from the DA group.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Andy Wang
Sent: Mon 7/31/2006 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?

Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?

Thanks in advance.
Andy
RE: [ActiveDir] A saturaday getaway.. ?
Hey that sounds like fun!!! Consider me down for either location. J

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Monday, July 31, 2006 3:53 PM
To: ActiveDir@mail.activedir.org; Dre; Michah Castrenbaumawitz; [EMAIL PROTECTED]; mark; Nick Roman; Richard A. Celestin; Tommy Hong; Richad Hamon Ponce
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] A saturaday getaway.. ?

Since we're all pretty busy with work, school, raiding corporations (Rich), planning a group vacation this summer is pretty hard. I'd like to hit either Miami or Montreal next weekend for a few days, but I'm not sure who can make it, if anyone at all. That being said, I'm thinking we all should use a Saturday to hit a camp site that has a lake, outdoor grill, etc. We can do an all day thing which shouldn't affect anyone's schedule and wallet (hopefully). I've mentioned this to a few of you and I've gotten some feedback. So - if most of you are down and interested, let's start planning -- plan for a rain date as well. Consider this an open invitation.

-- hs
[ActiveDir] Replication from ASP
Does anyone know how I force replication through ASP 2.0? My DCs are all local (no WANs) and 2003 SP1. I have a web page that does account creation and then points the user to a portal which attempts to authenticate against AD. The portal software (Peoplesoft) can only attempt against a single DC, so if that user didn't create his account there it doesn't work right away.

Bryan Lucas
Server Administrator
Texas Christian University
RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Andy-

Yes, it's possible. There are actually two steps here. If you have GPMC, highlight the Group Policy Objects node on your domain and choose the Delegation tab. From here, you can delegate which groups can create GPOs in the domain. However, even if you remove Domain Admins from this list, what you will notice is that, when a GPO gets created by someone legitimately, the Domain Admins group will still have edit rights over that GPO. This is because the defaultSecurityDescriptor attribute on the groupPolicyContainer schema class object includes this group when any new objects are created. In order to change this, you will need to modify this attribute in the schema (e.g. using ADSIEdit) to remove that group from the SDDL list stored in that attribute.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?

Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?

Thanks in advance.
Andy
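The second step Darren describes, editing the SDDL in defaultSecurityDescriptor, is worth auditing before and after the change, because the string is dense and a trustee can appear in more than one ACE. The following is an added example by the editor, not code from the list or from Microsoft: a small SDDL DACL parser that lists which trustees hold write-class rights and removes every ACE for one trustee. The sample descriptor is constructed in the shape of a groupPolicyContainer default (full control for DA, EA, Creator Owner and SYSTEM, read for Authenticated Users); read the real value from your schema with ADSIEdit or LDAP rather than relying on this sample:

```python
"""Added example: audit and trim trustees in an SDDL DACL (constructed sample)."""
import re
from dataclasses import dataclass

# Well-known trustee abbreviations from the SDDL specification (subset).
TRUSTEE_NAMES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "CO": "Creator Owner",
    "SY": "Local System", "AU": "Authenticated Users", "BA": "Builtin Administrators",
}

# Rights that let a trustee change the object: generic all / generic write,
# write property, write DACL, write owner.
WRITE_RIGHTS = {"GA", "GW", "WP", "WD", "WO"}

@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" allow, "D" deny, "OA"/"OD" object-specific allow/deny
    flags: str      # e.g. "CI" container inherit
    rights: str     # two-letter right codes or a hex mask
    trustee: str    # SID abbreviation or a literal S-1-... SID

def split_rights(rights):
    """'RPLCLORC' -> ['RP', 'LC', 'LO', 'RC']; a hex mask is returned unchanged."""
    if rights.startswith("0x"):
        return [rights]
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights}")
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]

def parse_dacl(sddl):
    """Return (dacl_flags, [Ace, ...]) from the D: section of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = fields
        aces.append(Ace(ace_type, flags, rights, trustee))
    return m.group(1), aces

def trustees_with_write(aces):
    """Trustees granted any write-class right by an allow ACE."""
    return {a.trustee for a in aces
            if a.ace_type in ("A", "OA") and set(split_rights(a.rights)) & WRITE_RIGHTS}

def audit(sddl):
    """Map each trustee holding write rights to its friendly name (or raw SID)."""
    _, aces = parse_dacl(sddl)
    return {t: TRUSTEE_NAMES.get(t, t) for t in sorted(trustees_with_write(aces))}

def remove_trustee(sddl, trustee):
    """Drop every ACE whose trustee field equals `trustee` (for example 'DA')."""
    return re.sub(r"\([^)]*;" + re.escape(trustee) + r"\)", "", sddl)

# Constructed sample in the shape of a groupPolicyContainer default descriptor.
SAMPLE_SDDL = ("D:P(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA)"
               "(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)"
               "(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;CO)"
               "(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;SY)"
               "(A;CI;RPLCLORC;;;AU)")

if __name__ == "__main__":
    print("writers before:", audit(SAMPLE_SDDL))
    trimmed = remove_trustee(SAMPLE_SDDL, "DA")
    print("writers after :", audit(trimmed))
    print(trimmed)
```

Note that this only rewrites the schema default for newly created GPOs, exactly as the post says; existing groupPolicyContainer objects keep the ACL they were created with, and the audit function is just as useful for listing write trustees on those.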
Re: [ActiveDir] Revoke domain administrator's right to create GPO?
By revoking Domain Admins I mean revoking their membership...

On 7/31/06, Matt Hargraves [EMAIL PROTECTED] wrote:
I'd think of revoking Domain Admins and granting them their rights via an RBS group in AD. Changing the rights of the builtin admin groups isn't something that you should necessarily do, primarily because so many applications out there require special privileges and fail out because the application doesn't check to see if the user has the required rights, but instead checks to see if they're a member of the Domain Admins group. Domain and Enterprise Admins are a very powerful group of people. If you don't trust them to be able to do what they can do (or better yet, not do what they don't know how to do), then they shouldn't have those rights. I know that it's a constant battle to try and keep our membership in these groups down. Seriously... RBS is your friend. Rip those people out of the Domain Admins group. You can grant them the ability to do whatever they need to on users, computers or even OUs via AD security. Do it there and keep people out of the Domain Admins group if you can.

On 7/31/06, Andy Wang [EMAIL PROTECTED] wrote:
Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?

Thanks in advance.
Andy
Re: [ActiveDir] Revoke domain administrator's right to create GPO?
I'd think of revoking Domain Admins and granting them their rights via an RBS group in AD. Changing the rights of the builtin admin groups isn't something that you should necessarily do, primarily because so many applications out there require special privileges and fail out because the application doesn't check to see if the user has the required rights, but instead checks to see if they're a member of the Domain Admins group. Domain and Enterprise Admins are a very powerful group of people. If you don't trust them to be able to do what they can do (or better yet, not do what they don't know how to do), then they shouldn't have those rights. I know that it's a constant battle to try and keep our membership in these groups down. Seriously... RBS is your friend. Rip those people out of the Domain Admins group. You can grant them the ability to do whatever they need to on users, computers or even OUs via AD security. Do it there and keep people out of the Domain Admins group if you can.

On 7/31/06, Andy Wang [EMAIL PROTECTED] wrote:
Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?

Thanks in advance.
Andy
RE: [ActiveDir] Read-Only Domain Controller and Server Core
The Netware partial-replica model immediately jumped to mind when the RODC-PAS idea was broached. I can see a lot of customers trying to use this feature to create partial-replicas way beyond concerns of preventing replication of sensitive data. I suppose one big difference (making an assumption here) is the RODC-PAS will be global and not specific to each RODC. Still, I can see customers wanting to "strip out" all sorts of data they don't feel needs to be in the branches in order to reduce WAN utilization, database sizes, memory consumption, etc. Based on personal experience this would probably be a more common reason to deploy an RODC than concerns about physical security (not that I agree with them, of course).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, July 31, 2006 1:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

Hey Brian, good to see your name on the list... I got pinged offline on the basis behind this functionality. I admit to being a little shocked that someone was tossing password type info into other attributes especially with AD being so generally open to viewing, especially when using the Pre-W2K Compat group with auth'ed users allowed to see all attributes by default which most domains still seem to be in due to fears in what will break if it is turned off. If this is purely based on security concerns, I would be more apt to tell people to install ADAM on the DCs and put the data there. At least you know that is severely locked down by default and not having to be worried what side direction someone might come in and pop you from. From the standpoint of less crap being sent down to WAN DCs I like the idea. I realize I can't have branch level replication but at least being able to weed out all of the non-essential attributes would be a nice start for tiny branches with 10 users in domains with tens of thousands of users.

I actually recently had to say it didn't make any sense to move from Novell to AD for a customer because of that very issue. You can't imagine how much that pained me to say. In cases like that if there is no real strategic reason to move to AD, it is better to stay on Novell because of the replication model.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Puhl
Sent: Monday, July 31, 2006 4:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

You're right Joe that the RODC PAS would complicate things for the developers. The easy solution would be for developers to use the writeable flag when connecting to a DC, then they'd be guaranteed to not get an RODC, but even that isn't a great solution, and if we get the RODC GC it only becomes more complex. For general background though, the justification for the RODC PAS DCR is actually that there are numerous attributes which contain password hash, or password-like data. Because these attributes aren't part of the pre-defined list of secrets, they are replicated normally rather than on-demand via the PRP. It wouldn't do me much good to prevent replication of 5 password attributes, when a 6th one which also includes a hash gets pushed down through normal replication. There needs to be a way for an administrator to define where these secrets live and protect them accordingly. I've broached the topic of using this method to protect PII data a couple of times in relation to some RODC work we're doing internally, and the response is always that it's firmly in the realm of "unsupported", followed with a "that'd be a bad idea" and some serious head shaking, simply because of the way applications behave.

Brian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Sunday, July 30, 2006 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

I am not sure if I understand where you are going but let me explain where I am coming from. First, the passwords being there or not being there is not important for this talk, that is already built in and will be there, now the discussion is around everything versus an RODC PAS. Everything is already there as well but is an important option because it will be the most used option. Actually I expect to see a ton of RODCs deployed that are configured as replicate everything including passwords so that people get the RO part of the benefit and they don't have to worry about replicating bad stuff back into the "real directory" and not have to worry about password caching management, if someone logs on somewhere,
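Nathan's "negative PAS" (everything replicates to the RODC unless the schema marks an attribute as excluded) and Brian's "6th attribute with a hash" problem, both quoted in the Read-Only Domain Controller thread above, can be shown on a small simulation. This is an added example by the editor, not code from the list or from Microsoft, and it models the 2006 proposal rather than a shipped product; the application attributes and their flag values are constructed. Two things in it are real: 0x80 is the existing searchFlags confidential bit the thread mentions, and 0x200 is the searchFlags bit Windows Server 2008 later used when this idea shipped as the RODC filtered attribute set. The credential attributes listed as PRP secrets are the built-in ones that only reach an RODC through the password replication policy:

```python
"""Added example: simulation of a negative PAS / RODC filtered attribute set."""

SF_CONFIDENTIAL = 0x80     # existing confidential bit (used by DIMS / credential roaming)
SF_RODC_FILTERED = 0x200   # "do not replicate to RODC" marking, the negative-PAS idea

# Built-in credential attributes: secrets by definition, only sent to an RODC by
# the password replication policy (PRP), never by normal replication.
PRP_SECRETS = {"unicodePwd", "dBCSPwd", "supplementalCredentials",
               "ntPwdHistory", "lmPwdHistory"}

# Constructed schema fragment: attribute -> searchFlags. "appPasswordHash" and
# "dimsRoamedSecret" are hypothetical application attributes.
SCHEMA = {
    "sAMAccountName": 0,
    "mail": 0,
    "dimsRoamedSecret": SF_CONFIDENTIAL,   # confidential, but not marked for the RODC filter
    "appPasswordHash": 0,                  # the "6th attribute" carrying a hash, not marked yet
    "unicodePwd": 0,
}

def replicates_to_rodc(attr, schema):
    """Negative PAS rule: replicate unless the attribute is a PRP secret or carries
    the filtered bit. A brand-new attribute with searchFlags 0 therefore replicates,
    which is the app-compat property Nathan wants; confidential alone does not
    block it, which is why reusing that flag was rejected."""
    if attr in PRP_SECRETS:
        return False
    return not (schema.get(attr, 0) & SF_RODC_FILTERED)

def rodc_view(obj, schema):
    """Attributes of `obj` (name -> value) that an RODC would receive."""
    return {a: v for a, v in obj.items() if replicates_to_rodc(a, schema)}

def mark_filtered(schema, attr):
    """Administrator marks where a secret lives, as Brian asks for; returns a new schema."""
    updated = dict(schema)
    updated[attr] = updated.get(attr, 0) | SF_RODC_FILTERED
    return updated

def leaked_hash_attributes(obj, schema, hints=("hash", "pwd", "password")):
    """Audit helper: attributes whose name suggests password material but which
    would still be pushed to an RODC by normal replication."""
    return sorted(a for a in rodc_view(obj, schema)
                  if any(h in a.lower() for h in hints))

# Constructed user object; values are placeholders, not real credential material.
USER = {
    "sAMAccountName": "jdoe",
    "mail": "jdoe@example.com",
    "unicodePwd": "<nt-hash placeholder>",
    "appPasswordHash": "<app hash placeholder>",
    "dimsRoamedSecret": "<roamed blob placeholder>",
}

if __name__ == "__main__":
    print("leaks before marking:", leaked_hash_attributes(USER, SCHEMA))
    hardened = mark_filtered(mark_filtered(SCHEMA, "appPasswordHash"), "dimsRoamedSecret")
    print("RODC view after marking:", sorted(rodc_view(USER, hardened)))
```

The audit helper is the practical takeaway: before enabling any such filter, inventory which non-built-in attributes carry password-like data, because an unmarked one replicates exactly as Brian describes.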
Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
I guess the gist of what everyone is saying can be summed up with the following:
What does the current environment look like?
How extensive is your Exchange deployment going to be?
Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need to worry about breaking 1.25 GB, which is still well within the capability of a 32-bit server to handle.

On 7/29/06, joe [EMAIL PROTECTED] wrote:
To further add to this, it depends considerably on how populated you want your GAL to be. Some people just let the mandatory Exchange attributes get populated, others want the GAL to be the one stop shop for info on employees so everything goes into the GAL which means everything goes into AD.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

Assuming this is after defrag, 650MB without Exchange is quite a large AD – guess you'd be close to 100k users in your forest, if you've used the "standard" attributes of the objects in AD (and haven't added stuff like thumbnail pictures to your users…). After adding the Exchange schema mods, the DIT shouldn't grow substantially, since AD doesn't use any space for unused attributes – and the Exchange attributes for your objects won't be filled magically, until you mail-enable them. But once they are filled, it will impact your AD (e.g. E2k3 adds 130 attributes to the Public Information property set used by user class objects). It is very tough to make a guess at the actual size you'd have with a fully deployed Exchange, but if you do mail-enable the majority of your users (i.e. give them Exchange mailboxes) and add DLs etc., and assuming my guess with 100k users is in the right ballpark, your AD DIT would easily grow to 3-5 GB.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of RM
Sent: Thursday, July 27, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

NTDS.DIT is currently 650megs. Once Exchange has been fully deployed, any guesses as to how much larger it will become? Just looking for a ballpark figure...

thx,
RM
Re: [ActiveDir] Firewall block Group Policy
Thanks Darren and Za.

What if DCs are already configured to use a specific port for RPC/DCOM (http://support.microsoft.com/kb/224196/)? I think it can be used by clients as well, right? In other words, if I follow KB224196, do I need to open more based on the doc you provided (msdn_dcomfirewall.asp)?

Andy

On 7/27/06, Za Vue [EMAIL PROTECTED] wrote:
The article below works well. I push the registry to my machines via GPO. My ports used are 5001-5051.

-Z.V.

Darren Mar-Elia wrote:
Check out this article for restricting the range of dynamic ports used by RPC/DCOM.
http://msdn.microsoft.com/library/default.asp?url=

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Wang
Sent: Thursday, July 27, 2006 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Firewall block Group Policy

Hi,

When users are on the VPN network, they can not apply Group Policy since there is a firewall between the VPN network and the Internal network. Now, I need to find out how many ports are required to allow clients to successfully apply group policy. Based on KB832017, to successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols. Here is the port information:

Application protocol   Protocol    Ports
DCOM                   TCP + UDP   random port number between 1024 - 65534
ICMP (ping)            ICMP        20
LDAP                   TCP         389
SMB                    TCP         445
RPC                    TCP         135, random port number between 1024 - 65534

It is not feasible to open up so many high ports (1024 - 65534). So do you have any recommendation for this issue?

Thanks in advance!
Andy
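Once the KB224196 registry value pins the dynamic RPC/DCOM range (Za's 5001-5051, for instance), the firewall change Andy is asking about becomes a small coverage calculation: the fixed ports from the KB832017 table plus the pinned range, instead of 1024-65534. The following is an added example by the editor, not code from the list or from Microsoft; the port numbers come from the table quoted in the question, the registry-value syntax is KB224196's REG_MULTI_SZ of ranges, and the firewall rule sets are constructed. It builds the requirement list for a given range and reports which requirements a rule set fails to cover:

```python
"""Added example: check a firewall allow-list against what Group Policy processing needs."""

DEFAULT_DYNAMIC = (1024, 65534)   # the unrestricted "random port" range from the KB832017 table

def parse_ports_value(entries):
    """Turn KB224196 'Ports' REG_MULTI_SZ entries ('5001-5051', '6000') into (lo, hi) tuples."""
    ranges = []
    for entry in entries:
        lo, _, hi = entry.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {entry}")
        ranges.append((lo, hi))
    return ranges

def gpo_requirements(rpc_ranges=None):
    """(name, protocol, lo, hi) tuples a client must reach on the DC, per the table in
    the question. ICMP has no port and is carried as protocol 'icmp' with 0-0."""
    dynamic = rpc_ranges or [DEFAULT_DYNAMIC]
    reqs = [("RPC endpoint mapper", "tcp", 135, 135),
            ("LDAP", "tcp", 389, 389),
            ("SMB", "tcp", 445, 445),
            ("ICMP", "icmp", 0, 0)]
    for lo, hi in dynamic:
        reqs.append(("RPC/DCOM dynamic", "tcp", lo, hi))
        reqs.append(("DCOM dynamic", "udp", lo, hi))
    return reqs

def _merged(policy, proto):
    """Sorted, merged allow intervals for one protocol from (proto, lo, hi) rules."""
    spans = sorted((lo, hi) for p, lo, hi in policy if p == proto)
    merged = []
    for lo, hi in spans:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def policy_gaps(policy, requirements):
    """Requirements not fully covered by the allow rules; empty list means GPO traffic passes."""
    return [(name, proto, lo, hi) for name, proto, lo, hi in requirements
            if not any(a <= lo and hi <= b for a, b in _merged(policy, proto))]

def ports_opened(policy):
    """How many distinct TCP/UDP ports the policy exposes, a cheap sanity metric."""
    return sum(hi - lo + 1 for p in ("tcp", "udp") for lo, hi in _merged(policy, p))

# Constructed rule set with only the fixed ports open.
BASE_POLICY = [("tcp", 135, 135), ("tcp", 389, 389), ("tcp", 445, 445), ("icmp", 0, 0)]

if __name__ == "__main__":
    print("gaps, unrestricted RPC:", policy_gaps(BASE_POLICY, gpo_requirements()))
    pinned = parse_ports_value(["5001-5051"])
    policy = BASE_POLICY + [("tcp", lo, hi) for lo, hi in pinned] + [("udp", lo, hi) for lo, hi in pinned]
    print("gaps, pinned RPC      :", policy_gaps(policy, gpo_requirements(pinned)))
    print("ports opened          :", ports_opened(policy))
```

The check only covers the DC side of the table; whether the same pinned range also has to apply on the clients, which is Andy's follow-up question, is not something this calculation answers.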
Re: [ActiveDir] Read-Only Domain Controller and Server Core
The way I read that was as follows: 20% means that 20% of your assets are unprotected; 1/5 of sensitive data is not managed like it should be (controlled, audited, protected etc.); 20% of laptops with mobile data isn't encrypted; 20% of desktops unpatched; 20% of servers unpatched. You get the idea...

I seriously doubt that the guys that do the IT in MSland could have a 20% failure rate and not be taking remedial action to change a process or fix something. My guess is you'd like more like a 95 to 99% on that? A 20% failure rate on patching, for example, is not acceptable and I'd be calling MS and letting them know we got dead bodies that need cleaned up.

Which begs the question... I have seen on the PatchManagement.org listserve a 95% to 97% patch rate being striven for. What's the normal % success factor of managed machines you achieve?

Alex Alborzfard wrote:
Can you elaborate on why you think the 80/20 concept in security is sloppy joe (no pun intended!)?
Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, July 31, 2006 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

It is a sensitive spot with me, I think 80/20 is a great concept, but in security it is a bit sloppy.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, July 31, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Read-Only Domain Controller and Server Core

Darned if you weren't the only one to pick up on it. :)

On 7/30/06, joe [EMAIL PROTECTED] wrote:
Argh there it is 80/20 in a security discussion. Oi! :)

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Saturday, July 29, 2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Read-Only Domain Controller and Server Core

Agreed. Very useful.

Guido, I'm curious. You mentioned this:

"However, many companies have organized their AD with a geographic OU structure, which doesn't necessarily match 100% to their site structure, but certainly gets pretty close. And since the delegation model is often configured such that local admins manage particular aspects of the users and computers in their site, it is a common practice to move a user account from one OU to another when the user is relocated to a different location within the company. As such the OU structure is often a good starting base to build policies for which credentials to replicate to which RODC…"

How many of your customers do you see that travel between those sites and what would be the implications in your scenario/s? This has been a problem that I have seen many times in the past. I'm just curious what you've seen and how it's been solved.

In my case, I see everything from no technical resource on site (sometimes not even opposable thumbs that we can count on) to a local administrator. Often this depends on historical vs. business logic. To date, most designs I have been involved with have been the 80/20 of yep, that'll take care of most of your issues, but there will be exceptions and here's the plan for that. Some have also favored business unit logical lines. What I mean by that is a business unit's computing resources are deployed as cookie cutter as possible with the idea that almost the entire business unit will not need what a different business unit needs per se.

Another factor is the geographical and co-location of business units and some shared resources that the units might have. Typically a blend of the two approaches (base for *all* users anywhere, and business unit centric) has worked out since the co-location of business units makes sense for some organizations. But I'm wondering if you've seen differently? If anyone else sees another way of solving the issue, I'm interested in hearing about it if you can share.

I wonder about it because trying to get them to fit into an OU by geography can be a tough approach with lots of touch times. They will constantly move in and out of many different geo's during a given time period. The users move around a lot as well and some have high turnover.

Interesting.

Al

On 7/29/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:
But very useful idle chatter nonetheless ;-)
/Guido

From: [EMAIL PROTECTED] mailto:[EMAIL
Re: [ActiveDir] schema extensions for Vista wireless networking GP support
I thought all that stuff was part of the Server 2003 R2 schema extensions and would work in XP also.

On 7/28/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:
In case anyone is interested, here's a doc that describes the AD schema extensions that will be required to support the new wireless networking Group Policy stuff in Vista: http://www.microsoft.com/technet/itsolutions/network/wifi/vista_ad_ext.mspx

Darren
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
RE: [ActiveDir] Revoke domain administrator's right to create GPO?
<not an argument for implementing bad security>
I think we all know how bad it is to have hordes of DAs. We also know that it is the reality in many large and small orgs, and we also know that it is sometimes unavoidable for purely non-technical reasons. The bottom line is that many of those DAs probably don't know how to undo something that you take away from them, so security by obscurity, while pretty awful, sometimes actually works.
</not an argument for implementing bad security>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, July 31, 2006 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?

Hehe. Wrong list for this kind of question. Put on a helmet.

But... yes you can, for as long as the DAs decide to let it be that way. They will have no issues switching it right back. You CANNOT prevent DAs from doing anything they want in the domain or the forest. You can try like a duckling can try and put out the flames of a volcano with the beating of his wings, and you will be just as successful. There is no such thing as Domain Administrator and Super Domain Administrator. Once you get even administrator rights on a DC, you pretty much do what you want when you want. It really doesn't even take that much but we will start there.

The answer you are looking for is to reduce the number of DAs in the entire forest to 5 or less. You don't work for a large enough company to actually qualify to use LOTS of Domain Administrators unless there are lots of forests and only a few DAs in each. AD should be delegated or provisioned, it shouldn't have a bunch of folks with native high level rights. No this isn't impossible to do, some of us have done it in Fortune 5 companies and of course also in smaller companies.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?

Hi,

I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the Enterprise Admins group / Group Policy Creator Owners. Is it possible?

Thanks in advance.
Andy
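The practical consequence of joe's answer is that the thing worth measuring is not the ACL on the GPO container but the size of the Domain Admins group, since any DA can put the create right back. The report below is an added example, not part of the thread and not a Microsoft or GPMC script; it reads the ACL of the CN=Policies container (where GPMC's "Create GPOs" delegation lives, as CreateChild rights for groupPolicyContainer objects or for all child objects), resolves the groupPolicyContainer schema GUID from the schema rather than hard-coding it, and counts the recursive membership of the three groups that hold the right by default. It needs the ActiveDirectory module (RSAT) and makes no changes.

```powershell
# Added example: report who can create GPOs in the current domain and how many
# people hold the default-privileged groups. Read-only.
Import-Module ActiveDirectory

function Get-GpoCreatorReport {
    $dom        = Get-ADDomain
    $server     = $dom.PDCEmulator
    $policiesDn = "CN=Policies,CN=System,$($dom.DistinguishedName)"

    # schemaIDGUID of groupPolicyContainer, looked up from the schema partition.
    $schemaNc = (Get-ADRootDSE -Server $server).schemaNamingContext
    $gpcClass = Get-ADObject -Server $server -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
    $gpcGuid  = [guid]$gpcClass.schemaIDGUID

    # An ACE that lets a trustee create GPOs: Allow + CreateChild on CN=Policies,
    # either unrestricted (ObjectType = empty GUID) or limited to groupPolicyContainer.
    $acl = Get-Acl -Path "AD:\$policiesDn"
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $canCreate = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $createChild) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $gpcGuid)
        } |
        Select-Object -ExpandProperty IdentityReference -Unique

    # Recursive membership of the groups that can create GPOs by default. Enterprise Admins
    # lives in the forest root, so the lookup may fail from a child domain; that is tolerated.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Group Policy Creator Owners'
    $membership = foreach ($g in $groups) {
        $members = Get-ADGroupMember -Identity $g -Server $server -Recursive -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Group       = $g
            MemberCount = @($members).Count
            Members     = @($members | ForEach-Object { $_.SamAccountName })
        }
    }

    [pscustomobject]@{
        Domain            = $dom.DNSRoot
        PoliciesContainer = $policiesDn
        CanCreateGpo      = @($canCreate | ForEach-Object { $_.Value })
        Membership        = $membership
    }
}

$report = Get-GpoCreatorReport
"Trustees with create-GPO rights on $($report.PoliciesContainer):"
$report.CanCreateGpo
$report.Membership | Format-Table Group, MemberCount -AutoSize
# A long Domain Admins member list is the finding; trimming CanCreateGpo without
# trimming that list only lasts until a DA changes it back.
```

If the report shows a Domain Admins count far above joe's "5 or less", the ACL change Andy asked about is cosmetic; re-run the report after each round of delegation work to see whether the number is actually coming down.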
Re: [ActiveDir] DNS oddities?
Thanks Dean. I didn't quite understand your explanation of the tokens for the DHCP Client service. If it works for a subset of records, why not for all?

Anyway, I tried repro'ing. The first time I tried, none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on the parent and recreated a secure-update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. Restarting the DHCP Client fixed it this time even though it didn't before.

Once the box was up, I deleted the zone and restarted dhcpclient. Did the A record but not the SRV records (excluding the ones beneath _msdcs, which was in a different zone and I didn't clean them up). Restarting netlogon fixed that. So it looks like a combination of both restarting netlogon and dhcpclient is required.

Then deleted and recreated the zone, restarted the client DC. All DDNS update records were refused. Restarting dhcpclient was also not working, with all records refused. After a while some of the records appeared, minus the A record. Restarted dhcpclient again and the A record appeared.

However, hosting the child domain's zone on the child DC doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results.

M@

On 7/30/06, Dean Wells [EMAIL PROTECTED] wrote:
I bugged the behavior many moons ago … to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIR it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist -

1. reboot the new DC one more time
2. or -
   a. temporarily configure the zone to permit non-secure updates
   b. on the new DC, run ipconfig /registerdns or restart the DHCP client

HTH
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All

Can someone please explain the following observation?

Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only. Installed a new child domain and pointed to the root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the A record?

If I delete the child domain's zone from the parent domain DC/DNS server and recreate it, then use netdiag /test:dns /fix on the child DC, it does the same. Creates all records except for the A. I am puzzled: if the secure dynamic updates allow all these records to be created, what's up with the A record? Also netdiag /test:dns on the child DC reports everything required as OK even though the A record is missing in the child domain zone.

Thoughts?

Cheers
M~
Re: [ActiveDir] OT: A saturaday getaway.. ?
We'll write this off as a one-off addressing error, shall we?

Tony

PS. Is Saturaday a wet Saturday?

-- Original Message --
From: HBooGz [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Mon, 31 Jul 2006 15:53:02 -0400

Since we're all pretty busy with work, school, raiding corporations (Rich), planning a group vacation this summer is pretty hard. I'd like to hit either Miami or Montreal next weekend for a few days, but I'm not sure who can make it, if anyone at all. That being said, I'm thinking we all should use a Saturday to hit a camp site that has a lake, outdoor grill, etc. We can do an all day thing which shouldn't affect anyone's schedule and wallet (hopefully). I've mentioned this to a few of you and I've gotten some feedback. So - if most of you are down and interested, let's start planning -- plan for a rain date as well. Consider this an open invitation.

-- hs

Sent via the WebMail system at mail.activedir.org
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Read-Only Domain Controller and Server Core
Certainly I know of a couple of customers who could immediately make use of it in exactly that way right now. The first thing I would be doing once that feature hit is finding out how much I could strip out and then find ways to strip out even more because honestly, most of that Cat-1 base schema stuff really isn't necessary everywhere. :)

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner
Sent: Monday, July 31, 2006 5:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

The Netware partial-replica model immediately jumped to mind when the RODC-PAS idea was broached. I can see a lot of customers trying to use this feature to create partial-replicas way beyond concerns of preventing replication of sensitive data. I suppose one big difference (making an assumption here) is the RODC-PAS will be global and not specific to each RODC. Still, I can see customers wanting to "strip out" all sorts of data they don't feel needs to be in the branches in order to reduce WAN utilization, database sizes, memory consumption, etc. Based on personal experience this would probably be a more common reason to deploy an RODC than concerns about physical security (not that I agree with them, of course).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, July 31, 2006 1:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

Hey Brian, good to see your name on the list...

I got pinged offline on the basis behind this functionality. I admit to being a little shocked that someone was tossing password-type info into other attributes, especially with AD being so generally open to viewing, especially when using the Pre-W2K Compat group with authenticated users allowed to see all attributes by default, which most domains still seem to be in due to fears of what will break if it is turned off. If this is purely based on security concerns, I would be more apt to tell people to install ADAM on the DCs and put the data there. At least you know that is severely locked down by default and not having to be worried what side direction someone might come in and pop you from.

From the standpoint of less crap being sent down to WAN DCs I like the idea. I realize I can't have branch level replication but at least being able to weed out all of the non-essential attributes would be a nice start for tiny branches with 10 users in domains with tens of thousands of users. I actually recently had to say it didn't make any sense to move from Novell to AD for a customer because of that very issue. You can't imagine how much that pained me to say. In cases like that if there is no real strategic reason to move to AD, it is better to stay on Novell because of the replication model.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Puhl
Sent: Monday, July 31, 2006 4:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

You're right Joe that the RODC PAS would complicate things for the developers. The easy solution would be for developers to use the writeable flag when connecting to a DC, then they'd be guaranteed to not get an RODC, but even that isn't a great solution, and if we get the RODC GC it only becomes more complex.

For general background though, the justification for the RODC PAS DCR is actually that there are numerous attributes which contain password hash, or password-like data. Because these attributes aren't part of the pre-defined list of secrets, they are replicated normally rather than on-demand via the PRP. It wouldn't do me much good to prevent replication of 5 password attributes, when a 6th one which also includes a hash gets pushed down through normal replication. There needs to be a way for an administrator to define where these secrets live and protect them accordingly.

I've broached the topic of using this method to protect PII data a couple of times in relation to some RODC work we're doing internally, and the response is always that it's firmly in the realm of unsupported, followed with a "that'd be a bad idea" and some serious head shaking, simply because of the way applications behave.

Brian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Sunday, July 30, 2006 5:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

I am not sure if I understand where you are going but let me explain where I am coming from. First, the
Re: [ActiveDir] A saturaday getaway.. ?
Hey - even though I mistakenly added you guys and gals to this e-mail, it doesn't take away the invitation. We all need a few days of R&R! e.g. see below..! Thanks for the sense of humor!

On 7/31/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Giant Steps on the Palisades - Day Hike and Light Scramble
Saturday, August 12 w/ Sherpa Hodder
Entry Level Kilimanjaro / Machu Picchu Training Camp with a 500 foot ascent... 3 Scrambling Fields for full body exercise... Short but intense...
For you to bring: lunch, sandwiches, picnic, water, liquids... and good spirits !!
Upon return to the van, you will be greeted by beer, water, and gatorade... and some snacks for the way back...
Meeting / Departure: 9.00 am Upper East Side, 9.15 am Union Square, 9.30 am on the Upper West Side
Returning: ca. 3.00 pm or sooner
Cost: $45 Will include transport ! and some snacks plus BEER ! for the way back
Plus: lunch snack provided by: A healthy choice to go: http://www.e4b.com/
Questions / RSVP: [EMAIL PROTECTED]

Moonlight Rafting Adventure *New Event* With scheduled meteor shower !!
Saturday, August 12
Start at sunset and raft into the night... bring your headlamps... Fully Guided River Adventure: All levels, no prior experience necessary. After your journey get cozy by the bonfire, roast some marshmallows, enjoy cheese, crackers, and a glass or two of wine... on us!
PLUS: The Perseid meteor shower peaks on August 12th. Despite the full moon, this is the best night to watch the shower. The show starts at 9pm and continues through dawn. Locate Perseus in the sky, then wait and watch. You'll see 15-20 meteors per hour, plus earth grazers, meteors that skim the horizon. Make a wish.
Departure from Manhattan: 5.00 pm
Return: ca. 1.30 am
Cost: $125 Included: roundtrip transport ! rafts and guides, paddles and life vests. plus beer, wine, cheese are served.
Questions / RSVP: [EMAIL PROTECTED]

RAIN DATE: Overlander - Lake to Lake - Light to Intermediate Day Hike & Swim
Sunday, August 20
With the prospect of a hot August day, we will now include 2 lakes on the way... AND our final stop will be: the beach of Lake Tiorati ! Join us for a summer hike: Transportation provided !! into the Harriman Highlands for a fun and invigorating day in nature... Long loop for advanced and shorter loop for intermediate hikers both available and guided...
Meeting: 3 pick-up locations in Manhattan, UES, 14th Street, UWS
Departure: 9.00 am
Return: ca. 6.00 pm
Cost: $45 - Includes transport, water, gatorade, beer !! and some snacks for the way back
Plus: lunch snack provided by: A healthy choice to go: http://www.e4b.com/
Questions / RSVP: [EMAIL PROTECTED]

--
HBooGz:\
Re: [ActiveDir] schema extensions for Vista wireless networking GP support
No, this is for the new Wireless policy features that are specific to Vista. R2 does not include them. Server 2003 included the schema extensions for Wireless policy that first appeared in XP, but this is new stuff.

From: "Matt Hargraves" [EMAIL PROTECTED]
Sent: Monday, July 31, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] schema extensions for Vista wireless networking GP support

I thought all that stuff was part of the Server 2003 R2 schema extensions and would work in XP also.

On 7/28/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:
In case anyone is interested, here's a doc that describes the AD schema extensions that will be required to support the new wireless networking Group Policy stuff in Vista: http://www.microsoft.com/technet/itsolutions/network/wifi/vista_ad_ext.mspx

Darren
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Yeah I know where you are coming from Darren but absolutely can't say it is ok because I do not believe it is ok at all. I think saying it is ok or that it is understandable will relax people about it, and people absolutely should not be relaxed about it or feel that they can't do anything about it and that it isn't their responsibility to try and get corrected. It is a very bad thing and they need to always have that spectre over them where they know it. That helps, I think, in making it so it isn't a surprise when something inevitably screws up and no one can sit there saying, wow, I had no idea it was that bad of a thing. People need to be working towards locking down their environment every moment and looking for bad things and removing them every second. It is a long slow climb uphill but if the work isn't done, it will never happen until maybe, hopefully not, something absolutely blows and everyone has to jump and try to figure out how to do it in one fell swoop.

I saw the same logic of "the people really don't know what they can do"... used for running an Enterprise Data Center back in 1999 and this was with hundreds of NT servers and many domains and application owners were just given admin rights over all of these boxes and it was status quo; none of the people had a clue what kind of rights they had and figured anything bad they were actually protected from doing because it would be stupid to let them be able to do something bad. Everyone said it was fine and didn't cause issues until I came in and started looking at it and got sick of running around working on stupid preventable stuff so started making sure every issue was reported and floated up. While it made me and my group look bad initially because the availability of the servers appeared to have plummeted from where it was before, it was only that it appeared that way because we actually reported the problems where the previous folks hid everything under the carpet, and that slowly became apparent.

It slowly gave us the permission to fix stupid things that the previous group said was impossible to get changed. It was a lot of hard work but by the end of it, things actually did run well and stable. I know probably better than most the politics and the outright pain and difficulty involved because I lived through 80 and 100+ hour weeks of it in a very high pressure Fortune 5 environment where I had plant managers and VPs of manufacturing who had no problem screaming at me, but I also realize the huge benefits you get out of that work and I think any admins who are serious about doing a good job will keep it up and keep trying to fight the good fight. In the long run, they will look better for it, the company will be better off, and their lives, if they stick around for the benefits, will be easier. Folks who don't point out the bad things when they see them and push for better solutions aren't doing any favors for their employers, they are taking the easy route and it is counterproductive long term.

I don't do it so much for myself and the long term benefits for me as I never seemed to stay in the positions to benefit for longer than 3-4 years before I ran off and dived into another mess, but instead do it because I think that is what my job description as an Admin is. To do the absolute best job I know how to do and work towards making the best environment I can visualize. If luck is a component of the security model or the recovery model or the admin model, I don't consider that to be very good and I know you Darren don't either. You are just nicer than I am in saying it. :)

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Monday, July 31, 2006 7:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?

<not an argument for implementing bad security>
I think we all know how bad it is to have hordes of DAs. We also know that it is the reality in many large and small orgs, and we also know that it is sometimes unavoidable for purely non-technical reasons. The bottom line is that many of those DAs probably don't know how to undo something that you take away from them, so security by obscurity, while pretty awful, sometimes actually works.
</not an argument for implementing bad security>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, July 31, 2006 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?

Hehe. Wrong list for this kind of question. Put on a helmet.

But... yes you can, for as long as the DAs decide to let it be that way. They will have no issues switching it right back. You CANNOT prevent DAs from doing anything they want in the domain or the forest. You can try like a duckling can try
RE: [ActiveDir] DNS oddities?
"If it works for a subset of records, why not for all?"

Subsets of records are probably working because you have different services responsible for the different records, which also means different SPNs used to generate the Kerberos tickets for the services.

"Just would have been nice to see some consistency in the results."

Oh now you are just asking for the moon ;o)

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 31, 2006 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?

Thanks Dean. I didn't quite understand your explanation of the tokens for the DHCP Client service. If it works for a subset of records, why not for all?

Anyway, I tried repro'ing. The first time I tried, none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on the parent and recreated a secure-update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. Restarting the DHCP Client fixed it this time even though it didn't before.

Once the box was up, I deleted the zone and restarted dhcpclient. Did the "A" record but not the SRV records (excluding the ones beneath _msdcs, which was in a different zone and I didn't clean them up). Restarting netlogon fixed that. So it looks like a combination of both restarting netlogon and dhcpclient is required.

Then deleted and recreated the zone, restarted the client DC. All DDNS update records were refused. Restarting dhcpclient was also not working, with all records refused. After a while some of the records appeared, minus the "A" record. Restarted dhcpclient again and the "A" record appeared.

However, hosting the child domain's zone on the child DC doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results.

M@

On 7/30/06, Dean Wells [EMAIL PROTECTED] wrote:
I bugged the behavior many moons ago; to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIR it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist -

1. reboot the new DC one more time
2. or -
   a. temporarily configure the zone to permit non-secure updates
   b. on the new DC, run ipconfig /registerdns or restart the DHCP client

HTH
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All

Can someone please explain the following observation?

Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only. Installed a new child domain and pointed to the root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the "A" record?

If I delete the child domain's zone from the parent domain DC/DNS server and recreate it, then use "netdiag /test:dns /fix" on the child DC, it does the same. Creates all records except for the "A". I am puzzled: if the secure dynamic updates allow all these records to be created, what's up with the "A" record? Also netdiag /test:dns on the child DC reports everything required as OK even though the "A" record is missing in the child domain zone.

Thoughts?

Cheers
M~
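joe's explanation of the split (the DHCP Client service registers the host A record, Netlogon registers the DC locator SRV records, each under its own service identity and ticket) is why Matheesha needed both services restarted. The script below is an added example covering both the original "DNS oddities?" question and the repro in this reply; it is not Dean's, joe's or Microsoft's code. It checks the A record and the locator SRV records for a new child-domain DC against the authoritative server, reads the zone's dynamic-update setting, and runs the re-registration steps from the thread in the order that worked. Host and domain names are constructed placeholders; Resolve-DnsName (DnsClient module) and Get-DnsServerZone (DnsServer module, run on the DNS server) exist on Windows 8 / Server 2012 and later, where netdiag and ipconfig /registerdns were the 2003-era equivalents.

```powershell
# Added example: verify and repair a child-domain DC's DNS registrations.

function Test-DcDnsRecords {
    param(
        [string]$DcFqdn    = 'dc1.child.example.test',   # constructed placeholder
        [string]$DomainDns = 'child.example.test',       # constructed placeholder
        [string]$DnsServer = 'rootdc1.example.test'      # server hosting the child zone (placeholder)
    )
    # What a DC must register: its own A record (DHCP Client service) and the
    # DC locator SRV records (Netlogon). The _msdcs names live in the forest-root zone.
    $checks = @(
        @{ Name = $DcFqdn;                                Type = 'A'   }
        @{ Name = "_ldap._tcp.dc._msdcs.$DomainDns";     Type = 'SRV' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$DomainDns"; Type = 'SRV' }
        @{ Name = "_ldap._tcp.$DomainDns";                Type = 'SRV' }
        @{ Name = "_kerberos._tcp.$DomainDns";            Type = 'SRV' }
    )
    foreach ($c in $checks) {
        $answer = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
        # For SRV, "present" means this DC is one of the targets, not merely that some DC registered.
        $present = if ($c.Type -eq 'SRV') {
            @($answer | Where-Object { $_.NameTarget -eq $DcFqdn }).Count -gt 0
        } else {
            @($answer | Where-Object { $_.Type -eq 'A' }).Count -gt 0
        }
        [pscustomobject]@{ Record = $c.Name; Type = $c.Type; Present = $present }
    }
}

function Get-ZoneUpdatePolicy {
    param([string]$Zone = 'child.example.test', [string]$DnsServer = 'rootdc1.example.test')
    # 'Secure' is the setting in the thread; 'NonsecureAndSecure' is Dean's temporary workaround 2a.
    (Get-DnsServerZone -Name $Zone -ComputerName $DnsServer).DynamicUpdate
}

function Repair-DcDnsRegistration {
    # Run on the DC itself. Order follows what worked in the repro: DHCP Client owns
    # the A record, Netlogon owns the SRV records, so both are restarted.
    Restart-Service -Name Dhcp -Force
    ipconfig /registerdns | Out-Null
    Restart-Service -Name Netlogon -Force
    nltest /dsregdns | Out-Null    # ask Netlogon to re-register its locator records now
}

# Typical use from the new DC: check, repair only if something is missing, re-check.
$before = Test-DcDnsRecords
$before | Format-Table -AutoSize
if (@($before | Where-Object { -not $_.Present }).Count -gt 0) {
    Repair-DcDnsRegistration
    Start-Sleep -Seconds 30          # give the server time to accept the secure updates
    Test-DcDnsRecords | Format-Table -AutoSize
}
```

When the A record is the only missing entry, as in the original question, restarting the DHCP Client service is the relevant step; when the SRV records are missing but the A record is present, it is Netlogon. A zone whose update policy reads NonsecureAndSecure after troubleshooting should be put back to Secure once the records are in place.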