Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Bart Van den Wyngaert

Thanks all!

Now the reason that I want to use the Event Sink way is because there
is no more need than that... And like said, GFI is no longer. Neither
the doc on Smallbizz.

I know there is a manipulation needed on SMTP level, but I just don't
see it. If somebody knows the little trick (was it an additional
connector or virtual server)...?

Thanks for the other inputs so far.
Bart

On 8/3/06, Joe Kaplan [EMAIL PROTECTED] wrote:

Sure, I saw the message and remembered that we were still using a disclaimer
script for this, so I thought I'd offer some help, but a word of caution
about the fact that the script can get tricky.

With only that many users, many of those problems might never show up.  We
have a few more users than that (ok, 4 orders of magnitude!), so we see a
lot of weird stuff that is hard to even imagine when you are testing the
code.  :)

The product is probably a better choice, especially if it is cheap.

We really did try to buy a product to do this as we wanted more features and
fewer problems (or someone else to blame them on), but only the script had
reasonable performance.  Everything else brought our gateways to their knees
and had to be disabled.  I was shocked by this actually.  :)

Joe K.
- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 9:24 PM
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box


 This is an SBS box. we may have performance problems.. but it's
 certainly not caused by a SMTP sink event on that Exchange server  ;-)
 Remember at the most we're only hosting 75 users/devices on that server
 with a max of 75 gigs (remember no snickering from the Enterprise folks)
 of Store.

 (and reading his message.. see why I went with Policypatrol?

 Joe Kaplan wrote:
 We actually use a script at work after having tried a few products and
 having terrible performance problems.  If you are interested, I'll ping
 one of the exchange guys and see if he can provide a little direction.

 Once you actually get it working from a plumbing standpoint, the script
 itself is actually a bit trickier to implement than the trivial sample MS
 shows.  You have to decide if you are going to put HTML into HTML body
 parts, text into text body parts, both into messages that have both, and
 what to do about signed messages, as the disclaimer will change the data
 and invalidate the digital signature.  You also need to be careful you
 don't screw up the encoding of messages in non-ASCII or ISO-8859-1
 character sets. You can also decide if you want to add the disclaimer to
 messages that already contain it (sometimes mail routing may cause a
 message to hit the sink more than once) or not, and if you care about
 that, how do you decide if the disclaimer is in there?  :)

 Ours still has some issues with a few of these points, but some of the
 problems were too tough to deal with for the people who were trying to
 solve them, so they just slid.

 Joe K.
 - Original Message - From: Bart Van den Wyngaert
 [EMAIL PROTECTED]
 To: ActiveDir ActiveDir@mail.activedir.org
 Sent: Wednesday, August 02, 2006 3:41 PM
 Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box


 Hi guys,

 I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
 I'm using the EventSink with a .vbs to add the disclaimer. The box is
 configured with a default SMTP server and a SMTP connector which
 forwards all external email to the SMTP of the ISP.

 Anybody who has done the trick already? If so, can you please tell me
 the little secret for this? *g*

 Many thanks to all,
 Bart
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx



 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
 will hunt you down...
 http://blogs.technet.com/sbs



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
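
The decisions Joe Kaplan lists above (HTML into HTML parts, text into text parts, signed messages, character sets, double stamping), worked through in Python as an added example. It is not code from the thread and not the VBScript/CDO sink itself; the marker header name, the disclaimer wording and the sample messages are assumptions constructed for illustration.

```python
import html
import re
from email import message_from_bytes, policy

# Assumptions of this example; none of these names come from the thread.
MARKER = "X-Disclaimer-Applied"                     # hypothetical marker header
TEXT = "Confidential: sender & addressee only."     # constructed wording
PROTECTED = {"multipart/signed", "multipart/encrypted",
             "application/pkcs7-mime", "application/x-pkcs7-mime"}
# cte_type="7bit": rewritten non-ASCII parts are re-encoded (quoted-printable
# or base64) instead of being emitted as raw 8-bit text.
POLICY = policy.SMTP.clone(cte_type="7bit")


def _append(body, subtype):
    """Return body with the disclaimer added in the form that fits the part."""
    if subtype == "plain":
        return body.rstrip() + "\n\n" + TEXT + "\n"
    block = "<p>" + html.escape(TEXT) + "</p>"
    closers = list(re.finditer(r"</body\s*>", body, re.IGNORECASE))
    if not closers:                        # HTML fragment without a body element
        return body + block
    cut = closers[-1].start()              # insert before the last </body>
    return body[:cut] + block + body[cut:]


def add_disclaimer(raw):
    """Return (message_bytes, status) for one message passing the gateway."""
    msg = message_from_bytes(raw, policy=POLICY)
    if msg[MARKER] is not None:            # message hit the sink a second time
        return raw, "already-stamped"
    if any(p.get_content_type() in PROTECTED for p in msg.walk()):
        return raw, "skipped-protected"    # any edit would break the signature
    stamped = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        subtype = part.get_content_subtype()
        if subtype not in ("plain", "html"):
            continue
        charset = part.get_content_charset() or "us-ascii"
        try:
            new_body = _append(part.get_content(), subtype)
        except LookupError:                # unknown charset label: leave part alone
            continue
        try:                               # keep the sender's character set
            part.set_content(new_body, subtype=subtype, charset=charset)
        except UnicodeEncodeError:         # e.g. U+FFFD from undecodable bytes
            part.set_content(new_body, subtype=subtype, charset="utf-8")
        if part is not msg:
            del part["MIME-Version"]       # set_content adds it; sub-parts need none
        stamped += 1
    if not stamped:
        return raw, "no-text-part"
    msg[MARKER] = "1"
    return msg.as_bytes(), "stamped"


# Constructed sample messages (not taken from the thread).
SAMPLE_ALT = (
    b"From: a@example.com\r\nTo: b@example.net\r\nSubject: lunch\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=iso-8859-1\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    b"Caf=E9 at noon\r\n"
    b"--b1\r\nContent-Type: text/html; charset=iso-8859-1\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    b"<html><body><p>Caf=E9 at noon</p></body></html>\r\n"
    b"--b1--\r\n")
SAMPLE_SIGNED = (
    b"From: a@example.com\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    b' micalg=sha1; boundary="s1"\r\n\r\n'
    b"--s1\r\nContent-Type: text/plain\r\n\r\nsigned text\r\n"
    b"--s1\r\nContent-Type: application/pkcs7-signature\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"   # placeholder, not a real signature
    b"--s1--\r\n")

if __name__ == "__main__":
    for name, raw in (("alternative", SAMPLE_ALT), ("signed", SAMPLE_SIGNED)):
        out, status = add_disclaimer(raw)
        print(name, status, "then", add_disclaimer(out)[1])
```

The marker header only answers "did one of my own gateways already stamp this"; other hops can add or strip it, so it is a hint and not proof.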


Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Are you using the SBS's SMTP connector or using the 
http://support.microsoft.com/?id=317327 info there?


Marette's instructions to remove the SBS's native smtp connection, build 
a new one that listens on port 26, the time it would have taken me to 
follow her instructions.. I saved the time and money in getting out my 
credit card and buying an event sink already done.





Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Bart Van den Wyngaert

That's what I used, but in VBScript (the brother of the article you sent).

I indeed can bind that event sink to the default SMTP virtual server,
but I don't see the disclaimers on external addresses. Then I saw that
Marette had instructions involving some manipulation on SMTP in case
you're using SBS.

Which also kinda sounds strange. But when I went digging a little bit,
I found that clients working with OL, will not have the disclaimer
added (MAPI). Finally I'm having the impression that this is kinda
made difficult while it should be easy by design... Or am I missing
something on that point?

It's not about the money, at least I don't pay it so don't care. From
my point of view, it's the technical aspect that I want to know how
it's structured and how to make it work really. That way I gain the
knowledge :-)

Bart


Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

http://www.msexchange.org/articles/Disclaimer-Fun.html

Glutton for punishment aren't ya?


Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
*NOTE:* For single server configurations there is an issue that may 
prevent the described method from working as expected. Microsoft had a 
KB article – Q288756: SMTP Transport Event Does Not Fire For MAPI 
Messages – which was retired because the provided workaround (creating a 
second SMTP Virtual Server) did not always work in a reliable way. The 
problem occurs for mail that is sent by using a MAPI client, such as 
Outlook, which is not in SMTP format, therefore changes that are made by 
the event's code are not persisted.


If you are in this situation, my advice is for you to use a third party 
product.


FYI --- It may not work on a SBS box ergo why many of us say buy 
something.




Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Bart Van den Wyngaert

I'm blessed I know :-)

That article I didn't come across last night actually. Although the
info in that article I already did find. Performance isn't an issue btw
(min. 10 users).

Like I said before: I find this a real missing feature of Exchange...
As the author states, it's the most commonly asked question and
Exchange doesn't provide a nice GUI in which you can enable it.


RE: [ActiveDir] Remove Defunct domains..

2006-08-03 Thread neil.ruston



Look for 1b and 1c records in WINS for the defunct domain. 
Remove them and wait for WINS replication.

You should also use ntdsutil and remove the redundant AD 
objects too.

You can never stop ppl creating new workgroups - you should 
be able to determine the IP address of their members however and then track back 
to individual machines / users.


neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: 03 August 2006 03:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Remove Defunct domains..

hey guys -


Yes, i'm using wins.

Yes, they are appearing outside of network neighborhood.

what exactly would i examine (node type) that would help me pinpoint where 
these are appearing ? and how to get rid of it ?

definitely appears to be a browsing issue ?

how can i force who is the "master browser" for the domain ? all 
workstations are windows 2000 and windows xp


i'm also seeing workgroups that should have never been created and i'm now 
policing against -- any way to rid myself of this or detect where they are being 
generated ?

Thanks
On 8/2/06, Ayers, Diane [EMAIL PROTECTED] wrote:

  
  
  dusting off old NT 4.0 sectors 
  
  Check your WINS database if you are using WINS. Part of the 
  browsing data comes from WINS and the database will tell you where those 
  records are coming from. You can address it via the hosts if 
  it's coming from there or clean up your WINS db. 
  
  Diane
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
  Sent: Wednesday, August 02, 2006 3:10 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remove Defunct domains..
  
  
  
  
  That's a browser function 
  not something in AD. There's probably still computers joined to those domains 
  (even though they don't exist) or computers in workgroups with the same names 
  
  
  
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
  Sent: Wednesday, August 02, 2006 5:05 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remove Defunct domains..
  
  You can remove the orphaned 
  domains through NTDSUTIL. Doing a metadata cleanup.
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
  Sent: Wednesday, August 02, 2006 2:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Remove Defunct domains..
  
  Whenever i browse Network Neighborhood or view the list of available
  networks, there are a few domains that appear that shouldn't. Is there a way
  to remove these domain/domain entries manually ? ADSI edit ?

  -- HBooGz:\
PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and delete your

copy from your system. You must not copy, distribute or take any further

action in reliance on it. Email is not a secure method of communication and

Nomura International plc ('NIplc') will not, to the extent permitted by law,

accept responsibility or liability for (a) the accuracy or completeness of,

or (b) the presence of any virus, worm or similar malicious or disabling

code in, this message or any attachment(s) to it. If verification of this

email is sought then please request a hard copy. Unless otherwise stated

this email: (1) is not, and should not be treated or relied upon as,

investment research; (2) contains views or opinions that are solely those of

the author and do not necessarily represent those of NIplc; (3) is intended

for informational purposes only and is not a recommendation, solicitation or

offer to buy or sell securities or related financial instruments.  NIplc

does not provide investment services to private customers.  Authorised and

regulated by the Financial Services Authority.  Registered in England

no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,

London, EC1A 4NP.  A member of the Nomura group of companies.





[ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread neil.ruston

According to http://support.microsoft.com/kb/223757/en-us the SetForestVersion entry in the dcpromo answer file can only be used to set FFL to 1 or 0 when building a new forest.

Is this correct? I'd like to automate the transition to FFL=2 when building the first DC in a forest (without a script).

Perhaps another change request for Longhorn? :)


neil







Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Paul Williams
I've done this a couple of times, but on the exchange gateway servers, not 
on an SBS box.  I've never seen SBS.


Anyway, the easiest way to do this is to create a second virtual SMTP server 
and set it to listen on port 26 (and send on 25).  Configure the first 
virtual server to send on 26 (it's already listening on 25).  Then register 
the sink on the second virtual server.


The reason is that most of your clients are MAPI clients, so don't trigger 
the SMTP sink.


If you're using a connector, you need to point the second virtual server at 
the connector (I think, it's been even longer since I did one where they had 
an SMTP connector).


I'm afraid I can't give you the scripts as they're at customer sites, etc. 
One thing I will say is troubleshooting this is a real pain.  On one problem 
I had Dev Support MSFT people help out.  We took it from the bottom up. 
Unregistered all the sinks (that I'd registered, the VBS script you use to 
register allows you to view all sinks) and then registered a new one that 
simply created a text file on the D drive.


As you're using VBS, not VB, ensure that you use absolute paths for things 
like text files, etc. as the script will run and not error without absolute 
paths but they won't work...



--Paul

- Original Message - 
From: Bart Van den Wyngaert [EMAIL PROTECTED]

To: ActiveDir ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 9:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box



Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
I'm using the EventSink with a .vbs to add the disclaimer. The box is
configured with a default SMTP server and a SMTP connector which
forwards all external email to the SMTP of the ISP.

Anybody who has done the trick already? If so, can you please tell me
the little secret for this? *g*

Many thanks to all,
Bart
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx 
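
Two practical points from this thread, that a message can reach the sink more than once and that a VBS sink must use absolute paths, are shown together below as an added example; it is not a script from any poster or customer site. The header name, marker text, disclaimer wording and log path are assumptions chosen for illustration.

```vbscript
<SCRIPT LANGUAGE="VBScript">
' Added example, not a script from the thread. The stamp header, marker,
' disclaimer wording and log path below are assumptions for illustration.
Const CDO_RUN_NEXT_SINK = 0
Const FOR_APPENDING = 8
Const STAMP_HEADER = "urn:schemas:mailheader:x-disclaimer-applied"
Const MARKER = "[disclaimer-v1]"
' Absolute path: a relative path does not raise an error in the sink,
' the file just never appears where you expect it. Folder must exist.
Const LOG_FILE = "D:\SinkLogs\disclaimer-sink.log"

Sub ISMTPOnArrival_OnArrival(ByVal Msg, EventStatus)
    Dim stamped
    On Error Resume Next
    stamped = AlreadyStamped(Msg)
    If Err.Number <> 0 Then
        ' Could not inspect the message: log it and leave it untouched.
        WriteLog "check failed " & Err.Number & ": " & Err.Description
    ElseIf stamped Then
        WriteLog "skip, disclaimer already present: " & Msg.Subject
    Else
        AddDisclaimer Msg
        If Err.Number <> 0 Then
            WriteLog "add failed " & Err.Number & ": " & Err.Description
        Else
            WriteLog "added: " & Msg.Subject
        End If
    End If
    ' Always let the message continue through the remaining sinks.
    EventStatus = CDO_RUN_NEXT_SINK
End Sub

' True when this sink has already processed the message on an earlier pass.
Function AlreadyStamped(Msg)
    ' "" & value turns Empty or Null (header absent) into an empty string.
    If Len("" & Msg.Fields(STAMP_HEADER).Value) > 0 Then
        AlreadyStamped = True
    Else
        ' Fallback for messages whose headers were rewritten in transit.
        AlreadyStamped = (InStr(1, "" & Msg.TextBody, MARKER, vbTextCompare) > 0)
    End If
End Function

Sub AddDisclaimer(Msg)
    Dim textNote, htmlNote, html, pos
    textNote = vbCrLf & vbCrLf & "This message is confidential. " & MARKER & vbCrLf
    htmlNote = "<p>This message is confidential. " & MARKER & "</p>"

    html = "" & Msg.HTMLBody
    If Len(html) > 0 Then
        ' Insert before </body> when present, otherwise append.
        pos = InStr(1, html, "</body>", vbTextCompare)
        If pos > 0 Then
            Msg.HTMLBody = Left(html, pos - 1) & htmlNote & Mid(html, pos)
        Else
            Msg.HTMLBody = html & htmlNote
        End If
    End If

    ' Setting HTMLBody can regenerate the plain-text part, so only append
    ' when the marker has not already been carried over into it.
    If Len("" & Msg.TextBody) > 0 Then
        If InStr(1, Msg.TextBody, MARKER, vbTextCompare) = 0 Then
            Msg.TextBody = Msg.TextBody & textNote
        End If
    End If

    ' Stamp the message so a second pass through the sink is a no-op.
    Msg.Fields(STAMP_HEADER).Value = "1"
    Msg.Fields.Update
    Msg.DataSource.Save   ' commit the changes to the transport stream
End Sub

Sub WriteLog(line)
    Dim fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(LOG_FILE, FOR_APPENDING, True)
    f.WriteLine Now & " " & line
    f.Close
End Sub
</SCRIPT>
```

The log line per message also gives the bottom-up troubleshooting signal described above: if nothing is written, the sink is not firing on that virtual server at all.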




Re: [ActiveDir] OT: SBS question

2006-08-03 Thread Paul Williams
I've never seen SBS, but my younger brother has just started a new job 
(first one since leaving Uni) and bought a new server and it came with SBS. 
When he built it it appeared he had no choice but to make it a DC, even 
though he only wanted it as a member server -there's already an SBS box 
there.


Anyway, we didn't know at the time (this was a phone conversation) so I told 
him to go ahead with the promotion (thinking it was just a stupid Dell 
wizard) and demote it later.  He did this and now it reboots every day.


So, I think I know the answer to this from the tidbits of info. I've seen in 
the groups and forums, etc. but can the 2nd SBS box be added to the domain 
with the first SBS or does he need to get a k3 Std. license instead?  All he 
wants at this point in time is a SQL and file server.


(As you can guess, this is a small company, he's one of three dev guys 
there).


And, if they wanted to replace the existing SBS box with this new one, how 
do they go about that if you can't have more than one SBS box?  I doubt they 
want to migrate...


Thanks,


--Paul

- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 3:45 AM
Subject: Re: [ActiveDir] Information about lingering objects in a Windows 
2000-based forest or in a Windows Server 2003-based forest:




You know us blondes

With barely a twig, let alone a tree in our forest...and I'll have you 
know this twig is clean installed 2k3 domain (I strongly believe in no 
inplace even in our twig domains down here).


(and for the record for everyone's trivia tonight while I choose to have 
a single DC (at this time) ... SBS can support additional DCs in our 
domain hey.. I've even used ntdsutil and ADSIedit even down here  ;-)


Brett Shirley wrote:

Susan, how on earth could _you_ get a lingering object?  Seems impossible
with only one DC, oh wait did you just forget to delete it?

From The Love,
-B

On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:


Information about lingering objects in a Windows 2000-based forest or in 
a Windows Server 2003-based forest:

http://support.microsoft.com/?kbid=910205

--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I 
will hunt you down...

http://blogs.technet.com/sbs





--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I 
will hunt you down...

http://blogs.technet.com/sbs



RE: [ActiveDir] OT: SBS question

2006-08-03 Thread Robert Rutherford

You should only have one SBS per domain, and also per subnet. You should
be able to get round this by disabling DHCP on the new server... or
putting it on a different subnet, etc. 

SBS is by its nature a DC. You can go around hacking bits out of the
registry but you will end up violating the EULA.

The migration method entirely depends on the size and complexity of the
install. You might be better off with a scratch build and build it back,
again it depends on the state of play in the domain as it stands, i.e.
is it clean?

Also, if it's a dev box and they develop for external customers on MS
products, then he may be eligible for the Microsoft Action Pack
subscription. You can then get a cleaner setup with a 2003 member server
loaded with SQL... for a small annual fee.


Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 03 August 2006 10:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: SBS question

I've never seen SBS, but my younger brother has just started a new job
(first one since leaving Uni) and bought a new server and it came with SBS.
When he built it it appeared he had no choice but to make it a DC, even
though he only wanted it as a member server -there's already an SBS box
there.

Anyway, we didn't know at the time (this was a phone conversation) so I told
him to go ahead with the promotion (thinking it was just a stupid Dell
wizard) and demote it later.  He did this and now it reboots every day.

So, I think I know the answer to this from the tidbits of info. I've seen in
the groups and forums, etc. but can the 2nd SBS box be added to the domain
with the first SBS or does he need to get a k3 Std. license instead?  All he
wants at this point in time is a SQL and file server.

(As you can guess, this is a small company, he's one of three dev guys
there).

And, if they wanted to replace the existing SBS box with this new one, how
do they go about that if you can't have more than one SBS box?  I doubt they
want to migrate...

Thanks,


--Paul

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 3:45 AM
Subject: Re: [ActiveDir] Information about lingering objects in a Windows
2000-based forest or in a Windows Server 2003-based forest:


 You know us blondes

 With barely a twig, let alone a tree in our forest...and I'll have you
 know this twig is clean installed 2k3 domain (I strongly believe in no
 inplace even in our twig domains down here).

 (and for the record for everyone's trivia tonight while I choose to have
 a single DC (at this time) ... SBS can support additional DCs in our
 domain hey.. I've even used ntdsutil and ADSIedit even down here ;-)

 Brett Shirley wrote:
 Susan, how on earth could _you_ get a lingering object?  Seems impossible
 with only one DC, oh wait did you just forget to delete it?

 From The Love,
 -B

 On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:


 Information about lingering objects in a Windows 2000-based forest or in
 a Windows Server 2003-based forest:
 http://support.microsoft.com/?kbid=910205

 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
 will hunt you down...
 http://blogs.technet.com/sbs




 -- 
 Letting your vendors set your risk analysis these days? 
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man ...
I 
 will hunt you down...
 http://blogs.technet.com/sbs



Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Bart Van den Wyngaert

Thanks Paul, as they are currently working (GMT+1), I will test again
this evening and post my findings here.

As you pointed out: troubleshooting is a real pain in the ass... Yes
I'm using VBScript, I have more experience with that than VB itself
and that makes it more easy for me.

Indeed MAPI Clients = Outlook! What a wonderful world we live in...
I thought that they communicate with MAPI towards the Exchange server
which sends out in SMTP format. So I have a real problem with
understanding why MS didn't provide the feature themselves built-in.

Perhaps it's an idea for them for the future releases. They are
working on a lot of tools (ex. IMF) themselves to cut the need of
third-party tools, but something essential like this (I think it's
standard for a company to have a disclaimer, not?) is not available in
GUI and needs quite some manipulation. Additionally the exception of
working with SBS and having the SMTP connector to be able to forward
mail to the SMTP of your ISP.

I know I keep hanging on that point, but I think I'm not the only one.

On 8/3/06, Paul Williams [EMAIL PROTECTED] wrote:

I've done this a couple of times, but on the exchange gateway servers, not
on an SBS box.  I've never seen SBS.

Anyway, the easiest way to do this is to create a second virtual SMTP server
and set it to listen on port 26 (and send on 25).  Configure the first
virtual server to send on 26 (it's already listening on 25).  Then register
the sink on the second virtual server.

The reason is that most of your clients are MAPI clients, so don't trigger
the SMTP sink.

If you're using a connector, you need to point the second virtual server at
the connector (I think, it's been even longer since I did one where they had
an SMTP connector).

I'm afraid I can't give you the scripts as they're at customer sites, etc.
One thing I will say is troubleshooting this is a real pain.  On one problem
I had Dev Support MSFT people help out.  We took it from the bottom up.
Unregistered all the sinks (that I'd registered, the VBS script you use to
register allows you to view all sinks) and then registered a new one that
simply created a text file on the D drive.

As you're using VBS, not VB, ensure that you use absolute paths for things
like text files, etc. as the script will run and not error without absolute
paths but they won't work...


--Paul

- Original Message -
From: Bart Van den Wyngaert [EMAIL PROTECTED]
To: ActiveDir ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 9:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box


 Hi guys,

 I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
 I'm using the EventSink with a .vbs to add the disclaimer. The box is
 configured with a default SMTP server and a SMTP connector which
 forwards all external email to the SMTP of the ISP.

 Anybody who has done the trick already? If so, can you please tell me
 the little secret for this? *g*

 Many thanks to all,
 Bart


Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread victor-w
Perhaps it's an idea for them for the future releases

The functionality has been implemented in EX2K7.

Cheers,

Victor

- Original Message -
From: Bart Van den Wyngaert [EMAIL PROTECTED]
Date: Thursday, August 3, 2006 12:10 pm
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

 Thanks Paul, as they are currently working (GMT+1), I will test again
 this evening and post my findings here.

 As you pointed out: troubleshooting is a real pain in the ass... Yes
 I'm using VBScript, I have more experience with that than VB itself
 and that makes it more easy for me.

 Indeed MAPI Clients = Outlook! What a wonderful world we live in...
 I thought that they communicate with MAPI towards the Exchange server
 which sends out in SMTP format. So I have a real problem with
 understanding why MS didn't provide the feature themselves built-in.

 Perhaps it's an idea for them for the future releases. They are
 working on a lot of tools (ex. IMF) themselves to cut the need of
 third-party tools, but something essential like this (I think it's
 standard for a company to have a disclaimer, not?) is not available in
 GUI and needs quite some manipulation. Additionally the exception of
 working with SBS and having the SMTP connector to be able to forward
 mail to the SMTP of your ISP.

 I know I keep hanging on that point, but I think I'm not the only one.

 On 8/3/06, Paul Williams [EMAIL PROTECTED] wrote:
  I've done this a couple of times, but on the exchange gateway servers, not
  on an SBS box.  I've never seen SBS.

  Anyway, the easiest way to do this is to create a second virtual SMTP server
  and set it to listen on port 26 (and send on 25).  Configure the first
  virtual server to send on 26 (it's already listening on 25).  Then register
  the sink on the second virtual server.

  The reason is that most of your clients are MAPI clients, so don't trigger
  the SMTP sink.

  If you're using a connector, you need to point the second virtual server at
  the connector (I think, it's been even longer since I did one where they had
  an SMTP connector).

  I'm afraid I can't give you the scripts as they're at customer sites, etc.
  One thing I will say is troubleshooting this is a real pain.  On one problem
  I had Dev Support MSFT people help out.  We took it from the bottom up.
  Unregistered all the sinks (that I'd registered, the VBS script you use to
  register allows you to view all sinks) and then registered a new one that
  simply created a text file on the D drive.

  As you're using VBS, not VB, ensure that you use absolute paths for things
  like text files, etc. as the script will run and not error without absolute
  paths but they won't work...


  --Paul

  - Original Message -
  From: Bart Van den Wyngaert [EMAIL PROTECTED]
  To: ActiveDir ActiveDir@mail.activedir.org
  Sent: Wednesday, August 02, 2006 9:41 PM
  Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box


   Hi guys,

   I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
   I'm using the EventSink with a .vbs to add the disclaimer. The box is
   configured with a default SMTP server and a SMTP connector which
   forwards all external email to the SMTP of the ISP.

   Anybody who has done the trick already? If so, can you please tell me
   the little secret for this? *g*

   Many thanks to all,
   Bart


RE: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Michael B. Smith
The feature is in Exchange 2007. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert
Sent: Thursday, August 03, 2006 6:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

Thanks Paul, as they are currently working (GMT+1), I will test again
this evening and post my findings here.

As you pointed out: troubleshooting is a real pain in the ass... Yes
I'm using VBScript, I have more experience with that than VB itself
and that makes it more easy for me.

Indeed MAPI Clients = Outlook! What a wonderful world we live in...
I thought that they communicate with MAPI towards the Exchange server
which sends out in SMTP format. So I have a real problem with
understanding why MS didn't provide the feature themselves built-in.

Perhaps it's an idea for them for the future releases. They are
working on a lot of tools (ex. IMF) themselves to cut the need of
third-party tools, but something essential like this (I think it's
standard for a company to have a disclaimer, not?) is not available in
GUI and needs quite some manipulation. Additionally the exception of
working with SBS and having the SMTP connector to be able to forward
mail to the SMTP of your ISP.

I know I keep hanging on that point, but I think I'm not the only one.

On 8/3/06, Paul Williams [EMAIL PROTECTED] wrote:
 I've done this a couple of times, but on the exchange gateway servers, not
 on an SBS box.  I've never seen SBS.

 Anyway, the easiest way to do this is to create a second virtual SMTP server
 and set it to listen on port 26 (and send on 25).  Configure the first
 virtual server to send on 26 (it's already listening on 25).  Then register
 the sink on the second virtual server.

 The reason is that most of your clients are MAPI clients, so don't trigger
 the SMTP sink.

 If you're using a connector, you need to point the second virtual server at
 the connector (I think, it's been even longer since I did one where they had
 an SMTP connector).

 I'm afraid I can't give you the scripts as they're at customer sites, etc.
 One thing I will say is troubleshooting this is a real pain.  On one problem
 I had Dev Support MSFT people help out.  We took it from the bottom up.
 Unregistered all the sinks (that I'd registered, the VBS script you use to
 register allows you to view all sinks) and then registered a new one that
 simply created a text file on the D drive.

 As you're using VBS, not VB, ensure that you use absolute paths for things
 like text files, etc. as the script will run and not error without absolute
 paths but they won't work...


 --Paul

 - Original Message -
 From: Bart Van den Wyngaert [EMAIL PROTECTED]
 To: ActiveDir ActiveDir@mail.activedir.org
 Sent: Wednesday, August 02, 2006 9:41 PM
 Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box


  Hi guys,

  I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
  I'm using the EventSink with a .vbs to add the disclaimer. The box is
  configured with a default SMTP server and a SMTP connector which
  forwards all external email to the SMTP of the ISP.

  Anybody who has done the trick already? If so, can you please tell me
  the little secret for this? *g*

  Many thanks to all,
  Bart


Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Bart Van den Wyngaert

Hoorah !! :-)

On 8/3/06, Michael B. Smith [EMAIL PROTECTED] wrote:

The feature is in Exchange 2007.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert
Sent: Thursday, August 03, 2006 6:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

Thanks Paul, as they are currently working (GMT+1), I will test again
this evening and post my findings here.

As you pointed out: troubleshooting is a real pain in the ass... Yes
I'm using VBScript, I have more experience with that than VB itself
and that makes it more easy for me.

Indeed MAPI Clients = Outlook! What a wonderful world we live in...
I thought that they communicate with MAPI towards the Exchange server
which sends out in SMTP format. So I have a real problem with
understanding why MS didn't provide the feature themselves built-in.

Perhaps it's an idea for them for the future releases. They are
working on a lot of tools (ex. IMF) themselves to cut the need of
third-party tools, but something essential like this (I think it's
standard for a company to have a disclaimer, not?) is not available in
GUI and needs quite some manipulation. Additionally the exception of
working with SBS and having the SMTP connector to be able to forward
mail to the SMTP of your ISP.

I know I keep hanging on that point, but I think I'm not the only one.

On 8/3/06, Paul Williams [EMAIL PROTECTED] wrote:
 I've done this a couple of times, but on the exchange gateway servers, not
 on an SBS box.  I've never seen SBS.

 Anyway, the easiest way to do this is to create a second virtual SMTP server
 and set it to listen on port 26 (and send on 25).  Configure the first
 virtual server to send on 26 (it's already listening on 25).  Then register
 the sink on the second virtual server.

 The reason is that most of your clients are MAPI clients, so don't trigger
 the SMTP sink.

 If you're using a connector, you need to point the second virtual server at
 the connector (I think, it's been even longer since I did one where they had
 an SMTP connector).

 I'm afraid I can't give you the scripts as they're at customer sites, etc.
 One thing I will say is troubleshooting this is a real pain.  On one problem
 I had Dev Support MSFT people help out.  We took it from the bottom up.
 Unregistered all the sinks (that I'd registered, the VBS script you use to
 register allows you to view all sinks) and then registered a new one that
 simply created a text file on the D drive.

 As you're using VBS, not VB, ensure that you use absolute paths for things
 like text files, etc. as the script will run and not error without absolute
 paths but they won't work...


 --Paul

 - Original Message -
 From: Bart Van den Wyngaert [EMAIL PROTECTED]
 To: ActiveDir ActiveDir@mail.activedir.org
 Sent: Wednesday, August 02, 2006 9:41 PM
 Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box


  Hi guys,

  I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
  I'm using the EventSink with a .vbs to add the disclaimer. The box is
  configured with a default SMTP server and a SMTP connector which
  forwards all external email to the SMTP of the ISP.

  Anybody who has done the trick already? If so, can you please tell me
  the little secret for this? *g*

  Many thanks to all,
  Bart


Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams

It might be worth looking at the %systemroot%\system32\schema.ini file
again. I just had a poke around in there after reading Dean's answer to
your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
section is setting nTMixedMode. You can change that to 0 (for native) and
try adding mSDS-Behavior-Version and setting it to 2.

I don't know if that will work, but you're probably in a position to test
this...


--Paul


  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 03, 2006 9:39 AM
  Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

  According to http://support.microsoft.com/kb/223757/en-us the SetForestVersion entry
  in the dcpromo answer file can only be used to set FFL to 1 or 0 when building
  a new forest.

  Is this correct? I'd like to automate the transition to FFL=2 when building
  the first DC in a forest (without a script).

  Perhaps another change request for Longhorn? :)

  neil
  PLEASE READ: The information contained in this email is confidential and
  intended for the named recipient(s) only. If you are not an intended
  recipient of this email please notify the sender immediately and delete your
  copy from your system. You must not copy, distribute or take any further
  action in reliance on it. Email is not a secure method of communication and
  Nomura International plc ('NIplc') will not, to the extent permitted by law,
  accept responsibility or liability for (a) the accuracy or completeness of,
  or (b) the presence of any virus, worm or similar malicious or disabling
  code in, this message or any attachment(s) to it. If verification of this
  email is sought then please request a hard copy. Unless otherwise stated
  this email: (1) is not, and should not be treated or relied upon as,
  investment research; (2) contains views or opinions that are solely those of
  the author and do not necessarily represent those of NIplc; (3) is intended
  for informational purposes only and is not a recommendation, solicitation or
  offer to buy or sell securities or related financial instruments. NIplc
  does not provide investment services to private customers. Authorised and
  regulated by the Financial Services Authority. Registered in England
  no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
  London, EC1A 4NP. A member of the Nomura group of companies.



RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Dean Wells

As we English like to say on an unbelievably regular basis … same again
please. In this context however, I'm referring to the file I mentioned
earlier this week, the SCHEMA.INI.

Locate the [Partitions] section, roughly 9 or 10 lines below that you'll
see the line …

msDs-Behavior-Version=$REGISTRY=InstallForestBehaviorVersion

… erase the $REGISTRY=InstallForestBehaviorVersion and hard code the
value to 2 (I'd recommend taking a copy of the existing line first and
prefixing that copy with a semi-colon to comment it out). The result
should be

msDs-Behavior-Version=2
; msDs-Behavior-Version=$REGISTRY=InstallForestBehaviorVersion

HTH

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 03, 2006 4:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the
SetForestVersion entry in the dcpromo answer file can only be used to
set FFL to 1 or 0 when building a new forest.

Is this correct? I'd like to automate the transition to FFL=2 when
building the first DC in a forest (without a script).

Perhaps another change request for Longhorn? :)

neil



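The schema.ini edit described in the message above, written out as an added Python example (not code from the thread or from Microsoft). The sample file contents, the `[OtherSection]` name and the function names are constructed for illustration; only `[DEFAULTROOTDOMAIN]`, `[Partitions]`, `nTMixedMode` and the `msDs-Behavior-Version` line come from the thread.

```python
import re

# Constructed excerpt: only the section names, nTMixedMode and the
# msDs-Behavior-Version line come from the thread; the rest is filler.
SAMPLE_SCHEMA_INI = (
    "[DEFAULTROOTDOMAIN]\r\n"
    "nTMixedMode=1\r\n"
    "\r\n"
    "[Partitions]\r\n"
    "; filler comment, not from the real file\r\n"
    "placeholderKey=placeholderValue\r\n"
    "msDs-Behavior-Version=$REGISTRY=InstallForestBehaviorVersion\r\n"
    "\r\n"
    "[OtherSection]\r\n"
    "msDs-Behavior-Version=$REGISTRY=SomethingElse\r\n"
)

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# Lines starting with ';' are comments and deliberately do not match.
KEY_RE = re.compile(r"^\s*msDS-Behavior-Version\s*=\s*(.*?)\s*$", re.IGNORECASE)


def find_behavior_versions(text):
    """Return {section name: value} for each active msDS-Behavior-Version line."""
    found, section = {}, None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        key = KEY_RE.match(line)
        if key and section is not None:
            found[section] = key.group(1)
    return found


def seed_forest_level(text, level=2, section="Partitions"):
    """Hard-code the value in [section]; keep the old line as a ';' comment."""
    newline = "\r\n" if "\r\n" in text else "\n"
    out, current, changed = [], None, False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        header = SECTION_RE.match(body)
        if header:
            current = header.group(1)
        key = KEY_RE.match(body)
        in_target = current is not None and current.lower() == section.lower()
        if key and in_target and not changed:
            if key.group(1) == str(level):
                return text  # already hard-coded: leave the file untouched
            # New hard-coded line first, then the original kept as a comment,
            # matching the order shown in the message.
            out.append(f"msDs-Behavior-Version={level}{newline}")
            out.append(f"; {body.strip()}{newline}")
            changed = True
            continue
        out.append(line)
    if not changed:
        raise ValueError(f"no msDS-Behavior-Version line in [{section}]")
    return "".join(out)


if __name__ == "__main__":
    patched = seed_forest_level(SAMPLE_SCHEMA_INI)
    print(patched)
    # Review what each section will seed before running the promotion.
    print(find_behavior_versions(patched))
```

Run it against a copy of the file and compare the output of `find_behavior_versions` before and after, so that only the `[Partitions]` value has changed.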

RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Dean Wells

That's v. close my mint-sauce-fearing friend but it's likely that that will
set only the dom. func. level to K3 native (though to be honest I've not
tried). So, since forests tend to drag domains with them, functional level
wise, (i.e. when a new domain is created within an existing forest), we
simply need to tell the forest func. level to seed itself with a value of
2 … see my previous post for instructions on how to do that.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 03, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

It might be worth looking at the %systemroot%\system32\schema.ini file
again. I just had a poke around in there after reading Dean's answer to
your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
section is setting nTMixedMode. You can change that to 0 (for native)
and try adding mSDS-Behavior-Version and setting it to 2.

I don't know if that will work, but you're probably in a position to
test this...

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the
SetForestVersion entry in the dcpromo answer file can only be used to
set FFL to 1 or 0 when building a new forest.

Is this correct? I'd like to automate the transition to FFL=2 when
building the first DC in a forest (without a script).

Perhaps another change request for Longhorn? :)

neil




Re: [ActiveDir] Remove Defunct domains..

2006-08-03 Thread HBooGz
Thanks Neil -

How would one determine the IP of the members of a particular workgroup?

RE: NTDSUTIL - just do a search, that matches the whole string, for the
domain name? and remove accordingly?

On 8/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Look for 1b and 1c records in WINS for the defunct domain. Remove them
and wait for WINS replication.

You should also use ntdsutil and remove the redundant AD objects too.

You can never stop ppl creating new workgroups - you should be able to
determine the IP address of their members however and then track back to
individual machines / users.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: 03 August 2006 03:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Remove Defunct domains..

hey guys -

Yes, i'm using wins.

Yes, they are appearing outside of network neighborhood.

what exactly would i examine (node type) that would help me pinpoint
where these are appearing? and how to get rid of it?

definitely appears to be a browsing issue?

how can i force who is the master browser for the domain? all
workstations are windows 2000 and windows xp

i'm also seeing workgroups that should have never been created and i'm
now policing against -- any way to rid myself of this or detect where
they are being generated?

Thanks

On 8/2/06, Ayers, Diane [EMAIL PROTECTED] wrote:

  dusting off old NT 4.0 sectors

  Check your WINS database if you are using WINS. Part of the browsing
  data comes from WINS and the database will tell you where those records
  are coming from. You can address it via the hosts if it's coming from
  there or clean up your WINS db.

  Diane

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
  Sent: Wednesday, August 02, 2006 3:10 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remove Defunct domains..

  That's a browser function not something in AD. There's probably still
  computers joined to those domains (even though they don't exist) or
  computers in workgroups with the same names…

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
  Sent: Wednesday, August 02, 2006 5:05 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remove Defunct domains..

  You can remove the orphaned domains through NTDSUTIL. Doing a metadata
  cleanup.

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
  Sent: Wednesday, August 02, 2006 2:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Remove Defunct domains..

  Whenever i browse Network Neighborhood or view the list of available
  networks, there are a few domains that appear that shouldn't. Is there
  a way to remove these domain/domain entries manually?

  ADSI edit?

  --
  HBooGz:\

  --
  HBooGz:\

-- HBooGz:\


Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams

Ah nice, you got there before me with a better answer! :P

I'm poking around in there now, as I'm in a similar position to Neil at
the mo'.

Question: Can I provide schema.ini as an argument to the promotion or
unattended or do I need to mod the default file prior to running the
unattended script?

 mint-sauce-fearing friend

LOL. Yep. I'm adverse to such things as I'm fed up of the damned
English, Scottish, Irish, South African and Australian (and there's a
damned cheek) meet'g and bleh'g at me... ;-)

  - Original Message -
  From: Dean Wells
  To: Send - AD mailing list
  Sent: Thursday, August 03, 2006 1:30 PM
  Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

  That’s v. close my mint-sauce-fearing friend but it’s likely that that
  will set only the dom. func. level to K3 native (though to be honest
  I’ve not tried). So, since forests tend to drag domains with them,
  functional level wise, (i.e. when a new domain is created within an
  existing forest), we simply need to tell the forest func. level to seed
  itself with a value of 2 … see my previous post for instructions on how
  to do that.

  --
  Dean Wells
  MSEtechnology
  * Email: [EMAIL PROTECTED]
  http://msetechnology.com

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: Thursday, August 03, 2006 8:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

  It might be worth looking at the %systemroot%\system32\schema.ini file
  again. I just had a poke around in there after reading Dean's answer to
  your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
  section is setting nTMixedMode. You can change that to 0 (for native)
  and try adding mSDS-Behavior-Version and setting it to 2.

  I don't know if that will work, but you're probably in a position to
  test this...

  --Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the
SetForestVersion entry in the dcpromo answer file can only be used to
set FFL to 1 or 0 when building a new forest.

Is this correct? I'd like to automate the transition to FFL=2 when
building the first DC in a forest (without a script).

Perhaps another change request for Longhorn? :)

neil



RE: [ActiveDir] Remove Defunct domains..

2006-08-03 Thread Dean Wells

I’m gonna read between the lines a little and ask if you previously
trusted these domains?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Remove Defunct domains..

hey guys -

Yes, i'm using wins.

Yes, they are appearing outside of network neighborhood.

what exactly would i examine (node type) that would help me pinpoint
where these are appearing? and how to get rid of it?

definitely appears to be a browsing issue?

how can i force who is the master browser for the domain? all
workstations are windows 2000 and windows xp

i'm also seeing workgroups that should have never been created and i'm
now policing against -- any way to rid myself of this or detect where
they are being generated?

Thanks

On 8/2/06, Ayers, Diane [EMAIL PROTECTED] wrote:

dusting off old NT 4.0 sectors

Check your WINS database if you are using WINS. Part of the browsing
data comes from WINS and the database will tell you where those records
are coming from. You can address it via the hosts if it's coming from
there or clean up your WINS db.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, August 02, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

That's a browser function not something in AD. There's probably still
computers joined to those domains (even though they don't exist) or
computers in workgroups with the same names…

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains through NTDSUTIL. Doing a metadata
cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever i browse Network Neighborhood or view the list of available
networks, there are a few domains that appear that shouldn't. Is there a
way to remove these domain/domain entries manually?

ADSI edit?

--
HBooGz:\

--
HBooGz:\

RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Dean Wells

I don't believe DCpromo accepts an arg. that redirects its attention to
an alternate schema.ini but, to be honest, I've not looked that closely
since editing is easy enough (opinion-wise though … I doubt it does …
one of us here would have likely stumbled across it before now).

Re: your 2nd comment … hahahaha, LAMO :0)

PS … for those not English or confused, sorry … the explanation wouldn't
work anyway!

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 03, 2006 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

Ah nice, you got there before me with a better answer! :P

I'm poking around in there now, as I'm in a similar position to Neil at
the mo'.

Question: Can I provide schema.ini as an argument to the promotion or
unattended or do I need to mod the default file prior to running the
unattended script?

mint-sauce-fearing friend

LOL. Yep. I'm adverse to such things as I'm fed up of the damned
English, Scottish, Irish, South African and Australian (and there's a
damned cheek) meet'g and bleh'g at me... ;-)

- Original Message -
From: Dean Wells
To: Send - AD mailing list
Sent: Thursday, August 03, 2006 1:30 PM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

That's v. close my mint-sauce-fearing friend but it's likely that that
will set only the dom. func. level to K3 native (though to be honest
I've not tried). So, since forests tend to drag domains with them,
functional level wise, (i.e. when a new domain is created within an
existing forest), we simply need to tell the forest func. level to seed
itself with a value of 2 … see my previous post for instructions on how
to do that.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 03, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

It might be worth looking at the %systemroot%\system32\schema.ini file
again. I just had a poke around in there after reading Dean's answer to
your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
section is setting nTMixedMode. You can change that to 0 (for native)
and try adding mSDS-Behavior-Version and setting it to 2.

I don't know if that will work, but you're probably in a position to
test this...

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the
SetForestVersion entry in the dcpromo answer file can only be used to
set FFL to 1 or 0 when building a new forest.

Is this correct? I'd like to automate the transition to FFL=2 when
building the first DC in a forest (without a script).

Perhaps another change request for Longhorn? :)

neil




RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread neil.ruston

Someone needs to blog / document this file and its features &
functionality etc - it's not widely known and understood, I fear :)
[or perhaps it's a well kept secret and I just wasn't allowed to know :) ]

Many thanks again, Dean.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 03 August 2006 13:26
To: Send - AD mailing list
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

As we English like to say on an unbelievably regular basis … same again
please. In this context however, I'm referring to the file I mentioned
earlier this week, the SCHEMA.INI.

Locate the [Partitions] section, roughly 9 or 10 lines below that you'll
see the line …

msDs-Behavior-Version=$REGISTRY=InstallForestBehaviorVersion

… erase the $REGISTRY=InstallForestBehaviorVersion and hard code the
value to 2 (I'd recommend taking a copy of the existing line first and
prefixing that copy with a semi-colon to comment it out). The result
should be

msDs-Behavior-Version=2
; msDs-Behavior-Version=$REGISTRY=InstallForestBehaviorVersion

HTH

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 03, 2006 4:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the
SetForestVersion entry in the dcpromo answer file can only be used to
set FFL to 1 or 0 when building a new forest.

Is this correct? I'd like to automate the transition to FFL=2 when
building the first DC in a forest (without a script).

Perhaps another change request for Longhorn? :)

neil



OT: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread neil.ruston

LOL. Yep. I'm 
adverse to such things as I'm fed up of the damned English, Scottish, Irish, 
South African and Australian (and there's a damned cheek) meet'g and bleh'g at 
me... ;-)

O 
dear - we'll be seeing posts in Welsh next 
:)


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Paul 
WilliamsSent: 03 August 2006 13:43To: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Setting FFL=2 
automatically when building first DC in forest

Ah nice, you got there before me with a better 
answer! :P

I'm poking around in there now, as I'm in a 
similar position to Neil a the mo'.

Question: Can I provide schema.ini as an argument 
to the promotion or unattended or do I need to mod the default file prior to 
running the unattended script?


 mint-sauce-fearing friend 

LOL. Yep. I'm adverse to such things 
as I'm fed up of the damned English, Scottish, Irish, South African and 
Australian (and there's a damned cheek) meet'g and bleh'g at me... 
;-)



  - Original Message - 
  From: 
  Dean 
  Wells 
  To: Send - AD mailing list 
  Sent: Thursday, August 03, 2006 1:30 
  PM
  Subject: RE: [ActiveDir] Setting FFL=2 
  automatically when building first DC in forest
  
  
  Thats 
  v. close my mint-sauce-fearing friend but its likely that that will set only 
  the dom. func. level to K3 native (though to be honest Ive not tried). 
  So, since forests tend to drag domains with them, functional level wise, (i.e. 
  when a new domain is created within an existing forest), we simply need to 
  tell the forest func. level to seed itself with a value of 2  see my previous 
  post for instructions on how to do that.
  
  
  
  
  
  
  --Dean 
  WellsMSEtechnology* 
  Email: [EMAIL PROTECTED]http://msetechnology.com
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: Thursday, August 03, 2006 8:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

  It might be worth looking at the %systemroot%\system32\schema.ini file
  again. I just had a poke around in there after reading Dean's answer to
  your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
  section is setting nTMixedMode. You can change that to 0 (for native) and
  try adding mSDS-Behavior-Version and setting it to 2.

  I don't know if that will work, but you're probably in a position to test
  this...

  --Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the
SetForestVersion entry in the dcpromo answer file can only be used to set
FFL to 1 or 0 when building a new forest.

Is this correct? I'd like to automate the transition to FFL=2 when building
the first DC in a forest (without a script).

Perhaps another change request for Longhorn? :)

neil

PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,


Re: [ActiveDir] Remove Defunct domains..

2006-08-03 Thread Paul Williams



See kb216498 for the info. on the NTDSUTIL cleanup. Basically you need to
perform a metadata, DNS and FRS cleanup. That KB details all the necessary
steps.

You'd determine the IP address of the workgroup by the 1B and 1C records
registered for that name.

The domain master browser is performed by the PDCe. A master browser is
also elected on a per-subnet basis. Check out the Win2k RK book - TCP/IP
core networking guide for more info. There's an appendix on the browser
service.


--Paul



  - Original Message -
  From: HBooGz
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 03, 2006 1:33 PM
  Subject: Re: [ActiveDir] Remove Defunct domains..

  Thanks Neil -

  How would one determine the IP of the members of a particular workgroup ?

  RE: NTDSUTIL - just do a search, that matches the whole string, for the
  domain name ? and remove accordingly ?

  On 8/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  


Look for 1b and 1c records in WINS for the defunct domain. Remove them and
wait for WINS replication.

You should also use ntdsutil and remove the redundant AD objects too.

You can never stop ppl creating new workgroups - you should be able to
determine the IP address of their members however and then track back to
individual machines / users.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: 03 August 2006 03:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Remove Defunct domains..


hey guys -


Yes, i'm using wins.

Yes, they are appearing outside of network neighborhood.

what exactly would i examine (node type) that would help me pinpoint 
where these are appearing ? and how to get rid of it ?

definitely appears to be a browsing issue ?

how can i force who is the "master browser" for the domain ? all 
workstations are windows 2000 and windows xp


i'm also seeing workgroups that should have never been created and i'm 
now policing against -- any way to rid myself of this or detect where they 
are being generated ?

Thanks
On 8/2/06, Ayers, Diane [EMAIL PROTECTED] wrote:

  dusting off old NT 4.0 sectors

  Check your WINS database if you are using WINS. Part of the browsing data
  comes from WINS and the database will tell you where those records are
  coming from. You can address it via the hosts if it's coming from there or
  clean up your WINS db.

  Diane

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
  Sent: Wednesday, August 02, 2006 3:10 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remove Defunct domains..
  
  
  
  
  That's a browser 
  function not something in AD. There's probably still computers joined to 
  those domains (even though they don't exist) or computers in workgroups 
  with the same names… 
  
  
  Thanks,
  Brian 
  Desmond
  [EMAIL PROTECTED]
  
  c - 
  312.731.3132
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
  Sent: Wednesday, August 02, 2006 5:05 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remove Defunct domains..

  You can remove the orphaned domains through NTDSUTIL. Doing a metadata
  cleanup.

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
  Sent: Wednesday, August 02, 2006 2:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Remove Defunct domains..

  Whenever i browse Network Neighborhood or view the list of available
  networks, there are a few domains that appear that shouldn't. Is there a
  way to remove these domain/domain entries manually ?

  ADSI edit ?

  --
  HBooGz:\

  --
  HBooGz:\


RE: [ActiveDir] Remove Defunct domains..

2006-08-03 Thread neil.ruston



... or loadup "browmon". it's been a while since I 
used that, so pls, no questions :)


neil



Re: [ActiveDir] OT: SBS question

2006-08-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
SBS must be a PDC of a network.. you are seeing the effects of SBSCore 
a dll that checks to make sure you are running SBS as a domain 
controller and that there are no other SBS servers in the network. If it 
does, it will say sorry Dude, I ain't running and will reboot 
constantly.  It's a license checking mechanism to ensure you meet the 
EULA on the box.


You can't have two SBS boxes on the same network. 

Oh..oh when did they buy this?  If this is OEM.. and he bought it after 
March of this year.. there's a technology upgrade program where he can 
get R2.  What's cool about R2 is the license.  It allows you to have 
additional SQL servers in the network without having to buy SQL cals.  
The SBS cals will cover.  But he can't have 2 SBS boxes.  But this also 
depends on if he can run SQL 2005 workgroup as the R2 era has that as 
its SQL flavor.


As far as replacing the SBS box.. we have a method for that that we 
recommend at www.sbsmigration.com


Please.. by all means... give him my email address.  We need to get him 
to SBS resources.  He's got a lot of options here.. but he's now in 
SBSland and we do things a little differently and this isn't the venue 
for a SBS discussion.


Forward him this email, give him my email addy... we need to talk.  He's 
got options.


Paul Williams wrote:
I've never seen SBS, but my younger brother has just started a new job 
(first one since leaving Uni) and bought a new server and it came with 
SBS. When he built it it appeared he had no choice but to make it a 
DC, even though he only wanted it as a member server - there's already 
an SBS box there.


Anyway, we didn't know at the time (this was a phone conversation) so 
I told him to go ahead with the promotion (thinking it was just a 
stupid Dell wizard) and demote it later.  He did this and now it 
reboots every day.


So, I think I know the answer to this from the tidbits of info. I've 
seen in the groups and forums, etc. but can the 2nd SBS box be added 
to the domain with the first SBS or does he need to get a k3 Std. 
license instead?  All he wants at this point in time is a SQL and file 
server.


(As you can guess, this is a small company, he's one of three dev guys 
there).


And, if they wanted to replace the existing SBS box with this new one, 
how do they go about that if you can't have more than one SBS box?  I 
doubt they want to migrate...


Thanks,


--Paul

- Original Message - From: Susan Bradley, CPA aka Ebitz - SBS 
Rocks [MVP] [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 3:45 AM
Subject: Re: [ActiveDir] Information about lingering objects in a 
Windows 2000-based forest or in a Windows Server 2003-based forest:




You know us blondes

With barely a twig, let alone a tree in our forest...and I'll have 
you know this twig is clean installed 2k3 domain (I strongly believe 
in no inplace even in our twig domains down here).


(and for the record for everyone's trivia tonight while I choose to 
have a single DC (at this time) ... SBS can support additional DCs in 
our domain hey.. I've even used ntdsutil and ADSIedit even down 
here  ;-)


Brett Shirley wrote:
Susan, how on earth could _you_ get a lingering object?  Seems impossible
with only one DC, oh wait did you just forget to delete it?

From The Love,
-B

On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
wrote:



Information about lingering objects in a Windows 2000-based forest 
or in a Windows Server 2003-based forest:

http://support.microsoft.com/?kbid=910205

--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man 
... I will hunt you down...

http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx






Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams



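Am hwyl, dwi am ymateb drwy beidio a dweud dim 
byd mwy nagadlewyrchu dy bwynt!
[Welsh; in English: "For fun, I'm going to respond by saying nothing more
than reflecting your point!"]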


  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 03, 2006 2:10 PM
  Subject: OT: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

  LOL. Yep. I'm adverse to such things as I'm fed up of the damned English,
  Scottish, Irish, South African and Australian (and there's a damned cheek)
  meet'g and bleh'g at me... ;-)

  O dear - we'll be seeing posts in Welsh next :)
  
  

Re: [ActiveDir] OT: SBS question

2006-08-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
...and btw we have a lot of SBS boxes installed in homes... in case you 
ever want to play with active directory in a home environment :-)



RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Dean Wells








Nod, but sfkds sdkfk skdwpoe cdof slkap d dkds y dlsdk lspw dod sfd
qwpw slla dsk ccdpow yours too.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com






















Re: [ActiveDir] Need some user/group tools...

2006-08-03 Thread AFidel

Hyena from http://www.systemtools.com/
is a great tool for doing this, in fact it can do a lot more =)
We use it for compliance reporting,
we build up reports including folder ACL's, local group membership, and
AD group membership including nested group membership. It has some pretty
powerful filtering tools and can save objects so you can run multiple reports
while only hitting your DC's once. I don't work for them, just a satisfied
admin who likes the productivity boost from good tools =)

Thanks,
Andrew Fidel





Matt Hargraves [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/01/2006 07:28 PM
Please respond to: ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Need some user/group tools...








This might be something that I can do with a combination
of scripts, though I'm not sure where I'd get them from.

1) I need to be able to export a list of users (the userID is fine) with
their group memberships. (AD objects) 

2) I need to be able to export a list of groups with their list of members
and memberships. (AD objects)

3) I need to be able to export a list of groups with their list of members
and memberships. (NT objects) 

Once I get all of that information, I need to 'connect the dots' between
domains to determine overall group membership (across domains), including
nesting. If the tool doesn't exist to do this last part I'm sure
I can find someone to do the gruntwork of putting together a vbscript
to do the grunt work of it in Access or something like that.

Preferably all of this would go into CSV files so that it can go into Access
or maybe pull it all into SQL.

Thanks for any help that can be provided. 
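The "connect the dots" step from the request above, as an added example (not from the thread and not part of Hyena or any other tool named in it). It assumes the direct memberships of every domain have already been exported into one CSV with the constructed columns `group`, `member` and `member_type`, with names written as `DOMAIN\name`; it resolves nested membership across domains and tolerates circular nesting.

```python
import csv
import io
import sys
from collections import defaultdict, deque

# Constructed sample: one row per DIRECT membership, names qualified as
# DOMAIN\name so AD and NT 4.0 groups with the same short name stay distinct.
SAMPLE_CSV = r"""group,member,member_type
CORP\Domain Admins,CORP\alice,user
CORP\Domain Admins,CORP\Server Ops,group
CORP\Server Ops,CORP\bob,user
CORP\Server Ops,NT4DOM\Operators,group
NT4DOM\Operators,NT4DOM\carol,user
NT4DOM\Operators,CORP\Loop,group
CORP\Loop,NT4DOM\Operators,group
CORP\Loop,CORP\dave,user
"""


def load_memberships(text):
    """Parse the export into (parents, display, users).

    parents maps a member key to the set of groups it is a direct member of.
    Keys are case-folded because account names compare case-insensitively;
    display keeps the first spelling seen for reporting.
    """
    parents = defaultdict(set)
    display = {}
    users = set()
    for row in csv.DictReader(io.StringIO(text)):
        group, member = row["group"].strip(), row["member"].strip()
        gkey, mkey = group.casefold(), member.casefold()
        display.setdefault(gkey, group)
        display.setdefault(mkey, member)
        parents[mkey].add(gkey)
        if row["member_type"].strip().lower() == "user":
            users.add(mkey)
    return parents, display, users


def effective_groups(principal, parents):
    """Return {group_key: chain}, chain being the shortest list of groups
    leading from a direct membership of the principal up to that group.

    Breadth-first walk; a group already recorded is never expanded again,
    so circular nesting (A in B, B in A) terminates. If the principal is
    itself a group and shows up in its own result, it sits on such a loop.
    """
    chains = {}
    queue = deque((g, [g]) for g in sorted(parents.get(principal.casefold(), ())))
    while queue:
        group, chain = queue.popleft()
        if group in chains:
            continue
        chains[group] = chain
        for parent in sorted(parents.get(group, ())):
            if parent not in chains:
                queue.append((parent, chain + [parent]))
    return chains


def membership_report(text):
    """One row per (user, effective group), with the nesting path."""
    parents, display, users = load_memberships(text)
    rows = []
    for user in sorted(users):
        for group, chain in sorted(effective_groups(user, parents).items()):
            rows.append({
                "user": display[user],
                "group": display[group],
                "kind": "direct" if len(chain) == 1 else "nested",
                "via": " -> ".join(display[g] for g in chain),
            })
    return rows


if __name__ == "__main__":
    # Emit CSV so the result can be loaded into Access or SQL.
    writer = csv.DictWriter(sys.stdout, fieldnames=["user", "group", "kind", "via"])
    writer.writeheader()
    writer.writerows(membership_report(SAMPLE_CSV))
```

The `via` column is what makes the output useful for a privilege review: it shows through which nested group, possibly in another domain, a user ends up in a sensitive group.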


RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Kevin Brunson
Don't you love online translators

Am hwyl, dwi am ymateb drwy beidio a dweud dim byd mwy
nagadlewyrchu dy bwynt! =

About sail , I am being about answer
through cease I go say anything world more nor reflect he covers point!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 03, 2006 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

Am hwyl, dwi am ymateb drwy beidio a dweud dim byd mwy
nagadlewyrchu dy bwynt!

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 2:10 PM
Subject: OT: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

LOL. Yep.
I'm adverse to such things as I'm fed up of the damned English, Scottish,
Irish, South African and Australian (and there's a damned cheek) meet'g and
bleh'g at me... ;-)

O dear - we'll be seeing posts in Welsh
next :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 03 August 2006 13:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

Ah nice, you got there before me with a better
answer! :P

I'm poking around in there now, as I'm in a similar
position to Neil at the mo'.

Question: Can I provide schema.ini as an argument to the
promotion or unattended or do I need to mod the default file prior to running
the unattended script?

mint-sauce-fearing friend

LOL. Yep. I'm adverse to such things as I'm
fed up of the damned English, Scottish, Irish, South African and Australian
(and there's a damned cheek) meet'g and bleh'g at me... ;-)

- Original Message -
From: Dean Wells
To: Send - AD mailing list
Sent: Thursday, August 03, 2006 1:30 PM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

That's v. close my mint-sauce-fearing friend but it's likely that that will set
only the dom. func. level to K3 native (though to be honest I've not
tried). So, since forests tend to drag domains with them, functional
level wise, (i.e. when a new domain is created within an existing forest), we
simply need to tell the forest func. level to seed itself with a value of 2
… see my previous post for instructions on how to do that.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 03, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

It might be worth looking at the
%systemroot%\system32\schema.ini file again. I just had a poke around in
there after reading Dean's answer to your question yesterday and the first
section, the [DEFAULTROOTDOMAIN] section is setting nTMixedMode. You can
change that to 0 (for native) and try adding mSDS-Behavior-Version and
setting it to 2.

I don't know if that will work, but you're probably in a
position to test this...

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the
SetForestVersion entry in the dcpromo answer file can only be used to set
FFL to 1 or 0 when building a new forest.

Is this correct? I'd like to automate the transition to FFL=2 when building the
first DC in a forest (without a script).

Perhaps another change request for Longhorn? :)

neil

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
Ha ha.

(I don't actually speak Welsh. A friend of
mine translated my English sentence into Welsh for that witty
reply).

  - Original Message -
  From: Dean Wells
  To: Send - AD mailing list
  Sent: Thursday, August 03, 2006 3:25 PM
  Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

  Nod,
  but sfkds sdkfk skdwpoe cdof slkap d dkds y dlsdk lspw dod sfd qwpw slla dsk
  ccdpow yours too.

  --
  Dean Wells
  MSEtechnology
  * Email: [EMAIL PROTECTED]
  http://msetechnology.com
  
Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
"Am hwyl, dwi am ymateb drwy beidio a dweud dim
byd mwy nag adlewyrchu dy bwynt!"

 =

"Just for fun, I'll respond with an answer that
says nothing but simply illustrates your point."

  - Original Message -
  From: Kevin Brunson
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 03, 2006 3:33 PM
  Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

  Don’t you love online translators

  Am hwyl, dwi am ymateb drwy
  beidio a dweud dim byd mwy nagadlewyrchu dy bwynt! =

  About sail , I am
  being about answer through cease I go say anything world more nor reflect he
  covers point!
  
Re: [ActiveDir] Remove Defunct domains..

2006-08-03 Thread HBooGz
Hey Guys -

It's really an OLD NT 4.0 domain that was migrated over to 2k and just recently upgraded to 2003 R2. I'm sure i'd have to probably cleanup the metadata, etc.

but anyway to curb the creation of these rogue workgroups ? if i can't curb, how i can successfully remove or be alerted ?
alerting sounds advantageous...

On 8/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

... or loadup browmon. it's been a while since I
used that, so pls, no questions :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: 03 August 2006 14:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Remove Defunct domains..

See kb216498 for the info. on the NTDSUTIL
cleanup. Basically you need to perform a metadata, DNS and FRS
cleanup. That KB details all the necessary steps.

You'd determine the IP address of the workgroup
by the 1B and 1C records registered for that name.

The domain master browser is performed by the
PDCe. A master browser is also elected on a per-subnet basis. Check
out the Win2k RK book - TCP/IP core networking guide for more info.
There's an appendix on the browser service.

--Paul

  - Original Message -
  From: HBooGz
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 03, 2006 1:33 PM
  Subject: Re: [ActiveDir] Remove Defunct domains..

  Thanks Neil -

  How would one determine the IP of the members of a particular workgroup ?

  RE: NTDSUTIL - just do a search, that matches the whole string, for the domain name ? and remove accordingly ?

  On 8/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Look for 1b and 1c records in WINS for the defunct domain. Remove them and wait for
WINS replication.

You should also use ntdsutil and remove the redundant AD objects too.

You can never stop ppl creating new workgroups - you should be able to determine the
IP address of their members however and then track back to individual
machines / users.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: 03 August 2006 03:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Remove Defunct domains..

hey guys -

Yes, i'm using wins.

Yes, they are appearing outside of network neighborhood.

what exactly would i examine (node type) that would help me pinpoint
where these are appearing ? and how to get rid of it ?

definitely appears to be a browsing issue ?

how can i force who is the master browser for the domain ? all
workstations are windows 2000 and windows xp

i'm also seeing workgroups that should have never been created and i'm
now policing against -- any way to rid myself of this or detect where they
are being generated ?

Thanks

On 8/2/06, Ayers, Diane [EMAIL PROTECTED] wrote:
  
  dusting off old NT 4.0 sectors

  Check your WINS database if you are using WINS. Part of the
  browsing data comes from WINS and the database will tell you where those
  records are coming from. You can address it via the hosts
  if it's coming from there or clean up your WINS db.

  Diane

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
  Sent: Wednesday, August 02, 2006 3:10 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remove Defunct domains..

  That's a browser function not something in AD. There's probably still computers joined to
  those domains (even though they don't exist) or computers in workgroups
  with the same names…

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
  Sent: Wednesday, August 02, 2006 5:05 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remove Defunct domains..

  You can remove the orphaned domains through NTDSUTIL. Doing a metadata cleanup.

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
  Sent: Wednesday, August 02, 2006 2:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Remove Defunct domains..

  Whenever i browse Network Neighborhood or view the list of available
  networks, there are a few domains that appear that shouldn't. Is there a
  way to remove these domain/domain entries manually ?

  ADSI edit ?

  --
  HBooGz:\

  --
HBooGz:\

[ActiveDir] Exchange attributes..

2006-08-03 Thread HBooGz
Hey Guys -

I don't get the Exchange tabs ( exchange general, exchange tasks, etc ) when i right-click a user account and select properties when i'm accessing this account from ADUC on a domain controller and on my windows xp machine running adminpack.

the only place,obviously, is on the ADUC located on the exchange box. The exchange box is running windows 2000 sp4 and exchange 2003.

do i have to re-run forestprep and domainprep from the exchange 2003 setup again ?

--
HBooGz:\


RE: [ActiveDir] Granting Exchange Mailbox Access

2006-08-03 Thread WATSON, BEN

Hi Scott,

Thanks for the reply. Unfortunately,
it didn't seem to grant access. That was definitely one of the
first places I looked to check for permissions that would give me a clue as to
why the username that originally installed Exchange 2003 has access to all
users' mailboxes, yet the Exchange Full Administrators delegated group
does not. Oddly enough, I find that the specific account that installed
Exchange has the same exact rights as the delegated group. Both have a
specific deny set for Send As and Receive As, yet the individual user account
can access any mailbox, and the delegated group cannot.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, August 02, 2006 4:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting Exchange Mailbox Access

The perm you're looking for is
Receive As on the Mailbox store. The problem is that delegating Exchange
Full Administrator adds an explicit Deny ACE to
CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
for Receive As and that
gets replicated all the way down to the mailboxes. So even if you grant
your group the required perms, if they've been delegated EFA, the Deny will
override it.

I'd imagine you can remove the Deny
ACE manually, but we just skipped the delegation wizard and added the ACE for
Receive As for our Mailbox Admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting Exchange Mailbox Access

In an effort to cut down on service account abuse,
I've been removing and reducing privileges left and right. I have
delegated Exchange Full Administrator rights to a few users who had previously
been using the service account we originally installed Exchange 2003.

Sometimes, the Exchange Administrators will need to access a
user's mailbox to assist with various issues, and I'm having
trouble delegating that right to the members of the Exchange Full
Administrators group.

I have created a domain security group named simply
Exchange Full Administrators, and I delegated Exchange Full
Administrator rights to that security group at the organizational level.
So anyone in that security group should have full administration
rights. I've had to delegate a few other rights in Active Directory
for some other reasons to this new security group (for instance to give this
security group rights to modify the dynamic mailing list OU); however I'm
having trouble finding exactly where to delegate rights to give this security
group full access to everyone's mailbox.

Any thoughts?

Thanks,

~Ben

RE: [ActiveDir] Exchange attributes..

2006-08-03 Thread Kevin Brunson

Do you have the Exchange System Management
Tools installed on the other domain controllers?

From the Exchange cd, choose Install
System Management Tools Only. Basically you will choose Custom from the Setup
and tell it to only install the Tools, not the Exchange services.

I would be careful doing this on a
workstation with Outlook installed though, there have been some problems with
this in the past, depending on which version and all that. It can very easily
break Outlook.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Thursday, August 03, 2006 10:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange attributes..

Hey Guys -

I don't get the Exchange tabs ( exchange general, exchange tasks, etc ) when i
right-click a user account and select properties when i'm accessing this
account from ADUC on a domain controller and on my windows xp machine running
adminpack.

the only place,obviously, is on the ADUC located on the exchange box. The
exchange box is running windows 2000 sp4 and exchange 2003.

do i have to re-run forestprep and domainprep from the exchange 2003
setup again ?

--
HBooGz:\

RE: [ActiveDir] Exchange attributes..

2006-08-03 Thread neil.ruston



You need to install the Exch admin tools so that the newer
/ different ADUC snap-in is available.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 03 August 2006 16:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange attributes..

Hey Guys -

I don't get the Exchange tabs ( exchange general,
exchange tasks, etc ) when i right-click a user account and select properties
when i'm accessing this account from ADUC on a domain controller and on my
windows xp machine running adminpack.

the only place,obviously, is on
the ADUC located on the exchange box. The exchange box is running windows 2000
sp4 and exchange 2003.

do i have to re-run forestprep and
domainprep from the exchange 2003 setup again ?

--
HBooGz:\

RE: [ActiveDir] Exchange attributes..

2006-08-03 Thread Michael B. Smith



No. You need to install the Exchange Management Tools on
places where you need those tabs.

That being said, review this article and the linked
article:

http://blogs.brnets.com/michael/archive/2004/09/14/209.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Thursday, August 03, 2006 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange attributes..

Hey Guys -

I don't get the Exchange tabs ( exchange general,
exchange tasks, etc ) when i right-click a user account and select properties
when i'm accessing this account from ADUC on a domain controller and on my
windows xp machine running adminpack.

the only place,obviously, is on
the ADUC located on the exchange box. The exchange box is running windows 2000
sp4 and exchange 2003.

do i have to re-run forestprep and
domainprep from the exchange 2003 setup again ?

--
HBooGz:\


[ActiveDir] RE: [ActiveDir] Exchange attributes..

2006-08-03 Thread Tim Vander Kooi

You need to load the ESM on your DCs and/or your XP machine to
see the Exchange tabs. You can load it from your Exchange CD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Thursday, August 03, 2006 10:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange attributes..

Hey Guys -

I don't get the Exchange tabs ( exchange general, exchange tasks, etc ) when i
right-click a user account and select properties when i'm accessing this
account from ADUC on a domain controller and on my windows xp machine running
adminpack.

the only place,obviously, is on the ADUC located on the exchange box. The
exchange box is running windows 2000 sp4 and exchange 2003.

do i have to re-run forestprep and domainprep from the exchange 2003
setup again ?

--
HBooGz:\

RE: [ActiveDir] Granting Exchange Mailbox Access

2006-08-03 Thread Coleman, Hunter



A different approach is for the Exch Full Admin to simply
grant him/herself Full Mailbox Access-Allow on an individual, as-needed
basis. I prefer this because it requires a conscious effort on the admin's part
to access someone else's mailbox, regardless of what your corporate use policies
state about email being the company's property.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, August 02, 2006 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting Exchange Mailbox Access

The perm you're looking
for is Receive As on the Mailbox store. The problem is that delegating
Exchange Full Administrator adds an explicit Deny ACE to
CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
for Receive As and that gets replicated all the way down to the mailboxes.
So even if you grant your group the required perms, if they've been delegated
EFA, the Deny will override it.

I'd imagine you can
remove the Deny ACE manually, but we just skipped the delegation wizard and
added the ACE for Receive As for our Mailbox
Admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting Exchange Mailbox Access

In an effort to cut down on service
account abuse, I've been removing and reducing privileges left and right.
I have delegated Exchange Full Administrator rights to a few users who had
previously been using the service account we originally installed Exchange
2003.

Sometimes, the Exchange
Administrators will need to access a user's mailbox to assist with various
issues, and I'm having trouble delegating that right to the members of the
Exchange Full Administrators group.

I have created a domain security
group named simply Exchange Full Administrators, and I delegated Exchange Full
Administrator rights to that security group at the organizational level.
So anyone in that security group should have full administration rights.
I've had to delegate a few other rights in Active Directory for some other
reasons to this new security group (for instance to give this security group
rights to modify the dynamic mailing list OU); however I'm having trouble
finding exactly where to delegate rights to give this security group full access
to everyone's mailbox.

Any thoughts?

Thanks,
~Ben

Re: [ActiveDir] Exchange attributes..

2006-08-03 Thread Paul Williams



You simply need to install the Exchange Admin
tools on the system that you want these tabs. Therefore, in your case, you
should install them on your computer and possibly on a DC or two too (depending
on how you work).

--Paul

  - Original Message -
  From: HBooGz
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 03, 2006 4:25 PM
  Subject: [ActiveDir] Exchange attributes..

  Hey Guys -

  I don't get the Exchange tabs ( exchange
  general, exchange tasks, etc ) when i right-click a user account and select
  properties when i'm accessing this account from ADUC on a domain controller
  and on my windows xp machine running adminpack.

  the only
  place,obviously, is on the ADUC located on the exchange box. The exchange box
  is running windows 2000 sp4 and exchange 2003.

  do i have to
  re-run forestprep and domainprep from the exchange 2003 setup again ?

  --
  HBooGz:\


Re: [ActiveDir] Exchange attributes..

2006-08-03 Thread HBooGz
Thank you gentlemen.

On 8/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

You need to install the Exch admin tools so that the newer
/ different ADUC snap-in is available.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: 03 August 2006 16:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange attributes..

Hey Guys -

I don't get the Exchange tabs ( exchange general,
exchange tasks, etc ) when i right-click a user account and select properties
when i'm accessing this account from ADUC on a domain controller and on my
windows xp machine running adminpack.

the only place,obviously, is on
the ADUC located on the exchange box. The exchange box is running windows 2000
sp4 and exchange 2003.

do i have to re-run forestprep and
domainprep from the exchange 2003 setup again ?

--
HBooGz:\ PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and delete your

copy from your system. You must not copy, distribute or take any further

action in reliance on it. Email is not a secure method of communication and

Nomura International plc ('NIplc') will not, to the extent permitted by law,

accept responsibility or liability for (a) the accuracy or completeness of,

or (b) the presence of any virus, worm or similar malicious or disabling

code in, this message or any attachment(s) to it. If verification of this

email is sought then please request a hard copy. Unless otherwise stated

this email: (1) is not, and should not be treated or relied upon as,

investment research; (2) contains views or opinions that are solely those of

the author and do not necessarily represent those of NIplc; (3) is intended

for informational purposes only and is not a recommendation, solicitation or

offer to buy or sell securities or related financial instruments.  NIplc

does not provide investment services to private customers.  Authorised and

regulated by the Financial Services Authority.  Registered in England

no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,

London, EC1A 4NP.  A member of the Nomura group of companies.




-- HBooGz:\


Re: RE: [ActiveDir] Granting Exchange Mailbox Access

2006-08-03 Thread victor-w
Ben,

I have dealt with this issue before. What it basically comes down to is 
creating a new group, putting the member who inherited the deny in that 
group and then granting that group an explicit allow to the resource in 
question, which will then override the inherited deny.

See also this article:

http://support.microsoft.com/kb/262054/


Cheers,


Victor

- Original message -
From: WATSON, BEN [EMAIL PROTECTED]
Date: Thursday, August 3, 2006 5:32 pm
Subject: RE: [ActiveDir] Granting Exchange Mailbox Access

 Hi Scott,

 Thanks for the reply.  Unfortunately, it didn't seem to grant access.
 That was definitely one of the first places I looked to check for
 permissions that would give me a clue as to why the username that
 originally installed Exchange 2003 has access to all users' mailboxes,
 yet the Exchange Full Administrators delegated group does not.  Oddly
 enough, I find that the specific account that installed Exchange has the
 same exact rights as the delegated group.  Both have a specific deny set
 for Send As and Receive As, yet the individual user account can access
 any mailbox, and the delegated group cannot.

 ~Ben

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
 Sent: Wednesday, August 02, 2006 4:20 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Granting Exchange Mailbox Access

 The perm you're looking for is Receive As on the Mailbox store.  The
 problem is that delegating Exchange Full Administrator adds an explicit
 Deny ACE to
 CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
 for Receive As and that gets replicated all the way down to the mailboxes.
 So even if you grant your group the required perms, if they've been
 delegated EFA, the Deny will override it.

 I'd imagine you can remove the Deny ACE manually, but we just skipped
 the delegation wizard and added the ACE for Receive As for our Mailbox
 Admins.

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
 Sent: Wednesday, August 02, 2006 5:46 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Granting Exchange Mailbox Access

 In an effort to cut down on service account abuse, I've been removing
 and reducing privileges left and right.  I have delegated Exchange Full
 Administrator rights to a few users who had previously been using the
 service account we originally installed Exchange 2003.

 Sometimes, the Exchange Administrators will need to access a user's
 mailbox to assist with various issues, and I'm having trouble delegating
 that right to the members of the Exchange Full Administrators group.

 I have created a domain security group named simply Exchange Full
 Administrators, and I delegated Exchange Full Administrator rights to
 that security group at the organizational level.  So anyone in that
 security group should have full administration rights.  I've had to
 delegate a few other rights in Active Directory for some other reasons
 to this new security group (for instance to give this security group
 rights to modify the dynamic mailing list OU); however I'm having
 trouble finding exactly where to delegate rights to give this security
 group full access to everyone's mailbox.

 Any thoughts?

 Thanks,

 ~Ben
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Granting Exchange Mailbox Access

2006-08-03 Thread WATSON, BEN








That's actually a very good idea,
and I may enforce that on them. I suppose if anything, my curiosity is getting
the best of me and I'm really wondering what is different between that
delegated security group and the individual account that installed Exchange
which is granting full mailbox access across the board.

I just can't find anything that
actually is different between the two.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, August 03, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting Exchange Mailbox Access

A different approach is for the Exch Full
Admin to simply grant him/herself Full Mailbox Access-Allow on an
individual, as-needed basis. I prefer this because it requires a conscious
effort on the admin's part to access someone else's mailbox, regardless of what
your corporate use policies state about email being the company's property.

















RE: [ActiveDir] Granting Exchange Mailbox Access

2006-08-03 Thread Coleman, Hunter



Check to see if someone removed the explicit Deny for the 
individual account on Send-As/Receive-As at the Exchange Org level, and if not 
whether it's getting overridden by an explicit Allow further down the 
hierarchy.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, August 03, 2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting Exchange Mailbox Access

That's actually a very good idea, and I may enforce that on them. I suppose
if anything, my curiosity is getting the best of me and I'm really wondering
what is different between that delegated security group and the individual
account that installed Exchange which is granting full mailbox access across
the board.

I just can't find anything that actually is different between the two.







RE: [ActiveDir] Granting Exchange Mailbox Access

2006-08-03 Thread WATSON, BEN








Nice pointer Hunter! I had forgotten that
tidbit of info I learned awhile ago that a deny doesn't always override a
grant privilege. There was indeed an explicit grant privilege set at the
server level for that individual user account which overrides the deny
privilege set at the organizational level which had propagated downward. I
granted my Exchange Full Administrators security group the same grant privilege
that the individual account had at the server level, and now everything is
working as I was hoping.



Thanks to everyone that responded!



~Ben











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, August 03, 2006
10:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting
Exchange Mailbox Access





Check to see if someone removed the
explicit Deny for the individual account on Send-As/Receive-As at the Exchange
Org level, and if not whether it's getting overridden by an explicit Allow
further down the hierarchy.









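The precedence that resolved this thread (a Deny set at the organization level losing to an Allow set nearer the object) follows from canonical ACE ordering. The following is an added example, not code from any poster or from Microsoft: a simplified Python model with a constructed three-level hierarchy (Organization, Server, Mailbox Store) and hypothetical account names. It assumes every ACE is inheritable by all descendants and checks one right at a time.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed names: stand-ins for the delegated group and the install account.
GROUP = "Exchange Full Administrators"
INSTALLER = "exch-install"   # hypothetical account name
RIGHT = "Receive-As"


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # account or group name, standing in for a SID
    right: str


@dataclass
class Node:
    """A container in the hierarchy; `aces` are the ACEs set directly on it."""
    name: str
    parent: Optional["Node"] = None
    aces: List[Ace] = field(default_factory=list)


def canonical_dacl(obj: Node) -> List[Tuple[int, str, Ace]]:
    """ACEs applying to `obj` in canonical order.

    Depth 0 is the object itself, 1 its parent, 2 the grandparent, and so on.
    Nearer levels come first; within a level, deny ACEs precede allow ACEs.
    """
    ordered: List[Tuple[int, str, Ace]] = []
    depth, node = 0, obj
    while node is not None:
        for kind in ("deny", "allow"):
            ordered += [(depth, node.name, a) for a in node.aces if a.kind == kind]
        depth, node = depth + 1, node.parent
    return ordered


def check_access(obj: Node, token: Set[str], right: str) -> Tuple[bool, str]:
    """The first ACE matching the right and any identity in the token decides."""
    for _depth, origin, ace in canonical_dacl(obj):
        if ace.right == right and ace.trustee in token:
            return ace.kind == "allow", f"{ace.kind} for {ace.trustee} set on {origin}"
    return False, "no matching ACE (implicit deny)"


def shadowed_denies(obj: Node) -> List[str]:
    """Audit helper: deny ACEs overridden by a nearer allow for the same trustee and right."""
    dacl = canonical_dacl(obj)
    findings = []
    for d_depth, d_origin, deny in dacl:
        if deny.kind != "deny":
            continue
        for a_depth, a_origin, allow in dacl:
            if (allow.kind == "allow" and a_depth < d_depth
                    and allow.trustee == deny.trustee and allow.right == deny.right):
                findings.append(
                    f"deny {deny.right} for {deny.trustee} on {d_origin} "
                    f"is overridden by allow on {a_origin}")
    return findings


def build_hierarchy() -> Tuple[Node, Node, Node]:
    """State described in the thread before the fix (constructed data)."""
    org = Node("Organization")
    server = Node("Server", parent=org)
    store = Node("Mailbox Store", parent=server)
    # Deny on Receive-As at the organization level for both identities.
    for trustee in (GROUP, INSTALLER):
        org.aces.append(Ace("deny", trustee, RIGHT))
    # The install account also holds an allow set at the server level.
    server.aces.append(Ace("allow", INSTALLER, RIGHT))
    return org, server, store


if __name__ == "__main__":
    org, server, store = build_hierarchy()
    admin = {"alice", GROUP}          # hypothetical group member
    print("installer:", check_access(store, {INSTALLER}, RIGHT))
    print("group member:", check_access(store, admin, RIGHT))
    # An allow at the same level as the deny does not help: deny sorts first.
    org.aces.append(Ace("allow", GROUP, RIGHT))
    print("after org-level allow:", check_access(store, admin, RIGHT))
    # An allow nearer the object precedes the inherited deny.
    server.aces.append(Ace("allow", GROUP, RIGHT))
    print("after server-level allow:", check_access(store, admin, RIGHT))
    for finding in shadowed_denies(store):
        print("audit:", finding)
```

The `shadowed_denies` helper corresponds to the check suggested in the thread: look for an Allow further down the hierarchy that overrides a Deny set higher up, since each such entry is standing mailbox access that the organization-level Deny appears to block.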








[ActiveDir] Admt Migration question.

2006-08-03 Thread John Strongosky
 
Hey everyone I'm going nuts here and I need some help

Am trying to do a security translation on a pc using ADMT v3.0 and it
gives me this error: "Unable to access server service on the machine
'MISMCGOWAN'. Make sure netlogon and workstation services are running and
you can authenticate yourself to the machine. hr=0x800706ba. The RPC server
is unavailable."

We have completed about 30 pc's and this is the first one that is giving us
fits... We rename the pc before the migration to conform to our new naming
standards. (I think this is where the problem lies)

This is what we have done so far to troubleshoot this.

1. Made sure services it has mentioned are running.
2. Made sure the Remote registry service is running.
3. Added the Preferred DNS entry of the AD Dns Server and Wins entries to
the Ip properties of the nic.
4. Deleted the old wins entries and new ones as well, did a nbtstat -RR at
workstation to register the names in wins.
5. Disabled the firewall service and uninstalled another firewall program
that was on this pc.
6. Went thru and uninstalled programs that we thought might impact this
problem.
7. When we try and do a start, run \\MISMCGOWAN\c$ it won't list the
contents of the C drive from the AD domain Controller that we are migrating
this pc from. We are logged in to this DC as a source domain Admin that is a
member of the local admin group on the pc. We get this error: "No network
Provider accepted the given network path"
8. Can login to machine as the source domain admin account.
9. Changed the Administrator's name to fit our new naming standard.
10. Changed the password to match the account that is doing the migration.
It's a source domain admin account.


Thanks in advance for any input..

john





RE: [ActiveDir] Vendor Domain

2006-08-03 Thread Figueroa, Johnny



There was no real reason for a separate domain, other than 
it simplified the vendor's support. We ended up creating an OU and delegating 
administration to it. 

Thanks I promised I would get back to you 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 20, 2006 5:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

I completely understand. 

If a vendor is actively and completely supporting this 
application for you ***as a service*** then patching, etc should be something 
that you specify the requirements for in the actual contract with the vendor 
with penalties, etc associated with it for non-compliance. You should not 
have to touch any of it because you shouldn't even have the ability to touch any 
of it - that is what the service model is about. 

If this is a vendor telling you to create a new 
domain/forest that you in any way shape or form have to support for their app, I 
would tell them they better have a really amazing explanation because all 
of the tables are already against them and if the extra domain/forest gets 
pushed through you immediately tell, not ask, the people requiring the 
application what it is going to cost to get the extra resources to support the 
extra domain/forest - including all licenses for monitoring and other third 
party tools needed to properly support the environment.

Again, if this is just an application and application 
support, you tell the vendor where it goes. If this a service, then listen 
carefully to the vendor as they may have a good point and if you force them to 
deviate there will be a premium at the minimum associated with it. A new 
Domain/Forest for a service model should be a black box to you. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Thursday, July 20, 2006 8:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

Joe, I can not comment on the specifics just yet 
as IT has not actually met with the vendor yet. We received the 
requirements and when I read about the separate domain with a trust to our own, 
I started to try and build a case for NOT. As I had mentioned earlier. 


I will try to keep an open mind on the whole thing but if 
every medical vendor came in and asked for their own domain we would have quite 
a mess. You then end up with problems like patch compliance, virus definitions 
you can not verify or having to provide for some form of isolation of these 
environments while allowing them to be functional. This last part turns into 
administration overhead and dollars that we try to push back to the vendor, not 
always successfully depending on how much the application is needed. 


Vendor supported environments inside your own can be a post 
all of its own that goes on forever. How many vendors say they will take care of 
their devices and you wake up one day only to find out that you are under attack 
from one of those vendor "supported" devices. It could be a virus as we have had 
happened to us or a misbehaving AV application on the same devices you don't 
have admin access to that renders several DFS servers inaccessible with high CPU 
usage. 

We will try to get to the bottom of it as usual, the devil 
is in the details. I promised to report back since many of you have taken the 
time to provide your thoughts on the matter.

Thanks




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 20, 2006 1:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

My first reaction is that that is pretty nebulous and hazy. 
I don't think they can compare whatever it is they do to a respirator and have 
validity, I think that would be talking apples and olive pits. 


Overall it sounds like a move to reduce support and 
troubleshooting costs by having a known fixed environment in which their app 
will run. It could even mean that they have bad decisions (and coding) in the 
software itself that has hard requirements to that specific layout so they don't 
have to code for a more generic setup. 

Certainly the concern that AD may not be stable is a valid 
one from a vendor doing managed service support standpoint as it is something I 
have encountered in the field myself. More environments than not that I 
have walked into to deploy Exchange the AD folks thought AD was perfectly fine 
and were surprised when Exchange dragged their DCs under water and I have to go 
through their design and figure out what exactly isn't optimal (hint usually the 
disk subsystems - stop using mirrors damnit). But if the 
customer is willing to accept that risk as a caveat to the support model then 
the vendor should be able to support it. This can and usually should have some 
level of impact on costing and possibly support levels and penalties (if they 
exist). It is cheaper to 

RE: [ActiveDir] Admt Migration question.

2006-08-03 Thread John Strongosky
Fixed...nic driver...uninstalled and reinstalled and it worked...go
figure... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Thursday, August 03, 2006 2:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Admt Migration question.

 
Hey everyone I'm going nuts here and I need some help

Am trying to do a security translation on a pc using ADMT v3.0 and it
gives me this error: "Unable to access server service on the machine
'MISMCGOWAN'. Make sure netlogon and workstation services are running and
you can authenticate yourself to the machine. hr=0x800706ba. The RPC server
is unavailable."

We have completed about 30 pc's and this is the first one that is giving us
fits... We rename the pc before the migration to conform to our new naming
standards. (I think this is where the problem lies)

This is what we have done so far to troubleshoot this.

1. Made sure services it has mentioned are running.
2. Made sure the Remote registry service is running.
3. Added the Preferred DNS entry of the AD Dns Server and Wins entries to
the Ip properties of the nic.
4. Deleted the old wins entries and new ones as well, did a nbtstat -RR at
workstation to register the names in wins.
5. Disabled the firewall service and uninstalled another firewall program
that was on this pc.
6. Went thru and uninstalled programs that we thought might impact this
problem.
7. When we try and do a start, run \\MISMCGOWAN\c$ it won't list the
contents of the C drive from the AD domain Controller that we are migrating
this pc from. We are logged in to this DC as a source domain Admin that is a
member of the local admin group on the pc. We get this error: "No network
Provider accepted the given network path"
8. Can login to machine as the source domain admin account.
9. Changed the Administrator's name to fit our new naming standard.
10. Changed the password to match the account that is doing the migration.
It's a source domain admin account.


Thanks in advance for any input..

john





Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Brett Shirley
Touching schema.ini would qualify as very not supported ...

-B

On Thu, 3 Aug 2006, Paul Williams wrote:

 It might be worth looking at the %systemroot%\system32\schema.ini file again.
 I just had a poke around in there after reading Dean's answer to your question
 yesterday and the first section, the [DEFAULTROOTDOMAIN] section is setting
 nTMixedMode.  You can change that to 0 (for native) and try adding
 mSDS-Behavior-Version and setting it to 2.

 I don't know if that will work, but you're probably in a position to test
 this...

 --Paul

   - Original Message -
   From: [EMAIL PROTECTED]
   To: ActiveDir@mail.activedir.org
   Sent: Thursday, August 03, 2006 9:39 AM
   Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

   According to http://support.microsoft.com/kb/223757/en-us the
   SetForestVersion entry in the dcpromo answer file can only be used to set
   FFL to 1 or 0 when building a new forest.

   Is this correct? I'd like to automate the transition to FFL=2 when building
   the first DC in a forest (without a script).

   Perhaps another change request for Longhorn? :)

   neil
 


RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Brian Desmond
Is this stuff you can't do in the unattend.txt and specify an answer
file to dcpromo?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Thursday, August 03, 2006 7:34 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Setting FFL=2 automatically when building
 first DC in forest
 
 Touching schema.ini would qualify as very not supported ...
 
 -B
 
 On Thu, 3 Aug 2006, Paul Williams wrote:
 
  Setting FFL=2 automatically when building first DC in forestIt might
 be worth looking at the %systemroot%\system32\schema.ini file again.
I
 just had a poke around in there after reading Dean's answer to your
 question yesterday and the first section, the [DEFAULTROOTDOMAIN]
 section is setting nTMixedMode.  You can change that to 0 (for native)
 and try adding mSDS-Behavior-Version and setting it to 2.
 
  I don't know if that will work, but you're probably in a position to
 test this...
 
 
  --Paul
 
- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building
 first DC in forest
 
 
According to http://support.microsoft.com/kb/223757/en-us the
 SetForestVersion entry in the dcpromo answer file can only be used to
 set FFL to 1 or 0 when building a new forest.
 
Is this correct? I'd like to automate the transition to FFL=2 when
 building the first DC in a forest (without a script).
 
Perhaps another change request for Longhorn? :)
 
neil
 
PLEASE READ: The information contained in this email is
 confidential and
intended for the named recipient(s) only. If you are not an
 intended
recipient of this email please notify the sender immediately and
 delete your
copy from your system. You must not copy, distribute or take any
 further
action in reliance on it. Email is not a secure method of
 communication and
Nomura International plc ('NIplc') will not, to the extent
 permitted by law,
accept responsibility or liability for (a) the accuracy or
 completeness of,
or (b) the presence of any virus, worm or similar malicious or
 disabling
code in, this message or any attachment(s) to it. If verification
 of this
email is sought then please request a hard copy. Unless otherwise
 stated
this email: (1) is not, and should not be treated or relied upon
 as,
investment research; (2) contains views or opinions that are
solely
 those of
the author and do not necessarily represent those of NIplc; (3) is
 intended
for informational purposes only and is not a recommendation,
 solicitation or
offer to buy or sell securities or related financial instruments.
 NIplc
does not provide investment services to private customers.
 Authorised and
regulated by the Financial Services Authority. Registered in
 England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-
 le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Dean Wells
Not that I'm aware of.  To my mind, the goal of most unattend files is to
remove or reduce human interaction by answering questions presented by a
user-interface, maybe a wizard-ized process or perhaps even 'tweak' a
behavior slightly.  Editing such discrete and specific values of the
resulting system (in this case, system-purposed attributes in AD) is beyond
an unattend file's scope.

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brian Desmond
 Sent: Thursday, August 03, 2006 8:51 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Setting FFL=2 automatically when building
 first DC in forest
 
 Is this stuff you can't do in the unattend.txt and specify an answer
 file to dcpromo?
 
 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]
 
 c - 312.731.3132
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Brett Shirley
  Sent: Thursday, August 03, 2006 7:34 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Setting FFL=2 automatically when building
  first DC in forest
 
  Touching schema.ini would qualify as very not supported ...
 
  -B
 
  On Thu, 3 Aug 2006, Paul Williams wrote:
 
   It might be worth looking at the %systemroot%\system32\schema.ini file
   again.  I just had a poke around in there after reading Dean's answer to
   your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
   section is setting nTMixedMode.  You can change that to 0 (for native)
   and try adding mSDS-Behavior-Version and setting it to 2.

   I don't know if that will work, but you're probably in a position to
   test this...
  
  
   --Paul
  
 - Original Message -
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Thursday, August 03, 2006 9:39 AM
 Subject: [ActiveDir] Setting FFL=2 automatically when building
  first DC in forest
  
  
 According to http://support.microsoft.com/kb/223757/en-us the
  SetForestVersion entry in the dcpromo answer file can only be used to
  set FFL to 1 or 0 when building a new forest.
  
 Is this correct? I'd like to automate the transition to FFL=2 when
  building the first DC in a forest (without a script).
  
 Perhaps another change request for Longhorn? :)
  
 neil
  


RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Dean Wells
Granted ... though perhaps a moot point to those (on the consumer side of
the fence) capable of using such a tweak since proving such usage is
challenging to say the least.

Aside, since its purpose has been well served twice in as many days and on 2
unrelated topics, maybe it could be considered a feature suggestion ...

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Thursday, August 03, 2006 8:34 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Setting FFL=2 automatically when building
 first DC in forest
 
 Touching schema.ini would qualify as very not supported ...
 
 -B
 
 On Thu, 3 Aug 2006, Paul Williams wrote:
 
  It might be worth looking at the %systemroot%\system32\schema.ini file
  again.  I just had a poke around in there after reading Dean's answer to
  your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
  section is setting nTMixedMode.  You can change that to 0 (for native)
  and try adding mSDS-Behavior-Version and setting it to 2.

  I don't know if that will work, but you're probably in a position to
  test this...
 
 
  --Paul
 
- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building
 first DC in forest
 
 
According to http://support.microsoft.com/kb/223757/en-us the
 SetForestVersion entry in the dcpromo answer file can only be used to
 set FFL to 1 or 0 when building a new forest.
 
Is this correct? I'd like to automate the transition to FFL=2 when
 building the first DC in a forest (without a script).
 
Perhaps another change request for Longhorn? :)
 
neil
 


[ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

2006-08-03 Thread Chris Pohlschneider

Hello,

I have some questions about doing a migration from Windows
2000 AD to Win2k3 AD. Our current environment entails two Windows 2000 AD domain
controllers running DNS, WINS, DHCP. We also have Exchange 2003 installed on a
separate Windows 2003 Server. We want to keep the same domain name and move all
of the services that run on the old Windows 2000 Domain controllers onto the
Exchange server and also our main file server which is Windows 2003 Server. I
am a bit of a newbie and would like some guidance on how to perform this
upgrade. I appreciate any help. Sorry for asking this question again, but I
have misplaced the e-mails from this last discussion.

Chris Pohlschneider
Holloway SportswearIT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

RE: [ActiveDir] Potentially useful tool and sample posted on my blog

2006-08-03 Thread Brian Desmond

Have you tested against other LDAP systems (like SunONE)? Have a
client who encountered this little issue.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday, August 03, 2006 8:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Potentially useful tool and sample posted on my
blog

Hi all,

My blog (http://www.joekaplan.net/) has
a new article (http://www.joekaplan.net/Example1ForSDSPSSLCertificates.aspx)
posted that may be of potential interest to some of you. I mention this
here for three reasons:

1) I just started blogging, and some of you who are blog fans may find that
interesting in and of itself. I'm mainly writing about the stuff I'm good
at, namely .NET directory services programming, Windows security and (now)
ADFS.

2.) The article in question is part of a series that explains the differences of
the two LDAP stacks in .NET (the ADSI one and the new LDAP
API-based one) and shows examples of stuff that actually requires the lower
level protocol, since they have a lot of overlap in functionality and it isn't
always easy to know when you need the big guns! This topic is marginally
relevant to scripters too since they are basically limited to what ADSI gives
them, unless they are wrapping joeware tools. :)

3.) The article actually provides a working sample of something that might help
some of you get real work done and isn't easy to do otherwise.

For those not at all interested in the first 2 points, here's the skinny. The
tool is a simple command line app that allows you to enumerate the domain
controllers in a domain (specified on the command line) and make an SSL LDAP
connection to each one. It then grabs the server's certificate and
prepares a list of their expiration dates. When it is done, it dumps out
the certificates in order of expiration.

This sort of thing is most helpful to those of you who use SSL LDAP and have third-party
(non MS CA) certificates that require manual renewal and such (such as our
organization). This may help prevent unpleasant application
outages due to forgetting to renew a certificate in a timely fashion (not that
such a thing has ever happened in our organization...cough...).
The tool is also multithreaded, so that it attempts to connect to many domain
controllers simultaneously, making it vastly faster than something that
processed the list serially.

It is not a particularly robust tool with nice error messages and
hand-holding. It is not joeware quality, and is more of a
scripting sample that demonstrates a technique. However, it
may still be useful as is. It does require .NET 2.0 (as that was what
this was about in the first place). You can run it on any machine you
want. I'm pretty sure it doesn't even need to be domain joined.
Source and binary in the download.

Let me know what you think.

Joe K.

Re: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

2006-08-03 Thread mike kline
Chris,

Here is a link to your last question and you can see the follow-ups there too.

http://www.activedir.org/ml/msg11411.aspx


When you say you want to move all services that run on the old DCs to the exchange 2003 box and your file server does that mean that you want the file server to become the new DC?

What other services would you like to run on the exchange box? Check out the link below on exchange servers and domain controllers.

http://blogs.brnets.com/michael/archive/2005/01/24/319.aspx

Thanks
Mike



On 8/3/06, Chris Pohlschneider [EMAIL PROTECTED] wrote:




Hello,

I have some questions about doing a migration from Windows 2000 AD to Win2k3 AD. Our current environment entails two Windows 2000 AD domain controllers running DNS, WINS, DHCP. We also have Exchange 2003 installed on a separate Windows 2003 Server. We want to keep the same domain name and move all of the services that run on the old Windows 2000 Domain controllers onto the Exchange server and also our main file server which is Windows 2003 Server. I am a bit of a newbie and would like some guidance on how to perform this upgrade. I appreciate any help. Sorry for asking this question again, but I have misplaced the e-mails from this last discussion.


Chris Pohlschneider
Holloway SportswearIT
937-494-2559
937-497-7300 (Fax)

[EMAIL PROTECTED]




Re: [ActiveDir] Potentially useful tool and sample posted on my blog

2006-08-03 Thread Joe Kaplan

Haven't tried it--I don't have any other LDAP servers around that
support SSL to play with.  :)

I know for sure that the part about enumerating the domain controllers
won't work.  You'd need to supply the list of server names a different
way.  However, the actual bind/SSL stuff should work fine.  I think
my code assumes LDAP V3, but that's a pretty good assumption in most
cases (and easy to change in the code too).

Feel free to pass it along.  The source is easy to modify.

Joe


On 8/3/06, Brian Desmond [EMAIL PROTECTED] wrote:






Have you tested against other LDAP systems (like SunONE)? Have a client who 
encountered this little issue.




Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday, August 03, 2006 8:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Potentially useful tool and sample posted on my blog





Hi all,





My blog (http://www.joekaplan.net/) has a new article 
(http://www.joekaplan.net/Example1ForSDSPSSLCertificates.aspx) posted that may 
be of potential interest to some of you.  I mention this here for three reasons:





1) I just started blogging, and some of you who are blog fans may find that 
interesting in and of itself.  I'm mainly writing about the stuff I'm good at, 
namely .NET directory services programming, Windows security and (now) ADFS.


2.) The article in question is part of a series that explains the differences of the two 
LDAP stacks in .NET (the ADSI one and the new LDAP API-based one) and shows 
examples of stuff that actually requires the lower level protocol, since they have a lot 
of overlap in functionality and it isn't always easy to know when you need the big guns!  
This topic is marginally relevant to scripters too since they are basically limited to 
what ADSI gives them, unless they are wrapping joeware tools.  :)


3.) The article actually provides a working sample of something that might help 
some of you get real work done and isn't easy to do otherwise.





For those not at all interested in the first 2 points, here's the skinny.  The 
tool is a simple command line app that allows you to enumerate the domain 
controllers in a domain (specified on the command line) and make an SSL LDAP 
connection to each one.  It then grabs the server's certificate and prepares a 
list of their expiration dates.  When it is done, it dumps out the certificates 
in order of expiration.





This sort of thing is most helpful to those of you who use SSL LDAP and have 
third-party (non MS CA) certificates that require manual renewal and such (such 
as our organization).  This may help prevent unpleasant application
outages due to forgetting to renew a certificate in a timely fashion (not that 
such a thing has ever happened in our organization...cough...).  The tool is 
also multithreaded, so that it attempts to connect to many domain controllers 
simultaneously, making it vastly faster than something that processed the list 
serially.





It is not a particularly robust tool with nice error messages and hand-holding.  It is not
joeware quality, and is more of a scripting sample that demonstrates a 
technique.  However, it may still be useful as is.  It does require .NET 2.0 (as that was what this 
was about in the first place).  You can run it on any machine you want.  I'm pretty sure it doesn't 
even need to be domain joined.  Source and binary in the download.





Let me know what you think.





Joe K.
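
The survey described in the message above (connect to each server over SSL LDAP, read the certificate it presents, list expiry dates soonest first, many servers at once), sketched in Python as an added example; it is not Joe Kaplan's tool or its source. It assumes an explicit list of server names instead of domain controller enumeration, verifies the chain against the system trust store unless `cafile` is given, and the host names and dates in `CONSTRUCTED` are made up for the offline demo.

```python
"""LDAPS certificate expiry survey over an explicit list of servers."""
import socket
import ssl
import sys
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone

LDAPS_PORT = 636  # LDAP over SSL: the TLS handshake precedes any LDAP traffic


def parse_not_after(text):
    """Turn a notAfter string such as 'Aug 10 00:00:00 2006 GMT' into aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def fetch_not_after(host, port=LDAPS_PORT, timeout=5.0, cafile=None):
    """Handshake with host:port and return the expiry of the certificate it presents.

    Chain and host name are verified, so an already-expired or mismatched
    certificate is reported as an error rather than a date. Pass cafile
    (PEM bundle) when the issuing CA is not in the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])


def survey(hosts, fetch=fetch_not_after, now=None, warn_days=30, workers=16):
    """Probe all hosts concurrently; return rows with failures first, then soonest expiry."""
    now = now or datetime.now(timezone.utc)

    def probe(host):
        try:
            expires = fetch(host)
        except (OSError, ValueError, KeyError) as exc:  # DNS, refused, timeout, TLS
            return {"host": host, "expires": None, "days_left": None,
                    "status": "ERROR", "detail": str(exc)}
        days_left = (expires - now).days
        if expires <= now:  # reachable with recorded data or a non-verifying fetcher
            status = "EXPIRED"
        elif days_left < warn_days:
            status = "WARN"
        else:
            status = "OK"
        return {"host": host, "expires": expires, "days_left": days_left,
                "status": status, "detail": ""}

    with ThreadPoolExecutor(max_workers=workers) as pool:
        rows = list(pool.map(probe, hosts))
    rows.sort(key=lambda r: (r["expires"] is not None, r["expires"] or now))
    return rows


# Constructed sample for the offline demo: host names and dates are made up.
CONSTRUCTED = {
    "dc1.example.test": "Mar 15 12:00:00 2007 GMT",
    "dc2.example.test": "Aug 10 00:00:00 2006 GMT",
    "dc3.example.test": "Jul 30 00:00:00 2006 GMT",
    "dc4.example.test": None,  # stands in for a server that refuses the connection
}


def demo():
    """Run the survey against the constructed sample with a fixed clock."""
    def fake_fetch(host):
        value = CONSTRUCTED[host]
        if value is None:
            raise ConnectionRefusedError("connection refused (constructed)")
        return parse_not_after(value)

    return survey(CONSTRUCTED, fetch=fake_fetch,
                  now=datetime(2006, 8, 3, tzinfo=timezone.utc))


if __name__ == "__main__":
    rows = survey(sys.argv[1:]) if len(sys.argv) > 1 else demo()
    for r in rows:
        when = r["expires"].isoformat() if r["expires"] else r["detail"]
        print(f'{r["status"]:8} {r["host"]:24} {when}')
```

Run with server names as arguments to probe port 636 on each; with no arguments it prints the constructed demo rows.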




RE: [ActiveDir] Potentially useful tool and sample posted on my blog

2006-08-03 Thread Brian Desmond
I might improve it a bit to work with other sources and run on a timer
with email or perhaps integrate with MOM. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Joe Kaplan
 Sent: Thursday, August 03, 2006 10:54 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Potentially useful tool and sample posted on
 my blog
 
 Haven't tried it--I don't have any other LDAP servers around that
 support SSL to play with.  :)
 
 I know for sure that the part about enumerating the domain controllers
 won't work.  You'd need to supply the list of server names a different
 way.  However, the actual bind/SSL stuff should work fine.  I think
 my code assumes LDAP V3, but that's a pretty good assumption in most
 cases (and easy to change in the code too).
 
 Feel free to pass it along.  The source is easy to modify.
 
 Joe
 
 
 On 8/3/06, Brian Desmond [EMAIL PROTECTED] wrote:
 
 
 
 
 
  Have you tested against other LDAP systems (like SunONE)? Have a
 client who encountered this little issue.
 
 
 
 
  Thanks,
 
  Brian Desmond
 
  [EMAIL PROTECTED]
 
 
 
  c - 312.731.3132
 
 
 
 
 
 
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
  Sent: Thursday, August 03, 2006 8:47 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Potentially useful tool and sample posted on my
  blog
 
 
 
 
 
  Hi all,
 
 
 
 
 
  My blog (http://www.joekaplan.net/) has a new article
 (http://www.joekaplan.net/Example1ForSDSPSSLCertificates.aspx) posted
 that may be of potential interest to some of you.  I mention this here
 for three reasons:
 
 
 
 
 
  1) I just started blogging, and some of you who are blog fans may
 find that interesting in and of itself.  I'm mainly writing about the
 stuff I'm good at, namely .NET directory services programming, Windows
 security and (now) ADFS.
 
 
  2.) The article in question is part of a series that explains the
  differences of the two LDAP stacks in .NET (the ADSI one and the new
  LDAP API-based one) and shows examples of stuff that actually requires
  the lower level protocol, since they have a lot of overlap in
  functionality and it isn't always easy to know when you need the big
  guns!  This topic is marginally relevant to scripters too since they
  are basically limited to what ADSI gives them, unless they are
  wrapping joeware tools.  :)
 
 
  3.) The article actually provides a working sample of something that
 might help some of you get real work done and isn't easy to do
 otherwise.
 
 
 
 
 
  For those not at all interested in the first 2 points, here's the
 skinny.  The tool is a simple command line app that allows you to
 enumerate the domain controllers in a domain (specified on the command
 line) and make an SSL LDAP connection to each one.  It then grabs the
 server's certificate and prepares a list of their expiration dates.
 When it is done, it dumps out the certificates in order of expiration.
 
 
 
 
 
  This sort of thing is most helpful to those of you who use SSL LDAP
 and have third-party (non MS CA) certificates that require manual
 renewal and such (such as our organization).  This may help prevent
 unpleasant application outages due to forgetting to renew a
 certificate in a timely fashion (not that such a thing has ever
 happened in our organization...cough...).  The tool is also
 multithreaded, so that it attempts to connect to many domain
 controllers simultaneously, making it vastly faster than something
 that processed the list serially.
 
 
 
 
 
  It is not a particularly robust tool with nice error messages and
 hand-holding.  It is not joeware quality, and is more of a
 scripting sample that demonstrates a technique.  However, it may
 still be useful as is.  It does require .NET 2.0 (as that was what
 this was about in the first place).  You can run it on any machine you
 want.  I'm pretty sure it doesn't even need to be domain joined.  Source
 and binary in the download.
 
 
 
 
 
  Let me know what you think.
 
 
 
 
 
  Joe K.
 


Re: [ActiveDir] Potentially useful tool and sample posted on my blog

2006-08-03 Thread Joe Kaplan
There's actually other stuff you can do with MOM.  I'm not sure exactly how 
our MOM AD guy does it, but he has MOM set up to alert him when the local 
cert on the DC is getting close to expiration.  If you are curious, I'll ask 
him.


This tool is more useful for getting a snapshot of the whole domain quickly 
from one place.  Both are useful.  It is also nice for us because we don't 
run MOM in the dev forest, but the certs still expire there too and wreak 
havoc on the dev and staging apps.


I'd love to see what you do with it in any case.

Joe K.
- Original Message - 
From: Brian Desmond [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 11:02 PM
Subject: RE: [ActiveDir] Potentially useful tool and sample posted on my 
blog



I might improve it a bit to work with other sources and run on a timer
with email or perhaps integrate with MOM.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132




[ActiveDir] Authoritative Restore problems

2006-08-03 Thread Mike Hogenauer

I've been asked to write a Disaster recovery doc for
our company. I'm trying to delete a single user account and do an
authoritative restore of that account.

(in a test environment of course)

Before I deleted the test account I used adsiedit to verify the
path to the account. Cn=test user, ou=it,dc=mycorp,dc=com

From Directory restore mode, I can start the Authoritative restore
but it always fails with:

Could not find object with the failed DN: failed on component
cn=test user.

Authoritative restore failed

Error 800 parsing input  illegal syntax?

I've reviewed http://support.microsoft.com/?id=840001
and it says I must use quotes - either way it fails.

I've even tried the workaround described in here: http://support.microsoft.com/?kbid=886689

Suggestions?

Environment: Windows 2003 R2

Thanks in advance

Mike

RE: [ActiveDir] Authoritative Restore problems

2006-08-03 Thread Brian Desmond

Just to make sure, you did a system state restore that includes
that user, right?

Is there an attribute (group membership?) that you need such
that you can't just undelete the user?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike Hogenauer
Sent: Thursday, August 03, 2006 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Authoritative Restore problems

I've been asked to write a Disaster recovery doc for our
company. I'm trying to delete a single user account and do an
authoritative restore of that account.

(in a test environment of course)

Before I deleted the test account I used adsiedit to verify
the path to the account. Cn=test user, ou=it,dc=mycorp,dc=com

From Directory restore mode, I can start the Authoritative
restore but it always fails with:

Could not find object with the failed DN: failed on
component cn=test user.

Authoritative restore failed

Error 800 parsing input  illegal syntax?

I've reviewed http://support.microsoft.com/?id=840001
and it says I must use quotes - either way it fails.

I've even tried the workaround described in here: http://support.microsoft.com/?kbid=886689

Suggestions?

Environment: Windows 2003 R2

Thanks in advance

Mike

[ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

2006-08-03 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Microsoft Exchange Troubleshooting Assistant released - get it here

Yesterday we released some new tools to help make your life as an
email admin easier. It's called the Microsoft Exchange
Troubleshooting Assistant v1.0. Here's the description:

  The Exchange Troubleshooting Assistant
programmatically executes a set of troubleshooting steps to identify
the root cause of performance, mail flow, and database mounting issues.
The tool automatically determines what set of data is required to
troubleshoot the identified symptoms and collects configuration data,
performance counters, event logs and live tracing information from an
Exchange server and other appropriate sources. The tool analyzes each
subsystem to determine individual bottlenecks and component failures,
then aggregates the information to provide root cause analysis.

As you can see, there's some good stuff in the new
assistant. Get it at http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9Adisplaylang=en

We'll be demoing this tool and a host of others starting
next week as we launch the Q1FY07 Microsoft TechNet Seminars. We start
the morning off with a Windows Vista Technical Overview
then later do a bunch of fun stuff with Exchange Server 2003
and Exchange Server 2007 Beta 2. See the description
of the events at http://www.technetevents.com.

Published Thursday, August 03, 2006 11:30 PM by Keith Combs

http://blogs.technet.com/keithcombs/archive/2006/08/03/444904.aspx


