Re: [ActiveDir] OT: DNS entry

2006-08-04 Thread HBooGz
Hey guys,

Could you point me to an article on how to set up auditing for DNS modifications and overall domain auditing?

I've done auditing on the desktop level, just wondering what's changed.
 
 
On 8/4/06, Paul Williams <[EMAIL PROTECTED]> wrote:



If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends, generally you'd set it on CN=MicrosoftDNS folder) then yes, you can. But you'll have to search each DC's security event log for this info.

 
Otherwise, you can't get this info.  You can check the whenChanged attribute on the tombstoned record for a rough idea of when the deletion occurred and try and move from there by looking at logon events, again if you have auditing enabled.

 
If you're not using AD-Integrated DNS, then none of the above will really help.

 
 
--Paul



----- Original Message -----
From: James Carter
To: ActiveDir@mail.activedir.org
Sent: Friday, August 04, 2006 12:09 PM
Subject: [ActiveDir] OT: DNS entry

We had a static server DNS entry deleted over the weekend.

Is there any way to find out who deleted this entry? This is a Windows 2003 R2 server/domain.

Thanks

James




-- HBooGz:\> 
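Paul's two approaches above can be turned into a script. The following Python is an added example, not anything from the thread: it reads a constructed pipe-separated export of Security log records collected from several DCs, looks for Windows Server 2003 Directory Service Access audits (event 566, Object Operation) that record a DELETE on a dnsNode under CN=MicrosoftDNS, and when no such audit exists falls back to listing logon events (528/540) around the tombstoned record's whenChanged. The export layout, the DC names and every log line are constructed for the example; the SACL on CN=MicrosoftDNS must already have been in place for the first path to return anything.

```python
from datetime import datetime, timedelta

# Constructed sample export (pipe-separated) of Security log records pulled from
# two DCs. These lines are made up for the example; the DN shape is the one a
# dnsNode object has under an AD-integrated zone (…,CN=MicrosoftDNS,…).
SAMPLE_EXPORT = """\
dc|time|event_id|user|object|access
DC01|2006-07-29 22:13:40|540|CORP\\jdoe||
DC01|2006-07-29 22:14:03|566|CORP\\jdoe|DC=fileserver01,DC=mycorp.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mycorp,DC=com|DELETE
DC02|2006-07-29 22:20:11|540|CORP\\backupsvc||
DC02|2006-07-30 08:02:55|566|CORP\\admin1|CN=Some User,OU=IT,DC=mycorp,DC=com|WRITE_PROP
"""

DS_OBJECT_OPERATION = 566      # Windows Server 2003 "Object Operation" (Directory Service Access)
LOGON_EVENTS = {528, 540}      # Windows Server 2003 successful logon / network logon


def parse_export(text):
    """Parse the pipe-separated export into dicts with a datetime and an int event id."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("|")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("|")))
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["event_id"] = int(rec["event_id"])
        rows.append(rec)
    return rows


def find_dns_deletions(events, record_name=None):
    """Audit entries that record a DELETE on a dnsNode under CN=MicrosoftDNS.
    Only present if DS Access auditing and a SACL on the zone container were in place."""
    hits = []
    for e in events:
        obj = e["object"].lower()
        if (e["event_id"] == DS_OBJECT_OPERATION and e["access"].upper() == "DELETE"
                and "cn=microsoftdns" in obj
                and (record_name is None or obj.startswith(f"dc={record_name.lower()},"))):
            hits.append(e)
    return sorted(hits, key=lambda e: (e["time"], e["dc"]))


def logons_near(events, when_changed, window=timedelta(minutes=30)):
    """Fallback when no SACL existed: logon events on any DC within +/- window of the
    tombstone's whenChanged, as (dc, time, user) tuples in export order."""
    lo, hi = when_changed - window, when_changed + window
    return [(e["dc"], e["time"], e["user"]) for e in events
            if e["event_id"] in LOGON_EVENTS and lo <= e["time"] <= hi]


def who_deleted(export_text, record_name, when_changed):
    """Direct audit hit first; otherwise the logon-correlation candidate list.
    when_changed is the tombstone's whenChanged as 'YYYY-MM-DD HH:MM:SS'."""
    events = parse_export(export_text)
    hits = find_dns_deletions(events, record_name)
    if hits:
        h = hits[0]
        return {"method": "audit", "user": h["user"], "dc": h["dc"],
                "time": h["time"].isoformat(" ")}
    ts = datetime.strptime(when_changed, "%Y-%m-%d %H:%M:%S")
    return {"method": "logon-correlation",
            "candidates": [(dc, t.isoformat(" "), u) for dc, t, u in logons_near(events, ts)]}


if __name__ == "__main__":
    # whenChanged value below is constructed, as if read from the tombstoned dnsNode
    print(who_deleted(SAMPLE_EXPORT, "fileserver01", "2006-07-29 22:14:00"))
    print(who_deleted(SAMPLE_EXPORT, "otherhost", "2006-07-29 22:14:00"))
```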


RE: [ActiveDir] LDAP Ping

2006-08-04 Thread Michael A. Barker

Another quick way to check all your domain controllers is to fire up the resource kit tool LockoutStatus.exe and plug in your ID. I often use it to get a quick view of what's up and what's down if we're having network issues. It's also handy to check connectivity from a specific location. The price is right too :)

I've seen this issue on Windows 2003 systems but only during a shutdown. The systems will hang indefinitely. I actually let one run for 3 days one time just to see what would happen. The thing I've noticed is that all the machines I've seen these issues on were hardened per the DISA STIG but maybe that's just coincidence.

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Friday, August 04, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

It's not for troubleshooting, it's so we can tell when the DC is hung. You can't tell when it's hung because our monitoring software only pings by IP and it responds. If it replies, I know it can serve LDAP queries, and then I can RPC ping it and make sure that authentication requests will be answered. It's just to do a quick check of what's going on first thing in the morning.

Nate

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

So you LDAP ping the DC and it replies or it does not. What does this tell you? How does it help troubleshoot the issue?

I'd suggest more detailed tools are needed such as network / packet sniffers etc. They should be able to build a picture of the situation better than a ping which offers little more than a 'yes/no' response.

My 2 penneth :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

Hey all,

Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs, but remains pingable and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?

Thanks,

Nate
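No tool is named in the thread, so here is an added Python example (not from the list or any of its posters) of the check Nate describes: a minimal LDAP "ping" that opens TCP 389, sends a base-scope RootDSE SearchRequest encoded by hand in BER, and waits for the SearchResultDone under a timeout, so a DC that still answers ICMP but whose LDAP service is hung is reported as a timeout rather than a success. The host name in the usage line is an assumption; the block also contains the server-side encoder for the reply so that both sides of the exchange can be checked offline.

```python
import socket
import time

# BER tags used below (LDAPv3, RFC 4511); application tags are constructed (0x60 | n)
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED, BOOLEAN = 0x30, 0x02, 0x04, 0x0A, 0x01
SEARCH_REQUEST, SEARCH_RESULT_ENTRY, SEARCH_RESULT_DONE = 0x63, 0x64, 0x65
FILTER_PRESENT = 0x87  # context-specific [7]: the "present" filter, (objectClass=*)


def ber_len(n):
    """Definite-form BER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(tag, n):
    """Non-negative INTEGER/ENUMERATED with a leading zero if the top bit would be set."""
    return ber_tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def build_rootdse_search(msg_id, attrs=("defaultNamingContext", "currentTime")):
    """SearchRequest for the RootDSE: base "", scope baseObject, filter (objectClass=*)."""
    body = (ber_tlv(OCTET_STRING, b"")           # baseObject: "" = RootDSE
            + ber_tlv(ENUMERATED, b"\x00")       # scope: baseObject
            + ber_tlv(ENUMERATED, b"\x00")       # derefAliases: neverDerefAliases
            + ber_int(INTEGER, 0)                # sizeLimit: none
            + ber_int(INTEGER, 5)                # timeLimit: 5 s on the server side
            + ber_tlv(BOOLEAN, b"\x00")          # typesOnly: false
            + ber_tlv(FILTER_PRESENT, b"objectClass")
            + ber_tlv(SEQUENCE, b"".join(ber_tlv(OCTET_STRING, a.encode()) for a in attrs)))
    return ber_tlv(SEQUENCE, ber_int(INTEGER, msg_id) + ber_tlv(SEARCH_REQUEST, body))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos), or None if the TLV at pos is not complete yet."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                             # long-form length
        n = first & 0x7F
        if pos + n > len(buf):
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length


def encode_search_result_done(msg_id, result_code, diag=""):
    """Server side: LDAPResult wrapped in a SearchResultDone (lets the parser be tested offline)."""
    res = (ber_int(ENUMERATED, result_code) + ber_tlv(OCTET_STRING, b"")
           + ber_tlv(OCTET_STRING, diag.encode()))
    return ber_tlv(SEQUENCE, ber_int(INTEGER, msg_id) + ber_tlv(SEARCH_RESULT_DONE, res))


def parse_search_result_done(buf):
    """Walk complete LDAPMessages in buf; return (resultCode, diagnosticMessage) of the
    first SearchResultDone, or None if it has not fully arrived (entries are skipped)."""
    pos = 0
    while (msg := read_tlv(buf, pos)) is not None:
        _, payload, pos = msg
        head = read_tlv(payload)                            # messageID
        op = read_tlv(payload, head[2]) if head else None   # protocolOp
        if op and op[0] == SEARCH_RESULT_DONE:
            code = read_tlv(op[1])                          # resultCode
            matched = read_tlv(op[1], code[2])              # matchedDN
            diag = read_tlv(op[1], matched[2])              # diagnosticMessage
            return int.from_bytes(code[1], "big"), diag[1].decode(errors="replace")
    return None


def ldap_ping(host, port=389, timeout=5.0):
    """TCP connect plus RootDSE query. A hung LDAP service shows up as a timeout."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_rootdse_search(1))
            buf = b""
            while (done := parse_search_result_done(buf)) is None:
                chunk = s.recv(4096)
                if not chunk:
                    return {"ok": False, "reason": "connection closed before SearchResultDone"}
                buf += chunk
    except socket.timeout:
        return {"ok": False, "reason": "timeout: TCP is up but LDAP did not answer"}
    except OSError as exc:
        return {"ok": False, "reason": f"connect failed: {exc}"}
    return {"ok": done[0] == 0, "result_code": done[0], "diag": done[1],
            "rtt_ms": round((time.monotonic() - start) * 1000, 1)}


if __name__ == "__main__":
    print(ldap_ping("dc01.mycorp.com"))   # assumed host name, replace with a real DC
```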





Re: [ActiveDir] (OT)silly anon access question

2006-08-04 Thread Phil Renouf
Stab in the dark before I run away to have supper, does "anonymous logon" have rights to connect to this server via the network?
 
Phil 
On 8/4/06, Tom Kern <[EMAIL PROTECTED]> wrote:


I have a share set up on a test box. The perms on the share give "anonymous logon" access full control.
When I try to net use to the share from a stand alone workstation or a user not logged into the domain, I get prompted for a user name and password.
With Anon Logon, shouldn't I just be able to map without any prompt?
 
Thanks


[ActiveDir] (OT)silly anon access question

2006-08-04 Thread Tom Kern
I have a share set up on a test box. The perms on the share give "anonymous logon" access full control.
When I try to net use to the share from a stand alone workstation or a user not logged into the domain, I get prompted for a user name and password.
With Anon Logon, shouldn't I just be able to map without any prompt?
 
Thanks


RE: [ActiveDir] Authoritative Restore problems

2006-08-04 Thread Mike Hogenauer

Hopefully you read this before vacation!

I got it working, thanks for your help. It was my fault, I was doing too many tests at once on VM machines. I started over from scratch and it worked perfectly.

Thanks!

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, August 04, 2006 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Authoritative Restore problems

Make absolutely sure that you type the DN correctly – I just noticed you have a SPACE between “user,” and “ou=it” – if you entered the DN this way, it wouldn’t work…

P.S.: won’t read the posts for the next two weeks since I’m taking off for vacation tomorrow.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Friday, August 04, 2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Authoritative Restore problems

Guido

Yes, I took a backup of the system state, rebooted into DSRM -> ran ntbackup and restored the system state, went to NTDSUTIL and then tried my “Auth Res” and it still failed. Which is why I’m confused.

I actually have read the article you wrote in your hyperlink, and I know you read these posts so I was actually hoping to get your opinion.

I will try again – and let you know what happens.

Thanks,

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, August 03, 2006 11:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Authoritative Restore problems

Mike, can you be a little more specific about the steps that you took to do your restore? This should work fine using the ntdsutil -> authoritative restore -> restore object “Cn=test user, ou=it,dc=mycorp,dc=com” command. Obviously provided you previously took a backup, rebooted to DSRM mode and have restored the AD DB (SystemState) to the DC – the Auth Restore needs to happen right after the restore of the SystemState, prior to the reboot of the DC.

Check out the whitepaper I wrote with Gil (http://www.netpro.com/media/pdf/NetPro_ADDR_Guide.pdf). Pages 11 to 13 walk you through how to do an Auth. Restore of objects, and since you have R2 (includes SP1), you can go right to page 21 to see how to recover potentially missing links of your recovered object (such as group membership etc.). Hope you don’t have a multi-domain environment and are heavily relying on cross populating domain local groups in all the domains in your forest – this adds extra headaches for the recovery of the links (also described in the whitepaper).

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Friday, August 04, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Authoritative Restore problems

I’ve been asked to write a Disaster recovery doc for our company. I’m trying to delete a single user account and do an authoritative restore of that account.

(in a test environment of course)

Before I deleted the test account I used adsiedit to verify the path to the account. Cn=test user, ou=it,dc=mycorp,dc=com

From Directory restore mode, I can start the Authoritative restore but it always fails with:

Could not find object with the failed DN: failed on component “cn=test user”.

Authoritative restore failed

Error 800 parsing input – illegal syntax?

I’ve reviewed http://support.microsoft.com/?id=840001 and it says I must use quotes – either way it fails.

I’ve even tried the workaround described in here: http://support.microsoft.com/?kbid=886689

Suggestions?

Environment: Windows 2003 R2

Thanks in advance

Mike
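Guido's catch (the space after "user,") is easy to miss by eye. The following Python is an added example, not from the thread and not part of ntdsutil: it splits a DN into RDNs the RFC 4514 way (honouring backslash escapes and quoted values), reports whitespace next to separators and other defects, and builds the quoted "restore object" line that the KB article mentioned above says is required. The helper names are mine; the script only produces text to paste into ntdsutil and never runs it.

```python
import re


def split_dn(dn):
    """Split a string DN into RDN strings at commas that are neither
    backslash-escaped nor inside double quotes (RFC 4514 string form)."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # keep escape pairs such as \, intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def check_dn(dn):
    """Return (rdns, issues): rdns as (TYPE, value) tuples with the attribute type
    upper-cased (types are case-insensitive), issues as one string per defect found."""
    rdns, issues = [], []
    for n, raw in enumerate(split_dn(dn), 1):
        if raw != raw.strip():
            issues.append(f"RDN {n} has whitespace next to a separator: {raw!r}")
        if "=" not in raw:
            issues.append(f"RDN {n} has no '=': {raw!r}")
            continue
        typ, val = raw.strip().split("=", 1)
        typ = typ.strip()
        if not ATTR_TYPE.fullmatch(typ):
            issues.append(f"RDN {n} has an invalid attribute type: {typ!r}")
        if val == "":
            issues.append(f"RDN {n} has an empty value")
        rdns.append((typ.upper(), val))
    return rdns, issues


def ntdsutil_restore_object(dn):
    """Build the quoted 'restore object' line for ntdsutil from the cleaned DN.
    Returns (command, issues); read the issues before trusting the command."""
    rdns, issues = check_dn(dn)
    normalized = ",".join(f"{t}={v}" for t, v in rdns)
    return f'restore object "{normalized}"', issues


if __name__ == "__main__":
    for dn in ("Cn=test user, ou=it,dc=mycorp,dc=com",        # the DN from the thread
               r"CN=Doe\, John,OU=it,DC=mycorp,DC=com"):      # constructed, escaped comma
        cmd, problems = ntdsutil_restore_object(dn)
        print(cmd)
        for p in problems:
            print("  !", p)
```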








[ActiveDir] OT: Enterprise Terminal Server Licensing Server question

2006-08-04 Thread Thommes, Michael M.
Hi,

This is not causing any issues that I am aware of, but something does not seem right. We set up two Enterprise Terminal Server Licensing Servers, both DCs. They are both identified in CN=TS-Enterprise-License-Server,CN=site-name,CN=Sites,CN=Configuration,DC=something,DC=com under the attribute “siteServer”. When I run the GUI “LSVIEW.EXE” from the W2K3 ResKit, nothing populates but the spotlight icon shows “green” (i.e., everything is hunky-dory). Some more research shows that the AD group “Terminal Server License Servers” has *no* members! Would it make sense to populate this group with the appropriate servers? Any idea why it wouldn’t have been populated in the first place?



TIA,

Mike Thommes




RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

2006-08-04 Thread Michael B. Smith
All I can say is that it's about darn time he posted it! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Friday, August 04, 2006 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant
released

Hadn't heard about "Squeaky Lobster" (shame on me - ex Exchange
admin)...
Just googled it and read Brett's blog ...hilarious!!!

Another good post Susan!

Alex
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, August 04, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant
released

Just readin' the blogs ... http://blogs.technet.com... and the EHLO blog

(where I might add is one of the few places in the world that has the
definitive "Squeaky Lobster" information that all Exchange admins must
know)

mike kline wrote:
> In one of the blog comments Haruya Shida said that
>  
>  
> Exchange Server Performance Troubleshooting Analyzer tool
> +
> Exchange Disaster Recovery Analyzer
> +
> Exchange Mail Flow troubleshooter
> =
> 
> Exchange Troubleshooting Assistant
>  
> Another tool in our arsenal should be a good thing, good post Susan.
>  
>
>
>  
> On 8/4/06, *Alex Alborzfard* <[EMAIL PROTECTED] 
> > wrote:
>
> I thought they had already released a tool which did similar
> things a while back. I remember using it once or twice.
>
> May be they re-named or improved it?!
>
>  
>
> Thanks for posting this though!
>
>  
>
> Alex
>
>

>
> *From:* [EMAIL PROTECTED]
>  [mailto:
> [EMAIL PROTECTED]
> ] *On Behalf Of *Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> *Sent:* Friday, August 04, 2006 1:26 AM
> *To:* ActiveDir@mail.activedir.org
> 
> *Subject:* [ActiveDir] OT:Microsoft Exchange Troubleshooting
> Assistant released
>
>  
>
>
> *Microsoft Exchange Troubleshooting Assistant released - get
> it here*
>
> Yesterday we released some new tools to help make your life as an
> email admin easier.  It's called the ** Microsoft Exchange
> Troubleshooting Assistant v1.0**.  Here's the description:
>
> The Exchange Troubleshooting Assistant programmatically
> executes a set of troubleshooting steps to identify the root
> cause of performance, mail flow, and database mounting issues.
> The tool automatically determines what set of data is required
> to troubleshoot the identified symptoms and collects
> configuration data, performance counters, event logs and live
> tracing information from an Exchange server and other
> appropriate sources. The tool analyzes each subsystem to
> determine individual bottlenecks and component failures, then
> aggregates the information to provide root cause analysis.
>
> As you can see, there's some good stuff in the new assistant.  Get
> it at
>
> http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9A&displaylang=en
>

>
> We'll be demoing this tool and a host of others starting next week
> as we launch the Q1FY07 Microsoft TechNet Seminars.  We start the
> morning off with a **Windows Vista Technical Overview** then later
> do a bunch of fun stuff with **Exchange Server 2003** and *
> *Exchange Server 2007 Beta 2**.  See the description of the events
> at http://www.technetevents.com
> .
>
> Published Thursday, August 03, 2006 11:30 PM by Keith Combs
> 
>
> http://blogs.technet.com/keithcombs/archive/2006/08/03/444904.aspx
>

>
> List info : http://www.activedir.org/List.aspx List FAQ :
> http://www.activedir.org/ListFAQ.aspx List archive:
> http://www.activedir.org/ml/threads.aspx
>
>

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] LDAP Ping

2006-08-04 Thread Mark Parris
What SP level are you at? I remember when I was working at a "big bank" we used to have this issue on certain DCs and it was escalated quite high within MS and was never fully resolved but it was something to do with RDP/TS remote admin - please excuse my vagueness but it was 4 years ago. Under SP3 it was terrible - SP4 it was bearable - some totally unrelated KB which had a snippet i.e. can also cause this - resolved the issue.

If I can find my old Black and Red for that period, I will let you know the KB.

Mark




-Original Message-
From: "Bahta, Nathaniel V CTR USAF NASIC/SCNA" <[EMAIL PROTECTED]>
Date: Fri, 4 Aug 2006 15:47:50 
To:
Subject: RE: [ActiveDir] LDAP Ping

Yes, it sure is. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, August 04, 2006 3:09 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] LDAP Ping

Is the box a windows 2000 box and it just sits at the windows 2000 blue screen 
- totally pingable but doing nothing else?
-Original Message-
From: "Bahta, Nathaniel V CTR USAF NASIC/SCNA" <[EMAIL PROTECTED]>
Date: Fri, 4 Aug 2006 12:47:15
To:
Subject: RE: [ActiveDir] LDAP Ping

No we can't RDP into the box when it hangs. We have tools that do everything from NetIQ Application manager to HP Openview to Ethereal, but if I get here in the morning, and I want to do a quick functions check of the system, I will need a compilation of tools that can test things up and down the OSI model, and then I will probably parse through that output for successes and failures. Much like the eventcomb tool that takes a list of systems and parses through their event logs and pulls out things I would want to see, it's lightweight and gives me only what I request.
  
Nate
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Friday, August 04, 2006 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
 
You can't ask that, coz that'd be troubleshooting :-^
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: 04 August 2006 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
 
Are you able to RDP to the DC when it "hangs"? 
  
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel 
V CTR USAF NASIC/SCNA
Sent: 04 Aug 2006 14:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
It's not for troubleshooting, it's so we can tell when the DC is hung. You can't tell when it's hung because our monitoring software only pings by IP and it responds. If it replies, I know it can serve LDAP queries, and then I can RPC ping it and make sure that authentication requests will be answered. It's just to do a quick check of what's going on first thing in the morning.
  
Nate
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Friday, August 04, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
 
So you ldap ping the DC and it replies or it does not. What does this tell you? 
How does it help troubleshoot the issue? 
  
I'd suggest more detailed tools are needed such as network / packet sniffers 
etc. They should be able to build a picture of the situation better than a ping 
which offers little more than a 'yes/no' response. 
  
My 2 penneth :) 
  
neil
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, 
Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

 
 
Hey all, 
  
Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs, but remains pingable and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?
  
  
Thanks, 
  
Nate

RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

2006-08-04 Thread Alex Alborzfard
Hadn't heard about "Squeaky Lobster" (shame on me - ex Exchange
admin)...
Just googled it and read Brett's blog ...hilarious!!!

Another good post Susan!

Alex
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, August 04, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant
released

Just readin' the blogs ... http://blogs.technet.com... and the EHLO blog

(where I might add is one of the few places in the world that has the 
definitive "Squeaky Lobster" information that all Exchange admins must
know)

mike kline wrote:
> In one of the blog comments Haruya Shida said that
>  
>  
> Exchange Server Performance Troubleshooting Analyzer tool  
> +
> Exchange Disaster Recovery Analyzer
> +
> Exchange Mail Flow troubleshooter
> =
> 
> Exchange Troubleshooting Assistant
>  
> Another tool in our arsenal should be a good thing, good post Susan.
>  
>
>
>  
> On 8/4/06, *Alex Alborzfard* <[EMAIL PROTECTED] 
> > wrote:
>
> I thought they had already released a tool which did similar
> things a while back. I remember using it once or twice.
>
> May be they re-named or improved it?!
>
>  
>
> Thanks for posting this though!
>
>  
>
> Alex
>
>

>
> *From:* [EMAIL PROTECTED]
>  [mailto:
> [EMAIL PROTECTED]
> ] *On Behalf Of *Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> *Sent:* Friday, August 04, 2006 1:26 AM
> *To:* ActiveDir@mail.activedir.org
> 
> *Subject:* [ActiveDir] OT:Microsoft Exchange Troubleshooting
> Assistant released
>
>  
>
>
> *Microsoft Exchange Troubleshooting Assistant released - get
> it here*
>
> Yesterday we released some new tools to help make your life as an
> email admin easier.  It's called the ** Microsoft Exchange
> Troubleshooting Assistant v1.0**.  Here's the description:
>
> The Exchange Troubleshooting Assistant programmatically
> executes a set of troubleshooting steps to identify the root
> cause of performance, mail flow, and database mounting issues.
> The tool automatically determines what set of data is required
> to troubleshoot the identified symptoms and collects
> configuration data, performance counters, event logs and live
> tracing information from an Exchange server and other
> appropriate sources. The tool analyzes each subsystem to
> determine individual bottlenecks and component failures, then
> aggregates the information to provide root cause analysis.
>
> As you can see, there's some good stuff in the new assistant.  Get
> it at
>
> http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9A&displaylang=en
>

>
> We'll be demoing this tool and a host of others starting next week
> as we launch the Q1FY07 Microsoft TechNet Seminars.  We start the
> morning off with a **Windows Vista Technical Overview** then later
> do a bunch of fun stuff with **Exchange Server 2003** and *
> *Exchange Server 2007 Beta 2**.  See the description of the events
> at http://www.technetevents.com
> .
>
> Published Thursday, August 03, 2006 11:30 PM by Keith Combs
> 
>
> http://blogs.technet.com/keithcombs/archive/2006/08/03/444904.aspx
>

>
> List info : http://www.activedir.org/List.aspx List FAQ :
> http://www.activedir.org/ListFAQ.aspx List archive:
> http://www.activedir.org/ml/threads.aspx
>
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Replication from ASP

2006-08-04 Thread Joe Kaplan
FWIW, Bryan and I have been discussing this offline and it looks like he's using ASP.NET 2.0, not ASP. In .NET 2.0, replication operations are exposed on the DomainController class in the System.DirectoryServices.ActiveDirectory namespace. No need for goofy shelling out to repadmin. The .NET wrappers consume the replication RPC APIs directly.


Joe K.
- Original Message - 
From: Lucas, Bryan

To: ActiveDir@mail.activedir.org
Sent: Monday, July 31, 2006 4:12 PM
Subject: [ActiveDir] Replication from ASP


Does anyone know how I force replication through ASP 2.0?

My DC's are all local (no WANs) and 2003 SP1.

I have a web page that does account creation and then points the user to a 
portal which attempts to authenticate against AD.  The portal software 
(Peoplesoft) can only attempt against a single DC, so if that user didn't 
create his account there it doesn't work right away.


Bryan Lucas
Server Administrator
Texas Christian University




RE: [ActiveDir] Replication from ASP

2006-08-04 Thread Ed Buford

….here’s some links to get you started with HTAs

http://msdn.microsoft.com/library/default.asp?url="">

http://www.microsoft.com/downloads/details.aspx?FamilyId=231D8143-F21B-4707-B583-AE7B9152E6D9&displaylang=en

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

See, I knew someone could do something with that….

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Buford
Sent: Friday, August 04, 2006 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

And you could take a VBScript and roll it into a .hta file and then you could access it from a webpage.

Ed Buford
Network Administrator
Granger Community Church
630 E. University Drive
Granger, IN 46530
574.243.3506, x386 • [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

I have seen a script to do it in VBScript, but not ASP. Here’s a link to the VBScript, maybe it’ll trigger something.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Friday, August 04, 2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

Anyone have any thoughts on this?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP

Does anyone know how I force replication through ASP 2.0?

My DC’s are all local (no WANs) and 2003 SP1.

I have a web page that does account creation and then points the user to a portal which attempts to authenticate against AD. The portal software (Peoplesoft) can only attempt against a single DC, so if that user didn’t create his account there it doesn’t work right away.

Bryan Lucas
Server Administrator
Texas Christian University

 








RE: [ActiveDir] Vendor Domain

2006-08-04 Thread Grillenmeier, Guido

Ha, that was easy :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Friday, August 04, 2006 1:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

There was no real reason for a separate domain, other than it simplified the vendor's support. We ended up creating an OU and delegating administration to it.

Thanks I promised I would get back to you

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 20, 2006 5:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

I completely understand.

 

If a vendor is actively and completely supporting this application
for you ***as a service*** then patching, etc should be something that you
specify the requirements for in the actual contract with the vendor with
penalties, etc associated with it for non-compliance. You should not have
to touch any of it because you shouldn't even have the ability to touch any of
it - that is what the service model is about. 

 

If this is a vendor telling you to create a new domain/forest that
you in any way shape or form have to support for their app, I would tell them
they better have a really amazing explanation because all of the tables
are already against them and if the extra domain/forest gets pushed through you
immediately tell, not ask, the people requiring the application what it is
going to cost to get the extra resources to support the extra domain/forest -
including all licenses for monitoring and other third party tools needed to
properly support the environment.

 

Again, if this is just an application and application support, you tell the vendor where it goes. If this a service, then listen carefully to the vendor as they may have a good point and if you force them to deviate there will be a premium at the minimum associated with it. A new Domain/Forest for a service model should be a black box to you.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Thursday, July 20, 2006 8:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

Joe, I can not comment on the specifics just yet as IT has not actually met with the vendor yet. We received the requirements and when I read about the separate domain with a trust to our own, I started to try and build a case for NOT. As I had mentioned earlier.

 

I will try to keep an open mind on the whole thing but if every
medical vendor came in and asked for their own domain we would have quite a
mess. You then end up with problems like patch compliance, virus definitions
you can not verify or having to provide for some form of isolation of these
environments while allowing them to be functional. This last part turns into
administration overhead and dollars that we try to push back to the vendor, not
always successfully depending on how much the application is needed. 

 

Vendor supported environments inside your own can be a post all of
its own that goes on forever. How many vendors say they will take care of their
devices and you wake up one day only to find out that you are under attack from
one of those vendor "supported" devices. It could be a virus as we
have had happened to us or a misbehaving AV application on the same devices you
don't have admin access to that renders several DFS servers inaccessible with
high CPU usage. 

 

We will try to get to the bottom of it as usual, the devil is in
the details. I promised to report back since many of you have taken the time to
provide your thoughts on the matter.

 

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 20, 2006 1:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

My first reaction is that that is pretty nebulous and hazy. I don't think they can compare whatever it is they do to a respirator and have validity, I think that would be talking apples and olive pits.

 

Overall it sounds like a move to reduce support and troubleshooting
costs by having a known fixed environment in which their app will run. It could
even mean that they have bad decisions (and coding) in the software itself that
has hard requirements to that specific layout so they don't have to code for a more
generic setup. 

 

Certainly the concern that AD may not be stable is a valid one from
a vendor doing managed service support standpoint as it is something I have
encountered in the field myself. More environments than not that I have
walked into to deploy Exchange the AD folks thought AD was perfectly fine and
were surprised when Exchange dragged their DCs under water and I have to go
through their design and figure out what exactly isn't optimal (hint usually
the disk subsystems - stop using mirrors damnit). But if the customer is

RE: [ActiveDir] Authoritative Restore problems

2006-08-04 Thread Grillenmeier, Guido

Make absolutely sure that you type the DN correctly – I just noticed
you have a SPACE between “user,” and “ou=it” – if you entered the
DN this way, it wouldn’t work…

 

P.S.: won’t read the posts for the next two weeks since I’m taking
off for vacation tomorrow. 

 

 

/Guido

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike Hogenauer
Sent: Friday, August 04, 2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Authoritative Restore problems

Guido 

 

Yes, I took a backup of the
system state, rebooted into DSRM -> ran ntbackup and restored the system state,
went to NTDSUTIL and then tried my “Auth Res” and it still failed.  Which
is why I’m confused. 

I actually have read the article you wrote in your hyperlink, and I know you read these posts so I was actually hoping to get your opinion.

 

I will try again – and let you
know what happens. 

 

Thanks,

Mike 

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Grillenmeier, Guido
Sent: Thursday, August 03, 2006 11:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Authoritative Restore problems

Mike, can you be a little more specific about the steps that you
took to do your restore? This should work fine using the ntdsutil ->
authoritative restore -> restore object “Cn=test user, ou=it,dc=mycorp,dc=com”
command. Obviously provided you previously took a backup, rebooted to DSRM mode
and have restored the AD DB (SystemState) to the DC – the Auth Restore needs to
happen right after the restore of the SystemState, prior to the reboot of the
DC.

 

Check out the whitepaper I wrote with Gil (http://www.netpro.com/media/pdf/NetPro_ADDR_Guide.pdf).
Pages 11 to 13 walk you through how to do an Auth. Restore of objects, and
since you have R2 (includes SP1), you can go right to page 21 to see how to
recover potentially missing links of your recovered object (such as group
membership etc.). Hope you don’t have a multi-domain environment and are
heavily relying on cross populating domain local groups in all the domains in
your forest – this adds extra headaches for the recovery of the links (also
described in the whitepaper).

 

/Guido

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike Hogenauer
Sent: Friday, August 04, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Authoritative Restore problems

I’ve been asked to write a Disaster recovery doc for our
company.  I’m trying to delete a single user account and do an authoritative
restore of that account. 

(in a test environment of course) 

 

Before I deleted the test account I used adsiedit to verify
the path to the account. Cn=test user, ou=it,dc=mycorp,dc=com 

From Directory restore mode, I can start the Authoritative
restore but it always fails with: 

 

Could not find object with the failed DN: failed on
component “cn=test user”. 

 

Authoritative restore failed 

Error 800 parsing input – illegal syntax?

 

 

I’ve reviewed http://support.microsoft.com/?id=840001
and it says I must use quotes – either way it fails. 

 

I’ve even tried the workaround described in here: http://support.microsoft.com/?kbid=886689


Suggestions?  

 

Environment: Windows 2003 R2 

 

Thanks in advance

Mike  
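
The DN problem Guido spots in this thread, as an added example (my code, not from the thread or from ntdsutil): a small RFC 4514-style DN splitter that honours backslash escapes and quoted values, reports an RDN with leading or trailing whitespace (the stray space after the comma in "Cn=test user, ou=it,..."), and builds the quoted "restore object" line in the form Guido gives. The DN is the one from Mike's post; the function names are my own.

```python
"""Check a distinguished name before handing it to ntdsutil's
"restore object" command.

Added example, not code from the ActiveDir thread or from ntdsutil.
A DN such as  Cn=test user, ou=it,dc=mycorp,dc=com  carries a space
after the first comma, so its second RDN is " ou=it": an attribute
type that starts with whitespace.  split_dn() cuts a DN into RDNs at
unescaped, unquoted commas; check_dn() reports such problems;
normalize_dn() strips the offending whitespace without touching the
spaces inside values (e.g. "test user").
"""
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings at unescaped, unquoted commas."""
    rdns, cur, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep the pair verbatim
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:   # RDN boundary
            rdns.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def check_dn(dn: str) -> List[str]:
    """Return a list of problems found in the DN (empty list means clean)."""
    problems = []
    for idx, rdn in enumerate(split_dn(dn)):
        if rdn != rdn.strip():
            problems.append(f"RDN {idx} {rdn!r} has leading/trailing whitespace")
        if "=" not in rdn:
            problems.append(f"RDN {idx} {rdn!r} has no '=' separator")
            continue
        attr, _, value = rdn.partition("=")
        if not attr.strip():
            problems.append(f"RDN {idx} {rdn!r} has an empty attribute type")
        if not value.strip():
            problems.append(f"RDN {idx} {rdn!r} has an empty value")
    return problems


def normalize_dn(dn: str) -> str:
    """Strip the whitespace around each RDN; spaces inside values survive."""
    return ",".join(rdn.strip() for rdn in split_dn(dn))


def ntdsutil_restore_command(dn: str) -> str:
    """The quoted 'restore object' line for the normalized DN."""
    return f'restore object "{normalize_dn(dn)}"'
```

Running check_dn on the DN from Mike's post reports exactly one problem (RDN 1 ' ou=it'), and ntdsutil_restore_command returns restore object "Cn=test user,ou=it,dc=mycorp,dc=com"; a DN with an escaped comma in a value, such as cn=Doe\, John, still splits into the right number of RDNs.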

RE: [ActiveDir] Replication from ASP

2006-08-04 Thread Kevin Brunson

See, I knew someone could do something
with that….

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Buford
Sent: Friday, August 04, 2006 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

And you could take a VBScript and roll it into a .hta file and then you could access it from a webpage.

Ed Buford
 Network Administrator
Granger
 Community Church
630 E. University Drive
Granger, IN 46530
574.243.3506, x386 • 
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

I have seen a script to do it in VBScript, but not ASP.  Here’s a link to the VBScript, maybe it’ll trigger something. 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Friday, August 04, 2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

Anyone have any thoughts on this?

Thanks,

Bryan Lucas

Server Administrator

Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP

Does anyone know how I force replication through ASP
2.0?  

 

My DC’s are all local (no WANs) and 2003 SP1.

 

I have a web page that does account creation and then points
the user to a portal which attempts to authenticate against AD.  The
portal software (Peoplesoft) can only attempt against a single DC, so if that
user didn’t create his account there it doesn’t work right
away.  

 

Bryan Lucas

Server Administrator

Texas Christian University

RE: [ActiveDir] LDAP Ping

2006-08-04 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA
Yes, it sure is. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, August 04, 2006 3:09 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] LDAP Ping

Is the box a windows 2000 box and it just sits at the windows 2000 blue screen 
- totally pingable but doing nothing else?
-Original Message-
From: "Bahta, Nathaniel V CTR USAF NASIC/SCNA" <[EMAIL PROTECTED]>
Date: Fri, 4 Aug 2006 12:47:15
To:
Subject: RE: [ActiveDir] LDAP Ping

No, we can't RDP into the box when it hangs.  We have tools that do everything from NetIQ Application Manager to HP OpenView to Ethereal, but if I get here in the morning and I want to do a quick functions check of the system, I will need a compilation of tools that can test things up and down the OSI model, and then I will probably parse through that output for successes and failures.  Much like the EventComb tool that takes a list of systems and parses through their event logs and pulls out things I would want to see, it's lightweight and gives me only what I request. 
  
Nate
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Friday, August 04, 2006 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
 
You can't ask that, coz that'd be troubleshooting :-^
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: 04 August 2006 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
 
Are you able to RDP to the DC when it "hangs"? 
  
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel 
V CTR USAF NASIC/SCNA
Sent: 04 Aug 2006 14:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
It's not for troubleshooting; it's so we can tell when the DC is hung. You can't tell when it's hung because our monitoring software only pings by IP and it responds.  If it replies, I know it can serve LDAP queries, and then I can RPC ping it and make sure that authentication requests will be answered.  It's just to do a quick check of what's going on first thing in the morning. 
  
Nate
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Friday, August 04, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
 
So you ldap ping the DC and it replies or it does not. What does this tell you? 
How does it help troubleshoot the issue? 
  
I'd suggest more detailed tools are needed such as network / packet sniffers 
etc. They should be able to build a picture of the situation better than a ping 
which offers little more than a 'yes/no' response. 
  
My 2 penneth :) 
  
neil
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, 
Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

 
 
Hey all, 
  
Does anyone know of a command line utility that allows you to test LDAP connections?  We have a DC that hangs but remains pingable, and I would like to do LDAP pings to it as well as RPC pings.  I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well.  Does anyone know of a utility like this? 
  
  
Thanks, 
  
Nate
PLEASE READ: The information contained in this email is confidential and 
intended for the named recipient(s) only. If you are not an intended recipient 
of this email please notify the sender immediately and delete your copy from 
your system. You must not copy, distribute or take any further action in 
reliance on it. Email is not a secure method of communication and Nomura 
International plc ('NIplc') will not, to the extent permitted by law, accept 
responsibility or liability for (a) the accuracy or completeness of, or (b) the 
presence of any virus, worm or similar malicious or disabling code in, this 
message or any attachment(s) to it. If verification of this email is sought 
then please request a hard copy. Unless otherwise stated this email: (1) is 
not, and should not be treated or relied upon as, investment research; (2) 
contains views or opinions that are solely those of the author and do not 
necessarily represent those of NIplc; (3) is intended for informational 
purposes only and is not a recommendation, solicitation or offer to buy or sell 
securities or related financial instruments. NIplc does not provide investment 
services to private customers. Authorised and regulated by the Financial 
Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. 
Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the 
Nomura group of companies. 
 
 
This message contains confidential information and is intended only 
 
for the individual or entity named. If yo

Re: [ActiveDir] Using a secret administrator account

2006-08-04 Thread Matheesha Weerasinghe
Well from what I've understood, I don't think your secret administrator is going to be useful in scenarios where you get issues with token limits. In those instances, the only account that is guaranteed to work is the default built-in administrator account. Even if it's disabled, you can still use it in Safe mode with Networking. Check 
http://www.microsoft.com/downloads/details.aspx?familyid=22dd9251-0781-42e6-9346-89d577a3e74a&displaylang=en
for details. Instead you should look to reducing the number of domain administrators in the domain and limiting them to a few trusted users. Auditing will show when passwords are changed on the default administrator account.

HTH
M@

On 8/4/06, Isenhour, Joseph <[EMAIL PROTECTED]> wrote:
What is the general consensus on the use of back up admin accounts? This is an account that is hidden to most users and has elevated privileges in the domain.  The purpose of the account is to be able to quickly react to an attack on the Domain Admin accounts either by a malicious user, or a bug in a process.

The built in Administrator account is a huge target and it's easy to find even if you rename it.  It can't be deleted but the password can be changed which can cause a lot of trouble.  That's why I'm starting to think about this.

Thanks

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
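
Matheesha's last point, auditing password changes on the default administrator account, as an added example (my code, not from the thread or from any Microsoft tool): a small detection over security audit records that keys on the target SID's relative identifier rather than on the account name. The built-in Administrator keeps RID 500 however it is renamed, which is what makes it easy to find as Joseph says, and the same fact makes the detection survive a rename. Event IDs 628 and 4724 are the real Windows password-reset events; the records, principals and SIDs are constructed, and the pipe-delimited layout is a simplification, not the native event-log format.

```python
"""Flag password resets of the built-in Administrator account (RID 500) in
Windows security audit records.  Added example, not from the ActiveDir thread.
Event IDs are the real Windows ones for "password reset by another principal":
628 on Windows 2000/2003, 4724 on Vista/2008 and later.  The self-service
change events (627/4723) are deliberately not in the set."""
from dataclasses import dataclass
from typing import Iterable, List

PASSWORD_RESET_EVENTS = {628, 4724}   # reset by someone else, not a self-service change
BUILTIN_ADMIN_RID = 500

# Constructed sample (not real log output):
# timestamp|event_id|subject (who did it)|target name|target SID
SAMPLE_LOG = """\
2006-08-04 02:13:07|528|jsmith|jsmith|S-1-5-21-1111-2222-3333-1105
2006-08-04 02:14:50|628|svc_backup|RenamedAdmin|S-1-5-21-1111-2222-3333-500
2006-08-04 02:15:02|628|jsmith|bob|S-1-5-21-1111-2222-3333-1210
2006-08-04 02:16:41|4724|jsmith|RenamedAdmin|S-1-5-21-1111-2222-3333-500
2006-08-04 02:17:00|627|RenamedAdmin|RenamedAdmin|S-1-5-21-1111-2222-3333-500
"""


@dataclass
class AuditRecord:
    timestamp: str
    event_id: int
    subject: str
    target_name: str
    target_sid: str


def parse_records(text: str) -> List[AuditRecord]:
    """Parse the pipe-delimited sample format; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subj, tname, tsid = line.split("|")
        records.append(AuditRecord(ts, int(eid), subj, tname, tsid))
    return records


def rid_of(sid: str) -> int:
    """Relative identifier: the last sub-authority of a SID."""
    return int(sid.rsplit("-", 1)[1])


def find_builtin_admin_resets(records: Iterable[AuditRecord],
                              approved_subjects: Iterable[str] = ()) -> List[AuditRecord]:
    """Records where someone reset the RID-500 account's password.  Resets by an
    approved principal (a documented break-glass process, say) are excluded;
    everything else is worth an alert, whatever the account is currently called."""
    approved = set(approved_subjects)
    return [r for r in records
            if r.event_id in PASSWORD_RESET_EVENTS
            and rid_of(r.target_sid) == BUILTIN_ADMIN_RID
            and r.subject not in approved]


def describe(hits: Iterable[AuditRecord]) -> List[str]:
    """One alert line per hit, naming who reset the built-in Administrator."""
    return [f"{h.timestamp} event {h.event_id}: {h.subject} reset password of "
            f"{h.target_name} (RID {rid_of(h.target_sid)})" for h in hits]
```

On the sample, find_builtin_admin_resets(parse_records(SAMPLE_LOG)) returns the two resets of RenamedAdmin (by svc_backup and by jsmith) and ignores the reset of bob and RenamedAdmin's own password change; passing approved_subjects={"svc_backup"} leaves only the jsmith reset.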


Re: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

2006-08-04 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Just readin' the blogs ... http://blogs.technet.com... and the EHLO blog 
(where I might add is one of the few places in the world that has the 
definitive "Squeaky Lobster" information that all Exchange admins must know)


mike kline wrote:

In one of the blog comments Haruya Shida said that
 
 
Exchange Server Performance Troubleshooting Analyzer tool  
+

Exchange Disaster Recovery Analyzer
+
Exchange Mail Flow troubleshooter
=

Exchange Troubleshooting Assistant
 
Another tool in our arsenal should be a good thing, good post Susan.
 
On 8/4/06, *Alex Alborzfard* <[EMAIL PROTECTED]> wrote:


I thought they had already released a tool which did similar
things a while back. I remember using it once or twice.

May be they re-named or improved it?!

Thanks for posting this though!

Alex

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
*Sent:* Friday, August 04, 2006 1:26 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released


*Microsoft Exchange Troubleshooting Assistant released - get it here*

Yesterday we released some new tools to help make your life as an
email admin easier.  It's called the ** Microsoft Exchange
Troubleshooting Assistant v1.0**.  Here's the description:

The Exchange Troubleshooting Assistant programmatically
executes a set of troubleshooting steps to identify the root
cause of performance, mail flow, and database mounting issues.
The tool automatically determines what set of data is required
to troubleshoot the identified symptoms and collects
configuration data, performance counters, event logs and live
tracing information from an Exchange server and other
appropriate sources. The tool analyzes each subsystem to
determine individual bottlenecks and component failures, then
aggregates the information to provide root cause analysis.

As you can see, there's some good stuff in the new assistant.  Get
it at

http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9A&displaylang=en



We'll be demoing this tool and a host of others starting next week
as we launch the Q1FY07 Microsoft TechNet Seminars.  We start the
morning off with a **Windows Vista Technical Overview** then later
do a bunch of fun stuff with **Exchange Server 2003** and
**Exchange Server 2007 Beta 2**.  See the description of the events
at http://www.technetevents.com.

Published Thursday, August 03, 2006 11:30 PM by Keith Combs


http://blogs.technet.com/keithcombs/archive/2006/08/03/444904.aspx



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Replication from ASP

2006-08-04 Thread Ed Buford

And you could take a VBScript and roll it into a .hta file and then you could access it from a webpage.
 
Ed Buford
Network Administrator
Granger Community Church
630 E. University Drive
Granger, IN 46530
574.243.3506, x386 • [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP


I have seen a script to do it in VBScript, but not ASP.  Here’s a link to the VBScript, maybe it’ll trigger something. 
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Friday, August 04, 2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP
 
Anyone have any thoughts on this?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP
 
Does anyone know how I force replication through ASP 2.0?  

My DC’s are all local (no WANs) and 2003 SP1.

I have a web page that does account creation and then points the user to a portal which attempts to authenticate against AD.  The portal software (Peoplesoft) can only attempt against a single DC, so if that user didn’t create his account there it doesn’t work right away.  

Bryan Lucas
Server Administrator
Texas Christian University
 


Re: [ActiveDir] LDAP Ping

2006-08-04 Thread Mark Parris
Is the box a windows 2000 box and it just sits at the windows 2000 blue screen 
- totally pingable but doing nothing else?
-Original Message-
From: "Bahta, Nathaniel V CTR USAF NASIC/SCNA" <[EMAIL PROTECTED]>
Date: Fri, 4 Aug 2006 12:47:15 
To:
Subject: RE: [ActiveDir] LDAP Ping

No, we can't RDP into the box when it hangs.  We have tools that do everything from NetIQ Application Manager to HP OpenView to Ethereal, but if I get here in the morning and I want to do a quick functions check of the system, I will need a compilation of tools that can test things up and down the OSI model, and then I will probably parse through that output for successes and failures.  Much like the EventComb tool that takes a list of systems and parses through their event logs and pulls out things I would want to see, it's lightweight and gives me only what I request. 
  
Nate
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Friday, August 04, 2006 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
 
You can't ask that, coz that'd be troubleshooting :-^
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: 04 August 2006 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
 
Are you able to RDP to the DC when it "hangs"? 
  
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel 
V CTR USAF NASIC/SCNA
Sent: 04 Aug 2006 14:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
It's not for troubleshooting; it's so we can tell when the DC is hung. You can't tell when it's hung because our monitoring software only pings by IP and it responds.  If it replies, I know it can serve LDAP queries, and then I can RPC ping it and make sure that authentication requests will be answered.  It's just to do a quick check of what's going on first thing in the morning. 
  
Nate
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Friday, August 04, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

 
 
So you ldap ping the DC and it replies or it does not. What does this tell you? 
How does it help troubleshoot the issue? 
  
I'd suggest more detailed tools are needed such as network / packet sniffers 
etc. They should be able to build a picture of the situation better than a ping 
which offers little more than a 'yes/no' response. 
  
My 2 penneth :) 
  
neil
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, 
Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

 
 
Hey all, 
  
Does anyone know of a command line utility that allows you to test LDAP connections?  We have a DC that hangs but remains pingable, and I would like to do LDAP pings to it as well as RPC pings.  I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well.  Does anyone know of a utility like this? 
  
  
Thanks, 
  
Nate 

RE: [ActiveDir] Replication from ASP

2006-08-04 Thread Coleman, Hunter

Can't you code your ASP so that it points to the same DC when it creates the user account that PeopleSoft is using for authentication?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Friday, August 04, 2006 12:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

Anyone have any thoughts on this?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP
 
Does anyone know how I force replication through ASP 2.0?  

My DC’s are all local (no WANs) and 2003 SP1.

I have a web page that does account creation and then points the user to a portal which attempts to authenticate against AD.  The portal software (Peoplesoft) can only attempt against a single DC, so if that user didn’t create his account there it doesn’t work right away.  

Bryan Lucas
Server Administrator
Texas Christian University
 


RE: [ActiveDir] Replication from ASP

2006-08-04 Thread Kevin Brunson

I have seen a script to do it in VBScript, but not ASP.  Here’s a link to the VBScript, maybe it’ll trigger something. 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Friday, August 04, 2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

Anyone have any thoughts on this?

Thanks,

Bryan Lucas

Server Administrator

Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP

Does anyone know how I force replication through ASP
2.0?  

 

My DC’s are all local (no WANs) and 2003 SP1.

 

I have a web page that does account creation and then points
the user to a portal which attempts to authenticate against AD.  The
portal software (Peoplesoft) can only attempt against a single DC, so if that
user didn’t create his account there it doesn’t work right
away.  

 

Bryan Lucas

Server Administrator

Texas Christian University

RE: [ActiveDir] Replication from ASP

2006-08-04 Thread Kennedy, Jim

WAG. Skin it from the other direction. Make sure the ASP page creates the account on the Peoplesoft DC. How…I dunno, but even replication could take too long if you could trigger it.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Lucas, Bryan
Sent: Friday, August 04, 2006 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

Anyone have any thoughts on this?

Thanks,

Bryan Lucas

Server Administrator

Texas Christian University

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP

Does anyone know how I force replication through ASP 2.0?  

My DC’s are all local (no WANs) and 2003 SP1.

I have a web page that does account creation and then points the user to a portal which attempts to authenticate against AD.  The portal software (Peoplesoft) can only attempt against a single DC, so if that user didn’t create his account there it doesn’t work right away.  

Bryan Lucas

Server Administrator

Texas Christian University

RE: [ActiveDir] 2003 domain & 2000,

2006-08-04 Thread Kevin Brunson

Sorry I wasn’t trying to be snappy. 
I was just afraid I was missing the connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Friday, August 04, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 domain & 2000,

We didn’t…I was just
mentioning that with regard to having 2000 DC’s co-existing with 2003
DC’s…I didn’t know that it would matter to you that much I
replied to your message instead of someone else’s reply.

Have a great day!

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 domain & 2000,

Sorry…., how did we get to the
topology generator from adprep?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Friday, August 04, 2006 11:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 domain & 2000,

Hey Kevin, I dunno if you’re already
aware of this or if it even applies in your environment…but if you have
more than one site then the new DC will automatically become the ISTG of the
site you put it into.  Whenever a 2003 DC is added to a site, it will
assume ISTG ownership if there are no other 2003 DC’s in that site. 
Might not even matter for your situation, but the following is a really good
read anyway to understand all the cool replication stuff.

 

Here’s a snippet from the following
URL:

http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx?mfr=true

ISTG Role Ownership and Viability

The owner of the ISTG role is communicated through normal
Active Directory replication. Initially, the first domain controller in the
site is the ISTG role owner. It communicates its role ownership to other domain
controllers in the site by writing the distinguished name of its child NTDS
Settings object to the interSiteTopologyGenerator attribute of the NTDS Site
Settings object for the site. As a change to the configuration directory
partition, this value is replicated to all domain controllers in the forest. 

The ISTG role owner is selected automatically. The role
ownership does not change unless:

• The current ISTG role owner becomes unavailable.

• All domain controllers in the site are running
Windows 2000 and one of them is upgraded to Windows Server 2003.

If at least one domain controller in a site is running
Windows Server 2003, the ISTG role is assumed by a domain controller that is
running Windows Server 2003.

Have a great day!

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 domain & 2000,

They will be able to coexist with no
problems, assuming you take all of the appropriate steps before you
upgrade.  You will need to run adprep to prepare the forest and domain for
the 2003 schema.  Run adprep /forestprep on the schema master, and adprep
/domainprep on the infrastructure master.  If you haven’t moved
these roles, they will be installed on the first domain controller that was put
into place.  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Friday, August 04, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 domain & 2000,

We have 5 domain controllers, all 2000, one forest. Now we want to add one more domain controller, and the server is 2003. If we add a 2003 domain controller, are there going to be any issues with the 2000? Compatibility issues, replication issues, errors that will show? Anything I should be worried about when the 2 domain controllers (2000 and 2003) coexist? 

thank you

[ActiveDir] Using a secret administrator account

2006-08-04 Thread Isenhour, Joseph
What is the general consensus on the use of back up admin accounts?
This is an account that is hidden to most users and has elevated
privileges in the domain.  The purpose of the account is to be able to
quickly react to an attack on the Domain Admin accounts either by a
malicious user, or a bug in a process.

The built in Administrator account is a huge target and it's easy to
find even if you rename it.  It can't be deleted but the password can be
changed which can cause a lot of trouble.  That's why I'm starting to
think about this.

Thanks


RE: [ActiveDir] Replication from ASP

2006-08-04 Thread Lucas, Bryan

Anyone have any thoughts on this?

Thanks,

Bryan Lucas

Server Administrator

Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP

Does anyone know how I force replication through ASP
2.0?  

 

My DC’s are all local (no WANs) and 2003 SP1.

 

I have a web page that does account creation and then points
the user to a portal which attempts to authenticate against AD.  The
portal software (Peoplesoft) can only attempt against a single DC, so if that
user didn’t create his account there it doesn’t work right
away.  

 

Bryan Lucas

Server Administrator

Texas Christian University

RE: [ActiveDir] LDAP Ping

2006-08-04 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]

Try portqry from Microsoft.  

 

A nice feature of this utility is that it can do initial binds to ports like SMTP and LDAP.

 

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

 

H:\>portqry -n yourdc -e 389 -p both

 

You can probably have this scripted in a
batch file and schedule to run every minute to test connectivity like a ping.  

 

Querying target system called:

 

yourdc

 

Attempting to resolve name to IP
address...

 

Name resolved to x.y.z.a

 

 

TCP port 389 (ldap service): LISTENING

 

Sending LDAP query to TCP port 389...

 

LDAP query response:

 

 

currentdate: 08/04/2006 17:53:22
(unadjusted GMT)

subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=AD,DC=LO

CAL

dsServiceName: CN=NTDS Settings,CN=yourDC,CN=Servers,CN=NIH-MD-location,CN=Sites,

CN=Configuration,DC=Security,DC=LOCAL

namingContexts: CN=Configuration,DC=SSECURITY,DC=LOCAL

defaultNamingContext: DC=nih,DC=gov

schemaNamingContext:
CN=Schema,CN=Configuration,DC=SSECURITY,DC=LOCAL

configurationNamingContext:
CN=Configuration,DC=SSECURITY,DC=LOCAL

rootDomainNamingContext: DC=SSECURITY,DC=LOCAL

supportedControl: 1.2.840.113556.1.4.319

supportedLDAPVersion: 3

supportedLDAPPolicies: MaxPoolThreads

highestCommittedUSN: 4918641

supportedSASLMechanisms: GSSAPI

dnsHostName: NIHDC.nih.gov

ldapServiceName: SECURITY.LOCAL:[EMAIL PROTECTED]

serverName: CN=yourDC,CN=Servers,CN=MD-location,CN=Sites,CN=Configuration,DC=

SECURITY,DC=LOCAL

supportedCapabilities:
1.2.840.113556.1.4.800

isSynchronized: TRUE

isGlobalCatalogReady: FALSE

domainFunctionality: 2

forestFunctionality: 0

domainControllerFunctionality: 2

 

 

 End of LDAP query response


 

UDP port 389 (unknown service): LISTENING
or FILTERED

 

Sending LDAP query to UDP port 389...

 

LDAP query response:

 

 

currentdate: 08/04/2006 17:53:26
(unadjusted GMT)

subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=DHHSSECURITY,DC=LO

CAL

dsServiceName: CN=NTDS
Settings,CN=NIHDC,CN=Servers,CN=NIH-MD-Bethesda,CN=Sites,

CN=Configuration,DC=DHHSSECURITY,DC=LOCAL

namingContexts: CN=Configuration,DC=DHHSSECURITY,DC=LOCAL

defaultNamingContext: DC=nih,DC=gov

schemaNamingContext:
CN=Schema,CN=Configuration,DC=DHHSSECURITY,DC=LOCAL

configurationNamingContext:
CN=Configuration,DC=DHHSSECURITY,DC=LOCAL

rootDomainNamingContext: DC=DHHSSECURITY,DC=LOCAL

supportedControl: 1.2.840.113556.1.4.319

supportedLDAPVersion: 3

supportedLDAPPolicies: MaxPoolThreads

highestCommittedUSN: 4918645

supportedSASLMechanisms: GSSAPI

dnsHostName: NIHDC.nih.gov

ldapServiceName:
DHHSSECURITY.LOCAL:[EMAIL PROTECTED]

serverName: CN=NIHDC,CN=Servers,CN=NIH-MD-Bethesda,CN=Sites,CN=Configuration,DC=

DHHSSECURITY,DC=LOCAL

supportedCapabilities:
1.2.840.113556.1.4.800

isSynchronized: TRUE

isGlobalCatalogReady: FALSE

domainFunctionality: 2

forestFunctionality: 0

domainControllerFunctionality: 2

 

 

 End of LDAP query response


 

UDP port 389 is LISTENING

 

 

H:\>

 









From: Bahta, Nathaniel
V CTR USAF NASIC/SCNA [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 04, 2006
10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping



 

No, nothing, the rdp client does not
respond.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Friday, August 04, 2006
10:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping



Are you able to RDP to the DC when it
"hangs"?





 





-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF
NASIC/SCNA
Sent: 04 Aug 2006 14:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

Its not for troubleshooting, its so we can
tell when the DC is hung, you cant tell when its hung because our monitoring
software only pings by ip and it responds.  If it replies, I know it can
serve ldap queries, and then i can rpc ping it and make sure that
authentication requests will be answered.  Its just to do a quick check of
whats going on first thing in the morning.

 

Nate

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 9:14
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

So you ldap ping the DC and it replies or
it does not. What does this tell you? How does it help troubleshoot the issue?

 

I'd suggest more detailed tools are needed
such as network / packet sniffers etc. They should be able to build a picture
of the situation better than a ping which offers little more than a 'yes/no'
response. 

 

My 2 penneth :)

 

neil







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF
NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

Hey all,

 

Does anyone know of a command line utility that allo
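
The check portqry performs above can be written by hand with nothing but the Python standard library; this is an added example, not code from the list or from Microsoft, and its one assumption is that the DC still allows the default anonymous rootDSE read on TCP 389. Unlike ICMP, the read only succeeds when the directory service itself answers, so a connection that opens but never returns a SearchResultDone is reported as hung, which is exactly the case Nate describes; the sample response used in testing is constructed, not captured.

```python
import socket

def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear (e.g. 128)."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def frame_len(buf):
    """Total length of the first TLV in buf, or None while its header is incomplete."""
    n = 0 if len(buf) < 2 or buf[1] < 0x80 else buf[1] & 0x7F   # long-form length bytes
    if len(buf) < 2 + n:
        return None
    return 2 + n + (buf[1] if n == 0 else int.from_bytes(buf[2:2 + n], "big"))

def rootdse_request(attrs=("dnsHostName", "isSynchronized", "isGlobalCatalogReady"), msg_id=1):
    """SearchRequest for base "" (the rootDSE), scope baseObject, filter (objectClass=*).
    No bind precedes it: AD serves the rootDSE to anonymous clients."""
    body = (tlv(0x04, b"")                   # baseObject: empty DN selects the rootDSE
            + tlv(0x0A, b"\x00")             # scope: baseObject
            + tlv(0x0A, b"\x00")             # derefAliases: neverDerefAliases
            + ber_int(0) + ber_int(0)        # sizeLimit, timeLimit: server defaults
            + tlv(0x01, b"\x00")             # typesOnly: FALSE
            + tlv(0x87, b"objectClass")      # filter: present(objectClass) = [CONTEXT 7]
            + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, body))   # 0x63 = [APPLICATION 3]

def parse_ldap_message(frame):
    """Decode one LDAPMessage: ("entry", {attr: [values]}) for a SearchResultEntry,
    ("done", resultCode) for a SearchResultDone, ("other", tag) for anything else."""
    _, msg, _ = read_tlv(frame, 0)
    _, _, pos = read_tlv(msg, 0)             # messageID (skipped)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag == 0x64:                       # [APPLICATION 4] SearchResultEntry
        _, _, pos = read_tlv(op, 0)          # objectName, "" for the rootDSE
        _, attr_list, _ = read_tlv(op, pos)
        attrs, pos = {}, 0
        while pos < len(attr_list):          # SEQUENCE OF { type, SET OF value }
            _, attr, pos = read_tlv(attr_list, pos)
            _, name, p = read_tlv(attr, 0)
            _, vals, _ = read_tlv(attr, p)
            values, q = [], 0
            while q < len(vals):
                _, v, q = read_tlv(vals, q)
                values.append(v.decode("utf-8", "replace"))
            attrs[name.decode()] = values
        return "entry", attrs
    if op_tag == 0x65:                       # [APPLICATION 5] SearchResultDone
        _, rc, _ = read_tlv(op, 0)           # LDAPResult.resultCode, 0 = success
        return "done", int.from_bytes(rc, "big")
    return "other", op_tag

def assess(attrs):
    """Health verdict from the rootDSE fields portqry prints above."""
    if not attrs:
        return "no-entry"
    if attrs.get("isSynchronized", ["FALSE"])[0] != "TRUE":
        return "not-synchronized"            # answers LDAP, but initial sync not finished
    return "ok"

def ldap_ping(host, port=389, timeout=5.0):
    """Return (verdict, attrs). A read timeout means TCP connected (so ICMP and the port
    look fine) but the directory never answered, which is the hung-DC case: report it."""
    attrs, buf = {}, b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(rootdse_request())
            while True:
                chunk = s.recv(65536)
                if not chunk:
                    return "closed", attrs
                buf += chunk
                n = frame_len(buf)
                while n is not None and len(buf) >= n:   # one complete frame at a time
                    kind, payload = parse_ldap_message(buf[:n])
                    buf = buf[n:]
                    if kind == "entry":
                        attrs = payload
                    elif kind == "done":
                        return (assess(attrs) if payload == 0 else "ldap-error-%d" % payload), attrs
                    n = frame_len(buf)
    except socket.timeout:
        return "hung", attrs
    except OSError as exc:
        return "unreachable: %s" % exc, attrs
```

Called as ldap_ping("yourdc") from a scheduled task, the verdict string is what a monitoring script would alert on; "hung" is the state a plain ping never reveals.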

Re: [ActiveDir] LDAP Ping

2006-08-04 Thread Al Mulnick
Still seems like you're doing it the hard way.  If you don't trust that DC, is there a reason it cannot be rebuilt? I'm guessing that's not the only DC and that it's the only one giving you issues.


On 8/4/06, Bahta, Nathaniel V CTR USAF NASIC/SCNA <[EMAIL PROTECTED]> wrote:

No we can't RDP into the box when it hangs.  We have tools that do everything from NetIQ Application Manager to HP OpenView to Ethereal, but if I get here in the morning and I want to do a quick functions check of the system, I will need a compilation of tools that can test things up and down the OSI model, and then I will probably parse through that output for successes and failures.  Much like the EventComb tool that takes a list of systems and parses through their event logs and pulls out things I would want to see, it's lightweight and gives me only what I request.

Nate


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

You can't ask that, coz that'd be troubleshooting :-^


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wyatt, David
Sent: 04 August 2006 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

Are you able to RDP to the DC when it "hangs"?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 Aug 2006 14:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

It's not for troubleshooting, it's so we can tell when the DC is hung. You can't tell when it's hung because our monitoring software only pings by IP and it responds.  If it replies, I know it can serve LDAP queries, and then I can RPC ping it and make sure that authentication requests will be answered.  It's just to do a quick check of what's going on first thing in the morning.

Nate


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

So you LDAP ping the DC and it replies or it does not. What does this tell you? How does it help troubleshoot the issue?

I'd suggest more detailed tools are needed such as network / packet sniffers etc. They should be able to build a picture of the situation better than a ping which offers little more than a 'yes/no' response.

My 2 penneth :)

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

Hey all,

Does anyone know of a command line utility that allows you to test LDAP connections?  We have a DC that hangs, but remains pingable, and I would like to do LDAP pings to it as well as RPC pings.  I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well.  Does anyone know of a utility like this?

Thanks,

Nate

RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

2006-08-04 Thread Alex Alborzfard

Ok it makes sense now. The first one (Exch PTA) is the one I was talking about.

I knew I had used it, but couldn't remember the name.

Thanks Mike!

Alex


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Friday, August 04, 2006 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

In one of the blog comments Haruya Shida said that

Exchange Server Performance Troubleshooting Analyzer tool
+
Exchange Disaster Recovery Analyzer
+
Exchange Mail Flow troubleshooter
=
Exchange Troubleshooting Assistant

Another tool in our arsenal should be a good thing, good post Susan.


On 8/4/06, Alex Alborzfard <[EMAIL PROTECTED]> wrote:

I thought they had already released a tool which did similar things a while back. I remember using it once or twice.

Maybe they re-named or improved it?!

Thanks for posting this though!

Alex


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, August 04, 2006 1:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

Microsoft Exchange Troubleshooting Assistant released - get it here

Yesterday we released some new tools to help make your life as an email admin easier.  It's called the Microsoft Exchange Troubleshooting Assistant v1.0.  Here's the description:

The Exchange Troubleshooting Assistant programmatically executes a set of troubleshooting steps to identify the root cause of performance, mail flow, and database mounting issues. The tool automatically determines what set of data is required to troubleshoot the identified symptoms and collects configuration data, performance counters, event logs and live tracing information from an Exchange server and other appropriate sources. The tool analyzes each subsystem to determine individual bottlenecks and component failures, then aggregates the information to provide root cause analysis.

As you can see, there's some good stuff in the new assistant.  Get it at http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9A&displaylang=en

We'll be demoing this tool and a host of others starting next week as we launch the Q1FY07 Microsoft TechNet Seminars.  We start the morning off with a Windows Vista Technical Overview then later do a bunch of fun stuff with Exchange Server 2003 and Exchange Server 2007 Beta 2.  See the description of the events at http://www.technetevents.com.

Published Thursday, August 03, 2006 11:30 PM by Keith Combs
http://blogs.technet.com/keithcombs/archive/2006/08/03/444904.aspx


RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

2006-08-04 Thread Chris Pohlschneider

Hello Mike,

We are trying to get away from using the old DCs for anything because they are a "white box" computer and we are trying to get the DCs to be on our HP servers. Unfortunately, our options are limited and that is why we were looking at the Exchange Server to be a DC.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Friday, August 04, 2006 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

Running DCPROMO is what would change the role on the Exchange box to a DC.  It's not supported:

http://support.microsoft.com/kb/822179
Overview of operating system and Active Directory requirements for Exchange Server 2003

Why don't you go ahead and make the file server a 2003 DC and then either promote one of the old DCs to 2003 or you could wipe one of the old DCs (after gracefully demoting the box) and start from scratch and do a clean install of 2003 and make that your second DC.


On 8/4/06, Chris Pohlschneider <[EMAIL PROTECTED]> wrote:

Does changing the role on the Exchange server run the DCPROMO utility to make the server a domain controller? We want to have two DCs for 2003 and then once those are up and running, demote the old ones. I did not know if there was a way to make a server a domain controller without running the DCPROMO utility.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 10:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

If you promote that Exchange box to a domain controller, it really will break a lot of stuff.  You will be able to recover from most of it, but it will be a pain.  Then in the future, if you ever want to make it NOT a DC again, it will break that same stuff, and then you will probably NOT be able to recover it.  You WILL break OWA.  Guaranteed.  You might very well kill some other Exchange functionality as well.  It is possible you could get OWA back after a tremendous amount of effort, but you really don't want to promote that Exchange box.

Kevin Brunson


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Pohlschneider
Sent: Friday, August 04, 2006 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

Hi Mike,

Our intention is to have the Exchange 2003 box and the file server be our new DCs. We want both of these boxes to be running WINS, DNS, DHCP. This is what our current DCs are running and we just want to move everything to newer hardware and move to AD 2003.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mike kline
Sent: Thursday, August 03, 2006 11:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

Chris,

Here is a link to your last question and you can see the follow-ups there too.

http://www.activedir.org/ml/msg11411.aspx

When you say you want to move all services that run on the old DCs to the Exchange 2003 box and your file server, does that mean that you want the file server to become the new DC?

What other services would you like to run on the Exchange box?  Check out the link below on Exchange servers and domain controllers.

http://blogs.brnets.com/michael/archive/2005/01/24/319.aspx

Thanks

Mike


On 8/3/06, Chris Pohlschneider <[EMAIL PROTECTED]> wrote:

Hello,

I have some questions about doing a migration from Windows 2000 AD to Win2k3 AD. Our current environment entails two Windows 2000 AD domain controllers running DNS, WINS, DHCP. We also have Exchange 2003 installed on a separate Windows 2003 Server. We want to keep the same domain name and move all of the services that run on the old Windows 2000 domain controllers onto the Exchange server and also our main file server which is Windows 2003 Server. I am a bit of a newbie and would like some guidance on how to perform this upgrade. I appreciate any help. Sorry for asking this question again, but I have misplaced the e-mails from this last discussion.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]


RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

2006-08-04 Thread Alex Alborzfard

Exch BPA is an entirely different tool. In my consulting days, I used to run it not so much for troubleshooting, but primarily to get documentation of Exch and fine-tune the current configuration, if needed.

For troubleshooting issues like sending/receiving email, I like their SMTPdiag tool. I've used it a few times and it worked great.

Alex


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

The only thing I have ever seen is the Exchange Best Practices Analyzer.  I can't think of a time that ever helped me troubleshoot a problem, although PSS always insists on running it.  If it is the same thing, then what was described below looks like it would be a significant improvement.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Friday, August 04, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

I thought they had already released a tool which did similar things a while back. I remember using it once or twice.

Maybe they re-named or improved it?!

Thanks for posting this though!

Alex


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, August 04, 2006 1:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

Microsoft Exchange Troubleshooting Assistant released - get it here

Yesterday we released some new tools to help make your life as an email admin easier.  It's called the Microsoft Exchange Troubleshooting Assistant v1.0.  Here's the description:

The Exchange Troubleshooting Assistant programmatically executes a set of troubleshooting steps to identify the root cause of performance, mail flow, and database mounting issues. The tool automatically determines what set of data is required to troubleshoot the identified symptoms and collects configuration data, performance counters, event logs and live tracing information from an Exchange server and other appropriate sources. The tool analyzes each subsystem to determine individual bottlenecks and component failures, then aggregates the information to provide root cause analysis.

As you can see, there's some good stuff in the new assistant.  Get it at http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9A&displaylang=en

We'll be demoing this tool and a host of others starting next week as we launch the Q1FY07 Microsoft TechNet Seminars.  We start the morning off with a Windows Vista Technical Overview then later do a bunch of fun stuff with Exchange Server 2003 and Exchange Server 2007 Beta 2.  See the description of the events at http://www.technetevents.com.

Published Thursday, August 03, 2006 11:30 PM by Keith Combs
http://blogs.technet.com/keithcombs/archive/2006/08/03/444904.aspx


Re: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

2006-08-04 Thread mike kline
Running DCPROMO is what would change the role on the Exchange box to a DC.  It's not supported:

http://support.microsoft.com/kb/822179
Overview of operating system and Active Directory requirements for Exchange Server 2003

Why don't you go ahead and make the file server a 2003 DC and then either promote one of the old DCs to 2003 or you could wipe one of the old DCs (after gracefully demoting the box) and start from scratch and do a clean install of 2003 and make that your second DC.


On 8/4/06, Chris Pohlschneider <[EMAIL PROTECTED]> wrote:

Does changing the role on the Exchange server run the DCPROMO utility to make the server a domain controller? We want to have two DCs for 2003 and then once those are up and running, demote the old ones. I did not know if there was a way to make a server a domain controller without running the DCPROMO utility.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 10:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

If you promote that Exchange box to a domain controller, it really will break a lot of stuff.  You will be able to recover from most of it, but it will be a pain.  Then in the future, if you ever want to make it NOT a DC again, it will break that same stuff, and then you will probably NOT be able to recover it.  You WILL break OWA.  Guaranteed.  You might very well kill some other Exchange functionality as well.  It is possible you could get OWA back after a tremendous amount of effort, but you really don't want to promote that Exchange box.

Kevin Brunson


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Pohlschneider
Sent: Friday, August 04, 2006 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

Hi Mike,

Our intention is to have the Exchange 2003 box and the file server be our new DCs. We want both of these boxes to be running WINS, DNS, DHCP. This is what our current DCs are running and we just want to move everything to newer hardware and move to AD 2003.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mike kline
Sent: Thursday, August 03, 2006 11:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

Chris,

Here is a link to your last question and you can see the follow-ups there too.

http://www.activedir.org/ml/msg11411.aspx

When you say you want to move all services that run on the old DCs to the Exchange 2003 box and your file server, does that mean that you want the file server to become the new DC?

What other services would you like to run on the Exchange box?  Check out the link below on Exchange servers and domain controllers.

http://blogs.brnets.com/michael/archive/2005/01/24/319.aspx

Thanks

Mike


On 8/3/06, Chris Pohlschneider <[EMAIL PROTECTED]> wrote:

Hello,

I have some questions about doing a migration from Windows 2000 AD to Win2k3 AD. Our current environment entails two Windows 2000 AD domain controllers running DNS, WINS, DHCP. We also have Exchange 2003 installed on a separate Windows 2003 Server. We want to keep the same domain name and move all of the services that run on the old Windows 2000 domain controllers onto the Exchange server and also our main file server which is Windows 2003 Server. I am a bit of a newbie and would like some guidance on how to perform this upgrade. I appreciate any help. Sorry for asking this question again, but I have misplaced the e-mails from this last discussion.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

Re: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

2006-08-04 Thread mike kline
In one of the blog comments Haruya Shida said that

Exchange Server Performance Troubleshooting Analyzer tool
+
Exchange Disaster Recovery Analyzer
+
Exchange Mail Flow troubleshooter
=
Exchange Troubleshooting Assistant

Another tool in our arsenal should be a good thing, good post Susan.


On 8/4/06, Alex Alborzfard <[EMAIL PROTECTED]> wrote:

I thought they had already released a tool which did similar things a while back. I remember using it once or twice.

Maybe they re-named or improved it?!

Thanks for posting this though!

Alex


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, August 04, 2006 1:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

Microsoft Exchange Troubleshooting Assistant released - get it here

Yesterday we released some new tools to help make your life as an email admin easier.  It's called the Microsoft Exchange Troubleshooting Assistant v1.0.  Here's the description:

The Exchange Troubleshooting Assistant programmatically executes a set of troubleshooting steps to identify the root cause of performance, mail flow, and database mounting issues. The tool automatically determines what set of data is required to troubleshoot the identified symptoms and collects configuration data, performance counters, event logs and live tracing information from an Exchange server and other appropriate sources. The tool analyzes each subsystem to determine individual bottlenecks and component failures, then aggregates the information to provide root cause analysis.

As you can see, there's some good stuff in the new assistant.  Get it at http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9A&displaylang=en

We'll be demoing this tool and a host of others starting next week as we launch the Q1FY07 Microsoft TechNet Seminars.  We start the morning off with a Windows Vista Technical Overview then later do a bunch of fun stuff with Exchange Server 2003 and Exchange Server 2007 Beta 2.  See the description of the events at http://www.technetevents.com.

Published Thursday, August 03, 2006 11:30 PM by Keith Combs
http://blogs.technet.com/keithcombs/archive/2006/08/03/444904.aspx

RE: [ActiveDir] LDAP Ping

2006-08-04 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA
No we can't RDP into the box when it hangs.  We have tools that do everything from NetIQ Application Manager to HP OpenView to Ethereal, but if I get here in the morning and I want to do a quick functions check of the system, I will need a compilation of tools that can test things up and down the OSI model, and then I will probably parse through that output for successes and failures.  Much like the EventComb tool that takes a list of systems and parses through their event logs and pulls out things I would want to see, it's lightweight and gives me only what I request.

Nate


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

You can't ask that, coz that'd be troubleshooting :-^


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: 04 August 2006 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

Are you able to RDP to the DC when it "hangs"?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 Aug 2006 14:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

It's not for troubleshooting, it's so we can tell when the DC is hung. You can't tell when it's hung because our monitoring software only pings by IP and it responds.  If it replies, I know it can serve LDAP queries, and then I can RPC ping it and make sure that authentication requests will be answered.  It's just to do a quick check of what's going on first thing in the morning.

Nate


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

So you LDAP ping the DC and it replies or it does not. What does this tell you? How does it help troubleshoot the issue?

I'd suggest more detailed tools are needed such as network / packet sniffers etc. They should be able to build a picture of the situation better than a ping which offers little more than a 'yes/no' response.

My 2 penneth :)

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

Hey all,

Does anyone know of a command line utility that allows you to test LDAP connections?  We have a DC that hangs, but remains pingable, and I would like to do LDAP pings to it as well as RPC pings.  I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well.  Does anyone know of a utility like this?

Thanks,

Nate

RE: [ActiveDir] 2003 domain & 2000,

2006-08-04 Thread Williams, Robert

We didn’t…I was just mentioning that with regard to having 2000 DC’s co-existing with 2003 DC’s…I didn’t know that it would matter to you that much I replied to your message instead of someone else’s reply.

Have a great day!

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 domain & 2000,

Sorry…., how did we get to the topology generator from adprep?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Friday, August 04, 2006 11:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 domain & 2000,

Hey Kevin, I dunno if you’re already aware of this or if it even applies in your environment…but if you have more than one site then the new DC will automatically become the ISTG of the site you put it into.  Whenever a 2003 DC is added to a site, it will assume ISTG ownership if there are no other 2003 DC’s in that site.  Might not even matter for your situation, but the following is a really good read anyway to understand all the cool replication stuff.

Here’s a snippet from the following URL:

http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx?mfr=true

ISTG Role Ownership and Viability

The owner of the ISTG role is communicated through normal Active Directory replication. Initially, the first domain controller in the site is the ISTG role owner. It communicates its role ownership to other domain controllers in the site by writing the distinguished name of its child NTDS Settings object to the interSiteTopologyGenerator attribute of the NTDS Site Settings object for the site. As a change to the configuration directory partition, this value is replicated to all domain controllers in the forest.

The ISTG role owner is selected automatically. The role ownership does not change unless:

• The current ISTG role owner becomes unavailable.

• All domain controllers in the site are running Windows 2000 and one of them is upgraded to Windows Server 2003.

If at least one domain controller in a site is running Windows Server 2003, the ISTG role is assumed by a domain controller that is running Windows Server 2003.

Have a great day!

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 domain & 2000,

They will be able to coexist with no problems, assuming you take all of the appropriate steps before you upgrade.  You will need to run adprep to prepare the forest and domain for the 2003 schema.  Run adprep /forestprep on the schema master, and adprep /domainprep on the infrastructure master.  If you haven’t moved these roles, they will be installed on the first domain controller that was put into place.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Friday, August 04, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 domain & 2000,

We have 5 domain controllers all 2000, one forest, now we want to add one more domain controller, and the server is 2003, if we add 2003 domain controller is there going to be any issues with the 2000? compatibility issues, replication issues, errors that will show? any thing I should be worried about when the 2 domain controllers (2000 and 2003) coexist?

thank you



RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

2006-08-04 Thread Kevin Brunson

The only thing I have ever seen is the Exchange Best Practices Analyzer.  I can’t think of a time that ever helped me troubleshoot a problem, although PSS always insists on running it.  If it is the same thing, then what was described below looks like it would be a significant improvement.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Friday, August 04, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

I thought they had already released a tool which did similar things a while back. I remember using it once or twice.

Maybe they re-named or improved it?!

Thanks for posting this though!

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, August 04, 2006 1:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

Microsoft Exchange Troubleshooting Assistant released - get it here

Yesterday we released some new tools to help make your life as an email admin easier.  It’s called the Microsoft Exchange Troubleshooting Assistant v1.0.  Here’s the description:

The Exchange Troubleshooting Assistant programmatically executes a set of troubleshooting steps to identify the root cause of performance, mail flow, and database mounting issues. The tool automatically determines what set of data is required to troubleshoot the identified symptoms and collects configuration data, performance counters, event logs and live tracing information from an Exchange server and other appropriate sources. The tool analyzes each subsystem to determine individual bottlenecks and component failures, then aggregates the information to provide root cause analysis.

As you can see, there’s some good stuff in the new assistant.  Get it at http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9A&displaylang=en

We’ll be demoing this tool and a host of others starting next week as we launch the Q1FY07 Microsoft TechNet Seminars.  We start the morning off with a Windows Vista Technical Overview then later do a bunch of fun stuff with Exchange Server 2003 and Exchange Server 2007 Beta 2.  See the description of the events at http://www.technetevents.com.

Published Thursday, August 03, 2006 11:30 PM by Keith Combs

http://blogs.technet.com/keithcombs/archive/2006/08/03/444904.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] 2003 domain & 2000,

2006-08-04 Thread Kevin Brunson

Sorry…., how did we get to the topology generator from adprep?


RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

2006-08-04 Thread Alex Alborzfard

I thought they had already released a tool which did similar things a while back. I remember using it once or twice.

Maybe they re-named or improved it?!

Thanks for posting this though!

Alex


RE: [ActiveDir] 2003 domain & 2000,

2006-08-04 Thread Williams, Robert

Hey Kevin, I dunno if you’re already aware of this or if it even applies in your environment…but if you have more than one site then the new DC will automatically become the ISTG of the site you put it into.  Whenever a 2003 DC is added to a site, it will assume ISTG ownership if there are no other 2003 DC’s in that site.  Might not even matter for your situation, but the following is a really good read anyway to understand all the cool replication stuff.

Here’s a snippet from the following URL:

http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx?mfr=true

ISTG Role Ownership and Viability

The owner of the ISTG role is communicated through normal Active Directory replication. Initially, the first domain controller in the site is the ISTG role owner. It communicates its role ownership to other domain controllers in the site by writing the distinguished name of its child NTDS Settings object to the interSiteTopologyGenerator attribute of the NTDS Site Settings object for the site. As a change to the configuration directory partition, this value is replicated to all domain controllers in the forest.

The ISTG role owner is selected automatically. The role ownership does not change unless:

• The current ISTG role owner becomes unavailable.

• All domain controllers in the site are running Windows 2000 and one of them is upgraded to Windows Server 2003.

If at least one domain controller in a site is running Windows Server 2003, the ISTG role is assumed by a domain controller that is running Windows Server 2003.

Have a great day!

Robert Williams


RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

2006-08-04 Thread Chris Pohlschneider

Does changing the role on the Exchange server run the DC PROMO utility to make the server a domain controller? We want to have two DC’s for 2003 and then once those are up and running, demote the old ones. I did not know if there was a way to make a server a domain controller without running the DCPROMO utility.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 10:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

If you promote that Exchange box to a domain controller, it really will break a lot of stuff.  You will be able to recover from most of it, but it will be a pain.  Then in the future, if you ever want to make it NOT a DC again, it will break that same stuff, and then you will probably NOT be able to recover it.  You WILL break OWA.  Guaranteed.  You might very well kill some other Exchange functionality as well.  It is possible you could get OWA back after a tremendous amount of effort, but you really don’t want to promote that Exchange box.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Friday, August 04, 2006 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

Hi Mike,

Our intention is to have the Exchange 2003 Box and the file server to be our new DC’s. We want both of these boxes to be running WINS, DNS, DHCP. This is what our current DC’s are running and we just want to move everything to newer hardware and move to AD 2003.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, August 03, 2006 11:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

Chris,

Here is a link to your last question and you can see the follow-ups there too.

http://www.activedir.org/ml/msg11411.aspx

When you say you want to move all services that run on the old DCs to the exchange 2003 box and your file server does that mean that you want the file server to become the new DC?

What other services would you like to run on the exchange box?  Check out the link below on exchange servers and domain controllers.

http://blogs.brnets.com/michael/archive/2005/01/24/319.aspx

Thanks

Mike

On 8/3/06, Chris Pohlschneider <[EMAIL PROTECTED]> wrote:

Hello,

I have some questions about doing a migration from Windows 2000 AD to Win2k3AD. Our current environment entails two Windows 2000 AD domain controllers running DNS, WINS, DHCP. We also have Exchange 2003 installed on a separate Windows 2003 Server. We want to keep the same domain name and move all of the services that run on the old Windows 2000 Domain controllers onto the Exchange server and also our main file server which is Windows 2003 Server. I am a bit of a newbie and would like some guidance on how to perform this upgrade. I appreciate any help. Sorry for asking this question again, but I have misplaced the e-mails from this last discussion.

Chris Pohlschneider

Holloway Sportswear IT

937-494-2559

937-497-7300 (Fax)

[EMAIL PROTECTED]


RE: [ActiveDir] LDAP Ping

2006-08-04 Thread neil.ruston

You can't ask that, coz that'd be troubleshooting :-^

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: 04 August 2006 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

Are you able to RDP to the DC when it "hangs"?

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
  Sent: 04 Aug 2006 14:36
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] LDAP Ping

  It's not for troubleshooting, it's so we can tell when the DC is hung; you can't tell when it's hung because our monitoring software only pings by ip and it responds.  If it replies, I know it can serve ldap queries, and then I can rpc ping it and make sure that authentication requests will be answered.  It's just to do a quick check of what's going on first thing in the morning.

  Nate

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, August 04, 2006 9:14 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] LDAP Ping

  So you ldap ping the DC and it replies or it does not. What does this tell you? How does it help troubleshoot the issue?

  I'd suggest more detailed tools are needed such as network / packet sniffers etc. They should be able to build a picture of the situation better than a ping which offers little more than a 'yes/no' response.

  My 2 penneth :)

  neil


Re: [ActiveDir] LDAP Ping

2006-08-04 Thread Al Mulnick

I think what Neil is indicating is that just because LDAP will answer does not a healthy DC make. It just means that LDAP is answering.  Admittedly, that's a step up from the ping-are-you-alive test that many monitoring software packages implement, but it's not the whole picture.

Sounds like you're aware of that, but I think it's a good idea to point that out.

Al

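Nate's question above asks for a command-line check that tells a hung DC from a live one when ICMP still answers, and Al's point is that an LDAP port that answers is still not proof of a healthy DC. The script below is an added example, not a tool from this thread or from the ActiveDir list: using only the Python standard library it sends an anonymous base-scope search for the rootDSE to TCP 389 with a connect and read timeout and reads back the isSynchronized and currentTime attributes, so a hung DC shows up as a timeout and a DC that answers but has not completed its initial replication shows up as isSynchronized not being TRUE. This is a plain rootDSE read over TCP, not the UDP CLDAP Netlogon query that Microsoft documentation also calls an LDAP ping. The sample reply bytes are constructed for the offline self-test, not captured from a real DC; the DC host name is taken from the command line.

```python
"""LDAP "ping" of a domain controller with only the standard library: an anonymous rootDSE
search over TCP 389 with a timeout. Added example, not a tool from the thread."""
import socket
import sys

class IncompleteResponse(Exception):
    pass  # the buffer does not yet hold a whole BER element: keep reading

def _ber_len(n):
    # Definite-length BER: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int_tlv(value):  # non-negative INTEGER in minimal two's-complement form
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def encode_search_request(message_id, attrs=("isSynchronized", "currentTime")):
    """LDAPMessage { messageID, SearchRequest(base "", scope baseObject, (objectClass=*)) }."""
    search = (
        _tlv(0x04, b"")               # baseObject: the empty DN selects the rootDSE
        + _tlv(0x0A, b"\x00")         # scope: baseObject
        + _tlv(0x0A, b"\x00")         # derefAliases: neverDerefAliases
        + _int_tlv(0)                 # sizeLimit: none
        + _int_tlv(5)                 # timeLimit: 5 s, enforced by the server
        + _tlv(0x01, b"\x00")         # typesOnly: FALSE
        + _tlv(0x87, b"objectClass")  # filter: present(objectClass), i.e. (objectClass=*)
        + _tlv(0x30, b"".join(_tlv(0x04, a.encode()) for a in attrs))
    )
    return _tlv(0x30, _int_tlv(message_id) + _tlv(0x63, search))  # 0x63 = [APPLICATION 3]

def _read_tlv(buf, pos):
    if pos + 2 > len(buf):
        raise IncompleteResponse
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the bytes holding the length
        n = length & 0x7F
        if pos + n > len(buf):
            raise IncompleteResponse
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise IncompleteResponse
    return tag, buf[pos:pos + length], pos + length

def _children(payload):
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = _read_tlv(payload, pos)
        out.append((tag, val))
    return out

def parse_rootdse_response(data):
    """Return (attrs, result_code); result_code stays None until SearchResultDone is seen."""
    attrs, result_code, pos = {}, None, 0
    while pos < len(data) and result_code is None:
        tag, msg, pos = _read_tlv(data, pos)
        if tag != 0x30:
            raise ValueError("not an LDAPMessage")
        _, (op_tag, op_val) = _children(msg)[:2]
        if op_tag == 0x64:  # [APPLICATION 4] SearchResultEntry: objectName, PartialAttributeList
            _, (_, attr_list) = _children(op_val)
            for _, pair in _children(attr_list):
                (_, name), (_, vals) = _children(pair)
                attrs[name.decode()] = [v for _, v in _children(vals)]
        elif op_tag == 0x65:  # [APPLICATION 5] SearchResultDone: first field is resultCode
            result_code = int.from_bytes(_children(op_val)[0][1], "big")
    return attrs, result_code

def dc_looks_healthy(attrs, result_code):
    """Success plus isSynchronized=TRUE: LDAP answers and initial replication has completed."""
    return result_code == 0 and attrs.get("isSynchronized") == [b"TRUE"]

def ldap_ping(host, port=389, timeout=3.0):
    """Return (attrs, result_code); a hung but ICMP-reachable DC surfaces as socket.timeout."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_search_request(1))
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise OSError("connection closed before SearchResultDone")
            buf += chunk
            try:
                attrs, code = parse_rootdse_response(buf)
            except IncompleteResponse:
                continue
            if code is not None:
                return attrs, code

def constructed_sample_response(message_id=1):
    """Constructed reply for exercising the parser offline; not a capture from a real DC."""
    entry = _tlv(0x04, b"") + _tlv(0x30,
        _tlv(0x30, _tlv(0x04, b"isSynchronized") + _tlv(0x31, _tlv(0x04, b"TRUE")))
        + _tlv(0x30, _tlv(0x04, b"currentTime") + _tlv(0x31, _tlv(0x04, b"20060804135400.0Z"))))
    done = _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"")  # success, empty matchedDN/diag
    return (_tlv(0x30, _int_tlv(message_id) + _tlv(0x64, entry))
            + _tlv(0x30, _int_tlv(message_id) + _tlv(0x65, done)))

if __name__ == "__main__":  # usage: python ldap_ping.py <dc-host>
    print(dc_looks_healthy(*ldap_ping(sys.argv[1])))
```

Run it from the monitoring host against each DC and treat a socket.timeout the way the thread treats the hung DC: the box answers ICMP but the directory service does not. A result of "answers but not healthy" (result code 0 with isSynchronized missing or FALSE) is the case Al describes, where LDAP is up but the DC is not yet a reliable source. An RPC check such as the rpc ping utility mentioned in the thread is still needed to confirm that authentication traffic will be served.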
RE: [ActiveDir] LDAP Ping

2006-08-04 Thread Alex Alborzfard

Does your monitoring software monitor services? If not, I would use or get a tool that does.

It could be a service malfunctioning (memory leak, etc.) that’s causing the server to hang.

You can also use a security port scanning tool to see which ports are open and responding.

Alex


RE: [ActiveDir] LDAP Ping

2006-08-04 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA

No, nothing, the rdp client does not respond.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Friday, August 04, 2006 10:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

Are you able to RDP to the DC when it "hangs"?

  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNASent: 04 
  Aug 2006 14:36To: ActiveDir@mail.activedir.orgSubject: 
  RE: [ActiveDir] LDAP Ping
  Its not for troubleshooting, its so we can tell when the 
  DC is hung, you cant tell when its hung because our monitoring software only 
  pings by ip and it responds.  If it replies, I know it can serve ldap 
  queries, and then i can rpc ping it and make sure that authentication requests 
  will be answered.  Its just to do a quick check of whats going on first 
  thing in the morning.
   
  Nate
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  [EMAIL PROTECTED]Sent: Friday, August 04, 2006 9:14 
  AMTo: ActiveDir@mail.activedir.orgSubject: RE: 
  [ActiveDir] LDAP Ping
  
  So you ldap ping the DC and it replies or it does not. 
  What does this tell you? How does it help troubleshoot the 
  issue?
   
  I'd suggest more detailed tools are needed such as 
  network / packet sniffers etc. They should be able to build a picture of the 
  situation better than a ping which offers little more than a 'yes/no' 
  response. 
   
  My 2 penneth :)
   
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
  Sent: 04 August 2006 13:54
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] LDAP Ping
  
  Hey all,
   
  Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs, but remains pingable, and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?
   
   
  Thanks,
   
  Nate

This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required.
 



RE: [ActiveDir] 2003 domain & 2000,

2006-08-04 Thread Alex Alborzfard








As far as I know 2K and 2K3 DCs can coexist together just fine, but what is the reason for adding the new DC?

Are you trying to migrate to AD 2K3 and move your 2K DCs to 2K3 later?

 



Alex











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Friday, August 04, 2006 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 domain & 2000,



 



We have 5 domain controllers, all 2000, one forest. Now we want to add one more domain controller, and the server is 2003. If we add a 2003 domain controller, are there going to be any issues with the 2000? Compatibility issues, replication issues, errors that will show? Anything I should be worried about when the 2 domain controllers (2000 and 2003) coexist?





thank you










RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

2006-08-04 Thread Kevin Brunson








If you promote that Exchange box to a
domain controller, it really will break a lot of stuff.  You will be able
to recover from most of it, but it will be a pain.  Then in the future, if
you ever want to make it NOT a DC again, it will break that same stuff, and
then you will probably NOT be able to recover it.  You WILL break
OWA.  Guaranteed.  You might very well kill some other Exchange
functionality as well.  It is possible you could get OWA back after a
tremendous amount of effort, but you really don’t want to promote that
Exchange box.

Kevin Brunson

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Friday, August 04, 2006 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD



 

Hi Mike,

 

Our intention is to have the Exchange 2003 box and the file server be our new DCs. We want both of these boxes to be running WINS, DNS, DHCP. This is what our current DCs are running and we just want to move everything to newer hardware and move to AD 2003.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, August 03, 2006 11:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD



 



Chris,

Here is a link to your last question and you can see the follow-ups there too.

http://www.activedir.org/ml/msg11411.aspx

When you say you want to move all services that run on the old DCs to the exchange 2003 box and your file server does that mean that you want the file server to become the new DC?

What other services would you like to run on the exchange box? Check out the link below on exchange servers and domain controllers.

http://blogs.brnets.com/michael/archive/2005/01/24/319.aspx

Thanks

Mike

On 8/3/06, Chris Pohlschneider <[EMAIL PROTECTED]> wrote:







Hello,

 

I have some questions about doing a migration from Windows 2000 AD to Win2k3 AD. Our current environment entails two Windows 2000 AD domain controllers running DNS, WINS, DHCP. We also have Exchange 2003 installed on a separate Windows 2003 Server. We want to keep the same domain name and move all of the services that run on the old Windows 2000 Domain controllers onto the Exchange server and also our main file server which is Windows 2003 Server. I am a bit of a newbie and would like some guidance on how to perform this upgrade. I appreciate any help. Sorry for asking this question again, but I have misplaced the e-mails from this last discussion.

 

Chris Pohlschneider

Holloway Sportswear IT

937-494-2559

937-497-7300 (Fax)

[EMAIL PROTECTED]

 

 









 








RE: [ActiveDir] 2003 domain & 2000,

2006-08-04 Thread Kevin Brunson








They will be able to coexist with no
problems, assuming you take all of the appropriate steps before you upgrade. 
You will need to run adprep to prepare the forest and domain for the 2003
schema.  Run adprep /forestprep on the schema master, and adprep /domainprep on
the infrastructure master.  If you haven’t moved these roles, they will
be installed on the first domain controller that was put into place.  

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Friday, August 04, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 domain & 2000,



 



We have 5 domain controllers, all 2000, one forest. Now we want to add one more domain controller, and the server is 2003. If we add a 2003 domain controller, are there going to be any issues with the 2000? Compatibility issues, replication issues, errors that will show? Anything I should be worried about when the 2 domain controllers (2000 and 2003) coexist?





thank you










RE: [ActiveDir] LDAP Ping

2006-08-04 Thread Wyatt, David



Are you able to RDP to the DC when it "hangs"?
 

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
  Sent: 04 Aug 2006 14:36
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] LDAP Ping
  It's not for troubleshooting, it's so we can tell when the DC is hung. You can't tell when it's hung because our monitoring software only pings by IP and it responds. If it replies, I know it can serve LDAP queries, and then I can RPC ping it and make sure that authentication requests will be answered. It's just to do a quick check of what's going on first thing in the morning.
   
  Nate
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, August 04, 2006 9:14 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] LDAP Ping
  
  So you ldap ping the DC and it replies or it does not. 
  What does this tell you? How does it help troubleshoot the 
  issue?
   
  I'd suggest more detailed tools are needed such as 
  network / packet sniffers etc. They should be able to build a picture of the 
  situation better than a ping which offers little more than a 'yes/no' 
  response. 
   
  My 2 penneth :)
   
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
  Sent: 04 August 2006 13:54
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] LDAP Ping
  
  Hey all,
   
  Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs, but remains pingable, and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?
   
   
  Thanks,
   
  Nate




 



RE: [ActiveDir] Authoritative Restore problems

2006-08-04 Thread Mike Hogenauer








Guido 

 

Yes, I took a backup of the
system state, rebooted into DSRM -> ran ntbackup and restored the system
state, went to NTDSUTIL and then tried my “Auth Res” and it still failed.  Which
is why I’m confused. 

I actually have read the article
you wrote in your hyperlink, and I know you read these post so I was actually
hoping to get your opinion. 

 

I will try again – and let you know
what happens. 

 

Thanks,

Mike 

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, August 03, 2006 11:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Authoritative Restore problems





 

Mike, can you be a little more specific about the steps that you
took to do your restore? This should work fine using the ntdsutil ->
authoritative restore -> restore object “Cn=test user,
ou=it,dc=mycorp,dc=com” command. Obviously provided you previously took a
backup, rebooted to DSRM mode and have restored the AD DB (SystemState) to the
DC – the Auth Restore needs to happen right after the restore of the
SystemState, prior to the reboot of the DC.

 

Check out the whitepaper I wrote with Gil (http://www.netpro.com/media/pdf/NetPro_ADDR_Guide.pdf).
Pages 11 to 13 walk you through how to do an Auth. Restore of objects, and since
you have R2 (includes SP1), you can go right to page 21 to see how to recover
potentially missing links of your recovered object (such as group membership
etc.). Hope you don’t have a multi-domain environment and are heavily relying
on cross populating domain local groups in all the domains in your forest –
this adds extra headaches for the recovery of the links (also described in the
whitepaper).

 

/Guido

 

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Friday, August 04, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Authoritative Restore problems





 

I’ve been asked to write a Disaster recovery doc for our
company.  I’m trying to delete a single user account and do an
authoritative restore of that account. 

(in a test environment of course) 

 

Before I deleted the test account I used adsiedit to verify
the path to the account. Cn=test user, ou=it,dc=mycorp,dc=com 

From Directory restore mode, I can start the Authoritative
restore but it always fails with: 

 

Could not find object with the failed DN: failed on
component “cn=test user”. 

 

Authoritative restore failed 

Error 800 parsing input – illegal syntax?

 

 

I’ve reviewed http://support.microsoft.com/?id=840001
and it says I must use quotes – either way it fails. 

 

I’ve even tried the workaround described in here: http://support.microsoft.com/?kbid=886689


Suggestions?  

 

Environment: Windows 2003 R2 

 

Thanks in advance

Mike  








Re: [ActiveDir] LDAP Ping

2006-08-04 Thread Matheesha Weerasinghe
But you are troubleshooting it right? ;-)
 
Cheers
 
M@ 
On 8/4/06, Bahta, Nathaniel V CTR USAF NASIC/SCNA <[EMAIL PROTECTED]> wrote:



It's not for troubleshooting, it's so we can tell when the DC is hung. You can't tell when it's hung because our monitoring software only pings by IP and it responds. If it replies, I know it can serve LDAP queries, and then I can RPC ping it and make sure that authentication requests will be answered. It's just to do a quick check of what's going on first thing in the morning.

 
Nate


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping


So you ldap ping the DC and it replies or it does not. What does this tell you? How does it help troubleshoot the issue?
 
I'd suggest more detailed tools are needed such as network / packet sniffers etc. They should be able to build a picture of the situation better than a ping which offers little more than a 'yes/no' response. 

 
My 2 penneth :)
 
neil 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

Hey all,
 
Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs, but remains pingable, and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?

 
 
Thanks,
 
Nate



RE: [ActiveDir] LDAP Ping

2006-08-04 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA



It's not for troubleshooting, it's so we can tell when the DC is hung. You can't tell when it's hung because our monitoring software only pings by IP and it responds. If it replies, I know it can serve LDAP queries, and then I can RPC ping it and make sure that authentication requests will be answered. It's just to do a quick check of what's going on first thing in the morning.
 
Nate


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

So you ldap ping the DC and it replies or it does not. What 
does this tell you? How does it help troubleshoot the issue?
 
I'd suggest more detailed tools are needed such as network 
/ packet sniffers etc. They should be able to build a picture of the situation 
better than a ping which offers little more than a 'yes/no' response. 

 
My 2 penneth :)
 
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

Hey all,
 
Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs, but remains pingable, and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?
 
 
Thanks,
 
Nate


[ActiveDir] 2003 domain & 2000,

2006-08-04 Thread shereen naser
We have 5 domain controllers, all 2000, one forest. Now we want to add one more domain controller, and the server is 2003. If we add a 2003 domain controller, are there going to be any issues with the 2000? Compatibility issues, replication issues, errors that will show? Anything I should be worried about when the 2 domain controllers (2000 and 2003) coexist?

thank you


RE: [ActiveDir] LDAP Ping

2006-08-04 Thread neil.ruston



So you ldap ping the DC and it replies or it does not. What 
does this tell you? How does it help troubleshoot the issue?
 
I'd suggest more detailed tools are needed such as network 
/ packet sniffers etc. They should be able to build a picture of the situation 
better than a ping which offers little more than a 'yes/no' response. 

 
My 2 penneth :)
 
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

Hey all,
 
Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs, but remains pingable, and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?
 
 
Thanks,
 
Nate





RE: [ActiveDir] LDAP Ping

2006-08-04 Thread Dean Wells








Microsoft’s PORTQRY v2 will do this and a great deal more … hopefully, not too much for your requirements. For example –

C:\>portqry -n falcon.msetechnology.lab -e 389

Querying target system called:

 falcon.msetechnology.lab

Attempting to resolve name to IP address...

Name resolved to 172.30.0.201

querying...

TCP port 389 (ldap service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 389...

LDAP query response:

currentdate: 08/04/2006 13:05:03 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=mset,DC=lab
dsServiceName: CN=NTDS Settings,CN=FALCON,CN=Servers,CN=Office,CN=Sites,CN=Configuration,DC=mset,DC=lab
namingContexts: DC=mset,DC=lab
defaultNamingContext: DC=mset,DC=lab
schemaNamingContext: CN=Schema,CN=Configuration,DC=mset,DC=lab
configurationNamingContext: CN=Configuration,DC=mset,DC=lab
rootDomainNamingContext: DC=mset,DC=lab
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 10452139
supportedSASLMechanisms: GSSAPI
dnsHostName: falcon.msetechnology.lab
ldapServiceName: mset.lab:[EMAIL PROTECTED]
serverName: CN=FALCON,CN=Servers,CN=Office,CN=Sites,CN=Configuration,DC=mset,DC=lab
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 2
forestFunctionality: 2
domainControllerFunctionality: 2

 End of LDAP query response 

 

 













--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com













 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Friday, August 04, 2006 8:54 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping





 

Hey all,

Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs, but remains pingable, and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?

 

 

Thanks,

 

Nate
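Added example, not from the thread and not portqry or any other tool named in it: a standard-library Python check that does at the LDAP layer what an ICMP-only monitor cannot. It sends the same anonymous rootDSE search that the portqry run above issues on TCP/389, reads dnsHostName and isSynchronized back, and classifies a DC as ok, timeout (the pingable-but-hung case Nate describes), unreachable, or ldap_error. The BER encoding and decoding are hand-rolled so the script has no dependencies; the DC name dc01.example.test and the sample reply are constructed placeholders, not values from the thread.

```python
"""LDAP-layer liveness check for a domain controller (standard library only).

A hung DC still answers ICMP, so this sends the anonymous rootDSE search that
portqry issues on TCP/389 and treats a socket timeout as the "hung" signal.
Hand-rolled BER keeps it dependency-free. Host names are constructed placeholders.
"""
import socket

def ber_len(n: int) -> bytes:
    """X.690 length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at pos; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                       # long form: low bits = number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def iter_tlv(buf: bytes):
    """Yield (tag, content) for each consecutive element in buf."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content

# RFC 4511 application tags, plus the universal tags the PDUs use
SEARCH_REQUEST, SEARCH_RESULT_ENTRY, SEARCH_RESULT_DONE = 0x63, 0x64, 0x65
BOOLEAN, INTEGER, OCTET_STRING, ENUMERATED, SEQUENCE, SET = 0x01, 0x02, 0x04, 0x0A, 0x30, 0x31
HEALTH_ATTRS = ("dnsHostName", "isSynchronized", "isGlobalCatalogReady")

def build_rootdse_request(msg_id: int, attrs) -> bytes:
    """SearchRequest: base "" (rootDSE), scope baseObject, filter (objectClass=*).
    msg_id must be 1..127 for this single-byte INTEGER encoding."""
    search = (
        tlv(OCTET_STRING, b"")                 # baseObject
        + tlv(ENUMERATED, b"\x00")             # scope: baseObject
        + tlv(ENUMERATED, b"\x00")             # derefAliases: never
        + tlv(INTEGER, b"\x00")                # sizeLimit: none
        + tlv(INTEGER, b"\x00")                # timeLimit: none
        + tlv(BOOLEAN, b"\x00")                # typesOnly: false
        + tlv(0x87, b"objectClass")            # filter: present [7] objectClass
        + tlv(SEQUENCE, b"".join(tlv(OCTET_STRING, a.encode()) for a in attrs))
    )
    return tlv(SEQUENCE, tlv(INTEGER, bytes([msg_id])) + tlv(SEARCH_REQUEST, search))

def parse_search_response(data: bytes):
    """Return (attributes, resultCode); resultCode stays None until SearchResultDone."""
    attrs, result_code = {}, None
    for _, msg in iter_tlv(data):                              # one LDAPMessage each
        (_, _msg_id), (op_tag, op) = list(iter_tlv(msg))[:2]
        if op_tag == SEARCH_RESULT_ENTRY:
            (_, _dn), (_, attr_list) = list(iter_tlv(op))[:2]
            for _, pair in iter_tlv(attr_list):                # PartialAttribute
                (_, name), (_, vals) = list(iter_tlv(pair))[:2]
                attrs[name.decode()] = [v.decode() for _, v in iter_tlv(vals)]
        elif op_tag == SEARCH_RESULT_DONE:
            (_, code), *_rest = list(iter_tlv(op))
            result_code = int.from_bytes(code, "big")
    return attrs, result_code

def assess(attrs: dict) -> bool:
    """Ready only when the DC itself reports isSynchronized TRUE."""
    return attrs.get("isSynchronized", ["FALSE"])[0].upper() == "TRUE"

def ldap_ping(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Classify a DC as ok / timeout / unreachable / ldap_error at the LDAP layer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_rootdse_request(1, HEALTH_ATTRS))
            buf, attrs, code = b"", {}, None
            while code is None:
                chunk = sock.recv(4096)                        # socket.timeout if hung
                if not chunk:
                    break
                buf += chunk
                try:
                    attrs, code = parse_search_response(buf)
                except (IndexError, ValueError, UnicodeDecodeError):
                    continue                                   # PDU still incomplete
        status = "ok" if code == 0 else ("no_response" if code is None else "ldap_error")
        return {"host": host, "status": status, "resultCode": code, "attrs": attrs, "ready": assess(attrs)}
    except socket.timeout:
        return {"host": host, "status": "timeout", "attrs": {}, "ready": False}
    except OSError as exc:                                     # refused, reset, no route, DNS
        return {"host": host, "status": f"unreachable ({exc})", "attrs": {}, "ready": False}

def sample_response() -> bytes:
    """Constructed reply of a healthy DC: SearchResultEntry followed by SearchResultDone."""
    attr = lambda n, v: tlv(SEQUENCE, tlv(OCTET_STRING, n) + tlv(SET, tlv(OCTET_STRING, v)))
    entry = tlv(SEARCH_RESULT_ENTRY, tlv(OCTET_STRING, b"") + tlv(SEQUENCE,
                attr(b"dnsHostName", b"dc01.example.test") + attr(b"isSynchronized", b"TRUE")))
    done = tlv(SEARCH_RESULT_DONE, tlv(ENUMERATED, b"\x00") + tlv(OCTET_STRING, b"") * 2)
    return tlv(SEQUENCE, tlv(INTEGER, b"\x01") + entry) + tlv(SEQUENCE, tlv(INTEGER, b"\x01") + done)

if __name__ == "__main__":
    import sys
    for dc in sys.argv[1:] or ["dc01.example.test"]:           # placeholder DC name
        print(ldap_ping(dc))
```

Run it with one or more DC names on the command line. The case the thread is after is the timeout branch: ICMP and even the TCP handshake succeed, but recv never gets an LDAP answer. Checking isSynchronized rather than just "port 389 listening" matters too: a DC reports TRUE only once it has completed its initial synchronization, so a listener that answers but reports FALSE is not yet ready to serve.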










Re: [ActiveDir] LDAP Ping

2006-08-04 Thread Matheesha Weerasinghe
Why not use ldp.exe and just try connecting? Or you could also use adfind and do a rootDSE lookup at whatever interval you want and check the output?
Well, it's what I'd do. But someone may have a better suggestion. I'd run a netmon/ethereal/wireshark session as well to see what happens when the LDAP open/bind is done.
 
Cheers
 
M@ 
On 8/4/06, Bahta, Nathaniel V CTR USAF NASIC/SCNA <[EMAIL PROTECTED]> wrote:



Hey all,
 
Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs, but remains pingable, and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?

 
 
Thanks,
 
Nate


[ActiveDir] LDAP Ping

2006-08-04 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA



Hey all,
 
Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs, but remains pingable, and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?
 
 
Thanks,
 
Nate


RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-04 Thread Dean Wells
Resolved offline, a policy issue ... not a technical one.

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Dean Wells
> Sent: Friday, August 04, 2006 8:10 AM
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] Setting FFL=2 automatically when building
> first DC in forest
> 
> Can you elaborate as to the NC-repl-locations update issue?
> 
> --
> Dean Wells
> MSEtechnology
> t Email: [EMAIL PROTECTED]
> http://msetechnology.com
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of Paul Williams
> > Sent: Friday, August 04, 2006 3:29 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Setting FFL=2 automatically when building
> > first DC in forest
> >
> > This is a real problem for me.  I've got no qualms about doing things
> > in an unsupported fashion, as I feel I know what I'm doing.  However,
> > our customers won't have any of it.  Especially as we won't be around
> > to help support it, etc.
> >
> > Another example is replicating NDNCs.  Apparently, I can't script the
> > population of mSDS-NC-Replica-Locations, I can only get bridgeheads
> > that don't, for example, run DNS to replicate the DNS NDNCs by using
> > the applicable NTDSUTIL options.  I doubt NTDSUTIL is doing anything
> > different to my script (in this one instance of course) but the DSE
> > said that my script was unsupported.
> >
> > I'd be interested in knowing why some of these switches in the answer
> > file only work under select circumstances.  As it seems that doing so
> > is going to force some people to do one of two things:
> >  -- Perform "unsupported" tasks to automate their DC promotions
> >  -- Write a number of pre- and post-promotion scripts, which can be a
> > pain as it adds additional complexity to the automation environment,
> > etc.
> >
> > [I hope] Longhorn should have better support for these options as the
> > new DCPROMO UI allows you to select GC, etc.
> >
> >
> > --Paul
> >
> > - Original Message -
> > From: "Dean Wells" <[EMAIL PROTECTED]>
> > To: "Send - AD mailing list" <[EMAIL PROTECTED]>
> > Sent: Friday, August 04, 2006 2:32 AM
> > Subject: RE: [ActiveDir] Setting FFL=2 automatically when building
> > first DC in forest
> >
> >
> > > Granted ... though perhaps a moot point to those (on the consumer
> > side of
> > > the fence) capable of using such a tweak since proving such usage
> is
> > > challenging to say the least.
> > >
> > > Aside, since its purpose has been well served twice in as many days
> > and on
> > > 2
> > > unrelated topics, maybe it could be considered a feature suggestion
> > ...
> > >
> > > --
> > > Dean Wells
> > > MSEtechnology
> > > t Email: [EMAIL PROTECTED]
> > > http://msetechnology.com
> > >
> > >
> > >> -Original Message-
> > >> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > >> [EMAIL PROTECTED] On Behalf Of Brett Shirley
> > >> Sent: Thursday, August 03, 2006 8:34 PM
> > >> To: ActiveDir@mail.activedir.org
> > >> Subject: Re: [ActiveDir] Setting FFL=2 automatically when building
> > >> first DC in forest
> > >>
> > >> Touching schema.ini would qualify as very not supported ...
> > >>
> > >> -B
> > >>
> > >> On Thu, 3 Aug 2006, Paul Williams wrote:
> > >>
> > >> > It might be worth looking at the %systemroot%\system32\schema.ini file
> > >> > again.  I just had a poke around in there after reading Dean's answer
> > >> > to your question yesterday and the first section, the
> > >> > [DEFAULTROOTDOMAIN] section is setting nTMixedMode.  You can change
> > >> > that to 0 (for native) and try adding mSDS-Behavior-Version and
> > >> > setting it to 2.
> > >> >
> > >> > I don't know if that will work, but you're probably in a position to
> > >> > test this...
> > >> >
> > >> >
> > >> > --Paul
> > >> >
> > >> >   - Original Message -
> > >> >   From: [EMAIL PROTECTED]
> > >> >   To: ActiveDir@mail.activedir.org
> > >> >   Sent: Thursday, August 03, 2006 9:39 AM
> > >> >   Subject: [ActiveDir] Setting FFL=2 automatically when building
> > >> first DC in forest
> > >> >
> > >> >
> > >> >   According to http://support.microsoft.com/kb/223757/en-us the
> > >> >   SetForestVersion entry in the dcpromo answer file can only be
> > >> >   used to set FFL to 1 or 0 when building a new forest.
> > >> >
> > >> >   Is this correct? I'd like to automate the transition to FFL=2
> > >> >   when building the first DC in a forest (without a script).
> > >> >
> > >> >   Perhaps another change request for Longhorn? :)
> > >> >
> > >> >   neil
> > >> >
> > >> >   PLEASE READ: The information contained in this email is
> > >> confidential and
> > >> >   intended for the named recipient(s) only. If you are not an
> > >> intended
> > >> >   recipient of this email please notify the sender immediat

RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

2006-08-04 Thread Chris Pohlschneider

Hi Mike,

Our intention is to have the Exchange 2003 Box and the file server to be our
new DC's. We want both of these boxes to be running WINS, DNS, DHCP. This is
what our current DC's are running and we just want to move everything to newer
hardware and move to AD 2003.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, August 03, 2006 11:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

Chris,

Here is a link to your last question and you can see the follow-ups there too.

http://www.activedir.org/ml/msg11411.aspx

When you say you want to move all services that run on the old DCs to the
exchange 2003 box and your file server does that mean that you want the file
server to become the new DC?

What other services would you like to run on the exchange box? Check out the
link below on exchange servers and domain controllers.

http://blogs.brnets.com/michael/archive/2005/01/24/319.aspx

Thanks

Mike

On 8/3/06, Chris Pohlschneider <[EMAIL PROTECTED]> wrote:

Hello,

I have some questions about doing a migration from Windows 2000 AD to Win2k3
AD. Our current environment entails two Windows 2000 AD domain controllers
running DNS, WINS, DHCP. We also have Exchange 2003 installed on a separate
Windows 2003 Server. We want to keep the same domain name and move all of the
services that run on the old Windows 2000 Domain controllers onto the Exchange
server and also our main file server which is Windows 2003 Server. I am a bit
of a newbie and would like some guidance on how to perform this upgrade. I
appreciate any help. Sorry for asking this question again, but I have
misplaced the e-mails from this last discussion.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]



RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-04 Thread Dean Wells
Can you elaborate as to the NC-repl-locations update issue?

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Paul Williams
> Sent: Friday, August 04, 2006 3:29 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Setting FFL=2 automatically when building
> first DC in forest
> 
> This is a real problem for me.  I've got no qualms about doing things
> in an unsupported fashion, as I feel I know what I'm doing.  However,
> our customers won't have any of it.  Especially as we won't be around
> to help support it, etc.
> 
> Another example is replicating NDNCs.  Apparently, I can't script the
> population of mSDS-NC-Replica-Locations, I can only get bridgeheads
> that don't, for example, run DNS to replicate the DNS NDNCs by using
> the applicable NTDSUTIL options.  I doubt NTDSUTIL is doing anything
> different to my script (in this one instance of course) but the DSE
> said that my script was unsupported.
> 
> I'd be interested in knowing why some of these switches in the answer
> file only work under select circumstances.  As it seems that doing so
> is going to force some people to do one of two things:
>  -- Perform "unsupported" tasks to automate their DC promotions
>  -- Write a number of pre- and post-promotion scripts, which can be a
> pain as it adds additional complexity to the automation environment,
> etc.
> 
> [I hope] Longhorn should have better support for these options as the
> new DCPROMO UI allows you to select GC, etc.
> 
> 
> --Paul
> 
> - Original Message -
> From: "Dean Wells" <[EMAIL PROTECTED]>
> To: "Send - AD mailing list" <[EMAIL PROTECTED]>
> Sent: Friday, August 04, 2006 2:32 AM
> Subject: RE: [ActiveDir] Setting FFL=2 automatically when building
> first DC
> in forest
> 
> 
> > Granted ... though perhaps a moot point to those (on the consumer
> > side of the fence) capable of using such a tweak since proving such
> > usage is challenging to say the least.
> >
> > Aside, since its purpose has been well served twice in as many days
> > and on 2 unrelated topics, maybe it could be considered a feature
> > suggestion ...
> >
> > --
> > Dean Wells
> > MSEtechnology
> > t Email: [EMAIL PROTECTED]
> > http://msetechnology.com
> >
> >
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> >> [EMAIL PROTECTED] On Behalf Of Brett Shirley
> >> Sent: Thursday, August 03, 2006 8:34 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: Re: [ActiveDir] Setting FFL=2 automatically when building
> >> first DC in forest
> >>
> >> Touching schema.ini would qualify as very not supported ...
> >>
> >> -B
> >>
> >> On Thu, 3 Aug 2006, Paul Williams wrote:
> >>
> >> > Setting FFL=2 automatically when building first DC in forest
> >> > It might be worth looking at the %systemroot%\system32\schema.ini
> >> > file again.  I just had a poke around in there after reading Dean's
> >> > answer to your question yesterday and the first section, the
> >> > [DEFAULTROOTDOMAIN] section is setting nTMixedMode.  You can change
> >> > that to 0 (for native) and try adding mSDS-Behavior-Version and
> >> > setting it to 2.
> >> >
> >> > I don't know if that will work, but you're probably in a position
> >> > to test this...
> >> >
> >> >
> >> > --Paul
> >> >
> >> >   - Original Message -
> >> >   From: [EMAIL PROTECTED]
> >> >   To: ActiveDir@mail.activedir.org
> >> >   Sent: Thursday, August 03, 2006 9:39 AM
> >> >   Subject: [ActiveDir] Setting FFL=2 automatically when building
> >> first DC in forest
> >> >
> >> >
> >> >   According to http://support.microsoft.com/kb/223757/en-us the
> >> >   SetForestVersion entry in the dcpromo answer file can only be
> >> >   used to set FFL to 1 or 0 when building a new forest.
> >> >
> >> >   Is this correct? I'd like to automate the transition to FFL=2
> >> >   when building the first DC in a forest (without a script).
> >> >
> >> >   Perhaps another change request for Longhorn? :)
> >> >
> >> >   neil
> >> >

Re: [ActiveDir] OT: DNS entry

2006-08-04 Thread Paul Williams



If you've got the necessary auditing enabled in your domain, and you had
auditing ACEs configured on the DNS zone (location depends, generally you'd
set it on CN=MicrosoftDNS folder) then yes, you can.  But you'll have to
search each DC's security event log for this info.

Otherwise, you can't get this info.  You can check the whenChanged attribute
on the tombstoned record for a rough idea of when the deletion occurred and
try and move from there by looking at logon events, again if you have
auditing enabled.

If you're not using AD-Integrated DNS, then none of the above will really
help.


--Paul

  - Original Message -
  From: James Carter
  To: ActiveDir@mail.activedir.org
  Sent: Friday, August 04, 2006 12:09 PM
  Subject: [ActiveDir] OT: DNS entry

  We had a static Server DNS entry deleted over the weekend.

  Is there any way to find out who deleted this entry? This is a Windows
  2003 R2 server/domain

  thanks

  JAmes


  Do you Yahoo!? Next-gen email? Have it all with the all-new Yahoo! Mail Beta.


RE: [ActiveDir] OT: DNS entry

2006-08-04 Thread neil.ruston



If the zone is stored in BIND (text) format then you'll struggle.

If it's stored in AD and auditing is enabled, then an event should exist in
the Security event log on the DC which received the delete request.

Do you have an enterprise security monitoring system?


neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: 04 August 2006 12:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DNS entry

We had a static Server DNS entry deleted over the weekend.

Is there any way to find out who deleted this entry? This is a Windows 2003
R2 server/domain

thanks

JAmes


Do you Yahoo!? Next-gen email? Have it all with the all-new Yahoo! Mail Beta.

PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments.  NIplc
does not provide investment services to private customers.  Authorised and
regulated by the Financial Services Authority.  Registered in England
no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP.  A member of the Nomura group of companies.
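Paul's and Neil's replies above describe one procedure: take whenChanged from the tombstoned DNS node as the approximate deletion time, then search the Security log of every DC, because the audit event exists only on the DC that processed the delete. The script below is an added example and is not code from either poster or from Microsoft. It assumes a constructed zone DN for contoso.com in the DomainDnsZones partition, a constructed record name "server1", the ActiveDirectory PowerShell module, and Windows Server 2008 or later DCs (event 5141 "A directory service object was deleted", or 4662 where an audit ACE on CN=MicrosoftDNS is the trigger).

```powershell
# Added example (not from the thread): locate the DNS tombstone, then correlate it
# with directory-service audit events on every DC in the deletion time window.
# Constructed inputs: $ZoneDN and $RecordName below are placeholders for this example.
param(
    [string]$ZoneDN      = 'DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com',
    [string]$RecordName  = 'server1',
    [int]   $WindowHours = 2,
    [int[]] $EventIds    = @(5141, 4662)  # 5141: DS object deleted; 4662: SACL-triggered object access
)
Import-Module ActiveDirectory

# An AD-integrated DNS record is not removed on delete; the dnsNode is marked
# dNSTombstoned=TRUE, and that modification sets whenChanged to roughly the deletion time.
$node = Get-ADObject -SearchBase $ZoneDN `
    -LDAPFilter "(&(objectClass=dnsNode)(dNSTombstoned=TRUE)(name=$RecordName))" `
    -Properties whenChanged
if (-not $node) { throw "No tombstoned dnsNode named '$RecordName' under $ZoneDN" }

$start = $node.whenChanged.AddHours(-$WindowHours)
$end   = $node.whenChanged.AddHours($WindowHours)
Write-Host ("Tombstone {0} last changed {1:u}; searching {2:u} .. {3:u}" -f `
    $node.DistinguishedName, $node.whenChanged, $start, $end)

# The audit event is written only on the DC that handled the delete, so every DC is queried.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $EventIds; StartTime = $start; EndTime = $end
        } |
        Where-Object {
            # 5141 names the object by DN; 4662 may record it by GUID instead, so accept either.
            $_.Message -match [regex]::Escape($node.DistinguishedName) -or
            $_.Message -match $node.ObjectGUID.ToString()
        } |
        ForEach-Object {
            # The Subject block of 5141/4662 carries the account that issued the request.
            $account = $_.Message -split "`r?`n" |
                Where-Object { $_ -match 'Account Name:' } | Select-Object -First 1
            [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; EventId = $_.Id; Subject = $account.Trim() }
        }
    } catch {
        # Get-WinEvent throws both when no events match and when the DC is unreachable;
        # a DC with no matching events is expected, an unreachable one is a gap in the search.
        Write-Warning "$dc`: $($_.Exception.Message)"
    }
}
```

On the Windows Server 2003 R2 DCs the original question describes, Get-WinEvent cannot query the remote log; the equivalent is Get-EventLog against the Security log, where the directory-service access audit is event 566 rather than 5141/4662, with the same DN matching. Without "Audit directory service access" enabled on the DCs, and an audit ACE on the zone container for 4662/566, the search returns nothing, which is exactly Paul's caveat.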





[ActiveDir] OT: DNS entry

2006-08-04 Thread James Carter
We had a static Server DNS entry deleted over the weekend.

Is there any way to find out who deleted this entry? This is a Windows 2003 R2 server/domain

thanks

JAmes

Do you Yahoo!? Next-gen email? Have it all with the all-new Yahoo! Mail Beta.

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-04 Thread Paul Williams

Yes, I'll do the same then...

This particular customer should have a lot of weight.


--Paul

- Original Message - 
From: <[EMAIL PROTECTED]>

To: 
Sent: Friday, August 04, 2006 9:09 AM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC 
in forest




Let's just hope that Longhorn enables us to build machines (DCs) in a
truly unattended fashion then :) only then can I avoid touching
schema.ini. [I don't consider post build scripts to be acceptable.]

MS will be ratifying our designs late this year - I think I can lean
hard enough on the MS guys to persuade them to support us :)

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: 04 August 2006 01:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first
DC in forest

Touching schema.ini would qualify as very not supported ...

-B

On Thu, 3 Aug 2006, Paul Williams wrote:

> Setting FFL=2 automatically when building first DC in forest
> It might be worth looking at the %systemroot%\system32\schema.ini file
> again.  I just had a poke around in there after reading Dean's answer to
> your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
> section is setting nTMixedMode.  You can change that to 0 (for native)
> and try adding mSDS-Behavior-Version and setting it to 2.
>
> I don't know if that will work, but you're probably in a position to
> test this...
>
>
> --Paul
>
>   - Original Message -
>   From: [EMAIL PROTECTED]
>   To: ActiveDir@mail.activedir.org
>   Sent: Thursday, August 03, 2006 9:39 AM
>   Subject: [ActiveDir] Setting FFL=2 automatically when building first
>   DC in forest
>
>
>   According to http://support.microsoft.com/kb/223757/en-us the
>   SetForestVersion entry in the dcpromo answer file can only be used to
>   set FFL to 1 or 0 when building a new forest.
>
>   Is this correct? I'd like to automate the transition to FFL=2 when
>   building the first DC in a forest (without a script).
>
>   Perhaps another change request for Longhorn? :)
>
>   neil


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-04 Thread neil.ruston
Let's just hope that Longhorn enables us to build machines (DCs) in a
truly unattended fashion then :) only then can I avoid touching
schema.ini. [I don't consider post build scripts to be acceptable.]

MS will be ratifying our designs late this year - I think I can lean
hard enough on the MS guys to persuade them to support us :)

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: 04 August 2006 01:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first
DC in forest

Touching schema.ini would qualify as very not supported ...

-B

On Thu, 3 Aug 2006, Paul Williams wrote:

> Setting FFL=2 automatically when building first DC in forest
> It might be worth looking at the %systemroot%\system32\schema.ini file
> again.  I just had a poke around in there after reading Dean's answer to
> your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
> section is setting nTMixedMode.  You can change that to 0 (for native)
> and try adding mSDS-Behavior-Version and setting it to 2.
> 
> I don't know if that will work, but you're probably in a position to
> test this...
> 
> 
> --Paul
> 
>   - Original Message - 
>   From: [EMAIL PROTECTED] 
>   To: ActiveDir@mail.activedir.org 
>   Sent: Thursday, August 03, 2006 9:39 AM
>   Subject: [ActiveDir] Setting FFL=2 automatically when building first

> DC in forest
> 
> 
>   According to http://support.microsoft.com/kb/223757/en-us the
>   SetForestVersion entry in the dcpromo answer file can only be used to
>   set FFL to 1 or 0 when building a new forest.
> 
>   Is this correct? I'd like to automate the transition to FFL=2 when
>   building the first DC in a forest (without a script).
> 
>   Perhaps another change request for Longhorn? :)
> 
>   neil
> 

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-04 Thread Paul Williams
This is a real problem for me.  I've got no qualms about doing things in an 
unsupported fashion, as I feel I know what I'm doing.  However, our 
customers won't have any of it.  Especially as we won't be around to help 
support it, etc.


Another example is replicating NDNCs.  Apparently, I can't script the 
population of mSDS-NC-Replica-Locations, I can only get bridgeheads that 
don't, for example, run DNS to replicate the DNS NDNCs by using the 
applicable NTDSUTIL options.  I doubt NTDSUTIL is doing anything different 
to my script (in this one instance of course) but the DSE said that my 
script was unsupported.


I'd be interested in knowing why some of these switches in the answer file 
only work under select circumstances.  As it seems that doing so is going to 
force some people to do one of two things:

-- Perform "unsupported" tasks to automate their DC promotions
-- Write a number of pre- and post-promotion scripts, which can be a pain 
as it adds additional complexity to the automation environment, etc.


[I hope] Longhorn should have better support for these options as the new 
DCPROMO UI allows you to select GC, etc.



--Paul

- Original Message - 
From: "Dean Wells" <[EMAIL PROTECTED]>

To: "Send - AD mailing list" <[EMAIL PROTECTED]>
Sent: Friday, August 04, 2006 2:32 AM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC 
in forest




Granted ... though perhaps a moot point to those (on the consumer side of
the fence) capable of using such a tweak since proving such usage is
challenging to say the least.

Aside, since its purpose has been well served twice in as many days and on
2 unrelated topics, maybe it could be considered a feature suggestion ...

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com



-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 03, 2006 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building
first DC in forest

Touching schema.ini would qualify as very not supported ...

-B

On Thu, 3 Aug 2006, Paul Williams wrote:

> Setting FFL=2 automatically when building first DC in forest
> It might be worth looking at the %systemroot%\system32\schema.ini file
> again.  I just had a poke around in there after reading Dean's answer to
> your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
> section is setting nTMixedMode.  You can change that to 0 (for native)
> and try adding mSDS-Behavior-Version and setting it to 2.
>
> I don't know if that will work, but you're probably in a position to
> test this...
>
>
> --Paul
>
>   - Original Message -
>   From: [EMAIL PROTECTED]
>   To: ActiveDir@mail.activedir.org
>   Sent: Thursday, August 03, 2006 9:39 AM
>   Subject: [ActiveDir] Setting FFL=2 automatically when building
first DC in forest
>
>
>   According to http://support.microsoft.com/kb/223757/en-us the
>   SetForestVersion entry in the dcpromo answer file can only be used to
>   set FFL to 1 or 0 when building a new forest.
>
>   Is this correct? I'd like to automate the transition to FFL=2 when
>   building the first DC in a forest (without a script).
>
>   Perhaps another change request for Longhorn? :)
>
>   neil
>
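The thread settles on two facts: the dcpromo answer file's SetForestVersion entry reaches only level 0 or 1 when a forest is created, and editing schema.ini to seed nTMixedMode or msDS-Behavior-Version is unsupported. What remains is the post-promotion script Paul mentions. The block below is an added example, not code from the thread or from Microsoft: it reads the functional-level attributes exactly where they live (msDS-Behavior-Version on CN=Partitions for the forest, on the domain NC head for the domain, plus the legacy nTMixedMode flag) and raises them to a requested level. It assumes the ActiveDirectory PowerShell module, Enterprise Admin rights, and that it runs on the first and so far only DC of a new forest, so the domain naming and schema FSMO roles are local; the target level 2 (Windows Server 2003) is taken from the thread.

```powershell
# Added example (not from the thread): verify, and if needed raise, the forest and domain
# functional levels after an unattended promotion that could only set FFL to 0 or 1.
# Assumption: single-DC new forest; $TargetLevel = 2 mirrors the thread's "FFL=2".
param([int]$TargetLevel = 2)
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# Forest level: msDS-Behavior-Version on the Partitions container in the configuration NC.
# Domain level: msDS-Behavior-Version on the domain NC head; nTMixedMode is the legacy
# mixed (1) / native (0) flag that schema.ini's [DEFAULTROOTDOMAIN] seeds at promotion.
$partitions = Get-ADObject -Identity "CN=Partitions,$($rootDse.configurationNamingContext)" `
    -Properties 'msDS-Behavior-Version'
$domainHead = Get-ADObject -Identity $rootDse.defaultNamingContext `
    -Properties 'msDS-Behavior-Version', 'nTMixedMode'

$forestLevel = [int]$partitions.'msDS-Behavior-Version'
$domainLevel = [int]$domainHead.'msDS-Behavior-Version'
"Before: forest={0} domain={1} nTMixedMode={2}" -f $forestLevel, $domainLevel, $domainHead.nTMixedMode

# ADDomainMode / ADForestMode enum values equal the msDS-Behavior-Version integers
# (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003, ...),
# so the requested level casts straight to the cmdlet parameter type.
if ($domainLevel -lt $TargetLevel) {
    # Every domain must reach the target level before the forest can be raised to it.
    Set-ADDomainMode -Identity (Get-ADDomain) `
        -DomainMode ([Microsoft.ActiveDirectory.Management.ADDomainMode]$TargetLevel) -Confirm:$false
}
if ($forestLevel -lt $TargetLevel) {
    Set-ADForestMode -Identity (Get-ADForest) `
        -ForestMode ([Microsoft.ActiveDirectory.Management.ADForestMode]$TargetLevel) -Confirm:$false
}

# Re-read from the directory rather than trusting the cmdlets' return: the raise is
# irreversible, so the script records what the DC actually committed.
$partitions = Get-ADObject -Identity $partitions.DistinguishedName -Properties 'msDS-Behavior-Version'
$domainHead = Get-ADObject -Identity $domainHead.DistinguishedName -Properties 'msDS-Behavior-Version', 'nTMixedMode'
"After:  forest={0} domain={1} nTMixedMode={2}" -f $partitions.'msDS-Behavior-Version', `
    $domainHead.'msDS-Behavior-Version', $domainHead.nTMixedMode
```

In a multi-domain forest the domain raise has to be repeated per domain before the forest step, and the forest write lands on the Partitions container owned by the domain naming master, so the script would need -Server pointed at that role holder; the single-DC assumption above sidesteps both.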

RE: [ActiveDir] ldp in ADAM-SP1

2006-08-04 Thread Ulf B. Simon-Weidner
Hi Dmitri,

And DSAcls still does not display a computer account's ACL if someone was
delegated permission to join a computer to this account using ADUC:
http://www.windowsserverfaq.org/faq/CompACLs.asp

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
  http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Thursday, July 27, 2006 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Guido, which changes to you want to see in dsacls in B3?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 25, 2006 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

well, for Win2000 and Win2003 AD that tool is DSACLS for 95% of what you
should need to do. You've already tripped over some of its limitations
especially around handling the confidential bit - however, I have not seen
many customers that actually leverage the confidential bit yet for anything
else but OS features (for example for PKI credential roaming).
It would be nice to leverage it for many more lockdown scenarios, but you
can't use it for the base schema attributes (category 1), which includes
almost all of the interesting attributes you may want to restrict access to.
Of course you can use it for your own schema extensions.

For file-system ACLing that tool is CACLS or XCACLS - probably for 99% of
what you need to do.  Note for the FS you may also want to check out the
betas of either Windows Longhorn or the current Windows 2003 SP2 => they
include a new commandline ACLing tool called Icacls.exe, which can be used
to reset the account control lists (ACL) on files from Recovery Console, and
to back up ACLs. It can also handle replacement of ACLs (much like subinacl)
and works well with either names or SIDs. At last, unlike Cacls.exe,
Icacls.exe preserves canonical ordering of ACEs and thus correctly
propagates changes to and creation of inherited ACLs.

DSACLs has only been updated slightly in LH, but I hope to see some more
changes prior to beta 3.

At last, depending on your requirements, you may also need to look into
changing the default security descriptor of some of the objects (for
example, check out all the default write permissions, which every user is
granted on its own object via the SELF security principal; many companies
are still unaware of this). You can check these rights most easily via the
schema mgmt mmc (check properties of a class object, such as user and click
on the Default Security tab). 

So it's fair to say that although handling ACLs remains a complex
topic, you can get most of the things done with existing commandline tools
from MSFT. Sometimes it will simply be more appropriate to use the UI for a
few settings. And there is always the option to script setting ACLs if you
really have special requirements.


As for your delegation model => I would not have the goal to teach your
delegated admins how to do ACLing inside AD. I'm fine with a delegated admin
doing the security on a file-server that he completely manages on his own.
But AD security should be kept in the hand of domain and enterprise admins
(partly because it is rather complex and you only want few folks to fiddle
around with it, partly because it is plain risky to do it otherwise).  The
critical piece for most delegation models to succeed is to build a centrally
controlled OU structure (ideally standardized for your different delegated
"admin units" as I like to call them and not to grant your data admin (= the
delegated admins) any rights to create OUs themselves (otherwise - with the
current ACLing model - you can't prevent them from configuring the security of
the OU).
Basically the same is true for any objects they create, but it's the OUs
that allow you to manage the security for multiple child objects at once
(and thus these need to be controlled centrally). Many more things to share
in this respect, but no delegation model is the same as any other so you're
best to understand and plan it from the ground up. There may be similarities
between many models, but for the various infrastructures I've planned, every
customer has had their special requirements.

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Tuesday, July 25, 2006 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Wow,

Thank you so much for the detailed info guys. Basically my goal is quite
simple. At least it is in my head. What I want to do, is to go through the
entire case study given in the AD delegation whitepaper, and do all of that
permissions configuration entirely at command line (where po
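Guido's point about the default security descriptor (every user gets a set of write permissions on its own object through the SELF principal, and most companies never look) is easy to check from the command line rather than through the schema MMC. The script below is an added example and is not code from Guido, Ulf or Microsoft. It assumes the ActiveDirectory PowerShell module on a domain-joined host; the class name "user" is the constructed input, and any class with a defaultSecurityDescriptor can be passed instead.

```powershell
# Added example (not from the thread): decode a class's defaultSecurityDescriptor from the
# schema and list every ACE it grants to SELF, resolving object-type GUIDs to the attribute,
# property-set or extended-right name so the output reads like the schema MMC's Default
# Security tab. Constructed input: $ClassName defaults to 'user'.
param([string]$ClassName = 'user')
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# GUID -> name maps, built once: attributes and classes carry schemaIDGUID (binary);
# property sets and extended rights under CN=Extended-Rights carry rightsGuid (string).
$guidNames = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[([guid]$_.rightsGuid).ToString()] = $_.displayName }

# defaultSecurityDescriptor is an SDDL string on the classSchema object; it is applied to
# every new instance of the class whose creator does not supply its own descriptor.
$class = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))" `
    -Properties defaultSecurityDescriptor
if (-not $class) { throw "No classSchema object with lDAPDisplayName '$ClassName'" }

$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($class.defaultSecurityDescriptor)

# S-1-5-10 resolves to NT AUTHORITY\SELF; an empty ObjectType means the ACE covers the
# whole object rather than one attribute, property set or extended right.
$sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' } |
    ForEach-Object {
        $key = $_.ObjectType.ToString()
        $target = if ($_.ObjectType -eq [guid]::Empty) { '(whole object)' }
                  elseif ($guidNames.ContainsKey($key)) { $guidNames[$key] }
                  else { $key }
        [pscustomobject]@{
            Type   = $_.AccessControlType
            Rights = $_.ActiveDirectoryRights
            Target = $target
        }
    } | Sort-Object Target | Format-Table -AutoSize
```

Because the descriptor is read from the schema, the listing shows what a newly created object would receive, not what an existing object has now; for an object already in the directory the same decoding applies to the nTSecurityDescriptor returned by Get-Acl on the AD: drive, which is where a changed default or a later delegation would show up.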