RE: [ActiveDir] ADFind Query

2006-08-15 Thread Laura A. Robinson



It's part of SFU (now in R2), but if you just want a downloadable grep for Windows,
you could try http://www.wingrep.com

Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
  Sent: Tuesday, August 15, 2006 12:28 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ADFind Query

  I'm familiar with grep on *nix, but didn't realize it was available on Windows.
  Where did you get your port of grep for Windows at?
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, August 14, 2006 6:16 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ADFind Query

  Yeah something like

  adfind -sc s:* ldapdisplayname attributeid -csv |grep -i 1.3.6.1.4.1.14376

  would work fine.

  But still... the OP is hopefully prefixing schema attributes and classes
  with a corporate value... Otherwise they could run into collisions with
  vendors with bad schema practices.

  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Monday, August 14, 2006 6:17 PM
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] ADFind Query

  If not, though less efficient, dump them all and pipe it through find

  --
  Dean Wells
  MSEtechnology
  * Email: [EMAIL PROTECTED]
  http://msetechnology.com
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, August 14, 2006 5:53 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ADFind Query

  You shouldn't be getting that error with that command... Even if the
  attribute name was incorrect you wouldn't get that error, you would get 0
  objects returned as the query processor doesn't output errors because of
  incorrect attributes being specified.

  However, that being said, this isn't going to work. You can't wildcard OIDs
  (or more accurately 2.5.5.2/6 data types).

  Hopefully you guys prefixed all of the classes and attributes you added with
  a company prefix so you can search on that like so

  adfind -schema -f name=joeware* ldapdisplayname -sl

  or the shortcut

  adfind -sc sl:joeware*

  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
  Sent: Monday, August 14, 2006 5:29 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] ADFind Query

  Hey guys,

  Simple question. I'm trying to perform a search to locate all the schema
  extensions that have been added in by our company.

  I thought some simple syntax like this would work to find all schema
  attributes with an attributeID prefixed with our OID.

  adfind -schema -f attributeID=1.3.6.1.4.1.14376.*
  ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such Attribute

  I'm obviously missing something, any thoughts?
  
  Thanks,
  ~Ben
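
Added example, not part of the thread and not code from any poster: a client-side filter for the "dump them all and filter" approach discussed above, comparing OIDs arc by arc so that an unanchored pattern with unescaped dots does not pull in other vendors' attributes. The CSV column layout, the sample rows and the `appsig` name prefix are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample of what `adfind -sc s:* ldapdisplayname attributeid -csv`
# might emit. The quoted CSV layout with a header row is an assumption; the
# attribute names and every arc below 14376 are invented for illustration.
SAMPLE_CSV = '''"dn","ldapdisplayname","attributeid"
"CN=Common-Name,CN=Schema,CN=Configuration,DC=example,DC=com","cn","2.5.4.3"
"CN=appsig-BadgeId,CN=Schema,CN=Configuration,DC=example,DC=com","appsigBadgeId","1.3.6.1.4.1.14376.1.1"
"CN=appsig-CostCenter,CN=Schema,CN=Configuration,DC=example,DC=com","appsigCostCenter","1.3.6.1.4.1.14376.1.2"
"CN=legacy-Uid,CN=Schema,CN=Configuration,DC=example,DC=com","legacyUid","1.3.6.1.4.1.14376.2.7"
"CN=other-Vendor-Attr,CN=Schema,CN=Configuration,DC=example,DC=com","otherVendorAttr","1.3.6.1.4.1.143760.5.1"
"CN=wildcard-Attr,CN=Schema,CN=Configuration,DC=example,DC=com","wildcardAttr","1.3.6.1.4.1514376.2"
'''


def parse_oid(text):
    """Return the OID as a tuple of ints, or None if it is not dotted-decimal."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(arc) for arc in text.split("."))


def under_arc(oid, root):
    """True when `oid` is `root` itself or sits below it, compared arc by arc."""
    return oid is not None and oid[:len(root)] == root


def find_extensions(csv_text, root_oid, name_prefix):
    """List schema attributes registered under `root_oid`.

    Each hit also records whether its lDAPDisplayName carries the company
    prefix (hypothetical here), which is the naming practice the thread
    recommends for avoiding collisions.
    """
    root = parse_oid(root_oid)
    if root is None:
        raise ValueError(f"not a dotted-decimal OID: {root_oid!r}")
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        oid = parse_oid((row.get("attributeid") or "").strip())
        if under_arc(oid, root):
            name = row["ldapdisplayname"]
            hits.append({
                "name": name,
                "oid": ".".join(str(arc) for arc in oid),
                "prefixed": name.lower().startswith(name_prefix.lower()),
            })
    return hits


def grep_like(csv_text, pattern):
    """Names on the data lines that `grep -i PATTERN` would print.

    grep treats the pattern as an unanchored regex, so each '.' matches any
    character and longer arcs that merely start with the same digits match too.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    matched = [line for line in csv_text.splitlines()[1:] if rx.search(line)]
    return [fields[1] for fields in csv.reader(matched)]


if __name__ == "__main__":
    root = "1.3.6.1.4.1.14376"
    print("arc-by-arc match:")
    for hit in find_extensions(SAMPLE_CSV, root, "appsig"):
        flag = "" if hit["prefixed"] else "  <-- no company prefix"
        print(f"  {hit['name']:<18} {hit['oid']}{flag}")
    print("unanchored regex match:")
    for name in grep_like(SAMPLE_CSV, root):
        print(f"  {name}")
```
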


Re: [ActiveDir] ADFind Query

2006-08-15 Thread Paul Williams

Yeah right!  Our customers still have hundreds of NT 4 boxes...

I saw some (three) production 3.51 boxes four months ago...


--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 15, 2006 2:34 AM
Subject: RE: [ActiveDir] ADFind Query


P.S. http://support.microsoft.com/lifecycle/?p1=7274   Mainstream support on
2K Server ended 6/30/2005... Get off of 2K servers folks


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query

Ah W2K. It is probably reporting the error incorrectly which is why you
don't see the problem on K3. The issue is you can't wildcard the OID, the
attribute does obviously exist.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, August 14, 2006 6:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADFind Query

I get the error Ben got with W2K. W2k3 doesn't give that error. The VM
I have here is W2k3 with SP3.

M@

On 8/14/06, joe [EMAIL PROTECTED] wrote:



You shouldn't be getting that error with that command... Even if the
attribute name was incorrect you wouldn't get that error, you would get 0
objects returned as the query processor doesn't output errors because of
incorrect attributes being specified.

However, that being said, this isn't going to work. You can't wildcard OIDs
(or more accurately 2.5.5.2/6 data types).

Hopefully you guys prefixed all of the classes and attributes you added with
a company prefix so you can search on that like so

adfind -schema -f name=joeware* ldapdisplayname -sl

or the shortcut

adfind -sc sl:joeware*




--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



 
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
WATSON, BEN
Sent: Monday, August 14, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query





Hey guys,



Simple question.  I'm trying to perform a search to locate all the schema
extensions that have been added in by our company.



I thought some simple syntax like this would work to find all schema
attributes with an attributeID prefixed with our OID.



adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such
Attribute



I'm obviously missing something, any thoughts?



Thanks,

~Ben


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



Re: [ActiveDir] ADFind Query

2006-08-15 Thread Matheesha Weerasinghe

http://unxutils.sourceforge.net/

On 8/15/06, WATSON, BEN [EMAIL PROTECTED] wrote:




I'm familiar with grep on *nix, but didn't realize it was available on
Windows.  Where did you get your port of grep for Windows at?





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joe
Sent: Monday, August 14, 2006 6:16 PM

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query









Yeah something like



adfind -sc s:* ldapdisplayname attributeid -csv |grep -i 1.3.6.1.4.1.14376



would work fine.



But still... the OP is hopefully prefixing schema attributes and classes
with a corporate value... Otherwise they could run into collisions with
vendors with bad schema practices.



--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm










From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Dean Wells
Sent: Monday, August 14, 2006 6:17 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ADFind Query

If not, though less efficient, dump them all and pipe it through find …




--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joe
Sent: Monday, August 14, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query



You shouldn't be getting that error with that command... Even if the
attribute name was incorrect you wouldn't get that error, you would get 0
objects returned as the query processor doesn't output errors because of
incorrect attributes being specified.



However, that being said, this isn't going to work. You can't wildcard OIDs
(or more accurately 2.5.5.2/6 data types).



Hopefully you guys prefixed all of the classes and attributes you added with
a company prefix so you can search on that like so



adfind -schema -f name=joeware* ldapdisplayname -sl



or the shortcut



adfind -sc sl:joeware*








--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm










From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
WATSON, BEN
Sent: Monday, August 14, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query

Hey guys,



Simple question.  I'm trying to perform a search to locate all the schema
extensions that have been added in by our company.



I thought some simple syntax like this would work to find all schema
attributes with an attributeID prefixed with our OID.



adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such
Attribute



I'm obviously missing something, any thoughts?



Thanks,

~Ben



RE: [ActiveDir] ADFind Query

2006-08-15 Thread joe



Mine specifically came from Borland...

http://info.borland.com/devsupport/borlandcpp/GREP5P1.ZIP

Tons of ports though. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, August 15, 2006 12:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query

I'm familiar with grep on *nix, but didn't realize it was available on Windows.
Where did you get your port of grep for Windows at?





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 6:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query

Yeah something like

adfind -sc s:* ldapdisplayname attributeid -csv |grep -i 1.3.6.1.4.1.14376

would work fine.

But still... the OP is hopefully prefixing schema attributes and classes
with a corporate value... Otherwise they could run into collisions with
vendors with bad schema practices.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 14, 2006 6:17 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ADFind Query

If not, though less efficient, dump them all and pipe it through find

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query

You shouldn't be getting that error with that command... Even if the
attribute name was incorrect you wouldn't get that error, you would get 0
objects returned as the query processor doesn't output errors because of
incorrect attributes being specified.

However, that being said, this isn't going to work. You can't wildcard OIDs
(or more accurately 2.5.5.2/6 data types).

Hopefully you guys prefixed all of the classes and attributes you added with
a company prefix so you can search on that like so

adfind -schema -f name=joeware* ldapdisplayname -sl

or the shortcut

adfind -sc sl:joeware*

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Monday, August 14, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query

Hey guys,

Simple question. I'm trying to perform a search to locate all the schema
extensions that have been added in by our company.

I thought some simple syntax like this would work to find all schema
attributes with an attributeID prefixed with our OID.

adfind -schema -f attributeID=1.3.6.1.4.1.14376.*
ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such Attribute

I'm obviously missing something, any thoughts?

Thanks,
~Ben


RE: [ActiveDir] ADFind Query

2006-08-15 Thread joe
Yep, I see them too. Well not 3.51, I have to say it has been at least 4
years since I saw 3.51 and I didn't see them after that because some
anonymous remote exploit virus had its way with them and completely shredded
them. That app that was so critically important that it couldn't be moved
off of the OS was down for months. 

I was expecting to see the NT4 stuff start dropping quick because of lack of
hardware but the virtualization world has saved it. However, if a virus rips
through NT4, I will have a hard time controlling my laughing when someone is
impacted. If they don't take security seriously, why should I take it
seriously on their behalf? Yes, NT4 worked great when it was prime but the
world has changed, failure to grasp change has been a point of failure for
many though there is little reason it should occur here because it has been
quite well publicized. 

Live by the thought that you don't know for sure when you are compromised.
Not every person using exploits is trying to knock your server down or
infect hundreds or thousands of others... 

  joe 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, August 15, 2006 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADFind Query

Yeah right!  Our customers still have hundreds of NT 4 boxes...

I saw some (three) production 3.51 boxes four months ago...


--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 15, 2006 2:34 AM
Subject: RE: [ActiveDir] ADFind Query


 P.S. http://support.microsoft.com/lifecycle/?p1=7274   Mainstream support on
 2K Server ended 6/30/2005... Get off of 2K servers folks


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Monday, August 14, 2006 9:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADFind Query

 Ah W2K. It is probably reporting the error incorrectly which is why you
 don't see the problem on K3. The issue is you can't wildcard the OID, the
 attribute does obviously exist.


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
 Weerasinghe
 Sent: Monday, August 14, 2006 6:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] ADFind Query

 I get the error Ben got with W2K. W2k3 doesn't give that error. The VM
 I have here is W2k3 with SP3.

 M@

 On 8/14/06, joe [EMAIL PROTECTED] wrote:


 You shouldn't be getting that error with that command... Even if the
 attribute name was incorrect you wouldn't get that error, you would get 0
 objects returned as the query processor doesn't output errors because of
 incorrect attributes being specified.

 However, that being said, this isn't going to work. You can't wildcard OIDs
 (or more accurately 2.5.5.2/6 data types).

 Hopefully you guys prefixed all of the classes and attributes you added with
 a company prefix so you can search on that like so

 adfind -schema -f name=joeware* ldapdisplayname -sl

 or the shortcut

 adfind -sc sl:joeware*




 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm



  
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 WATSON, BEN
 Sent: Monday, August 14, 2006 5:29 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] ADFind Query





 Hey guys,



 Simple question.  I'm trying to perform a search to locate all the schema
 extensions that have been added in by our company.



 I thought some simple syntax like this would work to find all schema
 attributes with an attributeID prefixed with our OID.



 adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

 ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such
 Attribute



 I'm obviously missing something, any thoughts?



 Thanks,

 ~Ben



RE: [ActiveDir] ADFind Query

2006-08-15 Thread joe
Good story of I touched the burner and hurt my fingers so I won't be doing
that again anytime soon. :)
 
Thanks for sharing. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, August 15, 2006 12:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query


Oh yes, we absolutely prefix our extensions...  now.  A few years ago
(before I was here), someone decided to add a UID attribute to the schema
with a bad OID, bad syntax, bad everything, and unfortunately this directly
collided with the UID attribute that Windows 2003 wanted to add.  It
required an enormous amount of work to deal with since I don't have the
ability to defunct the attribute.
 

  _  

From: [EMAIL PROTECTED] on behalf of joe
Sent: Mon 8/14/2006 6:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query


Yeah something like
 
adfind -sc s:* ldapdisplayname attributeid -csv |grep -i 1.3.6.1.4.1.14376
 
would work fine. 
 
But still... the OP is hopefully prefixing schema attributes and classes
with a corporate value... Otherwise they could run into collisions with
vendors with bad schema practices. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 14, 2006 6:17 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ADFind Query



If not, though less efficient, dump them all and pipe it through find ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query

 

You shouldn't be getting that error with that command... Even if the
attribute name was incorrect you wouldn't get that error, you would get 0
objects returned as the query processor doesn't output errors because of
incorrect attributes being specified. 

 

However, that being said, this isn't going to work. You can't wildcard OIDs
(or more accurately 2.5.5.2/6 data types).

 

Hopefully you guys prefixed all of the classes and attributes you added with
a company prefix so you can search on that like so

 

adfind -schema -f name=joeware* ldapdisplayname -sl

 

or the shortcut

 

adfind -sc sl:joeware*

 

 

 

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Monday, August 14, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query

Hey guys,

 

Simple question.  I'm trying to perform a search to locate all the schema
extensions that have been added in by our company.

 

I thought some simple syntax like this would work to find all schema
attributes with an attributeID prefixed with our OID.

 

adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such
Attribute

 

I'm obviously missing something, any thoughts?

 

Thanks,

~Ben

attachment: winmail.dat

RE: [ActiveDir] Adding the first Win2003 R2 DC

2006-08-15 Thread joe



All of the issues I have heard of around R2 ForestPrep have been around the
mangling of the SFU attributes that has been discussed here.

I am not sure why MSFT is acting surprised about it. Aric Bernard (from the
list here) encountered it and told them about it in the beta groups a long
long time ago.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Patton
Sent: Monday, August 14, 2006 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC

Did you run into any issues performing this upgrade?





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, July 27, 2006 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC

Thanks to all for the responses.

Bryan Lucas
Server Administrator
Texas Christian University




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, July 27, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding the first Win2003 R2 DC

You need to run forestprep from the R2 CD on your schema master.

Paul has a nice summary here:



http://www.msresource.net/content/view/60/47/ 




and more from Microsoft 


http://technet2.microsoft.com/WindowsServer/en/library/5022eea0-54bc-422f-b98b-ddb836c8ee851033.mspx?mfr=true 




Thanks

Mike







On 7/27/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

I have 4 DC's that are Win2003 SP1 and 1 DC that is still Win2000 SP4. I'd
like to add a new DC that is Win2003 R2. Is there anything special I need
to do (i.e. forestprep/domainprep) or can I join it just like another Win2003
SP1 DC?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University




RE: [ActiveDir] Adding the first Win2003 R2 DC

2006-08-15 Thread Thommes, Michael M.








I fixed this issue with ldp and Steve Linehan's instructions to the list
about two weeks ago. Microsoft supposedly has an unofficial patch to fix
this issue. Talk to your TAM.



Mike Thommes











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 15, 2006 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC





All of the issues I have heard of around
R2 ForestPrep have been around the mangling of the SFU attributes that has been
discussed here. 



I am not sure why MSFT is acting surprised
about it. Aric Bernard (from the list here) encountered it and told them about
it in the beta groups a long long time ago. 







--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Patton
Sent: Monday, August 14, 2006 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC

Did you run into any issues performing
this upgrade?











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, July 27, 2006 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC





Thanks to all for the responses.





Bryan Lucas

Server Administrator

Texas Christian University











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, July 27, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding the first Win2003 R2 DC







You need to run forestprep from the R2 CD on your schema master. 











Paul has a nice summary here:











http://www.msresource.net/content/view/60/47/












and more from Microsoft 





http://technet2.microsoft.com/WindowsServer/en/library/5022eea0-54bc-422f-b98b-ddb836c8ee851033.mspx?mfr=true












Thanks





Mike

























On 7/27/06, Lucas, Bryan [EMAIL PROTECTED] wrote:








I have 4 DC's that are Win2003 SP1 and 1 DC that is still Win2000 SP4. I'd
like to add a new DC that is Win2003 R2. Is there anything special I need
to do (i.e. forestprep/domainprep) or can I join it just like another Win2003
SP1 DC?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University





















RE: [ActiveDir] ADFind Query

2006-08-15 Thread Dean Wells
I'll take that comparison as an inferred compliment ... thanks ;0)  

Who knows Tony, maybe one day ... but I've got a baby boy on the way so my
free-time is likely going to go the wrong way.  It's certainly a possibility
and high on my list of things I'd choose to do, just not that realistic yet.

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Monday, August 14, 2006 8:24 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADFind Query
 
 Looks like the same one as on the download (March 2006).
 
 Tony
 
 PS.  We've got JoeWare - when are we going to see DeanWare?
 -- Original Message --
 From: Dean Wells [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 Date:  Mon, 14 Aug 2006 20:12:19 -0400
 
 Hey Tony,
 
 I tried posting it earlier but it hasn't appeared as yet nor did it
 bounce.
 I'm uncertain as to the version on the activedir.org site so I've tried
 posting another, smaller zipped enclosure in the hopes that this one
 will make it through.
 
 --
 Dean Wells
 MSEtechnology
 t Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Tony Murray
  Sent: Monday, August 14, 2006 8:03 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] ADFind Query
 
  Have a look at Dean's SchemaDiff on the download page:
 
  http://www.activedir.org/Downloads/Downloads.aspx
 
  Tony
  -- Original Message --
  From: WATSON, BEN [EMAIL PROTECTED]
  Reply-To: ActiveDir@mail.activedir.org
  Date:  Mon, 14 Aug 2006 14:28:47 -0700
 
  Hey guys,
 
 
 
  Simple question.  I'm trying to perform a search to locate all the
  schema extensions that have been added in by our company.
 
 
 
  I thought some simple syntax like this would work to find all schema
  attributes with an attributeID prefixed with our OID.
 
 
 
  adfind -schema -f attributeID=1.3.6.1.4.1.14376.*
 
  ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such Attribute
 
 
 
  I'm obviously missing something, any thoughts?
 
 
 
  Thanks,
 
  ~Ben
 
 
 
 
 
 
 
 
  
  Sent via the WebMail system at mail.activedir.org
 
 
 
 


RE: [ActiveDir] ADFind Query

2006-08-15 Thread Dean Wells
I'll assume for the moment that you were able to get it from the web site,
let me know if otherwise.

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of WATSON, BEN
 Sent: Monday, August 14, 2006 8:22 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADFind Query
 
 Hi Dean,
 
 Any chance you could password protect that zip and simply place the
 password in the body of the e-mail?  Our e-mail gateway was all too
 happy to empty out the contents.
 
 Thanks,
 ~Ben
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: Monday, August 14, 2006 5:12 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] ADFind Query
 
 Hey Tony,
 
 I tried posting it earlier but it hasn't appeared as yet nor did it
 bounce.
 I'm uncertain as to the version on the activedir.org site so I've tried
 posting another, smaller zipped enclosure in the hopes that this one
 will make it through.
 
 --
 Dean Wells
 MSEtechnology
 t Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Tony Murray
  Sent: Monday, August 14, 2006 8:03 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] ADFind Query
 
  Have a look at Dean's SchemaDiff on the download page:
 
  http://www.activedir.org/Downloads/Downloads.aspx
 
  Tony
  -- Original Message --
  From: WATSON, BEN [EMAIL PROTECTED]
  Reply-To: ActiveDir@mail.activedir.org
  Date:  Mon, 14 Aug 2006 14:28:47 -0700
 
  Hey guys,
 
 
 
  Simple question.  I'm trying to perform a search to locate all the
  schema extensions that have been added in by our company.
 
 
 
  I thought some simple syntax like this would work to find all schema
  attributes with an attributeID prefixed with our OID.
 
 
 
  adfind -schema -f attributeID=1.3.6.1.4.1.14376.*
 
  ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such Attribute
 
 
 
  I'm obviously missing something, any thoughts?
 
 
 
  Thanks,
 
  ~Ben
 
 
 
 
 
 
 
 
  


RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Brett Shirley
Maybe I can help w/ the ego (after all I consider trimming Dean's ego one
of my higher callings in life ;-) ...

Dean, you said you didn't mind if we continued to discuss this thread at
one point (a at the time highly volatile thread, which I decided to let
settle down), do you remember this thread:

   http://www.mail-archive.com/activedir@mail.activedir.org/msg32470.html

Where I think you basically conveyed (IMNHO) I didn't know what I was
talking about in regards to what is required for a DS implementation ...

From your two emails in that thread, first you said:

 ... that the process of injecting the phantom isn't a behavioral 
 requirement imposed or carried out by the directory service itself.  
 It is a requirement imposed by the underlying database and is 
 necessary because of the mechanism used by ESE to provide uniform
 representation of object references (i.e. link pairs).

Then in a subsequent email:

 Nod, I understand your point but, to me, it's a matter of perspective
 -- where does the directory begin and end?  From a developers
 standpoint, the directory may well be a whole component neatly
 organized into a single area of a source tree.  From my perspective,
 the term directory (in this context) is used to relay the concept of a
 (mostly) standards based component with predictable features,
 interfaces, behaviors, structures, underlying mechanisms, etc.

Any directory service has a form of the infrastructure master DN-cleanup
problem, when the cross-reference spans replication scopes, irregardless
of underlying database technology, ESE, or SQL Server, or anything else
you can think of.  If they seemingly don't have this problem, then there
is some form of replication happening and thus the DN isn't really
crossing replication scopes (that's why the GC doesn't have this problem
... as you pointed out in part 1 of the article).

So I'd argue the last 2 lines in the first quote were wrong in two ways:
(A) ESE doesn't provide uniform representation of object references.  
That's just patently incorrect.  And (B) this isn't an ESE implementation
detail, it is a DS implementation detail for being constructed on any kind
of database that isn't performing replication (same as SQL, MySQL,
BerkeleyDB, whatever NDS used, or ESE)?  I just want it on record ...
8/17/2005, Dean was wrong once.

Thanks,
BrettSh 
ex-Garage Door Operator #7.


On Mon, 14 Aug 2006, Dean Wells wrote:

 Cheeky git . my head, your stomach . at least we'll have the plane to
 ourselves!  :0)
 
  
 
 Best start working on that pilot's license!
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com http://msetechnology.com/ 
 
  
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Monday, August 14, 2006 5:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article
 
  
 
 Hey I sometimes have to ride on planes with that guy, don't swell his ego
 too much... I want to be able to sit on the plane. 
 
  
 
 :)
 
  
 
 --
 
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm 
 
  
 
  
 
  
 
   _  
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
 Weerasinghe
 Sent: Monday, August 14, 2006 3:02 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir]
 
 joe said pretty decent http://blog.joeware.net/2006/06/08/400/
 
  
 
 I think that's an understatement ;-)
 
  
 
 However, my profuse thanks to joe too. I wasn't aware of the article until he
 blogged it.
 
  
 
 M@
 
  
 
 On 8/14/06, Dean Wells [EMAIL PROTECTED] wrote: 
 
 Why thank you . but who said otherwise?  ;0)
 
 --
 Dean Wells
 MSE technology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com http://msetechnology.com/ 
 
  
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
 Weerasinghe
 Sent: Monday, August 14, 2006 2:35 PM
 
 
 To: ActiveDir@mail.activedir.org
 
 Subject: Re: [ActiveDir] 
 
  
 
 http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463
 
  
 
 I don't care what anyone says. That's a damn fine article.
 
  
 
 I couldn't possibly thank Dean enough for that info.
 
 M@
 
  
 
  
 
 On 8/14/06, Graham Turner [EMAIL PROTECTED] wrote: 
 
 Alter ego !
 
 my thanks are due
 
 worked out a treat - so the GC's are not so ***'d as i thought 
 
 any info on the concept of the phantoms though ??
 
 GT
 
  Hey Robert,
 
  In the article you posted, the registry key is incorrect in the KB 
  content.  It lists the registry key as: 
  HKCU\Software\Policies\Microsoft\Windows\Directory
 
  However, the correct registry key is:
  HKCU\Software\Policies\Microsoft\Windows\Directory UI 
 
  I've sent a comment to my former employer to ask for them to fix the 
  article...next time, test it *before* you post!
 

Re: [ActiveDir] LDAP Logon Name

2006-08-15 Thread Al Mulnick
Hmm... got a blank message again. Hopefully this is not a repeat then. 

Bind DN: The dn of the account to bind to the AD so you can search for users. 
User Search: if you try to search by assuming (shame on them for not explaining it better) that your display name and your cn would be close to matching, then shame on HP for such small thinking. That is the default if you use the active directory users and computers tools. However, anyone who has a more mature process and doesn't like unnatural contortionist moves to be able to find things in directories will tell you, you'll have your cn equal to something that's unique and doesn't have any escape characters. If you use the display name, you'll have escape characters so that makes that tough. 


If, and this is a big IF, you have your mailbox alias, samaccountname (NT logon id), and your cn match, then your search might be a heck of a lot easier. If those are not lined up, then please see the part about the big IF for a better explanation. 


It's applications like these that have driven me to conclude that those fields should match and should be a globally unique id. Having them be domain specific won't be enough, and forest specific won't be enough either if you ever decide to follow Microsoft's latest idea about multiple forests on a corporate network. ;) That's because when the identities collide, there will be issues. And that would be a bad thing to try and work out because users hate it when you mess with their identity. Ugly things happen in that situation more often than not and it's a shame because they can be avoided so easily IMHO. 


Al


On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
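
Al's point about escape characters, shown as an added example that is not part of the original post or of any product's code: a display-name style cn needs RFC 4514 escaping in the bind DN and a second round of RFC 4515 escaping when that DN is used inside a search filter, while a plain unique id needs neither. The function names, the OU and the user names are constructed for illustration.

```python
"""Added illustration: DN and search-filter escaping for LDAP user lookups.
All names, the OU and the domain below are constructed sample values."""

# RFC 4514 section 2.4: characters that must be backslash-escaped in a DN value.
DN_SPECIAL = '"+,;<>\\'

# RFC 4515 section 3: characters that must be hex-escaped in a filter value.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

CONTAINER = "OU=Staff,DC=example,DC=com"  # constructed sample container


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value (for example a cn) per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            # Leading space or '#', and trailing space, are also special.
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value per RFC 4515 so that text typed by a
    user cannot add wildcards or extra clauses to the search."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn(cn: str, container: str = CONTAINER) -> str:
    """Build the DN an application would bind as or search under."""
    return "CN=%s,%s" % (escape_dn_value(cn), container)


def logon_filter(logon_name: str) -> str:
    """User search keyed on the NT logon id rather than on the display name."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(sAMAccountName=%s))" % escape_filter_value(logon_name))


def member_filter(dn: str) -> str:
    """A DN used as a filter value is escaped a second time: the backslashes
    added by DN escaping become \\5c in the filter."""
    return "(member=%s)" % escape_filter_value(dn)


def needs_dn_escaping(cn: str) -> bool:
    """True when the cn cannot be dropped into a DN as-is."""
    return escape_dn_value(cn) != cn


if __name__ == "__main__":
    # A display-name cn next to a unique-id cn (both constructed).
    for cn in ("Smith, John", "jsmith"):
        dn = user_dn(cn)
        print("cn              :", cn)
        print("needs escaping  :", needs_dn_escaping(cn))
        print("DN              :", dn)
        print("as filter value :", member_filter(dn))
        print()
    # Hostile logon-box input stays a literal value after escaping.
    print(logon_filter("j*)(cn=*"))
```
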



RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Dean Wells
 Maybe I can help w/ the ego (after all I consider trimming Dean's ego
 one of my higher callings in life ;-) ...
Remain focused on your own for now.  Once you no longer feel the need to
wear t-shirts with your own face on them, you can probably rest assured that
you're safe to begin on mine ;0)

... uhhh, okey dokes :0/

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Tuesday, August 15, 2006 9:12 AM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article
 
 Maybe I can help w/ the ego (after all I consider trimming Dean's ego
 one of my higher callings in life ;-) ...
 
 Dean, you said you didn't mind if we continued to discuss this thread
 at one point (a at the time highly volatile thread, which I decided to
 let settle down), do you remember this thread:
 
 http://www.mail-archive.com/activedir@mail.activedir.org/msg32470.html
 
 Where I think you basically conveyed (IMNHO) I didn't know what I was
 talking about in regards to what is required for a DS implementation
 ...
 
 From your two emails in that thread, first you said:
 
  ... that the process of injecting the phantom isn't a behavioral
  requirement imposed or carried out by the directory service itself.
  It is a requirement imposed by the underlying database and is
  necessary because of the mechanism used by ESE to provide uniform
  representation of object references (i.e. link pairs).
 
 Then in a subsequent email:
 
  Nod, I understand your point but, to me, it's a matter of perspective
  -- where does the directory begin and end?  From a developers
  standpoint, the directory may well be a whole component neatly
  organized into a single area of a source tree.  From my perspective,
  the term directory (in this context) is used to relay the concept of
 a
  (mostly) standards based component with predictable features,
  interfaces, behaviors, structures, underlying mechanisms, etc.
 
 Any directory service has a form of the infrastructure master DN-
 cleanup problem, when the cross-reference spans replication scopes,
 irregardless of underlying database technology, ESE, or SQL Server, or
 anything else you can think of.  If they seemingly don't have this
 problem, then there is some form of replication happening and thus the
 DN isn't really crossing replication scopes (that's why the GC doesn't
 have this problem ... as you pointed out in part 1 of the article).
 
 So I'd argue the last 2 lines in the first quote were wrong in two
 ways:
 (A) ESE doesn't provide uniform representation of object references.
 That's just patently incorrect.  And (B) this isn't an ESE
 implementation detail, it is a DS implementation detail for being
 constructed on any kind of database that isn't performing replication
 (same as SQL, MySQL, BerkeleyDB, whatever NDS used, or ESE)?  I just
 want it on record ...
 8/17/2005, Dean was wrong once.
 
 Thanks,
 BrettSh
 ex-Garage Door Operator #7.
 
 
 On Mon, 14 Aug 2006, Dean Wells wrote:
 
  Cheeky git . my head, your stomach . at least we'll have the plane to
  ourselves!  :0)
 
 
 
  Best start working on that pilot's license!
 
  --
  Dean Wells
  MSEtechnology
  * Email: [EMAIL PROTECTED]
  http://msetechnology.com http://msetechnology.com/
 
 
 
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, August 14, 2006 5:09 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir][OT]Dean's kick-a## article
 
 
 
  Hey I sometimes have to ride on planes with that guy, don't swell his
 ego
  too much... I want to be able to sit on the plane.
 
 
 
  :)
 
 
 
  --
 
  O'Reilly Active Directory Third Edition -
  http://www.joeware.net/win/ad3e.htm
 
 
 
 
 
 
 
_
 
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
  Weerasinghe
  Sent: Monday, August 14, 2006 3:02 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir]
 
  joe said pretty decent http://blog.joeware.net/2006/06/08/400/
 
 
 
  I think that's an understatement ;-)
 
 
 
  However, my profuse thanks to joe too. I wasn't aware of the article
 until he
  blogged it.
 
 
 
  M@
 
 
 
  On 8/14/06, Dean Wells [EMAIL PROTECTED] wrote:
 
  Why thank you . but who said otherwise?  ;0)
 
  --
  Dean Wells
  MSE technology
  * Email: [EMAIL PROTECTED]
  http://msetechnology.com http://msetechnology.com/
 
 
 
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
  Weerasinghe
  Sent: Monday, August 14, 2006 2:35 PM
 
 
  To: ActiveDir@mail.activedir.org
 
  Subject: Re: [ActiveDir]
 
 
 
 
  http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463
 

RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Brett Shirley
Ego isn't wearing a t-shirt with your own picture on it, ego is insisting
others wear a t-shirt with your picture on it ... 

So was that it, Dean?  Were you conceding my point, I couldn't tell (like
maybe the okey dokes was like whatever, blow brett off) ... or do you
still feel this is all database specific implementation detail?  As
opposed to my position that this is directory service implementation
detail (for AD in the dblayer of the DS)?  A directory service needs this
in order to function correctly across regular replication scopes.

Cheers,
BrettSh

On Tue, 15 Aug 2006, Dean Wells wrote:

  Maybe I can help w/ the ego (after all I consider trimming Dean's ego
  one of my higher callings in life ;-) ...
 Remain focused on your own for now.  Once you no longer feel the need to
 wear t-shirts with your own face on them, you can probably rest assured that
 you're safe to begin on mine ;0)
 
 ... uhhh, okey dokes :0/
 
 --
 Dean Wells
 MSEtechnology
 t Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Brett Shirley
  Sent: Tuesday, August 15, 2006 9:12 AM
  To: ActiveDir@mail.activedir.org
  Cc: Send - AD mailing list
  Subject: RE: [ActiveDir][OT]Dean's kick-a## article
  
  Maybe I can help w/ the ego (after all I consider trimming Dean's ego
  one of my higher callings in life ;-) ...
  
  Dean, you said you didn't mind if we continued to discuss this thread
  at one point (a at the time highly volatile thread, which I decided to
  let settle down), do you remember this thread:
  
  http://www.mail-archive.com/activedir@mail.activedir.org/msg32470.html
  
  Where I think you basically conveyed (IMNHO) I didn't know what I was
  talking about in regards to what is required for a DS implementation
  ...
  
  From your two emails in that thread, first you said:
  
   ... that the process of injecting the phantom isn't a behavioral
   requirement imposed or carried out by the directory service itself.
   It is a requirement imposed by the underlying database and is
   necessary because of the mechanism used by ESE to provide uniform
   representation of object references (i.e. link pairs).
  
  Then in a subsequent email:
  
   Nod, I understand your point but, to me, it's a matter of perspective
   -- where does the directory begin and end?  From a developers
   standpoint, the directory may well be a whole component neatly
   organized into a single area of a source tree.  From my perspective,
   the term directory (in this context) is used to relay the concept of
  a
   (mostly) standards based component with predictable features,
   interfaces, behaviors, structures, underlying mechanisms, etc.
  
  Any directory service has a form of the infrastructure master DN-
  cleanup problem, when the cross-reference spans replication scopes,
  irregardless of underlying database technology, ESE, or SQL Server, or
  anything else you can think of.  If they seemingly don't have this
  problem, then there is some form of replication happening and thus the
  DN isn't really crossing replication scopes (that's why the GC doesn't
  have this problem ... as you pointed out in part 1 of the article).
  
  So I'd argue the last 2 lines in the first quote were wrong in two
  ways:
  (A) ESE doesn't provide uniform representation of object references.
  That's just patently incorrect.  And (B) this isn't an ESE
  implementation detail, it is a DS implementation detail for being
  constructed on any kind of database that isn't performing replication
  (same as SQL, MySQL, BerkeleyDB, whatever NDS used, or ESE)?  I just
  want it on record ...
  8/17/2005, Dean was wrong once.
  
  Thanks,
  BrettSh
  ex-Garage Door Operator #7.
  
  
  On Mon, 14 Aug 2006, Dean Wells wrote:
  
   Cheeky git . my head, your stomach . at least we'll have the plane to
   ourselves!  :0)
  
  
  
   Best start working on that pilot's license!
  
   --
   Dean Wells
   MSEtechnology
   * Email: [EMAIL PROTECTED]
   http://msetechnology.com http://msetechnology.com/
  
  
  
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of joe
   Sent: Monday, August 14, 2006 5:09 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir][OT]Dean's kick-a## article
  
  
  
   Hey I sometimes have to ride on planes with that guy, don't swell his
  ego
   too much... I want to be able to sit on the plane.
  
  
  
   :)
  
  
  
   --
  
   O'Reilly Active Directory Third Edition -
   http://www.joeware.net/win/ad3e.htm
  
  
  
  
  
  
  
 _
  
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
   Weerasinghe
   Sent: Monday, August 14, 2006 3:02 PM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir]
  
   joe said pretty decent http://blog.joeware.net/2006/06/08/400/
  
  
  
   I think that's an understatement ;-)
  
  
  
   However, my profuse thanks to joe too. I 

Re: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Are said TShirts for sale?

I can envision the next MVP summit with a room full of Bretts.

(www.cafepress.com  there can be a Brett Store with Brett merchandise)

Brett Shirley wrote:

Ego isn't wearing a t-shirt with your own picture on it, ego is insisting
others wear a t-shirt with your picture on it ... 


So was that it, Dean?  Were you conceding my point, I couldn't tell (like
maybe the okey dokes was like whatever, blow brett off) ... or do you
still feel this is all database specific implementation detail?  As
opposed to my position that this is directory service implementation
detail (for AD in the dblayer of the DS)?  A directory service needs this
in order to function correctly across regular replication scopes.

Cheers,
BrettSh

On Tue, 15 Aug 2006, Dean Wells wrote:

  

Maybe I can help w/ the ego (after all I consider trimming Dean's ego
one of my higher callings in life ;-) ...
  

Remain focused on your own for now.  Once you no longer feel the need to
wear t-shirts with your own face on them, you can probably rest assured that
you're safe to begin on mine ;0)

... uhhh, okey dokes :0/

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com



-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, August 15, 2006 9:12 AM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: RE: [ActiveDir][OT]Dean's kick-a## article

Maybe I can help w/ the ego (after all I consider trimming Dean's ego
one of my higher callings in life ;-) ...

Dean, you said you didn't mind if we continued to discuss this thread
at one point (a at the time highly volatile thread, which I decided to
let settle down), do you remember this thread:

   http://www.mail-archive.com/activedir@mail.activedir.org/msg32470.html

Where I think you basically conveyed (IMNHO) I didn't know what I was
talking about in regards to what is required for a DS implementation
...

From your two emails in that thread, first you said:

  

... that the process of injecting the phantom isn't a behavioral
requirement imposed or carried out by the directory service itself.
It is a requirement imposed by the underlying database and is
necessary because of the mechanism used by ESE to provide uniform
representation of object references (i.e. link pairs).


Then in a subsequent email:

  

Nod, I understand your point but, to me, it's a matter of perspective
-- where does the directory begin and end?  From a developers
standpoint, the directory may well be a whole component neatly
organized into a single area of a source tree.  From my perspective,
the term directory (in this context) is used to relay the concept of


a
  

(mostly) standards based component with predictable features,
interfaces, behaviors, structures, underlying mechanisms, etc.


Any directory service has a form of the infrastructure master DN-
cleanup problem, when the cross-reference spans replication scopes,
irregardless of underlying database technology, ESE, or SQL Server, or
anything else you can think of.  If they seemingly don't have this
problem, then there is some form of replication happening and thus the
DN isn't really crossing replication scopes (that's why the GC doesn't
have this problem ... as you pointed out in part 1 of the article).

So I'd argue the last 2 lines in the first quote were wrong in two
ways:
(A) ESE doesn't provide uniform representation of object references.
That's just patently incorrect.  And (B) this isn't an ESE
implementation detail, it is a DS implementation detail for being
constructed on any kind of database that isn't performing replication
(same as SQL, MySQL, BerkeleyDB, whatever NDS used, or ESE)?  I just
want it on record ...
8/17/2005, Dean was wrong once.

Thanks,
BrettSh
ex-Garage Door Operator #7.


On Mon, 14 Aug 2006, Dean Wells wrote:

  

Cheeky git . my head, your stomach . at least we'll have the plane to
ourselves!  :0)



Best start working on that pilot's license!

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com http://msetechnology.com/



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT]Dean's kick-a## article



Hey I sometimes have to ride on planes with that guy, don't swell his


ego
  

too much... I want to be able to sit on the plane.



:)



--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm







  _

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, August 14, 2006 3:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

joe said pretty decent http://blog.joeware.net/2006/06/08/400/



I think that's an understatement ;-)



However, my profuse thanks to joe too. I wasn't aware of the article

Re: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Mark Parris
Wouldn't a t-shirt about defending security infrastructures with Darth Tandon 
on it be more fun?



-Original Message-
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
Date: Tue, 15 Aug 2006 09:01:39 
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir][OT]Dean's kick-a## article

Are said TShirts for sale?

I can envision the next MVP summit with a room full of Bretts.

(www.cafepress.com  there can be a Brett Store with Brett merchandise)

Brett Shirley wrote:
 Ego isn't wearing a t-shirt with your own picture on it, ego is insisting
 others wear a t-shirt with your picture on it ... 

 So was that it, Dean?  Were you conceding my point, I couldn't tell (like
 maybe the okey dokes was like whatever, blow brett off) ... or do you
 still feel this is all database specific implementation detail?  As
 opposed to my position that this is directory service implementation
 detail (for AD in the dblayer of the DS)?  A directory service needs this
 in order to function correctly across regular replication scopes.

 Cheers,
 BrettSh

 On Tue, 15 Aug 2006, Dean Wells wrote:

   
 Maybe I can help w/ the ego (after all I consider trimming Dean's ego
 one of my higher callings in life ;-) ...
   
 Remain focused on your own for now.  Once you no longer feel the need to
 wear t-shirts with your own face on them, you can probably rest assured that
 you're safe to begin on mine ;0)

 ... uhhh, okey dokes :0/

 --
 Dean Wells
 MSEtechnology
 t Email: [EMAIL PROTECTED]
 http://msetechnology.com

 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Tuesday, August 15, 2006 9:12 AM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article

 Maybe I can help w/ the ego (after all I consider trimming Dean's ego
 one of my higher callings in life ;-) ...

 Dean, you said you didn't mind if we continued to discuss this thread
 at one point (a at the time highly volatile thread, which I decided to
 let settle down), do you remember this thread:

 http://www.mail-archive.com/activedir@mail.activedir.org/msg32470.html

 Where I think you basically conveyed (IMNHO) I didn't know what I was
 talking about in regards to what is required for a DS implementation
 ...

 From your two emails in that thread, first you said:

   
 ... that the process of injecting the phantom isn't a behavioral
 requirement imposed or carried out by the directory service itself.
 It is a requirement imposed by the underlying database and is
 necessary because of the mechanism used by ESE to provide uniform
 representation of object references (i.e. link pairs).
 
 Then in a subsequent email:

   
 Nod, I understand your point but, to me, it's a matter of perspective
 -- where does the directory begin and end?  From a developers
 standpoint, the directory may well be a whole component neatly
 organized into a single area of a source tree.  From my perspective,
 the term directory (in this context) is used to relay the concept of
 
 a
   
 (mostly) standards based component with predictable features,
 interfaces, behaviors, structures, underlying mechanisms, etc.
 
 Any directory service has a form of the infrastructure master DN-
 cleanup problem, when the cross-reference spans replication scopes,
 irregardless of underlying database technology, ESE, or SQL Server, or
 anything else you can think of.  If they seemingly don't have this
 problem, then there is some form of replication happening and thus the
 DN isn't really crossing replication scopes (that's why the GC doesn't
 have this problem ... as you pointed out in part 1 of the article).

 So I'd argue the last 2 lines in the first quote were wrong in two
 ways:
 (A) ESE doesn't provide uniform representation of object references.
 That's just patently incorrect.  And (B) this isn't an ESE
 implementation detail, it is a DS implementation detail for being
 constructed on any kind of database that isn't performing replication
 (same as SQL, MySQL, BerkeleyDB, whatever NDS used, or ESE)?  I just
 want it on record ...
 8/17/2005, Dean was wrong once.

 Thanks,
 BrettSh
 ex-Garage Door Operator #7.


 On Mon, 14 Aug 2006, Dean Wells wrote:

   
 Cheeky git . my head, your stomach . at least we'll have the plane to
 ourselves!  :0)



 Best start working on that pilot's license!

 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com http://msetechnology.com/



 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Monday, August 14, 2006 5:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article



 Hey I sometimes have to ride on planes with that guy, don't swell his
 
 ego
   
 too much... I want to be able to sit on the plane.



 :)



 --

 O'Reilly Active Directory Third Edition -

RE: [ActiveDir] Adding the first Win2003 R2 DC

2006-08-15 Thread Jim Patton








Thanks for the info. I'm looking at upgrading my DCs from 2003 sp1 to R2.
Steve Linehan's instructions are very helpful.



Jim











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 15, 2006 4:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC





I fixed this issue with ldp and Steve Linehan's instructions to the list
about two weeks ago. Microsoft supposedly has an unofficial patch to fix
this issue. Talk to your TAM.



Mike Thommes











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 15, 2006 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC





All of the issues I have heard of around
R2 ForestPrep have been around the mangling of the SFU attributes that has been
discussed here. 



I am not sure why MSFT is acting surprised
about it. Aric Bernard (from the list here) encountered it and told them about
it in the beta groups a long long time ago. 







--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Patton
Sent: Monday, August 14, 2006 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC

Did you run into any issues performing
this upgrade?











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, July 27, 2006 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC





Thanks to all for the responses.





Bryan Lucas

Server Administrator

Texas Christian University











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, July 27, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding the first Win2003 R2 DC







You need to run forestprep from the R2 CD on your schema master. 











Paul has a nice summary here:











http://www.msresource.net/content/view/60/47/












and more from Microsoft 





http://technet2.microsoft.com/WindowsServer/en/library/5022eea0-54bc-422f-b98b-ddb836c8ee851033.mspx?mfr=true












Thanks





Mike

























On 7/27/06, Lucas, Bryan [EMAIL PROTECTED] wrote:








I have 4 DC's that are Win2003 SP1 and 1 DC that is still Win2000 SP4. I'd like
to add a new DC that is Win2003 R2. Is there anything special I need to
do (i.e. forestprep/domainprep) or can I join it just like another Win2003 SP1
DC?



Thanks,



Bryan Lucas

Server Administrator

Texas Christian University





















RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread joe
I would wear that... But on the back it has to say 

  Brett Says: 
 FSQL! 



I've seen some of the SQL MVPs, I think the DS MVPS can take em! The
Exchange MVPs can have our backs too... Because we all know what happens to
Exchange if AD gets messed up.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 15, 2006 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir][OT]Dean's kick-a## article

Are said TShirts for sale?

I can envision the next MVP summit with a room full of Bretts.

(www.cafepress.com  there can be a Brett Store with Brett merchandise)

Brett Shirley wrote:
 Ego isn't wearing a t-shirt with your own picture on it, ego is insisting
 others wear a t-shirt with your picture on it ... 

 So was that it, Dean?  Were you conceding my point, I couldn't tell (like
 maybe the okey dokes was like whatever, blow brett off) ... or do you
 still feel this is all database specific implementation detail?  As
 opposed to my position that this is directory service implementation
 detail (for AD in the dblayer of the DS)?  A directory service needs this
 in order to function correctly across regular replication scopes.

 Cheers,
 BrettSh

 On Tue, 15 Aug 2006, Dean Wells wrote:

   
 Maybe I can help w/ the ego (after all I consider trimming Dean's ego
 one of my higher callings in life ;-) ...
   
 Remain focused on your own for now.  Once you no longer feel the need to
 wear t-shirts with your own face on them, you can probably rest assured
that
 you're safe to begin on mine ;0)

 ... uhhh, okey dokes :0/

 --
 Dean Wells
 MSEtechnology
 t Email: [EMAIL PROTECTED]
 http://msetechnology.com

 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Tuesday, August 15, 2006 9:12 AM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article

 Maybe I can help w/ the ego (after all I consider trimming Dean's ego
 one of my higher callings in life ;-) ...

 Dean, you said you didn't mind if we continued to discuss this thread
 at one point (a at the time highly volatile thread, which I decided to
 let settle down), do you remember this thread:

 http://www.mail-archive.com/activedir@mail.activedir.org/msg32470.html

 Where I think you basically conveyed (IMNHO) I didn't know what I was
 talking about in regards to what is required for a DS implementation
 ...

 From your two emails in that thread, first you said:

   
 ... that the process of injecting the phantom isn't a behavioral
 requirement imposed or carried out by the directory service itself.
 It is a requirement imposed by the underlying database and is
 necessary because of the mechanism used by ESE to provide uniform
 representation of object references (i.e. link pairs).
 
 Then in a subsequent email:

   
 Nod, I understand your point but, to me, it's a matter of perspective
 -- where does the directory begin and end?  From a developers
 standpoint, the directory may well be a whole component neatly
 organized into a single area of a source tree.  From my perspective,
 the term directory (in this context) is used to relay the concept of
 
 a
   
 (mostly) standards based component with predictable features,
 interfaces, behaviors, structures, underlying mechanisms, etc.
 
 Any directory service has a form of the infrastructure master DN-
 cleanup problem, when the cross-reference spans replication scopes,
 irregardless of underlying database technology, ESE, or SQL Server, or
 anything else you can think of.  If they seemingly don't have this
 problem, then there is some form of replication happening and thus the
 DN isn't really crossing replication scopes (that's why the GC doesn't
 have this problem ... as you pointed out in part 1 of the article).

 So I'd argue the last 2 lines in the first quote were wrong in two
 ways:
 (A) ESE doesn't provide uniform representation of object references.
 That's just patently incorrect.  And (B) this isn't an ESE
 implementation detail, it is a DS implementation detail for being
 constructed on any kind of database that isn't performing replication
 (same as SQL, MySQL, BerkleyDB, whatever NDS used, or ESE)?  I just
 want it on record ...
 8/17/2005, Dean was wrong once.

 Thanks,
 BrettSh
 ex-Garage Door Operator #7.


 On Mon, 14 Aug 2006, Dean Wells wrote:

   
 Cheeky git . my head, your stomach . at least we'll have the plane to
 ourselves!  :0)



 Best start working on that pilot's license!

 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com http://msetechnology.com/



 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Monday, 

RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Dean Wells
Inline ...

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Tuesday, August 15, 2006 11:31 AM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article
 
 Ego isn't wearing a t-shirt with your own picture on it, ego is
 insisting others wear a t-shirt with your picture on it ...

Heh, it seems we differ on more than this topic alone then.
 
 So was that it, Dean?  Were you conceding my point, I couldn't tell
 (like maybe the okey dokes was like whatever, blow brett off) ...
 or do you still feel this is all database specific implementation
 detail?  As opposed to my position that this is directory service
 implementation detail (for AD in the dblayer of the DS)?  A directory
 service needs this in order to function correctly across regular
 replication scopes.

You read it correctly, I'm not interested in debating something that was
closed with [BrettSh] 8/17/2005, Dean was wrong once ... your intention's
clear enough to me.

PS - my position hasn't changed.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] ADFind Query

2006-08-15 Thread WATSON, BEN
Yes I was Dean, thanks for providing such a great utility.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 15, 2006 6:04 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ADFind Query

I'll assume for the moment that you were able to get it from the web
site,
let me know if otherwise.

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of WATSON, BEN
 Sent: Monday, August 14, 2006 8:22 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADFind Query
 
 Hi Dean,
 
 Any chance you could password protect that zip and simply place the
 password in the body of the e-mail?  Our e-mail gateway was all too
 happy to empty out the contents.
 
 Thanks,
 ~Ben
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: Monday, August 14, 2006 5:12 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] ADFind Query
 
 Hey Tony,
 
 I tried posting it earlier but it hasn't appeared as yet nor did it
 bounce.
 I'm uncertain as to the version on the activedir.org site so I've
tried
 posting another, smaller zipped enclosure in the hopes that this one
 will make it through.
 
 --
 Dean Wells
 MSEtechnology
 t Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Tony Murray
  Sent: Monday, August 14, 2006 8:03 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] ADFind Query
 
  Have a look at Dean's SchemaDiff on the download page:
 
  http://www.activedir.org/Downloads/Downloads.aspx
 
  Tony
  -- Original Message --
  From: WATSON, BEN [EMAIL PROTECTED]
  Reply-To: ActiveDir@mail.activedir.org
  Date:  Mon, 14 Aug 2006 14:28:47 -0700
 
  Hey guys,
 
 
 
  Simple question.  I'm trying to perform a search to locate all the
  schema extensions that have been added in by our company.
 
 
 
  I thought some simple syntax like this would work to find all schema
  attributes with an attributeID prefixed with our OID.
 
  adfind -schema -f attributeID=1.3.6.1.4.1.14376.*
 
  ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such Attribute
 
 
 
  I'm obviously missing something, any thoughts?
 
 
 
  Thanks,
 
  ~Ben
 
 
 
 
 
 
 
 
  
  Sent via the WebMail system at mail.activedir.org
 
 
 
 


RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Medeiros, Jose
I'll buy a T-shirt.

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 15, 2006 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir][OT]Dean's kick-a## article

Are said TShirts for sale?

I can envision the next MVP summit with a room full of Bretts.

(www.cafepress.com  there can be a Brett Store with Brett
merchandise)

Brett Shirley wrote:
 Ego isn't wearing a t-shirt with your own picture on it, ego is
insisting
 others wear a t-shirt with your picture on it ... 

 So was that it, Dean?  Were you conceding my point, I couldn't tell
(like
 maybe the okey dokes was like whatever, blow brett off) ... or do
you
 still feel this is all database specific implementation detail?  As
 opposed to my position that this is directory service implementation
 detail (for AD in the dblayer of the DS)?  A directory service needs
this
 in order to function correctly across regular replication scopes.

 Cheers,
 BrettSh

 On Tue, 15 Aug 2006, Dean Wells wrote:

   
 Maybe I can help w/ the ego (after all I consider trimming Dean's
ego
 one of my higher callings in life ;-) ...
   
 Remain focused on your own for now.  Once you no longer feel the need
to
 wear t-shirts with your own face on them, you can probably rest
assured that
 you're safe to begin on mine ;0)

 ... uhhh, okey dokes :0/

 --
 Dean Wells
 MSEtechnology
 t Email: [EMAIL PROTECTED]
 http://msetechnology.com

 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Tuesday, August 15, 2006 9:12 AM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article

 Maybe I can help w/ the ego (after all I consider trimming Dean's
ego
 one of my higher callings in life ;-) ...

 Dean, you said you didn't mind if we continued to discuss this
thread
 at one point (a at the time highly volatile thread, which I decided
to
 let settle down), do you remember this thread:

http://www.mail-
 archive.com/activedir@mail.activedir.org/msg32470.html

 Where I think you basically conveyed (IMNHO) I didn't know what I
was
 talking about in regards to what is required for a DS implementation
 ...

 From your two emails in that thread, first you said:

   
 ... that the process of injecting the phantom isn't a behavioral
 requirement imposed or carried out by the directory service itself.
 It is a requirement imposed by the underlying database and is
 necessary because of the mechanism used by ESE to provide uniform
 representation of object references (i.e. link pairs).
 
 Then in a subsequent email:

   
 Nod, I understand your point but, to me, it's a matter of
perspective
 -- where does the directory begin and end?  From a developers
 standpoint, the directory may well be a whole component neatly
 organized into a single area of a source tree.  From my
perspective,
 the term directory (in this context) is used to relay the concept
of
 
 a
   
 (mostly) standards based component with predictable features,
 interfaces, behaviors, structures, underlying mechanisms, etc.
 
 Any directory service has a form of the infrastructure master DN-
 cleanup problem, when the cross-reference spans replication
scopes,
 irregardless of underlying database technology, ESE, or SQL Server,
or
 anything else you can think of.  If they seemingly don't have this
 problem, then there is some form of replication happening and thus
the
 DN isn't really crossing replication scopes (that's why the GC
doesn't
 have this problem ... as you pointed out in part 1 of the article).

 So I'd argue the last 2 lines in the first quote were wrong in two
 ways:
 (A) ESE doesn't provide uniform representation of object references.
 That's just patently incorrect.  And (B) this isn't an ESE
 implementation detail, it is a DS implementation detail for being
 constructed on any kind of database that isn't performing
replication
 (same as SQL, MySQL, BerkleyDB, whatever NDS used, or ESE)?  I just
 want it on record ...
 8/17/2005, Dean was wrong once.

 Thanks,
 BrettSh
 ex-Garage Door Operator #7.


 On Mon, 14 Aug 2006, Dean Wells wrote:

   
 Cheeky git . my head, your stomach . at least we'll have the plane
to
 ourselves!  :0)



 Best start working on that pilot's license!

 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com http://msetechnology.com/



 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Monday, August 14, 2006 5:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article



 Hey I sometimes have to ride on planes with that guy, don't swell
his
 
 ego
   
 too much... I want to be able to sit on the plane.



 :)



 --

 O'Reilly Active Directory Third Edition -
 

RE: [ActiveDir] ADFind Query

2006-08-15 Thread Dean Wells
Most welcome, glad it's working out for you.

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of WATSON, BEN
 Sent: Tuesday, August 15, 2006 12:48 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADFind Query
 
 Yes I was Dean, thanks for providing such a great utility.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: Tuesday, August 15, 2006 6:04 AM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] ADFind Query
 
 I'll assume for the moment that you were able to get it from the web
 site, let me know if otherwise.
 
 --
 Dean Wells
 MSEtechnology
 t Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of WATSON, BEN
  Sent: Monday, August 14, 2006 8:22 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ADFind Query
 
  Hi Dean,
 
  Any chance you could password protect that zip and simply place the
  password in the body of the e-mail?  Our e-mail gateway was all too
  happy to empty out the contents.
 
  Thanks,
  ~Ben
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Monday, August 14, 2006 5:12 PM
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] ADFind Query
 
  Hey Tony,
 
  I tried posting it earlier but it hasn't appeared as yet nor did it
  bounce.
  I'm uncertain as to the version on the activedir.org site so I've
 tried
  posting another, smaller zipped enclosure in the hopes that this one
  will make it through.
 
  --
  Dean Wells
  MSEtechnology
  t Email: [EMAIL PROTECTED]
  http://msetechnology.com
 
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:ActiveDir-
   [EMAIL PROTECTED] On Behalf Of Tony Murray
   Sent: Monday, August 14, 2006 8:03 PM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] ADFind Query
  
   Have a look at Dean's SchemaDiff on the download page:
  
   http://www.activedir.org/Downloads/Downloads.aspx
  
   Tony
   -- Original Message --
   From: WATSON, BEN [EMAIL PROTECTED]
   Reply-To: ActiveDir@mail.activedir.org
   Date:  Mon, 14 Aug 2006 14:28:47 -0700
  
   Hey guys,
  
  
  
   Simple question.  I'm trying to perform a search to locate all the
   schema extensions that have been added in by our company.
  
  
  
   I thought some simple syntax like this would work to find all schema
   attributes with an attributeID prefixed with our OID.
  
   adfind -schema -f attributeID=1.3.6.1.4.1.14376.*
  
   ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such Attribute
  
  
  
   I'm obviously missing something, any thoughts?
  
  
  
   Thanks,
  
   ~Ben
  
  
  
  
  
  
  
  
   
   Sent via the WebMail system at mail.activedir.org
  
  
  
  



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
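
For the question quoted at the bottom of this message (finding schema attributes whose attributeID sits under a company OID), the following is an added example, not code from any list member or from the ADFind author. It filters a CSV dump of the schema on whole OID arcs, and for comparison shows what an unanchored regex match on the same dump returns. The CSV column layout and every row in the sample are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample of a schema dump in CSV form (dn, ldapDisplayName, attributeID).
# Column layout is an assumption; names and OIDs other than cn's are invented.
SAMPLE_CSV = '''"dn","ldapdisplayname","attributeid"
"CN=Common-Name,CN=Schema,CN=Configuration,DC=example,DC=com","cn","2.5.4.3"
"CN=corp-CostCenter,CN=Schema,CN=Configuration,DC=example,DC=com","corpCostCenter","1.3.6.1.4.1.14376.1.2"
"CN=corp-BadgeNumber,CN=Schema,CN=Configuration,DC=example,DC=com","corpBadgeNumber","1.3.6.1.4.1.14376.1.1"
"CN=other-Attr,CN=Schema,CN=Configuration,DC=example,DC=com","otherAttr","1.3.6.1.4.1.143760.5"
"CN=odd-Attr,CN=Schema,CN=Configuration,DC=example,DC=com","oddAttr","1.3.6.1.4.1914376.9"
"CN=User,CN=Schema,CN=Configuration,DC=example,DC=com","user",""
'''


def parse_oid(text):
    """Return a dotted-decimal OID as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) < 2:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def under_arc(oid, arc):
    """True when oid lies strictly below arc, compared arc by arc."""
    return len(oid) > len(arc) and oid[:len(arc)] == arc


def find_extensions(csv_text, prefix):
    """Return (ldapDisplayName, attributeID) pairs below the given OID prefix."""
    arc = parse_oid(prefix)
    if arc is None:
        raise ValueError("prefix is not a dotted-decimal OID: %r" % prefix)
    hits = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        # Header case may differ between tools, so normalise the keys.
        row = {k.lower(): v for k, v in raw.items()}
        oid = parse_oid(row.get("attributeid") or "")
        if oid is not None and under_arc(oid, arc):
            hits.append((row["ldapdisplayname"], row["attributeid"]))
    # Sort numerically by arc so 1.10 comes after 1.2.
    return sorted(hits, key=lambda h: parse_oid(h[1]))


def grep_like(csv_text, pattern):
    """Names on lines matched by an unanchored, case-insensitive regex.

    Models piping the dump through a regex filter: '.' matches any character
    and nothing stops the match at an arc boundary.
    """
    names = []
    for line in csv_text.splitlines()[1:]:
        if re.search(pattern, line, re.IGNORECASE):
            names.append(next(csv.reader([line]))[1])
    return names


if __name__ == "__main__":
    prefix = "1.3.6.1.4.1.14376"
    print("arc-aware:", find_extensions(SAMPLE_CSV, prefix))
    print("regex    :", grep_like(SAMPLE_CSV, prefix))
```

The regex filter also returns `otherAttr` and `oddAttr`, which belong to different enterprise arcs, so a schema audit based on it would over-report.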


[ActiveDir] ADSIEdit unable to enumerate list of objects that a group can create

2006-08-15 Thread Bernier, Brandon \(.\)
OK..I'm probably doing something silly here but I need more insight on how ADSIEdit enumerates what object types you can create..

The scenario is I have 1 OU and in that OU I have a Group that I've ACL'd to create/delete ms-DS-Az-Admin-Manager objects and mod some attributes on it in that OU. So I bind up as a User in this Group using ADSIEdit and try to create an instance of this object, well that list is empty..so I can't create jack. What am I missing? I'll write a quick little VBScript to test that out, but in the meantime what gives? Thanks!

-Brandon







RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Alex Alborzfard
So would I...with a picture of a squeaky lobster in the back!

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 15, 2006 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT]Dean's kick-a## article

I'll buy a T-shirt.

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 15, 2006 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir][OT]Dean's kick-a## article

Are said TShirts for sale?

I can envision the next MVP summit with a room full of Bretts.

(www.cafepress.com  there can be a Brett Store with Brett
merchandise)

Brett Shirley wrote:
 Ego isn't wearing a t-shirt with your own picture on it, ego is
insisting
 others wear a t-shirt with your picture on it ... 

 So was that it, Dean?  Were you conceding my point, I couldn't tell
(like
 maybe the okey dokes was like whatever, blow brett off) ... or do
you
 still feel this is all database specific implementation detail?  As
 opposed to my position that this is directory service implementation
 detail (for AD in the dblayer of the DS)?  A directory service needs
this
 in order to function correctly across regular replication scopes.

 Cheers,
 BrettSh

 On Tue, 15 Aug 2006, Dean Wells wrote:

   
 Maybe I can help w/ the ego (after all I consider trimming Dean's
ego
 one of my higher callings in life ;-) ...
   
 Remain focused on your own for now.  Once you no longer feel the need
to
 wear t-shirts with your own face on them, you can probably rest
assured that
 you're safe to begin on mine ;0)

 ... uhhh, okey dokes :0/

 --
 Dean Wells
 MSEtechnology
 t Email: [EMAIL PROTECTED]
 http://msetechnology.com

 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Tuesday, August 15, 2006 9:12 AM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article

 Maybe I can help w/ the ego (after all I consider trimming Dean's
ego
 one of my higher callings in life ;-) ...

 Dean, you said you didn't mind if we continued to discuss this
thread
 at one point (a at the time highly volatile thread, which I decided
to
 let settle down), do you remember this thread:

http://www.mail-
 archive.com/activedir@mail.activedir.org/msg32470.html

 Where I think you basically conveyed (IMNHO) I didn't know what I
was
 talking about in regards to what is required for a DS implementation
 ...

 From your two emails in that thread, first you said:

   
 ... that the process of injecting the phantom isn't a behavioral
 requirement imposed or carried out by the directory service itself.
 It is a requirement imposed by the underlying database and is
 necessary because of the mechanism used by ESE to provide uniform
 representation of object references (i.e. link pairs).
 
 Then in a subsequent email:

   
 Nod, I understand your point but, to me, it's a matter of
perspective
 -- where does the directory begin and end?  From a developers
 standpoint, the directory may well be a whole component neatly
 organized into a single area of a source tree.  From my
perspective,
 the term directory (in this context) is used to relay the concept
of
 
 a
   
 (mostly) standards based component with predictable features,
 interfaces, behaviors, structures, underlying mechanisms, etc.
 
 Any directory service has a form of the infrastructure master DN-
 cleanup problem, when the cross-reference spans replication
scopes,
 irregardless of underlying database technology, ESE, or SQL Server,
or
 anything else you can think of.  If they seemingly don't have this
 problem, then there is some form of replication happening and thus
the
 DN isn't really crossing replication scopes (that's why the GC
doesn't
 have this problem ... as you pointed out in part 1 of the article).

 So I'd argue the last 2 lines in the first quote were wrong in two
 ways:
 (A) ESE doesn't provide uniform representation of object references.
 That's just patently incorrect.  And (B) this isn't an ESE
 implementation detail, it is a DS implementation detail for being
 constructed on any kind of database that isn't performing
replication
 (same as SQL, MySQL, BerkleyDB, whatever NDS used, or ESE)?  I just
 want it on record ...
 8/17/2005, Dean was wrong once.

 Thanks,
 BrettSh
 ex-Garage Door Operator #7.


 On Mon, 14 Aug 2006, Dean Wells wrote:

   
 Cheeky git . my head, your stomach . at least we'll have the plane
to
 ourselves!  :0)



 Best start working on that pilot's license!

 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com http://msetechnology.com/



 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Monday, August 14, 2006 5:09 PM
 To: 

[ActiveDir] use of in DN and CN

2006-08-15 Thread Fowler, Otto \(GE Indust, GE Fanuc\)



Is the use of < and > restricted/illegal in AD?
Even escaped there are attribute errors with ldifde.

Thanks


Re: [ActiveDir] use of in DN and CN

2006-08-15 Thread Joe Kaplan
The <> characters are used in a DN to implement platform-specific DN 
syntaxes.  Microsoft uses it for implementing the GUID and SID DN 
syntaxes, which look like this:


<GUID=f2c76527-dbb5-4826-94e4-488743d82b69>
<SID=S-1-427139602-4143570898-3002774972-1124764024-1874728375-2129772970>

These can be used interchangeably in LDAP with the normal DN, as they are 
just different versions of the same thing.


It may be possible to escape these characters by using the hex value, but I 
think you would be best off if you didn't include them at all.  You will 
just be opening yourself up to a world of programming misery when you have 
to deal with the objects you have created.  Run away!  :)


Joe K.
- Original Message - 
From: Fowler, Otto (GE Indust, GE Fanuc)

To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 15, 2006 1:15 PM
Subject: [ActiveDir] use of   in DN and CN


Is the use of < and > restricted/illegal in AD?
Even escaped there are attribute errors with ldifde.

Thanks 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
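
The GUID and SID forms described in the reply above, and the escaping it mentions, as an added example that is not part of the original post. It builds the `<GUID=...>` and `<SID=...>` strings from the raw `objectGUID` and `objectSid` bytes a directory returns, and escapes an RDN value per RFC 4514 in either backslash or hex form. The GUID is the one from the post; the SID bytes and the RDN value are constructed.

```python
import struct
import uuid

# Raw objectGUID bytes for the GUID shown in the post. AD returns the first
# three fields little-endian, so the bytes differ from the printed order.
SAMPLE_GUID = bytes.fromhex("2765c7f2b5db264894e4488743d82b69")

# Constructed objectSid bytes: revision 1, 5 sub-authorities, authority 5.
SAMPLE_SID = (
    bytes([1, 5])
    + (5).to_bytes(6, "big")
    + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1105)
)

# Characters RFC 4514 requires escaping anywhere in an RDN value.
_SPECIAL = set('"+,;<>\\')


def guid_dn(object_guid):
    """Return the '<GUID=...>' form for a 16-byte objectGUID value."""
    if len(object_guid) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return "<GUID=%s>" % uuid.UUID(bytes_le=object_guid)


def sid_string(object_sid):
    """Decode a binary SID into its S-R-A-S1-S2... string form."""
    if len(object_sid) < 8:
        raise ValueError("SID too short")
    revision, count = object_sid[0], object_sid[1]
    if len(object_sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(object_sid[2:8], "big")       # big-endian
    subs = struct.unpack("<%dI" % count, object_sid[8:])     # little-endian
    return "S-%d-%d%s" % (revision, authority,
                          "".join("-%d" % s for s in subs))


def sid_dn(object_sid):
    """Return the '<SID=...>' form for a binary objectSid value."""
    return "<SID=%s>" % sid_string(object_sid)


def escape_rdn_value(value, use_hex=False):
    """Escape an attribute value for use inside a DN (RFC 4514 rules).

    use_hex=True emits the two-digit hex form (for example \\3C) instead of
    a backslash followed by the character itself.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs = (
            ch in _SPECIAL
            or (i == 0 and ch in " #")      # leading space or '#'
            or (i == last and ch == " ")    # trailing space
        )
        if ch == "\x00":
            out.append("\\00")
        elif needs:
            out.append("\\%02X" % ord(ch) if use_hex else "\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(guid_dn(SAMPLE_GUID))
    print(sid_dn(SAMPLE_SID))
    print("CN=" + escape_rdn_value("R&D <lab>") + ",DC=example,DC=com")
    print("CN=" + escape_rdn_value("R&D <lab>", use_hex=True) + ",DC=example,DC=com")
```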


RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Mark Arnold
Your back needs a lot of Exchange folk behind it to ensure coverage. And 
anyway, what makes you so sure us Special boys will take care of you? I mean, 
we Exchange folk can live quite happily without Active Dire, oh, wait, I found 
a flaw. Rats.

Sent from my SPV. Please Excuse typo's.

-Original Message-
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 15/08/2006 18:27
Subject: RE: [ActiveDir][OT]Dean's kick-a## article


I would wear that... But on the back it has to say

  Brett Says:
 FSQL!



I've seen some of the SQL MVPs, I think the DS MVPS can take em! The
Exchange MVPs can have our backs too... Because we all know what happens to
Exchange if AD gets messed up.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 15, 2006 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir][OT]Dean's kick-a## article

Are said TShirts for sale?

I can envision the next MVP summit with a room full of Bretts.

(www.cafepress.com  there can be a Brett Store with Brett merchandise)

Brett Shirley wrote:
 Ego isn't wearing a t-shirt with your own picture on it, ego is insisting
 others wear a t-shirt with your picture on it ...

 So was that it, Dean?  Were you conceding my point, I couldn't tell (like
 maybe the okey dokes was like whatever, blow brett off) ... or do you
 still feel this is all database specific implementation detail?  As
 opposed to my position that this is directory service implementation
 detail (for AD in the dblayer of the DS)?  A directory service needs this
 in order to function correctly across regular replication scopes.

 Cheers,
 BrettSh

 On Tue, 15 Aug 2006, Dean Wells wrote:


 Maybe I can help w/ the ego (after all I consider trimming Dean's ego
 one of my higher callings in life ;-) ...

 Remain focused on your own for now.  Once you no longer feel the need to
 wear t-shirts with your own face on them, you can probably rest assured
that
 you're safe to begin on mine ;0)

 ... uhhh, okey dokes :0/

 --
 Dean Wells
 MSEtechnology
 t Email: [EMAIL PROTECTED]
 http://msetechnology.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Tuesday, August 15, 2006 9:12 AM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article

 Maybe I can help w/ the ego (after all I consider trimming Dean's ego
 one of my higher callings in life ;-) ...

 Dean, you said you didn't mind if we continued to discuss this thread
 at one point (a at the time highly volatile thread, which I decided to
 let settle down), do you remember this thread:

http://www.mail-
 archive.com/activedir@mail.activedir.org/msg32470.html

 Where I think you basically conveyed (IMNHO) I didn't know what I was
 talking about in regards to what is required for a DS implementation
 ...

 From your two emails in that thread, first you said:


 ... that the process of injecting the phantom isn't a behavioral
 requirement imposed or carried out by the directory service itself.
 It is a requirement imposed by the underlying database and is
 necessary because of the mechanism used by ESE to provide uniform
 representation of object references (i.e. link pairs).

 Then in a subsequent email:


 Nod, I understand your point but, to me, it's a matter of perspective
 -- where does the directory begin and end?  From a developers
 standpoint, the directory may well be a whole component neatly
 organized into a single area of a source tree.  From my perspective,
 the term directory (in this context) is used to relay the concept of

 a

 (mostly) standards based component with predictable features,
 interfaces, behaviors, structures, underlying mechanisms, etc.

 Any directory service has a form of the infrastructure master DN-
 cleanup problem, when the cross-reference spans replication scopes,
 irregardless of underlying database technology, ESE, or SQL Server, or
 anything else you can think of.  If they seemingly don't have this
 problem, then there is some form of replication happening and thus the
 DN isn't really crossing replication scopes (that's why the GC doesn't
 have this problem ... as you pointed out in part 1 of the article).

 So I'd argue the last 2 lines in the first quote were wrong in two
 ways:
 (A) ESE doesn't provide uniform representation of object references.
 That's just patently incorrect.  And (B) this isn't an ESE
 implementation detail, it is a DS implementation detail for being
 constructed on any kind of database that isn't performing replication
 (same as SQL, MySQL, BerkleyDB, whatever NDS used, or ESE)?  I just
 want it on record ...
 8/17/2005, Dean was wrong once.

 Thanks,
 BrettSh
 

RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Brett Shirley
I don't think I ever actually said that ...

Cheers Mate,
-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.


On Tue, 15 Aug 2006, Michael B. Smith wrote:

 And we share a DB platform. :-) 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, August 15, 2006 12:43 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article
 
 I would wear that... But on the back it has to say 
 
   Brett Says: 
  FSQL! 
 
 
 
 I've seen some of the SQL MVPs, I think the DS MVPS can take em! The
 Exchange MVPs can have our backs too... Because we all know what happens
 to
 Exchange if AD gets messed up.
 
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
 CPA
 aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, August 15, 2006 12:02 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir][OT]Dean's kick-a## article
 
 Are said TShirts for sale?
 
 I can envision the next MVP summit with a room full of Bretts.
 
 (www.cafepress.com  there can be a Brett Store with Brett
 merchandise)
 
 Brett Shirley wrote:
  Ego isn't wearing a t-shirt with your own picture on it, ego is
 insisting
  others wear a t-shirt with your picture on it ... 
 
  So was that it, Dean?  Were you conceding my point, I couldn't tell
 (like
  maybe the okey dokes was like whatever, blow brett off) ... or do
 you
  still feel this is all database specific implementation detail?  As
  opposed to my position that this is directory service implementation
  detail (for AD in the dblayer of the DS)?  A directory service needs
 this
  in order to function correctly across regular replication scopes.
 
  Cheers,
  BrettSh
 
  On Tue, 15 Aug 2006, Dean Wells wrote:
 

  Maybe I can help w/ the ego (after all I consider trimming Dean's
 ego
  one of my higher callings in life ;-) ...

  Remain focused on your own for now.  Once you no longer feel the need
 to
  wear t-shirts with your own face on them, you can probably rest
 assured
 that
  you're safe to begin on mine ;0)
 
  ... uhhh, okey dokes :0/
 
  --
  Dean Wells
  MSEtechnology
  t Email: [EMAIL PROTECTED]
  http://msetechnology.com
 
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Brett Shirley
  Sent: Tuesday, August 15, 2006 9:12 AM
  To: ActiveDir@mail.activedir.org
  Cc: Send - AD mailing list
  Subject: RE: [ActiveDir][OT]Dean's kick-a## article
 
  Maybe I can help w/ the ego (after all I consider trimming Dean's
 ego
  one of my higher callings in life ;-) ...
 
  Dean, you said you didn't mind if we continued to discuss this
 thread
  at one point (a at the time highly volatile thread, which I decided
 to
  let settle down), do you remember this thread:
 
 http://www.mail-
  archive.com/activedir@mail.activedir.org/msg32470.html
 
  Where I think you basically conveyed (IMNHO) I didn't know what I
 was
  talking about in regards to what is required for a DS implementation
  ...
 
  From your two emails in that thread, first you said:
 

  ... that the process of injecting the phantom isn't a behavioral
  requirement imposed or carried out by the directory service itself.
  It is a requirement imposed by the underlying database and is
  necessary because of the mechanism used by ESE to provide uniform
  representation of object references (i.e. link pairs).
  
  Then in a subsequent email:
 

  Nod, I understand your point but, to me, it's a matter of
 perspective
  -- where does the directory begin and end?  From a developers
  standpoint, the directory may well be a whole component neatly
  organized into a single area of a source tree.  From my
 perspective,
  the term directory (in this context) is used to relay the concept
 of
  
  a

  (mostly) standards based component with predictable features,
  interfaces, behaviors, structures, underlying mechanisms, etc.
  
  Any directory service has a form of the infrastructure master DN-
  cleanup problem, when the cross-reference spans replication
 scopes,
  irregardless of underlying database technology, ESE, or SQL Server,
 or
  anything else you can think of.  If they seemingly don't have this
  problem, then there is some form of replication happening and thus
 the
  DN isn't really crossing replication scopes (that's why the GC
 doesn't
  have this problem ... as you pointed out in part 1 of the article).
 
  So I'd argue the last 2 lines in the first quote were wrong in two
  ways:
  (A) ESE doesn't provide uniform representation of object references.
  That's just patently incorrect.  And (B) this isn't an ESE
  implementation detail, it is a DS implementation detail for being
  constructed on any kind 

[ActiveDir] MS Schema GUIDS different from my Forest to MSDN

2006-08-15 Thread Bernier, Brandon \(.\)

Answer to my question below: I'm missing an ACE for ms-DS-Az-Admin-Manager but what's interesting is that I'm using the Schema GUID from MSDN and for some reason that's different from what I have in production (verified using ADFind to dump all the Classes ObjectGUID in the Schema). I asked someone who implemented the Schema here why and they said they ran across the same issue and it was told it wasn't a big deal... I disagree, since if that was the case my code would be working and this note wouldn't exist. Anyone seen this before?

-Brandon




_
From: Bernier, Brandon (.)
Sent: Tuesday, August 15, 2006 1:24 PM
To: 'ActiveDir@mail.activedir.org'
Subject: ADSIEdit unable to enumerate list of objects that a group can create



OK..I'm probably doing something silly here but I need more insight on how ADSIEdit enumerates what object types you can create..

The scenario is I have 1 OU and in that OU I have a Group that I've ACL'd to create/delete ms-DS-Az-Admin-Manager objects and mod some attributes on it in that OU. So I bind up as a User in this Group using ADSIEdit and try to create an instance of this object, well that list is empty..so I can't create jack. What am I missing? I'll write a quick little VBScript to test that out, but in the meantime what gives? Thanks!

-Brandon







RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread joe
Shh Brett I'm on your side as far as you know... ;o) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, August 15, 2006 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT]Dean's kick-a## article

I don't think I ever actually said that ...

Cheers Mate,
-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.


On Tue, 15 Aug 2006, Michael B. Smith wrote:

 And we share a DB platform. :-) 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, August 15, 2006 12:43 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article
 
 I would wear that... But on the back it has to say 
 
   Brett Says: 
  FSQL! 
 
 
 
 I've seen some of the SQL MVPs, I think the DS MVPS can take em! The
 Exchange MVPs can have our backs too... Because we all know what happens to
 Exchange if AD gets messed up.
 
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
 aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, August 15, 2006 12:02 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir][OT]Dean's kick-a## article
 
 Are said TShirts for sale?
 
 I can envision the next MVP summit with a room full of Bretts.
 
 (www.cafepress.com  there can be a Brett Store with Brett merchandise)

 Brett Shirley wrote:
  Ego isn't wearing a t-shirt with your own picture on it, ego is insisting
  others wear a t-shirt with your picture on it ...

  So was that it, Dean?  Were you conceding my point, I couldn't tell (like
  maybe the okey dokes was like whatever, blow brett off) ... or do you
  still feel this is all database specific implementation detail?  As
  opposed to my position that this is directory service implementation
  detail (for AD in the dblayer of the DS)?  A directory service needs this
  in order to function correctly across regular replication scopes.
 
  Cheers,
  BrettSh
 
  On Tue, 15 Aug 2006, Dean Wells wrote:
 

  Maybe I can help w/ the ego (after all I consider trimming Dean's ego
  one of my higher callings in life ;-) ...

  Remain focused on your own for now.  Once you no longer feel the need to
  wear t-shirts with your own face on them, you can probably rest assured that
  you're safe to begin on mine ;0)
 
  ... uhhh, okey dokes :0/
 
  --
  Dean Wells
  MSEtechnology
  Email: [EMAIL PROTECTED]
  http://msetechnology.com
 
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Brett Shirley
  Sent: Tuesday, August 15, 2006 9:12 AM
  To: ActiveDir@mail.activedir.org
  Cc: Send - AD mailing list
  Subject: RE: [ActiveDir][OT]Dean's kick-a## article
 
  Maybe I can help w/ the ego (after all I consider trimming Dean's ego
  one of my higher callings in life ;-) ...

  Dean, you said you didn't mind if we continued to discuss this thread
  at one point (a at the time highly volatile thread, which I decided to
  let settle down), do you remember this thread:

  http://www.mail-archive.com/activedir@mail.activedir.org/msg32470.html

  Where I think you basically conveyed (IMNHO) I didn't know what I was
  talking about in regards to what is required for a DS implementation
  ...
 
  From your two emails in that thread, first you said:
 

  ... that the process of injecting the phantom isn't a behavioral
  requirement imposed or carried out by the directory service itself.
  It is a requirement imposed by the underlying database and is
  necessary because of the mechanism used by ESE to provide uniform
  representation of object references (i.e. link pairs).
  
  Then in a subsequent email:
 

  Nod, I understand your point but, to me, it's a matter of perspective
  -- where does the directory begin and end?  From a developers
  standpoint, the directory may well be a whole component neatly
  organized into a single area of a source tree.  From my perspective,
  the term directory (in this context) is used to relay the concept of a
  (mostly) standards based component with predictable features,
  interfaces, behaviors, structures, underlying mechanisms, etc.
  
  Any directory service has a form of the infrastructure master DN-
  cleanup problem, when the cross-reference spans replication scopes,
  irregardless of underlying database technology, ESE, or SQL Server, or
  anything else you can think of.  If they seemingly don't have this
  problem, then there is some form of replication happening and thus the
  DN isn't really crossing replication scopes (that's why the GC doesn't
  have 

RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread joe
Yeah good old Exchange... Just a little bit slow... 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Arnold
Sent: Tuesday, August 15, 2006 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT]Dean's kick-a## article

Your back needs a lot of Exchange folk behind it to ensure coverage. And
anyway, what makes you so sure us Special boys will take care of you? I
mean, we Exchange folk can live quite happily without Active Dire, oh, wait,
I found a flaw. Rats.

Sent from my SPV. Please Excuse typo's.

-Original Message-
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 15/08/2006 18:27
Subject: RE: [ActiveDir][OT]Dean's kick-a## article


I would wear that... But on the back it has to say

  Brett Says:
 FSQL!



I've seen some of the SQL MVPs, I think the DS MVPS can take em! The
Exchange MVPs can have our backs too... Because we all know what happens to
Exchange if AD gets messed up.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 15, 2006 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir][OT]Dean's kick-a## article

Are said TShirts for sale?

I can envision the next MVP summit with a room full of Bretts.

(www.cafepress.com  there can be a Brett Store with Brett merchandise)

Brett Shirley wrote:
 Ego isn't wearing a t-shirt with your own picture on it, ego is insisting
 others wear a t-shirt with your picture on it ...

 So was that it, Dean?  Were you conceding my point, I couldn't tell (like
 maybe the okey dokes was like whatever, blow brett off) ... or do you
 still feel this is all database specific implementation detail?  As
 opposed to my position that this is directory service implementation
 detail (for AD in the dblayer of the DS)?  A directory service needs this
 in order to function correctly across regular replication scopes.

 Cheers,
 BrettSh

 On Tue, 15 Aug 2006, Dean Wells wrote:


 Maybe I can help w/ the ego (after all I consider trimming Dean's ego
 one of my higher callings in life ;-) ...

 Remain focused on your own for now.  Once you no longer feel the need to
 wear t-shirts with your own face on them, you can probably rest assured that
 you're safe to begin on mine ;0)

 ... uhhh, okey dokes :0/

 --
 Dean Wells
 MSEtechnology
 Email: [EMAIL PROTECTED]
 http://msetechnology.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Tuesday, August 15, 2006 9:12 AM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: RE: [ActiveDir][OT]Dean's kick-a## article

 Maybe I can help w/ the ego (after all I consider trimming Dean's ego
 one of my higher callings in life ;-) ...

 Dean, you said you didn't mind if we continued to discuss this thread
 at one point (a at the time highly volatile thread, which I decided to
 let settle down), do you remember this thread:

 http://www.mail-archive.com/activedir@mail.activedir.org/msg32470.html

 Where I think you basically conveyed (IMNHO) I didn't know what I was
 talking about in regards to what is required for a DS implementation
 ...

 From your two emails in that thread, first you said:


 ... that the process of injecting the phantom isn't a behavioral
 requirement imposed or carried out by the directory service itself.
 It is a requirement imposed by the underlying database and is
 necessary because of the mechanism used by ESE to provide uniform
 representation of object references (i.e. link pairs).

 Then in a subsequent email:


 Nod, I understand your point but, to me, it's a matter of perspective
 -- where does the directory begin and end?  From a developers
 standpoint, the directory may well be a whole component neatly
 organized into a single area of a source tree.  From my perspective,
 the term directory (in this context) is used to relay the concept of a
 (mostly) standards based component with predictable features,
 interfaces, behaviors, structures, underlying mechanisms, etc.

 Any directory service has a form of the infrastructure master DN-
 cleanup problem, when the cross-reference spans replication scopes,
 irregardless of underlying database technology, ESE, or SQL Server, or
 anything else you can think of.  If they seemingly don't have this
 problem, then there is some form of replication happening and thus the
 DN isn't really crossing replication scopes (that's why the GC doesn't
 have this problem ... as you pointed out in part 1 of the article).

 So I'd argue the last 2 lines in the first quote were wrong in two
 ways:
 (A) ESE doesn't provide uniform representation of 

Re: [ActiveDir] MS Schema GUIDS different from my Forest to MSDN

2006-08-15 Thread Joe Kaplan
objectGUID and schemaIDGUID 
are not the same thing.  objectGUID will always be randomly generated when 
an object is created and will differ between different forests for schema. 
schemaIDGUID can and usually is (at least for schema from MS) set when the 
object is created, so those tend to be the same between all installations*.


Did you look at the schemaIDGUID attribute to compare there?

Joe K.

* If schemaIDGUID isn't specified at create time, AD and ADAM will happily 
create a random one for you.  It is generally considered to be a best 
practice to specify the schemaIDGUID though so that it can be published as a 
static value.  Letting the directory create it for you is generally 
considered hackish.
- Original Message - 
From: Bernier, Brandon (.)

To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 15, 2006 4:26 PM
Subject: [ActiveDir] MS Schema GUIDS different from my Forest to MSDN




Answer to my question below: I'm missing an ACE for ms-DS-Az-Admin-Manager. 
but what's interesting is that I'm using the Schema GUID from MSDN and for 
some reason that different from what I have in production (verified using 
ADFind to dump all the Classes ObjectGUID in the Schema). I asked someone 
who implemented the Schema here why and they said they ran across the same 
issue and it was told it wasn't a big deal...I disagree, since if that was 
the case my code would be working and this note wouldn't exist. Anyone seen 
this before?

-Brandon



_
From:   Bernier, Brandon (.)
Sent:   Tuesday, August 15, 2006 1:24 PM
To: 'ActiveDir@mail.activedir.org'
Subject:ADSIEdit unable to enumerate list of objects that a group 
can create



OK..I'm probably doing something silly here but I need more insight on how 
ADSIEdit enumerates what object types you can create..
The scenario is I have 1 OU and in that OU I have a Group that I've ACL'd to 
create/delete ms-DS-Az-Admin-Manager objects and mod some attributes on it 
in that OU . So I bind up as a User in this Group using ADSIEdit and try to 
create a instance of this object, well that list is empty..so I can't create 
jack. What am I missing? I'll write a quick little VBScript to test that 
out, but in the meantime what gives? Thanks!

-Brandon


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
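
The objectGUID/schemaIDGUID distinction in the reply above matters for delegation, because the object type in a create/delete-child object ACE is the class's schemaIDGUID. The Python below is an added example, not code from any poster on the list; the GUIDs, SIDs, class name `exampleClass` and SDDL string are constructed, and it assumes the DACL has been exported in SDDL form and the two GUID attributes read as raw 16-byte values.

```python
import re
import uuid

# Constructed sample data: neither GUID comes from a real forest or from MSDN.
# AD returns GUID attributes as 16-byte octet strings in little-endian layout.
SCHEMA_CLASSES = {
    # ldapDisplayName: (objectGUID bytes, schemaIDGUID bytes)
    "exampleClass": (
        bytes.fromhex("ffeeddccbbaa99887766554433221100"),  # random per forest
        bytes.fromhex("00112233445566778899aabbccddeeff"),  # fixed by the schema author
    ),
}

# Constructed DACL: two create/delete-child object ACEs and one plain ACE.
SAMPLE_SDDL = (
    "D:(OA;;CCDC;33221100-5544-7766-8899-aabbccddeeff;;S-1-5-21-1-2-3-1104)"
    "(OA;;CCDC;ccddeeff-aabb-8899-7766-554433221100;;S-1-5-21-1-2-3-1105)"
    "(A;;RPLCRC;;;AU)"
)

def guid_from_ldap(raw):
    """Convert a 16-byte AD GUID value to a uuid.UUID (canonical string form)."""
    if len(raw) != 16:
        raise ValueError("AD GUID attributes are exactly 16 bytes")
    return uuid.UUID(bytes_le=raw)

def object_aces(sddl):
    """Yield (rights, object_type_guid, trustee) for allow/deny object ACEs."""
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            continue  # conditional or malformed ACE, out of scope here
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields
        if ace_type in ("OA", "OD") and obj_guid:
            yield rights, uuid.UUID(obj_guid), trustee

def audit_object_aces(sddl, schema_classes):
    """Classify each object ACE by which schema GUID its object type matches."""
    by_schema_id, by_object_guid = {}, {}
    for name, (object_guid, schema_id_guid) in schema_classes.items():
        by_object_guid[guid_from_ldap(object_guid)] = name
        by_schema_id[guid_from_ldap(schema_id_guid)] = name
    findings = []
    for _rights, guid, trustee in object_aces(sddl):
        if guid in by_schema_id:
            findings.append((trustee, by_schema_id[guid], "schemaIDGUID"))
        elif guid in by_object_guid:
            # objectGUID of the schema object: will not match the class in an access check
            findings.append((trustee, by_object_guid[guid], "objectGUID"))
        else:
            # may be an attribute, property set or extended right not in the map
            findings.append((trustee, None, "unknown"))
    return findings

if __name__ == "__main__":
    for trustee, cls, kind in audit_object_aces(SAMPLE_SDDL, SCHEMA_CLASSES):
        print(f"{trustee}: {cls} via {kind}")
```
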


[ActiveDir] Process for requesting, authorizing and creating shares?

2006-08-15 Thread [EMAIL PROTECTED]

Hi folks,

Slightly off-topic here -- i.e,. related to managing Windows environments
generally, rather than just Active Directory.

I'm wondering whether any of you have seen good business processes for
managing share creation (and for that matter, deletion)?

We are working with a large multi-national where the current process by
which business users request new shares (i.e., network-attached, shared,
access-controlled disk space), and by which those requests are approved
and implemented, is pretty weak.

We are hoping to help them automate this process, but would obviously like 
to lock it down first.


For example -- can any user request creation of a new share?

  -- If not, who can/can't?

Should users specify a share name, server name and disk volume or should
these variables be calculated based on variables such as the user's
location and amount of disk space requested?

  -- If you do let users choose, how would they know which server and
  disk volume to pick?

  -- If you automate server/share name/volume assignment, do you have
  standards for things like new share names?

Do you typically apply quotas to new shares?

Do you typically over-subscribe disk?  i.e., user A asks for 10GB, user B
asks for 20GB, you create 2 shares on a 25GB disk volume on the theory --
like the airlines use -- that actual usage will be less than reserved
usage.

How should a file server be assigned?

  -- What happens if there is not already a server with adequate
  disk space?

  -- How does the server-selection process escalate to requisitioning
  physical hardware?

Once a server and disk volume have been assigned, should someone (e.g.,
like a server owner or disk space owner) approve the request before it
is authorized?

  -- If so, how do you assign owners/authorizers to servers?

Should requests include timeouts and renewals, such that un-renewed requests 
are auto-terminated (share deleted)?


  -- If so, do you give users advance warning and an opportunity to renew?

How do you handle cases where shares get full?

  -- Can users ask for more space?

  -- Do you have system monitoring software alert someone that
  a given disk volume is getting full?

Do you normally setup shares as visible to all users, and manage ACLs
on NTFS, or do you also apply ACLs to the shares directly?

Do you generally ask users to define ACLs using existing AD groups, or 
require the creation of new AD groups?


  -- What scope of groups do you typically use in ACLs?
  (Universal, domain global, domain local, or even server local?)

Does NAS change any of the above?

Is there anything else I should ask about?  :-)

I hope to assemble some best practices from your responses, and set our
customer off in the right direction from the start.

Since this is a rather lengthy inquiry, and the results might be valuable
to everyone, I promise to summarize any and all good advice and post
back to this list in a single, legible e-mail.

Thanks!

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com


For more information on M-Tech's Regulatory Compliance Solution visit:
  http://mtechIT.com/compliance/


