RE: [ActiveDir] Process on DC stuck on stopping

2006-08-22 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA
Yeah, that is the conclusion that I have come to as well.  I am
undergoing my ADRAP right now and I asked Kurt Falde the same question
and he pretty much told me that the server has gotta be bounced if none
of those tools help.

Thanks,

Nate 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 18, 2006 8:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Process on DC stuck on stopping

If the software has a tendency to crash out like that if you kill the
thread it won't matter how you kill it as they all do it by taking the
legs out from under the thread. The app itself is the only thing that
can force the thread to exit gracefully.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta,
Nathaniel V CTR USAF NASIC/SCNA
Sent: Wednesday, August 16, 2006 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Process on DC stuck on stopping

Hey all,

I have used pskill.exe and procexp.exe to try to get the antivirus
service on my DC to stop so I can restart it, but it is hung in the
stopping state.  Does anybody know a good way that I can kill this
process and start it again without causing a stack failure in the
kernel? (I already experienced that when killing a thread a while ago.)  If
anybody knows a good tool to use and possibly where it can be acquired
from, I would appreciate it.  Otherwise I will have to reboot the DC
during downtime, but I don't like it not having protection for that
period; I'd much rather bounce it now.


Thanks,

Nate
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



[ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Thommes, Michael M.

Hi,

We are trying to set up secure LDAP queries from the outside to AD for
pulling email addresses but are running into an issue. Port 636 has been
opened up to our DCs but we get a 0x51 error like the one shown below in
this example of using adfind:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using ldp, the bind
operation seems to want to default to port 389 (which is not open).

It works fine behind our firewall. Is there some other port that needs to
be open (besides 389)? Or maybe some security feature (we are running
w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,

Mike Thommes


Re: [ActiveDir] UAC Question

2006-08-22 Thread Al Mulnick
David, I think you just about have to come up with another method. You mentioned earlier that your account lockout policies will unlock the account after a period of time meaning that, as JoeK pointed out, you'd have to constantly hit the account with bad attempts. That would certainly negate any kind of logging/security mechanisms in place to try and find attempts to crack the passwords. It would be lost in the designed attempts, so no point in even trying, right? 


Anyhow, hopefully the conversations have stimulated some thoughts. Just keep in mind that you're trying to build around a problem that shouldn't even exist. You won't want to perpetuate that thinking or the associated problems if you can help it. Now might be a good time to put some ground work in that guides the next solutions down the road. 


Good luck. 
Al
On 8/21/06, David Aragon [EMAIL PROTECTED] wrote:

Thank you all. I will give a serious look at account expiration, that might
work also. Again, I was originally looking at account lockout because the
tools and permissions already exist to unlock an account by certain helpdesk
members and I wouldn't have to provide additional tools and training.

David Aragon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, August 21, 2006 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UAC Question

Yeah I was thinking about forcing pwdLastSet to 0 or forcing an account
expiration (versus password expiration) with the accountExpires attribute.
The former can be bypassed if someone knows the password, they can change the
old password and be up and running. The other would require an admin
interaction.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Kaplan
Sent: Monday, August 21, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] UAC Question

That's a good explanation. I don't see how you can lock them out
programmatically though. The mechanism just isn't designed to do that.
You'd have to force bad auth attempts on them constantly.

If you can't disable the AD account, what if you expired it? That would
prevent login too, right? You could just set the expiration date back to an
unexpired value when you need to.

Just a thought...

Joe K.

- Original Message -
From: David Aragon
To: ActiveDir@mail.activedir.org
Sent: Monday, August 21, 2006 3:14 PM
Subject: RE: [ActiveDir] UAC Question

I think I need to expand the picture here to provide more clarity. At the top
of our tree we have openLDAP which we refer to as the Enterprise and which is
the authoritative source for all credentials. That feeds several sub-systems,
including Active Directory, email, SMB, etc. We have internally developed
connectors to provide each sub-system the appropriate user information
including passwords (when required by that sub-system). This has afforded us
a working single sign-on for multiple platforms (Windows, MAC, and Linux).
Users can go to any computer, any platform, and their credentials are valid
(though there might be local restrictions). Users go to a single point to
change their password and that change is then appropriately encrypted and
transmitted to each sub-system in a form that is best for that sub-system.
This all works quite well, however, because of this we cannot change the
user's password in AD without causing a break between the Enterprise and AD
user objects. Forcing a change in the password of a user object at the
Enterprise level would cut the user off from their email, personal network
shares, etc.

A couple of years ago the telephony group paid a LOT of money for this
software (let me repeat here that I was not involved until recently). A few
months after the purchase, the company was bought by a larger company who
apparently didn't bother keeping any of the original developers,
programmers, etc. though they continue to support the software. We have been
told on numerous occasions, however, that because we have an unconventional
setup, we are virtually on our own and no one wants to cough up another big
chunk of money to replace the software. The software requires a voice mailbox
be tied to an Active Directory user account, but once created, the only check
that is made is if the AD user account is enabled or disabled.

I recently complained that we were leaving a possible security hole by not
doing something with these accounts and, as typically happens, I was tasked
with coming up with an appropriate solution. At the time, it seemed the
easiest path to follow would be to set the account lockout which would
prevent the user from logging into the vast majority of systems, but still
allow them the ability to get their email (from off campus), vm (from off
campus or on campus), etc. This is still the path I'm pursuing.

David Aragon

From: [EMAIL PROTECTED] [mailto:[EMAIL 

Re: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Matheesha Weerasinghe

Check the firewall rules to ensure they are correct. Are the packets
even getting to the DC? Personally I doubt it.

M@



RE: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Williams, Robert

Hey Mike,

When you say "It works fine behind our firewall", are you meaning that the
*exact same* command line works and you get the object returned?

I tried using adfind to connect to my test DC using port 636 and got the
exact same error... but I don't have a cert installed on my DC so I'd expect
mine not to work.

Robert Williams

2006-08-22, 10:35:32
The information contained in this e-mail message and any attachments may be privileged and confidential.  If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.





Re: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Tomasz Onyszko

Thommes, Michael M. wrote:

Hi,

We are trying to set up secure LDAP queries from the outside to AD
for pulling email addresses but are running into an issue.  Port 636 has
been opened up to our DCs but we get a 0x51 error like the one shown
below in this example of using “adfind”:


Listening to network traffic should give you an answer to this question.
Do you have the root CA certificate installed on this machine? Maybe there
is a problem with validating the DC's CA.

Have you tried to connect to this DC with LDP.EXE? I'm not saying that
joe's adfind is worse, but maybe you will get some more error messages.
But I think your first approach should be to capture the traffic and
check it.


--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Thommes, Michael M.

Hi Robert,

Yes, the command is *exactly* the same. We are thinking that our CRL
location is not available outside of the firewall. We generate our own
certificates; we don't use a "well known" provider.

Mike Thommes


RE: [ActiveDir] UAC Question

2006-08-22 Thread David Aragon

Al et al.,

Yes, I definitely have some additional avenues to look down. The original
plan was to set the lockout bit, that didn't work. Next was to set the
lockoutTime to some future point in time with the anticipation that the
lockout bit will set itself, I have not had time yet to test that, but the
code had been written. Because of Security logging, etc. I had, early on,
ruled out hitting the account with a barrage of bad passwords to force the
lockout. Other things we have watching the network would have misinterpreted
it as an attack.

Should setting the lockoutTime fail then the next path is to test
accountExpires and finally setting LogonHours to 0 (an off-line suggestion).
Should either of the latter two suggestions work, this will require
developing some additional tools and providing training on their use.

Thank you all for your suggestions. You helped turn a dead end path into a
multilane road. We shall see where it takes us.

David Aragon


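The two attributes the thread ends up on, accountExpires (Joe K. and joe) and LogonHours set to 0 (David's off-line suggestion), both have encodings that are easy to get wrong. The following is an added Python example, not David's code or any of the connectors he describes: it computes the values a helpdesk tool would write (accountExpires as a FILETIME, logonHours as the 21-byte bitmask) and the values that restore the account; the {attribute: [value]} dict shape is an assumption modelled on ldap3-style modify calls, and the LDAP write itself is left to whatever client library is in use.

```python
"""Attribute values for suspending/restoring a user's logon via accountExpires
and logonHours, without touching the password or the enabled flag."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

# accountExpires is a 64-bit count of 100-nanosecond intervals since
# 1601-01-01 00:00 UTC (a Windows FILETIME).  0 and 2^63-1 both mean "never".
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 0
NEVER_EXPIRES_MAX = 9223372036854775807

# logonHours is a 21-byte bitmask: one bit per hour of the week (7 * 24 = 168).
LOGON_HOURS_NONE = bytes(21)        # no hour permitted: "set LogonHours to 0"
LOGON_HOURS_ALL = b"\xff" * 21      # every hour permitted (the usual default)


def filetime_from_datetime(when: datetime) -> int:
    """Convert a timezone-aware datetime to a FILETIME integer."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    delta = when.astimezone(timezone.utc) - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_from_iso(text: str) -> int:
    """Same conversion for callers holding an ISO-8601 string ('Z' = UTC)."""
    return filetime_from_datetime(datetime.fromisoformat(text.replace("Z", "+00:00")))


def datetime_from_filetime(ft: int) -> Optional[datetime]:
    """Inverse conversion; None for either 'never expires' sentinel."""
    if ft in (NEVER_EXPIRES, NEVER_EXPIRES_MAX):
        return None
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def suspend_mods(expire_at: datetime) -> Dict[str, List[Union[str, bytes]]]:
    """Values that expire the account as of expire_at AND deny every logon hour.

    expire_at must already be in the past, otherwise the account merely gets a
    scheduled expiry and the user is not blocked now.  accountExpires travels
    over LDAP as a decimal string, logonHours as a raw octet string.
    """
    ft = filetime_from_datetime(expire_at)
    if ft > filetime_from_datetime(datetime.now(timezone.utc)):
        raise ValueError("expire_at must be in the past to block logon immediately")
    return {"accountExpires": [str(ft)], "logonHours": [LOGON_HOURS_NONE]}


def restore_mods(previous_logon_hours: bytes = LOGON_HOURS_ALL) -> Dict[str, List[Union[str, bytes]]]:
    """Undo suspend_mods; pass the logonHours value saved before suspension."""
    if len(previous_logon_hours) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    return {"accountExpires": [str(NEVER_EXPIRES)], "logonHours": [previous_logon_hours]}


if __name__ == "__main__":
    # Constructed date for illustration: expire the account as of the thread's date.
    print(suspend_mods(datetime(2006, 8, 22, tzinfo=timezone.utc)))
    print(restore_mods())
```

Because joe's pwdLastSet=0 approach can be bypassed by anyone who knows the password, the values above are the ones that need an admin to undo, which is what the thread was after.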
RE: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Williams, Robert

Mike,

I've been thinking of this answer for a bit but had to research more to get
the info I needed. I wish my knowledge of Certificates was better, but it
would seem there is a way to have the client log something somewhere saying
it can't get to the CRL... maybe one of the smart folks will speak up :)

If your external client can't get to the CRL, you could possibly bring the
CRL to the external client... Maybe you could publish the CRL to an alternate
location which the client can get to?

If that's not possible which makes sense, maybe you can set up your CA to
publish the CRL to another location and then take that CRL and copy it to the
location on the client where the CRL is cached. This is the information I've
been hunting for the past 20 minutes or so... I think you can read about it
here:

http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx

SNIP

Certificates are cached when CryptoAPI retrieves them from a certificate
store or a URL. The cache location varies depending on the source where a
certificate or a CRL was retrieved. A certificate or a CRL can exist in one
or several of the following locations.

Memory: All valid certificates and CRLs that have been touched by the
chain-building engine since the last reboot are cached in memory.

Certificate Store: All certificates that are not treated as root CA
certificates and that have been retrieved from an HTTP, LDAP or FILE URL
reference via the AIA certificate extension are cached in the certificate
store if the certificates are found to be part of a valid chain by the
CryptAPI. Root CA certificates are not automatically cached and must be added
explicitly by the interactive user to the corresponding certificate store.

Local File System: When a certificate or CRL is retrieved via LDAP or HTTP by
a Windows 2000 client with MS04-11, Windows XP SP2 client, or Windows Server
2003 client, it is cached by CAPI in the Application Data folder. The
per-user cache location is C:\Documents and Settings\{user name}\Application
Data\Microsoft\CryptnetUrlCache and the per-machine cache location is
%WINDIR%\System32\config\SystemProfile\Application
Data\Microsoft\CryptnetUrlCache.

Windows 2000 with MS04-11, Windows XP, and Windows Server 2003 handle caching
for HTTP, LDAP, or FILE URL references exclusively with CAPI. Earlier
versions of CryptoAPI used WinInet instead of CAPI for this purpose.

Note: On computers where the Windows Server 2003 version of certutil is
available, cached CRLs can be listed by typing "Certutil -urlcache CRL" at a
command-line prompt. This command is also available on Windows XP computers
that have the Windows Server 2003 Administration Pack installed.

/SNIP

The following link may help too. It talks about an offline CA... which for
all apparent purposes, from the perspective of your client, the CA would seem
to be offline:

http://technet2.microsoft.com/WindowsServer/en/library/45c28bf8-9952-4ca1-b124-7d86afb83f691033.mspx?mfr=true

Thanks for the question... I like the learning!

Have a great day!

Robert Williams


RE: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread joe

I hate troubleshooting SSL but here it goes...

First, have you installed the Cert Chain on the machine you are querying AD
from?

Second, is the DNS name of the DC you are querying exactly what is in the
DC's cert?

I don't think you need anything open other than 636. The way the MSFT LDAP
API works, if you specify 636 it will attempt an SSL connection even if not
explicitly specified; however, try adding the -ssl switch to adfind.

The main thing you want to do is get a trace and see where it is failing at.
The sequence will be something like

Client -> Server  TCP    LDAPS  SYN
Server -> Client  TCP    LDAPS  SYN, ACK
Client -> Server  TCP    LDAPS  ACK
Client -> Server  SSLV2  LDAPS  Client Hello
Server -> Client  TCP    LDAPS  one or more packets in response
Client -> Server  TCP    LDAPS  ACK
Server -> Client  TCP    LDAPS  one or more packets
Server -> Client  TLS    LDAPS  Server Hello, Certificate, Certificate Request, Server Hello Done
Client -> Server  TCP    LDAPS  ACK
Client -> Server  TLS    LDAPS  Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
Server -> Client  TLS    LDAPS  Change Cipher Spec, Encrypted Handshake Message
...then you will see TLS Application Data packets...

Now if you don't have the DNS hostname right or don't have the Cert chain on
the local machine you will see (or at least I always recall seeing) something
like

Client -> Server  TCP    LDAPS  SYN
Server -> Client  TCP    LDAPS  SYN, ACK
Client -> Server  TCP    LDAPS  ACK
Client -> Server  SSLV2  LDAPS  Client Hello
Server -> Client  TCP    LDAPS  one or more packets in response
Client -> Server  TCP    LDAPS  ACK
Server -> Client  TCP    LDAPS  one or more packets
Server -> Client  TLS    LDAPS  Server Hello, Certificate, Certificate Request, Server Hello Done
Client -> Server  TCP    LDAPS  ACK
Client -> Server  TCP    LDAPS  RST, ACK

I could easily be wrong as I am not a SSL kind of guy but I am not positive
if the CRL is required for this communication. I know I have seen this work
without a current or in fact any CRL from the authority on the client side.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


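The two listings above separate three failure stages that all end in the same adfind 0x51: no answer to the SYN (Matheesha's firewall suspicion), no Server Hello (no usable cert on the DC, Robert's test-DC case), and a client RST right after it sees the certificate (name mismatch, missing chain, or unreachable CRL). The following is an added Python example, not joe's code or anything from the list: it reads a one-frame-per-line capture summary in a made-up "Client -> Server  PROTO  LDAPS  INFO" shape that mirrors joe's listings (not real Netmon or tshark output) and names the stage at which the handshake died; the three sample traces are constructed.

```python
"""Triage an LDAPS (636) handshake from a one-line-per-frame capture summary."""
import re
from typing import List, NamedTuple


class Frame(NamedTuple):
    src: str    # "Client" or "Server"
    proto: str  # "TCP", "SSLV2", "TLS"
    info: str   # what the frame carried, e.g. "SYN" or "Server Hello, ..."


# Constructed summary format: "<src> -> <dst>  <proto>  LDAPS  <info>".
_LINE = re.compile(r"^\s*(Client|Server)\s*->\s*(?:Client|Server)\s+(\S+)\s+LDAPS\s+(.+?)\s*$")


def parse_trace(text: str) -> List[Frame]:
    """Turn summary text into Frame records; blank or unrecognised lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            frames.append(Frame(m.group(1), m.group(2).upper(), m.group(3)))
    return frames


def diagnose(frames: List[Frame]) -> str:
    """Name the stage at which the LDAPS handshake stopped."""
    if not any(f.src == "Server" and "SYN" in f.info and "ACK" in f.info for f in frames):
        # Nothing came back to the SYN: packets are not reaching port 636
        # (firewall/routing), the first thing to rule out.
        return "no-syn-ack"
    server_hello_at = None
    for i, f in enumerate(frames):
        if f.src == "Server" and "Server Hello" in f.info:
            server_hello_at = i
            break
    if server_hello_at is None:
        # TCP completed but the DC never offered a certificate: no usable
        # server-authentication cert on the DC.
        return "no-server-hello"
    after = frames[server_hello_at + 1:]
    if any(f.src == "Client" and "Key Exchange" in f.info for f in after):
        # Client accepted the DC cert and continued the handshake.
        if any("Application Data" in f.info for f in after):
            return "handshake-ok"
        return "handshake-incomplete"
    if any(f.src == "Client" and "RST" in f.info for f in after):
        # Client saw the certificate and tore the session down: check the DNS
        # name against the cert subject/SAN, the chain on the client, and
        # whether the CRL distribution point is reachable from that client.
        return "client-rejected-cert"
    return "handshake-incomplete"


def triage(text: str) -> str:
    return diagnose(parse_trace(text))


# Constructed sample traces: joe's good and bad sequences plus a silent one.
GOOD_TRACE = """
Client -> Server  TCP    LDAPS  SYN
Server -> Client  TCP    LDAPS  SYN, ACK
Client -> Server  TCP    LDAPS  ACK
Client -> Server  SSLV2  LDAPS  Client Hello
Server -> Client  TLS    LDAPS  Server Hello, Certificate, Certificate Request, Server Hello Done
Client -> Server  TCP    LDAPS  ACK
Client -> Server  TLS    LDAPS  Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
Server -> Client  TLS    LDAPS  Change Cipher Spec, Encrypted Handshake Message
Client -> Server  TLS    LDAPS  Application Data
"""
RESET_TRACE = """
Client -> Server  TCP    LDAPS  SYN
Server -> Client  TCP    LDAPS  SYN, ACK
Client -> Server  TCP    LDAPS  ACK
Client -> Server  SSLV2  LDAPS  Client Hello
Server -> Client  TLS    LDAPS  Server Hello, Certificate, Certificate Request, Server Hello Done
Client -> Server  TCP    LDAPS  ACK
Client -> Server  TCP    LDAPS  RST, ACK
"""
SILENT_TRACE = """
Client -> Server  TCP    LDAPS  SYN
Client -> Server  TCP    LDAPS  SYN
Client -> Server  TCP    LDAPS  SYN
"""

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("reset", RESET_TRACE), ("silent", SILENT_TRACE)):
        print(f"{name}: {triage(trace)}")
```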

RE: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Bernier, Brandon \(.\)

Are you publishing a CRL? If so then it must use the path to the CRL that's
specified in the certificate or it bombs out (latency to the hosting CRL
server will kill it too... forgot the exact value). Why do you need CRL
checking on your DC's? Doesn't that make you question who is on your DC's
that would make you revoke a cert among other things? I would modify the
template (if you're using an Enterprise CA) and reissue the certs without a
CRL and make sure the clients have the public key to your Root CA in their
trusted root store. Something to ponder.

-Brandon



Re: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread steve patrick



You cannot remove a CDP extension from a specific template - it is configured for all certs issued from the issuing CA.
If he plans to have clients from outside his network access the DCs over LDAPS - he should reconfigure the CA to include a CDP which is available outside of his network.

my .02

steve


  - Original Message - 
  From: 
  Bernier, Brandon 
  (.) 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Tuesday, August 22, 2006 9:14 
  AM
  Subject: RE: [ActiveDir] Secure LDAP 
  queries from the outside
  
  
  Are you publishing a CRL? If so then it must use the path to the CRL that's specified in the certificate or it bombs out (latency to the hosting CRL server will kill it too... forgot the exact value). Why do you need CRL checking on your DC's? Doesn't that make you question who is on your DC's that would make you revoke a cert among other things? I would modify the template (if you're using an Enterprise CA) and reissue the certs without a CRL and make sure the clients have the public key to your Root CA in their trusted root store. Something to ponder.
  
  -Brandon
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
  Sent: Tuesday, August 22, 2006 10:36 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Secure LDAP queries from the outside
  
  
  Hi 
  Robert,
   
  Yes, the command is *exactly* 
  the same. We are thinking that our CRL location is not available outside 
  of the firewall. We generate our own certificates; we don’t use a “well 
  known” provider.
  
  Mike 
  Thommes
  

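The CDP problem Mike and steve describe, as an added example that is not part of the thread: a stdlib-only Python script that decodes the CRL Distribution Points extension of a certificate and reports which CDP URLs a client outside the firewall could actually reach. The DER walker is minimal (only the tag and length forms that occur inside that extension), and the sample extension is constructed in the script from URLs modelled on AD CS defaults; the names ca1.abc.local and crl.abc.com and the "external DNS" set are assumptions, not anything from the thread.

```python
"""Added example (not from the thread): decode a certificate's CRL
Distribution Points extension and report which CDP URLs a client outside
the firewall could reach. The DER walker only handles the tag/length forms
found inside a CRLDistributionPoints value (RFC 5280 4.2.1.13) and collects
every uniformResourceIdentifier GeneralName (context tag [6]).
All sample data below is constructed here; no real DC was queried."""
from urllib.parse import urlsplit

URI_TAG = 0x86           # context-specific, primitive, tag 6: IA5String URI
SEQUENCE = 0x30
CTX0_CONSTRUCTED = 0xA0  # the [0] wrappers: distributionPoint and fullName


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def cdp_uris(extension_der):
    """Return every URI GeneralName found inside a CDP extension value."""
    found = []

    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, value, pos = _read_tlv(buf, pos)
            if tag == URI_TAG:
                found.append(value.decode("ascii"))
            elif tag & 0x20:               # constructed: descend into it
                walk(value)

    walk(extension_der)
    return found


def _tlv(tag, value):
    """DER-encode one TLV with a short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_cdp_extension(uris):
    """Encode CRLDistributionPoints, one DistributionPoint per URI:
    SEQUENCE { SEQUENCE { [0] { [0] { [6] uri } } } ... }"""
    points = b"".join(
        _tlv(SEQUENCE, _tlv(CTX0_CONSTRUCTED, _tlv(CTX0_CONSTRUCTED,
             _tlv(URI_TAG, u.encode("ascii")))))
        for u in uris)
    return _tlv(SEQUENCE, points)


def classify_cdp(uri, external_resolver):
    """Verdict for one CDP as seen by a client outside the network.
    external_resolver(hostname) -> bool stands in for the public DNS view."""
    parts = urlsplit(uri)
    if parts.scheme == "ldap" and not parts.hostname:
        # AD CS default ldap:///CN=... carries no host: it means "any DC in
        # the forest", which only a domain-joined client inside can use.
        return "internal-only"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "unusable"
    return "reachable" if external_resolver(parts.hostname) else "unreachable"


# Constructed sample modelled on AD CS default CDP entries (assumed names).
SAMPLE_CDP_URIS = [
    "ldap:///CN=ABC%20Issuing%20CA,CN=ca1,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=abc,DC=com?certificateRevocationList"
    "?base?objectClass=cRLDistributionPoint",
    "http://ca1.abc.local/CertEnroll/ABC%20Issuing%20CA.crl",
    "http://crl.abc.com/ABC%20Issuing%20CA.crl",
]
# Hypothetical public DNS view: only crl.abc.com is published outside.
EXTERNAL_DNS = {"crl.abc.com"}


def audit(extension_der, external_resolver=lambda host: host in EXTERNAL_DNS):
    """Map each CDP URI in the extension to its verdict."""
    return {u: classify_cdp(u, external_resolver) for u in cdp_uris(extension_der)}


def outside_client_can_check_revocation(extension_der,
                                        external_resolver=lambda host: host in EXTERNAL_DNS):
    """True only if at least one CDP is reachable from outside."""
    return "reachable" in audit(extension_der, external_resolver).values()


if __name__ == "__main__":
    ext = build_cdp_extension(SAMPLE_CDP_URIS)
    for uri, verdict in audit(ext).items():
        print(f"{verdict:14} {uri}")
    print("outside clients can fetch a CRL:", outside_client_can_check_revocation(ext))
```

To use it on a real DC certificate, export the cert as DER, take the value of the extension with OID 2.5.29.31 and pass it to cdp_uris; an ldap:/// CDP with no host is only usable by clients inside the forest, and an http CDP whose host is not published in external DNS gives an outside client nothing to fetch, which is the situation Mike's reply describes. On Windows, certutil -verify -urlfetch against the exported cert does the same check interactively, from whichever network the command is run on.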

[ActiveDir] Exchange question

2006-08-22 Thread Ramon Linan

Hi,

I have 2 email servers in 2 different locations.
All of a sudden emails are not coming from one server to the other, I found out that the smtp queue folder was in a hard drive that was running out of space.

Do you guys know what is the minimum amount of HD space needed for the smtp to work?

Also, if the hard drive gets full will that stop the queue from delivering the emails?

Thanks

Rezuma


[ActiveDir] LDAP queries and FERPA

2006-08-22 Thread Michael Miller
The recent discussion of LDAP queries from the outside brings to mind a 
question regarding FERPA for those of us working in the education arena.


See http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

How do you deal with hiding directory data for individuals who have 
elected to not have their directory data exposed?


I'm sure there are several solutions in current use.

--

Michael J. Miller 
Computing Services

College of Veterinary Medicine, UIUC
_

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Exchange question

2006-08-22 Thread Akomolafe, Deji



minimum amount of HD space needed for the smtp to work?
It depends mostly on how busy is the server.



Also, if the hard drive gets full will that stop the queue from delivering the emails?
Of course.
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Ramon LinanSent: Tue 8/22/2006 11:51 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Exchange question


Hi,

I have 2 emails server in 2 different locations.
All the sudden emails are not coming from one server to the other, I found out that smtp queue folder was in a hard drive that was running out of space.

Do you guys know what is the minimum amount of HD space needed for the smtp to work?

Also, if the hard drive gets full will that stop the queue from delivering the emails?


Thanks

Rezuma


RE: [ActiveDir] Exchange question

2006-08-22 Thread Ramon Linan

Thanks very much, I think my second question was very easy :) but wanted to confirm it.

The problem now is that we have 500 MB in the hard drive but the smtp queue is still not delivering the emails from one server to the other.

We have 2 email servers, one holds domain1.com and the other holds domain2.com. domain1.com can send and receive fine but domain2 can't send to domain2, the emails are stuck in the queue with that domain, how do I troubleshoot that?

Thanks

Re: [ActiveDir] Exchange question

2006-08-22 Thread Al Mulnick
Just to add my $0.04 worth: 

By the time you ask what's the minimum, it's usually too late and not enough. The SMTP queue drive should, as a general rule, not get below 10% free space. The way the product works, every smtp message is accepted then acted upon. What that means to you is that SMTP messages are going to hit the disk hard. This indicates that you want to separate that I/O from the rest of the server where possible. That would mean that you'd typically place this directory on a dedicated set of spindles and the smallest drive size you'll likely find these days is a 72GB drive. If your average message is ~100KB, then you have approximately 72GB/(100KB-10%) of space before you would even want to consider that your drive should stop. That's a lot of a messages for most corporate implementations and could easily translate into several days worth of mail at those numbers. 


Wouldn't you want your mail system to stop sending at some point like that? So that you go find the issue and resolve it? 

Honestly, I think the better questions to ask are going to be along the lines of what is the typical formula for figuring out drive performance and sizing of Exchange server drives for the various i/o types? That will give you the better idea of what you can and should not get away with on those disks if you need to make changes. If you don't make changes, at least you'll know the areas to be aware of. 


My thoughts anyway. 

al


Re: [ActiveDir] Exchange question

2006-08-22 Thread Al Mulnick
Have you seen this already? 
http://support.microsoft.com/kb/821910/


RE: [ActiveDir] Exchange question

2006-08-22 Thread Kevin Brunson

I don't guess I ever thought about moving mailroot, but that is a really good idea. Here's an article that tells how to do it just so no one has to go looking..

http://support.microsoft.com/?kbid=822933


RE: [ActiveDir] Exchange question

2006-08-22 Thread Ramon Linan

Thanks, I will start there... my biggest problem is that I am new in this job and I still don't know how they have the exchange servers configured, something that I am seeing in the event log is the error

Event id 3017

A non-delivery report with a status code of 5.3.5 was generated for recipient rfc822;[EMAIL PROTECTED] (Message-ID [EMAIL PROTECTED]).

Causes: A looping condition was detected. (The server is configured to route mail back to itself). If you have multiple SMTP Virtual Servers configured on your Exchange server, make sure they are defined by a unique incoming port and that the outgoing SMTP port configuration is valid to avoid looping between local virtual servers.

Solution: Check the configuration of the virtual server's connectors for loops and ensure each virtual server is defined by a unique incoming port.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanks


RE: [ActiveDir] Exchange question

2006-08-22 Thread Brandon Pierce

Obviously if the server is running out of space make sure you remediate that first. Second, I would recommend if ServerA cannot send to ServerB, but the reverse is NOT true, then I would suggest trying basic SMTP commands to ServerA from ServerB. Check the following:

1) Is the server responding to SMTP commands?
2) Can the server accept and deliver the mail item to intended recipient?
3) Are the SMTP queues clear in ESM?
4) Is DNS responding correctly (A, PTR, SRV records present?)?

Gut feeling...DNS.

That's my first shot!

Brandon


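Brandon's first two checks, as an added example that is not from the thread and not Exchange's own code: a scripted SMTP probe that speaks EHLO, MAIL FROM and RCPT TO to one server by hand and records the reply code at each step, so "is it answering SMTP commands" and "will it accept mail for this recipient" become numbers the far server itself produced. It stops before DATA, so nothing gets queued. For the offline run a tiny fake listener answers over a socketpair; it is a stand-in, not a mail server, and the host names (mx.domain1.com, mx.domain2.com) and addresses are placeholders.

```python
"""Added example (not from the thread): manual SMTP probe plus a fake
listener so it runs offline. Host names and addresses are placeholders."""
import socket
import threading


def _read_reply(rfile):
    """Read one SMTP reply, joining '250-...' continuation lines.
    Returns (code, [lines])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250 " ends, "250-" continues
            return int(line[:3]), lines


def smtp_probe(sock, helo_name, mail_from, rcpt_to, timeout=10):
    """Drive EHLO / MAIL FROM / RCPT TO / QUIT; return {step: reply code}."""
    sock.settimeout(timeout)
    rfile = sock.makefile("rb")
    result = {}

    def send(cmd, step):
        sock.sendall((cmd + "\r\n").encode("ascii"))
        result[step] = _read_reply(rfile)[0]
        return result[step]

    code, banner = _read_reply(rfile)         # 220 greeting = answering SMTP
    result["banner"] = code
    result["banner_text"] = banner[0]         # the name the server announces
    if send(f"EHLO {helo_name}", "ehlo") != 250:
        send(f"HELO {helo_name}", "helo")     # fall back for non-ESMTP hosts
    if send(f"MAIL FROM:<{mail_from}>", "mail_from") == 250:
        send(f"RCPT TO:<{rcpt_to}>", "rcpt_to")   # 250 accepted, 550 refused
    send("QUIT", "quit")
    rfile.close()
    return result


def fake_mta(sock, accepted_domains):
    """Stand-in listener: accepts RCPT only for its own domains."""
    rfile = sock.makefile("rb")

    def reply(text):
        sock.sendall((text + "\r\n").encode("ascii"))

    reply("220 mx.domain1.com ESMTP ready")
    while True:
        raw = rfile.readline()
        if not raw:
            break
        verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            reply(f"250-mx.domain1.com Hello [{arg}]")
            reply("250 SIZE 10485760")
        elif verb == "HELO":
            reply("250 mx.domain1.com Hello")
        elif verb == "MAIL":
            reply("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            if addr.rpartition("@")[2].lower() in accepted_domains:
                reply("250 2.1.5 Recipient OK")
            else:
                reply("550 5.7.1 Unable to relay for " + addr)
        elif verb == "QUIT":
            reply("221 2.0.0 Service closing transmission channel")
            break
        else:
            reply("500 5.5.1 Command unrecognized")
    rfile.close()
    sock.close()


def run_probe(accepted_domains, rcpt_to, helo_name="mx.domain2.com",
              mail_from="postmaster@domain2.com"):
    """Run the probe against the fake listener over a socketpair (offline)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_mta, args=(server, accepted_domains))
    worker.start()
    try:
        return smtp_probe(client, helo_name, mail_from, rcpt_to)
    finally:
        client.close()
        worker.join(timeout=5)


def probe_host(host, port, helo_name, mail_from, rcpt_to):
    """The same probe against a live server on whatever port it listens on."""
    with socket.create_connection((host, port), timeout=10) as sock:
        return smtp_probe(sock, helo_name, mail_from, rcpt_to)


if __name__ == "__main__":
    print(run_probe({"domain1.com"}, "user@domain1.com"))   # rcpt_to: 250
    print(run_probe({"domain1.com"}, "user@domain2.com"))   # rcpt_to: 550
```

Against real servers, call probe_host from the site whose queue is stuck, aimed at the other site's SMTP virtual server on its listening port. No banner at all means the listener or the network path is the problem (check 1); a 550 at RCPT TO comes from the far side's recipient or relay configuration and has nothing to do with the disk-space problem that started the thread (check 2). banner_text also records the name the far server announces itself with, which is worth comparing with what its Received headers claim.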
Re[2]: [ActiveDir] Exchange question

2006-08-22 Thread Mathieu CHATEAU

It all depends on the smtp traffic your company has...
And how fast your server processes mail..

In the MS doc "Exchange Server 2003 Design and Architecture at Microsoft"

MS use a 50GB partition to hold the SMTP Queue.

In my opinion, it also depends who sends mail to the internet.

If you have a dedicated smtp gateway, then your exchange will empty its queue on the smtp gateway (will always succeed)
while your smtp gateway will have to do many retries on many domains...

my two cents,

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com



Re[3]: [ActiveDir] Exchange question

2006-08-22 Thread Mathieu CHATEAU

Just to add that they also put 5000 Mailboxes of 250MB on the server.

50GB / 5000 mailboxes = 10.24 MB of smtp queue/mailbox on average.

Of course you will want a minimum size, whatever the number of mailboxes!

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com



RE: [ActiveDir] Exchange question

2006-08-22 Thread Ramon Linan

Thank everyone for the response... I am going nuts here, everything is a mess.

For some reason I can't telnet into domain1 email server from domain2, not only that, domain1 has 2 smtp servers, one in the port 6000 and the other in the port 25. Also I send an email to my personal account from domain2 and I got something like this in the header:

Mail from :[EMAIL PROTECTED]
Received: from servername.domain3.com ([ip address] helo=domain3.com

So the domain in the users email address does not match the email servers domain... I am wondering what are the implications of that

Thanks

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brandon Pierce
Sent: Tuesday, August 22, 2006
4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
question





Obviously if the server is running out
of space make sure you remediate that first. Second, I would recommend ifServerA
cannot send to ServerB, but the reverse is NOT true, then I would suggest
trying basic SMTP commands toServerA from ServerB.Check the
following:



1) Is the server responding to SMTP
commands?

2)Can the server accept and
deliver the mail item to intended recipient? 

3) Are the SMTP queues clear in ESM?

4) Is DNS responding correctly (A, PTR,
SRV records present?)?



Gut feeling...DNS.



That's my first shot!



Brandon









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 22, 2006
2:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange
question



Have you seen this already? 





http://support.microsoft.com/kb/821910/







On 8/22/06, Ramon Linan [EMAIL PROTECTED] wrote:








Thanks very much, I think my second question was very easy :) but wanted to confirm it.

The problem now is that we have 500 MB on the hard drive but the SMTP queue is still not delivering the emails from one server to the other.

We have 2 email servers, one holds domain1.com and the other holds domain2.com. domain1.com can send and receive fine but domain2 can't send to domain2, the emails are stuck in the queue with that domain, how do I troubleshoot that?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Tuesday, August 22, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

minimum amount of HD space needed for the smtp to work?

It depends mostly on how busy the server is.

Also, if the hard drive gets full will that stop the queue from delivering the emails?

Of course.

Sincerely,

Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan
Sent: Tue 8/22/2006 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange question

Hi,

I have 2 email servers in 2 different locations.

All of a sudden emails are not coming from one server to the other. I found out that the SMTP queue folder was on a hard drive that was running out of space.

Do you guys know the minimum amount of HD space needed for SMTP to work?

Also, if the hard drive gets full will that stop the queue from delivering the emails?

Thanks

Rezuma
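As an added example (not code from anyone in the thread), a PowerShell script that runs the basic SMTP commands Brandon recommends against ServerA from ServerB and then does the A and PTR lookups from his list. The host names and addresses in it are placeholders standing in for the two servers.

```powershell
# Added example, not code from the thread: the basic SMTP conversation Brandon
# suggests running toward ServerA from ServerB, plus the A and PTR lookups he lists.
# Assumptions: every host name and address below is a placeholder for the real servers.
param(
    [string]$Target = 'mail.domain1.com',       # placeholder for ServerA
    [int]$Port = 25,                            # domain1 also has a listener on 6000 per the thread
    [string]$From = 'postmaster@domain2.com',   # placeholder sender on ServerB
    [string]$To = 'someone@domain1.com'         # placeholder recipient hosted on ServerA
)

function Invoke-SmtpProbe {
    param([string]$Target, [int]$Port, [string]$From, [string]$To)
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    $tcp.ReceiveTimeout = 10000
    $reader = New-Object System.IO.StreamReader($tcp.GetStream())
    $writer = New-Object System.IO.StreamWriter($tcp.GetStream())
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    # A reply is zero or more "NNN-text" lines followed by one "NNN text" line; return them all.
    function Read-Reply { do { $line = $reader.ReadLine(); $line } while ($line -match '^\d{3}-') }
    $log = [ordered]@{ Banner = @(Read-Reply)[-1] }
    foreach ($cmd in "EHLO probe.domain2.com", "MAIL FROM:<$From>", "RCPT TO:<$To>", 'RSET', 'QUIT') {
        $writer.WriteLine($cmd)                          # EHLO name is a placeholder too
        $log[($cmd -split '[ :]')[0]] = @(Read-Reply)[-1] # keep the final reply line per command
    }
    $tcp.Close()
    # 250 on RCPT means ServerA accepts mail for that address; a 4xx/5xx there says why the queue backs up.
    [pscustomobject]$log
}

function Test-MailDns {
    param([string]$Target)
    $a   = Resolve-DnsName -Name $Target -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
    $ptr = if ($a) { Resolve-DnsName -Name $a[0].IPAddress -Type PTR -ErrorAction SilentlyContinue }
    # The PTR name should agree with what the server announces in HELO/EHLO; the Received
    # header Ramon quoted (helo=domain3.com) is where such a mismatch becomes visible.
    [pscustomobject]@{ A = ($a.IPAddress -join ','); PTR = ($ptr.NameHost -join ',') }
}

Invoke-SmtpProbe -Target $Target -Port $Port -From $From -To $To | Format-List
Test-MailDns -Target $Target | Format-List
```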

RE: [ActiveDir] LDAP queries and FERPA

2006-08-22 Thread Steve Evans
Here's what we do:

1.  Have a script that goes through all users in the FERPA OU and removes the
ACE for Authenticated Users.
2.  The account provisioning system uses a GUID for the CN instead of the
standard First+Last or username.  This is necessary because even with step 1
you can still list the contents of the OU, and the DN of the user will be
viewable in groups they are members of.


Steve Evans

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Tuesday, August 22, 2006 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP queries and FERPA

The recent discussion of LDAP queries from the outside brings to mind a
question regarding FERPA for those of us working in the education arena.

See http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

How do you deal with hiding directory data for individuals who have elected
to not have their directory data exposed?

I'm sure there are several solutions in current use.

-- 

Michael J. Miller
Computing Services
College of Veterinary Medicine, UIUC
_

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
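As an added example (not Steve's script), a PowerShell version of step 1 above: report, or with -Commit remove, the explicit ACEs granted to Authenticated Users on each user object under the FERPA OU. It assumes the ActiveDirectory module's AD: drive, uses a placeholder OU DN, and does not cover the GUID-as-CN provisioning in step 2.

```powershell
# Added example, not the poster's script: walk the user objects under a FERPA OU and
# strip the explicit ACEs granted to Authenticated Users (step 1 of the approach above).
# Report-only unless -Commit is given. Assumes the ActiveDirectory module is installed
# and that the OU DN below is a placeholder to replace with the real one.
param(
    [string]$FerpaOU = 'OU=FERPA,DC=example,DC=com',   # placeholder
    [switch]$Commit                                    # omit for a report-only run
)
Import-Module ActiveDirectory
$authUsersSid = ([System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users').Translate(
                    [System.Security.Principal.SecurityIdentifier])

function Remove-AuthenticatedUsersAce {
    param([string]$DistinguishedName, [switch]$Commit)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # Only explicit ACEs can be removed on the object itself; inherited ones come from
    # the parent OU's security descriptor and have to be handled there.
    $hits = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsersSid
    })
    foreach ($ace in $hits) { [void]$acl.RemoveAccessRule($ace) }
    if ($Commit -and $hits.Count -gt 0) { Set-Acl -Path $path -AclObject $acl }
    [pscustomobject]@{
        DN        = $DistinguishedName
        Removed   = $hits.Count
        Rights    = ($hits | ForEach-Object { $_.ActiveDirectoryRights } | Select-Object -Unique) -join ','
        Committed = [bool]$Commit
    }
}

Get-ADUser -SearchBase $FerpaOU -SearchScope Subtree -Filter * |
    ForEach-Object { Remove-AuthenticatedUsersAce -DistinguishedName $_.DistinguishedName -Commit:$Commit } |
    Format-Table -AutoSize
```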



Re: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread jef



This might have already been tried, but did you try running pkiview.msc from the machine? This checks the availability of the CRL from the current client against the CRL locations in HTTP and/or AD.

I had an issue a while back when trying to read an HTTP-based CRL: it could not connect due to an issue in the internal PAC script, which was not directing the client correctly.

Jef

- Original Message -
From: steve patrick
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 22, 2006 11:53 AM
Subject: Re: [ActiveDir] Secure LDAP queries from the outside

You cannot remove a CDP extension from a specific template - it is configured for all certs issued from the issuing CA.
If he plans to have clients from outside his network access the DCs over LDAPS - he should reconfigure the CA to include a CDP which is available outside of his network.

my .02

steve

- Original Message -
From: Bernier, Brandon (.)
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 22, 2006 9:14 AM
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Are you publishing a CRL? If so then it must use the path to the CRL that's specified in the certificate or it bombs out (latency to the hosting CRL server will kill it too.. forgot the exact value). Why do you need CRL checking on your DCs? Doesn't that make you question who is on your DCs that would make you revoke a cert among other things? I would modify the template (if you're using an Enterprise CA) and reissue the certs without a CRL and make sure the clients have the public key to your Root CA in their trusted root store. Something to ponder.

-Brandon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hi Robert,

Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don’t use a “well known” provider.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hey Mike,

When you say “It works fine behind our firewall”, are you meaning that the *exact same* command line works and you get the object returned?

I tried using adfind to connect to my test DC using port 636 and got the exact same error…but I don’t have a cert installed on my DC so I’d expect mine not to work.

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,
We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using “adfind”:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using “ldp”, the bind operation seems to want to default to port 389 (which is not open).

It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes
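As an added example (not code from anyone in the thread), a PowerShell check that pulls the certificate the DC presents on 636, lists the CRL Distribution Points in it and tests whether each can be fetched from the machine running it, which is the CDP-reachability condition Mike, Steve and Jef converge on. dc1.abc.com and 636 are placeholders taken from the adfind command above.

```powershell
# Added example, not code from the thread: grab the certificate a DC presents on
# 636, list its CRL Distribution Points and test each one from this client. The
# DC name and port are placeholders taken from the adfind command in the thread.
param([string]$Server = 'dc1.abc.com', [int]$Port = 636)

function Get-LdapsCertificate {
    param([string]$Server, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept whatever is presented: the aim is to inspect the cert, not to trust it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Server)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Get-CdpUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) emits "URL=..." lines.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CdpReachability {
    param([string[]]$Urls)
    foreach ($u in $Urls) {
        $result = if ($u -like 'ldap://*') {
            'LDAP CDP: needs LDAP access to AD, which an external client normally lacks'
        } else {
            try { $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
                  "HTTP $($r.StatusCode), $($r.RawContentLength) bytes" }
            catch { "unreachable: $($_.Exception.Message)" }
        }
        [pscustomobject]@{ CDP = $u; Result = $result }
    }
}

$cert = Get-LdapsCertificate -Server $Server -Port $Port
"Subject: $($cert.Subject)`nIssuer:  $($cert.Issuer)`nExpires: $($cert.NotAfter)"
Test-CdpReachability -Urls (Get-CdpUrls -Cert $cert) | Format-Table -AutoSize

# Windows' own chain and revocation verdict from this client (an unreachable CDP shows up as RevocationStatusUnknown/OfflineRevocation).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
[void]$chain.Build($cert)
if ($chain.ChainStatus.Count -eq 0) { 'Chain OK, revocation checked' }
else { $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" } }
```

Run it once from inside the firewall and once from the outside client; a CDP that answers in the first run and is unreachable in the second is the condition the thread describes.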


