Re: [ActiveDir] Problem in AD
Before installing DC01 & DC02, DC03 was the global catalog server. Now DC01 & DC02 are global catalog servers.

On 8/23/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
> If it is a single domain and not all DCs are a GC, make ALL DCs a GC.
> Besides that, also make sure a DNS server can be contacted.
> A bit more details please.
>
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> Tel: +31-(0)40-29.57.777 / Mobile: +31-(0)6-26.26.62.80
>
> From: [EMAIL PROTECTED] on behalf of Pankaj Verma
> Sent: Wed 2006-08-23 19:07
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Problem in AD
>
> Hi All,
>
> I have 3 domain controllers. I transferred all the FSMO roles from DC03 to DC02. After that I shut down DC03 and restarted DC02 & DC01, but after that I was not able to communicate with Active Directory. Then I switched on DC03, and after that everything is working fine. If somebody can tell me what could be the problem... And after that, in Event Viewer I am getting an error: Event ID = 1030 & 1058, source = Userenv.
>
> --
> Rgds
> Pankaj Verma
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx

--
Rgds
Pankaj Verma
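What Jorge's advice boils down to, as an added check that is not part of the thread: a PowerShell script (RSAT ActiveDirectory and DnsClient modules assumed, run on one of the surviving DCs) that lists who holds the FSMO roles now and whether those hosts answer, which DCs are global catalogs, and whether DNS still advertises a GC and an LDAP server that is actually up. The last step enables the GC flag on any writable DC that lacks it and prompts before each change. The DC names are the thread's own; the domain is read from AD.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory and
# DnsClient modules; run it on DC01 or DC02 while DC03 is shut down.
Import-Module ActiveDirectory

$dom    = Get-ADDomain
$forest = Get-ADForest

# 1. FSMO holders after the transfer, and whether each one answers.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $up = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
    '{0,-22} {1,-35} reachable={2}' -f $r.Key, $r.Value, $up
}

# 2. Which DCs are GCs. In a single-domain forest every DC can and should be.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, IsGlobalCatalog, IsReadOnly, Site | Format-Table -AutoSize

# 3. What DNS tells clients. If the GC/LDAP SRV records point only at the DC
#    you shut down, the DC locator fails even though the other DCs are up.
foreach ($name in "_ldap._tcp.dc._msdcs.$($dom.DNSRoot)", "_gc._tcp.$($dom.DNSRoot)") {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { "MISSING SRV record: $name"; continue }
    foreach ($rec in $srv) {
        $alive = Test-Connection -ComputerName $rec.NameTarget -Count 1 -Quiet
        '{0,-45} -> {1,-30} up={2}' -f $name, $rec.NameTarget, $alive
    }
}

# 4. Enable the GC role on any writable DC that lacks it (Jorge's advice).
#    Bit 1 of "options" on the NTDS Settings object is the GC flag; the bit
#    is OR-ed in so other option bits survive, and -Confirm asks first.
$dcs | Where-Object { -not $_.IsGlobalCatalog -and -not $_.IsReadOnly } | ForEach-Object {
    $dn   = $_.NTDSSettingsObjectDN
    $opts = (Get-ADObject -Identity $dn -Properties options).options
    Set-ADObject -Identity $dn -Replace @{ options = ($opts -bor 1) } -Confirm
    "GC flag set on $($_.HostName); it starts advertising as GC once the partial replicas have replicated in"
}
```

Userenv events 1030 and 1058 are Group Policy processing failing to read the GPO list or gpt.ini from a DC's SYSVOL, which is the usual downstream symptom when the locator cannot find a working GC or DNS still hands out the offline DC, so step 3 is the one to look at first.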
RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
Not sure if it will be configurable. I just happened to run across it on something else I was working on and saw the change request. I would imagine that it will not be configurable, as the intended behavior was to check the CRL, especially since sensitive operations such as password resets are generally going over LDAPS. However, someone who is beta testing Windows Server 2003 SP2 as a customer could verify that the change occurred and then provide feedback if it was undesirable.

Thanks,

-Steve
RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
Oh, this could catch some folks by surprise... Out of curiosity, is it implemented with a "turn on this reg key to enable this" or will it just occur? I prefer it be something admins turn on, otherwise it will catch people by surprise like the SP1 Service Control Manager ACL. And if there isn't a reg entry to turn it on, can we have a reg entry to turn it off, or do we wait until SP3? :)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
Furthermore, the current implementation of wldap32 in Windows Server 2003 SP1 does not request that the certificate be verified. This has been changed in a QFE for Windows Server 2003 SP1 and will be addressed in the next service pack for Windows Server 2003, SP2. So you may see a change in behavior going forward, at least on the server platform.

Thanks,

-Steve
RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
Windows 2000 RTM, by default, does not perform CRL checking; XP and 2003 do. However, there are behavior variances on an application-by-application basis. For more information: http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl.mspx#ES3AE

Laura
Re: [ActiveDir] Secure LDAP queries from the outside --> problem solved
It actually depends on the policy defined for the SSL stack. In Windows, this is typically configured globally for all SSL, although I'm not sure where. It definitely used to be the case in Windows that CRLs were never checked, but I have seen some other SSL stuff with HTTP actually checking the CRL on 2K3 servers.

It is also possible in SSPI with Schannel to ignore specific conditions, so this could be something that is ignored in the default LDAP SSL routine in Windows, but I doubt it. The callback function for server certificate verification will give you the error code if there is a problem and the client can then deal with it as it sees fit.

CRLs can definitely be trouble though. They are by far the most vexing thing to troubleshoot in SSL, and PKI in general.

Joe
RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
Hi joe,

The CRL location is *not* available from the outside. And since neither adfind, ldp nor Outlook Express seemed to care, I am guessing that not many (any?) tools require it. Kinda makes ya wonder why you would have it if it's not used. Sorta like not using the book of bad credit card numbers when someone handed you a credit card! (Maybe some of you are old enough to remember this safeguard before there were computers everywhere! LOL!)

Mike Thommes
RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
Cool, is the CRL available from the outside at all? I am really curious if that is truly needed from the client when using LDAPS; it doesn't seem to be needed, but my testing has been far from perfect in that regard.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: Thommes, Michael M.
Sent: Wednesday, August 23, 2006 8:06 AM
Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved

Thanks to all who responded! The problem was solved by installing our local root CA cert on the "outside" computer, since we are "rolling our own" and not using one of the well known CAs (Trusted Root Certification Authorities).

Mike Thommes

From: Thommes, Michael M.
Sent: Tuesday, August 22, 2006 9:36 AM
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hi Robert,

Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a "well known" provider.

Mike Thommes

From: Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hey Mike,

When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned? I tried using adfind to connect to my test DC using port 636 and got the exact same error... but I don't have a cert installed on my DC, so I'd expect mine not to work.

Robert Williams

From: Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,

We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs, but we get a 0x51 error like the one shown below in this example of using "adfind":

    adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

    AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

    LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
    Terminating program.

(extensionAttribute2 is used for the email address.) Portqry shows that the DC is listening on port 636. Using "ldp", the bind operation seems to want to default to port 389 (which is not open). It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes
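The thread names two reasons an LDAPS connection from outside can fail even though port 636 is open: the client does not trust the private root CA, and the CRL location is not reachable through the firewall. The following is an added example, not code from the thread, that checks both from the client side; the server name is a placeholder.

```powershell
using namespace System.Net.Security
using namespace System.Security.Cryptography.X509Certificates

# Connect to the DC's LDAPS listener, capture the certificate it presents and
# validate it the way an LDAP client on this machine would (trusted root plus
# CRL check). No LDAP bind is performed; only the TLS handshake is completed.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Server,   # e.g. dc1.abc.com (placeholder)
        [int] $Port = 636
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl    = $null
    try {
        # A closed or filtered port fails here with a socket exception, which is the
        # situation adfind reports as "Error 0x51 (81) - Server Down".
        $client.Connect($Server, $Port)

        # Accept whatever the DC presents during the handshake so the certificate can
        # be inspected; the real verdict comes from the X509Chain built below.
        $acceptAll = [RemoteCertificateValidationCallback] { $true }
        $ssl = [SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = [X509Certificate2]::new($ssl.RemoteCertificate)

        # Build the chain against this machine's Trusted Root store and fetch the CRL
        # for every certificate in the chain, as a verifying client would.
        $chain = [X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
        $trusted  = $chain.Build($cert)
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        # CRL Distribution Points extension (OID 2.5.29.31): the URLs listed here must
        # be reachable from this client or revocation checking cannot complete.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
               ForEach-Object { $_.Format($true) }

        [pscustomobject]@{
            Server        = "${Server}:$Port"
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            DnsName       = $cert.GetNameInfo([X509NameType]::DnsName, $false)  # compare with the name passed to adfind -h
            ChainTrusted  = $trusted
            ChainProblems = if ($problems.Count) { $problems -join ', ' } else { 'none' }
            CrlUrls       = (($cdp -join ' ') -replace '\s+', ' ').Trim()
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Run from the machine that sits outside the firewall (server name is a placeholder):
Test-LdapsCertificate -Server 'dc1.abc.com' | Format-List
```

UntrustedRoot in ChainProblems is the case Mike hit (the local root CA must be in the client's Trusted Root store); RevocationStatusUnknown or OfflineRevocation means the URLs in CrlUrls could not be fetched from where the client sits, which is the firewall question raised in the thread.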
RE: [ActiveDir] management of group policy links (GPMC)
No, in case you screw up a GPO (vs. deleting it by accident) there's no need to first delete and then restore the backed-up GPO. The values won't be "merged" - the existing one will be completely overwritten.

/Guido

-----Original Message-----
From: Graham Turner
Sent: Wednesday, August 23, 2006 10:14 PM
Subject: RE: [ActiveDir] management of group policy links (GPMC)

Duly noted. One other query on a similar note: if we do need to restore a GPO with GPMC, say in the scenario of admin error, is it better working practice to DELETE the existing GPO, presumably wait for SYSVOL replication and then restore? It seems the best way to get the 'clean state' and not have issues, say, of merged values?

GT
Re: [ActiveDir] Exclude from GPO
Yeah, it's called creating a GPO that has that setting disabled (not "not defined", disabled). You could always look at it as having to create a whole new GPO because they want to define whatever that object is on everything else. If they didn't want to define that, you'd be golden and wouldn't have to do it. In other words: remove the setting from everything, or you get to create a GPO to disable that setting.

On 8/23/06, Harding, Devon <[EMAIL PROTECTED]> wrote:

Is it possible to exclude a group of computers from ONE setting from a particular GPO, but apply everything else in that GPO? I'd have to create a whole new GPO just for one setting.

-Devon
RE: [ActiveDir] management of group policy links (GPMC)
Duly noted. One other query on a similar note: if we do need to restore a GPO with GPMC, say in the scenario of admin error, is it better working practice to DELETE the existing GPO, presumably wait for SYSVOL replication and then restore? It seems the best way to get the 'clean state' and not have issues, say, of merged values?

GT

> Yep - but I'd also run the GetReportsForAllGPOs.wsf script during your backup job - these reports are very useful to discover what may have changed in a GPO after the last backup...
>
> /Guido
RE: [ActiveDir] Exclude from GPO
Nope - you'll have to either create a second GPO without the setting and apply appropriate filters to both so that only one GPO is applied to your special set and the other GPO to all others. Or you trim your existing GPO so that it is more generic (i.e. it doesn't contain the "unwanted" settings for your group of computers) and create another one that only contains the special settings. In the latter case you'd then only have to apply a filter to the "special settings" GPO so that it's not applied to your group of computers that shouldn't get them.

/Guido

From: Harding, Devon
Sent: Wednesday, August 23, 2006 10:04 PM
Subject: [ActiveDir] Exclude from GPO

Is it possible to exclude a group of computers from ONE setting from a particular GPO, but apply everything else in that GPO? I'd have to create a whole new GPO just for one setting.

-Devon
[ActiveDir] Exclude from GPO
Is it possible to exclude a group of computers from ONE setting from a particular GPO, but apply everything else in that GPO? I'd have to create a whole new GPO just for one setting.

-Devon
RE: [ActiveDir] management of group policy links (GPMC)
Yep - but I'd also run the GetReportsForAllGPOs.wsf script during your backup job - these reports are very useful to discover what may have changed in a GPO after the last backup...

/Guido

-----Original Message-----
From: Graham Turner
Sent: Wednesday, August 23, 2006 9:08 PM
Subject: RE: [ActiveDir] management of group policy links (GPMC)

Thanks both.

What this is all about is putting in place the necessary operational practices to ensure the capability to restore in the event of a GPO restore scenario.

From both your notes it seems that with the backups of the GPOs themselves (backupallGPOs.wsf) together with the output from the ListSOMPolicyTree.wsf script I have ALL the necessary information for the return of the GPO (and the OU to which it is linked) to its prior state.

Thanks
RE: [ActiveDir] Exchange question
Glad to hear that. Why is one SMTP server configured with 2 IP addresses?

Alex

From: Ramon Linan
Sent: Wednesday, August 23, 2006 3:17 PM
Subject: RE: [ActiveDir] Exchange question

I have done the telnet... I think I found the problem: the target SMTP server was configured to only accept connections from certain IP addresses; the source SMTP server has 2 IP addresses, and only one was in the list... It seems to be working fine now...

Thanks all

From: Kitchens Arthur E
Sent: Wednesday, August 23, 2006 12:31 PM
Subject: RE: [ActiveDir] Exchange question

Have you looked at this to see if there's any utility for you?
http://support.microsoft.com/kb/323350/

From: Ramon Linan
Sent: Wednesday, August 23, 2006 11:35 AM
Subject: RE: [ActiveDir] Exchange question

Thanks for your help. I have found out more about my problem. It looks like the target Exchange SMTP server is acting up: I can telnet sometimes and sometimes I can't. Also, sometimes I am able to telnet but it is really slow, and sometimes it even freezes on me. I am still troubleshooting.

Thanks

From: Al Mulnick
Sent: Wednesday, August 23, 2006 9:09 AM
Subject: Re: [ActiveDir] Exchange question

The implications are further down the troubleshooting stack IMHO. If you cannot telnet to TCP 25 from the source Exchange server to the target Exchange server, then you have a problem with connectivity. You must be able to do this. Both directions. Until you can successfully do this, there is nothing more you can hope to accomplish. You can check DNS as well, but you can also find out if basic connectivity is functioning using the IP addresses. If it's not, and it sounds like it's not, then you'll need to address that first.

Al

On 8/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Thank everyone for the response... I am going nuts here, everything is a mess. For some reason I can't telnet into the domain1 email server from domain2; not only that, domain1 has 2 SMTP servers, one on port 6000 and the other on port 25. Also, I sent an email to my personal account from domain2 and I got something like this in the header:

    Mail from : [EMAIL PROTECTED]
    Received: from servername.domain3.com ([ip address] helo=domain3.com

So the domain in the user's email address does not match the email server's domain... I am wondering what the implications of that are...

Thanks

From: Brandon Pierce
Sent: Tuesday, August 22, 2006 4:21 PM
Subject: RE: [ActiveDir] Exchange question

Obviously, if the server is running out of space, make sure you remediate that first. Second, if ServerA cannot send to ServerB, but the reverse is NOT true, then I would suggest trying basic SMTP commands to ServerA from ServerB. Check the following:

1) Is the server responding to SMTP commands?
2) Can the server accept and deliver the mail item to the intended recipient?
3) Are the SMTP queues clear in ESM?
4) Is DNS responding correctly (A, PTR, SRV records present)?

Gut feeling... DNS. That's my first shot!

Brandon

From: Al Mulnick
Sent: Tuesday, August 22, 2006 2:04 PM
Subject: Re: [ActiveDir] Exchange question

Have you seen this already?
http://support.microsoft.com/kb/821910/

On 8/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Thanks very much. I think my second question was very easy, but I wanted to confirm it. The problem now is that we have 500 MB on the hard drive but the SMTP queue is still not delivering the emails from one server to the other. We have 2 email servers: one holds domain1.com and the other holds domain2.com. domain1.com can send and receive fine, but domain2 can't send to domain2; the emails are stuck in the queue with that domain. How do I troubleshoot that?

Thanks

From: Akomolafe, Deji
Sent: Tuesday, August 22, 2006 3:07 PM
Subject: RE: [ActiveDir] Exchange question

>>> minimum amount of HD space needed for the smtp to work?

It depends mostly on how busy the server is.

>>> Also, if the hard drive gets full will that stop the queue from delivering the emails?

Of course.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com
RE: [ActiveDir] Exchange question
I have done the telnet... I think I found the problem: the target SMTP server was configured to only accept connections from certain IP addresses; the source SMTP server has 2 IP addresses, and only one was in the list... It seems to be working fine now...

Thanks all

From: Kitchens Arthur E
Sent: Wednesday, August 23, 2006 12:31 PM
Subject: RE: [ActiveDir] Exchange question

Have you looked at this to see if there's any utility for you?
http://support.microsoft.com/kb/323350/
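Al's advice is to telnet to TCP 25 in both directions before looking anywhere else, and the root cause Ramon found was a target that only accepted connections from listed source addresses while the sending server had two. The following added example (not code from the thread) repeats that check from every IPv4 address of the sending server, so an address missing from the target's list shows up as the one that fails; the target name is a placeholder.

```powershell
# Repeat the "telnet to TCP 25" check once per local IPv4 address: the socket is
# bound to each source address in turn, so a target that only accepts listed
# source IPs shows up as one address working and another being refused.
function Test-SmtpFromEachLocalAddress {
    param(
        [Parameter(Mandatory)] [string] $Target,   # target SMTP server (placeholder)
        [int] $Port = 25,
        [int] $TimeoutMs = 5000
    )
    $hostName = [System.Net.Dns]::GetHostName()
    $localIPs = [System.Net.Dns]::GetHostAddresses($hostName) |
                Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork }

    foreach ($ip in $localIPs) {
        $result = [ordered]@{
            SourceIP = $ip.IPAddressToString; Connected = $false
            Banner = ''; EhloReply = ''; Error = ''
        }
        # Binding to (ip, 0) fixes the source address and lets the OS pick the port.
        $client = [System.Net.Sockets.TcpClient]::new([System.Net.IPEndPoint]::new($ip, 0))
        try {
            $client.ReceiveTimeout = $TimeoutMs
            $client.SendTimeout    = $TimeoutMs
            $pending = $client.BeginConnect($Target, $Port, $null, $null)
            if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                throw "no connection within ${TimeoutMs} ms (filtered or not listening)"
            }
            $client.EndConnect($pending)
            $result.Connected = $true

            $stream = $client.GetStream()
            $reader = [System.IO.StreamReader]::new($stream)
            $writer = [System.IO.StreamWriter]::new($stream)
            $writer.NewLine   = "`r`n"
            $writer.AutoFlush = $true

            # Read the 220 greeting, then send EHLO. A relay restriction typically
            # answers the connection or the EHLO with a 5xx instead of 250.
            $result.Banner = $reader.ReadLine()
            $writer.WriteLine("EHLO $hostName")
            $lines = @()
            do {
                $line = $reader.ReadLine()
                if ($null -ne $line) { $lines += $line }
            } while ($line -match '^\d{3}-')      # "250-" continues, "250 " ends the reply
            $result.EhloReply = $lines -join ' | '
            $writer.WriteLine('QUIT')
        }
        catch {
            $result.Error = $_.Exception.Message
        }
        finally {
            $client.Dispose()
        }
        [pscustomobject]$result
    }
}

# Placeholder target; compare the rows per source address.
Test-SmtpFromEachLocalAddress -Target 'mail.domain1.com' | Format-Table -AutoSize
```

One source address connecting and getting 250 while another times out or receives a 5xx is the pattern Ramon described; the fix is on the target's accepted-senders list or in making the sending server use a single address.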
RE: [ActiveDir] management of group policy links (GPMC)
Thanks both.

What this is all about is putting in place the necessary operational practices to ensure the capability to restore in the event of a GPO restore scenario.

From both your notes it seems that with the backups of the GPOs themselves (backupallGPOs.wsf) together with the output from the ListSOMPolicyTree.wsf script I have ALL the necessary information for the return of the GPO (and the OU to which it is linked) to its prior state.

Thanks

> Graham-
> The Inheritance and Delegation tabs (when you're sitting on a container object like an OU in GPMC) provide the information indicated below. I guess I'm wondering what you're missing from that? It's true that GPMC backup/restore does not restore links, link order or Enforced flags, but there are 3rd party products that can do this, combining GPO restore with the AD parts of that.
>
> Darren
Re: [ActiveDir] Best Practice for replacing a DC
Somewhere in there you're going to want to update the schema (it's implied, but I figured I'd spell it out since it's a newbie and all :). You can read the steps for the install in the readme, if I recall correctly. The one part that bothers me is that you mention it's a replacement. Does the name/IP address have to stay the same? That would be harder if it does.

On 8/23/06, Mathieu CHATEAU <[EMAIL PROTECTED]> wrote:

Hello Bob,

- Buy the new server
- Install W2K3 SP1 + full update
- dcpromo to the domain
- Transfer all 5 FSMO roles to this new server
- Make this new server a Global Catalog
- Check DNS, DHCP if applicable
- Wait for replication

Then you should power off the old one to be sure everything is OK.

If OK,
- power on the old one
- dcpromo the old one (and NO, it's not the last of the domain)
- power off

You should always have at least 2 DCs and 2 global catalogs. When all DCs are W2K3, you can raise the forest and domain to native W2K3.

My 2 cents.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
RE: [ActiveDir] Problem in AD
If it is a single domain and not all DCs are a GC, make ALL DCs a GC. Besides that, also make sure a DNS server can be contacted. A bit more details please.

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80

From: Pankaj Verma
Sent: Wed 2006-08-23 19:07
Subject: [ActiveDir] Problem in AD

Hi All,

I have 3 domain controllers. I transferred all the FSMO roles from DC03 to DC02; after that I shut down DC03 and restarted DC02 and DC01, but after that I was not able to communicate with Active Directory. Then I switched on DC03, and after that everything is working fine. If somebody can tell me what could be the problem... Also, in Event Viewer I am getting an error: Event ID = 1030 & 1058, source = Userenv.

--
Rgds
Pankaj Verma
Re: [ActiveDir] Best Practice for replacing a DC
Hello Bob,

- Buy the new server
- Install W2K3 SP1 + full update
- dcpromo to the domain
- Transfer all 5 FSMO roles to this new server
- Make this new server a Global Catalog
- Check DNS, DHCP if applicable
- Wait for replication

Then you should power off the old one to be sure everything is OK.

If OK,
- power on the old one
- dcpromo the old one (and NO, it's not the last of the domain)
- power off

You should always have at least 2 DCs and 2 global catalogs. When all DCs are W2K3, you can raise the forest and domain to native W2K3.

My 2 cents.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

Wednesday, August 23, 2006, 8:15:33 PM, you wrote:

BA> Good Afternoon,
BA> This is a rather newbie question. We have an aging HP server that is our present DC; it is running W2K. We would like to replace it with a new box running Windows 2003 Std R2.
BA> What is the best practice on bringing the new DC online and decommissioning the old server? The new server will replace the DC and another member server. We also have a Windows 2003 Exchange Server and a Windows 2000 SQL Server machine that will be staying. Eventually we will upgrade the Windows 2000 box to 2003, giving us a full Windows 2003 domain.
BA> Thanks
BA> Bob Anderson
BA> IT Guy
BA> Kent Sporting Goods.
[ActiveDir] Best Practice for replacing a DC
Good Afternoon,

This is a rather newbie question. We have an aging HP server that is our present DC; it is running W2K. We would like to replace it with a new box running Windows 2003 Std R2.

What is the best practice on bringing the new DC online and decommissioning the old server? The new server will replace the DC and another member server. We also have a windows 3003 Exchange Server and a Windows 200 SQL Server machine that will be staying. Eventually we will upgrade the Windows 2000 box to 2003 giving us a full windows 2003 domain.

Thanks

Bob Anderson
IT Guy
Kent Sporting Goods.
Re: [ActiveDir] Problem in AD
I'm afraid you need to give a little more detail than that. What do you mean not able to communicate with AD?

M@

On 8/23/06, Pankaj Verma <[EMAIL PROTECTED]> wrote:

Hi All

I have 3 domain controllers. I transferred all the FSMO roles from DC03 to DC02; after that I shut down DC03 & I restarted DC02 & DC01, but after that I was not able to communicate with Active Directory. Then I switched on DC03 and after that everything is working fine. If somebody can tell me what could be the problem. And in the event viewer I am getting an error:

Event id =1030 & 1058 source = Userenv

--
Rgds
Pankaj verma
RE: [ActiveDir] management of group policy links (GPMC)
Graham-

The Inheritance and Delegation tabs (when you're sitting on a container object like an OU in GPMC) provide the information indicated below. I guess I'm wondering what you're missing from that? It's true that GPMC backup/restore does not restore links, link order or Enforced flags, but there are 3rd party products that can do this, combining GPO restore with the AD parts of that.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, August 23, 2006 10:05 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] management of group policy links (GPMC)

Dear all,

as I recall / understand, group policy links are stored as an attribute (gplink) of the OU.

It seems that GPMC is fine at summarising the links on a per OU basis as you step down the forest / domain structure.

However it seems to lack a summary of OU / linked GPO(s) / link order / security filtering / delegation.

This would seem to be helpful in the context of documenting an Active Directory, especially given the scenario of a restore of a GPO, which does not look to restore links, let alone the link order, which would need to be restored somehow in the event of a GPO restore.

Thanks, as always

GT
RE: [ActiveDir] Problem in AD
"not able to communicate with active directory" - can you give more details?

Was DC03 the only Global Catalog? If yes, this could be the cause of your problem.

Tim

> Date: Wed, 23 Aug 2006 21:07:50 +0400
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Problem in AD
>
> Hi All
>
> I have 3 domain controllers. I transferred all the FSMO roles from DC03
> to DC02; after that I shut down DC03 & I restarted DC02 & DC01, but after
> that I was not able to communicate with Active Directory. Then I switched
> on DC03 and after that everything is working fine. If somebody can tell
> me what could be the problem. And in the event viewer I am
> getting an error:
>
> Event id =1030 & 1058 source = Userenv
>
> --
> Rgds
> Pankaj verma
RE: [ActiveDir] management of group policy links (GPMC)
The GPMC scripts include the ListSOMPolicyTree.wsf script, which at least creates a useful text report of which GPOs are linked to which OUs (and sites). Combine this script with BackupAllGPOs.wsf and GetReportsForAllGPOs.wsf to be well prepared to restore GPOs (and then link them back to where they were linked prior to deletion).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, August 23, 2006 7:05 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] management of group policy links (GPMC)

Dear all,

as I recall / understand, group policy links are stored as an attribute (gplink) of the OU.

It seems that GPMC is fine at summarising the links on a per OU basis as you step down the forest / domain structure.

However it seems to lack a summary of OU / linked GPO(s) / link order / security filtering / delegation.

This would seem to be helpful in the context of documenting an Active Directory, especially given the scenario of a restore of a GPO, which does not look to restore links, let alone the link order, which would need to be restored somehow in the event of a GPO restore.

Thanks, as always

GT
[ActiveDir] Problem in AD
Hi All

I have 3 domain controllers. I transferred all the FSMO roles from DC03 to DC02; after that I shut down DC03 & I restarted DC02 & DC01, but after that I was not able to communicate with Active Directory. Then I switched on DC03 and after that everything is working fine. If somebody can tell me what could be the problem. And in the event viewer I am getting an error:

Event id =1030 & 1058 source = Userenv

--
Rgds
Pankaj verma
[ActiveDir] management of group policy links (GPMC)
Dear all,

as I recall / understand, group policy links are stored as an attribute (gplink) of the OU.

It seems that GPMC is fine at summarising the links on a per OU basis as you step down the forest / domain structure.

However it seems to lack a summary of OU / linked GPO(s) / link order / security filtering / delegation.

This would seem to be helpful in the context of documenting an Active Directory, especially given the scenario of a restore of a GPO, which does not look to restore links, let alone the link order, which would need to be restored somehow in the event of a GPO restore.

Thanks, as always

GT
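A small parser for the gPLink format Graham mentions, producing the OU / linked GPO / link order / Enforced summary he is missing, plus the list of links an admin has to re-create after a GPO restore. This is an added example written for this thread, not GPMC code or one of the GPMC sample scripts; the OU and GPO GUIDs are constructed, and it assumes the MS-GPOL convention that the last entry in the gPLink string is GPMC link order 1.

```python
"""Build a GPMC-style "linked GPOs / link order / Enforced" report from the
gPLink and gPOptions attributes of a scope of management (site, domain or OU).

Added example for this thread; it is not part of GPMC or of the GPMC sample
scripts. Sample attribute values below are constructed, not read from a live AD.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One link entry: [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>]
_LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
_GUID_RE = re.compile(r"cn=(\{[0-9a-f-]{36}\})", re.IGNORECASE)

LINK_DISABLED = 0x1       # per-link options bit 0: link disabled
LINK_ENFORCED = 0x2       # per-link options bit 1: Enforced ("No Override")
BLOCK_INHERITANCE = 0x1   # gPOptions bit 0 on the SOM itself


@dataclass(frozen=True)
class GpoLink:
    order: int            # GPMC link order, 1 = highest precedence
    gpo_dn: str
    enforced: bool
    disabled: bool

    @property
    def gpo_guid(self) -> str:
        m = _GUID_RE.search(self.gpo_dn)
        return m.group(1).upper() if m else self.gpo_dn


def parse_gplink(gplink: str | None) -> list[GpoLink]:
    """Return the links of one SOM in GPMC link order (order 1 first).

    Assumed convention (MS-GPOL): gPLink stores the lowest-precedence link
    first, so the last entry in the string is GPMC link order 1.
    """
    text = (gplink or "").strip()
    entries = _LINK_RE.findall(text)
    if _LINK_RE.sub("", text):      # anything left over is not a valid entry
        raise ValueError(f"malformed gPLink value: {text!r}")
    links = []
    for order, (dn, opts) in enumerate(reversed(entries), start=1):
        o = int(opts)
        links.append(GpoLink(order, dn, bool(o & LINK_ENFORCED), bool(o & LINK_DISABLED)))
    return links


def som_report(som_dn: str, gplink: str | None, gpoptions: int = 0) -> list[str]:
    """Text lines in the style of GPMC's Linked Group Policy Objects tab."""
    lines = [f"SOM: {som_dn}"]
    if gpoptions & BLOCK_INHERITANCE:
        lines.append("  Block Inheritance: Yes")
    for link in parse_gplink(gplink):
        flags = [n for n, on in (("Enforced", link.enforced),
                                 ("Link Disabled", link.disabled)) if on]
        suffix = f"  [{', '.join(flags)}]" if flags else ""
        lines.append(f"  {link.order}. {link.gpo_guid}{suffix}")
    return lines


def missing_links(saved_gplink: str, current_gplink: str) -> list[GpoLink]:
    """Links recorded before a GPO deletion that the SOM no longer has.

    This is the list to re-create by hand after a GPMC restore, which brings
    the GPO back but not its links, link order or Enforced flag.
    """
    current = {l.gpo_guid for l in parse_gplink(current_gplink)}
    return [l for l in parse_gplink(saved_gplink) if l.gpo_guid not in current]


# Constructed sample: three GPOs linked to one OU; the string order is the
# reverse of what GPMC shows.
SAMPLE_OU = "OU=Workstations,DC=example,DC=com"
SAMPLE_GPLINK = (
    "[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=example,DC=com;0]"
    "[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=example,DC=com;1]"
    "[LDAP://cn={33333333-3333-3333-3333-333333333333},cn=policies,cn=system,DC=example,DC=com;2]"
)
# The same OU after GPO {2222...} was deleted: its entry is simply gone.
SAMPLE_GPLINK_AFTER_DELETE = (
    "[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=example,DC=com;0]"
    "[LDAP://cn={33333333-3333-3333-3333-333333333333},cn=policies,cn=system,DC=example,DC=com;2]"
)

if __name__ == "__main__":
    print("\n".join(som_report(SAMPLE_OU, SAMPLE_GPLINK, gpoptions=1)))
    for link in missing_links(SAMPLE_GPLINK, SAMPLE_GPLINK_AFTER_DELETE):
        print(f"re-link {link.gpo_guid} at order {link.order}"
              f" enforced={link.enforced} disabled={link.disabled}")
```

Feeding it the gPLink values saved alongside a BackupAllGPOs.wsf run gives exactly the link-order and Enforced information that the GPO backup itself does not carry.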
RE: [ActiveDir] Exchange question
have you looked at this to see if there's any utility for you? http://support.microsoft.com/kb/323350/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, August 23, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Thanks for your help. I have found out more about my problem. It looks like the target exchange SMTP server is acting up, I can telnet sometimes and sometimes I can't. Also sometimes I am able to telnet but it is really slow and sometimes it even freezes on me. I am still troubleshooting

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, August 23, 2006 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

The implications are further down the troubleshooting stack IMHO. If you cannot telnet to TCP 25 from the source Exchange server to the target Exchange server, then you have a problem with connectivity. You must be able to do this. Both directions. Until you can successfully do this, there is nothing more you can hope to accomplish. You can check DNS as well, but you can also find out if basic connectivity is functioning using the IP addresses. If it's not, and it sounds like it's not, then you'll need to address that first.

Al

On 8/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Thank everyone for the response... I am going nuts here, everything is a mess. For some reason I can't telnet into domain1 email server from domain2, not only that, domain1 has 2 SMTP servers, one on port 6000 and the other on port 25.

Also I sent an email to my personal account from domain2 and I got something like this in the header:

Mail from : [EMAIL PROTECTED]
Received: from servername.domain3.com ([ip address] helo=domain3.com

So the domain in the user's email address does not match the email server's domain... I am wondering what the implications of that are...

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brandon Pierce
Sent: Tuesday, August 22, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Obviously if the server is running out of space make sure you remediate that first. Second, I would recommend if ServerA cannot send to ServerB, but the reverse is NOT true, then I would suggest trying basic SMTP commands to ServerA from ServerB. Check the following:
1) Is the server responding to SMTP commands?
2) Can the server accept and deliver the mail item to the intended recipient?
3) Are the SMTP queues clear in ESM?
4) Is DNS responding correctly (A, PTR, SRV records present?)?
Gut feeling...DNS. That's my first shot!

Brandon

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, August 22, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

Have you seen this already? http://support.microsoft.com/kb/821910/

On 8/22/06, Ramon Linan < [EMAIL PROTECTED]> wrote:

Thanks very much, I think my second question was very easy :-) but wanted to confirm it. The problem now is that we have 500 mg in the hard drive but the SMTP queue is still not delivering the emails from one server to the other. We have 2 email servers, one holds domain1.com and the other holds domain2.com. domain1.com can send and receive fine but domain2 can't send to domain2, the emails are stuck in the queue with that domain, how do I troubleshoot that?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Tuesday, August 22, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

>>> minimum amount of HD space needed for the smtp to work?
It depends mostly on how busy the server is.

>>> Also, if the hard drive gets full will that stop the queue from delivering the emails?
Of course.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan
Sent: Tue 8/22/2006 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange question

Hi,

I have 2 email servers in 2 different locations. All of a sudden emails are not coming from one server to the other, I found out that the SMTP queue folder was in a hard drive that was running out of space. Do you guys know what is the minimum amount of HD space needed for the SMTP to work? Also, if the hard drive gets full will that stop the queue from delivering the emai
RE: [ActiveDir] Exchange question
I would also make sure all Exchange services are running and restart the SMTP service. Run the MS SMTPdiag tool on both servers to test SMTP connectivity between the servers. If that doesn't work, I would also run the MailFlow Troubleshooter from the MS EXCH Troubleshooting Assistant. In addition, if all fails, I would run an offline defrag to reclaim hard drive space, after backing up your .edb files and making sure deleted item retention is unchecked. Then restart Exchange services

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, August 23, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Thanks for your help. I have found out more about my problem. It looks like the target exchange SMTP server is acting up, I can telnet sometimes and sometimes I can't. Also sometimes I am able to telnet but it is really slow and sometimes it even freezes on me. I am still troubleshooting

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, August 23, 2006 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

The implications are further down the troubleshooting stack IMHO. If you cannot telnet to TCP 25 from the source Exchange server to the target Exchange server, then you have a problem with connectivity. You must be able to do this. Both directions. Until you can successfully do this, there is nothing more you can hope to accomplish. You can check DNS as well, but you can also find out if basic connectivity is functioning using the IP addresses. If it's not, and it sounds like it's not, then you'll need to address that first.

Al

On 8/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Thank everyone for the response... I am going nuts here, everything is a mess. For some reason I can't telnet into domain1 email server from domain2, not only that, domain1 has 2 SMTP servers, one on port 6000 and the other on port 25.

Also I sent an email to my personal account from domain2 and I got something like this in the header:

Mail from : [EMAIL PROTECTED]
Received: from servername.domain3.com ([ip address] helo=domain3.com

So the domain in the user's email address does not match the email server's domain... I am wondering what the implications of that are...

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brandon Pierce
Sent: Tuesday, August 22, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Obviously if the server is running out of space make sure you remediate that first. Second, I would recommend if ServerA cannot send to ServerB, but the reverse is NOT true, then I would suggest trying basic SMTP commands to ServerA from ServerB. Check the following:
1) Is the server responding to SMTP commands?
2) Can the server accept and deliver the mail item to the intended recipient?
3) Are the SMTP queues clear in ESM?
4) Is DNS responding correctly (A, PTR, SRV records present?)?
Gut feeling...DNS. That's my first shot!

Brandon

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, August 22, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

Have you seen this already? http://support.microsoft.com/kb/821910/

On 8/22/06, Ramon Linan < [EMAIL PROTECTED]> wrote:

Thanks very much, I think my second question was very easy :-) but wanted to confirm it. The problem now is that we have 500 mg in the hard drive but the SMTP queue is still not delivering the emails from one server to the other. We have 2 email servers, one holds domain1.com and the other holds domain2.com. domain1.com can send and receive fine but domain2 can't send to domain2, the emails are stuck in the queue with that domain, how do I troubleshoot that?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Tuesday, August 22, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

>>> minimum amount of HD space needed for the smtp to work?
It depends mostly on how busy the server is.

>>> Also, if the hard drive gets full will that stop the queue from delivering the emails?
Of course.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

Fro
RE: [ActiveDir] Active Directory Delegation & Management tools...
Glad to help. I can't say enough how important it is to really have your requirements locked down before going into this process, and absolutely don't make a decision until you evaluate your short list of products in your own labs, without the vendor standing over your shoulder. Experience as both a customer and vendor has taught me that customers tend to think they need everything and vendors tend to tell you they can do everything. Somewhere in between is the truth. Evaluate a vendor's products not only on their features (both stated and real) but also on the company's understanding of what they are selling. In other words, if you're buying AD products and the vendor's folks understand AD and its problems less than you do, then that is probably a good indicator of how they will support you down the line.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras
Sent: Wednesday, August 23, 2006 5:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Delegation & Management tools...

Darren,

Thanks for the insight!! We're in the same boat as well and currently developing an RFI. We're also considering ScriptLogic, Quest, NetIQ and NetPro.

Teo

On 8/23/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:

James-

It's been a while, but since it was my job to know this stuff, I can give you some general comments here. First off, it's important to know your requirements before asking the various vendors how they can help. What do you need to manage AD here? One thing I can tell you about the Scriptlogic tool vs. the tools from NetIQ and Quest is that Active Administrator attempts to combine a number of different management functions into a single tool. For example, AA includes AD delegation, Group Policy change control, AD restore and some reporting into a single console. Compared to this, the DRA and ActiveRoles products (there are two versions of ActiveRoles--I'm talking about the server version here) are primarily geared towards controlled management of AD data (although both include some resource management as well). In order to get all of the basic functionality that AA provides from these other vendors you would have to buy several of their other products for things like GP management, AD restore, etc. However, I think what you'll find is that the AA functionality is pretty basic across each of the categories, so it's important to know what you need in each area. Also, from an architectural perspective, the Scriptlogic product is a client-based solution, and the NetIQ and Quest products are client-server based. Given that, the Scriptlogic product is more geared towards small environments and does an OK job in each of the categories they provide solutions for. But the NetIQ and Quest products are built with larger enterprises in mind and have features that accommodate those kinds of environments better. I would also take a look at what NetPro has to offer in these areas. I know they have some offering around AD management, depending upon your requirements.

Hope that helps. Again, it's really all about your requirements. If you have some specific requirements that you would care to share here, I can probably give you more pointed advice.

Darren

-Original message-
From: James Carter [EMAIL PROTECTED]
Date: Wed, 23 Aug 2006 05:31:40 -0400
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Delegation & Management tools...

> Hi everyone,
>
> Does anyone have any experience with a product called Active Administrator from Scriptlogic?
>
> How does it compare with products such as NetIQ DRA or Quest's Active Roles?
>
> What type of questions should I be asking the vendor regarding this product?
>
> thanks
>
> James
>
> -
> Do you Yahoo!?
> Everyone is raving about the all-new Yahoo! Mail.
RE: [ActiveDir] Exchange question
Thanks for your help. I have found out more about my problem. It looks like the target exchange SMTP server is acting up, I can telnet sometimes and sometimes I can't. Also sometimes I am able to telnet but it is really slow and sometimes it even freezes on me. I am still troubleshooting

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, August 23, 2006 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

The implications are further down the troubleshooting stack IMHO. If you cannot telnet to TCP 25 from the source Exchange server to the target Exchange server, then you have a problem with connectivity. You must be able to do this. Both directions. Until you can successfully do this, there is nothing more you can hope to accomplish. You can check DNS as well, but you can also find out if basic connectivity is functioning using the IP addresses. If it's not, and it sounds like it's not, then you'll need to address that first.

Al

On 8/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Thank everyone for the response... I am going nuts here, everything is a mess. For some reason I can't telnet into domain1 email server from domain2, not only that, domain1 has 2 SMTP servers, one on port 6000 and the other on port 25.

Also I sent an email to my personal account from domain2 and I got something like this in the header:

Mail from : [EMAIL PROTECTED]
Received: from servername.domain3.com ([ip address] helo=domain3.com

So the domain in the user's email address does not match the email server's domain... I am wondering what the implications of that are...

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brandon Pierce
Sent: Tuesday, August 22, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Obviously if the server is running out of space make sure you remediate that first. Second, I would recommend if ServerA cannot send to ServerB, but the reverse is NOT true, then I would suggest trying basic SMTP commands to ServerA from ServerB. Check the following:
1) Is the server responding to SMTP commands?
2) Can the server accept and deliver the mail item to the intended recipient?
3) Are the SMTP queues clear in ESM?
4) Is DNS responding correctly (A, PTR, SRV records present?)?
Gut feeling...DNS. That's my first shot!

Brandon

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, August 22, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

Have you seen this already? http://support.microsoft.com/kb/821910/

On 8/22/06, Ramon Linan < [EMAIL PROTECTED]> wrote:

Thanks very much, I think my second question was very easy :-) but wanted to confirm it. The problem now is that we have 500 mg in the hard drive but the SMTP queue is still not delivering the emails from one server to the other. We have 2 email servers, one holds domain1.com and the other holds domain2.com. domain1.com can send and receive fine but domain2 can't send to domain2, the emails are stuck in the queue with that domain, how do I troubleshoot that?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Tuesday, August 22, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

>>> minimum amount of HD space needed for the smtp to work?
It depends mostly on how busy the server is.

>>> Also, if the hard drive gets full will that stop the queue from delivering the emails?
Of course.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan
Sent: Tue 8/22/2006 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange question

Hi,

I have 2 email servers in 2 different locations. All of a sudden emails are not coming from one server to the other, I found out that the SMTP queue folder was in a hard drive that was running out of space. Do you guys know what is the minimum amount of HD space needed for the SMTP to work? Also, if the hard drive gets full will that stop the queue from delivering the emails?

Thanks
Rezuma
Re: [ActiveDir] [OT] Process for requesting, authorizing and creating shares?
Ai Chung,

That's an excellent thought - money certainly does talk, and I can well imagine that PMs will be anxious to stop the bleeding, as it were. :-)

Thanks!

-- Idan

On Mon, 21 Aug 2006, Chong Ai Chung wrote:

The answer for where to put the share will normally be decided by which server is nearer to the user who needs to access it.

"How do you tell that the project has wound down, and it's a good time to recover that disk space for new work?"

I remember there is one large organisation that has a system to charge the respective project cost center for the amount of disk space that the user/department requests. When the PM knows that they will be charged for the amount that they request, they will tend to avoid requesting a quota that they will never reach. The PM will also be the one who will automatically come to tell the File Share administrator to reclaim the disk space when it's no longer needed, to avoid unnecessary cost being charged to their cost center.

Regards,
Ai Chung

On 8/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Thanks, Joe. I tend to agree regarding standard names, no random drive letters, etc. (which you could probably already infer from my initial e-mail/post). However, that doesn't really answer the question of what the process should look like when, for example, creating a new PROJ-related share and/or folder?

Example - a new, large project starts up, and a PM asks to allocate a 50GB share somewhere. How do you figure out where to put it? What if there is no available server with adequate free space? How do you tell that the project has wound down, and it's a good time to recover that disk space for new work? What happened in this scenario when you worked at that Fortune-5 where you used to (still do?) work?

Cheers,

-- Idan

-- Forwarded message --
Date: Fri, 18 Aug 2006 21:00:58 -0400
From: joe <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Process for requesting, authorizing and creating shares?
Resent-Date: Sun, 20 Aug 2006 21:37:10 -0600 (MDT)
Resent-From: Idan <[EMAIL PROTECTED]>
Resent-To: Idan Shoham <[EMAIL PROTECTED]>
Resent-Subject: RE: [ActiveDir] [OT] Process for requesting, authorizing and creating shares?

In general I think it is better for larger orgs to have a very locked down strong share policy. Even down to specifying specific standard share names, permissions (like auth users FC and then locking with NTFS unless there will be no change access then R). For instance names like APPS, PROJ, DATA, BINS, etc. One large multinational you are familiar with has shares for users as username$, then shared file served applications or application installation packages are located in APPS, and all group shared data goes into a share called PROJ and permissioning is handled at the folder level. The software delivery system uses another hidden share but it is a single name across the entire enterprise. The only thing that varies is the servers. This makes life easier for the users and the administrators. People aren't browsing to find things and/or trying to recall what the sharename was...

I like having as few shares as possible because I have seen too many cases of alphabet soup with connected drive letters where users get to the point that they only know what drive letters they had, not what they were connected to. I recall in a job back in the mid-90's where any given user of about 2000 at the local site was connected to about 10-12 shares but what shares they were connected to depended on what part of the building they were in and what department they were in. We had to carry around a pocket guide to the areas so when someone said I need my I: drive back you knew exactly what share to connect for them.

If someone would rather have an ad hoc system, I would say follow any normal provisioning process with workflow. I wouldn't want to have to come in and clean that up in 5 years though once someone finally realizes how ridiculous it is because everyone is running out of drive letters to use.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 15, 2006 9:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Process for requesting, authorizing and creating shares?

Hi folks,

Slightly off-topic here -- i.e., related to managing Windows environments generally, rather than just Active Directory. I'm wondering whether any of you have seen good business processes for managing share creation (and for that matter, deletion)? We are working with a large multi-national where the current process by which business users request new shares (i.e., network-attached, shared, access-controlled disk space), and by which those requests are approved and implemented, is pretty weak. We are hoping to help
RE: [ActiveDir] (OT) Exchange Mail Delivery Delays
Recipients include Universal groups? If so, check access to a global catalog from the Exchange server. Avoid Universal groups if possible on distribution lists.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Robert Rutherford
> Sent: Wednesday, August 23, 2006 10:58 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] (OT) Exchange Mail Delivery Delays
>
> Hi All,
>
> Sorry for the OT...
>
> I've got an Exch2003 server, SP2 with the following issue :-
>
> An External mail user sends a mail to many internal recipients, some
> users receive immediately. The remaining users receive the mail hours
> later, sometimes 12 hours+ later.
>
> Before I up all the logging and spend hours.. has anyone seen this and
> resolved it?
>
> I've attached an example message tracking log.
>
> Cheers,
>
> Rob
>
> Robert Rutherford
> QuoStar Solutions Limited
>
> T:+44 (0) 8456 440 331
> F:+44 (0) 8456 440 332
> M:+44 (0) 7974 249 494
> E:[EMAIL PROTECTED]
> W:www.quostar.com
Re: [ActiveDir] Exchange question
The implications are further down the troubleshooting stack IMHO. If you cannot telnet to TCP 25 from the source Exchange server to the target Exchange server, then you have a problem with connectivity. You must be able to do this. Both directions. Until you can successfully do this, then there is nothing more you can hope to accomplish. You can check DNS as well, but you can also find out if basic connectivity is functioning using the ip addresses. If it's not, and it sounds like it's not, then you'll need to address that first. Al On 8/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote: Thank everyone for the response…I am going nuts here, everything is a mess. For some reason I cant telnet into domain1 email server from domain2 , not only that , domain1 has 2 smtp server, one in the port 6000 and the other in the port 25. Also I send an email to my personal account from domain2 and I got something like this in the header: Mail from : [EMAIL PROTECTED] Received: from servername.domain3.com ([ip address] helo=domain3.com So the domain in the user's email address does not match the email server's domain…I am wondering what are the implications of that… Thanks From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brandon PierceSent: Tuesday, August 22, 2006 4:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange question Obviously if the server is running out of space make sure you remediate that first. Second, I would recommend if ServerA cannot send to ServerB, but the reverse is NOT true, then I would suggest trying basic SMTP commands to ServerA from ServerB. Check the following: 1) Is the server responding to SMTP commands? 2) Can the server accept and deliver the mail item to intended recipient? 3) Are the SMTP queues clear in ESM? 4) Is DNS responding correctly (A, PTR, SRV records present?)? Gut feeling...DNS. That's my first shot! 
> Brandon
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
> Sent: Tuesday, August 22, 2006 2:04 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Exchange question
>
> Have you seen this already? http://support.microsoft.com/kb/821910/
>
> On 8/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:
>
> Thanks very much. I think my second question was very easy :) but I wanted to confirm it. The problem now is that we have 500 MB on the hard drive, but the SMTP queue is still not delivering the emails from one server to the other. We have 2 email servers: one holds domain1.com and the other holds domain2.com. domain1.com can send and receive fine, but domain2 can't send to domain2; the emails are stuck in the queue with that domain. How do I troubleshoot that?
>
> Thanks
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
> Sent: Tuesday, August 22, 2006 3:07 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Exchange question
>
> >>> minimum amount of HD space needed for the smtp to work?
> It depends mostly on how busy the server is.
>
> >>> Also, if the hard drive gets full will that stop the queue from delivering the emails?
> Of course.
>
> Sincerely,
> Deji Akomolafe
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
>
> From: Ramon Linan
> Sent: Tue 8/22/2006 11:51 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Exchange question
>
> Hi, I have 2 email servers in 2 different locations. All of a sudden emails are not coming from one server to the other. I found out that the SMTP queue folder was on a hard drive that was running out of space. Do you guys know what is the minimum amount of HD space needed for SMTP to work? Also, if the hard drive gets full, will that stop the queue from delivering the emails?
>
> Thanks
>
> Rezuma
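Al's "telnet to TCP 25, both directions" advice, turned into a repeatable check. This is an added example and not code from the thread or from Exchange: it opens a TCP connection, reads the 220 banner, sends EHLO and QUIT, and reports the step at which the exchange stopped, which is what you would otherwise read off a telnet session by eye. Run it from each Exchange server against the other, first by name and then by IP, to separate DNS trouble from connectivity trouble. The fake SMTP listener at the bottom is a constructed fixture so the probe can be exercised on one machine; `probe.example.invalid` and `mail.test.invalid` are placeholder names.

```python
"""Added example: a structured stand-in for "telnet to TCP 25 both directions".

Not from the list thread. The listener at the bottom is a constructed
fixture standing in for the far-side Exchange server; the EHLO name is a
placeholder. No mail is submitted, only the greeting exchange is tested.
"""
import socket
import socketserver
import threading


def _read_reply(f):
    """Read one SMTP reply (possibly multi-line) and return (code, lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        # "250-..." continues a reply; "250 ..." (or a short line) ends it.
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), lines


def probe_smtp(host, port=25, timeout=5.0, helo_name="probe.example.invalid"):
    """Connect, read the banner, send EHLO, send QUIT.

    "stage" in the returned dict is the step that failed ("connect",
    "banner", "ehlo") or "ok" when the whole greeting exchange succeeded.
    """
    result = {"host": host, "port": port, "stage": "connect",
              "banner": None, "ehlo_code": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rwb")
            result["stage"] = "banner"
            code, lines = _read_reply(f)
            result["banner"] = lines[0]
            if code != 220:
                result["error"] = f"unexpected greeting code {code}"
                return result
            result["stage"] = "ehlo"
            f.write(f"EHLO {helo_name}\r\n".encode("ascii"))
            f.flush()
            code, _ = _read_reply(f)
            result["ehlo_code"] = code
            if code != 250:
                result["error"] = f"EHLO rejected with {code}"
                return result
            f.write(b"QUIT\r\n")
            f.flush()
            result["stage"] = "ok"
    except (OSError, ValueError) as exc:  # timeouts and ConnectionError are OSError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def diagnose(result):
    """Map a probe result onto the next troubleshooting step from the thread."""
    stage = result["stage"]
    if stage == "ok":
        return "TCP 25 and the SMTP greeting work; look at queues, DNS and recipient resolution next"
    if stage == "connect":
        return "no TCP connection: check firewall, routing and the listener; retry by IP address to rule out DNS"
    if stage == "banner":
        return "connected but no 220 banner: a filter or the SMTP service is not answering"
    return "EHLO refused: the server answers but rejects this sending host"


# --- constructed fixture: a minimal SMTP listener for local testing ---------
class _FakeSmtpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"220 mail.test.invalid ESMTP constructed-fixture\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.split(b" ", 1)[0].strip().upper()
            if cmd == b"EHLO":
                self.wfile.write(b"250-mail.test.invalid Hello\r\n250 SIZE 10485760\r\n")
            elif cmd == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"500 unrecognised command\r\n")


def start_fake_smtp_server():
    """Start the fixture on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSmtpHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_smtp_server()
    r = probe_smtp("127.0.0.1", port)
    print(r, "->", diagnose(r))
    server.shutdown()
    server.server_close()
```

A "connect" failure by name but success by IP points at DNS; a "connect" failure both ways points at the firewall, routing or a stopped SMTP service; a good banner with queues still backing up moves the problem up the stack to recipient resolution and the queues in ESM.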
Re: [ActiveDir] Active Directory Delegation & Management tools...
Darren, Thanks for the insight!! We're in the same boat as well and currently developing an RFI. We're also considering ScriptLogic, Quest, NetIQ and NetPro.

Teo

On 8/23/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:

> James,
>
> It's been a while, but since it was my job to know this stuff, I can give you some general comments here. First off, it's important to know your requirements before asking the various vendors how they can help. What do you need to manage in AD here?
>
> One thing I can tell you about the ScriptLogic tool vs. the tools from NetIQ and Quest is that Active Administrator attempts to combine a number of different management functions into a single tool. For example, AA includes AD delegation, Group Policy change control, AD restore and some reporting in a single console. Compared to this, the DRA and ActiveRoles products (there are two versions of ActiveRoles; I'm talking about the server version here) are primarily geared towards controlled management of AD data (although both include some resource management as well). In order to get all of the basic functionality that AA provides from these other vendors, you would have to buy several of their other products for things like GP management, AD restore, etc. However, I think what you'll find is that the AA functionality is pretty basic across each of the categories, so it's important to know what you need in each area.
>
> Also, from an architectural perspective, the ScriptLogic product is a client-based solution, and the NetIQ and Quest products are client-server based. Given that, the ScriptLogic product is more geared towards small environments and does an OK job in each of the categories they provide solutions for. But the NetIQ and Quest products are built with larger enterprises in mind and have features that accommodate those kinds of environments better.
>
> I would also take a look at what NetPro has to offer in these areas. I know they have some offering around AD management, depending upon your requirements.
>
> Hope that helps. Again, it's really all about your requirements. If you have some specific requirements that you would care to share here, I can probably give you more pointed advice.
>
> Darren
>
> -Original message-
> From: James Carter [EMAIL PROTECTED]
> Date: Wed, 23 Aug 2006 05:31:40 -0400
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Active Directory Delegation & Management tools...
>
> > Hi everyone,
> >
> > Does anyone have any experience with a product called Active Administrator from Scriptlogic?
> >
> > How does it compare with products such as NetIQ DRA or Quest's ActiveRoles?
> >
> > What type of questions should I be asking the vendor regarding this product?
> >
> > thanks
> >
> > James
Re: [ActiveDir] Active Directory Delegation & Management tools...
James,

It's been a while, but since it was my job to know this stuff, I can give you some general comments here. First off, it's important to know your requirements before asking the various vendors how they can help. What do you need to manage in AD here?

One thing I can tell you about the ScriptLogic tool vs. the tools from NetIQ and Quest is that Active Administrator attempts to combine a number of different management functions into a single tool. For example, AA includes AD delegation, Group Policy change control, AD restore and some reporting in a single console. Compared to this, the DRA and ActiveRoles products (there are two versions of ActiveRoles; I'm talking about the server version here) are primarily geared towards controlled management of AD data (although both include some resource management as well). In order to get all of the basic functionality that AA provides from these other vendors, you would have to buy several of their other products for things like GP management, AD restore, etc. However, I think what you'll find is that the AA functionality is pretty basic across each of the categories, so it's important to know what you need in each area.

Also, from an architectural perspective, the ScriptLogic product is a client-based solution, and the NetIQ and Quest products are client-server based. Given that, the ScriptLogic product is more geared towards small environments and does an OK job in each of the categories they provide solutions for. But the NetIQ and Quest products are built with larger enterprises in mind and have features that accommodate those kinds of environments better.

I would also take a look at what NetPro has to offer in these areas. I know they have some offering around AD management, depending upon your requirements.

Hope that helps. Again, it's really all about your requirements. If you have some specific requirements that you would care to share here, I can probably give you more pointed advice.

Darren

-Original message-
From: James Carter [EMAIL PROTECTED]
Date: Wed, 23 Aug 2006 05:31:40 -0400
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Delegation & Management tools...

> Hi everyone,
>
> Does anyone have any experience with a product called Active Administrator from Scriptlogic?
>
> How does it compare with products such as NetIQ DRA or Quest's ActiveRoles?
>
> What type of questions should I be asking the vendor regarding this product?
>
> thanks
>
> James
RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
Thanks to all who responded! The problem was solved by installing our local root CA cert on the "outside" computer, since we are "rolling our own" and not using one of the well-known CAs (Trusted Root Certification Authorities).

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hi Robert,

Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a "well known" provider.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hey Mike,

When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned? I tried using adfind to connect to my test DC using port 636 and got the exact same error... but I don't have a cert installed on my DC, so I'd expect mine not to work.

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,

We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs, but we get a 0x51 error like the one shown below in this example of using "adfind":

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.
(extensionAttribute2 is used for the email address.) Portqry shows that the DC is listening on port 636. Using "ldp", the bind operation seems to want to default to port 389 (which is not open). It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes
2006-08-22, 10:35:32
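Mike's fix, reproduced end to end. This is an added example and not code from the thread or from adfind: it mints a throw-away private root CA and a DC certificate with the openssl command-line tool (so it needs `openssl` on the path), stands up a local TLS listener in place of a DC on port 636, and then does the handshake an LDAPS client performs before binding, once with only the machine's well-known roots (the "outside" computer before the fix) and once with the private root loaded. The CA name, `dc1.abc.com` and the CRL URL are constructed placeholders. The DC certificate is given a CRL distribution point on purpose: a client that does check revocation, as the HEAD of this thread notes newer wldap32 builds will, has to reach that URL from outside the firewall, which is the second thing Mike suspected.

```python
"""Added example (not the thread's or adfind's code): reproduce the LDAPS
trust failure with a throw-away private CA and show what trusting the root
changes. Placeholders: the CA name, dc1.abc.com and CRL_URL.
Requires the openssl CLI to mint the certificates.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

CRL_URL = "http://pki.abc.internal/abc-root.crl"  # assumed internal-only CDP


def make_private_pki(workdir, server_name="dc1.abc.com"):
    """Mint a private root CA and a server cert for server_name with openssl."""
    def run(*args):
        subprocess.run(["openssl", *args], check=True, cwd=workdir,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
        "-subj", "/CN=ABC Private Root CA", "-keyout", "ca.key", "-out", "ca.pem")
    run("req", "-newkey", "rsa:2048", "-nodes",
        "-subj", f"/CN={server_name}", "-keyout", "dc.key", "-out", "dc.csr")
    with open(os.path.join(workdir, "ext.cnf"), "w") as f:
        # A real DC cert carries a CDP; clients that check revocation fetch it.
        f.write(f"subjectAltName=DNS:{server_name}\n"
                f"crlDistributionPoints=URI:{CRL_URL}\n")
    run("x509", "-req", "-days", "2", "-in", "dc.csr", "-CA", "ca.pem",
        "-CAkey", "ca.key", "-CAcreateserial", "-extfile", "ext.cnf", "-out", "dc.pem")
    return {name: os.path.join(workdir, fn)
            for name, fn in (("ca", "ca.pem"), ("cert", "dc.pem"), ("key", "dc.key"))}


def serve_tls(listener, cert, key, connections):
    """Answer `connections` handshakes on a listening socket (stand-in for 636)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    for _ in range(connections):
        conn, _ = listener.accept()
        conn.settimeout(10)
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # hold the session until the client hangs up
        except (ssl.SSLError, OSError):
            pass  # a client that does not trust the root aborts with an alert


def ldaps_trust_check(host, port, server_name, cafile=None, timeout=5.0):
    """Do the TLS handshake an LDAPS client performs before binding.

    cafile=None verifies against the machine's well-known roots only;
    cafile=<private root> is the fix from the thread. Returns (ok, detail):
    the verify error, or the CRL distribution points the server cert advertises.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
            return True, tuple(cert.get("crlDistributionPoints", ()))
    except ssl.SSLError as exc:
        return False, getattr(exc, "verify_message", str(exc))


def demo():
    """Run the untrusted, then the trusted attempt against a local stand-in for 636."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI required to mint the throw-away PKI")
    with tempfile.TemporaryDirectory() as workdir:
        pki = make_private_pki(workdir)
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(2)
        port = listener.getsockname()[1]
        t = threading.Thread(target=serve_tls,
                             args=(listener, pki["cert"], pki["key"], 2), daemon=True)
        t.start()
        untrusted = ldaps_trust_check("127.0.0.1", port, "dc1.abc.com")
        trusted = ldaps_trust_check("127.0.0.1", port, "dc1.abc.com", cafile=pki["ca"])
        t.join(timeout=10)
        listener.close()
    return untrusted, trusted


if __name__ == "__main__":
    before, after = demo()
    print("well-known roots only:", before)
    print("private root trusted: ", after)
```

The first attempt fails inside the TLS handshake, before any LDAP traffic, which is why a tool like adfind can only report "Server Down" rather than a certificate error. The second succeeds and returns the CDP URL; if the outside client enforces revocation checking, that URL (or an OCSP responder) must be reachable from where the client sits, otherwise the bind fails again for a reason that looks identical from the outside.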
[ActiveDir] Active Directory Delegation & Management tools...
Hi everyone,

Does anyone have any experience with a product called Active Administrator from Scriptlogic?

How does it compare with products such as NetIQ DRA or Quest's ActiveRoles?

What type of questions should I be asking the vendor regarding this product?

thanks

James