RE: [ActiveDir] Server Performance Advisor

2006-08-24 Thread Tony Murray
Thanks Steve, that worked like a charm.  :-)

It's interesting that the report compiler chooses to summarise even though the 
reports themselves are different.

Another thing that struck me as a little strange is the fact that only the 
first LDAP search to trip the rules thresholds generates a warning.  In other 
words, all subsequent searches that exceed the threshold appear in the report 
without a warning.

On the whole I really like it, especially with the detail shown when setting 
the expert level to 10.

Tony
-- Original Message --
From: "Steve Linehan" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 24 Aug 2006 20:36:18 -0700

The tracing code still fires even if the data is cached, i.e. an LDAP
request is still made.  What I believe you are seeing is the report
compiler summarizing the results.  You can change the expert level to 10
which will cause the report to have all entries in it.

Thanks,

-Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, August 24, 2006 10:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Server Performance Advisor

Hi all

I've been looking at SPA and have been trying to get it to report all
LDAP searches.  I've managed to get it to report searches, but the
results are inconsistent.  For example, if I kick off the performance
capture and then run an LDAP search that exceeds the configured warning
levels I will see something like this in the AD.XML file:


192.168.102.11
deep
dc=colours,...
SAM Account Name with multiple AND parts and
wildcards
idx_samaccountname
Success
900
900
0.02
103
0.22
  

If I run a subsequent capture, using the same (or similar) search
criteria it doesn't log the LDAP search activity in the AD.XML file.  I
suspect this perhaps has to do with the DC caching search criteria, but I'm
not sure.

Can anyone shed any light on this?  Or, put another way, has anyone
successfully and consistently captured all LDAP search activity using
SPA?

Tony

Sent via the WebMail system at mail.activedir.org

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Server Performance Advisor

2006-08-24 Thread Steve Linehan
The tracing code still fires even if the data is cached, i.e. an LDAP
request is still made.  What I believe you are seeing is the report
compiler summarizing the results.  You can change the expert level to 10
which will cause the report to have all entries in it.

Thanks,

-Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, August 24, 2006 10:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Server Performance Advisor

Hi all

I've been looking at SPA and have been trying to get it to report all
LDAP searches.  I've managed to get it to report searches, but the
results are inconsistent.  For example, if I kick off the performance
capture and then run an LDAP search that exceeds the configured warning
levels I will see something like this in the AD.XML file:


192.168.102.11
deep
dc=colours,...
SAM Account Name with multiple AND parts and
wildcards
idx_samaccountname
Success
900
900
0.02
103
0.22
  

If I run a subsequent capture, using the same (or similar) search
criteria it doesn't log the LDAP search activity in the AD.XML file.  I
suspect this perhaps has to do with the DC caching search criteria, but I'm
not sure.

Can anyone shed any light on this?  Or, put another way, has anyone
successfully and consistently captured all LDAP search activity using
SPA?

Tony


[ActiveDir] Server Performance Advisor

2006-08-24 Thread Tony Murray
Hi all

I've been looking at SPA and have been trying to get it to report all LDAP 
searches.  I've managed to get it to report searches, but the results are 
inconsistent.  For example, if I kick off the performance capture and then run 
an LDAP search that exceeds the configured warning levels I will see something 
like this in the AD.XML file:


192.168.102.11
deep
dc=colours,...
SAM Account Name with multiple AND parts and 
wildcards
idx_samaccountname
Success
900
900
0.02
103
0.22
  

If I run a subsequent capture, using the same (or similar) search criteria it 
doesn't log the LDAP search activity in the AD.XML file.  I suspect this 
perhaps has to do with the DC caching search criteria, but I'm not sure.

Can anyone shed any light on this?  Or, put another way, has anyone 
successfully and consistently captured all LDAP search activity using SPA?

Tony


RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved

2006-08-24 Thread joe
Thanks Steve.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 24, 2006 12:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem
solved

Not sure on if it will be configurable I just happened to run across it
on something else I was working on and saw the change request.  I would
imagine that it will not be configurable as the intended behavior was to
check the CRL especially since sensitive operations such as password
resets are generally going over LDAPS.  However someone who is beta
testing Windows Server 2003 SP2 as a customer could verify that the
change occurred and then provide feedback if it was undesirable.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 23, 2006 10:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -->
problem solved

Oh this could catch some folks by surprise... 

Out of curiosity, is it implemented with a "turn on this reg key to
enable this" or will it just occur?

I prefer it be something admins turn on, otherwise it will catch people
by surprise like the SP1 Service Control Manager ACL. 

And if there isn't a reg entry to turn it on, can we have a reg entry
to turn it off or do we wait until SP3? :)


  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, August 23, 2006 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -->
problem solved

Furthermore the current implementation of wldap32 in Windows Server 2003
SP1 does not request that the certificate be verified.  This has been
changed in a QFE for Windows Server 2003 SP1 and will be addressed in
the next service pack for Windows Server 2003, SP2.  So you may see a
change in behavior going forward at least on the server platform.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Wednesday, August 23, 2006 9:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -->
problem solved

Windows 2000 RTM, by default, does not perform CRL checking; XP and 2003 do.
However, there are behavior variances on an application-by-application
basis. For more information:
http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl.mspx#ES3AE

Laura
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
> Sent: Wednesday, August 23, 2006 10:06 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
> 
> It actually depends on the policy defined for the SSL stack.  
> In Windows, this is typically configured globally for all SSL, 
> although I'm not sure where.  It definitely used to be the case that 
> Windows that CRLs were never checked, but I have seen some other SSL 
> stuff with HTTP actually checking the CRL on 2K3 servers.
> 
> It is also possible in SSPI with Schannel to ignore specific 
> conditions, so this could be something that is ignored in the default 
> LDAP SSL routine in Windows, but I doubt it.  The callback function 
> for server certificate verification will give you the error code if 
> there is a problem and the client can then deal with it as it sees 
> fit.
> 
> CRLs can definitely be trouble though.  They are by far the most 
> vexing thing to troubleshoot in SSL, and PKI in general.
> 
> Joe
> 
> - Original Message -
> From: "Thommes, Michael M." <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, August 23, 2006 8:37 PM
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
> 
> 
> Hi joe,
> The CRL location is *not* available from the outside.  
> And since neither adfind, ldp or Outlook Express seemed to care, I am 
> guessing that not many
> (any?) tools require it.  Kinda makes ya wonder why you would have it 
> if it's not used.  Sorta like not using the book of bad credit card 
> numbers when someone handed you a credit card!  (maybe some of you are
> old enough to remember this safeguard before there were computers 
> everywhere!  LOL!).
> 
> Mike Thommes
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of joe
> Sent: Wed 8/23/2006 7:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
> 
> 
> Cool, is the CRL available from the outside at all? I am really 
> curious if that is truly needed from the client when using LDAPS, it 
> doesn't seem to be needed but my testing has been far from perfect in 
> that regard.
> 
>

Re: [ActiveDir] OU tareq

2006-08-24 Thread Mathieu CHATEAU




Hello tareq,


use the restricted group 
make mydomain\Domain users members of the "Administrators" group.

Take care of the way you do it, else it will empty the local group before appending domain users.


The GPO is computer based 

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

Thursday, August 24, 2006, 4:13:59 PM, you wrote:




>


dears,
How I can build a group policy that permit normal account in the active directory to login  as Local Admin for any computer in one OU.

tareq

All-new Yahoo! Mail - Fire up a more powerful email and get things done faster.


RE: [ActiveDir] Exchange question

2006-08-24 Thread Alex Alborzfard








Why aren't you turning on the teaming for the NICs? That will enable
fault-tolerance and reduce the IP addresses to one.

I don't know how your Exchange environment is configured exactly, but
unless you're hosting multiple domains and want to separate them or
troubleshooting/logging purposes, or you're running SBS with CRM, you
should not have 2 IP addresses on your Exch box IMHO.

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, August 24, 2006 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

It has 2 network cards

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Wednesday, August 23, 2006 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Glad to hear that. Why is one SMTP server configured with 2 IP addresses?

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, August 23, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

I have done the telnet... I think I found the problem, target smtp server
was configured to only accept connection from certain ip address, the
source smtp server has 2 ip address, only one was in the list...it seems
to be working fine now...

Thanks all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Wednesday, August 23, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

have you looked at this to see if there's any utility for you?

http://support.microsoft.com/kb/323350/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, August 23, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Thanks for your help.

I have found out more about my problem.

It looks like the target exchange SMTP server is acting up, I can telnet
sometimes and sometimes I can't. Also sometimes I am able to telnet but it
is really slow and sometimes it even freezes on me.

I am still troubleshooting

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, August 23, 2006 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

The implications are further down the troubleshooting stack IMHO.

If you cannot telnet to TCP 25 from the source Exchange server to the
target Exchange server, then you have a problem with connectivity.  You
must be able to do this. Both directions. Until you can successfully do this,
then there is nothing more you can hope to accomplish.  You can check DNS
as well, but you can also find out if basic connectivity is functioning using
the ip addresses.  If it's not, and it sounds like it's not, then you'll
need to address that first.

Al

On 8/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Thank everyone for the response...I am going nuts here,
everything is a mess.

For some reason I can't telnet into domain1 email server from
domain2 , not only that , domain1 has 2 smtp server, one in the port 6000 and
the other in the port 25. Also I send an email to my personal account from
domain2 and I got something like this in the header:

Mail from : [EMAIL PROTECTED]

Received: from servername.domain3.com
([ip address] helo=domain3.com

So the domain in the user's email address does not match the email server's
domain...I am wondering what are the implications of that...

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brandon Pierce
Sent: Tuesday, August 22, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Obviously if the server is running out of space
make sure you remediate that first.  Second, I would recommend if ServerA
cannot send to ServerB, but the reverse is NOT true, then I would suggest trying
basic SMTP commands to ServerA from ServerB.  Check the
following:

1) Is the server responding to SMTP commands?

2) Can the server accept and deliver the mail item to intended recipient?

3) Are the SMTP queues clear in ESM?

4) Is DNS responding correctly (A, PTR, SRV records present?)?

Gut feeling...DNS.

That's my first shot!

Brandon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, August 22, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

Have you seen this already?

http://support.microsoft.com/kb/821910/

On 8/22/06, Ramon Linan < [EMAIL PROTECTED]> wrote:

Thanks very much, I think my second question was very easy :) but wanted to confirm
it.

The problem now is that we have 500 mg in the hard drive but
the smtp queue is still n

Re: [ActiveDir] (OT) Exchange Mail Delivery Delays

2006-08-24 Thread Albert Duro
I have seen that behavior.  Your AV is the prime suspect here.  Symantec 
Mail security has certainly been known to cause it.


- Original Message - 
From: "Robert Rutherford" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, August 23, 2006 7:57 AM
Subject: [ActiveDir] (OT) Exchange Mail Delivery Delays


Hi All,

Sorry for the OT...

I've got an Exch2003 server, SP2 with the following issue :-

An External mail user sends a mail to many internal recipients, some
users receive immediately. The remaining users receive the mail hours
later, sometime 12 hours+ later.

Before I up all the logging and spend hours.. has anyone seen this and
resolved?

I've attached an example message tracking log.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331
F:+44 (0) 8456 440 332
M:+44 (0) 7974 249 494
E:[EMAIL PROTECTED]
W:www.quostar.com


RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved

2006-08-24 Thread AFidel

I hope this will be configurable, if
not in the GUI then through a registry key which is published in the MSKB,

Andrew Fidel





"Steve Linehan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/23/2006 10:37 PM
Please respond to ActiveDir@mail.activedir.org

To:
cc:
Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved

Furthermore the current implementation of wldap32 in Windows Server 2003
SP1 does not request that the certificate be verified.  This has been
changed in a QFE for Windows Server 2003 SP1 and will be addressed in
the next service pack for Windows Server 2003, SP2.  So you may see a
change in behavior going forward at least on the server platform.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Wednesday, August 23, 2006 9:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -->
problem solved

Windows 2000 RTM, by default, does not perform CRL checking; XP and 2003 do.
However, there are behavior variances on an application-by-application
basis. For more information:
http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl.mspx#ES3AE

Laura
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
> Sent: Wednesday, August 23, 2006 10:06 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
> 
> It actually depends on the policy defined for the SSL stack.
> In Windows, this is typically configured globally for all SSL,
> although I'm not sure where.  It definitely used to be the case that
> Windows that CRLs were never checked, but I have seen some other SSL
> stuff with HTTP actually checking the CRL on 2K3 servers.
>
> It is also possible in SSPI with Schannel to ignore specific
> conditions, so this could be something that is ignored in the default
> LDAP SSL routine in Windows, but I doubt it.  The callback function
> for server certificate verification will give you the error code if
> there is a problem and the client can then deal with it as it sees
> fit.
>
> CRLs can definitely be trouble though.  They are by far the most
> vexing thing to troubleshoot in SSL, and PKI in general.
> 
> Joe
> 
> - Original Message -
> From: "Thommes, Michael M." <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, August 23, 2006 8:37 PM
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
> 
> 
> Hi joe,
>     The CRL location is *not* available from the outside.
> And since neither adfind, ldp or Outlook Express seemed to care, I am
> guessing that not many
> (any?) tools require it.  Kinda makes ya wonder why you would have it
> if it's not used.  Sorta like not using the book of bad credit card
> numbers when someone handed you a credit card!  (maybe some of you are
> old enough to remember this safeguard before there were computers
> everywhere!  LOL!).
> 
> Mike Thommes
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of joe
> Sent: Wed 8/23/2006 7:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
> 
> 
> Cool, is the CRL available from the outside at all? I am really
> curious if that is truly needed from the client when using LDAPS, it
> doesn't seem to be needed but my testing has been far from perfect in
> that regard.
> 
>   joe
> 
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
> 
> 
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
> Michael M.
> Sent: Wednesday, August 23, 2006 8:06 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> --> problem
> solved
>
> Thanks to all who responded!  The problem was solved by installing our
> local root CA cert on the "outside" computer since we are "rolling our
> own" and not using one of the well known CAs (Trusted Root
> Certification Authorities).
> 
> 
> 
> Mike Thommes
> 
> 
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
> Michael M.
> Sent: Tuesday, August 22, 2006 9:36 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
>
> Hi Robert,
>
>     Yes, the command is *exactly* the same.  We are thinking that our
> CRL location is not available outside of the firewall.  We generate
> our own certificates; we don't use a "well known" provider.
> 
> 
> 
> Mike Thommes
> 
> 
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Williams,
> Robert
> Sent: Tuesday, August 22, 2006 9:16 AM
> To: ActiveDir@mail.activedir.org
> Subje

RE: [ActiveDir] OU tareq

2006-08-24 Thread Laura A. Robinson



Create a restricted groups policy and link it to the OU in question.

http://support.microsoft.com/Default.aspx?kbid=279301
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of tareq ttt
Sent: Thursday, August 24, 2006 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU tareq

dears,
How I can build a group policy that permit normal account in the active
directory to login  as Local Admin for any computer in one OU.

tareq


RE: [ActiveDir] OU tareq

2006-08-24 Thread Neil D. Frick
To do this, I use groups named after the OU (i.e. "OU1 OU Admins," "OU2 OU 
Admins," etc.) and a Startup script assigned via a unique GPO on each OU.

Here is the script (VB):

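' Domain group to add to the local Administrators group; change per OU
strGroupName = "MyOU OU Admins"
Set objNetwork = CreateObject("Wscript.Network")
' Bind to this computer's local Administrators group
Set objLocalGroup = GetObject _
  ("WinNT://" & objNetwork.ComputerName & "/Administrators,group")

' Stop if the group is already a member
For Each objMember In objLocalGroup.Members
  If objMember.Name = strGroupName Then
    Wscript.Quit
  End If
Next

' Add the domain group (ARA is the domain name used in this script)
objLocalGroup.Add("WinNT://ARA/" & strGroupName)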


So, you would change strGroupName for each OU, then add members to each "OU 
Admin" group.  As long as your machines are correctly accepting group policy, 
this will give local admin rights to anyone in their OU Admin group.

I'm pretty sure other companies are doing similar things, if not this exactly.
 
Regards,
Neil Frick
Applied Research Associates, Inc.
[EMAIL PROTECTED] (505) 816-6470 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of tareq ttt
> Sent: Thursday, August 24, 2006 8:14 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OU tareq
> 
> dears,
> How I can build a group policy that permit normal account in the active
> directory to login  as Local Admin for any computer in one OU.
>
> tareq


RE: [ActiveDir] OU tareq

2006-08-24 Thread Kevin Brunson








Create a GPO for the computer OU. 
Edit that GPO, and expand to Computer Configuration>Windows Settings>Security
Settings>Restricted Groups.  Right-click Restricted Groups and hit Add
Group.  Add Administrators.  Configure membership for this group>Members
of this Group> Add domain users, administrators, and domain admins.  This
literally replaces everything in that group with the ones you specify for the
target computers.  Set the ACL properties for that GPO to Domain Computers>Apply
Policy.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of tareq ttt
Sent: Thursday, August 24, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU tareq

dears,

How I can build a group policy that permit normal account in
the active directory to login  as Local Admin for any computer in one OU.

tareq
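
Added example, not part of the thread: the replies in this thread describe two Restricted Groups styles, listing the members of Administrators (which replaces the existing local membership) and making a domain group a member of Administrators (which adds to it). This Python reads the [Group Membership] section of a GPO security template (GptTmpl.inf, normally UTF-16, so decode it first) and reports which style each local-admin grant uses and whether the principal is a broad group such as Domain Users. The domain SID, RID 1105 and both templates are constructed samples.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators
BROAD_WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "515": "Domain Computers"}
BROAD_NAMES = {"domain users": "Domain Users", "everyone": "Everyone",
               "authenticated users": "Authenticated Users"}
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_group_membership(inf_text):
    """Return {group: {"members": list|None, "memberof": list|None}}.

    None means the key was absent, [] means it was present but empty.
    """
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "group membership"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, sep, kind = key.strip().rpartition("__")
        kind = kind.lower()
        if not sep or kind not in ("members", "memberof"):
            continue
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        entry = groups.setdefault(name.lstrip("*"),
                                  {"members": None, "memberof": None})
        entry[kind] = principals
    return groups


def is_admins(name):
    """True for the local Administrators group, by SID or unresolved name."""
    return name == ADMINISTRATORS or name.lower() == "administrators"


def broad_label(principal):
    """Name of a broad group this principal represents, or None."""
    if principal in BROAD_WELL_KNOWN:
        return BROAD_WELL_KNOWN[principal]
    match = DOMAIN_SID.match(principal)
    if match:
        return BROAD_DOMAIN_RIDS.get(match.group(1))
    return BROAD_NAMES.get(principal.split("\\")[-1].lower())


def audit_local_admin_grants(inf_text):
    """List every principal the template places in local Administrators.

    mode "replace":  principal is in the Members list of Administrators,
                     so the policy defines the whole membership.
    mode "additive": a group is declared Member Of Administrators, which
                     leaves the other local members alone.
    """
    findings = []
    for group, entry in parse_group_membership(inf_text).items():
        if is_admins(group):
            for principal in entry["members"] or []:
                findings.append({"principal": principal, "mode": "replace",
                                 "broad": broad_label(principal)})
        elif any(is_admins(g) for g in entry["memberof"] or []):
            findings.append({"principal": group, "mode": "additive",
                             "broad": broad_label(group)})
    return findings


# Constructed sample data (not from the thread).
SAMPLE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
HEADER = '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'

# "Members of this group" style: Administrator, Domain Admins, Domain Users.
SAMPLE_MEMBERS_MODE = HEADER + (
    "[Group Membership]\n"
    f"*{ADMINISTRATORS}__Memberof =\n"
    f"*{ADMINISTRATORS}__Members = *{SAMPLE_DOMAIN}-500,"
    f"*{SAMPLE_DOMAIN}-512,*{SAMPLE_DOMAIN}-513\n"
)

# "This group is a member of" style: a dedicated OU admins group (RID 1105).
SAMPLE_MEMBEROF_MODE = HEADER + (
    "[Group Membership]\n"
    f"*{SAMPLE_DOMAIN}-1105__Memberof = *{ADMINISTRATORS}\n"
    f"*{SAMPLE_DOMAIN}-1105__Members =\n"
)

if __name__ == "__main__":
    for label, text in (("members", SAMPLE_MEMBERS_MODE),
                        ("memberof", SAMPLE_MEMBEROF_MODE)):
        for finding in audit_local_admin_grants(text):
            print(label, finding)
```
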








RE: [ActiveDir] OU tareq

2006-08-24 Thread Robert Rutherford








Create a group in AD and add the users to
it. Then use restricted groups (via group policy) to add that group into local
admin on the PCs.

Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of tareq ttt
Sent: 24 August 2006 15:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU tareq

dears,

How I can build a group policy that permit normal account in
the active directory to login  as Local Admin for any computer in one OU.

tareq








[ActiveDir] OU tareq

2006-08-24 Thread tareq ttttttt
dears,
How I can build a group policy that permit normal account in the active directory to login  as Local Admin for any computer in one OU.

tareq

RE: [ActiveDir] Exchange question

2006-08-24 Thread Ramon Linan








It has 2 network cards

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Wednesday, August 23, 2006 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Glad to hear that. Why is one SMTP server configured with 2 IP addresses?

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, August 23, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

I have done the telnet... I think I found the problem, target smtp server
was configured to only accept connection from certain ip address, the
source smtp server has 2 ip address, only one was in the list...it seems
to be working fine now...

Thanks all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Wednesday, August 23, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

have you looked at this to see if there's any utility for you?

http://support.microsoft.com/kb/323350/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, August 23, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Thanks for your help.

I have found out more about my problem.

It looks like the target exchange SMTP server is acting up, I can telnet
sometimes and sometimes I can't. Also sometimes I am able to telnet but it
is really slow and sometimes it even freezes on me.

I am still troubleshooting

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, August 23, 2006 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

The implications are further down the troubleshooting stack IMHO.

If you cannot telnet to TCP 25 from the source Exchange server to the
target Exchange server, then you have a problem with connectivity.  You
must be able to do this. Both directions. Until you can successfully do this,
then there is nothing more you can hope to accomplish.  You can check DNS
as well, but you can also find out if basic connectivity is functioning using
the ip addresses.  If it's not, and it sounds like it's not, then you'll
need to address that first.

Al

On 8/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Thank everyone for the response...I am going nuts here,
everything is a mess.

For some reason I can't telnet into domain1 email server from
domain2 , not only that , domain1 has 2 smtp server, one in the port 6000 and
the other in the port 25. Also I send an email to my personal account from
domain2 and I got something like this in the header:

Mail from : [EMAIL PROTECTED]

Received: from servername.domain3.com
([ip address] helo=domain3.com

So the domain in the user's email address does not match the email server's
domain...I am wondering what are the implications of that...

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brandon Pierce
Sent: Tuesday, August 22, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Obviously if the server is running out of space
make sure you remediate that first.  Second, I would recommend if ServerA
cannot send to ServerB, but the reverse is NOT true, then I would suggest
trying basic SMTP commands to ServerA from ServerB.  Check the
following:

1) Is the server responding to SMTP commands?

2) Can the server accept and deliver the mail item to intended recipient?

3) Are the SMTP queues clear in ESM?

4) Is DNS responding correctly (A, PTR, SRV records present?)?

Gut feeling...DNS.

That's my first shot!

Brandon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, August 22, 2006 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

Have you seen this already?

http://support.microsoft.com/kb/821910/

On 8/22/06, Ramon Linan < [EMAIL PROTECTED]> wrote:

Thanks very much, I think my second question was very easy :) but wanted to confirm
it.

The problem now is that we have 500 mg in the hard drive but the
smtp queue is still not delivering the emails from one server to the other.

We have 2 emails servers, one holds domain1.com and the other hold domain2.com. domain1.com can send and receive
fine but domain2 can't send to domain2, the emails are stuck in the queue with
that domain, how do I troubleshoot that?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Tuesday, August 22, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

>>>minimum amount of HD space needed for the smtp to
work?

It depends m

Re: [ActiveDir] Problem in AD

2006-08-24 Thread Paul Williams
Then your problem is likely a DNS issue.  Ensure that all clients are 
pointing to at least two DCs.  Ensure that your DCs are pointing to at least 
two as well, as they're also DNS clients.



--Paul

- Original Message - 
From: "Pankaj Verma" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, August 24, 2006 7:06 AM
Subject: Re: [ActiveDir] Problem in AD



before installing dc01 & dc02 , DC03 was the global catalog server
..now dc01 & dc02 are global catalog servers

On 8/23/06, Almeida Pinto, Jorge de
<[EMAIL PROTECTED]> wrote:




if it is single domain and not all DCs are a GC, make ALL DCs a GC

besides that also make sure a DNS server can be contacted

a bit more details please



Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services


LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 

 
 From: [EMAIL PROTECTED] on behalf of
Pankaj Verma
Sent: Wed 2006-08-23 19:07

To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem in AD




Hi All


I have 3 domain controllers.  I transfer all the FSMO roles from DC03
to DC02 after that I shutdown D03 & I restarted D02 & dC01 but after
that I was not able to communicate with active directory then switched
on DC03 after that every thing is working fine. If somebody can tell
me what could be the problem and after the in event viewer I am
getting an error

 Event id =1030 & 1058 source = usernv



--
Rgds
Pankaj verma