Re: [ActiveDir] Seperate forest migration notes

2006-09-11 Thread Hans Halbmayr
The most simple way is to migrate the computers with
the admin of the source domain (should be admin on all
computers). This admin should be admin in the target
domain, or at least you should delegate the
appropriate rights in the target domain (add
computers).

cheers

Hans

--- Danny <[EMAIL PROTECTED]> wrote:

> I found some more information, however, in the "Before using ADMT v3" help
> document included with ADMT, it states that the account that I am running
> ADMT, must be a member of the administrators group on all computers that I
> want to migrate. How would I accomplish this?
>
> Thanks,
>
> ...D
>
> On 9/5/06, Danny <[EMAIL PROTECTED]> wrote:
> >
> > Thank you, Al! I will provide an updated outline of our plan based on your
> > suggestions.
> >
> > One question, though: Does anyone know what ADMT v3 is not capable of
> > migrating in the environment I outlined?
> >
> > On 8/29/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> > >
> > > Overall, that's pretty good for the plan. If you haven't already seen
> > > it, there's a migration cookbook available on Microsoft's website. Some
> > > things to pay attention to: name resolution for the clients - it's important
> > > :)  Trust configurations - if a recent enough version, there are some
> > > security components that you'll want to be aware of - specifically
> > > quarantine and sidfiltering. Be sure those are configured appropriately for
> > > your environment.
> > >
> > > Order of migration:
> > > Be sure to understand the impacts of the order that you migrate the
> > > users. I don't know enough about the versions of Exchange, but it would make
> > > sense to move the users after or before you move the mailboxes.  All the
> > > users or all the mailboxes pretty much. If you try to do both at the same
> > > time, it can be difficult to troubleshoot and you'll slow your migration
> > > down trying to chase the issues.
> > >
> > > That leads to expectations:
> > > Be sure that nobody expects to stay in the partially-migrated state for
> > > very long while you chase down integration issues.  Once you start, be
> > > prepared to sprint to the finish line.  Co-existence sucks.  No doubts about
> > > that. If you try to continue on with migration and coexistence and new
> > > projects and...etc you'll be torn to the winds.  Your best bet is to
> > > continue to push regardless of the issues once you begin (post pilot of
> > > course).
> > >
> > > Did I mention name resolution? That's important, so I don't mind
> > > mentioning it twice.
> > >
> > > Planning is your friend when it comes to migrations.
> > >
> > > I imagine that Guido might chime in here.  I hear he's done this once or
> > > twice. :)
> > >
> > > On 8/29/06, Danny <[EMAIL PROTECTED]> wrote:
> > > >
> > > > A company was acquired. Separate 2000/2003 forest, now a two-way trust
> > > > exists, but we are looking at migrating their users, mailboxes, computers,
> > > > and servers into our forest.
> > > >
> > > > Working on a plan to test moving a user, mailbox, computer, and server
> > > > into our forest. Plan:
> > > >
> > > > Select test users and computers
> > > > Install ADMT
> > > > Test user migration via ADMT
> > > > Test computer migration via RDP manually or script (must locate)
> > > > Test mailbox migration via Exchange Migration Wizard
> > > > Login as user and test services/access
> > > >
> > > > Am I missing anything? Any tips?
> > > >
> > > > Thanks,
> > > >
> > > > ...D
> > > >
> > > > --
> > > > CPDE - Certified Petroleum Distribution Engineer
> > > > CCBC - Certified Canadian Beer Consumer
> >
> > --
> > CPDE - Certified Petroleum Distribution Engineer
> > CCBC - Certified Canadian Beer Consumer
>
> --
> CPDE - Certified Petroleum Distribution Engineer
> CCBC - Certified Canadian Beer Consumer


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Strange password issue

2006-09-11 Thread Paul Williams



Have you actually seen this behaviour?  As it was my understanding that this
particular policy is processed by SCE outside of normal policy application (by
the PDCe - I can't remember how often, 60 minutes comes to mind but I don't
know why).  I've tried to document this here:
 -- http://www.msresource.net/content/view/36/46/

--Paul

----- Original Message -----
From: Passo, Larry
To: ActiveDir@mail.activedir.org
Sent: Sunday, September 10, 2006 3:19 AM
Subject: RE: [ActiveDir] Strange password issue

If the Domain Controllers OU is set to block GPO inheritance, and the domain GPO
that sets the password policy isn't set for No Override, then the domain
policies might not get set properly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

err, actually the password policy is stored in the machine portion of the GPO
and thus applies to all machines and therefore all local user objects too.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: 06 September 2006 17:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy applies regardless,
because the account is stored in AD. If it's a local account, then the policy
doesn't apply regardless; domain account policies don't apply to local
accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was
created a month ago..

Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert <[EMAIL PROTECTED]> wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password
was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in
with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could
circumvent this policy and allow blank passwords?

Thanks


[ActiveDir] Seized the roles of a failed DC

2006-09-11 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA



Hey all,

I have a little question here, just a sanity check for the most
part.  We had a DC that got its registry ripped to shreds by some hardware
folks, the end result was the OS no longer recognized TCP/IP interfaces, even
after a system state restore of the registry component.  This resulted in
an offline DC which was only the Domain Naming Master and one of 2 GC's.
Our domain is very small with only 4 DCs and the AD database is small as
well.  Previously when an Operations master (Infrastructure Master) went
offline and would not be online for at least another 24 hours, rather than let
the time elapse for the maintenance they requested we transfer the role to
another server immediately, so we complied.

The issue is, this last time a DC failed and the transfer could not
take place, so I seized the roles and brought them online on another DC as well
as made another DC a GC.  The problem is that, since I seized the roles I
realized I could not use the previous DC's name again in AD, based upon
previous experience, lots of articles, and other admins in the past's personal
preferences for AD recovery.

I got my head chewed off by the entire organization from this
renaming of the DC and have undergone many meetings and attacks from people I
had not even worked with before.  I am just wondering what are some of
your practices in this situation.

Recap:

1) Failed DC with no network connectivity
2) Organization wants role holders online at all times
3) Removed DC manually and did cleanup of AD database
4) Built new DC and used a new name
5) Forced through a modern day spanish inquisition
6) What would you have done?

Thanks,

Nate Bahta

General Dynamics Information Technology
Sr. Systems Administrator

"Certo Dirgo Ictu"


RE: [ActiveDir] Seized the roles of a failed DC

2006-09-11 Thread Brian Desmond








Nate-

You can use the old name again, you just need to clean the broken
DC up in AD & rebuild the box. Either search the KB for metadata cleanup or
below are the steps off the top of my head:

Ntdsutil
Metadata cleanup
Connections
Connect to server SomeDC
Exit
Sel op tar
Lis dom
Sel dom #OfDomain
Lis site
Sel site #OfSite
Lis ser in site
Sel ser #OfServer
Exit
Rem sel ser
Exit
Exit

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



 










RE: [ActiveDir] Seized the roles of a failed DC

2006-09-11 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA



Yeah that was done, everything is clean.  Just used a 
different name when I rebuilt the server to be on the safe side and to keep 
things clean.




Re: [ActiveDir] Strange password issue

2006-09-11 Thread support



 
My understanding was that the Password Policies are 
applied similarly to any other Group Policy. I do recall doing some testing some 
time ago whereby using various security filtering on Group Policies I was 
able to set up two DC's with two different effective policies and so two 
different values for Password length.
 
The thing to remember is that domain password 
changes etc are processed by a domain controller. You therefore need to check 
whether the Password policy is being applied to all of the domain controllers. 
As Larry said, if there is blocking on the OU for Domain Controllers and the 
Default Domain Policy does not have "No Override" then the DC will not get the 
policy. Similarly, it is possible that security filtering has been applied to 
the Default Domain Policy that stops it from getting applied etc. However these 
things would be "permanent" so you would still have a DC with the Policy not 
applied.
 
However, my guess is that something was wrong a 
month ago on a Domain Controller which processed the Password reset. It is 
possible that it is still a problem (i.e. if blocking was the culprit), but it 
is more likely to have cleared up. Is it possible that there was a DC added 
briefly at the time that was not processing Policies for some 
reason?
 
Is it feasible to check all of the event logs on 
all DC's at the time the password was created? It may show Group Policy 
Processing errors at the time.
 
Alan Cuthbertson

Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-11 Thread Al Mulnick
Besides the obvious of telling Sophos to adjust their management to deal with this, here's what I understand of your problem to date. VPN clients that are also trusted network clients (i.e. mobile users that traverse both trusted and non-trusted networks) can end up with seemingly duplicate entries for the same device but different ip addresses. This confuses some antivirus management applications and presumably some management applications such as SMS or similar class of app, that rely on reverse name resolution.

Is that correct? Do you have workers that are remote-based only?

Al

On 9/8/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:

According to Sophos Support if one host has 2 DNS Entries, Sophos
Enterprise Manager might not be able to detect this Host and autoupdate will also not work.

As you know jolly;- We are in process of migration from Trend to
Sophos as our Antivirus Solution.

Working on a solution will update soon.

Thanks
Ravi Dogra

On 9/8/06, Jaspreet Singh <[EMAIL PROTECTED]> wrote:
>
> Ravi,
> As Rob said, If your VPN box is forwarding requests to your internal network
> then your DNS will automatically update the records according to the new IP
> which in your case is "x.x.5.x".
>
> Can you explain exactly what is the problem that you are facing due to this?
>
> Regards,
> Jaspreet Singh Jolly
>
> On 9/7/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> >
> > > 1. I Didn't understand what exactly u r asking?
> > > 2. Yes DHCP Is configured properly.
> >
> > That's not what I asked.  I asked if it's updating the records for the
> > device or is it letting the devices update their own?
> >
> > Al
> >
> > On 9/6/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:
> > >
> > > 1. I Didn't understand what exactly u r asking?
> > > 2. Yes DHCP Is configured properly.
> > > 3. Yes it is running on DC
> > > 4. No, not running any other credential.
> > > 5. VPN Machine is entirely a different BOX on other site.
> > > 6. It doesn't register in my DNS. (Will extract other information from
> > > Site B Admin)
> > >
> > > update you very soon...
> > >
> > > Thanks
> > > RD
>
> --
> Regards,
> Jaspreet Singh Jolly

--
Ravi Dogra
9899647200



RE: [ActiveDir] Seized the roles of a failed DC

2006-09-11 Thread Brian Desmond








Ah ok, well, that wasn't necessary.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



 





















Re: [ActiveDir] Seperate forest migration notes

2006-09-11 Thread Al Mulnick
Yep, that would be one of the easiest ways.  Put the source migration account into the source domain admins (domain admins is in the workstation administrators by default) and into the target domain built-in\administrators group.
If you've modified the group membership of the source domain local workstations from default, you'll want to use some of the other methods mentioned without question. The changes to the registry of the xp sp2 workstations is a good thing to be aware of as is the changes to the W2K3 SP1 servers if that's where you run the tool.  Check the readme and be sure your hotfixes are up to date. 
Al



Re: [ActiveDir] Strange password issue

2006-09-11 Thread Al Mulnick
Can you re-enable the source and see if it allows you to logon with the blank password? Based on the description, I doubt it, but it would be interesting to see.  Since the user logged on with the old password for a month prior to having this happen, then something else outside the process(?) occurred that caused the blank password.  In line with the rest of the questions to date, what was the last modification date of the domain password policy? 
I realize there's a lot of speculation that could go on.  But I am curious how the user's password got set to be nothing - especially since it was after the migration had already set it properly. What other processes can touch and modify the user objects? Any IdM products in use? 
Have you confirmed that the password is blank personally? Or was that done via some other team member?

Al

On 9/7/06, Tom Kern <[EMAIL PROTECTED]> wrote:

Sorry, I was distracted by other stuff here.

We are in a migration state with 2 Forests.
Source forest is win2k native and target forest is win2k3 FFL/DFL.
Both Forests have same password policy

Using Quest AD Migration Manager.

The user was created in the source and then migrated about a month ago.

The way this was discovered was, the user's password no longer worked and user claimed to be able to log on with no password (confirmed by help desk staff).
Apparently, according to the user and help desk, he was able to log in with his old password for a month until last week when the system would no longer accept his password and then he tried the null password route and it worked.

Then, I tried logging in as that user with a null password and confirmed it.

When I said UAC was 512, I meant just that - the user was a normal enabled user without the password_notreqd bit set.

When I looked in the history in the Quest console, I saw the user was migrated with "copy password" set to true.

A separate provisioning group creates users. They have been delegated that right through AD.
We only have 2 EA/DA's here and I'm one of them.
I delegated the Quest util to allow this same group to migrate users.
Once migrated, the user can no longer log into the source forest.
We have no other directory servers.
At the moment, users can only change their passwords when they expire and windows prompts them.
The Change Password button on the gina has been disabled via GPO.

This probably sounds more convoluted than it is, so I apologize and we can just drop this thread if you feel there are way too many unknown variables.
Thanks for all your help and interest, guys.

On 9/7/06, Al Mulnick <[EMAIL PROTECTED]> wrote:

I saw it this morning. Not sure if it was last night, today, yesterday...

curious thread though.  I suppose if Tom misinterpreted the uac flag meaning, it is also possible that he type-o'd the actual value.

Tom, how about some more details?

What clued you into the user having a blank password?
What does the user say about it?  How long has it been this way? Was this user migrated (reference to the Quest tool)? How was the user account created (you said ADUC, but were you the one that created it?) How'd the user find out that the password was blank?

I think some history of the issue and how the user came to be configured this way is needed.
Also, what does the user community use to change passwords?  Any meta directories? Any password management solutions in place?

Al

On 9/7/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:

Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot.
 
BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-)

Thanks,

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy.  Try it.  The other half of my post shows the error.  I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this. 

 
p.s. your query, while illustrating the point, isn't really appropriate.  The following is how you should be looking for people with this bit set.
 
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))
 
 
Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.
 
 
--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets U
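
The 512/544 distinction and the bitwise filter discussed in this thread, as an added example that is not part of any list post: a small offline evaluator that runs the quoted LDAP filter over sample entries and decodes their userAccountControl values. The sample accounts are constructed, the function names are made up here, and the evaluator covers only the filter subset shown (with objectCategory compared by short name), not everything a domain controller accepts.

```python
import re

# userAccountControl bits (values from Microsoft's documentation of the attribute).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
BIT_AND = "1.2.840.113556.1.4.803"  # matches when every bit of the mask is set
BIT_OR = "1.2.840.113556.1.4.804"   # matches when any bit of the mask is set

# The filter quoted in the thread.
THREAD_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                 "(userAccountControl:1.2.840.113556.1.4.803:=32))")

USER = ["top", "person", "organizationalPerson", "user"]
# Constructed sample entries (not data from the thread). Computer objects carry
# objectClass=user as well, which is why the filter also tests objectCategory.
SAMPLE = [
    {"samaccountname": ["alice"], "objectcategory": ["person"],
     "objectclass": USER, "useraccountcontrol": [512]},
    {"samaccountname": ["bob"], "objectcategory": ["person"],
     "objectclass": USER, "useraccountcontrol": [544]},
    {"samaccountname": ["carol"], "objectcategory": ["person"],
     "objectclass": USER, "useraccountcontrol": [546]},
    {"samaccountname": ["WKSTN01$"], "objectcategory": ["computer"],
     "objectclass": USER + ["computer"], "useraccountcontrol": [4128]},
    {"samaccountname": ["svc-backup"], "objectcategory": ["person"],
     "objectclass": USER, "useraccountcontrol": [66048]},
]

_ITEM = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)")


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or not children:
            raise ValueError("malformed composite filter")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), i + 1
    end = s.find(")", i)
    item = _ITEM.fullmatch(s[i:end]) if end != -1 else None
    if item is None:
        raise ValueError(f"malformed filter item at offset {i}")
    attr, rule, value = item.groups()
    return ("item", attr.lower(), rule, value), end + 1


def parse_filter(text):
    """Parse a filter built from &, |, !, equality and extensible-match items."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lower-case attr -> list)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    have = entry.get(attr, [])
    if rule is None:  # plain equality, case-insensitive
        return any(str(v).lower() == value.lower() for v in have)
    if rule not in (BIT_AND, BIT_OR):
        raise ValueError(f"unsupported matching rule {rule}")
    mask = int(value)
    if rule == BIT_AND:
        return any(int(v) & mask == mask for v in have)
    return any(int(v) & mask for v in have)


def find(filter_text, entries):
    """Return the sAMAccountName of every entry the filter matches."""
    tree = parse_filter(filter_text)
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for name in find(THREAD_FILTER, SAMPLE):
        uac = next(e for e in SAMPLE if e["samaccountname"][0] == name)["useraccountcontrol"][0]
        print(f"{name}: userAccountControl={uac} -> {', '.join(decode_uac(uac))}")
```

An equality test on 544 finds only accounts whose value is exactly 544, while the bitwise rule also catches 546 (the same account when disabled); dropping the objectCategory clause pulls in the computer account as well.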

Re: [ActiveDir] OT: admin account in Vista

2006-09-11 Thread Al Mulnick
Yes Ken, I believe it is a departure to write down the admin password for every single workstation out there.  Those "defcon" envelopes mentioned earlier in thread are usually intended for critical systems vs. your user community desktops. In a company such as the one I'm at now that would be a huge burden to the way the organization (I use that term loosely of course) operates. This is not an uncommon organization structure from what I've seen.  There are several workstation configuration groups that are all semi-autonomous and aligned with the LOB's. They certainly can't share the passwords. 
For many years the best practices have been to create passwords that were difficult but able to be remembered so they would not have to be written down.  Writing it down, the thinking goes, increases the risk that it would be seen by somebody else. 
I guess I could just buy a gimongous safe to put all of those envelopes in, but that seems a strange departure to me. My guess is that the call comes from Jessper J (confirmed here: 
http://www.theregister.co.uk/2005/07/19/password_schneier/ http://software.silicon.com/security/0,39024655,39130618,00.htm )
I strongly disagree with the assertion and reversal of thinking. I believe that what's really being said is that, "well, we give up.  We can't find any other way outside of causing all computer users to also carry a wallet.  No purses, money-carrying socks, or running shorts if they have no pockets when you use the computer. We don't know how to change the world so that we have less than 68 passwords."  
Maybe I just need more information about this change in concept and what's really being said vs. what's printed in that article and the others like it (Sun has similar statements out there - big surprise, right?)
Of course, if he's right about the number of passwords not being reduced, then he's likely also right about the number of people that use the LCD password and spray it across all systems thereby dumbing down the password strength across the systems. 
I love the back and forth thinking that comes with this and look forward to the steady and long term thinking that allows folks to get a handle on this problem.  I'm not sure I appreciate  the way this is going however. Obfuscating my passwords on my desk? Hmm... I would have thought we could do better.  I know we should. I know we can. I know one-size fits all is not high on my list of appreciated approaches. 
I do agree, Ken, that it's all about acceptable risk and that not all risk is accepted equally.  On that we agree 120%. For all the time that has been put into Vista to make it more security friendly, I hate to see them throw in the hat on this one though.  I suspect that's a recommendation that may change in Vista sp1 time-frame similar to using empty root domains ;-)
Al

On 9/8/06, Craig Cerino <[EMAIL PROTECTED]> wrote:

Agreed

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Schaefer
Sent: Friday, September 08, 2006 7:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: admin account in Vista

Is it a departure really?

I'm always pretty sure that the advice has been to avoid writing down your username/password and storing it in an *insecure* location (i.e. taped to your monitor at work)

On the other hand, if you write down the details and store it in a safe place (e.g. place it into a safe) then surely you are relying on the security of the physical device to protect you. That may be an acceptable risk. I'm pretty sure if you wrote down your admin password at home, and stored the piece of paper underneath your keyboard, you probably wouldn't have that much to worry about (unless you couldn't trust whoever else was living in the house/unit/apartment). Anyone breaking into your house has full physical access anyway...

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, 8 September 2006 1:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: admin account in Vista

"Write down your username and password and store it in a safe location."

That's an interesting departure from the usual recommendations. ;-)

On 9/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:

Windows Vista Security : Built-in Administrator Account Disabled:
http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx

Re: [ActiveDir] Strange password issue

2006-09-11 Thread Paul Williams

The only way that I'm aware of where you can have different lengths (without your own filters, etc.) is if you deny the domain controllers from reading the necessary attributes on the NC head.  By doing this, and then having multiple policies, I believe you can achieve what you are talking about.  I've not tested this - I'm basing this on a conversation I had with someone who has tested this (Mr. Wells) - although we had had a lot to drink at the time, and I might have got things muddled up (very possible).

Under those circumstances, I assume the values defined in the GPO work.  It seems to be that the DCs favour the values on the NC head.  The values on the NC head are written by the PDCe - that reads the domain policies and applies the values to the domain.

I haven't got round to getting my source access sorted yet, so can't verify.  Hopefully someone with access to the code can chip in here.

I'm not disputing what you're saying re. blocking.  That will probably stop the PDCe applying this.  However, I don't think the other DCs process this in the same way.  Unless there's a fall back, and you're achieving that via specific filtering, e.g. DC computer objects or custom groups, i.e. some DCs getting one, and others getting another...

Interesting.  I'll have to try and repro (which is going to take some time with the current work load).

--Paul

  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Monday, September 11, 2006 3:02 PM
  Subject: Re: [ActiveDir] Strange password issue

  My understanding was that the Password Policies are applied similarly to any other Group Policy. I do recall doing some testing some time ago where by using various security filtering on Group Policies I was able to set up two DC's with two different effective policies and so two different values for Password length.

  The thing to remember is that domain password changes etc are processed by a domain controller. You therefore need to check whether the Password policy is being applied to all of the domain controllers. As Larry said, if there is blocking on the OU for Domain Controllers and the Default Domain Policy does not have "No Override" then the DC will not get the policy. Similarly, it is possible that security filtering has been applied to the Default Domain Policy that stops it from getting applied etc. However these things would be "permanent" so you would still have a DC with the Policy not applied.

  However, my guess is that something was wrong a month ago on a Domain Controller which processed the Password reset. It is possible that it is still a problem (i.e. if blocking was the culprit), but it is more likely to have cleared up. Is it possible that there was a DC added briefly at the time that was not processing Policies for some reason?

  Is it feasible to check all of the event logs on all DC's at the time the password was created? It may show Group Policy Processing errors at the time.

  Alan Cuthbertson

  Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
  ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
  Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

- Original Message -
From: Paul Williams
To: ActiveDir@mail.activedir.org
Sent: Monday, September 11, 2006 7:06 PM
Subject: Re: [ActiveDir] Strange password issue

Have you actually seen this behaviour?  As it was my understanding that this particular policy is processed by SCE outside of normal policy application (by the PDCe - I can't remember how often, 60 minutes comes to mind but I don't know why).  I've tried to document this here:
 -- http://www.msresource.net/content/view/36/46/
 
 
--Paul

  - Original Message -
  From: Passo, Larry
  To: ActiveDir@mail.activedir.org
  Sent: Sunday, September 10, 2006 3:19 AM
  Subject: RE: [ActiveDir] Strange password issue

  If the Domain Controllers OU is set to block GPO inheritance, and the domain GPO that sets the password policy isn't set for No Override, then the domain policies might not get set properly.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

err, actually the password policy is stored in the machine portion of the GPO and thus applies to all machines and therefore all local user objects too.
 
neil


From: [EMAIL PROTECTED] 

[ActiveDir] OT: Management Solutions

2006-09-11 Thread Alan J. Gendron

I would love some feedback from those that actually use some of these products.  We initially started looking at a Helpdesk solution.  It has now evolved into an asset management, OS deployment, patch management and license compliance package.  I can't tell you whether it's evolved to this because the package we are looking at has it or because it was decided we could use the additional functionality.  The current front-runner is Altiris.  Could anyone provide some helpful insight into this package or a comparable solution we could look at?  If we're going to spend the money, I'd like to see us spend it wisely.  Thank you in advance.

Alan

Alan J. Gendron
Senior Network Specialist
Lutheran Church Extension Fund
Sunset Corporate Center
10733 Sunset Office Drive
St. Louis, MO 63127-1219
314.885.6596

RE: [ActiveDir] OT: Management Solutions

2006-09-11 Thread Brian Desmond

I have a lot of experience using Ghost for all of that but helpdesk. Helpdesk I have worked with Peregrine (will empty your check book & very complex), TrackIt (kind of basic but folks seem to like it), and customized free open source package called Liberum (so far my favorite).

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


[ActiveDir] Citrix (OT)

2006-09-11 Thread Tom Kern
Anyone know of issues with Citrix Secure Access Manager in a 2 Forest set up (2-way external trust)?
 
I have the Citrix SAM in a source forest and I'm having issues trying to give access to log to the Presentation Server to a user from the target forest.
 
Here's my setup-
 
The user is given access by virtue of nested group membership. The user is a member of a global group in the target which is nested into a local group in the target which is then given access in the SAM.
 
The weird thing is, this only works if the target global group has been migrated(has sIDHistory enabled). If I just create a new global group in the target and nest it into the local group that has access, the user gets access denied. 

 
If I migrate the target global group from the source to target and then put that group into the local target group with access, it works.
 
I feel there is some underlying group type thing here going on but I'm not sure what.
 
Any ideas would be great!
 
The source Forest is win2k native and the target is win2k3 D/FFL.
 
I migrate using Quest AD Migration Manager.
 
 
Thanks


RE: [ActiveDir] OT: Management Solutions

2006-09-11 Thread Darren Mar-Elia

Alan-
I ran one of these evaluations a while back for a 25,000 desktop environment. I would highly advise putting together a spreadsheet of your *real* requirements prior to narrowing the vendor list. Don't let the vendor tell you what you need or the choice will become obvious. Apart from that the following list (in no particular order) includes most of the larger vendors in this space. Most if not all of them include the features you're looking for, at varying levels of integration. You should at least compare features across these to your requirements before evaluating:

-- BMC Marimba
-- Microsoft SMS (or Deployment Manager or whatever it's called now :-))
-- HP Novadigm
-- Attachmate WinInstall
-- Managesoft

There are probably a dozen smaller companies out there doing this. It's a crowded market so it pays to shop around.

Darren


[ActiveDir] Restore left Info store in an inconsistant state.

2006-09-11 Thread John Strongosky

Tried moving my dying ex 5.5 server to new hardware this weekend and it failed because the restore did not bring over a log file and left the dbase in an inconsistent state. Lucky for me I had a recovery plan and was able to bring the old server back online. Has anyone had this happen to them or heard of this happening. Using VERITAS backup Exec 10.d, I remember reading during my haste to find out what was wrong that anti-virus and some backup software will hold on to the edb log file, tried searching for the article that I read but can't find it. The error I received when I tried to start the dbase after the restore was:

EVENT ID 5000, could not start the information store,  0x8004010f in the app log, and in the system log was the info store service terminated with service specific error, 2147746063.

Another question, since my dbase is 26gb and I can't copy it across the wan, can I do a save with the services shutdown and restore the dbase and work dbase to the new server?

thanks,
john


RE: [ActiveDir] Restore left Info store in an inconsistant state.

2006-09-11 Thread Brian Desmond

Hi John,

You can get it to start with eseutil and roll forward to the last log available. What you're going to need to do with your method is restore the backup and then copy the logs over (which shouldn't be many).

You can just copy the database and logs over the wire and mount them at the other end, I don't remember how to do this on 5.5 though. Why aren't you moving to 2003? 5.5 and 2000 are end of life products.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


RE: [ActiveDir] Restore left Info store in an inconsistant state.

2006-09-11 Thread John Strongosky

Hey Brian, thanks for the response, we're in the process of moving to ex 2003 but in the AD migration part and this server external disk array is dying and sorry Ed, they don't trust the move server method as we have to move roles so since I've done a restore to a new server with win2k 3 years ago with Microsoft's help and was using the same process. (i.e. rename all dbdata and mdbdata directories and rename server to same name, same EX services, restore dbase etc etc) and this error did not happen with that restore but the info store would not start because of an index problem which Microsoft said would happen so I did a defrag on that server and everything worked on that server, but when I restored this dbase for the second time after renaming the directories etc, to check to see if I was doing everything ok, and did an eseutil /mh on the priv dbase before I tried and start the info store it said it was in an inconsistent state, which blew me away...as I just did a restore of this dbase to my recovery server to recover some email the 2 weeks before and now my bosses are questioning the saves. So I'm trying to come up with another plan and I was thinking of doing an offline save of this server as we can't copy a 26gb file across the wan, restore the logs/dbase/working dbase to same directories on the new server and then try and bring up the dbase...any thoughts..

john



RE: [ActiveDir] Restore left Info store in an inconsistant state.

2006-09-11 Thread John Strongosky

Sorry, posted this in the wrong group, not a good week for me...



RE: [ActiveDir] [OT] Restore left Info store in an inconsistant state.

2006-09-11 Thread Ayers, Diane

Your better course of action (besides upgrading from a dead version but that is another thread) is build the new server as a second server in your organization and moving the mailboxes.  You get a clean db and a fresh start.  Forget trying to migrate the DB like you would an application database.

Diane



[ActiveDir] Windows Mobile enabled user

2006-09-11 Thread Manjeet Singh

Hi,

What is the best way to query the number of windows mobile messaging enabled users in an exchange 2003 server?

I need to run a remote query for this.

RE: [ActiveDir] [OT] Restore left Info store in an inconsistant state.

2006-09-11 Thread John Strongosky

Diane, thanks for the response tried to convince my managers that this is the way to go but since this is the first server in the site and has all the roles assigned to it, and I submitted a plan using Ed's move server method (thanks Ed) my managers are reluctant to do this because some might break when we set up PF replication and move free/busy info as we use the calendar sharing function of outlook a lot here

My biggest concern is the backups...why did this happen. I'm up the proverbial puddle without a paddle...

john



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Monday, September 11, 2006 2:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Restore left Info store in an inconsistant state.

Your better course of action (besides upgrading from a dead version but that is another thread) is build the new server as a second server in your organization and moving the mailboxes. You get a clean db and a fresh start. Forget trying to migrate the DB like you would an application database.

Diane



[ActiveDir] OT:Anyone noticed this issue? - MS06-049 Causing Silent Data Corruption"

2006-09-11 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

http://it.slashdot.org/article.pl?sid=06/09/11/1342224
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] OT: Management Solutions

2006-09-11 Thread Robert Rutherford

I agree with Brian that Ghost does tend to be the front runner for imaging (IMHO).. I’ve tested and used many but Ghost is a mature project which does what it says on the tin. You’ll be surprised how forgiving it is and how much you can do with varying software and hardware with a little work.

In terms of helpdesk… well it’s a minefield and a road I have travelled many times. I have actually found that most of the time it’s actually easier to get a dev guy to come in and build a system which actually meets your requirements. I have found this to be cheaper (most of the time) in the larger organisations as every organisation has different SLA’s, contracts, processes, methods, etc.

I just recommend going onto sourceforge.net and typing ‘helpdesk’ initially. This should get you going and you may find something that suits your needs or something you can amend to fit. Yes, you can go for the bigger boys, i.e. Hornbill but you’ll pay for it….. have a sniff around and see what fits your requirements.

In terms of patch deployment… I do like Patchlink. It will give you patch deployment across most applications with good reporting. You also get software and hardware inventory included in the price.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 11 September 2006 20:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I have a lot of experience using Ghost for all of that but helpdesk. Helpdesk I have worked with Peregrine (will empty your check book & very complex), TrackIt (kind of basic but folks seem to like it), and customized free open source package called Liberum (so far my favorite).

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan J. Gendron
Sent: Monday, September 11, 2006 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Management Solutions

I would love some feedback from those that actually use some of these products. We initially started looking at a Helpdesk solution. It has now evolved into an asset management, OS deployment, patch management and license compliance package. I can’t tell you whether it’s evolved to this because the package we are looking at has it or because it was decided we could use the additional functionality. The current front-runner is Altiris. Could anyone provide some helpful insight into this package or a comparable solution we could look at? If we’re going to spend the money, I’d like to see us spend it wisely. Thank you in advance.

Alan

Alan J. Gendron
Senior Network Specialist
Lutheran Church Extension Fund
Sunset Corporate Center
10733 Sunset Office Drive
St. Louis, MO 63127-1219
314.885.6596

Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-11 Thread Ravi Dogra

Yes, it's correct.

No, we have mobile users.

On 9/11/06, Al Mulnick <[EMAIL PROTECTED]> wrote:

Besides the obvious of telling Sophos to adjust their management to deal
with this, here's what I understand of your problem to date.

VPN clients that are also trusted network clients (i.e. mobile users that
traverse both trusted and non-trusted networks) can end up with seemingly
duplicate entries for the same device but different ip addresses. This
confuses some antivirus management applications and presumably some
management applications such as SMS or similar class of app, that rely on
reverse name resolution.

Is that correct?

Do you have workers that are remote-based only?

Al



On 9/8/06, Ravi Dogra < [EMAIL PROTECTED]> wrote:
> According to Sophos Support if one host has 2 DNS Entries, Sophos
> Enterprise Manager might not be able to detect this Host and auto
> update also won't work.
>
> As you know jolly;- We are in process of migration from Trend to
> Sophos as our Antivirus Solution.
>
> Working on a solution will update soon.
>
> Thanks
> Ravi Dogra
>
> On 9/8/06, Jaspreet Singh <[EMAIL PROTECTED]> wrote:
> >
> > Ravi,
> > As Rob said, If your VPN box is forwarding requests to your internal network
> > then your DNS will automatically update the records according to the new IP
> > which in your case is "x.x.5.x".
> >
> > Can you explain exactly what is the problem that you are facing due to this?
> >
> > Regards,
> > Jaspreet Singh Jolly
> >
> >
> >
> > On 9/7/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > > 1. I didn't understand what exactly u r asking?
> > > 2. Yes DHCP Is configured properly.
> > >
> > >
> > > That's not what I asked.  I asked if it's updating the records for the
> > > device or is it letting the devices update their own?
> > >
> > >
> > >
> > > Al
> > >
> > >
> > >
> > >
> > > On 9/6/06, Ravi Dogra <[EMAIL PROTECTED] > wrote:
> > >
> > > > 1. I didn't understand what exactly u r asking?
> > > > 2. Yes DHCP Is configured properly.
> > > > 3. Yes it is running on DC
> > > > 4. No, not running any other credential.
> > > > 5. VPN Machine is entirely a different BOX on other site.
> > > > 6. It doesn't register in my DNS. (Will extract other information from
> > > > Site B Admin)
> > > >
> > > > update you very soon...
> > > >
> > > > Thanks
> > > > RD
> > > >
> > >
> > >
> > >
> >
> >
> >
> > --
> > Regards,
> > Jaspreet Singh Jolly
>
>
> --
> Ravi Dogra
> 9899647200
> This e-mail, together with any attachments, is confidential. It may be
> read, copied and used only by the intended recipient. If you have
> received it in error, please notify the sender immediately by e-mail
> or telephone. Please then delete it from your computer without making
> any copies or disclosing it to any other person.
>





--
Ravi Dogra
9899647200
This e-mail, together with any attachments, is confidential. It may be
read, copied and used only by the intended recipient. If you have
received it in error, please notify the sender immediately by e-mail
or telephone. Please then delete it from your computer without making
any copies or disclosing it to any other person.
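
Added example, not part of the original thread: the condition Al describes above (one hostname with several A records, and reverse lookups that no longer agree with the forward ones) can be found by auditing a DNS zone export before pointing a management tool at it. The simplified "name type data" record format, the hostnames and the addresses below are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: simplified "name type data" lines such as a zone
# export might contain. Hostnames and addresses are made up.
SAMPLE_ZONE = """\
laptop01.corp.example.    A    10.1.1.20
laptop01.corp.example.    A    10.1.5.20
laptop02.corp.example.    A    10.1.5.21
server01.corp.example.    A    10.1.1.5
20.1.1.10.in-addr.arpa.   PTR  laptop01.corp.example.
20.5.1.10.in-addr.arpa.   PTR  laptop01.corp.example.
21.5.1.10.in-addr.arpa.   PTR  laptop03.corp.example.
5.1.1.10.in-addr.arpa.    PTR  server01.corp.example.
"""


def parse_records(text):
    """Return (forward, reverse): host -> set of IPs, PTR owner -> set of hosts."""
    forward, reverse = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0].startswith(";"):
            continue  # skip blank lines, comments and malformed lines
        name = fields[0].lower().rstrip(".")
        rtype, data = fields[1].upper(), fields[2]
        if rtype == "A":
            forward[name].add(str(ipaddress.ip_address(data)))
        elif rtype == "PTR":
            reverse[name].add(data.lower().rstrip("."))
    return forward, reverse


def audit(forward, reverse):
    """List (host, finding, detail) tuples for records a tool that relies on
    reverse name resolution would trip over."""
    findings = []
    for host in sorted(forward):
        ips = sorted(forward[host], key=ipaddress.ip_address)
        if len(ips) > 1:
            # Same device registered from two networks (e.g. LAN and VPN pool).
            findings.append((host, "multiple-A", ",".join(ips)))
        for ip in ips:
            ptr_name = ipaddress.ip_address(ip).reverse_pointer
            targets = reverse.get(ptr_name, set())
            if not targets:
                findings.append((host, "missing-PTR", ip))
            elif host not in targets:
                # Reverse lookup answers with a different (stale) hostname.
                detail = f"{ip}->{','.join(sorted(targets))}"
                findings.append((host, "PTR-mismatch", detail))
    return findings


if __name__ == "__main__":
    for finding in audit(*parse_records(SAMPLE_ZONE)):
        print(*finding)
```
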


RE: [ActiveDir] OT: admin account in Vista

2006-09-11 Thread Ken Schaefer
--- Original Message ---
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
: Sent: Tuesday, 12 September 2006 12:47 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] OT: admin account in Vista
:
: Yes Ken, I believe it is a departure to write down the admin password for every single
: workstation out there.

Certainly that is a departure.


: For many years the best practices have been to create passwords that were
: difficult but able to be remembered so they would not have to be written down.
: Writing it down, the thinking goes, increases the risk that it would be seen by
: somebody else.

Sure. But forcing people to memorize numerous passwords also has its own
risks. So we have tradeoffs here.

I think all that Jesper (et al) are saying is that blanket prohibitions on
writing down passwords tend to ignore the real reason why those prohibitions
came about in the first place. The password is the shared secret that enables
you to authenticate yourself. The shared secret must not be compromised, and
generally if you write down the password it can be compromised, because the
written down password tends to be easily accessible (e.g. taped to the user's
monitor). 

However *if* you are able to secure the written down password (e.g. by using
your own password manager application, or a physical safe, or your wallet, or
whatever), then the increased risk of compromise may be acceptable because it
allows you to maintain a more diverse, complex, set of passwords for systems
you need to connect to. If you can not secure the secret, then do not write
it down.

I don't think there's anything really radical in that argument. It's just
that the caveat (security around the secret) has been lost, and the
exhortation not to write down the password has remained.


: I strongly disagree with the assertion and reversal of thinking.

Fair enough. But the original blog post cited did say (emphasis added):

we recommend the follow tips for *home* users

As I mentioned before, for your home PC, if you write down the admin password
and store it under your keyboard are you really risking much (assuming you
live alone or can trust your housemates)? Anyone who has access to that piece
of paper has probably already broken into your house. You probably
have other worries which are much more pressing than having your computer's
admin password compromised :-)

At the risk of repeating what we already know - security is about risk
management. We need to know what risks we're facing. Home users have more
physical security they can rely on than the average corporate cubicle.
Relying on that physical security may be an acceptable risk.

Cheers
Ken
[EMAIL PROTECTED])

RE: [ActiveDir] OT: Management Solutions

2006-09-11 Thread Brian Desmond

I use WSUS for patching in some decent size places. My strategy has been to combine a variety of free products into a single system – I’ve gotten good at it and I’ve also written glue when I need to. My overall feeling is that I get more flexibility just gluing things together than with a single baked product.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Monday, September 11, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I agree with Brian that Ghost does tend to be the front runner for imaging (IMHO).. I’ve tested and used many but Ghost is a mature project which does what it says on the tin. You’ll be surprised how forgiving it is and how much you can do with varying software and hardware with a little work.

In terms of helpdesk… well it’s a minefield and a road I have travelled many times. I have actually found that most of the time it’s actually easier to get a dev guy to come in and build a system which actually meets your requirements. I have found this to be cheaper (most of the time) in the larger organisations as every organisation has different SLA’s, contracts, processes, methods, etc.

I just recommend going onto sourceforge.net and typing ‘helpdesk’ initially. This should get you going and you may find something that suits your needs or something you can amend to fit. Yes, you can go for the bigger boys, i.e. Hornbill but you’ll pay for it….. have a sniff around and see what fits your requirements.

In terms of patch deployment… I do like Patchlink. It will give you patch deployment across most applications with good reporting. You also get software and hardware inventory included in the price.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com


RE: [ActiveDir] OT: Management Solutions

2006-09-11 Thread Patrick Paul

Have you tried HelpStar – works great. Inventory - use Kace box running FreeBSD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I use WSUS for patching in some decent size places. My strategy has been to combine a variety of free products into a single system – I’ve gotten good at it and I’ve also written glue when I need to. My overall feeling is that I get more flexibility just gluing things together than with a single baked product.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


RE: [ActiveDir] OT: Management Solutions

2006-09-11 Thread Brian Desmond

Never used/heard of Kace. Looks like a kind of limited use appliance?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Paul
Sent: Monday, September 11, 2006 10:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

Have you tried HelpStar – works great. Inventory - use Kace box running FreeBSD.
