Re: [ActiveDir] dsget error

2006-09-13 Thread Paul Williams



It must be some kind of issue with the DS* tools. I was using a combination of ADFIND and DSMOD last week to enable ~200,000 user objects (I forgot to set a password in a script that created a bunch of objects and therefore had a shed load of objects with a uac of 546) and it would die every time with that error after a couple of thousand objects. I figured, but didn't look into it, it's something to do with the fact that DSMOD queries the DN you pass it to check for object type, etc., which means there's loads of queries hitting the DC (one for each mod).

This is why Joe's ADMOD (1.7) is going to be loads better, as he only does one extra query, which means there's only n + 1 LDAP requests hitting the DC as opposed to n x 2 with DSMOD.


--Paul

  - Original Message -
  From: Brian Desmond
  To: ActiveDir@mail.activedir.org
  Sent: Wednesday, September 13, 2006 2:45 AM
  Subject: RE: [ActiveDir] dsget error

  The query is probably timing out.

  Get Joe's ADfind and run something like this:

  Adfind -default -f "(&(objectCategory=person)(objectClass=user))" displayName samAccountName pwdLastSet

  You can tag a -csv on there too.

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
  Sent: Tuesday, September 12, 2006 9:29 PM
  To: activedir@mail.activedir.org
  Subject: [ActiveDir] dsget error
  
  Any time I try to run a large query using dsquery and dsget where I pipe it to a text file for output, I eventually get a "dsget failed: The server is not operational." error from dsget. I've searched the Internet for this and seen posts from a couple of other people who have had this issue, with no resolution.

  Am I doing something wrong? Am I stupid? (yes, I probably am) Am I missing some limitation of stdout?

  Here's the command I was using:

  "dsquery user -name * -limit 0 | dsget -display -samid -pwdneverexpires"
  
  Thnx,
  JC
  
  


  

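Both the -pwdneverexpires switch in Justin's command and the "uac of 546" objects Paul mentions are bits in the userAccountControl attribute. As an added example (not code from any poster on the thread), the Python below decodes that flag word and produces an exception list from a CSV of samAccountName,userAccountControl values such as an adfind -csv run could give; the rows in SAMPLE_EXPORT are constructed, and REVIEW_FLAGS is my own choice of flags worth reporting.

```python
"""Decode Active Directory userAccountControl (UAC) bit flags from a CSV export.

Added example, not code from the thread. The flag values are the documented
ADS_USER_FLAG constants; the CSV rows at the bottom are constructed samples.
"""
from __future__ import annotations

import csv
import io

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
KNOWN_BITS = 0
for _bit in UAC_FLAGS:
    KNOWN_BITS |= _bit

# Flags that weaken the account's own credential and belong on a review report
# (my selection for this example).
REVIEW_FLAGS = {
    "PASSWD_NOTREQD",            # blank password allowed (the 546 case in the thread)
    "DONT_EXPIRE_PASSWORD",      # what dsget -pwdneverexpires reports
    "ENCRYPTED_TEXT_PWD_ALLOWED",
    "USE_DES_KEY_ONLY",
    "DONT_REQ_PREAUTH",
}


def decode_uac(value: int) -> list[str]:
    """Return the flag names set in a userAccountControl value, lowest bit first.

    Bits outside the documented set are reported as UNKNOWN_0x... so a value
    is never silently mis-described.
    """
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    leftover = value & ~KNOWN_BITS
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def audit(csv_text: str) -> dict[str, dict]:
    """Map each account carrying a review flag to its enabled state and those flags.

    Accounts with no review flags are omitted, so the result is the exception list.
    """
    findings: dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = decode_uac(int(row["userAccountControl"]))
        review = sorted(set(flags) & REVIEW_FLAGS)
        if review:
            findings[row["samAccountName"]] = {
                "enabled": "ACCOUNTDISABLE" not in flags,
                "flags": review,
            }
    return findings


# Constructed sample export (not real accounts).
SAMPLE_EXPORT = """samAccountName,userAccountControl
jclay,512
svc_backup,66048
bulkuser0001,546
bulkuser0002,544
legacyapp,4260352
"""

if __name__ == "__main__":
    print("546 ->", decode_uac(546))
    for sam, info in audit(SAMPLE_EXPORT).items():
        state = "enabled" if info["enabled"] else "disabled"
        print(f"{sam:14} {state:8} {', '.join(info['flags'])}")
```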

RE: [ActiveDir] Locking Down Wireless

2006-09-13 Thread Dave Wade
Wilson,

First, thanks for the suggestion. When I started I spent a long time looking at non-Microsoft solutions, because I wanted to avoid updating about 100 laptops from W2K to XP-SP2, but I discarded most of them a long time ago, for a number of reasons.

Firstly, having already been bitten by 3-COM withdrawing support for their TLS security means that a vendor solution is not really acceptable, which did not leave much at all.

Secondly, as far as I can tell none of them can use the machine credentials to authenticate, so the machine is not on the network until a user logs on. This means policies don't get applied and logon scripts don't run. Then when the user does log on, they don't use the existing credentials; the user needs to re-enter their password to authenticate with the Radius server. (The network team specified PEAP with Domain Credentials using existing radius servers.)

On top of that, whilst a large percentage of the systems are IBM we also have a number of non-IBM machines, Compaq and Toshiba for example. We also have a large number of IBMs with 3-COM cards (bought to work with our previous security system) which the IBM software does not manage. I did check out the 3com software and on Windows/XP I could not even get it to work with PEAP and MS-CHAPV2 as specified by the network team, so reverted to the Wireless Zero Config.

Dave.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of wilson chang
Sent: 12 September 2006 20:57
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Locking Down Wireless

Dave,

Are you averse to a non-Microsoft approach?  I ask because depending on the make/model of your laptop and/or wireless card, there may be other options.  For example, ThinkPads come with the Access Connection Manager - an applet that controls a great many detailed configuration settings pertaining to both wired & wireless connections. Specifically, there's an option to only allow Administrators to change settings.  Once a connection profile is set up, end users will only be offered those predefined sites and no others!  Of course, if the users are local admin ... yada yada yada :-)  I believe the Intel ProSet software package also includes similar functionality.  There may be others, but these 2 are ones I've used before.  Each one also has the ability to import/export the connection profiles, so as to facilitate larger rollouts.

Thanks,
Wilson

On 9/12/06, Dave Wade [EMAIL PROTECTED] wrote:

  Have I missed something in the new XPSP2 wireless configuration stuff? As far as I can see you can't prevent users connecting to non-preferred networks, even with Policy lockdown. Even if you hide the networks page on the adaptor, when the user is in a location where there is no network, the connection wizard still pops up. Anyone any solution to this?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx






[ActiveDir] Handling different schemas - managing & maintaining updates

2006-09-13 Thread Paul Williams



I can't get too specific about the requirements, so please don't ask ;-)

I'm looking for your ideas, opinions and experience on how you maintain different sets of schemas for different forests that you manage (for the same customer).

Basically, consider this: you have an internal domain (single domain forest) and another (or several) single domain forest(s) in a DMZ. They might have Exchange and one or two other directory-enabled apps that extend the schema, and you have your own standard/default schema.

Do you see any security implications in having the same schema in the DMZ-type networks as that of the internal domain? And if not, how do you manage updates and testing, etc.?

I might have several single domain forests. Internal ones, and several of these DMZ based domains. It's not really a DMZ, but is a different network and is considered external to the internal domain(s). This is for a number of interoperability apps, and no, we can't use ADAM or equivalent. We're using plenty of ADAM.

The main thing I'm interested in here is, as mentioned above, if you were happy to have a consistent schema, how do you maintain that? Would you use a script to compare and export differences, etc.?

Or, would you recommend against having a standard schema? I can't see why anyone would recommend against this unless there's a major security concern I've overlooked, as it will greatly complicate future extensions, but I'm interested nonetheless.

Please assume a large enterprise environment that follows ITIL and has a proper test environment, e.g. ADAM -> VM -> Dev -> Pre-prod -> live.

Thanks,


--Paul
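Paul asks whether one would use a script to compare and export schema differences between forests. As an added example (not code from the list or from any poster), the Python below compares two LDIF-style schema exports, the kind a schema-partition export with ldifde yields, and reports objects present in only one forest plus definitional attributes whose values differ. The two LDIF texts are constructed samples with placeholder OIDs; the choice of which attributes count as "definitional" is mine.

```python
"""Compare two AD schema exports (LDIF) by lDAPDisplayName.

Added example, not code from the thread; the LDIF texts are constructed
stand-ins for internal- and DMZ-forest exports (OIDs under 1.3.6.1.4.1.99999
are placeholders). Entries match on lDAPDisplayName rather than DN because
the DC= suffix differs per forest; only definitional attributes (lower-cased,
as LDAP compares them) are checked, since whenChanged/uSNChanged always differ.
"""

COMPARE_ATTRS = ("objectclass", "attributeid", "attributesyntax", "omsyntax",
                 "issinglevalued", "searchflags", "governsid", "subclassof",
                 "maycontain", "mustcontain")


def parse_ldif(text):
    """Parse LDIF into {dn: {attr: {values}}}; unfolds continuation lines, skips base64 ('::')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # a leading space continues the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None                      # blank line ends the entry
            continue
        key, sep, value = line.partition(":")
        if not sep or line.startswith("#") or value.startswith(":") or line.lower().startswith("version:"):
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = entries.setdefault(value, {})
        elif current is None:
            raise ValueError(f"attribute before any dn: {line!r}")
        else:
            current.setdefault(key, set()).add(value)
    return entries


def by_display_name(entries):
    """Re-key entries by lDAPDisplayName, falling back to the first RDN."""
    keyed = {}
    for dn, attrs in entries.items():
        names = attrs.get("ldapdisplayname")
        keyed[next(iter(names)) if names else dn.split(",", 1)[0]] = attrs
    return keyed


def diff_schemas(internal_ldif, dmz_ldif):
    """Objects present in one forest only, plus definitional attributes that differ."""
    a, b = by_display_name(parse_ldif(internal_ldif)), by_display_name(parse_ldif(dmz_ldif))
    report = {"only_internal": sorted(set(a) - set(b)),
              "only_dmz": sorted(set(b) - set(a)), "changed": {}}
    for name in sorted(set(a) & set(b)):
        deltas = {}
        for attr in COMPARE_ATTRS:
            va, vb = a[name].get(attr, set()), b[name].get(attr, set())
            if va != vb:
                deltas[attr] = {"internal": sorted(va), "dmz": sorted(vb)}
        if deltas:
            report["changed"][name] = deltas
    return report


INTERNAL_LDIF = """\
dn: CN=Employee-Badge-Id,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: attributeSchema
lDAPDisplayName: employeeBadgeId
attributeID: 1.3.6.1.4.1.99999.1.1
searchFlags: 1

dn: CN=Corp-Person,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: classSchema
lDAPDisplayName: corpPerson
governsID: 1.3.6.1.4.1.99999.2.1
subClassOf: top
mayContain: employeeBadgeId
mayContain: employeeCostCentre
"""

DMZ_LDIF = """\
dn: CN=Employee-Badge-Id,CN=Schema,CN=Configuration,DC=dmz,DC=example
objectClass: attributeSchema
lDAPDisplayName: employeeBadgeId
attributeID: 1.3.6.1.4.1.99999.1.1
searchFlags: 0

dn: CN=Corp-Person,CN=Schema,CN=Configuration,DC=dmz,DC=example
objectClass: classSchema
lDAPDisplayName: corpPerson
governsID: 1.3.6.1.4.1.99999.2.1
subClassOf: top
mayContain: employeeBadgeId

dn: CN=DMZ-Partner-Id,CN=Schema,CN=Configuration,
 DC=dmz,DC=example
objectClass: attributeSchema
lDAPDisplayName: dmzPartnerId
attributeID: 1.3.6.1.4.1.99999.1.2
"""
```

Run diff_schemas(INTERNAL_LDIF, DMZ_LDIF) to see the DMZ-only attribute, the dropped mayContain and the searchFlags (indexing) difference that a change-management review would need to reconcile.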



FW: [ActiveDir] Sharepoint in the DMZ

2006-09-13 Thread Ramon Linan






Hi Russ,

I have a friend with a lot of experience as a Sharepoint administrator in different environments; this is what he suggested.

BTW, although he is currently working in the same company as me, he is looking to move to another company, in case you need someone.

Rezuma





 
They should only open port 443 from the internet and use SSL if it will be used with AD users. If it's dual purpose for Outlook Web Access, it still only needs 443. You can hide the purpose of this port from port scanners by using a load balancer or port redirection.

When connecting servers in the DMZ to servers on the inside, the best way is to create an IPSec tunnel from the web server to the inside (dbase or exchange) server using the MS built-in networking and run the tunnel over a non-standard port such as 5066. That will minimize how many ports are open from the DMZ to inside and will also take care of forgetting to open a port or two when more traffic needs to pass such as NetBIOS or AD type traffic. Because it's a non-standard port, it makes it harder to find and identify for specific exploit types such as SQL injection on port 1433 against SQL server.

I don't have an opinion on using a child domain; it will work fine, but if security is the reason, I'd build a separate domain and use a trust maybe.

What do you think?

Dan









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Tuesday, September 12, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint in the DMZ

Hi all,

I have a consultant that wants to put Sharepoint into our DMZ. Here is what he is proposing to do:

  - Create a child domain and put the Sharepoint computer account in the child domain
  - Put the Sharepoint server in our DMZ.
  - Open up the same ports for Sharepoint that we would open for Outlook Web Access
  - Also open port 1433 for SQL

Since I don't know much about Sharepoint, I was hoping someone would be able to let me know if this has been done in the past and if it's safe.

Thank you
Russ



RE: [ActiveDir] OT: Management Solutions

2006-09-13 Thread Alex Alborzfard








What is the largest environment WSUS can be deployed in effectively? At what point are you better off going with something like Shavlik or Patchlink?

What do they give you that WSUS doesn't?

We're trying to put in place a patch management solution for a company that's midsize (~1700 users), but with offices scattered all over the world.

But we're not sure how to architect the whole thing (how many servers, layers, and where; what's the cutoff point: bandwidth, # of users?).

The other issue is the industry we're in: healthcare. We're constantly audited and for every single task we have to test, write validation and justification.

So we're not sure how we can do this, with so many patches MS puts out every Tuesday, without going insane! And this is just for desktops; servers are a whole different ball of wax.

Anybody out there had to deal with similar issues?





Alex











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006
9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:
Management Solutions





I use WSUS for patching in some decent size places. My strategy has been to combine a variety of free products into a single system; I've gotten good at it and I've also written glue when I need to. My overall feeling is that I get more flexibility just gluing things together than with a single baked product.





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Monday, September 11, 2006
6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:
Management Solutions







I agree with Brian that Ghost does tend to be the front runner for imaging (IMHO). I've tested and used many but Ghost is a mature project which does what it says on the tin. You'll be surprised how forgiving it is and how much you can do with varying software and hardware with a little work.

In terms of helpdesk, well, it's a minefield and a road I have travelled many times. I have actually found that most of the time it's actually easier to get a dev guy to come in and build a system which actually meets your requirements. I have found this to be cheaper (most of the time) in the larger organisations as every organisation has different SLAs, contracts, processes, methods, etc.

I just recommend going onto sourceforge.net and typing "helpdesk" initially. This should get you going and you may find something that suits your needs or something you can amend to fit. Yes, you can go for the bigger boys, i.e. Hornbill, but you'll pay for it. Have a sniff around and see what fits your requirements.

In terms of patch deployment I do like Patchlink. It will give you patch deployment across most applications with good reporting. You also get software and hardware inventory included in the price.



Cheers,



Rob 

Robert Rutherford 
QuoStar Solutions
Limited 

T:
+44 (0) 8456 440 331 
F:
+44 (0) 8456 440 332 
M:
+44 (0) 7974 249 494 
E:  [EMAIL PROTECTED] 
W:  www.quostar.com 

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 11 September 2006 20:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:
Management Solutions





I have a lot of experience using Ghost for all of that but helpdesk. For helpdesk I have worked with Peregrine (will empty your check book; very complex), TrackIt (kind of basic but folks seem to like it), and a customized free open source package called Liberum (so far my favorite).





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan J. Gendron
Sent: Monday, September 11, 2006
3:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:
Management Solutions







I would love some feedback from those that actually use some of these products. We initially started looking at a Helpdesk solution. It has now evolved into an asset management, OS deployment, patch management and license compliance package. I can't tell you whether it's evolved to this because the package we are looking at has it or because it was decided we could use the additional functionality. The current front-runner is Altiris. Could anyone provide some helpful insight into this package or a comparable solution we could look at? If we're going to spend the money, I'd like to see us spend it wisely. Thank you in advance.



Alan

Alan J. Gendron

Senior
Network Specialist

Lutheran Church Extension Fund

Sunset
Corporate Center

10733
Sunset Office Drive

St. Louis, MO 63127-1219

314.885.6596














RE: [ActiveDir] Locking Down Wireless

2006-09-13 Thread Jason_Centenni
Return Receipt: your document "RE: [ActiveDir] Locking Down Wireless" was received by Jason Centenni/CDS/CG/CAPITAL at 09/13/2006 08:22:33 AM CDT.






RE: [ActiveDir] Isolating a DC

2006-09-13 Thread Lucas, Bryan
Thanks to all for the responses.

This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a "keep it simple" perspective.

Are there any technical reasons why a separate site would be better than isolation through IPSec?  Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the ipsec isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:

> I highly recommend that you read
> http://www.windowsitpro.com/articles/print.cfm?articleid=37935
>
> Then, as a fall-back option, look for the isolation using IPSec
> whitepapers on Microsoft site. I can't find them now, but I know that
> they exist. They show you how to restrict communication with a specific
> server or network using IPSec.
   
I think what you're referring to is the excellent "Server and Domain Isolation using IPSec" content, at:

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech Windows Users Group:

http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also "Using IPSec to Lock Down a Server" from technet..

http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.

-- 

 James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org

 Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)

sites: https://www.bsrf.org.uk ~ http://www.security-forums.com

  ca: https://www.cacert.org/index.php?id=3



RE: [ActiveDir] Handling different schemas - managing & maintaining updates

2006-09-13 Thread neil.ruston



Without wishing to appear facetious :) I would suggest that if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal.

As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above).

neil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 13 September 2006 10:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Handling different schemas - managing & maintaining updates






[ActiveDir] Adding another domain via VPN

2006-09-13 Thread Bob Anderson
Good Morning,
We are a small company with 2 locations and 2 different AD
domains.  At the remote location they have 1 W2K server and 25 users.
They are connected to us via a dedicated VPN so that they can access our
iSeries.  Here we have a soon to be Windows 2003 domain with 5 servers
and 40 users.

We would like to join the two domains together over the VPN with
our domain staying the forest root.  

Is this possible, and if so can someone point to the best write up on how to do it, as I would rather learn how to do it than take someone's time to explain it and walk me through. It's the old "teach a man to fish" thing.

Thanks in advance

Bob Anderson
IT Guy
Kent Sporting Goods
433 Park Ave. S
New London OH 44851
419-929-7021 x315
email: [EMAIL PROTECTED]
 
  


Re: [ActiveDir] Isolating a DC

2006-09-13 Thread Matt Hargraves
Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment.
BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites, only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also.
Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting an IP filter on these boxes. If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than "OMG, a (gasp) *user* authenticated against my application DC".



Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-13 Thread Al Mulnick
I swear this is the last question and then I'll make a suggestion. :)

Is the DHCP server that the remote clients are getting their ip addr's from the same as the one that you are using for lan connected clients? You are obviously allowing the user's machine to update its own records, but is that consistent, or is the DHCP server on the lan registering the records for you, possibly under a different set of credentials or in a different zone?
On 9/11/06, Ravi Dogra [EMAIL PROTECTED] wrote:
> yes its correct.
> No we have mobile users..
>
> On 9/11/06, Al Mulnick [EMAIL PROTECTED] wrote:
>> Besides the obvious of telling Sophos to adjust their management to deal with this, here's what I understand of your problem to date.
>> VPN clients that are also trusted network clients (i.e. mobile users that traverse both trusted and non-trusted networks) can end up with seemingly duplicate entries for the same device but different ip addresses. This confuses some antivirus management applications and presumably some management applications such as SMS or similar class of app, that rely on reverse name resolution. Is that correct?
>> Do you have workers that are remote-based only?
>> Al
>>
>> On 9/8/06, Ravi Dogra [EMAIL PROTECTED] wrote:
>>> According to Sophos Support if one host has 2 DNS Entries, Sophos Enterprise Manager might not be able to detect this Host and auto update will also don't work.
>>> As you know jolly;- We are in process of migration from Trend to Sophos as our Antivirus Solution.
>>> Working on a solution will update soon.
>>> Thanks
>>> Ravi Dogra
>>>
>>> On 9/8/06, Jaspreet Singh [EMAIL PROTECTED] wrote:
>>>> Ravi,
>>>> As Rob said, if your VPN box is forwarding requests to your internal network then your DNS will automatically update the records according to the new IP, which in your case is x.x.5.x. Can you explain exactly what is the problem that you are facing due to this?
>>>> Regards,
>>>> Jaspreet Singh Jolly
>>>>
>>>> On 9/7/06, Al Mulnick [EMAIL PROTECTED] wrote:
>>>>> > 1. I Didn't understand what exactly u r asking?
>>>>> > 2. Yes DHCP Is configured properly.
>>>>> That's not what I asked. I asked if it's updating the records for the device or is it letting the devices update their own?
>>>>> Al
>>>>>
>>>>> On 9/6/06, Ravi Dogra [EMAIL PROTECTED] wrote:
>>>>>> 1. I Didn't understand what exactly u r asking?
>>>>>> 2. Yes DHCP Is configured properly.
>>>>>> 3. Yes it is running on DC
>>>>>> 4. No, not running any other credential.
>>>>>> 5. VPN Machine is entirely a different BOX on other site.
>>>>>> 6. It doesn't register in my DNS. (Will extract other information from Site B Admin)
>>>>>> update you very soon...
>>>>>> Thanks
>>>>>> RD



[ActiveDir] DCDiag erro from Child Domain

2006-09-13 Thread HBooGz
Hey all -

I've completed the complete upgrade to Windows 2003 R2 on all 4 of my domain controllers. =)  I have two in the forest root domain. And I have one in a child domain. And another in a DR site.

When I run dcdiag /e /v from the child domain controller I get the following error from both of the DC's in the parent domain:

   Starting test: NetLogons
      * Network Logons Privileges Check
      Verified share \\PHMAINDC1\netlogon
      Verified share \\PHMAINDC1\sysvol
      [PHMAINDC1] User credentials does not have permission to perform this operation.
      The account used for this test must have network logon privileges
      for this machine's domain.
      . PHMAINDC1 failed test NetLogons

I've noticed in the past some account permission issues when admin accounts from my parent domain tried accessing resources in the child domain and vice versa.

I ran this test logged in as the Administrator of the child domain -- what permissions need to be in place on the parent domain DC's to allow this child domain admin to run the specified tests? Is this normal?

I also get errors when dcdiag attempts to access the parent DC's event logs with the classic "access is denied". I could use a clearing up as to what should be the permission levels for each of the administrative accounts in the parent and child domain.

I've added myself as the enterprise admin and on numerous occasions I would still need to supply child domain admin credentials to access resources in that child domain -- what gives?

Thanks..
-- HBooGz:\


Re: [ActiveDir] OT: Management Solutions

2006-09-13 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

www.patchmanagement.org

Sign up for the WSUS listserv.

1700 desktops is extremely do-able with WSUS.

HIPAA: you just have to get a process down. It's a pain in the rear but others are doing it. Sign up for that listserv and start asking the been-theres, done-thats.


Alex Alborzfard wrote:


What is the largest environment WSUS can be deployed effectively? At 
what point you’re better off going with something like Shavlik or 
Patchlink?


What do they give you that WSUS doesn’t?

We’re trying to put in place a patch management solution for a company 
that’s midsize (~1700 users), but with offices scattered all over the 
world.


But we’re not sure how to architect the whole thing (how many servers, 
layers, and where-what’s the cutoff point:bandwidth, # of users?-).


The other issue is the industry we’re in: healthcare. We’re constantly 
audited and for every single task we have to test, write validation 
and justification.


So we’re not sure how can we do this, with so many patches MS puts out 
every Tuesday, without going insane! And this is just for desktops; 
servers are


a whole different ball of wax.

Anybody out there had to deal with similar issues?

Alex



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Brian Desmond

*Sent:* Monday, September 11, 2006 9:34 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Management Solutions

*I use WSUS for patching in some decent size places. My strategy has 
been to combine a variety of free products into a single system – I’ve 
gotten good at it and I’ve also written glue when I need to. My 
overall feeling is that I get more flexibility just gluing things 
together than with a single baked product. *


*Thanks,*

*Brian Desmond*

[EMAIL PROTECTED]

*c - 312.731.3132*

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Robert 
Rutherford

*Sent:* Monday, September 11, 2006 6:31 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Management Solutions

I agree with Brian that Ghost does tend to be the front runner for 
imaging (IMHO).. I’ve tested and used many but Ghost is a mature 
project which does what it says on the tin. You’ll be surprised how 
forgiving it is and how much you can do with varying software and 
hardware with a little work.


In terms of helpdesk… well it’s a minefield and a road of I have 
travelled many times. I have actually found that most of the time it’s 
actually easier to get a dev guy to come in and build a system which 
actually meets your requirements. I have found this to be cheaper 
(most of the time) in the larger organisations as every organisation 
has different SLA’s, contracts, processes, methods, etc.


I just recommend going onto sourceforge.net and typing ‘helpdesk’ 
initially. This should get you going and you may find something that 
suits your needs or something you can amend to fit. Yes, you can go 
for the bigger boys, i.e. Hornbill but you’ll pay for it….. have a 
sniff around and see what fits your requirements.


In terms of patch deployment… I do like Patchlink. It will give you 
patch deployment across most applications with good reporting. You 
also get software and hardware inventory included in the price.


Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
W: www.quostar.com http://www.quostar.com



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Brian Desmond

*Sent:* 11 September 2006 20:26
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Management Solutions

*I have a lot of experience using Ghost for all of that but helpdesk. 
Helpdesk I have worked with Peregrine (will empty your check book & 
very complex), TrackIt (kind of basic but folks seem to like it), and 
customized free open source package called Liberum (so far my favorite). *


*Thanks,*

*Brian Desmond*

[EMAIL PROTECTED]

*c - 312.731.3132*

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Alan J. Gendron

*Sent:* Monday, September 11, 2006 3:16 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] OT: Management Solutions

I would love some feedback from those that actually use some of these 
products. We initially started looking at a Helpdesk solution. It has 
now evolved into an asset management, OS deployment, patch management 
and license compliance package. I can’t tell you whether it’s evolved 
to this because the package we are looking at has it or because it was 
decided we could use the additional functionality. The current 
front-runner is Altiris. Could anyone provide some helpful insight 
into this package or a comparable solution we could look at? If 

Re: [ActiveDir] OT: Management Solutions

2006-09-13 Thread Albert Duro
I think the 'space' question is for OP, but just to make sure: small -- 3 
DCs, 80 workstations, 100 users 



- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, September 12, 2006 7:43 PM
Subject: Re: [ActiveDir] OT: Management Solutions



How big of space?
Not sure what size you are but down here we're Level Platforms, Kasaya, 
HoundDog, the brand new SCE beta (just opened Friday from Microsoft), but 
like one of the guys at the SBS summit just recently said... the tool is 
irrelevant sometimes.. it's the process that counts.


Albert Duro wrote:
I do not recommend Altiris.  At first it was great, except for the 
incomprehensible report generator.  Gradually, weaknesses and annoyances 
started cropping up, and then the death blow: a major upgrade that 
destroyed itself, the previous installation, and nearly destroyed the 
server.   So you go to Altiris support, right?  Wrong.  They don't 
listen.  And they don't talk, unless you fork over gold for every word.
 I've been spending the past year eradicating Altiris from my 
workstations, and there was another nasty surprise.  It's as hard to get 
rid of as the worst spyware.  You uninstall it, but it's still there, 
stealthy-like.  So you kill the service.  But it's still there!  Then you 
go into the registry and rip it out of the Run Key.  I'm still not sure 
if that does it.
 Anyway, as James Blair indicated in his excellent recommendations, 
Microsoft and others have vastly improved their offerings in the tasks 
that Altiris is supposed to perform.


- Original Message -
*From:* Alan J. Gendron
*To:* ActiveDir@mail.activedir.org
*Sent:* Monday, September 11, 2006 12:16 PM
*Subject:* [ActiveDir] OT: Management Solutions

I would love some feedback from those that actually use some of
these products.  We initially started looking at a Helpdesk
solution.  It has now evolved into an asset management, OS
deployment, patch management and license compliance package.  I
can’t tell you whether it’s evolved to this because the package we
are looking at has it or because it was decided we could use the
additional functionality.  The current front-runner is Altiris. Could 
anyone provide some helpful insight into this package or a

comparable solution we could look at?  If we’re going to spend the
money, I’d like to see us spend it wisely.  Thank you in advance.


Alan

*/Alan J. Gendron/*

Senior Network Specialist

Lutheran Church Extension Fund

Sunset Corporate Center

10733 Sunset Office Drive

St. Louis, MO 63127-1219

314.885.6596





RE: [ActiveDir] Adding another domain via VPN

2006-09-13 Thread Jamison Roderick
Yes, you can. Hope this link helps.

http://support.microsoft.com/default.aspx?scid=kb;en-us;295582


Thank you,
Jamison Roderick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson
Sent: Wednesday, September 13, 2006 7:23 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding another domain via VPN

Good Morning,
We are a small company with 2 locations and 2 different AD
domains.  At the remote location they have 1 W2K server and 25 users.
They are connected to us via a dedicated VPN so that they can access our
iSeries.  Here we have a soon to be Windows 2003 domain with 5 servers
and 40 users.

We would like to join the two domains together over the VPN with
our domain staying the forest root.  

Is this possible and if so can someone point to the best write up on how
to do it, as I would rather learn how to do it rather than taking someone's
time to explain it and walk me through. It's the old teach a man to fish
thing.

Thanks in advance

Bob Anderson
IT Guy
Kent Sporting Goods
433 Park Ave. S
New London OH 44851
419-929-7021 x315
email: [EMAIL PROTECTED]
 
  


[ActiveDir] DFS - Null Server-Reference Attributes

2006-09-13 Thread james . masters








Hello, All.



I'm pretty sure that I'm experiencing the Null Server-Reference Attributes issue as described in http://support.microsoft.com/default.aspx?scid=kb;EN-US;312862

My problem: I'm hitting a wall right out of the gate: "In LDP or ADSIedit, copy the DN path of the NTDS Settings object from the Configuration container in the root domain of the forest to Clipboard."

I'm using ADSIedit, but I can't find the object the article is asking me to copy.



Any help would be appreciated, as always.



-James








Re: [ActiveDir] Handling different schemas - managing & maintaining updates

2006-09-13 Thread Paul Williams



You know ITIL. It's all guidelines 
and advice, etc. It's not hands on processes for you (or if it is, I slept 
through all that).

We obviously have a structured process for 
testing additions. My question is more around technically implementing 
such a process, with minimal intervention, around a whole bunch of schemas, i.e. 
would you look at implementing some sort of comparison and export, e.g. schema 
analyser from ADAM R2 or a bespoke script that achieves the same 
thing?

Good to see you are thinking along the 
same lines as me with the default base, but are you suggesting different streams 
of schema if and when changes occur in different forests? I don't like 
that (at the moment, I might be persuaded otherwise). It will also cause 
considerable, additional effort in testing new extensions for more than one 
schema, as there'll be different objects in each.


--Paul

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Wednesday, September 13, 2006 2:37 
  PM
  Subject: RE: [ActiveDir] Handling different schemas - managing & maintaining updates
  
  Without wishing to appear facetious :)- I would 
  suggest if the company follows ITIL practices then they already have a change 
  mgmt and config mgmt process and/or system which helps achieve your 
  goal.
  
  As 
  far as best practices are concerned, I would aim for a 'core' schema config 
  which is present in all instances of ADAM or AD schemas but manage differences 
  via the ITIL framework (mentioned above).
  
  neil
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: 13 September 2006 10:39
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Handling different schemas - managing & maintaining updates
  
  I can't get too specific about the 
  requirements, so please don't ask ;-)
  
  I'm looking for your ideas, opinions and 
  experience on how you maintain different sets of schemas for different forests 
  that you manage (for the same customer).
  
  Basically, consider this: you have an 
  internal domain (single domain forest) and another (or several) single domain 
  forest(s) in a DMZ. They might have Exchange and one or two other 
  directory-enabled apps that extend the schema, and you have your own 
  standard/default schema. 
  
  Do you see any security implications in 
  having the same schema in the DMZ-type networks as that of the internal 
  domain? And if not, how do you manage updates and 
  testing, etc?
  
  I might have several single domain 
  forests. Internal ones, and several of these DMZ based domains. 
  It's not really a DMZ, but is a different network and is considered external 
  to the internal domain(s). This is for a number of interoperability 
  apps, and no we can't use ADAM or equivalent. We're using plenty of 
  ADAM.
  
  The main thing I'm interested in here is, as 
  mentioned above, if you were happy to have a consistent schema, how do you 
  maintain that? Would you use a script to compare and export differences, 
  etc.?
  
  Or, would you recommend against having a 
  standard schema? I can't see why anyone would recommend against this 
  unless there's a major security concern I've overlooked as it will greatly 
  complicate future extensions, but I'm interested nonetheless.
  
  Please assume a large enterprise 
  environment that follows ITIL and has a proper test environment, e.g. ADAM 
  -> VM -> Dev -> Pre-prod -> Live.
  
  Thanks,
  
  
  --Paul
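Paul asks above whether a comparison-and-export script would do the job of the ADAM schema analyser, and later in this thread Joe Kaplan suggests keeping custom schema as LDIF under source control. The following Python script is an added example written for this page; it is not code from the list, from Microsoft or from ADSchemaAnalyzer. The two LDIF exports it compares are constructed samples with invented names, OIDs and forest DNs (corp-EmployeeBadge, corp-Person, corp-CostCenter, DC=corp / DC=dmz). It parses LDIF (unfolding continuation lines), keys entries on lDAPDisplayName so that forest-specific DNs do not show up as differences, reports entries missing from the target forest and attribute-level drift in shared entries, and emits a changetype: add LDIF fragment for the missing entries rebased onto the target schema NC.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample exports (not real schema dumps): names, OIDs and the
# forest DNs (DC=corp / DC=dmz) are invented, and only the attributes needed
# for the comparison are included.
BASELINE_LDIF = """\
dn: CN=corp-EmployeeBadge,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: attributeSchema
cn: corp-EmployeeBadge
lDAPDisplayName: corp-EmployeeBadge
attributeID: 1.2.840.113556.1.8000.9999.1.1
attributeSyntax: 2.5.5.12
searchFlags: 1

dn: CN=corp-Person,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: classSchema
cn: corp-Person
lDAPDisplayName: corp-Person
governsID: 1.2.840.113556.1.8000.9999.2.1
mayContain: corp-EmployeeBadge
mayContain: corp-CostCenter

dn: CN=corp-CostCenter,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: attributeSchema
cn: corp-CostCenter
lDAPDisplayName: corp-CostCenter
attributeID: 1.2.840.113556.1.8000.9999.1.2
attributeSyntax: 2.5.5.12
"""

DMZ_LDIF = """\
dn: CN=corp-EmployeeBadge,CN=Schema,CN=Configuration,DC=dmz,DC=example
objectClass: attributeSchema
cn: corp-EmployeeBadge
lDAPDisplayName: corp-EmployeeBadge
attributeID: 1.2.840.113556.1.8000.9999.1.1
attributeSyntax: 2.5.5.12
searchFlags: 0

dn: CN=corp-Person,CN=Schema,CN=Configuration,DC=dmz,DC=example
objectClass: classSchema
cn: corp-Person
lDAPDisplayName: corp-Person
governsID: 1.2.840.113556.1.8000.9999.2.1
mayContain: corp-EmployeeBadge
"""

# dn differs per forest and changetype is a directive, not schema content.
IGNORED = {"dn", "changetype"}


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """LDIF -> {lDAPDisplayName: {attr: [values]}}; keyed on lDAPDisplayName
    rather than dn so the same object in two forests compares equal."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]               # unfold LDIF continuation
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs: Dict[str, List[str]] = {}
        for line in lines:
            name, _, value = line.partition(":")
            # 'attr:: ...' (base64) is kept verbatim; it still diffs correctly
            attrs.setdefault(name.strip(), []).append(value.lstrip(":").strip())
        entries[attrs["lDAPDisplayName"][0]] = {
            k: v for k, v in attrs.items() if k not in IGNORED}
    return entries


def diff_schemas(baseline: str, target: str):
    """Return (missing_in_target, extra_in_target, changed); changed maps
    lDAPDisplayName -> {attr: (baseline_values, target_values)}."""
    base, tgt = parse_ldif(baseline), parse_ldif(target)
    missing = sorted(set(base) - set(tgt))
    extra = sorted(set(tgt) - set(base))
    changed: Dict[str, Dict[str, Tuple[List[str], List[str]]]] = {}
    for name in sorted(set(base) & set(tgt)):
        deltas = {}
        for attr in sorted(set(base[name]) | set(tgt[name])):
            # multi-valued attributes (mayContain etc.) are compared order-free
            b, t = sorted(base[name].get(attr, [])), sorted(tgt[name].get(attr, []))
            if b != t:
                deltas[attr] = (b, t)
        if deltas:
            changed[name] = deltas
    return missing, extra, changed


def export_missing(baseline: str, target: str, target_schema_nc: str) -> str:
    """'changetype: add' LDIF for baseline entries absent from the target,
    rebased onto the target forest's schema NC for review and ldifde -i."""
    base = parse_ldif(baseline)
    out: List[str] = []
    for name in diff_schemas(baseline, target)[0]:
        out.append(f"dn: CN={base[name]['cn'][0]},{target_schema_nc}")
        out.append("changetype: add")
        out.extend(f"{attr}: {v}" for attr, values in base[name].items() for v in values)
        out.append("")
    return "\n".join(out)
```

The generated fragment is the review artifact: commit it next to the per-forest exports, diff it against the last known-good one, and push it through the ADAM / VM / Dev / Pre-prod stages before `ldifde -i -f delta.ldf` on the next environment. Attribute drift in shared entries (a different searchFlags, a mayContain value missing) is only reported, not turned into a modify, because several schema attributes (attributeID, attributeSyntax, governsID) cannot be changed after creation and such drift needs a human decision.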
  

RE: [ActiveDir] DFS - Null Server-Reference Attributes

2006-09-13 Thread james . masters








I have found the path to the NTDS Settings
object. Please let me share the problem we are having with you, if anyone has any
ideas or experience with this, please share.



For some time now, we have been receiving 13508 errors in the
event logs between ServerA and ServerB. Coincidentally, both servers
participate in DFS. I've traced the problem back to a possible null
server-reference in AD. Below is the output of ntfrsutl ds:



MEMBER: {5EC47DD8-C518-4D90-A424-3417F7592647}
   DN : cn={5ec47dd8-c518-4d90-a424-3417f7592647},cn=service_id|service_id,cn=service_id,cn=dfs volumes,cn=file replication service,cn=system,dc=domain,dc=com
   Guid : 7328d3a9-bf4c-4991-abdfc70835888de6
   Server Ref : (null)
   Computer Ref : (null)
   WhenCreated : 12/31/2003 13:1:53 Eastern Standard Time Eastern Daylight Time [300]
   WhenChanged : 10/12/2005 17:10:2 Eastern Standard Time Eastern Daylight Time [300]

   CXTION: {1D2056BA-7638-40D8-AB8F-4424B562637E}
      DN : cn={1d2056ba-7638-40d8-ab8f-4424b562637e},cn={5ec47dd8-c518-4d90-a424-3417f7592647},cn=DFSServer1|service_id,cn=DFSServer1,cn=dfs volumes,cn=file replication service,cn=system,dc=domain,dc=com
      Guid : 3b10787d-66b5-49db-b675b4463a28feae
      Partner Dn : cn={1d2056ba-7638-40d8-ab8f-4424b562637e},cn=DFSServer1|service_id,cn=service_id,cn=dfs volumes,cn=file replication service,cn=system,dc=domain,dc=com
      Partner Rdn : {1D2056BA-7638-40D8-AB8F-4424B562637E}
      Enabled : TRUE
      WhenCreated : 12/31/2003 13:1:53 Eastern Standard Time Eastern Daylight Time [300]
      WhenChanged : 10/12/2005 17:10:2 Eastern Standard Time Eastern Daylight Time [300]
      Options : 0x7000 [0x7000 ]



I stumbled across the following Microsoft KB 312862 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;312862)
article explaining how to resolve
this but I wanted to run this by you and get your thoughts on it. 



Has anyone heard of this happening before and do you think this
would resolve it? 



Basically, FRS is broken between the two servers due to this.
I've verified DNS resolution is working.





Thanks,

James
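The following Python script is an added example for this thread, not part of James's post or of KB 312862: it parses the `ntfrsutl ds` listing format shown above and reports every replica-set member whose Server Ref or Computer Ref comes back as (null), which is the condition the KB article describes. The embedded input is a constructed sample that copies the shape of the posted member record and adds an invented healthy member (its reference DNs are placeholders); in practice you would capture `ntfrsutl ds > frs.txt` on each server and pass the file as the first argument.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the ntfrsutl ds listing quoted in the
# thread: the first member mirrors the posted record (null references), the
# second is an invented healthy member whose reference DNs are placeholders.
SAMPLE_NTFRSUTL_DS = """\
MEMBER: {5EC47DD8-C518-4D90-A424-3417F7592647}
   DN : cn={5ec47dd8-c518-4d90-a424-3417f7592647},cn=service_id|service_id,cn=service_id,cn=dfs
volumes,cn=file replication service,cn=system,dc=domain,dc=com
   Guid : 7328d3a9-bf4c-4991-abdf-c70835888de6
   Server Ref : (null)
   Computer Ref : (null)
   WhenCreated : 12/31/2003 13:1:53 Eastern Standard Time Eastern Daylight
Time [300]
   CXTION: {1D2056BA-7638-40D8-AB8F-4424B562637E}
      DN : cn={1d2056ba-7638-40d8-ab8f-4424b562637e},cn={5ec47dd8-c518-4d90-a424-3417f7592647},cn=DFSServer1|service_id,cn=DFSServer1,cn=dfs
volumes,cn=file replication service,cn=system,dc=domain,dc=com
      Enabled : TRUE
MEMBER: {0A1B2C3D-0000-4000-8000-000000000002}
   DN : cn={0a1b2c3d-0000-4000-8000-000000000002},cn=DFSServer1|service_id,cn=service_id,cn=dfs
volumes,cn=file replication service,cn=system,dc=domain,dc=com
   Guid : 0a1b2c3d-0000-4000-8000-000000000002
   Server Ref : cn=dfsserver1,cn=servers,cn=site1,cn=sites,cn=configuration,dc=domain,dc=com
   Computer Ref : cn=dfsserver1,ou=servers,dc=domain,dc=com
"""

MEMBER_RE = re.compile(r"^\s*MEMBER:\s*(\{[0-9A-Fa-f-]+\})")
CXTION_RE = re.compile(r"^\s*CXTION:")
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
# The two reference attributes KB 312862 says must not be null on a member.
REFERENCE_KEYS = ("Server Ref", "Computer Ref")


def parse_members(text: str) -> List[Dict[str, str]]:
    """Return one dict of attributes per MEMBER block in an ntfrsutl ds listing.

    CXTION (connection) blocks nested under a member are skipped. A line that
    is neither a block header nor 'key : value' is treated as the wrapped
    continuation of the previous value, which is how the long DNs and the
    time stamps appear in the posted output.
    """
    members: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    in_cxtion = False
    last_key = None
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            current = {"member": m.group(1)}
            members.append(current)
            in_cxtion, last_key = False, None
            continue
        if CXTION_RE.match(line):
            in_cxtion, last_key = True, None
            continue
        if in_cxtion or not current:
            continue
        kv = KV_RE.match(line)
        if kv:
            last_key = kv.group(1).strip()
            current[last_key] = kv.group(2).strip()
        elif last_key and line.strip():
            current[last_key] += " " + line.strip()   # re-join a wrapped value
    return members


def find_null_references(text: str) -> List[Tuple[str, List[str]]]:
    """(member GUID, [reference attributes reported as (null) or absent])
    for every member that has at least one missing reference."""
    broken: List[Tuple[str, List[str]]] = []
    for member in parse_members(text):
        missing = [k for k in REFERENCE_KEYS
                   if member.get(k, "(null)").lower() in ("(null)", "")]
        if missing:
            broken.append((member["member"], missing))
    return broken


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            listing = fh.read()
    else:
        listing = SAMPLE_NTFRSUTL_DS
    for guid, missing in find_null_references(listing):
        print(f"{guid}: {' and '.join(missing)} reported as (null)")
```

Only member objects are checked; the CXTION blocks are skipped because the null-reference symptom in the KB is on the member's serverReference / frsComputerReference, not on the connection objects. Run it against the listing from each DFS member and compare: a member that shows (null) on one server but a DN on another points at replication of the FRS objects themselves, not just at the missing values.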








Re: [ActiveDir] OT: Management Solutions

2006-09-13 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
That's not small to me :-)  That's just right above the SBS space but 
the ones I listed are still valid.


Honestly down here we've not yet found the 'silver bullet' and like most 
say, the tool is irrelevant ..it's the process.  We're still having to 
fill the gaps because there's not a single one that does the process we 
need.


([EMAIL PROTECTED] is one of the communities that are 
struggling with this right now)







--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] OT: Management Solutions

2006-09-13 Thread Akomolafe, Deji



At what point you're better off going with something like Shavlik or Patchlink?

For a 1700 users environment, WSUS will do.

What do they give you that WSUS doesn't?
They do give you some bells and whistles, but you will have to download a trial version of each, install them and compare. Then you ask, do you NEED all the other things the other products give you, and is it worth the money you have to pay for those other things? Or, do you like free, even if you have to do some work?



But we're not sure how to architect the whole thing (how many servers, layers, and where - what's the cutoff point: bandwidth, # of users?).
It's difficult to sit here and answer this query for you. It depends on your environment, structure, policies, etc.


So we're not sure how can we do this, with so many patches MS puts out every Tuesday
You mean every second Tuesday of every month? That too much for you?

without going insane! 
Since you are in healthcare, this should not be an issue, right? I mean, going insane is par for the course for any sys admin, but you are surrounded by healthcare professionals, so you are in good hands :)


Anybody out there had to deal with similar issues?
Yes. Believe it or not, you are not alone. Nobody is out to get you. We all have to go through similar things.


Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



[ActiveDir] Block Inheritance on DC OU

2006-09-13 Thread WATSON, BEN








The company I am currently working for has block
inheritance enabled for the Domain Controllers OU and apparently whoever
enabled this setting is no longer with the company (or they won't fess up
to why they did this).



Although I am curious, what sort of ramifications does
enabling block inheritance on the Domain Controllers OU
pose? And what reason would you have to enable this setting on the Domain
Controllers OU? With any other OU, it would be fairly obvious, but
being that these are the Domain Controllers it would seem to be a unique
situation.



Thanks as always for your input,

~Ben








Re: [ActiveDir] OT: Management Solutions

2006-09-13 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Shavlik/Patchlink means I can in a GUI window patch right NOW

WSUS means I have to approve the patch, figure out how to see if I can 
shove it out faster if I need to, yadda yadda


Third party patch programs also patch things other than MS (Java, Flash 
and Quicktime all have vulnerable software in your network ... and I'll 
bet many of you haven't even patched Acrobat either)


Patch or mitigate. Your choice. For me I patch because that's the 
process I have a better handle on (Shavlik here)


This month is pretty tame as far as patching goes for the new patches, 
we've got two from the past that are the troublemakers.




RE: [ActiveDir] Block Inheritance on DC OU

2006-09-13 Thread Darren Mar-Elia



Well, the obvious effect is that it prevents domain-linked 
policies from being delivered correctly, including password policy. This is 
probably not desirable. I can't think of a good scenario where this would be 
useful. 

Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU


The company I am currently working for has block inheritance enabled for the Domain Controllers OU, and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this).

Although I am curious, what sort of ramifications does 
enabling block inheritance on the Domain Controllers OU pose? And what 
reason would you have to enable this setting on the Domain Controllers 
OU? With any other OU, it would be fairly obvious, but being that these 
are the Domain Controllers it would seem to be a unique 
situation.

Thanks as always for your input,
~Ben
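
To see what Darren describes on a live domain, here is an added PowerShell example (not from the list thread) that reports every OU with Block Inheritance set and, for the Domain Controllers OU, which domain-linked GPOs still reach it; it assumes the RSAT GroupPolicy and ActiveDirectory modules and an account with read access to the domain.

```powershell
# Added example, not from the thread. Reports OUs that block GPO inheritance
# and shows what the Domain Controllers OU would still receive.
# Assumes RSAT (GroupPolicy + ActiveDirectory modules) on a domain-joined host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # "OU=Domain Controllers,DC=..."

# 1. Every OU with "Block Inheritance" set. The DC OU should normally not be here.
$blocked = Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
    Where-Object { $_.GpoInheritanceBlocked }

foreach ($ou in $blocked) {
    Write-Output ("Block Inheritance is ON for: {0}" -f $ou.Path)
}

# 2. Focus on the Domain Controllers OU. Block Inheritance stops every GPO
#    linked above it (domain level, i.e. the Default Domain Policy that carries
#    the password and lockout settings) unless that link is marked Enforced.
$dcInh = Get-GPInheritance -Target $dcOu
if ($dcInh.GpoInheritanceBlocked) {
    Write-Warning "The Domain Controllers OU blocks inheritance."
    $domainLinks = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
    foreach ($link in $domainLinks) {
        $state = if ($link.Enforced) { 'still applied (Enforced)' } else { 'BLOCKED' }
        Write-Output ("  domain-level GPO '{0}': {1}" -f $link.DisplayName, $state)
    }
}

# 3. What the DCs actually receive after blocking: the effective, ordered link list.
foreach ($link in $dcInh.InheritedGpoLinks) {
    Write-Output ("  effective on DCs: {0} (order {1})" -f $link.DisplayName, $link.Order)
}
```

If the Default Domain Policy is missing from the effective list in step 3, the DCs are not getting the domain password policy, which is exactly the effect Darren warns about.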


Re: [ActiveDir] Handling different schemas - managing maintaining updates

2006-09-13 Thread Joe Kaplan
I like this advice as well.  In terms of some of the nuts and bolts of how 
one might do this, as a software guy, I'm a huge proponent of source code 
control/configuration management systems and simple, text-based file formats 
for the stuff you stick in your source repository.  As such,  I believe LDIF 
files are the one true way to maintain your custom schema stuff.


The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful 
tool for doing a lot of the compare and extract work here.


Joe K.

- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 13, 2006 8:37 AM
Subject: RE: [ActiveDir] Handling different schemas - managing maintaining updates



Without wishing to appear facetious :) - I would suggest if the company 
follows ITIL practices then they already have a change mgmt and config mgmt 
process and/or system which helps achieve your goal.


As far as best practices are concerned, I would aim for a 'core' schema 
config which is present in all instances of ADAM or AD schemas but manage 
differences via the ITIL framework (mentioned above).


neil



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-13 Thread Ravi Dogra

No, laptop users are getting IP addresses from my VPN box, and when they are on site it's DHCP.

On the machines the "Register in DNS" option is checked, hence the machines are attempting to register their own records in DNS, although I have made my LAN DHCP register only its clients in DNS.

Credentials used are obviously my Administrator account.

But Al,

The issue we had is that laptop users are using LAN DHCP as well as using a VPN connection from home. Both are getting registered in my DNS with different IPs, which is obvious. But the thing is, SOPHOS gave us this as one of the reasons for my laptop machines not showing in Sophos Enterprise Console, because it uses DNS to build the existing machines list.

Now everything is working fine and this reason was totally not applicable.

But still there are other machines which are only in our network, using only my LAN DHCP, and are not showing up in EC.

Sophos Support team is working on this.

Thanks and Regards
Ravi Dogra

On 9/13/06, Al Mulnick [EMAIL PROTECTED] wrote:

I swear this is the last question and then I'll make a suggestion. :)

Is the DHCP server that the remote clients are getting their ip addr's from
the same as the one that you are using for lan connected clients? You are
obviously allowing the user's machine to update it's own records, but is
that consistent or is the DHCP server on the lan registering the records for
you possibly under a different set of credentials or in a different zone?






On 9/11/06, Ravi Dogra [EMAIL PROTECTED] wrote:
 yes its correct.

 No we have mobile users..

 On 9/11/06, Al Mulnick [EMAIL PROTECTED] wrote:
  Besides the obvious of telling Sophos to adjust their management to deal
  with this, here's what I understand of your problem to date.
 
  VPN clients that are also trusted network clients (i.e. mobile users
that
  traverse both trusted and non-trusted networks can end up with seemingly
  duplicate entries for the same device but different ip addresses. This
  confuses some antivirus management applications and presumably some
  management applications such as SMS or similar class of app, that rely
on
  reverse name resolution.
 
  Is that correct?
 
  Do you have workers that are remote-based only?
 
  Al
 
 
 
  On 9/8/06, Ravi Dogra  [EMAIL PROTECTED] wrote:
   According to Sophos Support if one host has 2 DNS Entries, Sophos
   Enterprise Manager might not be able to detect this Host and auto
   update will also dont work.
  
   As you know jolly;- We are in process of migration from Trend to
   Sophos as our Antivirus Solution.
  
   Working on a solution will update soon.
  
   Thanks
   Ravi Dogra
  
   On 9/8/06, Jaspreet Singh [EMAIL PROTECTED] wrote:
   
Ravi,
As Rob said, If your VPN box is forwarding requests to your internal
  network
the your DNS will automatically update the records according to the
new
  IP
which in your case is x.x.5.x.
   
Can you explain exactly what is the problem that you are facing due
to
  this?
   
Regards,
Jaspreet Singh Jolly
   
   
   
On 9/7/06, Al Mulnick  [EMAIL PROTECTED] wrote:


 1. I Didnt understand what exactly u r asking?
 2. Yes DHCP Is configured properly.


 That's not what I asked.  I asked if it's updating the records for
the
device or is it letting the devices update their own?



 Al




 On 9/6/06, Ravi Dogra  [EMAIL PROTECTED]  wrote:

  1. I Didnt understand what exactly u r asking?
  2. Yes DHCP Is configured properly.
  3. Yes it is running on DC
  4. No, not running any other credential.
  5. VPN Machine is entirely a different BOX on other site.
  6. It doesnt register in my DNS. (Will extract other information
  from
  Site B Admin)
 
  update you very soon...
 
  Thanks
  RD
 



   
   
   
--
Regards,
Jaspreet Singh Jolly
  
  
   --
   Ravi Dogra
   9899647200
   This e-mail, together with any attachments, is confidential. It may be
   read, copied and used only by the intended recipient. If you have
   received it in error, please notify the sender immediately by e-mail
   or telephone. Please then delete it from your computer without making
   any copies or disclosing it to any other person.
  
 
 



Re: [ActiveDir] Isolating a DC

2006-09-13 Thread Matt Hargraves
Yeah, I didn't mean to sound so negative, it just seems like isolating by site (which is a logical, not physical barrier) is a more holistic solution which provides the isolation required, while allowing the DCs to continue to potentially (in an emergency situation) perform the duties of user authentication without having to change anything.

The IPSec solution just seems like serious overkill that's unnecessary.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:


I thought his original request was to make sure that no other client talks to the isolated server except those permitted.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: Matt Hargraves
Sent: Wed 9/13/2006 7:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment. 
BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites, only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also. 
Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients to be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting a IP filter on these boxes. If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than OMG, a (gasp) *user* authenticated against my application DC. 

On 9/13/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

Thanks to all for the responses.

This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a "keep it simple" perspective.

Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the ipsec isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:
> I highly recommend that you read
> http://www.windowsitpro.com/articles/print.cfm?articleid=37935
> Then, as a fall-back option, look for the isolation using IPSec
> whitepapers on Microsoft site. I can't find them now, but I know that
> they exist. They show you how to restrict communication with a specific
> server or network using IPSec.

I think what you're referring to is the excellent Server and Domain Isolation using IPSec content, at:

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech Windows Users Group:

http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also "Using IPSec to Lock Down a Server" from technet..

http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.

--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org/
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk/ ~ http://www.security-forums.com/
ca: https://www.cacert.org/index.php?id=3




Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-13 Thread Al Mulnick
Sounds like reverse DNS is not the only reason that Sophos isn't working then. As for those that are remote, consider removing that 'register in DNS' from the VPN adapter (not the NIC necessarily, but the VPN adapter, depending on the manufacturer).

Since this doesn't seem to be your root problem any longer, I suspect the priority has dropped? If your DHCP server is running under your credentials you may want to reconsider that. That causes the ownership of the records it creates to be set to the account DHCP runs under. That means that the machine accounts won't be able to de-register their own IP address records later. Since the remotely connected users are using a different DHCP server, this would also inevitably result in orphaned records in most cases.

There's a KB somewhere that talks about the trade-offs etc. If you need it I may be able to find it. Your remote users don't really need to register their addresses from the sound of it. They can wait until they are back on the LAN to get whatever management is needed, most likely. Consider blocking the registration completely for those users. It might also be a way for you to get what you need out of the configuration. I suspect this won't be necessary though, if you're getting Sophos to fix their issues.
Al

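A check for the two DNS problems discussed in this thread, a laptop with both a LAN and a VPN A record, and records owned by an admin or service account rather than the machine itself: this is an added PowerShell example, not code from the list, and it assumes the DnsServer and ActiveDirectory modules, an AD-integrated zone stored in the DomainDnsZones partition, and placeholder names for the zone and DNS server.

```powershell
# Added example, not from the thread. Finds hosts with more than one A record
# and dynamic records whose owner is not a computer account.
# Assumes: DnsServer + ActiveDirectory modules; AD-integrated zone replicated to
# DomainDnsZones. $zone and $dnsServer are placeholders for your environment.
Import-Module DnsServer
Import-Module ActiveDirectory

$zone      = 'example.com'      # placeholder zone name
$dnsServer = 'dc1.example.com'  # placeholder DNS server

# 1. Hosts registered with two or more A records (LAN address + VPN address).
$records = Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone -RRType A |
    Where-Object { $_.HostName -ne '@' }

$dupes = $records | Group-Object HostName | Where-Object { $_.Count -gt 1 }

foreach ($g in $dupes) {
    Write-Output ("{0}: {1} A records" -f $g.Name, $g.Count)
    foreach ($r in $g.Group) {
        # Timestamp is $null for static records and set for dynamically registered
        # ones; the older dynamic record is the one that will linger until scavenged
        # (or stay orphaned if the account that owns it never updates it).
        $age = if ($r.Timestamp) { $r.Timestamp.ToString('u') } else { 'static' }
        Write-Output ("    {0}  registered: {1}" -f $r.RecordData.IPv4Address, $age)
    }
}

# 2. Record ownership (Al's point): a dynamic record is owned by whoever
#    registered it. If that is an admin or service account instead of the
#    machine account (HOST$), the machine cannot update or remove it later.
$domainDn = (Get-ADDomain).DistinguishedName
$zoneDn   = "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"   # assumed partition

Get-ADObject -SearchBase $zoneDn -LDAPFilter '(objectClass=dnsNode)' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $owner = $_.nTSecurityDescriptor.Owner        # e.g. "DOMAIN\laptop01$"
        if ($owner -notmatch '\$$') {                 # computer accounts end in '$'
            Write-Output ("{0} is owned by {1}, not a computer account" -f $_.Name, $owner)
        }
    }
```

Records created by the DNS server itself (the zone root and DC records) will legitimately show a non-machine owner, so read the second list with that in mind.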
Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-13 Thread Matt Hargraves
I'm not a huge DNS geek, so I'm not sure whether you can do this, but can't you just set the DHCP to have a short expiration (1 hour?) and it will unregister the 'old' entry for a machine? There would be a small amount of vulnerability, but it would go away after the client's reservation expires.

Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-13 Thread Al Mulnick
Personally, for a shop with more than 30 machines I wouldn't recommend this approach. DHCP half-life registrations would start to fly all over the place. That and the DHCP server is not registering for the remote users. 

RE: [ActiveDir] Isolating a DC

2006-09-13 Thread Lucas, Bryan








I should probably expand on my reasoning.

We have 5 DCs now with 2 of them in a separate physical location (same campus), so we do have plenty of redundancy and performance.

My issue is I have an account provisioning system that synchronizes various directories including AD. It generates a *ton* of entries in the Security Log. I also have some other apps/appliances that generate some logs as well. Our policy is to collect and archive all DC security logs. If I just don't collect the logs from that DC but I don't isolate it, then I can potentially miss legitimate security logs.

I worry that if I isolate it with IPSEC, what tells Exchange "don't ever try that DC again"? Seems like it would introduce delay while the application/user workstation learns that DC is unavailable.

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University












RE: [ActiveDir] Isolating a DC

2006-09-13 Thread Akomolafe, Deji



> I worry that if I isolate it with IPSEC, what tells Exchange don't ever try that DC again

You should read http://support.microsoft.com/kb/250570/ then.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Lucas, BryanSent: Wed 9/13/2006 12:31 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Isolating a DC


I should probably expand on my reasoning. 

We have 5 DCs now with 2 of them in a separate physical location (same campus) so we do have plenty of redundancy and performance. 

My issue is I have an account provisioning system that synchronizes various directories including AD. It generates a *ton* of entries in the Security Log. I also have some other apps/appliances that generate some logs as well. Our policy is to collect and archive all DC security logs. If I just dont collect the logs from that DC but I dont isolate it, then I can potentially miss legitimate security logs. 

I worry that if I isolate it with IPSEC, what tells Exchange don't ever try that DC again. Seems like it would introduce delay while the application/user workstation learns that DC is unavailable.

Thanks,


Bryan Lucas
Server Administrator
Texas Christian University




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment. BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites, only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also. Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients to be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting an IP filter on these boxes. If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than "OMG, a (gasp) *user* authenticated against my application DC".

On 9/13/06, Lucas, Bryan [EMAIL PROTECTED] wrote:
Thanks to all for the responses. This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a "keep it simple" perspective. Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the ipsec isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:
I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935 Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.

I think what you're referring to is the excellent "Server and Domain Isolation using IPSec" content, at:
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech Windows Users Group:
http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also "Using IPSec to Lock Down a Server" from technet..
http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.

--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org/
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk/ ~ http://www.security-forums.com/
ca: https://www.cacert.org/index.php?id=3

Re: [ActiveDir] Handling different schemas - managing & maintaining updates

2006-09-13 Thread Al Mulnick
Yep, the schema analyzer would be a good tool to have hold of. 

I have to ask though: is the goal to make this mish-mosh manageable by making it all the same (i.e. cookie-cutter?)
Or is there some other goal you're describing? 

I'm assuming that you want it to be the same across the enterprise to
make it more manageable. Often this is done so that a central team
can control it and/or so that people can implement workable IdM
systems. Realistically, such a system cannot be implemented
without some known similarities, so it makes sense.

I don't see any particular security related issues with schema entries
unless your schema gives away company secrets of some sort. It's just a
holder for the most part, and it's the data/information that it
contains that would be of value. Knowing that it may exist is of lesser
value, but is a risk that must be addressed. 

ITIL? Nice to have. Of course the term "trust, but verify" keeps
ringing in my head, but it's still nice to have such a process in use.

Al

On 9/13/06, Joe Kaplan [EMAIL PROTECTED] wrote:
I like this advice as well. In terms of some of the nuts and bolts of how one might do this, as a software guy, I'm a huge proponent of source code control/configuration management systems and simple, text-based file formats for the stuff you stick in your source repository. As such, I believe LDIF files are the one true way to maintain your custom schema stuff. The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful tool for doing a lot of the compare and extract work here.

Joe K.

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 13, 2006 8:37 AM
Subject: RE: [ActiveDir] Handling different schemas - managing & maintaining updates

Without wishing to appear facetious :) - I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal. As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above).

neil
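Joe's suggestion above is to keep the custom schema as LDIF in source control and use ADSchemaAnalyzer to compare instances against it. As an added example (not code from this thread, and not from ADSchemaAnalyzer), the Python below is a small LDIF parser and schema diff: it folds continuation lines, decodes `::` base64 values, and reports which schema objects one instance lacks, has extra, or has changed relative to a 'core' export, which is exactly the check Neil's "core schema present in every instance" policy needs. Both LDIF fragments are constructed sample data; the `contoso-*` attributes and `DC=example,DC=com` do not come from the thread.

```python
"""Diff an instance's LDIF schema export against a 'core' export.

Added example, not code from the thread or from ADSchemaAnalyzer. Parses
LDIF into {dn: {attribute: values}} and reports missing, extra and changed
schema objects. Both LDIF fragments below are constructed sample data.
"""
import base64
from typing import Dict, Tuple

Entry = Dict[str, Tuple[str, ...]]

# Constructed sample: the 'core' export every instance should match.
CORE_LDIF = """\
dn: CN=contoso-EmployeeID,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: contoso-EmployeeID
attributeSyntax: 2.5.5.12
searchFlags: 1

dn: CN=contoso-BadgeColor,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: contoso-BadgeColor
"""

# Constructed sample: one drifted ADAM instance. It includes a folded DN
# (continuation line) and a base64 value ('::'), as real exports do.
INSTANCE_LDIF = """\
# constructed export from one ADAM instance
dn: CN=contoso-EmployeeID,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: contoso-EmployeeID
attributeSyntax: 2.5.5.12
searchFlags: 9

dn: CN=contoso-CostCenter,CN=Schema,CN=Configuration,
 DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: contoso-CostCenter
adminDescription:: Q29zdCBjZW50ZXI=
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF into {dn: {attr: (value, ...)}}.

    Folds continuation lines (leading space), skips '#' comments and
    decodes 'attr:: <base64>' values. Attribute names keep their case.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of previous line
        else:
            logical.append(raw)

    entries: Dict[str, Entry] = {}
    current: Dict[str, list] = {}
    dn = None

    def flush() -> None:
        nonlocal current, dn
        if dn is not None:
            entries[dn] = {k: tuple(v) for k, v in current.items()}
        current, dn = {}, None

    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            flush()                         # blank line ends a record
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            flush()
            dn = value
        else:
            current.setdefault(attr, []).append(value)
    flush()
    return entries


def diff_schema(core: Dict[str, Entry], instance: Dict[str, Entry]) -> dict:
    """Report DNs missing from / extra in the instance, and changed attributes."""
    result = {"missing": [], "extra": [], "changed": {}}
    for dn in sorted(set(core) | set(instance)):
        if dn not in instance:
            result["missing"].append(dn)
        elif dn not in core:
            result["extra"].append(dn)
        else:
            changed = {a: (core[dn].get(a), instance[dn].get(a))
                       for a in sorted(set(core[dn]) | set(instance[dn]))
                       if core[dn].get(a) != instance[dn].get(a)}
            if changed:
                result["changed"][dn] = changed
    return result


def report(core_ldif: str, instance_ldif: str) -> dict:
    return diff_schema(parse_ldif(core_ldif), parse_ldif(instance_ldif))


if __name__ == "__main__":
    d = report(CORE_LDIF, INSTANCE_LDIF)
    for dn in d["missing"]:
        print("MISSING in instance:", dn)
    for dn in d["extra"]:
        print("EXTRA in instance:  ", dn)
    for dn, attrs in d["changed"].items():
        for attr, (a, b) in attrs.items():
            print(f"CHANGED {dn}: {attr} core={a} instance={b}")
```

Run it against two real exports by reading the files into the two strings; anything reported under "changed" or "extra" is the drift a change-management process should have a ticket for.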


Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Matt Hargraves
Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

And if you think about it they couldn't – if you have two DCs
running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be
different. 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From:
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt-

I don't think these accounts have well-known SIDs, so I'm not sure
that's going to help. You can easily verify using psgetsid from
Sysinternals. I checked a couple accounts here (though they were domain
accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: 
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO
settings. We have a set of servers within an OU where they require the
account to have rights on the local servers, call them Server1, Server2,
Server3. We obviously don't want to create the setting for IWAM_Server1,
IWAM_Server2, etc. I believe that this account has a common SID; if I simply
do a browse for the account on one machine, will it resolve to a SID and apply
the setting for all accounts, or is there another way to do this (like specifying
"Builtin\Administrator" would work for the builtin Administrator
account) no matter what the name happens to be on a local machine?
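The question in this thread is whether an IWAM_<server> account has a well-known SID that one GPO entry could name for every server. As an added example (not code from this thread, and not from psgetsid or any Microsoft tool), the Python below reads the `[Privilege Rights]` section of a security template in GptTmpl.inf syntax, where each user right such as SeInteractiveLogonRight ("Log on locally") lists its principals as `*SID`, and classifies every SID: well-known SIDs such as `S-1-5-32-544` (BUILTIN\Administrators) resolve identically on every machine, domain SIDs with a RID below 1000 such as `-500` (Administrator) mean the same thing in any domain, and a domain SID with a RID of 1000 or above names one created principal, which is what an IWAM_ or IUSR_ account is. The template text and the domain identifier `S-1-5-21-111-222-333` are constructed sample data.

```python
"""Classify the SIDs granted in a security template's [Privilege Rights].

Added example, not code from the thread or from psgetsid/GPMC. Reads
GptTmpl.inf style lines 'SeXxxRight = *SID,*SID' and sorts each SID into:
  well-known       identical on every machine (S-1-1-0, S-1-5-32-544, ...)
  domain-relative  RID < 1000, same meaning in any domain (-500 Administrator)
  specific         RID >= 1000, one created principal such as IWAM_<server>
The template and the domain identifier S-1-5-21-111-222-333 are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in GptTmpl.inf syntax; principals are written as *SID.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-111-222-333-500,*S-1-5-21-111-222-333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = *S-1-5-7
"""

# SIDs whose value is fixed on every Windows installation.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}
# Relative IDs below 1000 are reserved; only the domain prefix differs.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 515: "Domain Computers",
                   516: "Domain Controllers", 518: "Schema Admins",
                   519: "Enterprise Admins"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def classify_sid(token: str) -> Tuple[str, str]:
    """Return (kind, description) for one principal token from the template."""
    if not SID_RE.match(token):
        # Templates may also carry plain names; those resolve on the target.
        return "name", "account name, resolved on the target machine"
    if token in WELL_KNOWN:
        return "well-known", WELL_KNOWN[token]
    parts = token.split("-")
    if parts[2:4] == ["5", "32"]:
        # Any other BUILTIN alias (S-1-5-32-<rid>) is also machine-independent.
        return "well-known", f"BUILTIN alias RID {parts[4]}"
    # S-1-5-21-<d1>-<d2>-<d3>-<rid> is a domain (or local machine) SID.
    if parts[2:4] == ["5", "21"] and len(parts) == 8:
        rid = int(parts[7])
        if rid < 1000:
            return "domain-relative", WELL_KNOWN_RIDS.get(rid, f"reserved RID {rid}")
        return "specific", f"created principal, RID {rid}"
    return "specific", "unrecognised SID"


def parse_privilege_rights(template: str) -> Dict[str, List[str]]:
    """Return {privilege: [token, ...]} from the [Privilege Rights] section."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for line in template.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [t.strip().lstrip("*")
                                for t in value.split(",") if t.strip()]
    return rights


def non_portable_grants(template: str) -> Dict[str, List[str]]:
    """Grants that name one specific principal, keyed by privilege."""
    out: Dict[str, List[str]] = {}
    for priv, tokens in parse_privilege_rights(template).items():
        specific = [t for t in tokens if classify_sid(t)[0] == "specific"]
        if specific:
            out[priv] = specific
    return out


if __name__ == "__main__":
    for priv, tokens in parse_privilege_rights(SAMPLE_TEMPLATE).items():
        for t in tokens:
            kind, desc = classify_sid(t)
            print(f"{priv:32} {t:28} {kind:16} {desc}")
    print("re-create per server:", non_portable_grants(SAMPLE_TEMPLATE))
```

The `non_portable_grants` output is the list that has to be re-created for each server (or replaced by a domain group that the per-server accounts are made members of); every other entry in the template applies unchanged wherever the GPO is linked. A SID string reported by psgetsid, as Darren suggests, can be passed straight to `classify_sid`.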

RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Brian Desmond

No it wouldn't. Why are you giving an IWAM account access to a remote machine?

Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132


Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Matt Hargraves
We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Brian Desmond

On W2000 running OWA on a DC this was an issue … only case I know of. What are the issues you're having?



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132

Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Matt Hargraves
Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers; the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Akomolafe, Deji



Look at your default recipient policy. What's set there? Just curious.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-13 Thread Ravi Dogra

Al, this is not a priority for us now. Earlier I was unaware of our VPN
box settings; that's why I was a bit confused about why these machines
are registering their own records in my DNS.

Also I am not going to uncheck the Register in DNS check box on client
machines, as this is not required as of now.

I have already set the lease period as per our organizational requirement,
so again I will not make any change unless it is a must-do thing.

Al, I would surely want to have a look at the KB you referred to. If
possible, do me this favor.

Thanks for all your help!!!
Ravi Dogra

On 9/14/06, Al Mulnick [EMAIL PROTECTED] wrote:

Personally, for a shop with more than 30 machines I wouldn't recommend this
approach.  DHCP half-life registrations would start to fly all over the
place.  That and the DHCP server is not registering for the remote users.



On 9/13/06, Matt Hargraves [EMAIL PROTECTED] wrote:

 I'm not a huge DNS geek, so I'm not sure whether you can do this, but
can't you just set the DHCP to have a short expiration (1 hour?) and it will
unregister the 'old' entry for a machine?  There would be a small amount of
vulnerability, but it would go away after the client's reservation expires.




 On 9/13/06, Ravi Dogra  [EMAIL PROTECTED] wrote:
  No, Laptop Users are getting IP Addresses from my VPN Box and when
  they are on site it's DHCP.

  On machines the Register in DNS option is checked, hence machines are
  attempting to register their own records in DNS. Although I have made my
  LAN DHCP register only its Clients in DNS.

  Credentials used are obviously my Administrator Account.

  But Al,

  The Issue we had is laptop users are using LAN DHCP as well as using
  VPN Connection from home. Both are getting registered in My DNS with
  different IP. Which is obvious.
  But the thing is SOPHOS gave us this as one of the reasons for my
  laptop machines not showing in Sophos Enterprise Console because it
  uses DNS to build existing machines list.

  Now everything is working fine and this reason was totally not
  applicable.

  But still there are other machines which are only in our network using
  only my LAN DHCP and are not showing up in EC.

  Sophos Support team is working on this.

  Thanks and Regards
  Ravi Dogra
 
  On 9/13/06, Al Mulnick [EMAIL PROTECTED] wrote:
   I swear this is the last question and then I'll make a suggestion. :)
  
   Is the DHCP server that the remote clients are getting their ip addr's
from
   the same as the one that you are using for lan connected clients? You
are
   obviously allowing the user's machine to update its own records, but
is
   that consistent or is the DHCP server on the lan registering the
records for
   you possibly under a different set of credentials or in a different
zone?
  
  
  
  
  
  
   On 9/11/06, Ravi Dogra  [EMAIL PROTECTED] wrote:
Yes, it's correct.
   
No, we have mobile users.
   
On 9/11/06, Al Mulnick  [EMAIL PROTECTED] wrote:
 Besides the obvious of telling Sophos to adjust their management
to deal
 with this, here's what I understand of your problem to date.

 VPN clients that are also trusted network clients (i.e. mobile
users
   that
 traverse both trusted and non-trusted networks can end up with
seemingly
 duplicate entries for the same device but different ip addresses.
This
 confuses some antivirus management applications and presumably
some
 management applications such as SMS or similar class of app, that
rely
   on
 reverse name resolution.

 Is that correct?

 Do you have workers that are remote-based only?

 Al



 On 9/8/06, Ravi Dogra  [EMAIL PROTECTED] wrote:
  According to Sophos Support if one host has 2 DNS Entries,
Sophos
  Enterprise Manager might not be able to detect this Host and auto
  update will also not work.
 
  As you know jolly;- We are in process of migration from Trend to
  Sophos as our Antivirus Solution.
 
  Working on a solution will update soon.
 
  Thanks
  Ravi Dogra
 
  On 9/8/06, Jaspreet Singh  [EMAIL PROTECTED] wrote:
  
   Ravi,
   As Rob said, if your VPN box is forwarding requests to your internal
   network then your DNS will automatically update the records according
   to the new IP, which in your case is x.x.5.x.
  
   Can you explain exactly what is the problem that you are
facing due
   to
 this?
  
   Regards,
   Jaspreet Singh Jolly
  
  
  
   On 9/7/06, Al Mulnick  [EMAIL PROTECTED] wrote:
   
   
1. I didn't understand what exactly you are asking.
2. Yes DHCP Is configured properly.
   
   
That's not what I asked.  I asked if it's updating the
records for
   the
   device or is it letting the devices update their own?
   
   
   
Al
   
   
   
   
On 9/6/06, Ravi Dogra  [EMAIL