RE: [ActiveDir] Active Directory Cookbooks...

2006-09-16 Thread Richard Kline
Altering the subject a mite:
I've not yet purchased these books and so am not completely familiar
with the content...

Does anyone have a recommendation for AD programming using .NET?
VB is my personal poison of choice.

VBS would probably suffice for my anticipated needs but I do wish to get
more fully familiar with the .NET workings.

Thank you.

Richard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 15, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

If you mean you purchased Active Directory Second Edition... Ebay it and
just start reading the Third Edition, I made considerable changes
through it and not just for new stuff. The security and schema chapters
and most all of the scripts got massive work done to them to correct
issues, etc. 

Now if you mean you bought the AD Cookbook Second Edition, I would
actually recommend reading Active Directory Third Edition first, then
reading the cookbook as it will make more sense. Alternately, don't read
the cookbook and just treat it as a cookbook where when you need to do
something, you look up the recipe. 

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

I have just purchased the 2nd one and will be on to the 3rd one as soon
as I have finished that...

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



-Original Message-
From: "joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 15/09/2006 03:14 p.m.
To: ActiveDir
Subject: RE: [ActiveDir] Active Directory Cookbooks...



Actually I did the Active Directory Third Edition. The Active Directory
Cookbook is in the Second Edition now and that was done by Laura Hunter.
My book you can find in my signature, the Cookbook you can find at

http://www.amazon.com/gp/product/059610202X/ref=pd_cp_b_title/002-4991631-4870433?ie=UTF8


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

Hahaha, no worries, cheers for that. I'll just swim around the fish bowl
one more time... ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



-Original Message-
From: "David Adner" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 15/09/2006 02:21 p.m.
To: ActiveDir
Subject: RE: [ActiveDir] Active Directory Cookbooks...

RE: [ActiveDir] Active Directory Cookbooks...

2006-09-16 Thread Richard Kline
Please ignore this post:  I just read Joe's other note about
http://directoryprogramming.net/default.aspx

Sorry!   So much to read so little time...

Thanks! 

-Original Message-
From: Richard Kline 
Sent: Saturday, September 16, 2006 9:00 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Active Directory Cookbooks...


Re: [ActiveDir] RPC Over HTTPS Problem....

2006-09-16 Thread victor-w
Take a look at this as well and verify you have set everything up as
it should be:

http://msexchange.me.uk/rpchttpsproblems.htm

Cheers,


Victor

- Original Message -
From: Ravi Dogra <[EMAIL PROTECTED]>
Date: Saturday, September 16, 2006 0:59 am
Subject: [ActiveDir] RPC Over HTTPS Problem

> Hi,
> 
> I am facing a weird problem; here is some required information.
> 
> Frontend - Backend structure.
> Exchange with SP2 on Win2k3 SP1 on all servers.
> FE1 and BE1 are on a different site,
> BE2 is on my site.
> Configured RPC over HTTPS on the frontend server. OWA (SSL) is working
> fine.
> Now here is the situation:
> I have configured my client for RPC over HTTPS. When the client machine
> tries to establish a connection with my Exchange server it prompts me
> for user name and password.
> 
> When I provide my credentials they are not accepted and it keeps
> prompting me for the same.
> 
> Also, while doing this, when I use Ctrl + right-click on the Outlook
> icon on the right side of the taskbar and then select connection, it
> never shows established. It remains on Connecting and tries to connect
> to my BE2 server where my mailbox resides.
> 
> What could be the possible reason for this? If any other information
> is required please let me know.
> 
> 
> -- 
> Ravi Dogra
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> 


Re: [ActiveDir] Is a Global Security group being used?

2006-09-16 Thread Joe Kaplan
This is a really great analysis (as usual).  From the perspective of how my 
company works, the problem is completely intractable because most of our 
usage of groups falls into the 2-6 category.  There is just no way to track 
down application usage of groups, especially when they start doing LDAP 
calls to figure out what's in the directory.  Our enterprise is not as large 
as the very large organization that Joe used to run, but we've got about 
130K users and about 70K groups, so we have a lot of stuff to look after.


Our Director of Security frequently asks me if we can figure out how a given 
group is used and I tell him no.  The other more insidious thing is that 
they often tell me that they want/need a tool that allows them to manage all 
of the application usage of groups from some sort of central system. 
Frequently, some vendor will come in with a web access control product that 
can supposedly do this that a high level exec will get excited about.


The problem is that these things can't really work.  For web access control 
products, they can generally only integrate at the web server level, so they 
can only apply security based on URLs.  This is way too simplistic to even 
begin to cover the various types of role-based security that applications 
really need, so it provides little benefit to central management (the apps 
will use some code to implement the rest of their role-based security that 
won't use the central tool).  Additionally, these tools are inevitably 
difficult to integrate with servers and apps and won't integrate with all of 
them, especially if you have lots of platforms and lots of vendor apps 
written in different technologies that cost money.  Plus, there is a huge 
cost to retrofitting the apps you do control.  Since these systems don't 
really solve the problem unless they cover everything and they will never 
cover everything, they don't solve the problem and waste a ton of money 
trying to.


A framework like AzMan from MS actually has the potential to cover all of 
the granular security needs of an app and be able to store the policy 
centrally in AD or ADAM, so it seems like it would be just what you want. 
However, I'm never going to get SAP, Siebel or SharePoint to work with AzMan 
(maybe SharePoint someday, but I'm not holding my breath), so already it is 
a niche for just a few apps which are basically custom and written in ASP or 
.NET.  The integration effort to retrofit it to an existing app is not small 
and is the kind of thing that will always get chopped by budget priorities, 
especially if new features for the app are needed or it is supposedly 
"frozen" in maintenance mode.


An externally imposed web access control system like RSA ClearTrust works on 
whole URLs, so it can't even handle a scenario as simple as having a web 
page render different content for different users based on role on the same 
page.  Since you frequently need to do that (and much more complicated 
security stuff when you get into multi-tier), it is already relegated to a 
partial solution.


The process-based suggestion that Joe suggests is really just about the only 
way you can practically begin to cobble together a solution.  The main 
drawback with such a thing is that since it is process-based, it is not 
really a source of truth for what is really going on.  You are 100% 
dependent on people following the process and keeping the documentation up 
to date for the data generated by the process to be reliable.  It is at 
least something you can try that might provide some value without wasting a 
ton of money on false promises.


Joe K.

- Original Message - 
From: "joe" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, September 16, 2006 12:12 AM
Subject: RE: [ActiveDir] Is a Global Security group being used?


Yep, as sucky a method as it is, it is something that has been floating 
around as *a* method for years and years to work out the Windows security 
related uses. I know I started mentioning it to folks once I noticed 
non-security groups maintained their SID. I find causing temporary, easy to 
reverse pain much more desirable than deleting it and finding slightly 
longer lived pain.


For the general question though, actually chasing down everywhere a group is 
used is a tremendously difficult task and I am not aware of any tool that 
can do it for every single possible use. The solution is truly to have very 
good process around the use of groups and a tight support definition around 
their use. This is one of the reasons why I like local and domain local 
resource groups, the scope is naturally limited.


So, you may ask where all can the groups be used? The answer is anywhere 
that a SID or a DN can be specified. To name a few...


1. Windows Security Descriptors - this includes any kernel securable objects 
that can accept a security descriptor as well as many other objects that 
have "customized" ACL-like definitions like the customSD for event logs. A 
partial 
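The process-based inventory both Joes describe can at least be backed by a script for the places that are reachable from a domain-joined machine. The following PowerShell is an added example, not code from the thread or from either author's books: it resolves a group to its SID and reports where that SID (or, for nesting, the group's DN) is referenced in NTFS DACLs, directory object DACLs, group membership, and event log CustomSD strings. The group name, file roots and search base are assumed sample values.

```powershell
# Added example, not code from the thread: a read-only audit of where a group's
# SID is referenced in the places a script can reach. Group name, file roots
# and search base are assumed sample values.
function Find-GroupSidUsage {
    param(
        [Parameter(Mandatory)] [string] $GroupName,                   # e.g. 'CONTOSO\App-Readers' (constructed)
        [string[]] $FileRoots  = @('C:\Shares'),                       # assumed share roots to walk
        [string]   $SearchBase = (Get-ADDomain).DistinguishedName      # assumed: whole domain
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # ACEs store SIDs, and a renamed (or security-disabled) group keeps its SID,
    # so match on the SID, never on the display name.
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $hits = New-Object System.Collections.Generic.List[psobject]
    function Add-Hit($Kind, $Where, $Detail) {
        $hits.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
    }

    # 1. Windows security descriptors on files and folders (NTFS DACLs).
    foreach ($root in $FileRoots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
          ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($ace.IdentityReference.Value -eq $sid.Value) {
                    Add-Hit 'NTFS' $_.FullName "$($ace.AccessControlType) $($ace.FileSystemRights)"
                }
            }
          }
    }

    # 2. Security descriptors on directory objects (AD DACLs). This reads every
    #    object under the search base, so narrow the base on a large domain.
    Get-ADObject -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor |
      ForEach-Object {
        foreach ($ace in $_.nTSecurityDescriptor.GetAccessRules($true, $true, $sidType)) {
            if ($ace.IdentityReference.Value -eq $sid.Value) {
                Add-Hit 'AD-ACL' $_.DistinguishedName "$($ace.AccessControlType) $($ace.ActiveDirectoryRights)"
            }
        }
      }

    # 3. A place the group's DN rather than its SID is referenced: nesting.
    $group = Get-ADGroup -Identity $sid.Value -Properties memberOf
    foreach ($parent in $group.memberOf) { Add-Hit 'MemberOf' $parent 'nested in this group' }

    # 4. Event log CustomSD values: SDDL strings that can name the SID directly.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $sddl = (Get-ItemProperty -LiteralPath $_.PSPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
        if ($sddl -and $sddl.Contains($sid.Value)) { Add-Hit 'EventLog-CustomSD' $_.PSChildName $sddl }
      }

    return $hits
}

# Usage with the assumed group name. An empty result is not proof the group is
# unused: services, COM, SQL logins and application config are not covered here.
Find-GroupSidUsage -GroupName 'CONTOSO\App-Readers' | Format-Table -AutoSize
```

The script only covers the first of the places joe lists; that is the point of the thread, and why the result should be read as "known references" rather than "all references". Matching on the SID is what makes the check survive a rename, and it is also why joe's trick of temporarily converting a group to a distribution group works: the SID stays, so the references stay resolvable.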

Re: [ActiveDir] Active Directory Cookbooks...

2006-09-16 Thread Joe Kaplan
I hope you aren't frustrated by the book being written in C# rather than 
VB.NET.  That rule was imposed by my coauthor and the publisher.  All of the 
code samples are re-written in VB.NET and posted on the website, so 
hopefully that works for you.


For the most part, the actual VB and C# code aren't very different 
(sometimes you just put a ";" at the end of the line :)), so hopefully 
you'll be able to follow along with the gist of the C# in the book.


Someday I'd like to seriously tackle the .NET/scripting angle of DS 
programming by tackling all this stuff from the PowerShell perspective.  I 
think there's a huge audience for that in the future.  It will be 
interesting to see how that works out as well, since the scripting world is 
usually covered by other people (Joe, Robbie, Laura, etc.), but most of them 
haven't done .NET yet.  The theme of my talk at DEC was suggesting that all 
of the DS programmers will eventually end up in the .NET world, as that's 
where all of Microsoft's programming model investment is going.  Joe 
Richards will almost certainly be the last to go (unless he discovers how 
cool PowerShell really is and becomes addicted).


Joe K.

- Original Message - 
From: "Richard Kline" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, September 16, 2006 8:03 AM
Subject: RE: [ActiveDir] Active Directory Cookbooks...



Re: [ActiveDir] Block Inheritance on DC OU

2006-09-16 Thread Kamlesh Parmar
Agreed. And I don't believe policies somehow become easier to troubleshoot with exclusions, especially in a very large environment with a high level of delegation coupled with varying levels of skill sets.
 
In fact, given the way "Enforced" or "Block Policy" are visually marked in the GPMC console, I wish there was
something to visually point at a particular policy with explicit exclusions, or it would have been easier if they had
given another area on the Scope tab between "Security Filtering" and "WMI Filtering" stating the explicit exclusions.
 
--
Kamlesh
 
On 9/16/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:



Yes, but there are times when you want to affect all machines or users in a domain and it's a pain to have to link those policies to every OU. Domain-linked GPOs are useful but you do have to be explicitly aware of what you're targeting. That's why I like using explicit security group filtering rather than implicit blocking or enforcing. It's easier to troubleshoot (esp. on Win2K without RSOP).

 
Darren
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Friday, September 15, 2006 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU


It seems to me that a better solution is to only put the password policy into the default domain GPO, and create a separate GPO for any other settings to apply to the OUs. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Block Inheritance on DC OU

Well, at one of the customers, they have around 10 to 15 GPOs applied at domain level, for various purposes ranging from software deployment to other settings. So they didn't want many of those GPOs to be applied to domain controllers.
Above that, they have "block inheritance" enabled at various sub-OU levels. So the only thing we could come up with to achieve what we wanted was to:
1) Block policy at DC OU
2) Create Password Policy at Domain level and enforce it.
This helped for keeping a consistent password policy across all OUs and the domain, and also "saving" DCs from domain level general purpose GPOs. Long term, the solution is to rethink the OU structure.
Kamlesh
On 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:



Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful. 

 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU



The company I am currently working for has "block inheritance" enabled for the Domain Controller's OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this).

 
Although I am curious, what sort of ramifications does enabling "block inheritance" on the Domain Controller's OU pose?  And what reason would you have to enable this setting on the Domain Controller's OU?  With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation.

 
Thanks as always for your input,
~Ben
-- ~Short-term actions X time = long-term accomplishments.~
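The three mechanisms argued over in this thread (block inheritance, Enforced links, and explicit security filtering) are all readable from the GroupPolicy module, so the state Ben inherited can be put in one table. The following PowerShell is an added example, not code from any poster; it needs the RSAT GroupPolicy and ActiveDirectory modules and takes every container name from the domain itself.

```powershell
# Added example, not code from the thread: a read-only report of GPO targeting
# (blocked inheritance, enforced links, explicit security filtering) for the
# domain root and every OU. Needs the RSAT GroupPolicy and ActiveDirectory modules.
function Get-GpoTargetingReport {
    Import-Module GroupPolicy     -ErrorAction Stop
    Import-Module ActiveDirectory -ErrorAction Stop

    $domain  = Get-ADDomain
    $dcOu    = $domain.DomainControllersContainer
    $targets = @($domain.DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)

    foreach ($dn in $targets) {
        $inh   = Get-GPInheritance -Target $dn
        $links = @($inh.GpoLinks)

        # A blocked container with nothing linked still matters: it silently drops
        # every non-enforced domain-linked policy, which is the DC OU case above.
        if ($links.Count -eq 0) {
            [pscustomobject]@{
                Container          = $dn
                IsDcOu             = ($dn -eq $dcOu)
                InheritanceBlocked = $inh.GpoInheritanceBlocked
                Gpo                = '(none linked here)'
                LinkEnabled        = $null
                Enforced           = $null
                AppliesTo          = $null
            }
            continue
        }

        foreach ($link in $links) {
            # Security filtering: only trustees holding GpoApply receive the GPO.
            # This is the explicit targeting Darren prefers over block/enforce.
            $applyTo = Get-GPPermission -Guid $link.GpoId -All |
                       Where-Object { $_.Permission -eq 'GpoApply' } |
                       ForEach-Object { $_.Trustee.Name }
            [pscustomobject]@{
                Container          = $dn
                IsDcOu             = ($dn -eq $dcOu)
                InheritanceBlocked = $inh.GpoInheritanceBlocked
                Gpo                = $link.DisplayName
                LinkEnabled        = $link.Enabled
                Enforced           = $link.Enforced
                AppliesTo          = (@($applyTo) -join '; ')
            }
        }
    }
}

# Usage: surface the implicit mechanisms first. A DC OU row with
# InheritanceBlocked = True means domain-linked GPOs only reach the DCs when
# their domain-level link shows Enforced = True, which is the setup Kamlesh
# described and the effect Darren warned about.
Get-GpoTargetingReport |
  Where-Object { $_.InheritanceBlocked -or $_.Enforced } |
  Format-Table Container, IsDcOu, InheritanceBlocked, Gpo, Enforced, AppliesTo -AutoSize
```

The AppliesTo column is the part worth keeping in a change record: a GPO whose only GpoApply trustee is Authenticated Users is doing implicit targeting by link placement alone, which is exactly what becomes hard to troubleshoot once blocks and enforcements are layered on top of it.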


RE: [ActiveDir] Active Directory Cookbooks...

2006-09-16 Thread joe
LOL. 

I really actually like LDAP and Win32 API type coding. I do understand
though the draw for some folks for .NET. Just not for me, especially as I
play more and more in the FreeBSD space. ;)

ASP.NET I expect will be the first thing I go into when/if I make a step in
that direction. Something that is completely server side controlled. 

I was into MONAD when it was first announced and very early in the
design/development/beta but they kept cutting back what they initially said
they were going to do with it and I ended up losing interest. I have fear in
how "fat" things are going to get with it. Certainly I am not thrilled with
the stuff being done in Exchange with it that I have seen/heard about. For
example, if I want a list of mailbox sizes of all mailboxes in an org you
need to pull back to the client running the script EVERYTHING about EVERY
mailbox. That may work in a small org but is not optimal in a large size
distributed environment. When I pointed that out I was simply told that is
the MONAD way... That isn't really encouraging for someone who normally
works on environments greater than 100k seats. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Saturday, September 16, 2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Cookbooks...


Re: [ActiveDir] splitting a domain into two

2006-09-16 Thread Kamlesh Parmar
Well :-)
I suppose you are looking at the tiny figure of 300 users and asking why not choose option 1 straight away.
If only every IT manager was as forceful and articulate about the danger of short term decisions as you are.
About migrating to the corporate domain, that is achievable as both sites are not going to get links simultaneously,
so whoever gets the link first gets migrated first, with security translation as the preferred method, and we basically have a policy to remove sidHistory along with demotion of the old domain. And here it will be a serialized migration, one after another rather than simultaneous.

 
The assumption here being: once the trust with one domain is established, machines migrated, trust broken.
I suppose creating the trust again with the same domain name at a different site should not be an issue.
 
--
Kamlesh 
On 9/16/06, joe <[EMAIL PROTECTED]> wrote:



First impression: Yuck.
 
The main thing that caught my attention is the "migrate into a corporate domain at a later time". I assume you mean both of these "separated" domains would be migrated? If so, how do you plan to do the migration? You won't be able to have name res for the trusts, even if you could you would most likely run into SID issues if you maintained SID History. 

 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] splitting a domain into two

Dear All,
Scenario: Single regional domain, two sites, both sites having separate links to the Internet and direct WAN connectivity with each other. AD Integrated DNS.
site1: 300 users
site2: 400 users
Now, due to restructuring, they have decided to get rid of the WAN link joining the two sites immediately, as both sites will have separate individual WAN connectivity with some corporate hub site. And this domain will be migrated to the corporate domain in due course.
The problem here is the WAN connectivity to the hub site will be commissioned at different times (one month apart) and they want to get rid of the WAN link joining site1 with site2 NOW. Other problems like mail access and stuff will be handled thru' the Internet link.
Now the issue is, what to do about the AD domain, as DCs will lose direct network connectivity. The solutions we are looking at are:
1) Migrate one of the locations into a separate domain, and thus break the dependence of both sites on a single domain.
2) Just break the network link as requested and here comes the crummy part :) instead of migrating one of the sites to a new domain, you just split the domain into two isolated networks, where each site DC will think it is the only DC handling all the stuff for that domain.
Basically, 1) break the link 2) point DCs to themselves for DNS 3) seize all the roles 4) do metadata & DNS cleanup of the other DC. Net result: each DC believes they own the domain. Just make sure they don't talk to each other directly ever.
Now, any foreseeable issues with the 2nd approach? Please don't include layer 8 issues ;), I am purely looking at technical feasibility and precautions if we go ahead.
-- 
Kamlesh
~Short-term actions X time = long-term accomplishments.~


Re: [ActiveDir] Active Directory Cookbooks...

2006-09-16 Thread Joe Kaplan
Someday you need to take a spin through System.DirectoryServices.Protocols 
(.NET 2.0) in C# and see if you like it.  It is a direct interop layer over 
wldap32, exposing the entire feature surface.  It does impose an OO model on 
top of the API, but it is done in a very LDAP-centric way, using the 
connection as the core object and the metaphor of sending and receiving 
messages against that connection.  Everything translates directly to what is 
actually going on.  It is kind of the opposite of ADSI, in which the 
directory objects are the primary metaphor and all of the implementation 
details are buried in the abstraction.  I can totally see why you wouldn't 
want to release a tool based on it, as you take hard dependencies on .NET 
2.0 to use it, but one advantage is that you get free optimized X64 support 
with the same binaries.  :)  For your own stuff that never sees the light of 
day, it might be something you enjoy.


I totally hear you with PowerShell.  My take on it is that the actual core 
of PowerShell is revolutionary and an extremely powerful and well-designed 
thing.  It is also exceptionally hard to learn, so I think that is its 
greatest weakness.


The actual providers that plug into the core are going to be hit and miss 
most likely.  The Exchange stuff is certainly implemented as an extension 
and is not part of the core, so any suckiness in the Exchange programming 
model for PowerShell has to fall on the Exchange team and not reflect on 
PowerShell as a whole.  The Exchange team seems to have a glorious history 
of providing us with terrible APIs (CDOEXM, WebDav, etc.), so I'm not at all 
surprised to hear that their PowerShell implementation will miss the mark.


My solution to this is to always try to avoid having to program Exchange.  I 
didn't even mention it in my book.  :)


Joe K.

- Original Message - 
From: "joe" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, September 16, 2006 11:33 AM
Subject: RE: [ActiveDir] Active Directory Cookbooks...



LOL.

I really actually like LDAP and Win32 API type coding. I do understand
though the draw for some folks for .NET. Just not for me, especially as I
play more and more in the FreeBSD space. ;)

ASP.NET I expect will be the first thing I go into when/if I make a step in
that direction. Something that is completely server side controlled.

I was into MONAD when it was first announced and very early in the
design/development/beta but they kept cutting back what they initially said
they were going to do with it and I ended up losing interest. I have fear in
how "fat" things are going to get with it. Certainly I am not thrilled with
the stuff being done in Exchange with it that I have seen/heard about. For
example, if I want a list of mailbox sizes of all mailboxes in an org you
need to pull back to the client running the script EVERYTHING about EVERY
mailbox. That may work in a small org but is not optimal in a large size
distributed environment. When I pointed that out I was simply told that is
the MONAD way... That isn't really encouraging for someone who normally
works on environments greater than 100k seats.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Saturday, September 16, 2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Cookbooks...

I hope you aren't frustrated by the book being written in C# rather than
VB.NET.  That rule was imposed by my coauthor and the publisher.  All of the
code samples are re-written in VB.NET and posted on the website, so
hopefully that works for you.

For the most part, the actual VB and C# code aren't very different
(sometimes you just put a ";" at the end of the line :)), so hopefully
you'll be able to follow along with the gist of the C# in the book.

Someday I'd like to seriously tackle the .NET/scripting angle of DS
programming by tackling all this stuff from the PowerShell perspective.  I
think there's a huge audience for that in the future.  It will be
interesting to see how that works out as well, since the scripting world is
usually covered by other people (Joe, Robbie, Laura, etc.), but most of them
haven't done .NET yet.  The theme of my talk at DEC was suggesting that all
of the DS programmers will eventually end up in the .NET world, as that's
where all of Microsoft's programming model investment is going.  Joe
Richards will almost certainly be the last to go (unless he discovers how
cool PowerShell really is and becomes addicted).

Joe K.

- Original Message - 
From: "Richard Kline" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, September 16, 2006 8:03 AM
Subject: RE: [ActiveDir] Active Directory Cookbooks...


Please ignore this post:  I just read Joe's other note about
http://directoryprogramming.net/default.aspx

Sorry!   So much to read so little time...

Thanks!

-Original 
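
As an added illustration of the connection-and-messages model Joe Kaplan describes above (this is not code from the thread or from his book), here is a System.DirectoryServices.Protocols paged search that lists the accounts AD has marked as protected (adminCount=1), which is the set a defender reviews first when tightening the EA/DA population. The server name dc01.example.com and the base DN DC=example,DC=com are placeholders.

```csharp
// Added example, not code from the thread or from the book it discusses.
// A System.DirectoryServices.Protocols (.NET 2.0) paged search that lists
// the accounts AD has flagged as protected (adminCount=1).
// "dc01.example.com" and "DC=example,DC=com" are placeholders.
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;

static class ProtectedAccountAudit
{
    // Returns the sAMAccountName of every user object carrying adminCount=1.
    public static List<string> ListProtectedAccounts(string server, string baseDn)
    {
        var names = new List<string>();

        // The connection is the core object; every operation is a request
        // message sent over it and a response message read back.
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(server, 389)))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.Signing = true;   // integrity-protect the session
            conn.SessionOptions.Sealing = true;   // and encrypt it (SASL Negotiate)
            conn.AuthType = AuthType.Negotiate;   // bind as the calling Windows user
            conn.Bind();

            var request = new SearchRequest(
                baseDn,
                "(&(objectCategory=person)(objectClass=user)(adminCount=1))",
                SearchScope.Subtree,
                "sAMAccountName", "whenChanged");

            // AD returns at most MaxPageSize (1000 by default) entries per
            // response, so attach the simple paged results control and keep
            // resending the same request with the server's cookie until the
            // cookie comes back empty.
            var pageRequest = new PageResultRequestControl(500);
            request.Controls.Add(pageRequest);

            while (true)
            {
                var response = (SearchResponse)conn.SendRequest(request);

                foreach (SearchResultEntry entry in response.Entries)
                {
                    string name = (string)entry.Attributes["sAMAccountName"].GetValues(typeof(string))[0];
                    string changed = (string)entry.Attributes["whenChanged"].GetValues(typeof(string))[0];
                    names.Add(name);
                    Console.WriteLine("{0}\t{1}", name, changed);
                }

                PageResultResponseControl pageResponse = null;
                foreach (DirectoryControl control in response.Controls)
                {
                    pageResponse = control as PageResultResponseControl;
                    if (pageResponse != null) break;
                }
                if (pageResponse == null || pageResponse.Cookie.Length == 0) break;
                pageRequest.Cookie = pageResponse.Cookie;
            }
        }
        return names;
    }

    static void Main()
    {
        List<string> protectedAccounts =
            ListProtectedAccounts("dc01.example.com", "DC=example,DC=com");
        Console.WriteLine("{0} protected account(s)", protectedAccounts.Count);
    }
}
```

The point of the shape is the one made above: there is no object that pretends to be the user; there is a connection, a SearchRequest you send, and a SearchResponse you get back, with the paging cookie handled by you rather than hidden in an abstraction.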

Re: [ActiveDir] RPC Over HTTPS Problem....

2006-09-16 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
In a moment of "me too!", here's the SBS version of how to
set up Outlook over HTTP:



1.  Run the connect to Internet and email wizard on the todo list
2.  Choose the GUI button that enables Outlook over the Internet
3.  Now log into the GUI remote portal http://domainname/remote
4.  Click on the button that talks about Outlook over the Internet
5.  Follow instructions

If you have a SBS box that you are in charge of ... don't follow any of 
the manual how to setup instructions... get the GUI out and follow the 
wizards.


[EMAIL PROTECTED] wrote:
Take a look at this as well and verify you have set everything up as 
it should:


http://msexchange.me.uk/rpchttpsproblems.htm

Cheers,


Victor

- Original Message -
From: Ravi Dogra <[EMAIL PROTECTED]>
Date: Saturday, September 16, 2006 0:59 am
Subject: [ActiveDir] RPC Over HTTPS Problem

  

Hi,

I am facing a weird problem; here is some required information.

Frontend - Backend structure.
Exchange with SP2 on Win2k3 SP1 on all servers.
FE1 and BE1 are on a different site,
BE2 is on my site.
Configured RPC over HTTPS on the Frontend server. OWA (SSL) is working
fine.

Now here is the situation:
I have configured my client for RPC over HTTPS. When the client machine
tries to establish a connection with my Exchange server it prompts me
for user name and password.

When I provide my credentials it does not accept them and keeps
prompting me for the same.

Also while doing this, when I use Ctrl + right-click on the Outlook
icon on the right side of the taskbar and then select Connection, it
never shows Established. It remains on Connecting and tries to connect
to my BE2 server where my mailbox resides.

What could be the possible reason for this? If any other information
is required please let me know.


--
Ravi Dogra
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx





RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-16 Thread Brian Desmond
With the IFM feature in 2003 the promotion issue is not that much of an
issue. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Friday, September 15, 2006 1:15 PM
> To: ActiveDir@mail.activedir.org
> Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Elevating privileges from DA to EA
> 
> Hi All
> 
> I wanted to weigh in with two comments.
> 1) Elevating privileges from DA to EA (or from physical DC access to
> EA) is simple - it takes about 45 minutes and unless you have some very
> good active monitoring is difficult to detect.  There are automated
> tools out there for doing this.  I have been known to use the term lazy
> EAs to refer to domain admins.
> 
> 2) Replication boundaries is another reason for separate domains.  A
> million objects can lead to huge DITs and very slow replication -
> especially in a build a new DC case.  Separating that into multiple
> domains - to put smaller load on locations where bandwidth is an issue - is
> worth considering.  For example:
>   90,000 users.  200 of those are in Alaska.
>   The rest of the world has good bandwidth, Alaska locations all
>   have the equivalent of 56K modem speed.
>   DIT and Sysvol size is about 7G, but for Alaska users there are
>   only 3 GPOs that affect them.
>   Rather than doing 1 domain I can put the 200 Alaska users in
>   their own domain.  Security wise, there is no advantage.  Replication
>   wise, the Global Catalogue is a fraction the size of the full database,
>   the Sysvol never replicates anywhere in Alaska, and replication for
>   that domain will cause less strain on their bandwidth - 200 users will
>   create a much lower amount of changes than 90,000 users.
> 
> Regards;
> 
> James R. Day
> Active Directory Core Team
> Office of the Chief Information Officer
> National Park Service
> 202-230-2983
> [EMAIL PROTECTED]
> 
> 
> 
> From: "Al Mulnick" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Date: 09/15/2006 11:34 AM AST
> Subject: Re: [ActiveDir] Elevating privileges from DA to EA
> Please respond to [EMAIL PROTECTED]
> 
> I agree and add to that some additional thoughts:
> Not long ago there was some conversation around a suggestion that
> [EMAIL PROTECTED] put out regarding the idea of using multiple
> forests vs. domains in such a model.  Personally, I disagree with that
> recommendation as given.  I think A LOT more additional information is
> required before saying that, but I digress.
> 
> If you decide to use the multi-domain model, I have to assume that you
> either have different password policies or a strong layer-8 contingent
> driving things. If the latter, I hate it for you.
> 
> If you have a requirement to separate the domains from the forest, your
> workload just went through the roof, and with that your costs.
> 
> Was it me I'd want to learn from my past mistakes ;0) and approach this
> by reversing the conversation.  By that I mean I'd want each potential
> domain owner to absolutely and in a detailed manner specify the
> functions they need to execute.  From there, we'll encompass the rights
> needed for each of those functions. I think what you'll find is that
> you can do almost all of it with a single domain if different password
> policies are not needed (mostly, but you know all of that anyway).  From
> there, I'd be sure to spell all of that out to the project sponsor because
> the costs (both ongoing and up front) can be significant.  The amount of
> complexity and issues with other directory based applications alone can
> be enough to put them off and actually follow a recommendation such as
> this. The push obviously is to get as few actual DA's as possible.
> 
> Is the threat real? Yes.  If you feel you should have multiple domains,
> chances are good you really need OU's and a better admin model that
> includes less complexity and fewer moving parts.
> 
> Oh, one other thing that might be of interest to your planning group:
> ask them about their restoration requirements.  In that model,
> restoration can be a bloody nightmare especially if the layer-8 issues
> are not resolved up front.
> 
> Al
> 
> 
> On 9/15/06, Paul Williams <[EMAIL PROTECTED]> wrote:
>   Neil,
> 
>   Try a re-read of the first couple of chapters of the first part of the
>   deployment guide book designing and deploying directory and security
>   services.  Obviously it doesn't spell out how to do this -it doesn't even
>   allude to how this is done- but does emphasise when and when not to go
>   with the regional do

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-16 Thread Brian Desmond
Another example of that regional forest type model I’ve noticed
dealing in the state/local space is that sometimes you have organizations like
the police/sheriff or an auditor which has to be separate. You end up standing
up a forest for a hundred users or something, but, those groups always have the
same (and solid) argument. It’s not political really, just if you look at it from
a high level they need to limit who has access to their data. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of joe
Sent: Friday, September 15, 2006 10:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

I am the type that argues that 3-5 EA/DA folks is good for any
size org. Showing that the large companies with hundreds of thousands of seats
can accomplish it helps illustrate that smaller companies should be able to
accomplish it and that instead of making the job harder, it makes it easier. It
may be tougher up front while you fight the political battles and learn how
your environment and processes really work but once that is done, life is much
easier as AD doesn't tend to just break on its own, people screw up. The less
chances available for those screwups the smoother things run. 

 

When I see companies with tens or hundreds or even thousands of
folks with admin (or other native built in group) access in a forest I just get
an upset stomach because I know that things are almost certainly not running as
smoothly as they could be. In fact, from my experiences, the more admins there
are, it seems the more harried and running they all are. 

 

Getting down to a few EA/DAs is all about process and automation.
Do it right, it is feasible and works great. Do it wrong, you have admins
burning out every 3 months. I understand that admins don't have time to
automate things and make the environment better. I have been in similar
positions, positions where I had no choice but to work 80-100 a week every week
always carrying a pager, etc. When in those positions I made the conscious
choice to make sure I found a little time every day (even 30 minutes) to do
some little bit. This slowly adds up. If you attack the items you are spending
the most time on during the day, you slowly start freeing yourself up more and
more and if it is to automate something that is being done manually more than
likely you are saving even more time when that something is done correctly and
consistently every time (everyone makes mistakes when doing things manually). 

 

Absolutely you need to be running separate admin and normal user
IDs for admins. You could be the best admin in the world but it is stupid not
to take care to make sure that if for some reason you make some small slip, the
chances are reduced that something bad can result. My general recommendation is
normal ID and dollar sign ID, e.g. jricha34 and $jricha34. Maybe even going to
double dollar for enterprise admin to make that stand out even more so
jricha34, $jricha34, and $$jricha34. Also make sure that these IDs are not
used interactively on workstations and avoid logging into any servers that you
don't fully trust (i.e. you own and only the DAs can log into or manipulate). 

 

Now for the regional forest... I haven't heard a good reason for
one yet. I haven't heard a good reason for separate DAs for geographies. The
best reasons I have heard are in relation to divisions within a company, say
like a financial division of a company that's main business is manufacturing or
distribution or something. The banking laws in some companies can be a bit
involved and in _some_ of those cases there may be a need for a separate
forest. There needs to be really good documentation of all of the why's
though. A company is often better served as a whole if divisions and
geographies bow down and let one group handle the overall functioning of the AD
service. Assuming the group doing the work actually knows what it is doing,
things will usually be much better off. Politics tends to get in the way here
until someone gets sick of the politics and either makes an executive decision
or stages a coup and forcefully takes control. 

 

I am with James that policy and replication boundaries are valid
reasons for separate domains. Perfect world is single forest domain, things
from Microsoft just work better in those environments. But as James pointed out
with his example, with the current replication model, a single domain forest
just can't work sometimes even if the policy is the same in all domains. 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Friday, September 15, 2006 12:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

I agree with the people who are
say
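
joe's recommendation in the message quoted above (separate normal and $-prefixed admin IDs, never used interactively on workstations or untrusted servers) is only as good as your ability to notice when it is broken. The following is an added example, not code from the thread: it scans Windows Security event 4624 records for interactive logons (logon types 2, 10 and 11) by accounts following that naming convention on any host that is not in a trusted-host list. The records are constructed sample lines in a simplified tab-separated form, not real exported log data, and the DC01/DC02 trusted-host list and the jricha34 account names are placeholders taken from joe's own example.

```csharp
// Added example (not from the thread): flag interactive use of admin IDs
// named per joe's convention ($name / $$name) anywhere except trusted hosts.
using System;
using System.Collections.Generic;

static class AdminLogonCheck
{
    // Logon types that mean a person sat at (or RDP'd into) the machine:
    // 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
    static readonly HashSet<int> InteractiveTypes = new HashSet<int> { 2, 10, 11 };

    // Hosts where console/RDP use of an admin ID is expected (placeholder list).
    static readonly HashSet<string> TrustedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "DC01", "DC02" };

    // Constructed sample records: EventID<TAB>LogonType<TAB>Account<TAB>Workstation.
    // Made up for this example; not real exported log data.
    public static readonly string[] SampleRecords =
    {
        "4624\t2\tjricha34\tWS-1042",     // normal ID on a workstation: fine
        "4624\t3\t$jricha34\tDC01",       // network logon to a DC: fine
        "4624\t2\t$jricha34\tWS-1042",    // DA ID at a workstation console: flag
        "4624\t10\t$$jricha34\tFILESRV7", // EA ID over RDP to a file server: flag
        "4624\t2\t$$jricha34\tDC02",      // EA ID at a DC console: trusted host
        "4672\t0\t$jricha34\tDC01",       // not a 4624 record: ignored
    };

    // joe's convention: one leading "$" for DA, "$$" for EA; both start with "$".
    public static bool IsAdminId(string account)
    {
        return account.StartsWith("$", StringComparison.Ordinal);
    }

    // Returns one finding per record where an admin ID was used interactively
    // on a host outside the trusted list.
    public static List<string> FindViolations(IEnumerable<string> records)
    {
        var findings = new List<string>();
        foreach (string line in records)
        {
            string[] f = line.Split('\t');
            if (f.Length != 4 || f[0] != "4624") continue;

            int logonType;
            if (!int.TryParse(f[1], out logonType)) continue;

            string account = f[2];
            string host = f[3];
            if (IsAdminId(account)
                && InteractiveTypes.Contains(logonType)
                && !TrustedHosts.Contains(host))
            {
                findings.Add(string.Format("{0} logon type {1} on {2}", account, logonType, host));
            }
        }
        return findings;
    }

    static void Main()
    {
        foreach (string finding in FindViolations(SampleRecords))
            Console.WriteLine("VIOLATION: " + finding);
    }
}
```

In a real deployment the records would come from forwarded Security logs rather than an inline array, and the trusted-host list would be the set of machines joe describes as "you own and only the DAs can log into"; the decision logic is the same.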

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-16 Thread Al Mulnick
Replication is certainly a good reason to separate.  Not a common one however from what I've seen.  African continent might be in a similar boat for some international companies. There are some other reasons as well, but they have been very far and few between from my experience.  I can't talk to the others with any credibility. 

 
56K?  That's being optimistic isn't it? Some of the ones I've seen for some other government offices was more like 9.6 on a good day :) 
On 9/15/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Hi All

I wanted to weigh in with two comments.
1) Elevating privileges from DA to EA (or from physical DC access to EA)
is simple - it takes about 45 minutes and unless you have some very good
active monitoring is difficult to detect.  There are automated tools out
there for doing this.  I have been known to use the term lazy EAs to refer
to domain admins.

2) Replication boundaries is another reason for separate domains.  A
million objects can lead to huge DITs and very slow replication -
especially in a build a new DC case.  Separating that into multiple domains
- to put smaller load on locations where bandwidth is an issue - is worth
considering.  For example:
  90,000 users.  200 of those are in Alaska.
  The rest of the world has good bandwidth, Alaska locations all have
  the equivalent of 56K modem speed.
  DIT and Sysvol size is about 7G, but for Alaska users there are only
  3 GPOs that affect them.
  Rather than doing 1 domain I can put the 200 Alaska users in their
  own domain.  Security wise, there is no advantage.  Replication wise, the
  Global Catalogue is a fraction the size of the full database, the Sysvol
  never replicates anywhere in Alaska, and replication for that
  domain will cause less strain on their bandwidth - 200 users will create a
  much lower amount of changes than 90,000 users.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]

From: "Al Mulnick" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 09/15/2006 11:34 AM AST
Subject: Re: [ActiveDir] Elevating privileges from DA to EA
Please respond to [EMAIL PROTECTED]

I agree and add to that some additional thoughts:
Not long ago there was some conversation around a suggestion that
[EMAIL PROTECTED] put out regarding the idea of using multiple forests
vs. domains in such a model.  Personally, I disagree with that
recommendation as given.  I think A LOT more additional information is
required before saying that, but I digress.

If you decide to use the multi-domain model, I have to assume that you
either have different password policies or a strong layer-8 contingent
driving things. If the latter, I hate it for you.

If you have a requirement to separate the domains from the forest, your
workload just went through the roof, and with that your costs.

Was it me I'd want to learn from my past mistakes ;0) and approach this by
reversing the conversation.  By that I mean I'd want each potential domain
owner to absolutely and in a detailed manner specify the functions they
need to execute.  From there, we'll encompass the rights needed for each of
those functions. I think what you'll find is that you can do almost all of
it with a single domain if different password policies are not needed
(mostly, but you know all of that anyway). From there, I'd be sure to spell
all of that out to the project sponsor because the costs (both ongoing and up
front) can be significant.  The amount of complexity and issues with other
directory based applications alone can be enough to put them off and
actually follow a recommendation such as this. The push obviously is to get
as few actual DA's as possible.

Is the threat real? Yes.  If you feel you should have multiple domains,
chances are good you really need OU's and a better admin model that
includes less complexity and fewer moving parts.

Oh, one other thing that might be of interest to your planning group: ask
them about their restoration requirements.  In that model, restoration can
be a bloody nightmare especially if the layer-8 issues are not resolved up
front.

Al

On 9/15/06, Paul Williams <[EMAIL PROTECTED]> wrote:
Neil,

Try a re-read of the first couple of chapters of the first part of the
deployment guide book designing and deploying directory and security
services.  Obviously it doesn't spell out how to do this -it doesn't even
allude to how this is done- but does emphasise when and when not to go
with the regional domain model.

I'm not disputing what anyone is saying here -I agree.  I just happen to
think the regional model can be a

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-16 Thread James_Day
"Elevating privileges from DA to EA (or from physical DC access to EA)
is simple"

This requires physical access to any DC in the same forest.  A cross forest
/ cross domain trust would require some additional configuration done to
the forest to be able to do the same thing.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]


From: "Kevin Brunson" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 09/15/2006 03:41 PM EST
Subject: RE: [ActiveDir] Elevating privileges from DA to EA
Please respond to [EMAIL PROTECTED]

"Elevating privileges from DA to EA (or from physical DC access to EA)
is simple"

Is this physical access to a DC in the root domain or physical access to
a DC with a forest trust to the root domain?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, September 15, 2006 12:15 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Hi All

I wanted to weigh in with two comments.
1) Elevating privileges from DA to EA (or from physical DC access to EA)
is simple - it takes about 45 minutes and unless you have some very good
active monitoring is difficult to detect.  There are automated tools out
there for doing this.  I have been known to use the term lazy EAs to
refer to domain admins.

2) Replication boundaries is another reason for separate domains.  A
million objects can lead to huge DITs and very slow replication -
especially in a build a new DC case.  Separating that into multiple
domains - to put smaller load on locations where bandwidth is an issue - is
worth considering.  For example:
  90,000 users.  200 of those are in Alaska.
  The rest of the world has good bandwidth, Alaska locations all have
  the equivalent of 56K modem speed.
  DIT and Sysvol size is about 7G, but for Alaska users there are only
  3 GPOs that affect them.
  Rather than doing 1 domain I can put the 200 Alaska users in their
  own domain.  Security wise, there is no advantage.  Replication wise,
  the Global Catalogue is a fraction the size of the full database, the
  Sysvol never replicates anywhere in Alaska, and replication for that
  domain will cause less strain on their bandwidth - 200 users will create
  a much lower amount of changes than 90,000 users.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]


From: "Al Mulnick" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 09/15/2006 11:34 AM AST
Subject: Re: [ActiveDir] Elevating privileges from DA to EA
Please respond to [EMAIL PROTECTED]


I agree and add to that some additional thoughts:
Not long ago there was some conversation around a suggestion that
[EMAIL PROTECTED] put out regarding the idea of using multiple forests
vs. domains in such a model.  Personally, I disagree with that
recommendation as given.  I think A LOT more additional information is
required before saying that, but I digress.

If you decide to use the multi-domain model, I have to assume that you
either have different password policies or a strong layer-8 contingent
driving things. If the latter, I hate it for you.

If you have a requirement to separate the domains from the forest, your
workload just went through the roof, and with that your costs.

Was it me I'd want to learn from my past mistakes ;0) and approach 

Re: [ActiveDir] splitting a domain into two

2006-09-16 Thread Al Mulnick
Yeah.  See the problem with that "policy" concept is that in your environment you've already noticed that good ideas are seldom given a chance to live long enough to make it to your level :)
 
That said, I would think it's extremely dangerous to try and break it like that.  Although, it could work, the risk is pretty high that your networks will be connected long before you have a chance to decommission the domains leaving you with a potentially difficult name resolution issue to resolve. There would likely be much wailing and gnashing of teeth as well. 

 
I think in this case, option 3 would be preferred: 
3) Leave the domains alone and allow the break of network to occur. When the WAN links are created to the central hub, migrate as fast as your legs will carry you.  Remember that at that time, your replication will likely resume.  Try to keep a change freeze as long as you can if the networks will be able to see each other. 

 
It might not be a bad idea to check on the tombstone time and raise that if you can.  WAN links are known to take longer to bring up than any planning might assume. Put another way, network folks tend to be overly optimistic when it comes to timing of WAN link configurations. 

 
Be sure to communicate as much as possible about the risks and tradeoffs.  That way you can stick your tongue out later and sing, "I told ya so!" at the top of your lungs (likely after work and out of earshot of those that might take offense, but you can at least do so with a clear conscience.)

 
 
My $0.04 (USD) anyway. 
 
Al 
On 9/16/06, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:


Well :-)
I suppose you are looking at the tiny figure of 300 users and why not choose option 1 straight away.
If only every IT manager was as forceful and articulate about the danger of short term decisions as you are. 
About migrating to the corporate domain, that is achievable as both sites are not going to get links simultaneously,
so whoever gets the link first gets migrated first, with security translation as the preferred method, and we basically have a policy to remove sidHistory along with demotion of the old domain. And here it will be a serialized migration one after another rather than simultaneous. 

 
The assumption here being: once the trust with one domain is established, machines migrated, trust broken. 
I suppose creating a trust again with the same domain name at a different site should not be an issue.
 
--

Kamlesh 

On 9/16/06, joe <[EMAIL PROTECTED]> wrote:
 



First impression: Yuck.
 
The main thing that caught my attention is the "migrate into a corporate domain at a later time". I assume you mean both of these "separated" domains would be migrated? If so, how do you plan to do the migration? You won't be able to have name res for the trusts, even if you could you would most likely run into SID issues if you maintained SID History. 

 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] splitting a domain into two

Dear All,

Scenario: Single regional domain, two sites, both sites having separate links to the Internet and direct WAN connectivity with each other. AD Integrated DNS.
site1: 300 users
site2: 400 users
Now, due to restructuring, they have decided to get rid of the WAN link joining the two sites immediately, as both sites will have separate individual WAN connectivity with some corporate hub site. And this domain will be migrated to the corporate domain in due course. 
The problem here is the WAN connectivity to the hub site will be commissioned at different times (one month apart) and they want to get rid of the WAN link joining site1 with site2 NOW. Other problems like mail access and stuff will be handled thru' the Internet link. 
Now the issue is, what to do about the AD domain, as DCs will lose direct network connectivity? The solutions we are looking at are:
1) Migrate one of the locations into a separate domain, and thus break the dependence of both sites on a single domain. 
2) Just break the network link as requested, and here comes the crummy part :) instead of migrating one of the sites to a new domain, you just split the domain into two isolated networks, where each site DC will think it is the only DC handling all the stuff for that domain. 
Basically, 1) break the link 2) point DCs to themselves for DNS 3) seize all the roles 4) do metadata & DNS cleanup of the other DC. Net result: each DC believes it owns the domain. Just make sure they don't talk to each other directly ever. 
Now, any foreseeable issues with the 2nd approach? Please don't include layer 8 issues ;), I am purely looking at technical feasibility and precautions if we go ahead.
-- Kamlesh~ 
Short-term actions X time = long-term accomplishments.~ 

-- ~
Short-term actions X time = long-term ac
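
Al's advice earlier in this message to check (and if possible raise) the tombstone lifetime before the split can be scripted. The following is an added example, not code from the thread: it uses System.DirectoryServices.Protocols to read tombstoneLifetime from the Directory Service object in the configuration partition (an absent value means the 60-day default) and compares it with the planned number of days the two halves will be apart, because two DCs that reconnect after longer than the tombstone lifetime risk reintroducing lingering objects, which is the reconnect scenario Al warns about. The DC name dc01.example.com and the 30-day gap are placeholders.

```csharp
// Added example (not from the thread): read the forest tombstone lifetime,
// which bounds how long two halves of a split domain can safely stay apart.
// "dc01.example.com" and the 30-day planned gap are placeholders.
using System;
using System.DirectoryServices.Protocols;

static class TombstoneCheck
{
    // A Directory Service object with no tombstoneLifetime value means the
    // 60-day default applies.
    const int DefaultTombstoneDays = 60;

    // Base-scope read of one attribute from one object; null if absent.
    static string ReadSingle(LdapConnection conn, string dn, string attr)
    {
        var request = new SearchRequest(dn, "(objectClass=*)", SearchScope.Base, attr);
        var response = (SearchResponse)conn.SendRequest(request);
        if (response.Entries.Count == 0) return null;
        DirectoryAttribute value = response.Entries[0].Attributes[attr];
        return value == null ? null : (string)value.GetValues(typeof(string))[0];
    }

    public static int GetTombstoneLifetimeDays(string server)
    {
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(server, 389)))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.Signing = true;
            conn.SessionOptions.Sealing = true;
            conn.AuthType = AuthType.Negotiate;
            conn.Bind();

            // rootDSE (empty DN) tells us where the configuration partition lives.
            string configNc = ReadSingle(conn, null, "configurationNamingContext");
            string dsDn = "CN=Directory Service,CN=Windows NT,CN=Services," + configNc;

            string raw = ReadSingle(conn, dsDn, "tombstoneLifetime");
            return raw == null ? DefaultTombstoneDays : int.Parse(raw);
        }
    }

    // The decision Al's advice implies: the time the two DCs will be apart
    // must stay inside the tombstone window, with room for the WAN links to
    // arrive later than the network team promised.
    public static bool GapIsSafe(int tombstoneDays, int plannedGapDays)
    {
        return plannedGapDays < tombstoneDays;
    }

    static void Main()
    {
        int days = GetTombstoneLifetimeDays("dc01.example.com");
        Console.WriteLine("tombstoneLifetime: {0} days", days);
        Console.WriteLine("30-day separation within window: {0}", GapIsSafe(days, 30));
    }
}
```

Raising the value, as Al suggests, is a write to the same tombstoneLifetime attribute on the same object; it is left out here so that the example stays a read-only check that can be run against a production forest without changing it.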