[ActiveDir] OT (sorta) More options on protecting against recent IE vulnerabilities on a domain
If you are looking for options for the recent IE zero-day stuff:
http://msinfluentials.com/blogs/jesper/archive/2006/09/22/More-options-on-protecting-against-the-VML-vulnerability-on-a-domain.aspx

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Replication Problems and Tombstoned Objects
Can you dump the objectclass attribute on the deleted object mentioned in the error on one of the source servers and a destination server? The second error code in the internal error event log seems to indicate that the objectclass is being updated with a value that is not a subclass.

C:\tools\err\Err>err 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS                                winerror.h
# The specified class is not a subclass.
# 1 matches found for "20b4"

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 1:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Correction, 10 domain controllers in 9 sites.

From: WATSON, BEN
Sent: Friday, September 22, 2006 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Basic info and troubleshooting I've done to gather symptom information...

We are running a single forest, single domain Windows 2000 environment (I know, I know, I'm in the process of getting this upgraded to Win2k3 R2) with 9 domain controllers and 8 sites. Three of the sites are hub sites, and each hub site has 2 spoke sites. Our main hub site has 2 domain controllers, and all other remote sites have a single domain controller.

The replication issues are actually affecting an entire site, unfortunately our main hub site (the one with 2 domain controllers). Oddly enough, it's not Domain Controller specific, the problem is actually site specific, and even more specifically, it's only affecting replication traffic OUTBOUND from the site. Inbound replication traffic works fine, as does replication between the two domain controllers inside the site.

At first, I thought the domain controller that was acting as a Bridgehead for our site was having issues, so I forced the other domain controller in the site to be the preferred bridgehead server, deleted all the connection objects, and allowed the KCC to recreate the connection objects. It did this properly. I then attempted to force replication to take place, and the same symptoms still persisted even though it was a completely different domain controller attempting to perform the intersite replication.

Here are the results of performing a "REPADMIN /REPLADMIN /BYSRC /BYDEST /SORT:DELTA" command. Appsig-AV and Appsig-AD are the two domain controllers in the problem site. Appsig-AD was the original DC that began showing problems in the site, and Appsig-AV is the domain controller I switched over to test intersite replication using a different DC.

Replication Summary Start Time: 2006-09-22 21:59:43

Beginning data collection for replication summary, this may take awhile:
  .

Source DC           largest delta    fails/total  %%   error
 APPSIG-MDOPC            14m:06s     0 /  18     0
 APPSIG-LAOPC            10m:09s     0 /  12     0
 APPSIG-TXOPC            09m:52s     0 /   3     0
 APPSIG-OCOPC            09m:52s     0 /   3     0
 APPSIG-OROPC            02m:48s     0 /   6     0
 APPSIG-UTOPC            02m:46s     0 /   6     0
 APPSIG-DCOPC            02m:08s     0 /   3     0
 APPSIG-VAOPC            02m:08s     0 /   3     0
 APPSIG-AV             (unknown)     4 /  15    26  (8442) The replication system encountered an internal error.
 APPSIG-AD             (unknown)     4 /  15    26  (8442) The replication system encountered an internal error.

Destination DC      largest delta    fails/total  %%   error
 APPSIG-VAOPC            14m:12s     0 /   3     0
 APPSIG-TXOPC            10m:12s     0 /   3     0
 APPSIG-DCOPC            07m:42s     0 /   3     0
 APPSIG-OCOPC            07m:07s     0 /   3     0
 APPSIG-AD               04m:33s     0 /   3     0
 APPSIG-AV               02m:50s     0 /  15     0
 APPSIG-LAOPC          (unknown)     2 /  15    13  (8442) The replication system encountered an internal error.
 APPSIG-UTOPC          (unknown)     2 /   9    22  (8442) The replication system encountered an internal error.
 APPSIG-MDOPC          (unknown)     2 /  21     9  (8442) The replication system encountered an internal error.
 APPSIG-OROPC          (unknown)     2 /   9    22  (8442) The replication system encountered an internal error.

Now on to event log errors and warnings in the Directory Service event log. Oddly enough, the domain controllers in the problem site show no real errors or warnings to speak of. However, the domain controllers that have direct site connections to this site have plenty of errors when trying to replicate from these sites. I'm showing 4 errors/warnings when replication is attempted. Here are the errors/events after making the registry changes Steve sugges
RE: [ActiveDir] Replication Problems and Tombstoned Objects
Correction, 10 domain controllers in 9 sites.

From: WATSON, BEN
Sent: Friday, September 22, 2006 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Basic info and troubleshooting I've done to gather symptom information...

We are running a single forest, single domain Windows 2000 environment (I know, I know, I'm in the process of getting this upgraded to Win2k3 R2) with 9 domain controllers and 8 sites. Three of the sites are hub sites, and each hub site has 2 spoke sites. Our main hub site has 2 domain controllers, and all other remote sites have a single domain controller.

The replication issues are actually affecting an entire site, unfortunately our main hub site (the one with 2 domain controllers). Oddly enough, it's not Domain Controller specific, the problem is actually site specific, and even more specifically, it's only affecting replication traffic OUTBOUND from the site. Inbound replication traffic works fine, as does replication between the two domain controllers inside the site.

At first, I thought the domain controller that was acting as a Bridgehead for our site was having issues, so I forced the other domain controller in the site to be the preferred bridgehead server, deleted all the connection objects, and allowed the KCC to recreate the connection objects. It did this properly. I then attempted to force replication to take place, and the same symptoms still persisted even though it was a completely different domain controller attempting to perform the intersite replication.

Here are the results of performing a "REPADMIN /REPLADMIN /BYSRC /BYDEST /SORT:DELTA" command. Appsig-AV and Appsig-AD are the two domain controllers in the problem site. Appsig-AD was the original DC that began showing problems in the site, and Appsig-AV is the domain controller I switched over to test intersite replication using a different DC.

Replication Summary Start Time: 2006-09-22 21:59:43

Beginning data collection for replication summary, this may take awhile:
  .

Source DC           largest delta    fails/total  %%   error
 APPSIG-MDOPC            14m:06s     0 /  18     0
 APPSIG-LAOPC            10m:09s     0 /  12     0
 APPSIG-TXOPC            09m:52s     0 /   3     0
 APPSIG-OCOPC            09m:52s     0 /   3     0
 APPSIG-OROPC            02m:48s     0 /   6     0
 APPSIG-UTOPC            02m:46s     0 /   6     0
 APPSIG-DCOPC            02m:08s     0 /   3     0
 APPSIG-VAOPC            02m:08s     0 /   3     0
 APPSIG-AV             (unknown)     4 /  15    26  (8442) The replication system encountered an internal error.
 APPSIG-AD             (unknown)     4 /  15    26  (8442) The replication system encountered an internal error.

Destination DC      largest delta    fails/total  %%   error
 APPSIG-VAOPC            14m:12s     0 /   3     0
 APPSIG-TXOPC            10m:12s     0 /   3     0
 APPSIG-DCOPC            07m:42s     0 /   3     0
 APPSIG-OCOPC            07m:07s     0 /   3     0
 APPSIG-AD               04m:33s     0 /   3     0
 APPSIG-AV               02m:50s     0 /  15     0
 APPSIG-LAOPC          (unknown)     2 /  15    13  (8442) The replication system encountered an internal error.
 APPSIG-UTOPC          (unknown)     2 /   9    22  (8442) The replication system encountered an internal error.
 APPSIG-MDOPC          (unknown)     2 /  21     9  (8442) The replication system encountered an internal error.
 APPSIG-OROPC          (unknown)     2 /   9    22  (8442) The replication system encountered an internal error.

Now on to event log errors and warnings in the Directory Service event log. Oddly enough, the domain controllers in the problem site show no real errors or warnings to speak of. However, the domain controllers that have direct site connections to this site have plenty of errors when trying to replicate from these sites. I'm showing 4 errors/warnings when replication is attempted. Here are the errors/events after making the registry changes Steve suggested.

Event ID: 1173 - Category: Internal Processing - Type: Warning
Internal event: Exception e0010002 has occurred with parameters 8442 and 20b4 (Internal ID 3050bdc).

Event ID: 1084 - Category: Replication - Type: Error
Replication error: The directory replication agent (DRA) couldn't update object CN="InfowebAccessDEL:e988-616b-4944-bbe1-c8265cf4cc89",CN=Deleted Objects,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89) on this system with changes which have been received from source server e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error occurred during the application of the changes to the directory database on this system. The error message is: The replication system encountered an in
RE: [ActiveDir] Replication Problems and Tombstoned Objects
Basic info and troubleshooting I've done to gather symptom information...

We are running a single forest, single domain Windows 2000 environment (I know, I know, I'm in the process of getting this upgraded to Win2k3 R2) with 9 domain controllers and 8 sites. Three of the sites are hub sites, and each hub site has 2 spoke sites. Our main hub site has 2 domain controllers, and all other remote sites have a single domain controller.

The replication issues are actually affecting an entire site, unfortunately our main hub site (the one with 2 domain controllers). Oddly enough, it's not Domain Controller specific, the problem is actually site specific, and even more specifically, it's only affecting replication traffic OUTBOUND from the site. Inbound replication traffic works fine, as does replication between the two domain controllers inside the site.

At first, I thought the domain controller that was acting as a Bridgehead for our site was having issues, so I forced the other domain controller in the site to be the preferred bridgehead server, deleted all the connection objects, and allowed the KCC to recreate the connection objects. It did this properly. I then attempted to force replication to take place, and the same symptoms still persisted even though it was a completely different domain controller attempting to perform the intersite replication.

Here are the results of performing a "REPADMIN /REPLADMIN /BYSRC /BYDEST /SORT:DELTA" command. Appsig-AV and Appsig-AD are the two domain controllers in the problem site. Appsig-AD was the original DC that began showing problems in the site, and Appsig-AV is the domain controller I switched over to test intersite replication using a different DC.

Replication Summary Start Time: 2006-09-22 21:59:43

Beginning data collection for replication summary, this may take awhile:
  .

Source DC           largest delta    fails/total  %%   error
 APPSIG-MDOPC            14m:06s     0 /  18     0
 APPSIG-LAOPC            10m:09s     0 /  12     0
 APPSIG-TXOPC            09m:52s     0 /   3     0
 APPSIG-OCOPC            09m:52s     0 /   3     0
 APPSIG-OROPC            02m:48s     0 /   6     0
 APPSIG-UTOPC            02m:46s     0 /   6     0
 APPSIG-DCOPC            02m:08s     0 /   3     0
 APPSIG-VAOPC            02m:08s     0 /   3     0
 APPSIG-AV             (unknown)     4 /  15    26  (8442) The replication system encountered an internal error.
 APPSIG-AD             (unknown)     4 /  15    26  (8442) The replication system encountered an internal error.

Destination DC      largest delta    fails/total  %%   error
 APPSIG-VAOPC            14m:12s     0 /   3     0
 APPSIG-TXOPC            10m:12s     0 /   3     0
 APPSIG-DCOPC            07m:42s     0 /   3     0
 APPSIG-OCOPC            07m:07s     0 /   3     0
 APPSIG-AD               04m:33s     0 /   3     0
 APPSIG-AV               02m:50s     0 /  15     0
 APPSIG-LAOPC          (unknown)     2 /  15    13  (8442) The replication system encountered an internal error.
 APPSIG-UTOPC          (unknown)     2 /   9    22  (8442) The replication system encountered an internal error.
 APPSIG-MDOPC          (unknown)     2 /  21     9  (8442) The replication system encountered an internal error.
 APPSIG-OROPC          (unknown)     2 /   9    22  (8442) The replication system encountered an internal error.

Now on to event log errors and warnings in the Directory Service event log. Oddly enough, the domain controllers in the problem site show no real errors or warnings to speak of. However, the domain controllers that have direct site connections to this site have plenty of errors when trying to replicate from these sites. I'm showing 4 errors/warnings when replication is attempted. Here are the errors/events after making the registry changes Steve suggested.

Event ID: 1173 - Category: Internal Processing - Type: Warning
Internal event: Exception e0010002 has occurred with parameters 8442 and 20b4 (Internal ID 3050bdc).

Event ID: 1084 - Category: Replication - Type: Error
Replication error: The directory replication agent (DRA) couldn't update object CN="InfowebAccessDEL:e988-616b-4944-bbe1-c8265cf4cc89",CN=Deleted Objects,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89) on this system with changes which have been received from source server e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error occurred during the application of the changes to the directory database on this system. The error message is: The replication system encountered an internal error. The directory will try to update the object later on the next replication cycle. Synchronization of this server with the source is effectively blocked until the update problem is corrected. If this condition appears to be related to a resource shortage, please stop and restart this Windows Domain Controller. If this condition is an internal error,
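The summary Ben pasted is the kind of output worth parsing on a schedule rather than reading by eye, so failing partners and their error codes surface before a tombstone lifetime runs out. The following is an added example for this thread, not a script from Ben, Steve, or Microsoft: it reads repadmin-style replication summary text, returns the rows whose fails count is non-zero, and maps the decimal error code to its winerror.h symbol the way Steve's err.exe lookup does (8442 is ERROR_DS_DRA_INTERNAL_ERROR; 20b4/8372 is ERROR_DS_OBJ_CLASS_NOT_SUBCLASS, as on the page). The column layout of SAMPLE is Ben's data re-laid out in the assumed columnar form repadmin prints; "Source DSA"/"Destination DSA" headers are accepted as well for newer repadmin builds.

```python
"""Parse 'repadmin /replsummary'-style output and surface the failing partners.

Added example for this thread; not a script from any poster and not a
Microsoft tool.  SAMPLE is Ben's summary re-laid out in the assumed columnar
form repadmin prints (constructed sample input).
"""
import re
from typing import Dict, List, Optional, Union

SAMPLE = """\
Replication Summary Start Time: 2006-09-22 21:59:43

Beginning data collection for replication summary, this may take awhile:
  ..........

Source DC           largest delta    fails/total  %%   error
 APPSIG-MDOPC            14m:06s     0 /  18     0
 APPSIG-LAOPC            10m:09s     0 /  12     0
 APPSIG-AV             (unknown)     4 /  15    26  (8442) The replication system encountered an internal error.
 APPSIG-AD             (unknown)     4 /  15    26  (8442) The replication system encountered an internal error.

Destination DC      largest delta    fails/total  %%   error
 APPSIG-VAOPC            14m:12s     0 /   3     0
 APPSIG-AV               02m:50s     0 /  15     0
 APPSIG-LAOPC          (unknown)     2 /  15    13  (8442) The replication system encountered an internal error.
 APPSIG-MDOPC          (unknown)     2 /  21     9  (8442) The replication system encountered an internal error.
"""

# One data row: DC name, largest delta ("14m:06s" or "(unknown)"), fails, total,
# percent, and on failing rows an optional "(code) message" tail.
ROW = re.compile(
    r"^\s*(?P<dc>\S+)\s+(?P<delta>\S+)\s+(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+"
    r"(?P<pct>\d+)(?:\s+\((?P<code>\d+)\)\s*(?P<msg>.*?))?\s*$"
)

# Decimal Win32 codes seen in this thread, with their winerror.h symbols.
KNOWN_CODES = {
    8442: "ERROR_DS_DRA_INTERNAL_ERROR",      # "The replication system encountered an internal error."
    8372: "ERROR_DS_OBJ_CLASS_NOT_SUBCLASS",  # 0x20b4, the second parameter of event 1173
}


def lookup_code(code: Union[int, str]) -> str:
    """Map a decimal code, or the hex form event 1173 prints ('20b4'), to its symbol."""
    n = int(code, 16) if isinstance(code, str) else code
    return KNOWN_CODES.get(n, "unknown (look the hex value up with err.exe)")


def parse_replsummary(text: str) -> Dict[str, List[dict]]:
    """Return {'source': rows, 'destination': rows}; the header lines select the section."""
    sections: Dict[str, List[dict]] = {"source": [], "destination": []}
    current: Optional[str] = None
    for line in text.splitlines():
        head = line.strip().lower()
        if head.startswith(("source dc", "source dsa")):
            current = "source"
            continue
        if head.startswith(("destination dc", "destination dsa")):
            current = "destination"
            continue
        m = ROW.match(line)
        if current is None or m is None:
            continue  # banner, blank, or progress-dots line
        row = m.groupdict()
        for key in ("fails", "total", "pct"):
            row[key] = int(row[key])
        row["code"] = int(row["code"]) if row["code"] else None
        row["msg"] = (row["msg"] or "").strip()
        sections[current].append(row)
    return sections


def failing_partners(text: str) -> List[dict]:
    """Rows with at least one failed attempt, annotated with the symbolic error name."""
    findings = []
    for role, rows in parse_replsummary(text).items():
        for row in rows:
            if row["fails"] == 0:
                continue
            findings.append({
                "role": role, "dc": row["dc"], "fails": row["fails"],
                "total": row["total"], "code": row["code"],
                "symbol": lookup_code(row["code"]) if row["code"] is not None else "none",
                "message": row["msg"],
            })
    return findings


if __name__ == "__main__":
    for finding in failing_partners(SAMPLE):
        print(f"{finding['role']:<11} {finding['dc']:<13} {finding['fails']}/{finding['total']} "
              f"{finding['code']} {finding['symbol']}: {finding['message']}")
```

Feed it the saved output of the real command on a DC and alert on a non-empty result; the role field tells you whether the DC is failing as a source (outbound, Ben's case) or as a destination.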
Re: [ActiveDir]SUBDOMAIN AND LDAP
Although I do tend to agree that LDAP does not define a good authentication protocol at all, it is definitely the case that LDAP is used as an authentication mechanism all over the place. I also don't think there is really anything wrong with using it for that per se, as long as it is used correctly.

Specifically, it is the LDAP bind operation that is typically used for authentication. The only real problem with using LDAP bind to authenticate a user is that the only binding mechanism defined directly by the LDAP V3 spec is the simple bind. Simple bind is not secure by itself because it passes the user's plaintext credentials over the wire. That is ultra bad, as any snooper can easily recover the user's password. However, when LDAP simple bind is combined with channel level encryption such as SSL, it really isn't that bad. :)

Sure, I'd rather use Kerberos, but that isn't always an option. I've heard a few security experts suggest that you are actually safer using HTTP basic authentication with SSL over using NTLM auth over HTTP with no SSL. NTLM is actually that easy to hack. And NTLM actually IS an authentication protocol (albeit a dated, deprecated protocol that we still can't seem to get rid of in Windows over 6 years after it fell out of favor over Kerberos).

When using ADAM as an identity store, the primary means you have available to you to authenticate your ADAM users is LDAP simple bind (although digest auth is available if the client knows how to speak it; most don't). If you want to use the fast concurrent bind feature of ADAM or AD, simple bind is the only supported authentication mechanism. The real key is to ensure that simple bind is always combined with SSL (or some other transport layer security like IPSEC). I'd actually love to see an option in AD and ADAM that would only allow simple bind on a secure channel. I think that would be a good product feature, although it would probably have to be off by default.

I don't expect to see lots of third party apps moving away from LDAP bind as an authentication mechanism until something else more universal rises up to replace it. I'm hoping that's WS-Federation/WS-Trust, but somehow I doubt we'll see that very soon. :)

Joe K.

----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To:
Sent: Friday, September 22, 2006 8:07 PM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP

The first thing I would say, and I am shocked Al didn't say, is LDAP IS NOT AN AUTHENTICATION PROTOCOL. For the managers and vendors let me repeat ;o) LDAP IS NOT AN AUTHENTICATION PROTOCOL.

LDAP has to authenticate as a part of giving secure access to data but that doesn't make it an authentication protocol. A file server has to authenticate you in some way shape or form for you to safely access files too; I don't see people stumbling over themselves to use that as an authentication protocol. The only reason this comes in from the *NIX world like this is because Kerberos can be a serious pain in the ass there. Tough, use a real authentication protocol. If the vendor is using it to authenticate and that is all they are doing my comment to them is get off your ass and use a real auth protocol and with Windows the proper auth protocol is Kerberos. Most Windows folks don't even have a clue to the technical depth and complexity of Kerberos because Microsoft did such a bang up job of burying the details for most things Windows. So if someone doesn't use it, that is their issue, not Microsoft's.

Following up of course with the things JoeK said which I fully concur with. If using LDAP to authenticate though, where in the tree you poke doesn't matter, as long as the user is a member of that forest, if you specify their ID and their password, it will authenticate them by passing the traffic to whatever DC is required. However, the app should be smart enough to ask the proper DC out of the box. And when you specify the ID, specify either UPN or Domain\UserID, do not use DN. Why? Because DNs change, and if you allow the apps to say you have to stick with a certain DN then you have lost a bunch of flexibility of AD.

Finally, if they don't do basic things like this right, I wonder what your chances are that they do harder things like attribute ranging and paging right. AD is an extremely robust directory service and has tons of failover and location services built into it. It has been out for 6 years in production now, much longer in beta phases, etc and if apps still don't know what they are doing with it I would greatly question the programmers and the vendor. It is outright stupid to make your robust directory lower itself to the standards of a poorly written app. If the app requires any of the following:

1. Fixed DNs
2. All users under a single base
3. someone to change the ranging values
4. someone to change the paging values
5. a fixed hostname
6. Non-nested groups
7. etc etc etc
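Joe K.'s point that a simple bind carries the plaintext password, and his wish for a server option that only allows simple bind on a secure channel, are both easy to make concrete at the protocol level. The following is an added example, not code from any poster and not a real LDAP library: it encodes an RFC 4511 BindRequest with a minimal BER encoder, decodes a captured one back, and applies the policy a defender would want (simple bind accepted only when the transport is TLS/IPsec-protected). It goes one step beyond the post by also decoding the SASL form of the bind, so the audit can tell the two apart. The user name, password, the `encode_sasl_bind` first-leg helper and the `audit_bind` policy are constructed for illustration.

```python
"""Minimal BER encoder/decoder for the LDAPv3 BindRequest (RFC 4511), used to
show why a simple bind must only travel over an encrypted transport.

Added example for this thread; not code from any poster and not a real LDAP
library.  Names, passwords and the audit policy are constructed.
"""
from typing import Tuple


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement encoding for non-negative n."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    bind = (_ber_int(3)
            + _tlv(0x04, name.encode("utf-8"))        # OCTET STRING: DN or UPN
            + _tlv(0x80, password.encode("utf-8")))   # [0] simple: the password, verbatim
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))  # SEQUENCE / [APPLICATION 0]


def encode_sasl_bind(message_id: int, name: str, mechanism: str) -> bytes:
    """Same message with AuthenticationChoice sasl [3]; first leg only, no credentials (constructed)."""
    bind = (_ber_int(3) + _tlv(0x04, name.encode("utf-8"))
            + _tlv(0xA3, _tlv(0x04, mechanism.encode("utf-8"))))  # [3] SaslCredentials { mechanism }
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, offset after the element) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, off = first, off + 2
    else:
        n = first & 0x7F
        length, off = int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n
    return tag, buf[off:off + length], off + length


def decode_bind_request(raw: bytes) -> dict:
    """Parse a captured BindRequest; for a simple bind the password is right there in the bytes."""
    tag, msg, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, off = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, off)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, off = _read_tlv(bind, 0)
    _, name, off = _read_tlv(bind, off)
    atag, auth, _ = _read_tlv(bind, off)
    info = {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big"), "name": name.decode("utf-8")}
    if atag == 0x80:                       # simple [0] OCTET STRING
        info.update(method="simple", password=auth.decode("utf-8"))
    elif atag == 0xA3:                     # sasl [3] SEQUENCE { mechanism, credentials OPTIONAL }
        _, mech, _ = _read_tlv(auth, 0)
        info.update(method="sasl", mechanism=mech.decode("utf-8"))
    else:
        raise ValueError(f"unexpected AuthenticationChoice tag 0x{atag:02x}")
    return info


def audit_bind(raw: bytes, transport_encrypted: bool) -> dict:
    """The check Joe K. wishes the server enforced: simple bind only on a secure channel."""
    info = decode_bind_request(raw)
    exposed = info["method"] == "simple" and not transport_encrypted
    return {"name": info["name"], "method": info["method"],
            "credentials_exposed": exposed,
            "verdict": "REJECT: simple bind without TLS/IPsec" if exposed else "ok"}


if __name__ == "__main__":
    req = encode_simple_bind(1, "user@example.com", "s3cret")   # constructed credentials
    print(req.hex())                                             # the password is visible in here
    print(audit_bind(req, transport_encrypted=False))
    print(audit_bind(req, transport_encrypted=True))
```

The `transport_encrypted` flag stands in for what a real check would derive from the socket (LDAPS on 636, a completed StartTLS, or an IPsec SA); the decoder itself is the same either way, which is the whole point: nothing in the bind operation protects the password, only the channel does.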
RE: [ActiveDir] Replication Problems and Tombstoned Objects
You could also turn up additional logging which would give more details as to what the internal error is. I would suggest starting with the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

1. Locate the "5 Replication Events" value under the above key.
2. On the Edit menu, click DWORD, type 4, and then click OK.
3. Locate the "9 Internal Processing" value under the same key.
4. On the Edit menu, click DWORD, type 1, and then click OK.

After you do this post the full event text for the error and any additional replication or internal processing errors. I would expect to get back an Exception value with parameters and an internal id. These can be used to determine what is causing the problem.

To answer your original question the tombstoned object will only be removed once the tombstone lifetime is reached and garbage collection has run. I would not recommend changing the tombstone lifetime to correct this as it is forest wide and can lead to more serious problems than you currently have. We should be able to determine the cause of the internal error and correct it without taking such risky and drastic measures.

Thanks,
-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Friday, September 22, 2006 9:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

What event id are you seeing associated with this error?

Vinnie Cardona
Systems Administrator
Ernest Health, Inc
Information Technology Dept
505.798.6472

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, September 22, 2006 6:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Problems and Tombstoned Objects

Our forest is currently experiencing some replication issues. The common error we have been receiving has revolved around a single object.

To summarize, how do you permanently delete Active Directory objects? More specifically, how do you remove an object that is already tombstoned?

Here is why I need to do this, here is the full error...

---
Replication error: The directory replication agent (DRA) couldn't update object CN=InfowebAccess,OU=InfowebGroups,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89) on this system with changes which have been received from source server e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error occurred during the application of the changes to the directory database on this system. The error message is: The replication system encountered an internal error. The directory will try to update the object later on the next replication cycle. Synchronization of this server with the source is effectively blocked until the update problem is corrected. If this condition appears to be related to a resource shortage, please stop and restart this Windows Domain Controller. If this condition is an internal error, a database error, or an object relationship or constraint error, manual intervention will be required to correct the database and allow the update to proceed. It is valuable to note that the problem is caused by the fact that the change on the remote system cannot be applied locally. Manually updating the objects on the local system in not recommended. Instead, on the source system (which has the changes already), try to reverse or back out the change. Then, on the next replication cycle, observe whether the change can now be applied locally. The record data is the status code.
---

After I deleted this object, I continue to get the same error, except it now references the deleted (tombstoned) object as a roadblock.

---
Replication error: The directory replication agent (DRA) couldn't update object CN="InfowebAccess DEL:e988-616b-4944-bbe1-c8265cf4cc89",CN=Deleted Objects,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89) etc... (same as error above)
---

What would be the proper method to permanently remove a tombstoned object? If I'm following the error messages, then removing the object permanently should (hopefully) resolve the issues.

Thanks,
~Ben
Re: [ActiveDir] Conditional Forward to a Reverse Zone - Acceptable?
I meant to type "10.in-addr.arpa", but you get the idea.

On Fri, 22 Sep 2006 20:23:57 -0700, "RM" <[EMAIL PROTECTED]> said:

The GUI will let me add a conditional forward to a 10.in-addr-arpa zone on another box and it changes the name to "10.x.x.x subnet". However, it won't let me edit the forward later. Is this a hack, or is it supported?

Thx, RM
[ActiveDir] Conditional Forward to a Reverse Zone - Acceptable?
The GUI will let me add a conditional forward to a 10.in-addr-arpa zone on another box and it changes the name to "10.x.x.x subnet". However, it won't let me edit the forward later. Is this a hack, or is it supported?

Thx, RM
RE: [ActiveDir] Replication Problems and Tombstoned Objects
What event id are you seeing associated with this error?

Vinnie Cardona
Systems Administrator
Ernest Health, Inc
Information Technology Dept
505.798.6472

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, September 22, 2006 6:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Problems and Tombstoned Objects

Our forest is currently experiencing some replication issues. The common error we have been receiving has revolved around a single object.

To summarize, how do you permanently delete Active Directory objects? More specifically, how do you remove an object that is already tombstoned?

Here is why I need to do this, here is the full error...

---
Replication error: The directory replication agent (DRA) couldn't update object CN=InfowebAccess,OU=InfowebGroups,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89) on this system with changes which have been received from source server e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error occurred during the application of the changes to the directory database on this system. The error message is: The replication system encountered an internal error. The directory will try to update the object later on the next replication cycle. Synchronization of this server with the source is effectively blocked until the update problem is corrected. If this condition appears to be related to a resource shortage, please stop and restart this Windows Domain Controller. If this condition is an internal error, a database error, or an object relationship or constraint error, manual intervention will be required to correct the database and allow the update to proceed. It is valuable to note that the problem is caused by the fact that the change on the remote system cannot be applied locally. Manually updating the objects on the local system in not recommended. Instead, on the source system (which has the changes already), try to reverse or back out the change. Then, on the next replication cycle, observe whether the change can now be applied locally. The record data is the status code.
---

After I deleted this object, I continue to get the same error, except it now references the deleted (tombstoned) object as a roadblock.

---
Replication error: The directory replication agent (DRA) couldn't update object CN="InfowebAccess DEL:e988-616b-4944-bbe1-c8265cf4cc89",CN=Deleted Objects,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89) etc... (same as error above)
---

What would be the proper method to permanently remove a tombstoned object? If I'm following the error messages, then removing the object permanently should (hopefully) resolve the issues.

Thanks,
~Ben
RE: [ActiveDir]SUBDOMAIN AND LDAP
LOL. You should have sent this before I started typing. ;o) Why wasn't it in your first answer? You always take that one right out in the first paragraph, and when I read your response I was like, hey, who the heck are you?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, September 22, 2006 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

I won't put words in his mouth either, but I'll certainly say the same thing. I had to hold back a shudder when I responded earlier 'cause ldap and authentication might be ok in the same paragraph, but never in the same sentence (except to point out that it should not be in the same sentence :)

Would it work if you used the parent domain in a contiguous namespace design? Depends on how they wrote the code. If it won't follow referrals then likely it will fail. Try the GC (that is so lame a workaround, but it'll likely work) as Joe suggests and at the same time push back on the vendor to get it right or give you your money back, else give you a more solid workaround (ADAM?)

There. Nothing for joe to tell them about fixing their lame app.

-ajm

On 9/22/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:

You might have them try to work with the GC. You should be able to authenticate and find users from any domain via the GC. I think Joe Richards might also suggest that the vendor learn what they are doing and either integrate with AD the right way or don't claim they can. I'll bet they need to talk to a specific domain controller too. I won't put words in Joe's mouth though. :)

Joe

----- Original Message -----
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Friday, September 22, 2006 3:41 PM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP

The application designer is telling me it can only be configured for one source of authentication, so if they use the domain level authentication will that allow it to authenticate users in the subdomain? I.e. domain.com, child.domain.com. If I point the application to use domain.com as authentication source will that also authenticate users from the child domain?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, September 22, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

sub-domain query base: dc=subdomain,dc=domain,dc=com
domain query base: dc=domain,dc=com

When the search is initiated, it will start looking at the query base and, if so configured, everything below it (subtree search). In your case, that won't likely happen depending on how you configured it. If you instead change your query base to dc=domain,dc=com (assuming you have a contiguous namespace) then you may get different results.

Testing. You can use ldp, adfind, or any other ldap client if your app doesn't have that functionality built in. Since you're security conscious, be mindful of the cert and the ports you're using during your testing :)

Permissions? That depends on your configuration and your versions. Windows 2000 is pretty much open for searches while 2003 requires authenticated users by default.

Al

On 9/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Hi,

I have an application that uses LDAP to authenticate (authenticates against AD). In my AD I have a domain and subdomain or child domain. I assume that both domain and subdomain use the same LDAP, right? Also, if the application is using a user from the subdomain to query the LDAP, what kind of access will that user have to have to authenticate users at the main domain level?

Basically, the application is authenticating fine the users from the subdomain but can't find the users from the main domain...

Thanks for any advice.

Rezuma
RE: [ActiveDir]SUBDOMAIN AND LDAP
The first thing I would say and I am shocked Al didn't say is LDAP IS NOT AN AUTHENTICATION PROTOCOL

For the managers and vendors let me repeat ;o)

LDAP IS NOT AN AUTHENTICATION PROTOCOL

LDAP has to authenticate as a part of giving secure access to data but that doesn't make it an authentication protocol. A file server has to authenticate you in some way shape or form for you to safely access files too; I don't see people stumbling over themselves to use that as an authentication protocol. The only reason this comes in from the *NIX world like this is because Kerberos can be a serious pain in the ass there. Tough, use a real authentication protocol. If the vendor is using it to authenticate and that is all they are doing my comment to them is get off your ass and use a real auth protocol and with Windows the proper auth protocol is Kerberos. Most Windows folks don't even have a clue to the technical depth and complexity of Kerberos because Microsoft did such a bang up job of burying the details for most things Windows. So if someone doesn't use it, that is their issue, not Microsoft's.

Following up of course with the things JoeK said which I fully concur with. If using LDAP to authenticate though, where in the tree you poke doesn't matter, as long as the user is a member of that forest, if you specify their ID and their password, it will authenticate them by passing the traffic to whatever DC is required. However, the app should be smart enough to ask the proper DC out of the box. And when you specify the ID, specify either UPN or Domain\UserID, do not use DN. Why? Because DNs change and if you allow the apps to say, you have to stick with a certain DN then you have lost a bunch of flexibility of AD.

Finally, if they don't do basic things like this right, I wonder what your chances are that they do harder things like attribute ranging and paging right. AD is an extremely robust directory service and has tons of failover and location services built into it. It has been out for 6 years in production now, much longer in beta phases, etc and if apps still don't know what they are doing with it I would greatly question the programmers and the vendor. It is outright stupid to make your robust directory lower itself to the standards of a poorly written app. If the app requires any of the following:

1. Fixed DNs
2. All users under a single base
3. someone to change the ranging values
4. someone to change the paging values
5. a fixed hostname
6. Non-nested groups
7. etc etc etc

Then really investigate that app because it is a pain in the ass. The only time you should be talking fixed hostnames versus auto service location is in the case of synchronization. That is the one case where it is a bit difficult to bounce between DCs but I have seen apps that can pull this off, though they are less efficient because they have to regather their bearings every time they jump DCs. Most applications do not have this issue. Especially apps doing basic auth/authz/data lookup.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Kaplan
Sent: Friday, September 22, 2006 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

You might have them try to work with the GC. You should be able to authenticate and find users from any domain via the GC. I think Joe Richards might also suggest that the vendor learn what they are doing and either integrate with AD the right way or don't claim they can. I'll bet they need to talk to a specific domain controller too. I won't put words in Joe's mouth though. :)

Joe

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Friday, September 22, 2006 3:41 PM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP

The application designer is telling me it can only be configured for one source of authentication, so if they use the domain level authentication will that allow to authenticate users in the subdomain?

I.e.
domain.com
child.domain.com

If I point the application to use domain.com as authentication source will that also authenticate users from the child domain?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, September 22, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

sub-domain query base: dc=subdomain,dc=domain,dc=com
domain query base: dc=domain,dc=com

When the search is initiated, it will start looking at the query base and, if so configured, everything below it (subtree search). In your case, that won't likely happen depending on how you configured it. If you instead change your query base to dc=domain,dc=com (assuming you have a contiguous namespace) then you may get different results.

Testing. You can use ldp, adfind, or any other ldap client if yo
Re: [ActiveDir] Replication Problems and Tombstoned Objects
After you fix the domain controller problem what do you see? You should not remove the item manually at this point because you seem to have a problem with that domain controller. Check the logs and correct what you see. If that doesn't help, then have a look at dcdiag /v output. Repadmin should also be helpful in diagnosing the problem, but I suspect you'll want to rebuild that DC.

How long have you been having replication issues in the forest? Longer than a few days right? How big is the forest? How many dc's and how many locations?

On 9/22/06, WATSON, BEN <[EMAIL PROTECTED]> wrote:

Our forest is currently experiencing some replication issues. The common error we have been receiving has revolved around a single object. To summarize, how do you permanently delete Active Directory objects? More specifically, how do you remove an object that is already tombstoned? Here is why I need to do this, here is the full error...

---
Replication error: The directory replication agent (DRA) couldn't update object CN=InfowebAccess,OU=InfowebGroups,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89) on this system with changes which have been received from source server e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error occurred during the application of the changes to the directory database on this system.

The error message is: The replication system encountered an internal error.

The directory will try to update the object later on the next replication cycle. Synchronization of this server with the source is effectively blocked until the update problem is corrected.

If this condition appears to be related to a resource shortage, please stop and restart this Windows Domain Controller. If this condition is an internal error, a database error, or an object relationship or constraint error, manual intervention will be required to correct the database and allow the update to proceed. It is valuable to note that the problem is caused by the fact that the change on the remote system cannot be applied locally. Manually updating the objects on the local system is not recommended. Instead, on the source system (which has the changes already), try to reverse or back out the change. Then, on the next replication cycle, observe whether the change can now be applied locally.

The record data is the status code.
---

After I deleted this object, I continue to get the same error, except it now references the deleted (tombstoned) object as a roadblock.

---
Replication error: The directory replication agent (DRA) couldn't update object CN="InfowebAccess DEL:e988-616b-4944-bbe1-c8265cf4cc89",CN=Deleted Objects,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89) etc... (same as error above)
---

What would be the proper method to permanently remove a tombstoned object? If I'm following the error messages, then removing the object permanently should (hopefully) resolve the issues.

Thanks,
~Ben

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir]SUBDOMAIN AND LDAP
I won't put words in his mouth either, but I'll certainly say the same thing. I had to hold back a shudder when I responded earlier 'cause ldap and authentication might be ok in the same paragraph, but never in the same sentence (except to point out that it should not be in the same sentence :)

Would it work if you used the parent domain in a contiguous namespace design? Depends on how they wrote the code. If it won't follow referrals then likely it will fail. Try the GC (that is so lame a workaround, but it'll likely work) as Joe suggests and at the same time push back on the vendor to get it right or give you your money back else give you a more solid workaround (ADAM?)

There. Nothing for joe to tell them about fixing their lame app.

-ajm

On 9/22/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:

You might have them try to work with the GC. You should be able to authenticate and find users from any domain via the GC. I think Joe Richards might also suggest that the vendor learn what they are doing and either integrate with AD the right way or don't claim they can. I'll bet they need to talk to a specific domain controller too. I won't put words in Joe's mouth though. :)

Joe

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Friday, September 22, 2006 3:41 PM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP

The application designer is telling me it can only be configured for one source of authentication, so if they use the domain level authentication will that allow to authenticate users in the subdomain?

I.e.
domain.com
child.domain.com

If I point the application to use domain.com as authentication source will that also authenticate users from the child domain?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, September 22, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

sub-domain query base: dc=subdomain,dc=domain,dc=com
domain query base: dc=domain,dc=com

When the search is initiated, it will start looking at the query base and, if so configured, everything below it (subtree search). In your case, that won't likely happen depending on how you configured it. If you instead change your query base to dc=domain,dc=com (assuming you have a contiguous namespace) then you may get different results.

Testing. You can use ldp, adfind, or any other ldap client if your app doesn't have that functionality built in. Since you're security conscious, be mindful of the cert and the ports you're using during your testing :)

Permissions? That depends on your configuration and your versions. Windows 2000 is pretty much open for searches while 2003 requires authenticated users by default.

Al

On 9/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Hi,

I have an application that uses LDAP to authenticate (authenticates against AD). In my AD I have a domain and subdomain or child domain. I assume that both domain and subdomain use the same LDAP, right?

Also, if the application is using a user from the subdomain to query the LDAP, what kind of access will that user have to have to authenticate users at the main domain level. Basically, the application is authenticating fine the users from the subdomain but can't find the users from the main domain...

Thanks for any advice.

Rezuma
RE: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC
What is the rev of the DC? Using RPC Dump do you see "MS NT Directory NSP Interface" interfaces listed?

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 22, 2006 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

Yeah, I thought so, thanks for the info. The damn thing is that Exchange still throws event 9176:

Event ID 9176 from MSExchangeSA occurred 1 times (NSPI Proxy can contact Global Catalog "servername" but it does not support the NSPI service. After a Domain Controller is promoted to a Global Catalog, the Global Catalog must be rebooted to support MAPI Clients. Reboot "servernamerio" as soon as possible.

- Original Message -
From: joe <[EMAIL PROTECTED]>
Date: Friday, September 22, 2006 4:38 pm
Subject: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

> This is no longer necessary with current revs of AD. It was necessary
> previously to get the NSPI functionality to fire up. Now it does that
> automagically.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of victor-[EMAIL PROTECTED]
> Sent: Friday, September 22, 2006 10:31 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC
>
> A question came up whether or not a reboot is really necessary after a
> DC has been made GC and Exchange would need to use this GC.
>
> I have worked in a pretty large environment (at least to my standards :-)).
> Where DC's did not get rebooted after having been made GC's. The
> AD admins simply waited until event 1119 appeared.
>
> I have read the following article which indicates a reboot is necessary
> if you have Exchange in the environment.
>
> http://support.microsoft.com/kb/304403/
>
> But is this really still necessary with Exchange 2003 SP2 and Windows
> 2003 SP1?
>
> Cheers,
>
> Victor
Re: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses
Of course you know that stuff with addressing. I'm certainly interested in hearing what you hear from them, but I have to admit I completely expected the IIFP to do that work. Its intended purpose is to join Exchange orgs in the first place and I'd totally expect to have the addresses put in by that product straight out of the box. Why x.500? 'Cause that's the preferred method vs. x.400.

I'll keep an eye out for the answer you get back 'cause now I'm crazy curious. :)

On 9/22/06, Tony Murray <[EMAIL PROTECTED]> wrote:

Thanks both of you. I understand the concept of X.500 addresses being useful for maintaining the ability to reply to senders whose mailbox has moved elsewhere. It doesn't explain why:

A) they are required for the IIFP. At a basic level I can manually emulate the GAL sync behaviour by creating a Contact object and assigning just an SMTP and X.400 address. Mail flow will work just fine without the need for an X.500 address;
B) each user object receives two X.500 addresses (one corresponding to each Exchange organisation);
C) the Contact objects also receive two X.500 addresses.

I'll run it past some of the guys and the product group and see what comes back.

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: Saturday, 23 September 2006 1:09 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses

Al Mulnick wrote:
> There's an additional reason you would want those addresses: replies
> to email will work with that address stamped on there. There was a
> blog entry last year related to x.500 addresses and their usage on
> "you had me at ehlo" or something like that.

Yes, that's the case - if something will be sent (for example reply) on this "second" address it will be delivered if You will have this X500 address. If You are using standard GAL scenario delivered with IIFP this is correct configuration.

I think AL is thinking about this post: http://msexchangeteam.com/archive/2004/03/24/95451.aspx

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
[ActiveDir] Replication Problems and Tombstoned Objects
Our forest is currently experiencing some replication issues. The common error we have been receiving has revolved around a single object. To summarize, how do you permanently delete Active Directory objects? More specifically, how do you remove an object that is already tombstoned? Here is why I need to do this, here is the full error...

---
Replication error: The directory replication agent (DRA) couldn't update object CN=InfowebAccess,OU=InfowebGroups,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89) on this system with changes which have been received from source server e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error occurred during the application of the changes to the directory database on this system.

The error message is: The replication system encountered an internal error.

The directory will try to update the object later on the next replication cycle. Synchronization of this server with the source is effectively blocked until the update problem is corrected.

If this condition appears to be related to a resource shortage, please stop and restart this Windows Domain Controller. If this condition is an internal error, a database error, or an object relationship or constraint error, manual intervention will be required to correct the database and allow the update to proceed. It is valuable to note that the problem is caused by the fact that the change on the remote system cannot be applied locally. Manually updating the objects on the local system is not recommended. Instead, on the source system (which has the changes already), try to reverse or back out the change. Then, on the next replication cycle, observe whether the change can now be applied locally.

The record data is the status code.
---

After I deleted this object, I continue to get the same error, except it now references the deleted (tombstoned) object as a roadblock.

---
Replication error: The directory replication agent (DRA) couldn't update object CN="InfowebAccess DEL:e988-616b-4944-bbe1-c8265cf4cc89",CN=Deleted Objects,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89) etc... (same as error above)
---

What would be the proper method to permanently remove a tombstoned object? If I'm following the error messages, then removing the object permanently should (hopefully) resolve the issues.

Thanks,
~Ben
RE: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses
Thanks both of you. I understand the concept of X.500 addresses being useful for maintaining the ability to reply to senders whose mailbox has moved elsewhere. It doesn't explain why:

A) they are required for the IIFP. At a basic level I can manually emulate the GAL sync behaviour by creating a Contact object and assigning just an SMTP and X.400 address. Mail flow will work just fine without the need for an X.500 address;
B) each user object receives two X.500 addresses (one corresponding to each Exchange organisation);
C) the Contact objects also receive two X.500 addresses.

I'll run it past some of the guys and the product group and see what comes back.

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: Saturday, 23 September 2006 1:09 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses

Al Mulnick wrote:
> There's an additional reason you would want those addresses: replies
> to email will work with that address stamped on there. There was a
> blog entry last year related to x.500 addresses and their usage on
> "you had me at ehlo" or something like that.

Yes, that's the case - if something will be sent (for example reply) on this "second" address it will be delivered if You will have this X500 address. If You are using standard GAL scenario delivered with IIFP this is correct configuration.

I think AL is thinking about this post: http://msexchangeteam.com/archive/2004/03/24/95451.aspx

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir]SUBDOMAIN AND LDAP
You might have them try to work with the GC. You should be able to authenticate and find users from any domain via the GC. I think Joe Richards might also suggest that the vendor learn what they are doing and either integrate with AD the right way or don't claim they can. I'll bet they need to talk to a specific domain controller too. I won't put words in Joe's mouth though. :)

Joe

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Friday, September 22, 2006 3:41 PM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP

The application designer is telling me it can only be configured for one source of authentication, so if they use the domain level authentication will that allow to authenticate users in the subdomain?

I.e.
domain.com
child.domain.com

If I point the application to use domain.com as authentication source will that also authenticate users from the child domain?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, September 22, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

sub-domain query base: dc=subdomain,dc=domain,dc=com
domain query base: dc=domain,dc=com

When the search is initiated, it will start looking at the query base and, if so configured, everything below it (subtree search). In your case, that won't likely happen depending on how you configured it. If you instead change your query base to dc=domain,dc=com (assuming you have a contiguous namespace) then you may get different results.

Testing. You can use ldp, adfind, or any other ldap client if your app doesn't have that functionality built in. Since you're security conscious, be mindful of the cert and the ports you're using during your testing :)

Permissions? That depends on your configuration and your versions. Windows 2000 is pretty much open for searches while 2003 requires authenticated users by default.

Al

On 9/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Hi,

I have an application that uses LDAP to authenticate (authenticates against AD). In my AD I have a domain and subdomain or child domain. I assume that both domain and subdomain use the same LDAP, right?

Also, if the application is using a user from the subdomain to query the LDAP, what kind of access will that user have to have to authenticate users at the main domain level. Basically, the application is authenticating fine the users from the subdomain but can't find the users from the main domain...

Thanks for any advice.

Rezuma
Re: [ActiveDir] Assign User rights overs computers with AD
Hey Dave. Do you mean separate trees under root "computers"? or Create different OU's for computers?

On 9/22/06, Al Mulnick <[EMAIL PROTECTED]> wrote:

Separate "Trees"? That seems a little excessive. Or are we just mixing terms?

On 9/21/06, Dave Wade <[EMAIL PROTECTED]> wrote:

I prefer to keep them in separate trees. In fact we are just doing that at present...

From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Thu 21/09/2006 17:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

Thanks for your help. Really useful. Is it a good practice to move computer objects to the OU where the user of the computer resides?

On 9/20/06, Dave Wade <[EMAIL PROTECTED]> wrote:

Alberto,

Even though we made our users "PowerUsers" we found that we needed to make a number of "tweaks" to cater for poorly written applications. I think we now have about a dozen settings for various ill-behaved applications. The majority of these are to cater for applications that write to places on the "C" drive (other than the windows folders, of course) where applications should not write. We also refreshed permissions on the "all users" profile to make sure users don't delete items from the "all users" desktop or start-menu. I guess the last thing to note is that we rolled the policy out in manageable chunks of PCs, say 100 at a time, so if there were issues we could cope with the service calls.

Hope this is useful,
Dave.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 20 September 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

You can, but I've yet to see it be so simple. The information you're looking for is "restricted groups" but I HIGHLY advise you to be careful and to TEST that prior to using it on your workstations. I also highly advise that you only apply that type of setting to workstations and not on servers (separate them into different OU's). Another way to do this is with a logon script that adds an account to the local administrators group and removes the user from that group.

The testing is a way to ensure that you don't break applications on the workstations. Some of the more poorly written applications require special access and as a default prefer administrative access rights. They work poorly without them. You'll want to test thoroughly so that you can remove the unneeded rights and still allow your user community to work as expected.

I'm sure there's more cautions I can suggest, but you get the idea.

On 9/20/06, Alberto Oviedo <[EMAIL PROTECTED]> wrote:

Hello. My name is Alberto, I'm from Nicaragua.

In our company the support team has granted every user administrator rights over their workstation. We recently migrated to Windows 2003 AD and I want to revoke the privileges that users have on their computers. Can I do this through AD? It's around 300 users and I don't want to visit every single one of them.

Thanks for your help.

**********
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you.
http://www.stockport.gov.uk
**********
RE: [ActiveDir]SUBDOMAIN AND LDAP
The application designer is telling me it can only be configured for one source of authentication, so if they use the domain level authentication will that allow to authenticate users in the subdomain?

I.e.
domain.com
child.domain.com

If I point the application to use domain.com as authentication source will that also authenticate users from the child domain?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, September 22, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

sub-domain query base: dc=subdomain,dc=domain,dc=com
domain query base: dc=domain,dc=com

When the search is initiated, it will start looking at the query base and, if so configured, everything below it (subtree search). In your case, that won't likely happen depending on how you configured it. If you instead change your query base to dc=domain,dc=com (assuming you have a contiguous namespace) then you may get different results.

Testing. You can use ldp, adfind, or any other ldap client if your app doesn't have that functionality built in. Since you're security conscious, be mindful of the cert and the ports you're using during your testing :)

Permissions? That depends on your configuration and your versions. Windows 2000 is pretty much open for searches while 2003 requires authenticated users by default.

Al

On 9/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Hi,

I have an application that uses LDAP to authenticate (authenticates against AD). In my AD I have a domain and subdomain or child domain. I assume that both domain and subdomain use the same LDAP, right?

Also, if the application is using a user from the subdomain to query the LDAP, what kind of access will that user have to have to authenticate users at the main domain level. Basically, the application is authenticating fine the users from the subdomain but can't find the users from the main domain...

Thanks for any advice.

Rezuma
Re: [ActiveDir]SUBDOMAIN AND LDAP
sub-domain query base: dc=subdomain,dc=domain,dc=com
domain query base: dc=domain,dc=com

When the search is initiated, it will start looking at the query base and, if so configured, everything below it (subtree search). In your case, that won't likely happen depending on how you configured it. If you instead change your query base to dc=domain,dc=com (assuming you have a contiguous namespace) then you may get different results.

Testing. You can use ldp, adfind, or any other ldap client if your app doesn't have that functionality built in. Since you're security conscious, be mindful of the cert and the ports you're using during your testing :)

Permissions? That depends on your configuration and your versions. Windows 2000 is pretty much open for searches while 2003 requires authenticated users by default.

Al

On 9/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:

Hi,

I have an application that uses LDAP to authenticate (authenticates against AD). In my AD I have a domain and subdomain or child domain. I assume that both domain and subdomain use the same LDAP, right?

Also, if the application is using a user from the subdomain to query the LDAP, what kind of access will that user have to have to authenticate users at the main domain level. Basically, the application is authenticating fine the users from the subdomain but can't find the users from the main domain...

Thanks for any advice.

Rezuma
[ActiveDir]SUBDOMAIN AND LDAP
Hi,

I have an application that uses LDAP to authenticate (authenticates against AD). In my AD I have a domain and subdomain or child domain. I assume that both domain and subdomain use the same LDAP, right?

Also, if the application is using a user from the subdomain to query the LDAP, what kind of access will that user have to have to authenticate users at the main domain level. Basically, the application is authenticating fine the users from the subdomain but can't find the users from the main domain...

Thanks for any advice.

Rezuma
[ActiveDir] FileSharing Issue
Got a strange issue this morning:

Env: Windows 2003 AD
Clients: All XP w/sp 2

1) Machine A maps fine to all local wkstn and servers on its domain (Domain A) (firewall service disabled)
2) Other machines (diff subnet but same domain) mapped fine to machine A
3) Machine A cannot map to server in another Domain B, different subnet
4) Other machines in Domain A map fine to Domain B
5) \\servername prompts for normal windows credentials on Machine A but server does not accept them. No problem from other machines in the same subnet using same GPO

Anyone seen this? I thought it could be a winsock issue, but netdiag /test:winsock /v showed no problem with winsock.

-Z.V.
Re: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC
Yeah, I thought so, thanks for the info. The damn thing is that Exchange still throws event 9176:

Event ID 9176 from MSExchangeSA occurred 1 times (NSPI Proxy can contact Global Catalog "servername" but it does not support the NSPI service. After a Domain Controller is promoted to a Global Catalog, the Global Catalog must be rebooted to support MAPI Clients. Reboot "servernamerio" as soon as possible.

- Original Message -
From: joe <[EMAIL PROTECTED]>
Date: Friday, September 22, 2006 4:38 pm
Subject: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

> This is no longer necessary with current revs of AD. It was necessary
> previously to get the NSPI functionality to fire up. Now it does that
> automagically.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of victor-[EMAIL PROTECTED]
> Sent: Friday, September 22, 2006 10:31 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC
>
> A question came up whether or not a reboot is really necessary after a
> DC has been made GC and Exchange would need to use this GC.
>
> I have worked in a pretty large environment (at least to my standards :-)).
> Where DC's did not get rebooted after having been made GC's. The
> AD admins simply waited until event 1119 appeared.
>
> I have read the following article which indicates a reboot is necessary
> if you have Exchange in the environment.
>
> http://support.microsoft.com/kb/304403/
>
> But is this really still necessary with Exchange 2003 SP2 and Windows
> 2003 SP1?
>
> Cheers,
>
> Victor
RE: [ActiveDir] LDAP query assistance
This unfortunately isn't going to work...

1. Global group membership is not maintained in the GC. Depending on the domain the GC you query hosts, your results will vary. If you hit a parent DC GC then you will see memberships for the parent (and Unis). If you hit a child DC GC, then you will see memberships of the child (and Unis).

2. An ASQ query will only work against objects in the linked attribute that are immediately available. Depending on whether you hit a GC port or the local LDAP port, and depending on the info present in that GC instance (see comments above), the results again could vary. The ASQ query does NOT cross DCs to return info. Again, since the global group membership of a domain is only maintained on a DC of that domain, this will only resolve part of the membership.

A couple of examples of ASQ in action...

    G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" member

    AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

    Using server: 2k3dc02.joe.com:389
    Directory: Windows Server 2003

    dn:CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com
    >member: CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
    >member: CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
    >member: CN=Domain Users,CN=Users,DC=joe,DC=com

    1 Objects returned

    G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn

    AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

    Using server: 2k3dc02.joe.com:389
    Directory: Windows Server 2003

    dn:CN=Domain Users,CN=Users,DC=joe,DC=com
    dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com

    2 Objects returned

Note that the member attribute of the group has 3 members but the ASQ objectclass=* query only returns 2; that is because, doing the LDAP port 389 query, the child1 object is not available.
Now change that to a GC query to a GC that is a DC for joe.com and it works:

    G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn

    AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

    Using server: 2k3dc02.joe.com:3268
    Directory: Windows Server 2003

    dn:CN=Domain Users,CN=Users,DC=joe,DC=com
    dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
    dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com

    3 Objects returned

But if I wanted the membership of those three global groups and tried against the same GC, you will note that the membership of the child1 domain group is not enumerated...

    G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member

    AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

    Using server: 2k3dc02.joe.com:3268
    Directory: Windows Server 2003

    dn:CN=Domain Users,CN=Users,DC=joe,DC=com
    >member: CN=Domain Admins,CN=Users,DC=joe,DC=com
    >member: CN=administrator,CN=Users,DC=joe,DC=com

    dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com

    dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
    >member: CN=2K3EXC02,CN=Computers,DC=joe,DC=com
    >member: CN=2K3EXC01,CN=Computers,DC=joe,DC=com

    3 Objects returned

But turn it around and use a child1 GC and what do you think you get?

    G:\Temp\delete>adfind -h 2k3dc10 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member

    AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

    Using server: 2k3dc10.child1.joe.com:3268
    Directory: Windows Server 2003

    0 Objects returned

That's right... nothing. That makes perfect sense, correct? If not, think about what group data is "guaranteed" to be in GCs and for what scope groups...

There is, unfortunately, no single LDAP query that can be posed to AD to resolve the membership of three global groups in three different domains.
The proper way to handle this would be to use a single Universal group or a single Domain Local group; with both, you would add all members to the group directly, not nest.

An alternative is to consolidate group membership into an alternate directory, say ADAM, where all groups are represented in ADAM and then the AD users are represented in ADAM as users or userProxies, and those ADAM objects are added to those ADAM groups. Fortunately you can get all memberships of a given user, or get the entire user population of a given group, by querying one machine. Depending on the actual need, you can populate ADAM with enough info that you are good to go after querying ADAM, but it is also possible you may have to go back to AD to look something up. Again, depends on what exactly you need.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul William
Re: [ActiveDir] Search Mailbox
Chiming in late here, but just want to second Larry's Exmerge motion. As far as I know it's the only native way to find a message, but by subject only. I think it may also be possible to turn on full SMTP logging and do a text search of the logs, but I'm not sure about that, and it would be a real pain.

----- Original Message -----
From: Dan DeStefano
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 9:38 AM
Subject: RE: [ActiveDir] Search Mailbox

Thanks for all your help. I appreciate it.

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, September 21, 2006 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Search Mailbox

No – not without a third party product (e.g. Veritas Enterprise Vault or EMC Legato). This feature is native to Exchange 2007.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, September 21, 2006 9:02 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Search Mailbox

Is there any way to search for messages within a mailbox without using Outlook in Exchange 2000, like using System Administrator?

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC
This is no longer necessary with current revs of AD. It was necessary previously to get the NSPI functionality to fire up. Now it does that automagically.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 22, 2006 10:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

A question came up whether or not a reboot is really necessary after a DC has been made GC and Exchange would need to use this GC.

I have worked in a pretty large environment (at least to my standards :-)), where DCs did not get rebooted after having been made GCs. The AD admins simply waited until event 1119 appeared.

I have read the following article which indicates a reboot is necessary if you have Exchange in the environment.

http://support.microsoft.com/kb/304403/

But is this really still necessary with Exchange 2003 SP2 and Windows 2003 SP1?

Cheers,

Victor
[ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC
A question came up whether or not a reboot is really necessary after a DC has been made GC and Exchange would need to use this GC.

I have worked in a pretty large environment (at least to my standards :-)), where DCs did not get rebooted after having been made GCs. The AD admins simply waited until event 1119 appeared.

I have read the following article which indicates a reboot is necessary if you have Exchange in the environment.

http://support.microsoft.com/kb/304403/

But is this really still necessary with Exchange 2003 SP2 and Windows 2003 SP1?

Cheers,

Victor
Re: [ActiveDir] Assign User rights overs computers with AD
Separate "Trees"? That seems a little excessive. Or are we just mixing terms?

On 9/21/06, Dave Wade <[EMAIL PROTECTED]> wrote:

I prefer to keep them in separate trees. In fact we are just doing that at present...

From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Thu 21/09/2006 17:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

Thanks for your help, really useful. Is it a good practice to move computer objects to the OU where the user of the computer resides?

On 9/20/06, Dave Wade <[EMAIL PROTECTED]> wrote:

Alberto,

Even though we made our users "Power Users" we found that we needed to make a number of "tweaks" to cater for poorly written applications. I think we now have about a dozen settings for various ill-behaved applications. The majority of these are to cater for applications that write to places on the "C" drive (other than the Windows folders, of course) where applications should not write. We also refreshed permissions on the "All Users" profile to make sure users don't delete items from the "All Users" desktop or start menu. I guess the last thing to note is that we rolled the policy out in manageable chunks of PCs, say 100 at a time, so if there were issues we could cope with the service calls.

Hope this is useful,
Dave.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 20 September 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

You can, but I've yet to see it be so simple. The information you're looking for is "restricted groups", but I HIGHLY advise you to be careful and to TEST that prior to using it on your workstations. I also highly advise that you only apply that type of setting to workstations and not on servers (separate them into different OUs).

Another way to do this is with a logon script that adds an account to the local administrators group and removes the user from that group.

The testing is a way to ensure that you don't break applications on the workstations. Some of the more poorly written applications require special access and as a default prefer administrative access rights. They work poorly without them. You'll want to test thoroughly so that you can remove the unneeded rights and still allow your user community to work as expected. I'm sure there are more cautions I can suggest, but you get the idea.

On 9/20/06, Alberto Oviedo <[EMAIL PROTECTED]> wrote:

Hello. My name is Alberto, I'm from Nicaragua. In our company the support team has granted every user administrator rights over their workstation. We recently migrated to Windows 2003 AD and I want to revoke the privileges that users have on their computers. Can I do this through AD? It's around 300 users and I don't want to visit every single one of them. Thanks for your help.
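The "logon script" route Al mentions above can also be driven from the admin side rather than per logon. What follows is an added PowerShell example, not code from anyone in the thread: it audits the local Administrators group on a list of workstations over the WinNT ADSI provider and removes every domain principal that is not on an allow list. It assumes the machine running it has admin rights and RPC reachability on the targets; the computer names, the CORP domain and the allow list are placeholders. Run it with -WhatIf first and keep "Domain Admins" on the allow list, since removing it from every workstation at once is exactly the kind of mistake a 300-machine loop makes quickly. Restricted Groups via GPO is the declarative equivalent and should win in the long run; this script is for the one-off cleanup and for checking that the GPO actually took effect.

```powershell
# Added example (not from the thread). Audits and trims the local Administrators
# group on remote workstations using the WinNT ADSI provider, which works from
# PowerShell 1.0/2.0 without extra modules. All names below are placeholders.

function Get-LocalAdminPaths {
    param([string]$Computer)
    # IADsGroup.Members() returns COM objects; read each member's ADsPath,
    # e.g. WinNT://CORP/jdoe (domain user), WinNT://CORP/Domain Admins (domain
    # group), WinNT://CORP/PC01/Administrator (local account on PC01).
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Remove-UnapprovedLocalAdmins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$Computers,
        # ADsPaths that must stay. Assumption: the current user's domain is the
        # one whose Domain Admins group should always remain a local admin.
        [string[]]$Allowed = @("WinNT://$env:USERDOMAIN/Domain Admins")
    )
    foreach ($c in $Computers) {
        try {
            $members = Get-LocalAdminPaths -Computer $c
        } catch {
            Write-Warning "$c unreachable or access denied: $_"
            continue
        }
        foreach ($path in $members) {
            # Leave local (machine) principals alone: the built-in Administrator
            # and any local service accounts are a separate clean-up decision.
            if ($path -like "*/$c/*") { continue }
            # PowerShell string -contains is case-insensitive, so CORP vs corp is fine.
            if ($Allowed -contains $path) { continue }
            if ($PSCmdlet.ShouldProcess($c, "Remove $path from Administrators")) {
                ([ADSI]"WinNT://$c/Administrators,group").Remove($path)
                New-Object PSObject -Property @{ Computer = $c; Removed = $path }
            }
        }
    }
}

# Usage (placeholder hosts and allow list). First pass: report only.
$targets = 'PC01', 'PC02', 'PC03'
Remove-UnapprovedLocalAdmins -Computers $targets `
    -Allowed @('WinNT://CORP/Domain Admins', 'WinNT://CORP/Workstation Admins') -WhatIf

# Second pass, once the WhatIf output looks right: actually remove, keep a log.
Remove-UnapprovedLocalAdmins -Computers $targets `
    -Allowed @('WinNT://CORP/Domain Admins', 'WinNT://CORP/Workstation Admins') |
    Export-Csv -Path .\removed-local-admins.csv -NoTypeInformation
```

The match on ADsPath is by name, so a user who has been renamed between the audit and the removal would be missed rather than wrongly removed; matching on SID is stricter but needs a second lookup per member. Run the audit again after the Restricted Groups GPO has applied: a workstation that still lists unapproved members at that point either did not process the policy or has the group being re-populated by something else (an installer, a management agent), which is worth knowing before you assume the rights are gone.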
Re: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses
That's it. Wow, how time flies.

On 9/22/06, Tomasz Onyszko <[EMAIL PROTECTED]> wrote:

Al Mulnick wrote:
> There's an additional reason you would want those addresses: replies to
> email will work with that address stamped on there. There was a blog
> entry last year related to x.500 addresses and their usage on "you had
> me at ehlo" or something like that.

Yes, that's the case - if something will be sent (for example a reply) to this "second" address it will be delivered if you have this X500 address. If you are using the standard GAL scenario delivered with IIFP this is the correct configuration.

I think Al is thinking about this post:
http://msexchangeteam.com/archive/2004/03/24/95451.aspx

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses
Al Mulnick wrote:
> There's an additional reason you would want those addresses: replies to
> email will work with that address stamped on there. There was a blog
> entry last year related to x.500 addresses and their usage on "you had
> me at ehlo" or something like that.

Yes, that's the case - if something will be sent (for example a reply) to this "second" address it will be delivered if you have this X500 address. If you are using the standard GAL scenario delivered with IIFP this is the correct configuration.

I think Al is thinking about this post:
http://msexchangeteam.com/archive/2004/03/24/95451.aspx

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses
There's an additional reason you would want those addresses: replies to email will work with that address stamped on there. There was a blog entry last year related to x.500 addresses and their usage on "you had me at ehlo" or something like that.

I haven't used the IIFP, but I would expect to have one x.500 from each forest for Exchange mail to work properly.

Al

On 9/22/06, Tony Murray <[EMAIL PROTECTED]> wrote:

Two forest scenario. IIFP 1a. Both forests Windows 2003 SP1 and Exchange 2003 SP2. After initial setup and synchronisation I notice that my synced users (and their corresponding Contact objects in the second forest) acquire two new X500 addresses (one for each Exchange org).

Simple question really. Is this normal and expected or have I misconfigured something? I assume the X500 address is to uniquely identify them in the metaverse, but having two seems excessive!

Thanks
Tony

Sent via the WebMail system at mail.activedir.org
RE: [ActiveDir] Urgent DFS Configuration
Slightly hijacking the thread: if I have a 2003 DFS with replication running and would like to make it 2003 R2 DFSR, can I:

Upgrade to 2003 R2
Magically convert from DFS to DFSR

If so, is there a guide anywhere to what to do?

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
Sent: 22 September 2006 00:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

Additionally... there are many catches with DFS when you start replicating files (if you were intending to). As a (R1 speak) root link, it is pretty simple, however you have to ensure you have your NTFS and share permissions set correctly before you create the DFS root and additional links or folders, etc, etc, etc.

If you are planning to replicate files, then MAKE SURE you are running R2, otherwise you'll have all sorts of file replication traumas using FRS... I love DFSR!

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott, Anthony
Sent: Friday, 22 September 2006 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

Are you trying to access the folders that DFS created or the actual shares themselves? See this (it applies to 2003 also):
http://support.microsoft.com/default.aspx?scid=kb;en-us;q246888

Thanks,
Anthony Scott
Microsoft Consultant
Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Thursday, September 21, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

That would be 2.

Juan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, September 21, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

Which server hosts the stand-alone root? Server 1 or 2?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Thursday, September 21, 2006 17:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent DFS Configuration
Importance: High

All,

I need some input on DFS. I am trying to set up DFS on a file server, well in reality two. I am configuring server1 with a standalone root; when asked for the "host" server I enter server2 and select the share drive I want to use. I then create DFS links to subfolders and they create just fine.

The problem: When I try to access the links I created I can't, "Access Denied", even though I share the folders in advance with appropriate permissions, and of course at this point the security tab from the shares disappears. So I can't make changes, and when I go and try to open from DFS I get an error "Failed to launch explorer home at \\pathname". I also rebooted both servers and when they come up the DFS root is gone from server1 but remains on server2 along with all the DFS links.

Please let me know what I am doing wrong.

Thanks,
Juan
RE: [ActiveDir] How are folks setting hidden user attribs?
Alex,

The AF is using NetIQ's DRA as the GUI to create and maintain accounts in AD. We have created custom screens that expose those attributes and several others used to support CAC login.

Eric

From: [EMAIL PROTECTED] on behalf of Alex Fontana
Sent: Thu 9/21/2006 3:03 AM
To: ActiveDir@mail.activedir.org
Subject: How are folks setting hidden user attribs?

Hey guys,

I'm curious how people are populating attributes such as employeeID, employeeType, etc., specifically when creating/modifying accounts using the GUI (ADUC)? Besides me writing something to populate the fields, what other resources do I have to allow other selected users (account creators) to populate these fields?

TIA
-alex
Re: [ActiveDir] LDAP query assistance
Something like this, against a GC (one memberOf clause per group DN; the DNs were lost in the archive and are shown as placeholders here):

    (|(&(objectCategory=person)(memberOf=<group 1 DN>))(&(objectCategory=person)(memberOf=<group 2 DN>))(&(objectCategory=person)(memberOf=<group 3 DN>)))

You can also do it the way you want using ASQ if you don't mind DN as the output. Here's an example using ADFIND:

    adfind -b "cn=group,ou=groups,dc=domain-name,dc=com" -asq member -f "objectCategory=group" member -list

--Paul

----- Original Message -----
From: Amanda Rose
To: ActiveDir Mailing List
Sent: Friday, September 22, 2006 10:02 AM
Subject: [ActiveDir] LDAP query assistance

Hello!

I work in a small company where we have need of some LDAP query assistance to identify a group of users out of AD. We only have basic LDAP knowledge in house and our query is not finding what we need. I would really appreciate any assistance you could lend to the following:

We are trying to identify and synchronize a group called LLUsers within AD with an external application, so that we can do single sign-on (AD authentication).

Our Active Directory is structured as follows:

Parent Domain: contains global security group called LLUsers
Two child domains: each contains a Global Security Group called LLUsers
In the Parent Domain, there is an additional Local Security Group called LLUsersLocal whose members are the LLUsers groups from all three domains.

We want to construct a single LDAP query that will return the Users from all three LLUsers groups. Right now, the LDAP query we have pulls individual users added to the LLUsers group in the parent domain. Is there a way to create a nested or OR query that can look in LLUsersLocal and pull out the individual Users in each group within?

This is the current LDAP query:

    (&(objectcategory=user)(memberOf=CN=LLUsers,CN=users,DC=res-ltd,DC=com))

We have tried many others, often a variation of:

    (&(objectcategory=user)(|(memberOf=CN=LLUsersLocal,CN=users,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=glasgow,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=austin,DC=res-ltd,DC=com)))

Or perhaps the AD design with Parent and Child directories makes this impossible? We have received some advice that we should move to a flat structure with only one domain and use work groups within.

Amanda Rose, Renewable Energy Systems
[EMAIL PROTECTED] (email)
www.res-americas.com or www.res-ltd.com
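Both joe's ASQ walk-through and Paul's memberOf filter above run into the same wall: no single DC, GC or not, holds the member list of a global group from another domain, so any one query under-reports. The practical fix when a Universal group is not an option is to do the expansion client-side and ask the right DC each time: for every member DN, locate a DC of the domain named in its DC= components and read the object there. The following is an added PowerShell example, not code from either post or from adfind; it uses System.DirectoryServices, assumes a domain-joined machine with read access to every domain in the forest and working DC location for each of them, and the LLUsersLocal DN is a placeholder taken from Amanda's question.

```powershell
# Added example (not from the thread). Expands nested group membership across
# the domains of one forest by reading each group's 'member' attribute from a
# DC of the domain that OWNS that group, which is the only place the full list
# of a global or domain local group is guaranteed to exist.

$script:DcCache = @{}   # dns domain name -> DC host name, so DC location runs once per domain

function ConvertTo-DnsDomainName {
    param([string]$Dn)
    # CN=LLUsers,CN=Users,DC=austin,DC=res-ltd,DC=com  ->  austin.res-ltd.com
    # (only DC= components are kept, so escaped commas inside a CN cannot
    # disturb the result)
    $parts = $Dn -split ',' | Where-Object { $_ -match '^DC=' } | ForEach-Object { $_.Substring(3) }
    return ($parts -join '.')
}

function Get-ObjectFromOwningDomain {
    param([string]$Dn, [string[]]$Properties)
    $domain = ConvertTo-DnsDomainName $Dn
    if (-not $script:DcCache.ContainsKey($domain)) {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $domain)
        $script:DcCache[$domain] = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindDomainController().Name
    }
    # Explicit server in the path: never a serverless bind that could land on a
    # DC (or GC) of a different domain and silently return a partial object.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($script:DcCache[$domain])/$Dn")
    $entry.RefreshCache($Properties)   # fetch only the attributes asked for
    return $entry
}

function Get-UsersAcrossDomains {
    param(
        [Parameter(Mandatory = $true)][string]$GroupDn,
        [hashtable]$Seen = @{}          # visited group DNs, breaks A-in-B-in-A loops
    )
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true

    $group = Get-ObjectFromOwningDomain -Dn $GroupDn -Properties @('member')
    # Caveat: a DC returns at most MaxValRange values (1500 on 2003) of 'member'
    # per read; groups larger than that need ranged retrieval (member;range=0-1499, ...).
    foreach ($memberDn in @($group.Properties['member'])) {
        $m = Get-ObjectFromOwningDomain -Dn $memberDn -Properties @('objectClass', 'sAMAccountName')
        if (@($m.Properties['objectClass']) -contains 'group') {
            Get-UsersAcrossDomains -GroupDn $memberDn -Seen $Seen
        } else {
            # Anything that is not a group: user, computer, contact or a
            # foreignSecurityPrincipal (no sAMAccountName, so .Value is $null).
            New-Object PSObject -Property @{
                SamAccountName    = [string]$m.Properties['sAMAccountName'].Value
                Domain            = ConvertTo-DnsDomainName $memberDn
                DistinguishedName = $memberDn
            }
        }
    }
}

# Usage (placeholder DN from the thread): the domain local group in the parent
# domain nests the three global LLUsers groups from res-ltd.com, glasgow.res-ltd.com
# and austin.res-ltd.com; each is expanded on a DC of its own domain.
Get-UsersAcrossDomains -GroupDn 'CN=LLUsersLocal,CN=Users,DC=res-ltd,DC=com' |
    Sort-Object Domain, SamAccountName |
    Format-Table Domain, SamAccountName, DistinguishedName -AutoSize
```

Two things worth checking when you run this against a real forest. First, compare the count it returns with an ASQ query of the same group against a GC, as in joe's examples: the difference is exactly the membership that the single-query approach was losing. Second, since this is feeding a single sign-on integration, confirm that the external application treats the combination of Domain and SamAccountName as the identity, not SamAccountName alone; the same account name can legitimately exist in each of the three domains.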
[ActiveDir] LDAP query assistance
Hello!

I work in a small company where we have need of some LDAP query assistance to identify a group of users out of AD. We only have basic LDAP knowledge in house and our query is not finding what we need. I would really appreciate any assistance you could lend to the following:

We are trying to identify and synchronize a group called "LLUsers" within AD with an external application, so that we can do single sign-on (AD authentication).

Our Active Directory is structured as follows:

Parent Domain – contains global security group called "LLUsers"
Two child domains – each contains a Global Security Group called "LLUsers"
In the Parent Domain, there is an additional Local Security Group called "LLUsersLocal" whose members are the "LLUsers" groups from all three domains.

We want to construct a single LDAP query that will return the Users from all three "LLUsers" groups. Right now, the LDAP query we have pulls individual users added to the LLUsers group in the parent domain. Is there a way to create a nested or "OR" query that can look in "LLUsersLocal" and pull out the individual Users in each group within?

This is the current LDAP query:

    (&(objectcategory=user)(memberOf=CN=LLUsers,CN=users,DC=res-ltd,DC=com))

We have tried many others – often a variation of:

    (&(objectcategory=user)(|(memberOf=CN=LLUsersLocal,CN=users,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=glasgow,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=austin,DC=res-ltd,DC=com)))

Or – perhaps the AD design with Parent and Child directories makes this impossible? We have received some advice that we should move to a flat structure with only one domain and use work groups within.

Amanda Rose, Renewable Energy Systems
[EMAIL PROTECTED] (email)
www.res-americas.com or www.res-ltd.com
RE: [ActiveDir] SID History.
Matt,

When you log on, you are 'given' a token which includes a list of groups (group SIDs actually) to which you have membership. This list includes groups you are directly a member of, groups you have membership of via nesting, but also groups you have membership of via SIDhistory.

When you attempt to access a resource on the server, you will present your token and list of groups to the server. The server then tries to match a group SID to a SID which is contained in the ACL for the resource being accessed. If a match is found, you gain access; if not, or a deny is matched, you are not granted access.

Hope that helps,

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: 21 September 2006 21:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.

Conceptual situation:

User domain
Resource domain(s)

I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
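Neil's description of the access check (token SID list matched against the ACEs of the resource's DACL) points at the audit Matt needs before the resource domain goes away: which ACEs on a migrated file server match the user only through a SID carried in sIDHistory, because those grants, and any Deny entries, stop matching the moment sIDHistory is purged. The following is an added PowerShell example, not code from either post. It reads the user's own SID and sIDHistory, asks a DC for the constructed tokenGroups attribute (the transitive group list, computed the way the logon token would see it), merges the sIDHistory of each of those groups, and then lists the ACEs of one folder that match any of those SIDs, tagged with whether the match is direct or via history. It assumes a domain-joined machine with read access to the directory and the path, and that a GC is reachable (tokenGroups cannot be computed without one); the user name and UNC path are placeholders, and merging group sIDHistory explicitly is a choice made here rather than a guarantee about what tokenGroups already contains.

```powershell
# Added example (not from the thread). Builds the set of SIDs a user presents in
# a token (own SID, sIDHistory, transitive groups, and the groups' sIDHistory)
# and reports which ACEs on a folder match, flagging the ones reachable only
# through sIDHistory. Placeholders: the user name and the UNC path.

function ConvertTo-SidString {
    param([byte[]]$Bytes)
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

function Get-UserTokenSids {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange(@('objectSid', 'sIDHistory'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "User not found: $SamAccountName" }
    $user = $hit.GetDirectoryEntry()

    $sids = @{}   # SID string -> 'direct' | 'sidHistory'
    $sids[(ConvertTo-SidString $user.Properties['objectSid'][0])] = 'direct'
    foreach ($b in @($user.Properties['sIDHistory'])) {
        $sids[(ConvertTo-SidString $b)] = 'sidHistory'
    }

    # tokenGroups is a constructed attribute: the DC only computes it on an
    # explicit request, and it needs a GC to expand memberships across domains.
    $user.RefreshCache(@('tokenGroups'))
    foreach ($b in @($user.Properties['tokenGroups'])) {
        $gsid = ConvertTo-SidString $b
        if (-not $sids.ContainsKey($gsid)) { $sids[$gsid] = 'direct' }
        # Assumption made in this example: also fold in each group's own
        # sIDHistory, so an ACE written against the group's pre-migration SID
        # is recognised. The GC provider is used so groups from any domain in
        # the forest resolve; BUILTIN and well-known SIDs have no GC object and
        # land in the catch block, which is expected.
        try {
            $g = New-Object System.DirectoryServices.DirectoryEntry("GC://<SID=$gsid>")
            $g.RefreshCache(@('sIDHistory'))
            foreach ($h in @($g.Properties['sIDHistory'])) {
                $hsid = ConvertTo-SidString $h
                if (-not $sids.ContainsKey($hsid)) { $sids[$hsid] = 'sidHistory' }
            }
        } catch { }
    }
    return $sids
}

function Find-MatchingAces {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][hashtable]$TokenSids
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Orphaned SIDs (deleted source-domain groups) already come back as
        # SecurityIdentifier; named accounts are translated to their SID.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($TokenSids.ContainsKey($sid)) {
            New-Object PSObject -Property @{
                Identity = $ace.IdentityReference.Value
                Sid      = $sid
                Type     = $ace.AccessControlType   # Allow or Deny
                Rights   = $ace.FileSystemRights
                Via      = $TokenSids[$sid]         # 'direct' or 'sidHistory'
            }
        }
    }
}

# Usage (placeholders): everything tagged 'sidHistory' is what breaks when the
# resource domain is decommissioned and sIDHistory is cleaned up.
$token = Get-UserTokenSids -SamAccountName 'mhargraves'
Find-MatchingAces -Path '\\fileserver\share\Projects' -TokenSids $token |
    Sort-Object Via, Type | Format-Table Identity, Type, Rights, Via -AutoSize
```

This lists matching ACEs; it does not compute effective access, which Windows does by walking the DACL in canonical order with explicit Deny entries before Allow and accumulating rights until the request is satisfied or denied. Read the 'sidHistory' rows with that in mind: a Deny ACE that matches only through history is not a grant you will lose but a restriction that silently disappears at cleanup, which is the more dangerous of the two outcomes and the reason to re-ACL such folders with current-domain groups before sIDHistory is removed.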