Re: [ActiveDir] Discovering LDAPS availability

2006-10-11 Thread Paul Williams
The project that I'm working on makes heavy use of LDAPS.  However, at the 
moment, we favour the latter statement - the built DCs don't leave staging 
until the certs are pulled.  They must be signed off, and that's one of the 
last items on the deployment check list.

We'll probably automate this check soon, but we're too busy with automating 
the builds at the moment.

Personally, I like the idea of _ldaps SRV RRs.  Although I can appreciate 
there's a bit more to it from MSFT's point of view than simply getting 
NETLOGON to register them in DNS.

--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 10, 2006 10:45 PM
Subject: RE: [ActiveDir] Discovering LDAPS availability



Hmm doesn't look like anyone else has figured this out or just doesn't
deploy LDAPS or alternately makes sure every DC is capable of LDAPS.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Loder
Sent: Friday, October 06, 2006 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Discovering LDAPS availability

joe's absolutely right.  What's trying to be
accomplished is to publish new LDAPS SRV records for a
300+ DC environment.  But I don't want to just blindly
assume each DC properly enrolled with the CA (we had
problems like that at the beginning), and I'd really
like to avoid the overhead of touching each DC.
Unfortunately, that's about the only viable method I
see.

We have a DCR in with MS to change the behavior so
that the DCs automatically publish LDAPS if it's
available.  But what we're hearing right now is that
it's probably not in the pipeline until LH SP1.

--- joe [EMAIL PROTECTED] wrote:


LDAPS records aren't published by DCs, only LDAP
records. I can assure you
if it were that easy, David wouldn't have had an
issue. From what I have
seen, if a secure LDAP connection is required, the
internal routines from
MSFT simply locate a DC and go to the port. If LDAPS
isn't hot, the
connection is dropped with server down error.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, October 05, 2006 6:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Discovering LDAPS
availability

Couldn't you just query the DNS for the SRV record
advertising it...

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: David Loder [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 06/10/2006 08:56 a.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Discovering LDAPS availability


Other than directly testing the 636 port on each DC,
can anyone suggest a method for an unprivileged
client
to discover whether or not LDAPS should be available
on a specific DC?

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around
http://mail.yahoo.com
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.activedir.org/ml/threads.aspx








RE: [ActiveDir] Forest trust divestitures

2006-10-11 Thread Almeida Pinto, Jorge de



very very true

interim forests...
AND another part is responsibility... first it's mine and 
THEN it is yours (and there is very little to nothing in between). In other 
words... a clear hand-over moment.
Although the selling company is responsible for the first 
phase, the buying company should be involved in the first phase (although not 
leading) to be sure they know what they get and of course also how they get it. 
The buying company should set up requirements and discuss these with the selling 
company.

jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
  Sent: Tuesday, October 10, 2006 21:45
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Forest trust divestitures
  
  
  If I were the security officer for Company B, I would have real issues with this 
  plan.
  
  Most companies with sufficient understanding of AD Security would not want any of 
  their DCs placed in any location where the other company's network is still 
  active (i.e. DCs from company A and company B on same network). That's 
  different in a merger, where the full IT infrastructure will be merged 
  anyways. But you're talking about a divestiture of a PART of a company.
  
  The plan you're describing doesn't really scale well over time - not sure if 
  you're considering issues you're experiencing during the migration - how long 
  are you willing to run forest B without PDC/RID etc?
  
  What I've done in similar situations is to implement an interims forest.
  
  Step 1: implement Interims Forest C in Company A's network - migrate objects and 
  resources from divested BU over from Forest A to C. Test that the divested BU 
  works in Forest C and that other Company A BUs continue to work fine as well. 
  Potentially change naming convention of objects to that of Company B during 
  the migration to Forest C. Troubleshoot as necessary.
  Step 2: when ready, separate network of Forest C from Company A and integrate it with 
  network from Company B.
  Step 3: with sufficient time for planning the integration, migrate objects and 
  resources from Forest C to B. If not done previously, adjust naming convention of 
  objects during this migration.
  
  This sounds like a whole lot of extra work, but usually it pays off: it is the most 
  secure way to separate the divested part of the company and doesn't put either 
  company at (unwanted) risks. It also gives you more flexibility on when 
  to do which step and won't cause any issues with either of the operational 
  forests.
  
  /Guido
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harvey Kamangwitz
  Sent: Monday, October 09, 2006 7:58 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Forest trust divestitures
  
  
  Hi all,
  
  I'm consulting on a divestiture, and naturally the 
  companies want their respective AD forests to have the minimum amount of 
  contact necessary to migrate the security principals in the divestiture from 
  company A to company B. I wanted to sanity check with this brain trust that we 
  can do a one-way forest trust in this firewalled situation. (They're 
  going to use Quest Migration Manager for AD, and though technically it doesn't 
  REQUIRE a one-way trust, the Quest SE says it's an order of magnitude easier. 
  A one-way outgoing trust has been approved by the various security players so 
  it can be done.)
  
  - ForestA (multiple domains) and ForestB (single domain). 
  In the beginning, no communication between them.
  
  - ForestB DCs are physically landed at various Company A 
  locations in pocket networks that can talk back to Company B, so they're healthy. 
  Though they're at Company A, they are firewalled from A until D-day. 
  All forest B pocket network DCs can talk to each other as well as back home.
  
  D-Day:
  
  - Transfer PDC and RID FSMOs to one of company B's pocket network DCs. 
  (see next step for why.)
  
  - Firewall off communication to company B's network, and 
  open up comm to company A's network. 
  This will make for a temporarily unhappy company B 
  forest, but it will be okay for the duration of the migration. More 
  importantly, it'll make the PDC available on the company A 
  network for the forest trust setup and the RID master also available 
  to hand out more RIDs during the migration. 
  There should now be a functional company B forest on 
  company A's network (though it'll be complaining about missing DCs).
  
  - Configure DNS conditional forwarding in forest A to find 
  forest B's pocket network DCs and vice versa. 
  Would I have to set up forwarding on every DNS 
  server in forestA? They have a lot of DCs.
  
  - Establish the forest trust from A to B. 
  Would selective authentication on the trust protect 
  the visibility of A's security principals? It's mainly designed to 

RE: [ActiveDir] Forest trust divestitures

2006-10-11 Thread Grillenmeier, Guido








I didn't read Harvey's comment "ForestB DCs are physically landed at various Company A locations in
pocket networks that can talk back" as something that already
exists today. I would have thought it is part of his plan and that today there
are no DCs from Company B in any of Company A's locations.

So we're using different assumptions in our discussion - Harvey,
can you clarify?

Also note Jorge's very valid comment on responsibility: the interims
forest C has a clear hand-over of responsibility of the BU being divested.

/Guido





From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Al Mulnick
Sent: Wednesday, October 11, 2006 3:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Forest trust  divestitures







Agreed that the risk is there. Good idea to spell it
out, but I got the sense that much gnashing of teeth was already had over the
decision to create a one-way trust or not.

And because the DCs already share a network (even though
firewalled from time to time) I'm not seeing how the forest C topology helps to
mitigate the risk you describe? They'll still have possession of a DC from a
previously trusted (and therefore suspect) forest. No difference there. Unless
Forest A keeps control of the demilitarized forest C. But then how
does Forest B learn to trust them? :)

In any event, I see a double migration without much
mitigation of risk nor benefit. I'm guessing I'm missing something in the
description of the problem else not asking the right question(s).

I'm curious if that's the case?

If so, is there more information to be aware of in this
scenario that can be shared?

On 10/10/06, Grillenmeier, Guido
[EMAIL PROTECTED]
wrote:

Al, what risk has been
assumed? You're assuming everyone understands all the potential risks of
binding two AD infrastructures together as suggested, and that we're all
playing nice with one another? I'm not assuming that.

I'm always assuming that there
is potential for the bad guys to be around. And if they are, the original plan
allows the wrong people (read: Admins of Domain A) to have access to DCs of
Domain B. And potentially also the other way around. Not good. Unless merger
and we're talking the same company - but that's not the case here - these are
two different companies.

A firewall doesn't protect from
a compromised DC, especially if you bring that DC back into your production
forest.

/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Al Mulnick
Sent: Tuesday, October 10, 2006 11:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Forest trust  divestitures









curious.

I'm not seeing the same things as Guido here.

PDC/RID will remain on the forest, but it will be blocked for the duration
of the migration while A forest and B forest are not firewalled in that one
site. (as I read it).

But what makes me curious is this:

The risk has already been assumed. What is the advantage here of
adding forest C? I see that it's extra steps, but I don't see the connection to
the drawn out go-at-your-own-pace migration.

I'm interested in having it spelled out for me though. Please. :)


On 10/10/06, Harvey Kamangwitz [EMAIL PROTECTED]
wrote:

I certainly wouldn't allow it if I were security either, but they said it
was okay. Probably has something to do with the fact the acquisition will
almost double the size of the company :).

The interim forest is a great idea. I had intended to bring up a test forest
to dry-run the migration in company A environment, but I didn't follow the
train of thought through to suggest that the actual migration be done to that
forest, and moved to the target company.










RE: [ActiveDir] OT: Ello!

2006-10-11 Thread Paul van Geldrop
You only have yourself to blame for pointing me to it, young man!
That brings the amount of possible ways to annoy you to.. 7. Muahaha.
Getting scared yet ? :P
 
Paul
 
-Original Message-
From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] On
Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, October 11, 2006 12:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Ello!
 
sh!t..he found the list...and I hoped he would never find it
well... I guess it did not work when I told him it was something like
edir.org
;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
* Tel : +31-(0)40-29.57.777
* Mobile : +31-(0)6-26.26.62.80
*E-mail  : see sender address
 
  _  

From: [EMAIL PROTECTED] on behalf of Paul van Geldrop
Sent: Tue 2006-10-10 17:37
To: ActiveDir
Subject: [ActiveDir] OT: Ello!
Ello!
 
Just thought I'd at least have the decency to announce my presence on this
list. ;)
Joined today and looking forward to learning from all the grey matter
frequenting this list!
 
Regards,
 
Paul

RE: [ActiveDir] recover a file server in Windows 2003

2006-10-11 Thread Paul van Geldrop








How exactly do you plan to failover to
this server (at least, that's what I presume you want to do)?

First option that springs to mind is setting
up a two-node cluster, letting the cluster-resources reside on the SAN disks. That
way, if one of the servers fails, everything'll smoothly transfer to the
other server.

Keep in mind, however, that during the
transfer connections to open files will hiccup (or even completely falter).

The nice part about clustering the lot is
that you can just maintain the resource per se, instead of having to configure
folders etc on two separate servers.

Regards,

Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philobatheer Guirgis
Sent: Wednesday, October 11, 2006 2:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] recover a file server in Windows 2003

Hi,

I am working on building
a recovery server for a Windows 2003 file server. This file server is
connected to the SAN and contains many shared folders. How could I
configure the recovery server with the same shared folder if I connected it to
the same SAN volumes?

Thanks,

Philo


Re: [ActiveDir] OT: Ello!

2006-10-11 Thread Bart Van den Wyngaert

... Dutch men :-))

On 10/11/06, Paul van Geldrop [EMAIL PROTECTED] wrote:



[ActiveDir] Jason Centenni is Out Of Town

2006-10-11 Thread Jason_Centenni
I will be out of the office starting 10/11/2006 and will not return until
10/16/2006.

If you have an urgent question concerning Active Directory please contact
JHRH or DSC On-call.



RE: [ActiveDir] Flags Attribute?

2006-10-11 Thread Bernier, Brandon (.)



That did it. Thanks joe!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Flags Attribute?

For the first part, what about just using LDIFDE to export 
from AD?

dn: CN=Flags,CN=Schema,CN=Configuration,DC=test,DC=loc
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.38
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: Flags
adminDescription: Flags
oMSyntax: 2
searchFlags: 0
lDAPDisplayName: flags
name: Flags
schemaIDGUID:: dnmWv+YN0BGihQCqADBJ4g==
systemOnly: FALSE
systemFlags: 16
isMemberOfPartialAttributeSet: TRUE

Alternately you can pull this

# Attribute: flags
dn: cn=Flags,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.2.840.113556.1.4.38
ldapDisplayName: flags
attributeSyntax: 2.5.5.9
adminDescription: Flags
adminDisplayName: Flags
# schemaIDGUID: bf967976-0de6-11d0-a285-00aa003049e2
schemaIDGUID:: dnmWv+YN0BGihQCqADBJ4g==
oMSyntax: 2
systemFlags: 16
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
systemOnly: FALSE

from the %windir%\adam\MS-AdamSchemaW2K3.LDF file in ADAM SP1.



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Tuesday, October 10, 2006 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Flags Attribute?

Never mind the second part of my 
question. I figured out what I was doing wrong, my LDIF syntax was messed up 
when I tried to modify MayContain.

From: Bernier, Brandon (.)
Sent: Tuesday, October 10, 2006 3:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: Flags Attribute?

Ok, I think I'm going crazy here... I need to add 
the Flags attribute into an ADAM instance and can't find it in any of the LDF files 
that ship with W2K/W2K3/R2/ADAM. While I can do an ADFind on this attribute and 
dump the needed properties into a LDIF file, I'd like to steal as much as 
possible of what was originally imported into AD. 
Also, when I'm creating an attribute how do I have 
it change the SystemMayContain/MayContain attribute on an existing structural 
Class? I know they are constructed and I can't modify the Class directly, but 
know there must be a way to do it.
Thanks for the help! 
-Brandon 
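The two LDIF fragments joe posted carry the same schemaIDGUID in base64 form, and the ADAM file shows the GUID in a comment beside it. Since ACEs grant property-level rights by schemaIDGUID, an attribute imported with the wrong GUID breaks any ACL that refers to it, so it is worth verifying before the import. The added example below (Python, not code from the thread or any of its posters) reads a single attributeSchema entry from LDIF, decodes the base64 value into the familiar GUID string, and produces the base64 form for a given GUID. The SAMPLE_LDIF text is a trimmed copy of the AD entry above; the parser is a minimal one written for this example, not LDIFDE's.

```python
# Added example (not from the thread): parse one attributeSchema LDIF entry and
# convert schemaIDGUID between its LDIF base64 form and the display GUID.
import base64
import uuid
from typing import Dict, Union

# Trimmed copy of the AD export posted in the thread.
SAMPLE_LDIF = """\
dn: CN=Flags,CN=Schema,CN=Configuration,DC=test,DC=loc
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.38
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
lDAPDisplayName: flags
schemaIDGUID:: dnmWv+YN0BGihQCqADBJ4g==
systemOnly: FALSE
"""

LdifValue = Union[str, bytes]


def parse_ldif_entry(text: str) -> Dict[str, LdifValue]:
    """Minimal LDIF reader for a single entry: unfolds continuation lines (a
    leading space), skips '#' comments, and decodes 'attr:: base64' to bytes."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # folded continuation of the previous value
        else:
            lines.append(line)
    entry: Dict[str, LdifValue] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>'
            entry[name] = base64.b64decode(value[1:].strip())
        else:                              # 'attr: <text>'
            entry[name] = value.strip()
    return entry


def schema_id_guid(entry: Dict[str, LdifValue]) -> str:
    """schemaIDGUID is stored as 16 raw bytes in the Windows GUID layout
    (first three fields little-endian), hence uuid's bytes_le constructor."""
    raw = entry.get("schemaIDGUID")
    if not isinstance(raw, bytes) or len(raw) != 16:
        raise ValueError("schemaIDGUID must be a 16-byte base64 value")
    return str(uuid.UUID(bytes_le=raw))


def ldif_value_for_guid(guid: str) -> str:
    """Inverse: the text to put after 'schemaIDGUID::' for a given GUID."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_LDIF)
    print(e["lDAPDisplayName"], schema_id_guid(e))
```

Running it prints the GUID that the ADAM file lists in its comment, which confirms the AD export and the ADAM LDF describe the same attribute.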


RE: [ActiveDir] OT: WSS and AD. WebPart user information

2006-10-11 Thread Ramon Linan
Frustrating! :) Sounds very hard to do for a .NET newbie like me. I
have worked with Zope and Plone before and everything is much easier...
Unluckily, we can't use Plone or other CMS I am more familiar with, and I
need to create this tool, web part or whatever so the users can update
their contact info.

I have done a few scripts in ASP to display information from AD and even to
change information in AD; my problem is how to do that inside
SharePoint, unless I can create an external page to do this and have a
link in the SharePoint site...

Anyway, thanks for the info, I will get your book to see if I can figure
things out.

Thanks 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Tuesday, October 10, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: WSS and AD. WebPart user information

Ryan and I wrote a whole book that is essentially all about how you
might write such a thing (www.directoryprogramming.net), but we don't
have any pre-baked web parts in the samples.  All the code is lower
level than that.

We also have such a thing that we use internally (actually a server
control, not a full web part) that uses Ajax and a popup query form to
implement an AD picker.  Unfortunately, I can't share it outside the
company.

The key to something like this is deciding how you want the security
model to work.  You can basically either use the trusted subsystem
design (use a service account to query AD) or use the delegated model
(flow the authenticated user's security context through to AD).  Since
SharePoint uses impersonation by default, the delegated model is what
you'll get unless you change something to implement the trusted
subsystem model.

Delegation is hard to get working, as it requires implementing Kerberos
delegation, one of the black arts of Windows AD configuration stuff. 
SharePoint tends to fight delegation as well, as versions before SP2
actually disable Kerberos authentication in the IIS metabase when it is
installed.  You have to undo that or get protocol transition working.
It can be icky.  :)

Joe K.

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 10, 2006 2:30 PM
Subject: [ActiveDir] OT: WSS and AD. WebPart user information


Hi everyone,

Does anyone know of a web part for Windows SharePoint Services 2 or 3 to
grab information from AD users?

I want to create a web part that will allow the user to update their contact
information and update AD at the same time.


Thanks

Rezuma 



RE: [ActiveDir] Discovering LDAPS availability

2006-10-11 Thread joe
The alternate solution I previously mentioned to David and his cohorts in
crime was a distasteful but functional solution of writing their own service
or script to register the records based on that script/service querying the
DCs and getting their LDAPS capability at any given point and then being
aware that there will be some level of latency there.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 


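joe's "distasteful but functional" approach, a script that probes each DC for LDAPS and registers the _ldaps records itself, sketched below as an added example in Python. This is not code from the thread or from any of its posters. It discovers DCs from the _ldap._tcp.dc._msdcs SRV name that NETLOGON does register, completes a verified TLS handshake on 636 against each one (so a DC that never enrolled with the CA, David's worry, is excluded rather than assumed good), and emits the SRV records a DC passed. Registering the records with the DNS server is left to whatever tooling you use; the domain, host names and probe outcomes in the sample data are constructed so the module runs offline.

```python
# Added example (not code from the thread): discover DCs via the SRV records
# they already publish, probe each for a working, trusted TLS listener on 636,
# and emit the _ldaps SRV records for the ones that pass.
import socket
import ssl
from typing import Callable, Dict, Iterable, List, Optional, Tuple

LDAPS_PORT = 636
ProbeResult = Tuple[bool, str]


def tls_probe(host: str, port: int = LDAPS_PORT, timeout: float = 3.0,
              cafile: Optional[str] = None) -> ProbeResult:
    """Real probe: TCP connect to the DC and complete a TLS handshake.

    The chain is verified against `cafile` (the enterprise CA bundle) or the
    system store when None, so a DC whose certificate is missing or untrusted
    is reported as NOT LDAPS-capable instead of merely 'port open'."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, "handshake ok (%s)" % tls.version()
    except ssl.SSLError as exc:          # listener answered but cert/handshake failed
        return False, "tls error: %s" % exc
    except OSError as exc:               # closed, filtered, timed out, unreachable
        return False, "connect error: %s" % exc


def discover_dcs(domain: str, resolver: Callable[[str], Iterable[str]]) -> List[str]:
    """DCs come from _ldap._tcp.dc._msdcs.<domain>, which NETLOGON registers;
    `resolver` maps that SRV owner name to its target host names."""
    return sorted(set(resolver("_ldap._tcp.dc._msdcs." + domain)))


def build_ldaps_srv_records(domain: str,
                            resolver: Callable[[str], Iterable[str]],
                            probe: Callable[[str], ProbeResult],
                            priority: int = 0, weight: int = 100
                            ) -> Tuple[List[str], Dict[str, ProbeResult]]:
    """Probe every DC; return (SRV records to register, per-DC report).

    Only DCs that pass get a record; failures stay in the report so missing
    enrolments can be chased. The records are a snapshot, so the interval at
    which this runs bounds how stale they can be (the latency joe mentions)."""
    records: List[str] = []
    report: Dict[str, ProbeResult] = {}
    for dc in discover_dcs(domain, resolver):
        ok, detail = probe(dc)
        report[dc] = (ok, detail)
        if ok:
            records.append("_ldaps._tcp.dc._msdcs.%s. SRV %d %d %d %s."
                           % (domain, priority, weight, LDAPS_PORT, dc))
    return records, report


# --- constructed sample data (hypothetical domain and DCs) for offline runs ---
SAMPLE_SRV = {"_ldap._tcp.dc._msdcs.corp.example":
              ["dc2.corp.example", "dc1.corp.example", "dc3.corp.example"]}
SAMPLE_STATE = {"dc1.corp.example": (True, "handshake ok (TLSv1.2)"),
                "dc2.corp.example": (False, "tls error: certificate verify failed"),
                "dc3.corp.example": (False, "connect error: timed out")}


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_SRV.get(name, [])


def sample_probe(host: str) -> ProbeResult:
    return SAMPLE_STATE.get(host, (False, "unknown host"))


if __name__ == "__main__":
    recs, rep = build_ldaps_srv_records("corp.example", sample_resolver, sample_probe)
    for dc, (ok, detail) in rep.items():
        print("%-18s %s  %s" % (dc, "LDAPS" if ok else "-----", detail))
    print("\n".join(recs))
```

For a live run, pass `tls_probe` (with `cafile` pointing at the enterprise CA chain) and a resolver backed by a real SRV lookup in place of the sample callables; the report is also a useful health check on its own, independent of whether you publish the records.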
RE: [ActiveDir] Discovering LDAPS availability

2006-10-11 Thread Thommes, Michael M.
In this context, would it make sense to write/use a servicePrincipalName
value? (maybe even using admod/adfind  8-)  )

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, October 11, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Discovering LDAPS availability

The alternate solution I previously mentioned to David and his cohorts
in
crime was a distasteful but functional solution of writing their own
service
or script to register the records based on that script/service querying
the
DCs and getting their LDAPS capability at any given point and then being
aware that there will be some level of latency there.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, October 11, 2006 3:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Discovering LDAPS availability

The project that I'm working on makes heavy use of LDAPS.  However, at
the 
moment, we favour the latter statement - the built DCs don't leave
staging

until the certs are pulled.  They must be signed off, and that's one of
the 
last items on the deployment check list.

We'll probably automate this check soon, but we're too busy with
automating 
the buillds at the moment.

Personally, I like the idea of _ldaps SRV RRs.  Although I can
appreciate 
there's a bit more to it from MSFTs point of view than simply getting 
NETLOGON to register them in DNS.


--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 10, 2006 10:45 PM
Subject: RE: [ActiveDir] Discovering LDAPS availability


 Hmm doesn't look like anyone else has figured this out or just doesn't
 deploy LDAPS or alternately makes sure every DC is capable of LDAPS.


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Loder
 Sent: Friday, October 06, 2006 8:51 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Discovering LDAPS availability

 joe's absolutely right.  What's trying to be
 accomplished is to publish new LDAPS SRV records for a
 300+ DC environment.  But I don't want to just blindly
 assume each DC properly enrolled with the CA (we had
 problems like that at the beginning), and I'd really
 like to avoid the overhead of touching each DC.
 Unfortunately, that's about the only viable method I
 see.

 We have a DCR in with MS to change the behavior so
 that the DCs automatically publish LDAPS if it's
 available.  But what we're hearing right now is that
 it's probably not in the pipeline until LH SP1.

 --- joe [EMAIL PROTECTED] wrote:

 LDAPS records aren't published by DCs, only LDAP
 records. I can assure you
 if it were that easy, David wouldn't have had an
 issue. From what I have
 seen, if a secure LDAP connection is required, the
 internal routines from
 MSFT simply locate a DC and go to the port. If LDAPS
 isn't hot, the
 connection is dropped with server down error.


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of
 [EMAIL PROTECTED]
 Sent: Thursday, October 05, 2006 6:28 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Discovering LDAPS
 availability

 Couldn't you just query the DNS for the SRV record
 advertising it...

 Matt Duguid
 Systems Engineer for Identity Services
 Department of Internal Affairs

 Phone: +64 4 4748028 (wellington)
 Mobile: +64 21 1713290
 Fax: +64 4 4748894
 Address: Level 4, 47 Boulcott Street, Wellington CBD
 E-mail: [EMAIL PROTECTED]
 Web: http://www.dia.govt.nz/



 From: David Loder [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 Sent: 06/10/2006 08:56 a.m.
 Please respond to: ActiveDir
 To: ActiveDir@mail.activedir.org
 cc:
 Subject: [ActiveDir] Discovering LDAPS availability


[ActiveDir] Configuring Logon Hours in time execution

2006-10-11 Thread Atila Firmino
Hi everybody,


 I need to configure the logon hours option of the user object in my VBScript. I know it is possible by copy, but I need to give more flexibility in hour configuration. Can somebody help me?

 Any suggestion will be appreciated.


 Thanks.


Atila


This message is intended exclusively for its addressee and may contain information that is confidential and protected by a professional privilege or whose disclosure is prohibited by law. Unauthorized use of such information is prohibited and subject to applicable penalties.


RE: [ActiveDir] OT: WSS and AD. WebPart user information

2006-10-11 Thread Brian Desmond
You'll have to download the Sharepoint templates from Microsoft for
Visual Studio and work on making a web part. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Wednesday, October 11, 2006 9:28 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: WSS and AD. WebPart user information
 
 Frustrating! :) Sounds very hard to do for a .NET newbie like me. I
 have worked with Zope and Plone before and everything is much easier...
 Unluckily, we can't use Plone or other CMSs I am more familiar with, and I
 need to create this tool, web part or whatever so the users can update
 their contact info.
 
 I have done a few scripts in ASP to display information from AD, even to
 change information in AD; my problem is how to do that inside
 SharePoint, unless I can create an external page to do this and have a
 link in the SharePoint site...
 
 Anyway, thanks for the info, I will get your book to see if I figure
 things out.
 
 Thanks
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
 Sent: Tuesday, October 10, 2006 9:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: WSS and AD. WebPart user information
 
 Ryan and I wrote a whole book that is essentially all about how you
 might write such a thing (www.directoryprogramming.net), but we don't
 have any pre-baked web parts in the samples.  All the code is lower
 level than that.
 
 We also have such a thing that we use internally (actually a server
 control, not a full web part) that uses Ajax and a popup query form to
 implement an AD picker.  Unfortunately, I can't share it outside the
 company.
 
 The key to something like this is deciding how you want the security
 model to work.  You can basically either use the trusted subsystem
 design (use a service account to query AD) or use the delegated model
 (flow the authenticated user's security context through to AD).  Since
 SharePoint uses impersonation by default, the delegated model is what
 you'll get unless you change something to implement the trusted
 subsystem model.
 
 Delegation is hard to get working, as it requires implementing Kerberos
 delegation, one of the black arts of Windows AD configuration stuff.
 SharePoint tends to fight delegation as well, as versions before SP2
 actually disable Kerberos authentication in the IIS metabase when it is
 installed.  You have to undo that or get protocol transition working.
 It can be icky.  :)
 
 Joe K.
 
 - Original Message -
 From: Ramon Linan
 To: ActiveDir@mail.activedir.org
 Sent: Tuesday, October 10, 2006 2:30 PM
 Subject: [ActiveDir] OT: WSS and AD. WebPart user information
 
 
 Hi everyone,
 
 Does anyone know of a web part for Windows SharePoint Services 2 or 3 to
 grab information from AD users?
 
 I want to create a web part that will allow the user to update their
 contact
 information and update AD at the same time.
 
 
 Thanks
 
 Rezuma
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] RealVNC removal

2006-10-11 Thread AdamT

On 09/10/06, Matt Hargraves [EMAIL PROTECTED] wrote:

I'd go with just disabling the service and setting it so that only Domain
Admins and System can even manage and/or see the service.  This is a
10-minute solution, whereas the others could take quite a bit of time to
research how to do correctly.


Since I put together a kludge to get UltraVNC config'd and out across
a few thousand machines a few months back, I've had to deal with the
removal of other VNCs.

Running winvnc.exe -unregister should remove it from the list of
services.  If you want to go a step further (as you'll need to in
order to get UltraVNC's domain auth to work), you'll want to get rid
of c:\progra~1\RealVnc\*.* /s and get rid of the keys under HKCU and HKLM:

Software\RealVNC
Software\ORL

Bit late in replying, but hey-ho, I still have 1,263 other mails to
attend to.



--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] OT: WSS and AD. WebPart user information

2006-10-11 Thread Joe Kaplan

The actual code for programming AD in .NET is pretty similar to ADSI
(since it uses ADSI under the hood).  There is a more powerful,
strongly typed search interface called the DirectorySearcher that is
actually much more powerful and easier to use than ADO for searching.
All in all, it really isn't that hard.

The difficult part is the security aspects of connecting to the
directory.  There really aren't any shortcuts here, and most of the
same issues would exist in an ASP page (you actually have fewer
choices in ASP, but the same basic problems).  Once you decide if you
want trusted subsystem or delegated model for authentication, the rest
falls into place.

The other issue is that you'll likely spend more time on the HTML/UI
aspects of the control than you will on the LDAP parts.  That's the
way it always seems to work out.  :)

Joe K.

On 10/11/06, Ramon Linan [EMAIL PROTECTED] wrote:

Frustrating! :) Sounds very hard to do for a .NET newbie like me. I
have worked with Zope and Plone before and everything is much easier...
Unluckily, we can't use Plone or other CMSs I am more familiar with, and I
need to create this tool, web part or whatever so the users can update
their contact info.

I have done a few scripts in ASP to display information from AD, even to
change information in AD; my problem is how to do that inside
SharePoint, unless I can create an external page to do this and have a
link in the SharePoint site...

Anyway, thanks for the info, I will get your book to see if I figure
things out.

Thanks




[ActiveDir] OT: File Server Permissions Design Question

2006-10-11 Thread Steve Evans
I've had difficulty finding a better forum in which to ask this.  And since
it involves AD Security Groups I thought I could get away with it.


We're in the process of migrating to a new file server.  Our shared drive 
has a basic structure of:

Shared\Department\Sub-Department\one public folder & one private folder

Our original thought was to have one Read and one Read/Write group for each
public and private folder.  Those groups would then be populated by role
based groups (department groups, position groups (ex all management)).  I've
written a script that you can point to a directory structure and it creates
the appropriate groups and assigns the security permissions.

However I end up creating a lot of groups.  Just in ITS (for example) we
have 15 sub-departments so that will produce 60 groups right there.  On the
other hand everything is very structured and in theory you can manage file
security permissions from within AD.  Since everything is scripted you never
need to go and look at folder permissions (except for the file server admin
guys when troubleshooting).

I'm also concerned that users will end up being in groups that are nested in
a substantial number of groups.  For instance most of the public-read
groups for ITS will contain the group ITS - All Staff.  That means any
given ITS employee will have 30 security group tokens just from this.


Any thoughts or opinions?

Steve Evans



[ActiveDir] Groups membership question

2006-10-11 Thread Aaron Steele

I have one for you guys. I have been puzzling over for a
while. Seems simple, but I haven't found a good solution.

Domain A one way trusts Domain B

Group in Domain A, contains members from Domain B.

Enumerate groups in Domain A, include membership for all
members in Domain B.

Or for the real answer. Find user in Domain B, and
tell me all group memberships from Domain A and Domain B.

Any ideas? I've tried adfind queries, I've
visited the windows scripting center and am at a loss.

Thanks for your help.

/aaron

Aaron Steele

Mobile: 773.580.8099

[EMAIL PROTECTED]

Main: 312.334.1900 Fax: 312.224.4789

_

pointbridge.com

- Microsoft's 2005 Advanced Infrastructure Partner of the Year

- Microsoft's 2005 Exchange Solution of the Year Winner


RE: [ActiveDir] recover a file server in Windows 2003

2006-10-11 Thread Philobatheer Guirgis
Hi Paul,

Unfortunately, this server is not clustered. I built another server similar to it. The production server is connected to the SAN. Suppose I want to disconnect the SAN and reconnect it to the new lab server; I think the shared folders will not be shared anymore on the lab server.

Do you know where in the registry the sharenames are located? I would like to copy the registry key from one server to another. Or I need a script that copies the sharenames from the old server to the new server without losing any data.

Thanks,
Phil

Paul van Geldrop [EMAIL PROTECTED] wrote:

How exactly do you plan to failover to this server (at least, that's what I presume you want to do)?

First option that springs to mind is setting up a two-node cluster, letting the cluster-resources reside on the SAN disks. That way, if one of the servers fails, everything'll smoothly transfer to the other server.

Keep in mind, however, that during the transfer connections to open files will hiccup (or even completely falter).

The nice part about clustering the lot is that you can just maintain the resource per se, instead of having to configure folders etc on two separate servers.

Regards,

Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philobatheer Guirgis
Sent: Wednesday, October 11, 2006 2:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] recover a file server in Windows 2003

Hi,

I am working on building a recovery server for a Windows 2003 file server. This file server is connected to the SAN and contains many shared folders. How could I configure the recovery server with the same shared folder if I connected it to the same SAN volumes?

Thanks,
Philo

Re: [ActiveDir] OT: File Server Permissions Design Question

2006-10-11 Thread Mark Parris
Have you looked at installing the Access based Enumeration feature pack and 
basing the permissioning on this type of model?

Assuming W2003.

Regards,




Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: Steve Evans [EMAIL PROTECTED]
Date: Wed, 11 Oct 2006 12:57:52 
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: File Server Permissions Design Question

I've had difficulty finding a better forum in which to ask this.  And since
it involves AD Security Groups I thought I could get away with it.


We're in the process of migrating to a new file server.  Our shared drive 
has a basic structure of:

Shared\Department\Sub-Department\one public folder & one private folder

Our original thought was to have one Read and one Read/Write group for each
public and private folder.  Those groups would then be populated by role
based groups (department groups, position groups (ex all management)).  I've
written a script that you can point to a directory structure and it creates
the appropriate groups and assigns the security permissions.

However I end up creating a lot of groups.  Just in ITS (for example) we
have 15 sub-departments so that will produce 60 groups right there.  On the
other hand everything is very structured and in theory you can manage file
security permissions from within AD.  Since everything is scripted you never
need to go and look at folder permissions (except for the file server admin
guys when troubleshooting).

I'm also concerned that users will end up being in groups that are nested in
a substantial number of groups.  For instance most of the public-read
groups for ITS will contain the group ITS - All Staff.  That means any
given ITS employee will have 30 security group tokens just from this.


Any thoughts or opinions?

Steve Evans


[ActiveDir] Account migration within the same Forest...

2006-10-11 Thread RM
Hi all, are there any simple 3rd party tools for copying a user account from one domain to another within the same forest?  ADMT is overkill and it does way more than I want/need it to do.  All I need is a copy of the account and for SIDhistory to be populated.

Thanks!
RM


RE: [ActiveDir] recover a file server in Windows 2003

2006-10-11 Thread Free, Bob
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares 

Saving and restoring existing Windows shares:
http://support.microsoft.com/kb/125996 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Philobatheer
Guirgis
Sent: Wednesday, October 11, 2006 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] recover a file server in Windows 2003


Hi Paul,

Unfortunately, this server is not clustered.  I built another server
similar to it.  The production server is connected to the SAN.  Suppose
I want to disconnect the SAN and reconnect it to the new lab server; I
think the shared folders will not be shared anymore on the lab server.
 
Do you know where in the registry the sharenames are located? I would
like to copy the registry key from one server to another.  Or I need a
script that copies the sharenames from the old server to the new server
without losing any data.
 
Thanks,
 Phil

Paul van Geldrop [EMAIL PROTECTED] wrote:

How exactly do you plan to failover to this server (at least,
that's what I presume you want to do) ? 
First option that springs to mind is setting up a two-node
cluster, letting the cluster-resources reside on the SAN disks. That
way, if one of the servers fails, everything'll smoothly transfer to the
other server. 
Keep in mind, however, that during the transfer connections to
open files will hiccup (or even completely falter).
The nice part about clustering the lot is that you can just
maintain the resource per se, instead of having to configure folders etc
on two separate servers.
 
Regards,
 
Paul
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Philobatheer
Guirgis
Sent: Wednesday, October 11, 2006 2:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] recover a file server in Windows 2003
 
Hi,
 
I am working on building a recovery server for a Windows 2003
file server.  This file server is connected to the SAN and contains many
shared folders.  How could I configure the recovery server with the same
shared folder if I connected it to the same SAN volumes?
 
Thanks,

Philo




Re: [ActiveDir] Groups membership question

2006-10-11 Thread Laura E. Hunter

Can memberof.exe do this?  (Another joeware gem.)  I've never tried to
run it against multiple domain memberships, but I know it chases
nested memberships beautifully - if I'm not mistaken, that's why joe
originally whipped it up.

- Laura

On 10/11/06, Aaron Steele [EMAIL PROTECTED] wrote:

I have one for you guys. I have been puzzling over for a while. Seems
simple, but I haven't found a good solution.

Domain A one way trusts Domain B

Group in Domain A, contains members from Domain B.

Enumerate groups in Domain A, include membership for all members in Domain
B.

Or for the real answer.  Find user in Domain B, and tell me all group
memberships from Domain A and Domain B.

Any ideas? I've tried adfind queries, I've visited the windows scripting
center and am at a loss.

Thanks for your help.

/aaron

Aaron Steele

Mobile: 773.580.8099

[EMAIL PROTECTED]

Main: 312.334.1900 Fax: 312.224.4789

_

pointbridge.com

- Microsoft's 2005 Advanced Infrastructure Partner of the Year

- Microsoft's 2005 Exchange Solution of the Year Winner





--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)


RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

2006-10-11 Thread Free, Bob
I can't for the life of me recall the name at the moment.  

NSPItool.exe ? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange in environment - reboot necessary
after a DC has been made a GC

The only other way I know to test if NSPI is working is to actually send
NSPI calls to the GC. There is a little unsupported command line tool
out there than can do that but I can't for the life of me recall the
name at the moment.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, September 27, 2006 7:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange in environment - reboot necessary
after a DC has been made a GC

I was misinformed, the rev of the DC is W2K, not W2K3 SP1. So that
clears up why Exchange is complaining about the GC needing a reboot
since it wasn't rebooted after it had been made a GC.

Interesting tool, RPC Dump; unfortunately I didn't get it to work just
yet. It gave me an error: The NTVDM CPU has encountered an illegal
instruction. When I choose Ignore, Command.com or Cmd.exe starts
using 100% CPU.

Out of curiosity; is there another way to check if the MS NT Directory
NSP Interface
is listed?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: zaterdag 23 september 2006 2:52
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] OT: Exchange in environment - reboot 
necessary
after a DC has been made a GC

What is the rev of the DC? Using RPC Dump do you see MS NT Directory 
NSP
Interface interfaces listed?

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of victor-
[EMAIL PROTECTED]
Sent: Friday, September 22, 2006 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: RE: [ActiveDir] OT: Exchange in environment - reboot 
necessary
after a DC has been made a GC

Yeah, I thought so, thanks for the info.

The damn thing is that Exchange still throws event 9176:

Event ID 9176 from MSExchangeSA occurred 1 times (NSPI Proxy can contact
Global Catalog servername but it does not support the NSPI service. After
a Domain Controller is promoted to a Global Catalog, the Global Catalog
must be rebooted to support MAPI Clients. Reboot servernamerio as soon as
possible.





- Oorspronkelijk bericht -
Van: joe [EMAIL PROTECTED]
Datum: vrijdag, september 22, 2006 4:38 pm
Onderwerp: RE: [ActiveDir] OT: Exchange in environment - reboot 
necessary
after a DC has been made a GC

 This is no longer necessary with current revs of AD. It was necessary 
 previously to get the NSPI functionality to fire up. Now it does that 
 automagically.
 
 
 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of victor-
 [EMAIL PROTECTED]: Friday, September 22, 2006 10:31 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Exchange in environment - reboot necessary 
 after a DC has been made a GC
 
 A question came up whether or not a reboot is really necessary after a
 DC has been made GC and Exchange would need to use this GC.
 
 I have worked in a pretty large environment (at least to my standards
 :- )), where DCs did not get rebooted after having been made GCs. The
 AD admins simply waited until event 1119 appeared.
 
 I have read the following article which indicates a reboot is 
 necessary if you have Exchange in the environment.
 
 http://support.microsoft.com/kb/304403/
 
 But is this really still necessary with Exchange 2003 SP2 and Windows
 2003 SP1?
 
 Cheers,
 
 
 Victor

RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

2006-10-11 Thread joe
That's it! 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, October 11, 2006 7:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange in environment - reboot necessary
after a DC has been made a GC

I can't for the life of me recall the name at the moment.  

NSPItool.exe ? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange in environment - reboot necessary
after a DC has been made a GC

The only other way I know to test if NSPI is working is to actually send
NSPI calls to the GC. There is a little unsupported command line tool
out there than can do that but I can't for the life of me recall the
name at the moment.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, September 27, 2006 7:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange in environment - reboot necessary
after a DC has been made a GC

I was misinformed, the rev of the DC is W2K, not W2K3 SP1. So that
clears up why Exchange is complaining about the GC needing a reboot
since it wasn't rebooted after it had been made a GC.

Interesting tool, RPC Dump; unfortunately I didn't get it to work just
yet. It gave me an error: The NTVDM CPU has encountered an illegal
instruction. When I choose Ignore, Command.com or Cmd.exe starts
using 100% CPU.

Out of curiosity; is there another way to check if the MS NT Directory
NSP Interface
is listed?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: zaterdag 23 september 2006 2:52
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] OT: Exchange in environment - reboot 
necessary
after a DC has been made a GC

What is the rev of the DC? Using RPC Dump do you see MS NT Directory 
NSP
Interface interfaces listed?

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of victor-
[EMAIL PROTECTED]
Sent: Friday, September 22, 2006 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: RE: [ActiveDir] OT: Exchange in environment - reboot 
necessary
after a DC has been made a GC

Yeah, I thought so, thanks for the info.

The damn thing is that Exchange still throws event 9176:

Event ID 9176 from MSExchangeSA occurred 1 times (NSPI Proxy can contact
Global Catalog servername but it does not support the NSPI service. After
a Domain Controller is promoted to a Global Catalog, the Global Catalog
must be rebooted to support MAPI Clients. Reboot servernamerio as soon as
possible.





- Oorspronkelijk bericht -
Van: joe [EMAIL PROTECTED]
Datum: vrijdag, september 22, 2006 4:38 pm
Onderwerp: RE: [ActiveDir] OT: Exchange in environment - reboot 
necessary
after a DC has been made a GC

 This is no longer necessary with current revs of AD. It was necessary 
 previously to get the NSPI functionality to fire up. Now it does that 
 automagically.
 
 
 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of victor-
 [EMAIL PROTECTED]: Friday, September 22, 2006 10:31 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Exchange in environment - reboot necessary 
 after a DC has been made a GC
 
 A question came up whether or not a reboot is really necessary after a
 DC has been made GC and Exchange would need to use this GC.
 
 I have worked in a pretty large environment (at least to my standards
 :- )), where DCs did not get rebooted after having been made GCs. The
 AD admins simply waited until event 1119 appeared.
 
 I have read the following article which indicates a reboot is 
 necessary if you have Exchange in the environment.
 
 http://support.microsoft.com/kb/304403/
 
 But is this really still necessary with Exchange 2003 SP2 and Windows
 2003 SP1?
 
 Cheers,
 
 
 Victor

RE: [ActiveDir] OT: wikis

2006-10-11 Thread joe
42 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, October 10, 2006 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

So, where would the ant be 5 seconds after the box started to tumble,
assuming it walks at 1 inch per hour (really slow ant). I'd really like to
know :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

And also, IMO, to help people realize they should question established
thought patterns.

I found it interesting that you teach math to children yet you don't get
enough math until pretty well into university that you can understand how it
actually works.

Mostly though I found the story problems fun, like when you have to build an
equation that will give you the point in space at any given point in time
where an ant is if he is walking towards the center of a 78 RPM record at x
inches per hour that is in a box that is tumbling at some fixed interval
falling off the edge of the Grand Canyon. Completely worthless in terms of
useful info, but a great mental exercise type problem.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, October 09, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

They like it because it shows that division by zero can bite you without
being obvious.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, October 08, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

I've seen that stunt a few times. I'm not sure the point of showing it
but math teachers love to demonstrate it for some reason.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, October 05, 2006 2:22 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis

 Careful, I recall a math professor in my differential equations class
 or maybe it was higher throwing a proof up on the board showing that
 1 + 1 != 2, and it wasn't a numerical base trick.

 I didn't follow through it, I just closed my eyes and shook my head and
 thought forward to my communications class as the sights were easier on
 the eyes...

 I still wonder why I went into a field with such a high ratio of men to
 women... :)


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
 Robinson
 Sent: Thursday, October 05, 2006 12:55 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis

 999,998 + 2 = 1,000,000, not 100,000. ;-)

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
  Sent: Thursday, October 05, 2006 11:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: wikis
 
 
   It's funny how we quote wikis as definitive sources of information,
   when they can be edited by anyone and everyone :)

   Who vets the edits and how much does that person know about the
   subject matter??

  Anyone can edit, which is why they are generally correct.
  When 100,000 people view a record, and 2 people want to change it to
  be incorrect, 999,998 will want to correct it.

  I wouldn't use a wiki as a great historical or technical source.
  But for encyclopedia entries, which give a good summation of a
  subject, they are great.
 
 
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Configuring Logon Hours in time execution

2006-10-11 Thread joe
Title: Configuring Logon Hours in time execution



This is, to my knowledge, an unpublished blob. However I seem to recall it was
not very difficult to break apart.

Your real problem is doing that in VBScript because quite frankly, VBScript
sucks for things like this (as well as many other things). I would, in your
shoes, go out into the public AD newsgroups and start looking for posts by
Richard Mueller as he is one of the best for pulling stuff off in VBScript in
relation to AD out there.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Atila Firmino
Sent: Wednesday, October 11, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Configuring Logon Hours in time execution

Hi everybody,
I need to configure the logon hour option of the user object in my
VBScript. I know it is possible by copy but I need to give more flexibility
in hour configuration. Can somebody help me?
Any suggestion will be appreciated.
Thanks.
Atila

This message is intended exclusively for its addressee and may contain 
information that is confidential and protected by a professional privilege or 
whose disclosure is prohibited by law. Unauthorized use of such information is 
prohibited and subject to applicable penalties.
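
joe calls logonHours an unpublished blob that is not hard to break apart. The following is an added example of doing exactly that, not code from joe or from the original poster, and in Python rather than the VBScript the question was about. The layout it assumes is 21 bytes = 168 bits, one bit per hour of the week starting Sunday 00:00 in UTC, bit 0 of each byte being the earliest hour in that byte's 8-hour span, 1 = logon permitted. The weekday window and the UTC+1 shift at the bottom are made-up inputs.

```python
"""Encode and decode the Active Directory logonHours attribute.

Added example, not from the list thread. Assumed layout: 21 bytes = 168 bits,
one bit per hour of the week starting Sunday 00:00 UTC, bit 0 of each byte is
the earliest hour of that byte's span, 1 = logon permitted.
"""
from typing import List, Set, Tuple

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
HOURS_PER_WEEK = 168


def decode_logon_hours(blob: bytes) -> List[bool]:
    """168 flags, index = day*24 + hour, all in UTC. An absent/empty attribute
    is treated as 'no restriction', i.e. every hour permitted."""
    if len(blob) == 0:
        return [True] * HOURS_PER_WEEK
    if len(blob) != 21:
        raise ValueError("logonHours must be 21 bytes")
    return [bool((blob[i // 8] >> (i % 8)) & 1) for i in range(HOURS_PER_WEEK)]


def encode_logon_hours(allowed: List[bool]) -> bytes:
    """Inverse of decode_logon_hours."""
    if len(allowed) != HOURS_PER_WEEK:
        raise ValueError("need exactly 168 hour flags")
    out = bytearray(21)
    for i, ok in enumerate(allowed):
        if ok:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)


def allow_window(days: Set[str], start_hour: int, end_hour: int,
                 utc_offset: int = 0) -> bytes:
    """Blob permitting logon on the given LOCAL days from start_hour (inclusive)
    to end_hour (exclusive), where local = UTC + utc_offset hours. The attribute
    itself is UTC, so hours crossing midnight move to the neighbouring UTC day."""
    allowed = [False] * HOURS_PER_WEEK
    for d, name in enumerate(DAYS):
        if name not in days:
            continue
        for h in range(start_hour, end_hour):
            allowed[(d * 24 + h - utc_offset) % HOURS_PER_WEEK] = True
    return encode_logon_hours(allowed)


def describe(blob: bytes) -> List[Tuple[str, int, int]]:
    """Collapse the bitmap into (day, first_hour, end_hour_exclusive) runs, UTC."""
    allowed = decode_logon_hours(blob)
    runs: List[Tuple[str, int, int]] = []
    for d, name in enumerate(DAYS):
        h = 0
        while h < 24:
            if allowed[d * 24 + h]:
                start = h
                while h < 24 and allowed[d * 24 + h]:
                    h += 1
                runs.append((name, start, h))
            else:
                h += 1
    return runs


if __name__ == "__main__":
    # Constructed input: office hours Mon-Fri 08:00-18:00, clock already in UTC.
    office = allow_window({"Mon", "Tue", "Wed", "Thu", "Fri"}, 8, 18)
    print(office.hex())
    print(describe(office))
    # Same idea for a site one hour ahead of UTC: the window shifts back an hour.
    print(describe(allow_window({"Mon"}, 0, 2, utc_offset=1)))
```

The part that bites people writing this attribute directly is the timezone: the blob is stored in UTC while the Users and Computers dialog shows and edits it in the admin's local time, so a script has to apply the same shift (the utc_offset parameter here) or the window lands an hour or more off. Write the result back with a plain LDAP modify of logonHours as an octet string; the decoder above is also a quick way to audit what is already set across a domain.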


RE: [ActiveDir] Discovering LDAPS availability

2006-10-11 Thread joe
Not really. Certainly it is an option as would any normal AD attribute
(existing or you create), but you would end up binding to a DC to search it
to find a DC to bind to. A DNS record makes the most sense as you simply ask
for the site/domain specific LDAPS record, just like you do for LDAP.
Probably be good to implement a GCS as well.

  joe 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, October 11, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Discovering LDAPS availability

In this context, would it make sense to write/use a servicePrincipalName
value? (maybe even using admod/adfind  8-)  )

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, October 11, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Discovering LDAPS availability

The alternate solution I previously mentioned to David and his cohorts in
crime was a distasteful but functional solution of writing their own service
or script to register the records based on that script/service querying the
DCs and getting their LDAPS capability at any given point and then being
aware that there will be some level of latency there.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, October 11, 2006 3:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Discovering LDAPS availability

The project that I'm working on makes heavy use of LDAPS.  However, at the
moment, we favour the latter statement - the built DCs don't leave staging
until the certs are pulled.  They must be signed off, and that's one of the
last items on the deployment check list.

We'll probably automate this check soon, but we're too busy with automating
the builds at the moment.

Personally, I like the idea of _ldaps SRV RRs.  Although I can appreciate
there's a bit more to it from MSFTs point of view than simply getting
NETLOGON to register them in DNS.


--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 10, 2006 10:45 PM
Subject: RE: [ActiveDir] Discovering LDAPS availability


 Hmm doesn't look like anyone else has figured this out or just doesn't
 deploy LDAPS or alternately makes sure every DC is capable of LDAPS.


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Loder
 Sent: Friday, October 06, 2006 8:51 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Discovering LDAPS availability

 joe's absolutely right.  What's trying to be
 accomplished is to publish new LDAPS SRV records for a
 300+ DC environment.  But I don't want to just blindly
 assume each DC properly enrolled with the CA (we had
 problems like that at the beginning), and I'd really
 like to avoid the overhead of touching each DC.
 Unfortunately, that's about the only viable method I
 see.

 We have a DCR in with MS to change the behavior so
 that the DCs automatically publish LDAPS if it's
 available.  But what we're hearing right now is that
 it's probably not in the pipeline until LH SP1.

 --- joe [EMAIL PROTECTED] wrote:

 LDAPS records aren't published by DCs, only LDAP
 records. I can assure you
 if it were that easy, David wouldn't have had an
 issue. From what I have
 seen, if a secure LDAP connection is required, the
 internal routines from
 MSFT simply locate a DC and go to the port. If LDAPS
 isn't hot, the
 connection is dropped with server down error.


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Thursday, October 05, 2006 6:28 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Discovering LDAPS availability

 Couldn't you just query the DNS for the SRV record
 advertising it...

 Matt Duguid
 Systems Engineer for Identity Services
 Department of Internal Affairs

 Phone: +64 4 4748028 (wellington)
 Mobile: +64 21 1713290
 Fax: +64 4 4748894
 Address: Level 4, 47 Boulcott Street, Wellington CBD
 E-mail: [EMAIL PROTECTED]
 Web: http://www.dia.govt.nz/




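The thread's conclusion is that nothing in DNS tells a client which DCs actually have LDAPS up, so a script has to touch each DC on 636 and then publish records only for the ones that pass, as joe sketches above. Below is an added example of that check, not code from joe, David or anyone on the list, written in Python rather than a 2006-era script. It assumes DC hostnames come from the _ldap._tcp SRV lookup the DCs do publish, an _ldaps owner-name layout that mirrors the _ldap one, and a constructed four-host sample fleet (dc01 to dc04.corp.example) that stands in for the network so it runs offline.

```python
"""Probe DCs for working LDAPS; emit _ldaps SRV records only for those that pass.

Added example, not code from the list thread. Assumes: DC hostnames come from
the _ldap._tcp SRV records DCs do publish; the _ldaps owner name mirrors the
_ldap layout; SAMPLE_FLEET is a constructed stand-in for the real network.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

LDAPS_PORT = 636
TlsOpen = Callable[[str, int, float], dict]


@dataclass
class LdapsResult:
    host: str
    ok: bool
    reason: str
    subject_cn: Optional[str] = None
    not_after: Optional[str] = None


def _tls_open(host: str, port: int, timeout: float) -> dict:
    """Network path: TCP connect, TLS handshake with chain + hostname checks
    against the local trust store, return the peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def _subject_cn(cert: dict) -> Optional[str]:
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe_ldaps(host: str, port: int = LDAPS_PORT, timeout: float = 3.0,
                tls_open: TlsOpen = _tls_open) -> LdapsResult:
    """'ok' only if 636 completes a TLS handshake AND the cert chains to a
    trusted CA and names the host. A DC that never enrolled has no server
    cert and fails the handshake; one not listening refuses the connection."""
    try:
        cert = tls_open(host, port, timeout)
    except ssl.SSLCertVerificationError as exc:
        return LdapsResult(host, False, f"certificate rejected: {exc}")
    except (TimeoutError, socket.timeout):
        return LdapsResult(host, False, "timeout")
    except ssl.SSLError as exc:
        return LdapsResult(host, False, f"tls handshake failed: {exc}")
    except ConnectionRefusedError:
        return LdapsResult(host, False, "connection refused")
    except OSError as exc:
        return LdapsResult(host, False, f"connect failed: {exc}")
    return LdapsResult(host, True, "ok", _subject_cn(cert), cert.get("notAfter"))


def ldaps_srv_name(domain: str, site: Optional[str] = None) -> str:
    """Owner name for the (assumed) _ldaps record, following the
    _ldap._tcp[.<site>._sites].<domain> layout Netlogon uses for _ldap."""
    if site:
        return f"_ldaps._tcp.{site}._sites.{domain}".lower()
    return f"_ldaps._tcp.{domain}".lower()


def build_srv_records(domain: str, results: List[LdapsResult],
                      site: Optional[str] = None, ttl: int = 600,
                      priority: int = 0, weight: int = 100) -> List[str]:
    """Zone-file SRV lines for the DCs that passed. Failures are left out so a
    client that asks DNS for LDAPS is never handed a DC with a dead 636."""
    owner = ldaps_srv_name(domain, site)
    return [f"{owner}. {ttl} IN SRV {priority} {weight} {LDAPS_PORT} {r.host}."
            for r in results if r.ok]


# Constructed sample fleet (not real hosts): what the probe would see on each.
SAMPLE_FLEET: Dict[str, object] = {
    "dc01.corp.example": {"subject": ((("commonName", "dc01.corp.example"),),),
                          "notAfter": "Oct 11 00:00:00 2007 GMT"},
    "dc02.corp.example": ssl.SSLError("handshake failure"),        # never enrolled
    "dc03.corp.example": ssl.SSLCertVerificationError("self signed certificate"),
    "dc04.corp.example": ConnectionRefusedError(),                  # 636 not listening
}


def sample_tls_open(host: str, port: int, timeout: float) -> dict:
    """Drop-in for _tls_open that replays SAMPLE_FLEET offline."""
    outcome = SAMPLE_FLEET[host]
    if isinstance(outcome, BaseException):
        raise outcome
    return outcome  # type: ignore[return-value]


if __name__ == "__main__":
    found = [probe_ldaps(h, tls_open=sample_tls_open) for h in SAMPLE_FLEET]
    for r in found:
        print(f"{r.host:20} {r.reason}")
    print("\n".join(build_srv_records("corp.example", found, site="Default-First-Site-Name")))
```

Accepting any TLS handshake is not enough: a DC whose auto-enrolled certificate has lapsed or chains to a CA the clients do not trust still opens 636, which is why the probe verifies the chain and hostname before counting a DC as LDAPS-capable. For a real run, swap the sample fleet for the hostnames returned by the _ldap._tcp SRV lookup, keep the default `_tls_open`, and re-run on a schedule, since the records you publish go stale as soon as a cert expires or a DC is rebuilt (the latency joe mentions).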
RE: [ActiveDir] Account migration within the same Forest...

2006-10-11 Thread joe
Title: Account migration within the same Forest...



AdMod will do it.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of RM
Sent: Wednesday, October 11, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account migration within the same Forest...

Hi all, are there any simple 3rd party tools for copying a user account from
one domain to another within the same forest? ADMT is overkill and it does
way more than I want/need it to do. All I need is a copy of the account and
for SID history to be populated.


Thanks!
RM



RE: [ActiveDir] OT: A short and sweet KB

2006-10-11 Thread joe



Dmitri... for you I am tempted... I am not sure how well 
the MVP program would treat me afterward though... Maybe if I can somehow do it 
with Dean's credentials...


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Tuesday, October 10, 2006 5:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: A short and sweet KB


Do you mind writing a KB with the following content:

Whatever you are trying to do is not supported.

It would be a great KB to refer folks to. I really need it quite often. I
would memorize the KB number. Hell, I would include it into my signature.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joe
Sent: Tuesday, October 10, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: A short and sweet KB

LOL that is great...

I have thought about using my MVP Super Powers to write small KBs like that
in the past so I could point at it for people to read when I said something
simple that isn't specifically documented but they wanted to see documents
on Microsoft's site stating what I said... In the end I didn't do it
because, well it just doesn't seem right. ;)

  joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Al Mulnick
Sent: Tuesday, October 10, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: A short and sweet KB

It's tough to decide what to do with so much information. The symptoms or
introduction section really does overload one's information bucket. :)

On 10/9/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Do not run a service by using a service account that belongs to a
different domain:
http://support.microsoft.com/?kbid=925099

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] OT: A short and sweet KB

2006-10-11 Thread joe
Admin: It hurts when I do this...
MSKB: Stop doing that. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Tuesday, October 10, 2006 7:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: A short and sweet KB

Or a corollary KB to that one:

What you are trying to do is downright foolish.  Please stop.

On 10/10/06, Dmitri Gavrilov [EMAIL PROTECTED] wrote:



 Do you mind writing a KB with the following content:



 Whatever you are trying to do is not supported.



 It would be a great KB to refer folks to. I really need it quite often. I
 would memorize the KB number. Hell, I would include it into my signature.




 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 joe
 Sent: Tuesday, October 10, 2006 2:21 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: A short and sweet KB




 LOL that is great...



 I have thought about using my MVP Super Powers to write small KBs like
that
 in the past so I could point at it for people to read when I said
something
 simple that isn't specifically documented but they wanted to see documents
 on Microsoft's site stating what I said... In the end I didn't do it
 because, well it just doesn't seem right. ;)



   joe




 --

 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm







 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al
 Mulnick
 Sent: Tuesday, October 10, 2006 9:37 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: A short and sweet KB

 It's tough to decide what to do with so much information.  The symptoms or
 introduction section really does overload one's information bucket. :)


 On 10/9/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 [EMAIL PROTECTED] wrote:

 Do not run a service by using a service account that belongs to a
 different domain:
 http://support.microsoft.com/?kbid=925099

 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will
 hunt you down...
 http://blogs.technet.com/sbs





-- 
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_
(http://tinyurl.com/z7svl)


RE: [ActiveDir] OT: wikis

2006-10-11 Thread Steve Egan \(Temp\)
Ummm, what's 6 X 9 ??

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, October 11, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

42 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, October 10, 2006 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

So, where would the ant be 5 seconds after the box started to tumble,
assuming it walks at 1 inch per hour (really slow ant). I'd really like to
know :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

And also, IMO, to help people realize they should question established
thought patterns.

I found it interesting that you teach math to children yet you don't get
enough math until pretty well into university that you can understand how it
actually works.

Mostly though I found the story problems fun, like when you have to build an
equation that will give you the point in space at any given point in time
where an ant is if he is walking towards the center of a 78 RPM record at x
inches per hour that is in a box that is tumbling at some fixed interval
falling off the edge of the grand canyon. Completely worthless in terms of
useful info but a great mental exercise type problem.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, October 09, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

They like it because it shows that division by zero can bite you without
being obvious.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, October 08, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

I've seen that stunt a few times. I'm not sure the point of showing it
but math teachers love to demonstrate it for some reason.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, October 05, 2006 2:22 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis

 Careful, I recall a math professor in my differential equations class
 or maybe it was higher throwing a proof up on the board showing that
 1 + 1 != 2
 and it wasn't a numerical base trick

 I didn't follow through it, I just closed my eyes and shook my head and
 thought forward to my communications class as the sights were easier on
 the eyes...

 I still wonder why I went into a field with such a high ratio of men to
 women... :)


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
 Robinson
 Sent: Thursday, October 05, 2006 12:55 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis

 999,998 + 2 = 1,000,000, not 100,000. ;-)

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
  Sent: Thursday, October 05, 2006 11:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: wikis
 
 
   It's funny how we quote wikis as definitive sources of information,
   when they can be edited by anyone and everyone :)

   Who vets the edits and how much does that person know about the
   subject matter??

  Anyone can edit, which is why they are generally correct.
  When 100,000 people view a record, and 2 people want to change it to
  be incorrect, 999,998 will want to correct it.

  I wouldn't use a wiki as a great historical or technical source.
  But for encyclopedia entries, which give a good summation of a
  subject, they are great.
 
 

RE: [ActiveDir] Groups membership question

2006-10-11 Thread joe



The users from Domain B in the Domain A groups will be represented as FSPs
(remember you are outside of your forest). So there will be no direct linkage
capability to do this in any single query.

In order to find the memberships of a Domain B user (userDomB) in Domain A,
you will need to find the FSP for userDomB in Domain A and then look at the
memberships of that FSP. This you can either do by looking at the memberof
attribute of the FSP or doing a query against Domain B.

So you could do something like

adfind -b DN_FOR_DOM_A -f name=userDomB_SID memberof


You always hear that SIDs go into groups and that is what is stored, yes,
except for AD groups, those store DNs, that is why you can add OUs or
Contacts or printers or any kind of object you want to an AD group but can't
do the same on a machine that uses a registry based SAM DB and why you have
to use FSPs for references to objects outside of the local forest.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Steele
Sent: Wednesday, October 11, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Groups membership question


I have one for you guys. I have been puzzling over for a while. Seems simple,
but I haven't found a good solution.

Domain A one way trusts Domain B

Group in Domain A, contains members from Domain B.

Enumerate groups in Domain A, include membership for all members in Domain B.
Or for the real answer. Find user in Domain B, and tell me all group
memberships from Domain A and Domain B.

Any ideas? I've tried adfind queries, I've visited the windows scripting
center and am at a loss.

Thanks for your help.

/aaron

Aaron Steele
Mobile: 773.580.8099
[EMAIL PROTECTED]
Main: 312.334.1900 Fax: 312.224.4789
_
pointbridge.com

-Microsoft's 2005 Advanced Infrastructure Partner of the Year
-Microsoft's 2005 Exchange Solution of the Year Winner

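As an added example (not joe's or Aaron's code, with an in-memory stand-in for the directory so it runs offline), the Python below carries joe's two steps through: decode the Domain B user's binary objectSid into the SID string that is the FSP's name in Domain A, build the filter that the adfind line above expresses, and read memberOf from that FSP. The 28-byte SID blob, the FSP entries and the group DNs under doma.example are constructed sample data; a real run would send the two filters to a DC in each domain.

```python
"""Resolve a trusted-domain user's Domain A group memberships via its FSP.

Added example; not code from joe or Aaron. Steps as joe lays them out:
objectSid (binary, from Domain B) -> SID string -> the FSP named by that SID
in Domain A -> its memberOf. The directory is replaced by a constructed
in-memory sample so this runs offline.
"""
import struct
from typing import Dict, List


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary SID: 1-byte revision, 1-byte sub-authority count,
    6-byte big-endian identifier authority, N little-endian 32-bit sub-auths."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def ldap_escape_bytes(blob: bytes) -> str:
    """RFC 4515 escaping for a binary value inside a search filter."""
    return "".join(f"\\{b:02x}" for b in blob)


def user_sid_filter(objectsid: bytes) -> str:
    """Locate the user itself in Domain B by its binary objectSid."""
    return f"(&(objectClass=user)(objectSid={ldap_escape_bytes(objectsid)}))"


def fsp_filter(sid: str) -> str:
    """Locate the FSP in Domain A. Its cn/name IS the SID string, which is why
    joe's 'adfind -f name=<SID>' works; objectClass is added so nothing else
    that happens to carry that name is matched."""
    return f"(&(objectClass=foreignSecurityPrincipal)(name={sid}))"


# Constructed sample: Domain A's FSP container, keyed by FSP name -> memberOf.
DOMAIN_A_FSPS: Dict[str, List[str]] = {
    "S-1-5-21-1234567890-1234567890-1234567890-1105": [
        "CN=App Admins,OU=Groups,DC=doma,DC=example",
        "CN=Remote Desktop Users,CN=Builtin,DC=doma,DC=example",
    ],
}

# Constructed sample: userDomB's objectSid as AD returns it (28 bytes).
USER_DOMB_OBJECTSID = bytes.fromhex(
    "0105000000000005" "15000000"
    "d2029649" "d2029649" "d2029649" "51040000"
)


def memberships_in_domain_a(objectsid: bytes,
                            fsps: Dict[str, List[str]] = DOMAIN_A_FSPS) -> List[str]:
    """Direct Domain A memberships of a Domain B principal. No FSP means the
    principal was never added to any Domain A group. memberOf is a back-link
    of direct membership only; nested groups need a second pass."""
    sid = sid_bytes_to_string(objectsid)
    return list(fsps.get(sid, []))


if __name__ == "__main__":
    sid = sid_bytes_to_string(USER_DOMB_OBJECTSID)
    print(user_sid_filter(USER_DOMB_OBJECTSID))   # step 1, against Domain B
    print(fsp_filter(sid))                        # step 2, against Domain A
    for dn in memberships_in_domain_a(USER_DOMB_OBJECTSID):
        print("  ", dn)
```

Two caveats worth keeping in mind when this is run for real: memberOf on the FSP only shows direct membership, so a group in Domain A that contains another Domain A group which contains the FSP will not appear without walking member recursively; and if the FSP is missing altogether, the user has never been added to anything in Domain A, which is itself a useful answer when auditing cross-domain access.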


RE: [ActiveDir] Account becomes disabled by DCs when it logs in.

2006-10-11 Thread joe



Ok I expect you mean it gets disabled, not deleted.

What happens if you try to logon to the account normally or with an ldap
bind? I.E. If the service isn't involved, what happens?



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, October 10, 2006 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account becomes disabled by DCs when it logs in.
This is a non-interactive account, but when the service that uses the
account goes to login to the PDC emulators, the account gets deleted.

This is only happening to 1 account, we have deleted and recreated the
account, have created a new account with the same name (and rights) after
renaming the old account, no matter what we do the account (call it
disableduser for simplicity's sake), it gets disabled every time it tries to
do what it does. Oh yeah, the account was running for well over a year
without a problem.

The PDC emulators are Win2k running in a 2003 mixed mode environment (our
backup and auditing tools don't support our 64-bit 2003 DCs yet, waiting on
those to be updated before moving the roles over to a 2003 DC) and the GPOs
on the Domain Controllers OU haven't changed in quite some time (or at the
domain level).

The account hasn't expired and every time the account logs in
(non-interactively), the DC Service account (servername$) disables the
account with a 642 event and *not* a 629 event.

I've banged my head against this for a day or so and figured I'd fire off
something here before calling MS. This is a service-type account and
changing the name would take a lot of time adjusting the environment to
reflect the new name. Is there some MS patch that might be biting us in the
rear that may have been applied in the last 2-3 weeks? I'm just kinda
baffled on this, never seen a DC disable an account for apparently no
reason.


Re: [ActiveDir] OT: wikis

2006-10-11 Thread Laura E. Hunter

In base 13.

On 10/11/06, Steve Egan (Temp) [EMAIL PROTECTED] wrote:

Ummm, what's 6 X 9 ??

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, October 11, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

42


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, October 10, 2006 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

So, where would the ant be 5 seconds after the box started to tumble,
assuming it walks at 1 inch per hour (really slow ant). I'd really like to
know :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

And also, IMO, to help people realize they should question established
thought patterns.

I found it interesting that you teach math to children yet you don't get
enough math until pretty well into university that you can understand how it
actually works.

Mostly though I found the story problems fun, like when you have to build an
equation that will give you the point in space at any given point in time
where an ant is if he is walking towards the center of a 78 RPM record at x
inches per hour that is in a box that is tumbling at some fixed interval
falling off the edge of the grand canyon. Completely worthless in terms of
useful info but a great mental exercise type problem.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, October 09, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

They like it because it shows that division by zero can bite you without
being obvious.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, October 08, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

I've seen that stunt a few times. I'm not sure the point of showing it
but math teachers love to demonstrate it for some reason.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, October 05, 2006 2:22 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis

 Careful, I recall a math professor in my differential equations class
 or maybe it was higher throwing a proof up on the board showing that
 1 + 1 != 2
 and it wasn't a numerical base trick

 I didn't follow through it, I just closed my eyes and shook my head and
 thought forward to my communications class as the sights were easier on
 the eyes...

 I still wonder why I went into a field with such a high ratio of men to
 women... :)


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
 Robinson
 Sent: Thursday, October 05, 2006 12:55 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis

 999,998 + 2 = 1,000,000, not 100,000. ;-)

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
  Sent: Thursday, October 05, 2006 11:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: wikis
 
 
   It's funny how we quote wikis as definitive sources of information,
   when they can be edited by anyone and everyone :)

   Who vets the edits and how much does that person know about the
   subject matter??

  Anyone can edit, which is why they are generally correct.
  When 100,000 people view a record, and 2 people want to change it to
  be incorrect, 999,998 will want to correct it.

  I wouldn't use a wiki as a great historical or technical source.
  But for encyclopedia entries, which give a good summation of a
  subject, they are great.
 
 

[ActiveDir] RE: [ActiveDir] OT: wikis

2006-10-11 Thread Tim Vander Kooi
Richard Nixon?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Wednesday, October 11, 2006 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Ummm, what's 6 X 9 ??

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, October 11, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

42 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, October 10, 2006 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

So, where would the ant be 5 seconds after the box started to tumble,
assuming it walks at 1 inch per hour (really slow ant). I'd really like to
know :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

And also, IMO, to help people realize they should question established
thought patterns.

I found it interesting that you teach math to children yet you don't get
enough math until pretty well into university that you can understand how it
actually works.

Mostly though I found the story problems fun, like when you have to build an
equation that will give you the point in space at any given point in time
where an ant is if he is walking towards the center of a 78 RPM record at x
inches per hour that is in a box that is tumbling at some fixed interval
falling off the edge of the grand canyon. Completely worthless in terms of
useful info but a great mental exercise type problem.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, October 09, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

They like it because it shows that division by zero can bite you without
being obvious.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, October 08, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

I've seen that stunt a few times. I'm not sure the point of showing it
but math teachers love to demonstrate it for some reason.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, October 05, 2006 2:22 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis

 Careful, I recall a math professor in my differential equations class
 or maybe it was higher throwing a proof up on the board showing that
 1 + 1 != 2
 and it wasn't a numerical base trick

 I didn't follow through it, I just closed my eyes and shook my head and
 thought forward to my communications class as the sights were easier on
 the eyes...

 I still wonder why I went into a field with such a high ratio of men to
 women... :)


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
 Robinson
 Sent: Thursday, October 05, 2006 12:55 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis

 999,998 + 2 = 1,000,000, not 100,000. ;-)

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
  Sent: Thursday, October 05, 2006 11:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: wikis
 
 
   It's funny how we quote wikis as definitive sources of information,
   when they can be edited by anyone and everyone :)
   
   Who vets the edits and how much does that person know about the
   subject matter??
  
  Anyone can edit, which is why they are generally correct.
  When 100,000 people view a record, and 2 people want to change it to
  be incorrect, 999,998 will want to correct it.
 
  I wouldn't use a wiki as a great historical or technical source.
  But for encyclopedia entries, which give a good summation of a
  subject, they are great.
 
 
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] RE: [ActiveDir] OT: wikis

2006-10-11 Thread joe
AuH2O 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Wednesday, October 11, 2006 8:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RE: [ActiveDir] OT: wikis

Richard Nixon?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Wednesday, October 11, 2006 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Ummm, what's 6 X 9 ??

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, October 11, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

42 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, October 10, 2006 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

So, where would the ant be 5 seconds after the box started to tumble,
assuming it walks at 1 inch per hour (really slow ant). I'd really like
to know :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

And also, IMO, to help people realize they should question established
thought patterns.

I found it interesting that you teach math to children yet you don't get
enough math until pretty well into university that you can understand
how it actually works.

Mostly though I found the story problems fun, like when you have to
build an equation that will give you the point in space at any given
point in time where an ant is if he is walking towards the center of a
78 RPM record at x inches per hour that is in a box that is tumbling at
some fixed interval falling off the edge of the grand canyon. Completely
worthless in terms of useful info but a great mental exercise type
problem.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, October 09, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

They like it because it shows that division by zero can bite you without
being obvious.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, October 08, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

I've seen that stunt a few times. I'm not sure the point of showing it
but math teachers love to demonstrate it for some reason.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, October 05, 2006 2:22 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis

 Careful, I recall a math professor in my differential equations class
 or maybe it was higher throwing a proof up on the board showing that
 1 + 1 != 2 and it wasn't a numerical base trick

 I didn't follow through it, I just closed my eyes and shook my head and
 thought forward to my communications class as the sights were easier on
 the eyes...

 I still wonder why I went into a field with such a high ratio of men to
 women... :)


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
 Robinson
 Sent: Thursday, October 05, 2006 12:55 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis

 999,998 + 2 = 1,000,000, not 100,000. ;-)

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
  Sent: Thursday, October 05, 2006 11:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: wikis
 
 
   It's funny how we quote wikis as definitive sources of information,
   when they can be edited by anyone and everyone :)
   
   Who vets the edits and how much does that person know about the
   subject matter??
  
  Anyone can edit, which is why they are generally correct.
  When 100,000 people view a record, and 2 people want to change it to
  be incorrect, 999,998 will want to correct it.
 
  I wouldn't use a wiki as a great historical or technical source.
  But for encyclopedia entries, which give a good summation of a
  subject, they are great.
 
 

Re: [ActiveDir] OT: WSS and AD. WebPart user information. How to configure IIS so my asp script can change user's attr in AD

2006-10-11 Thread Joe Kaplan
See, I told you the security was the hard part.  :) This is no different in 
.NET.


Like I said, the first thing to decide is whether you want to use trusted 
subsystem or delegation as your security architecture.  That will determine 
the settings to use and any additional configuration.


Remember that in ASP, impersonation is ALWAYS on (you can't disable it like 
you can in .NET), so your code will not execute with the permissions of the 
process account, only the authenticated user.


The authenticated user will either be the anonymous IIS user (if you have 
anonymous checked) or the browser user if you are using IWA or Basic.  By 
default, the anonymous user is a local machine account, so you can't use 
that to access AD.  You'd need to change that to a service account.  That 
would give you a trusted subsystem.


Another way to create a trusted subsystem is to just pass in plaintext 
credentials to ADSI (using OpenDSObject and the equivalent in ADO).  This 
allows you to avoid dealing with the from the Windows security perspective.


If you want to use the authenticated user's credentials and use IWA, you 
must get Kerberos delegation working like Tomasz said.  This is fun.  :)


Joe K.

- Original Message - 
From: Tomasz Onyszko [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, October 11, 2006 4:19 PM
Subject: Re: [ActiveDir] OT: WSS and AD. WebPart user information. How to 
configure IIS so my asp script can change user's attr in AD




Ramon Linan wrote:

 I decided to go with asp, I exclude a path from SharePoint and use asp,
that will make things easier at first.

Now the problem that I am having is, how do I configure IIS so the
authenticated users can see/modify some of their attributes in AD?

If I use the default AD IUSR for that server (IUSR_servername, in the
directory security under anonymous access), that user can't change things
in AD, but I can't use an administrator account either for security
reasons... so how should I configure IIS so it lets me query and change
users' attributes in AD?


You have two options:
1. Configure IIS application pool with account which will have rights to 
modify attributes in AD


2. Use Kerberos delegation to impersonate user and make changes in 
security context of user who is logged on to web page

http://support.microsoft.com/kb/810572/


ad.1. The problem is that you have to put some control mechanisms in place 
on the web page to protect users from changing other users' details etc., as in 
this model your application pool account is capable of making changes to 
objects and attributes. This is controlled via ACLs on the directory object.


ad.2. In this case you are using the user's context to access the DS and to make 
changes to attributes which the user has the right to access. With Windows 2003 
you can use constrained Kerberos delegation. When you use delegation, 
just remember that sensitive accounts (like Ent. Admins, Domain Admins) 
should not be allowed to be delegated (this is an option on the AD account).


--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
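The two architectures Joe K. and Tomasz lay out above (trusted subsystem with a least-privilege application pool account, or Kerberos constrained delegation with sensitive accounts marked non-delegable) are easy to get half right. The script below is an added example written for this page, not code from the thread or from either poster. It uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, so newer than the thread) plus dsacls.exe. Everything site-specific is an assumption: an OU named "Staff" holding the self-service users, an IIS application pool identity of svc-selfservice, and three phone/office attributes as the only fields the page edits.

```powershell
# Added example, not from the thread. Sets up either of the two security
# architectures discussed above and audits delegation afterwards.
# Assumptions (change for your forest): OU "Staff", service account
# svc-selfservice, and the three editable attributes below.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$usersOu    = "OU=Staff,$($domain.DistinguishedName)"   # assumed OU
$svcAccount = 'svc-selfservice'                          # assumed app pool identity
$editable   = 'telephoneNumber', 'mobile', 'physicalDeliveryOfficeName'

# ---- Option 1: trusted subsystem ------------------------------------------
# Every write reaches AD as svc-selfservice, not as the browser user, so the
# ACL can only bound WHAT the account may touch; the ASP page itself must
# enforce that a user edits only their own object. Grant inheritable
# write-property on the chosen attributes of user objects under the OU only.
function Grant-TrustedSubsystemRights {
    foreach ($attr in $editable) {
        & dsacls.exe $usersOu /I:S /G "$($domain.NetBIOSName)\${svcAccount}:WP;$attr;user"
    }
}

# ---- Option 2: Kerberos constrained delegation (Windows Server 2003+) -------
# IIS impersonates the authenticated user and may forward that identity only
# to the LDAP service on the listed domain controllers. AD then evaluates the
# user's own rights (in a default schema SELF may already write its own
# personal-information attributes), so no application-side ownership check
# is needed.
function Enable-ConstrainedDelegation {
    $ldapSpns = Get-ADDomainController -Filter * |
        ForEach-Object { "ldap/$($_.HostName)" }
    Set-ADUser -Identity $svcAccount -Add @{ 'msDS-AllowedToDelegateTo' = $ldapSpns }
    # Kerberos-only. Unconstrained delegation would let the service impersonate
    # the user to ANY service; protocol transition (TrustedToAuthForDelegation)
    # would let it obtain tickets for any user without their credentials.
    Set-ADAccountControl -Identity $svcAccount `
        -TrustedForDelegation $false -TrustedToAuthForDelegation $false
}

# ---- Tomasz's caveat: sensitive accounts must not be delegable -------------
# A delegating service that impersonates a Domain Admin is a Domain Admin at
# every DC's LDAP service. Set "Account is sensitive and cannot be delegated"
# (NOT_DELEGATED, userAccountControl bit 0x100000) on privileged members.
function Protect-PrivilegedAccounts {
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $groups | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property distinguishedName -Unique |
        ForEach-Object {
            Set-ADAccountControl -Identity $_.distinguishedName -AccountNotDelegated $true
        }
}

# ---- Audit: who may delegate, and to what ----------------------------------
# Bit 0x80000 (524288) is TRUSTED_FOR_DELEGATION (unconstrained, any service);
# msDS-AllowedToDelegateTo lists constrained targets. Domain controllers are
# expected to show up as unconstrained; any other hit deserves a look.
function Get-DelegationReport {
    Get-ADObject -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))' `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
        Select-Object Name, ObjectClass,
            @{ n = 'Unconstrained'; e = { ($_.userAccountControl -band 0x80000) -ne 0 } },
            @{ n = 'AllowedTo';     e = { $_.'msDS-AllowedToDelegateTo' -join ',' } }
}

Grant-TrustedSubsystemRights      # pick this ...
# Enable-ConstrainedDelegation    # ... or this, not both
Protect-PrivilegedAccounts
Get-DelegationReport | Format-Table -AutoSize
```

Option 2 only works end to end once the IIS side from the KB article Tomasz linked is in place as well: the application pool runs as svc-selfservice, an HTTP/<web host> SPN is registered on that account (setspn), and the site uses Integrated Windows Authentication so the browser actually obtains a Kerberos ticket rather than falling back to NTLM, which cannot be delegated. Run Get-DelegationReport again after any change; the only unconstrained entries should be the domain controllers themselves.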