RE: [ActiveDir] Lingering info following domain rename with rendom

2006-10-17 Thread Almeida Pinto, Jorge de
Tony,

Don't forget to rename the DCs as that is an additional action after the
domain rename

jorge

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, October 17, 2006 05:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lingering info following domain 
rename with rendom

Aha, the rendom /clean was what I hadn't run.  In typical 
fashion I ignored everything after /rendom /end (and 
GPFixUp). This is a lab environment after all :-)

Thanks Steve - it was driving me nuts.

Tony

-- Original Message --
From: Steve Linehan [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 16 Oct 2006 20:10:15 -0700

Have you run the rendom /clean operation yet?  Also what is 
the output of netdom /enumerate:ALLNAMES ?


Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, October 16, 2006 9:19 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Lingering info following domain rename 
with rendom

Hi all

I've renamed a domain using the rendom utility.  All appears 
to have gone well, but I now get 5781 Netlogon errors in the 
System event log complaining that it can't register DNS 
records associated with the old domain.  This doesn't appear 
to affect anything, but I'm keen to know why this is happening.

The SRV records for the new domain name are all registered 
correctly (AD integrated DNS).

If I look in the netlogon.dns file I see records 
representing both the old domain name (let's say old.com) 
and the new domain name (new.com).

The old zone was AD integrated, so I've trawled through AD 
looking for references to the old zone, but I can't find 
anything.  I've looked in the following locations, but all 
seems normal, i.e. references to the new domain name.

CN=MicrosoftDNS,CN=System,DomainDN
DC=DomainDNSZones,DomainDN
DC=ForestDNSZones,DomainDN

I've tried clearing the server cache, but no joy.

I've tried deleting the netlogon.dns and netlogon.dnb and 
restarting the netlogon service, but that didn't help.  Each 
time the newly created netlogon.dns contains records 
corresponding to the old domain.

The netlogon log file (with debugging turned on) contains 
the following references to the old domain:

10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating DnsDomainNameAlias from (null) to old.com
10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating DnsForestNameAlias from (null) to old.com

Any thoughts on where the old domain information might be 
coming from?

Tony

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
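
A check for the symptom described in this thread, as an added example that is not part of the original messages: it reads netlogon.dns-style records and reports every owner name that still falls under the pre-rename domain. The sample records, host names and function names are constructed for illustration; old.com and new.com are the placeholder names used in the post.

```python
"""Report records in a netlogon.dns file that still belong to a pre-rename domain."""
from collections import defaultdict

# Constructed sample in the record layout Netlogon writes to
# %SystemRoot%\System32\config\netlogon.dns: owner, TTL, IN, type, data.
# The notold.com line is a deliberate boundary case for the suffix match.
SAMPLE_NETLOGON_DNS = """\
new.com. 600 IN A 10.0.0.10
_ldap._tcp.new.com. 600 IN SRV 0 100 389 dc1.new.com.
_ldap._tcp.pdc._msdcs.new.com. 600 IN SRV 0 100 389 dc1.new.com.
_kerberos._tcp.dc._msdcs.new.com. 600 IN SRV 0 100 88 dc1.new.com.
old.com. 600 IN A 10.0.0.10
_ldap._tcp.old.com. 600 IN SRV 0 100 389 dc1.new.com.
_ldap._tcp.dc._msdcs.old.com. 600 IN SRV 0 100 389 dc1.new.com.
_ldap._tcp.notold.com. 600 IN SRV 0 100 389 dc9.notold.com.
"""


def in_domain(name, domain):
    """True if name equals domain or sits below it (match on label boundaries)."""
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def parse_records(text):
    """Yield (owner, ttl, rtype, rdata) for each well-formed record line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[1].isdigit() or parts[2].upper() != "IN":
            continue  # blank line or anything that is not a resource record
        yield parts[0], int(parts[1]), parts[3].upper(), " ".join(parts[4:])


def stale_records(text, old_domain):
    """Group records whose owner name is still under old_domain by record type."""
    found = defaultdict(list)
    for owner, _ttl, rtype, rdata in parse_records(text):
        if in_domain(owner, old_domain):
            found[rtype].append((owner, rdata))
    return dict(found)


if __name__ == "__main__":
    for rtype, records in stale_records(SAMPLE_NETLOGON_DNS, "old.com").items():
        for owner, rdata in records:
            print(f"stale {rtype:5} {owner} -> {rdata}")
```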


RE: [ActiveDir] Lingering info following domain rename with rendom

2006-10-17 Thread neil.ruston
Useful, relevant papers here:
http://www.microsoft.com/technet/downloads/winsrvr/domainrename.mspx

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: 17 October 2006 08:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lingering info following domain rename with
rendom

Tony,

Don't forget to rename the DCs as that is an additional action after the
domain rename

jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, October 17, 2006 05:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lingering info following domain rename with 
rendom

Aha, the rendom /clean was what I hadn't run.  In typical fashion I 
ignored everything after /rendom /end (and GPFixUp). This is a lab 
environment after all :-)

Thanks Steve - it was driving me nuts.

Tony

-- Original Message --
From: Steve Linehan [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 16 Oct 2006 20:10:15 -0700

Have you run the rendom /clean operation yet?  Also what is the 
output of netdom /enumerate:ALLNAMES ?


Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, October 16, 2006 9:19 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Lingering info following domain rename with 
rendom

Hi all

I've renamed a domain using the rendom utility.  All appears to have 
gone well, but I now get 5781 Netlogon errors in the System event log 
complaining that it can't register DNS records associated with the 
old domain.  This doesn't appear to affect anything, but I'm keen to 
know why this is happening.

The SRV records for the new domain name are all registered correctly 
(AD integrated DNS).

If I look in the netlogon.dns file I see records representing both 
the old domain name (let's say old.com) and the new domain name 
(new.com).

The old zone was AD integrated, so I've trawled through AD looking 
for references to the old zone, but I can't find anything.  I've 
looked in the following locations, but all seems normal, i.e. 
references to the new domain name.

CN=MicrosoftDNS,CN=System,DomainDN
DC=DomainDNSZones,DomainDN
DC=ForestDNSZones,DomainDN

I've tried clearing the server cache, but no joy.

I've tried deleting the netlogon.dns and netlogon.dnb and restarting 
the netlogon service, but that didn't help.  Each time the newly 
created netlogon.dns contains records corresponding to the old 
domain.

The netlogon log file (with debugging turned on) contains the 
following references to the old domain:

10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating DnsDomainNameAlias from (null) to old.com
10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating DnsForestNameAlias from (null) to old.com

Any thoughts on where the old domain information might be coming 
from?

Tony

Re: [ActiveDir] userAccountControl 544

2006-10-17 Thread Paul Williams

If you create with ADSI, e.g. VBScript, and don't set a password before the
initial setInfo you get 2 + 32 + 512. If you then set the password, you can
un-set 32. If you don't set a password and you have a password restriction
policy, you cannot un-set 32 or 2.

Setting the password won't change the value of userAccountControl, you have
to do that by yourself.

Note. Although it doesn't really do much if you have password policies in
place, it is probably not recommended to set 32, therefore you need to
instruct your provisioning people on how to properly create a user object.

Note also. The cookbook code (http://techtasks.com/code/viewbookcode/1555)
will end up with a value of 544. So you need to take this into account and
set uac at the end in addition to enabling the user (personally, I would not
use accountDisabled() and would set uac to what I want).

If you want to go through what you have and correct this, assuming all users
have a password, you can do this with ADMOD:

adfind -default -bit -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=32))" userAccountControl -adcsv | admod userAccountControl::{{userAccountControl::CLR::32}} -unsafe

[Re] Note. If you have a pwd policy in place, you must set passwords first.

--Paul


  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, October 17, 2006 6:24 AM
  Subject: RE: [ActiveDir] userAccountControl 544

  D*mn I’m glad you can understand my gibberish. I reread that post and
  came up with a ‘what the h*//???’

  In the circumstance w/ ADSI, what would be the proper routine to follow?
  After the user is created and the password set, do you change the value
  of 544 back to 512?

  I’ve noticed the same about 544. The user doesn’t appear to have
  sufficient rights to reset their password to a blank password. The
  administrator (or someone with full control on the object – have not
  verified what permissions exactly) can set their password to null all
  day long. That’s kind of dismaying.

  Also, 544 doesn’t go back to 512 after the user password has changed so
  it’s kind of subject to always holding the capacity for a blank
  password. Don’t really like that either…

  Thanks for the information, as always. I picked up your book, by the
  way. Fun read.
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Tuesday, October 17, 2006 12:43 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] userAccountControl 544

  Depends on how the user is created. If using ADSI, you cannot specify a
  password while creating the user so if you have a password length policy
  then you have to create the account disabled or set to allow a blank
  password or both.

  With the raw LDAP API (and I would expect S.DS.Protocols), you can
  create an enabled user because you can specify the password in the ADD
  op. You can do that with admod if you like.

  Note that an account set with 544 doesn't necessarily have a blank
  password, but it could be.

  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, October 16, 2006 5:19 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] userAccountControl 544

  I think I’ve figured it out. :) Thanks all.

  :m:dsm:cci:mvp| marcusoh.blogspot.com

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oh, Marcus (CCI-Atlanta)
  Sent: Monday, October 16, 2006 11:57 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] userAccountControl 544

  Trying to understand this value. Seeing it set on some of my user
  objects. So … 512 would be a normal user but 32 means that no password
  is required. When a new user object is created, my understanding (by
  reading quite a few threads) is that 544 is the default uac. Does this
  sound right?

  Is there a point when something doesn’t need to listen to domain policy?
  It should fail to meet standards by the password length… now, I’m not
  sure how I can verify the actual password is set to nothing. On one
  particular account, I’ve tried logging in with a blank password but get
  a bad password failure.

  Thanks all!
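
The arithmetic in this thread (544 = 512 + 32, and 2 + 32 + 512 for an account created without a password), as an added example that is not code from the thread: it decodes userAccountControl and lists the accounts that still carry bit 32, with the value each would have once that bit is cleared. The CSV rows, DNs and function names are constructed for illustration, and the decoder goes slightly beyond the thread by naming a few other documented flags.

```python
"""Decode userAccountControl and find accounts that carry PASSWD_NOTREQD (32)."""
import csv
import io

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

# Subset of the documented userAccountControl bit field.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Constructed export with a dn column and a userAccountControl column.
SAMPLE_EXPORT = '''"dn","userAccountControl"
"CN=alice,OU=Staff,DC=example,DC=test","512"
"CN=bob,OU=Staff,DC=example,DC=test","544"
"CN=carol,OU=Staff,DC=example,DC=test","546"
"CN=svc-print,OU=Service,DC=example,DC=test","66080"
'''


def decode_uac(value):
    """Return the flag names set in value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits this table does not name
    if unknown:
        names.append(f"OTHER(0x{unknown:X})")
    return names


def audit_passwd_notreqd(csv_text):
    """List accounts with bit 32 set and the value they would have without it."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        if not (uac & PASSWD_NOTREQD):
            continue
        findings.append({
            "dn": row["dn"],
            "uac": uac,
            "flags": decode_uac(uac),
            "enabled": not (uac & ACCOUNTDISABLE),
            # Clearing only bit 32 leaves every other flag as it was.
            "proposed_uac": uac & ~PASSWD_NOTREQD,
        })
    # Enabled accounts first: those are the ones usable for logon today.
    findings.sort(key=lambda f: (not f["enabled"], f["dn"]))
    return findings


if __name__ == "__main__":
    for f in audit_passwd_notreqd(SAMPLE_EXPORT):
        state = "enabled" if f["enabled"] else "disabled"
        print(f'{f["dn"]}: {f["uac"]} {f["flags"]} ({state}) -> {f["proposed_uac"]}')
```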


RE: [ActiveDir] userAccountControl 544

2006-10-17 Thread joe

Yes once the user is created and the password set, change the UAC to 512.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 17, 2006 1:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] userAccountControl 544

D*mn I’m glad you can understand my gibberish. I reread that post and
came up with a ‘what the h*//???’

In the circumstance w/ ADSI, what would be the proper routine to follow?
After the user is created and the password set, do you change the value
of 544 back to 512?

I’ve noticed the same about 544. The user doesn’t appear to have
sufficient rights to reset their password to a blank password. The
administrator (or someone with full control on the object – have not
verified what permissions exactly) can set their password to null all
day long. That’s kind of dismaying.

Also, 544 doesn’t go back to 512 after the user password has changed so
it’s kind of subject to always holding the capacity for a blank
password. Don’t really like that either…

Thanks for the information, as always. I picked up your book, by the
way. Fun read.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 17, 2006 12:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] userAccountControl 544

Depends on how the user is created. If using ADSI, you cannot specify a
password while creating the user so if you have a password length policy
then you have to create the account disabled or set to allow a blank
password or both.

With the raw LDAP API (and I would expect S.DS.Protocols), you can
create an enabled user because you can specify the password in the ADD
op. You can do that with admod if you like.

Note that an account set with 544 doesn't necessarily have a blank
password, but it could be.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 16, 2006 5:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] userAccountControl 544

I think I’ve figured it out. :) Thanks all.

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oh, Marcus (CCI-Atlanta)
Sent: Monday, October 16, 2006 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] userAccountControl 544

Trying to understand this value. Seeing it set on some of my user
objects. So … 512 would be a normal user but 32 means that no password
is required. When a new user object is created, my understanding (by
reading quite a few threads) is that 544 is the default uac. Does this
sound right?

Is there a point when something doesn’t need to listen to domain policy?
It should fail to meet standards by the password length… now, I’m not
sure how I can verify the actual password is set to nothing. On one
particular account, I’ve tried logging in with a blank password but get
a bad password failure.

Thanks all!


RE: [ActiveDir] Determine disabled computer accounts

2006-10-17 Thread joe



Me too. :)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 17, 2006 1:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determine disabled computer accounts

I use that quite successfully for user accounts too. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Monday, October 16, 2006 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determine disabled computer accounts

Thanks everyone. Three hits same reference. I think I'm seeing a pattern
here. Checking it out. ;-)

Thanks
Jerry

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 16, 2006 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Determine disabled computer accounts

Joe's OldCmp with the -onlydisabled command line switch.
http://www.joeware.net/win/free/tools/oldcmp.htm

Thanks,
Andrew Fidel

"Condra, Jerry W Mr HP" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/16/2006 01:50 PM
Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Determine disabled computer accounts

Hello all

I'm trying to determine the number of computer accounts as well as which
are disabled for our three domains. I've tried Quest Reporter, ADUC and
Hyena but I'm not able to get the disabled computers from any of those
tools. I'm assuming at this point it will take a script but I'm not sure
of the attribute to use. From what I've gathered from web searches it
looks like I should use the userAccountControl attribute. But that
doesn't seem to give me the necessary answer either. Any help is
appreciated.

Thanks
Jerry


RE: [ActiveDir] userAccountControl 544

2006-10-17 Thread joe
The password attribute is unicodePwd.

If you want to see it in action, here is a command that will create 100
enabled userids in a domain. Do a network trace and you will verify that
there is but a single LDAP call for each and every ID.

admod -sc adau:100;SomePassword1!;cn=mytestuser,ou=testou,dc=domain,dc=com

That is a shortcut switch which submits the following real switches to
admod...

Selected Switches
-add
-autobase 100:ou=testou,dc=test,dc=loc
-bmod {{*RDN*}}_{{*cnt*}},{{*parent*}}
-csv
-expand
-exterr
-kerbenc

Selected Attributes
unicodepwd::SomePassword1!
objectclass::user
useraccountcontrol::512
pwdlastset::-1
samaccountname::{{*name*}}_{{*cnt*}}
 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: Michael B Allen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 17, 2006 2:15 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] userAccountControl 544

On Tue, 17 Oct 2006 00:42:59 -0400
joe [EMAIL PROTECTED] wrote:

 With the raw LDAP API (and I would expect S.DS.Protocols), you can create an
 enabled user because you can specify the password in the ADD op.

You can? How? What's the name of the attribute?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
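
What the single ADD operation described in this message carries, as an added example that is not joe's code or admod's implementation: unicodePwd is sent as the password wrapped in double quotes and encoded as UTF-16LE, alongside the other attributes in the list above. The DNs, function names and the `_1`, `_2` numbering are assumptions for illustration, and the LDIF text is only a readable way to show the values.

```python
"""Build the attribute values for one LDAP ADD that creates an enabled AD user."""
import base64

SAM_MAX_LEN = 20          # sAMAccountName limit for user objects
DN_SPECIAL = set(',+"\\<>;=#')


def encode_unicode_pwd(password):
    """unicodePwd value: the password inside double quotes, encoded as UTF-16LE."""
    if not password:
        # An empty password is exactly what the 544 discussion is trying to avoid.
        raise ValueError("refusing to create an account with an empty password")
    return f'"{password}"'.encode("utf-16-le")


def new_user_ldif(cn, parent_dn, password, uac=512):
    """Return an LDIF add record with the attributes listed in the message above."""
    if len(cn) > SAM_MAX_LEN:
        raise ValueError(f"sAMAccountName longer than {SAM_MAX_LEN} characters")
    if DN_SPECIAL & set(cn):
        raise ValueError("cn contains characters that need DN escaping")
    pwd_b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    lines = [
        f"dn: CN={cn},{parent_dn}",
        "changetype: add",
        "objectClass: user",
        f"sAMAccountName: {cn}",
        f"userAccountControl: {uac}",   # 512: enabled, password required
        "pwdLastSet: -1",
        f"unicodePwd:: {pwd_b64}",      # '::' marks a base64 value in LDIF
    ]
    return "\n".join(lines) + "\n"


def bulk_ldif(base_cn, parent_dn, count, password):
    """One add record per user, named base_cn_1 .. base_cn_count (assumed numbering)."""
    return "\n".join(
        new_user_ldif(f"{base_cn}_{i}", parent_dn, password)
        for i in range(1, count + 1)
    )


if __name__ == "__main__":
    # AD accepts unicodePwd only over an encrypted connection
    # (LDAPS, StartTLS or a sealed SASL/Kerberos bind).
    print(bulk_ldif("mytestuser", "OU=testou,DC=example,DC=test", 2, "SomePassword1!"))
```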



RE: [ActiveDir] Seperating Database and logs on seperate disks

2006-10-17 Thread joe
:)

Fun issue! I never would have hit it. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 2:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

AH HA
http://support.microsoft.com/default.aspx?scid=kb;en-us;909265

residual energy drink kicked in

Locate the operating system, the database, and the log files according 
to scenarios 1, 2 or 5. Drive letter assignments on the domain 
controllers do not have to match those in the table.



joe wrote:
 Wow... That is a psychedelic post...

 :)


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
 aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, October 17, 2006 12:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

 In the back recesses of my brain I seem to remember a KB that indicated 
 issues when one was there and the other was there and then it got moved 
 over there but not consistent with there that not so good things 
 happened.  (but I just ran out of Mountain Dew Energy drink so I could 
 be delusional right now)


 joe wrote:

 I am surprised there aren't more responses to this.

 My personal opinion is that a vast majority of installations don't need to
 separate off the logs for perf. In fact, I have often recommended running
 everything on a single RAID 0+1/10/5 (partition logically if you want to say
 separate off the OS and the AD stuff) to get better perf than splitting logs
 and OS off onto their own disks. Especially in larger orgs for Exchange GCs
 that tried to follow the deployment docs and do mirror, mirror, mirror or
 mirror, mirror, 0+1 but didn't have enough disks to get a good 0+1.

 In every case that I have had to review DCs with questionable disk subsystem
 perf, the issues are always around the DIT while the disks for the OS and
 the Logs are snoozing with IOPS sitting there not being used that could have
 saved the DIT from getting sucked into the mud. Rebuilding the disk
 subsystem with all disks in one of the above configurations has alleviated
 the issues in every case. Whether RAID 5 or 0+1/10 is faster you will want
 to test with your own disk subsystems (say with IOMETER), it seems to vary. I
 have seen RAID-5 faster and I have seen on different machines 0+1/10 faster.
 A case I am aware of where the logs definitely were good off on their own
 and would have seriously impacted perf if they weren't was Eric's DIT
 experiment where he built a 2TB DIT but he was adding objects at a very high
 rate of speed constantly for quite a while so the logs were being beaten
 pretty well.

  joe


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm 
  

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of AD
 Sent: Monday, October 16, 2006 11:29 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Seperating Database and logs on seperate disks

 Is there any other reason other then performance to have the Active
 Directory log files and database on separate disks?
  
 Opinions are welcome.
  
 Thanks
  
 Yves


RE: [ActiveDir] userAccountControl 544

2006-10-17 Thread joe

You have to love the new bitwise capabilities of admod... I love it and
have to say how cool it is even though I wrote the darn functionality.
Very very useful. :) The new admod cuts down considerably on the VBScript
I have to write now.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, October 17, 2006 4:48 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] userAccountControl 544

If you create with ADSI, e.g. VBScript, and don't set a password before the
initial setInfo you get 2 + 32 + 512. If you then set the password, you can
un-set 32. If you don't set a password and you have a password restriction
policy, you cannot un-set 32 or 2.

Setting the password won't change the value of userAccountControl, you have
to do that by yourself.

Note. Although it doesn't really do much if you have password policies in
place, it is probably not recommended to set 32, therefore you need to
instruct your provisioning people on how to properly create a user object.

Note also. The cookbook code (http://techtasks.com/code/viewbookcode/1555)
will end up with a value of 544. So you need to take this into account and
set uac at the end in addition to enabling the user (personally, I would not
use accountDisabled() and would set uac to what I want).

If you want to go through what you have and correct this, assuming all users
have a password, you can do this with ADMOD:

adfind -default -bit -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=32))" userAccountControl -adcsv | admod userAccountControl::{{userAccountControl::CLR::32}} -unsafe

[Re] Note. If you have a pwd policy in place, you must set passwords first.

--Paul


  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, October 17, 2006 6:24 AM
  Subject: RE: [ActiveDir] userAccountControl 544

  D*mn I’m glad you can understand my gibberish. I reread that post and
  came up with a ‘what the h*//???’

  In the circumstance w/ ADSI, what would be the proper routine to follow?
  After the user is created and the password set, do you change the value
  of 544 back to 512?

  I’ve noticed the same about 544. The user doesn’t appear to have
  sufficient rights to reset their password to a blank password. The
  administrator (or someone with full control on the object – have not
  verified what permissions exactly) can set their password to null all
  day long. That’s kind of dismaying.

  Also, 544 doesn’t go back to 512 after the user password has changed so
  it’s kind of subject to always holding the capacity for a blank
  password. Don’t really like that either…

  Thanks for the information, as always. I picked up your book, by the
  way. Fun read.
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Tuesday, October 17, 2006 12:43 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] userAccountControl 544

  Depends on how the user is created. If using ADSI, you cannot specify a
  password while creating the user so if you have a password length policy
  then you have to create the account disabled or set to allow a blank
  password or both.

  With the raw LDAP API (and I would expect S.DS.Protocols), you can
  create an enabled user because you can specify the password in the ADD
  op. You can do that with admod if you like.

  Note that an account set with 544 doesn't necessarily have a blank
  password, but it could be.

  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, October 16, 2006 5:19 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] userAccountControl 544

  I think I’ve figured it out. :) Thanks all.

  :m:dsm:cci:mvp| marcusoh.blogspot.com

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oh, Marcus (CCI-Atlanta)
  Sent: Monday, October 16, 2006 11:57 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] userAccountControl 544

  Trying to understand this value. Seeing it set on some of my user
  objects. So … 512 would be a normal user but 32 means that no password
  is required. When a new user object is created, my understanding (by
  reading quite a few threads) is that 544 is the default uac. Does this
  sound right?

  Is there a point when something doesn’t need to listen to domain policy?
  It should fail to meet standards by the password length… now, I’m not
  sure how I can verify the actual password is set to

RE: [ActiveDir] Seperating Database and logs on seperate disks

2006-10-17 Thread joe
What were the support reasons? Someone whined until they got the OS on
RAID-1 because that is the way everyone says they should do it or another
popular one is that is the way we always do it? 

One of the issues is that most of the machines folks like to make into DCs
just don't have enough disk slots to have multiple spindles for the DIT if
you take up 4 for the OS and Logs. If you can get away with mirror/mirror/6
disk 0+1/10... Excellent, especially if x64 with sufficient RAM. If the disk
counters start to show queuing on the DIT drive greater than what I consider
heavy load (~2x#spindles) though I wouldn't hesitate to tear that down and
make it into a single 10 disk RAID 0+1/10/5. With x64, as Paul indicated,
that generally shouldn't happen though unless you don't have enough memory
or possibly you have recently rebooted and are defrosting the cache.

Mostly though, people should be looking at their own perf counters and
figuring out what they should be doing. Pay especially close attention to
Exchange GCs during the morning rush and the after lunch rush, those are
the two areas that tend to initially start showing pain. 

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, October 17, 2006 5:03 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

Having discussed this quite a lot recently, I'll give you all an insight 
into how I wanted to do it and how we are doing it (support reasons caused 
me to be overridden):

[want] 6 disks in a RAID10 array, with three volumes: OS, DIT & Logs, SYSVOL
and Scratch area.
[reality] 2 disks in a RAID1 array for OS; 4 disks in a RAID10 array for 
DIT & Logs, with another volume for SYSVOL and scratch.

Scratch contains the IFM directory (temporarily) and perf logs, etc.

I agree with Joe 100% (probably because we have discussed this offline in 
depth and he has moulded my opinions <g> ).  Smaller environments don't need
to worry about it.  Big environments need to think about it.  Although, as 
Joe mentions, it's rare you'll need much space for the log files.  Even if 
you provision a couple of hundred thousand users (which takes an hour or 
two) you don't need much space for logs.  Which is why I hate the 3x RAID1 
idea that is out there.  Disks are cheap for sure, but that's still a 
serious waste of two disks where they could be put to use for the DIT, which
is being slammed with read requests.

Also remember that in smaller environments, or medium-sized environments 
that have dedicated DCs, a DL360 (or equivalent) which only has room for two
local disks, will happily run as a DC.  A couple of the smaller projects 
I've worked on in the past (~7,000 users) we used just this.  Although in 
some of those we had to use DL380s at some of the branches as they were also
running Exchange!  : (

One other thing I'd like to say here, is if you do need to worry about 
separating your disks, then you really should be looking at x64.  You get 
better throughput with x64 on disk and memory access, and you also have the 
ability to get all, or at least a chunk of, your DIT data (as in objects 
that matter to you and your queries) into RAM.  Those disk specs above are 
being implemented with x64 dual-core, dual-proc systems with 32GB of RAM as 
our standard DCs.

(What can I say, I have a reasonable sized DIT ;-)

(or so I'm told...)


--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 17, 2006 5:36 AM
Subject: RE: [ActiveDir] Seperating Database and logs on seperate disks


 I am surprised there aren't more responses to this.

 My personal opinion is that a vast majority of installations don't need to
 separate off the logs for perf. In fact, I have often recommended running
 everything on a single RAID 0+1/10/5 (partition logically if you want to say
 separate off the OS and the AD stuff) to get better perf than splitting logs
 and OS off onto their own disks. Especially in larger orgs for Exchange GCs
 that tried to follow the deployment docs and do mirror, mirror, mirror or
 mirror, mirror, 0+1 but didn't have enough disks to get a good 0+1.

 In every case that I have had to review DCs with questionable disk subsystem
 perf, the issues are always around the DIT while the disks for the OS and
 the Logs are snoozing with IOPS sitting there not being used that could have
 saved the DIT from getting sucked into the mud. Rebuilding the disk
 subsystem with all disks in one of the above configurations has alleviated
 the issues in every case. Whether RAID 5 or 0+1/10 is faster you will want
 to test with your own disk subsystems (say with IOMETER), it seems to vary. I
 have seen RAID-5 faster and I have seen on different machines 0+1/10 faster.

 A case I am aware of where the 

RE: [ActiveDir] Going OT again ... Separating Database and logs on seperate disks

2006-10-17 Thread neil.ruston
Can anyone see a correlation between Susan's original post and the final
KB to which she referred?

I must be smoking the wrong type of sh** :-^

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 October 2006 13:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating Database and logs on seperate disks

:)

Fun issue! I never would have hit it. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 2:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

AH HA
http://support.microsoft.com/default.aspx?scid=kb;en-us;909265

residual energy drink kicked in

Locate the operating system, the database, and the log files according
to scenarios 1, 2 or 5. Drive letter assignments on the domain
controllers do not have to match those in the table.



joe wrote:
 Wow... That is a psychedelic post...  

 :)


 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm
  

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
 aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, October 17, 2006 12:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

 In the back recesses of my brain I seem to remember a KB that 
 indicated issues when one was there and the other was there and then 
 it got moved over there but not consistent with there that not so good
 things happened.  (but I just ran out of Mountain Dew Energy drink so 
 I could be delusional right now)


 joe wrote:
 I am surprised there aren't more responses to this.

 My personal opinion is that a vast majority of installations don't need to
 separate off the logs for perf. In fact, I have often recommended 
 running everything on a single RAID 0+1/10/5 (partition logically if 
 you want to say separate off the OS and the AD stuff) to get better perf
 than splitting logs and OS off onto their own disks. Especially in larger
 orgs for Exchange GCs that tried to follow the deployment docs and do
 mirror, mirror, mirror or mirror, mirror, 0+1 but didn't have enough
 disks to get a good 0+1.

 In every case that I have had to review DCs with questionable disk
 subsystem perf, the issues are always around the DIT while the disks for
 the OS and the Logs are snoozing with IOPS sitting there not being used
 that could have saved the DIT from getting sucked into the mud. Rebuilding
 the disk subsystem with all disks in one of the above configurations has
 alleviated the issues in every case. Whether RAID 5 or 0+1/10 is faster
 you will want to test with your own disk subsystems (say with IOMETER), it
 seems to vary. I have seen RAID-5 faster and I have seen on different
 machines 0+1/10 faster.

 A case I am aware of where the logs definitely were good off on their
 own and would have seriously impacted perf if they weren't was Eric's
 DIT experiment where he built a 2TB DIT but he was adding objects at 
 a very high rate of speed constantly for quite a while so the logs were
 being beaten pretty well.

  joe


 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of AD
 Sent: Monday, October 16, 2006 11:29 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Seperating Database and logs on seperate disks

 Is there any other reason other than performance to have the Active 
 Directory log files and database on separate disks?

 Opinions are welcome.

 Thanks

 Yves
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] OT:Exchange/outlook auth question

2006-10-17 Thread Al Mulnick
Microsoft has been shying away from PF's for years. When it happens, it'll be a happy day. But I may be retired by then if I eat right and continue to exercise and get plenty of sleep. :)

Between Exchange 5.5 and Exchange 200x there was a major change to the way that permissions for folders were enacted. It's one of the hardest parts of an upgrade because the acl's were changed from the proprietary 5.5 to the AD type of acl's (pTagAcl if I recall correctly). For those in mixed environments, that creates all kinds of difficulty. It also impacts the sizing of servers and speed of migration because the store has to convert those acls on all folders (not just pf's). In the early part of the lifecycle, there were a lot of issues around this where the store didn't deal with errors very well.

At the same time, there was a change to prevent administrative accounts from being able to logon to people's mailboxes. One of the biggest complaints was that administration and mailbox rights were too loose. Not that it changed a whole lot for the better, but you do have to work at allowing a privileged account to be able to access other mailboxes than its own.

What you're seeing is odd and you may be looking too deep for what you want to accomplish. The deep layer you're looking at might explain why you are seeing the mapi ace missing. The rights should be associated with the AD Account and not the mailbox (that was another change that precipitated the change to the AD acl style from the old 5.5 acl style). Because you're having to use MAPI, you have to have the MAPI expected pieces in line in order to effect the changes you want. This infers (although I can't remember if this is the case) that you have a translation going on. That's messy.

Have your admins use the administrator interface for public folders vs. the mapi interface. There's no reason to mailbox enable the administrative accounts (not for this anyway).

Al

On 10/17/06, joe [EMAIL PROTECTED] wrote:
Well just because Outlook doesn't throw an error doesn't mean it is happening. Outlook has HORRENDOUS error checking. It can completely fail an operation but it will update its internal cached view of an object and you will think you did what you expected.

I haven't looked at monkeying with PFs like this. Actually I try to stay away from PFs, seems MSFT is going that way too. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Saturday, October 14, 2006 7:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT:Exchange/outlook auth question

I add myself as owner of the PF (which Outlook lets me do) and then when I try to create a subfolder, I get a permissions error. When I check back on the perms, my MAPI ACE is missing.

This is logged in as an Exchange Full Admin user while opening the non-admin user's mailbox in Outlook.

When I add the non-admin user to an Exchange Full admin group and then log in as the previous Exchange admin and open the former non-admin box and try to modify a PF, it works fine.

Does that make any sense?

I'm asking mostly because, I'd like to know how Exchange checks for perms in this situation (I can't seem to get anything out of the Working with Store Permissions whitepaper on this particular scenario).

Also, if this is true, then that would suck as I would have to mail-box enable my Exchange Admin accounts as if they were regular accounts to create any non post mapi PF's like calendar or contact items.

And I'm sure once I do that, my Exchange Admins will start logging in with these privileged accounts to start checking their mail and do normal tasks.

Thanks

On 10/13/06, joe [EMAIL PROTECTED] wrote:
 Is it doing it and then getting changed as you mention or is it not doing it? When you put the user in the full admin group are you then logging on as the user or are you logging on as the other user accessing the first user's mailbox?

 This could be something specific to public folders. The Exchange permissioning model is a big messed up hodgepodge and a combination of what I call real permissions (those in AD) and mapi properties in mailboxes and other constructs in the store. I guess it is possible something goofy goes on between the mailbox and the PF, but you can be sure the mailbox is being accessed as the user logged in. You can easily ascertain that looking at the logon properties of the mailbox.

 joe

 --
 O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
 Sent: Friday, October 13, 2006 5:16 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT:Exchange/outlook auth question

 Then I'm curious why Exchange won't let me change the perms on a PF through Outlook when logged into that user's mailbox but logged into the domain as an Exchange Full Admin. If I put the mailbox enabled user account 

[ActiveDir] I'm shareing the Best Kept Secret I know.

2006-10-17 Thread Fleming, Dave \(DotComm\)




Top Ten Things Men Understand About Women

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Dave Fleming
Network Administrator
Douglas-Omaha Technology Commission
408 So. 18th St.
Omaha NE 68102
[EMAIL PROTECTED]
(402) 444-6290



RE: [ActiveDir] I'm shareing the Best Kept Secret I know.

2006-10-17 Thread Daniel Gilbert
Something tells me you should be ducking and running

  Original Message 
 Subject: [ActiveDir] I'm shareing the Best Kept Secret I know.
 From: Fleming, Dave (DotComm) [EMAIL PROTECTED]
 Date: Tue, October 17, 2006 6:29 am
 To: 
 
  
  Top Ten Things Men Understand About Women   1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 
   Dave Fleming
 Network Administrator
 Douglas-Omaha Technology Commission
 408 So. 18th St.
 Omaha NE 68102
 [EMAIL PROTECTED]
 (402) 444-6290  
   



RE: [ActiveDir] WAY WAY OT: I'm shareing the Best Kept Secret I know.

2006-10-17 Thread Almeida Pinto, Jorge de



1 nothing
2 nothing
3 nothing
4 nothing
5 nothing
6 nothing
7 nothing
8 nothing
9 nothing
10 nothing (just to be sure)

;-)

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Fleming, Dave (DotComm)
  Sent: Tuesday, October 17, 2006 15:29
  Subject: [ActiveDir] I'm shareing the "Best Kept Secret" I know.
  
  
  Top Ten Things Men Understand About Women
  
  1.
  2.
  3.
  4.
  5.
  6.
  7.
  8.
  9.
  10.
  
  Dave Fleming
  Network Administrator
  Douglas-Omaha Technology Commission
  408 So. 18th St.
  Omaha NE 68102
  [EMAIL PROTECTED]
  (402) 444-6290
  



RE: [ActiveDir] Seperating Database and logs on seperate disks

2006-10-17 Thread neil.ruston
The latter - we always have OS on a RAID1 set.

That's a fair argument - if the company has a hardware standard then it
should be adhered to, if feasible. AD is just an app that sits on
hardware as do other apps. Each app doesn't necessarily need a hardware
spec all of its own.

Standards lead to lower TCO so it's always worth striving for. [Simpler
procurement, support, maintenance etc]

Caveat: On the flip side, we all to get the best from our solutions and
the corp standard may not achieve that optimal 'best'. I've never
encountered a large company who'll happily change or allow exceptions re
hardware standards without a very strong argument. 


My 2 penneth,
neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 17 October 2006 14:31
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

 What were the support reasons? Someone whined until they got the OS on
 RAID-1 because that is the way everyone says they should do it or 
 another popular one is that is the way we always do it?

The latter - we always have OS on a RAID1 set.

I've managed to swing RAID10 on the remaining 4 disks, and x64 and 32GB
RAM. 
I can't get them (support folks) to take on support for pure RAID10.


--Paul

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 17, 2006 1:46 PM
Subject: RE: [ActiveDir] Seperating Database and logs on seperate disks


 What were the support reasons? Someone whined until they got the OS on
 RAID-1 because that is the way everyone says they should do it or another
 popular one is that is the way we always do it?

 One of the issues is that most of the machines folks like to make into DCs
 just don't have enough disk slots to have multiple spindles for the DIT if
 you take up 4 for the OS and Logs. If you can get away with mirror/mirror/6
 disk 0+1/10... Excellent, especially if x64 with sufficient RAM. If the disk
 counters start to show queuing on the DIT drive greater than what I consider
 heavy load (~2x#spindles) though I wouldn't hesitate to tear that down and
 make it into a single 10 disk RAID 0+1/10/5. With x64, as Paul indicated,
 that generally shouldn't happen though unless you don't have enough memory
 or possibly you have recently rebooted and are defrosting the cache.

 Mostly though, people should be looking at their own perf counters and
 figuring out what they should be doing. Pay especially close attention to
 Exchange GCs during the morning rush and the after lunch rush, those are
 the two areas that tend to initially start showing pain.

  joe


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
 Sent: Tuesday, October 17, 2006 5:03 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

 Having discussed this quite a lot recently, I'll give you all an insight
 into how I wanted to do it and how we are doing it (support reasons caused
 me to be overridden):

 [want] 6 disks in a RAID10 array, with three volumes: OS, DIT & Logs, SYSVOL
 and Scratch area.
 [reality] 2 disks in a RAID1 array for OS; 4 disks in a RAID10 array for
 DIT & Logs, with another volume for SYSVOL and scratch.

 Scratch contains the IFM directory (temporarily) and perf logs, etc.

 I agree with Joe 100% (probably because we have discussed this offline in
 depth and he has moulded my opinions <g>).  Smaller environments don't need
 to worry about it.  Big environments need to think about it.  Although, as
 Joe mentions, it's rare you'll need much space for the log files.  Even if
 you provision a couple of hundred thousand users (which takes an hour or
 two) you don't need much space for logs.  Which is why I hate the 3x RAID1
 idea that is out there.  Disks are cheap for sure, but that's still a
 serious waste of two disks where they could be put to use for the DIT, which
 is being slammed with read requests.

 Also remember that in smaller environments, or medium-sized environments
 that have dedicated DCs, a DL360 (or equivalent) which only has room for two
 local disks, will happily run as a DC.  A couple of the smaller projects
 I've worked on in the past (~7,000 users) we used just this.  Although in
 some of those we had to use DL380s at some of the branches as they were also
 running Exchange!  : (

 One other thing I'd like to say here, is if you do need to worry about
 separating your disks, then you really should be looking at x64.  You get
 better throughput with x64 on disk and memory access, and you also have the
 ability to get all, or at least a chunk of, your DIT data (as in objects
 that matter to you and your queries) into RAM.  Those disk specs above are
 being implemented with x64 dual-core, 

[ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Technical Support
Hi,

I am trying to access one of my servers using Remote Connection. I am using 
mstsc but it's not connecting me to the server. Error "The remote computer has 
ended the connection". However if I am using mstsc /v:IP Address /console it 
lets me connect to it.

Problem is in this mode I can use only admin id when connected like this. I 
want my engineers (who don't have administrator privileges) to access this. 
It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!
Ravi


RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Vinnie Cardona
I have noticed that after updating to the latest security patches and rebooting
that some (not all) of my servers had an issue with RDP. It cleared after
rebooting a second time. Root cause? Unknown at this time.

-vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am using
mstsc but it's not connecting me to the server. Error The remote computer has
ended the connection. However if I am using mstsc /v:IP Address /console it
lets me connect to it.

Problem is in this mode I can use only admin id when connected like this. I
want my engineers (who don't have administrator privileges) to access this.
It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi

RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Thommes, Michael M.
I have also seen where a second reboot is necessary for RDP to work. I have not
determined the cause of this yet. It does not happen on all servers.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have noticed that after updating to the latest security patches and rebooting
that some (not all) of my servers had an issue with RDP. It cleared after
rebooting a second time. Root cause? Unknown at this time.

-vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am using
mstsc but it's not connecting me to the server. Error The remote computer has
ended the connection. However if I am using mstsc /v:IP Address /console it
lets me connect to it.

Problem is in this mode I can use only admin id when connected like this. I
want my engineers (who don't have administrator privileges) to access this.
It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi

RE: [ActiveDir] Seperating Database and logs on seperate disks

2006-10-17 Thread AFidel
I love standards, there's so many to pick from.

Andrew Fidel

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/17/2006 10:16 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Seperating Database and logs on seperate disks

The latter - we always have OS on a RAID1 set.

That's a fair argument - if the company has a hardware standard then it
should be adhered to, if feasible. AD is just an app that sits on
hardware as do other apps. Each app doesn't necessarily need a hardware
spec all of its own.

Standards lead to lower TCO so it's always worth striving for. [Simpler
procurement, support, maintenance etc]

Caveat: On the flip side, we all to get the best from our solutions and
the corp standard may not achieve that optimal 'best'. I've never
encountered a large company who'll happily change or allow exceptions re
hardware standards without a very strong argument. 


My 2 penneth,
neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 17 October 2006 14:31
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

 What were the support reasons? Someone whined until they got the OS on
 RAID-1 because that is the way everyone says they should do it or 
 another popular one is that is the way we always do it?

The latter - we always have OS on a RAID1 set.

I've managed to swing RAID10 on the remaining 4 disks, and x64 and 32GB
RAM. 
I can't get them (support folks) to take on support for pure RAID10.


--Paul

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 17, 2006 1:46 PM
Subject: RE: [ActiveDir] Seperating Database and logs on seperate disks


 What were the support reasons? Someone whined until they got the OS on
 RAID-1 because that is the way everyone says they should do it or another
 popular one is that is the way we always do it?

 One of the issues is that most of the machines folks like to make into DCs
 just don't have enough disk slots to have multiple spindles for the DIT if
 you take up 4 for the OS and Logs. If you can get away with mirror/mirror/6
 disk 0+1/10... Excellent, especially if x64 with sufficient RAM. If the disk
 counters start to show queuing on the DIT drive greater than what I consider
 heavy load (~2x#spindles) though I wouldn't hesitate to tear that down and
 make it into a single 10 disk RAID 0+1/10/5. With x64, as Paul indicated,
 that generally shouldn't happen though unless you don't have enough memory
 or possibly you have recently rebooted and are defrosting the cache.

 Mostly though, people should be looking at their own perf counters and
 figuring out what they should be doing. Pay especially close attention to
 Exchange GCs during the morning rush and the after lunch rush, those are
 the two areas that tend to initially start showing pain.

 joe


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
 Sent: Tuesday, October 17, 2006 5:03 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

 Having discussed this quite a lot recently, I'll give you all an insight
 into how I wanted to do it and how we are doing it (support reasons caused
 me to be overridden):

 [want] 6 disks in a RAID10 array, with three volumes: OS, DIT & Logs, SYSVOL
 and Scratch area.
 [reality] 2 disks in a RAID1 array for OS; 4 disks in a RAID10 array for
 DIT & Logs, with another volume for SYSVOL and scratch.

 Scratch contains the IFM directory (temporarily) and perf logs, etc.

 I agree with Joe 100% (probably because we have discussed this offline in
 depth and he has moulded my opinions <g>). Smaller environments don't need
 to worry about it. Big environments need to think about it. Although, as
 Joe mentions, it's rare you'll need much space for the log files. Even if
 you provision a couple of hundred thousand users (which takes an hour or
 two) you don't need much space for logs. Which is why I hate the 3x RAID1
 idea that is out there. Disks are cheap for sure, but that's still a
 serious waste of two disks where they could be put to use for the DIT, which
 is being slammed with read requests.

 Also remember that in smaller environments, or medium-sized environments
 that have dedicated DCs, a DL360 (or equivalent) which only has room for two
 local disks, will happily run as a DC. A couple of the smaller projects
 I've worked on in the past (~7,000 users) we used just this. Although in
 some of those we had to use DL380s at some of the branches as they were also
 running Exchange! : (

 One other thing I'd like to say here, is if you do need to worry about
 separating your disks, then you really should be 

Re: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Can you PLEASE call into Microsoft PSS or your tam or pam or whatever 
and report this?  Along with anyone else seeing this issue?


I know that calling into PSS can be a pain, but please report this issue.

We are seeing this more and more and I need to have bodies called in.  
We seriously need to get to the bottom of this because in the SBS space 
we do a lot of remote management and if the RDP dies we have to fall 
back to ILOs and this isn't acceptable in my book for patching to do this.


Do you rely on WSUS?


Vinnie Cardona wrote:

I have noticed that after updating to the latest security patches and 
rebooting that some (not all) of my servers had an issue with RDP.  
It cleared after rebooting a second time.  Root cause?  Unknown at 
this time.

-vC

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am 
using mstsc but it's not connecting me to the server. Error The 
remote computer has ended the connection. However if I am using 
mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only admin id when connected like 
this. I want my engineers (who don't have administrator privileges) to 
access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Again, please call in and report this.



Thommes, Michael M. wrote:

I have also seen where a second reboot is necessary for RDP to work.  
I have not determined the cause of this yet.  It does not happen on 
all servers.

Mike Thommes

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have noticed that after updating to the latest security patches and 
rebooting that some (not all) of my servers had an issue with RDP.  
It cleared after rebooting a second time.  Root cause?  Unknown at 
this time.

-vC

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am 
using mstsc but it's not connecting me to the server. Error The 
remote computer has ended the connection. However if I am using 
mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only admin id when connected like 
this. I want my engineers (who don't have administrator privileges) to 
access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Technical Support

Yes, it doesn't happen with any other servers, but I have rebooted it
more than twice, but no good luck.

What do you guys suggest in this case? Did only rebooting a second time
resolve the issue for you?

It worked for me when I disjoined from my domain, but I am sure this has
nothing to do with any GPO. Also, the same thing happened for me when I
joined this to any other domain other than the previous one.

Thanks!!!
Ravi

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 10/17/2006 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have also seen where a second reboot is necessary for RDP to work. I
have not determined the cause of this yet. It does not happen on all
servers.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have noticed that after updating to the latest security patches and
rebooting that some (not all) of my servers had issues with RDP. It
cleared after rebooting a second time. Root cause? Unknown at this time.

-vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am
using mstsc but it's not connecting me to the server. error "The remote
computer has ended the connection". However if I am using
mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only admin id when connected like
this. I want my engineers (who don't have administrator privileges) to
access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi








[ActiveDir] Cleanup of NETLOGON.LOGs

2006-10-17 Thread Rimmerman, Russ



I just did a netlogon AD site cleanup process and want 
to delete all netlogon.logs from all DCs in our domain. I noticed you 
can't delete it while the netlogon service is running. Is there a better 
way to keep these netlogon file sizes down, or delete them regularly than to 
stop, delete, and restart services on each?

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Thommes, Michael M.
Hi Susan,
I didn't mean to imply that this was just with the last set of
patches.  I think your note says that you have been seeing this for a
while.  We have too.  One of the guys in my group uses Update Expert to
patch and he sees it more often than I do.  Of course, he patches a lot
more servers than I do.  Another part of the group uses WSUS and they
have not mentioned any issues; but then again, they don't TS into
computers much.  And yes, I will bring it up with my TAM (again?).  I
think I had mentioned it to him previously but never started anything
formal on it.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Can you PLEASE call into Microsoft PSS or your tam or pam or whatever 
and report this?  Along with anyone else seeing this issue?

I know that calling into PSS can be a pain, but please report this
issue.

We are seeing this more and more and I need to have bodies called in.  
We seriously need to get to the bottom of this because in the SBS space 
we do a lot of remote management and if the RDP dies we have to fall 
back to ILOs and this isn't acceptable in my book for patching to do
this.

Do you rely on WSUS?


Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and
 rebooting that some (not all) of my servers had issues with RDP.
 It cleared after rebooting a second time.  Root cause?  /Unknown/ at
 this time.

 -vC

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Technical Support
 *Sent:* Tuesday, October 17, 2006 8:28 AM
 *To:* activedir@mail.activedir.org
 *Subject:* [ActiveDir] The remote computer has ended the connection.
 *Importance:* High

 Hi,

 I am trying to access one of my servers using Remote Connection. I am
 using mstsc but it's not connecting me to the server. error /*/The
 remote computer has ended the connection/*/. However if I am using
 /*/_mstsc /v:IP Address /console_/*/ it lets me connect to it.

 Problem is in this mode I can use only admin id when connected like
 this. I want my engineers (who don't have administrator privileges) to
 access this. It's not possible in this mode.

 This all happened when I rebooted my server.

 Please suggest what can be done to normalize the things.

 Thanks!!!

 /*/Ravi/*/


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Vinnie Cardona

Susan,

We don't have a MS support contract. Unfortunately rebooting the
server was cheaper than paying MS $245.

Never used WSUS until this month. I am currently running WSUS 3.0.

Now for those of you who have experienced this bug and do not have a
support contract:

Just contacted MS @ (800) 936-4900 (option 2) and asked if I can just
report a bug without having to pay and he informed me that I will have to
report the bug via mail to the development team. The address he gave me was:

Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052

Attention would be to the Development Team. Include the product
name and bug.

Susan, I think informing MS in some way or form of this potential bug is a good idea.







-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Can you PLEASE call into Microsoft PSS or your tam or pam or whatever
and report this? Along with anyone else seeing this issue?

I know that calling into PSS can be a pain, but please report this
issue.

We are seeing this more and more and I need to have bodies called in.
We seriously need to get to the bottom of this because in the SBS space
we do a lot of remote management and if the RDP dies we have to fall
back to ILOs and this isn't acceptable in my book for patching to do
this.

Do you rely on WSUS?

Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and
 rebooting that some (not all) of my servers had issues with RDP.
 It cleared after rebooting a second time. Root cause? /Unknown/ at
 this time.

 -vC

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Technical Support
 *Sent:* Tuesday, October 17, 2006 8:28 AM
 *To:* activedir@mail.activedir.org
 *Subject:* [ActiveDir] The remote computer has ended the connection.
 *Importance:* High

 Hi,

 I am trying to access one of my servers using Remote Connection. I am
 using mstsc but it's not connecting me to the server. error /*/The
 remote computer has ended the connection/*/. However if I am using
 /*/_mstsc /v:IP Address /console_/*/ it lets me connect to it.

 Problem is in this mode I can use only admin id when connected like
 this. I want my engineers (who don't have administrator privileges) to
 access this. It's not possible in this mode.

 This all happened when I rebooted my server.

 Please suggest what can be done to normalize the things.

 Thanks!!!

 /*/Ravi/*/

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs











RE: [ActiveDir] Cleanup of NETLOGON.LOGs

2006-10-17 Thread Eric Fleischman

Turn logging down to 0.

I would note that there is no notion of log generations, so your worst
case here is 2 * log size (where log size defaults to 10MB), so worst
case it should only be 20MB, and deleting the archive is of course
trivial.

More generally, we do reserve the right to write to this log & recreate
it as needed as sometimes there are things we need to log so you can
figure out what went wrong should something turn south. So even a log
level of 0 does not guarantee no logging, it just means not much logging
you could say.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 17, 2006 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cleanup of NETLOGON.LOGs





I just did a netlogon AD site cleanup
process and want to delete all netlogon.logs from all DCs in our domain.
I noticed you can't delete it while the netlogon service is running. Is
there a better way to keep these netlogon file sizes down, or delete them
regularly than to stop, delete, and restart services on each?
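
One way to apply the advice in this message without stopping the Netlogon service, as an added PowerShell example that is not code from the thread or from Microsoft: it reports the logging flag and the two log files on the local DC, checks them against the "2 * log size" bound described above, and removes only the archive. It assumes the usual Netlogon locations (netlogon.log and netlogon.bak under %SystemRoot%\debug, DBFlag and MaximumLogFileSize under the Netlogon Parameters registry key); the function names, the optional copy folder and the use of the thread's 10MB figure as a fallback are assumptions.

```powershell
# Added example (not from the thread). Function names are hypothetical.
$script:NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonLogState {
    param(
        [string]$DebugDir = (Join-Path $env:SystemRoot 'debug'),
        # Figure quoted in the thread; used only when MaximumLogFileSize is not set.
        [long]$FallbackMaxBytes = 10MB
    )
    $p = Get-ItemProperty -Path $script:NetlogonParams -ErrorAction SilentlyContinue

    # DBFlag may be stored as a DWORD or as a hex string; normalise it for display.
    $flagText = '0x00000000'
    if ($p -and $null -ne $p.DBFlag) {
        if ($p.DBFlag -is [string]) { $flagText = '0x{0:X8}' -f [Convert]::ToUInt32($p.DBFlag, 16) }
        else                        { $flagText = '0x{0:X8}' -f $p.DBFlag }
    }

    $maxBytes = $FallbackMaxBytes
    if ($p -and $null -ne $p.MaximumLogFileSize) { $maxBytes = [long]$p.MaximumLogFileSize }

    # Size of the live log and of the single archive copy (0 when absent).
    $size = @{}
    foreach ($name in 'netlogon.log', 'netlogon.bak') {
        $file = Join-Path $DebugDir $name
        if (Test-Path -LiteralPath $file) { $size[$name] = (Get-Item -LiteralPath $file).Length }
        else                              { $size[$name] = 0 }
    }
    $total = $size['netlogon.log'] + $size['netlogon.bak']

    [pscustomobject]@{
        DBFlag       = $flagText
        LoggingOn    = ($flagText -ne '0x00000000')
        LogBytes     = $size['netlogon.log']
        ArchiveBytes = $size['netlogon.bak']
        MaxLogBytes  = $maxBytes
        # Live log plus one archive: the "2 * log size" worst case from the thread.
        WithinBound  = ($total -le 2 * $maxBytes)
    }
}

function Remove-NetlogonArchive {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$DebugDir = (Join-Path $env:SystemRoot 'debug'),
        [string]$KeepCopyIn   # optional folder: keep a copy for later investigation
    )
    $archive = Join-Path $DebugDir 'netlogon.bak'
    if (-not (Test-Path -LiteralPath $archive)) { return }

    if ($PSCmdlet.ShouldProcess($archive, 'Delete Netlogon log archive')) {
        if ($KeepCopyIn) {
            $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
            $copy  = Join-Path $KeepCopyIn "$env:COMPUTERNAME-netlogon-$stamp.bak"
            Copy-Item -LiteralPath $archive -Destination $copy
        }
        # Only the archive is removed; the live netlogon.log is left to the service.
        Remove-Item -LiteralPath $archive
    }
}

function Disable-NetlogonDebugLogging {
    # Sets the Netlogon debug flag to 0. As noted in the thread, level 0 means
    # little logging, not a guarantee that the file is never written.
    & nltest.exe /dbflag:0x0
}

# Report first, then preview the cleanup without deleting anything.
Get-NetlogonLogState
Remove-NetlogonArchive -WhatIf
```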








RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread David Cliffe

Is this 2003 server? What about Term Services? Sometimes that gets
enabled/installed by mistake (because should not be needed for simply
remote admin). I can't recall, but maybe it locks you out of those 2
sessions when it can't contact a licensing server after a certain time
period. Could you have hit that?

If so, you should be able to remove the service (as long as you are ONLY
using this for remote admin that is!).

-DaveC

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
  Sent: Tuesday, October 17, 2006 12:01 PM
  To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] The remote computer has ended the connection.

  Yes, it doesn't happen with any other servers, but I have rebooted it
  more than twice, but no good luck.

  What do you guys suggest in this case? Did only rebooting a second time
  resolve the issue for you?

  It worked for me when I disjoined from my domain, but I am sure this has
  nothing to do with any GPO. Also, the same thing happened for me when I
  joined this to any other domain other than the previous one.

  Thanks!!!
  Ravi

  From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
  Sent: Tue 10/17/2006 8:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] The remote computer has ended the connection.

  I have also seen where a second reboot is necessary for RDP to work. I
  have not determined the cause of this yet. It does not happen on all
  servers.

  Mike Thommes

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
  Sent: Tuesday, October 17, 2006 10:29 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] The remote computer has ended the connection.

  I have noticed that after updating to the latest security patches and
  rebooting that some (not all) of my servers had issues with RDP. It
  cleared after rebooting a second time. Root cause? Unknown at this time.

  -vC

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
  Sent: Tuesday, October 17, 2006 8:28 AM
  To: activedir@mail.activedir.org
  Subject: [ActiveDir] The remote computer has ended the connection.
  Importance: High

  Hi,

  I am trying to access one of my servers using Remote Connection. I am
  using mstsc but it's not connecting me to the server. error "The remote
  computer has ended the connection". However if I am using
  mstsc /v:IP Address /console it lets me connect to it.

  Problem is in this mode I can use only admin id when connected like
  this. I want my engineers (who don't have administrator privileges) to
  access this. It's not possible in this mode.

  This all happened when I rebooted my server.

  Please suggest what can be done to normalize the things.

  Thanks!!!

  Ravi





RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Kevin Brunson

Are there any error messages in the event log? There are several
problems I have seen where some kind of message will show up in the logs
that tell you where to start looking.

The most common one I have seen lately, if you see an error in the
system event log that says

The RDP protocol component DATA ENCRYPTION detected an error in the
protocol stream and has disconnected the client.

http://support.microsoft.com/default.aspx?scid=kb;en-us;323497

Also, is the server running in Remote Desktop mode or Terminal Services
mode? If Terminal Services is checked in the Windows Components Wizard,
then it is in Terminal Services mode. Otherwise, it is just a Remote
Desktop. If it is in Terminal Services mode, then you need to make sure
it is talking to a Terminal Services Licensing server. You would see
errors in the event log for this too.

Kevin









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 11:01 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Yes, it doesn't happen with any other servers, but I have rebooted it
more than twice, but no good luck.

What do you guys suggest in this case? Did only rebooting a second time
resolve the issue for you?

It worked for me when I disjoined from my domain, but I am sure this has
nothing to do with any GPO. Also, the same thing happened for me when I
joined this to any other domain other than the previous one.

Thanks!!!

Ravi

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 10/17/2006 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have also seen where a second reboot is necessary for RDP to work. I
have not determined the cause of this yet. It does not happen on all
servers.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have noticed that after updating to the latest security patches and
rebooting that some (not all) of my servers had issues with RDP. It
cleared after rebooting a second time. Root cause? Unknown at this time.

-vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am
using mstsc but it's not connecting me to the server. error The remote
computer has ended the connection. However if I am using
mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only admin id when connected like
this. I want my engineers (who don't have administrator privileges) to
access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi












Re: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Agreed, this isn't just this month.  This has been happening with
consistency about the last three to four months that we've been tracking 
it.  Perhaps longer, but that's about the time those of us in the SBS 
MVP listserve started realizing that all of us were having to figure out 
alternative means to get to RDP sessions that were not coming back after 
patching/rebooting.


In the SBS world it can be Exchange grabbing the TS port of 3389 as it 
reboots which can be fixed with a reg edit...but mostly we're seeing 
boxes, Windows server (and even workstations) flavors of all variety 
that are either getting stuck on the way down, or we see that they get 
the reboot command and then they don't reboot.


Currently everyone is just 'working around it' by using Ilo, or getting 
remotely into another server or workstation and doing a remote shutdown 
command... but I'd/we'd like to get to the bottom of it if we can.


It is consistently happening way too often and I'm seeing it reported 
much too often.



Thommes, Michael M. wrote:

Hi Susan,
I didn't mean to imply that this was just with the last set of
patches.  I think your note says that you have been seeing this for a
while.  We have too.  One of the guys in my group uses Update Expert to
patch and he sees it more often than I do.  Of course, he patches a lot
more servers than I do.  Another part of the group uses WSUS and they
have not mentioned any issues; but then again, they don't TS into
computers much.  And yes, I will bring it up with my TAM (again?).  I
think I had mentioned it to him previously but never started anything
formal on it.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Can you PLEASE call into Microsoft PSS or your tam or pam or whatever 
and report this?  Along with anyone else seeing this issue?


I know that calling into PSS can be a pain, but please report this
issue.

We are seeing this more and more and I need to have bodies called in.
We seriously need to get to the bottom of this because in the SBS space
we do a lot of remote management and if the RDP dies we have to fall
back to ILOs and this isn't acceptable in my book for patching to do
this.

Do you rely on WSUS?

Vinnie Cardona wrote:

I have noticed that after updating to the latest security patches and
rebooting that some (not all) of my servers had issues with RDP.
It cleared after rebooting a second time.  Root cause?  /Unknown/ at
this time.

-vC

*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Technical Support
*Sent:* Tuesday, October 17, 2006 8:28 AM
*To:* activedir@mail.activedir.org
*Subject:* [ActiveDir] The remote computer has ended the connection.
*Importance:* High

Hi,

I am trying to access one of my servers using Remote Connection. I am
using mstsc but it's not connecting me to the server. error /*/The
remote computer has ended the connection/*/. However if I am using
/*/_mstsc /v:IP Address /console_/*/ it lets me connect to it.

Problem is in this mode I can use only admin id when connected like
this. I want my engineers (who don't have administrator privileges) to
access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

/*/Ravi/*/




  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread jpsalemi
Not sure if this will work or not.  I seem to remember something like this
a long time ago.

It was a registry key:


 HKLM\System\CurrentcontrolSet\Control\Terminal Server\fDenyTSConnections   
 and set it to 0



I think I had to create it at the time.

Hope this helps,
John




   
Thommes, Michael M. [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/17/2006 11:22 AM
Please respond to [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] The remote computer has ended the connection.
   
   




Hi Susan,
I didn't mean to imply that this was just with the last set of
patches.  I think your note says that you have been seeing this for a
while.  We have too.  One of the guys in my group uses Update Expert to
patch and he sees it more often than I do.  Of course, he patches a lot
more servers than I do.  Another part of the group uses WSUS and they
have not mentioned any issues; but then again, they don't TS into
computers much.  And yes, I will bring it up with my TAM (again?).  I
think I had mentioned it to him previously but never started anything
formal on it.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Can you PLEASE call into Microsoft PSS or your tam or pam or whatever
and report this?  Along with anyone else seeing this issue?

I know that calling into PSS can be a pain, but please report this
issue.

We are seeing this more and more and I need to have bodies called in.
We seriously need to get to the bottom of this because in the SBS space
we do a lot of remote management and if the RDP dies we have to fall
back to ILOs and this isn't acceptable in my book for patching to do
this.

Do you rely on WSUS?


Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and
 rebooting that some (not all) of my servers had issues with RDP.
 It cleared after rebooting a second time.  Root cause?  /Unknown/ at
 this time.

 -vC

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Technical Support
 *Sent:* Tuesday, October 17, 2006 8:28 AM
 *To:* activedir@mail.activedir.org
 *Subject:* [ActiveDir] The remote computer has ended the connection.
 *Importance:* High

 Hi,

 I am trying to access one of my servers using Remote Connection. I am
 using mstsc but it's not connecting me to the server. error /*/The
 remote computer has ended the connection/*/. However if I am using
 /*/_mstsc /v:IP Address /console_/*/ it lets me connect to it.

 Problem is in this mode I can use only admin id when connected like
 this. I want my engineers (who don't have administrator privileges) to
 access this. It's not possible in this mode.

 This all happened when I rebooted my server.

 Please suggest what can be done to normalize the things.

 Thanks!!!

 /*/Ravi/*/


--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs
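
The checks suggested across this thread (the fDenyTSConnections value in the message above, the Remote Desktop versus Terminal Services mode question, and another service holding port 3389), gathered into one added PowerShell example that is not code from any poster. The TSAppCompat and PortNumber registry values, the Get-NetTCPConnection cmdlet (which needs Windows Server 2012 or later), the expectation that the listener runs inside svchost, and the function names are assumptions not taken from the thread.

```powershell
# Added example (not from the thread). Function names are hypothetical.

# Collect the RDP-related settings from the local server.
function Get-RdpSettings {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $p  = Get-ItemProperty -Path $ts -ErrorAction SilentlyContinue
    $w  = Get-ItemProperty -Path (Join-Path $ts 'WinStations\RDP-Tcp') -ErrorAction SilentlyContinue

    $port = 3389
    if ($w -and $w.PortNumber) { $port = [int]$w.PortNumber }

    # Which process, if any, is listening on the RDP port?
    $owner = $null
    $conn = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if ($conn) {
        $owner = (Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    $deny = $null; $mode = $null
    if ($p) { $deny = $p.fDenyTSConnections; $mode = $p.TSAppCompat }

    @{
        fDenyTSConnections = $deny
        TSAppCompat        = $mode
        Port               = $port
        ListenerProcess    = $owner
    }
}

# Turn a settings snapshot into a list of findings to follow up.
function Test-RdpSettings {
    param([Parameter(Mandatory = $true)][hashtable]$Settings)

    $deny = $Settings['fDenyTSConnections']
    if ($null -eq $deny) {
        'fDenyTSConnections is missing; the thread suggests creating it and setting it to 0.'
    } elseif ($deny -ne 0) {
        "fDenyTSConnections is $deny; remote connections stay refused until it is 0."
    }

    # Assumed meaning: 1 = Terminal Services (application) mode, 0 = remote administration.
    if ($Settings['TSAppCompat'] -eq 1) {
        'Server is in Terminal Services mode; confirm it can reach a Terminal Services Licensing server and check the System event log for licensing errors.'
    }

    $port  = $Settings['Port']
    $owner = $Settings['ListenerProcess']
    if (-not $owner) {
        "Nothing is listening on TCP $port."
    } elseif ($owner -ne 'svchost') {
        "TCP $port is held by '$owner' rather than the service host expected for Terminal Services."
    }
}

# Constructed snapshot (not data from the thread): value missing, Terminal
# Services mode, and an unrelated process on the port.
$sample = @{
    fDenyTSConnections = $null
    TSAppCompat        = 1
    Port               = 3389
    ListenerProcess    = 'otherservice'
}
Test-RdpSettings -Settings $sample

# On a live server: Test-RdpSettings -Settings (Get-RdpSettings)
```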


RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread joe



I wish that were a bad joke but I can visualize the support 
line saying it... 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Susan,

We don't have a MS support contract. Unfortunately rebooting the
server was cheaper than paying MS $245.

Never used WSUS until this month. I am currently running WSUS 3.0.

Now for those of you who have experienced this bug and do not have a
support contract:
Just contacted MS @ (800) 936-4900 (option 2) and asked if I can just
report a bug without having to pay and he informed me that I will have
to report the bug via mail to the development team. The address he gave
me was:

Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052

Attention would be to the Development Team. Include the product name
and bug.

Susan, I think informing MS in some way or form of this potential bug is a good idea.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Can you PLEASE call into Microsoft PSS or your tam or pam or whatever
and report this? Along with anyone else seeing this issue?

I know that calling into PSS can be a pain, but please report this issue.

We are seeing this more and more and I need to have bodies called in.
We seriously need to get to the bottom of this because in the SBS space
we do a lot of remote management and if the RDP dies we have to fall
back to ILOs and this isn't acceptable in my book for patching to do this.

Do you rely on WSUS?

Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and
 rebooting that some (not all) of my servers had issues with RDP.
 It cleared after rebooting a second time. Root cause? /Unknown/ at
 this time.

 -vC

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Technical Support
 *Sent:* Tuesday, October 17, 2006 8:28 AM
 *To:* activedir@mail.activedir.org
 *Subject:* [ActiveDir] The remote computer has ended the connection.
 *Importance:* High

 Hi,

 I am trying to access one of my servers using Remote Connection. I am
 using mstsc but it's not connecting me to the server. error "/*/The
 remote computer has ended the connection/*/". However if I am using
 /*/_mstsc /v:IP Address /console_/*/ it lets me connect to it.

 Problem is in this mode I can use only admin id when connected like
 this. I want my engineers (who don't have administrator privileges) to
 access this. It's not possible in this mode.

 This all happened when I rebooted my server.

 Please suggest what can be done to normalize the things.

 Thanks!!!

 /*/Ravi/*/

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Vinnie Cardona
I have used both UpdateExpert and WSUS3.0 and for me, I have seen the same 
issue.  Again...it happens to about 1-3 servers out of about 50.  The next 
time this happens I will take the effort to dig deeper into finding a root 
cause or at least have some form of data for MS to look into.

-vC

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, October 17, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Hi Susan,
I didn't mean to imply that this was just with the last set of
patches.  I think your note says that you have been seeing this for a
while.  We have too.  One of the guys in my group uses Update Expert to
patch and he sees it more often than I do.  Of course, he patches a lot
more servers than I do.  Another part of the group uses WSUS and they
have not mentioned any issues; but then again, they don't TS into
computers much.  And yes, I will bring it up with my TAM (again?).  I
think I had mentioned it to him previously but never started anything
formal on it.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Can you PLEASE call into Microsoft PSS or your tam or pam or whatever
and report this?  Along with anyone else seeing this issue?

I know that calling into PSS can be a pain, but please report this
issue.

We are seeing this more and more and I need to have bodies called in.
We seriously need to get to the bottom of this because in the SBS space
we do a lot of remote management and if the RDP dies we have to fall
back to ILOs and this isn't acceptable in my book for patching to do
this.

Do you rely on WSUS?


Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and
 rebooting that some (not all) of my servers had an issues with RDP.
 It cleared after rebooting a second time.  Root cause?  /Unknown /at
 this time.



 -vC




 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Technical
 Support
 *Sent:* Tuesday, October 17, 2006 8:28 AM
 *To:* activedir@mail.activedir.org
 *Subject:* [ActiveDir] The remote computer has ended the connection.
 *Importance:* High



 Hi,

 I am trying to access one of my servers using Remote Connection. I am
 using mstsc but it's not connecting me to the server. error "The
 remote computer has ended the connection". However if I am using
 mstsc /v:IP Address /console it lets me connect to it.

 Problem is in this mode I can use only admin id when connected like
 this. I want my engineers (who don't have administrator privileges) to
 access this. It's not possible in this mode.

 This all happened when I rebooted my server.

 Please suggest what can be done to normalize the things.

 Thanks!!!

 Ravi


-- 
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



Re: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

(sigh)

I'll take it up the backchannel method.

Thank you Vince.

Vinnie Cardona wrote:


Susan,

We don't have a MS support contract. Unfortunately rebooting the 
server was cheaper than paying MS $245.


Never used WSUS until this month. I am currently running WSUS 3.0.

Now for those of you who have experienced this bug and do not have a 
support contract:


Just contacted MS @ (800) 936-4900 (option 2) and asked if I can just 
report a bug without having to pay and he informed me that I will have 
to report the bug via mail to the development team. The address he 
gave me was:


Microsoft Corporation

1 Microsoft Way

Redmond, WA 98052

Attention would be to the Development Team. Include the product name 
and bug.


Susan…I think informing MS in some way or form of this potential /bug/ 
is a good idea…


-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Sent: Tuesday, October 17, 2006 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Can you PLEASE call into Microsoft PSS or your tam or pam or whatever
and report this? Along with anyone else seeing this issue?

I know that calling into PSS can be a pain, but please report this issue.

We are seeing this more and more and I need to have bodies called in.
We seriously need to get to the bottom of this because in the SBS space
we do a lot of remote management and if the RDP dies we have to fall
back to ILOs and this isn't acceptable in my book for patching to do this.

Do you rely on WSUS?

Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and
 rebooting that some (not all) of my servers had issues with RDP.
 It cleared after rebooting a second time. Root cause? Unknown at
 this time.

 -vC

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
 Sent: Tuesday, October 17, 2006 8:28 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] The remote computer has ended the connection.
 Importance: High

 Hi,

 I am trying to access one of my servers using Remote Connection. I am
 using mstsc but it's not connecting me to the server. error "The
 remote computer has ended the connection". However if I am using
 mstsc /v:IP Address /console it lets me connect to it.

 Problem is in this mode I can use only admin id when connected like
 this. I want my engineers (who don't have administrator privileges) to
 access this. It's not possible in this mode.

 This all happened when I rebooted my server.

 Please suggest what can be done to normalize the things.

 Thanks!!!

 Ravi

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ...
I will hunt you down...
http://blogs.technet.com/sbs



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Vinnie Cardona

Yes.

Although, rebooting the second time is not an acceptable long term fix.
Reading the previous threads tells me this is not an isolated issue. So
the next time this happens I will take the time to jot down details of
this bug.

Curious... Have you looked into MS article: 186645 for further
troubleshooting?

-vC

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 10:01 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Yes, it doesn't happen with any other servers, but I have rebooted it
more than twice. But no good luck.

What do you guys suggest in this case? Did only rebooting a second time
resolve the issue for you?

It worked for me when I disjoined from my domain, but I am sure this
has nothing to do with any GPO. Also the same thing happened for me when
I joined this to any other domain other than the previous one.

Thanks!!!

Ravi

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 10/17/2006 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have also seen where a second reboot is necessary for RDP to work. I
have not determined the cause of this yet. It does not happen on all
servers.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have noticed that after updating to the latest security patches and
rebooting that some (not all) of my servers had issues with RDP. It
cleared after rebooting a second time. Root cause? Unknown at this time.

-vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am
using mstsc but it's not connecting me to the server. error "The remote
computer has ended the connection". However if I am using
mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only admin id when connected like
this. I want my engineers (who don't have administrator privileges) to
access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi


RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Al Garrett

In the Windows Server 2003 Service Pack 1 Administration Tools pack
there's a utility we use a lot called Remote Desktops.

It's really just a way to have all the servers you need RDP access to in
one place so you can bounce around without having all those windows open.

We found after upgrading to Win2k3 that only one person could use the
"Connect to Console" feature at a time. It wasn't so in Win2k.

By unchecking the box for "Connect to Console" you can get the usual two
low-level admins in at a time PLUS have a console session available for
a regular admin.

AL Garrett
swccd.edu

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 7:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am
using mstsc but it's not connecting me to the server. error "The remote
computer has ended the connection". However if I am using
mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only admin id when connected like
this. I want my engineers (who don't have administrator privileges) to
access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi


RE: [ActiveDir] Cleanup of NETLOGON.LOGs

2006-10-17 Thread Vinnie Cardona

There is a GPO setting (never tried it) located here:
\Computer Configuration\Administrative Templates\System\Net Logon\Maximum Log File Size

Description as explained by GPO setting:

Specifies the maximum size in bytes of the log file netlogon.log in the
directory %windir%\debug when logging is enabled.

By default, the maximum size of the log file is 20MB. If this policy is
enabled, the maximum size of the log file is set to the specified size.
Once this size is reached the log file is saved to netlogon.bak and
netlogon.log is truncated. A reasonable value based on available storage
should be specified.

If this policy is disabled or not configured, the default behavior
occurs as indicated above.

-vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, October 17, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cleanup of NETLOGON.LOGs

Turn logging down to 0.

I would note that there is no notion of log generations, so your worst
case here is 2* log size (where log size defaults to 10MB), so worst case
it should only be 20MB, and deleting the archive is of course trivial.

More generally, we do reserve the right to write to this log & recreate
it as needed as sometimes there are things we need to log so you can
figure out what went wrong should something turn south. So even a log
level of 0 does not guarantee no logging, it just means not much logging
you could say.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 17, 2006 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cleanup of NETLOGON.LOGs

I just did a netlogon AD site cleanup process and want to delete all
netlogon.logs from all DCs in our domain. I noticed you can't delete it
while the netlogon service is running. Is there a better way to keep
these netlogon file sizes down, or delete them regularly than to stop,
delete, and restart services on each?

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
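
An added example (not part of the original thread, and not Microsoft's code): a PowerShell audit of the settings discussed above on the local machine, reporting the logging level, the configured maximum log size, and the space taken by netlogon.log plus netlogon.bak against the 2x ceiling Eric describes. The registry paths and the value names `DBFlag` and `MaximumLogFileSize` are assumptions of this example, since the thread names only the GPO setting; the function names are hypothetical.

```powershell
# Added example: audit Netlogon debug-log settings and disk use on the local machine.
# Assumption: the registry paths and value names below are where these settings
# are stored; the thread itself only names the GPO setting.
$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Return $null when the key or the value is absent.
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $props) { return $props.$Name }
    return $null
}

function Get-FileLength {
    param([string]$Path)
    # 0 when the file does not exist (for example, no rollover has happened yet).
    $file = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $file) { return [int64]$file.Length }
    return [int64]0
}

function Get-NetlogonLogAudit {
    # Maximum Log File Size: a value delivered by policy wins over a local one.
    $maxBytes = Get-RegValue -Key $policyKey -Name 'MaximumLogFileSize'
    $source   = 'policy'
    if ($null -eq $maxBytes) {
        $maxBytes = Get-RegValue -Key $paramKey -Name 'MaximumLogFileSize'
        $source   = 'local registry'
    }
    if ($null -eq $maxBytes) { $source = 'not configured (built-in default applies)' }

    # DBFlag is the logging level; it may be stored as a number or a hex string.
    $dbFlag  = Get-RegValue -Key $paramKey -Name 'DBFlag'
    $verbose = $false
    if ($dbFlag -is [string]) {
        if (-not [string]::IsNullOrWhiteSpace($dbFlag)) {
            $verbose = ([Convert]::ToUInt32($dbFlag.Trim(), 16) -ne 0)
        }
    } elseif ($null -ne $dbFlag) {
        $verbose = ($dbFlag -ne 0)
    }

    $debugDir = Join-Path $env:windir 'debug'
    $logBytes = Get-FileLength (Join-Path $debugDir 'netlogon.log')
    $bakBytes = Get-FileLength (Join-Path $debugDir 'netlogon.bak')
    $onDisk   = $logBytes + $bakBytes

    # No log generations: one live log plus one .bak, so the ceiling is 2 x max size.
    $ceiling = $null
    if ($null -ne $maxBytes) { $ceiling = 2 * [int64]$maxBytes }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        VerboseLogging  = $verbose
        DBFlag          = $dbFlag
        MaxLogFileBytes = $maxBytes
        MaxSizeSource   = $source
        LogBytes        = $logBytes
        BakBytes        = $bakBytes
        OnDiskBytes     = $onDisk
        CeilingBytes    = $ceiling
        OverCeiling     = ($null -ne $ceiling -and $onDisk -gt $ceiling)
    }
}

Get-NetlogonLogAudit | Format-List
```

A netlogon.log that keeps a recent timestamp while `VerboseLogging` is false matches Eric's point that level 0 does not mean nothing is ever written.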


[ActiveDir] Reverse lookup Zone (Integration with Bind and AD-DNS)

2006-10-17 Thread Robert.Contreras

Hello all,

Here is the scenario:

Bind DNS 9.2 - test.com
Active Directory integrated-DNS - ad.test.com (delegated sub domain)
Ad.test.com configured to forward to test.com DNS servers
All clients point to ad.test.com DNS servers

What has been the overall consensus as it relates to placement of
reverse lookup zones in this config? I have typically left the
reverse lookup zones in the root in this situation (test.com).

Tia,

RC


RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Vinnie Cardona

Is the "Enable Remote Desktop on this computer" with the Remote tab of
the System Properties checked? Or grayed out?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Tuesday, October 17, 2006 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Is this 2003 server? What about Term Services? Sometimes that gets
enabled/installed by mistake (because should not be needed for simply
remote admin). I can't recall, but maybe it locks you out of those 2
sessions when it can't contact a licensing server after a certain time
period. Could you have hit that?

If so, you should be able to remove the service (as long as you are ONLY
using this for remote admin that is!).

-DaveC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 12:01 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Yes, it doesn't happen with any other servers, but I have rebooted it
more than twice. But no good luck.

What do you guys suggest in this case? Did only rebooting a second time
resolve the issue for you?

It worked for me when I disjoined from my domain, but I am sure this
has nothing to do with any GPO. Also the same thing happened for me when
I joined this to any other domain other than the previous one.

Thanks!!!

Ravi

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 10/17/2006 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have also seen where a second reboot is necessary for RDP to work. I
have not determined the cause of this yet. It does not happen on all
servers.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have noticed that after updating to the latest security patches and
rebooting that some (not all) of my servers had issues with RDP. It
cleared after rebooting a second time. Root cause? Unknown at this time.

-vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am
using mstsc but it's not connecting me to the server. error "The remote
computer has ended the connection". However if I am using
mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only admin id when connected like
this. I want my engineers (who don't have administrator privileges) to
access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi

This email was sent to you by Reuters, the global news and information company.

To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except
where the sender specifically states them to be the views of Reuters Ltd.


RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread John Etie
I have seen this problem over the past two years or so, including this
Sunday when I applied patches to servers.   I even opened an MS case
once but they couldn't find any evidence of a problem. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Agreed, this isn't just this month.  This has been happening with
consistency about the last three to four months that we've been tracking
it.  Perhaps longer, but that's about the time those of us in the SBS
MVP listserve started realizing that all of us were having to figure out
alternative means to get to RDP sessions that were not coming back after
patching/rebooting.

In the SBS world it can be Exchange grabbing the TS port of 3389 as it
reboots which can be fixed with a reg edit...but mostly we're seeing
boxes, Windows server (and even workstations) flavors of all variety
that are either getting stuck on the way down, or we see that they get
the reboot command and then they don't reboot.

Currently everyone is just 'working around it' by using Ilo, or getting
remotely into another server or workstation and doing a remote shutdown
command... but I'd/we'd like to get to the bottom of it if we can.

It is consistently happening way too often and I'm seeing it reported
much too often.


Thommes, Michael M. wrote:
 Hi Susan,
 I didn't mean to imply that this was just with the last set of
 patches.  I think your note says that you have been seeing this for a
 while.  We have too.  One of the guys in my group uses Update Expert to
 patch and he sees it more often than I do.  Of course, he patches a lot
 more servers than I do.  Another part of the group uses WSUS and they
 have not mentioned any issues; but then again, they don't TS into
 computers much.  And yes, I will bring it up with my TAM (again?).  I
 think I had mentioned it to him previously but never started anything
 formal on it.

 Mike Thommes

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
 CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, October 17, 2006 10:54 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] The remote computer has ended the connection.

 Can you PLEASE call into Microsoft PSS or your tam or pam or whatever
 and report this?  Along with anyone else seeing this issue?

 I know that calling into PSS can be a pain, but please report this
 issue.

 We are seeing this more and more and I need to have bodies called in.
 We seriously need to get to the bottom of this because in the SBS space
 we do a lot of remote management and if the RDP dies we have to fall
 back to ILOs and this isn't acceptable in my book for patching to do
 this.

 Do you rely on WSUS?

 Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and
 rebooting that some (not all) of my servers had issues with RDP.
 It cleared after rebooting a second time.  Root cause?  Unknown at
 this time.

 -vC

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
 Sent: Tuesday, October 17, 2006 8:28 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] The remote computer has ended the connection.
 Importance: High

 Hi,

 I am trying to access one of my servers using Remote Connection. I am
 using mstsc but it's not connecting me to the server. error "The
 remote computer has ended the connection". However if I am using
 mstsc /v:IP Address /console it lets me connect to it.

 Problem is in this mode I can use only admin id when connected like
 this. I want my engineers (who don't have administrator privileges) to
 access this. It's not possible in this mode.

 This all happened when I rebooted my server.

 Please suggest what can be done to normalize the things.

 Thanks!!!

 Ravi


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Matt Hargraves
I read this and all I can think is that something happened to your Terminal Server mode on this server. Sometimes settings get changed when you install a security patch, you might want to verify your TS settings and make sure that it's in application mode (non-app mode means that only admins can connect). Also, go into Terminal Services Configuration and make sure that RDP isn't restricted to the local Administrators group.

Is there anything else special about this server? Is it a DC? Does it have Exchange or something else installed on it?

On 10/17/06, Technical Support [EMAIL PROTECTED] wrote:

Hi,

I am trying to access one of my servers using Remote Connection. I am
using mstsc but it's not connecting me to the server. error "The remote
computer has ended the connection". However if I am using
mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only admin id when connected like
this. I want my engineers (who don't have administrator privileges) to
access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!
Ravi




Re: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Mark Parris
Whenever I have had an issue due to installing a hotfix, the support has been
free as long as you state that it occurred as a result of the hotfix.

I had one last month with an outlook patch and it was resolved FOC. I assume 
this is the case globally - not just in the UK.



Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: Vinnie Cardona [EMAIL PROTECTED]
Date: Tue, 17 Oct 2006 10:57:54 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Susan,

We don't have a MS support contract.  Unfortunately rebooting the server was
cheaper than paying MS $245.

Never used WSUS until this month.  I am currently running WSUS 3.0.

Now for those of you who have experienced this bug and do not have a support
contract:

Just contacted MS @ (800) 936-4900 (option 2) and asked if I can just report a
bug without having to pay and he informed me that I will have to report the bug
via mail to the development team.  The address he gave me was:

Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052

Attention would be to the Development Team.  Include the product name and bug.

Susan…I think informing MS in some way or form of this potential bug is a good
idea…

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Can you PLEASE call into Microsoft PSS or your tam or pam or whatever
and report this?  Along with anyone else seeing this issue?

I know that calling into PSS can be a pain, but please report this issue.

We are seeing this more and more and I need to have bodies called in.
We seriously need to get to the bottom of this because in the SBS space
we do a lot of remote management and if the RDP dies we have to fall
back to ILOs and this isn't acceptable in my book for patching to do this.

Do you rely on WSUS?

Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and
 rebooting that some (not all) of my servers had issues with RDP.
 It cleared after rebooting a second time.  Root cause?  Unknown at
 this time.

 -vC

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
 Sent: Tuesday, October 17, 2006 8:28 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] The remote computer has ended the connection.
 Importance: High

 Hi,

 I am trying to access one of my servers using Remote Connection. I am
 using mstsc but it's not connecting me to the server. error "The
 remote computer has ended the connection". However if I am using
 mstsc /v:IP Address /console it lets me connect to it.

 Problem is in this mode I can use only admin id when connected like
 this. I want my engineers (who don't have administrator privileges) to
 access this. It's not possible in this mode.

 This all happened when I rebooted my server.

 Please suggest what can be done to normalize the things.

 Thanks!!!

 Ravi

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will
hunt you down...
http://blogs.technet.com/sbs


RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Brian Desmond

Do you have an account manager at MS? That's another avenue you can take.

WSUS 3.0 is beta SW so shouldn't be running it in production.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Susan,

We don't have a MS support contract. Unfortunately rebooting the server
was cheaper than paying MS $245.

Never used WSUS until this month. I am currently running WSUS 3.0.

Now for those of you who have experienced this bug and do not have a
support contract:

Just contacted MS @ (800) 936-4900 (option 2) and asked if I can just
report a bug without having to pay and he informed me that I will have
to report the bug via mail to the development team. The address he gave
me was:

Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052

Attention would be to the Development Team. Include the product name
and bug.

Susan... I think informing MS in some way or form of this potential bug
is a good idea...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Can you PLEASE call into Microsoft PSS or your tam or pam or whatever
and report this? Along with anyone else seeing this issue?

I know that calling into PSS can be a pain, but please report this issue.

We are seeing this more and more and I need to have bodies called in.
We seriously need to get to the bottom of this because in the SBS space
we do a lot of remote management and if the RDP dies we have to fall
back to ILOs and this isn't acceptable in my book for patching to do this.

Do you rely on WSUS?

Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and
 rebooting that some (not all) of my servers had issues with RDP.
 It cleared after rebooting a second time. Root cause? Unknown at
 this time.

 -vC

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
 Sent: Tuesday, October 17, 2006 8:28 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] The remote computer has ended the connection.
 Importance: High

 Hi,

 I am trying to access one of my servers using Remote Connection. I am
 using mstsc but it's not connecting me to the server. error "The
 remote computer has ended the connection". However if I am using
 mstsc /v:IP Address /console it lets me connect to it.

 Problem is in this mode I can use only admin id when connected like
 this. I want my engineers (who don't have administrator privileges) to
 access this. It's not possible in this mode.

 This all happened when I rebooted my server.

 Please suggest what can be done to normalize the things.

 Thanks!!!

 Ravi

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs


Re: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread AFidel

Susan,
I too have seen the situation where a shutdown command issued through an
RDP session fails to actually reboot the computer.
One recent example has these two event log entries:

The process Explorer.EXE has initiated the restart of computer SERVER on behalf of user Domain\Local Admin UserID for the following reason: Application: Maintenance (Planned)
Reason Code: 0x84040001
Shutdown Type: restart
Comment:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The process svchost.exe has initiated the restart of computer SERVER on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x80070020
Shutdown Type: restart
Comment:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The two entries are 9 seconds apart in the order shown here. The next
couple entries are 6013 uptime logs until the server is rebooted from the
console a couple days later. Not sure what's causing the double shutdown
or why it stops the shutdown process from actually happening but it's
awfully annoying.

Andrew Fidel





Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
10/17/2006 01:20 PM



Please respond to
ActiveDir@mail.activedir.org





To
ActiveDir@mail.activedir.org


cc



Subject
Re: [ActiveDir] The remote
computer has ended the connection.








Agreed, this isn't just this month. This has been happening with
consistency about the last three to four months that we've been tracking
it. Perhaps longer, but that's about the time those of us in the SBS
MVP listserve started realizing that all of us were having to figure out
alternative means to get to RDP sessions that were not coming back after
patching/rebooting.

In the SBS world it can be Exchange grabbing the TS port of 3389 as it
reboots which can be fixed with a reg edit...but mostly we're seeing
boxes, Windows server (and even workstations) flavors of all variety
that are either getting stuck on the way down, or we see that they get
the reboot command and then they don't reboot.

Currently everyone is just 'working around it' by using Ilo, or getting
remotely into another server or workstation and doing a remote shutdown
command... but I'd/we'd like to get to the bottom of it if we can.

It is consistently happening way too often and I'm seeing it reported
much too often.


Thommes, Michael M. wrote:
 Hi Susan,
   I didn't mean to imply that this was just with the last set of
 patches. I think your note says that you have been seeing this for a
 while. We have too. One of the guys in my group uses Update Expert to
 patch and he sees it more often than I do. Of course, he patches a lot
 more servers than I do. Another part of the group uses WSUS and they
 have not mentioned any issues; but then again, they don't TS into
 computers much. And yes, I will bring it up with my TAM (again?). I
 think I had mentioned it to him previously but never started anything
 formal on it.

 Mike Thommes

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
 CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, October 17, 2006 10:54 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] The remote computer has ended the connection.

 Can you PLEASE call into Microsoft PSS or your tam or pam or whatever
 and report this? Along with anyone else seeing this issue?

 I know that calling into PSS can be a pain, but please report this
 issue.

 We are seeing this more and more and I need to have bodies called in.
 We seriously need to get to the bottom of this because in the SBS space
 we do a lot of remote management and if the RDP dies we have to fall
 back to ILOs and this isn't acceptable in my book for patching to do
 this.

 Do you rely on WSUS?


 Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and
 rebooting that some (not all) of my servers had issues with RDP.
 It cleared after rebooting a second time. Root cause? Unknown at
 this time.

 -vC

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
 Sent: Tuesday, October 17, 2006 8:28 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] The remote computer has ended the connection.
 Importance: High

 Hi,

 I am trying to access one of my servers using Remote Connection. I am
 using mstsc but it's not connecting me to the server. error The
 remote computer has ended the connection. However if I am using
 mstsc /v:IP Address /console it lets me connect to it.

 Problem is in this mode I can use only admin id when connected like
 this. I want my engineers (who don't have administrator privileges) to
 access this. it's not possible in this mode.

 


[ActiveDir] WinNT ADSI provider

2006-10-17 Thread Isenhour, Joseph
I have a customer who wants to write their authentication DLL using the
WinNT ADSI provider instead of LDAP provider for simplicity.  Does
anyone know if there will be any supportability issues with this option
going forward?  Is Longhorn going to support it?

BTW, the app is written in vb6 so System.DirectoryServices is out.

Thanks

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] OT: Small Number of Video iPods Shipped With Windows Virus !!!!!!

2006-10-17 Thread Mark Parris
Chuckle Chuckle

http://www.apple.com/support/windowsvirus/

Anyone know where TechED 07 is yet?



RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Vinnie Cardona

Don't have an account manager.

WSUS3.0 beta is on our Dev side... UpdateExpert is on Prod.

Thanks,

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 17, 2006 12:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Do you have an account manager at MS? That's another avenue you can
take.

WSUS3.0 is beta SW so shouldn't be running it in production.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Susan,

We don't have a MS support contract. Unfortunately rebooting the
server was cheaper than paying MS $245.

Never used WSUS until this month. I am currently running WSUS
3.0.

Now for those of you who have experienced this bug and do not have a
support contract:

Just contacted MS @ (800) 936-4900 (option 2) and asked if I can just
report a bug without having to pay and he informed me that I will have to
report the bug via mail to the development team. The address he gave me
was:

Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052

Attention would be to the Development Team. Include the product
name and bug.

Susan... I think informing MS in some way or form of this potential bug is a good idea

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Can you PLEASE call into Microsoft PSS or your tam or pam or whatever
and report this? Along with anyone else seeing this issue?

I know that calling into PSS can be a pain, but please report this
issue.

We are seeing this more and more and I need to have bodies called in.
We seriously need to get to the bottom of this because in the SBS space
we do a lot of remote management and if the RDP dies we have to fall
back to ILOs and this isn't acceptable in my book for patching to do
this.

Do you rely on WSUS?

Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and
 rebooting that some (not all) of my servers had issues with RDP.
 It cleared after rebooting a second time. Root cause? Unknown at
 this time.

 -vC

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
 Sent: Tuesday, October 17, 2006 8:28 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] The remote computer has ended the connection.
 Importance: High

 Hi,

 I am trying to access one of my servers using Remote Connection. I am
 using mstsc but it's not connecting me to the server. error The
 remote computer has ended the connection. However if I am using
 mstsc /v:IP Address /console it lets me connect to it.

 Problem is in this mode I can use only admin id when connected like
 this. I want my engineers (who don't have administrator privileges) to
 access this. it's not possible in this mode.

 This all happened when I rebooted my server.

 Please suggest what can be done to normalize the things.

 Thanks!!!

 Ravi

-- 
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs


[ActiveDir] Latency in List

2006-10-17 Thread Mark Parris
I initially sent a reply with to this thread (below) at 19:43 BST yet I only
receive it back at 21:37 BST nearly two hours later, is anyone else
experiencing latency or is just me?

Let's see what this message does!

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 19:43
To: ActiveDir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.


RE: [ActiveDir] WinNT ADSI provider

2006-10-17 Thread Brian Desmond
What simplicity will this offer?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
 Sent: Tuesday, October 17, 2006 4:02 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] WinNT ADSI provider
 
 I have a customer who wants to write their authentication DLL using the
 WinNT ADSI provider instead of LDAP provider for simplicity.  Does
 anyone know if there will be any supportability issues with this option
 going forward?  Is Longhorn going to support it?
 
 BTW, the app is written in vb6 so System.DirectoryServices is out.
 
 Thanks


RE: [ActiveDir] OT: Small Number of Video iPods Shipped With Windows Virus !!!!!!

2006-10-17 Thread Mark Parris
Sorry just read this bit!!!

As you might imagine, we are upset at Windows for not being more hardy
against such viruses, and even more upset with ourselves for not catching
it.
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 21:12
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Small Number of Video iPods Shipped With Windows
Virus !!

Chuckle Chuckle

http://www.apple.com/support/windowsvirus/

Anyone know where TechED 07 is yet?



RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Michael A. Barker

Are you really sure the system rebooted
the first time? I've seen this twice in the last two months and all the machines
I got to before someone rebooted them never actually shut down the first time.
Connect and look at the logs or use the uptime command to check when the last
reboot was. I think you'll find it never really went down. You do however
get the very familiar disconnect message which leads you to believe the machine
is going down. For VIP systems I like to ping -t IPAddress
and see that it goes down and comes back up. With that said I've never
had a problem with patching from RDP (using WSUS) and then signing off to later
send a reboot command over the wire.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 12:01 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Yes it doesn't happened with any other
servers but I have rebooted it more than twice. but no good luck.

what do you guys suggest in this case? did only rebooting
second time resolved the issue for you?

It worked for me when I have disjoined from my domain. but I
am sure this has nothing to do with any GPO. Also
same thing happened for me when I joined this to any other
domain. other than the previous one.

Thanks!!!

Ravi

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 10/17/2006 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have also seen where a second reboot is necessary for RDP to work. I have not
determined the cause of this yet. It does not happen on all servers.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have noticed that after updating to the latest security patches and
rebooting that some (not all) of my servers had issues with RDP. It
cleared after rebooting a second time. Root cause? Unknown at this time.

-vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote
Connection. I am using mstsc but it's not connecting me to the server. error
The remote computer has ended the connection. However
if I am using mstsc /v:IP Address /console
it lets me connect to it.

Problem is in this mode I can use only admin id when
connected like this. I want my engineers (who don't have administrator
privileges) to access this. it's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi
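
The check suggested in the message above (confirm from the logs or the uptime that the machine really went down), applied to records shaped like the double-restart pair quoted earlier in the thread. This is an added example, not code from any list member: the sample log is constructed, and event IDs 1074 (restart requested) and 6005 (Event Log service started) are the standard Windows IDs, which the thread itself does not quote.

```python
"""Confirm from the event log whether a requested restart actually happened."""
import re
from datetime import datetime, timedelta

# Constructed sample export, one record per line: timestamp|event id|message.
# Host, users and times are invented; the two reason codes are the ones quoted
# in the thread. 1074 = restart requested, 6005 = Event Log service started
# (a boot), 6013 = periodic "system uptime" record.
SAMPLE_LOG = """\
2006-10-10 22:00:05|1074|The process Explorer.EXE has initiated the restart of computer SERVER on behalf of user DOMAIN\\admin for the following reason: Application: Maintenance (Planned) Reason Code: 0x84040001
2006-10-10 22:00:14|1074|The process svchost.exe has initiated the restart of computer SERVER on behalf of user NT AUTHORITY\\SYSTEM for the following reason: No title for this reason could be found Reason Code: 0x80070020
2006-10-11 12:00:00|6013|The system uptime is 1209600 seconds.
2006-10-12 12:00:00|6013|The system uptime is 1296000 seconds.
2006-10-12 18:30:00|1074|The process winlogon.exe has initiated the restart of computer SERVER on behalf of user DOMAIN\\admin for the following reason: Application: Maintenance (Planned) Reason Code: 0x84040001
2006-10-12 18:31:10|6005|The Event log service was started.
2006-10-13 12:00:00|6013|The system uptime is 62930 seconds.
"""

REQUEST = re.compile(
    r"The process (?P<proc>\S+) has initiated the restart of computer \S+ "
    r"on behalf of user (?P<user>.+?) for the following reason:.*?"
    r"Reason Code: (?P<code>0x[0-9A-Fa-f]+)")
UPTIME = re.compile(r"The system uptime is (?P<secs>\d+) seconds")


def parse(log_text):
    """Return (timestamp, event_id, message) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, message = line.split("|", 2)
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), message))
    return sorted(events, key=lambda e: e[0])


def restart_requests(events, window=timedelta(seconds=60)):
    """Group 1074 records that land within `window` of each other, so a
    double request like the 9-second pair in the thread is one incident."""
    groups = []
    for when, event_id, message in events:
        if event_id != 1074:
            continue
        m = REQUEST.search(message)
        who = f"{m['proc']} as {m['user']} ({m['code']})" if m else "unparsed"
        if groups and when - groups[-1]["last"] <= window:
            groups[-1]["last"] = when
            groups[-1]["initiators"].append(who)
        else:
            groups.append({"first": when, "last": when, "initiators": [who]})
    return groups


def classify(events, groups):
    """Label each incident from the first conclusive record that follows it
    and precedes the next request: rebooted, never-went-down or unknown."""
    results = []
    for i, group in enumerate(groups):
        horizon = groups[i + 1]["first"] if i + 1 < len(groups) else datetime.max
        status = "unknown"
        for when, event_id, message in events:
            if not group["last"] < when < horizon:
                continue
            if event_id == 6005:            # the log service only starts at boot
                status = "rebooted"
                break
            m = UPTIME.search(message) if event_id == 6013 else None
            if m:
                # Uptime longer than the time since the request means the
                # machine has been up continuously since before it.
                booted_at = when - timedelta(seconds=int(m["secs"]))
                status = "rebooted" if booted_at > group["last"] else "never-went-down"
                break
        results.append({**group, "status": status})
    return results


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for r in classify(evts, restart_requests(evts)):
        print(r["first"], r["status"], "; ".join(r["initiators"]))
```

An incident with more than one initiator and a `never-went-down` status is the pattern described in the thread: two restart requests seconds apart, followed only by uptime records.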


RE: [ActiveDir] OT: Small Number of Video iPods Shipped With Windows Virus !!!!!!

2006-10-17 Thread beads

Read the same story. Very clever of
Apple to say that and they were more upset with themselves for not catching
it. 



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax:   (312) 762-9275

Mark Parris [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/17/2006 04:22 PM

Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] OT: Small Number of Video iPods Shipped With Windows Virus !!

Sorry just read this bit!!!

As you might imagine, we are upset at Windows for not being more hardy
against such viruses, and even more upset with ourselves for not catching
it.
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 21:12
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Small Number of Video iPods Shipped With Windows
Virus !!

Chuckle Chuckle

http://www.apple.com/support/windowsvirus/

Anyone know where TechED 07 is yet?


RE: [ActiveDir] Latency in List

2006-10-17 Thread Laura A. Robinson
I've been noticing the latency for some time. 

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Tuesday, October 17, 2006 5:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Latency in List
 
 I initially sent a reply with to this thread (below) at 19:43 
 BST yet I only receive it back at 21:37 BST nearly two hours 
 later, is anyone else experiencing latency or is just me?
 
 Let's see what this message does!
 
 Mark
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: 17 October 2006 19:43
 To: ActiveDir.org
 Subject: Re: [ActiveDir] The remote computer has ended the connection.


RE: [ActiveDir] Latency in List

2006-10-17 Thread Robert Rutherford
Yeah, I get an average of 20 mins delay... it does mess with the flow of
threads.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 22:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latency in List

I initially sent a reply with to this thread (below) at 19:43 BST yet I
only
receive it back at 21:37 BST nearly two hours later, is anyone else
experiencing latency or is just me?

Let's see what this message does!

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 19:43
To: ActiveDir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.


RE: [ActiveDir] Latency in List

2006-10-17 Thread joe
Yep, definitely been latency for a while. In fact I sent this response two
hours before you sent your message so it could get back through the system
quickly.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, October 17, 2006 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latency in List

I initially sent a reply with to this thread (below) at 19:43 BST yet I only
receive it back at 21:37 BST nearly two hours later, is anyone else
experiencing latency or is just me?

Let's see what this message does!

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 19:43
To: ActiveDir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.


RE: [ActiveDir] Going OT again ... Separating Database and logs on seperate disks

2006-10-17 Thread joe
I could only correlate sender...  

Susan is in California, all sorts of interesting things to experiment with
out there.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 17, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Going OT again ... Separating Database and logs on
seperate disks

Can anyone see a correlation between Susan's original post and the final
KB to which she referred?

I must be smoking the wrong type of sh** :-^

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 October 2006 13:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating Database and logs on seperate disks

:)

Fun issue! I never would have hit it. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 2:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

AH HA
http://support.microsoft.com/default.aspx?scid=kb;en-us;909265

residual energy drink kicked in

Locate the operating system, the database, and the log files according
to scenarios 1, 2 or 5. Drive letter assignments on the domain
controllers do not have to match those in the table.



joe wrote:
 Wow... That is a psychedelic post...  

 :)


 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm
  

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
 aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, October 17, 2006 12:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

 In the back recesses of my brain I seem to remember a KB that
 indicated issues when one was there and the other was there and then
 it got moved over there but not consistent with there that not so good
 things happened.  (but I just ran out of Mountain Dew Energy drink so
 I could be delusional right now)


 joe wrote:

 I am surprised there aren't more responses to this.

 My personal opinion is that a vast majority of installations don't
 need to separate off the logs for perf. In fact, I have often
 recommended running everything on a single RAID 0+1/10/5 (partition
 logically if you want to say separate off the OS and the AD stuff) to
 get better perf than splitting logs and OS off onto their own disks.
 Especially in larger orgs for Exchange GCs that tried to follow the
 deployment docs and do mirror, mirror, mirror or mirror, mirror, 0+1
 but didn't have enough disks to get a good 0+1.

 In every case that I have had to review DCs with questionable disk
 subsystem perf, the issues are always around the DIT while the disks
 for the OS and the Logs are snoozing with IOPS sitting there not being
 used that could have saved the DIT from getting sucked into the mud.
 Rebuilding the disk subsystem with all disks in one of the above
 configurations has alleviated the issues in every case. Whether RAID 5
 or 0+1/10 is faster you will want to test with your own disk
 subsystems (say with IOMETER), it seems to vary. I have seen RAID-5
 faster and I have seen on different machines 0+1/10 faster.

 A case I am aware of where the logs definitely were good off on their
 own and would have seriously impacted perf if they weren't was Eric's
 DIT experiment where he built a 2TB DIT but he was adding objects at
 a very high rate of speed constantly for quite a while so the logs
 were being beaten pretty well.

  joe


 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm
  

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of AD
 Sent: Monday, October 16, 2006 11:29 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Seperating Database and logs on seperate disks

 Is there any other reason other then performance to have the Active 
 Directory log files and database on separate disks?
  
 Opinions are welcome.
  
 Thanks
  
 Yves

RE: [ActiveDir] WinNT ADSI provider

2006-10-17 Thread joe
You don't have to do an LDAP query first. You can bind in LDAP with
domain\user, UPN, or DN  and just ask for a well known object, say the
domain head or config head, etc.  

I still think either one is a poor authentication mechanism though. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, October 17, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

Not having to do an LDAP query prior to connecting to the user.  So they
will not have to store a lookup account and baseDN type info.  I think
that adding the LDAP features is pretty simple, but I don't want to make
them do it if it's not necessary.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 17, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

What simplicity will this offer?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
 Sent: Tuesday, October 17, 2006 4:02 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] WinNT ADSI provider
 
 I have a customer who wants to write their authentication DLL using the
 WinNT ADSI provider instead of LDAP provider for simplicity.  Does
 anyone know if there will be any supportability issues with this option
 going forward?  Is Longhorn going to support it?
 
 BTW, the app is written in vb6 so System.DirectoryServices is out.
 
 Thanks


RE: [ActiveDir] WinNT ADSI provider

2006-10-17 Thread Isenhour, Joseph
Oh ya, duh.  Good point.

Do you think that one is better than the other?  I agree they are both
bad options.  The app runs on IIS so using integrated auth would be
s easy; however, it requires more code changes on their end and they
are trying to get this done for regulatory compliance reasons.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 17, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

You don't have to do an LDAP query first. You can bind in LDAP with
domain\user, UPN, or DN  and just ask for a well known object, say the
domain head or config head, etc.  

I still think either one is a poor authentication mechanism though. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Tuesday, October 17, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

Not having to do an LDAP query prior to connecting to the user.  So they
will not have to store a lookup account and baseDN type info.  I think
that adding the LDAP features is pretty simple, but I don't want to make
them do it if it's not necessary.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 17, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

What simplicity will this offer?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
 Sent: Tuesday, October 17, 2006 4:02 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] WinNT ADSI provider
 
 I have a customer who wants to write their authentication DLL using the
 WinNT ADSI provider instead of LDAP provider for simplicity.  Does
 anyone know if there will be any supportability issues with this option
 going forward?  Is Longhorn going to support it?
 
 BTW, the app is written in vb6 so System.DirectoryServices is out.
 
 Thanks


RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Vinnie Cardona

Thanks for the follow up

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, October 17, 2006 6:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

You can report bugs via the Feedback/Bugs form at
http://connect.microsoft.com (you need a Passport/Live account to
signin, and if you haven't already, join the WSUS v3 open beta).

PSS generally does not support products that are in beta - that is
handled by the product team. Different products have different feedback
mechanisms for reporting bugs. As the products moves closer to release,
support is transitioned across to PSS. If you have a problem with a
product that is PSS supported, and the problem is in the Microsoft
product, you do not have to pay $245.

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Wednesday, 18 October 2006 7:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Don't have an account manager.

WSUS3.0 beta is on our Dev side... UpdateExpert is on Prod.

Thanks,

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 17, 2006 12:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Do you have an account manager at MS? That's another avenue you can
take.

WSUS3.0 is beta SW so shouldn't be running it in production.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Susan,

We don't have a MS support contract. Unfortunately rebooting the
server was cheaper than paying MS $245.

Never used WSUS until this month. I am currently running WSUS
3.0.

Now for those of you who have experienced this bug and do not have a
support contract:

Just contacted MS @ (800) 936-4900 (option 2) and asked if I can just
report a bug without having to pay and he informed me that I will have to
report the bug via mail to the development team. The address he gave me
was:

Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052

Attention would be to the Development Team. Include the product
name and bug.

Susan... I think informing MS in some way or form of this potential bug is a good idea


Re: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Because it occurs even while rebooting in general... therefore it's not 
considered a security patch issue per se.  What can I say?  I have a 
receipt for $245 in my email box.




Ken Schaefer wrote:

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
: SBS Rocks [MVP]
: Sent: Wednesday, 18 October 2006 10:45 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] The remote computer has ended the connection.
: 
: There is no line item in there for feedback on existing products in the
: current Connect.microsoft.com feedback.

I didn't read the whole thread. I saw Brian's post about WSUS 3.0 and assumed
it was an issue with WSUS 3.0, for which you can report bugs via Connect.

: You have to pay the $245 to start the call process... they will not set
: up a support case to take you to the next level to begin the
: investigation until you pay the Server call.

Well that seems to vary between countries then. I have been asked to supply
credit card details, but not been charged.

Additionally, as someone else mentioned, security hotfix support should be
free shouldn't it?

Cheers
Ken


 
: I just paid it earlier today to get into the queue.
: 
: Ken Schaefer wrote:

: 
:  You can report bugs via the Feedback/Bugs form at
:  http://connect.microsoft.com (you need a Passport/Live account to
:  signin, and if you haven't already, join the WSUS v3 open beta).
: 
:  PSS generally does not support products that are in beta - that is
:  handled by the product team. Different products have different
:  feedback mechanisms for reporting bugs. As the products move closer
:  to release, support is transitioned across to PSS. If you have a
:  problem with a product that is PSS supported, and the problem is in
:  the Microsoft product, you do not have to pay $245.
: 
:  Cheers
: 
:  Ken
: 
:  --
: 
:  My Blog: www.adOpenStatic.com/cs/blogs/ken
:  http://www.adopenstatic.com/cs/blogs/ken
: 
:  *From:* [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] *On Behalf Of *Vinnie
: Cardona
:  *Sent:* Wednesday, 18 October 2006 7:08 AM
:  *To:* ActiveDir@mail.activedir.org
:  *Subject:* RE: [ActiveDir] The remote computer has ended the
: connection.
: 
:  Don't have an account manager.
: 
:  WSUS3.0 beta is on our Dev side...UpdateExpert is on Prod.
: 
:  Thanks,
: 
:  -
: ---
: 
:  *From:* [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] *On Behalf Of *Brian
: Desmond
:  *Sent:* Tuesday, October 17, 2006 12:49 PM
:  *To:* ActiveDir@mail.activedir.org
:  *Subject:* RE: [ActiveDir] The remote computer has ended the
: connection.
: 
:  *Do you have an account manager at MS? That's another avenue you can
:  take. *
: 
:  * *
: 
:  *WSUS3.0 is beta SW so shouldn't be running it in production. *
: 
:  * *
: 
:  *Thanks,*
: 
:  *Brian Desmond*
: 
:  [EMAIL PROTECTED]
: 
:  * *
: 
:  *c - 312.731.3132*
: 
:  * *
: 
:  *From:* [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] *On Behalf Of *Vinnie
: Cardona
:  *Sent:* Tuesday, October 17, 2006 12:58 PM
:  *To:* ActiveDir@mail.activedir.org
:  *Subject:* RE: [ActiveDir] The remote computer has ended the
: connection.
: 
:  Susan,
: 
:  We don't have a MS support contract. Unfortunately rebooting the
:  server was cheaper than paying MS $245.
: 
:  Never used WSUS until this month. I am currently running WSUS 3.0.
: 
:  Now for those of you who have experienced this bug and do not have a
:  support contract:
: 
:  Just contacted MS @ (800) 936-4900 (option 2) and asked if I can just
:  report a bug without having to pay and he informed me that I will
: have
:  to report the bug via mail to the development team. The address he
:  gave me was:
: 
:  Microsoft Corporation
: 
:  1 Microsoft Way
: 
:  Redmond, WA 98052
: 
:  Attention would be to the Development Team. Include the product name
:  and bug.
: 
:  Susan...I think informing MS in some way or form of this potential
: /bug/
:  is a good idea...

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Reverse lookup Zone (Integration with Bind and AD-DNS)

2006-10-17 Thread Vinnie Cardona

Unless you have some reason to use the reverse lookup zone from your
test.com...I'd leave the reverse lookup zones in the ad.test.com
(integrated) since all of your computers are already pointing to
ad.test.com for resolution and you've delegated ad.test.com (integrated
as well).

Configure conditional forwarding for "All other DNS domains" to point to
at least two of your BIND servers and check the "Do not use recursion
for this domain" (I'm sure you don't want to have your internal DCs
roaming the internet for name servers)

My penny worth

-vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 17, 2006 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Reverse lookup Zone (Integration with Bind and AD-DNS)

Hello all,

Here is the scenario:

Bind DNS 9.2 - test.com
Active Directory integrated-DNS - ad.test.com (delegated sub domain)
Ad.test.com configured to forward to test.com DNS servers
All clients point to ad.test.com DNS servers

What has been the overall consensus as it relates to placement of
reverse lookup zones in this config? I have typically left the
reverse lookup zones in the root in this situation (test.com).

Tia,

RC


Re: [ActiveDir] WinNT ADSI provider

2006-10-17 Thread Joe Kaplan
One thing to keep in mind is that ADSI is not good for authentication in 
general as it has scalability issues.  If the application must support many 
simultaneous users, it will likely blow up.  I've seen this happen many 
times.  If one must use LDAP auth, it is better to do it directly against 
the LDAP API, as you can manage the connection that way and won't run out of 
wildcard ports.  Unfortunately, VB6 doesn't have a good LDAP API wrapper 
that I know of (except ADSI, which is the problem in this case).


I think the WinNT provider is a bad idea, as it is notorious for having 
problems when using OpenDSObject with credentials in general.  I wouldn't do 
it.


FWIW, System.DirectoryServices in .NET is just an ADSI wrapper and has the 
exact same problem.


If they can't use integrated auth (or Basic/SSL for that matter) and you 
must do forms auth in code, calling the LogonUser API is the best way to go. 
This may be possible in VB6 (haven't tried; cake in C++ or .NET) and will 
work fine as long as the web server is a domain member.


I dislike vendor apps that require logon security but don't provide a nice 
pluggable model to insert different mechanisms into the pipeline.  It is 
such a common thing to have to do, and not having this nicely abstracted so 
they can be flexible in their clients' environments is silly.  Soapbox off. 
:)


Joe K.


- Original Message - 
From: Isenhour, Joseph [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 17, 2006 6:40 PM
Subject: RE: [ActiveDir] WinNT ADSI provider


Oh ya, duh.  Good point.

Do you think that one is better than the other?  I agree they are both
bad options.  The app runs on IIS so using integrated auth would be
s easy; however, it requires more code changes on their end and they
are trying to get this done for regulatory compliance reasons.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 17, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

You don't have to do an LDAP query first You can bind in LDAP with
domain\user, UPN, or DN  and just ask for a well known object, say the
domain head or config head, etc.

I still think either one is a poor authentication mechanism though.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Tuesday, October 17, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

Not having to do an LDAP query prior to connecting to the user.  So they
will not have to store a lookup account and baseDN type info.  I think
that adding the LDAP features is pretty simple, but I don't want to make
them do it if it's not necessary.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 17, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

What simplicity will this offer?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, October 17, 2006 4:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinNT ADSI provider

I have a customer who wants to write their authentication DLL using the
WinNT ADSI provider instead of LDAP provider for simplicity.  Does
anyone know if there will be any supportability issues with this option
going forward?  Is Longhorn going to support it?

BTW, the app is written in vb6 so System.DirectoryServices is out.

Thanks

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
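
Joe Kaplan's suggestion in the message above, calling the LogonUser API for forms authentication on a domain-member web server instead of binding through ADSI, shown as an added example in C# (not code from the thread). The class name `DomainLogon` and method name `Validate` are hypothetical; the API signature, logon type and error codes are the documented Win32 values.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example: validate a forms-auth username and password with the
// Win32 LogonUser API rather than an ADSI/LDAP bind per request.
public static class DomainLogon
{
    private const int LOGON32_LOGON_NETWORK = 3;   // validation only; credentials are not cached
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 error codes that mean "these credentials cannot log on".
    private static readonly int[] CredentialErrors =
    {
        1326, // ERROR_LOGON_FAILURE: unknown user or bad password
        1327, // ERROR_ACCOUNT_RESTRICTION
        1328, // ERROR_INVALID_LOGON_HOURS
        1329, // ERROR_INVALID_WORKSTATION
        1330, // ERROR_PASSWORD_EXPIRED
        1331, // ERROR_ACCOUNT_DISABLED
        1907, // ERROR_PASSWORD_MUST_CHANGE
        1909  // ERROR_ACCOUNT_LOCKED_OUT
    };

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Returns true only when the domain accepts the credentials.
    // Pass domain as null when user is in UPN form (user@ad.test.com).
    public static bool Validate(string user, string domain, string password)
    {
        // Reject empty input before it reaches the API.
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            return false;

        IntPtr token;
        if (LogonUser(user, domain, password,
                      LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            CloseHandle(token); // the token only proves the logon; release it at once
            return true;
        }

        int err = Marshal.GetLastWin32Error();
        if (Array.IndexOf(CredentialErrors, err) >= 0)
            return false;       // caller shows one generic failure message

        // Anything else (no DC reachable, RPC failure, ...) is an
        // infrastructure fault, not a bad password: surface it to the caller.
        throw new Win32Exception(err);
    }
}
```

Returning the same generic failure to the user for every `false` result avoids disclosing which accounts exist, are locked out or are disabled; the specific code can go to the server-side log instead.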



Re: [ActiveDir] Going OT again ... Separating Database and logs on seperate disks

2006-10-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Yeah and I'm bummed that I can't find any Pitch Black Mountain Dew this 
Halloween season


(okay that's realllyy off topic)

joe wrote:
I could only correlate sender...  


Susan is in California, all sorts of interesting things to experiment with
out there.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 17, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Going OT again ... Separating Database and logs on
seperate disks

Can anyone see a correlation between Susan's original post and the final
KB to which she referred?

I must be smoking the wrong type of sh** :-^

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 October 2006 13:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperating Database and logs on seperate disks

:)

Fun issue! I never would have hit it. 



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 2:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

AH HA
http://support.microsoft.com/default.aspx?scid=kb;en-us;909265

residual energy drink kicked in

Locate the operating system, the database, and the log files according
to scenarios 1, 2 or 5. Drive letter assignments on the domain
controllers do not have to match those in the table.



joe wrote:
  
Wow... That is a psychedelic post...  


:)


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperating Database and logs on seperate disks

In the back recesses of my brain I seem to remember a KB that
indicated issues when one was there and the other was there and then
it got moved over there but not consistent with there that not so good
things happened.  (but I just ran out of Mountain Dew Energy drink so
I could be delusional right now)


joe wrote:

I am surprised there aren't more responses to this.

My personal opinion is that a vast majority of installations don't need
to separate off the logs for perf. In fact, I have often recommended
running everything on a single RAID 0+1/10/5 (partition logically if you
want to say separate off the OS and the AD stuff) to get better perf
than splitting logs and OS off onto their own disks. Especially in
larger orgs for Exchange GCs that tried to follow the deployment docs
and do mirror, mirror, mirror or mirror, mirror, 0+1 but didn't have
enough disks to get a good 0+1.

In every case that I have had to review DCs with questionable disk
subsystem perf, the issues are always around the DIT while the disks for
the OS and the Logs are snoozing with IOPS sitting there not being used
that could have saved the DIT from getting sucked into the mud.
Rebuilding the disk subsystem with all disks in one of the above
configurations has alleviated the issues in every case. Whether RAID 5
or 0+1/10 is faster you will want to test with your own disk subsystems
(say with IOMETER), it seems to vary. I have seen RAID-5 faster and I
have seen on different machines 0+1/10 faster.

A case I am aware of where the logs definitely were good off on their
own and would have seriously impacted perf if they weren't was Eric's
DIT experiment where he built a 2TB DIT but he was adding objects at a
very high rate of speed constantly for quite a while so the logs were
being beaten pretty well.

 joe


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, October 16, 2006 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperating Database and logs on seperate disks

Is there any other reason other then performance to have the Active 
Directory log files and database on separate disks?
 
Opinions are welcome.
 
Thanks
 
Yves

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Going OT again ... Separating Database and logs on seperate disks

2006-10-17 Thread Steve Egan \(Temp\)
Okay - I just HAVE to ask...

What does it Dew for you??

(ducks!) 


Steve Egan (Temp)
Network/Systems Engineer
Purcell Systems

One Unix to rule them all,
One Resolver to find them,
One IP to bring them all,
And in the Zone to Bind them.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 8:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Going OT again ... Separating Database and logs
on seperate disks

Yeah and I'm bummed that I can't find any Pitch Black Mountain Dew this
Halloween season

(okay that's realllyy off topic)

joe wrote:
 I could only correlate sender...  

 Susan is in California, all sorts of interesting things to experiment 
 with out there.


 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm
  
SNIP
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Reverse lookup Zone (Integration with Bind and AD-DNS)

2006-10-17 Thread Wells, James Arthur
Robert,
 
I've only seen this type of configuration in higher-ed environments, where the 
legacy DNS predates Active Directory and there are security, configuration or 
political reasons for reverse zones staying on the BIND servers.
 
A few thoughts:
 
Caching the entire zone for test.com by putting a secondary copy of that zone 
on the ad.test.com DNS servers may prove useful.
By default, Windows servers will want to dynamically register PTR records - 
something not allowed with a typical BIND config (and probably not allowed in 
this scenario, or ad.test.com would probably be a BIND zone)
 
Some 3rd party applications can get picky or even break if you're not careful 
about name resolution.  Licensing based on host name, in particular.

I've also seen some applications break if you have forward lookups in a BIND 
zone and in AD DNS (dc1.sub.test.com and dc1.ad.test.com).  I spent all weekend 
diagnosing an AD sync for an application that would crash out because it was 
pointed to dc1.sub.test.com instead of dc1.ad.test.com.  I can
only gather that somehow, an LDAP query told it the AD domain FQDN and it got 
confused...
 
My $0.02,
 
 
James Wells






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 17, 2006 1:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Reverse lookup Zone (Integration with Bind and AD-DNS)



Hello all,
   
Here is the scenario:
   
Bind DNS 9.2 - test.com
Active Directory integrated-DNS - ad.test.com (delegated sub domain)
Ad.test.com configured to forward to test.com DNS servers
All clients point to ad.test.com DNS servers
   
   
What has been the overall consensus as it relates to placement of
reverse lookup zones in this config?  I have typically left the
reverse lookup zones in the root in this situation (test.com).
   
Tia,

RC

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx