Re: [ActiveDir] OT: DPM now includes Exchange and SQL (and wanna another beta sinceVista is almost done?)

2006-10-20 Thread Mark Parris
Vista SP1 will ship with Longhorn server so the SP1 is a great beta to get on - 
SP1's usually make you go WTF #*!
Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
Date: Thu, 19 Oct 2006 17:14:54 
To:ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DPM now includes Exchange and SQL (and wanna another beta since Vista is almost done?)

On September 27th, Microsoft announced the public beta of System Center Data 
Protection Manager version 2.
 
As part of our Optimizing Core IO customer campaign, DPM fulfills the “Data 
Protection and Recovery” pillar.
 
Data Protection Manager (DPM) is a key member of the Microsoft System Center 
family of management products, designed to help IT Pros manage their Windows 
environment.
 
Today, DPM 2006 delivers centralized backup for branch offices, while providing 
rapid and reliable recovery of files from readily accessible disk instead of 
waiting to locate and mount tapes.  Restores are achieved from an easy-to-use 
IT administrator interface, as well as enabling end-users to restore their own 
data directly from Windows® Explorer or any Microsoft Office™ application.
 
Data Protection Manager (DPM) v2 is the next generation of Microsoft’s data 
protection platform – and the backup/restore tool that administrators of 
Microsoft networks have been asking for.  DPM “v2” sets a new standard for 
Windows backup and recovery -- delivering continuous data protection for 
Microsoft application and file servers to a seamlessly integrated secondary 
disk and tape solution on the DPM server.  DPM enables better backups as well 
as rapid and reliable recoveries for both the IT professional and the 
end-user.  DPM significantly reduces the costs and complexities associated with 
data protection through advanced technology for enterprises of all sizes.
 
DPM version 2 provides:
 
* Continuous Data Protection for Windows Application and File Servers - DPM 
protects core Windows Server workloads (Exchange, SQL, SharePoint and File) by 
continuously capturing data changes with application-aware block-level agents, 
providing an easy-to-manage and robust disk/tape back end platform, and 
one-click lossless application recovery.
 
* Rapid and Reliable Recovery - DPM enables IT administrators and end-users to 
easily recover data in minutes from easily accessible disk instead of locating 
and restoring from less-reliable tapes.
 
* Advanced Technology for Enterprises of all sizes - DPM brings together the 
best aspects of CDP real-time protection with traditional tape backup/restore 
to provide a comprehensive disk-to-disk-to-tape data recovery solution.  
Combined with Microsoft’s experience in Windows Server technology, DPM v2 
provides a technically advanced and comprehensive data protection solution for 
the most demanding Windows environments – from the SMB to the Enterprise.
 
When helping customers mature through the stages of Core IO, be aware of 
opportunities for customers to better protect their environments with this new 
Microsoft offering.
 
Actions:
 
* For information on DPM 2006 and DPM v2, get the new DPM datasheet 
* Read the  Beta Announcement press release. 
* Customers can be directed to www.microsoft.com/DPM. Partners go to 
https://partner.microsoft.com/dpm. Anyone can send email to [EMAIL PROTECTED] for 
more information.

-- 
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... 
http://blogs.technet.com/sbs
[EMAIL PROTECTED]

[ActiveDir] Planning for Active Directory Forest Recovery

2006-10-20 Thread Mark Parris
A new Microsoft Document.

Planning for Active Directory Forest Recovery

http://www.microsoft.com/downloads/details.aspx?FamilyID=afe436fa-8e8a-443a-9027-c522dee35d85&DisplayLang=en

Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


Re: [ActiveDir] OT: TechED 2007

2006-10-20 Thread Glenn Corbett

Hey, I'm not averse to the odd conference in Florida (being from Australia)

*grin*

- Original Message - 
From: "Missy Koslosky" <[EMAIL PROTECTED]>

To: 
Sent: Friday, October 20, 2006 9:36 AM
Subject: RE: [ActiveDir] OT: TechED 2007





I'm SOOO sick of conferences in Florida. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, October 19, 2006 4:29 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: TechED 2007

It's Florida !


Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] OT: TechED 2007

2006-10-20 Thread Molkentin, Steve

Absolutely - somebody send me to Floreda (Oh Homer, you so crazy...)

themolk.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
> Sent: Friday, 20 October 2006 8:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: TechED 2007
>
> Hey, I'm not averse to the odd conference in Florida (being
> from Australia)
>
> *grin*
>
> - Original Message -
> From: "Missy Koslosky" <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, October 20, 2006 9:36 AM
> Subject: RE: [ActiveDir] OT: TechED 2007
>
>
> > 
> >
> > I'm SOOO sick of conferences in Florida.
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> > Sent: Thursday, October 19, 2006 4:29 AM
> > To: ActiveDir.org
> > Subject: [ActiveDir] OT: TechED 2007
> >
> > It's Florida !
> >
> >
> > Regards,
> >
> > Mark Parris
> >
> > Base IT Ltd
> > Active Directory Consultancy
> > Tel +44(0)7801 690596
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ml/threads.aspx
> >
>

This email (including any attachments)  contains confidential  information and 
is intended only for the named addressee. If you are not the named addressee 
you should not disseminate, distribute or copy this email. Please notify the 
sender immediately by email if you have received this email by mistake and 
delete this email from your system and destroy any copies.

This email is also subject to copyright. No part of it should be reproduced, 
adapted or communicated without the written consent of the copyright owner.

Email transmission cannot be guaranteed to be secure or error-free and  emails 
may be interfered with, may contain computer viruses or other defects and may 
not be successfully replicated on other systems. The sender does not give any 
warranties nor accepts any liability in relation to any of these matters. If 
you have any doubt about the authenticity of an email purportedly sent by us, 
please contact us immediately. 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Blocking IE7

2006-10-20 Thread Rob MOIR
And now I'm really confused. Why make your users admins and then lock down the 
ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 20 October 2006 01:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Yes/No - Because we are an academic environment, the best we could do
> was to make our users domain account a "user" but give them their own
> local admin account.  We use restricted groups to enforce.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, October 19, 2006 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Are your users local admins?  Only admins can approve IE7 for install.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 2:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> I must be missing something, I read:
> 
> * "The Blocker Toolkit will not prevent users from manually installing
> Internet Explorer 7 as a Recommended update from the Windows Update or
> Microsoft Update sites, from the Microsoft Download Center, or from
> external media.
> 
> So it seems to me a hash rule combined with a filename rule should work
> unless they change both on me.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
> Sent: Thursday, October 19, 2006 12:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> You might want to re-read the page that you linked to below, since it
> answers all of your questions.
> 
> 1. That toolkit is *not* designed to block WSUS deployments. With WSUS,
> you would simply not approve the update.
> 2. That toolkit *is* designed to block both the executable and
> automatic update installations.
> 
> Laura
> 
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 12:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Blocking IE7
> I see how to block IE7 from deploying through WSUS, but what I don't
> see is a way to block a user from manually installing it.
> 
> (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-
> 5D44-482B-9DBD-869B4A90159C&displaylang=en)
> 
> Our users are 90% XP SP2 and managed through GP.  What about building a
> restricted software GPO that has a hash of iesetup7.exe (if that even
> exists)?
> 
> I want to restrict them from getting it through microsoftupdate.com as
> well.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] OT: TechED 2007

2006-10-20 Thread Ramon Linan
I did not follow the whole discussion, but...is the TechEd in Orlando or
where in Florida? I would not mind my company paying for me to go to
Disney :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Molkentin,
Steve
Sent: Friday, October 20, 2006 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: TechED 2007


Absolutely - somebody send me to Floreda (Oh Homer, you so crazy...)

themolk.



> -Original Message-
> From: [EMAIL PROTECTED]

> [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
> Sent: Friday, 20 October 2006 8:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: TechED 2007
>

> Hey, I'm not averse to the odd conference in Florida (being
> from Australia)
>

> *grin*
>

> - Original Message -

> From: "Missy Koslosky" <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, October 20, 2006 9:36 AM
> Subject: RE: [ActiveDir] OT: TechED 2007
>

>

> > 
> >

> > I'm SOOO sick of conferences in Florida.

> >

> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> > Sent: Thursday, October 19, 2006 4:29 AM
> > To: ActiveDir.org
> > Subject: [ActiveDir] OT: TechED 2007
> >

> > It's Florida !
> >

> >

> > Regards,
> >

> > Mark Parris
> >

> > Base IT Ltd
> > Active Directory Consultancy
> > Tel +44(0)7801 690596
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ml/threads.aspx
> >

>



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Blocking IE7

2006-10-20 Thread Lucas, Bryan
Being an academic environment, taking administrative rights away from users is 
not an easy thing to accomplish.  The compromise was to have their domain 
account (which they are logged in as 99% of the time) a non-admin, but then 
give them the admin rights in the form of a separate local account unique to 
their workstation.

This makes them safer while browsing and requires them to go through a very 
conscious extra set of steps to install new hw/sw.

It has worked very well, cut down on spyware/junkware as well as served as a 
training ground both for us and the users for the upcoming Vista model.

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Friday, October 20, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

And now I'm really confused. Why make your users admins and then lock down the 
ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 20 October 2006 01:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Yes/No - Because we are an academic environment, the best we could do
> was to make our users domain account a "user" but give them their own
> local admin account.  We use restricted groups to enforce.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, October 19, 2006 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Are your users local admins?  Only admins can approve IE7 for install.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 2:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> I must be missing something, I read:
> 
> * "The Blocker Toolkit will not prevent users from manually installing
> Internet Explorer 7 as a Recommended update from the Windows Update or
> Microsoft Update sites, from the Microsoft Download Center, or from
> external media.
> 
> So it seems to me a hash rule combined with a filename rule should work
> unless they change both on me.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
> Sent: Thursday, October 19, 2006 12:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> You might want to re-read the page that you linked to below, since it
> answers all of your questions.
> 
> 1. That toolkit is *not* designed to block WSUS deployments. With WSUS,
> you would simply not approve the update.
> 2. That toolkit *is* designed to block both the executable and
> automatic update installations.
> 
> Laura
> 
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 12:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Blocking IE7
> I see how to block IE7 from deploying through WSUS, but what I don't
> see is a way to block a user from manually installing it.
> 
> (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-
> 5D44-482B-9DBD-869B4A90159C&displaylang=en)
> 
> Our users are 90% XP SP2 and managed through GP.  What about building a
> restricted software GPO that has a hash of iesetup7.exe (if that even
> exists)?
> 
> I want to restrict them from getting it through microsoftupdate.com as
> well.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] OT: TechED 2007

2006-10-20 Thread Tim Vander Kooi

Wonder where it got stripped on the way to you. It had content
when it left, and it had content when I received it back. Stop strippin’
my mail. ;-)

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mark Parris
Sent: Thursday, October 19, 2006 6:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: TechED 2007

Hey you’re treading on my toes sending blank messages (that’s my job).

Mark Parris

Base IT Ltd

Active Directory Consultancy

+44 (0)7801 690596

_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Tim Vander
Kooi
Sent: 19 October 2006 22:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: TechED 2007

RE: [ActiveDir] Linked Attributes Replication

2006-10-20 Thread David Loder
joe and I talked offline.  Neither of us think it's a
lingering object (but that was his first guess too). 
He was thinking it was a phantom but I'm not sure
since I see it in a GC - which never has a need to
create a phantom.

Layout is as follows.

Domain0 is empty root, with child domains 1-6.

Manager previously existed in Domain1.  User still
exists in Domain2.

Manager has been verified to not exist on any DC in
Domain1.

Some (not all) of Domain2's DCs and GCs show the user
having a manager.  Some (not all) of Domain1's GCs
show the user having a manager.  Some (not all) of
Domain3's GCs show the user having a manager.  None of
Domain0's GCs or 4-6 show the user having a manager.

Around the time this happened back in 2003 there had
been some incorrect Infrastructure Master placements. 
However, Domain2's IM appears to have been correctly
configured.  Not sure if that is just a red herring to
lead us down the phantom path.


--- Eric Fleischman <[EMAIL PROTECTED]>
wrote:

> From the data provided below it sounds like you
> have a lingering object
> & a lingering link value...not tragic, pretty
> straightforward to clean
> up. If you could be more specific as to domain
> layout & in which domain
> each user resides we could likely provide steps to
> fix this up.
> 
> If you search KB for lingering object you'll find
> all sorts of mention
> of them. I say that you must have a lingering object
> as link values need
> to point to some object (they are nothing more than a
> DNT pointer really)
> so it sounds like you have an object in the partial
> NC on the GC which
> still represents that manager.
> 
> ~Eric
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of David Loder
> Sent: Thursday, October 19, 2006 8:36 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Linked Attributes Replication
> 
> We've found something unusual in our forest and are
> hoping someone may have insight as to root-cause.
> 
> Sometime back in 2003, when our forest was running
> W2K
> SP3, someone's manager was deleted, and that event
> was
> faithfully replicated around the originating domain
> and the forest GCs.  The manager doesn't exist
> anywhere.
> 
> Fast forward to today, forest now running W2K3 SP1. 
> About 20% of the DCs (both originating domain DCs
> and
> forest GCs) show that the user still has a manager
> because the manager attribute contains a DN that no
> longer exists in the forest.
> 
> Let me repeat that statement.  If I look at GC_1 it
> shows the employee's manager is .  If I
> look
> at GC_2 it shows manager is
> CN=Someone_that_no_longer_exists_in_the_forest.  Yet
> both GC_1 and GC_2 show the same metadata for the
> manager attribute.
> 
> At this point we're theorizing that when the user's
> manager was deleted, that change was faithfully
> replicated around the forest.  However, the linked
> attribute update is not a replicated event - each DC
> is personally responsible for updating the backlink,
> and we had one W2K DC that didn't do it.  Fast
> forward
> to today where 100% of the DCs have been reinstalled
> and repromoed as W2K3.  Depending on which DC they
> sourced their promo from we now have the
> "corruption"
> spread we see today where some 20% of the DCs have
> the
> incorrect value.
> 
> Has anyone else ever encountered this or have some
> idea what may have caused the initial "corruption"?
> 
> 
> __
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam
> protection around 
> http://mail.yahoo.com 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.activedir.org/ml/threads.aspx
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.activedir.org/ml/threads.aspx
> 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


Re: [ActiveDir] OT: TechED 2007

2006-10-20 Thread Mark Parris
Orlando
Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: "Ramon Linan" <[EMAIL PROTECTED]>
Date: Fri, 20 Oct 2006 10:34:35 
To:
Subject: RE: [ActiveDir] OT: TechED 2007

I did not follow the whole discussion, but...is the TechEd in Orlando or
where in Florida? I would not mind my company paying for me to go to
Disney :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Molkentin,
Steve
Sent: Friday, October 20, 2006 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: TechED 2007


Absolutely - somebody send me to Floreda (Oh Homer, you so crazy...)

themolk.



> -Original Message-
> From: [EMAIL PROTECTED]

> [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
> Sent: Friday, 20 October 2006 8:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: TechED 2007
>

> Hey, I'm not averse to the odd conference in Florida (being
> from Australia)
>

> *grin*
>

> - Original Message -

> From: "Missy Koslosky" <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, October 20, 2006 9:36 AM
> Subject: RE: [ActiveDir] OT: TechED 2007
>

>

> > 
> >

> > I'm SOOO sick of conferences in Florida.

> >

> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> > Sent: Thursday, October 19, 2006 4:29 AM
> > To: ActiveDir.org
> > Subject: [ActiveDir] OT: TechED 2007
> >

> > It's Florida !
> >

> >

> > Regards,
> >

> > Mark Parris
> >

> > Base IT Ltd
> > Active Directory Consultancy
> > Tel +44(0)7801 690596
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ml/threads.aspx
> >

>



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] Linked Attributes Replication

2006-10-20 Thread Eric Fleischman
You can certainly kick GC off by hand to clear that up.
If you have the problem on a GC though, how are you to blame a phantom?
If you navigate to the partial NC on the GC, do you see the object? I
assume the answer is yes (but if not please let me know what you do
see).

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Loder
Sent: Friday, October 20, 2006 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Linked Attributes Replication

joe and I talked offline.  Neither of us think it's a
lingering object (but that was his first guess too). 
He was thinking it was a phantom but I'm not sure
since I see it in a GC - which never has a need to
create a phantom.

Layout is as follows.

Domain0 is empty root, with child domains 1-6.

Manager previously existed in Domain1.  User still
exists in Domain2.

Manager has been verified to not exist on any DC in
Domain1.

Some (not all) of Domain2's DCs and GCs show the user
having a manager.  Some (not all) of Domain1's GCs
show the user having a manager.  Some (not all) of
Domain3's GCs show the user having a manager.  None of
Domain0's GCs or 4-6 show the user having a manager.

Around the time this happened back in 2003 there had
been some incorrect Infrastructure Master placements. 
However, Domain2's IM appears to have been correctly
configured.  Not sure if that is just a red herring to
lead us down the phantom path.


--- Eric Fleischman <[EMAIL PROTECTED]>
wrote:

> From the data provided below it sounds like you
> have a lingering object
> & a lingering link value...not tragic, pretty
> straightforward to clean
> up. If you could be more specific as to domain
> layout & in which domain
> each user resides we could likely provide steps to
> fix this up.
> 
> If you search KB for lingering object you'll find
> all sorts of mention
> of them. I say that you must have a lingering object
> as link values need
> to point to some object (they are nothing more than a
> DNT pointer really)
> so it sounds like you have an object in the partial
> NC on the GC which
> still represents that manager.
> 
> ~Eric
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of David Loder
> Sent: Thursday, October 19, 2006 8:36 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Linked Attributes Replication
> 
> We've found something unusual in our forest and are
> hoping someone may have insight as to root-cause.
> 
> Sometime back in 2003, when our forest was running
> W2K
> SP3, someone's manager was deleted, and that event
> was
> faithfully replicated around the originating domain
> and the forest GCs.  The manager doesn't exist
> anywhere.
> 
> Fast forward to today, forest now running W2K3 SP1. 
> About 20% of the DCs (both originating domain DCs
> and
> forest GCs) show that the user still has a manager
> because the manager attribute contains a DN that no
> longer exists in the forest.
> 
> Let me repeat that statement.  If I look at GC_1 it
> shows the employee's manager is .  If I
> look
> at GC_2 it shows manager is
> CN=Someone_that_no_longer_exists_in_the_forest.  Yet
> both GC_1 and GC_2 show the same metadata for the
> manager attribute.
> 
> At this point we're theorizing that when the user's
> manager was deleted, that change was faithfully
> replicated around the forest.  However, the linked
> attribute update is not a replicated event - each DC
> is personally responsible for updating the backlink,
> and we had one W2K DC that didn't do it.  Fast
> forward
> to today where 100% of the DCs have been reinstalled
> and repromoed as W2K3.  Depending on which DC they
> sourced their promo from we now have the
> "corruption"
> spread we see today where some 20% of the DCs have
> the
> incorrect value.
> 
> Has anyone else ever encountered this or have some
> idea what may have caused the initial "corruption"?
> 
> 
> __
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam
> protection around 
> http://mail.yahoo.com 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Linked Attributes Replication

2006-10-20 Thread Brett Shirley
I suspect ... and winging it here ...

if you truly have a DC _that isn't a GC_ for the domain (domain2 I
believe) of the user object with the dangling manager link ... move IM for
domain2 to that DC ... wait four days for IM to make the rounds ... he
should [re?]generate an infrastructure update ... watch event logs to see
if AD is having trouble with IM duties ... possibly regularly query AD for
new infrastructure update objects, hint they're deleted objects ... see if
the problem rectifies itself ...

If domain2's IM is already on (for 4+ days) a DC with the dangling manager
link, then in theory you've already unintentionally followed my
suggestion, and well the problem is non-obvious to me ...

-BrettSh

This posting is provided "AS IS" with no warranties, and confers
no rights.

On Fri, 20 Oct 2006, David Loder wrote:

> joe and I talked offline.  Neither of us think it's a
> lingering object (but that was his first guess too). 
> He was thinking it was a phantom but I'm not sure
> since I see it in a GC - which never has a need to
> create a phantom.
> 
> Layout is as follows.
> 
> Domain0 is empty root, with child domains 1-6.
> 
> Manager previously existed in Domain1.  User still
> exists in Domain2.
> 
> Manager has been verified to not exist on any DC in
> Domain1.
> 
> Some (not all) of Domain2's DCs and GCs show the user
> having a manager.  Some (not all) of Domain1's GCs
> show the user having a manager.  Some (not all) of
> Domain3's GCs show the user having a manager.  None of
> Domain0's GCs or 4-6 show the user having a manager.
> 
> Around the time this happened back in 2003 there had
> been some incorrect Infrastructure Master placements. 
> However, Domain2's IM appears to have been correctly
> configured.  Not sure if that is just a red-herring to
> lead us down the phantom path.
> 
> 
> --- Eric Fleischman <[EMAIL PROTECTED]>
> wrote:
> 
> > From the data provided below it sounds like you
> > have a lingering object
> > & a lingering link value...not tragic, pretty
> > straight forward to clean
> > up. If you could be more specific as to domain
> > layout & in which domain
> > each user resides we could likely provide steps to
> > fix this up.
> > 
> > If you search KB for lingering object you'll find
> > all sorts of mention
> > of them. I say that you must have a lingering object
> > as link values need to
> > point to some object (they are nothing more than a
> > DNT pointer really)
> > so it sounds like you have an object in the partial
> > NC on the GC which
> > still represents that manager.
> > 
> > ~Eric
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of David Loder
> > Sent: Thursday, October 19, 2006 8:36 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Linked Attributes Replication
> > 
> > We've found something unusual in our forest and are
> > hoping someone may have insight as to root-cause.
> > 
> > Sometime back in 2003, when our forest was running
> > W2K
> > SP3, someone's manager was deleted, and that event
> > was
> > faithfully replicated around the originating domain
> > and the forest GCs.  The manager doesn't exist
> > anywhere.
> > 
> > Fast forward to today, forest now running W2K3 SP1. 
> > About 20% of the DCs (both originating domain DCs
> > and
> > forest GCs) show that the user still has a manager
> > because the manager attribute contains a DN that no
> > longer exists in the forest.
> > 
> > Let me repeat that statement.  If I look at GC_1 it
> > shows the employee's manager is .  If I
> > look
> > at GC_2 it shows manager is
> > CN=Someone_that_no_longer_exists_in_the_forest.  Yet
> > both GC_1 and GC_2 show the same metadata for the
> > manager attribute.
> > 
> > At this point we're theorizing that when the user's
> > manager was deleted, that change was faithfully
> > replicated around the forest.  However, the linked
> > attribute update is not a replicated event - each DC
> > is personally responsible for updating the backlink,
> > and we had one W2K DC that didn't do it.  Fast
> > forward
> > to today where 100% of the DCs have been reinstalled
> > and repromoed as W2K3.  Depending on which DC they
> > sourced their promo from we now have the
> > "corruption"
> > spread we see today where some 20% of the DCs have
> > the
> > incorrect value.
> > 
> > Has anyone else ever encountered this or have some
> > idea what may have caused the initial "corruption"?
> > 
> > 

RE: [ActiveDir] Linked Attributes Replication

2006-10-20 Thread David Loder
I find nothing.

adfind -h Domain1GC -gc -b dc=Domain2,dc=x,dc=y -f
"name=UserABC" manager

AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED])
October 2006

Using server: Domain1GC:3268
Directory: Windows Server 2003

dn:CN=UserABC,OU=USERIDS,dc=Domain2,dc=x,dc=y
>manager:
CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y


1 Objects returned

adfind -h Domain1GC -gc -b
CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y

AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED])
October 2006

Using server: Domain1GC:3268
Directory: Windows Server 2003

ldap_get_next_page_s: [Domain1GC] Error 0x20 (32) - No
Such Object

Best Match of: 'OU=USERIDS,DC=Domain1,DC=x,DC=y'

0 Objects returned



--- Eric Fleischman <[EMAIL PROTECTED]>
wrote:

> You can certainly kick GC off by hand to clear that
> up.
> If you have the problem on a GC though, how are you
> to blame a phantom?
> If you navigate to the partial NC on the GC, do you
> see the object? I
> assume the answer is yes (but if not please let me
> know what you do
> see).
> 
> ~Eric
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of David Loder
> Sent: Friday, October 20, 2006 8:06 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Linked Attributes
> Replication
> 
> joe and I talked offline.  Neither of us think it's
> a
> lingering object (but that was his first guess too).
> 
> He was thinking it was a phantom but I'm not sure
> since I see it in a GC - which never has a need to
> create a phantom.
> 
> Layout is as follows.
> 
> Domain0 is empty root, with child domains 1-6.
> 
> Manager previously existed in Domain1.  User still
> exists in Domain2.
> 
> Manager has been verified to not exist on any DC in
> Domain1.
> 
> Some (not all) of Domain2's DCs and GCs show the
> user
> having a manager.  Some (not all) of Domain1's GCs
> show the user having a manager.  Some (not all) of
> Domain3's GCs show the user having a manager.  None
> of
> Domain0's GCs or 4-6 show the user having a manager.
> 
> Around the time this happened back in 2003 there had
> been some incorrect Infrastructure Master
> placements. 
> However, Domain2's IM appears to have been correctly
> configured.  Not sure if that is just a red-herring
> to
> lead us down the phantom path.
> 
> 
> --- Eric Fleischman <[EMAIL PROTECTED]>
> wrote:
> 
> > From the data provided below it sounds like you
> > have a lingering object
> > & a lingering link value...not tragic, pretty
> > straight forward to clean
> > up. If you could be more specific as to domain
> > layout & in which domain
> > each user resides we could likely provide steps to
> > fix this up.
> > 
> > If you search KB for lingering object you'll find
> > all sorts of mention
> > of them. I say that you must have a lingering
> object
> > as link values need to
> > point to some object (they are nothing more than a
> > DNT pointer really)
> > so it sounds like you have an object in the
> partial
> > NC on the GC which
> > still represents that manager.
> > 
> > ~Eric
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of David Loder
> > Sent: Thursday, October 19, 2006 8:36 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Linked Attributes Replication
> > 
> > We've found something unusual in our forest and
> are
> > hoping someone may have insight as to root-cause.
> > 
> > Sometime back in 2003, when our forest was running
> > W2K
> > SP3, someone's manager was deleted, and that event
> > was
> > faithfully replicated around the originating
> domain
> > and the forest GCs.  The manager doesn't exist
> > anywhere.
> > 
> > Fast forward to today, forest now running W2K3
> SP1. 
> > About 20% of the DCs (both originating domain DCs
> > and
> > forest GCs) show that the user still has a manager
> > because the manager attribute contains a DN that
> no
> > longer exists in the forest.
> > 
> > Let me repeat that statement.  If I look at GC_1
> it
> > shows the employee's manager is .  If I
> > look
> > at GC_2 it shows manager is
> > CN=Someone_that_no_longer_exists_in_the_forest. 
> Yet
> > both GC_1 and GC_2 show the same metadata for the
> > manager attribute.
> > 
> > At this point we're theorizing that when the
> user's
> > manager was deleted, that change was faithfully
> > replicated around the forest.  However, the linked
> > attribute update is not a replicated event - each
> DC
> > is personally responsible for updating the
> backlink,
> > and we had one W2K DC that didn't do it.  Fast
> > forward
> > to today where 100% of the DCs have been
> reinstalled
> > and repromoed as W2K3.  Depending on which DC they
> > sourced their promo from we now have the
> > "corruption"
> > spread we see today where some 20% of the DCs have
> > the
> > incorrect value.
> > 
> > Has anyone else ever encountered this or have some
> > idea what may have caused the initial
> > "corruption"?
> > 
> > 
> > 

Re: [ActiveDir] Blocking IE7

2006-10-20 Thread Matt Hargraves
You could be correct, it's been about 7 or 8 years since I worked with government institutions.  I know that for K12 they were able to filter, but he's at a university and I didn't notice until later that it's (probably) a private institution that probably doesn't get money from the federal government.  I know that when I worked for a library though, they were not able to filter at all (I asked what software they used and they said that they couldn't filter because they received government funds). I assume that it's the same at a university, where everyone is expected to be an adult.  Again though, he appears to be at a private institution, where those rules wouldn't apply.
On 10/19/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

You might want to check on that again. To even qualify for erate
funds as a K12 you need to be doing web content filtering. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

From:
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On
Behalf Of Matt Hargraves
Sent: Thursday, October 19, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Blocking IE7

I believe that disabling the
Automatic Updates service via GPO will block them from installing it, not 100%
sure though.

Since you're in an educational environment, things can be a little dicey
there.  You can't restrict the internet (government funds thing) and I
don't know offhand whether the IE7 installs through Windows Update are running
as Local System or as the user that is logged in.  If it's running as the
user account, you can simply deny them the right to install software, but if
it's running as the local System, things are a little more ugly. 

On 10/19/06, Lucas, Bryan <[EMAIL PROTECTED]> wrote:

I see how to
block IE7 from deploying through WSUS, but what I don't see is a way to block a
user from manually installing it.

 

(

http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

 

Our users
are 90% XP SP2 and managed through GP.  What about building a restricted
software GPO that has a hash of iesetup7.exe (if that even exists)?

 

I want to
restrict them from getting it through microsoftupdate.com as well.

 

Bryan Lucas

Server
Administrator

Texas
Christian University 

 


RE: [ActiveDir] Linked Attributes Replication

2006-10-20 Thread Eric Fleischman
Let's take this offline.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Loder
Sent: Friday, October 20, 2006 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Linked Attributes Replication

I find nothing.

adfind -h Domain1GC -gc -b dc=Domain2,dc=x,dc=y -f
"name=UserABC" manager

AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED])
October 2006

Using server: Domain1GC:3268
Directory: Windows Server 2003

dn:CN=UserABC,OU=USERIDS,dc=Domain2,dc=x,dc=y
>manager:
CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y


1 Objects returned

adfind -h Domain1GC -gc -b
CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y

AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED])
October 2006

Using server: Domain1GC:3268
Directory: Windows Server 2003

ldap_get_next_page_s: [Domain1GC] Error 0x20 (32) - No
Such Object

Best Match of: 'OU=USERIDS,DC=Domain1,DC=x,DC=y'

0 Objects returned



--- Eric Fleischman <[EMAIL PROTECTED]>
wrote:

> You can certainly kick GC off by hand to clear that
> up.
> If you have the problem on a GC though, how are you
> to blame a phantom?
> If you navigate to the partial NC on the GC, do you
> see the object? I
> assume the answer is yes (but if not please let me
> know what you do
> see).
> 
> ~Eric
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of David Loder
> Sent: Friday, October 20, 2006 8:06 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Linked Attributes
> Replication
> 
> joe and I talked offline.  Neither of us think it's
> a
> lingering object (but that was his first guess too).
> 
> He was thinking it was a phantom but I'm not sure
> since I see it in a GC - which never has a need to
> create a phantom.
> 
> Layout is as follows.
> 
> Domain0 is empty root, with child domains 1-6.
> 
> Manager previously existed in Domain1.  User still
> exists in Domain2.
> 
> Manager has been verified to not exist on any DC in
> Domain1.
> 
> Some (not all) of Domain2's DCs and GCs show the
> user
> having a manager.  Some (not all) of Domain1's GCs
> show the user having a manager.  Some (not all) of
> Domain3's GCs show the user having a manager.  None
> of
> Domain0's GCs or 4-6 show the user having a manager.
> 
> Around the time this happened back in 2003 there had
> been some incorrect Infrastructure Master
> placements. 
> However, Domain2's IM appears to have been correctly
> configured.  Not sure if that is just a red-herring
> to
> lead us down the phantom path.
> 
> 
> --- Eric Fleischman <[EMAIL PROTECTED]>
> wrote:
> 
> > From the data provided below it sounds like you
> > have a lingering object
> > & a lingering link value...not tragic, pretty
> > straight forward to clean
> > up. If you could be more specific as to domain
> > layout & in which domain
> > each user resides we could likely provide steps to
> > fix this up.
> > 
> > If you search KB for lingering object you'll find
> > all sorts of mention
> > of them. I say that you must have a lingering
> object
> > as link values need to
> > point to some object (they are nothing more than a
> > DNT pointer really)
> > so it sounds like you have an object in the
> partial
> > NC on the GC which
> > still represents that manager.
> > 
> > ~Eric
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of David Loder
> > Sent: Thursday, October 19, 2006 8:36 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Linked Attributes Replication
> > 
> > We've found something unusual in our forest and
> are
> > hoping someone may have insight as to root-cause.
> > 
> > Sometime back in 2003, when our forest was running
> > W2K
> > SP3, someone's manager was deleted, and that event
> > was
> > faithfully replicated around the originating
> domain
> > and the forest GCs.  The manager doesn't exist
> > anywhere.
> > 
> > Fast forward to today, forest now running W2K3
> SP1. 
> > About 20% of the DCs (both originating domain DCs
> > and
> > forest GCs) show that the user still has a manager
> > because the manager attribute contains a DN that
> no
> > longer exists in the forest.
> > 
> > Let me repeat that statement.  If I look at GC_1
> it
> > shows the employee's manager is .  If I
> > look
> > at GC_2 it shows manager is
> > CN=Someone_that_no_longer_exists_in_the_forest. 
> Yet
> > both GC_1 and GC_2 show the same metadata for the
> > manager attribute.
> > 
> > At this point we're theorizing that when the
> user's
> > manager was deleted, that change was faithfully
> > replicated around the forest.  However, the linked
> > attribute update is not a replicated event - each
> DC
> > is personally responsible for updating the
> backlink,
> > and we had one W2K DC that didn't do it.  Fast
> > forward
> > to today where 100% of the DCs have been
> reinstalled
> > and repromoed as W2K3.  Depending on which DC they
> > sourced their promo from we now h

RE : [ActiveDir] Planning for Active Directory Forest Recovery

2006-10-20 Thread Yann
Great !

Thanks for the info Mark :)

Yann

--- Mark Parris <[EMAIL PROTECTED]> a écrit :

> A new Microsoft Document.
> 
> Planning for Active Directory Forest Recovery
> 
>
http://www.microsoft.com/downloads/details.aspx?FamilyID=afe436fa-8e8a-4
> 43a-9027-c522dee35d85&DisplayLang=en
> 
> Regards,
> 
> Mark Parris
> 
> Base IT Ltd
> Active Directory Consultancy
> Tel +44(0)7801 690596



[ActiveDir] LDAP Scripting Language Binding Design

2006-10-20 Thread Michael B Allen
Hi,

I'm designing a scripting language binding for interfacing with AD
(and other LDAP services). Currently the target language is PHP but I
will likely be doing Python as well as possibly others. Anyway I thought
I would consult the community before writing this up so if you have the
time (this is somewhat lengthy) I would appreciate your feedback.

The only requirements for the binding are that it have full coverage WRT
getting, modifying, adding, deleting, and searching and that it be
as simple as possible but no simpler as one would expect when using a
scripting language.

The simplest "getting" case is easy. You create an associative array with
the names of the attributes you're interested in and call a function that
returns an associative array of attributes with values. Consider the
following script:

  $attrs = array("userPrincipalName", "userAccountControl");
  $acct = account_get(NULL, "[EMAIL PROTECTED]", $attrs);
  echo "userPrincipalName: " . $acct['userPrincipalName'] . "\n";
  echo "userAccountControl: " . $acct['userAccountControl'] . "\n";

This might print:

  userPrincipalName: [EMAIL PROTECTED]
  userAccountControl: 544

This doesn't address data type issues however. How do I specify that
an attribute is a string, binary and/or multivalued? It seems there are
three solutions to this.

1) Create a local database of metadata indicating that an attribute is
multivalued or not and string or binary. This is pretty much what Java's
JNDI does (albeit somewhat clumsy IMO).

2) Provide functions to query the context object such as account_get_str
or account_get_binary, account_get_multivalued_str, .. etc. This is
pretty much what the Microsoft ADSI providers do.

3) Provide attribute modifiers with the attribute names array to tell
the binding to construct arrays for multivalued attributes, convert
strings, etc.

The first option is a reasonable solution.  The second option seems like
it's not "as simple as possible but not simpler" as it is tantamount to
explicit type casting and the scriptor is required to repeatedly assert
the type by using the appropriate function.  The third option is nice
because the objects are automatically typed correctly.

If we explore the 3rd option, consider the following code that prints
all memberOf attributes:

  $attrs = array("multivalued(memberOf)");
  $acct = account_get(NULL, "[EMAIL PROTECTED]", $attrs);
  $mos = $acct['memberOf'];
  foreach ($mos as $mo) {
      echo "memberOf: $mo\n";
  }

The key part above is the "multivalued(...)" function-like modifier
which indicates that $acct['memberOf'] should be an array of strings.
A function-like modifier is used to clearly separate it from existing
attribute modifiers like 'jpegPhoto;binary' that are passed through to
the raw LDAP api.

If no attribute modifiers or function-like modifiers are specified the
attribute is assumed to be a string and will be converted from UTF-8 to
the locale encoding. To specify that a multivalued binary array is desired,
one would use "multivalued(name;binary)".

This method is also extensible. There could be function-like modifiers
for converting values to base64 or converting a binary sid to a sid
string (this would not be reasonable with the first option). Consider
the following example:

  $attrs = array("userPrincipalName",
                 "base64(objectGUID;binary)",
                 "sidstr(objectSid;binary)",
                 "multivalued(memberOf)");
  $acct = account_get(NULL, "[EMAIL PROTECTED]", $attrs);
  foreach ($acct as $name => $value) {
      if (!is_array($value)) {
          echo "$name: $value\n";
      } else {
          foreach ($value as $v) {
              echo "$name: $v\n";
          }
      }
  }

This might print the following:

  userPrincipalName: [EMAIL PROTECTED]
  objectGUID: Szm2n2e8M0SA1Hz0QGgOnw==
  objectSid: S-1-5-21-4133388447-792352518-2001609813-1159
  memberOf: CN=Managers,CN=Users,DC=example,DC=com
  memberOf: CN=CMS Admin,CN=Users,DC=example,DC=com

To modify an entry the $attrs array is reused like:

  $attrs = array("distinguishedName", "displayName");
  $acct = account_get(NULL, "[EMAIL PROTECTED]", $attrs);
  $acct['displayName'] = "James T. Kirk";
  account_modify(NULL, $acct, $attrs);

Searching might look like the following:

  $attrs = array("userPrincipalName", "multivalued(memberOf)");
  $accts = account_search(NULL,
                          "DC=example,DC=com", "sub", $attrs, "(objectClass=user)");
  foreach ($accts as $acct) {
      echo "userPrincipalName: " . $acct['userPrincipalName'] . "\n";
      $mos = $acct['memberOf'];
      foreach ($mos as $mo) {
          echo "  memberOf: $mo\n";
      }
  }

So what do you think? Does anyone see any problem with any of this? Does
anyone have any ideas for improvements?

Thanks for your time,
Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
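The modifier scheme described in the post above, as an added example that is not Mike's code: a Python sketch (he names Python as his next target) of the spec parser plus the `base64`, `sidstr` and `multivalued` conversions, run against a constructed in-memory entry. The `account_get` here takes a dict standing in for the LDAP connection, which is an assumption of this example; the GUID and SID values are the ones printed in the post.

```python
import base64
import re
import struct

# One attribute spec, in the grammar the post proposes:
#   name                 -> single UTF-8 string (the default)
#   name;binary          -> raw bytes; the option is passed through to the LDAP API
#   func(name[;binary])  -> function-like modifier applied to the returned value(s)
_SPEC_RE = re.compile(r"^(?:(?P<func>[A-Za-z0-9_]+)\((?P<inner>[^()]+)\)|(?P<plain>[^()]+))$")


def parse_spec(spec):
    """Split a spec into (func, ldap_attr, key), e.g.
    'sidstr(objectSid;binary)' -> ('sidstr', 'objectSid;binary', 'objectSid')."""
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError("malformed attribute spec: %r" % spec)
    func = m.group("func")
    ldap_attr = m.group("inner") if func else m.group("plain")
    key = ldap_attr.split(";", 1)[0]  # the result key never carries LDAP options
    return func, ldap_attr, key


def sid_to_str(blob):
    """Render a binary SID as S-R-A-S1-...: 1-byte revision, 1-byte sub-authority
    count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def _converter(func, ldap_attr):
    """Per-value conversion implied by the modifier (or its absence) and the ;binary option."""
    if func == "base64":
        return lambda v: base64.b64encode(v).decode("ascii")
    if func == "sidstr":
        return sid_to_str
    if func is not None:
        raise ValueError("unknown function-like modifier: %r" % func)
    if ldap_attr.endswith(";binary"):
        return lambda v: v  # caller asked for the raw form; hand back the bytes
    return lambda v: v.decode("utf-8")  # default: a string, decoded from UTF-8


def apply_specs(raw_entry, specs):
    """Build the typed result dictionary from a raw entry ({attr: [bytes, ...]})."""
    out = {}
    for spec in specs:
        func, ldap_attr, key = parse_spec(spec)
        values = raw_entry.get(key, [])
        if func == "multivalued":
            conv = _converter(None, ldap_attr)  # list of str, or of bytes with ;binary
            out[key] = [conv(v) for v in values]
            continue
        if len(values) > 1:
            # A scalar spec on a multi-valued result: this example refuses rather than
            # silently keeping one value, so the caller learns to ask for multivalued(...).
            raise ValueError("%s has %d values; request multivalued(%s)" % (key, len(values), ldap_attr))
        out[key] = _converter(func, ldap_attr)(values[0]) if values else None
    return out


def account_get(directory, upn, specs):
    """Stand-in for the post's account_get(): 'directory' is a dict of UPN -> raw entry
    that plays the LDAP connection (hypothetical; nothing is contacted)."""
    return apply_specs(directory[upn], specs)


# Constructed sample. The GUID and SID are the values printed in the post.
SAMPLE_DIRECTORY = {
    "jkirk@example.com": {
        "userPrincipalName": [b"jkirk@example.com"],
        "objectGUID": [base64.b64decode("Szm2n2e8M0SA1Hz0QGgOnw==")],
        "objectSid": [bytes([1, 5]) + (5).to_bytes(6, "big")
                      + struct.pack("<5I", 21, 4133388447, 792352518, 2001609813, 1159)],
        "memberOf": [b"CN=Managers,CN=Users,DC=example,DC=com",
                     b"CN=CMS Admin,CN=Users,DC=example,DC=com"],
    }
}

if __name__ == "__main__":
    attrs = ["userPrincipalName", "base64(objectGUID;binary)",
             "sidstr(objectSid;binary)", "multivalued(memberOf)"]
    for name, value in account_get(SAMPLE_DIRECTORY, "jkirk@example.com", attrs).items():
        for v in (value if isinstance(value, list) else [value]):
            print("%s: %s" % (name, v))
```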

Re: [ActiveDir] Forest trust & divestitures

2006-10-20 Thread Harvey Kamangwitz
Thank you all for your comments. My apologies on the slow response; I was on vacation and I try not to check ActiveDir then :). 
 
We did modify our plans to use the interim domain because it provides time ahead of the cutover day to move the resources, doesn't impact the receiving domain with cut-off FSMOs, etc. (BTW, the team nicknamed it the "Kamangwitz two-step", but I told them the "Guido two-step" would be both more accurate and easy to say!) But the hand-off issues and the like are there. Our core directory team was going to build the migration domain, so we knew it would be perfect :).

 
And for all that, I just learned that with the Quest consultant onsite, they're going to do a no-trust migration with Migration Manager after all. So all that thrashing for nuthin'. I told the team, "I'm trying to keep my distance on this rollercoaster ride - they make me sick".

 
Thanks again,
Harvey 
On 10/11/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:



I didn't read Harvey's comment "ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back" as something that already exists today.  I would have thought it is part of his plan and that today there are no DCs from Company B in any of Company A locations. 

 
So we're using different assumptions in our discussion – Harvey, can you clarify?
 
Also note Jorge's very valid comment on responsibility: the interim forest C has a clear hand-over of responsibility for the BU being divested.
 
/Guido
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, October 11, 2006 3:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Forest trust & divestitures


 

Agreed that the risk is there.  Good idea to spell it out, but I got the sense that much gnashing of teeth was already had over the decision to create a one-way trust or not.  

And because the dc's already share a network (even though firewalled from time to time) I'm not seeing how the forest C topology helps to mitigate the risk you describe? They'll still have possession of a DC from a previously trusted (and therefore suspect) forest. No difference there. Unless Forest A keeps control of the "demilitarized" forest C. But then how does Forest B learn to trust them? :) 


 

In any event, I see a double migration without much mitigation of risk nor benefit. I'm guessing I'm missing something in the description of the problem else not asking the right question(s).  

 

I'm curious if that's the case?  

 

If so, is there more information to be aware of in this scenario that can be shared? 

 

 

On 10/10/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: 


Al, what risk has been assumed?  You're assuming everyone understands all the potential risks of binding two AD infrastructures together as suggested, and that we're all playing nice with one another?  I'm not assuming that.  

 
I'm always assuming that there is potential for the bad guys to be around. And if they are, the original plan allows the wrong people (read: Admins of Domain A) to have access to DCs of Domain B. And potentially also the other way around. Not good. Unless merger and we're talking the same company – but that's not the case here – these are two different companies. 

 
A firewall doesn't protect from a compromised DC, especially if you bring that DC back into your production forest… 
 
/Guido
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, October 10, 2006 11:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Forest trust & divestitures

 

curious.  

 

I'm not seeing the same things as Guido here.  

 

PDC/RID will remain on the forest, but it will be blocked for the duration of the migration while A forest and B forest are not firewalled in that one site. (as I read it). 

 

But what makes me curious is this: 

The risk has already been assumed.  What is the advantage here of adding forest C? I see that it's extra steps, but I don't see the connection to the drawn out go-at-your-own-pace migration. 

 

I'm interested in having it spelled out for me though.  Please. :) 

On 10/10/06, Harvey Kamangwitz <[EMAIL PROTECTED]> wrote: 

I certainly wouldn't allow it if I were security either, but they said it was okay. Probably has something to do with the fact the acquisition will almost double the size of the company :).

 

The interim forest is a great idea. I had intended to bring up a test forest to dry-run the migration in company A environment, but I didn't follow the train of thought through to suggest that the actual migration be done to that forest, and moved to the target company. 
 


On 10/10/06, Grillenmeier, Guido <[EMAIL PROTECTED] > wrote: 


If I were the security officer for Company B, I would have real issues with this plan. 
 
Most companies with sufficient understanding of AD Security would not want any of their DCs placed in any location where the other company's

[ActiveDir] Security-enable all your distribution lists?

2006-10-20 Thread Harvey Kamangwitz
Hi all,
 
I'm interested in your opinion here, and perhaps a heads-up on requirements that may be coming your way.
 
We have a request from the sharepoint team to security-enable all of our 18,000 distribution lists. Our concern, naturally, is token size. What will this do to Joe User's access token? The issue is tied in to Sharepoint.

 
Setting permissions on Sharepoint sites has always been kind of a pain, partly because of Sharepoint itself but also because of the nature of what you're doing. (DISCLAIMER: I'm nothing more than a just-beyond-basic Sharepoint user.) When you set up a teamsite for a project, you want to enable access to the site to the project people. Typically you use an existing group of people in your org (e.g. your work group for a weekly meeting site), or you create a new group to manage access. 
 
Most work groups have mailing distribution lists, but I'll bet most are not security-enabled. So when you set up your teamsite, you have to wait and ask for IT to security-enable your DL so you can use it on your shiny new teamsite. (Unless you're one of us, in which case you can do it yourself :) In the current version of sharepoint, you can work around this by going to the GAL and manually adding individual users to site access. 

 
Apparently the next version of Sharepoint does not allow you to do this, forcing everyone that needs group access to security-enable their group. That's why they want to enable ALL of them, not just piecemeal.

 
Our analysis shows that the MEDIAN number of distribution lists per user is relatively small (5-6) and the MEDIAN number of groups in Joe User's token is relatively small (40-50). But we have lots of users in the 100+ groups range, and the winner for greatest number of groups is 400!

 
So...we have to do what we can to mitigate the impact for the large-token people. Do you folks have any feel for a "you really don't want to go beyond there" limit on token size? Any direct experience? There's no way we can know all the apps out there that might be affected by this.

 
Thanks,
Harvey
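Harvey's question is really a sizing question: how much does each user's token grow once distribution-only groups start contributing SIDs, and who crosses the line. The script below is an added planning example for this thread; it is not Harvey's analysis and not a Microsoft tool. It applies the sizing rule Microsoft published in KB 327825 (TokenSize = 1200 + 40*d + 8*s, where d counts domain-local groups plus universal groups from outside the account domain and s counts global groups plus universal groups from the account domain) and compares today's estimate against the estimate with every DL security-enabled. The 12000-byte figure is the MaxTokenSize default of that era (later Windows versions raised it to 48000). All users and groups in it are constructed, shaped to match the medians and the 400-group outlier in the post.

```python
"""Token-size impact estimate for security-enabling distribution lists.

Added example; not the poster's analysis or any Microsoft tool.
Sizing rule from Microsoft KB 327825:  TokenSize = 1200 + 40*d + 8*s
  d = domain-local groups + universal groups outside the account domain
  s = global groups + universal groups in the account domain
Group data below is constructed, not from a real directory.
"""
from dataclasses import dataclass, field
from statistics import median

DEFAULT_MAX_TOKEN_SIZE = 12000  # pre-2012 default MaxTokenSize in bytes


@dataclass(frozen=True)
class Group:
    name: str
    scope: str              # "global", "domainlocal" or "universal"
    domain: str
    security_enabled: bool  # False = pure distribution list


@dataclass
class User:
    name: str
    domain: str
    groups: list = field(default_factory=list)


def estimate_token_size(user, assume_all_security_enabled=False):
    """KB 327825 estimate. Distribution-only groups put no SID in the
    token, so they count only when we model them being security-enabled."""
    d = s = 0
    for g in user.groups:
        if not (g.security_enabled or assume_all_security_enabled):
            continue
        if g.scope == "domainlocal" or (g.scope == "universal" and g.domain != user.domain):
            d += 1
        else:
            s += 1
    return 1200 + 40 * d + 8 * s


def growth_report(users, limit=DEFAULT_MAX_TOKEN_SIZE):
    """Per user: (name, estimate today, estimate if every DL is
    security-enabled, whether that exceeds the limit)."""
    rows = []
    for u in users:
        before = estimate_token_size(u)
        after = estimate_token_size(u, assume_all_security_enabled=True)
        rows.append((u.name, before, after, after > limit))
    return rows


def membership_summary(users):
    counts = [len(u.groups) for u in users]
    return {"median": median(counts), "max": max(counts)}


def make_groups(prefix, n, scope, domain, security_enabled):
    return [Group(f"{prefix}-{i}", scope, domain, security_enabled) for i in range(n)]


def constructed_users():
    """Three synthetic users: a light one, a median one, and the 400-group outlier."""
    light = User("light.user", "corp", make_groups("sg", 5, "global", "corp", True))
    joe = User("joe.user", "corp",
               make_groups("sg", 45, "global", "corp", True)
               + make_groups("dl", 6, "global", "corp", False))
    heavy = User("heavy.user", "corp",
                 make_groups("sg", 100, "global", "corp", True)
                 + make_groups("dl", 50, "global", "corp", False)
                 + make_groups("xdl", 250, "universal", "other", False))
    return [light, joe, heavy]


if __name__ == "__main__":
    users = constructed_users()
    print(membership_summary(users))
    for name, before, after, over in growth_report(users):
        print(f"{name:12} {before:6} -> {after:6} {'OVER LIMIT' if over else ''}")
```

The point the numbers make is that group scope, not the raw count, drives the estimate: 400 global groups cost about 3 KB, while the same number of cross-domain universal or domain-local groups costs over 16 KB. KB 327825 also counts SIDHistory entries toward d, which this example leaves out, so treat its output as a lower bound when planning.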


[ActiveDir] List Attribute Syntaxes?

2006-10-20 Thread Michael B Allen
How can I get a list of attribute syntaxes? For each attribute used by
a system I would like to know if it is a multivalue attribute and if it
is binary or text.

Can I get such a list using an LDAP query?

If not can I use ldifde?

Thanks,
Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] List Attribute Syntaxes?

2006-10-20 Thread joe
First off... anything you do with LDIF will be an LDAP query... It speaks
pure LDAP.

Next off, if I understand what you are asking, yes, you query the schema and
you can find all attribute syntaxes assigned, it won't tell you what they
are, but you will know all in use. Multivalue status has nothing to do with
attribute syntax, that is separate. Whether something is binary or text
depends on what you ask for and how you ask for it. You can ask for anything
to come back in a binary format with the standard LDAP binary modifier. What
that exactly means though depends on the attribute, asking, for instance for
a unicode text field in binary really isn't going to look all that different
to you either way. But asking for say one of the replication attributes will
result in dramatically different results being returned. 


  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
Sent: Friday, October 20, 2006 8:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List Attribute Syntaxes?

How can I get a list of attribute syntaxes? For each attribute used by
a system I would like to know if it is a multivalue attribute and if it
is binary or text.

Can I get such a list using an LDAP query?

If not can I use ldifde?

Thanks,
Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] List Attribute Syntaxes?

2006-10-20 Thread Michael B Allen
Hi Joe,

Actually I think my terminology is a little off. From snooping around
a bit I think I want the attributeSchema information under
CN=Schema,CN=Configuration,DC=example,DC=com. What I was thinking of
originally are the "attribute syntax" definitions like:

  ( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

But it's clear now that AD doesn't really use these textual definitions
(at least not anywhere I can see).

Anyway, the overall objective here is to give my custom LDAP
client API intelligence (see previous post about scripting language
binding) about attributeSchema information so that the API can properly
type attribute values. In particular I need to create a table of at least
lDAPDisplayName, isSingleValued, and attributeSyntax. This table
will be consulted by the API to determine how to compare and present
values whether they be binary, multivalued, strings, etc.

To make it efficient I will need an index which will be just a hashmap
where the lDAPDisplayName is the key and the attributeSchema entry
is the datum. Additionally the attributeSyntax value should be one
of several predefined OID constants (e.g. ADSTYPE_CASE_IGNORE_STRING)
so that attributeSyntaxes can be compared logically.

Does any of this make sense? I suppose you don't get a little programmer
double talk here :-)

Mike

On Fri, 20 Oct 2006 23:50:03 -0400
"joe" <[EMAIL PROTECTED]> wrote:

> First off... anything you do with LDIF will be an LDAP query... It speaks
> pure LDAP.
> 
> Next off, if I understand what you are asking, yes, you query the schema and
> you can find all attribute syntaxes assigned, it won't tell you what they
> are, but you will know all in use. Multivalue status has nothing to do with
> attribute syntax, that is separate. Whether something is binary or text
> depends on what you ask for and how you ask for it. You can ask for anything
> to come back in a binary format with the standard LDAP binary modifier. What
> that exactly means though depends on the attribute, asking, for instance for
> a unicode text field in binary really isn't going to look all that different
> to you either way. But asking for say one of the replication attributes will
> result in dramatically different results being returned. 
> 
> 
>   joe
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
> Sent: Friday, October 20, 2006 8:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] List Attribute Syntaxes?
> 
> How can I get a list of attribute syntaxes? For each attribute used by
> a system I would like to know if it is a multivalue attribute and if it
> is binary or text.
> 
> Can I get such a list using an LDAP query?
> 
> If not can I use ldifde?
> 
> Thanks,
> Mike
> 
> -- 
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
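The table Michael describes (lDAPDisplayName, isSingleValued, attributeSyntax, indexed by a hashmap and with the syntax OID mapped to named constants) is small enough to show end to end. Below is an added example for this thread, not Michael's API and not any Microsoft tool. It assumes the input is an LDIF dump of the attributeSchema objects under CN=Schema,CN=Configuration,... in the shape ldifde produces, and it keeps isSingleValued as a flag separate from the syntax, which is joe's point that multi-value status and syntax are independent. The `Syntax` enum holds the attributeSyntax OIDs AD stores on attributeSchema objects; the sample LDIF is constructed, using a few real attribute names with their documented syntaxes rather than an actual export.

```python
"""attributeSchema lookup table built from an LDIF export.

Added example for this thread; not Michael's API or a Microsoft tool.
Input assumed to be an LDIF dump of attributeSchema objects (ldifde shape).
"""
import base64
from dataclasses import dataclass
from enum import Enum


class Syntax(Enum):
    """attributeSyntax OIDs as stored on AD attributeSchema objects."""
    DN = "2.5.5.1"
    OID_STRING = "2.5.5.2"
    CASE_EXACT_STRING = "2.5.5.3"
    CASE_IGNORE_STRING = "2.5.5.4"
    IA5_STRING = "2.5.5.5"
    NUMERIC_STRING = "2.5.5.6"
    DN_BINARY = "2.5.5.7"
    BOOLEAN = "2.5.5.8"
    INTEGER = "2.5.5.9"
    OCTET_STRING = "2.5.5.10"
    GENERALIZED_TIME = "2.5.5.11"
    UNICODE_STRING = "2.5.5.12"
    PRESENTATION_ADDRESS = "2.5.5.13"
    DN_STRING = "2.5.5.14"
    NT_SECURITY_DESCRIPTOR = "2.5.5.15"
    LARGE_INTEGER = "2.5.5.16"
    SID = "2.5.5.17"


BINARY_SYNTAXES = {Syntax.OCTET_STRING, Syntax.NT_SECURITY_DESCRIPTOR, Syntax.SID}
CASE_IGNORE_SYNTAXES = {Syntax.DN, Syntax.CASE_IGNORE_STRING, Syntax.UNICODE_STRING, Syntax.DN_STRING}
INTEGER_SYNTAXES = {Syntax.INTEGER, Syntax.LARGE_INTEGER}


@dataclass(frozen=True)
class AttrInfo:
    ldap_display_name: str
    syntax: Syntax
    om_syntax: int
    single_valued: bool   # independent of syntax, as joe notes

    @property
    def is_binary(self):
        return self.syntax in BINARY_SYNTAXES


def parse_ldif(text):
    """Minimal LDIF reader: unfolds ' ' continuation lines, decodes '::'
    base64 values, yields one dict (lower-cased attr -> [values]) per record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = (base64.b64decode(value[1:].strip()).decode("utf-8")
                 if value.startswith(":") else value.strip())
        current.setdefault(name.strip().lower(), []).append(value)
    return records


def build_schema_index(ldif_text):
    """The hashmap: lDAPDisplayName (lower-cased) -> AttrInfo."""
    index = {}
    for rec in parse_ldif(ldif_text):
        if "attributeschema" not in [c.lower() for c in rec.get("objectclass", [])]:
            continue                   # skip classSchema and other objects
        name = rec["ldapdisplayname"][0]
        index[name.lower()] = AttrInfo(
            ldap_display_name=name,
            syntax=Syntax(rec["attributesyntax"][0]),  # ValueError on an unknown OID
            om_syntax=int(rec["omsyntax"][0]),
            single_valued=rec["issinglevalued"][0].upper() == "TRUE")
    return index


def values_equal(info, a, b):
    """Compare two values of one attribute the way its syntax requires."""
    if info.is_binary:
        return bytes(a) == bytes(b)
    if info.syntax in INTEGER_SYNTAXES:
        return int(a) == int(b)
    if info.syntax is Syntax.BOOLEAN:
        return str(a).upper() == str(b).upper()
    if info.syntax in CASE_IGNORE_SYNTAXES:
        return str(a).casefold() == str(b).casefold()
    return a == b


# Constructed sample in ldifde's shape (real attribute names, not a real export).
SAMPLE_LDIF = """\
dn: CN=Common-Name,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: cn
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=Member,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: member
attributeSyntax: 2.5.5.1
oMSyntax: 127
isSingleValued: FALSE

dn: CN=Object-Sid,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: objectSid
adminDescription:: T2JqZWN0LVNpZA==
attributeSyntax: 2.5.5.17
oMSyntax: 4
isSingleValued: TRUE

dn: CN=User-Account-Control,CN=Schema,CN=Configuration,
 DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: userAccountControl
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE

dn: CN=Top,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: top
"""

if __name__ == "__main__":
    for info in build_schema_index(SAMPLE_LDIF).values():
        print(info.ldap_display_name, info.syntax.name,
              "single" if info.single_valued else "multi",
              "binary" if info.is_binary else "text")
```

Two caveats when using this against a real schema. First, attributeSyntax alone does not pin down the type for every attribute; AD pairs it with oMSyntax (and oMObjectClass for the object syntaxes), which is why the table keeps oMSyntax as well. Second, as joe points out, what you get back on the wire also depends on how you ask: the table records the intrinsic syntax, and a client that requests a value with the binary modifier still has to decode it according to that syntax.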