RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-16 Thread neil.ruston
I thought 'Not Defined' meant 'ignore this setting and apply it as set
elsewhere in other GPOs'. i.e. if it were set and then later set to not
defined, the clients would continue to use the setting and ignore the
change from enabled to 'not defined'.
 
e.g. wallpaper set to A, originally. Then wallpaper set to 'not
defined'. I always believed clients would ignore any 'not defined'
settings and thus continue to use wallpaper A.
 
Am I wrong?
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 18:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


If I set an Admin template policy from "Enabled" to "Not Configured",
then that GPO with "Not Configured" needs to be processed at least once
by the target in order to remove the setting. So, even though GPMC might
report "No Settings" (and frankly I haven't looked at how it reports other
areas besides Admin. templates. For example, you can "remove" a software
installation package but it is left in the GPO so that clients can
process the removal. Does that mean that the GPO has "no settings"?) you
might still want that GPO around to be able to undo the client--if only
for a limited period of time.
 
Darren

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, November 15, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


>>>if a GPO had settings and doesn't anymore, it may be needed by users
and computers processing GP to undo settings that were previously
applied
 
IMHO, no settings means all settings in the GPO are set to "Not
Defined". Wouldn't it, for the case you mention, need to have reverse
settings or original settings and thus have settings?
 
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :

  _  

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 2006-11-15 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Well, it depends upon the purpose of your quest, but you're correct. For
example, you may not want to delete a GPO that has no settings (but does
have versionNumber >0) because that may be a desirable state for it. In
other words, if a GPO had settings and doesn't anymore, it may be needed
by users and computers processing GP to undo settings that were
previously applied. Unless you know for sure that those settings have
been undone, then you can't be sure the GPO is unused.
 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Thanks Darren - that assumes the GPO is empty and always was empty, of
course :)
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 15:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Another option is to perform an LDAP search on the cn=policies,
cn=system container for GPC objects, and on each GPC object, look for a
versionNumber attribute == 0. It's probably slightly faster than first
generating the HTML report and then parsing it.
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Thanks horhay :-^
 
I'd found the GPMC script but your extra logic is very useful :)
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: 15 November 2006 12:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


http://blogs.dirteam.com/blogs/jorge/archive/2006/11/15/Finding-unused-GPOs.aspx
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :

  _  

From: [EMAIL PROTECTED] on behalf of
[EMAIL PROTECTED]
Sent: Wed 2006-11-15 11:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Locating empty GPOs in a domain / forest



Does anyone have a script or know of a process which can be used to
locate empty GPOs? i.e. GPOs which have no settings enabled or set.

The customer has hundreds of GPOs so viewing them one by one using GPMC
is not a viable option :/ 

Many thanks, 
neil 
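
The thread above settles on two checks for an "empty" GPO: an LDAP search of the CN=Policies,CN=System container for GPC objects with versionNumber == 0, and Darren's caveat that a GPO whose versionNumber is above 0 but which now reports no settings may still be needed by clients that have not yet processed the removal. The following is an added example, not code from the thread or from any of its posters, that applies both rules to constructed records standing in for LDAP search results. The `gpmc_reports_settings` field is an assumed stand-in for what GPMC's settings report shows, the GUIDs and the domain DN are placeholders, and the high-word/low-word split of versionNumber (user version above, computer version below) goes slightly beyond what the thread states.

```python
"""Triage Group Policy Container (GPC) objects by versionNumber.

Added example, not code from the thread or from any of its posters. The
records below are constructed sample data standing in for the results of
an LDAP search of CN=Policies,CN=System; the domain DN is a placeholder.
"""
from dataclasses import dataclass

# LDAP filter and search base for the query the thread describes.
# groupPolicyContainer is the real objectClass of a GPC; the DN is a placeholder.
GPC_FILTER = "(objectClass=groupPolicyContainer)"
GPC_SEARCH_BASE = "CN=Policies,CN=System,DC=example,DC=com"
GPC_ATTRIBUTES = ["cn", "displayName", "versionNumber"]


@dataclass
class GpcRecord:
    cn: str                      # GUID-named cn of the GPC object
    display_name: str
    version_number: int          # the versionNumber attribute from AD
    gpmc_reports_settings: bool  # assumed stand-in for GPMC's settings report


def split_version(version_number):
    """versionNumber packs two 16-bit counters: the user-configuration
    version in the high word and the computer-configuration version in
    the low word. Both are 0 only for a GPO that has never been edited."""
    return (version_number >> 16) & 0xFFFF, version_number & 0xFFFF


def classify(gpc):
    """Return one of three dispositions for a GPC object."""
    if gpc.version_number == 0:
        # Never edited, so it never applied anything: safe to remove.
        return "never-edited"
    if gpc.gpmc_reports_settings:
        return "in-use"
    # Edited in the past (versionNumber > 0) but empty now. Clients that
    # have not yet processed the emptied GPO may still need it to undo
    # settings it previously applied, so keep it for review.
    return "emptied-keep-for-undo"


def deletion_candidates(records):
    """Only GPOs that never had settings qualify for unattended deletion."""
    return sorted(r.cn for r in records if classify(r) == "never-edited")


def report(records):
    """Map each GPC cn to (user version, computer version, disposition)."""
    return {r.cn: (*split_version(r.version_number), classify(r)) for r in records}


# Constructed sample data (placeholder GUIDs), not real directory content.
SAMPLE_GPCS = [
    GpcRecord("{00000000-0000-0000-0000-000000000001}", "Never edited", 0, False),
    GpcRecord("{00000000-0000-0000-0000-000000000002}", "Wallpaper policy", (3 << 16) | 0, True),
    GpcRecord("{00000000-0000-0000-0000-000000000003}", "Emptied last week", (5 << 16) | 2, False),
]

if __name__ == "__main__":
    for cn, (user_ver, comp_ver, verdict) in report(SAMPLE_GPCS).items():
        print(f"{cn} user={user_ver} computer={comp_ver} -> {verdict}")
```

Running the block prints one line per GPC; only the never-edited object lands in `deletion_candidates`, while the emptied one is held back for the undo window Darren describes.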


RE: [ActiveDir] DNS Scavenging

2006-11-16 Thread Rimmerman, Russ

But I just read in the DNS doc that "You can manually enable or disable
aging and scavenging on a per-server, per-zone, or per-record basis."
This would mean that we CAN enable it on the zone but not at the server
level, wouldn't it?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Longden
Sent: Wednesday, November 15, 2006 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Unless you enable it on a server (or manually initiate it against a
server) nothing's actually being scavenged.  The settings on the zone
only allow the timestamps to replicate and define what records would be
deleted assuming scavenging is run.  So until a DNS server that hosts a
primary copy of the zone performs the scavenging process you can
continue to watch those duplicates accumulate and your SMS admins
complain.  :)

- Roger

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 15, 2006 8:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Scavenging


We're in the middle of an SMS deployment and SMS is making us very aware
that DNS scavenging and WINS tombstoning don't appear to be happening
as much as it should.  Looking through our DNS records for our domain,
there's like 2 and 3 machine names for one IP.  Two of them were tossed
in the trash, one is still alive.  We have scavenging set to 7 days on
the zones, but not enabled at the server level (that seems a bit
scarier).  Shouldn't DNS scavenging work if enabled on the zone?  We're
running Win2k3 on our DNS/DCs, some with sp1 some without.

Thanks in advance

~~
This email message is for the sole use of the intended recipient(s)
and may contain confidential and privileged information of Cameron
and its Operating Divisions. Any unauthorized use or disclosure is
prohibited. If you are not the intended recipient, please contact
the sender by reply email and delete and destroy all copies of the
original message inclusive of any attachments.
~~
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] DNS Scavenging

2006-11-16 Thread neil.ruston
True, but only servers enabled for scavenging will scavenge records in
zones which they host that also have scavenging enabled.

Here's the logic:

1. Is scavenging enabled for the server?
Yes - continue to 2
No - do not run scavenging thread. We're done.
2. Is scavenging enabled for any zone hosted by server?
Yes - continue and scavenge all zones [DDNS records only] which are
enabled for scavenging as per settings. Then goto 3.
No - do not run scavenging thread. We're done.
3. Is scavenging enabled on any static records?
Yes - continue and scavenge all static records which are enabled for
scavenging as per settings
No - we're done 

Make sense?

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 16 November 2006 12:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging


But I just read in the DNS doc that "You can manually enable or disable
aging and scavenging on a per-server, per-zone, or per-record basis."
This would mean that we CAN enable it on the zone but not at the server
level, wouldn't it?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Longden
Sent: Wednesday, November 15, 2006 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Unless you enable it on a server (or manually initiate it against a
server) nothing's actually being scavenged.  The settings on the zone
only allow the timestamps to replicate and define what records would be
deleted assuming scavenging is run.  So until a DNS server that hosts a
primary copy of the zone performs the scavenging process you can
continue to watch those duplicates accumulate and your SMS admins
complain.  :)

- Roger

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 15, 2006 8:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Scavenging


We're in the middle of an SMS deployment and SMS is making us very aware
that DNS scavenging and WINS tombstoning don't appear to be happening
as much as it should.  Looking through our DNS records for our domain,
there's like 2 and 3 machine names for one IP.  Two of them were tossed
in the trash, one is still alive.  We have scavenging set to 7 days on
the zones, but not enabled at the server level (that seems a bit
scarier).  Shouldn't DNS scavenging work if enabled on the zone?  We're
running Win2k3 on our DNS/DCs, some with sp1 some without.

Thanks in advance




PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3
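
Neil's numbered logic above (server enabled, then zone enabled, then eligible records) and Roger's point that zone settings only define what would be deleted until a server hosting a primary copy actually runs scavenging can be written down as a small model. The following is an added example, not code from the thread or from any of its posters. The server, zone and record data are constructed; the 7-day no-refresh and refresh intervals mirror the "set to 7 days" in the thread, and a `None` timestamp stands for a static record with no aging.

```python
"""Which DNS records would be scavenged, following the thread's logic.

Added example, not code from the thread or any of its posters. Zone,
server and record data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class DnsRecord:
    name: str
    ip: str
    # None models a static record (timestamp 0): it is never aged. A static
    # record marked "delete this record when it becomes stale" carries a
    # timestamp like a dynamic one (step 3 in the thread).
    timestamp: Optional[datetime]


@dataclass
class Zone:
    name: str
    is_primary: bool       # only a server hosting a primary copy scavenges it
    aging_enabled: bool    # zone-level aging/scavenging setting
    no_refresh_days: int
    refresh_days: int
    records: List[DnsRecord]


@dataclass
class DnsServer:
    scavenging_enabled: bool   # server-level setting; step 1 in the thread
    zones: List[Zone]


def stale_records(zone: Zone, now: datetime) -> List[str]:
    """Records the zone settings mark as stale: the set that *would* be
    deleted if a server actually ran scavenging."""
    stale_after = timedelta(days=zone.no_refresh_days + zone.refresh_days)
    return [r.name for r in zone.records
            if r.timestamp is not None and now >= r.timestamp + stale_after]


def records_to_scavenge(server: DnsServer, now: datetime) -> List[Tuple[str, str]]:
    """(zone, record) pairs this server would delete on its next pass."""
    if not server.scavenging_enabled:          # step 1: nothing runs at all
        return []
    deleted = []
    for zone in server.zones:
        if not (zone.aging_enabled and zone.is_primary):   # step 2
            continue
        deleted.extend((zone.name, name) for name in stale_records(zone, now))
    return deleted


def duplicate_ips(zone: Zone) -> Dict[str, List[str]]:
    """IPs carrying more than one host name, the symptom reported in the thread."""
    by_ip: Dict[str, List[str]] = {}
    for r in zone.records:
        by_ip.setdefault(r.ip, []).append(r.name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


SAMPLE_NOW = datetime(2006, 11, 16)   # constructed "current" date


def build_sample_server(scavenging_enabled: bool) -> DnsServer:
    """Constructed sample: one primary zone with 7/7-day intervals."""
    zone = Zone("example.com", True, True, 7, 7, [
        DnsRecord("ws-old1", "10.0.0.5", datetime(2006, 9, 1)),    # retired, stale
        DnsRecord("ws-old2", "10.0.0.5", datetime(2006, 10, 20)),  # retired, stale
        DnsRecord("ws-live", "10.0.0.5", datetime(2006, 11, 14)),  # current owner
        DnsRecord("printsrv", "10.0.0.9", None),                   # static, never aged
    ])
    return DnsServer(scavenging_enabled, [zone])


if __name__ == "__main__":
    for flag in (False, True):
        print(f"server scavenging={flag}: "
              f"{records_to_scavenge(build_sample_server(flag), SAMPLE_NOW)}")
    print("duplicates:", duplicate_ips(build_sample_server(True).zones[0]))
```

With the server-level setting off the result is empty however the zone is configured, which is the situation Russ describes; turning it on deletes exactly the two retired names that share the live host's address.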

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-16 Thread Laura A. Robinson
Darren is correct. A quick and simple test- create the following policy and
link it to an OU where you've placed a test user account:
 
1. User Configuration\Administrative Templates\Start Menu and Taskbar\Remove
Documents menu from Start menu- set to enabled
 
2. Run gpupdate if you're logged on with the test account (this assumes the
test account has the appropriate permissions to create the GPO), or log off
and log on as your test user.
 
3. Click on Start button and note disappearance of Documents menu.
 
4. Edit policy and change setting to "Not configured".
 
5. Repeat step 2.
 
6. Repeat step 3 and note reappearance of Documents menu.
 
Having said all of the above, any settings that don't write to one of the
following locations *will* tattoo the registry:
 
HKEY_LOCAL_MACHINE\SOFTWARE\policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

HKEY_CURRENT_USER\SOFTWARE\policies

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

A very good tutorial can be found here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx

 
Laura
  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, November 16, 2006 4:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest



I thought 'Not Defined' meant 'ignore this setting and apply it as set
elsewhere in other GPOs'. i.e. if it were set and then later set to not
defined, the clients would continue to use the setting and ignore the change
from enabled to 'not defined'.
 
e.g. wallpaper set to A, originally. Then wallpaper set to 'not defined'. I
always believed clients would ignore any 'not defined' settings and thus
continue to use wallpaper A.
 
Am I wrong?
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 18:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


If I set an Admin template policy from "Enabled" to "Not Configured", then
that GPO with "Not Configured" needs to be processed at least once by the
target in order to remove the setting. So, even though GPMC might report "No
Settings" (and frankly I haven't looked at how it reports other areas besides
Admin. templates. For example, you can "remove" a software installation
package but it is left in the GPO so that clients can process the removal.
Does that mean that the GPO has "no settings"?) you might still want that
GPO around to be able to undo the client--if only for a limited period of
time.
 
Darren

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, November 15, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


>>>if a GPO had settings and doesn't anymore, it may be needed by users and
computers processing GP to undo settings that were previously applied
 
IMHO, no settings means all settings in the GPO are set to "Not Defined".
Wouldn't it, for the case you mention, need to have reverse settings or
original settings and thus have settings?
 
jorge
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :

  _  

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 2006-11-15 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Well, it depends upon the purpose of your quest, but you're correct. For
example, you may not want to delete a GPO that has no settings (but does
have versionNumber >0) because that may be a desirable state for it. In
other words, if a GPO had settings and doesn't anymore, it may be needed by
users and computers processing GP to undo settings that were previously
applied. Unless you know for sure that those settings have been undone, then
you can't be sure the GPO is unused.
 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Thanks Darren - that assumes the GPO is empty and always was empty, of
course :)
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 15:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Another option is to perform an LDAP search on the cn=policies, cn=system
container for GPC objects, and on each GPC object, look for a versionNumber
attribute == 0. It's probably slightly faster than first generating the HTML
report and then

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-16 Thread neil.ruston
Thanks, Laura.
 
I rarely deal with the out of the box GPO stuff and focus on writing my
own ADM files. I guess a different set of rules applies there
[tattooing] as you suggest.
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: 16 November 2006 13:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Darren is correct. A quick and simple test- create the following policy
and link it to an OU where you've placed a test user account:
 
1. User Configuration\Administrative Templates\Start Menu and
Taskbar\Remove Documents menu from Start menu- set to enabled
 
2. Run gpupdate if you're logged on with the test account (this assumes
the test account has the appropriate permissions to create the GPO), or
log off and log on as your test user.
 
3. Click on Start button and note disappearance of Documents menu.
 
4. Edit policy and change setting to "Not configured".
 
5. Repeat step 2.
 
6. Repeat step 3 and note reappearance of Documents menu.
 
Having said all of the above, any settings that don't write to one of
the following locations *will* tattoo the registry:
 
HKEY_LOCAL_MACHINE\SOFTWARE\policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

HKEY_CURRENT_USER\SOFTWARE\policies

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

A very good tutorial can be found here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx

 
Laura
  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, November 16, 2006 4:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest



I thought 'Not Defined' meant 'ignore this setting and apply it
as set elsewhere in other GPOs'. i.e. if it were set and then later set
to not defined, the clients would continue to use the setting and ignore
the change from enabled to 'not defined'.
 
e.g. wallpaper set to A, originally. Then wallpaper set to 'not
defined'. I always believed clients would ignore any 'not defined'
settings and thus continue to use wallpaper A.
 
Am I wrong?
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 18:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain /
forest


If I set an Admin template policy from "Enabled" to "Not
Configured", then that GPO with "Not Configured" needs to be processed
at least once by the target in order to remove the setting. So, even
though GPMC might report "No Settings" (and frankly I haven't looked at
how it reports other areas besides Admin. templates. For example, you
can "remove" a software installation package but it is left in the GPO
so that clients can process the removal. Does that mean that the GPO has
"no settings"?) you might still want that GPO around to be able to undo
the client--if only for a limited period of time.
 
Darren

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, November 15, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain /
forest


>>>if a GPO had settings and doesn't anymore, it may be needed
by users and computers processing GP to undo settings that were
previously applied
 
IMHO, no settings means all settings in the GPO are set to "Not
Defined". Wouldn't it, for the case you mention, need to have reverse
settings or original settings and thus have settings?
 
jorge
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :

  _  

From: [EMAIL PROTECTED] on behalf of Darren
Mar-Elia
Sent: Wed 2006-11-15 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain /
forest


Well, it depends upon the purpose of your quest, but you're
correct. For example, you may not want to delete a GPO that has no
settings (but does have versionNumber >0) because that may be a
desirable state for it. In other words, if a GPO had settings and
doesn't anymore, it may be needed by users and computers processing GP
to undo settings that were previously applied. Unless you know for sure
that those settings have been undone, then you can't be sure the GPO is
unused.
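
Laura's rule above (a setting that writes anywhere other than the four Policies keys tattoos the registry) and Neil's remark that he mostly writes his own ADM files suggest one check worth automating: scan a template for POLICY blocks whose KEYNAME falls outside those keys. The following is an added example, not code from the thread or from any of its posters. The ADM keywords it parses (CLASS, CATEGORY, POLICY, KEYNAME, END) are the real template syntax; the template text and the "Contoso" vendor name are constructed.

```python
"""Flag ADM template policies that would tattoo the registry.

Added example, not code from the thread or from any of its posters.
The template text below is constructed.
"""
from typing import Dict, List, Optional

# Key prefixes (relative to the hive) that Group Policy cleans up when a
# setting goes back to Not Configured; anything else tattoos.
POLICY_KEY_PREFIXES = (
    r"software\policies",
    r"software\microsoft\windows\currentversion\policies",
)

HIVE_FOR_CLASS = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}


def normalise_key(keyname: str) -> str:
    return keyname.strip().strip('"').replace("/", "\\").strip("\\").lower()


def is_policy_key(keyname: str) -> bool:
    key = normalise_key(keyname)
    return any(key == p or key.startswith(p + "\\") for p in POLICY_KEY_PREFIXES)


def parse_adm(text: str) -> List[Dict[str, object]]:
    """One entry per POLICY with its hive, effective KEYNAME and whether
    it tattoos. A KEYNAME given at CATEGORY level is inherited by policies
    in that category that do not set their own."""
    hive = None
    category_keys: List[Optional[str]] = []   # stack, one slot per open CATEGORY
    policy = None
    policy_key = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "CLASS":
            hive = HIVE_FOR_CLASS[arg.upper()]
        elif keyword == "CATEGORY":
            category_keys.append(None)
        elif keyword == "POLICY":
            policy, policy_key = arg.strip('"'), None
        elif keyword == "KEYNAME":
            if policy is not None:
                policy_key = arg
            elif category_keys:
                category_keys[-1] = arg
        elif keyword == "END":
            what = arg.upper()
            if what == "POLICY" and policy is not None:
                key = policy_key or next((k for k in reversed(category_keys) if k), None)
                entries.append({
                    "hive": hive,
                    "policy": policy,
                    "key": normalise_key(key) if key else None,
                    "tattoos": not (key and is_policy_key(key)),
                })
                policy, policy_key = None, None
            elif what == "CATEGORY" and category_keys:
                category_keys.pop()
    return entries


def tattooing_policies(text: str) -> List[str]:
    return [e["policy"] for e in parse_adm(text) if e["tattoos"]]


# Constructed template; "Contoso" is a placeholder vendor name.
SAMPLE_ADM = r"""
CLASS USER
CATEGORY "Custom Desktop"
  POLICY "Hide wallpaper switcher"
    KEYNAME "Software\Policies\Contoso\Desktop"
    VALUENAME "HideSwitcher"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "Legacy app mode"
    KEYNAME "Software\Contoso\LegacyApp"
    VALUENAME "Mode"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

CLASS MACHINE
CATEGORY "Custom Machine"
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Contoso"
  POLICY "Inherits category key"
    VALUENAME "Flag"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY
"""

if __name__ == "__main__":
    for entry in parse_adm(SAMPLE_ADM):
        flag = "TATTOOS" if entry["tattoos"] else "ok"
        print(f'{flag:8} {entry["hive"]}\\{entry["key"]}  ({entry["policy"]})')
```

Only the second policy in the sample is reported: it writes under Software\Contoso, so setting it back to Not Configured leaves the value behind, exactly the behaviour Laura distinguishes from the Policies keys.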
 
   

RE: [ActiveDir] Is it 2000 or 2003?

2006-11-16 Thread Tim Onsomu
I got curious about this and decided to dcpromo my vm image of windows
2003 R2.

After the AD installation (which sits at Windows 2000 for domain type) I
raised the functionality for the domain and forest.

The result for domain type was windows 2000.

I am not sure it is supposed to be different.

Anybody out there who can say their install says something else?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 15, 2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it 2000 or 2003?

Were these clean installs or in-place?

Bart Van den Wyngaert wrote:
> Well I also have a strange thing... It concerns 2 SBS 2003 systems.
> Some months ago I raised both domain and forest functional level on
> those boxes. By reading this thread I decided to have a look...
>
> Both tools report the correct OS actually on both boxes.
>
> The only thing I wonder about a bit is that they both report with the
> gpresult tool that the domain type is Windows 2000.
>
> If I look using GUI, they both report functional level of domain &
> forest being at 2003.
>
> Don't really get it actually. Is this related? Normal or did I miss
> something when I did raise the functional levels?
>
> Thanks,
> Bart
>
> On 11/10/06, Noah Eiger <[EMAIL PROTECTED]> wrote:
>> Good question. DFL = 2003 and FFL = 2003. So it must just be some 
>> lingering text string. Does anyone think there is more it?
>>
>> Thanks.
>>
>> -- nme
>>
>> -Original Message-
>> From: Clingaman, Bruce [mailto:[EMAIL PROTECTED]
>> Sent: Friday, November 10, 2006 9:39 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] Is it 2000 or 2003?
>>
>>
>>
>> What does it say under:  AD Users & Computers | [right click domain 
>> name] | Raise Domain Functional Level...
>>
>> ?
>>
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
>> Sent: Friday, November 10, 2006 11:12 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir] Is it 2000 or 2003?
>>
>> Hi -
>>
>>
>>
>> Several months ago, I upgraded a small, multi-site domain from W2k to
>> W2k3. Or so I thought. The various markings in the schema indicate
>> that the upgrade was successful. But when I run, for example,
>> gpresult, it reports a Windows 2000 domain. Is this just some flag or
>> string that did not get set properly or is there really a problem
>> with the upgrade?
>>
>>
>>
>> Thanks.
>>
>>
>>
>> -- nme
>>
>>
>>
>> P.S. I also just noticed that when I run netdiag on a new W2k3EN DC, 
>> it says "System info: Windows 2000 Server (Build 3790)".
>>
>>
>>
>>

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-16 Thread Paul Williams
It varies depending on the CSE, Neil.

The behaviour usually reverts with Admin Templates.  Security settings don't 
revert, but can roll back if they're set elsewhere (like you said).  Darren's 
already covered Software installation.

For example, if you set hide shutdown, and then set that option to not defined, 
you'll get it back unless there's another GPO overriding that.


--Paul


  - Original Message - 
  From: [EMAIL PROTECTED] 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, November 16, 2006 9:27 AM
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  I thought 'Not Defined' meant 'ignore this setting and apply it as set 
elsewhere in other GPOs'. i.e. if it were set and then later set to not 
defined, the clients would continue to use the setting and ignore the change 
from enabled to 'not defined'.

  e.g. wallpaper set to A, originally. Then wallpaper set to 'not defined'. I 
always believed clients would ignore any 'not defined' settings and thus 
continue to use wallpaper A.

  Am I wrong?

  neil


--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
  Sent: 15 November 2006 18:38
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  If I set an Admin template policy from "Enabled" to "Not Configured", then 
that GPO with "Not Configured" needs to be processed at least once by the 
target in order to remove the setting. So, even though GPMC might report "No 
Settings" (and frankly I haven't looked at how it reports other areas besides 
Admin. templates. For example, you can "remove" a software installation package 
but it is left in the GPO so that clients can process the removal. Does that 
mean that the GPO has "no settings"?) you might still want that GPO around to 
be able to undo the client--if only for a limited period of time.

  Darren



--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
  Sent: Wednesday, November 15, 2006 9:39 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  >>>if a GPO had settings and doesn't anymore, it may be needed by users and 
computers processing GP to undo settings that were previously applied

  IMHO, no settings means all settings in the GPO are set to "Not Defined". 
Wouldn't it, for the case you mention, need to have reverse settings or 
original settings and thus have settings?

  jorge

  Met vriendelijke groeten / Kind regards,
  Ing. Jorge de Almeida Pinto
  Senior Infrastructure Consultant
  MVP Windows Server - Directory Services

  LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
  Tel : +31-(0)40-29.57.777
  Mobile : +31-(0)6-26.26.62.80
  E-mail :


--
  From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
  Sent: Wed 2006-11-15 17:04
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  Well, it depends upon the purpose of your quest, but you're correct. For 
example, you may not want to delete a GPO that has no settings (but does have 
versionNumber >0) because that may be a desirable state for it. In other words, 
if a GPO had settings and doesn't anymore, it may be needed by users and 
computers processing GP to undo settings that were previously applied. Unless 
you know for sure that those settings have been undone, then you can't be sure 
the GPO is unused.






--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
  Sent: Wednesday, November 15, 2006 7:21 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  Thanks Darren - that assumes the GPO is empty and always was empty, of course 
:)

  neil



--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
  Sent: 15 November 2006 15:05
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  Another option is to perform an LDAP search on the cn=policies, cn=system 
container for GPC objects, and on each GPC object, look for a versionNumber 
attribute == 0. It's probably slightly faster than first generating the HTML 
report and then parsing it.




--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
  Sent: Wednesday, November 15, 2006 5:54 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty G

Re: [ActiveDir] Strange DC behaviour and error

2006-11-16 Thread hboogz

The same issue started happening last night at about 10:35. This was
after I plugged in my DR link to the AD box out at my disaster recovery
site.

I came in this morning only to find that when I run a NET TIME from my DCs
it was resolving this DR Domain Controller.

I disconnected the link, reset the local machine passwords, rebooted and all
is up now.

What gives? Anyone have any ideas?

On 11/15/06, hboogz <[EMAIL PROTECTED]> wrote:


Hey Guys,

Thanks for responses.

I've been stuck in the data center for the past few hours.

Here goes:

It all started with this error in the event log:

Event Type:Error
Event Source:Kerberos
Event Category:None
Event ID:4
Date:11/15/2006
Time:03:17:45 PM
User:N/A
Computer:PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was cifs/PHMAINDC1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named  machine accounts in the target realm ( PHIPPSNY.ORG),
and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Then it became all of these:

Event Type:Warning
Event Source:LSASRV
Event Category:SPNEGO (Negotiator)
Event ID:40960
Date:11/15/2006
Time:03:13:19 PM
User:N/A
Computer:PHMAINDC1
Description:
The Security System detected an authentication error for the server
cifs/PHMAINDC1.phippsny.org.  The failure code from authentication protocol
Kerberos was "The attempted logon is invalid. This is either due to a bad
username or authentication information.
 (0xc06d)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
: 6d 00 00 c0   m..À


Event Type:Error
Event Source:Userenv
Event Category:None
Event ID:1030
Date:11/15/2006
Time:02:58:23 PM
User:PHIPPSNY\Administrator
Computer:PHMAINDC1
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type:Error
Event Source:Userenv
Event Category:None
Event ID:1053
Date:11/15/2006
Time:03:03:19 PM
User:NT AUTHORITY\SYSTEM
Computer:PHMAINDC1
Description:
Windows cannot determine the user or computer name. (Access is denied. ).
Group Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Strangely, the main DC, phmaindc1, lost its forward lookup zone (AD-int)
and its reverse lookup zone (AD-int) but my second DC maintained them. I
tried adding the zones back into phmaindc1, only to get an error indicating
"invalid data".

So, what I did was make all working zones on the working DC primary
(non-AD) and added secondary zones into phmaindc1.

I tried dcdiag /fix and netdiag /fix, but nothing.

Tried restarting the Netlogon service: nothing.

I came across the forums that indicated the PTR and A record entries --
didn't find any duplicates or wrong entries, everything is a one-to-one
mapping.

I then looked inside WINS, and didn't see any conflicts. Because I've had
issues with WINS in the past, I deleted both WINS databases and created new
ones from scratch.

That didn't work.

I then attempted a net time from the DC in question and got another DC in
our DR site. This DR server is not holding any roles and isn't accessible to
all of our workstations. I tried to force this server as the authoritative
time server by setting AnnounceFlags to A, but it didn't take.

I disabled the link to the DR site, but the problems persisted.

Every time I would attempt a Net Time from a client workstation, I would
get an "Access Denied".

grr

I then came across the recommendation to reset the local machine account
password of the DCs.

Using the NetBIOS name of phmaindc1 didn't work; I needed to use the IP.

netdom resetpwd /s:192.168.1.1 /ud:domain\username /pd:*

Rebooted (ran the above while the KDC service was running).

That didn't work.

I then needed to reset the local machine account for the other DC that was
working fine.

Once I reset that using netdom and rebooted, everything came back up.


whew!

Now that I've created non-AD-int DNS zones, I saw somewhere someone
recommended deleting my previously created DNS partitions and recreating
them and making the zones AD-int again.

I've tried -- DNSCMD /DELETEDIRECTORYPARTITION

but I need the FQDN of the partition, which I don't know?

Any ideas on what to do to clean up what's going on?

or any insight as to why this happened and what 

RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-16 Thread Darren Mar-Elia
Yes and quickly the way this works is, when a client processes registry
policy, it takes all the registry policy from all the GPOs and merges it
into an "archive" file. It applies all those items in the archive file to
the registry--both tattooing "preferences" and true "policies" (as defined
by the 4 keys Laura listed). Then, the next time the client processes
registry policy, it reads that archive file before it does anything, and
removes those policies found in it (but not the preferences). Then it builds
a new archive file composed of any policies that now apply, then it applies
those as before. 
 
I also have a reasonably in-depth discussion of this here:
www.gpoguy.com/faqs/tattoo.htm
 
 
Darren 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, November 16, 2006 5:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Thanks, Laura.
 
I rarely deal with the out of the box GPO stuff and focus on writing my own
ADM files. I guess a different set of rules applies there [tattooing] as you
suggest.
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 16 November 2006 13:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Darren is correct. A quick and simple test- create the following policy and
link it to an OU where you've placed a test user account:
 
1. User Configuration\Administrative Templates\Start Menu and Taskbar\Remove
Documents menu from Start menu- set to enabled
 
2. Run gpupdate if you're logged on with the test account (this assumes the
test account has the appropriate permissions to create the GPO), or log off
and log on as your test user.
 
3. Click on Start button and note disappearance of Documents menu.
 
4. Edit policy and change setting to "Not configured".
 
5. Repeat step 2.
 
6. Repeat step 3 and note reappearance of Documents menu.
 
Having said all of the above, any settings that don't write to one of the
following locations *will* tattoo the registry:
 
HKEY_LOCAL_MACHINE\SOFTWARE\policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

HKEY_CURRENT_USER\SOFTWARE\policies

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

A very good tutorial can be found here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx

 
Laura
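
A reader for the Registry.pol files behind Darren's description and Laura's four locations, as an added example that is not code from the thread or from the pages it links. It assumes the MS-GPREG layout ("PReg" signature, DWORD version 1, then [key;value;type;size;data] records with null-terminated UTF-16LE strings) and runs on a constructed in-memory sample rather than a real SYSVOL file: the NoRecentDocsMenu value behind Laura's "Remove Documents menu" test, plus a hypothetical value under Software\Contoso\Desktop standing in for a custom ADM that writes outside the policy keys. The last function reproduces the archive step Darren describes: what the client deletes on the next refresh, and what it leaves tattooed.

```powershell
# Added example, not code from the thread: parse Registry.pol, flag values that
# tattoo, and replay the "read archive, remove what is gone" step.
# Assumptions: MS-GPREG layout; constructed sample data; key list is Laura's four.

$PolicyKeyPrefixes = @(   # Registry.pol keys are hive-relative: Machine\ -> HKLM, User\ -> HKCU
    'Software\Policies\',
    'Software\Microsoft\Windows\CurrentVersion\Policies\'
)

function Test-PolicyKey {
    param([string]$Key)
    foreach ($prefix in $PolicyKeyPrefixes) {
        if ($Key.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false   # anything else is a "preference": written once, never cleaned up
}

function New-RegistryPolBytes {
    # Serialiser, used only to build the constructed sample below.
    param([object[]]$Entries)
    $u = [System.Text.Encoding]::Unicode
    $ms = New-Object System.IO.MemoryStream
    $w = New-Object System.IO.BinaryWriter($ms)
    $w.Write([System.Text.Encoding]::ASCII.GetBytes('PReg')); $w.Write([uint32]1)
    foreach ($e in $Entries) {
        $w.Write($u.GetBytes('[')); $w.Write($u.GetBytes($e.Key + "`0"))
        $w.Write($u.GetBytes(';')); $w.Write($u.GetBytes($e.Value + "`0"))
        $w.Write($u.GetBytes(';')); $w.Write([uint32]$e.Type)
        $w.Write($u.GetBytes(';')); $w.Write([uint32]$e.Data.Length)
        $w.Write($u.GetBytes(';')); $w.Write([byte[]]$e.Data)
        $w.Write($u.GetBytes(']'))
    }
    $w.Flush(); return $ms.ToArray()
}

function Read-PolString {
    # Null-terminated UTF-16LE string at $Pos; advances $Pos past the terminator.
    param([byte[]]$Bytes, [ref]$Pos)
    $start = $Pos.Value; $end = $start
    while (-not ($Bytes[$end] -eq 0 -and $Bytes[$end + 1] -eq 0)) { $end += 2 }
    $Pos.Value = $end + 2
    return [System.Text.Encoding]::Unicode.GetString($Bytes, $start, $end - $start)
}

function Expect-Char {
    param([byte[]]$Bytes, [int]$Pos, [string]$Char)
    $c = [System.Text.Encoding]::Unicode.GetString($Bytes, $Pos, 2)
    if ($c -ne $Char) { throw "Malformed Registry.pol: expected '$Char' at offset $Pos, found '$c'" }
    return $Pos + 2
}

function Read-RegistryPol {
    param([byte[]]$Bytes)
    if ([System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') { throw 'Not a Registry.pol file' }
    if ([BitConverter]::ToUInt32($Bytes, 4) -ne 1) { throw 'Unsupported Registry.pol version' }
    $pos = 8; $entries = @()
    while ($pos -lt $Bytes.Length) {
        $pos = Expect-Char $Bytes $pos '['
        $key = Read-PolString $Bytes ([ref]$pos);   $pos = Expect-Char $Bytes $pos ';'
        $value = Read-PolString $Bytes ([ref]$pos); $pos = Expect-Char $Bytes $pos ';'
        $type = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos = Expect-Char $Bytes ($pos + 4) ';'
        $size = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos = Expect-Char $Bytes ($pos + 4) ';'
        $data = New-Object byte[] $size
        [Array]::Copy($Bytes, $pos, $data, 0, $size); $pos += $size
        $pos = Expect-Char $Bytes $pos ']'
        $decoded = switch ($type) {
            1       { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }  # REG_SZ
            4       { [BitConverter]::ToUInt32($data, 0) }                                 # REG_DWORD
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        $entries += [pscustomobject]@{ Key = $key; Value = $value; Type = $type; Data = $decoded; IsPolicy = (Test-PolicyKey $key) }
    }
    return ,$entries
}

function Get-PolicyRemovals {
    # Next refresh: every value in the previous archive that is absent from the new
    # policy set is deleted, but only under a policy key; anything else stays tattooed.
    param([object[]]$Archive, [object[]]$Current)
    $still = @{}
    foreach ($e in $Current) { $still["$($e.Key)\$($e.Value)"] = $true }
    foreach ($e in $Archive) {
        if ($still.ContainsKey("$($e.Key)\$($e.Value)")) { continue }
        [pscustomobject]@{
            Key = $e.Key; Value = $e.Value
            Action = $(if ($e.IsPolicy) { 'Delete from registry' } else { 'Left tattooed' })
        }
    }
}

# Constructed sample: Laura's test setting (a true policy) and a hypothetical custom-ADM
# value outside the policy keys; then both are switched to "Not configured".
$before = New-RegistryPolBytes @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoRecentDocsMenu'; Type = 4; Data = [BitConverter]::GetBytes([uint32]1) },
    @{ Key = 'Software\Contoso\Desktop'; Value = 'Wallpaper'; Type = 1; Data = [System.Text.Encoding]::Unicode.GetBytes("A.bmp`0") }
)
$after = New-RegistryPolBytes @()
$archive = Read-RegistryPol $before
$archive | Format-Table Key, Value, Data, IsPolicy -AutoSize
Get-PolicyRemovals -Archive $archive -Current (Read-RegistryPol $after) | Format-Table -AutoSize
```

Against a real GPO, hand `[IO.File]::ReadAllBytes('\\<domain>\SYSVOL\<domain>\Policies\{<guid>}\User\Registry.pol')` to Read-RegistryPol. The constructed run lists both values, then shows the removal pass deleting NoRecentDocsMenu (the Documents menu reappears, as in Laura's step 6) and leaving the Contoso value in place, which is the wallpaper-stays-at-A behaviour neil asked about, only for keys outside the four policy locations.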

RE: [ActiveDir] Is it 2000 or 2003?

2006-11-16 Thread neil.ruston
I've entered this thread late so apologies if the below has already been
stated:

I recently created a new dev forest, with multiple domains. I too raised
DFL and FFL as soon as all domains were built.

I do not see the issues you describe and would suggest you download the
scripts available here http://www.jadonex.com/

One of the scripts (written by Dean) checks the DFL and FFL for the
forest and across all domains.

For a manual check, I also look here:

FFL
===
CN=Partitions,CN=Configuration,DC=xxx
Attribute msDS-Behavior-Version
0=w2k FFL, 1=interim FFL, 2=w2k3 FFL

DFL
===
CN=,CN=Partitions,CN=Configuration,DC=xxx
Attribute msDS-Behavior-Version
0=w2k DFL, 1=interim DFL, 2=w2k3 DFL

Hope that helps,
neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Onsomu
Sent: 16 November 2006 14:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it 2000 or 2003?

I got curious about this and decided to dcpromo my VM image of Windows
2003 R2.

After the AD installation (which sits at Windows 2000 for domain type) I
raised the functionality for the domain and forest.

The result for domain type was windows 2000.

I am not sure it is supposed to be different.

Anybody out there who can say their install says something else?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 15, 2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it 2000 or 2003?

Were these clean installs or inplace?

Bart Van den Wyngaert wrote:
> Well I also have a strange thing... It concerns 2 SBS 2003 systems.
> Some months ago I raised both domain and forest functional level on 
> those boxes. By reading this thread I decided to have a look...
>
> Both tools report the correct OS actually on both boxes.
>
> The only thing I wonder about a bit is that they both report with the gpresult 
> tool that the domain type is Windows 2000
>
> If I look using GUI, they both report functional level of domain & 
> forest being at 2003.
>
> Don't really get it, actually. Is this related? Normal, or did I miss something
> when I did raise the functional levels?
>
> Thanks,
> Bart
>
> On 11/10/06, Noah Eiger <[EMAIL PROTECTED]> wrote:
>> Good question. DFL = 2003 and FFL = 2003. So it must just be some 
>> lingering text string. Does anyone think there is more to it?
>>
>> Thanks.
>>
>> -- nme
>>
>> -Original Message-
>> From: Clingaman, Bruce [mailto:[EMAIL PROTECTED]
>> Sent: Friday, November 10, 2006 9:39 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] Is it 2000 or 2003?
>>
>>
>>
>> What does it say under:  AD Users & Computers | [right click domain 
>> name] | Raise Domain Functional Level...
>>
>> ?
>>
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
>> Sent: Friday, November 10, 2006 11:12 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir] Is it 2000 or 2003?
>>
>> Hi -
>>
>>
>>
>> Several months ago, I upgraded a small, multi-site domain from W2k to
>> W2k3. Or so I thought. The various markings in the schema indicate 
>> that the upgrade was successful. But when I run, for example, 
>> gpresult, it reports a Windows 2000 domain. Is this just some flag or
>> string that did not get set properly or is there really a problem
>> with the upgrade?
>>
>>
>>
>> Thanks.
>>
>>
>>
>> -- nme
>>
>>
>>
>> P.S. I also just noticed that when I run netdiag on a new W2k3EN DC, 
>> it says "System info: Windows 2000 Server (Build 3790)".
>>
>>
>>
>>
>>
>>
>> List info   : http://www.activedir.org/List.aspx
>> List FAQ: http://www.activedir.org/ListFAQ.aspx
>> List archive: 
>> http://www.mail-archive.com/activedir@mail.activedir.org/
>>
>

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs


[ActiveDir] OT: GPO Issue - Recycler

2006-11-16 Thread Mark Parris
All,

Is there a way to get the Recycler out of the My Documents folder, so that 
when a user has folder redirection enabled it does not sync to the network?

Turning the recycle bin off is not an option.


Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


RE: [ActiveDir] Strange DC behavior and error

2006-11-16 Thread Scott, Anthony
Windows is supposed to get its time from the PDC role holder, sometimes though 
this does not work as advertised. So I usually issue this command on any new 
DCs I bring up:

W32tm /config /syncfromflags:DOMHIER /update

Then:

Net stop w32time & net start w32time

 

 

Thanks,

Anthony Scott

 

 


Re: [ActiveDir] Is it 2000 or 2003?

2006-11-16 Thread Paul Williams
I don't understand where you are seeing this info.  Are you referring to the 
applet that is used to raise the FL?  Or something else?


As for the "flag" that is used to identify the directory, it is usually a 
combination of:


msDS-Behavior-Version
nTMixedDomain
supportedCapabilities


Or at least, that is the way I put info. such as server and directory in 
each of my scripts.  Just like Joe does in ADFIND and ADMOD.  I believe he 
does it the same way too.


Basically, check msDS-Behavior-Version.  If it's 0, check nTMixedDomain.  If 
it's 2, check supportedCapabilities to see whether or not it is ADAM (it's 
ADAM if one of the supportedCapabilities is 1.2.840.113556.1.4.1851 
[LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]).


In my test lab(s), my directory is considered a 2003 directory.

In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs.


--Paul


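
neil's manual check and Paul's rule, as an added example that is not from the thread. It reads msDS-Behavior-Version from CN=Partitions for the forest and from the domain NC head for the domain (the domain's crossRef under CN=Partitions that neil points at carries the same attribute, but nTMixedDomain, which Paul's rule needs at level 0, sits on the NC head), and cross-checks against the functionality attributes that RootDSE publishes on Windows Server 2003 and later DCs. Assumptions: a domain-joined host, a serverless LDAP bind unless -Server is given, and level names above 2 taken from later Windows releases, which the thread does not cover.

```powershell
# Added example, not code from the thread: read forest and domain functional levels
# from the directory the way neil and Paul describe.
# Assumptions: domain-joined host; RootDSE publishes *Functionality (2003+ DCs);
# values 0..2 are the thread's table, 3 and up are later releases.

$LevelNames = @{
    0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'; 7 = 'Windows Server 2016'; 10 = 'Windows Server 2025'
}

function Resolve-LevelName {
    param([int]$Level, [int]$MixedDomain = 0)
    $name = if ($LevelNames.ContainsKey($Level)) { $LevelNames[$Level] } else { "unknown level $Level" }
    # Paul's rule: at level 0 the domain may be mixed or native; nTMixedDomain decides
    if ($Level -eq 0) { $name += $(if ($MixedDomain -eq 1) { ' mixed' } else { ' native' }) }
    return $name
}

function Get-FunctionalLevels {
    param([string]$Server = '')   # empty = serverless bind to the logon DC
    $prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse  = [ADSI]"${prefix}RootDSE"
    $configDn = [string]$rootDse.Properties['configurationNamingContext'].Value
    $domainDn = [string]$rootDse.Properties['defaultNamingContext'].Value

    # FFL: msDS-Behavior-Version on CN=Partitions,CN=Configuration,...
    # (absent on a pure Windows 2000 forest, which [int]$null correctly maps to 0)
    $partitions = [ADSI]"${prefix}CN=Partitions,$configDn"
    $ffl = [int]$partitions.Properties['msDS-Behavior-Version'].Value

    # DFL: msDS-Behavior-Version plus nTMixedDomain on the domain NC head
    $domain = [ADSI]"${prefix}$domainDn"
    $dfl   = [int]$domain.Properties['msDS-Behavior-Version'].Value
    $mixed = [int]$domain.Properties['nTMixedDomain'].Value

    [pscustomobject]@{
        Forest             = $configDn -replace '^CN=Configuration,', ''
        ForestLevel        = $ffl
        ForestLevelName    = (Resolve-LevelName $ffl)
        Domain             = $domainDn
        DomainLevel        = $dfl
        DomainLevelName    = (Resolve-LevelName $dfl $mixed)
        RootDseForestLevel = [int]$rootDse.Properties['forestFunctionality'].Value
        RootDseDomainLevel = [int]$rootDse.Properties['domainFunctionality'].Value
        RootDseDcLevel     = [int]$rootDse.Properties['domainControllerFunctionality'].Value
    }
}

Get-FunctionalLevels | Format-List
```

The directory values and the RootDSE values should agree; if they do and gpresult still prints "Windows 2000" for the domain type, that string is not coming from msDS-Behavior-Version, which is the reading Noah arrived at.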

[ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

I am having continued issues with Kerberos. I tried running tokensz against
the problem server and i get this error message..

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128

Asked for delegate, but didn't get it.
Check if server is trusted for delegation.

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4
KeySize = 128
Flags = 2001c
Signature Algorithm = -138
Encrypt Algorithm = 26625
QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED


any ideas ?

I keep getting the following event log message on a domain controller which
prevents users from accessing it and authenticating to it.

Event Type:Error
Event Source:Kerberos
Event Category:None
Event ID:4
Date:11/16/2006
Time:12:02:37 PM
User:N/A
Computer:PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named  machine accounts in the target realm (PHIPPSNY.ORG), and
the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Help!



--
HBooGz:\>
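
Two checks for what the event text itself points at, as an added example that is not from the thread: the "identically named machine accounts" condition (the same SPN registered on more than one account) and the name mismatch visible in the event, where the server is host/phmaindc1.phippsny.org but the target name the client used was host/phprint1. The sample records are constructed to show the shape of a conflict and are not the poster's directory data. Assumptions: a global catalog reachable from the host for the live query, and [System.Net.Dns] resolving through the same resolver the clients use.

```powershell
# Added example, not code from the thread: find SPNs held by more than one account,
# and check whether two host names share an address.
# Assumptions: GC reachable for the live query; sample data below is constructed.

function Find-SpnConflicts {
    # Pure: takes objects with Dn and Spns, returns one row per SPN on > 1 account.
    # Comparison is case-insensitive, which is how the KDC resolves an SPN.
    param([object[]]$Accounts)
    $owners = @{}
    foreach ($a in $Accounts) {
        foreach ($spn in $a.Spns) {
            $k = ([string]$spn).ToLowerInvariant()
            if (-not $owners.ContainsKey($k)) { $owners[$k] = @() }
            if ($owners[$k] -notcontains $a.Dn) { $owners[$k] += $a.Dn }
        }
    }
    foreach ($k in ($owners.Keys | Sort-Object)) {
        if ($owners[$k].Count -gt 1) {
            [pscustomobject]@{ Spn = $k; Accounts = ($owners[$k] -join '; ') }
        }
    }
}

function Get-ForestSpnAccounts {
    # Live query: every object in the global catalog with at least one servicePrincipalName.
    param([string]$SearchRoot = ('GC://' + [string]([ADSI]'LDAP://RootDSE').Properties['rootDomainNamingContext'].Value))
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    $searcher.Filter = '(servicePrincipalName=*)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'servicePrincipalName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Dn   = [string]$r.Properties['distinguishedname'][0]
            Spns = @($r.Properties['serviceprincipalname'] | ForEach-Object { [string]$_ })
        }
    }
}

function Get-SharedAddresses {
    # If two names resolve to a common address (stale A/PTR record, WINS entry, hosts
    # file), a client can obtain a ticket for host/<NameA> and present it to <NameB>,
    # whose key cannot decrypt it: one way the mismatch in the event comes about.
    param([string]$NameA, [string]$NameB)
    $a = @([System.Net.Dns]::GetHostAddresses($NameA) | ForEach-Object { $_.ToString() })
    $b = @([System.Net.Dns]::GetHostAddresses($NameB) | ForEach-Object { $_.ToString() })
    return @($a | Where-Object { $b -contains $_ })
}

# Constructed sample: a DC whose account also carries the print server's short HOST SPN.
$sample = @(
    [pscustomobject]@{ Dn   = 'CN=PHMAINDC1,OU=Domain Controllers,DC=phippsny,DC=org'
                       Spns = @('HOST/phmaindc1.phippsny.org', 'HOST/PHMAINDC1', 'host/phprint1') }
    [pscustomobject]@{ Dn   = 'CN=PHPRINT1,CN=Computers,DC=phippsny,DC=org'
                       Spns = @('HOST/phprint1.phippsny.org', 'HOST/PHPRINT1') }
)
Find-SpnConflicts $sample | Format-Table -AutoSize   # reports host/phprint1 on both accounts

# Live use, in the domain:
#   Find-SpnConflicts (Get-ForestSpnAccounts) | Format-Table -AutoSize
#   Get-SharedAddresses 'phprint1' 'phmaindc1'
```

A duplicate found by the first check is fixed by removing the SPN from the account that should not hold it; a shared address found by the second is a DNS, WINS or hosts-file record to correct. Neither substitutes for the machine account password reset already done: KRB_AP_ERR_MODIFIED also appears when the KDC's copy of the account password and the server's differ, which is the case the reset addressed.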


RE: [ActiveDir] Strange DC behavior and error

2006-11-16 Thread Laura A. Robinson
That's not entirely accurate, which may be why you see it not working "as
advertised". :-)
 
http://technet2.microsoft.com/WindowsServer/en/library/71e76587-28f4-4272-a3d7-7f44ca50c0181033.mspx?mfr=true
 
Laura



RE: [ActiveDir] Strange DC behavior and error

2006-11-16 Thread Haritwal, Dhiraj
You can also forcefully sync the time by changing the registry entry. 
 

 

Then reboot the server.

 

Thanks & Regards,

Dhiraj Haritwal

System Administrator

Sony India Pvt. Ltd.

A-31, Mohan Co-operative Industrial Estate,

Mathura Road, New Delhi - 110 044

Tel. No. : 011-66006276

Fax No. : 011-26959141, 26959143 

Cell No. : 9873585408

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott, Anthony
Sent: Thursday, November 16, 2006 9:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DC behavior and error

 

Windows is supposed to get its time from the PDC role holder; sometimes, though,
this does not work as advertised. So I usually issue this command on any new
DCs I bring up:

w32tm /config /syncfromflags:DOMHIER /update

Then:

net stop w32time & net start w32time

 

 

Thanks,

Anthony Scott

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange DC behaviour and error

 

The same issue started happening last night at about 10:35. This was after I
plugged in my DR link to the AD box out at my disaster recovery site.

I came in this morning only to find that when I run a NET TIME from my DCs it
was resolving this DR domain controller.

I disconnected the link, reset the local machine passwords, rebooted, and all is
up now.

What gives? Anyone have any ideas?

On 11/15/06, hboogz <[EMAIL PROTECTED]> wrote:

Hey Guys,

Thanks for responses.

I've been stuck in the data center for the past few hours.

Here goes:

It all started with this error in the event log:

Event Type:Error
Event Source:Kerberos
Event Category:None
Event ID:4
Date:11/15/2006
Time:03:17:45 PM 
User:N/A 
Computer:PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server 
host/phmaindc1.phippsny.org.  The target name used was cifs/PHMAINDC1. This 
indicates that the password used to encrypt the kerberos service ticket is 
different than that on the target server. Commonly, this is due to identically 
named  machine accounts in the target realm ( PHIPPSNY.ORG), and the client 
realm.   Please contact your system administrator.

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.

Then it became all of these:

Event Type:Warning
Event Source:LSASRV
Event Category:SPNEGO (Negotiator) 
Event ID:40960
Date:11/15/2006
Time:03:13:19 PM
User:N/A
Computer:PHMAINDC1
Description: 
The Security System detected an authentication error for the server 
cifs/PHMAINDC1.phippsny.org.  The failure code from authentication protocol 
Kerberos was "The attempted logon is invalid. This is either due to a bad 
username or authentication information. 
 (0xc06d)".

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp .
Data:
: 6d 00 00 c0   m..À


Event Type:Error
Event Source:Userenv 
Event Category:None
Event ID:1030
Date:11/15/2006
Time:02:58:23 PM
User:PHIPPSNY\Administrator
Computer:PHMAINDC1
Description:
Windows cannot query for the list of Group Policy objects. Check the event log 
for possible messages previously logged by the policy engine that describes the 
reason for this. 

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.

Event Type:Error
Event Source:Userenv
Event Category:None
Event ID:1053
Date:11/15/2006
Time:03:03:19 PM
User:NT AUTHORITY\SYSTEM
Computer:PHMAINDC1
Description:
Windows cannot determine the user or computer name. (Access is denied. ). Group 
Policy processing aborted. 

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.

Strangely, the main DC, phmaindc1, lost its forward lookup zone (ad-int) and
its reverse lookup zone (ad-int), but my second DC maintained them. I tried
adding the zones back into phmaindc1, only to get an error indicating "invalid
data".

So, what I did was make all working zones on the working DC primary (non-AD)
and added secondary zones into phmaindc1.

I tried dcdiag /fix and netdiag /fix - but nothing.

Tried restarting the netlogon service - nothing.

I came across forums that pointed at the PTR and A record entries -- didn't
find any duplicates or wrong entries, everything is a one-to-one mapping.

I then looked inside WINS, and didn't see any conflicts. Because I've had
issues with WINS in the past, I deleted both WINS databases and created new
ones from scratch.

That didn't work.

I then attempted a net time from the DC in question and got another DC in our
DR site. This DR server is not holding any roles and isn't accessible to all of
our workstations. I tried to force t
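The event records quoted above, worked through as an added example (this is not code from the thread): a small Python parser for the Event Viewer text format the posts paste, which orders the records by timestamp and extracts the two names from each KRB_AP_ERR_MODIFIED event, the server that could not decrypt the ticket and the target name the client asked for. The sample log is reconstructed from the events on this page with the descriptions shortened; the field names and regular expressions are assumptions about the pasted format, not a Microsoft API.

```python
import re
from datetime import datetime

# Constructed sample: the events quoted in this thread, trimmed to the fields the
# parser needs (the 11/15 events from hboogz's first post, the 11/16 event from
# the "Kerberos is Killing Me!" post). Descriptions are cut to their first sentences.
SAMPLE_LOG = """\
Event Type:Error
Event Source:Kerberos
Event ID:4
Date:11/15/2006
Time:03:17:45 PM
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was cifs/PHMAINDC1.

Event Type:Error
Event Source:Userenv
Event ID:1030
Date:11/15/2006
Time:02:58:23 PM
Description:
Windows cannot query for the list of Group Policy objects.

Event Type:Error
Event Source:Userenv
Event ID:1053
Date:11/15/2006
Time:03:03:19 PM
Description:
Windows cannot determine the user or computer name. (Access is denied. ).

Event Type:Error
Event Source:Kerberos
Event ID:4
Date:11/16/2006
Time:12:02:37 PM
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was host/phprint1.
"""

# Header fields as Event Viewer pastes them: "Name:Value", no space after the colon.
FIELD_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):(.*)$")
SERVER_RE = re.compile(r"from the server (\S+?)\.?(?:\s|$)")
TARGET_RE = re.compile(r"target name used was (\S+?)\.?(?:\s|$)")


def parse_events(text):
    """Split a pasted Event Viewer dump into dicts. Every non-empty line after
    'Description:' belongs to that event's free-text description."""
    events, current, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):          # a new record starts here
            current, in_desc = {"desc": []}, False
            events.append(current)
        if current is None:
            continue
        if in_desc:
            if line:
                current["desc"].append(line)
        elif line == "Description:":
            in_desc = True
        else:
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    for ev in events:
        ev["desc"] = " ".join(ev.pop("desc"))
        ev["id"] = int(ev["Event ID"])
        ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
    return events


def short_host(spn):
    """'cifs/PHMAINDC1.phippsny.org' -> 'phmaindc1': host part, first label, lowercased,
    so the short and fully qualified forms of one machine compare equal."""
    return spn.split("/", 1)[-1].split(".")[0].lower()


def triage(text):
    """Order the events by timestamp and, for each KRB_AP_ERR_MODIFIED event, pull out
    the server that failed to decrypt the ticket and the target name the client used."""
    events = sorted(parse_events(text), key=lambda e: e["when"])
    timeline = [(e["when"].strftime("%m/%d %H:%M:%S"), e["Event Source"], e["id"]) for e in events]
    krb = []
    for e in events:
        if e["Event Source"] == "Kerberos" and e["id"] == 4 and "KRB_AP_ERR_MODIFIED" in e["desc"]:
            server = SERVER_RE.search(e["desc"]).group(1)
            target = TARGET_RE.search(e["desc"]).group(1)
            krb.append({"server": server, "target": target,
                        "same_host": short_host(server) == short_host(target)})
    gp_failures = [e["id"] for e in events if e["Event Source"] == "Userenv"]
    return {"timeline": timeline, "krb_ap_err_modified": krb, "gp_failures": gp_failures}
```

Sorted, the excerpt reads Userenv 1030 (14:58), Userenv 1053 (15:03), Kerberos 4 (15:17), then the 11/16 Kerberos 4: the Group Policy failures carry earlier stamps than the Kerberos error the poster treats as the start, which matters when deciding what caused what. The 11/16 record is the one where the target name (host/phprint1) belongs to a different machine from the server that received the ticket (phmaindc1); that is what `same_host` flags, and it is the mismatch Al Mulnick asks about further down the thread.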

RE: [ActiveDir] Strange DC behavior and error

2006-11-16 Thread joe
Windows machines get time based on their config... if they aren't set to use
a specific server and just follow the Windows architecture, they use the DC
that authenticated the secure channel. This usually means members go to a
local DC, the local DC goes to the PDC of the domain they are in, and the
domain PDCs go to the forest root PDC.
 
The NET TIME command (except for /querysntp) does not accurately reflect
which DC is being used for the time service. Search on posts from Bob Free in
the archives; he has laid this out in painful detail at least 4 or 5 times
on exactly how it all works.
 
What specifically have you seen not working as advertised?
 
   joe
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread joe
Do you have any duplicate SPNs? Well specifically the SPNs mentioned in the
error?
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos is Killing Me!



I am having continued issues with Kerberos. I tried running tokensz against
the problem server and I get this error message:

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128

Asked for delegate, but didn't get it.
Check if server is trusted for delegation.

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4
KeySize = 128
Flags = 2001c
Signature Algorithm = -138
Encrypt Algorithm = 26625
QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED


Any ideas?

I keep getting the following event log message on a domain controller which
prevents users from accessing it and authenticating to it.

Event Type:Error
Event Source:Kerberos
Event Category:None
Event ID:4
Date:11/16/2006
Time:12:02:37 PM 
User:N/A
Computer:PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named  machine accounts in the target realm ( PHIPPSNY.ORG), and
the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Help!



-- 
HBooGz:\> 


RE: [ActiveDir] Is it 2000 or 2003?

2006-11-16 Thread joe
AdFind only determines the Directory level, it doesn't look for functional
modes or mixed mode. The way I get directory level is through the
supportedCapabilities attribute of the rootdse of the DC. Of course it is
possible to hit one DC looking for info and I pull the ROOTDSE from that DC
and then in the background a referral is processed which ends up getting the
info from another DC in another domain (or same domain if looking at app
parts).

You can get functionality modes from the rootdse attributes
domainFunctionality and forestFunctionality. 

For all of those, just do an 

AdFind -rootdse 

And you will see what I am decoding and logically how I ascertain directory
level. 



For mixed mode versus native, you simply use the domain NC's nTMixedDomain
attribute.

   joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, November 16, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it 2000 or 2003?

I don't understand where you are seeing this info.  Are you referring to the
applet that is used to raise the FL?  Or something else?

As for the "flag" that is used to identify the directory, it is usually a 
combination of:

msDS-Behavior-Version
nTMixedDomain
supportedCapabilities


Or at least, that is the way I put info such as server and directory in 
each of my scripts.  Just like Joe does in ADFIND and ADMOD.  I believe he 
does it the same way too.

Basically, check msDS-Behavior-Version.  If it's 0, check nTMixedDomain.  If
it's 2, check supportedCapabilities to see whether or not it is ADAM (it's 
ADAM if one of the supportedCapabilities is 1.2.840.113556.1.4.1851 
[LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]).

In my test lab(s), my directory is considered a 2003 directory.

In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs.


--Paul


- Original Message - 
From: <[EMAIL PROTECTED]>
To: 
Sent: Thursday, November 16, 2006 3:45 PM
Subject: RE: [ActiveDir] Is it 2000 or 2003?


> I've entered this thread late so apologies if the below has already been
> stated:
>
> I recently created a new dev forest, with multiple domains. I too raised
> DFL and FFL as soon as all domains were built.
>
> I do not see the issues you describe and would suggest you download the
> scripts available here http://www.jadonex.com/
>
> One of the scripts (written by Dean) checks the DFL and FFL for the
> forest and across all domains.
>
> For a manual check, I also look here:
>
> FFL
> ===
> CN=Partitions,CN=Configuration,DC=xxx
> Attribute msDS-Behavior-Version
> 0=w2k FFL, 1=interim FFL, 2=w2k3 FFL
>
> DFL
> ===
> CN=,CN=Partitions,CN=Configuration,DC=xxx
> Attribute msDS-Behavior-Version
> 0=w2k DFL, 1=interim DFL, 2=w2k3 DFL
>
> Hope that helps,
> neil
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tim Onsomu
> Sent: 16 November 2006 14:35
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Is it 2000 or 2003?
>
> I got curious about this and decided to dcpromo my vm image of windows
> 2003 R2.
>
> After the AD installation (which sits at Windows 2000 for domain type) I
> raised the functionality for the domain and forest.
>
> The result for domain type was windows 2000.
>
> I am not sure it is supposed to be different.
>
> Anybody out there who can say their install says something else?
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Wednesday, November 15, 2006 3:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Is it 2000 or 2003?
>
> Were these clean installs or inplace?
>
> Bart Van den Wyngaert wrote:
>> Well I also have a strange thing... It concerns 2 SBS 2003 systems.
>> Some months ago I raised both domain and forest functional level on
>> those boxes. By reading this thread I decided to have a look...
>>
>> Both tools report the correct OS actually on both boxes.
>>
>> The only thing I wonder about a bit is that they both report with the
>> gpresult tool that the domain type is Windows 2000.
>>
>> If I look using the GUI, they both report the functional level of domain &
>> forest being at 2003.
>>
>> Don't really get it, actually. Is this related? Normal, or did I miss something
>> when I raised the functional levels?
>>
>> Thanks,
>> Bart
>>
>> On 11/10/06, Noah Eiger <[EMAIL PROTECTED]> wrote:
>>> Good question. DFL = 2003 and FFL = 2003. So it must just be some
>>> lingering text string. Does anyone think there is more to it?
>>>
>>> Thanks.
>>>
>>> -- nme
>>>
>>> -Original Message-
>>> From: Clingaman, Bruce [mailto:[EMAIL PROTECTED]
>>> Sent: Friday, November 10, 2006 9:39 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] Is it 2000 or 2003?
>>>
>>>
>>>
>>> What does it say under:  AD Users & Computers | [right click doma
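Paul's order of checks and neil's attribute table, coded as an added example in Python (it is not from any poster's scripts, nor from AdFind or ADMOD): the values are passed in as strings the way an LDAP read returns them, and the sample rootDSE, domain NC and CN=Partitions dictionaries are constructed. The ADAM OID is the one Paul quotes; 1.2.840.113556.1.4.1670 is the documented LDAP_CAP_ACTIVE_DIRECTORY_V51_OID that a Windows Server 2003 DC lists in supportedCapabilities.

```python
# Added example, not from the thread. The ADAM capability OID is the one Paul
# quotes; 1.2.840.113556.1.4.1670 is the documented LDAP_CAP_ACTIVE_DIRECTORY_V51_OID
# that a Windows Server 2003 DC advertises in rootDSE supportedCapabilities.
ADAM_OID = "1.2.840.113556.1.4.1851"
W2K3_DC_OID = "1.2.840.113556.1.4.1670"

# neil's table: the same attribute means DFL on the domain NC and FFL on CN=Partitions.
LEVELS = {0: "Windows 2000", 1: "Windows Server 2003 interim", 2: "Windows Server 2003"}

# Constructed sample values, shaped as an LDAP read returns them (strings and
# lists of strings); a Windows Server 2003 forest at DFL/FFL 2 in native mode.
SAMPLE_ROOTDSE = {
    "domainFunctionality": "2",
    "forestFunctionality": "2",
    "supportedCapabilities": [W2K3_DC_OID],
}
SAMPLE_DOMAIN_NC = {"msDS-Behavior-Version": "2", "nTMixedDomain": "0"}
SAMPLE_PARTITIONS = {"msDS-Behavior-Version": "2"}


def functional_level(behavior_version):
    """Decode msDS-Behavior-Version (or domainFunctionality / forestFunctionality from rootDSE)."""
    return LEVELS.get(int(behavior_version), "unknown (msDS-Behavior-Version=%s)" % behavior_version)


def classify_directory(behavior_version, nt_mixed_domain, supported_capabilities):
    """Paul's order of checks: msDS-Behavior-Version first; at 0 consult
    nTMixedDomain (1 = mixed, 0 = native); at 2 look for the ADAM OID."""
    version = int(behavior_version)
    if version == 0:
        mode = "mixed" if int(nt_mixed_domain) == 1 else "native"
        return "Windows 2000 directory, %s mode" % mode
    if version == 2 and ADAM_OID in set(supported_capabilities):
        return "ADAM instance"
    return "%s directory" % functional_level(version)


def report(rootdse, domain_nc, partitions):
    """Put joe's rootDSE view and neil's manual reads side by side. rootDSE is
    answered by the DC you happen to hit, so a disagreement between the two
    views is worth chasing before trusting either number."""
    dfl = int(domain_nc["msDS-Behavior-Version"])
    ffl = int(partitions["msDS-Behavior-Version"])
    return {
        "directory": classify_directory(dfl, domain_nc.get("nTMixedDomain", "1"),
                                        rootdse.get("supportedCapabilities", [])),
        "dfl": functional_level(dfl),
        "ffl": functional_level(ffl),
        "rootdse_agrees": (int(rootdse["domainFunctionality"]) == dfl
                           and int(rootdse["forestFunctionality"]) == ffl),
    }
```

With real data the three dictionaries come from three reads: rootDSE of the DC, the domain NC head, and CN=Partitions,CN=Configuration (the path neil gives). The `rootdse_agrees` flag is the cheap cross-check for the situation Bart describes, where different tools report different levels: if the attribute reads and the rootDSE values disagree, the tool is not the problem.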

Re: [ActiveDir] Strange DC behaviour and error

2006-11-16 Thread Paul Williams
Pay no attention to NET TIME.  It's using legacy APIs and isn't an accurate 
depiction of what w32time is doing.  If you want to know what server is being 
used, crank up the logging of w32time (there's a KB that explains how to do 
this).  Otherwise, run nltest /dsgetdc:domain-name.com (or SET LOG if you 
logged on without cached credentials) and that will give you a better idea of 
which DC is being used.

Note.  If there are several DCs in the site, the above might not be indicative 
of the actual DC, but will give you a better idea than NET TIME.

As a quick note on time sync.  The PDCe is the authoritative root.  Clients 
will use any DC.  DCs use the PDCe in their domain.  The PDCes use the forest 
root PDCe.


--Paul

Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Al Mulnick

Do you have identically named hosts?  Maybe nic teaming gone wrong?
Clustering?

Strange DNS?

What exactly is the hostname supposed to be?  host/phprint1?  That's not the
same as the host name you're reporting from (SPN?)

Al



RE: [ActiveDir] Strange DC behavior and error

2006-11-16 Thread Scott, Anthony
Right, I wasn't going to go into that level of detail in that article. But if 
you were going to call MS about a Kerberos issue, one of the first questions 
they would ask is "is time syncing correctly?"

 

 

Thanks,

Anthony Scott

Microsoft Consultant

Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]

    

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 16, 2006 12:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DC behavior and error

 

That's not entirely accurate, which may be why you see it not working "as 
advertised". :-)

 

http://technet2.microsoft.com/WindowsServer/en/library/71e76587-28f4-4272-a3d7-7f44ca50c0181033.mspx?mfr=true

 

Laura

 




RE: [ActiveDir] Strange DC behavior and error

2006-11-16 Thread Scott, Anthony
I've installed new DCs that don't replicate at first. As soon as I issue the 
w32tm command I listed below replication kicks off. Not in all cases, but a 
few. 

 

 

Thanks,

Anthony Scott

Microsoft Consultant

Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]

    


[ActiveDir] Windows PowerShell now available for download

2006-11-16 Thread Laura A. Robinson


I may have missed it if somebody already posted this, but Windows PowerShell
is now available for download:

http://www.microsoft.com/downloads/details.aspx?FamilyID=10ee29af-7c3a-4057-8367-c9c1dab6e2bf&DisplayLang=en
 
Enjoy!

Laura

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Michael B Allen
On Thu, 16 Nov 2006 12:08:46 -0500
hboogz <[EMAIL PROTECTED]> wrote:

> I am having continued issues with Kerberos. I tried running tokensz against
> the problem server and i get this error message..
> 
> C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation
> /target_s
> erver:host/phmaindc1
> 
> Name: Negotiate Comment: Microsoft Package Negotiator
> Current PackageInfo->MaxToken: 12128
> 
> Asked for delegate, but didn't get it.
> Check if server is trusted for delegation.
> 
> QueryKeyInfo:
> Signature algorithm =
> Encrypt algorithm = RSADSI RC4
> KeySize = 128
> Flags = 2001c
> Signature Algorithm = -138
> Encrypt Algorithm = 26625
> QueryContextAttributes (lifespan): Status = 2148074242 0x80090302
> SEC_E_NOT_SUPP
> ORTED
> 
> 
> any ideas ?

Run kerbtray and make sure your TGT is forwardable.

Also, run the following:

C:\>dsquery * (dc=X) -filter "(servicePrincipalName=host/phmaindc1)"

to make sure you only have one account.

Mike

> I keep getting the following event log message on a domain controller which
> prevents users from accessing it and authenticating to it.
> 
> Event Type:Error
> Event Source:Kerberos
> Event Category:None
> Event ID:4
> Date:11/16/2006
> Time:12:02:37 PM
> User:N/A
> Computer:PHMAINDC1
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
> indicates that the password used to encrypt the kerberos service ticket is
> different than that on the target server. Commonly, this is due to
> identically named  machine accounts in the target realm (PHIPPSNY.ORG), and
> the client realm.   Please contact your system administrator.

Have you messed with the account at all since logging off and on. Run
kerbtray, purge your tickets and try again.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
Is this the same set of machines that are being talked about in the "strange
DC error" thread? I don't remember who it was who originated that one and I
want to make sure I'm not asking for something you've already provided.
 
So, if the answer to the above is "no", my next question is, can you provide
a little more information about the environment? How long has this DC
existed as a DC? Was there ever another DC with the same name? Was this DC
at any point restored from a backup? Has it been consistently connected to
the network? How about the member server- same questions as the DC
questions.
 
Thanks,
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos is Killing Me!



I am having continued issues with Kerberos. I tried running tokensz against
the problem server and i get this error message..

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128

Asked for delegate, but didn't get it.
Check if server is trusted for delegation.

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4
KeySize = 128
Flags = 2001c
Signature Algorithm = -138
Encrypt Algorithm = 26625
QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED


any ideas ?

I keep getting the following event log message on a domain controller which
prevents users from accessing it and authenticating to it.

Event Type:Error
Event Source:Kerberos
Event Category:None
Event ID:4
Date:11/16/2006
Time:12:02:37 PM 
User:N/A
Computer:PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named  machine accounts in the target realm ( PHIPPSNY.ORG), and
the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Help!



-- 
HBooGz:\> 
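The Event ID 4 text in this post is the record a defender would want to pick out automatically rather than read by eye. The following is an added example, not code from the thread or from any of the posters: it parses Event Viewer text pasted in the format shown above and, for every Kerberos KRB_AP_ERR_MODIFIED event, compares the server SPN with the target name the ticket was actually issued for, flagging a mismatch such as host/phmaindc1 versus host/phprint1. The sample log is constructed, modelled on the events quoted in this post, and the function and field names are mine.

```python
import re

# Header fields of an event as pasted from the Windows 2003 Event Viewer.
HEADER_KEYS = ("Event Type", "Event Source", "Event Category", "Event ID",
               "Date", "Time", "User", "Computer")

# Constructed sample, modelled on the Event ID 4 and Userenv events in the thread.
SAMPLE_LOG = """\
Event Type:Error
Event Source:Kerberos
Event Category:None
Event ID:4
Date:11/16/2006
Time:12:02:37 PM
User:N/A
Computer:PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type:Error
Event Source:Userenv
Event Category:None
Event ID:1053
Date:11/16/2006
Time:12:03:01 PM
User:NT AUTHORITY\\SYSTEM
Computer:PHMAINDC1
Description:
Windows cannot determine the user or computer name. (Access is denied. ). Group
Policy processing aborted.
"""

# "... from the server <SPN>.  The target name used was <SPN>."
KRB_MODIFIED_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (\S+)\.\s+"
    r"The target name used was (\S+)\.", re.IGNORECASE)


def parse_events(text):
    """Split pasted Event Viewer text into one dict per event.

    Header lines are 'Key:Value'; everything after 'Description:' up to the
    next 'Event Type:' is joined into a single Description string.
    """
    events, current, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):
            current, in_desc = {"Description": []}, False
            events.append(current)
        if current is None or not line:
            continue
        if in_desc:
            current["Description"].append(line)
            continue
        key, sep, value = line.partition(":")
        if key == "Description":
            in_desc = True
        elif sep and key in HEADER_KEYS:
            current[key] = value.strip()
    for ev in events:
        ev["Description"] = " ".join(ev["Description"])
    return events


def short_host(spn):
    """host/phmaindc1.phippsny.org -> 'phmaindc1': drop service class and DNS suffix."""
    name = spn.split("/", 1)[-1]
    return name.split(".", 1)[0].lower()


def find_krb_modified(events):
    """Return one finding per Kerberos Event ID 4 with both SPNs and a mismatch flag."""
    findings = []
    for ev in events:
        if ev.get("Event Source") != "Kerberos" or ev.get("Event ID") != "4":
            continue
        m = KRB_MODIFIED_RE.search(ev["Description"])
        if not m:
            continue
        server, target = m.group(1), m.group(2)
        findings.append({
            "computer": ev.get("Computer"),
            "when": f"{ev.get('Date')} {ev.get('Time')}",
            "server_spn": server,
            "target_spn": target,
            # A ticket issued for one host but presented to another is the
            # wrong-target / identically named account case the event text
            # describes; the same host on both sides points instead at a
            # ticket key that no longer matches the target's password.
            "name_mismatch": short_host(server) != short_host(target),
        })
    return findings


if __name__ == "__main__":
    for f in find_krb_modified(parse_events(SAMPLE_LOG)):
        state = "TARGET MISMATCH" if f["name_mismatch"] else "same host"
        print(f"{f['when']} {f['computer']}: {f['server_spn']} vs {f['target_spn']} -> {state}")
```

Feed it a saved copy of the System log text (Event Viewer's copy-to-clipboard output concatenated into one file) and the mismatch flag separates the two causes the event text lists: a ticket for the wrong host name, which is a DNS or SPN problem, from a ticket for the right host that the host still cannot decrypt, which is a machine-password problem.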



Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

Joe,

how do i find out if there are any duplicate SPN's ?

On 11/16/06, joe <[EMAIL PROTECTED]> wrote:


 Do you have any duplicate SPNs? Well specifically the SPNs mentioned in
the error?

 --
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



 --
*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *hboogz
*Sent:* Thursday, November 16, 2006 12 :09 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Kerberos is Killing Me!


I am having continued issues with Kerberos. I tried running tokensz
against the problem server and i get this error message..

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128

Asked for delegate, but didn't get it.
Check if server is trusted for delegation.

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4
KeySize = 128
Flags = 2001c
Signature Algorithm = -138
Encrypt Algorithm = 26625
QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED


any ideas ?

I keep getting the following event log message on a domain controller
which prevents users from accessing it and authenticating to it.

Event Type:Error
Event Source:Kerberos
Event Category:None
Event ID:4
Date:11/16/2006
Time:12:02:37 PM
User:N/A
Computer:PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named  machine accounts in the target realm ( PHIPPSNY.ORG),
and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Help!



--
HBooGz:\>





--
HBooGz:\>


Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

Thanks Michael,

I ran the following command and got the following output.

C:\>dsquery * (dc=phippsny,dc=org) -filter
"(servicePrincipalName=host/phmaindc1)"

dsquery failed:A referral was returned from the server.
type dsquery /? for help.

On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:


Joe,

how do i find out if there are any duplicate SPN's ?

On 11/16/06, joe <[EMAIL PROTECTED]> wrote:
>
>  Do you have any duplicate SPNs? Well specifically the SPNs mentioned in
> the error?
>
>  --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
>
>  --
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *hboogz
> *Sent:* Thursday, November 16, 2006 12 :09 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Kerberos is Killing Me!
>
>
> I am having continued issues with Kerberos. I tried running tokensz
> against the problem server and i get this error message..
>
> C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation
> /target_s
> erver:host/phmaindc1
>
> Name: Negotiate Comment: Microsoft Package Negotiator
> Current PackageInfo->MaxToken: 12128
>
> Asked for delegate, but didn't get it.
> Check if server is trusted for delegation.
>
> QueryKeyInfo:
> Signature algorithm =
> Encrypt algorithm = RSADSI RC4
> KeySize = 128
> Flags = 2001c
> Signature Algorithm = -138
> Encrypt Algorithm = 26625
> QueryContextAttributes (lifespan): Status = 2148074242 0x80090302
> SEC_E_NOT_SUPP
> ORTED
>
>
> any ideas ?
>
> I keep getting the following event log message on a domain controller
> which prevents users from accessing it and authenticating to it.
>
> Event Type:Error
> Event Source:Kerberos
> Event Category:None
> Event ID:4
> Date:11/16/2006
> Time:12:02:37 PM
> User:N/A
> Computer:PHMAINDC1
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
> indicates that the password used to encrypt the kerberos service ticket is
> different than that on the target server. Commonly, this is due to
> identically named  machine accounts in the target realm ( PHIPPSNY.ORG),
> and the client realm.   Please contact your system administrator.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Help!
>
>
>
> --
> HBooGz:\>
>



--
HBooGz:\>





--
HBooGz:\>


[ActiveDir] OT: "Feisty"

2006-11-16 Thread Laura A. Robinson
It's okay, Joe, you can refer to me as "b!tchy", "ornery" or "pi$$y". I
admit it. :-)
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, November 16, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$


Adrian, of the 41,000+ messages I have archived for this list, this is the
only thread I can find that you have responded to
 
It begs one question? If it is so beneath you and you are so lazy, why
bother?
 
If this is your way of introducing yourself, some will probably consider it
strike 1. While Laura can be feisty, many people do think she is important.
I happen to be one of those people. Certainly she has been extremely helpful
both here and in the newsgroups and is positively great in personal email
and in person though in those forums as well she may get feisty. Feisty
doesn't bother me, what is important is technical quality and how willing
people are to share that quality and knowledge. I personally can be a
complete ass and kick sand on people, I try to temper it by also being
helpful occasionally. 
 
So while I don't consider this strike 1 for you, I do hope that you
contribute in a positive meaningful manner at some point as Laura has done
on many occasions and hopefully will continue to do so. 
 
 
Also, while this thread and others like it are off base, it is part and
parcel of this list and I don't expect them to go away any time soon. I
don't even wish that they do... If they do, the list might get a little
boring as there are strong "personalities" in this space and the collisions
are inevitable. From the standpoint of someone who has met personally a
great many of the "personalities" on the list and looking forward to meeting
even more, I actually find it oddly enjoyable at times. OT is in the
subject, that is clearly something that folks can filter out if they aren't
thrilled with this type of chatter. 
 
 
My only other comment on this at this point is Deji you boob, even if it
were Laura Hunter, you should have used a smiley. Knowing all of you
personally... I know that either one of them could take you in a fist
fight... ;o)
 
If Gil has his ears on, DEC needs a boxing ring and those sumo outfits so
people can slam each other in person all in fun. We could have side wagers
and everything. Little guys like me won't have a chance but it would be fun
just the same. 
 
  joe
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adrian Teodorescu
Sent: Thursday, November 16, 2006 10:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$



I'm too lazy to write and send you the bill (result : no explanation) and
also I'm too bored to enter in this "game" where you need to be, let's say
"important"

Over and out (mom)

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 16, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

 

I'm afraid I don't grok what your point is.

 

Laura (Robinson, not Hunter. Also not Chappell.)

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adrian Teodorescu
Sent: Wednesday, November 15, 2006 4:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

That's love J

Grow up people 

 

 



Re: [ActiveDir] Strange DC behaviour and error

2006-11-16 Thread hboogz

Thanks guys that clears up a lot.

I followed this article from Jorge's blog that has helped me resolve the net
time issue on my clients and servers.

http://blogs.dirteam.com/blogs/jorge/archive/2005/11/20/111.aspx

I'm using the PDCe as the forest root and using the internal clock.

however, i have another thread whereby Kerberos is just killing me.





On 11/16/06, Paul Williams <[EMAIL PROTECTED]> wrote:


 Pay no attention to NET TIME.  It's using legacy APIs and isn't an
accurate depiction of what w32time is doing.  If you want to know what
server is being used, crank up the logging of w32time (there's a KB that
explains how to do this).  Otherwise, run nltest /dsgetdc:domain-name.com (or
SET LOG if you logged on without cached credentials) and that will give
you a better idea of which DC is being used.

Note.  If there are several DCs in the site, the above might not be
indicative of the actual DC, but will give you a better idea than NET TIME.

As a quick note on time sync.  The PDCe is the authoritative root.
Clients will use any DC.  DCs use the PDCe in their domain.  The PDCes use
the forest root PDCe.


--Paul

- Original Message -
*From:* hboogz <[EMAIL PROTECTED]>
*To:* ActiveDir@mail.activedir.org
*Sent:* Thursday, November 16, 2006 3:20 PM
*Subject:* Re: [ActiveDir] Strange DC behaviour and error

the same issue started happening last night about 10:35 last night. this
was after i plugged in my DR link to the ad box out at my disaster recovery
site.

I came in this morning only to find that when i run a NET TIME from my
DC's it was resolving this DR Domain Controller.

i disconnected the link, reset the local machine passwords, rebooted and
all is up now.

what gives ? anyone have any ideas ?

On 11/15/06, hboogz <[EMAIL PROTECTED]> wrote:
>
> Hey Guys,
>
> Thanks for responses.
>
> I've been stuck in the data center for the past few hours.
>
> Here goes:
>
> It all started with this error in the event log:
>
> Event Type:Error
> Event Source:Kerberos
> Event Category:None
> Event ID:4
> Date:11/15/2006
> Time:03:17:45 PM
> User:N/A
> Computer:PHMAINDC1
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/phmaindc1.phippsny.org.  The target name used was cifs/PHMAINDC1. This
> indicates that the password used to encrypt the kerberos service ticket is
> different than that on the target server. Commonly, this is due to
> identically named  machine accounts in the target realm ( PHIPPSNY.ORG),
> and the client realm.   Please contact your system administrator.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Then it became all of these:
>
> Event Type:Warning
> Event Source:LSASRV
> Event Category:SPNEGO (Negotiator)
> Event ID:40960
> Date:11/15/2006
> Time:03:13:19 PM
> User:N/A
> Computer:PHMAINDC1
> Description:
> The Security System detected an authentication error for the server
> cifs/PHMAINDC1.phippsny.org.  The failure code from authentication protocol
> Kerberos was "The attempted logon is invalid. This is either due to a bad
> username or authentication information.
>  (0xc06d)".
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp .
> Data:
> : 6d 00 00 c0   m..À
>
>
> Event Type:Error
> Event Source:Userenv
> Event Category:None
> Event ID:1030
> Date:11/15/2006
> Time:02:58:23 PM
> User:PHIPPSNY\Administrator
> Computer:PHMAINDC1
> Description:
> Windows cannot query for the list of Group Policy objects. Check the
> event log for possible messages previously logged by the policy engine that
> describes the reason for this.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Event Type:Error
> Event Source:Userenv
> Event Category:None
> Event ID:1053
> Date:11/15/2006
> Time:03:03:19 PM
> User:NT AUTHORITY\SYSTEM
> Computer:PHMAINDC1
> Description:
> Windows cannot determine the user or computer name. (Access is denied.
> ). Group Policy processing aborted.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Strangely, the maindc, phmaindc1, lost its forward lookup zone (ad-int)
> and it's reverse lookup zone ( ad-int ) but my second DC maintained them. I
> tried adding the zones back into phmaind1, only to get an error indicating
> "invalid data".
>
> So, what i did was make all working zones on the working DC primary (
> non-ad) and added secondary zones into phmaindc1.
>
> i tried, dcdiag /fix and netdiag /fix - but nothing.
>
> tried restarting the netlogon service - nothing.
>
> I came across the forums that indicated the PTR and A record entries --
> didn't find any duplicates or wrong entries, everything is a one-to-o

Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

I need to be able to find the SPN as the dsquery given didn't work for me.

the host name without the dns suffix -- netbios name is phmaindc1

on top the issues i have now, replication from phmaindc1 doesn't work to the
other dc's, but when i run a repadmin /showreps from the other domain
controllers, replication TO phmaindc1 reports successfully.

i don't have identically named hosts, never did but it sounds like it could
be the issue.

DNS is setup as AD-INT right now on all servers, reverse and forward zones.

I need insight on how to find duplicate SPN's.



On 11/16/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


Do you have identically named hosts?  Maybe nic teaming gone wrong?
Clustering?

Strange DNS?

What exactly is the hostname supposed to be?  host/phprint1?  That's not
the same as the host name you're reporting from (SPN?)

Al

On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:
>
>
> I am having continued issues with Kerberos. I tried running tokensz
> against the problem server and i get this error message..
>
> C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation
> /target_s
> erver:host/phmaindc1
>
> Name: Negotiate Comment: Microsoft Package Negotiator
> Current PackageInfo->MaxToken: 12128
>
> Asked for delegate, but didn't get it.
> Check if server is trusted for delegation.
>
> QueryKeyInfo:
> Signature algorithm =
> Encrypt algorithm = RSADSI RC4
> KeySize = 128
> Flags = 2001c
> Signature Algorithm = -138
> Encrypt Algorithm = 26625
> QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED
>
>
> any ideas ?
>
> I keep getting the following event log message on a domain controller
> which prevents users from accessing it and authenticating to it.
>
> Event Type:Error
> Event Source:Kerberos
> Event Category:None
> Event ID:4
> Date:11/16/2006
> Time:12:02:37 PM
> User:N/A
> Computer:PHMAINDC1
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
> indicates that the password used to encrypt the kerberos service ticket is
> different than that on the target server. Commonly, this is due to
> identically named  machine accounts in the target realm ( PHIPPSNY.ORG),
> and the client realm.   Please contact your system administrator.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Help!
>
>
>
> --
> HBooGz:\>






--
HBooGz:\>
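One way to answer the "how do I find duplicate SPNs" question for the whole domain at once, rather than one SPN per query, as an added example that is not code from the thread or from AdFind: dump every servicePrincipalName with an AdFind query in the same form used elsewhere in this thread (`adfind -default -f "(servicePrincipalName=*)" servicePrincipalName`, redirected to a file), then let the script below group the values case-insensitively and report any SPN that is registered on more than one object. The dump parsed here is constructed, with one duplicate planted for the demonstration, and the function names are mine.

```python
from collections import defaultdict

# Constructed AdFind-style dump: objects separated by blank lines, attributes
# printed as ">attr: value".  One duplicate is planted deliberately:
# HOST/phmaindc1.phippsny.org appears on both PHMAINDC1 and PHPRINT1.
SAMPLE_DUMP = """\
dn:CN=PHMAINDC1,OU=Domain Controllers,DC=phippsny,DC=org
>servicePrincipalName: HOST/PHMAINDC1
>servicePrincipalName: HOST/phmaindc1.phippsny.org
>servicePrincipalName: ldap/phmaindc1.phippsny.org

dn:CN=PHPRINT1,OU=Domain Controllers,DC=phippsny,DC=org
>servicePrincipalName: HOST/PHPRINT1
>servicePrincipalName: HOST/phprint1.phippsny.org
>servicePrincipalName: host/PHMAINDC1.phippsny.org

dn:CN=svc-web,OU=Service Accounts,DC=phippsny,DC=org
>servicePrincipalName: HTTP/intranet.phippsny.org

3 Objects returned
"""


def parse_spn_dump(text):
    """Map each SPN (lower-cased, because Kerberos SPN lookup ignores case)
    to the list of distinguished names that carry it."""
    owners = defaultdict(list)
    current_dn = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("dn:"):
            current_dn = line[3:].strip()
        elif current_dn and line.lstrip(">").lower().startswith("serviceprincipalname:"):
            spn = line.lstrip(">").split(":", 1)[1].strip().lower()
            if current_dn not in owners[spn]:
                owners[spn].append(current_dn)
    return dict(owners)


def find_duplicate_spns(text):
    """SPNs that more than one object claims.  The KDC encrypts the service
    ticket with one owner's key, so a service running under the other owner
    cannot decrypt it and reports KRB_AP_ERR_MODIFIED."""
    return {spn: dns for spn, dns in parse_spn_dump(text).items() if len(dns) > 1}


def owners_of(text, spn):
    """Equivalent of the per-SPN adfind query in the thread, answered from the dump."""
    return parse_spn_dump(text).get(spn.lower(), [])


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_DUMP).items():
        print(f"DUPLICATE {spn}:")
        for dn in dns:
            print(f"    {dn}")
    print("host/phprint1 ->", owners_of(SAMPLE_DUMP, "host/phprint1"))
```

Run it against a dump taken from each domain in the forest, since the event quoted above names both a target realm and a client realm; an SPN that is unique inside phippsny.org can still collide with one registered in the child domain.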


Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

This is the output i received from adfind.

C:\Tools\AdFind>adfind -default -f (servicePrincipalName=host/phmaindc1.phippsny.org) cn

AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006

Using server: PHMAINDC1.phippsny.org:389
Directory: Windows Server 2003
Base DN: DC=phippsny,DC=org

dn:CN=PHMAINDC1,OU=Domain Controllers,DC=phippsny,DC=org

cn: PHMAINDC1



1 Objects returned

C:\Tools\AdFind>adfind -default -f (servicePrincipalName=host/phprint1.phippsny.org) cn

AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006

Using server: PHMAINDC1.phippsny.org:389
Directory: Windows Server 2003
Base DN: DC=phippsny,DC=org

dn:CN=PHPRINT1,OU=Domain Controllers,DC=phippsny,DC=org

cn: PHPRINT1



1 Objects returned


Those are my two domain controllers in the forest root domain (phippsny.org)

i have a child domain and will run it against that child domain controller
as well.




On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:


I need to be able to find the SPN as the dsquery given didn't work for me.

the host name without the dns suffix -- netbios name is phmaindc1

on top the issues i have now, replication from phmaindc1 doesn't work to
the other dc's, but when i run a repadmin /showreps from the other domain
controllers, replication TO phmaindc1 reports successfully.

i don't have identically named hosts, never did but it sounds like it
could be the issue.

DNS is setup as AD-INT right now on all servers, reverse and forward
zones.

I need insight on how to find duplicate SPN's.



On 11/16/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
>
> Do you have identically named hosts?  Maybe nic teaming gone wrong?
> Clustering?
>
> Strange DNS?
>
> What exactly is the hostname supposed to be?  host/phprint1?  That's not
> the same as the host name you're reporting from (SPN?)
>
> Al
>
> On 11/16/06, hboogz < [EMAIL PROTECTED]> wrote:
> >
> >
> > I am having continued issues with Kerberos. I tried running tokensz
> > against the problem server and i get this error message..
> >
> > C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation
> > /target_s
> > erver:host/phmaindc1
> >
> > Name: Negotiate Comment: Microsoft Package Negotiator
> > Current PackageInfo->MaxToken: 12128
> >
> > Asked for delegate, but didn't get it.
> > Check if server is trusted for delegation.
> >
> > QueryKeyInfo:
> > Signature algorithm =
> > Encrypt algorithm = RSADSI RC4
> > KeySize = 128
> > Flags = 2001c
> > Signature Algorithm = -138
> > Encrypt Algorithm = 26625
> > QueryContextAttributes (lifespan): Status = 2148074242 0x80090302
> > SEC_E_NOT_SUPP
> > ORTED
> >
> >
> > any ideas ?
> >
> > I keep getting the following event log message on a domain controller
> > which prevents users from accessing it and authenticating to it.
> >
> > Event Type:Error
> > Event Source:Kerberos
> > Event Category:None
> > Event ID:4
> > Date:11/16/2006
> > Time:12:02:37 PM
> > User:N/A
> > Computer:PHMAINDC1
> > Description:
> > The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> > server host/phmaindc1.phippsny.org.  The target name used was host/phprint1.
> > This indicates that the password used to encrypt the kerberos service ticket
> > is different than that on the target server. Commonly, this is due to
> > identically named  machine accounts in the target realm ( PHIPPSNY.ORG),
> > and the client realm.   Please contact your system administrator.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> >
> >
> > Help!
> >
> >
> >
> > --
> > HBooGz:\>
>
>
>


--
HBooGz:\>





--
HBooGz:\>


[ActiveDir] How to completely isolate a DC?

2006-11-16 Thread Andy Wang

I need to make a change across our domain. My plan is to make the change on
one DC and test it, then roll out to other 50 DCs.

I tried to temporarily disable outbound replication of Active Directory with
repadmin by doing this:

repadmin /options +DISABLE_OUTBOUND_REPL

To my surprise, the change I made still replicated to other DCs immediately.


So how can I isolate a DC and make sure the change I made not replicate to
other DCs?

Thanks for your help!

Andy


Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

This is the output from the child domain controller.

C:\Tools\AdFind>adfind -default -f (servicePrincipalName=host/phjacdc1.jacwf.phippsny.org) cn

AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006

Using server: phjacdc1.jacwf.phippsny.org:389
Directory: Windows Server 2003
Base DN: DC=jacwf,DC=phippsny,DC=org

dn:CN=PHJACDC1,OU=Domain Controllers,DC=jacwf,DC=phippsny,DC=org

cn: PHJACDC1



1 Objects returned

On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:


This is the output i received from adfind.

C:\Tools\AdFind>adfind -default -f (servicePrincipalName=host/phmaindc1.phippsny.org) cn

AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED] ) November 2006

Using server: PHMAINDC1.phippsny.org:389
Directory: Windows Server 2003
Base DN: DC=phippsny,DC=org

dn:CN=PHMAINDC1,OU=Domain Controllers,DC=phippsny,DC=org
>cn: PHMAINDC1


1 Objects returned

C:\Tools\AdFind>adfind -default -f (servicePrincipalName=host/phprint1.phippsny.org) cn

AdFind V01.34.00cpp Joe Richards ( [EMAIL PROTECTED]) November 2006

Using server: PHMAINDC1.phippsny.org:389
Directory: Windows Server 2003
Base DN: DC=phippsny,DC=org

dn:CN=PHPRINT1,OU=Domain Controllers,DC=phippsny,DC=org
>cn: PHPRINT1


1 Objects returned


Those are my two domain controllers in the forest root domain (phippsny.org)

i have a child domain and will run it against that child domain controller
as well.




On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:
>
> I need to be able to find the SPN as the dsquery given didn't work for
> me.
>
> the host name without the dns suffix -- netbios name is phmaindc1
>
> on top the issues i have now, replication from phmaindc1 doesn't work to
> the other dc's, but when i run a repadmin /showreps from the other domain
> contollers, replication TO phmaindc1 reports successfully.
>
> i don't have identically named hosts, never did but it sounds like it
> could be the issue.
>
> DNS is setup as AD-INT right now on all servers, reverse and forward
> zones.
>
> I need insight on how to find duplicate SPN's.
>
>
>
> On 11/16/06, Al Mulnick < [EMAIL PROTECTED]> wrote:
> >
> > Do you have identically named hosts?  Maybe nic teaming gone wrong?
> > Clustering?
> >
> > Strange DNS?
> >
> > What exactly is the hostname supposed to be?  host/phprint1?  That's
> > not the same as the host name you're reporting from (SPN?)
> >
> > Al
> >
> > On 11/16/06, hboogz < [EMAIL PROTECTED]> wrote:
> > >
> > >
> > > I am having continued issues with Kerberos. I tried running tokensz
> > > against the problem server and i get this error message..
> > >
> > > C:\Tools>tokensz /compute_tokensize /package:negotiate
> > > /use_delegation /target_s
> > > erver:host/phmaindc1
> > >
> > > Name: Negotiate Comment: Microsoft Package Negotiator
> > > Current PackageInfo->MaxToken: 12128
> > >
> > > Asked for delegate, but didn't get it.
> > > Check if server is trusted for delegation.
> > >
> > > QueryKeyInfo:
> > > Signature algorithm =
> > > Encrypt algorithm = RSADSI RC4
> > > KeySize = 128
> > > Flags = 2001c
> > > Signature Algorithm = -138
> > > Encrypt Algorithm = 26625
> > > QueryContextAttributes (lifespan): Status = 2148074242 0x80090302
> > > SEC_E_NOT_SUPP
> > > ORTED
> > >
> > >
> > > any ideas ?
> > >
> > > I keep getting the following event log message on a domain
> > > controller which prevents users from accessing it and authenticating to 
it.
> > >
> > > Event Type:Error
> > > Event Source:Kerberos
> > > Event Category:None
> > > Event ID:4
> > > Date:11/16/2006
> > > Time:12:02:37 PM
> > > User:N/A
> > > Computer:PHMAINDC1
> > > Description:
> > > The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> > > server host/phmaindc1.phippsny.org.  The target name used was 
host/phprint1.
> > > This indicates that the password used to encrypt the kerberos service 
ticket
> > > is different than that on the target server. Commonly, this is due to
> > > identically named  machine accounts in the target realm (
> > > PHIPPSNY.ORG), and the client realm.   Please contact your system
> > > administrator.
> > >
> > > For more information, see Help and Support Center at
> > > http://go.microsoft.com/fwlink/events.asp.
> > >
> > >
> > > Help!
> > >
> > >
> > >
> > > --
> > > HBooGz:\>
> >
> >
> >
>
>
> --
> HBooGz:\>




--
HBooGz:\>





--
HBooGz:\>


Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

As a result of the above, I get the following issue when trying to run a
repadmin /showreps from the phmaindc1 DC.

Source: MainOffice\PHPRINT1
*** 194 CONSECUTIVE FAILURES since 2006-11-15 12:39:33
Last error: 8453 (0x2105):
   Replication access was denied.

Source: jacwf\PHJACDC1
*** 110 CONSECUTIVE FAILURES since 2006-11-15 12:38:34
Last error: 8453 (0x2105):
   Replication access was denied.


but from phprint ( another DC in the same domain ) and PHJACDC1 ( child DC
in child domain: jacwf.phippsny.org ) I get successful replication entries
when running repadmin /showreps.


I've reset the local machine account password about 3 times today on all
DC's.



On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:


This is the output from the child domain controller.

C:\Tools\AdFind>adfind -default -f (servicePrincipalName=host/phjacdc1.jacwf.phippsny.org) cn

AdFind V01.34.00cpp Joe Richards ( [EMAIL PROTECTED]) November 2006

Using server: phjacdc1.jacwf.phippsny.org:389
Directory: Windows Server 2003
Base DN: DC=jacwf,DC=phippsny,DC=org

dn:CN=PHJACDC1,OU=Domain Controllers,DC=jacwf,DC=phippsny,DC=org
>cn: PHJACDC1


1 Objects returned

On 11/16/06, hboogz < [EMAIL PROTECTED]> wrote:
>
> This is the output i received from adfind.
>
> C:\Tools\AdFind>adfind -default -f
> (servicePrincipalName=host/phmaindc1.phippsny
> .org) cn
>
> AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED] ) November 2006
>
> Using server: PHMAINDC1.phippsny.org:389
> Directory: Windows Server 2003
> Base DN: DC=phippsny,DC=org
>
> dn:CN=PHMAINDC1,OU=Domain Controllers,DC=phippsny,DC=org
> >cn: PHMAINDC1
>
>
> 1 Objects returned
>
> C:\Tools\AdFind>adfind -default -f
> (servicePrincipalName=host/phprint1.phippsny.
> org) cn
>
> AdFind V01.34.00cpp Joe Richards ( [EMAIL PROTECTED]) November 2006
>
> Using server: PHMAINDC1.phippsny.org:389
> Directory: Windows Server 2003
> Base DN: DC=phippsny,DC=org
>
> dn:CN=PHPRINT1,OU=Domain Controllers,DC=phippsny,DC=org
> >cn: PHPRINT1
>
>
> 1 Objects returned
>
>
> Those are my two domain controllers in the forest root domain (
> phippsny.org)
>
> i have a child domain and will run it against that child domain
> controller as well.
>
>
>
>
> On 11/16/06, hboogz < [EMAIL PROTECTED]> wrote:
> >
> > I need to be able to find the SPN as the dsquery given didn't work for
> > me.
> >
> > the host name without the dns suffix -- netbios name is phmaindc1
> >
> > on top the issues i have now, replication from phmaindc1 doesn't work
> > to the other dc's, but when i run a repadmin /showreps from the other domain
> > contollers, replication TO phmaindc1 reports successfully.
> >
> > i don't have identically named hosts, never did but it sounds like it
> > could be the issue.
> >
> > DNS is setup as AD-INT right now on all servers, reverse and forward
> > zones.
> >
> > I need insight on how to find duplicate SPN's.
> >
> >
> >
> > On 11/16/06, Al Mulnick < [EMAIL PROTECTED]> wrote:
> > >
> > > Do you have identically named hosts?  Maybe nic teaming gone wrong?
> > > Clustering?
> > >
> > > Strange DNS?
> > >
> > > What exactly is the hostname supposed to be?  host/phprint1?  That's
> > > not the same as the host name you're reporting from (SPN?)
> > >
> > > Al
> > >
> > > On 11/16/06, hboogz < [EMAIL PROTECTED]> wrote:
> > > >
> > > >
> > > > I am having continued issues with Kerberos. I tried running
> > > > tokensz against the problem server and i get this error message..
> > > >
> > > > C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1
> > > >
> > > > Name: Negotiate Comment: Microsoft Package Negotiator
> > > > Current PackageInfo->MaxToken: 12128
> > > >
> > > > Asked for delegate, but didn't get it.
> > > > Check if server is trusted for delegation.
> > > >
> > > > QueryKeyInfo:
> > > > Signature algorithm =
> > > > Encrypt algorithm = RSADSI RC4
> > > > KeySize = 128
> > > > Flags = 2001c
> > > > Signature Algorithm = -138
> > > > Encrypt Algorithm = 26625
> > > > QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED
> > > >
> > > >
> > > > any ideas ?
> > > >
> > > > I keep getting the following event log message on a domain
> > > > controller which prevents users from accessing it and authenticating to it.
> > > >
> > > > Event Type:Error
> > > > Event Source:Kerberos
> > > > Event Category:None
> > > > Event ID:4
> > > > Date:11/16/2006
> > > > Time:12:02:37 PM
> > > > User:N/A
> > > > Computer:PHMAINDC1
> > > > Description:
> > > > The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> > > > server host/phmaindc1.phippsny.org.  The target name used was host/phprint1.
> > > > This indicates that the password used to encrypt the kerberos service ticket
> > > > is different than that on the target server. Commonly, this is due to
> > > > identically named machine accounts in the target realm (

Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

This is my kerbtray output; I really don't know how to determine if the
ticket is forwardable.



On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:


As a result of the above, I get the following issue when trying to run a
repadmin /showreps from the phmaindc1 DC.

Source: MainOffice\PHPRINT1
*** 194 CONSECUTIVE FAILURES since 2006-11-15 12:39:33
Last error: 8453 (0x2105):
Replication access was denied.

Source: jacwf\PHJACDC1
*** 110 CONSECUTIVE FAILURES since 2006-11-15 12:38:34
Last error: 8453 (0x2105):
Replication access was denied.


but from phprint (another DC in the same domain) and PHJACDC1 (child DC
in child domain: jacwf.phippsny.org) I get successful replication
entries when running repadmin /showreps.


I've reset the local machine account password about 3 times today on all
DCs.



On 11/16/06, hboogz < [EMAIL PROTECTED]> wrote:
>
> This is the output from the child domain controller.
>
> C:\Tools\AdFind>adfind -default -f (servicePrincipalName=host/phjacdc1.jacwf.phippsny.org) cn
>
> AdFind V01.34.00cpp Joe Richards ( [EMAIL PROTECTED]) November 2006
>
> Using server: phjacdc1.jacwf.phippsny.org:389
> Directory: Windows Server 2003
> Base DN: DC=jacwf,DC=phippsny,DC=org
>
> dn:CN=PHJACDC1,OU=Domain Controllers,DC=jacwf,DC=phippsny,DC=org
> >cn: PHJACDC1
>
>
> 1 Objects returned
>
> On 11/16/06, hboogz < [EMAIL PROTECTED]> wrote:
> >
> > This is the output i received from adfind.
> >
> > C:\Tools\AdFind>adfind -default -f (servicePrincipalName=host/phmaindc1.phippsny.org) cn
> >
> > AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED] ) November 2006
> >
> > Using server: PHMAINDC1.phippsny.org:389
> > Directory: Windows Server 2003
> > Base DN: DC=phippsny,DC=org
> >
> > dn:CN=PHMAINDC1,OU=Domain Controllers,DC=phippsny,DC=org
> > >cn: PHMAINDC1
> >
> >
> > 1 Objects returned
> >

Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

Just to add another wrench, I get this DNS error from phmaindc1 when trying
to registerdns.

C:\>ipconfig /registerdns

Windows IP Configuration

Registration of DNS records failed: The RPC server is unavailable.

=)


[ActiveDir] Domain and Subdomain. Duplicating accounts

2006-11-16 Thread Ramon Linan
Hi,

The company I work for has 2 offices in 2 different states.

The main office is domain.com and other office is a subdomain
(sub.domain.com).

Our users sometimes go to the other office (sub.domain.com) to work for
a week or so, I just found out that other SA has been creating accounts
for my users in the subdomain.

So now I have the "same" user in the domain and subdomain; besides being a
stupid way of doing things, is there any technical issue this could
create?


Thanks

Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

Hey Laura,

this is the strange DC error guy...unfortunately.

This DC has existed for about 4 months. I did a parallel upgrade to 2003 with a
new box, promoting it into a Windows 2000 domain using adprep /forestprep
and adprep /domainprep:gprep.

There has never been use of duplicate names.

this DC was never restored from a backup.

There has never been a duplicate name for any member servers, nor have there
been any backup restores...

I'm able to update DNS registration from this maindc now, because I needed
to enable the DHCP client service on the machine.

I've tried the following from the problematic DC:

net stop kdc

purge kerberos ticket cache using kerbtray

reset pwd using netdom

net start kdc

reboot

but I continue to get Replication access denied from one DC to all three of
my DCs.

I've tried the same as above from a second DC without removing the ticket
cache, but still get the same errors from the phmaindc1 DC.



All other DC's replicate with this DC just fine.

I've checked the zones through dnscmd and made sure they are alike with
regard to zone type. dnscmd /enumzones:

C:\>dnscmd /enumzones
Enumerated zone list:

   Zone count = 5

Zone name                  Type        Storage      Properties

.                          Cache       AD-Domain
168.192.in-addr.arpa       Primary     AD-Domain    Update Rev Aging
31.168.192.in-addr.arpa    Secondary   File         Rev
jacwf.phippsny.org         Secondary   File
phippsny.org               Primary     AD-Domain    Update Aging

Command completed successfully.

above is PHMAINDC1

Below is PHPRINT1

C:\>dnscmd /enumzones
Enumerated zone list:

   Zone count = 5

Zone name                  Type        Storage      Properties

.                          Cache       AD-Domain
168.192.in-addr.arpa       Primary     AD-Domain    Update Rev Aging
31.168.192.in-addr.arpa    Secondary   File         Rev
jacwf.phippsny.org         Secondary   File
phippsny.org               Primary     AD-Domain    Update Aging

Command completed successfully.



=\

i'm stuck.



On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:


 Is this the same set of machines that are being talked about in the
"strange DC error" thread? I don't remember who it was who originated that
one and I want to make sure I'm not asking for something you've already
provided.

So, if the answer to the above is "no", my next question is, can you
provide a little more information about the environment? How long has this
DC existed as a DC? Was there ever another DC with the same name? Was this
DC at any point restored from a backup? Has it been consistently connected
to the network? How about the member server- same questions as the DC
questions.

Thanks,

Laura

--
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos is Killing Me!


I am having continued issues with Kerberos. I tried running tokensz
against the problem server and i get this error message..

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128

Asked for delegate, but didn't get it.
Check if server is trusted for delegation.

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4
KeySize = 128
Flags = 2001c
Signature Algorithm = -138
Encrypt Algorithm = 26625
QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED


any ideas ?

I keep getting the following event log message on a domain controller
which prevents users from accessing it and authenticating to it.

Event Type:Error
Event Source:Kerberos
Event Category:None
Event ID:4
Date:11/16/2006
Time:12:02:37 PM
User:N/A
Computer:PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (PHIPPSNY.ORG),
and the client realm. Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Help!



--
HBooGz:\>





--
HBooGz:\>


RE: [ActiveDir] Strange DC behavior and error

2006-11-16 Thread Laura A. Robinson
I'm inclined to attribute that to luck as opposed to some magic that's
happening under the covers. The process of making the machine a DC is going
to ensure that there's time sync, and there's a whole bunch of stuff going
on at that first boot after promotion. Just because you don't "see"
replication happening doesn't mean it isn't happening. For that matter, it
already *has* happened by then- during dcpromo.
 
I can pretty well guarantee that your issuing the w32tm command is having
absolutely zero effect on the process.
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott, Anthony
Sent: Thursday, November 16, 2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DC behavior and error



I’ve installed new DCs that don’t replicate at first. As soon as I issue the
w32tm command I listed below replication kicks off. Not in all cases, but a
few. 

 

 

Thanks,

Anthony Scott

Microsoft Consultant

Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]

   Berbee

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, November 16, 2006 1:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DC behavior and error

 

Windows machines get time based on their config... if they aren't set to use
a specific server and just follow the Windows architecture, they use the DC
that authenticated the secure channel. This usually means members go to a
local DC, the local DC goes to the PDC of the domain they are in and the
Domain PDCs go to the forest root PDC. 

 

The NET TIME command (except for /querysntp) does not accurately reflect
what DC is being used for the time service. Search on posts from Bob Free in
the archives, he has laid this out in painful detail at least 4 or 5 times
on exactly how it all works. 

 

What specifically have you seen not working as advertised?

 

   joe

 

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott, Anthony
Sent: Thursday, November 16, 2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DC behavior and error

Windows is supposed to get its time from the PDC role holder, sometimes
though this does not work as advertised. So I usually issue this command on
any new DCs I bring up:

W32tm /config /syncfromflags:DOMHIER /update

Then:

Net stop w32time & net start w32time

 

 

Thanks,

Anthony Scott

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange DC behaviour and error

 

The same issue started happening last night at about 10:35. This was
after I plugged in my DR link to the AD box out at my disaster recovery
site.

I came in this morning only to find that when i run a NET TIME from my DC's
it was resolving this DR Domain Controller. 

i disconnected the link, reset the local machine passwords, rebooted and all
is up now.

what gives ? anyone have any ideas ?

On 11/15/06, hboogz <[EMAIL PROTECTED]> wrote:

Hey Guys,

Thanks for responses.

I've been stuck in the data center for the past few hours.

Here goes:

It all started with this error in the event log:

Event Type:Error
Event Source:Kerberos
Event Category:None
Event ID:4
Date:11/15/2006
Time:03:17:45 PM 
User:N/A 
Computer:PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was cifs/PHMAINDC1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (PHIPPSNY.ORG), and
the client realm. Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Then it became all of these:

Event Type:Warning
Event Source:LSASRV
Event Category:SPNEGO (Negotiator) 
Event ID:40960
Date:11/15/2006
Time:03:13:19 PM
User:N/A
Computer:PHMAINDC1
Description: 
The Security System detected an authentication error for the server
cifs/PHMAINDC1.phippsny.org.  The failure code from authentication protocol
Kerberos was "The attempted logon is invalid. This is either due to a bad
username or authentication information. (0xc06d)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
: 6d 00 00 c0   m..À


Event Type:Error
Event Source:Userenv 
Event Category:None
Event ID:1030
Date:11/15/2006
Time:02:58:23 PM
User:PHIPPSNY\Administrator
Computer:PHMAINDC1
Description:
Windows cannot query for the list

Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Michael B Allen
Try it again but specify the full DN to the Computers container.

Mike

On Thu, 16 Nov 2006 14:41:41 -0500
hboogz <[EMAIL PROTECTED]> wrote:

> Thanks Michael,
> 
> I ran the following command and got the following output.
> 
> C:\>dsquery * (dc=phippsny,dc=org) -filter
> "(servicePrincipalName=host/phmaindc1)"
> 
> dsquery failed:A referral was returned from the server.
> type dsquery /? for help.

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
1. Is phmaindc1 a DC for PHIPPSNY.ORG?
2. Is phprint1 a member of PHIPPSNY.ORG?
3. Are you able to provide any of the other information I asked about in my
other response? 
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


Thanks Michael,

I ran the following command and got the following output.

C:\>dsquery * (dc=phippsny,dc=org) -filter
"(servicePrincipalName=host/phmaindc1)"

dsquery failed:A referral was returned from the server. 
type dsquery /? for help.


On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote: 

Joe,

How do I find out if there are any duplicate SPNs?



On 11/16/06, joe <[EMAIL PROTECTED]> wrote:

Do you have any duplicate SPNs? Well specifically the SPNs mentioned in the
error?
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 





-- 
HBooGz:\> 




-- 
HBooGz:\> 



RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
Why I asked the questions I asked:
 
http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1





Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

When I run a

dcdiag /test:replications from the problematic controller, I get something
I've seen before.

The machine account for the destination PHMAINDC1 is not configured properly.
Check the userAccountControl field.
Kerberos Error.

I think this may be the source of my issue: the userAccountControl field, and
adjusting it to reflect that the computer account PHMAINDC1 is actually a
server account.

I also get this related message from DCDIAG:

 Starting test: MachineAccount
Checking machine account for DC PHMAINDC1 on DC PHMAINDC1.
The account PHMAINDC1 is not trusted for delegation.  It cannot replicate.
The account PHMAINDC1 is not a DC account.  It cannot replicate.
Warning:  Attribute userAccountControl of PHMAINDC1 is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
* SPN found :LDAP/PHMAINDC1.phippsny.org/phippsny.org
* SPN found :LDAP/PHMAINDC1.phippsny.org
* SPN found :LDAP/PHMAINDC1
* SPN found :LDAP/PHMAINDC1.phippsny.org/PHIPPSNY
* SPN found :LDAP/f1da285e-a98b-40d3-abcc-f69057435ed8._msdcs.phippsny.org
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/f1da285e-a98b-40d3-abcc-f69057435ed8/phippsny.org
* SPN found :HOST/PHMAINDC1.phippsny.org/phippsny.org
* SPN found :HOST/PHMAINDC1.phippsny.org
* SPN found :HOST/PHMAINDC1
* SPN found :HOST/PHMAINDC1.phippsny.org/PHIPPSNY
* SPN found :GC/PHMAINDC1.phippsny.org/phippsny.org
. PHMAINDC1 failed test MachineAccount

I also get this message when running a netdiag:

The Record is different on DNS server '192.168.1.1'.
DNS server has more than one entries for this name, usually this means there are
multiple DCs for this domain.
Your DC entry is one of them on DNS server '192.168.1.1', no need to re-register

but I don't have multiple records associated with 192.168.1.1; I just
don't see them..

Should I manually delete all records and PTRs pointing to 1.1 and registerdns?




RE: [ActiveDir] Strange DC behaviour and error

2006-11-16 Thread Laura A. Robinson
Then answer my questions! ;-)
 
Laura


  

However, I have another thread whereby Kerberos is just killing me.




-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.

 


Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

**Update***

I changed the user account control attribute using the following directions:

Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want to change the
UserAccountControl value and select properties
* Go to the UserAccountControl attribute
* You should see a value (from what you have described):
536576
* Change that value to: 532480

I then followed the instructions found here: Re: access denied

http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server

net stop kdc

clear ticket cache

reset machine password

open sites and services and forced replication with phprint -- which
succeeded

opened replmon and synchronized with phprint1.

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful

However, I still get an error to the child domain indicating access denied.

Should I wait for AD replication for this to work?



On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:


When I run a dcdiag /test:replications from the problematic controller, I get
something I've seen before.

The machine account for the destination PHMAINDC1.
is not configured properly.
Check the userAccountControl field.
Kerberos Error.

I think this may be the source of my issue: the userAccountControl field,
and adjusting it to reflect that the computer account PHMAINDC1 is actually
a server account.

I also get this related message from DCDIAG:

   Starting test: MachineAccount
      Checking machine account for DC PHMAINDC1 on DC PHMAINDC1.
      The account PHMAINDC1 is not trusted for delegation.  It cannot replicate.
      The account PHMAINDC1 is not a DC account.  It cannot replicate.
      Warning:  Attribute userAccountControl of PHMAINDC1 is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
      Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
      This may be affecting replication?
      * SPN found :LDAP/PHMAINDC1.phippsny.org/phippsny.org
      * SPN found :LDAP/PHMAINDC1.phippsny.org
      * SPN found :LDAP/PHMAINDC1
      * SPN found :LDAP/PHMAINDC1.phippsny.org/PHIPPSNY
      * SPN found :LDAP/f1da285e-a98b-40d3-abcc-f69057435ed8._msdcs.phippsny.org
      * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/f1da285e-a98b-40d3-abcc-f69057435ed8/phippsny.org
      * SPN found :HOST/PHMAINDC1.phippsny.org/phippsny.org
      * SPN found :HOST/PHMAINDC1.phippsny.org
      * SPN found :HOST/PHMAINDC1
      * SPN found :HOST/PHMAINDC1.phippsny.org/PHIPPSNY
      * SPN found :GC/PHMAINDC1.phippsny.org/phippsny.org
      . PHMAINDC1 failed test MachineAccount

I also get this message when running a netdiag:

The Record is different on DNS server '192.168.1.1'.
DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain.
Your DC entry is one of them on DNS server '192.168.1.1', no need to re-register

But then I don't have multiple records associated with 192.168.1.1; I just
don't see them..

Should I manually delete all records and PTRs to 1.1 and registerdns?



On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:
>
> Hey Laura,
>
> this is the strange DC error guy...unfortunately.
>
> This DC existed for about 4 months. I did a parallel upgrade to 2003
> with a new box and promoting it into a windows 2000 domain using adprep
> /forestprep and adprep /domainprep:gprep.
>
> There has never been use of duplicate names.
>
> this DC was never restored from a backup.
>
> there never has been a duplicate name for any member servers nor have
> there been any backup restores...
>
> I'm able to update DNS registration from this maindc now, because I
> needed to enable the DHCP client service on the machine.
>
> I've tried the following from the problematic DC:
>
> net stop kdc
>
> purge kerberos ticket cache using kerbtray
>
> reset pwd using netdom
>
> net start kdc
>
> reboot
>
> but I continue to get Replication access denied from one DC to all three
> of my DC's.
>
> I've tried the same as above from a second DC without removing the
> ticket cache, but still get the same errors from the phmaindc1 DC.
>
>
>
> All other DC's replicate with this DC just fine.
>
> I've checked the zones through dnscmd and made sure they are alike with
> regard to zone type: dnscmd /enumzones
>
> C:\>dnscmd /enumzones
> Enumerated zone list:
>
> Zone count = 5
>
>  Zone name                  Type       Storage     Properties
>
>  .                          Cache      AD-Domain
>  168.192.in-addr.arpa       Primary    AD-Domain   Update Rev Aging
>  31.168.192.in-addr.arpa    Secondary  File        Rev
>  jacwf.phippsny.org         Secondary  File
>  phippsny.org               Primary    AD-Domain   Update Aging
>
> Command completed
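The userAccountControl values quoted in this message and in the dcdiag output, decoded by an added check (example code, not from the thread or from dcdiag/adsiedit): 536576 is 0x83000, the DC bits plus a stray UF_WORKSTATION_TRUST_ACCOUNT, while 532480 is the 0x82000 that dcdiag calls typical.

```python
# Added example (not code from this thread or from dcdiag/adsiedit): decode a
# userAccountControl value and check it against what a DC's computer account needs.

# Subset of the documented UF_* bit layout, using the names dcdiag prints.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000
UF_NOT_DELEGATED = 0x100000

UF_NAMES = {
    UF_ACCOUNTDISABLE: "UF_ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "UF_NORMAL_ACCOUNT",
    UF_INTERDOMAIN_TRUST_ACCOUNT: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "UF_WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "UF_SERVER_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "UF_DONT_EXPIRE_PASSWD",
    UF_TRUSTED_FOR_DELEGATION: "UF_TRUSTED_FOR_DELEGATION",
    UF_NOT_DELEGATED: "UF_NOT_DELEGATED",
}

# Only one of these account-type bits may be set on any account object.
ACCOUNT_TYPE_MASK = (UF_NORMAL_ACCOUNT | UF_INTERDOMAIN_TRUST_ACCOUNT
                     | UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)

# dcdiag's "typical setting for a DC" in the output quoted above: 0x82000.
DC_TYPICAL = UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION


def decode_uac(value):
    """Names of the known flags set in value, lowest bit first; bits outside the
    table are reported as a hex remainder so nothing is silently dropped."""
    names = [name for bit, name in sorted(UF_NAMES.items()) if value & bit]
    leftover = value & ~sum(UF_NAMES)
    if leftover:
        names.append("0x%x (unlisted bits)" % leftover)
    return names


def check_dc_account(value):
    """Problems with a domain controller's userAccountControl; [] if it matches
    the DC pattern. Mirrors the conditions the dcdiag output above tests."""
    problems = []
    if not value & UF_SERVER_TRUST_ACCOUNT:
        problems.append("UF_SERVER_TRUST_ACCOUNT missing: not a DC account, cannot replicate")
    if not value & UF_TRUSTED_FOR_DELEGATION:
        problems.append("UF_TRUSTED_FOR_DELEGATION missing: not trusted for delegation")
    type_bits = value & ACCOUNT_TYPE_MASK
    if type_bits & (type_bits - 1):          # more than one account-type bit set
        problems.append("conflicting account-type bits: 0x%x" % type_bits)
    if value & UF_ACCOUNTDISABLE:
        problems.append("account is disabled")
    return problems


if __name__ == "__main__":
    # 0x1000 is what dcdiag reported, 536576 what adsiedit showed, 532480 the fix.
    for v in (0x1000, 536576, 532480):
        print("%7d = 0x%05x: %s" % (v, v, ", ".join(decode_uac(v))))
        for p in check_dc_account(v):
            print("          ", p)
```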

Re: [ActiveDir] Is it 2000 or 2003?

2006-11-16 Thread Bart Van den Wyngaert

Well actually I didn't use the adfind tool yet, when I read the
beginning of this thread I looked in the GUI "Active Directory Domains
and Trust" where it is listed that my functional level of domain &
forest is W2K3 (which I raised some months ago and seems correct).
But when I run the gpresult tool, it states that my domain type is
"Windows 2000", which I find a bit odd. Did I miss something in the
upgrade process or something? Is it an issue?

On 11/16/06, joe <[EMAIL PROTECTED]> wrote:

AdFind only determines the Directory level, it doesn't look for functional
modes or mixed mode. The way I get directory level is through the
supportedCapabilities attribute of the rootdse of the DC. Of course it is
possible to hit one DC looking for info and I pull the ROOTDSE from that DC
and then in the background a referral is processed which ends up getting the
info from another DC in another domain (or same domain if looking at app
parts).

You can get functionality modes from the rootdse attributes
domainFunctionality and forestFunctionality.

For all of those, just do an

AdFind -rootdse

And you will see what I am decoding and logically how I ascertain directory
level.



Mixed mode versus native you simply use the domain NC's nTMixedDomain
attribute.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, November 16, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it 2000 or 2003?

I don't understand where you are seeing this info.  Are you referring to the
applet that is used to raise the FL?  Or something else?

As for the "flag" that is used to identify the directory, it is usually a
combination of:

msDS-Behavior-Version
nTMixedDomain
supportedCapabilities


Or at least, that is the way I put info. such as server and directory in
each of my scripts.  Just like Joe does in ADFIND and ADMOD.  I believe he
does it the same way too.

Basically, check msDS-Behavior-Version.  If it's 0, check nTMixedDomain.  If
it's 2, check supportedCapabilities to see whether or not it is ADAM (it's
ADAM if one of the supportedCapabilities is 1.2.840.113556.1.4.1851
[LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]).

In my test lab(s), my directory is considered a 2003 directory.

In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs.


--Paul


- Original Message -
From: <[EMAIL PROTECTED]>
To: 
Sent: Thursday, November 16, 2006 3:45 PM
Subject: RE: [ActiveDir] Is it 2000 or 2003?


> I've entered this thread late so apologies if the below has already been
> stated:
>
> I recently created a new dev forest, with multiple domains. I too raised
> DFL and FFL as soon as all domains were built.
>
> I do not see the issues you describe and would suggest you download the
> scripts available here http://www.jadonex.com/
>
> One of the scripts (written by Dean) checks the DFL and FFL for the
> forest and across all domains.
>
> For a manual check, I also look here:
>
> FFL
> ===
> CN=Partitions,CN=Configuration,DC=xxx
> Attribute msDS-Behavior-Version
> 0=w2k FFL, 1=interim FFL, 2=w2k3 FFL
>
> DFL
> ===
> CN=,CN=Partitions,CN=Configuration,DC=xxx
> Attribute msDS-Behavior-Version
> 0=w2k DFL, 1=interim DFL, 2=w2k3 DFL
>
> Hope that helps,
> neil
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tim Onsomu
> Sent: 16 November 2006 14:35
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Is it 2000 or 2003?
>
> I got curious about this and decided to dcpromo my vm image of windows
> 2003 R2.
>
> After the AD installation (which sits at Windows 2000 for domain type) I
> raised the functionality for the domain and forest.
>
> The result for domain type was windows 2000.
>
> I am not sure it is supposed to be different.
>
> Anybody out there who can say their install says something else?
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Wednesday, November 15, 2006 3:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Is it 2000 or 2003?
>
> Were these clean installs or inplace?
>
> Bart Van den Wyngaert wrote:
>> Well I also have a strange thing... It concerns 2 SBS 2003 systems.
>> Some months ago I raised both domain and forest functional level on
>> those boxes. By reading this thread I decided to have a look...
>>
>> Both tools report the correct OS actually on both boxes.
>>
>> The only thing I wonder about a bit is that they both report with the gpresult
>> tool that the domain type is Windows 2000
>>
>> If I look using GUI, they both report functional level of domain &
>> forest being at 2003.
>>
>> Don't really get it actually. Is this related? Normal or missed something
>> when I did raise the functional levels?
>>
>> Thanks,
>> Bart
>>
>> On 11/10/06, Noah Eiger <[EMAIL 
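Paul's order of checks (msDS-Behavior-Version, then nTMixedDomain, then supportedCapabilities for the ADAM OID) and neil's level numbers, put together as an added Python check over constructed attribute values; this is not code from the thread, AdFind or the jadonex scripts, and the one non-ADAM capability OID in the sample is assumed for illustration.

```python
# Added example, not from the thread or from AdFind/ADMOD: classify a directory
# and name its functional levels from the attributes the posts above describe.

# OID quoted in Paul's post.
LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID = "1.2.840.113556.1.4.1851"

# msDS-Behavior-Version meanings from neil's post; the same numbers are used
# for the forest (Partitions container) and for each domain.
BEHAVIOR_VERSION = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
}


def functional_level(version):
    """Human name for an msDS-Behavior-Version (or rootDSE domainFunctionality /
    forestFunctionality) value; unknown numbers are passed through, not guessed."""
    try:
        return BEHAVIOR_VERSION[int(version)]
    except (KeyError, TypeError, ValueError):
        return "unknown level %r" % (version,)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def classify_directory(attrs):
    """attrs: attribute name -> value (string/int) or list of values, as read
    from the domain NC head (msDS-Behavior-Version, nTMixedDomain) and rootDSE
    (supportedCapabilities). Follows Paul's order of checks."""
    version = int(attrs.get("msDS-Behavior-Version", 0))
    if version == 0:
        # Version 0 is Windows 2000 either way; mixed versus native is the
        # separate nTMixedDomain flag (1 means mixed mode).
        mixed = int(attrs.get("nTMixedDomain", 1))
        return "Windows 2000 %s mode" % ("mixed" if mixed else "native")
    if version == 2:
        caps = _as_list(attrs.get("supportedCapabilities", []))
        if LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID in caps:
            return "ADAM instance"
        return "Windows Server 2003 directory"
    return functional_level(version)


def forest_summary(forest_version, domain_versions):
    """FFL plus the DFL of every domain, the kind of report Dean's script gives.
    domain_versions: {dns name: msDS-Behavior-Version of that domain}."""
    return {
        "FFL": functional_level(forest_version),
        "DFL": {name: functional_level(v) for name, v in domain_versions.items()},
    }


# Constructed sample: a 2003-level domain NC head plus rootDSE capabilities.
# 1.2.840.113556.1.4.800 (base Active Directory capability) is assumed here for
# illustration; only the ADAM OID above comes from the thread.
SAMPLE_ATTRS = {
    "msDS-Behavior-Version": "2",
    "nTMixedDomain": "0",
    "supportedCapabilities": ["1.2.840.113556.1.4.800"],
}

if __name__ == "__main__":
    print(classify_directory(SAMPLE_ATTRS))
    print(forest_summary(2, {"corp.example": 2, "dev.corp.example": 0}))
```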

Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

Replication only from the DsnDomainPartition came up as successful,
everything else still failed with an access denied.

and it gets better.

When I run an nltest /sc_query:phippsny from phmaindc1, I get this.

C:\>nltest /sc_query:phippsny
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN



On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:


**Update***

I changed the user account control attribute using the following
directions:

Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want to change the
UserAccountControl value and select properties
* Go to the UserAccountControl attribute
* You should see a value (from what you have described): 536576
* Change that value to: 532480

I then followed the instructions found here: Re: access denied


http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server

net stop kdc

clear ticket cache

reset machine password

open sites and services and forced replication with phprint -- which
succeeded

opened replmon and synchronized with phprint1.

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful

However, I still get an error to the child domain indicating access
denied.

Should I wait for AD replication for this to work?



On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:
>
> When I run a dcdiag /test:replications from the problematic controller, I get
> something I've seen before.
>
> The machine account for the destination PHMAINDC1.
> is not configured properly.
> Check the userAccountControl field.
> Kerberos Error.
>
> I think this may be the source of my issue: the userAccountControl field,
> and adjusting it to reflect that the computer account PHMAINDC1 is actually
> a server account.
>
> I also get this related message from DCDIAG:
>
>    Starting test: MachineAccount
>       Checking machine account for DC PHMAINDC1 on DC PHMAINDC1.
>       The account PHMAINDC1 is not trusted for delegation.  It cannot replicate.
>       The account PHMAINDC1 is not a DC account.  It cannot replicate.
>       Warning:  Attribute userAccountControl of PHMAINDC1 is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
>       Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
>       This may be affecting replication?
>       * SPN found :LDAP/PHMAINDC1.phippsny.org/phippsny.org
>       * SPN found :LDAP/PHMAINDC1.phippsny.org
>       * SPN found :LDAP/PHMAINDC1
>       * SPN found :LDAP/PHMAINDC1.phippsny.org/PHIPPSNY
>       * SPN found :LDAP/f1da285e-a98b-40d3-abcc-f69057435ed8._msdcs.phippsny.org
>       * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/f1da285e-a98b-40d3-abcc-f69057435ed8/phippsny.org
>       * SPN found :HOST/PHMAINDC1.phippsny.org/phippsny.org
>       * SPN found :HOST/PHMAINDC1.phippsny.org
>       * SPN found :HOST/PHMAINDC1
>       * SPN found :HOST/PHMAINDC1.phippsny.org/PHIPPSNY
>       * SPN found :GC/PHMAINDC1.phippsny.org/phippsny.org
>       . PHMAINDC1 failed test MachineAccount
>
> I also get this message when running a netdiag:
>
> The Record is different on DNS server '192.168.1.1'.
> DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain.
> Your DC entry is one of them on DNS server '192.168.1.1', no need to re-register
>
> But then I don't have multiple records associated with 192.168.1.1; I
> just don't see them..
>
> Should I manually delete all records and PTRs to 1.1 and registerdns?
>
>
>
> On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:
> >
> > Hey Laura,
> >
> > this is the strange DC error guy...unfortunately.
> >
> > This DC existed for about 4 months. I did a parallel upgrade to 2003
> > with a new box and promoting it into a windows 2000 domain using adprep
> > /forestprep and adprep /domainprep:gprep.
> >
> > There has never been use of duplicate names.
> >
> > this DC was never restored from a backup.
> >
> > there never has been a duplicate name for any member servers nor have
> > there been any backup restores...
> >
> > I'm able to update DNS registration from this maindc now, because I
> > needed to enable the DHCP client service on the machine.
> >
> > I've tried the following from the problematic DC:
> >
> > net stop kdc
> >
> > purge kerberos ticket cache using kerbtray
> >
> > reset pwd using netdom
> >
> > net start kdc
> >
> > reboot
> >
> > but I continue to get Replication access denied from one DC to all
> > three of my DC's.
> >
> > I've tried the same as above from a second DC without removing the
> > ticket cache, but still get the same errors from the phmaindc1 DC.
> >
> >
> >
> > All other DC's replicate with this DC just fine.
> >
> > i've checked the zones through dnscmd and made s

Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

hey Laura -

I did respond to your inquiry; I've actually posted a lot since then, but
the answers to your questions are:

this is the strange DC error guy...unfortunately.

This DC existed for about 4 months. I did a parallel upgrade to 2003 with a
new box and promoting it into a windows 2000 domain using adprep /forestprep
and adprep /domainprep:gprep.

There has never been use of duplicate names.

this DC was never restored from a backup.

there never has been a duplicate name for any member servers nor have there
been any backup restores...

I'm able to update DNS registration from this maindc now, because I needed
to enable the DHCP client service on the machine.

phmaindc1 is a DC and PDCe for Domain: Phippsny.org

phprint1 is a DC for Domain: phippsny.org.

I managed to get replication working between phmaindc1 and all my DC's!

I had to do the following from phmaindc1:

net stop kdc

set the startup type to Manual

netdom resetpwd /s:phmaindc1 /ud:domain\administrator /pd:*

reboot

start the kdc and set the startup type to Automatic.

I performed a repadmin /showreps and everything is successful and remains
successful for now.

However, I still receive the following Kerberos error!

Event Type:     Error
Event Source:   Kerberos
Event Category: None
Event ID:       4
Date:           11/16/2006
Time:           7:51:02 PM
User:           N/A
Computer:       PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was
ldap/PHMAINDC1.phippsny.org/[EMAIL PROTECTED] This indicates that
the password used to encrypt the kerberos service ticket is different than
that on the target server. Commonly, this is due to identically named
machine accounts in the target realm (PHIPPSNY.ORG), and the client realm.
Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


And I get the following Group Policy Error:

Event Type:     Error
Event Source:   Userenv
Event Category: None
Event ID:       1030
Date:           11/16/2006
Time:           8:06:33 PM
User:           PHIPPSNY\Administrator
Computer:       PHMAINDC1
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Although, when I run a gpresult I get some of the GPOs applied.






On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:


1. Is phmaindc1 a DC for PHIPPSNY.ORG?
2. Is phprint1 a member of PHIPPSNY.ORG?
3. Are you able to provide any of the other information I asked about in
my other response?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!

Thanks Michael,

I ran the following command and got the following output.

C:\>dsquery * (dc=phippsny,dc=org) -filter
"(servicePrincipalName=host/phmaindc1)"

dsquery failed:A referral was returned from the server.
type dsquery /? for help.

On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:
>
> Joe,
>
> How do I find out if there are any duplicate SPNs?
>
> On 11/16/06, joe <[EMAIL PROTECTED]> wrote:
> >
> >  Do you have any duplicate SPNs? Well specifically the SPNs mentioned
> > in the error?
> >
> >  --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> >
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
> > Sent: Thursday, November 16, 2006 12:09 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Kerberos is Killing Me!
> >
> >
> > I am having continued issues with Kerberos. I tried running tokensz
> > against the problem server and I get this error message:
> >
> > C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1
> >
> > Name: Negotiate Comment: Microsoft Package Negotiator
> > Current PackageInfo->MaxToken: 12128
> >
> > Asked for delegate, but didn't get it.
> > Check if server is trusted for delegation.
> >
> > QueryKeyInfo:
> > Signature algorithm =
> > Encrypt algorithm = RSADSI RC4
> > KeySize = 128
> > Flags = 2001c
> > Signature Algorithm = -138
> > Encrypt Algorithm = 26625
> > QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED
> >
> >
> > any ideas ?
> >
> > I keep getting the following event log message on a domain controller
> > which prevents users from accessing it and authenticating to it.
> >
> > Event Type:     Error
> > Event Source:   Kerberos
> > Event Category: None
> > Event ID:       4
> > Date:           11/16/2006
> > Time:           12:02:37 PM
> > User:           N/A
> > Co
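joe's question about duplicate SPNs, as an added check over constructed directory records (example code, not from the thread or from setspn/dsquery): it lists every SPN held by more than one object, matching case-insensitively as the KDC does, and shows which objects claim a given SPN such as host/phmaindc1. The stale OLDBOX object carrying a copy of the PHMAINDC1 SPN is invented for the sample; nothing in the thread says such an object existed.

```python
# Added example (not from this thread or from Microsoft tooling): find SPNs that
# are registered on more than one directory object, the condition behind the
# KRB_AP_ERR_MODIFIED event (ID 4) quoted in this thread.
from collections import defaultdict

# Constructed records standing in for the result of a forest-wide LDAP query
# for (servicePrincipalName=*). PHMAINDC1's SPNs are taken from the dcdiag
# output above; the OLDBOX object and its duplicate SPN are invented.
SAMPLE_ACCOUNTS = [
    {"dn": "CN=PHMAINDC1,OU=Domain Controllers,DC=phippsny,DC=org",
     "servicePrincipalName": [
         "HOST/PHMAINDC1.phippsny.org", "HOST/PHMAINDC1",
         "LDAP/PHMAINDC1.phippsny.org", "LDAP/PHMAINDC1",
         "GC/PHMAINDC1.phippsny.org/phippsny.org"]},
    {"dn": "CN=OLDBOX,CN=Computers,DC=phippsny,DC=org",      # constructed stale object
     "servicePrincipalName": ["host/phmaindc1.phippsny.org", "HOST/OLDBOX"]},
    {"dn": "CN=PHPRINT1,OU=Domain Controllers,DC=phippsny,DC=org",
     "servicePrincipalName": ["HOST/PHPRINT1.phippsny.org", "HOST/PHPRINT1"]},
]


def find_duplicate_spns(accounts):
    """Return {normalised spn: [dn, ...]} for every SPN held by two or more
    objects. SPN matching is case-insensitive, so 'host/x' and 'HOST/X' collide
    even though a plain string comparison would not catch them."""
    holders = defaultdict(list)
    for acct in accounts:
        for spn in acct.get("servicePrincipalName", []):
            holders[spn.lower()].append(acct["dn"])
    return {spn: dns for spn, dns in holders.items() if len(dns) > 1}


def accounts_claiming(accounts, spn):
    """Which objects hold a given SPN: the question behind the dsquery above."""
    key = spn.lower()
    return [a["dn"] for a in accounts
            if key in (s.lower() for s in a.get("servicePrincipalName", []))]


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print("duplicate SPN %s on:" % spn)
        for dn in dns:
            print("    ", dn)
    print(accounts_claiming(SAMPLE_ACCOUNTS, "host/phmaindc1"))
```

The KDC picks one of the holders when it issues a ticket for the SPN, so a ticket encrypted with the wrong account's key is exactly what produces KRB_AP_ERR_MODIFIED on the real server.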

RE: [ActiveDir] Domain and Subdomain. Duplicating accounts

2006-11-16 Thread Laura A. Robinson
Besides significantly increasing the likelihood of people logging onto the
wrong domain and generating support calls along the lines of "where's my
stuff?"

Not really. AD accommodates the same name in multiple domains, as long as
the UPNs are different (which they are, or account creation would have
failed).

Why doesn't the other SA just let people use their regular accounts?

Laura 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
> Sent: Thursday, November 16, 2006 4:48 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Domain and Subdomain. Duplicating accounts
> 
> Hi,
> 
> The company I work for has 2 offices in 2 different states.
> 
> The main office is domain.com and other office is a subdomain 
> (sub.domain.com).
> 
> Our users sometimes go to the other office (sub.domain.com) 
> to work for a week or so, I just found out that other SA has 
> been creating accounts for my users in the subdomain.
> 
> So now I have the "same" user in the domain and subdomain; besides 
> being a stupid way of doing things, is there any technical 
> issue this could create?
> 
> 
> Thanks
> 
> Rezuma
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir@mail.activedir.org/
> 
> 




RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
Okay, so basically I can think of a few quickish options:
 
1. Let somebody who geeks out on this stuff poke around in your DCs. There
are obviously lots of caveats around that one (like, why would you let a
stranger poke around in your AD, why would somebody want to take on that
liability, how would you determine that somebody wasn't a cluebie, etc.)
 
2. Call PSS and get the benefit of all the warranties and liabilities that
come with the support agreement, and let them poke around in your AD.
 
3. Find a willing geek to get on the phone with you, 'cause typing all this
stuff up has to be as difficult for you as it is for the people trying to
make heads or tails of the situation.
 
4. Scrap trying to track down the problem and demote the problem DC, then
re-promote it. I hate offering that as a solution as I usually like to dig
around and figure out what's causing things, but in this situation it's
really hard to troubleshoot your environment simply because there are so
many different factors that could come into play that would need to be
looked at. And honestly, this smells like there was an imaged DC or
something similar somewhere along the line. I believe you that there wasn't;
it's just the same kind of behavior that you see in scenarios like that.
 
Wait, hold on a sec... what does "a parallel upgrade" mean?
 
Laura



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


Hey Laura,

this is the strange DC error guy...unfortunately.

This DC existed for about 4 months. I did a parallel upgrade to 2003 with a
new box and promoting it into a windows 2000 domain using adprep /forestprep
and adprep /domainprep:gprep.

There has never been use of duplicate names.

this DC was never restored from a backup.

there never has been a duplicate name for any member servers nor have there
been any backup restores...

I'm able to update DNS registration from this maindc now, because I needed
to enable the DHCP client service on the machine.

I've tried the following from the problematic DC:

net stop kdc

purge kerberos ticket cache using kerbtray

reset pwd using netdom

net start kdc

reboot

but I continue to get Replication access denied from one DC to all three of
my DC's.

I've tried the same as above from a second DC without removing the ticket
cache, but still get the same errors from the phmaindc1 DC.



All other DC's replicate with this DC just fine.

I've checked the zones through dnscmd and made sure they are alike with
regard to zone type: dnscmd /enumzones

C:\>dnscmd /enumzones
Enumerated zone list:

Zone count = 5

 Zone name                  Type       Storage     Properties

 .                          Cache      AD-Domain
 168.192.in-addr.arpa       Primary    AD-Domain   Update Rev Aging
 31.168.192.in-addr.arpa    Secondary  File        Rev
 jacwf.phippsny.org         Secondary  File
 phippsny.org               Primary    AD-Domain   Update Aging

Command completed successfully.

above is PHMAINDC1

Below is PHPRINT1

C:\>dnscmd /enumzones
Enumerated zone list:

Zone count = 5

 Zone name                  Type       Storage     Properties

 .                          Cache      AD-Domain
 168.192.in-addr.arpa       Primary    AD-Domain   Update Rev Aging
 31.168.192.in-addr.arpa    Secondary  File        Rev
 jacwf.phippsny.org         Secondary  File
 phippsny.org               Primary    AD-Domain   Update Aging

Command completed successfully.



=\

I'm stuck.




On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:

Is this the same set of machines that are being talked about in the "strange
DC error" thread? I don't remember who it was who originated that one and I
want to make sure I'm not asking for something you've already provided.
 
So, if the answer to the above is "no", my next question is, can you provide
a little more information about the environment? How long has this DC
existed as a DC? Was there ever another DC with the same name? Was this DC
at any point restored from a backup? Has it been consistently connected to
the network? How about the member server- same questions as the DC
questions.
 
Thanks,

 
Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos is Killing Me!



I am having continued issues with Kerberos. I tried running tokensz against
the problem server and I get this error message:

C:\Too

Re: [ActiveDir] Strange DC behaviour and error

2006-11-16 Thread hboogz

lol.

I did, Laura -- I think I've poured my life out in that thread.

=)

On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:


 Then answer my questions! ;-)

Laura

  

However, I have another thread whereby Kerberos is just killing me.







--
HBooGz:\>


RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
I apologize if I keep asking questions you've already answered, but how many
sites are involved here?
 
Of course, by the time this hits the list, any replication that hasn't yet
occurred probably will have. :-)
 
Laura



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


**Update***

I changed the user account control attribute using the following directions:

Did you follow: 
When using adsiedit: 
* Connect to the domain NC 
* Navigate to the Domain Controllers OU 
* Right click on the DC for which you want to change the 
UserAccountControl value and select properties 
* Go to the UserAccountControl attribute
* You should see a value (from what you have described): 536576
* Change that value to: 532480

I then followed the instructions found here: Re: access denied

http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server

net stop kdc

clear ticket cache

reset machine password

open sites and services and forced replication with phprint -- which
succeeded

opened replmon and synchronized with phprint1.

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful

However, I still get an error to the child domain indicating access denied.

Should I wait for AD replication for this to work?






RE: [ActiveDir] Is it 2000 or 2003?

2006-11-16 Thread Free, Bob
If you follow the thread's consensus, it is that it's just a bug in
gpresult. I have a forest built from scratch on 2003 that's never seen
hide nor hair of anything w2k and gpresult still reports it as 2000. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
Wyngaert
Sent: Thursday, November 16, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it 2000 or 2003?

Well actually I didn't use the adfind tool yet, when I read the
beginning of this thread I looked in the GUI "Active Directory Domains
and Trust" where it is listed that my functional level of domain & forest
is W2K3 (which I raised some months ago and seems correct).
But when I run the gpresult tool, it states that my domain type is
"Windows 2000", which I find a bit odd. Did I miss something in the
upgrade process or something? Is it an issue?

On 11/16/06, joe <[EMAIL PROTECTED]> wrote:
> AdFind only determines the Directory level, it doesn't look for 
> functional modes or mixed mode. The way I get directory level is 
> through the supportedCapabilities attribute of the rootdse of the DC. 
> Of course it is possible to hit one DC looking for info and I pull the
> ROOTDSE from that DC and then in the background a referral is 
> processed which ends up getting the info from another DC in another 
> domain (or same domain if looking at app parts).
>
> You can get functionality modes from the rootdse attributes 
> domainFunctionality and forestFunctionality.
>
> For all of those, just do an
>
> AdFind -rootdse
>
> And you will see what I am decoding and logically how I ascertain 
> directory level.
>
>
>
> Mixed mode versus native you simply use the domain NCs nTMixedDomain 
> attribute.
>
>   joe
>
>
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
> Sent: Thursday, November 16, 2006 11:50 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Is it 2000 or 2003?
>
> I don't understand where you are seeing this info.  Are you referring 
> to the applet that is used to raise the FL?  Or something else?
>
> As for the "flag" that is used to identify the directory, it is 
> usually a combination of:
>
> msDS-Behavior-Version
> nTMixedDomain
> supportedCapabilities
>
>
> Or at least, that is the way I put info. such as server and directory 
> in each of my scripts.  Just like Joe does in ADFIND and ADMOD.  I 
> believe he does it the same way too.
>
> Basically, check msDS-Behavior-Version.  If it's 0, check 
> nTMixedDomain.  If it's 2, check supportedCapabilities to see whether or not it is ADAM 
> (it's ADAM if one of the supportedCapabilities is 
> 1.2.840.113556.1.4.1851 [LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]).
>
> In my test lab(s), my directory is considered a 2003 directory.
>
> In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs.
>
>
> --Paul
>
>
> - Original Message -
> From: <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, November 16, 2006 3:45 PM
> Subject: RE: [ActiveDir] Is it 2000 or 2003?
>
>
> > I've entered this thread late so apologies if the below has already 
> > been stated:
> >
> > I recently created a new dev forest, with multiple domains. I too 
> > raised DFL and FFL as soon as all domains were built.
> >
> > I do not see the issues you describe and would suggest you download 
> > the scripts available here http://www.jadonex.com/
> >
> > One of the scripts (written by Dean) checks the DFL and FFL for the 
> > forest and across all domains.
> >
> > For a manual check, I also look here:
> >
> > FFL
> > ===
> > CN=Partitions,CN=Configuration,DC=xxx
> > Attribute msDS-Behavior-Version
> > 0=w2k FFL, 1=interim FFL, 2=w2k3 FFL
> >
> > DFL
> > ===
> > CN=,CN=Partitions,CN=Configuration,DC=xxx
> > Attribute msDS-Behavior-Version
> > 0=w2k DFL, 1=interim DFL, 2=w2k3 DFL
> >
> > Hope that helps,
> > neil
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tim Onsomu
> > Sent: 16 November 2006 14:35
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Is it 2000 or 2003?
> >
> > I got curious about this and decided to dcpromo my VM image of Windows
> > 2003 R2.
> >
> > After the AD installation (which sits at Windows 2000 for domain 
> > type) I raised the functionality for the domain and forest.
> >
> > The result for domain type was windows 2000.
> >
> > I am not sure it is supposed to be different.
> >
> > Anybody out there who can say their install says something else?
> >
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
> > Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> > Sent: Wednesday, November 15, 2006 3:15 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Is it 2000 or 2003?
> >
> > Were these clean installs or inpla

Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

Thanks Laura.

I've been thinking about the demotion, but one question would be: should I
keep the same computer name?

I consider myself a geek, probably not an AD geek, but I try =\

Re: parallel upgrade. In other words, what I did was: introduce a new box
with a freshly installed Win 2003 Standard R2 OS and adprep the Win2k domain
before introducing this new box into the Win2k domain.

By parallel I meant to say I was running Win2k3 and Win2k parallel to each
other before I decommissioned the Win2k DCs.



On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:


 Okay, so basically I can think of a few quickish options:

1. Let somebody who geeks out on this stuff poke around in your DCs. There
are obviously lots of caveats around that one (like, why would you let a
stranger poke around in your AD, why would somebody want to take on that
liability, how would you determine that somebody wasn't a cluebie, etc.)

2. Call PSS and get the benefit of all the warranties and liabilities that
come with the support agreement, and let them poke around in your AD.

3. Find a willing geek to get on the phone with you, 'cause typing all
this stuff up has to be as difficult for you as it is for the people trying
to make heads or tails of the situation.

4. Scrap trying to track down the problem and demote the problem DC, then
re-promote it. I hate offering that as a solution as I usually like to dig
around and figure out what's causing things, but in this situation it's
really hard to troubleshoot your environment simply because there are so
many different factors that could come into play that would need to be
looked at. And honestly, this smells like there was an imaged DC or
something similar somewhere along the line. I believe you that there wasn't;
it's just the same kind of behavior that you see in scenarios like that.

Wait, hold on a sec... what does "a parallel upgrade" mean?

Laura

 --
*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *hboogz
*Sent:* Thursday, November 16, 2006 5:10 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Kerberos is Killing Me!

Hey Laura,

this is the strange DC error guy...unfortunately.

This DC existed for about 4 months. I did a parallel upgrade to 2003 with
a new box and promoting it into a Windows 2000 domain using adprep
/forestprep and adprep /domainprep:gprep.

There has never been use of duplicate names.

This DC was never restored from a backup.

There never has been a duplicate name for any member servers nor have
there been any backup restores...

I'm able to update DNS registration from this maindc now, because I needed
to enable the DHCP client service on the machine.

I've tried the following from the problematic DC:

net stop kdc

purge kerberos ticket cache using kerbtray

reset pwd using netdom

net start kdc

reboot

but I continue to get Replication access denied from one DC to all three
of my DCs.

I've tried the same as above from a second DC without removing the ticket
cache, but still get the same errors from the phmaindc1 DC.



All other DCs replicate with this DC just fine.

I've checked the zones through dnscmd and made sure they are alike with
regard to zone type: dnscmd /enumzones

C:\>dnscmd /enumzones
Enumerated zone list:

        Zone count = 5

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 168.192.in-addr.arpa           Primary    AD-Domain       Update Rev Aging
 31.168.192.in-addr.arpa        Secondary  File            Rev
 jacwf.phippsny.org             Secondary  File
 phippsny.org                   Primary    AD-Domain       Update Aging

Command completed successfully.

above is PHMAINDC1

Below is PHPRINT1

C:\>dnscmd /enumzones
Enumerated zone list:

        Zone count = 5

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 168.192.in-addr.arpa           Primary    AD-Domain       Update Rev Aging
 31.168.192.in-addr.arpa        Secondary  File            Rev
 jacwf.phippsny.org             Secondary  File
 phippsny.org                   Primary    AD-Domain       Update Aging

Command completed successfully.



=\

I'm stuck.



On 11/16/06, Laura A. Robinson < [EMAIL PROTECTED]> wrote:
>
>  Is this the same set of machines that are being talked about in the
> "strange DC error" thread? I don't remember who it was who originated that
> one and I want to make sure I'm not asking for something you've already
> provided.
>
> So, if the answer to the above is "no", my next question is, can you
> provide a little more information about the environment? How long has this
> DC existed as a DC? Was there ever another DC with the same name? Was this
> DC at any point restored from a backup? Has it been consistently connected
> to the network? How about the member server- same questions as the DC
> questions.
>
> Thanks,
>
> 
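
The two dnscmd /enumzones listings above were compared by eye. Here is a parser for that output and a comparison of two DCs' zone tables, added as an example and not part of the thread. PHMAINDC1 and PHPRINT1 are the two listings posted above (re-aligned; they are identical), and THIRD_DC is a constructed listing that differs, so the comparison has something to report.

```python
"""Parse `dnscmd /enumzones` output and compare the zone tables of two DCs.

Added example, not part of the thread.  PHMAINDC1 and PHPRINT1 are the two
listings posted above (re-aligned); THIRD_DC is a constructed listing that
differs, so the comparison has something to report.
"""
from collections import namedtuple

Zone = namedtuple("Zone", "type storage properties")

PHMAINDC1 = """\
Enumerated zone list:

        Zone count = 5

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 168.192.in-addr.arpa           Primary    AD-Domain       Update Rev Aging
 31.168.192.in-addr.arpa        Secondary  File            Rev
 jacwf.phippsny.org             Secondary  File
 phippsny.org                   Primary    AD-Domain       Update Aging

Command completed successfully.
"""

# The thread shows identical output on the second DC.
PHPRINT1 = PHMAINDC1

# Constructed: reverse zone turned into a file-backed secondary, one zone
# missing, and aging switched off on the forward zone.
THIRD_DC = """\
Enumerated zone list:

        Zone count = 4

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 168.192.in-addr.arpa           Secondary  File            Rev
 jacwf.phippsny.org             Secondary  File
 phippsny.org                   Primary    AD-Domain       Update

Command completed successfully.
"""


def parse_enumzones(text):
    """Return {zone name: Zone} from dnscmd /enumzones output.

    Rows follow the 'Zone name  Type  Storage  Properties' header and are
    whitespace separated; the cache zone '.' has no properties column.
    """
    zones = {}
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Zone name"):
            in_table = True          # column header: zone rows start after it
            continue
        if not in_table or not stripped or stripped.startswith("Command completed"):
            continue
        fields = stripped.split()
        if len(fields) < 3:
            continue                 # not a zone row
        name, ztype, storage = fields[:3]
        zones[name] = Zone(ztype, storage, frozenset(fields[3:]))
    return zones


def compare_zones(first, second):
    """Describe every way two parsed zone tables disagree (empty = identical)."""
    findings = []
    for name in sorted(set(first) | set(second)):
        if name not in first:
            findings.append("%s: only on second DC" % name)
        elif name not in second:
            findings.append("%s: only on first DC" % name)
        else:
            a, b = first[name], second[name]
            if (a.type, a.storage) != (b.type, b.storage):
                findings.append("%s: type/storage %s/%s vs %s/%s"
                                % (name, a.type, a.storage, b.type, b.storage))
            if a.properties != b.properties:
                findings.append("%s: properties %s vs %s"
                                % (name, sorted(a.properties), sorted(b.properties)))
    return findings


if __name__ == "__main__":
    base = parse_enumzones(PHMAINDC1)
    for label, text in (("PHPRINT1", PHPRINT1), ("THIRD_DC", THIRD_DC)):
        findings = compare_zones(base, parse_enumzones(text))
        print("PHMAINDC1 vs %s: %s" % (label, "identical" if not findings else ""))
        for finding in findings:
            print("  " + finding)
```

Run dnscmd /enumzones on each DC, save the output, and feed the two texts to parse_enumzones; anything compare_zones returns is a zone that will not behave the same on both servers.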

RE: [ActiveDir] Is it 2000 or 2003?

2006-11-16 Thread Laura A. Robinson
It's not an issue.

Laura 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Bart 
> Van den Wyngaert
> Sent: Thursday, November 16, 2006 6:07 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Is it 2000 or 2003?
> 
> Well actually I didn't use the adfind tool yet, when I read 
> the beginning of this thread I looked in the GUI "Active 
> Directory Domains and Trusts" where it is listed that my 
> functional level of domain & forest is W2K3 (which I raised 
> some months ago and seems correct).
> But when I run the gpresult tool, it states that my domain 
> type is "Windows 2000", which I find a bit odd. Did I miss 
> something in the upgrade process or something? Is it an issue?
> 
> On 11/16/06, joe <[EMAIL PROTECTED]> wrote:
> > AdFind only determines the Directory level, it doesn't look for 
> > functional modes or mixed mode. The way I get directory level is 
> > through the supportedCapabilities attribute of the rootdse of the DC. 
> > Of course it is possible to hit one DC looking for info and I pull the 
> > ROOTDSE from that DC and then in the background a referral is 
> > processed which ends up getting the info from another DC in another 
> > domain (or same domain if looking at app parts).
> >
> > You can get functionality modes from the rootdse attributes 
> > domainFunctionality and forestFunctionality.
> >
> > For all of those, just do an
> >
> > AdFind -rootdse
> >
> > And you will see what I am decoding and logically how I ascertain 
> > directory level.
> >
> >
> >
> > Mixed mode versus native you simply use the domain NCs nTMixedDomain 
> > attribute.
> >
> >   joe
> >
> >
> > --
> > O'Reilly Active Directory Third Edition - 
> > http://www.joeware.net/win/ad3e.htm
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> Paul Williams
> > Sent: Thursday, November 16, 2006 11:50 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Is it 2000 or 2003?
> >
> > I don't understand where you are seeing this info.  Are you 
> > referring to the applet that is used to raise the FL?  Or something else?
> >
> > As for the "flag" that is used to identify the directory, it is 
> > usually a combination of:
> >
> > msDS-Behavior-Version
> > nTMixedDomain
> > supportedCapabilities
> >
> >
> > Or at least, that is the way I put info. such as server and 
> directory 
> > in each of my scripts.  Just like Joe does in ADFIND and ADMOD.  I 
> > believe he does it the same way too.
> >
> > Basically, check msDS-Behavior-Version.  If it's 0, check 
> > nTMixedDomain.  If it's 2, check supportedCapabilities to see whether 
> > or not it is ADAM (it's ADAM if one of the supportedCapabilities is 
> > 1.2.840.113556.1.4.1851 [LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]).
> >
> > In my test lab(s), my directory is considered a 2003 directory.
> >
> > In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs.
> >
> >
> > --Paul
> >
> >
> > - Original Message -
> > From: <[EMAIL PROTECTED]>
> > To: 
> > Sent: Thursday, November 16, 2006 3:45 PM
> > Subject: RE: [ActiveDir] Is it 2000 or 2003?
> >
> >
> > > I've entered this thread late so apologies if the below has already 
> > > been stated:
> > >
> > > I recently created a new dev forest, with multiple domains. I too 
> > > raised DFL and FFL as soon as all domains were built.
> > >
> > > I do not see the issues you describe and would suggest you download 
> > > the scripts available here http://www.jadonex.com/
> > >
> > > One of the scripts (written by Dean) checks the DFL and FFL for the 
> > > forest and across all domains.
> > >
> > > For a manual check, I also look here:
> > >
> > > FFL
> > > ===
> > > CN=Partitions,CN=Configuration,DC=xxx
> > > Attribute msDS-Behavior-Version
> > > 0=w2k FFL, 1=interim FFL, 2=w2k3 FFL
> > >
> > > DFL
> > > ===
> > > CN=,CN=Partitions,CN=Configuration,DC=xxx
> > > Attribute msDS-Behavior-Version
> > > 0=w2k DFL, 1=interim DFL, 2=w2k3 DFL
> > >
> > > Hope that helps,
> > > neil
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of 
> Tim Onsomu
> > > Sent: 16 November 2006 14:35
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Is it 2000 or 2003?
> > >
> > > I got curious about this and decided to dcpromo my VM image of Windows
> > > 2003 R2.
> > >
> > > After the AD installation (which sits at Windows 2000 for domain 
> > > type) I raised the functionality for the domain and forest.
> > >
> > > The result for domain type was windows 2000.
> > >
> > > I am not sure it is supposed to be different.
> > >
> > > Anybody out there who can say their install says something else?
> > >
> > >
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
> > > Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> > > Sent: W
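
Paul's decision tree and Neil's value table from the quoted thread, as an added example (not code from the thread, from AdFind or from the jadonex scripts): it classifies the directory from rootDSE supportedCapabilities, uses the rootDSE domainFunctionality/forestFunctionality attributes when the DC publishes them, and otherwise falls back to msDS-Behavior-Version and nTMixedDomain on the domain NC head. ADAM is tested first because an ADAM instance also reports behavior version 2. The W2K3_*, W2K_* and ADAM_* dicts are constructed stand-ins for LDAP results; of the capability OIDs only the ADAM one is quoted above, the other two are Microsoft's documented LDAP_CAP_ACTIVE_DIRECTORY_OID and LDAP_CAP_ACTIVE_DIRECTORY_V51_OID, and level values 3 and above are later releases the thread does not mention.

```python
"""Decode directory level and functional levels from the attributes named in
the thread: rootDSE supportedCapabilities and domain/forestFunctionality,
plus msDS-Behavior-Version and nTMixedDomain on the domain NC head.

Added example, not from the thread.  The dicts at the bottom are constructed
stand-ins for LDAP search results.  Only the ADAM OID is quoted in the
thread; the other two capability OIDs are Microsoft's documented values.
"""

CAP_AD = "1.2.840.113556.1.4.800"       # LDAP_CAP_ACTIVE_DIRECTORY_OID (any AD)
CAP_AD_V51 = "1.2.840.113556.1.4.1670"  # LDAP_CAP_ACTIVE_DIRECTORY_V51_OID (W2K3+)
CAP_ADAM = "1.2.840.113556.1.4.1851"    # LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID

# msDS-Behavior-Version / *Functionality values.  0, 1 and 2 are the ones
# listed in the thread; 3 and up are the later, well-known continuations.
LEVELS = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
    5: "Windows Server 2012",
    6: "Windows Server 2012 R2",
    7: "Windows Server 2016",
}


def level_name(value):
    """Map a behavior-version integer (or the LDAP string form) to a name."""
    value = int(value)
    return LEVELS.get(value, "unknown level %d" % value)


def directory_level(rootdse):
    """joe's method: classify the directory from rootDSE supportedCapabilities.
    An ADAM instance may advertise the AD OIDs as well, so test for ADAM first."""
    caps = set(rootdse.get("supportedCapabilities", ()))
    if CAP_ADAM in caps:
        return "ADAM"
    if CAP_AD_V51 in caps:
        return "Windows Server 2003"
    if CAP_AD in caps:
        return "Windows 2000"
    return "not Active Directory"


def domain_mode(domain_nc):
    """Paul's decision tree on the domain NC head: read msDS-Behavior-Version
    first and consult nTMixedDomain only while the level is still Windows
    2000, because mixed/native mode has no meaning at 2003 and above."""
    version = int(domain_nc.get("msDS-Behavior-Version", 0))
    if version == 0:
        mixed = int(domain_nc.get("nTMixedDomain", 1))
        return "Windows 2000 %s mode" % ("mixed" if mixed else "native")
    return level_name(version)


def describe(rootdse, domain_nc):
    """Combine both sources.  Windows 2000 DCs do not publish the rootDSE
    *Functionality attributes, so those keys appear only when present."""
    report = {
        "directory": directory_level(rootdse),
        "domain": domain_mode(domain_nc),
    }
    if "forestFunctionality" in rootdse:
        report["forest"] = level_name(rootdse["forestFunctionality"])
        report["domain_from_rootdse"] = level_name(rootdse["domainFunctionality"])
    return report


# Constructed: a Windows Server 2003 R2 DC after DFL and FFL were raised to 2,
# the situation discussed in the thread.
W2K3_ROOTDSE = {
    "supportedCapabilities": [CAP_AD, CAP_AD_V51],
    "domainFunctionality": "2",
    "forestFunctionality": "2",
}
W2K3_DOMAIN_NC = {"msDS-Behavior-Version": "2", "nTMixedDomain": "0"}

# Constructed: a Windows 2000 DC in a mixed-mode domain (no *Functionality).
W2K_ROOTDSE = {"supportedCapabilities": [CAP_AD]}
W2K_DOMAIN_NC = {"msDS-Behavior-Version": "0", "nTMixedDomain": "1"}

# Constructed: an ADAM instance, which also reports behavior version 2.
ADAM_ROOTDSE = {"supportedCapabilities": [CAP_AD, CAP_AD_V51, CAP_ADAM]}

if __name__ == "__main__":
    for label, rootdse, nc in (("W2K3", W2K3_ROOTDSE, W2K3_DOMAIN_NC),
                               ("W2K", W2K_ROOTDSE, W2K_DOMAIN_NC)):
        print(label, describe(rootdse, nc))
    print("ADAM", directory_level(ADAM_ROOTDSE))
```

To use it against a live directory, take the attribute values from AdFind -rootdse and from a base-scope search of the domain NC head for msDS-Behavior-Version and nTMixedDomain, and pass them in as the two dicts.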

Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

AD sites.

3 one including the DR-site.

Regarding the question about demoting then promoting: if I have to go that
route, should I keep the same server name?

On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:


 I apologize if I keep asking questions you've already answered, but how
many sites are involved here?

Of course, by the time this hits the list, any replication that hasn't yet
occurred probably will have. :-)

Laura

 --
*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *hboogz
*Sent:* Thursday, November 16, 2006 5:49 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Kerberos is Killing Me!

**Update***

I changed the userAccountControl attribute using the following
direction:

Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want to change the
UserAccountControl value and select properties
* Go to the UserAccountControl attribute
* You should see a value (from what you have described): 536576
* Change that value to: 532480

I then followed the instructions found here: Re: access denied


http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server

net stop kdc

clear ticket cache

reset machine pwd

open Sites and Services and forced replication with phprint -- which
succeeded

opened replmon and synchronized with phprint1.

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful

however, I still get an error to the child domain indicating access
denied.

should I wait for AD replication for this to work?







--
HBooGz:\>
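
The two userAccountControl numbers in the update above are bit masks. Decoding them, as an added example that is not part of the thread, shows exactly which flag the adsiedit change cleared: 536576 (0x83000) has WORKSTATION_TRUST_ACCOUNT and SERVER_TRUST_ACCOUNT set at the same time, while 532480 (0x82000) is the SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION combination a normally promoted DC carries. The flag names are the documented ADS_USER_FLAG_ENUM constants; BEFORE and AFTER are the values quoted above.

```python
"""Decode userAccountControl bit flags and show what the edit described in the
thread (536576 -> 532480) actually changed on the DC's computer object.

Added example, not from the thread.  Flag values are the documented
ADS_USER_FLAG_ENUM constants; BEFORE and AFTER are the numbers quoted above.
"""

UAC_FLAGS = {
    0x0000001: "SCRIPT",
    0x0000002: "ACCOUNTDISABLE",
    0x0000008: "HOMEDIR_REQUIRED",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000040: "PASSWD_CANT_CHANGE",
    0x0000080: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x0000100: "TEMP_DUPLICATE_ACCOUNT",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWD",
    0x0020000: "MNS_LOGON_ACCOUNT",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQUIRE_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
KNOWN_BITS = sum(UAC_FLAGS)  # all documented bits ORed together (they are disjoint)

# Values quoted in the thread: what the DC's computer object showed, and what
# it was changed to.  532480 (0x82000) is what a normally promoted DC carries.
BEFORE = 536576
AFTER = 532480


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    value = int(value)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_BITS
    if unknown:
        names.append("UNKNOWN_0x%x" % unknown)
    return names


def diff_uac(before, after):
    """(cleared, set) flag names when userAccountControl goes before -> after."""
    before, after = int(before), int(after)
    cleared = [n for b, n in sorted(UAC_FLAGS.items()) if before & b and not after & b]
    added = [n for b, n in sorted(UAC_FLAGS.items()) if after & b and not before & b]
    return cleared, added


def account_kind(value):
    """Classify an object by its trust-account bits.  A DC carries
    SERVER_TRUST_ACCOUNT, a member computer WORKSTATION_TRUST_ACCOUNT; both at
    once is the contradictory state the edit in the thread removed."""
    value = int(value)
    server = bool(value & 0x2000)
    workstation = bool(value & 0x1000)
    if server and workstation:
        return "inconsistent: server and workstation trust bits both set"
    if server:
        return "domain controller"
    if workstation:
        return "member computer"
    if value & 0x0800:
        return "trust account"
    if value & 0x0200:
        return "user"
    return "other"


if __name__ == "__main__":
    for v in (BEFORE, AFTER):
        print("%d (0x%x): %s -> %s" % (v, v, ", ".join(decode_uac(v)), account_kind(v)))
    cleared, added = diff_uac(BEFORE, AFTER)
    print("cleared:", cleared, "set:", added)
```

decode_uac works on any userAccountControl value pulled from the directory, so the same function can be run over every object in the Domain Controllers OU to find any other DC whose flags do not come out as "domain controller".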


Re: [ActiveDir] OT: M$

2006-11-16 Thread ASB

Which I was able to avoid, until you had to go an mention it directly... :)

-ASB


On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:


 Boobier?

That brings up some seriously disturbing imagery...

Laura

 --
*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Akomolafe, Deji
*Sent:* Thursday, November 16, 2006 4:37 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: M$


  >>>you should have used a smiley
There was a time, way back when (so way back we may need a time machine),
when malicious intentions were not the default attribution in every
public discourse. In those days, there was no such thing as a "smiley", yet
humans got along fine. OK, maybe not "fine", but we did survive. And yes, not
all interactions were in-person in those eons gone by. Tattooing those Avian
Carriers [1] with colorful smileys would have been painful and awkward, no?
Please don't equate the non-existence of a smiley with malice.

In my case, lack of the approximate voice inflection or facial expression
was not responsible for the faux pas. The attempt at levity wouldn't have
gone over correctly, regardless of how many grinning mascots I could have
inscribed therein. The audience was wrong. Simple. "Know your audience" is a
time-tested maxim, and I just failed to do so in this case. Boob doesn't
even accurately describe it. So, let's say Boobier.

>>>Little guys like me won't have a chance but it would be fun just the
same.

If you think spelling your name with a little "j" makes you "little", then
you are even boobier than me[2]


[1]For the overly-curious - http://www.faqs.org/rfcs/rfc2549.html and
http://www.faqs.org/rfcs/rfc1149.html
[2]OK, so now I owe you a smiley, eh? I'm keeping it warm for you, and
I'll pull it out and show it to you when I see you. I promise not to type
with it until then.


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
*-5.75, -3.23*
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


--
*From:* joe
*Sent:* Thu 11/16/2006 8:12 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: M$


 Adrian, of the 41,000+ messages I have archived for this list, this is
the only thread I can find that you have responded to

It begs one question: if it is so beneath you and you are so lazy, why
bother?

If this is your way of introducing yourself, some will probably consider
it strike 1. While Laura can be feisty, many people do think she is
important. I happen to be one of those people. Certainly she has been
extremely helpful both here and in the newsgroups and is positively great in
personal email and in person, though in those forums as well she may get
feisty. Feisty doesn't bother me; what is important is technical quality and
how willing people are to share that quality and knowledge. I personally can
be a complete ass and kick sand on people; I try to temper it by also being
helpful occasionally.

So while I don't consider this strike 1 for you, I do hope that you
contribute in a positive meaningful manner at some point as Laura has done
on many occasions and hopefully will continue to do so.


Also, while this thread and others like it are off base, it is part and
parcel of this list and I don't expect them to go away any time soon. I
don't even wish that they do... If they do, the list might get a little
boring as there are strong "personalities" in this space and the collisions
are inevitable. From the standpoint of someone who has met personally a
great many of the "personalities" on the list and looking forward to meeting
even more, I actually find it oddly enjoyable at times. OT is in the
subject, that is clearly something that folks can filter out if they aren't
thrilled with this type of chatter.


My only other comment on this at this point is Deji you boob, even if it
were Laura Hunter, you should have used a smiley. Knowing all of you
personally... I know that either one of them could take you in a fist
fight... ;o)

If Gil has his ears on, DEC needs a boxing ring and those sumo outfits so
people can slam each other in person all in fun. We could have side wagers
and everything. Little guys like me won't have a chance but it would be fun
just the same.

  joe


 --
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



 --
*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Adrian Teodorescu
*Sent:* Thursday, November 16, 2006 10:35 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: M$



I'm too lazy to write and send you the bill (result : no explanation) and
also I'm too bored to enter in this "game" where you need to be, let's sa

RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Akomolafe, Deji

I believe I recommended this early on in the thread. Sometimes, it's easier 
(wiser) to not fight the fire. Demote, clean it out of AD/DNS/Sites. If you 
have the luxury, wipe and reinstall the box, otherwise, just do a rename of the 
box. Renaming it is strongly recommended unless you have scripts and 
applications into which you have hard-coded the name.


Sincerely, 
  _
 (, /  |  /)   /) /)   
   /---| (/_  __   ___// _   //  _ 
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
  (/   
Microsoft MVP - Directory Services

www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: hboogz
Sent: Thu 11/16/2006 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


AD sites.

3 one including the DR-site.

Regarding the question about demoting then promoting: if I have to go that
route, should I keep the same server name?


On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote: 
I apologize if I keep asking questions you've already answered, but how many sites are involved here?


Of course, by the time this hits the list, any replication that hasn't yet 
occurred probably will have. :-)

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


**Update***

I changed the userAccountControl attribute using the following direction:

Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want to change the
UserAccountControl value and select properties
* Go to the UserAccountControl attribute
* You should see a value (from what you have described): 536576
* Change that value to: 532480


I then followed the instructions found here: Re: access denied

http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server


net stop kdc

clear ticket cache

reset machine pwd


open Sites and Services and forced replication with phprint -- which succeeded

opened replmon and synchronized with phprint1.

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful


however, I still get an error to the child domain indicating access denied.

should I wait for AD replication for this to work?









--
HBooGz:\> 


RE: [ActiveDir] Domain and Subdomain. Duplicating accounts

2006-11-16 Thread Brian Desmond
What Laura said, plus: why do you have two domains for this scenario? I know 
nothing about your environment, but my instinct says that you don't need them.
 
Thanks,
Brian



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Thu 11/16/2006 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain and Subdomain. Duplicating accounts



Besides significantly increasing the likelihood of people logging onto the
wrong domain and generating support calls along the lines of "where's my
stuff?"

Not really. AD accommodates the same name in multiple domains, as long as
the UPNs are different (which they are, or account creation would have
failed).

Why doesn't the other SA just let people use their regular accounts?

Laura

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
> Sent: Thursday, November 16, 2006 4:48 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Domain and Subdomain. Duplicating accounts
>
> Hi,
>
> The company I work for has 2 office in 2 different states.
>
> The main office is domain.com and other office is a subdomain
> (sub.domain.com).
>
> Our users sometimes go to the other office (sub.domain.com)
> to work for a week or so. I just found out that the other SA has
> been creating accounts for my users in the subdomain.
>
> So now I have the "same" user in the domain and subdomain; besides
> being a stupid way of doing things, is there any technical
> issue this could create?
>
>
> Thanks
>
> Rezuma
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir@mail.activedir.org/
>
>
> 
>


Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread hboogz

Thanks Deji.

I understand.

I will re-examine the event log in the morning and plan for a demotion over
the weekend.

Besides removing the reference from AD/DNS/Sites, is there something else I
should do or look at to remove the reference?

Also, should I change the IP address? This I really don't want to do if I
really don't have to... ?

Thanks.

On 11/16/06, Akomolafe, Deji <[EMAIL PROTECTED]> wrote:


 I believe I recommended this early on in the thread. Sometimes, it's
easier (wiser) to not fight the fire. Demote, clean it out of AD/DNS/Sites.
If you have the luxury, wipe and reinstall the box, otherwise, just do a
rename of the box. Renaming it is strongly recommended unless you have
scripts and applications into which you have hard-coded the name.


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
*-5.75, -3.23*
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

--
*From:* hboogz
*Sent:* Thu 11/16/2006 7:35 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Kerberos is Killing Me!

AD sites.

3 one including the DR-site.

Regarding the question about demoting then promoting: if I have to go
that route, should I keep the same server name?

On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
>
>  I apologize if I keep asking questions you've already answered, but how
> many sites are involved here?
>
> Of course, by the time this hits the list, any replication that hasn't
> yet occurred probably will have. :-)
>
> Laura
>
>  --
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *hboogz
> *Sent:* Thursday, November 16, 2006 5:49 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Kerberos is Killing Me!
>
> **Update***
>
> I changed the userAccountControl attribute using the following
> direction:
>
> Did you follow:
> When using adsiedit:
> * Connect to the domain NC
> * Navigate to the Domain Controllers OU
> * Right click on the DC for which you want to change the
> UserAccountControl value and select properties
> * Go to the UserAccountControl attribute
> * You should see a value (from what you have described): 536576
> * Change that value to: 532480
>
> I then followed the instructions found here: Re: access denied
>
> http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true
>
> I did this from the phmaindc1 server
>
> net stop kdc
>
> clear ticket cache
>
> reset machine pwd
>
> open Sites and Services and forced replication with phprint -- which
> succeeded
>
> opened replmon and synchronized with phprint1.
>
> net start kdc
>
> ran: repadmin /showreps.
>
> replication to phprint1 came up as successful
>
> however, I still get an error to the child domain indicating access
> denied.
>
> should I wait for AD replication for this to work?
>
>
>
>


--
HBooGz:\>





--
HBooGz:\>


RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
You can leave the IP the same. If the demotion fails or goes awry in some
respect, you may have to do some metadata cleanup in addition to the DNS
cleanup (which I'm guessing is what Deji meant by "AD/DNS/Sites", but just
in case...). Given the, um, quirkiness of this environment, I suspect you
may have a difficult demotion ahead. I assume you've done metadata cleanup
before? If not, feel free to post, or just spend a lot of time typing "?" at
the ntdsutil prompts. I know there's a really good how-to out there
somewhere on using NTDSUTIL for this purpose, but to be honest, I'm pooped
and I have to be up early to talk NAP with one customer and convince another
that Volume License Activation isn't Evil Empire Voodoo designed to suck all
of the money out of their bank accounts. Otherwise, I'd dig it up for you.
Then again, I may be thinking of something I wrote, in which case it'll be
hard to find by searching the Internet. ;-) Seriously, though, if you can't
find anything helpful, I'm sure any number of people on this list have
either great links or great documents they wrote on using NTDSUTIL for
metadata cleanup.
 
Laura
 


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Friday, November 17, 2006 2:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


Thanks Deji.

I understand.

I will re-examine the event log in the morning and plan for a demotion over
the weekend.

Besides removing the reference from AD/DNS/Sites, is there something else I
should do or look at to remove the reference?

Also, should I change the IP address? This I really don't want to do if I
really don't have to... ?

Thanks.


On 11/16/06, Akomolafe, Deji <[EMAIL PROTECTED]> wrote:

I believe I recommended this early on in the thread. Sometimes, it's easier
(wiser) to not fight the fire. Demote, clean it out of AD/DNS/Sites. If you
have the luxury, wipe and reinstall the box, otherwise, just do a rename of
the box. Renaming it is strongly recommended unless you have scripts and
applications into which you have hard-coded the name. 
 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon 

   _  

From: hboogz
Sent: Thu 11/16/2006 7:35 PM 

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!



AD sites.

3 one including the DR-site.

Regarding the question about demoting then promoting: if I have to go that
route, should I keep the same server name?


On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:

I apologize if I keep asking questions you've already answered, but how many
sites are involved here?
 
Of course, by the time this hits the list, any replication that hasn't yet
occurred probably will have. :-)
 
Laura


   _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!



**Update***

I changed the userAccountControl attribute using the following direction:

Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want to change the
UserAccountControl value and select properties
* Go to the UserAccountControl attribute
* You should see a value (from what you have described): 536576
* Change that value to: 532480

I then followed the instructions found here: Re: access denied

http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server

net stop kdc

clear ticket cache

reset machine pwd

open Sites and Services and forced replication with phprint -- which
succeeded

opened replmon and synchronized with phprint1.

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful

however, I still get an error to the child domain indicating access denied.

should I wait for AD replication for this to work?










-- 
HBooGz:\> 




-- 
HBooGz:\> 







RE: [ActiveDir] Strange DC behaviour and error

2006-11-16 Thread Laura A. Robinson
Indeed you have! ;-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 8:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange DC behaviour and error


lol.

I did, Laura -- I think I've poured my life out in that thread.

=)


On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:

Then answer my questions! ;-)
 
Laura


  

however, i have another thread whereby Kerberos is just killing me.












-- 
HBooGz:\> 





