RE: [ActiveDir] File replication setup problem

2007-01-16 Thread Molkentin, Steve

Steve,

A little of column A and a little of column B.

DFSR is what you'd use if you were running R2. DFS is standard to
Win2K3, and uses FRS to do the replication (if used). Don't be afraid -
it's easier than FRS alone... although, I can tell you that you'd be
1000% better off replicating using DFSR (FRS is kludgy at best).

My $0.02 inc GST.

themolk.





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Tuesday, 16 January 2007 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File replication setup problem



If I'm reading the Microsoft instructions correctly, all you
have to run FRS is 2003 with SP1.  Am I wrong, people?  I am aware that
DFS will require R2...



FYI, none of the servers in question are running 2003R2.



Steve Egan







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 15, 2007 6:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File replication setup problem



Steve-



Is the box running R2? You need to upgrade to schema v31 (r2) if
so.



If not I tend to think your DNS is busted.



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Monday, January 15, 2007 8:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] File replication setup problem



Howdy, Brain Trust:



I have two servers, one in Poland, the other in Sweden, that I
want to install FRS on (and later upgrade to DFS) so that I can back
up these remote location files locally on a high-speed offsite backup
here in the States.  I'm attempting to go slow and do a little bit at a
time.



When I Run the New Replication Group Wizard and name the
replication group and hit Next, the following error happens:

company.com: The Active Directory schema on domain controller
ftp server.domain.com cannot be read.  This error might be caused by
a schema that has not been extended, or was extended improperly.  See
Help and Support Center for information about extending the Active
Directory schema.  A class schema object cannot be found.



I've tried and tried to extend the schema, the results are
normal (no errors), and still the AD schema is broken. It swears up and
down that it is a 2003 schema.  I can't install AD on the Sweden server
because something ain't right with it (schema), and now this.  I have
two servers running here in the states as DC's, and they both think they
are the top dog controller because whenever I try to do something like
this it tells me the schema is broken.  The FTP server and the mail
server are both set up as DC's, both have AD on them.  How do I tell one
of them that they are no longer the master?  Can I just delete (remove)
the AD schema from the ftp server and reinstall it without serious
breakage?  I'm not sure that a simple demote will do the trick. I'm
enough of a thumb-fingered idiot when it comes to AD that I live in fear
of really screwing the pooch if I do something like this - but I have to
get it solved somehow.



Somebody got a life preserver?



Steve Egan (temp)

Systems/Network Engineer

Occasional AD fumble-fingered idiot



This email (including any attachments)  contains confidential  information and 
is intended only for the named addressee. If you are not the named addressee 
you should not disseminate, distribute or copy this email. Please notify the 
sender immediately by email if you have received this email by mistake and 
delete this email from your system and destroy any copies.

This email is also subject to copyright. No part of it should be reproduced, 
adapted or communicated without the written consent of the copyright owner.

Email transmission cannot be guaranteed to be secure or error-free and  emails 
may be interfered with, may contain computer viruses or other defects and may 
not be successfully replicated on other systems. The sender does not give any 
warranties nor accepts any liability in relation to any of these matters. If 
you have any doubt about the authenticity of an email purportedly sent by us, 
please contact us immediately. 


Re: [ActiveDir] OT: Who needs that much ram anyway?

2007-01-16 Thread Martin Tuip


I can think of quite a few situations.  RAM is cheap as well compared to the 
early days.



Martin Tuip
Exchange MVP

- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 1:00 AM
Subject: [ActiveDir] OT: Who needs that much ram anyway?




 The Microsoft Exchange Information Store service stops responding on a
 computer that is running Windows Server 2003 and Exchange Server 2007

http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a computer 
that has more than 4 gigabytes (GB) of RAM.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx






Re: [ActiveDir] OT: Who needs that much ram anyway?

2007-01-16 Thread Matheesha Weerasinghe

All

Put your hands up if you are using this hotfix to its full potential ;-)

http://support.microsoft.com/kb/918844

On 1/16/07, Martin Tuip [EMAIL PROTECTED] wrote:


I can think of quite a few situations.  RAM is cheap as well compared to the
early days.


Martin Tuip
Exchange MVP

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 1:00 AM
Subject: [ActiveDir] OT: Who needs that much ram anyway?



  The Microsoft Exchange Information Store service stops responding on a
  computer that is running Windows Server 2003 and Exchange Server 2007

 http://support.microsoft.com/?kbid=928368

 This problem occurs if Exchange Server 2007 is installed on a computer
 that has more than 4 gigabytes (GB) of RAM.



RE: [ActiveDir] Policy Failing to apply

2007-01-16 Thread Dave Wade
I have checked and there is no folder redirection in place, either by policy, 
or manually applied:-( 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: 15 January 2007 22:48
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Policy Failing to apply
 
 Just to add the detail to prove I am not totally mad.
 
 http://support.microsoft.com/kb/888254
 
 You cannot set the Folder Redirection policy setting on a 
 Windows XP SP2-based computer that also uses Group Policy 
 settings to customize Internet Explorer
 
 Note: Group Policy settings that can customize Internet 
 Explorer include Proxy Settings and Start Page.
 
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: 15 January 2007 17:15
 To: ActiveDir.org
 Subject: Re: [ActiveDir] Policy Failing to apply
 
 Do you use Folder redirection too?
 
 I have come across an issue a couple of times where IE  is 
 customised in some way and folder redirection is enabled - 
 this can cause GP not to be applied.
 
 There is a hotfix but I cannot look it up at the moment and I 
 am not sure if it was fixed in SP2 or not.
 
 
 
 
 Regards,
 
 Mark Parris
 
 Base IT Ltd
 Active Directory Consultancy
 Tel +44(0)7801 690596
 
 
 -Original Message-
 From: Dave Wade [EMAIL PROTECTED]
 Date: Mon, 15 Jan 2007 16:30:37
 To:ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Policy Failing to apply
 
 Oh yes, no one can surf the net without it. We do get 
 occasional issues where it does not apply, and some times we 
 set it manually while we sort the problem out. Normally if we 
 do this the settings stick and don't get wiped when the 
 policy refreshes. However in this case they are wiped when 
 the user logs in. It appears to be some issue with the users 
 settings as the problem follows her from PC to PC.
  
  
 
  From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Darren Mar-Elia
 Sent: 15 January 2007 15:24
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Policy Failing to apply
 
  
  
  
 Dave-
  
 Does that same proxy policy work for any other users correctly? 
  
 
 Darren
  
  
  
  
  
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
 Sent: Monday, January 15, 2007 3:49 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Policy Failing to apply
  
  
  
  
 Folks,
  
  
  
  
  
  I have a user for whom the Internet Explorer Proxy settings 
 are not applying correctly. They are set in the user portion 
 of the Default Domain Policy. I have checked with Group 
 Policy Results tool in the Group Policy Management snap in 
 and it reports that they have been applied. But when the user 
 tries to surf the net they can't, and on checking in IE the 
 proxy fields are blank.
  
  
  
  
  
 To make matters worse if I manually set the proxy, and then 
 do a gpupdate /force they are cleared. 
  
  
  
  
  
 I have checked the event log on the machine and there is 
 nothing obvious amiss there. Has any one any idea why this is 
 happening before I start turning on userenv debugging?
  
  
  
  
  
 Not this is an isolated incident, and it appears to follow 
 the user rather than being machine specific.
  
  
  
  
 Dave Wade
  
 0161 474 5456
  
  
  
  
  
  
  
 
 
 **
 This email, and any files transmitted with it, is 
 confidential and intended solely for the use of the 
 individual or entity to whom they are addressed. As a public 
 body, the Council may be required to disclose this email, or 
 any response to it, under the Freedom of Information Act 
 2000, unless the information in it is covered by one of the 
 exemptions in the Act. 
 
 If you receive this email in error please notify Stockport 
 e-Services via [EMAIL PROTECTED] and then 
 permanently remove it from your system. 
 
 Thank you.
 
 http://www.stockport.gov.uk
 **
 
 
 
 
 



RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-16 Thread Donavon Yelton
I moved to another switch and I still get the same issue and I can't go any 
further with drivers.  I suppose the step I need to take now is to purchase a 
new NIC.  Since everyone has strong feelings for Intel I wanted to ask what you 
guys suggest.  This is a HP DL585 G2 server (rackmount) with PCI-X slots.

Donavon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Monday, January 15, 2007 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

I've seen errors like this on a server that either had a bad NIC, bad drivers 
or was connected to a bad port on a switch. The only way I was able to correct 
it was to switch the primary IP address to another NIC in the server that was 
connected but not configured. It was an interesting exercise at the time since 
I couldn't get to the console.

In my experience, that kind of DNS response is indicative of packet corruption 
of some sort.

Wook

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

Well, in doing that it did pop up a couple of things.  I'm certainly nowhere 
close to an advisor on this so if one of you more familiar could help me out on 
deciphering the code on a couple of things.  Are the following two items normal 
(they didn't look right to me):

1) DNS: Question Section: 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN. of type Unknown 
Type on class Unknown Class
DNS: 0x32E3:Std Qry Resp. for [EMAIL PROTECTED]

2) DNS: Question Section: 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain. of type Unknown 
Type on class Unknown Class
DNS: 0xB4E5:Std Qry Resp. for . of type Unknown Type on class Unknown Class

You may need more information so if I can get you anything else let me know.  
These entries just seem out of place to me, especially the one that has been 
displayed as [EMAIL PROTECTED]

Donavon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

The other thing that would probably be worthwhile is to do a sniffer trace from 
this server during the GP processing cycle. That may point out some network 
issues that are not coming out of the userenv log.

Darren


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Sorry, just catching up here. In terms of updating the driver, if it's a MS 
provided driver, I think it would say it in the Driver Details. You might want 
to run Windows Update and see if there are any optional updates for that NIC 
driver--if MS provided it originally they may have a Windows Update way of 
getting it.

In terms of disabling slow link for all users, that's a toughie, because that 
key is in HKEY_CURRENT_USER, which means a user has to be logged on to deliver 
it, but it's also in the policies key, which is permissioned away from regular 
users by default. If you can get GP to process at least once when the user logs 
on, then you can deliver it using the User Configuration GP setting. However, 
if per-user GP processing is not working, it's kind of a chicken-and-egg thing. 
The not-so-fun way of doing this would be to temporarily make all users logging 
into that MS a member of the local Administrators group, and then deliver the 
slow link disabling registry entry via logon script. But, that is not ideal of 
course.

Darren


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

I'm not about to give up on the Broadcom NICs as this is a brand new server 
that cost as much as a Honda Accord.  I'm not sure I can believe that HP would 
put a defective card in such a machine.  You'd think others would have the same 
issues in mass quantity if that were the case.  I'm also using Broadcoms in 
other HP servers here (including the two DCs) and they have not had any issues. 
 It is all too easy to chalk up a problem like this to network cards, but I 
don't think it explains why the GPO is applied successfully without issues 
within the first 15 minutes or so after a reboot.  There are no other problems 
cropping up from these Broadcoms either.

Now for a question, how do I disable slow link detection for all terminal 
service users on this problem server since that seems 

RE: [ActiveDir] push a URL in the trusted zone with GPO...

2007-01-16 Thread Bruyere, Michel
Hi, 
Sorry for the late response, I was in a Go Live so I didn't
watch/post to the list for many days.

Thanks for the answer, I corrected it by removing the IE7 settings (yes,
we are stuck with IE6 on most stations; our ERP doesn't support IE7
yet). 

Thanks! 



- -Original Message-
- From: [EMAIL PROTECTED] [mailto:ActiveDir-
- [EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
- Sent: January 6, 2007 12:18 PM
- To: ActiveDir@mail.activedir.org
- Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO...
- 
- Could be an issue if the lists ever differ. I don't remember how they
- merge (or don't). Probably best to put it in one place.
- 
- -Original Message-
- From: [EMAIL PROTECTED]
- [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
- Sent: Saturday, January 06, 2007 7:37 AM
- To: ActiveDir@mail.activedir.org
- Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO...
- 
- Thanks, I have both, so I replicated the settings in both places. Do you
- think this can cause me problems?
- 
- 



RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

2007-01-16 Thread Javier Jarava
Sorry for the delay on getting back on this, had a few things piled up after
New Year's...

You're right on the fact that routers isolating the VLANs limit the impact
of this issue... The problem is that the idea is to re-configure routers
to forward DHCP traffic, so that we get DHCP service on all VLANs from one/a
few DHCP servers, instead of having to setup a DHCP server on each VLAN.

Somebody suggested having a multi-homed DHCP server, with a leg on each
VLAN, so that we get containment and DHCP service on every VLAN. I don't
know at the moment if that's possible (I have to check with the client, to
see if their network topology has a hub where all VLANs come close).
OTOH, I am wondering if it'd be possible to configure the routers so that
they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers (something
similar to what we've done with the local filtering on the workstations)...
We'd still have problems with a rogue DHCP server in a VLAN, but we wouldn't
have to go the multi-homed server route...

Thanks a lot for the input received so far. It's made me explore several
options that I had not considered ;)

As always, a pleasure.

Javier

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, 09 January 2007 9:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

Your last statement is true but then if routers restrict BOOTP traffic
as I describe, then the rogue DHCP server will only affect the VLAN on
which it exists. At least that way, you've reduced the impact.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

Hi, Neil!!

That's another thing I'll have to look into :) I am aware that it's
possible to do DHCP-proxy to pass along the DHCP requests to the proper
servers.
That's something that will have to be done, as the client's network is
split in different VLAN segments, and in multiple locations/sites, and
they'd like to have a reduced number of DHCP servers.

But, useful and necessary as it is, this won't prevent a rogue/malicious
DHCP server on the same LAN segment from playing havoc with the systems.

Thanks for the heads-up though.

Javier Jarava

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED] Sent: Monday, 08 January 2007 14:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

In addition to the below, routers can be configured to only forward
BOOTP packets to/from 'authorised' DHCP servers.

neil


___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: 08 January 2007 12:20
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP 
 servers? (or how do you find it?)
 
 Hi all!
 
 Just wondering, is there a way to prevent a rogue DHCP server from 
 playing havoc with a network?
 
 I have been digging into dhcp security but I haven't really found 
 anything that makes it possible to auth. a DHCP server, so that the 
 clients don't fall for a rogue one.
 
 From what I've seen, the approach MS follows is that IF your DHCP 
 server is
 Windows-based, you have to auth it on the Domain. That prevents the 
 AD/infrastructure admins from shooting themselves on the foot by 
 having too many/improperly configured servers.. But that won't stop a 
 rogue VM from being a nuisance...
 
 I've found this problem in one of our customers sites. They use static
 IP addressing, but we were setting up a few of their computers with a 
 different sw load and configuration, and they wanted to use DHCP to 
 make config changes more dynamic. When running on an isolated network
 segment, all was fine, but once we moved into their network (to do a
 pilot test) we found a DHCP server serving a range outside their own, 
 and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the wrong classid. I think
you can also control via group policy.


 What's more, nmap'ing the server, it had a VMWARE-owned MAC and no 
 open ports whatsoever (tcp/udp), at least that I could 

[ActiveDir] Delegating Permissions

2007-01-16 Thread Frank Abagnale
Hi,
  I have a question regarding access permissions within Active Directory and 
Local Servers.
  Basically, Information Security would like to have the ability to have access 
to all of Active Directory, Logon to Servers and access File Shares/Exchange 
Mailboxes.
  Is this achievable without making them domain admins? What do you do for 
Information Security in your orgs?
  thanks Frank

 

RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

2007-01-16 Thread neil.ruston
OTOH, I am wondering if it'd be possible to configure the routers so
that they only allow DHCP OFFER/ACK/NACK from auth.

In case you weren't sure - this is exactly what I was suggesting you
consider, in my first post :)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 16 January 2007 13:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

Sorry for the delay on getting back on this, had a few things piled up
after New Year's...

You're right on the fact that routers isolating the VLANs limit the
impact of this issue... The problem is that the idea is to
re-configure routers to forward DHCP traffic, so that we get DHCP
service on all VLANs from one/a few DHCP servers, instead of having to
setup a DHCP server on each VLAN.

Somebody suggested having a multi-homed DHCP server, with a leg on
each VLAN, so that we get containment and DHCP service on every VLAN. I
don't know at the moment if that's possible (I have to check with the
client, to see if their network topology has a hub where all VLANs
come close).
OTOH, I am wondering if it'd be possible to configure the routers so
that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers
(something similar to what we've done with the local filtering on the
workstations)...
We'd still have problems with a rogue DHCP server in a VLAN, but we
wouldn't have to go the multi-homed server route...

Thanks a lot for the input received so far. It's made me explore several
options that I had not considered ;)

As always, a pleasure.

Javier

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED] Sent: Tuesday, 09 January 2007 9:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

Your last statement is true but then if routers restrict BOOTP traffic
as I describe, then the rogue DHCP server will only affect the VLAN on
which it exists. At least that way, you've reduced the impact.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

Hi, Neil!!

That's another thing I'll have to look into :) I am aware that it's
possible to do DHCP-proxy to pass along the DHCP requests to the proper
servers.
That's something that will have to be done, as the client's network is
split in different VLAN segments, and in multiple locations/sites, and
they'd like to have a reduced number of DHCP servers.

But, useful and necessary as it is, this won't prevent a rogue/malicious
DHCP server on the same LAN segment from playing havoc with the systems.

Thanks for the heads-up though.

Javier Jarava

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED] Sent: Monday, 08 January 2007 14:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

In addition to the below, routers can be configured to only forward
BOOTP packets to/from 'authorised' DHCP servers.

neil


___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: 08 January 2007 12:20
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP 
 servers? (or how do you find it?)
 
 Hi all!
 
 Just wondering, is there a way to prevent a rogue DHCP server from 
 playing havoc with a network?
 
 I have been digging into dhcp security but I haven't really found 
 anything that makes it possible to auth. a DHCP server, so that the 
 clients don't fall for a rogue one.
 
 From what I've seen, the approach MS follows is that IF your DHCP 
 server is
 Windows-based, you have to auth it on the Domain. That prevents the 
 AD/infrastructure admins from shooting themselves on the foot by 
 having too many/improperly configured servers.. But that won't stop a 
 rogue VM from being a nuisance...
 
 I've found this problem in one of our customers sites. They use static
 IP addressing, but we were setting up a few of their computers with a 
 different sw load and configuration, and they wanted to use DHCP to 
 make config changes more dynamic. When running on an 
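
The rule discussed in this thread (accept DHCP OFFER/ACK/NAK only from authorised servers), written as a passive detection check over captured DHCP payloads. This is an added example, not code from any poster on the list; the addresses, the sample capture and all function names are constructed for illustration, and it assumes the UDP payloads have already been extracted from a capture.

```python
import ipaddress
import struct

BOOTP_FIXED_LEN = 236                 # fixed BOOTP header that precedes the options
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # marks the start of the DHCP options field
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_REPLIES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # message types only a server sends


class MalformedDhcp(ValueError):
    """Raised when a payload cannot be parsed as DHCP."""


def parse_options(payload):
    """Return {option_code: value_bytes} from a UDP payload carrying DHCP."""
    if len(payload) < BOOTP_FIXED_LEN + len(MAGIC_COOKIE):
        raise MalformedDhcp("payload shorter than BOOTP header plus cookie")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise MalformedDhcp("magic cookie missing")
    options, i = {}, BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise MalformedDhcp("option %d has no length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise MalformedDhcp("option %d is truncated" % code)
        options.setdefault(code, value)   # keep the first instance of an option
        i += 2 + length
    return options


def check_reply(src_ip, payload, authorised):
    """Classify one packet; None for client traffic, else a verdict dict.

    `authorised` holds the sanctioned DHCP server addresses (plus any relay
    interfaces that forward for them, if replies are seen after a relay).
    """
    options = parse_options(payload)
    msg = options.get(OPT_MSG_TYPE, b"")
    if payload[0] != 2 or len(msg) != 1 or msg[0] not in SERVER_REPLIES:
        return None                       # not a BOOTREPLY carrying OFFER/ACK/NAK
    sid = options.get(OPT_SERVER_ID, b"")
    server_id = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else None
    # Option 54 is set by the sender, so the packet's source address must match too.
    ok = src_ip in authorised and server_id in authorised
    return {"type": SERVER_REPLIES[msg[0]], "src": src_ip, "server_id": server_id,
            "client_mac": payload[28:34].hex(":"), "authorised": ok}


def find_rogue_replies(capture, authorised):
    """Return the unauthorised server replies in an iterable of (src_ip, payload)."""
    rogue = []
    for src_ip, payload in capture:
        try:
            verdict = check_reply(src_ip, payload, authorised)
        except MalformedDhcp:
            continue                      # skip non-DHCP or damaged payloads
        if verdict and not verdict["authorised"]:
            rogue.append(verdict)
    return rogue


def build_packet(op, msg_type, server_id=None, mac="02005e000001"):
    """Build a minimal DHCP payload for the constructed sample capture below."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234ABCD, 0, 0,
                        bytes(4), bytes(4), bytes(4), bytes(4),
                        bytes.fromhex(mac), b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


AUTHORISED = {"10.0.0.5"}   # constructed: the one sanctioned DHCP server
SAMPLE_CAPTURE = [          # constructed packets, not taken from the thread
    ("0.0.0.0", build_packet(1, 1)),                     # client DISCOVER
    ("10.0.0.5", build_packet(2, 2, "10.0.0.5")),        # OFFER from the sanctioned server
    ("192.168.1.1", build_packet(2, 2, "192.168.1.1")),  # OFFER from an unknown server
    ("192.168.1.1", build_packet(2, 5, "10.0.0.5")),     # ACK naming the real server, wrong source
    ("10.0.0.9", b"\x02" * 100),                         # damaged payload, skipped
]

if __name__ == "__main__":
    for hit in find_rogue_replies(SAMPLE_CAPTURE, AUTHORISED):
        print(hit)
```
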

RE: [ActiveDir] Delegating Permissions

2007-01-16 Thread neil.ruston
That's a very 'it depends' type question, but here's a rough framework:
 
1. Sit down with the IS guys and discuss at length their requirements
2. Create additional (secondary) user IDs for the IS people, based upon
their requirements
3. Ensure that these secondary logons' usage is monitored
 
I would suggest you grant the guys the minimum privileges required, but
this can only be achieved by spending time at stage 1, above.
 
I'm sure others will chip in with their experiences too, but hopefully
the above helps you make a start.
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: 16 January 2007 13:48
To: Active
Subject: [ActiveDir] Delegating Permissions


Hi,
I have a question regarding access permissions within Active Directory
and Local Servers.
Basically, Information Security would like to have the ability to have
access to all of Active Directory, Logon to Servers and access File
Shares/Exchange Mailboxes.
Is this achievable without making them domain admins? What do you do for
Information Security in your orgs?
thanks Frank

  _  


PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments.  NIplc
does not provide investment services to private customers.  Authorised and
regulated by the Financial Services Authority.  Registered in England
no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP.  A member of the Nomura group of companies.



[ActiveDir] adminsdholder

2007-01-16 Thread Graham Turner
Dear all, I think we are experiencing issues re not being able to reset 
permissions on
an object that was previously a member of protected groups

I have read that the issue is around the reset of the value of 'admincount' 
attribute.

As I learn this gets set to 1 when it becomes a member of protected groups, 
but ju

I wanted to confirm that it is a 'supported' operation to merely reset this data 
to 0
to undo the effect of adminsdholder?

Or whether there are other changes that need to be considered?

G












RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-16 Thread Donavon Yelton
Considering a HP NC360T card for my problem server.  Anyone have any objections 
to using this card?  It is Intel based (Intel 82571EB).

Thanks for all of the help!

Donavon 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Tuesday, January 16, 2007 8:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

I moved to another switch and I still get the same issue and I can't go any 
further with drivers.  I suppose the step I need to take now is to purchase a 
new NIC.  Since everyone has strong feelings for Intel I wanted to ask what you 
guys suggest.  This is a HP DL585 G2 server (rackmount) with PCI-X slots.

Donavon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Monday, January 15, 2007 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

I've seen errors like this on a server that either had a bad NIC, bad drivers 
or was connected to a bad port on a switch. The only way I was able to correct 
it was to switch the primary IP address to another NIC in the server that was 
connected but not configured. It was an interesting exercise at the time since 
I couldn't get to the console.

In my experience, that kind of DNS response is indicative of packet corruption 
of some sort.

Wook

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

Well, in doing that it did pop up a couple of things.  I'm certainly nowhere 
close to an advisor on this so if one of you more familiar could help me out on 
deciphering the code on a couple of things.  Are the following two items normal 
(they didn't look right to me):

1) DNS: Question Section: 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN. of type Unknown 
Type on class Unknown Class
DNS: 0x32E3:Std Qry Resp. for [EMAIL PROTECTED]

2) DNS: Question Section: 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain. of type Unknown 
Type on class Unknown Class
DNS: 0xB4E5:Std Qry Resp. for . of type Unknown Type on class Unknown Class

You may need more information so if I can get you anything else let me know.  
These entries just seem out of place to me, especially the one that has been 
displayed as [EMAIL PROTECTED]

Donavon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

The other thing that would probably be worthwhile is to do a sniffer trace from 
this server during the GP processing cycle. That may point out some network 
issues that are not coming out of the userenv log.

Darren


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Sorry, just catching up here. In terms of updating the driver, if it's a MS 
provided driver, I think it would say it in the Driver Details. You might want 
to run Windows Update and see if there are any optional updates for that NIC 
driver--if MS provided it originally they may have a Windows Update way of 
getting it.

In terms of disabling slow link for all users, that's a toughie, because that 
key is in HKEY_CURRENT_USER, which means a user has to be logged on to deliver 
it, but it's also in the policies key, which is permissioned away from regular 
users by default. If you can get GP to process at least once when the user logs 
on, then you can deliver it using the User Configuration GP setting. However, 
if per-user GP processing is not working, it's kind of a chicken-and-egg thing. 
The not-so-fun way of doing this would be to temporarily make all users logging 
into that MS a member of the local Administrators group, and then deliver the 
slow link disabling registry entry via logon script. But, that is not ideal of 
course.

Darren


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

I'm not about to give up on the Broadcom NICs as this is a brand new server 
that cost as much as a Honda Accord.  I'm not sure I can believe that HP would 
put a defective card in such a machine.  You'd think others would have the same 
issues in mass quantity if that were the case.  I'm also using Broadcoms in 
other HP servers here (including the two DCs) and 

Re: [ActiveDir] OT: Who needs that much ram anyway?

2007-01-16 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

(it was a joke)  I'm just surprised it needs a fix already.

Martin Tuip wrote:


I can think of quite a few situations.  RAM is cheap as well compared 
to the early days.



Martin Tuip
Exchange MVP

- Original Message - From: Susan Bradley, CPA aka Ebitz - SBS 
Rocks [MVP] [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 1:00 AM
Subject: [ActiveDir] OT: Who needs that much ram anyway?




 The Microsoft Exchange Information Store service stops responding on a
 computer that is running Windows Server 2003 and Exchange Server 2007

http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a 
computer that has more than 4 gigabytes (GB) of RAM.




[ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Rich Milburn
I've found a little bit of info on this googling, and the results I'm
finding seem to be related to replication problems, lack of SP1, or
other issues with DCs that need to be reinstalled (reason not
identified).  What's happening is that computer accounts are getting
deleted - most of them are ones that can't update their passwords
because they have been turned off, or in the case of a group of users,
their computers have Deep Freeze running on them, and those computers
update their passwords but apparently the computers reset when they are
rebooted so the password is reset to the old one too.  But the issues
are not isolated to these accounts. 

We do not have an automated process set up to delete these accounts.

This is Server 2003, non-SP1 (that's scheduled for this Friday).  There
are no discovered replication errors, they have checked for those.  We
only have 6 DCs, two each for a root and two child domains, and this is
happening in one of the child domains.

Here is an example event that we are getting.  If anyone has seen this
before or has any ideas, we'll be most appreciative.

Event Type:   Error
Event Source:NETLOGON
Event Category: None
Event ID:   5723
Date:1/16/2007
Time:9:21:28 AM
User:N/A
Computer: CORPDC2
Description:
The session setup from computer 'ACCT-95XDP11' failed because the
security database does not contain a trust account 'ACCT-95XDP11$'
referenced by the specified computer.  

USER ACTION  
If this is the first occurrence of this event for the specified computer
and account, this may be a transient issue that doesn't require any
action at this time. Otherwise, the following steps may be taken to
resolve this problem:  

If 'ACCT-95XDP11$' is a legitimate machine account for the computer
'ACCT-95XDP11', then 'ACCT-95XDP11' should be rejoined to the domain.  

If 'ACCT-95XDP11$' is a legitimate interdomain trust account, then the
trust should be recreated.  

Otherwise, assuming that 'ACCT-95XDP11$' is not a legitimate account,
the following action should be taken on 'ACCT-95XDP11':  

If 'ACCT-95XDP11' is a Domain Controller, then the trust associated with
'ACCT-95XDP11$' should be deleted.  

If 'ACCT-95XDP11' is not a Domain Controller, it should be disjoined
from the domain.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
: 8b 01 00 c0

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous



RE: [ActiveDir] R2 Schema

2007-01-16 Thread Isenhour, Joseph
Thanks to everyone for the feedback.  It was very helpful.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 12, 2007 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

No. I've done numerous upgrades in this scenario. It takes like five
minutes.

There's a known issue someone here will/probably has commented on with
SFU I believe but other than that it's good.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, January 12, 2007 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in
our W2K3 SP1 environment.  The plan is to take advantage of the new DFS
extensions.

We don't have any plans to upgrade to R2 in the foreseeable future so
we'd basically be running W2K3 with the R2 schema for several months or
years.  Does anyone see any potential issues with that?


RE: [ActiveDir] OT: Who needs that much ram anyway?

2007-01-16 Thread Brian Desmond
The more you can get in memory, the better. 32GB is the threshold for
Exchange before it stops making sense.

I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
ram before...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
 SBS Rocks [MVP]
 Sent: Tuesday, January 16, 2007 4:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Who needs that much ram anyway?
 
 
   The Microsoft Exchange Information Store service stops responding on
 a
   computer that is running Windows Server 2003 and Exchange Server
2007
 
 http://support.microsoft.com/?kbid=928368
 
 This problem occurs if Exchange Server 2007 is installed on a computer
 that has more than 4 gigabytes (GB) of RAM.
 


RE: [ActiveDir] adminsdholder

2007-01-16 Thread Almeida Pinto, Jorge de
setting the attribute to 0 only will not help
 
to stop the adminsdholder from managing a certain group/user you either:
* remove it from a protected group, check inheritance and reset admincount to not set
* configure dsheuristics (forest-wide config) as mentioned in http://support.microsoft.com/?id=817433 for some default protected groups (not recommended as you should not use the default admin groups, but instead delegate stuff)
 
also see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Tue 2007-01-16 15:37
To: activedir@mail.activedir.org
Subject: [ActiveDir] adminsdholder



Dear all, i think we are experiencing issues re not being able to reset permissions on
an object that was previously member of protected groups

i have read that the issue is around the reset of the value of 'admincount' attribute.

as i learn this gets set to 1 when it becomes a member of protected groups, 
but ju

i wanted to confirm that is a 'supported' operation to merely reset this data to 0
to undo the effect of adminsdholder ??

or whether there are other changes that need to be considered. ?

G











RE: [ActiveDir] adminsdholder

2007-01-16 Thread O'Brien, Cathy
You'll also need to re-enable inheritance on the affected account. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, January 16, 2007 6:37 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adminsdholder

Dear all, i think we are experiencing issues re not being able to reset
permissions on an object that was previously member of protected groups

i have read that the issue is around the reset of the value of 'admincount'
attribute.

as i learn this gets set to 1 when it becomes a member of protected
groups, but ju

i wanted to confirm that is a 'supported' operation to merely reset this
data to 0 to undo the effect of adminsdholder ??

or whether there are other changes that need to be considered. ?

G










List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
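
The replies above name three things to check on an object that has left the protected groups: membership, inheritance and admincount. The following is an added example, not code from the thread or from Microsoft, that audits exported directory records for those three conditions. The record layout, the DNs, the protected-group list and the header-only security descriptors are constructed assumptions; memberOf does not include an account's primary group, which has to be checked separately.

```python
import struct

SE_DACL_PROTECTED = 0x1000   # Control bit: the DACL does not inherit from the parent


def dacl_protected(sd):
    """Read the Control field of a self-relative security descriptor (nTSecurityDescriptor)."""
    if len(sd) < 20:
        raise ValueError("security descriptor shorter than its 20-byte header")
    revision, sbz1, control = struct.unpack_from("<BBH", sd)
    if revision != 1:
        raise ValueError("unexpected security descriptor revision")
    return bool(control & SE_DACL_PROTECTED)


def protected_via(dn, index, protected):
    """Return the memberOf chain from dn to a protected group, or None.

    index maps lower-cased DN -> list of group DNs; nested groups are followed
    and a 'seen' set stops circular nesting from looping forever.
    """
    stack, seen = [(dn, [])], set()
    while stack:
        current, path = stack.pop()
        key = current.lower()
        if key in seen:
            continue
        seen.add(key)
        for group in index.get(key, []):
            chain = path + [group]
            if group.lower() in protected:
                return chain
            stack.append((group, chain))
    return None


def audit(objects, member_of, protected_groups):
    """Report every adminCount=1 object and what is still left to do on it."""
    protected = {g.lower() for g in protected_groups}
    index = {dn.lower(): groups for dn, groups in member_of.items()}
    findings = []
    for obj in objects:
        if obj.get("adminCount") != 1:
            continue
        chain = protected_via(obj["dn"], index, protected)
        if chain:
            # Still protected: clearing adminCount alone will be undone.
            findings.append({"dn": obj["dn"], "state": "protected",
                             "via": chain, "todo": ["remove from protected group"]})
            continue
        todo = ["clear adminCount"]
        if dacl_protected(obj["sd"]):
            todo.insert(0, "re-enable inheritance")
        findings.append({"dn": obj["dn"], "state": "orphaned", "via": None, "todo": todo})
    return findings


def make_sd(control):
    """Header-only security descriptor with the given Control word (constructed sample)."""
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, 0)


# Constructed sample data for a fictional example.com domain.
BASE = "DC=example,DC=com"
PROTECTED = ["CN=Account Operators,CN=Builtin," + BASE]
MEMBER_OF = {
    "CN=alice,OU=Staff," + BASE: ["CN=Helpdesk,OU=Groups," + BASE],
    "CN=Helpdesk,OU=Groups," + BASE: ["CN=Account Operators,CN=Builtin," + BASE],
    "CN=bob,OU=Staff," + BASE: ["CN=Staff,OU=Groups," + BASE],
}
OBJECTS = [
    {"dn": "CN=alice,OU=Staff," + BASE, "adminCount": 1, "sd": make_sd(0x9004)},
    {"dn": "CN=bob,OU=Staff," + BASE, "adminCount": 1, "sd": make_sd(0x9004)},
    {"dn": "CN=carol,OU=Staff," + BASE, "adminCount": 1, "sd": make_sd(0x8004)},
    {"dn": "CN=dave,OU=Staff," + BASE, "adminCount": None, "sd": make_sd(0x8004)},
]


def sample_findings():
    return audit(OBJECTS, MEMBER_OF, PROTECTED)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding["dn"], finding["state"], finding["todo"])
```
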


RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

2007-01-16 Thread Al Garrett
Not sure about other switch brands... we've been Cisco-centric for
years.

The command in Cisco IOS is ip helper-address x.x.x.x to tell DHCP
packets where to go across VLANs... but

This still doesn't prevent a rogue DHCP server from popping up on a
VLAN. (Think about a Linksys wired/wireless router brought to work by a
well-meaning but technically-challenged person and plugged into a local
port in order to get wireless in their cubicle/office)

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, January 16, 2007 6:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

OTOH, I am wondering if it'd be possible to configure the routers so
that they only allow DHCP OFFER/ACK/NACK from auth.

In case you weren't sure - this is exactly what I was suggesting you
consider, in my first post :)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 16 January 2007 13:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

Sorry for the delay on getting back on this, had a few things piled up
after New Year's...

You're right on the fact that routers isolating the VLANs limit the
impact of this issue... The problem is that the idea is to
re-configure routers to forward DHCP traffic, so that we get DHCP
service on all VLANs from one/a few DHCP servers, instead of having to
setup a DHCP server on each VLAN.

Somebody suggested having a multi-homed DHCP server, with a leg on
each VLAN, so that we get containment and DHCP service on every VLAN. I
don't know at the moment if that's possible (I have to check with the
client, to see if their network topology has a hub where all VLANs
come close).
OTOH, I am wondering if it'd be possible to configure the routers so
that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers
(something similar to what we've done with the local filtering on the
workstations)...
We'd still have problems with a rogue DHCP server in a VLAN, but we
wouldn't have to go the multi-homed server route...

Thanks a lot for the input received so far. It's made me explore several
options that I had not considered ;)

As always, a pleasure.

Javier

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, 09 January 2007 9:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

Your last statement is true but then if routers restrict BOOTP traffic
as I describe, then the rogue DHCP server will only affect the VLAN on
which it exists. At least that way, you've reduced the impact.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

Hi, Neil!!

That's another thing I'll have to look into :) I am aware that it's
possible to do DHCP-proxy to pass along the DHCP requests to the proper
servers.
That's something that will have to be done, as the client's network is
split in different VLAN segments, and in multiple locations/sites, and
they'd like to have a reduced number of DHCP servers.

But, useful and necessary as it is, this won't prevent a rogue/malicious
DHCP server on the same LAN segment from playing havoc with the systems.

Thanks for the heads-up though.

Javier Jarava

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, 08 January 2007 14:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

In addition to the below, routers can be configured to only forward
BOOTP packets to/from 'authorised' DHCP servers.

neil


___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
servers? (or how do you find it?)

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: 08 January 2007 12:20
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP 
 servers? (or how do you find it?)
 
 Hi all!
 
 Just wondering, is there a way to prevent a rogue DHCP server from 
 playing havoc with a network?
 
 I have been digging into dhcp 

RE: [ActiveDir] adminsdholder

2007-01-16 Thread Graham Turner
Jorge, thanks for your reply post

i certainly favour the former option on account of the other being a forest-wide
configuration.

on this basis if we have removed the user from protected groups then doesn't 
setting
do the job ?

the permission we are 'losing' is not one that is set at parent OU level and set
explicitly on the object so inheritance of the permission is not

OR is there something else that needs to be re-enabled by changing the inheritance
on the user object ??

GT


1. removed user from all protected groups


 setting the attribute to 0 only will not help

 to stop the adminsdholder from managing a certain group/user you either:
 * remove it from a protected group, check inheritance and reset admincount to 
 not
 set
 * configure dsheuristics (forest-wide config) as mentioned in
 http://support.microsoft.com/?id=817433 for some default protected groups (not
 recommended as you should not use the default admin groups, but instead 
 delegate
 stuff)

 also see:
 http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

 Met vriendelijke groeten / Kind regards,
 Ing. Jorge de Almeida Pinto
 Senior Infrastructure Consultant
 MVP Windows Server - Directory Services

 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 (   Tel : +31-(0)40-29.57.777
 (   Mobile : +31-(0)6-26.26.62.80
 *   E-mail : see sender address

 

 From: [EMAIL PROTECTED] on behalf of Graham Turner
 Sent: Tue 2007-01-16 15:37
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] adminsdholder



 Dear all, i think we are experiencing issues re not being able to reset permissions on
 an object that was previously member of protected groups

 i have read that the issue is around the reset of the value of 'admincount'
 attribute.

 as i learn this gets set to 1 when it becomes a member of protected groups, but
 ju

 i wanted to confirm that is a 'supported' operation to merely reset this data to 0
 to undo the effect of adminsdholder ??

 or whether there are other changes that need to be considered. ?

 G












RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

2007-01-16 Thread Brian Desmond
On Cisco's you should be looking at a switchport level feature called
DHCP snooping.

ip helper-address does more than just forward DHCP packets just an FYI.

The term I use for the issue with the routers is that they're plugged in
backwards when someone gets the WAN and LAN confused. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Al Garrett
 Sent: Tuesday, January 16, 2007 11:29 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue
DHCP
 servers? (or how do you find it?)
 
 Not sure about other switch brands... we've been Cisco-centric for
 years.
 
 The command in Cisco IOS is ip helper-address x.x.x.x to tell DHCP
 packets where to go across VLANs... but
 
 This still doesn't prevent a rogue DHCP server from popping up on a
 VLAN. (Think about a Linksys wired/wireless router brought to work by
a
 well-meaning but technically-challenged person and plugged into a
local
 port in order to get wireless in their cubicle/office)
 
 Al
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Tuesday, January 16, 2007 6:14 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue
DHCP
 servers? (or how do you find it?)
 
 OTOH, I am wondering if it'd be possible to configure the routers so
 that they only allow DHCP OFFER/ACK/NACK from auth.
 
 In case you weren't sure - this is exactly what I was suggesting you
 consider, in my first post :)
 
 neil
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: 16 January 2007 13:35
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue
DHCP
 servers? (or how do you find it?)
 
 Sorry for the delay on getting back on this, had a few things piled up
 after New Year's...
 
 You're right on the fact that routers isolating the VLANs limit the
 impact of this issue... The problem is that the idea is to
 re-configure routers to forward DHCP traffic, so that we get DHCP
 service on all VLANs from one/a few DHCP servers, instead of having to
 setup a DHCP server on each VLAN.
 
 Somebody suggested having a multi-homed DHCP server, with a leg on
 each VLAN, so that we get containment and DHCP service on every VLAN.
I
 don't know at the moment if that's possible (I have to check with the
 client, to see if their network topology has a hub where all VLANs
 come close).
 OTOH, I am wondering if it'd be possible to configure the routers so
 that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers
 (something similar to what we've done with the local filtering on the
 workstations)...
 We'd still have problems with a rogue DHCP server in a VLAN, but we
 wouldn't have to go the multi-homed server route...
 
 Thanks a lot for the input received so far. It's made me explore
 several
 options that I had not considered ;)
 
 As always, a pleasure.
 
   Javier
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Tuesday, 09 January 2007 9:35
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
 servers? (or how do you find it?)
 
 Your last statement is true but then if routers restrict BOOTP traffic
 as I describe, then the rogue DHCP server will only affect the VLAN on
 which it exists. At least that way, you've reduced the impact.
 
 neil
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: 08 January 2007 17:24
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue
DHCP
 servers? (or how do you find it?)
 
 Hi, Neil!!
 
 That's another thing I'll have to look into :) I am aware that it's
 possible to do DHCP-proxy to pass along the DHCP requests to the proper
 servers.
 That's something that will have to be done, as the client's network is
 split in different VLAN segments, and in multiple locations/sites, and
 they'd like to have a reduced number of DHCP servers.
 
 But, useful and necessary as it is, this won't prevent a
 rogue/malicious
 DHCP server on the same LAN segment from playing havoc with the
 systems.
 
 Thanks for the heads-up though.
 
   Javier Jarava
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Monday, 08 January 2007 14:33
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
 servers? (or how do you find it?)
 
 In addition to the below, routers can be configured to only forward
 BOOTP packets to/from 'authorised' DHCP servers.
 
 neil
 
 
 ___
 Neil Ruston
 Global 
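
The rule discussed in this thread, accepting DHCP OFFER/ACK/NAK only from authorised servers, can also be run as detection over mirrored traffic. The following is an added example, not code from the thread or from any vendor: it parses a DHCP payload and flags server replies whose source or server identifier (option 54) is not on the allow list. The addresses, sample packets and function names are constructed, and it assumes the caller supplies each UDP payload sent from port 67 together with its source IP; a relayed reply arrives from the router interface, so relays are allowed as sources but not as servers.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MESSAGES = {2: "OFFER", 5: "ACK", 6: "NAK"}


def parse_options(data):
    """Walk the code/length/value options and return {code: value}."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:              # single byte, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option header truncated")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option value truncated")
        options[code] = value
        i += 2 + length
    return options


def classify_reply(payload, src_ip, servers, relays=()):
    """Judge one payload; returns None when it is not a DHCP server reply."""
    # 236-byte BOOTP header, then the 4-byte magic cookie, then options.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    if payload[0] != BOOTREPLY:
        return None
    try:
        options = parse_options(payload[240:])
    except ValueError as exc:
        return {"type": None, "source": src_ip, "server_id": None,
                "suspect": True, "reasons": ["malformed options: %s" % exc]}
    msg = options.get(OPT_MSG_TYPE, b"")
    if len(msg) != 1 or msg[0] not in SERVER_MESSAGES:
        return None
    allowed_servers = {ipaddress.IPv4Address(s) for s in servers}
    allowed_sources = allowed_servers | {ipaddress.IPv4Address(r) for r in relays}
    reasons = []
    if ipaddress.IPv4Address(src_ip) not in allowed_sources:
        reasons.append("source is not an authorised server or relay")
    raw_id = options.get(OPT_SERVER_ID, b"")
    server_id = str(ipaddress.IPv4Address(raw_id)) if len(raw_id) == 4 else None
    if server_id is None:
        reasons.append("no valid server identifier (option 54)")
    elif ipaddress.IPv4Address(server_id) not in allowed_servers:
        reasons.append("server identifier is not an authorised server")
    return {"type": SERVER_MESSAGES[msg[0]], "source": src_ip,
            "server_id": server_id, "suspect": bool(reasons), "reasons": reasons}


def build_message(op, msg_type, server_id, yiaddr="0.0.0.0"):
    """Build a minimal DHCP payload. Constructed sample data, not a capture."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,                          # op, htype=Ethernet, hlen, hops
        0x1234ABCD, 0, 0,                     # xid, secs, flags
        bytes(4),                             # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,  # yiaddr
        bytes(4), bytes(4),                   # siaddr, giaddr
        bytes.fromhex("001122334455"),        # chaddr, padded to 16 bytes
        b"", b"",                             # sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


SERVERS = ["10.10.0.5"]     # central DHCP server (constructed)
RELAYS = ["10.20.30.1"]     # router interface that relays DHCP (constructed)


def sample_verdicts():
    frames = [
        ("10.20.30.1", build_message(BOOTREPLY, 2, "10.10.0.5", "10.20.30.50")),      # relayed OFFER
        ("192.168.1.1", build_message(BOOTREPLY, 2, "192.168.1.1", "192.168.1.100")),  # consumer router
        ("192.168.1.1", build_message(BOOTREPLY, 5, "10.10.0.5", "192.168.1.100")),    # copied option 54
        ("10.20.30.77", build_message(BOOTREQUEST, 1, None)),                          # client DISCOVER
    ]
    return [classify_reply(payload, src, SERVERS, RELAYS) for src, payload in frames]


if __name__ == "__main__":
    for verdict in sample_verdicts():
        print(verdict)
```
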

RE: [ActiveDir] OT: Who needs that much ram anyway?

2007-01-16 Thread Michael B. Smith
Windows Team != Exchange Team

We've (Exchange MVPs) pushed and pushed for this for several patches
over the last few years. Approval cycles, timeframes, requirements, etc.
all differ between the teams. I'm sure politics are involved too.

I think the closest we got was that Exchange 2003 sp2 wouldn't install
if a couple of particular Windows hotfixes weren't already installed.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?

Personally I was surprised that a Windows 2003 server and Exchange 2007 
would need a patch to run more than 4 gigs because
This problem occurs because of a problem in the Windows kernel

Seems to me in the x64 era, we're all going to be running more than 4 
gigs so they should bundle this up in the Exchange 2007 installer from 
the get go rather than having everyone stumble across a KB article.

I'm assuming it's discussed in the readme that no one reads?


Brian Desmond wrote:
 The more you can get in memory, the better. 32GB is the threshold for
 Exchange before it stops making sense.

 I've remoted into SQL servers with dozens of CPUs and dozens of gigs
of
 ram before...

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132


   
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
 SBS Rocks [MVP]
 Sent: Tuesday, January 16, 2007 4:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Who needs that much ram anyway?


   The Microsoft Exchange Information Store service stops responding
on
 a
   computer that is running Windows Server 2003 and Exchange Server
 
 2007
   
 http://support.microsoft.com/?kbid=928368

 This problem occurs if Exchange Server 2007 is installed on a
computer
 that has more than 4 gigabytes (GB) of RAM.


   

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] OT: Who needs that much ram anyway?

2007-01-16 Thread Eric Fleischman
Exchange should not be in the business of patching kernels. It's just
bad form.

That said, it's not clear to me what the right answer is either. You
want to get people the fix that need it but you don't want to go out
there and start swapping kernel components on a user. That's just not
the right way for a piece of software to work. How would the SBS crowd
feel if an app changed the kernel out from under them? You run a lot of
apps on that box.

I think the options we have today are: readme + ExBPA + perhaps offering
the patch via WU when we see Exchange installed. But the last point
there is contentious, I know... it's merely an option to consider and
give us feedback on. :)

I remember watching this issue being debugged when it was hit and it's
worth proactively patching. Exchange put a lot of energy in to finding
this one and getting root cause + a fix prior to RTM. Hard issue to hit,
but not impossible either.
Honestly, on this one, I think they served their customers well.

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?

Personally I was surprised that a Windows 2003 server and Exchange 2007 
would need a patch to run more than 4 gigs because
This problem occurs because of a problem in the Windows kernel

Seems to me in the x64 era, we're all going to be running more than 4 
gigs so they should bundle this up in the Exchange 2007 installer from 
the get go rather than having everyone stumble across a KB article.

I'm assuming it's discussed in the readme that no one reads?


Brian Desmond wrote:
 The more you can get in memory, the better. 32GB is the threshold for
 Exchange before it stops making sense.

 I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
 ram before...

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132


   
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
 SBS Rocks [MVP]
 Sent: Tuesday, January 16, 2007 4:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Who needs that much ram anyway?


 The Microsoft Exchange Information Store service stops responding on a
 computer that is running Windows Server 2003 and Exchange Server 2007
 http://support.microsoft.com/?kbid=928368

 This problem occurs if Exchange Server 2007 is installed on a computer
 that has more than 4 gigabytes (GB) of RAM.


   

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] OT: Who needs that much ram anyway?

2007-01-16 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

(oh he goes for below the belt with the SBS remark)  ;-)

But yes, I'd argue it should be MU'd when Exchange is there.

Eric Fleischman wrote:

Exchange should not be in the business of patching kernels. It's just
bad form.

That said, it's not clear to me what the right answer is either. You
want to get people the fix that need it but you don't want to go out
there and start swapping kernel components on a user. That's just not
the right way for a piece of software to work. How would the SBS crowd
feel if an app changed the kernel out from under them? You run a lot of
apps on that box.

I think the options we have today are: readme + ExBPA + perhaps offering
the patch via WU when we see Exchange installed. But the last point
there is contentious, I know... it's merely an option to consider and
give us feedback on. :)

I remember watching this issue being debugged when it was hit and it's
worth proactively patching. Exchange put a lot of energy in to finding
this one and getting root cause + a fix prior to RTM. Hard issue to hit,
but not impossible either.
Honestly, on this one, I think they served their customers well.

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?

Personally I was surprised that a Windows 2003 server and Exchange 2007 
would need a patch to run more than 4 gigs because

This problem occurs because of a problem in the Windows kernel

Seems to me in the x64 era, we're all going to be running more than 4 
gigs so they should bundle this up in the Exchange 2007 installer from 
the get go rather than having everyone stumble across a KB article.


I'm assuming it's discussed in the readme that no one reads?


Brian Desmond wrote:
  

The more you can get in memory, the better. 32GB is the threshold for
Exchange before it stops making sense.

I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
ram before...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


  


-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 4:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Who needs that much ram anyway?


The Microsoft Exchange Information Store service stops responding on a
computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a computer
that has more than 4 gigabytes (GB) of RAM.


  



  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] adminsdholder

2007-01-16 Thread Almeida Pinto, Jorge de
either explicit or inherited permissions will be replaced by the 
permissions defined on the adminsdholder object
 
so if re-applying inheritance is not enough... you would need to define 
explicit defined permissions...
 
for the default perms you can use the DEFAULT button and all custom added 
permissions would need to be defined again
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Tue 2007-01-16 17:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adminsdholder



Jorge, thanks for your reply post

i certainly favour the former option on account of the other being a forest-wide
configuration.

on this basis if we have removed the user from protected groups then doesn't 
setting
do the job ?

the permission we are 'losing' is not one that is set at parent OU level and set
explicitly on the object so inheritance of the permission is not

OR is there something else that needs to be re-enabled by changing the inheritance
on the user object ??

GT


1. removed user from all protected groups


 setting the attribute to 0 only will not help

 to stop the adminsdholder from managing a certain group/user you either:
 * remove it from a protected group, check inheritance and reset admincount to not set
 * configure dsheuristics (forest-wide config) as mentioned in
 http://support.microsoft.com/?id=817433 for some default protected groups (not
 recommended as you should not use the default admin groups, but instead delegate
 stuff)

 also see:
 http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

 Met vriendelijke groeten / Kind regards,
 Ing. Jorge de Almeida Pinto
 Senior Infrastructure Consultant
 MVP Windows Server - Directory Services

 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 Tel : +31-(0)40-29.57.777
 Mobile : +31-(0)6-26.26.62.80
 E-mail : see sender address

 

 From: [EMAIL PROTECTED] on behalf of Graham Turner
 Sent: Tue 2007-01-16 15:37
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] adminsdholder



 Dear all, i think we are experiencing issues re not being able to reset permissions on
 an object that was previously member of protected groups

 i have read that the issue is around the reset of the value of 'admincount'
 attribute.

 as i learn this gets set to 1 when it becomes a member of protected groups, but
 ju

 i wanted to confirm that is a 'supported' operation to merely reset this data to 0
 to undo the effect of adminsdholder ??

 or whether there are other changes that need to be considered. ?

 G
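
The cleanup Jorge describes (remove the user from protected groups, check inheritance, reset admincount to not set), as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module and the default English names of the protected groups; it is run per domain and leaves every change behind -WhatIf until the list has been reviewed.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT)
# and rights to modify the affected accounts.
Import-Module ActiveDirectory

# Assumption: default protected groups under their default English names.
$protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Backup Operators',
                   'Print Operators', 'Replicator', 'Domain Controllers'

# Collect every account that is still a direct or nested member.
# A PowerShell hashtable compares keys case-insensitively, which suits DNs.
$stillProtected = @{}
foreach ($name in $protectedGroups) {
    # Groups that do not exist in this domain (Enterprise Admins and Schema
    # Admins in a child domain) return nothing and are skipped.
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if ($group) {
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
    }
}

# Users still stamped adminCount=1 although no protected group lists them.
# krbtgt is protected in its own right and is left alone.
# Limitation of this example: membership in forest-root groups is not evaluated
# from a child domain, so review the output before acting on it.
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and
                   -not $stillProtected.ContainsKey($_.DistinguishedName) }

foreach ($user in $orphans) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Report what was found before touching anything.
    [pscustomobject]@{
        Account             = $user.SamAccountName
        InheritanceDisabled = $acl.AreAccessRulesProtected
    }

    # Clear adminCount so the attribute is "not set" rather than 0.
    Set-ADUser -Identity $user -Clear adminCount -WhatIf

    # Re-enable inheritance. The explicit ACEs that were copied from the
    # adminSDHolder object stay on the account until they are reset to the
    # schema default, and custom permissions have to be added again.
    if ($acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $path -AclObject $acl -WhatIf
    }
}
```

Remove -WhatIf only after confirming that each listed account has really left every protected group; an account that is still a member is stamped again on the next adminSDHolder run.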











Re: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Al Mulnick

What's unique about the domain this is happening to? That strikes me as odd
that it's occurring in one domain, but not all.

I have yet to see accounts get deleted in Active Directory (any version)
without a process that removes them.  This could be a new experience for me,
but I'm skeptical that a process doesn't exist that is removing accounts or
preventing the replication (you did say they checked, but like I said, I'm
skeptical of any process that picks on computer account security principals
but leaves user security principals alone.)

I have seen strange issues occur when anti virus apps that run on the domain
controllers were thought to have been configured properly but weren't. I've
seen instances where similar symptoms were presented but in the end we found
out that a process was running that caused this issue. I've seen issues of
DC promotions and DNS that ate the DNS zones, but that's not what you
describe.

So I'm interested to know what's unique about the domain it occurs in.  I'm
interested to know why it doesn't occur in the other domains?

SP1 is highly recommended of course - lots of bug fixes and additional
security changes.

I'm not familiar with the client side apps you mention, but if the
environment I work in currently is any indication old computer accounts
don't become suicidal without provocation.  Shame too



On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:


I've found a little bit of info on this googling, and the results I'm
finding seem to be related to replication problems, lack of SP1, or
other issues with DCs that need to be reinstalled (reason not
identified).  What's happening is that computer accounts are getting
deleted - most of them are ones that can't update their passwords
because they have been turned off, or in the case of a group of users,
their computers have Deep Freeze running on them, and those computers
update their passwords but apparently the computers reset when they are
rebooted so the password is reset to the old one too.  But the issues
are not isolated to these accounts.

We do not have an automated process set up to delete these accounts.

This is Server 2003, non-SP1 (that's scheduled for this Friday).  There
are no discovered replication errors, they have checked for those.  We
only have 6 DCs, two each for a root and two child domains, and this is
happening in one of the child domains.

Here is an example event that we are getting.  If anyone has seen this
before or has any ideas, we'll be most appreciative.

Event Type:     Error
Event Source:   NETLOGON
Event Category: None
Event ID:       5723
Date:           1/16/2007
Time:           9:21:28 AM
User:           N/A
Computer:       CORPDC2
Description:
The session setup from computer 'ACCT-95XDP11' failed because the
security database does not contain a trust account 'ACCT-95XDP11$'
referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer
and account, this may be a transient issue that doesn't require any
action at this time. Otherwise, the following steps may be taken to
resolve this problem:

If 'ACCT-95XDP11$' is a legitimate machine account for the computer
'ACCT-95XDP11', then 'ACCT-95XDP11' should be rejoined to the domain.

If 'ACCT-95XDP11$' is a legitimate interdomain trust account, then the
trust should be recreated.

Otherwise, assuming that 'ACCT-95XDP11$' is not a legitimate account,
the following action should be taken on 'ACCT-95XDP11':

If 'ACCT-95XDP11' is a Domain Controller, then the trust associated with
'ACCT-95XDP11$' should be deleted.

If 'ACCT-95XDP11' is not a Domain Controller, it should be disjoined
from the domain.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
: 8b 01 00 c0

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Steve Linehan
Well assuming that the deletion occurred recently I would go look in the 
deleted items folder and see if you have an object by that name in there.  You 
can then look at the replication metadata and see where the delete originated.  
From that see if they are all coming from one DC or if there are patterns.  If 
you have auditing turned up you could see who/what is deleting them.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

What's unique about the domain this is happening to? That strikes me as odd 
that it's occurring in one domain, but not all.

I have yet to see accounts get deleted in Active Directory (any version) 
without a process that removes them.  This could be a new experience for me, 
but I'm skeptical that a process doesn't exist that is removing accounts or 
preventing the replication (you did say they checked, but like I said, I'm 
skeptical of any process that picks on computer account security principals but 
leaves user security principals alone.)

I have seen strange issues occur when anti virus apps that run on the domain 
controllers were thought to have been configured properly but weren't. I've 
seen instances where similar symptoms were presented but in the end we found 
out that a process was running that caused this issue. I've seen issues of DC 
promotions and DNS that ate the DNS zones, but that's not what you describe.

So I'm interested to know what's unique about the domain it occurs in.  I'm 
interested to know why it doesn't occur in the other domains?

SP1 is highly recommended of course - lots of bug fixes and additional security 
changes.

I'm not familiar with the client side apps you mention, but if the environment 
I work in currently is any indication old computer accounts don't become 
suicidal without provocation.  Shame too


On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:
I've found a little bit of info on this googling, and the results I'm
finding seem to be related to replication problems, lack of SP1, or
other issues with DCs that need to be reinstalled (reason not
identified).  What's happening is that computer accounts are getting
deleted - most of them are ones that can't update their passwords
because they have been turned off, or in the case of a group of users,
their computers have Deep Freeze running on them, and those computers
update their passwords but apparently the computers reset when they are
rebooted so the password is reset to the old one too.  But the issues
are not isolated to these accounts.

We do not have an automated process set up to delete these accounts.

This is Server 2003, non-SP1 (that's scheduled for this Friday).  There
are no discovered replication errors, they have checked for those.  We
only have 6 DCs, two each for a root and two child domains, and this is
happening in one of the child domains.

Here is an example event that we are getting.  If anyone has seen this
before or has any ideas, we'll be most appreciative.

Event Type:     Error
Event Source:   NETLOGON
Event Category: None
Event ID:       5723
Date:           1/16/2007
Time:           9:21:28 AM
User:           N/A
Computer:       CORPDC2
Description:
The session setup from computer 'ACCT-95XDP11' failed because the
security database does not contain a trust account 'ACCT-95XDP11$'
referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer
and account, this may be a transient issue that doesn't require any
action at this time. Otherwise, the following steps may be taken to
resolve this problem:

If 'ACCT-95XDP11$' is a legitimate machine account for the computer
'ACCT-95XDP11', then 'ACCT-95XDP11' should be rejoined to the domain.

If 'ACCT-95XDP11$' is a legitimate interdomain trust account, then the
trust should be recreated.

Otherwise, assuming that 'ACCT-95XDP11$' is not a legitimate account,
the following action should be taken on 'ACCT-95XDP11':

If 'ACCT-95XDP11' is a Domain Controller, then the trust associated with
'ACCT-95XDP11$' should be deleted.

If 'ACCT-95XDP11' is not a Domain Controller, it should be disjoined
from the domain.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
: 8b 01 00 c0

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous
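
Steve Linehan's suggestion above (find the deleted object, read its replication metadata, look for a pattern in where the deletes originate), as an added PowerShell example that is not part of the thread. It uses the ActiveDirectory module, which is newer than the Server 2003 environment discussed here; the server name and the look-back window are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Server = 'dc1.child.example.com'   # placeholder: a DC in the domain losing accounts
$Since  = (Get-Date).AddDays(-14)   # placeholder look-back window

# Deleted computer accounts remain as tombstones and are returned only with
# -IncludeDeletedObjects. They keep sAMAccountName; lastKnownParent may be empty.
$tombstones = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -LDAPFilter '(&(isDeleted=TRUE)(objectClass=computer))' `
        -Properties sAMAccountName, lastKnownParent, whenChanged |
    Where-Object { $_.whenChanged -ge $Since }

$report = foreach ($t in $tombstones) {
    # The metadata of the isDeleted attribute records which DC originated
    # the delete and when it happened there.
    $meta = Get-ADReplicationAttributeMetadata -Object $t.ObjectGUID -Server $Server `
        -IncludeDeletedObjects -Properties isDeleted

    [pscustomobject]@{
        Account       = $t.sAMAccountName
        LastParent    = $t.lastKnownParent
        DeletedAt     = $meta.LastOriginatingChangeTime
        OriginatingDC = $meta.LastOriginatingChangeDirectoryServerIdentity
        OriginUsn     = $meta.LastOriginatingChangeUsn
    }
}

# Pattern check: one DC, or one narrow time window, dominating the list points
# at a script, tool or operator working against that DC.
$byDc = $report | Group-Object OriginatingDC | Sort-Object Count -Descending
$byDc | Format-Table Count, Name -AutoSize
$report | Sort-Object DeletedAt | Format-Table Account, DeletedAt, LastParent -AutoSize

# With account-management auditing enabled, the Security log on the originating
# DC names the caller: event 4743 on Server 2008 and later, 647 on Server 2003.
$top = $byDc | Select-Object -First 1
if ($top -and $top.Name) {
    # The identity is the DC's "CN=NTDS Settings,CN=<server>,..." object;
    # its parent server object carries dNSHostName.
    $serverDn = $top.Name -replace '^CN=NTDS Settings,', ''
    $dcHost   = (Get-ADObject -Identity $serverDn -Server $Server `
                    -Properties dNSHostName).dNSHostName

    Get-WinEvent -ComputerName $dcHost -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4743; StartTime = $Since } |
        Select-Object TimeCreated, Message
}
```

Tombstones are only available until the tombstone lifetime expires and garbage collection removes them, so run this soon after the accounts go missing.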


RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Rich Milburn
Thanks Al.  It’s not that the domain is different, just that only one domain is 
used for computer accounts.  The forest root isn’t, and the other domain is 
relatively inactive until we put another area on AD, though it has a couple of 
user accounts.  So all the computer accounts are in this domain (as well as 
almost all user accounts).

 

I agree it’s weird that nothing is touching user accounts.  We do use Sophos, 
and Sophos is often referred to with 4 letters lately around here so I’ll 
mention that to them…

 

Deep Freeze apparently resets the computer to the state it was in before, so 
people can’t change it.  I’m not sure that the computer account password 
getting reset as part of it is a problem, I’ve been out of the loop on it.  But 
it’s not just those computers. 

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
”I love the smell of red herrings in the morning” - anonymous

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

 

What's unique about the domain this is happening to? That strikes me as odd 
that it's occurring in one domain, but not all. 

I have yet to see accounts get deleted in Active Directory (any version) 
without a process that removes them.  This could be a new experience for me, 
but I'm skeptical that a process doesn't exist that is removing accounts or 
preventing the replication (you did say they checked, but like I said, I'm 
skeptical of any process that picks on computer account security principals but 
leaves user security principals alone.) 

I have seen strange issues occur when anti virus apps that run on the domain 
controllers were thought to have been configured properly but weren't. I've 
seen instances where similar symptoms were presented but in the end we found 
out that a process was running that caused this issue. I've seen issues of DC 
promotions and DNS that ate the DNS zones, but that's not what you describe. 

So I'm interested to know what's unique about the domain it occurs in.  I'm 
interested to know why it doesn't occur in the other domains? 

SP1 is highly recommended of course - lots of bug fixes and additional security 
changes. 

I'm not familiar with the client side apps you mention, but if the environment 
I work in currently is any indication old computer accounts don't become 
suicidal without provocation.  Shame too




On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

I've found a little bit of info on this googling, and the results I'm
finding seem to be related to replication problems, lack of SP1, or
other issues with DCs that need to be reinstalled (reason not
identified).  What's happening is that computer accounts are getting 
deleted - most of them are ones that can't update their passwords
because they have been turned off, or in the case of a group of users,
their computers have Deep Freeze running on them, and those computers
update their passwords but apparently the computers reset when they are
rebooted so the password is reset to the old one too.  But the issues
are not isolated to these accounts.

We do not have an automated process set up to delete these accounts. 

This is Server 2003, non-SP1 (that's scheduled for this Friday).  There
are no discovered replication errors, they have checked for those.  We
only have 6 DCs, two each for a root and two child domains, and this is 
happening in one of the child domains.

Here is an example event that we are getting.  If anyone has seen this
before or has any ideas, we'll be most appreciative.

Event Type:     Error
Event Source:   NETLOGON
Event Category: None
Event ID:       5723
Date:           1/16/2007
Time:           9:21:28 AM
User:           N/A
Computer:       CORPDC2
Description:
The session setup from computer 'ACCT-95XDP11' failed because the 
security database does not contain a trust account 'ACCT-95XDP11$'
referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer
and account, this may be a transient issue that doesn't require any 
action at this time. Otherwise, the following steps may be taken to
resolve this problem:

If 'ACCT-95XDP11$' is a legitimate machine account for the computer
'ACCT-95XDP11', then 'ACCT-95XDP11' should be rejoined to the domain. 

If 'ACCT-95XDP11$' is a legitimate interdomain trust account, then the
trust should be recreated.

Otherwise, assuming that 'ACCT-95XDP11$' is not a legitimate account,
the following action should be taken on 'ACCT-95XDP11': 

If 'ACCT-95XDP11' is a 

RE: [ActiveDir] DNS problem. Periodically have to clear the cache

2007-01-16 Thread Ramon Linan
Hi,
 
I have 4 DNS servers, they are all AD integrated.
 
2 of them are supposed to be for internal use only, and the other 2 for
the internet domain we have, unluckily they were never configured to be
split DNS.

Anyway, every now and then I have to clear the cache for the internal
ones because they stop resolving for certain addresses.

Sometimes I also have to update server data files for the DNS server to
resolve certain names.
 
 
Any help on how to troubleshoot this?
 
Thanks
 
Rezuma


RE: [ActiveDir] adminsdholder

2007-01-16 Thread Graham Turner
Jorge, thanks for the mail back

i am duly noted on the re-enabling of the inheritance

if i may develop this thread a little further ..

is there any specific logging of the activity of the adminsdholder process or do we
have to fall back to the directory auditing ??

presumably as i understand, there would be a number of elements to this;

i. enumeration of objects that are members of protected groups (is this constrained
to user objects ??)
ii. change of admincount attribute
iii. change of inheritance
iv. reset of permissions on objects

G


 either explicit or inherited permissions will be replaced by the permissions
 defined on the adminsdholder object

 so if re-applying inheritance is not enough... you would need to define explicit
 defined permissions...

 for the default perms you can use the DEFAULT button and all custom added
 permissions would need to be defined again

 Met vriendelijke groeten / Kind regards,
 Ing. Jorge de Almeida Pinto
 Senior Infrastructure Consultant
 MVP Windows Server - Directory Services

 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 Tel : +31-(0)40-29.57.777
 Mobile : +31-(0)6-26.26.62.80
 E-mail : see sender address

 

 From: [EMAIL PROTECTED] on behalf of Graham Turner
 Sent: Tue 2007-01-16 17:37
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] adminsdholder



 Jorge, thanks for your reply post

 i certainly favour the former option on account of the other being a forest-wide
 configuration.

 on this basis if we have removed the user from protected groups then doesn't setting
 do the job ?

 the permission we are 'losing' is not one that is set at parent OU level and set
 explicitly on the object so inheritance of the permission is not

 OR is there something else that needs to be re-enabled by changing the inheritance
 on the user object ??

 GT


 1. removed user from all protected groups


 setting the attribute to 0 only will not help

 to stop the adminsdholder from managing a certain group/user you either:
 * remove it from a protected group, check inheritance and reset admincount to not set
 * configure dsheuristics (forest-wide config) as mentioned in
 http://support.microsoft.com/?id=817433 for some default protected groups (not
 recommended as you should not use the default admin groups, but instead delegate
 stuff)

 also see:
 http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

 Met vriendelijke groeten / Kind regards,
 Ing. Jorge de Almeida Pinto
 Senior Infrastructure Consultant
 MVP Windows Server - Directory Services

 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 Tel : +31-(0)40-29.57.777
 Mobile : +31-(0)6-26.26.62.80
 E-mail : see sender address

 

 From: [EMAIL PROTECTED] on behalf of Graham Turner
 Sent: Tue 2007-01-16 15:37
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] adminsdholder



 Dear all, i think we are experiencing issues re not being able to reset permissions on
 an object that was previously member of protected groups

 i have read that the issue is around the reset of the value of 'admincount'
 attribute.

 as i learn this gets set to 1 when it becomes a member of protected groups, but
 ju

 i wanted to confirm that is a 'supported' operation to merely reset this data to 0
 to undo the effect of adminsdholder ??

 or whether there are other changes that need to be considered. ?

 G












Re: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Al Mulnick

In that case, you'll want to check out Steve's post and follow some of that
advice.  Since it's a computer resource domain topology, it should be
relatively low traffic and easier to spot.

Can you recreate it? Or is this just being reported retroactively? Better
yet, how close are you to the situation?


On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:


 Thanks Al. It's not that the domain is different, just that only one
domain is used for computer accounts. The forest root isn't, and the other
domain is relatively inactive until we put another area on AD, though it has
a couple of user accounts. So all the computer accounts are in this domain
(as well as almost all user accounts).



I agree it's weird that nothing is touching user accounts. We do use
Sophos, and Sophos is often referred to with 4 letters lately around here so
I'll mention that to them…



Deep Freeze apparently resets the computer to the state it was in before,
so people can't change it. I'm not sure that the computer account password
getting reset as part of it is a problem, I've been out of the loop on it.
But it's not just those computers.



---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process



What's unique about the domain this is happening to? That strikes me as
odd that it's occurring in one domain, but not all.

I have yet to see accounts get deleted in Active Directory (any version)
without a process that removes them.  This could be a new experience for me,
but I'm skeptical that a process doesn't exist that is removing accounts or
preventing the replication (you did say they checked, but like I said, I'm
skeptical of any process that picks on computer account security principals
but leaves user security principals alone.)

I have seen strange issues occur when anti virus apps that run on the
domain controllers were thought to have been configured properly but
weren't. I've seen instances where similar symptoms were presented but in
the end we found out that a process was running that caused this issue. I've
seen issues of DC promotions and DNS that ate the DNS zones, but that's
not what you describe.

So I'm interested to know what's unique about the domain it occurs in.
I'm interested to know why it doesn't occur in the other domains?

SP1 is highly recommended of course - lots of bug fixes and additional
security changes.

I'm not familiar with the client side apps you mention, but if the
environment I work in currently is any indication old computer accounts
don't become suicidal without provocation.  Shame too


 On 1/16/07, *Rich Milburn* [EMAIL PROTECTED] wrote:

I've found a little bit of info on this googling, and the results I'm
finding seem to be related to replication problems, lack of SP1, or
other issues with DCs that need to be reinstalled (reason not
identified).  What's happening is that computer accounts are getting
deleted - most of them are ones that can't update their passwords
because they have been turned off, or in the case of a group of users,
their computers have Deep Freeze running on them, and those computers
update their passwords but apparently the computers reset when they are
rebooted so the password is reset to the old one too.  But the issues
are not isolated to these accounts.

We do not have an automated process set up to delete these accounts.

This is Server 2003, non-SP1 (that's scheduled for this Friday).  There
are no discovered replication errors, they have checked for those.  We
only have 6 DCs, two each for a root and two child domains, and this is
happening in one of the child domains.

Here is an example event that we are getting.  If anyone has seen this
before or has any ideas, we'll be most appreciative.

Event Type:   Error
Event Source:NETLOGON
Event Category: None
Event ID:   5723
Date:1/16/2007
Time:9:21:28 AM
User:N/A
Computer: CORPDC2
Description:
The session setup from computer 'ACCT-95XDP11' failed because the
security database does not contain a trust account 'ACCT-95XDP11$'
referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer
and account, this may be a transient issue that doesn't require any
action at this time. Otherwise, the following steps may be taken to
resolve this problem:

If 'ACCT-95XDP11$' is a legitimate machine 

RE: [ActiveDir] DNS problem. Periodically have to clear the cache

2007-01-16 Thread Akomolafe, Deji
How are these servers configured in TCP/IP? Who is forwarding to whom? And what 
is the SP level? If you want to take this off-list, you can do so by directly 
emailing me.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Ramon Linan
Sent: Tue 1/16/2007 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache


Hi,

I have 4 DNS servers, they are all AD integrated.

2 of them are supposed to be for internal use only, and the other 2 for the 
internet domain we have, unluckily they were never configured to be split DNS.

Anyway, every now and then I have to clear the cache for the internal ones 
because they stop resolving for certain addresses.

Sometimes I also have to update server data files for the DNS server to 
resolve certain names.


Any help on how to troubleshoot this?

Thanks

Rezuma


RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Akomolafe, Deji

I had this issue a long time back with a similar product made by a previous 
employer. I won't go back into the details, but the problem is that computer 
passwords were being restored to previous states that no longer match those on 
the DCs at the present state. A manual or scripted rejoin is usually the cure. 
However, the computer objects themselves were not actually cleaned up, unlike 
in the case that Rich is now describing. Rich needs to eye-ball the directory 
itself and see whether or not the object actually disappeared when the problem 
manifests itself. Third-party eyes relaying information to the troubleshooter - 
not always reliable.


Sincerely, 
  _
 (, /  |  /)   /) /)   
   /---| (/_  __   ___// _   //  _ 
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
  (/   
Microsoft MVP - Directory Services

www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Al Mulnick
Sent: Tue 1/16/2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process


In that case, you'll want to check out Steve's post and follow some of that advice.  Since it's a computer resource domain topology, it should be relatively low traffic and easier to spot. 

Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation? 



On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote: 
Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). 

I agree it's weird that nothing is touching user accounts. We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them. 

Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers. 


---
Rich Milburn 
MCSE, Microsoft MVP - Directory Services

Sr Network Analyst, Field Platform Development
Applebee's International, Inc. 
4551 W. 107th St

Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process 

What's unique about the domain this is happening to? That strikes me as odd that it's occurring in one domain, but not all. 

I have yet to see accounts get deleted in Active Directory (any version) without a process that removes them.  This could be a new experience for me, but I'm skeptical that a process doesn't exist that is removing accounts or preventing the replication (you did say they checked, but like I said, I'm skeptical of any process that picks on computer account security principals but leaves user security principals alone.) 

I have seen strange issues occur when anti virus apps that run on the domain controllers were thought to have been configured properly but weren't. I've seen instances where similar symptoms were presented but in the end we found out that a process was running that caused this issue. I've seen issues of DC promotions and DNS that ate the DNS zones, but that's not what you describe. 

So I'm interested to know what's unique about the domain it occurs in.  I'm interested to know why it doesn't occur in the other domains? 

SP1 is highly recommended of course - lots of bug fixes and additional security changes. 


I'm not familiar with the client side apps you mention, but if the environment 
I work in currently is any indication old computer accounts don't become 
suicidal without provocation.  Shame too



On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:
I've found a little bit of info on this googling, and the results I'm
finding seem to be related to replication problems, lack of SP1, or
other issues with DCs that need to be reinstalled (reason not
identified).  What's happening is that computer accounts are getting 
deleted - most of them are ones that can't update their passwords

because they have been turned off, or in the case of a group of users,
their computers have Deep Freeze running on them, and those computers
update their passwords but apparently the computers reset when they are
rebooted so the password is reset 

[ActiveDir] Who needs that much ram anyway?

2007-01-16 Thread Jose Medeiros
What about the 3Gb switch in the boot.ini that is required to take advantage 
of the additional memory.
Also depending on the age of the server and CPU, you may also need a PAE / 
AWE switch.

http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and require a 
64 bit version of Windows 2003 or Longhorn, I am not sure if the switch will 
be required, anyone else know?


Jose


- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?


Personally I was surprised that a Windows 2003 server and Exchange 2007 
would need a patch to run more than 4 gigs because

This problem occurs because of a problem in the Windows kernel

Seems to me in the x64 era, we're all going to be running more than 4 gigs 
so they should bundle this up in the Exchange 2007 installer from the get 
go rather than having everyone stumble across a KB article.


I'm assuming it's discussed in the readme that no one reads?


Brian Desmond wrote:

The more you can get in memory, the better. 32GB is the threshold for
Exchange before it stops making sense.

I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
ram before...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132




-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 4:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Who needs that much ram anyway?


The Microsoft Exchange Information Store service stops responding on a
computer that is running Windows Server 2003 and Exchange Server 2007


http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a computer
that has more than 4 gigabytes (GB) of RAM.





--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I 
will hunt you down...

http://blogs.technet.com/sbs



RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Rich Milburn
Ah good detective work my friend… I’m not very close to the situation.  But -2 
points for the resource domain.  We have the forest root, then a child root for 
our support center, which is on AD and which has users and computers, and then 
we have our restaurant domain, which is there for a handful or less of user 
accounts, and no computer accounts yet except the DCs.  One day we might join 
computers to that domain.  But for now, only the other domain really has 
computer accounts, and that is where we see the issue.  But with only 2 domain 
controllers, which sit side-by-side, there’s not a lot of replication issue to 
troubleshoot.

 

I forwarded on Steve’s comments, so we’ll see if that helps anything.

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
”I love the smell of red herrings in the morning” - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

 

In that case, you'll want to check out Steve's post and follow some of that 
advice.  Since it's a computer resource domain topology, it should be 
relatively low traffic and easier to spot. 

 

Can you recreate it? Or is this just being reported retroactively? Better yet, 
how close are you to the situation? 

 

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote: 

Thanks Al. It's not that the domain is different, just that only one domain is 
used for computer accounts. The forest root isn't, and the other domain is 
relatively inactive until we put another area on AD, though it has a couple of 
user accounts. So all the computer accounts are in this domain (as well as 
almost all user accounts). 

 

I agree it's weird that nothing is touching user accounts. We do use Sophos, 
and Sophos is often referred to with 4 letters lately around here so I'll 
mention that to them… 

 

Deep Freeze apparently resets the computer to the state it was in before, so 
people can't change it. I'm not sure that the computer account password getting 
reset as part of it is a problem, I've been out of the loop on it. But it's not 
just those computers. 

 

---
Rich Milburn 
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc. 
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process 

 

What's unique about the domain this is happening to? That strikes me as odd 
that it's occurring in one domain, but not all. 

I have yet to see accounts get deleted in Active Directory (any version) 
without a process that removes them.  This could be a new experience for me, 
but I'm skeptical that a process doesn't exist that is removing accounts or 
preventing the replication (you did say they checked, but like I said, I'm 
skeptical of any process that picks on computer account security principals but 
leaves user security principals alone.) 

I have seen strange issues occur when anti virus apps that run on the domain 
controllers were thought to have been configured properly but weren't. I've 
seen instances where similar symptoms were presented but in the end we found 
out that a process was running that caused this issue. I've seen issues of DC 
promotions and DNS that ate the DNS zones, but that's not what you describe. 

So I'm interested to know what's unique about the domain it occurs in.  I'm 
interested to know why it doesn't occur in the other domains? 

SP1 is highly recommended of course - lots of bug fixes and additional security 
changes. 

I'm not familiar with the client side apps you mention, but if the environment 
I work in currently is any indication old computer accounts don't become 
suicidal without provocation.  Shame too



On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

I've found a little bit of info on this googling, and the results I'm
finding seem to be related to replication problems, lack of SP1, or
other issues with DCs that need to be reinstalled (reason not
identified).  What's happening is that computer accounts are getting 
deleted - most of them are ones that can't update their passwords
because they have been turned off, or in the case of a group of users,
their computers have Deep 

RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Rich Milburn
Thanks Deji, I'll see what I can do (pun sorta intended)

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown
process

 

I had this issue a long time back with a similar product made by a
previous employer. I won't go back into the details, but the problem is
that computer passwords were being restored to previous states that no
longer match those on the DCs at the present state. A manual or scripted
rejoin is usually the cure. However, the computer objects themselves
were not actually cleaned up, unlike in the case that Rich is now
describing. Rich needs to eye-ball the directory itself and see whether
or not the object actually disappeared when the problem manifests
itself. Third-party eyes relaying information to the troubleshooter -
not always reliable.

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 



From: Al Mulnick
Sent: Tue 1/16/2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown
process

In that case, you'll want to check out Steve's post and follow some of
that advice.  Since it's a computer resource domain topology, it
should be relatively low traffic and easier to spot. 

 

Can you recreate it? Or is this just being reported retroactively?
Better yet, how close are you to the situation? 

 

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote: 

Thanks Al. It's not that the domain is different, just that only one
domain is used for computer accounts. The forest root isn't, and the
other domain is relatively inactive until we put another area on AD,
though it has a couple of user accounts. So all the computer accounts
are in this domain (as well as almost all user accounts). 

 

I agree it's weird that nothing is touching user accounts. We do use
Sophos, and Sophos is often referred to with 4 letters lately around
here so I'll mention that to them... 

 

Deep Freeze apparently resets the computer to the state it was in
before, so people can't change it. I'm not sure that the computer
account password getting reset as part of it is a problem, I've been out
of the loop on it. But it's not just those computers. 

 

---
Rich Milburn 
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc. 
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown
process 

 

What's unique about the domain this is happening to? That strikes me as
odd that it's occurring in one domain, but not all. 

I have yet to see accounts get deleted in Active Directory (any version)
without a process that removes them.  This could be a new experience for
me, but I'm skeptical that a process doesn't exist that is removing
accounts or preventing the replication (you did say they checked, but
like I said, I'm skeptical of any process that picks on computer account
security principals but leaves user security principals alone.) 

I have seen strange issues occur when anti virus apps that run on the
domain controllers were thought to have been configured properly but
weren't. I've seen instances where similar symptoms were presented but
in the end we found out that a process was running that caused this
issue. I've seen issues of DC promotions and DNS that ate the DNS
zones, but that's not what you describe. 

So I'm interested to know what's unique about the domain it occurs in.
I'm interested to know why it doesn't occur in the other domains? 

SP1 is highly recommended of course - lots of bug fixes and additional
security changes. 

I'm not familiar with the client side 

RE: [ActiveDir] Who needs that much ram anyway?

2007-01-16 Thread Kevin Brunson
Judging by the Exchange 2007 Microsoft Across America Launch Event that
I attended this morning, Exchange 2007 has no limits period.  If you
want it to block spam, it blocks spam.  If you want it to run with a
2000TB store on Standard, it will do it.  If you want it to cook you
breakfast, that might require the /baconandeggs switch, but it should be
able to do that as well.  The /baconandeggs switch might be
undocumented...

Seriously though, I know PAE is not supported on 64-bit, and I think I
remember reading that /3GB is required on 64-bit OS

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Tuesday, January 16, 2007 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who needs that much ram anyway?

What about the 3Gb switch in the boot.ini that is required to take advantage
of the additional memory.
Also depending on the age of the server and CPU, you may also need a PAE /
AWE switch.
http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and require a
64 bit version of Windows 2003 or Longhorn, I am not sure if the switch will
be required, anyone else know?

Jose


- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?


 Personally I was surprised that a Windows 2003 server and Exchange 2007
 would need a patch to run more than 4 gigs because
 This problem occurs because of a problem in the Windows kernel

 Seems to me in the x64 era, we're all going to be running more than 4 gigs
 so they should bundle this up in the Exchange 2007 installer from the get
 go rather than having everyone stumble across a KB article.

 I'm assuming it's discussed in the readme that no one reads?


 Brian Desmond wrote:
 The more you can get in memory, the better. 32GB is the threshold for
 Exchange before it stops making sense.

 I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
 ram before...

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
 SBS Rocks [MVP]
 Sent: Tuesday, January 16, 2007 4:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Who needs that much ram anyway?


 The Microsoft Exchange Information Store service stops responding on a
 computer that is running Windows Server 2003 and Exchange Server 2007

 http://support.microsoft.com/?kbid=928368

 This problem occurs if Exchange Server 2007 is installed on a computer
 that has more than 4 gigabytes (GB) of RAM.




 -- 
 Letting your vendors set your risk analysis these days? 
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
 will hunt you down...
 http://blogs.technet.com/sbs



RE: [ActiveDir] Who needs that much ram anyway?

2007-01-16 Thread Kevin Brunson
Sorry, that was supposed to say NOT required

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, January 16, 2007 4:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Who needs that much ram anyway?

Judging by the Exchange 2007 Microsoft Across America Launch Event that
I attended this morning, Exchange 2007 has no limits period.  If you
want it to block spam, it blocks spam.  If you want it to run with a
2000TB store on Standard, it will do it.  If you want it to cook you
breakfast, that might require the /baconandeggs switch, but it should be
able to do that as well.  The /baconandeggs switch might be
undocumented...

Seriously though, I know PAE is not supported on 64-bit, and I think I
remember reading that /3GB is required on 64-bit OS

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Tuesday, January 16, 2007 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who needs that much ram anyway?

What about the 3Gb switch in the boot.ini that is required to take advantage
of the additional memory.
Also depending on the age of the server and CPU, you may also need a PAE /
AWE switch.
http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and require a
64 bit version of Windows 2003 or Longhorn, I am not sure if the switch will
be required, anyone else know?

Jose


- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?


 Personally I was surprised that a Windows 2003 server and Exchange 2007
 would need a patch to run more than 4 gigs because
 This problem occurs because of a problem in the Windows kernel

 Seems to me in the x64 era, we're all going to be running more than 4 gigs
 so they should bundle this up in the Exchange 2007 installer from the get
 go rather than having everyone stumble across a KB article.

 I'm assuming it's discussed in the readme that no one reads?


 Brian Desmond wrote:
 The more you can get in memory, the better. 32GB is the threshold for
 Exchange before it stops making sense.

 I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
 ram before...

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
 SBS Rocks [MVP]
 Sent: Tuesday, January 16, 2007 4:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Who needs that much ram anyway?


 The Microsoft Exchange Information Store service stops responding on a
 computer that is running Windows Server 2003 and Exchange Server 2007

 http://support.microsoft.com/?kbid=928368

 This problem occurs if Exchange Server 2007 is installed on a computer
 that has more than 4 gigabytes (GB) of RAM.




 -- 
 Letting your vendors set your risk analysis these days? 
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
 will hunt you down...
 http://blogs.technet.com/sbs



RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Steve Linehan
Password change for the machine account is handled by the client and you could 
disable this so that you do not have the problem on the machines that are deep 
freezed.  We also have a tool that education users often leverage that does 
something similar however we implemented a way to update the password secret 
in the machine's registry to avoid the rollback issue.  The DC will remember the 
current and one previous password.  If the machine comes up and uses the 
previous password then it will fall back however if the machine goes through 
two resets, by default 30 days+random offset up to 24 hours, then potentially 
when you fall back the trust relationship would not work as the DC only knows 
about the last two passwords.  That being said other ISVs simply disable 
password changes on these systems since the password is randomly generated and 
generally strong for workstation class machines.  As for the deletion that is 
not normal which is why I would be interested in the metadata if the objects 
are indeed in deleted items.

Thanks,

-Steve
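
The password-history behaviour described in the message above, as a simplified model added here (not part of the original post and not Microsoft's implementation): a domain controller that keeps the current and one previous machine password, and a workstation whose local secret reverts to a frozen image on reboot. The class names, the `LAB-PC01` machine name and the assumption that the image is taken right after the domain join are constructed for illustration.

```python
import secrets

MAX_PASSWORD_AGE_DAYS = 30   # default change interval quoted in the message
MAX_OFFSET_HOURS = 24        # "random offset up to 24 hours"
DC_HISTORY_DEPTH = 2         # DC remembers the current and one previous password


class DomainController:
    """Keeps a short, newest-first password history per machine account."""

    def __init__(self, history_depth=DC_HISTORY_DEPTH):
        self.history_depth = history_depth
        self._passwords = {}  # account name -> list of passwords, newest first

    def join(self, account, password):
        self._passwords[account] = [password]

    def change_password(self, account, new_password):
        # The new password becomes current; anything beyond the history
        # depth is forgotten.
        history = [new_password] + self._passwords[account]
        self._passwords[account] = history[: self.history_depth]

    def authenticate(self, account, password):
        return password in self._passwords.get(account, [])


class FrozenWorkstation:
    """Client whose local machine secret is rolled back on every reboot."""

    def __init__(self, name, dc, change_disabled=False):
        self.account = name + "$"
        self.dc = dc
        # Models machine password changes being turned off on the client,
        # the option the message mentions (on Windows this is the Netlogon
        # DisablePasswordChange setting).
        self.change_disabled = change_disabled
        self.secret = secrets.token_hex(16)
        dc.join(self.account, self.secret)
        # Assumption: the frozen image is captured right after the join.
        self._frozen_secret = self.secret

    def rotate(self):
        """Client-initiated machine password change."""
        if self.change_disabled:
            return False
        self.secret = secrets.token_hex(16)
        self.dc.change_password(self.account, self.secret)
        return True

    def reboot(self):
        # The rollback product restores the image, including the old secret.
        self.secret = self._frozen_secret

    def secure_channel_ok(self):
        return self.dc.authenticate(self.account, self.secret)


def trust_survives_rollback(rotations, change_disabled=False):
    """Rotate `rotations` times while the machine stays up, then reboot."""
    dc = DomainController()
    ws = FrozenWorkstation("LAB-PC01", dc, change_disabled)  # constructed name
    for _ in range(rotations):
        ws.rotate()
    ws.reboot()
    return ws.secure_channel_ok()


def rotations_until_broken(limit=10, change_disabled=False):
    """Smallest rotation count after which a rollback breaks the trust."""
    for n in range(limit + 1):
        if not trust_survives_rollback(n, change_disabled):
            return n
    return None  # trust never broke within `limit` rotations


def uptime_window_days(rotations):
    """Earliest and latest uptime (days) needed to complete `rotations`."""
    earliest = rotations * MAX_PASSWORD_AGE_DAYS
    latest = earliest + rotations * MAX_OFFSET_HOURS / 24
    return earliest, latest


if __name__ == "__main__":
    for n in range(4):
        state = "works" if trust_survives_rollback(n) else "BROKEN"
        print(f"{n} rotation(s) before rollback: secure channel {state}")
    n = rotations_until_broken()
    print("breaks after", n, "rotations, uptime window (days):",
          uptime_window_days(n))
    print("with changes disabled:", rotations_until_broken(change_disabled=True))
```

In this model a rolled-back machine still authenticates after one rotation, because the frozen secret is the DC's previous password, and fails after the second.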

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, January 16, 2007 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

Thanks Deji, I'll see what I can do (pun sorta intended)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

I had this issue a long time back with a similar product made by a previous 
employer. I won't go back into the details, but the problem is that computer 
passwords were being restored to previous states that no longer match those on 
the DCs at the present state. A manual or scripted rejoin is usually the cure. 
However, the computer objects themselves were not actually cleaned up, unlike 
in the case that Rich is now describing. Rich needs to eye-ball the directory 
itself and see whether or not the object actually disappeared when the problem 
manifests itself. Third-party eyes relaying information to the troubleshooter - 
not always reliable.


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon


From: Al Mulnick
Sent: Tue 1/16/2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process
In that case, you'll want to check out Steve's post and follow some of that 
advice.  Since it's a computer resource domain topology, it should be 
relatively low traffic and easier to spot.

Can you recreate it? Or is this just being reported retroactively? Better yet, 
how close are you to the situation?


On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

Thanks Al. It's not that the domain is different, just that only one domain is 
used for computer accounts. The forest root isn't, and the other domain is 
relatively inactive until we put another area on AD, though it has a couple of 
user accounts. So all the computer accounts are in this domain (as well as 
almost all user accounts).



I agree it's weird that nothing is touching user accounts. We do use Sophos, 
and Sophos is often referred to with 4 letters lately around here so I'll 
mention that to them...



Deep Freeze apparently resets the computer to the state it was in before, so 
people can't change it. I'm not sure that the computer account password getting 
reset as part of it is a problem, I've been out of the loop on it. But it's not 
just those computers.



---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: 

RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Steve Linehan
And because I figure someone will ask what is this tool you talk about, did not 
have the link handy when I sent the mail.  It is called the Microsoft Shared 
Computer Toolkit for Windows XP which can be found 
here: http://www.microsoft.com/windowsxp/sharedaccess/default.mspx.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, January 16, 2007 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

Password change for the machine account is handled by the client and you could 
disable this so that you do not have the problem on the machines that are deep 
freezed.  We also have a tool that education users often leverage that does 
something similar however we implemented a way to update the password secret 
in the machine's registry to avoid the rollback issue.  The DC will remember the 
current and one previous password.  If the machine comes up and uses the 
previous password then it will fall back however if the machine goes through 
two resets, by default 30 days+random offset up to 24 hours, then potentially 
when you fall back the trust relationship would not work as the DC only knows 
about the last two passwords.  That being said other ISVs simply disable 
password changes on these systems since the password is randomly generated and 
generally strong for workstation class machines.  As for the deletion that is 
not normal which is why I would be interested in the metadata if the objects 
are indeed in deleted items.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, January 16, 2007 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

Thanks Deji, I'll see what I can do (pun sorta intended)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

I had this issue a long time back with a similar product made by a previous 
employer. I won't go back into the details, but the problem is that computer 
passwords were being restored to previous states that no longer match those on 
the DCs at the present state. A manual or scripted rejoin is usually the cure. 
However, the computer objects themselves were not actually cleaned up, unlike 
in the case that Rich is now describing. Rich needs to eye-ball the directory 
itself and see whether or not the object actually disappeared when the problem 
manifests itself. Third-party eyes relaying information to the troubleshooter - 
not always reliable.


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon


From: Al Mulnick
Sent: Tue 1/16/2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process
In that case, you'll want to check out Steve's post and follow some of that 
advice.  Since it's a computer resource domain topology, it should be 
relatively low traffic and easier to spot.

Can you recreate it? Or is this just being reported retroactively? Better yet, 
how close are you to the situation?


On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

Thanks Al. It's not that the domain is different, just that only one domain is 
used for computer accounts. The forest root isn't, and the other domain is 
relatively inactive until we put another area on AD, though it has a couple of 
user accounts. So all the computer accounts are in this domain (as well as 
almost all user accounts).



I agree it's weird that nothing is touching user accounts. We do use Sophos, 
and Sophos is often referred to with 4 letters lately around here so I'll 
mention that to them...



Deep Freeze apparently resets the computer to the state it was in before, so 
people can't change it. I'm not sure that the computer account password getting 
reset as part of it is a problem, I've been out of the loop on it. But it's not 
just those computers.
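
The rollback behaviour Steve Linehan describes above, as an added example that is not part of the original thread: a simplified Python model in which the DC keeps only the current and one previous machine password and a frozen workstation is restored to its snapshot at each reboot. The class and function names, the computer name `LAB-PC01` and the password labels are hypothetical, and the random offset mentioned in the post is left out.

```python
"""Simplified model (constructed example): the DC remembers the current and one
previous machine password; a frozen workstation is rolled back at every reboot."""
from dataclasses import dataclass, field

ROTATION_DAYS = 30  # default interval from the post; its random offset is omitted


@dataclass
class DomainController:
    # computer name -> (current, previous) password; previous starts as None
    accounts: dict = field(default_factory=dict)

    def join(self, name, password):
        self.accounts[name] = (password, None)

    def authenticate(self, name, password):
        # Either of the two remembered secrets is accepted.
        return password in self.accounts[name]

    def change_password(self, name, old, new):
        if not self.authenticate(name, old):
            return False
        current, _ = self.accounts[name]
        self.accounts[name] = (new, current)  # the oldest secret is forgotten
        return True


@dataclass
class Workstation:
    name: str
    password: str = "P0"          # constructed label for the join-time secret
    last_change_day: int = 0
    rotation_enabled: bool = True

    def snapshot(self):
        return (self.password, self.last_change_day)

    def restore(self, snap):
        # The freeze product discards local changes, including the new secret.
        self.password, self.last_change_day = snap

    def daily_logon(self, dc, day):
        """Authenticate, then rotate if the locally recorded age is due."""
        if not dc.authenticate(self.name, self.password):
            return False
        if self.rotation_enabled and day - self.last_change_day >= ROTATION_DAYS:
            new = f"P@day{day}"
            if dc.change_password(self.name, self.password, new):
                self.password, self.last_change_day = new, day
        return True


def first_broken_day(reboot_every, horizon=365, rotation_enabled=True):
    """Return the first day the workstation can no longer authenticate, or None."""
    dc = DomainController()
    ws = Workstation("LAB-PC01", rotation_enabled=rotation_enabled)
    dc.join(ws.name, ws.password)
    frozen = ws.snapshot()
    for day in range(1, horizon + 1):
        if day % reboot_every == 0:
            ws.restore(frozen)
        if not ws.daily_logon(dc, day):
            return day
    return None


if __name__ == "__main__":
    for label, kwargs in [
        ("reboot every 45 days", dict(reboot_every=45)),
        ("reboot daily", dict(reboot_every=1)),
        ("reboot daily, rotation disabled", dict(reboot_every=1, rotation_enabled=False)),
    ]:
        print(f"{label}: trust breaks on day {first_broken_day(**kwargs)}")
```

In this model the first rollback is survivable because the frozen secret is still the DC's previous password; the trust only breaks once a second change has pushed it out of the two remembered values.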




RE: [ActiveDir] DNS problem. Periodically have to clear the cache

2007-01-16 Thread Steve Linehan
I am also interested in the answers to these questions especially OS version 
and SP level.  We had a few issues with caching around in RTM and a few others 
around SP1.  It is a long story but has to do with how the cache entries are 
organized in memory.  The net effect was that certain lookups would cause the 
cache to have bad data that would cause the behavior you mention.  If you could 
provide the version of DNS.EXE, full build number using something like 
filever.exe, that would also be helpful.  The last issue I was aware of that 
exhibited these behaviors is documented here: 
http://support.microsoft.com/kb/903720/en-us .  So I would be interested if you 
were experiencing the issue with a build beyond that one.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache

How are these servers configured in TCP/IP? Who is forwarding to whom? And what 
is the SP level? If you want to take this off-list, you can do so by directly 
emailing me.


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon


From: Ramon Linan
Sent: Tue 1/16/2007 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache
Hi,

I have 4 DNS servers, they are all AD integrated.

2 of them are supposed to be for internal use only, and the other 2 for the 
internet domain we have, unluckily they were never configured to be split DNS.

Anyway, every now and then I have to clear the cache for the internal ones 
because they stop resolving for certain addresses.

Sometimes I also have to update server data files for the DNS server to 
resolve certain names.


Any help on how to troubleshoot this?

Thanks

Rezuma


Re: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Al Mulnick

Since I'm 2 points down

XPe machines typically do same.  Oddly the machines described are no
different than how many of the XPe machines are setup so using the same docs
to disable the password changes and any other changes that you may deem as
similar enough to be useful.  I strongly suggest checking out the
configuration docs on products such as WYSE or iGEL to see if those types of
settings and control apply to you now that you've deployed DF. Microsoft may
have some similar docs as well I suppose :)


On 1/16/07, Steve Linehan [EMAIL PROTECTED] wrote:


 Password change for the machine account is handled by the client and you
could disable this so that you do not have the problem on the machines that
are deep freezed.  We also have a tool that education users often leverage
that does something similar however we implemented a way to update the
password secret in the machine's registry to avoid the rollback issue.  The
DC will remember the current and one previous password.  If the machine
comes up and uses the previous password then it will fall back however if
the machine goes through two resets, by default 30 days+random offset up to
24 hours, then potentially when you fall back the trust relationship would
not work as the DC only knows about the last two passwords.  That being said
other ISVs simply disable password changes on these systems since the
password is randomly generated and generally strong for workstation class
machines.  As for the deletion that is not normal which is why I would be
interested in the metadata if the objects are indeed in deleted items.



Thanks,



-Steve



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Rich Milburn
*Sent:* Tuesday, January 16, 2007 4:09 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Computer accounts getting deleted by unknown
process



Thanks Deji, I'll see what I can do (pun sorta intended)



---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Akomolafe, Deji
*Sent:* Tuesday, January 16, 2007 3:47 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Computer accounts getting deleted by unknown
process



I had this issue a long time back with a similar product made by a
previous employer. I won't go back into the details, but the problem is that
computer passwords were being restored to previous states that no longer
match those on the DCs at the present state. A manual or scripted rejoin is
usually the cure. However, the computer objects themselves were not actually
cleaned up, unlike in the case that Rich is now describing. Rich needs to
eye-ball the directory itself and see whether or not the object actually
disappeared when the problem manifests itself. Third-party eyes relaying
information to the troubleshooter - not always reliable.




Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
*-5.75, -3.23*
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


 --

*From:* Al Mulnick
*Sent:* Tue 1/16/2007 1:35 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Computer accounts getting deleted by unknown
process

In that case, you'll want to check out Steve's post and follow some of
that advice.  Since it's a computer resource domain topology, it should be
relatively low traffic and easier to spot.



Can you recreate it? Or is this just being reported retroactively? Better
yet, how close are you to the situation?



On 1/16/07, *Rich Milburn* [EMAIL PROTECTED] wrote:

Thanks Al. It's not that the domain is different, just that only one
domain is used for computer accounts. The forest root isn't, and the other
domain is relatively inactive until we put another area on AD, though it has
a couple of user accounts. So all the computer accounts are in this domain
(as well as almost all user accounts).



I agree it's weird that nothing is touching user accounts. We do use
Sophos, and Sophos is often referred to with 4 letters lately around here so
I'll mention that to them…



Deep Freeze apparently resets the computer to the state it was in before,
so people can't change it. I'm not sure that the computer account password
getting reset as part of it is a problem, I've been out of the loop on it.
But it's not just those computers.




RE: [ActiveDir] Who needs that much ram anyway?

2007-01-16 Thread Bernard, Aric
My understanding is as follows:

All three switches address the 32-bit architecture only.
Exchange has never supported AWE.
Exchange 2007 has RTM'd.


Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Tuesday, January 16, 2007 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who needs that much ram anyway?

What about the 3Gb switch in the boot.ini that is required to take advantage
of the additional memory.
Also depending on the age of the server and CPU, you may also need a PAE /
AWE switch.
http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and require a
64 bit version of Windows 2003 or Longhorn, I am not sure if the switch will
be required, anyone else know?

Jose


- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?


 Personally I was surprised that a Windows 2003 server and Exchange 2007
 would need a patch to run more than 4 gigs because
 This problem occurs because of a problem in the Windows kernel

 Seems to me in the x64 era, we're all going to be running more than 4 gigs
 so they should bundle this up in the Exchange 2007 installer from the get
 go rather than having everyone stumble across a KB article.

 I'm assuming it's discussed in the readme that no one reads?


 Brian Desmond wrote:
 The more you can get in memory, the better. 32GB is the threshold for
 Exchange before it stops making sense.

 I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
 ram before...

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
 SBS Rocks [MVP]
 Sent: Tuesday, January 16, 2007 4:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Who needs that much ram anyway?


   The Microsoft Exchange Information Store service stops responding on a
   computer that is running Windows Server 2003 and Exchange Server 2007

 http://support.microsoft.com/?kbid=928368

 This problem occurs if Exchange Server 2007 is installed on a computer
 that has more than 4 gigabytes (GB) of RAM.

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ma/default.aspx




 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
 will hunt you down...
 http://blogs.technet.com/sbs



RE: [ActiveDir] DNS problem. Periodically have to clear the cache

2007-01-16 Thread Akomolafe, Deji
That's what I was getting at, too. Sorry to sound selfish and ask him to take 
it off-list :)

He hasn't sent anything yet, though. If he does, I'll send him your way.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Steve Linehan
Sent: Tue 1/16/2007 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache


I am also interested in the answers to these questions especially OS version 
and SP level.  We had a few issues with caching around in RTM and a few others 
around SP1.  It is a long story but has to do with how the cache entries are 
organized in memory.  The net effect was that certain lookups would cause the 
cache to have bad data that would cause the behavior you mention.  If you could 
provide the version of DNS.EXE, full build number using something like 
filever.exe, that would also be helpful.  The last issue I was aware of that 
exhibited these behaviors is documented here: 
http://support.microsoft.com/kb/903720/en-us .  So I would be interested if you 
were experiencing the issue with a build beyond that one.
 
Thanks,
 
-Steve
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache
 
How are these servers configured in TCP/IP? Who is forwarding to whom? And what 
is the SP level? If you want to take this off-list, you can do so by directly 
emailing me.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon
 



From: Ramon Linan
Sent: Tue 1/16/2007 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache
Hi,
 
I have 4 DNS servers, they are all AD integrated.
 
2 of them are supposed to be for internal use only, and the other 2 for the 
internet domain we have, unluckily they were never configured to be split DNS.

Anyway, every now and then I have to clear the cache for the internal ones 
because they stop resolving for certain addresses.

Sometimes I also have to update server data files for the DNS server to 
resolve certain names.
 
 
Any help on how to troubleshoot this?
 
Thanks
 
Rezuma


RE: [ActiveDir] Who needs that much ram anyway?

2007-01-16 Thread Akomolafe, Deji
One little addition:

There is a 32-bit version of E2K7, although it is neither intended to be used in 
production, nor supported if you choose to ignore the caveat.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Bernard, Aric
Sent: Tue 1/16/2007 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]  Who needs that much ram anyway?


My understanding is as follows:

All three switches address the 32-bit architecture only.
Exchange has never supported AWE.
Exchange 2007 has RTM'd.


Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Tuesday, January 16, 2007 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who needs that much ram anyway?

What about the 3Gb switch in the boot.ini that is required to take advantage
of the additional memory.
Also depending on the age of the server and CPU, you may also need a PAE /
AWE switch.
http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and require a
64 bit version of Windows 2003 or Longhorn, I am not sure if the switch will
be required, anyone else know?

Jose


- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?


 Personally I was surprised that a Windows 2003 server and Exchange 2007
 would need a patch to run more than 4 gigs because
 This problem occurs because of a problem in the Windows kernel

 Seems to me in the x64 era, we're all going to be running more than 4 gigs
 so they should bundle this up in the Exchange 2007 installer from the get
 go rather than having everyone stumble across a KB article.

 I'm assuming it's discussed in the readme that no one reads?


 Brian Desmond wrote:
 The more you can get in memory, the better. 32GB is the threshold for
 Exchange before it stops making sense.

 I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
 ram before...

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
 SBS Rocks [MVP]
 Sent: Tuesday, January 16, 2007 4:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Who needs that much ram anyway?


   The Microsoft Exchange Information Store service stops responding on a
   computer that is running Windows Server 2003 and Exchange Server 2007

 http://support.microsoft.com/?kbid=928368

 This problem occurs if Exchange Server 2007 is installed on a computer
 that has more than 4 gigabytes (GB) of RAM.




 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
 will hunt you down...
 http://blogs.technet.com/sbs



[ActiveDir] OT: Exchange daylight savings patch

2007-01-16 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://www.microsoft.com/downloads/details.aspx?familyid=c16aea4a-ed33-4cd9-a7c3-8b5df5471b7adisplaylang=entm 


Update for Daylight Saving Time changes in 2007 for Exchange Server 2003 
Service Pack 2 (SP2).


Ensure servers+Exchange+Sharepoint are patched (now to go figure out how 
my phones will handle this)


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Who needs that much ram anyway?

2007-01-16 Thread Michael B. Smith
And performance of same is quite poor. There are a few feature removals
as well.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 8:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Who needs that much ram anyway?


One little addition:
 
There is a 32-bit version of E2K7, although it is neither intended to be
used in production, nor supported if you choose to ignore the caveat.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: Bernard, Aric
Sent: Tue 1/16/2007 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]  Who needs that much ram anyway?


My understanding is as follows:

All three switches address the 32-bit architecture only.
Exchange has never supported AWE.
Exchange 2007 has RTM'd.


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Tuesday, January 16, 2007 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who needs that much ram anyway?

What about the 3Gb switch in the boot.ini that is required to take advantage
of the additional memory.
Also depending on the age of the server and CPU, you may also need a PAE /
AWE switch.
http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and require a
64 bit version of Windows 2003 or Longhorn, I am not sure if the switch will
be required, anyone else know?

Jose


- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?


 Personally I was surprised that a Windows 2003 server and Exchange 2007
 would need a patch to run more than 4 gigs because
 This problem occurs because of a problem in the Windows kernel

 Seems to me in the x64 era, we're all going to be running more than 4 gigs
 so they should bundle this up in the Exchange 2007 installer from the get
 go rather than having everyone stumble across a KB article.

 I'm assuming it's discussed in the readme that no one reads?


 Brian Desmond wrote:
 The more you can get in memory, the better. 32GB is the threshold for
 Exchange before it stops making sense.

 I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
 ram before...

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
 SBS Rocks [MVP]
 Sent: Tuesday, January 16, 2007 4:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Who needs that much ram anyway?


   The Microsoft Exchange Information Store service stops responding on a
   computer that is running Windows Server 2003 and Exchange Server 2007

 http://support.microsoft.com/?kbid=928368

 This problem occurs if Exchange Server 2007 is installed on a computer
 that has more than 4 gigabytes (GB) of RAM.




 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
 will hunt you down...
 http://blogs.technet.com/sbs
