RE: [ActiveDir] File replication setup problem
Steve,

A little of column A and a little of column B. DFSR is what you'd use if you were running R2. DFS is standard to Win2K3, and uses FRS to do the replication (if used). Don't be afraid - it's easier than FRS alone... although, I can tell you that you'd be 1000% better off replicating using DFSR (FRS is kludgy at best).

My $0.02 inc GST.

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan (Temp)
Sent: Tuesday, 16 January 2007 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File replication setup problem

If I'm reading the Microsoft instructions correctly, all you have to run FRS is 2003 with SP1. Am I wrong, people? I am aware that DFS will require R2... FYI, none of the servers in question are running 2003R2.

Steve Egan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 15, 2007 6:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File replication setup problem

Steve-

Is the box running R2? You need to upgrade to schema v31 (r2) if so. If not I tend to think your DNS is busted.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan (Temp)
Sent: Monday, January 15, 2007 8:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] File replication setup problem

Howdy, Brain Trust:

I have two servers, one in Poland, the other in Sweden, that I want to install FRS on (and later upgrade to DFS) so that I can back up these remote location files locally on a high-speed offsite backup here in the States. I'm attempting to go slow and do a little bit at a time.

When I run the New Replication Group Wizard and name the replication group and hit Next, the following error happens:

company.com: The Active Directory schema on domain controller ftp server.domain.com cannot be read. This error might be caused by a schema that has not been extended, or was extended improperly. See Help and Support Center for information about extending the Active Directory schema. A class schema object cannot be found.

I've tried and tried to extend the schema, the results are normal (no errors), and still the AD schema is broken. It swears up and down that it is a 2003 schema. I can't install AD on the Sweden server because something ain't right with it (schema), and now this.

I have two servers running here in the States as DCs, and they both think they are the top dog controller because whenever I try to do something like this it tells me the schema is broken. The FTP server and the mail server are both set up as DCs, both have AD on them. How do I tell one of them that they are no longer the master? Can I just delete (remove) the AD schema from the ftp server and reinstall it without serious breakage? I'm not sure that a simple demote will do the trick.

I'm enough of a thumb-fingered idiot when it comes to AD that I live in fear of really screwing the pooch if I do something like this - but I have to get it solved somehow. Somebody got a life preserver?

Steve Egan (temp)
Systems/Network Engineer
Occasional AD fumble-fingered idiot

This email (including any attachments) contains confidential information and is intended only for the named addressee. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system and destroy any copies. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. Email transmission cannot be guaranteed to be secure or error-free and emails may be interfered with, may contain computer viruses or other defects and may not be successfully replicated on other systems. The sender does not give any warranties nor accepts any liability in relation to any of these matters.
If you have any doubt about the authenticity of an email purportedly sent by us, please contact us immediately.
Re: [ActiveDir] OT: Who needs that much ram anyway?
I can think of quite a few situations. RAM is cheap as well compared to the early days.

Martin Tuip
Exchange MVP

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 1:00 AM
Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
Re: [ActiveDir] OT: Who needs that much ram anyway?
All

Put your hands up if you are using this hotfix to its full potential ;-)

http://support.microsoft.com/kb/918844

On 1/16/07, Martin Tuip [EMAIL PROTECTED] wrote:

I can think of quite a few situations. RAM is cheap as well compared to the early days.

Martin Tuip
Exchange MVP

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 1:00 AM
Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.
RE: [ActiveDir] Policy Failing to apply
I have checked and there is no folder redirection in place, either by policy, or manually applied :-(

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 15 January 2007 22:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policy Failing to apply

Just to add the detail to prove I am not totally mad.

http://support.microsoft.com/kb/888254
You cannot set the Folder Redirection policy setting on a Windows XP SP2-based computer that also uses Group Policy settings to customize Internet Explorer

Note: Group Policy settings that can customize Internet Explorer include Proxy Settings and Start Page.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 15 January 2007 17:15
To: ActiveDir.org
Subject: Re: [ActiveDir] Policy Failing to apply

Do you use Folder redirection too? I have come across an issue a couple of times where IE is customised in some way and folder redirection is enabled - this can cause GP not to be applied. There is a hotfix but I cannot look it up at the moment and I am not sure if it was fixed in SP2 or not.

Regards,
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-Original Message-
From: Dave Wade [EMAIL PROTECTED]
Date: Mon, 15 Jan 2007 16:30:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policy Failing to apply

Oh yes, no one can surf the net without it. We do get occasional issues where it does not apply, and sometimes we set it manually while we sort the problem out. Normally if we do this the settings stick and don't get wiped when the policy refreshes. However in this case they are wiped when the user logs in. It appears to be some issue with the user's settings as the problem follows her from PC to PC.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 January 2007 15:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policy Failing to apply

Dave-

Does that same proxy policy work for any other users correctly?

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, January 15, 2007 3:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Policy Failing to apply

Folks,

I have a user for whom the Internet Explorer Proxy settings are not applying correctly. They are set in the user portion of the Default Domain Policy. I have checked with the Group Policy Results tool in the Group Policy Management snap-in and it reports that they have been applied. But when the user tries to surf the net they can't, and on checking in IE the proxy fields are blank. To make matters worse if I manually set the proxy, and then do a gpupdate /force they are cleared. I have checked the event log on the machine and there is nothing obvious amiss there.

Has anyone any idea why this is happening before I start turning on userenv debugging? Note this is an isolated incident, and it appears to follow the user rather than being machine specific.

Dave Wade
0161 474 5456

** This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you.

http://www.stockport.gov.uk **
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
I moved to another switch and I still get the same issue and I can't go any further with drivers. I suppose the step I need to take now is to purchase a new NIC. Since everyone has strong feelings for Intel I wanted to ask what you guys suggest. This is a HP DL585 G2 server (rackmount) with PCI-X slots.

Donavon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Monday, January 15, 2007 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

I've seen errors like this on a server that either had a bad NIC, bad drivers or was connected to a bad port on a switch. The only way I was able to correct it was to switch the primary IP address to another NIC in the server that was connected but not configured. It was an interesting exercise at the time since I couldn't get to the console.

In my experience, that kind of DNS response is indicative of packet corruption of some sort.

Wook

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

Well, in doing that it did pop up a couple of things. I'm certainly nowhere close to an advisor on this so if one of you more familiar could help me out on deciphering the code on a couple of things. Are the following two items normal (they didn't look right to me):

1) DNS: Question Section: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN. of type Unknown Type on class Unknown Class
   DNS: 0x32E3:Std Qry Resp. for [EMAIL PROTECTED]

2) DNS: Question Section: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain. of type Unknown Type on class Unknown Class
   DNS: 0xB4E5:Std Qry Resp. for . of type Unknown Type on class Unknown Class

You may need more information so if I can get you anything else let me know. These entries just seem out of place to me, especially the one that has been displayed as [EMAIL PROTECTED]

Donavon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

The other thing that would probably be worthwhile is to do a sniffer trace from this server during the GP processing cycle. That may point out some network issues that are not coming out of the userenv log.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

Sorry, just catching up here. In terms of updating the driver, if it's a MS provided driver, I think it would say it in the Driver Details. You might want to run Windows Update and see if there are any optional updates for that NIC driver--if MS provided it originally they may have a Windows Update way of getting it.

In terms of disabling slow link for all users, that's a toughie, because that key is in HKEY_CURRENT_USER, which means a user has to be logged on to deliver it, but it's also in the policies key, which is permissioned away from regular users by default. If you can get GP to process at least once when the user logs on, then you can deliver it using the User Configuration GP setting. However, if per-user GP processing is not working, it's kind of a chicken-and-egg thing. The not-so-fun way of doing this would be to temporarily make all users logging into that MS a member of the local Administrators group, and then deliver the slow link disabling registry entry via logon script. But, that is not ideal of course.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

I'm not about to give up on the Broadcom NICs as this is a brand new server that cost as much as a Honda Accord. I'm not sure I can believe that HP would put a defective card in such a machine. You'd think others would have the same issues in mass quantity if that were the case. I'm also using Broadcoms in other HP servers here (including the two DCs) and they have not had any issues. It is all too easy to chalk up a problem like this to network cards, but I don't think it explains why the GPO is applied successfully without issues within the first 15 minutes or so after a reboot. There are no other problems cropping up from these Broadcoms either.

Now for a question, how do I disable slow link detection for all terminal service users on this problem server since that seems
RE: [ActiveDir] push a URL in the trusted zone with GPO...
Hi,

Sorry for the late response, I was in a Go Live so I didn't watch/post to the list for many days.

Thanks for the answer, I corrected it by removing the IE7 settings (yes, we are stuck with IE6 on most stations; our ERP doesn't support IE7 yet).

Thanks!

- -Original Message-
- From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
- Sent: January 6, 2007 12:18 PM
- To: ActiveDir@mail.activedir.org
- Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO...
-
- Could be an issue if the lists ever differ. I don't remember how they merge (or don't). Probably best to put it in one place.
-
- -Original Message-
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
- Sent: Saturday, January 06, 2007 7:37 AM
- To: ActiveDir@mail.activedir.org
- Subject: RE: [ActiveDir] push a URL in the trusted zone with GPO...
-
- Thanks, I have both, so I replicated the settings in both places. Do you think this can cause me problems?
RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)
Sorry for the delay on getting back on this, had a few things piled up after New Year's...

You're right on the fact that routers isolating the VLANs limit the impact of this issue... The problem is that the idea is to re-configure routers to forward DHCP traffic, so that we get DHCP service on all VLANs from one/a few DHCP servers, instead of having to set up a DHCP server on each VLAN.

Somebody suggested having a multi-homed DHCP server, with a leg on each VLAN, so that we get containment and DHCP service on every VLAN. I don't know at the moment if that's possible (I have to check with the client, to see if their network topology has a hub where all VLANs come close).

OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers (something similar to what we've done with the local filtering on the workstations)... We'd still have problems with a rogue DHCP server in a VLAN, but we wouldn't have to go the multi-homed server route...

Thanks a lot for the input received so far. It's made me explore several options that I had not considered ;)

As always, a pleasure.

Javier

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 09 January 2007 9:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Your last statement is true but then if routers restrict BOOTP traffic as I describe, then the rogue DHCP server will only affect the VLAN on which it exists. At least that way, you've reduced the impact.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Hi, Neil!!

That's another thing I'll have to look into :) I am aware that it's possible to do DHCP-proxy to pass along the DHCP requests to the proper servers. That's something that will have to be done, as the client's network is split in different VLAN segments, and in multiple locations/sites, and they'd like to have a reduced number of DHCP servers.

But, useful and necessary as it is, this won't prevent a rogue/malicious DHCP server on the same LAN segment from playing havoc with the systems.

Thanks for the heads-up though.

Javier Jarava

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 08 January 2007 14:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

In addition to the below, routers can be configured to only forward BOOTP packets to/from 'authorised' DHCP servers.

neil
___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 12:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Hi all!

Just wondering, is there a way to prevent a rogue DHCP server from playing havoc with a network? I have been digging into DHCP security but I haven't really found anything that makes it possible to auth. a DHCP server, so that the clients don't fall for a rogue one.

From what I've seen, the approach MS follows is that IF your DHCP server is Windows-based, you have to auth it on the Domain. That prevents the AD/infrastructure admins from shooting themselves in the foot by having too many/improperly configured servers.. But that won't stop a rogue VM from being a nuisance...

I've found this problem in one of our customers' sites. They use static IP addressing, but we were setting up a few of their computers with a different sw load and configuration, and they wanted to use DHCP to make config changes more dynamic. When running on an isolated network segment, all was fine, but once we moved into their network (to do a pilot test) we found a DHCP server serving a range outside their own, and really messing things up.

You could try using DHCP classid. If you set it on your clients when you build them they will ignore anything with the wrong classid. I think you can also control via group policy.

What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open ports whatsoever (tcp/udp), at least that I could
[ActiveDir] Delegating Permissions
Hi,

I have a question regarding access permissions within Active Directory and Local Servers. Basically, Information Security would like to have the ability to have access to all of Active Directory, Logon to Servers and access File Shares/Exchange Mailboxes. Is this achievable without making them domain admins? What do you do for Information Security in your orgs?

thanks
Frank
RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)
> OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth.

In case you weren't sure - this is exactly what I was suggesting you consider, in my first post :)

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 16 January 2007 13:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Sorry for the delay on getting back on this, had a few things piled up after New Year's...

You're right on the fact that routers isolating the VLANs limit the impact of this issue... The problem is that the idea is to re-configure routers to forward DHCP traffic, so that we get DHCP service on all VLANs from one/a few DHCP servers, instead of having to set up a DHCP server on each VLAN.

Somebody suggested having a multi-homed DHCP server, with a leg on each VLAN, so that we get containment and DHCP service on every VLAN. I don't know at the moment if that's possible (I have to check with the client, to see if their network topology has a hub where all VLANs come close).

OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers (something similar to what we've done with the local filtering on the workstations)... We'd still have problems with a rogue DHCP server in a VLAN, but we wouldn't have to go the multi-homed server route...

Thanks a lot for the input received so far. It's made me explore several options that I had not considered ;)

As always, a pleasure.

Javier

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 09 January 2007 9:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Your last statement is true but then if routers restrict BOOTP traffic as I describe, then the rogue DHCP server will only affect the VLAN on which it exists. At least that way, you've reduced the impact.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Hi, Neil!!

That's another thing I'll have to look into :) I am aware that it's possible to do DHCP-proxy to pass along the DHCP requests to the proper servers. That's something that will have to be done, as the client's network is split in different VLAN segments, and in multiple locations/sites, and they'd like to have a reduced number of DHCP servers.

But, useful and necessary as it is, this won't prevent a rogue/malicious DHCP server on the same LAN segment from playing havoc with the systems.

Thanks for the heads-up though.

Javier Jarava

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 08 January 2007 14:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

In addition to the below, routers can be configured to only forward BOOTP packets to/from 'authorised' DHCP servers.

neil
___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 12:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Hi all!

Just wondering, is there a way to prevent a rogue DHCP server from playing havoc with a network? I have been digging into DHCP security but I haven't really found anything that makes it possible to auth. a DHCP server, so that the clients don't fall for a rogue one.

From what I've seen, the approach MS follows is that IF your DHCP server is Windows-based, you have to auth it on the Domain. That prevents the AD/infrastructure admins from shooting themselves in the foot by having too many/improperly configured servers.. But that won't stop a rogue VM from being a nuisance...

I've found this problem in one of our customers' sites. They use static IP addressing, but we were setting up a few of their computers with a different sw load and configuration, and they wanted to use DHCP to make config changes more dynamic. When running on an
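The thread converges on one control: let only replies from authorised DHCP servers through, whether that filter lives on the router that relays BOOTP traffic between VLANs, on the workstation, or in a monitoring tap. The script below is an added example (not from the list, and not a real router's ACL syntax): it parses the DHCP option area of raw UDP payloads, pulls out the message type (option 53) and the server identifier (option 54), and applies the forward/drop decision to server-originated messages (OFFER/ACK/NAK) against an allow-list. The packets and the authorised-server addresses are constructed for the example.

```python
"""Flag DHCP server replies whose server identifier is not on the allow-list.

Added example, not code from the ActiveDir thread. All addresses and packets
below are constructed; nothing is sent on the wire.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options area
MSG_TYPE = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_REPLIES = {"OFFER", "ACK", "NAK"}     # the messages only a server should send


def parse_options(payload):
    """Return {option_code: raw_value} for a DHCP message (RFC 2132 layout)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                       # PAD: single byte, no length
            i += 1
            continue
        if code == 255:                     # END
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def classify(payload, authorised):
    """Return (message_type, server_id, verdict) for one DHCP payload."""
    opts = parse_options(payload)
    mtype = MSG_TYPE.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    sid = str(IPv4Address(opts[54])) if len(opts.get(54, b"")) == 4 else None
    if mtype not in SERVER_REPLIES:
        return mtype, sid, "client-message"
    if sid is None:                         # a server reply must carry option 54
        return mtype, sid, "drop: server reply without server identifier"
    if sid in authorised:
        return mtype, sid, "forward"
    return mtype, sid, "drop: unauthorised server " + sid


def build(op, mtype, server_id=None, yiaddr="0.0.0.0"):
    """Construct a minimal DHCP message for the example (fixed fields mostly zero)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4)
    fixed += b"\x00\x11\x22\x33\x44\x55" + b"\0" * 10   # chaddr (16 bytes)
    fixed += b"\0" * 64 + b"\0" * 128                    # sname, file
    opts = MAGIC_COOKIE + bytes([53, 1, mtype])
    if server_id:
        opts += bytes([54, 4]) + IPv4Address(server_id).packed
    return fixed + opts + b"\xff"


# Constructed allow-list: the two sanctioned DHCP servers behind the relay.
AUTHORISED = {"10.0.0.10", "10.0.0.11"}

# Constructed traffic: a legitimate OFFER, an OFFER from a rogue box in
# another subnet, a client DISCOVER, and a malformed ACK with no option 54.
SAMPLE = [
    build(2, 2, "10.0.0.10", "10.0.0.50"),
    build(2, 2, "192.168.77.1", "192.168.77.20"),
    build(1, 1),
    build(2, 5, None, "10.0.0.50"),
]


def audit(packets=SAMPLE, authorised=AUTHORISED):
    """Classify every packet; returns the list of (type, server_id, verdict)."""
    return [classify(p, authorised) for p in packets]


if __name__ == "__main__":
    for mtype, sid, verdict in audit():
        print(f"{mtype:8} server={sid} -> {verdict}")
```

Run as a script it prints one verdict per packet. The same decision, expressed as a router or switch ACL on UDP 67/68, is what keeps a rogue server's impact confined to its own VLAN; a client-side DHCP class ID, as Dave Wade suggests, only helps if every client is built with it.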
RE: [ActiveDir] Delegating Permissions
That's a very 'it depends' type question, but here's a rough framework:

1. Sit down with the IS guys and discuss at length their requirements
2. Create additional (secondary) user IDs for the IS people, based upon their requirements
3. Ensure that these secondary logons' usage is monitored

I would suggest you grant the guys the minimum privileges required, but this can only be achieved by spending time at stage 1, above.

I'm sure others will chip in with their experiences too, but hopefully the above helps you make a start.

neil

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: 16 January 2007 13:48
To: Active
Subject: [ActiveDir] Delegating Permissions

Hi,

I have a question regarding access permissions within Active Directory and Local Servers. Basically, Information Security would like to have the ability to have access to all of Active Directory, Logon to Servers and access File Shares/Exchange Mailboxes. Is this achievable without making them domain admins? What do you do for Information Security in your orgs?

thanks
Frank

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it.
If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
[ActiveDir] adminsdholder
Dear all,

I think we are experiencing issues re not being able to reset permissions on an object that was previously a member of protected groups. I have read that the issue is around the reset of the value of the 'adminCount' attribute. As I learn this gets set to 1 when it becomes a member of protected groups, but I just wanted to confirm that it is a 'supported' operation to merely reset this data to 0 to undo the effect of adminSDHolder?? Or whether there are other changes that need to be considered?

G
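The part of this that bites is that SDProp, the process that applies the AdminSDHolder ACL, stamps adminCount=1 and disables ACL inheritance on members of the protected groups (including members reached through nested groups), but never reverses either when the object leaves. Finding the leftovers therefore means walking nested membership, and the documented clean-up is two separate changes: clear adminCount (or set it to 0) and re-enable inheritance on the object's security descriptor. The script below is an added example, not from the list: it runs that check over a constructed directory snapshot (plain dicts standing in for LDAP results; the protected-group list is a subset and should be taken from the forest being audited).

```python
"""Find objects that still carry adminCount=1 after leaving every protected group.

Added example, not from the ActiveDir thread. The directory snapshot is
constructed; in practice the same dicts would come from an LDAP query for
memberOf, adminCount and the DACL's SE_DACL_PROTECTED flag.
"""
from collections import deque

# Subset of the default protected groups; adjust to the forest being audited.
PROTECTED_GROUPS = {
    "Administrators", "Account Operators", "Backup Operators", "Print Operators",
    "Server Operators", "Domain Admins", "Enterprise Admins", "Schema Admins",
}

# Constructed snapshot: name -> attributes. "inheritanceBlocked" models the
# protected-DACL flag that SDProp sets alongside adminCount.
DIRECTORY = {
    "Domain Admins": {"memberOf": ["Administrators"], "adminCount": 1, "inheritanceBlocked": True},
    "Tier0-Ops":     {"memberOf": ["Domain Admins"],  "adminCount": 1, "inheritanceBlocked": True},
    "Helpdesk":      {"memberOf": [],                 "adminCount": None, "inheritanceBlocked": False},
    "alice":         {"memberOf": ["Tier0-Ops"],      "adminCount": 1, "inheritanceBlocked": True},
    "bob":           {"memberOf": ["Helpdesk"],       "adminCount": 1, "inheritanceBlocked": True},
    "carol":         {"memberOf": ["Helpdesk"],       "adminCount": None, "inheritanceBlocked": False},
    "Old-Admins":    {"memberOf": [],                 "adminCount": 1, "inheritanceBlocked": True},
}


def is_protected(name, directory):
    """True if `name` is a protected group or a (transitive) member of one."""
    if name in PROTECTED_GROUPS:
        return True
    seen, queue = set(), deque([name])
    while queue:                           # breadth-first walk up memberOf
        current = queue.popleft()
        for group in directory.get(current, {}).get("memberOf", []):
            if group in PROTECTED_GROUPS:
                return True
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return False


def find_orphans(directory):
    """Objects stamped by SDProp that no longer belong to any protected group."""
    return sorted(name for name, obj in directory.items()
                  if obj.get("adminCount") == 1 and not is_protected(name, directory))


def remediate(obj):
    """Return a copy with the two attributes SDProp set reverted by hand."""
    fixed = dict(obj)
    fixed["adminCount"] = 0               # clearing the attribute works as well
    fixed["inheritanceBlocked"] = False   # re-enable inheritance on the DACL
    return fixed


def apply_remediation(directory):
    """Return a new snapshot with every orphan cleaned up."""
    orphans = set(find_orphans(directory))
    return {name: (remediate(obj) if name in orphans else obj)
            for name, obj in directory.items()}


if __name__ == "__main__":
    for name in find_orphans(DIRECTORY):
        print(f"{name}: adminCount=1 but not in a protected group -> reset + re-enable inheritance")
    print("remaining after cleanup:", find_orphans(apply_remediation(DIRECTORY)))
```

Run as a script it names `bob` and `Old-Admins` as leftovers and shows the snapshot clean after remediation; `alice` is kept because she still reaches Domain Admins through a nested group. The nested walk matters: reading only direct membership would flag her as an orphan and reset protection on a live admin account.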
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
Considering a HP NC360T card for my problem server. Anyone have any objections to using this card? It is Intel based (Intel 82571EB).

Thanks for all of the help!

Donavon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Tuesday, January 16, 2007 8:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

I moved to another switch and I still get the same issue and I can't go any further with drivers. I suppose the step I need to take now is to purchase a new NIC. Since everyone has strong feelings for Intel I wanted to ask what you guys suggest. This is a HP DL585 G2 server (rackmount) with PCI-X slots.

Donavon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Monday, January 15, 2007 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

I've seen errors like this on a server that either had a bad NIC, bad drivers or was connected to a bad port on a switch. The only way I was able to correct it was to switch the primary IP address to another NIC in the server that was connected but not configured. It was an interesting exercise at the time since I couldn't get to the console. In my experience, that kind of DNS response is indicative of packet corruption of some sort.

Wook

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

Well, in doing that it did pop up a couple of things. I'm certainly nowhere close to an advisor on this so if one of you more familiar could help me out on deciphering the code on a couple of things.

Are the following two items normal (they didn't look right to me):

1) DNS: Question Section: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN. of type Unknown Type on class Unknown Class
   DNS: 0x32E3:Std Qry Resp. for [EMAIL PROTECTED]

2) DNS: Question Section: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain. of type Unknown Type on class Unknown Class
   DNS: 0xB4E5:Std Qry Resp. for . of type Unknown Type on class Unknown Class

You may need more information so if I can get you anything else let me know. These entries just seem out of place to me, especially the one that has been displayed as [EMAIL PROTECTED]

Donavon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

The other thing that would probably be worthwhile is to do a sniffer trace from this server during the GP processing cycle. That may point out some network issues that are not coming out of the userenv log.

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

Sorry, just catching up here. In terms of updating the driver, if it's a MS provided driver, I think it would say it in the Driver Details. You might want to run Windows Update and see if there are any optional updates for that NIC driver--if MS provided it originally they may have a Windows Update way of getting it. In terms of disabling slow link for all users, that's a toughie, because that key is in HKEY_CURRENT_USER, which means a user has to be logged on to deliver it, but it's also in the policies key, which is permissioned away from regular users by default.

If you can get GP to process at least once when the user logs on, then you can deliver it using the User Configuration GP setting. However, if per-user GP processing is not working, it's kind of a chicken-and-egg thing. The not-so-fun way of doing this would be to temporarily make all users logging into that MS a member of the local Administrators group, and then deliver the slow link disabling registry entry via logon script. But, that is not ideal of course.

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

I'm not about to give up on the Broadcom NICs as this is a brand new server that cost as much as a Honda Accord. I'm not sure I can believe that HP would put a defective card in such a machine. You'd think others would have the same issues in mass quantity if that were the case. I'm also using Broadcoms in other HP servers here (including the two DCs) and
Re: [ActiveDir] OT: Who needs that much ram anyway?
(it was a joke)

I'm just surprised it needs a fix already.

Martin Tuip wrote:

I can think of quite a few situations. RAM is cheap as well compared to the early days.

Martin Tuip
Exchange MVP

----- Original Message -----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 1:00 AM
Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.
[ActiveDir] Computer accounts getting deleted by unknown process
I've found a little bit of info on this googling, and the results I'm finding seem to be related to replication problems, lack of SP1, or other issues with DCs that need to be reinstalled (reason not identified).

What's happening is that computer accounts are getting deleted - most of them are ones that can't update their passwords because they have been turned off, or in the case of a group of users, their computers have Deep Freeze running on them, and those computers update their passwords but apparently the computers reset when they are rebooted so the password is reset to the old one too. But the issues are not isolated to these accounts. We do not have an automated process set up to delete these accounts.

This is Server 2003, non-SP1 (that's scheduled for this Friday). There are no discovered replication errors, they have checked for those. We only have 6 DCs, two each for a root and two child domains, and this is happening in one of the child domains.

Here is an example event that we are getting. If anyone has seen this before or has any ideas, we'll be most appreciative.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5723
Date: 1/16/2007
Time: 9:21:28 AM
User: N/A
Computer: CORPDC2
Description:
The session setup from computer 'ACCT-95XDP11' failed because the security database does not contain a trust account 'ACCT-95XDP11$' referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem:

If 'ACCT-95XDP11$' is a legitimate machine account for the computer 'ACCT-95XDP11', then 'ACCT-95XDP11' should be rejoined to the domain.

If 'ACCT-95XDP11$' is a legitimate interdomain trust account, then the trust should be recreated.

Otherwise, assuming that 'ACCT-95XDP11$' is not a legitimate account, the following action should be taken on 'ACCT-95XDP11':

If 'ACCT-95XDP11' is a Domain Controller, then the trust associated with 'ACCT-95XDP11$' should be deleted.

If 'ACCT-95XDP11' is not a Domain Controller, it should be disjoined from the domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 8b 01 00 c0

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous
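An added example (not from the thread or its posters) that works the 5723 events backwards: it pulls the account names the events complain about, then checks whether a tombstone of that computer exists in AD and when it was deleted, so a genuinely deleted account can be told apart from one that never existed. The tombstone lookup assumes the ActiveDirectory module; the parsing runs anywhere.

```powershell
# Added example, not from the thread. Parse NETLOGON 5723 messages for the machine
# account they name, then confirm the deletion (and its time) from the AD tombstone.
# Audit only: nothing here changes the directory.

function Get-5723Account {
    # Extract the machine account name (without the trailing '$') from a 5723 message.
    # Returns $null when the text does not match the event's wording.
    param([Parameter(Mandatory)][string]$Message)
    $pattern = 'does not contain a trust account ''([^''$]+)'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

function Get-5723AccountsFromSystemLog {
    # Live query of a DC's System log; returns the distinct account names seen since $Since.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $xpath = "*[System[Provider[@Name='NETLOGON'] and EventID=5723]]"
    Get-WinEvent -ComputerName $ComputerName -LogName System -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $Since } |
        ForEach-Object { Get-5723Account -Message $_.Message } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Get-DeletedComputerTombstone {
    # Tombstones keep sAMAccountName, lastKnownParent and whenChanged (the deletion time),
    # which is enough to say "this account existed here and was deleted at T, from OU X".
    param([Parameter(Mandatory)][string]$Name)
    $sam = "$Name`$"
    Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=computer)(sAMAccountName=$sam))" `
        -Properties sAMAccountName, lastKnownParent, whenChanged |
        Select-Object @{ n = 'Account';       e = { $_.sAMAccountName } },
                      @{ n = 'DeletedAround'; e = { $_.whenChanged } },
                      @{ n = 'WasIn';         e = { $_.lastKnownParent } }
}

# Constructed sample: the description text of the event quoted above.
$sampleMessage = 'The session setup from computer ''ACCT-95XDP11'' failed because the security database ' +
                 'does not contain a trust account ''ACCT-95XDP11$'' referenced by the specified computer.'
Get-5723Account -Message $sampleMessage   # ACCT-95XDP11

# Live use on a DC:
#   Get-5723AccountsFromSystemLog | ForEach-Object { Get-DeletedComputerTombstone -Name $_ }
# To learn *who* deleted them, match DeletedAround against the Security log's
# "computer account deleted" events (ID 647 on Windows Server 2003, 4743 on 2008 and later),
# which record the deleting account; a scripted clean-up or a stale-account tool shows up there.
```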
RE: [ActiveDir] R2 Schema
Thanks to everyone for the feedback. It was very helpful.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 12, 2007 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

No. I've done numerous upgrades in this scenario. It takes like five minutes. There's a known issue someone here will/probably has commented on with SFU I believe but other than that it's good.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, January 12, 2007 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in our W2K3 SP1 environment. The plan is to take advantage of the new DFS extensions. We don't have any plans to upgrade to R2 in the foreseeable future so we'd basically be running W2K3 with the R2 schema for several months or years. Does anyone see any potential issues with that?
RE: [ActiveDir] OT: Who needs that much ram anyway?
The more you can get in memory, the better. 32GB is the threshold for Exchange before it stops making sense. I've remoted into SQL servers with dozens of CPUs and dozens of gigs of ram before...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 4:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.
RE: [ActiveDir] adminsdholder
Setting the attribute to 0 only will not help to stop the AdminSDHolder from managing a certain group/user. You either:

* remove it from a protected group, check inheritance and reset adminCount to not set
* configure dsHeuristics (forest-wide config) as mentioned in http://support.microsoft.com/?id=817433 for some default protected groups (not recommended as you should not use the default admin groups, but instead delegate stuff)

Also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Tue 2007-01-16 15:37
To: activedir@mail.activedir.org
Subject: [ActiveDir] adminsdholder

Dear all,

I think we are experiencing issues re not being able to reset permissions on an object that was previously a member of protected groups. I have read that the issue is around the reset of the value of the 'adminCount' attribute. As I learn, this gets set to 1 when it becomes a member of protected groups, but I just wanted to confirm that it is a 'supported' operation to merely reset this data to 0 to undo the effect of adminSDHolder, or whether there are other changes that need to be considered?

G
RE: [ActiveDir] adminsdholder
You'll also need to re-enable inheritance on the affected account.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, January 16, 2007 6:37 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adminsdholder

Dear all,

I think we are experiencing issues re not being able to reset permissions on an object that was previously a member of protected groups. I have read that the issue is around the reset of the value of the 'adminCount' attribute. As I learn, this gets set to 1 when it becomes a member of protected groups, but I just wanted to confirm that it is a 'supported' operation to merely reset this data to 0 to undo the effect of adminSDHolder, or whether there are other changes that need to be considered?

G
RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)
Not sure about other switch brands... we've been Cisco-centric for years. The command in Cisco IOS is "ip helper-address x.x.x.x" to tell DHCP packets where to go across VLANs... but this still doesn't prevent a rogue DHCP server from popping up on a VLAN. (Think about a Linksys wired/wireless router brought to work by a well-meaning but technically-challenged person and plugged into a local port in order to get wireless in their cubicle/office)

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 16, 2007 6:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

> OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth.

In case you weren't sure - this is exactly what I was suggesting you consider, in my first post :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 16 January 2007 13:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Sorry for the delay on getting back on this, had a few things piled up after New Year's...

You're right on the fact that routers isolating the VLANs limit the impact of this issue... The problem is that the idea is to re-configure routers to forward DHCP traffic, so that we get DHCP service on all VLANs from one/a few DHCP servers, instead of having to setup a DHCP server on each VLAN.

Somebody suggested having a multi-homed DHCP server, with a leg on each VLAN, so that we get containment and DHCP service on every VLAN. I don't know at the moment if that's possible (I have to check with the client, to see if their network topology has a hub where all VLANs come close).

OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers (something similar to what we've done with the local filtering on the workstations)... We'd still have problems with a rogue DHCP server in a VLAN, but we wouldn't have to go the multi-homed server route...

Thanks a lot for the input received so far. It's made me explore several options that I had not considered ;)

As always, a pleasure.

Javier

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 09 January 2007 9:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Your last statement is true but then if routers restrict BOOTP traffic as I describe, then the rogue DHCP server will only affect the VLAN on which it exists. At least that way, you've reduced the impact.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Hi, Neil!!

That's another thing I'll have to look into :) I am aware that it's possible to do DHCP-proxy to pass along the DHCP requests to the proper servers. That's something that will have to be done, as the client's network is split in different VLAN segments, and in multiple locations/sites, and they'd like to have a reduced number of DHCP servers. But, useful and necessary as it is, this won't prevent a rogue/malicious DHCP server on the same LAN segment from playing havoc with the systems.

Thanks for the heads-up though.

Javier Jarava

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 08 January 2007 14:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

In addition to the below, routers can be configured to only forward BOOTP packets to/from 'authorised' DHCP servers.

neil
___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 12:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Hi all!

Just wondering, is there a way to prevent a rogue DHCP server from playing havoc with a network? I have been digging into dhcp
RE: [ActiveDir] adminsdholder
Jorge, thanks for your reply post.

I certainly favour the former option on account of the other being a forest-wide configuration.

On this basis, if we have removed the user from protected groups then doesn't setting do the job?

The permission we are 'losing' is not one that is set at parent OU level and set explicitly on the object so inheritance of the permission is not OR is there something else that needs to be re-enabled by changing the inheritance on the user object??

GT

1. removed user from all protected groups

Setting the attribute to 0 only will not help to stop the AdminSDHolder from managing a certain group/user. You either:

* remove it from a protected group, check inheritance and reset adminCount to not set
* configure dsHeuristics (forest-wide config) as mentioned in http://support.microsoft.com/?id=817433 for some default protected groups (not recommended as you should not use the default admin groups, but instead delegate stuff)

Also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Tue 2007-01-16 15:37
To: activedir@mail.activedir.org
Subject: [ActiveDir] adminsdholder

Dear all,

I think we are experiencing issues re not being able to reset permissions on an object that was previously a member of protected groups. I have read that the issue is around the reset of the value of the 'adminCount' attribute. As I learn, this gets set to 1 when it becomes a member of protected groups, but I just wanted to confirm that it is a 'supported' operation to merely reset this data to 0 to undo the effect of adminSDHolder, or whether there are other changes that need to be considered?

G
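An added example (not from the thread or its posters) that does what Jorge's first option and the "re-enable inheritance" follow-up describe: it lists objects still carrying adminCount=1 that are no longer in any AdminSDHolder-protected group, shows whether inheritance is still blocked on them, and with -Fix clears adminCount and switches inheritance back on. It assumes the ActiveDirectory module and write access to the affected objects; the protected-group list is the default one.

```powershell
# Added example, not from the thread. Report (and optionally repair) objects orphaned by
# AdminSDHolder: adminCount=1 but no longer a member of a protected group.
# Default is report only; pass -Fix to clear adminCount and re-enable inheritance.
param([switch]$Fix)

Import-Module ActiveDirectory

# Default protected groups. Enterprise Admins and Schema Admins exist only in the forest
# root and Read-only Domain Controllers only from 2008, so groups that are not found are skipped.
$ProtectedGroupNames = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)

function Get-ProtectedMemberDNs {
    # Resolve nested membership server-side with LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
    param([string[]]$GroupNames)
    $dns = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($name in $GroupNames) {
        $group = Get-ADGroup -Filter "sAMAccountName -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
            ForEach-Object { [void]$dns.Add($_.DistinguishedName) }
    }
    return $dns
}

function Get-OrphanedAdminCount {
    # Users, computers (objectClass=user covers both) and groups flagged adminCount=1 that
    # SDProp no longer governs. krbtgt accounts are protected directly, not via membership.
    param([System.Collections.Generic.HashSet[string]]$Protected)
    Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group))(!(sAMAccountName=krbtgt*)))' `
        -Properties sAMAccountName, adminCount, nTSecurityDescriptor |
        Where-Object { -not $Protected.Contains($_.DistinguishedName) } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.sAMAccountName
                DistinguishedName  = $_.DistinguishedName
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        }
}

function Repair-OrphanedAdminCount {
    # The two steps from the thread: clear adminCount, then turn inheritance back on.
    # The explicit ACEs SDProp stamped on the object stay behind; review them separately.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    Set-ADObject -Identity $DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($false, $true)   # $false = stop blocking inheritance
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

$protected = Get-ProtectedMemberDNs -GroupNames $ProtectedGroupNames
$orphans   = @(Get-OrphanedAdminCount -Protected $protected)
$orphans | Format-Table -AutoSize

if ($Fix) {
    foreach ($o in $orphans) { Repair-OrphanedAdminCount -DistinguishedName $o.DistinguishedName }
} elseif ($orphans.Count) {
    Write-Host "Report only. Re-run with -Fix to clear adminCount and re-enable inheritance."
}
```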
RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)
On Cisco's you should be looking at a switchport level feature called DHCP snooping.

ip helper-address does more than just forward DHCP packets, just an FYI.

The term I use for the issue with the routers is that they're plugged in backwards when someone gets the WAN and LAN confused.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Tuesday, January 16, 2007 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Not sure about other switch brands... we've been Cisco-centric for years. The command in Cisco IOS is "ip helper-address x.x.x.x" to tell DHCP packets where to go across VLANs... but this still doesn't prevent a rogue DHCP server from popping up on a VLAN. (Think about a Linksys wired/wireless router brought to work by a well-meaning but technically-challenged person and plugged into a local port in order to get wireless in their cubicle/office)

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 16, 2007 6:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

> OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth.

In case you weren't sure - this is exactly what I was suggesting you consider, in my first post :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 16 January 2007 13:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Sorry for the delay on getting back on this, had a few things piled up after New Year's...

You're right on the fact that routers isolating the VLANs limit the impact of this issue... The problem is that the idea is to re-configure routers to forward DHCP traffic, so that we get DHCP service on all VLANs from one/a few DHCP servers, instead of having to setup a DHCP server on each VLAN.

Somebody suggested having a multi-homed DHCP server, with a leg on each VLAN, so that we get containment and DHCP service on every VLAN. I don't know at the moment if that's possible (I have to check with the client, to see if their network topology has a hub where all VLANs come close).

OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers (something similar to what we've done with the local filtering on the workstations)... We'd still have problems with a rogue DHCP server in a VLAN, but we wouldn't have to go the multi-homed server route...

Thanks a lot for the input received so far. It's made me explore several options that I had not considered ;)

As always, a pleasure.

Javier

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 09 January 2007 9:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Your last statement is true but then if routers restrict BOOTP traffic as I describe, then the rogue DHCP server will only affect the VLAN on which it exists. At least that way, you've reduced the impact.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Hi, Neil!!

That's another thing I'll have to look into :) I am aware that it's possible to do DHCP-proxy to pass along the DHCP requests to the proper servers. That's something that will have to be done, as the client's network is split in different VLAN segments, and in multiple locations/sites, and they'd like to have a reduced number of DHCP servers. But, useful and necessary as it is, this won't prevent a rogue/malicious DHCP server on the same LAN segment from playing havoc with the systems.

Thanks for the heads-up though.

Javier Jarava

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 08 January 2007 14:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

In addition to the below, routers can be configured to only forward BOOTP packets to/from 'authorised' DHCP servers.

neil
___
Neil Ruston
Global
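An added example (not from the thread or its posters) in the spirit of Javier's "local filtering on the workstations": it compares the DHCP server each adapter actually leased from against the authorised list, and reports whether that server sits on the adapter's own segment (the Linksys-on-the-VLAN case, which Al and Neil note no helper-address or router filter can stop; DHCP snooping on the switchport is the control there) or answered through a relay. The sample adapters are constructed; the live helpers assume WMI and the DhcpServer RSAT module.

```powershell
# Added example, not from the thread. Client-side check of where a lease came from.

function Test-IPv4InSubnet {
    # True when $Address and $Network share the same prefix under $Mask.
    param([string]$Address, [string]$Network, [string]$Mask)
    $a = ([System.Net.IPAddress]$Address).GetAddressBytes()
    $n = ([System.Net.IPAddress]$Network).GetAddressBytes()
    $m = ([System.Net.IPAddress]$Mask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($a[$i] -band $m[$i]) -ne ($n[$i] -band $m[$i])) { return $false }
    }
    return $true
}

function Get-DhcpLeaseReport {
    param(
        [Parameter(Mandatory)][string[]]$AuthorizedServers,  # IPs of the DHCP servers that should answer
        [Parameter(Mandatory)][object[]]$Adapters             # objects with Description, IPAddress, SubnetMask, DhcpServer
    )
    foreach ($nic in $Adapters) {
        if (-not $nic.DhcpServer) { continue }
        $authorized  = $AuthorizedServers -contains $nic.DhcpServer
        $sameSegment = Test-IPv4InSubnet -Address $nic.DhcpServer -Network $nic.IPAddress -Mask $nic.SubnetMask
        $verdict = if ($authorized)      { 'OK' }
                   elseif ($sameSegment) { 'ROGUE on local segment (needs DHCP snooping on the switch)' }
                   else                  { 'UNKNOWN server via relay (check helper-address / router filters)' }
        [pscustomobject]@{
            Adapter     = $nic.Description
            ClientIP    = $nic.IPAddress
            DhcpServer  = $nic.DhcpServer
            Authorized  = $authorized
            SameSegment = $sameSegment
            Verdict     = $verdict
        }
    }
}

function Get-LocalDhcpAdapters {
    # Live data from WMI: the IPv4 entry of each DHCP-enabled adapter (IPSubnet lines up with IPAddress).
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE' |
        ForEach-Object {
            $i = 0
            while ($i -lt $_.IPAddress.Count -and $_.IPAddress[$i] -notmatch '^\d+\.\d+\.\d+\.\d+$') { $i++ }
            if ($i -lt $_.IPAddress.Count) {
                [pscustomobject]@{
                    Description = $_.Description
                    IPAddress   = $_.IPAddress[$i]
                    SubnetMask  = $_.IPSubnet[$i]
                    DhcpServer  = $_.DHCPServer
                }
            }
        }
}

# Constructed sample: a wired lease relayed from the real server, and a wireless lease handed
# out by a consumer router plugged into the same VLAN.
$sampleAdapters = @(
    [pscustomobject]@{ Description = 'Wired';    IPAddress = '10.1.20.57';    SubnetMask = '255.255.255.0'; DhcpServer = '10.1.1.10' }
    [pscustomobject]@{ Description = 'Wireless'; IPAddress = '192.168.1.101'; SubnetMask = '255.255.255.0'; DhcpServer = '192.168.1.1' }
)
Get-DhcpLeaseReport -AuthorizedServers '10.1.1.10', '10.1.1.11' -Adapters $sampleAdapters | Format-Table -AutoSize
# Wired -> OK (relayed); Wireless -> ROGUE on local segment

# Live use on a domain member, taking the authorised list from AD:
#   $auth = (Get-DhcpServerInDC).IPAddress | ForEach-Object { $_.ToString() }
#   Get-DhcpLeaseReport -AuthorizedServers $auth -Adapters (Get-LocalDhcpAdapters)
```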
RE: [ActiveDir] OT: Who needs that much ram anyway?
Windows Team != Exchange Team

We've (Exchange MVPs) pushed and pushed for this for several patches over the last few years. Approval cycles, timeframes, requirements, etc. all differ between the teams. I'm sure politics are involved too. I think the closest we got was that Exchange 2003 sp2 wouldn't install if a couple of particular Windows hotfixes weren't already installed.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?

Personally I was surprised that a Windows 2003 server and Exchange 2007 would need a patch to run more than 4 gigs because "This problem occurs because of a problem in the Windows kernel". Seems to me in the x64 era, we're all going to be running more than 4 gigs so they should bundle this up in the Exchange 2007 installer from the get go rather than having everyone stumble across a KB article. I'm assuming it's discussed in the readme that no one reads?

Brian Desmond wrote:

The more you can get in memory, the better. 32GB is the threshold for Exchange before it stops making sense. I've remoted into SQL servers with dozens of CPUs and dozens of gigs of ram before...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 4:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
RE: [ActiveDir] OT: Who needs that much ram anyway?
Exchange should not be in the business of patching kernels. It's just bad form. That said, it's not clear to me what the right answer is either. You want to get people the fix that need it but you don't want to go out there and start swapping kernel components on a user. That's just not the right way for a piece of software to work. How would the SBS crowd feel if an app changed the kernel out from under them? You run a lot of apps on that box.

I think the options we have today are: readme + ExBPA + perhaps offering the patch via WU when we see Exchange installed. But the last point there is contentious, I know... it's merely an option to consider and give us feedback on. :)

I remember watching this issue being debugged when it was hit and it's worth proactively patching. Exchange put a lot of energy in to finding this one and getting root cause + a fix prior to RTM. Hard issue to hit, but not impossible either. Honestly, on this one, I think they served their customers well.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?

Personally I was surprised that a Windows 2003 server and Exchange 2007 would need a patch to run more than 4 gigs because "This problem occurs because of a problem in the Windows kernel". Seems to me in the x64 era, we're all going to be running more than 4 gigs so they should bundle this up in the Exchange 2007 installer from the get go rather than having everyone stumble across a KB article. I'm assuming it's discussed in the readme that no one reads?

Brian Desmond wrote:

The more you can get in memory, the better. 32GB is the threshold for Exchange before it stops making sense. I've remoted into SQL servers with dozens of CPUs and dozens of gigs of ram before...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 4:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.
Re: [ActiveDir] OT: Who needs that much ram anyway?
(oh he goes for below the belt with the SBS remark) ;-)

But yes, I'd argue it should be MU'd when Exchange is there.

Eric Fleischman wrote:

Exchange should not be in the business of patching kernels. It's just bad form. That said, it's not clear to me what the right answer is either. You want to get people the fix that need it, but you don't want to go out there and start swapping kernel components on a user. That's just not the right way for a piece of software to work. How would the SBS crowd feel if an app changed the kernel out from under them? You run a lot of apps on that box.

I think the options we have today are: readme + ExBPA + perhaps offering the patch via WU when we see Exchange installed. But the last point there is contentious, I know; it's merely an option to consider and give us feedback on. :)

I remember watching this issue being debugged when it was hit and it's worth proactively patching. Exchange put a lot of energy into finding this one and getting root cause + a fix prior to RTM. Hard issue to hit, but not impossible either. Honestly, on this one, I think they served their customers well.

~Eric

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] adminsdholder
Either explicit or inherited permissions will be replaced by the permissions defined on the adminsdholder object, so if re-applying inheritance is not enough... you would need to define explicit permissions... For the default perms you can use the DEFAULT button, and all custom added permissions would need to be defined again.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Tue 2007-01-16 17:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adminsdholder

Jorge, thanks for your reply post. I certainly favour the former option on account of the other being a forest-wide configuration. On this basis, if we have removed the user from protected groups then doesn't setting do the job? The permission we are 'losing' is not one that is set at parent OU level and set explicitly on the object, so inheritance of the permission is not OR is there something else that needs to be re-enabled by changing the inheritance on the user object??

GT

1. removed user from all protected groups

Setting the attribute to 0 only will not help to stop the adminsdholder from managing a certain group/user. You either:
* remove it from a protected group, check inheritance and reset admincount to not set
* configure dsheuristics (forest-wide config) as mentioned in http://support.microsoft.com/?id=817433 for some default protected groups (not recommended, as you should not use the default admin groups, but instead delegate stuff)

Also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Tue 2007-01-16 15:37
To: activedir@mail.activedir.org
Subject: [ActiveDir] adminsdholder

Dear all, I think we are experiencing issues re not being able to reset permissions on an object that was previously a member of protected groups. I have read that the issue is around the reset of the value of the 'admincount' attribute. As I learn, this gets set to 1 when it becomes a member of protected groups, but ju I wanted to confirm that it is a 'supported' operation to merely reset this data to 0 to undo the effect of adminsdholder?? Or whether there are other changes that need to be considered?

G

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
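The first option Jorge describes (object no longer in a protected group, admincount cleared, inheritance re-enabled, explicit permissions checked), written out as an added PowerShell example; it is not code from the thread. It assumes the ActiveDirectory module and its AD: drive (Windows Server 2008 R2 / RSAT or later; in the 2003 era the same steps were dsquery and dsacls), and the protected-group names are the well-known defaults, not something the thread lists.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# its AD: drive. Run with -WhatIf first: it then only reports and changes nothing.
[CmdletBinding(SupportsShouldProcess = $true)]
param()
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Well-known default protected groups (Windows Server 2003 SP1 and later).
# Schema/Enterprise Admins and RODCs only exist in some domains; that is fine.
$protectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
    'Schema Admins', 'Enterprise Admins', 'Read-only Domain Controllers'
)

# Everything that is (transitively) a member of a protected group is
# legitimately stamped with adminCount=1 and must be left alone.
$protectedDns = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }
    # Cross-domain members (foreign security principals) can make -Recursive
    # throw in a multi-domain forest; such errors are skipped, not fatal.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedDns[$_.DistinguishedName] = $true }
}

# Trustees named on the AdminSDHolder template. Explicit ACEs on an orphan that
# name one of these are the ones stamped over the object's own permissions
# (heuristic: a matching trustee, not a full ACE-by-ACE comparison).
$templateTrustees = (Get-Acl -Path "AD:\$adminSdHolder").Access |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

$stamped = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount

foreach ($obj in $stamped) {
    $dn = $obj.DistinguishedName
    # Skip objects that are still protected: group members, the protected
    # groups themselves, and the two built-in accounts AdminSDHolder covers.
    if ($protectedDns.ContainsKey($dn)) { continue }
    if ($obj.ObjectClass -eq 'group' -and $protectedGroups -contains $obj.Name) { continue }
    if ($obj.Name -in @('Administrator', 'krbtgt')) { continue }

    $acl = Get-Acl -Path "AD:\$dn"
    $fromTemplate = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $templateTrustees -contains $_.IdentityReference.Value
    })

    if ($PSCmdlet.ShouldProcess($dn, 'clear adminCount and re-enable inheritance')) {
        # Clearing the attribute (rather than writing 0) is what "not set" means.
        Set-ADObject -Identity $dn -Clear adminCount
        # $false removes the inheritance block so OU permissions flow again; the
        # second argument only matters when blocking. Explicit ACEs stay as they
        # are, which is why the report below still matters.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$dn" -AclObject $acl
    }

    # What still needs a human: template ACEs left on the object, and how many
    # other explicit ACEs (custom delegations) survived and may need redefining.
    [pscustomobject]@{
        Object            = $dn
        TemplateAcesLeft  = $fromTemplate.Count
        OtherExplicitAces = @($acl.Access | Where-Object { -not $_.IsInherited }).Count - $fromTemplate.Count
    }
}
```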
Re: [ActiveDir] Computer accounts getting deleted by unknown process
What's unique about the domain this is happening to? That strikes me as odd that it's occurring in one domain, but not all.

I have yet to see accounts get deleted in Active Directory (any version) without a process that removes them. This could be a new experience for me, but I'm skeptical that a process doesn't exist that is removing accounts or preventing the replication (you did say they checked, but like I said, I'm skeptical of any process that picks on computer account security principals but leaves user security principals alone.)

I have seen strange issues occur when anti virus apps that run on the domain controllers were thought to have been configured properly but weren't. I've seen instances where similar symptoms were presented but in the end we found out that a process was running that caused this issue. I've seen issues of DC promotions and DNS that ate the DNS zones, but that's not what you describe.

So I'm interested to know what's unique about the domain it occurs in. I'm interested to know why it doesn't occur in the other domains?

SP1 is highly recommended of course - lots of bug fixes and additional security changes.

I'm not familiar with the client side apps you mention, but if the environment I work in currently is any indication old computer accounts don't become suicidal without provocation. Shame too.

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

I've found a little bit of info on this googling, and the results I'm finding seem to be related to replication problems, lack of SP1, or other issues with DCs that need to be reinstalled (reason not identified).

What's happening is that computer accounts are getting deleted - most of them are ones that can't update their passwords because they have been turned off, or in the case of a group of users, their computers have Deep Freeze running on them, and those computers update their passwords but apparently the computers reset when they are rebooted so the password is reset to the old one too. But the issues are not isolated to these accounts. We do not have an automated process set up to delete these accounts. This is Server 2003, non-SP1 (that's scheduled for this Friday). There are no discovered replication errors, they have checked for those. We only have 6 DCs, two each for a root and two child domains, and this is happening in one of the child domains.

Here is an example event that we are getting. If anyone has seen this before or has any ideas, we'll be most appreciative.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5723
Date: 1/16/2007
Time: 9:21:28 AM
User: N/A
Computer: CORPDC2
Description:
The session setup from computer 'ACCT-95XDP11' failed because the security database does not contain a trust account 'ACCT-95XDP11$' referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem:
If 'ACCT-95XDP11$' is a legitimate machine account for the computer 'ACCT-95XDP11', then 'ACCT-95XDP11' should be rejoined to the domain.
If 'ACCT-95XDP11$' is a legitimate interdomain trust account, then the trust should be recreated.
Otherwise, assuming that 'ACCT-95XDP11$' is not a legitimate account, the following action should be taken on 'ACCT-95XDP11':
If 'ACCT-95XDP11' is a Domain Controller, then the trust associated with 'ACCT-95XDP11$' should be deleted.
If 'ACCT-95XDP11' is not a Domain Controller, it should be disjoined from the domain.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 8b 01 00 c0

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor
RE: [ActiveDir] Computer accounts getting deleted by unknown process
Well assuming that the deletion occurred recently I would go look in the deleted items folder and see if you have an object by that name in there. You can then look at the replication metadata and see where the delete originated. From that see if they are all coming from one DC or if there are patterns. If you have auditing turned up you could see who/what is deleting them.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process
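Steve's three checks (look in Deleted Objects, read the replication metadata to see which DC originated each delete, then consult the audit trail) as an added PowerShell example, not code from the thread. It assumes the ActiveDirectory module with Get-ADReplicationAttributeMetadata (Windows Server 2012 / RSAT or later; in the 2003 era the same data came from repadmin /showobjmeta and LDP), and that account-management auditing is enabled on the DCs; event 4743 is the 2008+ ID for a computer account deletion, where Server 2003 logged 647.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module with
# Get-ADReplicationAttributeMetadata (Windows Server 2012 / RSAT or later).
param(
    [int]$Days = 7,
    # Any writable DC in the affected domain; tombstones replicate to all of them.
    [string]$Server = (Get-ADDomainController -Discover -Writable).HostName[0]
)
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-$Days)

# 1. Deleted Objects: tombstones keep objectClass, sAMAccountName and the
#    container the object lived in (lastKnownParent), so they can be listed
#    without restoring anything.
$deleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and objectClass -eq 'computer' -and whenChanged -ge $since } `
    -Properties whenChanged, lastKnownParent, sAMAccountName

# 2. Replication metadata: the originating-change record for isDeleted names
#    the DC on which the delete was first written and the USN it got there.
#    That DC's own logs are where the deleting process will show up.
$report = foreach ($obj in $deleted) {
    $meta = Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName `
        -Server $Server -IncludeDeletedObjects -Properties isDeleted |
        Where-Object AttributeName -eq 'isDeleted'
    [pscustomobject]@{
        Computer      = $obj.sAMAccountName
        LastKnownOU   = $obj.lastKnownParent
        DeletedAt     = $meta.LastOriginatingChangeTime
        OriginatingDC = $meta.LastOriginatingChangeDirectoryServerIdentity
        USN           = $meta.LastOriginatingChangeUsn
    }
}
$report | Sort-Object DeletedAt | Format-Table -AutoSize

# Pattern check: every delete originating on one DC means whatever is doing it
# runs there or talks LDAP to it; a spread across DCs points somewhere else.
$report | Group-Object OriginatingDC | Select-Object Count, Name

# 3. Audit trail. With account-management auditing on, Windows Server 2008+
#    logs 4743 (computer account deleted) naming the deleting principal in
#    SubjectUserName; point this at each DC listed under OriginatingDC above.
function Get-ComputerDeleteAudit {
    param([string]$DcHostName, [datetime]$Start)
    Get-WinEvent -ComputerName $DcHostName -FilterHashtable @{
        LogName = 'Security'; Id = 4743; StartTime = $Start
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Deleted = $d['TargetUserName']
            By      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    }
}
Get-ComputerDeleteAudit -DcHostName $Server -Start $since | Format-Table -AutoSize
```

Matching the By column against the USN and time from step 2 separates a scheduled clean-up script or agent running under a service account from an administrator's own session.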
RE: [ActiveDir] Computer accounts getting deleted by unknown process
Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). I agree it's weird that nothing is touching user accounts.

We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them... Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process
RE: [ActiveDir] DNS problem. Periodically have to clear the cache
Hi,

I have 4 DNS servers, they are all AD integrated. 2 of them are supposed to be for internal use only, and the other 2 for the internet domain we have; unluckily they were never configured to be split DNS. Anyway, every now and then I have to clear the cache for the internal ones because they stop resolving for certain addresses. Sometimes I also have to update server data files for the DNS server to resolve certain names. Any help on how to troubleshoot this?

Thanks
Rezuma
RE: [ActiveDir] adminsdholder
Jorge, thanks for the mail back. I am duly noted on the re-enabling of the inheritance.

If I may develop this thread a little further... is there any specific logging of the activity of the adminsdholder process, or do we have to fall back to the directory auditing?? Presumably, as I understand, there would be a number of elements to this:
i. enumeration of objects that are members of protected groups (is this constrained to user objects??)
ii. change of admincount attribute
iii. change of inheritance
iv. reset of permissions on objects

G
Re: [ActiveDir] Computer accounts getting deleted by unknown process
In that case, you'll want to check out Steve's post and follow some of that advice. Since it's a computer resource domain topology, it should be relatively low traffic and easier to spot. Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation?

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:
RE: [ActiveDir] DNS problem. Periodically have to clear the cache
How are these servers configured in TCP/IP? Who is forwarding to whom? And what is the SP level? If you want to take this off-list, you can do so by directly emailing me.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan
Sent: Tue 1/16/2007 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache
RE: [ActiveDir] Computer accounts getting deleted by unknown process
I had this issue a long time back with a similar product made by a previous employer. I won't go back into the details, but the problem is that computer passwords were being restored to previous states that no longer match those on the DCs at the present state. A manual or scripted rejoin is usually the cure. However, the computer objects themselves were not actually cleaned up, unlike in the case that Rich is now describing. Rich needs to eyeball the directory itself and see whether or not the object actually disappeared when the problem manifests itself. Third-party eyes relaying information to the troubleshooter - not always reliable.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Al Mulnick Sent: Tue 1/16/2007 1:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

In that case, you'll want to check out Steve's post and follow some of that advice. Since it's a computer resource domain topology, it should be relatively low traffic and easier to spot. Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation?

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). I agree it's weird that nothing is touching user accounts. We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them... Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers.

---
Rich Milburn, MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development, Applebee's International, Inc., 4551 W. 107th St, Overland Park, KS 66207, 913-967-2819
-- I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Tuesday, January 16, 2007 1:22 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

What's unique about the domain this is happening to? That strikes me as odd that it's occurring in one domain, but not all. I have yet to see accounts get deleted in Active Directory (any version) without a process that removes them. This could be a new experience for me, but I'm skeptical that a process doesn't exist that is removing accounts or preventing the replication (you did say they checked, but like I said, I'm skeptical of any process that picks on computer account security principals but leaves user security principals alone.) I have seen strange issues occur when anti-virus apps that run on the domain controllers were thought to have been configured properly but weren't. I've seen instances where similar symptoms were presented but in the end we found out that a process was running that caused this issue. I've seen issues of DC promotions and DNS that ate the DNS zones, but that's not what you describe. So I'm interested to know what's unique about the domain it occurs in. I'm interested to know why it doesn't occur in the other domains? SP1 is highly recommended of course - lots of bug fixes and additional security changes.

I'm not familiar with the client side apps you mention, but if the environment I work in currently is any indication old computer accounts don't become suicidal without provocation. Shame too.

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

I've found a little bit of info on this googling, and the results I'm finding seem to be related to replication problems, lack of SP1, or other issues with DCs that need to be reinstalled (reason not identified). What's happening is that computer accounts are getting deleted - most of them are ones that can't update their passwords because they have been turned off, or in the case of a group of users, their computers have Deep Freeze running on them, and those computers update their passwords but apparently the computers reset when they are rebooted so the password is reset
[ActiveDir] Who needs that much ram anyway?
What about the /3GB switch in boot.ini that is required to take advantage of the additional memory? Also, depending on the age of the server and CPU, you may also need a PAE / AWE switch. http://support.microsoft.com/kb/283037 Since the final release of Exchange 2007 will only be 64-bit and require a 64-bit version of Windows 2003 or Longhorn, I am not sure if the switch will be required; anyone else know? Jose

----- Original Message ----- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 16, 2007 8:47 AM Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?

Personally I was surprised that a Windows 2003 server and Exchange 2007 would need a patch to run more than 4 gigs because "This problem occurs because of a problem in the Windows kernel". Seems to me in the x64 era, we're all going to be running more than 4 gigs so they should bundle this up in the Exchange 2007 installer from the get go rather than having everyone stumble across a KB article. I'm assuming it's discussed in the readme that no one reads?

Brian Desmond wrote:

The more you can get in memory, the better. 32GB is the threshold for Exchange before it stops making sense. I've remoted into SQL servers with dozens of CPUs and dozens of gigs of ram before... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, January 16, 2007 4:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007 http://support.microsoft.com/?kbid=928368 This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] Computer accounts getting deleted by unknown process
Ah, good detective work my friend... I'm not very close to the situation. But -2 points for the resource domain. We have the forest root, then a child root for our support center, which is on AD and which has users and computers, and then we have our restaurant domain, which is there for a handful or less of user accounts, and no computer accounts yet except the DCs. One day we might join computers to that domain. But for now, only the other domain really has computer accounts, and that is where we see the issue. But with only 2 domain controllers, which sit side-by-side, there's not a lot of replication issue to troubleshoot. I forwarded on Steve's comments, so we'll see if that helps anything.

---
Rich Milburn, MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development, Applebee's International, Inc., 4551 W. 107th St, Overland Park, KS 66207, 913-967-2819
-- "I love the smell of red herrings in the morning" - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Tuesday, January 16, 2007 3:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

In that case, you'll want to check out Steve's post and follow some of that advice. Since it's a computer resource domain topology, it should be relatively low traffic and easier to spot. Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation?

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). I agree it's weird that nothing is touching user accounts. We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them... Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers.

---
Rich Milburn, MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development, Applebee's International, Inc., 4551 W. 107th St, Overland Park, KS 66207, 913-967-2819
-- I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Tuesday, January 16, 2007 1:22 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

What's unique about the domain this is happening to? That strikes me as odd that it's occurring in one domain, but not all. I have yet to see accounts get deleted in Active Directory (any version) without a process that removes them. This could be a new experience for me, but I'm skeptical that a process doesn't exist that is removing accounts or preventing the replication (you did say they checked, but like I said, I'm skeptical of any process that picks on computer account security principals but leaves user security principals alone.) I have seen strange issues occur when anti-virus apps that run on the domain controllers were thought to have been configured properly but weren't. I've seen instances where similar symptoms were presented but in the end we found out that a process was running that caused this issue. I've seen issues of DC promotions and DNS that ate the DNS zones, but that's not what you describe. So I'm interested to know what's unique about the domain it occurs in. I'm interested to know why it doesn't occur in the other domains? SP1 is highly recommended of course - lots of bug fixes and additional security changes.

I'm not familiar with the client side apps you mention, but if the environment I work in currently is any indication old computer accounts don't become suicidal without provocation. Shame too.

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

I've found a little bit of info on this googling, and the results I'm finding seem to be related to replication problems, lack of SP1, or other issues with DCs that need to be reinstalled (reason not identified). What's happening is that computer accounts are getting deleted - most of them are ones that can't update their passwords because they have been turned off, or in the case of a group of users, their computers have Deep
RE: [ActiveDir] Computer accounts getting deleted by unknown process
Thanks Deji, I'll see what I can do (pun sorta intended)

---
Rich Milburn, MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development, Applebee's International, Inc., 4551 W. 107th St, Overland Park, KS 66207, 913-967-2819
-- I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji Sent: Tuesday, January 16, 2007 3:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

I had this issue a long time back with a similar product made by a previous employer. I won't go back into the details, but the problem is that computer passwords were being restored to previous states that no longer match those on the DCs at the present state. A manual or scripted rejoin is usually the cure. However, the computer objects themselves were not actually cleaned up, unlike in the case that Rich is now describing. Rich needs to eyeball the directory itself and see whether or not the object actually disappeared when the problem manifests itself. Third-party eyes relaying information to the troubleshooter - not always reliable.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Al Mulnick Sent: Tue 1/16/2007 1:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

In that case, you'll want to check out Steve's post and follow some of that advice. Since it's a computer resource domain topology, it should be relatively low traffic and easier to spot. Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation?

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). I agree it's weird that nothing is touching user accounts. We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them... Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers.

---
Rich Milburn, MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development, Applebee's International, Inc., 4551 W. 107th St, Overland Park, KS 66207, 913-967-2819
-- I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Tuesday, January 16, 2007 1:22 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

What's unique about the domain this is happening to? That strikes me as odd that it's occurring in one domain, but not all. I have yet to see accounts get deleted in Active Directory (any version) without a process that removes them. This could be a new experience for me, but I'm skeptical that a process doesn't exist that is removing accounts or preventing the replication (you did say they checked, but like I said, I'm skeptical of any process that picks on computer account security principals but leaves user security principals alone.) I have seen strange issues occur when anti-virus apps that run on the domain controllers were thought to have been configured properly but weren't. I've seen instances where similar symptoms were presented but in the end we found out that a process was running that caused this issue. I've seen issues of DC promotions and DNS that ate the DNS zones, but that's not what you describe. So I'm interested to know what's unique about the domain it occurs in. I'm interested to know why it doesn't occur in the other domains? SP1 is highly recommended of course - lots of bug fixes and additional security changes. I'm not familiar with the client side
RE: [ActiveDir] Who needs that much ram anyway?
Judging by the Exchange 2007 Microsoft Across America Launch Event that I attended this morning, Exchange 2007 has no limits, period. If you want it to block spam, it blocks spam. If you want it to run with a 2000TB store on Standard, it will do it. If you want it to cook you breakfast, that might require the /baconandeggs switch, but it should be able to do that as well. The /baconandeggs switch might be undocumented... Seriously though, I know PAE is not supported on 64-bit, and I think I remember reading that /3GB is required on 64-bit OS.

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jose Medeiros Sent: Tuesday, January 16, 2007 4:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Who needs that much ram anyway?

What about the /3GB switch in boot.ini that is required to take advantage of the additional memory? Also, depending on the age of the server and CPU, you may also need a PAE / AWE switch. http://support.microsoft.com/kb/283037 Since the final release of Exchange 2007 will only be 64-bit and require a 64-bit version of Windows 2003 or Longhorn, I am not sure if the switch will be required; anyone else know? Jose

----- Original Message ----- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 16, 2007 8:47 AM Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?

Personally I was surprised that a Windows 2003 server and Exchange 2007 would need a patch to run more than 4 gigs because "This problem occurs because of a problem in the Windows kernel". Seems to me in the x64 era, we're all going to be running more than 4 gigs so they should bundle this up in the Exchange 2007 installer from the get go rather than having everyone stumble across a KB article. I'm assuming it's discussed in the readme that no one reads?

Brian Desmond wrote:

The more you can get in memory, the better. 32GB is the threshold for Exchange before it stops making sense. I've remoted into SQL servers with dozens of CPUs and dozens of gigs of ram before... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, January 16, 2007 4:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007 http://support.microsoft.com/?kbid=928368 This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.
RE: [ActiveDir] Who needs that much ram anyway?
Sorry, that was supposed to say NOT required.

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Brunson Sent: Tuesday, January 16, 2007 4:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Who needs that much ram anyway?

Judging by the Exchange 2007 Microsoft Across America Launch Event that I attended this morning, Exchange 2007 has no limits, period. If you want it to block spam, it blocks spam. If you want it to run with a 2000TB store on Standard, it will do it. If you want it to cook you breakfast, that might require the /baconandeggs switch, but it should be able to do that as well. The /baconandeggs switch might be undocumented... Seriously though, I know PAE is not supported on 64-bit, and I think I remember reading that /3GB is required on 64-bit OS.

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jose Medeiros Sent: Tuesday, January 16, 2007 4:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Who needs that much ram anyway?

What about the /3GB switch in boot.ini that is required to take advantage of the additional memory? Also, depending on the age of the server and CPU, you may also need a PAE / AWE switch. http://support.microsoft.com/kb/283037 Since the final release of Exchange 2007 will only be 64-bit and require a 64-bit version of Windows 2003 or Longhorn, I am not sure if the switch will be required; anyone else know? Jose

----- Original Message ----- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 16, 2007 8:47 AM Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?

Personally I was surprised that a Windows 2003 server and Exchange 2007 would need a patch to run more than 4 gigs because "This problem occurs because of a problem in the Windows kernel". Seems to me in the x64 era, we're all going to be running more than 4 gigs so they should bundle this up in the Exchange 2007 installer from the get go rather than having everyone stumble across a KB article. I'm assuming it's discussed in the readme that no one reads?

Brian Desmond wrote:

The more you can get in memory, the better. 32GB is the threshold for Exchange before it stops making sense. I've remoted into SQL servers with dozens of CPUs and dozens of gigs of ram before... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, January 16, 2007 4:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007 http://support.microsoft.com/?kbid=928368 This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.
RE: [ActiveDir] Computer accounts getting deleted by unknown process
Password change for the machine account is handled by the client and you could disable this so that you do not have the problem on the machines that are deep freezed. We also have a tool that education users often leverage that does something similar; however, we implemented a way to update the password secret in the machine's registry to avoid the rollback issue. The DC will remember the current and one previous password. If the machine comes up and uses the previous password then it will fall back; however, if the machine goes through two resets (by default 30 days + random offset up to 24 hours), then potentially when you fall back the trust relationship would not work, as the DC only knows about the last two passwords. That being said, other ISVs simply disable password changes on these systems since the password is randomly generated and generally strong for workstation class machines. As for the deletion, that is not normal, which is why I would be interested in the metadata if the objects are indeed in deleted items.

Thanks, -Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Milburn Sent: Tuesday, January 16, 2007 4:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

Thanks Deji, I'll see what I can do (pun sorta intended)

---
Rich Milburn, MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development, Applebee's International, Inc., 4551 W. 107th St, Overland Park, KS 66207, 913-967-2819
-- I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji Sent: Tuesday, January 16, 2007 3:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

I had this issue a long time back with a similar product made by a previous employer. I won't go back into the details, but the problem is that computer passwords were being restored to previous states that no longer match those on the DCs at the present state. A manual or scripted rejoin is usually the cure. However, the computer objects themselves were not actually cleaned up, unlike in the case that Rich is now describing. Rich needs to eyeball the directory itself and see whether or not the object actually disappeared when the problem manifests itself. Third-party eyes relaying information to the troubleshooter - not always reliable.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Al Mulnick Sent: Tue 1/16/2007 1:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

In that case, you'll want to check out Steve's post and follow some of that advice. Since it's a computer resource domain topology, it should be relatively low traffic and easier to spot. Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation?

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). I agree it's weird that nothing is touching user accounts. We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them... Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers.

---
Rich Milburn, MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development, Applebee's International, Inc., 4551 W. 107th St, Overland Park, KS 66207, 913-967-2819
-- I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Tuesday, January 16, 2007 1:22 PM To:
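The two things Steve's message turns on, whether the client still rotates its machine-account secret and whether the DC still holds a secret the client can present, can both be read from the workstation side. The script below is an added example written for this thread, not a tool from Microsoft or from any poster, and it is deliberately limited to what PowerShell on a domain-joined XP/2003-era box can do with the built-in ADSI classes. It reads the Netlogon `DisablePasswordChange` and `MaximumPasswordAge` registry values (real values, documented by Microsoft), fetches the computer object's `pwdLastSet` from the DC, and, if the live object is missing, searches tombstones so that a deletion is confirmed in the directory rather than relayed second-hand (Deji's point). The `-ImageDate` parameter and the two-rotation rule it feeds are assumptions made for illustration: the rule is a heuristic derived from Steve's statement that the DC remembers only the current and the previous password.

```powershell
# Added example (not from the ActiveDir thread). Checks one workstation's machine-account
# password state against what the DC records, and looks for a tombstone if the object is gone.
# Assumptions: run on a domain-joined machine with read access to the directory;
# $ComputerName and $ImageDate are caller-supplied placeholders.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Hypothetical input: the date the frozen/restored disk image was taken. Omit if unknown.
    [Nullable[DateTime]]$ImageDate = $null
)

# 1. Local Netlogon policy: does this client rotate its secret, and how often?
#    DisablePasswordChange=1 is the "turn it off on frozen machines" setting the thread mentions;
#    MaximumPasswordAge defaults to 30 days (Netlogon adds a random offset on top of it).
$netlogon       = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$changeDisabled = ($netlogon.DisablePasswordChange -eq 1)
$maxAgeDays     = 30
if ($netlogon.MaximumPasswordAge) { $maxAgeDays = [int]$netlogon.MaximumPasswordAge }

# 2. What the DC knows: locate the live computer object through ADSI (no extra modules needed).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
[void]$searcher.PropertiesToLoad.Add('pwdLastSet')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$live = $searcher.FindOne()

if (-not $live) {
    # 3. No live object: ask for tombstones (show-deleted control) before believing a deletion report.
    #    sAMAccountName is one of the attributes a tombstone keeps, so the same filter works.
    $searcher.Tombstone = $true
    $searcher.Filter    = "(&(isDeleted=TRUE)(sAMAccountName=$ComputerName`$))"
    $dead = $searcher.FindOne()
    if ($dead) {
        $dn = $dead.Properties['distinguishedname'][0]
        Write-Warning "Computer object was deleted; tombstone: $dn"
        Write-Warning "Next step: repadmin /showobjmeta <DC> `"$dn`" to see which DC originated the delete and when."
    } else {
        Write-Warning "No live object and no tombstone for $ComputerName in this domain."
    }
    return
}

# pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never set.
$pwdLastSet = [DateTime]::FromFileTimeUtc([int64]$live.Properties['pwdlastset'][0])

# 4. Rollback heuristic (assumption, derived from "the DC keeps current + one previous secret"):
#    a restored image still holds the secret from $ImageDate. One rotation since then is tolerated
#    (the DC keeps the image-era secret as "previous"); once enough time has passed for a second
#    rotation, the DC has forgotten it and the secure channel fails on the next reboot.
$risk = 'unknown (no -ImageDate supplied)'
if ($ImageDate) {
    $driftDays = ($pwdLastSet - $ImageDate.Value.ToUniversalTime()).TotalDays
    if ($driftDays -le 0) {
        $risk = 'none: DC secret predates the image'
    } elseif ($driftDays -le $maxAgeDays) {
        $risk = 'tolerated: DC still holds the image-era secret as "previous"'
    } else {
        $risk = 'likely broken: two or more rotations since the image was taken'
    }
}

if ($changeDisabled) { $rotation = 'disabled on client' } else { $rotation = "enabled, every $maxAgeDays days (+ random offset)" }

New-Object PSObject -Property @{
    Computer          = $ComputerName
    DistinguishedName = $live.Properties['distinguishedname'][0]
    ClientRotation    = $rotation
    DcPwdLastSetUtc   = $pwdLastSet
    RollbackRisk      = $risk
}
```

Run it on the affected workstation, or pass `-ComputerName` for another machine's account. A machine whose report shows rotation enabled, a recent `DcPwdLastSetUtc` and an image older than one rotation interval is exactly the case Steve describes: Deep Freeze keeps handing the DC a secret it has already discarded, and a rejoin is the only repair unless client-side rotation is disabled or the image is refreshed. The tombstone branch separates that (a secure-channel failure with the object still present) from the genuinely abnormal case of the object having been deleted, which is where the replication metadata from `repadmin /showobjmeta` becomes the next thing to collect.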
RE: [ActiveDir] Computer accounts getting deleted by unknown process
And because I figure someone will ask what is this tool you talk about: I did not have the link handy when I sent the mail. It is called the Microsoft Shared Computer Toolkit for Windows XP, which can be found here: http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

Thanks, -Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan Sent: Tuesday, January 16, 2007 5:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

Password change for the machine account is handled by the client and you could disable this so that you do not have the problem on the machines that are deep freezed. We also have a tool that education users often leverage that does something similar; however, we implemented a way to update the password secret in the machine's registry to avoid the rollback issue. The DC will remember the current and one previous password. If the machine comes up and uses the previous password then it will fall back; however, if the machine goes through two resets (by default 30 days + random offset up to 24 hours), then potentially when you fall back the trust relationship would not work, as the DC only knows about the last two passwords. That being said, other ISVs simply disable password changes on these systems since the password is randomly generated and generally strong for workstation class machines. As for the deletion, that is not normal, which is why I would be interested in the metadata if the objects are indeed in deleted items.

Thanks, -Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Milburn Sent: Tuesday, January 16, 2007 4:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

Thanks Deji, I'll see what I can do (pun sorta intended)

---
Rich Milburn, MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development, Applebee's International, Inc., 4551 W. 107th St, Overland Park, KS 66207, 913-967-2819
-- I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji Sent: Tuesday, January 16, 2007 3:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

I had this issue a long time back with a similar product made by a previous employer. I won't go back into the details, but the problem is that computer passwords were being restored to previous states that no longer match those on the DCs at the present state. A manual or scripted rejoin is usually the cure. However, the computer objects themselves were not actually cleaned up, unlike in the case that Rich is now describing. Rich needs to eyeball the directory itself and see whether or not the object actually disappeared when the problem manifests itself. Third-party eyes relaying information to the troubleshooter - not always reliable.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Al Mulnick Sent: Tue 1/16/2007 1:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

In that case, you'll want to check out Steve's post and follow some of that advice. Since it's a computer resource domain topology, it should be relatively low traffic and easier to spot. Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation?

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). I agree it's weird that nothing is touching user accounts. We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them... Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers.
RE: [ActiveDir] DNS problem. Periodically have to clear the cache
I am also interested in the answers to these questions, especially OS version and SP level. We had a few issues with caching around in RTM and a few others around SP1. It is a long story but has to do with how the cache entries are organized in memory. The net effect was that certain lookups would cause the cache to have bad data that would cause the behavior you mention. If you could provide the version of DNS.EXE, full build number using something like filever.exe, that would also be helpful. The last issue I was aware of that exhibited these behaviors is documented here: http://support.microsoft.com/kb/903720/en-us . So I would be interested if you were experiencing the issue with a build beyond that one.

Thanks, -Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji Sent: Tuesday, January 16, 2007 3:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache

How are these servers configured in TCP/IP? Who is forwarding to whom? And what is the SP level? If you want to take this off-list, you can do so by directly emailing me.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan Sent: Tue 1/16/2007 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache

Hi, I have 4 DNS servers, they are all AD integrated. 2 of them are supposed to be for internal use only, and the other 2 for the internet domain we have; unluckily they were never configured to be split DNS. Anyway, every now and then I have to clear the cache for the internal ones because they stop resolving for certain addresses. Sometimes I also have to update server data files for the DNS server to resolve certain names. Any help on how to troubleshoot this? Thanks Rezuma
Re: [ActiveDir] Computer accounts getting deleted by unknown process
Since I'm 2 points down XPe machines typically do same. Oddly the machines described are no different than how many of the XPe machines are set up, so using the same docs to disable the password changes and any other changes that you may deem as similar enough to be useful. I strongly suggest checking out the configuration docs on products such as WYSE or iGEL to see if those types of settings and control apply to you now that you've deployed DF. Microsoft may have some similar docs as well I suppose :)

On 1/16/07, Steve Linehan [EMAIL PROTECTED] wrote:

Password change for the machine account is handled by the client and you could disable this so that you do not have the problem on the machines that are deep freezed. We also have a tool that education users often leverage that does something similar; however, we implemented a way to update the password secret in the machine's registry to avoid the rollback issue. The DC will remember the current and one previous password. If the machine comes up and uses the previous password then it will fall back; however, if the machine goes through two resets, by default 30 days + random offset up to 24 hours, then potentially when you fall back the trust relationship would not work as the DC only knows about the last two passwords. That being said, other ISVs simply disable password changes on these systems since the password is randomly generated and generally strong for workstation class machines. As for the deletion, that is not normal, which is why I would be interested in the metadata if the objects are indeed in deleted items.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, January 16, 2007 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

Thanks Deji, I'll see what I can do (pun sorta intended)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

I had this issue a long time back with a similar product made by a previous employer. I won't go back into the details, but the problem is that computer passwords were being restored to previous states that no longer match those on the DCs at the present state. A manual or scripted rejoin is usually the cure. However, the computer objects themselves were not actually cleaned up, unlike in the case that Rich is now describing. Rich needs to eye-ball the directory itself and see whether or not the object actually disappeared when the problem manifests itself. Third-party eyes relaying information to the troubleshooter - not always reliable.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

--
From: Al Mulnick
Sent: Tue 1/16/2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

In that case, you'll want to check out Steve's post and follow some of that advice. Since it's a computer resource domain topology, it should be relatively low traffic and easier to spot. Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation?

On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). I agree it's weird that nothing is touching user accounts. We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them... Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers.
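Steve Linehan's point above (the DC keeps only the current and the previous machine-account secret, so a Deep Freeze rollback survives one scheduled rotation but not two) as an added simulation; this is not code from the list or from Microsoft, and the DomainController and Workstation classes, the LAB-PC01 name and the snapshot model are constructed for illustration. It also models the two mitigations mentioned in the thread: disabling client-side password change, and refreshing the secret in the frozen image.

```python
"""Added simulation (not code from the thread or from Microsoft) of the
machine-account password window: the DC remembers the current and one
previous secret, so a frozen workstation survives one rotation but not two.
All names and values are constructed."""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default client rotation interval quoted in the thread: 30 days plus a random
# offset of up to 24 hours. Used only for reporting in the demo below.
ROTATION_INTERVAL_DAYS = 30


@dataclass
class DomainController:
    """Per computer account: [current_secret, previous_secret]."""
    accounts: Dict[str, List[Optional[bytes]]] = field(default_factory=dict)

    def join(self, name: str, secret: bytes) -> None:
        self.accounts[name] = [secret, None]

    def rotate(self, name: str, new_secret: bytes) -> None:
        current, _ = self.accounts[name]
        self.accounts[name] = [new_secret, current]  # anything older is forgotten

    def authenticate(self, name: str, secret: bytes) -> bool:
        # Secure channel setup succeeds on the current OR the previous secret
        return name in self.accounts and secret in self.accounts[name]


@dataclass
class Workstation:
    name: str
    secret: bytes                           # the local machine-account secret
    frozen_secret: Optional[bytes] = None   # disk state the freeze tool restores
    password_change_disabled: bool = False  # the "just disable rotation" mitigation

    def freeze(self) -> None:
        self.frozen_secret = self.secret

    def frozen_reboot(self) -> None:
        # Every local change since the freeze, the new secret included, is lost
        self.secret = self.frozen_secret

    def scheduled_rotation(self, dc: DomainController) -> None:
        if self.password_change_disabled:
            return
        new_secret = os.urandom(16)  # client picks a random, strong secret
        dc.rotate(self.name, new_secret)
        self.secret = new_secret


def trust_survives(rotations: int, disable_change: bool = False,
                   refresh_frozen_image: bool = False) -> bool:
    """True if the secure channel still works after `rotations` scheduled
    rotations followed by a frozen reboot. refresh_frozen_image models a tool
    that writes the new secret into the frozen image (Steve's approach)."""
    dc = DomainController()
    ws = Workstation("LAB-PC01", os.urandom(16),
                     password_change_disabled=disable_change)
    dc.join(ws.name, ws.secret)
    ws.freeze()
    for _ in range(rotations):
        ws.scheduled_rotation(dc)
        if refresh_frozen_image:
            ws.freeze()
    ws.frozen_reboot()
    return dc.authenticate(ws.name, ws.secret)


if __name__ == "__main__":
    for n in range(4):
        print(f"{n} rotation(s), ~{n * ROTATION_INTERVAL_DAYS} days frozen: "
              f"trust ok = {trust_survives(n)}")
    print("rotation disabled:", trust_survives(3, disable_change=True))
    print("frozen image refreshed:", trust_survives(3, refresh_frozen_image=True))
```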
RE: [ActiveDir] Who needs that much ram anyway?
My understanding is as follows:
All three switches address the 32-bit architecture only.
Exchange has never supported AWE.
Exchange 2007 has RTM'd.

Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Tuesday, January 16, 2007 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who needs that much ram anyway?

What about the 3Gb switch in the boot.ini that is required to take advantage of the additional memory. Also depending on the age of the server and CPU, you may also need a PAE / AWE switch. http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and require a 64 bit version of Windows 2003 or Longhorn, I am not sure if the switch will be required; anyone else know?

Jose

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?

Personally I was surprised that a Windows 2003 server and Exchange 2007 would need a patch to run more than 4 gigs because "This problem occurs because of a problem in the Windows kernel". Seems to me in the x64 era, we're all going to be running more than 4 gigs so they should bundle this up in the Exchange 2007 installer from the get go rather than having everyone stumble across a KB article. I'm assuming it's discussed in the readme that no one reads?

Brian Desmond wrote:
The more you can get in memory, the better. 32GB is the threshold for Exchange before it stops making sense. I've remoted into SQL servers with dozens of CPUs and dozens of gigs of ram before...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 4:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368
This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] DNS problem. Periodically have to clear the cache
That's what I was getting at, too. Sorry to sound selfish and ask him to take it off-list :) He hasn't sent anything yet, though. If he does, I'll send him your way.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Steve Linehan
Sent: Tue 1/16/2007 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache
RE: [ActiveDir] Who needs that much ram anyway?
One little addition: There is a 32-bit version of E2K7, although it is neither intended to be used in production, nor supported if you choose to ignore the caveat.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Bernard, Aric
Sent: Tue 1/16/2007 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Who needs that much ram anyway?
[ActiveDir] OT: Exchange daylight savings patch
http://www.microsoft.com/downloads/details.aspx?familyid=c16aea4a-ed33-4cd9-a7c3-8b5df5471b7adisplaylang=entm

Update for Daylight Saving Time changes in 2007 for Exchange Server 2003 Service Pack 2 (SP2).

Ensure servers + Exchange + Sharepoint are patched (now to go figure out how my phones will handle this)

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] Who needs that much ram anyway?
And performance of same is quite poor. There are a few feature removals as well.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 8:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Who needs that much ram anyway?

One little addition: There is a 32-bit version of E2K7, although it is neither intended to be used in production, nor supported if you choose to ignore the caveat.