RE: [ActiveDir] OT: Exchange daylight savings patch

2007-01-17 Thread Ziots, Edward
 
Has anyone seen the Microsoft Exchange Calendar Update tool yet, the
link off the Exchange 2003 SP2 patch page is bad, and a search of the MS
downloads site, Google, and others doesn't find anything of the such. 

EZ

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange daylight savings patch

http://www.microsoft.com/downloads/details.aspx?familyid=c16aea4a-ed33-4cd9-a7c3-8b5df5471b7adisplaylang=entm

Update for Daylight Saving Time changes in 2007 for Exchange Server 2003
Service Pack 2 (SP2).

Ensure servers+Exchange+Sharepoint are patched (now to go figure out how
my phones will handle this)

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


[ActiveDir] Unable to logon after DCPromo - oddness

2007-01-17 Thread AdamT

Dear collective,

I'm hoping somebody can help out with a little problem I've got here.
I've got a Windows 2003 R2 Server, which I've joined to a domain, and dcpromo'd.

After the dcpromo and subsequent reboot, I can't logon to the server,
either 'interactively' or via RDP, or using PsExec.  I can access file
shares, like c$, and I can point MMC snap-ins to the computer without
problems.

The fact that the server is now a DC seems to have replicated around
just fine (all DCs show that the server is now in the Domain
Controllers OU), but all the SRV records are missing.

The system log is full of Netlogon 5774 events, suggesting I run
dcdiag, which is a nice suggestion, but I can't log on to the server
to do it.

Another (healthy) DC's directory service logs shows plenty of event
1699s, complaining:

The local domain controller failed to retrieve the changes requested
for the following directory partition. As a result, it was unable to
send the change requests to the domain controller at the following
network address.

Directory partition:
CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Extended request code:
2

Additional Data
Error value:
8453 Replication access was denied.


Has something gone horribly wrong here, or am I overlooking something
simple that I'm going to kick myself about later?

Any ideas appreciated,

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


RE: [ActiveDir] Unable to logon after DCPromo - oddness

2007-01-17 Thread Steve Linehan
Since you can get to C$ can you get the dcpromo*.log files which may help 
determine what is going on.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 17, 2007 7:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unable to logon after DCPromo - oddness

Dear collective,

I'm hoping somebody can help out with a little problem I've got here.
I've got a Windows 2003 R2 Server, which I've joined to a domain, and dcpromo'd.

After the dcpromo and subsequent reboot, I can't logon to the server,
either 'interactively' or via RDP, or using PsExec.  I can access file
shares, like c$, and I can point MMC snap-ins to the computer without
problems.

The fact that the server is now a DC seems to have replicated around
just fine (all DCs show that the server is now in the Domain
Controllers OU), but all the SRV records are missing.

The system log is full of Netlogon 5774 events, suggesting I run
dcdiag, which is a nice suggestion, but I can't log on to the server
to do it.

Another (healthy) DC's directory service logs shows plenty of event
1699s, complaining:

The local domain controller failed to retrieve the changes requested
for the following directory partition. As a result, it was unable to
send the change requests to the domain controller at the following
network address.

Directory partition:
CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Extended request code:
2

Additional Data
Error value:
8453 Replication access was denied.


Has something gone horribly wrong here, or am I overlooking something
simple that I'm going to kick myself about later?

Any ideas appreciated,

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


RE: [ActiveDir] Unable to logon after DCPromo - oddness

2007-01-17 Thread Holt, Will
Adam,

SRV records are missing

Question:  Has the server actually got write rights to the relevant DNS
Zones?

Have you got the flag set on the DNS settings on the net adapter register
in DNS?

Can you rcmd or go over an RSB\RIB Board
Have you actually tried running: dcdiag /test:RegisterInDNS /DnsDomain:XXX

Regards

Will
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Mittwoch, 17. Januar 2007 14:07
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unable to logon after DCPromo - oddness

Dear collective,

I'm hoping somebody can help out with a little problem I've got here.
I've got a Windows 2003 R2 Server, which I've joined to a domain, and
dcpromo'd.

After the dcpromo and subsequent reboot, I can't logon to the server, either
'interactively' or via RDP, or using PsExec.  I can access file shares, like
c$, and I can point MMC snap-ins to the computer without problems.

The fact that the server is now a DC seems to have replicated around just
fine (all DCs show that the server is now in the Domain Controllers OU), but
all the SRV records are missing.

The system log is full of Netlogon 5774 events, suggesting I run dcdiag,
which is a nice suggestion, but I can't log on to the server to do it.

Another (healthy) DC's directory service logs shows plenty of event 1699s,
complaining:

The local domain controller failed to retrieve the changes requested for the
following directory partition. As a result, it was unable to send the change
requests to the domain controller at the following network address.

Directory partition:
CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Extended request code:
2

Additional Data
Error value:
8453 Replication access was denied.


Has something gone horribly wrong here, or am I overlooking something simple
that I'm going to kick myself about later?

Any ideas appreciated,

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not prove
anything. - Nietzsche


RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-17 Thread Rich Milburn
Thanks Al and Steve.  Oh and Steve, you forgot the name of the Shared Computer 
Toolkit?  :)  Such a nice tool…  Of course, Vista’s new multiple local GPO sorta 
almost makes it obsolete, but it’s still a nice tool…

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
”I love the smell of red herrings in the morning” - anonymous

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 6:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

 

Since I'm 2 points down

 

XPe machines typically do same.  Oddly the machines described are no different 
than how many of the XPe machines are setup so using the same docs to disable 
the password changes and any other changes that you may deem as similar enough 
to be useful.  I strongly suggest checking out the configuration docs on 
products such as WYSE or iGEL to see if those types of settings and control 
apply to you now that you've deployed DF. Microsoft may have some similar docs 
as well I suppose :) 

 

On 1/16/07, Steve Linehan [EMAIL PROTECTED] wrote: 

Password change for the machine account is handled by the client and you could 
disable this so that you do not have the problem on the machines that are deep 
freezed.  We also have a tool that education users often leverage that does 
something similar however we implemented a way to update the password secret 
in the machine's registry to avoid the rollback issue.  The DC will remember the 
current and one previous password.  If the machine comes up and uses the 
previous password then it will fall back however if the machine goes through 
two resets, by default 30 days+random offset up to 24 hours, then potentially 
when you fall back the trust relationship would not work as the DC only knows 
about the last two passwords.  That being said other ISVs simply disable 
password changes on these systems since the password is randomly generated and 
generally strong for workstation class machines.  As for the deletion that is 
not normal which is why I would be interested in the metadata if the objects 
are indeed in deleted items. 

 

Thanks,

 

-Steve

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, January 16, 2007 4:09 PM 


To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

 

Thanks Deji, I'll see what I can do (pun sorta intended)

 

---
Rich Milburn 
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc. 
4551 W. 107th St
Overland Park, KS 66207 
913-967-2819
--
I love the smell of red herrings in the morning - anonymous 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

 

I had this issue a long time back with a similar product made by a previous 
employer. I won't go back into the details, but the problem is that computer 
passwords were being restored to previous states that no longer match those on 
the DCs at the present state. A manual or scripted rejoin is usually the cure. 
However, the computer objects themselves were not actually cleaned up, unlike 
in the case that Rich is now describing. Rich needs to eye-ball the directory 
itself and see whether or not the object actually disappeared when the problem 
manifests itself. Third-party eyes relaying information to the troubleshooter - 
not always reliable. 

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services 
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon

 



From: Al Mulnick
Sent: Tue 1/16/2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

In that case, you'll want to check out Steve's post and follow some of that 
advice.  Since it's a computer resource domain topology, it should be 
relatively low traffic and easier to spot. 

 

Can you recreate it? Or is this just being reported retroactively? Better yet, 
how close are 

RE: [ActiveDir] Unable to logon after DCPromo - oddness

2007-01-17 Thread Lee, Wook
If you can view the event logs remotely, then you should be able to run DCDIAG 
remotely as well as REPADMIN.

DCDIAG /S:remoteDCname
REPADMIN /showrepl remoteDCname

Wook

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 17, 2007 7:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Unable to logon after DCPromo - oddness

On 17/01/07, Holt, Will [EMAIL PROTECTED] wrote:
> Adam,

> SRV records are missing

> Question:  Has the server actually got write rights to the relevant DNS
> Zones?

Yes, it certainly has


> Have you got the flag set on the DNS settings on the net adapter register
> in DNS?


Check

> Can you rcmd or go over an RSB\RIB Board
> Have you actually tried running: dcdiag /test:RegisterInDNS /DnsDomain:XXX

Haven't tried rcmd, but was unable to use PsExec.  The server's being
rebuilt at the moment, so hopefully I won't get the chance to find
out.


> Regards

> Will
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
> Sent: Mittwoch, 17. Januar 2007 14:07
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Unable to logon after DCPromo - oddness

> Dear collective,

> I'm hoping somebody can help out with a little problem I've got here.
> I've got a Windows 2003 R2 Server, which I've joined to a domain, and
> dcpromo'd.

> After the dcpromo and subsequent reboot, I can't logon to the server, either
> 'interactively' or via RDP, or using PsExec.  I can access file shares, like
> c$, and I can point MMC snap-ins to the computer without problems.

> The fact that the server is now a DC seems to have replicated around just
> fine (all DCs show that the server is now in the Domain Controllers OU), but
> all the SRV records are missing.

> The system log is full of Netlogon 5774 events, suggesting I run dcdiag,
> which is a nice suggestion, but I can't log on to the server to do it.

> Another (healthy) DC's directory service logs shows plenty of event 1699s,
> complaining:

> The local domain controller failed to retrieve the changes requested for the
> following directory partition. As a result, it was unable to send the change
> requests to the domain controller at the following network address.

> Directory partition:
> CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
> Network address:
> a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
> Extended request code:
> 2

> Additional Data
> Error value:
> 8453 Replication access was denied.


> Has something gone horribly wrong here, or am I overlooking something simple
> that I'm going to kick myself about later?

> Any ideas appreciated,



--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-17 Thread Lee, Wook
For the edification of some on the list who might not be familiar with tracking 
down the perpetrators of an object deletion: You should take a look at the 
object metadata for those deleted computer accounts. The DC where the deletion 
occurred will be listed as the DC where the name attribute was changed. Keep 
note of the exact timestamp. Then you need to check that DC for deletion events 
in the security event log, assuming you have those turned on. That should get 
you info on what account did the deletion.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, January 17, 2007 7:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

Thanks Al and Steve. Oh and Steve, you forgot the name of the Shared Computer 
Toolkit? :) Such a nice tool... Of course, Vista's new multiple local GPO sorta 
almost makes it obsolete, but it's still a nice tool...

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 6:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

Since I'm 2 points down

XPe machines typically do same.  Oddly the machines described are no different 
than how many of the XPe machines are setup so using the same docs to disable 
the password changes and any other changes that you may deem as similar enough 
to be useful.  I strongly suggest checking out the configuration docs on 
products such as WYSE or iGEL to see if those types of settings and control 
apply to you now that you've deployed DF. Microsoft may have some similar docs 
as well I suppose :)


On 1/16/07, Steve Linehan [EMAIL PROTECTED] wrote:

Password change for the machine account is handled by the client and you could 
disable this so that you do not have the problem on the machines that are deep 
freezed.  We also have a tool that education users often leverage that does 
something similar however we implemented a way to update the password secret 
in the machine's registry to avoid the rollback issue.  The DC will remember the 
current and one previous password.  If the machine comes up and uses the 
previous password then it will fall back however if the machine goes through 
two resets, by default 30 days+random offset up to 24 hours, then potentially 
when you fall back the trust relationship would not work as the DC only knows 
about the last two passwords.  That being said other ISVs simply disable 
password changes on these systems since the password is randomly generated and 
generally strong for workstation class machines.  As for the deletion that is 
not normal which is why I would be interested in the metadata if the objects 
are indeed in deleted items.



Thanks,



-Steve



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Milburn
Sent: Tuesday, January 16, 2007 4:09 PM

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process



Thanks Deji, I'll see what I can do (pun sorta intended)



---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process



I had this issue a long time back with a similar product made by a previous 
employer. I won't go back into the details, but the problem is that computer 
passwords were being restored to previous states that no longer match those on 
the DCs at the present state. A manual or scripted rejoin is usually the cure. 
However, the computer objects themselves were not actually cleaned up, unlike 
in the case that Rich is now describing. Rich needs to eye-ball the directory 
itself and see whether or not the object actually disappeared when the problem 
manifests itself. Third-party eyes relaying information to the troubleshooter - 
not always reliable.
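
The tracing procedure Wook Lee describes at the top of this message (read the deleted object's metadata, note the originating DC and exact timestamp, then search that DC's security log), as an added example that is not part of the original thread. The `repadmin /showobjmeta` text and the event records are constructed samples, the event field names are this example's own, and both sources are assumed to be in the same time zone; the isDeleted cross-check goes slightly beyond the message, to tell a deletion from a plain rename.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: trimmed `repadmin /showobjmeta` output for a tombstoned
# computer object. DC names, USNs and timestamps are made up.
SHOWOBJMETA = r"""
Loc.USN   Originating DSA      Org.USN  Org.Time/Date        Ver Attribute
=======   ===============     ========= =============        === =========
 120331   HQ\DC01                 88102 2006-09-04 10:12:40    1 objectClass
 412877   Branch\DC03            301455 2007-01-15 02:31:07    2 isDeleted
 412877   Branch\DC03            301455 2007-01-15 02:31:07    2 name
"""

# Constructed sample: Security log records exported from several DCs, reduced
# to the fields used here (key names are assumptions of this example).
SECURITY_EVENTS = [
    {"dc": "DC03", "time": "2007-01-15 02:31:07", "id": 647,
     "caller": r"CORP\svc-imaging", "target": "KIOSK-114$"},
    {"dc": "DC03", "time": "2007-01-15 02:31:08", "id": 646,  # change, not delete
     "caller": r"CORP\helpdesk7", "target": "KIOSK-114$"},
    {"dc": "DC01", "time": "2007-01-15 02:31:07", "id": 647,  # different DC
     "caller": r"CORP\helpdesk7", "target": "KIOSK-114$"},
    {"dc": "DC03", "time": "2007-01-14 11:00:00", "id": 647,  # different time
     "caller": r"CORP\admin-jd", "target": "KIOSK-114$"},
]

# "Computer account deleted": 647 on Windows Server 2003, 4743 on 2008 and
# later. Either is only logged when account-management auditing is enabled.
DELETE_EVENT_IDS = {647, 4743}

TIME_FMT = "%Y-%m-%d %H:%M:%S"
ROW = re.compile(
    r"^\s*\d+\s+(?P<dsa>\S+)\s+\d+\s+"
    r"(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<ver>\d+)\s+(?P<attr>\S+)\s*$")


def parse_showobjmeta(text):
    """Return {attribute: {"dsa", "time", "ver"}} from showobjmeta rows."""
    meta = {}
    for line in text.splitlines():
        m = ROW.match(line)  # header and separator lines do not match
        if m:
            meta[m["attr"]] = {"dsa": m["dsa"],
                               "time": datetime.strptime(m["time"], TIME_FMT),
                               "ver": int(m["ver"])}
    return meta


def deletion_origin(meta):
    """Return (originating DSA, timestamp) of the deletion.

    The DC that changed `name` is the one where the delete happened, but a
    rename also changes `name`, so require isDeleted from the same write.
    """
    name, deleted = meta.get("name"), meta.get("isDeleted")
    if name is None or deleted is None:
        raise ValueError("no name/isDeleted metadata: object is not a tombstone")
    if (name["dsa"], name["time"]) != (deleted["dsa"], deleted["time"]):
        raise ValueError("name and isDeleted changed separately: check for a rename")
    return name["dsa"], name["time"]


def find_deleters(origin, events, target, window=timedelta(seconds=5)):
    """Accounts that deleted `target` on the originating DC near that time."""
    dsa, when = origin
    dc = dsa.split("\\")[-1].upper()  # "Site\DC03" -> "DC03"
    hits = []
    for ev in events:
        ev_time = datetime.strptime(ev["time"], TIME_FMT)
        if (ev["dc"].upper() == dc
                and ev["id"] in DELETE_EVENT_IDS
                and ev["target"].upper() == target.upper()
                and abs(ev_time - when) <= window):
            hits.append(ev["caller"])
    return hits


if __name__ == "__main__":
    origin = deletion_origin(parse_showobjmeta(SHOWOBJMETA))
    print(origin, find_deleters(origin, SECURITY_EVENTS, "KIOSK-114$"))
```
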


RE: [ActiveDir] OT: Exchange daylight savings patch

2007-01-17 Thread John Strongosky
Try this link, but it's not available yet...

http://office.microsoft.com/en-us/outlook/HA102086071033.aspx 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ziots, Edward
Sent: Wednesday, January 17, 2007 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange daylight savings patch

 
Has anyone seen the Microsoft Exchange Calendar Update tool yet, the
link off the Exchange 2003 SP2 patch page is bad, and a search of the MS
downloads site, Google, and others doesn't find anything of the such. 

EZ

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange daylight savings patch

http://www.microsoft.com/downloads/details.aspx?familyid=c16aea4a-ed33-4cd9-a7c3-8b5df5471b7adisplaylang=entm

Update for Daylight Saving Time changes in 2007 for Exchange Server 2003
Service Pack 2 (SP2).

Ensure servers+Exchange+Sharepoint are patched (now to go figure out how
my phones will handle this)

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] OT: Exchange daylight savings patch

2007-01-17 Thread Ziots, Edward
Looked at it, but there is no update as of yet. I know they just
released the Exchange 2K3 patch, I am sure the update tool is not far
behind. 

Z 


Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Wednesday, January 17, 2007 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange daylight savings patch

Try this link, but it's not available yet...

http://office.microsoft.com/en-us/outlook/HA102086071033.aspx 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ziots, Edward
Sent: Wednesday, January 17, 2007 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange daylight savings patch

 
Has anyone seen the Microsoft Exchange Calendar Update tool yet, the
link off the Exchange 2003 SP2 patch page is bad, and a search of the MS
downloads site, Google, and others doesn't find anything of the such. 

EZ

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + email:[EMAIL PROTECTED]
cell:401-639-3505

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange daylight savings patch

http://www.microsoft.com/downloads/details.aspx?familyid=c16aea4a-ed33-4cd9-a7c3-8b5df5471b7adisplaylang=entm

Update for Daylight Saving Time changes in 2007 for Exchange Server 2003
Service Pack 2 (SP2).

Ensure servers+Exchange+Sharepoint are patched (now to go figure out how
my phones will handle this)

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Who needs that much ram anyway?

2007-01-17 Thread Grillenmeier, Guido
So you might have had a bit too much of the Microsoft Cool-Aid :)  Exchange 
2007 may not have memory limits that you'd reach - but there are limits as to 
what makes sense to use with E2k7 (32GB are being communicated by MSFT).

And of course there are limits as to how much memory a 64bit OS supports: 
theoretically you could address a max of 16 exa-bytes with a 64bit address 
space, that is 16 billion GB... - however, the 64bit Windows OSs only support 
up to 16 TB virtual address space (split half/half for kernel and user memory) 
and only up to 1TB RAM (will increase to 2TB with SP2). Don't misunderstand the 
term only here, since there isn't much Windows hardware out there that can 
cope with more than 1TB of RAM right now anyways.  Not to say that these are 
any limits that you'd reach anytime soon with Exchange 2007.

Note that the /3GB switch is not supported on Windows 64bit OSs - there is no 
reason to use it either, since both the virtual kernel and the user-memory are 
increased dramatically (up to 8 TB each).

The /3GB switch is used on 32bit boxes to influence how the max of 4GB virtual 
memory that is addressable by 32bit is split up between kernel and user memory 
- you increase the user memory (used by apps such as Exchange) at the cost of 
reducing the kernel memory.  This is no longer required with 64bit boxes...

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Dienstag, 16. Januar 2007 23:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Who needs that much ram anyway?

Judging by the Exchange 2007 Microsoft Across America Launch Event that
I attended this morning, Exchange 2007 has no limits period.  If you
want it to block spam, it blocks spam.  If you want it to run with a
2000TB store on Standard, it will do it.  If you want it to cook you
breakfast, that might require the /baconandeggs switch, but it should be
able to do that as well.  The /baconandeggs switch might be
undocumented...

Seriously though, I know PAE is not supported on 64-bit, and I think I
remember reading that /3GB is required on 64-bit OS

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Tuesday, January 16, 2007 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who needs that much ram anyway?

What about the 3Gb switch in the boot.ini that is required to take
advantage
of the additional memory.
Also depending on the age of the server and CPU, you may also need a PAE
/
AWE switch.
http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and
require a
64 bit version of Windows 2003 or Longhorn, I am not sure if the switch
will
be required, any one else know?

Jose


- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?


 Personally I was surprised that a Windows 2003 server and Exchange
2007
 would need a patch to run more than 4 gigs because
 This problem occurs because of a problem in the Windows kernel

 Seems to me in the x64 era, we're all going to be running more than 4
gigs
 so they should bundle this up in the Exchange 2007 installer from the
get
 go rather than having everyone stumble across a KB article.

 I'm assuming it's discussed in the readme that no one reads?


 Brian Desmond wrote:
 The more you can get in memory, the better. 32GB is the threshold for
 Exchange before it stops making sense.

 I've remoted into SQL servers with dozens of CPUs and dozens of gigs
of
 ram before...

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz
-
 SBS Rocks [MVP]
 Sent: Tuesday, January 16, 2007 4:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Who needs that much ram anyway?


   The Microsoft Exchange Information Store service stops responding
on
 a
   computer that is running Windows Server 2003 and Exchange Server

 2007

 http://support.microsoft.com/?kbid=928368

 This problem occurs if Exchange Server 2007 is installed on a
computer
 that has more than 4 gigabytes (GB) of RAM.




 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man ...
I
 will hunt you down...
 http://blogs.technet.com/sbs


RE: [ActiveDir] Unable to logon after DCPromo - oddness

2007-01-17 Thread Katrin Wilhelm
Hi Adam,
I used to have similar problems after DCpromo - can you verify that in
the server properties (AD Users and Computers) the flag is set to trust this
computer? At least this was reason missing for my servers after checking the
box it was working fine (btw. I later found out that the admin before me
changed permissions for the Enterprise Admin account which resulted in these
problems)

Hope that helps.

Cheers,

Kat
MCSA

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Thursday, 18 January 2007 12:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unable to logon after DCPromo - oddness

Dear collective,

I'm hoping somebody can help out with a little problem I've got here.
I've got a Windows 2003 R2 Server, which I've joined to a domain, and
dcpromo'd.

After the dcpromo and subsequent reboot, I can't logon to the server,
either 'interactively' or via RDP, or using PsExec.  I can access file
shares, like c$, and I can point MMC snap-ins to the computer without
problems.

The fact that the server is now a DC seems to have replicated around
just fine (all DCs show that the server is now in the Domain
Controllers OU), but all the SRV records are missing.

The system log is full of Netlogon 5774 events, suggesting I run
dcdiag, which is a nice suggestion, but I can't log on to the server
to do it.

Another (healthy) DC's directory service logs shows plenty of event
1699s, complaining:

The local domain controller failed to retrieve the changes requested
for the following directory partition. As a result, it was unable to
send the change requests to the domain controller at the following
network address.

Directory partition:
CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Extended request code:
2

Additional Data
Error value:
8453 Replication access was denied.


Has something gone horribly wrong here, or am I overlooking something
simple that I'm going to kick myself about later?

Any ideas appreciated,

-- 
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
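
The check suggested in the reply above comes down to reading the userAccountControl bits on the new DC's computer object. The following is an added example, not part of the original thread; it assumes the flag meant is the "Trust this computer for delegation" checkbox (TRUSTED_FOR_DELEGATION), and the computer names and sample values are constructed.

```powershell
# Added example, not from the thread. Bit values are the documented
# userAccountControl (ADS_USER_FLAG) constants.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE            = 0x0002
    WORKSTATION_TRUST_ACCOUNT = 0x1000    # member server or workstation
    SERVER_TRUST_ACCOUNT      = 0x2000    # domain controller
    TRUSTED_FOR_DELEGATION    = 0x80000   # "Trust this computer for delegation"
}

function Get-UacFlagName {
    param([int]$UserAccountControl)
    foreach ($entry in $UacFlags.GetEnumerator()) {
        if ($UserAccountControl -band $entry.Value) { $entry.Key }
    }
}

function Test-DcAccountFlags {
    param([string]$Name, [int]$UserAccountControl, [int]$PrimaryGroupId)
    $problems = @()
    if (-not ($UserAccountControl -band $UacFlags['SERVER_TRUST_ACCOUNT'])) {
        $problems += 'SERVER_TRUST_ACCOUNT is not set'
    }
    if ($UserAccountControl -band $UacFlags['WORKSTATION_TRUST_ACCOUNT']) {
        $problems += 'still flagged WORKSTATION_TRUST_ACCOUNT'
    }
    if (-not ($UserAccountControl -band $UacFlags['TRUSTED_FOR_DELEGATION'])) {
        $problems += 'TRUSTED_FOR_DELEGATION is not set'
    }
    if ($UserAccountControl -band $UacFlags['ACCOUNTDISABLE']) {
        $problems += 'account is disabled'
    }
    if ($PrimaryGroupId -ne 516) {   # 516 = RID of the Domain Controllers group
        $problems += "primaryGroupID is $PrimaryGroupId, expected 516"
    }
    [pscustomobject]@{
        Name     = $Name
        Flags    = (Get-UacFlagName $UserAccountControl) -join ', '
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

# Constructed sample values (hypothetical names). On a live domain the inputs
# would come from, for example:
#   Get-ADComputer NEWDC -Properties userAccountControl, primaryGroupID
$samples = @(
    @{ Name = 'DC01';  UserAccountControl = 532480; PrimaryGroupId = 516 }  # 0x82000
    @{ Name = 'NEWDC'; UserAccountControl = 4096;   PrimaryGroupId = 515 }  # 0x1000
)
foreach ($s in $samples) { Test-DcAccountFlags @s }
```

A writable DC's computer account normally carries 532480 (SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION) with primary group 516; a value of 4096 means the object is still marked as an ordinary member computer.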



[ActiveDir] Test of daylight patch

2007-01-17 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
So I patched the workstations, the server, the exchange and did a 'fake' 
appointment for everyone at 4/1/2007 at 1 a.m.


My Windows Mobile 3/sync to the server phones sync'd to the server and 
said the appointment was 12 a.m.


http://support.microsoft.com/kb/923953
Oh boy are we going to have fun...


 How to configure daylight saving time for the United States and Canada
 in 2007 and in subsequent years on Windows Mobile-based devices


http://www.microsoft.com/windows/timezone/dst2007.mspx

Ladies and Gentlemen check those phones.

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-17 Thread Rich Milburn
We set up a rule to grab the deletion events. They tend to scroll off
our log in about a day so there are no reference events from which to
grab this info...yet.  Thanks though.

 

I'm not sure if we've had success yet with viewing the deleted objects
via adrestore (sysinternals tool, thanks Mark R), but I sent them info
on how to do so along with a screen shot of what they should see.

 

Went through a KB article about using ldp to do it.  Yuck!  What a mess.
I'd include a link to that but I'd rather save the innocents from that
mess.   I'm sure there are other good ways to do it but...

Step 27) ... copy the long number in front of DELETED OBJECTS after the
second colon up to the 3rd colon and paste it...

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, January 17, 2007 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown
process

 

For the edification of some on the list who might not be familiar with
tracking down the perpetrators of an object deletion: You should take a
look at the object metadata for those deleted computer accounts. The DC
where the deletion occurred will be listed as the DC where the name
attribute was changed. Keep note of the exact timestamp. Then you need
to check that DC for deletion events in the security event log, assuming
you have those turned on. That should get you info on what account did
the deletion. 

 

Wook

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, January 17, 2007 7:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown
process

 

Thanks Al and Steve. Oh and Steve, you forgot the name of the Shared
Computer Toolkit? :) Such a nice tool... Of course, Vista's new multiple
local GPO sorta almost makes it obsolete, but it's still a nice tool...

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 6:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown
process

 

Since I'm 2 points down

 

XPe machines typically do same.  Oddly the machines described are no
different than how many of the XPe machines are set up so using the same
docs to disable the password changes and any other changes that you may
deem as similar enough to be useful.  I strongly suggest checking out
the configuration docs on products such as WYSE or iGEL to see if those
types of settings and control apply to you now that you've deployed DF.
Microsoft may have some similar docs as well I suppose :) 

 

On 1/16/07, Steve Linehan [EMAIL PROTECTED] wrote: 

Password change for the machine account is handled by the client and you
could disable this so that you do not have the problem on the machines
that are deep freezed.  We also have a tool that education users often
leverage that does something similar however we implemented a way to
update the password secret in the machine's registry to avoid the
rollback issue.  The DC will remember the current and one previous
password.  If the machine comes up and uses the previous password then
it will fall back however if the machine goes through two resets, by
default 30 days+random offset up to 24 hours, then potentially when you
fall back the trust relationship would not work as the DC only knows
about the last two passwords.  That being said other ISVs simply disable
password changes on these systems since the password is randomly
generated and generally strong for workstation class machines.  As for
the deletion that is not normal which is why I would be interested in
the metadata if the objects are indeed in deleted items. 

 

Thanks,

 

-Steve

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, January 16, 2007 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown
process

 

Thanks Deji, I'll see what I can do (pun sorta intended)

 

---
Rich Milburn 
MCSE, Microsoft MVP -