RE : RE: [ActiveDir] Question about DNS SRV registration.

2007-01-24 Thread Yann
Hello Ulf,
   
  Thanks so much for such explanations! That rocks!
  2 interesting points you pointed out to me.
   
  So if I understand, it is good practice, in my case, to disable automatic 
site coverage?
   
  After checking our production, Automatic site coverage is effectively set to 
disabled (set on default domain controller policy). So it seems that DCa is 
still advertising himself as DC in site B. I will look into why the process 
does not work in our case... :(
   
  We did not configure automatic aging/scavenging; I will also look into this 
option.
   
  Thanks again,
   
  Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:
Hello Yann,
   
  this is usual and happens because Site B was configured in Active Directory 
before DC B was there and assigned to that site. Automatic Site Coverage is the 
process which is taking care of this effect. What it does, is making sure that 
every site in Active Directory has DCs. If a DC detects a site which has no DCs 
assigned to it, it will try to figure out if he’s a “close” DC (not crossing 
multiple site-links) and assigning himself to that site.
   
  So since Site B was configured and DC A was the only DC in your environment, 
DC A decided to advertise himself as DC in Site B. However since DC B exists 
now, DC A will not refresh those records, and if you have aging and scavenging 
configured the “old” records of DC A in Site B will vanish.
   
  You can also delete those records if you wish. As long as the records of DC B 
are registered in Site B you can delete the records of DC A in Site B; however, 
make sure that you are only deleting the SRV records underneath the 
DNS subdomains of the site-specific records in the “Site B” DNS domains (they 
look like folders in the DNS Management console).
   
  Gruesse - Sincerely, 
  Ulf B. Simon-Weidner 
  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D   
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
   
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, 23 January 2007 22:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

   
Hello all and happy new year :-),

Say:
- Site A with DCa that is also DNS (integrated to AD).
- Site B that is a new site.
my goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (integrated 
to AD).
- DCa & DCb belong to the same domain (domain.local).
My AD is w2k3 FFL mode.

In order to add the new DCb in the existing domain.com, DCb is DNS client 
to DCa.

When dcpromo is finished, I configured:
- DCb as DNS client for himself
- DCa as secondary DNS server for DCb.

Everything looks good... BUT:
When clients in site B ask for all DCs in site B (with netlogon 
process), DCb returns DCb and DCa!
a nslookup set type=srv _ldap._tcp.siteB._sites.domain.local shows the 2 
DCs:
- DCa.domain.local
- DCb.domain.local

When I search in the DNS console, I found that DCa is still present in site B. I 
think this is due to the fact that DCb's NIC allows dynamic update and thus 
dynamically records DCa SRV records.
The only way I found to avoid DCb returning DCa to clients in site B is to 
delete the SRV records for DCa in DNS (site B).

Question:
What is the best practice to avoid DCb returning DCa to clients, and where 
in the process am I wrong?

Thanks,

Yann

 

 




RE : RE: [ActiveDir] Question about DNS SRV registration.

2007-01-24 Thread Yann
Hi Deji,
   
  Good article with lots of useful information.
   
  Thanks again,
   
  Yann

Akomolafe, Deji [EMAIL PROTECTED] wrote:
  Read http://www.netpro.com/forum/files/authentication_topology.pdf
   

  
Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon


  
  
-
  From: Yann
Sent: Tue 1/23/2007 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.


Hello all and happy new year:-),
   
  Say:
  - Site A with DCa that is also dns (integrated to AD).
  - Site B that is a new site.
  my goal: dcpromo a new DC (DCb) in site B.DCb will be also dns (integrated to 
AD).
  - DCa & DCb belong to the same domain (domain.local).
  My AD is w2k3 FFL mode.
   
  In order to add the new DCb in the existing domain.com, DCb is  dns client to 
DCa.
   
  When dcpromo is finished, i configured:
  - DCb as dns client for himself 
  - DCa as secondary dns server for DCb.
   
  Everything looks good .. BUT:
  When clients in site B ask for all DCs in site B (with netlogon process),DCb 
returns DCb and DCa !
  a  nslookup set type=srv _ldap._tcp.siteB._sites.domain.local shows the 2 DCs
  - DCa.domain.local
  - DCb.domain.local
   
  When i search in dns console, i found that DCa still present in site B, i 
think, this is due to the fact that DCb's nic allow dynamic update and thus 
dynamically records DCa srv records.
  The only way i found to avoid DCb returning DCa to clients in site B is to 
delete srv records for DCa in dns (site B).
   
  Question:
  What is the best practice to avoid DCb to return DCa to clients and where in 
the process i'm wrong ?
   
  Thanks,
   
  Yann
   
   


RE : RE: RE : RE: [ActiveDir] Question about DNS SRV registration.

2007-01-24 Thread Yann
Hi Steve,
   
  Never mind :-)
  We're here to learn from each other, that makes life funnier!
   
  Yann

Molkentin, Steve [EMAIL PROTECTED] wrote:
  Deji, Ulf, All,
   
  Good article - thanks. Also thanks to Ulf - that was a much better solution 
and much better idea than mine. I do not profess to be a DNS legend, but am 
continuing to learn...
   
  themolk.
   

  
-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Wednesday, 24 January 2007 8:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE : RE: [ActiveDir] Question about DNS SRV registration.


  
I would not recommend that you do this. Please read the document I 
referenced in my previous response. Also, see Ulf's brief 
description/explanation of the behavior that you are seeing. I really recommend 
that you try to understand what is going on here.
   

  
Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon


  
  
-
  From: Yann
Sent: Tue 1/23/2007 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.


Steve,
   
  Thanks for fast reply;
  My example is a reflection of what I had in real production.
   
  So in my production, I have about 15 AD sites and we are in the process of 
migration (adding more sites).
   
  So you mean that I have to create 15 child DNS domains and set each DC in 
each site authoritative for their respective child domain?
   
  It seems to be a lot of work ... but i will follow into your direction.
   
  Thanks again,
   
  Yann
  

Molkentin, Steve [EMAIL PROTECTED] wrote:
Yann,
   
  Create a child DNS domain for the site containing DCb, and establish DCb as 
the authoritative server for that domain. If you have resources in Site A you'll 
then need to ensure there is a forwarder set up for resolution, etc. Remember 
that separate DNS domains can exist within the one logical Windows domain.
   
  At least I think this would solve your problem...
   
  themolk.
   

  
-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 7:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.


  
  Hello all and happy new year:-),
   
  Say:
  - Site A with DCa that is also dns (integrated to AD).
  - Site B that is a new site.
  my goal: dcpromo a new DC (DCb) in site B.DCb will be also dns (integrated to 
AD).
  - DCa & DCb belong to the same domain (domain.local).
  My AD is w2k3 FFL mode.
   
  In order to add the new DCb in the existing domain.com, DCb is  dns client to 
DCa.
   
  When dcpromo is finished, i configured:
  - DCb as dns client for himself 
  - DCa as secondary dns server for DCb.
   
  Everything looks good .. BUT:
  When clients in site B ask for all DCs in site B (with netlogon process),DCb 
returns DCb and DCa !
  a  nslookup set type=srv _ldap._tcp.siteB._sites.domain.local shows the 2 DCs
  - DCa.domain.local
  - DCb.domain.local
   
  When i search in dns console, i found that DCa still present in site B, i 
think, this is due to the fact that DCb's nic allow dynamic update and thus 
dynamically records DCa srv records.
  The only way i found to avoid DCb returning DCa to clients in site B is to 
delete srv records for DCa in dns (site B).
   
  Question:
  What is the best practice to avoid DCb to return DCa to clients and where in 
the process i'm wrong ?
   
  Thanks,
   
  Yann
   
   


RE: [ActiveDir] adsiedit question

2007-01-24 Thread Condra, Jerry W Mr HP
In the post before I indicated the SystemMailboxes were on the wrong
databases. Our servers have 3 storage groups and 5 databases each.
Somehow 13 of the 15 were on one database and causing problems with
event sinks. I've seen this happen on newly built Exchange servers and
the fix was easy enough since there were no users. In this case it's a
fully populated server so deleting databases and recreating is not an
option. In this case the rehome using adsiedit -to me- is much easier
than other methods mentioned. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
Smith
Sent: Tuesday, January 23, 2007 7:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

I'm forced to ask - why do you want to move SystemMailboxes? You
shouldn't ever need to. There is a reason that the move mailbox wizard
doesn't move them. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W
Mr HP
Sent: Tuesday, January 23, 2007 5:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

I needed to move SystemMailboxes which won't move with the wizard.
Somehow several were homed on one database and it caused event sink
problems. This was the easiest method.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 23, 2007 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

Why are you using adsiedit to rehome a mailbox? Doesn't the move mailbox
wizard work for your needs?
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon



From: Condra, Jerry W Mr HP
Sent: Tue 1/23/2007 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adsiedit question


Hi all
I didn't OT this even though I'm making modifications to Exchange since
the question seems to be adsiedit related and therefore related to AD.
I'm trying to modify an attribute for a mailbox using adsiedit.
Particularly I'm rehoming its database by modifying the homeMDB
attribute. 

The problem I'm running into is I'm getting an error stating "The name
reference is invalid" when I try to apply the change. I've done this a
few times but this is the first time I've run into this error. Google
doesn't give enough info to determine the cause...or maybe it is and I
just don't know enough about the response to see it...that never
happens. ;-)

If anyone can shed some light it would be greatly appreciated.

Many thanks
Jerry 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] adsiedit question

2007-01-24 Thread Condra, Jerry W Mr HP
Por que??

This is not the first time I've had to do it. It's a simple fix. The
problem I ran into and posted for was the error in adsiedit which I was
able to figure out. The thing I need to figure out now is why/how the
SystemMailboxes were homed on the wrong databases. That's a post for
another forum. But I'd be happy and appreciative to take any ideas here
if offered.

Thanks
Jerry

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, January 23, 2007 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

You shouldn't be doing this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
 Sent: Tuesday, January 23, 2007 5:59 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] adsiedit question

 I needed to move SystemMailboxes which won't move with the wizard.
 Somehow several were homed on one database and it caused event sink 
 problems. This was the easiest method.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, 
 Deji
 Sent: Tuesday, January 23, 2007 4:44 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] adsiedit question

 Why are you using adsiedit to rehome a mailbox? Doesn't the move 
 mailbox wizard work for your needs?


 Sincerely,
_
   (, /  |  /)   /) /)
 /---| (/_  __   ___// _   //  _
  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
 (_/ /)
(/
 Microsoft MVP - Directory Services
 www.akomolafe.com - we know IT
 -5.75, -3.23
 Do you now realize that Today is the Tomorrow you were worried about Yesterday?
 -anon

 

 From: Condra, Jerry W Mr HP
 Sent: Tue 1/23/2007 1:59 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] adsiedit question


 Hi all
 I didn't OT this even though I'm making modifications to Exchange 
 since the question seems to be adsiedit related and therefore related
 to AD.
 I'm trying to modify an attribute for a mailbox using adsiedit.
 Particularly I'm rehoming its database by modifying the homeMDB 
 attribute.

 The problem I'm running into is I'm getting an error stating "The name
 reference is invalid" when I try to apply the change. I've done this a
 few times but this is the first time I've run into this error. Google 
 doesn't give enough info to determine the cause...or maybe it is and I
 just don't know enough about the response to see it...that never 
 happens. ;-)

 If anyone can shed some light it would be greatly appreciated.

 Many thanks
 Jerry


Re: [ActiveDir] OT: Network latency on VBScript-mapped drive letters.

2007-01-24 Thread Matheesha Weerasinghe

Just curious. Are you sure it's not something like AV scanning network
files on access? Generally once scanned they add them to a temp db of
known good list to prevent scanning when accessed later. If so, that
would explain slow performance when first accessing the files but
better responses when accessing after manually mapping drives.

Do you think it's worth looking at network traces to see if any SMB
errors are occurring?

On 1/23/07, Laura E. Hunter [EMAIL PROTECTED] wrote:

So I have a VBScript that I use to map a network drive to a DFS share,
as follows:

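' Drive letter and DFS path to map (path components are placeholders as posted)
strDriveLetter  = "S:"
strBaseDrivePath = "\\domain name\dfs root\share name\"
' Map the drive through the Windows Script Host network object
Set objNetwork  = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive strDriveLetter, strBaseDrivePath
Set objNetwork  = Nothing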

When I map the DFS root using a drive letter using this code in a
login script, I get isolated-but-consistent client reports of network
latency when opening or saving a file; Word/Excel/whatever will choke
up for a good 5 or 6 seconds at a time.

If I disconnect the script-mapped drive and access this resource from
the same machine using any other method:

* map the drive using the GUI,
* map the drive from the CLI using 'net use', or
* manually enter the UNC path from the Run line

...all latency goes away.  It's not OS-specific as far as I can tell;
the machines currently reporting the latency are a handful of XPSP2
and 2KSP4 machines that don't have much else unique in common.

I've determined that it's not specifically DFS-related, as I've tested
mapping directly to the physical servername instead of the DFS
sharename and produced identical results.

Neither is it relevant that the script is being run as part of a login
script/GPO, as running the script manually from an affected desktop
also produces the same behaviour.

So it's either a VBScript thing, or it's something client-specific
that I haven't isolated on the half-dozen desktops that are
experiencing the issue.

Google has thus far yielded no joy, has anyone run into this before?

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)


RE: RE: [ActiveDir] Question about DNS SRV registration.

2007-01-24 Thread Ulf B. Simon-Weidner
Hello Yann,

 

you’re welcome!

 

No – it is not best practice to disable it. The effect you have is only
happening if a Site has no DC assigned to it, or if a single DC of a Site is
offline for a while. It is important that the Clients are able to look up a
DC, and if you disable Automatic Site Coverage and a Site is without a DC
for some time Clients may experience longer logon times, and they might fall
back on a DC which is in a site which goes over multiple WAN links. I’d say
best practice is to keep the Automatic Site Coverage active, and check once
in a while if there are wrong registrations which you may delete if the DCs
of that Site are back online. They will also dissolve if you enable aging
and scavenging.

 

Also what some customers are doing is the following: Assuming a “Star-shaped
Network Topology” with a Hub-Site where each Branch connects to, they are
configuring the DCs of the Hub-Site to register their SRV-Records at the
Branch Sites with a lower Priority than default, therefore the Branch-Office
Clients will use the Branch-Office DC as long as it’s available but fall
back to the Hub DCs when the BO-DC is not available.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 11:19
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.

 

Hello Ulf,

 

Thanks so much for such explanations! That rocks!

2 interesting points you pointed out to me.

So if I understand, it is good practice, in my case, to disable automatic
site coverage?

After checking our production, Automatic site coverage is effectively set to
disabled (set on default domain controller policy). So it seems that DCa is
still advertising himself as DC in site B. I will look into why the process
does not work in our case... :(

We did not configure automatic aging/scavenging; I will also look into this
option.

 

Thanks again,

 

Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

Hello Yann,

 

this is usual and happens because Site B was configured in Active Directory
before DC B was there and assigned to that site. Automatic Site Coverage is
the process which is taking care of this effect. What it does, is making
sure that every site in Active Directory has DCs. If a DC detects a site
which has no DCs assigned to it, it will try to figure out if he’s a “close”
DC (not crossing multiple site-links) and assigning himself to that site.

 

So since Site B was configured and DC A was the only DC in your environment,
DC A decided to advertise himself as DC in Site B. However since DC B exists
now, DC A will not refresh those records, and if you have aging and
scavenging configured the “old” records of DC A in Site B will vanish.

 

You can also delete those records if you wish. As long as the records of DC
B are registered in Site B you can delete the records of DC A in Site B;
however, make sure that you are only deleting the SRV records underneath the
DNS subdomains of the site-specific records in the “Site B” DNS domains
(they look like folders in the DNS Management console).

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, 23 January 2007 22:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

 

Hello all and happy new year:-),

 

Say:

- Site A with DCa that is also dns (integrated to AD).

- Site B that is a new site.

my goal: dcpromo a new DC (DCb) in site B.DCb will be also dns (integrated
to AD).

- DCa & DCb belong to the same domain (domain.local).

My AD is w2k3 FFL mode.

 

In order to add the new DCb in the existing domain.com, DCb is  dns client
to DCa.

 

When dcpromo is finished, i configured:

- DCb as dns client for himself 

- DCa as secondary dns server for DCb.

 

Everything looks good .. BUT:

When clients in site B ask for all DCs in site B (with netlogon process),DCb
returns DCb and DCa !

a  nslookup set type=srv _ldap._tcp.siteB._sites.domain.local shows the 2
DCs

- DCa.domain.local

- DCb.domain.local

 

When i search in dns console, i found that DCa still present in site B, i
think, 
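
Added example (not part of the original thread or any poster's code): a Python sketch of the checks Ulf describes, run over constructed zone-file style SRV records that use Yann's names (siteB, DCa, DCb). It lists site-specific records registered by a DC that is not assigned to the site, applies Ulf's condition for deleting them, and shows which DC a client tries first under RFC 2782 priority ordering; the priority value 10 for the hub DC and all function names are assumptions made for the illustration.

```python
import re
from collections import namedtuple

Srv = namedtuple("Srv", "owner priority weight port target")

# Constructed records mirroring Yann's case: DCa registered itself in siteB
# before DCb existed. Here DCb has not yet registered its Kerberos record.
THREAD_CASE = """
_ldap._tcp.siteB._sites.domain.local.     600 IN SRV 0 100 389 DCa.domain.local.
_ldap._tcp.siteB._sites.domain.local.     600 IN SRV 0 100 389 DCb.domain.local.
_kerberos._tcp.siteB._sites.domain.local. 600 IN SRV 0 100 88 DCa.domain.local.
_ldap._tcp.siteA._sites.domain.local.     600 IN SRV 0 100 389 DCa.domain.local.
_ldap._tcp.domain.local.                  600 IN SRV 0 100 389 DCa.domain.local.
_ldap._tcp.domain.local.                  600 IN SRV 0 100 389 DCb.domain.local.
"""

# Constructed hub-and-branch variant: the hub DC (DCa) stays registered in siteB
# with a higher priority number (10 is an assumed value), i.e. lower preference.
HUB_CASE = """
_ldap._tcp.siteB._sites.domain.local. 600 IN SRV 0 100 389 DCb.domain.local.
_ldap._tcp.siteB._sites.domain.local. 600 IN SRV 10 100 389 DCa.domain.local.
"""

# owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$", re.I)


def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_srv(text):
    """Parse zone-file style SRV lines, ignoring anything that does not match."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            owner, prio, weight, port, target = m.groups()
            records.append(Srv(norm(owner), int(prio), int(weight), int(port), norm(target)))
    return records


def site_records(records, site, domain):
    """Only records in the site-specific subtree (<site>._sites...) of the domain."""
    marker = f".{site}._sites.".lower()
    tail = "." + norm(domain)
    return [r for r in records if marker in r.owner and r.owner.endswith(tail)]


def covering_records(records, site, domain, assigned_dcs):
    """Site-specific records whose target is a DC not assigned to that site."""
    assigned = {norm(d) for d in assigned_dcs}
    return [r for r in site_records(records, site, domain) if r.target not in assigned]


def deletable(records, site, domain, assigned_dcs):
    """Ulf's condition: a covering record may be removed only when a DC assigned
    to the site is registered under the same site-specific owner name."""
    assigned = {norm(d) for d in assigned_dcs}
    in_site = site_records(records, site, domain)
    covered_owners = {r.owner for r in in_site if r.target in assigned}
    return [r for r in in_site if r.target not in assigned and r.owner in covered_owners]


def first_choice(records, owner):
    """RFC 2782: clients try the targets with the lowest priority number first."""
    matching = [r for r in records if r.owner == norm(owner)]
    if not matching:
        return []
    best = min(r.priority for r in matching)
    return sorted(r.target for r in matching if r.priority == best)


if __name__ == "__main__":
    name = "_ldap._tcp.siteB._sites.domain.local"
    recs = parse_srv(THREAD_CASE)
    for r in covering_records(recs, "siteB", "domain.local", ["DCb.domain.local"]):
        print("registered by a DC outside siteB:", r.owner, "->", r.target)
    for r in deletable(recs, "siteB", "domain.local", ["DCb.domain.local"]):
        print("safe to delete:", r.owner, "->", r.target)
    print("thread case, tried first:", first_choice(recs, name))
    hub = parse_srv(HUB_CASE)
    print("hub case, tried first:", first_choice(hub, name))
    branch_down = [r for r in hub if r.target != "dcb.domain.local"]
    print("hub case, DCb record gone:", first_choice(branch_down, name))
```

In the constructed data the Kerberos record for DCa in siteB is reported but not marked deletable, because DCb has no record under that name yet.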

RE : RE: RE: [ActiveDir] Question about DNS SRV registration.

2007-01-24 Thread Yann
Ulf,
   
  Thanks for clarification.
  I will follow your advice. :)
   
  Just an OT ... I found your Windows Server 2003 book on amazon.com here
  http://www.amazon.de/exec/obidos/ASIN/3866456042
   
  Do you have an English (or French) version of the book available?
   
  Cheers,
   
  Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:
Hello Yann,
   
  you’re welcome!
   
  No – it is not best practice to disable it. The effect you have is only 
happening if a Site has no DC assigned to it, or if a single DC of a Site is 
offline for a while. It is important that the Clients are able to look up a DC, 
and if you disable Automatic Site Coverage and a Site is without a DC for some 
time Clients may experience longer logon times, and they might fall back on a 
DC which is in a site which goes over multiple WAN links. I’d say best practice 
is to keep the Automatic Site Coverage active, and check once in a while if 
there are wrong registrations which you may delete if the DCs of that Site are 
back online. They will also dissolve if you enable aging and scavenging.
   
  Also what some customers are doing is the following: Assuming a “Star-shaped 
Network Topology” with a Hub-Site where each Branch connects to, they are 
configuring the DCs of the Hub-Site to register their SRV-Records at the Branch 
Sites with a lower Priority than default, therefore the Branch-Office Clients 
will use the Branch-Office DC as long as it’s available but fall back to the 
Hub DCs when the BO-DC is not available.
   
  Gruesse - Sincerely, 
  Ulf B. Simon-Weidner 
  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D   
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
   
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 11:19
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.

   
Hello Ulf,

 

Thanks so much for such explanations! That rocks!

2 interesting points you pointed out to me.

So if I understand, it is good practice, in my case, to disable automatic 
site coverage?

After checking our production, Automatic site coverage is effectively set 
to disabled (set on default domain controller policy). So it seems that DCa is 
still advertising himself as DC in site B. I will look into why the process 
does not work in our case... :(

We did not configure automatic aging/scavenging; I will also look into 
this option.

 

Thanks again,

 

Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

  Hello Yann,

 

this is usual and happens because Site B was configured in Active Directory 
before DC B was there and assigned to that site. Automatic Site Coverage is the 
process which is taking care of this effect. What it does, is making sure that 
every site in Active Directory has DCs. If a DC detects a site which has no DCs 
assigned to it, it will try to figure out if he’s a “close” DC (not crossing 
multiple site-links) and assigning himself to that site.

 

So since Site B was configured and DC A was the only DC in your 
environment, DC A decided to advertise himself as DC in Site B. However since 
DC B exists now, DC A will not refresh those records, and if you have aging and 
scavenging configured the “old” records of DC A in Site B will vanish.

 

You can also delete those records if you wish. As long as the records of DC 
B are registered in Site B you can delete the records of DC A in Site B; 
however, make sure that you are only deleting the SRV records underneath the 
DNS subdomains of the site-specific records in the “Site B” DNS domains (they 
look like folders in the DNS Management console).

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D   
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, 23 January 2007 22:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.


 

  Hello all and happy new year :-),

  Say:
  - Site A with DCa that is also dns (integrated to AD).
  - Site B that is a new site.
  my goal: dcpromo a new DC (DCb) in site B. DCb will be also dns 
(integrated to AD).
  - DCa & DCb belong to the same domain (domain.local).
  My AD is w2k3 FFL mode.

  In order to add the new DCb in the existing domain.com, DCb is dns 
client to DCa.

  When dcpromo is finished, i configured:

RE: RE: RE: [ActiveDir] Question about DNS SRV registration.

2007-01-24 Thread Ulf B. Simon-Weidner
Hello Yann,

 

unfortunately not – MS-Press said they will decide whether it’s selling
well, and it sold very well (and we were asked if we’d like to come up with
a second release already after a few months), but I doubt they’ll do it since
the timeframe is getting shorter every day (Longhorn's approaching ;-) ).

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 16:23
To: ActiveDir@mail.activedir.org
Subject: RE : RE: RE: [ActiveDir] Question about DNS SRV registration.

 

Ulf,

 

Thanks for clarification.

I will follow your advice. :)

 

Just an OT ... i found your windows server 2003 book on amazon.com here

http://www.amazon.de/exec/obidos/ASIN/3866456042

 

Do you have an English (or French) version of the book available?

 

Cheers,

 

Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

Hello Yann,

 

you’re welcome!

 

No – it is not best practice to disable it. The effect you have is only
happening if a Site has no DC assigned to it, or if a single DC of a Site is
offline for a while. It is important that the Clients are able to look up a
DC, and if you disable Automatic Site Coverage and a Site is without a DC
for some time Clients may experience longer logon times, and they might fall
back on a DC which is in a site which goes over multiple WAN links. I’d say
best practice is to keep the Automatic Site Coverage active, and check once
in a while if there are wrong registrations which you may delete if the DCs
of that Site are back online. They will also dissolve if you enable aging
and scavenging.

 

Also what some customers are doing is the following: Assuming a “Star-shaped
Network Topology” with a Hub-Site where each Branch connects to, they are
configuring the DCs of the Hub-Site to register their SRV-Records at the
Branch Sites with a lower Priority than default, therefore the Branch-Office
Clients will use the Branch-Office DC as long as it’s available but fall
back to the Hub DCs when the BO-DC is not available.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 11:19
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.

 

Hello Ulf,

 

Thanks so much for such explanations ! That rocks !

2 interesting points you pointed to me

So if I understand, it is good practice, in my case, to disable automatic
site coverage ?

After checking our production, Automatic site coverage is effectively set to
disable (set on default domain controller policy). So it seems that DCa is
still advertising himself as DC in site B. I will look why the process does
not work in our case... :(

We did not configure automatic aging/scavenging, I will look also into this
option.

 

Thanks again,

 

Yann

Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

Hello Yann,

 

this is usual and happens because Site B was configured in Active Directory
before DC B was there and assigned to that site. Automatic Site Coverage is
the process which is taking care of this effect. What it does, is making
sure that every site in Active Directory has DCs. If a DC detects a site
which has no DCs assigned to it, it will try to figure out if he’s a “close”
DC (not crossing multiple site-links) and assigning himself to that site.

 

So since Site B was configured and DC A was the only DC in your environment,
DC A decided to advertise himself as DC in Site B. However since DC B exists
now, DC A will not refresh those records, and if you have aging and
scavenging configured the “old” records of DC A in Site B will vanish.

 

You can also delete those records if you wish, as long as the records of DC
B are registered in Site B you can delete the records of DC A in Site B,
however make sure that you are only deleting the SRV-Records underneath the
DNS-Subdomains of the Site-specific Records in the “Site B”-DNS-Domains
(looks like folders in the DNS Managementconsole).

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
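The periodic check suggested in this thread (looking for site-specific SRV registrations made by DCs that are not assigned to that site), as an added example that is not part of the original messages. The records, host names and site assignments are constructed sample data; treating a foreign record with a larger SRV priority number as a deliberate hub fallback is an assumption based on the hub-and-branch setup described above.

```python
"""Audit site-specific SRV records for DCs registered in a site they are not assigned to.

All records, host names and site assignments are constructed sample data.
"""
from collections import defaultdict

DOMAIN = "domain.local"

# Constructed zone export: (owner name, priority, weight, port, target).
SRV_RECORDS = [
    ("_ldap._tcp.SiteA._sites.domain.local", 0, 100, 389, "dca.domain.local"),
    ("_ldap._tcp.SiteB._sites.domain.local", 0, 100, 389, "dca.domain.local"),
    ("_ldap._tcp.SiteB._sites.domain.local", 0, 100, 389, "dcb.domain.local"),
    ("_kerberos._tcp.SiteB._sites.domain.local", 0, 100, 88, "dca.domain.local"),
    ("_kerberos._tcp.SiteB._sites.domain.local", 0, 100, 88, "dcb.domain.local"),
    ("_ldap._tcp.SiteC._sites.domain.local", 0, 100, 389, "dca.domain.local"),
    ("_ldap._tcp.SiteD._sites.domain.local", 0, 100, 389, "dcd.domain.local"),
    ("_ldap._tcp.SiteD._sites.domain.local", 10, 100, 389, "dca.domain.local"),
    ("_ldap._tcp.domain.local", 0, 100, 389, "dca.domain.local"),
]

# Constructed: the site each DC is assigned to in Active Directory.
DC_SITE = {
    "dca.domain.local": "SiteA",
    "dcb.domain.local": "SiteB",
    "dcd.domain.local": "SiteD",
}


def site_of(owner, domain=DOMAIN):
    """Return the site label of a '_service._proto.<site>._sites.<domain>' name, else None."""
    name = owner.rstrip(".")
    suffix = "._sites." + domain.rstrip(".")
    if not name.lower().endswith(suffix.lower()):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        return None
    return labels[2]


def audit(records, dc_site, domain=DOMAIN):
    """Classify every registration made by a DC that is assigned to a different site.

    covering: no DC of that site has registered this name, so the foreign DC
              is still covering the site; deleting the record would leave
              clients without a site-specific answer.
    stale:    a DC of the site is registered under the same name with the same
              or a less preferred priority; candidate for deletion (or for
              aging and scavenging to remove).
    fallback: the foreign record carries a larger priority number than the
              site's own DC (less preferred in SRV terms), which matches a
              deliberate hub-site fallback registration.
    """
    by_owner = defaultdict(dict)
    for owner, priority, _weight, _port, target in records:
        site = site_of(owner, domain)
        if site is not None:
            key = (owner.lower().rstrip("."), site.lower())
            by_owner[key][target.lower().rstrip(".")] = priority

    findings = {"stale": [], "covering": [], "fallback": []}
    for (owner, site), targets in sorted(by_owner.items()):
        local = {t: p for t, p in targets.items() if dc_site.get(t, "").lower() == site}
        for target in sorted(set(targets) - set(local)):
            if not local:
                kind = "covering"
            elif targets[target] > min(local.values()):
                kind = "fallback"
            else:
                kind = "stale"
            findings[kind].append((owner, target))
    return findings


if __name__ == "__main__":
    for kind, items in audit(SRV_RECORDS, DC_SITE).items():
        for owner, target in items:
            print(f"{kind:9} {owner} -> {target}")
```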

[ActiveDir] Add or Remove Programs GPO

2007-01-24 Thread Bart Van den Wyngaert

Hi,

I've set a GPO for some users that restricts usage of Add or Remove
Programs (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside.

But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe

Is this normal?! Did I miss something before setting this GPO?

Thanks,
Bart


Re: [ActiveDir] Search over SSL hangs

2007-01-24 Thread Mauricio de Andrade Ramos
Just to let you know:

tried a search using ldapsearch command-line provided by Oracle and it
works just nice!

++
[EMAIL PROTECTED] ~]$ ldapsearch -p 636 -h ldap_server -b
cn=ouruser,ou=colaboradores,ou=usuarios,ou=brt,o=btp -s sub -w
userpass -W file:/etc/ORACLE/WALLETS/mauricio/ -P walletpass -U 2
objectclass=* brtGtifAuth
cn=BT050524,ou=colaboradores,ou=usuarios,ou=brt,O=btp
brtGtifAuth=TRUE
[EMAIL PROTECTED] ~]$
++ 

This contributes to pointing to the PL/SQL LDAP packages as the cause of the
hang! When I discover something more, I'll update the thread to help
future people who get stuck with this issue.

On Tue, 2007-01-23 at 12:03 -0600, Joe Kaplan wrote:
 I know nothing about Oracle (never seen it, never touched it), so I can't 
 help at all there.  However, I'd suggest going back to the vendor to help 
 you troubleshoot this.  The fact that the issue seems to be restricted to 
 their LDAP/SSL stack suggests that they should be able to help troubleshoot 
 the problem.
 
 Joe K.
 
 - Original Message - 
 From: Mauricio de Andrade Ramos [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Tuesday, January 23, 2007 11:43 AM
 Subject: Re: [ActiveDir] Search over SSL hangs
 
 
  Joe, List,
 
  yes! It does sound like it is something with Oracle SSL engine. I let
  the process (search) running for more than 3 hours (so I think it is not
  a problem of slow communication/authentication) and it never returned.
  When it was issued a CTRL+C to abort the procedure (which was running
  from a sqlplus), the stack error it returned pointed to an Oracle package
  (SYS.DBMS_LDAP_API_FFI) in its last level (upper level). The code in
  Pl/Sql follows (SECURITYSOX is our schema user and LDAP is our user
  package):
 
  ##
 
  SQL
  1 declare
  2 X number;
  3 begin
  4 X := -1;
  5 X := LDAP.VALIDA_USUARIO_LDAP(2,'ldapuser','ldappass');
  6 dbms_output.put_line(X);
  7* end;
 
  SQL /
  declare
  *
  ERROR at line 1:
  ORA-01013: user requested cancel of current operation
  ORA-06512: at SYS.DBMS_LDAP_API_FFI, line 134
  ORA-06512: at SYS.DBMS_LDAP, line 253
  ORA-06512: at SECURITYSOX.LDAP, line 221
  ORA-06512: at SECURITYSOX.LDAP, line 581
  ORA-06512: at SECURITYSOX.LDAP, line 181
  ORA-06512: at line 5
 
  ##
 
  Nothing appears in oracle's alert.log. No traces are generated in bdump,
  cdump or udump directories like it had nothing to do with/for oracle.
 
  The certificates used were provided by our customer and were tested by
  them and as we can init the session, open the ssl support for that
  session and even authenticate a ldap user/pass, the certificates are out
  of the possible causes of this issue. And even more because, as
  mentioned, we can perform a search over SSL using JXplorer and it is
  almost immediate, no hangs (for the little they could be), no delays,
  nothing, just direct to the result!
 
  I am trying to contact our customer's LDAP admin in order to get
  additional info from the server logs. As soon as I can get this, I will
  update the thread.
 
  Thank you all for your help!
 
  On Tue, 2007-01-23 at 10:51 -0600, Joe Kaplan wrote:
  If this can happen with any LDAP directory and not just AD, then it 
  sounds
  like the issue is with the Oracle SSL stack.
 
  Does the search hang permanently or just take a long time to execute?
  Sometimes an SSL operation is slowed down a lot due to client certificate
  authentication requested by the server or CRL checking.
 
  Does Oracle give you any logs?  What SSL stack do they use?  Can this 
  issue
  be reproduced with any other SSL stacks (Windows using ldp.exe for 
  example)?
 
  Joe K.
 
  - Original Message - 
  From: Mauricio de Andrade Ramos [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, January 23, 2007 4:28 AM
  Subject: [ActiveDir] Search over SSL hangs
 
 
   List,
  
   surfing google, realized that it is something that happens with a great
   frequency and not just with this specific directory we are using 
   (Active
   Directory). Have you ever experienced performing a search to a
   directory, through SSL, and the search hangs?
  
   It won't happen using a ldap browser client (like JXplorer) but from a
   PL/Sql procedure from Oracle. The curious thing is that when this very same
   search is performed through a non-SSL connection (from the database), 
   it
   won't hang, just through SSL! Took a look in lots of messages, forums,
   Oracle forums and this issue is reported in environments with other
   configurations (other directories, database, OS...) but a solution or
   workaround or even the pointing of where is the problem is never
   explained!
  
   Additional info: 2 different certificates were used. Both given by our
   customer and are a valid ones (tested by them and us, we can
   connect/authenticate/search through JXplorer and connect/authenticate
   through Oracle).
  
   Can you give us a light? Thanks you all in 

RE: [ActiveDir] ftp access

2007-01-24 Thread Antonio Aranda
The server virus app is up to date and I just ran a scan and there are no
infected files.  Other than this issue the server seems to work great.
Once people change their password there is no issue.

 

Antonio

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 8:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ftp access

 

I do.  

 

That sounds a lot like a bug to me.  What version of IIS? 

 

On 1/23/07, Antonio Aranda [EMAIL PROTECTED] wrote: 

If you mean the command-line, yes. 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ftp access

 

do you get same results in Microsoft's client? 



On 1/23/07, Antonio Aranda  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
wrote: 

I'm using IIS and I used ie and smartftp to test.  I attached the log that
shows when it was working and when it stopped working and then when it
started working right after the user changed the password.  It seems to stop
working not when their password expires but when they start getting the
warning that their password is going to expire.  It's happened to three
different users and the fix has been the same.  There is no anonymous access
to anything. 

 

Thanks for your help

 

Antonio

  _  

From: [EMAIL PROTECTED] [mailto:
mailto:[EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ftp access

 

Can you provide some more details?  

What are they using to access their shares? (client?)

What are you using to provide ftp access? (IIS?)

How did you prove that this is the case?  Log files? Trial and error? 

Anything else that's relevant? 

 

Al

 

On 1/22/07, Antonio Aranda  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
wrote: 

I've set up ftp access to users' network drives so they have access to them
remotely.  I recently noticed something very peculiar.  Their ftp access
stops working when they start getting warnings that their password is going
to expire.  I don't know if this is just a coincidence but once they change
their password it starts working again.  If anyone knows anything about
this, I would appreciate any advice. 

 

Antonio Aranda

Network Analyst

UT-Permian Basin

432-552-2413 

 

 

 

 



[ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread EIS Lists
Hi -

 

Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: 1 (without the quotes). There is a single
A-record  under it for one of our printers. 

 

Any idea what this folder is?

 

Thanks.

 

-- nme

 

 


Re: [ActiveDir] ftp access

2007-01-24 Thread Al Mulnick

When I say it sounds like a bug, I'm not thinking it's a virus type of bug.
More of a software bug.  That's why I asked what version of IIS it is; it's
possible that there's a known issue and a fix available.

On 1/24/07, Antonio Aranda [EMAIL PROTECTED] wrote:


 The server virus app is up to date and I just ran a scan and there are no
infected files.  Other than this issue the server seems to work great.
Once people change their password there is no issue.



Antonio


 --

*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Al Mulnick
*Sent:* Tuesday, January 23, 2007 8:21 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] ftp access



I do.



That sounds a lot like a bug to me.  What version of IIS?



On 1/23/07, *Antonio Aranda* [EMAIL PROTECTED] wrote:

If you mean the command-line, yes.


 --

*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Al Mulnick
*Sent:* Tuesday, January 23, 2007 2:56 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] ftp access



do you get same results in Microsoft's client?

 On 1/23/07, *Antonio Aranda*  [EMAIL PROTECTED] wrote:

I'm using IIS and I used ie and smartftp to test.  I attached the log that
shows when it was working and when it stopped working and then when it
started working right after the user changed the password.  It seems to stop
working not when their password expires but when they start getting the
warning that their password is going to expire.  It's happened to three
different users and the fix has been the same.  There is no anonymous access
to anything.



Thanks for your help



Antonio
 --

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*On Behalf Of *Al Mulnick
*Sent:* Monday, January 22, 2007 7:40 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] ftp access



Can you provide some more details?

What are they using to access their shares? (client?)

What are you using to provide ftp access? (IIS?)

How did you prove that this is the case?  Log files? Trial and error?

Anything else that's relevant?



Al



On 1/22/07, *Antonio Aranda*  [EMAIL PROTECTED] wrote:

I've set up ftp access to users' network drives so they have access to them
remotely.  I recently noticed something very peculiar.  Their ftp access
stops working when they start getting warnings that their password is going
to expire.  I don't know if this is just a coincidence but once they change
their password it starts working again.  If anyone knows anything about
this, I would appreciate any advice.



Antonio Aranda

Network Analyst

UT-Permian Basin

432-552-2413











Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread Al Mulnick

What are properties of the 1 zone?

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:


Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as
well
as a single folder just named: 1 (without the quotes). There is a single
A-record  under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme









RE: [ActiveDir] ftp access

2007-01-24 Thread Antonio Aranda
It uses IIS 6 on windows 2003 and it has all patches.

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, January 24, 2007 1:16 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ftp access

 

When I say it sounds like a bug, I'm not thinking it's a virus type of bug.
More of a software bug.  That's why I asked what version of IIS it is; it's
possible that there's a known issue and a fix available. 

On 1/24/07, Antonio Aranda [EMAIL PROTECTED] wrote:

The server virus app is up to date and I just ran a scan and there are no
infected files.  Other than this issue the server seems to work great.
Once people change their password there is no issue.

 

Antonio

 

  _  

From: [EMAIL PROTECTED] [mailto:
mailto:[EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 8:21 PM


To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ftp access

 

I do.  

 

That sounds a lot like a bug to me.  What version of IIS? 

 

On 1/23/07, Antonio Aranda [EMAIL PROTECTED] wrote: 

If you mean the command-line, yes. 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ftp access

 

do you get same results in Microsoft's client? 

On 1/23/07, Antonio Aranda  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
wrote: 

I'm using IIS and I used ie and smartftp to test.  I attached the log that
shows when it was working and when it stopped working and then when it
started working right after the user changed the password.  It seems to stop
working not when their password expires but when they start getting the
warning that their password is going to expire.  It's happened to three
different users and the fix has been the same.  There is no anonymous access
to anything. 

 

Thanks for your help

 

Antonio

  _  

From: [EMAIL PROTECTED] [mailto:
mailto:[EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ftp access

 

Can you provide some more details?  

What are they using to access their shares? (client?)

What are you using to provide ftp access? (IIS?)

How did you prove that this is the case?  Log files? Trial and error? 

Anything else that's relevant? 

 

Al

 

On 1/22/07, Antonio Aranda  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
wrote: 

I've set up ftp access to users' network drives so they have access to them
remotely.  I recently noticed something very peculiar.  Their ftp access
stops working when they start getting warnings that their password is going
to expire.  I don't know if this is just a coincidence but once they change
their password it starts working again.  If anyone knows anything about
this, I would appreciate any advice. 

 

Antonio Aranda

Network Analyst

UT-Permian Basin

432-552-2413 

 

 

 

 

 



RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread Ulf B. Simon-Weidner
Hello nme,

 

quite easy - create a new host with the name test.1 in your domain's zone
and it'll be created under the same folder.

 

Those folders you see underneath the zone (and Zones are all on the top
level, right after Forward Lookup Zones and Reverse Lookup Zones) do not
really exist, in DNS only the records exist within a zone and the
dns-managementconsole makes those folders up to navigate easily. The
folders are displayed with every segment distinguished by a .
(dot/point).

 

So for example there's a record

_ldap._tcp.Default-First-Site-Name._sites.example.com IN SRV yadda-yadda

 

Which is displayed in dnsmgmt.msc underneath

 

Example.com

|

+- _sites

| |

| +- Default-First-Site-Name

| | |

| | +- _tcp 

 

However, if you look in the Active Directory Container which holds the zone
(or in the file if DNS is not AD-integrated) you will see neither
subcontainers nor objects with the names _tcp... or
Default-First-Site-Name... or _sites... - they are just made up because
there's a single record (or multiple records) which have those names between dots.

 

So in your case - if the record was created manually, you might just
recreate it without a .1 at the end (test this and verify the printers
name), if it was registered automatically you need to change the name of the
printer.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of EIS Lists
Sent: Wednesday, 24 January 2007 20:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Hi -

 

Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: 1 (without the quotes). There is a single
A-record  under it for one of our printers. 

 

Any idea what this folder is?

 

Thanks.

 

-- nme

 

 

attachment: winmail.dat
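How a console-style view derives those folders from dotted record names, as an added example that is not part of the original messages. The record list is constructed (the printer name `prn-floor2.1` is hypothetical), the expected-folder set is the one quoted in the question, and the "(same as parent folder)" label mirrors how the DNS management console displays a name that is both a record and a folder.

```python
"""Rebuild the 'folders' a DNS console shows from a flat list of record names."""

ZONE = "example.com"

# Constructed records: (owner name, type). 'prn-floor2.1' is a hypothetical
# printer that registered a host name containing a dot.
RECORDS = [
    ("example.com", "SOA"),
    ("dc1.example.com", "A"),
    ("_ldap._tcp.Default-First-Site-Name._sites.example.com", "SRV"),
    ("_ldap._tcp.example.com", "SRV"),
    ("_kerberos._udp.example.com", "SRV"),
    ("_ldap._tcp.dc._msdcs.example.com", "SRV"),
    ("DomainDnsZones.example.com", "A"),
    ("_ldap._tcp.DomainDnsZones.example.com", "SRV"),
    ("_ldap._tcp.ForestDnsZones.example.com", "SRV"),
    ("prn-floor2.1.example.com", "A"),
]

# The "usual folders" listed in the question, lower-cased (DNS names are
# case-insensitive).
EXPECTED_FOLDERS = {"_msdcs", "_sites", "_tcp", "_udp",
                    "domaindnszones", "forestdnszones"}


def relative_labels(owner, zone=ZONE):
    """Labels relative to the zone, outermost first; [] for the apex; None if outside."""
    name = owner.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if name == zone:
        return []
    if not name.endswith("." + zone):
        return None
    return name[: -len(zone) - 1].split(".")[::-1]


def folder_paths(records, zone=ZONE):
    """Every folder the view would draw: each proper ancestor of a multi-label name."""
    folders = set()
    for owner, _rtype in records:
        labels = relative_labels(owner, zone)
        if labels:
            for depth in range(1, len(labels)):
                folders.add(tuple(labels[:depth]))
    return folders


def place(records, zone=ZONE):
    """Map folder path (tuple; () is the zone root) -> list of (display name, type)."""
    folders = folder_paths(records, zone)
    view = {(): []}
    for path in folders:
        view[path] = []
    for owner, rtype in records:
        labels = relative_labels(owner, zone)
        if labels is None:
            continue
        path = tuple(labels)
        if not labels or path in folders:
            # The name itself is a folder (or the apex): record shown inside it.
            view[path].append(("(same as parent folder)", rtype))
        else:
            view[path[:-1]].append((labels[-1], rtype))
    return view


def unexpected_top_level(records, expected=EXPECTED_FOLDERS, zone=ZONE):
    """Top-level folders outside the expected set, with the records that cause them."""
    causes = {}
    for owner, rtype in records:
        labels = relative_labels(owner, zone)
        if labels and len(labels) > 1 and labels[0] not in expected:
            causes.setdefault(labels[0], []).append((owner, rtype))
    return causes


if __name__ == "__main__":
    for path, entries in sorted(place(RECORDS).items()):
        print("/".join(path) or "(zone root)", entries)
    print("unexpected:", unexpected_top_level(RECORDS))
```

Running the same check against a real zone export points straight at the record whose name produced the odd folder, which is the record to rename or re-register.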

RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread Ulf B. Simon-Weidner
No Zone – no properties ;-)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

What are properties of the 1 zone? 

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: 1 (without the quotes). There is a single 
A-record  under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme







 



Re: [ActiveDir] ftp access

2007-01-24 Thread Al Mulnick

Then I suggest a call to Microsoft support to find out about that behavior.

That behavior rings a bell in my way distant memory, but I don't recall what
the resolution was for that, if any. But that behavior is not what I would
expect from the FTP server. Especially since it's a Microsoft product using
Microsoft security (AD).

Al

On 1/24/07, Antonio Aranda [EMAIL PROTECTED] wrote:


 It uses IIS 6 on windows 2003 and it has all patches.


 --

*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Al Mulnick
*Sent:* Wednesday, January 24, 2007 1:16 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] ftp access



When I say it sounds like a bug, I'm not thinking it's a virus type of
bug.  More of a software bug.  That's why I asked what version of IIS it is;
it's possible that there's a known issue and a fix available.

On 1/24/07, *Antonio Aranda* [EMAIL PROTECTED] wrote:

The server virus app is up to date and I just ran a scan and there are no
infected files.  Other than this issue the server seems to work great.
Once people change their password there is no issue.



Antonio


 --

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*On Behalf Of *Al Mulnick
*Sent:* Tuesday, January 23, 2007 8:21 PM


*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] ftp access



I do.



That sounds a lot like a bug to me.  What version of IIS?



On 1/23/07, *Antonio Aranda* [EMAIL PROTECTED] wrote:

If you mean the command-line, yes.


 --

*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Al Mulnick
*Sent:* Tuesday, January 23, 2007 2:56 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] ftp access



do you get same results in Microsoft's client?

On 1/23/07, *Antonio Aranda*  [EMAIL PROTECTED] wrote:

I'm using IIS and I used ie and smartftp to test.  I attached the log that
shows when it was working and when it stopped working and then when it
started working right after the user changed the password.  It seems to stop
working not when their password expires but when they start getting the
warning that their password is going to expire.  It's happened to three
different users and the fix has been the same.  There is no anonymous access
to anything.



Thanks for your help



Antonio
 --

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*On Behalf Of *Al Mulnick
*Sent:* Monday, January 22, 2007 7:40 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] ftp access



Can you provide some more details?

What are they using to access their shares? (client?)

What are you using to provide ftp access? (IIS?)

How did you prove that this is the case?  Log files? Trial and error?

Anything else that's relevant?



Al



On 1/22/07, *Antonio Aranda*  [EMAIL PROTECTED] wrote:

I've set up ftp access to users' network drives so they have access to them
remotely.  I recently noticed something very peculiar.  Their ftp access
stops working when they start getting warnings that their password is going
to expire.  I don't know if this is just a coincidence but once they change
their password it starts working again.  If anyone knows anything about
this, I would appreciate any advice.



Antonio Aranda

Network Analyst

UT-Permian Basin

432-552-2413













Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread Al Mulnick

That's what I would expect.  But since the original poster called it a
zone I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:


 No Zone – no properties ;-)



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Al Mulnick
*Sent:* Wednesday, 24 January 2007 20:24
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone



What are properties of the 1 zone?

On 1/24/07, *EIS Lists* [EMAIL PROTECTED] wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as
well
as a single folder just named: 1 (without the quotes). There is a single

A-record  under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme









RE: [ActiveDir] ftp access

2007-01-24 Thread Ulf B. Simon-Weidner
Did you try to change the local Group Policy of the IIS-Machine not to
prompt the user to change password before it expires? Maybe it's somehow
connected with this mechanism.

 

The GPO is underneath

Computer Configuration / Windows Settings / Security Settings / Local
Policies / Security Options

 

And is named

Interactive logon: Prompt user to change password before expiration

 

Just a guess. 

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Monday, 22 January 2007 23:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ftp access

 

I've set up ftp access to users' network drives so they have access to them
remotely.  I recently noticed something very peculiar.  Their ftp access
stops working when they start getting warnings that their password is going
to expire.  I don't know if this is just a coincidence but once they change
their password it starts working again.  If anyone knows anything about
this, I would appreciate any advice.

 

Antonio Aranda

Network Analyst

UT-Permian Basin

432-552-2413 

 



RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread Ulf B. Simon-Weidner
Just 9:30 pm here, so not really late.

 

Many are mixing up the zones with the “DNS-Subdomains” or whatever they are 
actually called. But in this case he even had it right, he said that under the 
domain zone he has the “_*”-folders as well as a folder “1”. I had to reread 
too ;-)

 

How are things? See you in March?

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

That's what I would expect.  But since the original poster called it a zone I 
figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

No Zone – no properties ;-)

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

What are properties of the 1 zone? 

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: 1 (without the quotes). There is a single 
A-record  under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme






 

 



RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread EIS Lists
Thanks, all. Ulf, your explanation was great! I am sure it was someone
(probably me!) who just typed a .1 in some setting on the printer and allowed it
to register in DNS. 

 

Many thanks.

 

-- nme

 

Noah Eiger

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, January 24, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Just 9:30 pm here, so not really late.

 

Many are mixing up the zones with the DNS-Subdomains or whatever they are
actually called. But in this case he even had it right, he said that under
the domain zone he has the _*-folders as well as a folder 1. I had to
reread too ;-)

 

How are things? See you in March?

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

That's what I would expect.  But since the original poster called it a
zone I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

No Zone - no properties ;-)

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

What are properties of the 1 zone? 

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: 1 (without the quotes). There is a single 
A-record  under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme





 

 



RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-24 Thread Ulf B. Simon-Weidner
You're welcome!

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of EIS Lists
Sent: Mittwoch, 24. Januar 2007 22:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Thanks, all. Ulf, your explanation was great! I am sure it was someone
(probably me!) who just typed a .1 in some setting on the printer and allowed it
to register in DNS. 

 

Many thanks.

 

-- nme

 

Noah Eiger

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, January 24, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Just 9:30 pm here, so not really late.

 

Many are mixing up the zones with the DNS-Subdomains or whatever they are
actually called. But in this case he even had it right, he said that under
the domain zone he has the _*-folders as well as a folder 1. I had to
reread too ;-)

 

How are things? See you in March?

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Mittwoch, 24. Januar 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

That's what I would expect.  But since the original poster called it a
zone I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

No Zone - no properties ;-)

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Mittwoch, 24. Januar 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

What are properties of the 1 zone? 

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: 1 (without the quotes). There is a single 
A-record  under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme




 

 



[ActiveDir] OT: TechED 2007 Orlando

2007-01-24 Thread Mark Parris
Registration is open and anyone who wants a decent room - should think
about booking it soon.

www.msteched.com

If it is anything like 2005 - most of the free alcohol (not to be confused
with Alcohol Free) nights were spent in the Pointe Orlando
(http://www.pointeorlando.com) opposite Hotel number 5, and no not in
Hooters. 

http://download.microsoft.com/download/0/c/7/0c72a317-e619-4410-bd18-3cdea9224a61/te07_hotel_map.pdf

Hope this helps.

Regards,

Mark Parris

Base IT Ltd.
Active Directory Consultancy
Tel +44(0)7801 690596

Registered in England and Wales. Registered Office; 35 Ballards Lane,London,
N3 1XW, England. Registered Number 03540460.




[ActiveDir] PHP Module for Windows

2007-01-24 Thread EIS Lists
Hi -

 

I reviewed PlexSSO (www.ioplex.com), but it
appears to only run on Linux. Does anyone know of an off the shelf module
that will run under Windows?

 

Thanks.

 

-- nme

 

Noah Eiger

 

 

 



RE: [ActiveDir] PHP Module for Windows

2007-01-24 Thread Thommes, Michael M.
Is this what you are looking for?  http://www.php.net/downloads.php  I
have not used it, however, and can't speak to how well it works but it
seems to come from the right place.  ;)

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of EIS Lists
Sent: Wednesday, January 24, 2007 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PHP Module for Windows

 

Hi -

 

I reviewed PlexSSO (www.ioplex.com), but it
appears to only run on Linux. Does anyone know of an off the shelf
module that will run under Windows?

 

Thanks.

 

-- nme

 

Noah Eiger

 

 

 



RE: [ActiveDir] Adfind + Admod help

2007-01-24 Thread MORB (Morten Brun)
Hi 

 

The way to do this with code is to enumerate all users, and their AD attributes 
and for each user update/check the information from your HR database. Running 
this daily nobody needs to update your AD manually with HR data.

 

/morten

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: 23. januar 2007 18:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

 

We have a software developer in our group who has developed a Corporate 
Directory application that acts as our internal employee directory on our 
intranet.  It also includes an administrative side which  gives certain 
individuals (mostly HR) the ability to create and disable user accounts when 
people are hired or let go.  The need for Active Directory to house information 
such as department, section, as well as other information unique to our company 
was mostly done to accommodate this application.

 

It was this administrative portion of our Corporate Directory application that 
allowed Human Resources to literally go in and do some data entry and make the 
proper entries for each employee as to their correct department and section.  
So that answers the question of how the data got in there in the first place.

 

As for how I’ll go about this, it looks like I’ll unfortunately have to go back 
and bug our software dev for help on this.  I hate doing it, because when it 
comes to things like this I feel like I should be able to do it but 
unfortunately I just don’t know how to yet apparently.

 

~Ben

 

 

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

What are you comfortable with for administration?  
How'd the attributes get populated in the first place? 

joe's tool wouldn't be the tool of choice for this problem. To clarify that, I 
mean to say that it wouldn't be the only tool because there's logic that has to 
occur that is specific to your situation. 

The manual method (non-automated) would be to export the information into 
spreadsheets and use ldif or csv (comfort level again) to create and populate 
the group structures as needed. 

Al

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:

Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??", then I 
would have to lean more towards "??" in my case.  Not to say you didn't give some 
excellent options, but unfortunately it all boils down to me simply not being 
any sort of a programmer and so I currently wouldn't know how to do any of the 
options you suggest.  (I'm studying the ways of VBScripting right now).  To 
answer an earlier question, "Do you already have the department names in a 
list? Or is that something that you have to gather first?", the department and 
section information is already contained within Active Directory through Schema 
Extensions.  The actual names of the departments/sections are not important at 
this level, all I need to be concerned with is the department and section 
numbers.

 

As an example…

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should be a 
member of the (not created yet) Sec242 security group, and then the Sec242 
security group would be a member of the (not created yet) Dep24 security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind + Admod 
could meet this challenge.  I'm certainly hoping so.  :) 

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something that 
you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user object 
and determine the department value. Then, you'll create a group for every 
single unique instance of department value. After those are created, you'd then 
create the section sg's and make them members of the relevant department sg.  

 

Is there a clean way?  I don't think it's something that you can do on a single 
command line, although I throw that out there mostly as a challenge to joe. He 
likes that kind of challenge I suspect ;)

 

Couple of options come to mind: 

 

You could build a table and based on that table you can create/populate.  ADMOD 
and ADFIND could be useful to you there. 

You could build a script that uses dictionary objects and creates the unique 
instances for you and correlates that information to the sections and then 
creates/populates.  It's slightly complex, but...

 

Building the tables, you could then execute manually.  Depends on the scope of 
course. 

 

Of 
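
The group plan discussed in this thread (each user in a SecNNN group, each SecNNN group nested in its DepNN group), worked through as an added example that is not code from any poster. The group OU, the two "Example User" records and the choice of global security groups are assumptions; the output is LDIF of the kind Al mentions, and HR-entered values are checked as numeric before they are used in a DN.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the export quoted in the thread.
SAMPLE_EXPORT = """\
dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

dn:CN=Example User One,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 241

dn:CN=Example User Two,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 31
apsgSection: 31,OU=Admins
"""

GROUP_OU = "OU=Groups,DC=appsig,DC=com"  # assumption: the thread names no group OU
GLOBAL_SECURITY_GROUP = -2147483646      # groupType value for a global security group
NUMERIC = re.compile(r"[0-9]{1,6}")      # department/section numbers only

def parse_export(text):
    """Split the export into one {attribute: value} dict per user record."""
    return [{k.strip(): v.strip()
             for k, _, v in (line.partition(":") for line in block.splitlines())}
            for block in re.split(r"\n\s*\n", text.strip())]

def plan_groups(records):
    """Return (sections, departments, skipped DNs) for the parsed user records."""
    sections, departments, skipped = defaultdict(list), defaultdict(set), []
    for rec in records:
        dep, sec = rec.get("apsgDepartment", ""), rec.get("apsgSection", "")
        if not (NUMERIC.fullmatch(dep) and NUMERIC.fullmatch(sec)):
            skipped.append(rec.get("dn", "?"))  # never build a DN from unchecked data
            continue
        sections[f"Sec{sec}"].append(rec["dn"])
        departments[f"Dep{dep}"].add(f"Sec{sec}")
    return sections, departments, skipped

def to_ldif(sections, departments):
    """Emit LDIF adds: section groups first, then department groups nesting them."""
    nested = [(dep, [f"CN={s},{GROUP_OU}" for s in sorted(secs)])
              for dep, secs in sorted(departments.items())]
    out = []
    for name, members in sorted(sections.items()) + nested:
        out += [f"dn: CN={name},{GROUP_OU}", "changetype: add", "objectClass: group",
                f"sAMAccountName: {name}", f"groupType: {GLOBAL_SECURITY_GROUP}"]
        out += [f"member: {m}" for m in members] + [""]
    return "\n".join(out)
```

Records in the skipped list need a manual look at the source data before any group is created for them.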

Re: [ActiveDir] PHP Module for Windows

2007-01-24 Thread Michael B Allen
On Wed, 24 Jan 2007 15:26:47 -0800
EIS Lists [EMAIL PROTECTED] wrote:

> I reviewed PlexSSO (www.ioplex.com), but it
> appears to only run on Linux. Does anyone know of an off the shelf module
> that will run under Windows?

A number of people have asked us about this. I've been telling them just
use IIS w/ IWA but I must admit I've never tried running PHP w/ IIS so
I'm not sure if it would work. If you need the other is_memberof stuff or
the AD scripting stuff in 2.0 then I'm afraid there's no way unless you
write a C extension (and even then I don't think it would be as nice :-).

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] PHP Module for Windows

2007-01-24 Thread EIS Lists
Thanks. I had a feeling that was the answer. I will pass it on to our
developer.

-- nme

-----Original Message-----
From: Michael B Allen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 24, 2007 6:06 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] PHP Module for Windows

On Wed, 24 Jan 2007 15:26:47 -0800
EIS Lists [EMAIL PROTECTED] wrote:

> I reviewed PlexSSO (www.ioplex.com), but it
> appears to only run on Linux. Does anyone know of an off the shelf module
> that will run under Windows?

A number of people have asked us about this. I've been telling them just
use IIS w/ IWA but I must admit I've never tried running PHP w/ IIS so
I'm not sure if it would work. If you need the other is_memberof stuff or
the AD scripting stuff in 2.0 then I'm afraid there's no way unless you
write a C extension (and even then I don't think it would be as nice :-).

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/



[ActiveDir] moving server local groups to AD?

2007-01-24 Thread Thommes, Michael M.
(I sure hope this doesn't sound like too dumb a question!)  We have a
server where local security groups were created for local file access.
The files on this server are going to be moved to a file server cluster.
Can ADMT v3 migrate these security groups up to the AD structure with
the hopes of retaining SIDHistory and therefore access to the moved
files?

 

If ADMT wouldn't work, does anyone have suggestions for this operation?
As always, any help is appreciated!

 

Mike Thommes