RE: [ActiveDir] [ActiveDir[OT]] Search Mailbox
ExMerge allows you to search on certain parameters such as subject, attachments, date/time, etc. It runs with privileged credentials to access and search through the mailboxes. Downloadable from the MS download page.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Thursday, September 21, 2006 6:02 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Search Mailbox

Is there any way to search for messages within a mailbox without using Outlook in Exchange 2000; like using System Administrator?

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

RE: [ActiveDir] Remove Defunct domains..
dusting off old NT 4.0 sectors

Check your WINS database if you are using WINS. Part of the browsing data comes from WINS and the database will tell you where those records are coming from. You can address it via the hosts if it's coming from there or clean up your WINS db.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, August 02, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

That's a browser function not something in AD. There's probably still computers joined to those domains (even though they don't exist) or computers in workgroups with the same names

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains through NTDSUTIL. Doing a metadata cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available networks, there are a few domains that appear that shouldn't. Is there a way to remove these domain/domain entries manually? ADSI edit?

--
HBooGz:\

RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
I'm getting the list at home and at work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via Exchange and MAPI is coming in blank. Both the non-SP standard builds of Outlook. Exchange is still @ E2K...

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, May 15, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I just verified and OWA is also throwing garbage characters on the end of the message and when looking at the raw stream it is the list banner. How is O2K7 displaying it?

Anyone understand what the full spec for a message is and how to (or if you can) mix MIME with plain text? I expect either the plain text banner isn't allowed or the list software isn't modifying the header properly for it to tell the clients to expect it.

joe

Here is Al's message straight from POP without interpretation:

    retr 39
    +OK
    Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211); Mon, 15 May 2006 16:44:34 -0400
    Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
    Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT)
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwWM=
    Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT)
    Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
    Message-ID: [EMAIL PROTECTED]
    Date: Mon, 15 May 2006 16:38:12 -0400
    From: "Al Mulnick" [EMAIL PROTECTED]
    To: ActiveDir@mail.activedir.org
    Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
    In-Reply-To: [EMAIL PROTECTED]
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8; format=flowed
    Content-Transfer-Encoding: base64
    Content-Disposition: inline
    References: [EMAIL PROTECTED]
    Precedence: bulk
    Sender: [EMAIL PROTECTED]
    Reply-To: ActiveDir@mail.activedir.org
    Return-Path: [EMAIL PROTECTED]
    X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]

    [base64-encoded message body]
    List info : http://www.activedir.org/List.aspx
    List FAQ : http://www.activedir.org/ListFAQ.aspx
    List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
    .

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: joe [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 15, 2006 7:28 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Al is sending from GMAIL. It appears that GMAIL is mime encoding the messages, and then the list attaches the plain text banner on it and the whole decodes incorrectly. Outlook pre-2007 pukes (probably exceptions out of the rendering phase) and OWA, O2K7, and Thunderbird seem to read it fine but with the possibility of bad characters. If I had to guess, I would guess the bad characters are the plain text banner being decoded as MIME.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, May 15, 2006 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?

What about the origin - are they created using OL2k7? If so must be a new bug - I was using a bit older version for quite a while (and everything was readable), but it almost corrupted my mailstore - so I switched temporarily back.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Tuesday, May 16, 2006 12:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users
RE: [ActiveDir][OT] Is there a way to force users to logon to domain?
The POP3 is just via my local Telco ISP (not a major Telco). I'm not sure what they are using but it's not Exchange. Mirapoint MOS 3.7.0-GA is what I glean from the headers but I'm not familiar with it.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, May 15, 2006 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Interesting, for the O2K3 via POP3 what is the backend? I am doing O2K3 via POP3 backended into Exchange 2003 and getting the blanks.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane
Sent: Monday, May 15, 2006 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I'm getting the list at home and at work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via Exchange and MAPI is coming in blank. Both the non-SP standard builds of Outlook. Exchange is still @ E2K...

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, May 15, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I just verified and OWA is also throwing garbage characters on the end of the message and when looking at the raw stream it is the list banner. How is O2K7 displaying it?

Anyone understand what the full spec for a message is and how to (or if you can) mix MIME with plain text? I expect either the plain text banner isn't allowed or the list software isn't modifying the header properly for it to tell the clients to expect it.

joe

Here is Al's message straight from POP without interpretation:

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: joe [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 15, 2006 7:28 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Al is sending from GMAIL. It appears that GMAIL is mime encoding the messages, and then the list attaches the plain text banner on it and the whole decodes incorrectly. Outlook pre-2007 pukes (probably exceptions out of the rendering phase) and OWA, O2K7, and Thunderbird seem to read it fine but with the possibility of bad characters. If I had to guess, I would guess the bad characters are the plain text banner being decoded as MIME.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

RE: [ActiveDir] Quiet? DEC? Related?
Maybe we should ask a question on the merits of doubling down on an 11 when the dealer has a face card showing... :-)

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, March 29, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Don't worry we're still here.. ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Moon, Brendan
Sent: Wed 2006-03-29 19:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quiet? DEC? Related?

Hmm.. everyone must be having fun at DEC... this list has been very quiet this week!

- Brendan Moon

RE: [ActiveDir] Single Sign-on
Russ:

We are pursuing a "reduced" sign on environment as opposed to a single sign on. Fortunately we've been able to leverage AD as our "authoritative source" for IDs and passwords but due to the plethora of heterogeneous applications, not all of them can leverage AD as the authentication and authorization source.

In this context, reduced sign on is that the end user will use their AD ID and password in the various enterprise applications but we are purposely requiring the various applications "re-authenticate" the user when the application is launched. We are doing this as opposed to leveraging pass-through authentication for access rights. The thinking is that this reduces risk to the various applications. For example if I have access to a user's unlocked work station, I can't launch the financial system app and get access to info that I shouldn't. I would get prompted again for credentials. Most of our enterprise apps are on non-windows systems.

The reduced sign-on is part of an overall "identity management" goal for our company so we did not target this specific item. The identity management process encompasses various tools and software components. I can give you more details off line if you wish.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Sunday, January 29, 2006 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Single Sign-on

I think the part that I don't get is what your exact idea of SSO is, Russ. I mean, Active Directory is a great central authentication platform. It has other components that can be useful such as AzMan, ADAM, and WS*. But it wouldn't be much of a deal to cause your applications to use Active Directory as their authentication source instead of installing SSO software on them and using that. Then you'd have no out of pocket expense. Possibly. Depends greatly on what your requirements are in detail and what level of effort you want to expend.

Al

On 1/29/06, Rodrigo Blanco [EMAIL PROTECTED] wrote:

Wiseguard is a cost-effective solution and integrates directly with AD.

Regards,
Rodrigo.

On 1/28/06, Rimmerman, Russ [EMAIL PROTECTED] wrote:

RE: [ActiveDir] [List Owner] Mailing list is 5 today!
16 more years and we can start drinking... WooHoo..

My cranial capacity on AD has grown immensely through the sharing on the list. Thanks much to you and the members of the list.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Thursday, January 12, 2006 4:57 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [List Owner] Mailing list is 5 today!

Hi all

I started this list on 13th January 2001. Thanks to everyone out there for making it a great place to hang out and learn about AD (and more besides!).

Tony

RE: [ActiveDir] remove logon script?
Try ADmodify for a GUI tool...

Diane

http://tinyurl.com/5ruog

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Monday, December 05, 2005 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove logon script?

How can I remove the logon.bat from all my user (2000+) accounts at one time in my domain? I've switched to GPO for the logon scripts.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer
IIRC in the conversations that I had with MS around MONAD was that one goal was intended to fix the issue of inconsistencies of the various command line tools (different switches, piping options, etc.). The other goal was to ensure that every option that was available via the GUI was exposed via the command line and vice versa. In essence the GUI was going to be an alternate way of generating the MONAD command line entries. One proposal was that you would be able to capture any GUI operations into a MONAD command line script to facilitate batch operations. Kind of a scripting for dummies.. :-)

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, December 01, 2005 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

... so in the demo I saw the guy was calculating the number of days between then and 12/31/2005. As I was watching him do all these command lines... I'm thinkin' in my beancounter side of my brain... you know.. my cell phone has a calculator and I could have figured that number out in half that time :-)

What I'm looking forward to it for is that Exchange will have it and all the lovely people that write wizards and tools and scripts and buttons can use the power of it.

But yeah... it's a bit whoa..

joe wrote:

Question of the day: If .Net = .Fat then does cmdlet = piglet?

ROFL!

Other than that, I agree, it is the replacement for a shell that is showing its age. On the positive side you can do some cool serialized piping (aka piping objects) instead of just piping text. Very powerful. On the negative side, it is pretty intense all around. It is going to scare some people. Plus there are concerns about how fat and slow it might be. I had a nice conversation with the Exchange Dev folks over at EHLO for instance concerning the MONAD way.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bernard, Aric
Sent: Thursday, December 01, 2005 1:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

Speaking from my own personal discoveries

In a nutshell, MONAD is supposed to be a new command line shell to replace the relatively stagnant CMD shell. As I understand it, MONAD offers the following capabilities above and beyond what CMD provides:

* Ability to leverage system objects at the command line (interactive) as well as through a script.
* Ability to leverage nearly anything exposed via the .Net Framework 2.0.
* Enhanced security framework which by default only allows interactive input at the command line and blocks the running of scripts - allows provides intermediate levels for code signing of scripts from certain sources.
* Provide support for WSH scripts
* Provide an experience *similar* to that available in the most widely used *nix shells (Korn, Bourne, C)

So let me now caveat the above by saying I have very little experience working with the MONAD shell (aka MSH). At the very least I can say that MONAD is more useful to me than WSH/VBScript since I am more comfortable with C# and as I can execute nearly every command (for testing purposes) from the command line as opposed to in the body of a script.

To date, one of my favorite cmdlets is the get-member which enumerates the properties, methods, and other relevant information that you can use or squeeze out of a given object.

So am I sold on it? Not exactly (it is still a little too much like programming) but I do think it is much better than what we have today from a shell perspective.

Question of the day: If .Net = .Fat then does cmdlet = piglet?

Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Thursday, December 01, 2005 6:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

Just curious - what's MONAD's goal supposed to be, other than having an acronym that sounds like a military facility?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, December 01, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

You know that the scriptomatic 2 HTA will create Perl script that does WMI right

I am not a huge fan of WMI but there are times in the scripting world if you want to stick to pure script it is the only way to do what you want and I will use it if I don't have time (or ability as in the case of mailbox reconnects or getting info on what DCs are being used by DSACCESS) to write native code to do what I need. If you have perl in your pocket
RE: [ActiveDir] Trusts.....
You mention that it is a legacy trust. I don't know how far back it goes legacy wise but I ran into an issue where a legacy trust could not be upgraded (modified) as the trust existed prior to upgrade (way back in NT 4.0 land) and the solution was to delete the trust entirely and recreate. There is a KB article on it which I don't have at my fingertips but the root issue was that the legacy trust did not have the rights GUIDs to be modified. Not sure if this is the situation you are running into or not.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Smith, Brad
Sent: Monday, November 28, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

Grr. This thing won't budge. I have implemented the settings from the article below, but still no joy. I will hopefully have missed something and will re-check. Watch this space.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Smith, Brad
Sent: 28 November 2005 11:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

Found it...thanks...

http://support.microsoft.com/default.aspx?scid=kb;en-us;889030

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: 25 November 2005 16:00
To: ActiveDir.org
Subject: Re: [ActiveDir] Trusts.

Brad,

I am not in the office at the moment but there is a microsoft Kb titled something like creating trusts are not established as expected, this has about 8 steps you can walk through to trouble shoot.

Regards
Mark

-----Original Message-----
From: Smith, Brad [EMAIL PROTECTED]
Date: Fri, 25 Nov 2005 13:56:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

Sorry. It is a legacy trust between a W2K Domain (Single Domain, Single Forest) and a W2K3 Domain (Single Domain, Single Forest).

I know how to create trusts, that bit is easy enough, what I am having problems with is understanding and troubleshooting why it can't create an RPC connection to do the required bits and pieces, I am not even getting to the point where it asks for authentication details, I have only specified the destination domain, and then it fails with a unable to establish RPC type error message. I can resolve the DNS name of domain, ie domain.com

any ideas?

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: 24 November 2005 16:18
To: ActiveDir@mail.activedir.org
Subject: RE: Trusts.

Hi,

You do not mention the type of trust you want to create but between a W2K and W2K3 forest you can only create external trusts.

For more info see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b30ef067-746e-4453-b879-804259aafdd3.mspx

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Smith, Brad
Sent: Thu 11/24/2005 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: Trusts.

Hi List,

I am having annoying problems getting two forests to establish a trust (one is W2K, one is W2K3). Has anyone got a reference to what permissions are required

TIA,
Brad

RE: [ActiveDir] exporting group membership
Here is a script that you can use. It dumps the group to a spreadsheet with column headers. Modify as you see fit.

Diane

    On Error Resume Next
    CRLF = Chr(13) + Chr(10)

    ' Prompt for the distinguished name of the group and bind to it over LDAP
    strADName = InputBox("Enter Complete LDAP DN for desired group", "Group Name?", "")
    Set GroupObj = GetObject("LDAP://" & strADName)
    WScript.Echo "Getting group Membership for " & strADName
    If Err.Number <> 0 Then
        WScript.Echo "Failed to connect to " & strADName
        WScript.Quit
    End If

    ' Open a new Excel workbook and name the sheet after the group
    Set memberlist = GroupObj.Members
    Set objExcel = WScript.CreateObject("Excel.Application")
    objExcel.Visible = True
    objExcel.Workbooks.Add
    objExcel.ActiveSheet.Name = GroupObj.SAMAccountName
    objExcel.ActiveSheet.Range("A1").Activate
    objExcel.ActiveCell.Value = "ID"                         ' col header 1
    objExcel.ActiveCell.Offset(0,1).Value = "Last Name"      ' col header 2
    objExcel.ActiveCell.Offset(0,2).Value = "First Name"     ' col header 3
    objExcel.ActiveCell.Offset(0,3).Value = "Address"        ' col header 4
    objExcel.ActiveCell.Offset(0,4).Value = "Office"         ' col header 5
    objExcel.ActiveCell.Offset(0,5).Value = "Internal Phone" ' col header 6
    objExcel.ActiveCell.Offset(0,6).Value = "External Phone" ' col header 7
    objExcel.ActiveCell.Offset(0,7).Value = "Mobile"         ' col header 8
    objExcel.ActiveCell.Offset(1,0).Activate                 ' move 1 down

    ' One row per member. As posted, only members whose sAMAccountName is
    ' exactly 4 characters long are written; adjust this filter as needed.
    For Each member In memberlist
        If Len(member.SAMAccountName) = 4 Then
            objExcel.ActiveCell.Value = member.SAMAccountName
            objExcel.ActiveCell.Offset(0,1).Value = member.sn
            objExcel.ActiveCell.Offset(0,2).Value = member.givenName
            objExcel.ActiveCell.Offset(0,3).Value = member.streetAddress
            objExcel.ActiveCell.Offset(0,4).Value = member.physicalDeliveryOfficeName
            objExcel.ActiveCell.Offset(0,5).Value = member.telephoneNumber
            objExcel.ActiveCell.Offset(0,6).Value = member.otherHomePhone
            objExcel.ActiveCell.Offset(0,7).Value = member.mobile
            objExcel.ActiveCell.Offset(1,0).Activate
        End If
    Next

    Set GroupObj = Nothing
    WScript.Echo "Done"
    WScript.Quit

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Friday, November 25, 2005 8:02 AM
To: Active
Subject: [ActiveDir] exporting group membership

I am trying to export the following fields from Active Directory using CSVDE

I ran the following command

    CSVDE -F c:\output.csv -d "ou=security groups,ou=INTARA,dc=COM" -r "(objectclass=group)" -l cn,description,member,whencreated,whenchanged,info,managedby,mail

This retrieves the information I want, however, the Member tab displays a list of users full DN in one single cell and makes it difficult to overview the member list.

How can I display a list of the users in their own individual cells going downwards (if that makes sense) does CSVDE allow this? If not any other tools out there?

RE: [ActiveDir] Schema Updates
Title: Schema Updates You ever find that often times the products are already bought before your input is requested? The better question is when do they ever check with you before they buy a product? Nope... They usually ask someone that has no clue of the impact to the production systems then they bring it to us to "implement" We have Unity and it hashad a major impact toour AD environment although I can say that the users (including me) love it's functionality. What irksme more though is the version that we implemented initially had major schema changes and then the subsequent version decide to move a lot of the data from AD to a separate SQL DB. Why didn't they tell me that BEFORE we irrevocably altered the schema. Another good example is Cisco ICM. The versionprior to the new 7.x version required a separate domain, required domain admin level privileges to operate and schema changes to forest as well as a litany of other "issues". At least version 7.x will integrate into an existing corporate domain although requires a dedicated OU. I really get nervous with applications that want to create user objects wily-nily in orderto operate. Diane From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Monday, October 10, 2005 6:52 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Schema Updates Our movement for Cisco Unity was based strictly on a wholesale move to Cisco VoIP solutions all the way around. Apparently theres some cost savings there somewhere. I dunno regarding the comment joe made about not ever being in your ad environment. Concur 100%. You ever find that often times the products are already bought before your input is requested? I dunno if I have bigger problems with cisco being in the software space or their horrible turnout of applications after theyve acquired them. Unity, call manager, etc one uses ad one uses dirsync in a proprietary ldap server odd stuff like that. 
Not to mention, it took a nda and massive levels of coercion to get cisco to fess up to what the exact permissions were that are required in order for unity to work successfully. That was a good month long ordeal. Unfortunately nda - so I cant really speak or blog on the exact stuff to correct it. Their reasoning? Most admins have no idea how to configure the ACLs properly to support their application. I digress. :m:dsm:cci:mvp marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander KooiSent: Monday, October 10, 2005 7:57 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Schema Updates The price tag will definitely drop as soon as Microsoft releases Exchange 12 with UM built in. But, it's not THAT expensive today, and there are some great business pluses to it. We had no problemsshowing ROI on VOIP or UM. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Monday, October 10, 2005 6:14 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Schema Updates It's a feature with lots of "gee whiz!" appeal, but once people see the price tag, the response is usually "ouch!" We are still waiting for the "year of UM". I'm betting on 2007. :-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]Sent: Monday, October 10, 2005 6:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Schema Updates I think this is definitely a case where Moore's Law hasn't been applicable. It's funny how little this story has changed since I saw the first unified messaging demos (then by Octel) about ten years ago. Ed Crowley MCSE+Internet MVPFreelance E-Mail PhilosopherProtecting the world from PSTs and Bricked Backups! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Monday, October 10, 2005 1:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Schema Updates Entirely your option. 
:) Windows 3.11 and Windows NT are really not the same product. Note I am not saying I won't use cisco routers because they sucked 12 years ago. As someone else pointed out, software isn't cisco's ball of wax. There is obviously a little bit of a scary point there when you consider though that the IOS is software... Also as you mentioned, it wasn't created or even modified much by cisco. So I don't expect it is much different now than what I saw.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

And I will never run Windows because 3.11 just wasn't that great at networking. ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Being the best available doesn't make something good and doesn't need
RE: [ActiveDir] Modifying Domain Admins Administrators Group
Probably. Never said it was fool-proof but only that it addresses a small part of the total picture. I will let my cohorts speak to the specifics to the process if they choose. Ideally, your admin and security model would prevent any un-authorized changes but the 8th and 9th layer sometimes comes into play... Fortunately we don't have that problem

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group

How does it work? Do you use LDAP to look at the membership? If so, you probably have a hole in the implementation.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Thursday, October 06, 2005 2:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group

We run a simple process that monitors the members of elevated privilege groups. Any changes trigger a notification. Doesn't address the prevention but will allow you to capture the occurrence and deal with it appropriately.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Thursday, October 06, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modifying Domain Admins Administrators Group

Hi,

We have about 7 domain administrators in a particular child domain. I just found out someone added the DBA Group to part of the Administrators group in this domain. Not necessary, not required nor is it a policy. Event logs have obviously been overwritten therefore I would like to know the simplest method to avoid this scenario from ever happening again. What are my options?

Thank you so much.
List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Modifying Domain Admins Administrators Group
We run a simple process that monitors the members of elevated privilege groups. Any changes trigger a notification. Doesn't address the prevention but will allow you to capture the occurrence and deal with it appropriately.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Thursday, October 06, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modifying Domain Admins Administrators Group

Hi,

We have about 7 domain administrators in a particular child domain. I just found out someone added the DBA Group to part of the Administrators group in this domain. Not necessary, not required nor is it a policy. Event logs have obviously been overwritten therefore I would like to know the simplest method to avoid this scenario from ever happening again. What are my options?

Thank you so much.
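The monitoring approach described in this thread, as an added example (not code from the thread or from any poster's environment): it compares two snapshots of a privileged group's effective membership, following nested groups such as the DBA Group case above, and also counting accounts whose primaryGroupID points at the group, which the `member` attribute does not list. All DNs, SIDs and account names are constructed, and collecting the snapshots from a DC is assumed to happen elsewhere.

```python
"""Alert on changes to the effective membership of a privileged AD group.

The directory below is constructed sample data shaped like an LDAP export
(distinguishedName -> attributes). Nothing here contacts a domain controller.
"""
import copy
from collections import deque

BASE = "DC=child,DC=example,DC=com"                      # constructed domain
DOM_SID = "S-1-5-21-1111111111-2222222222-3333333333"    # constructed SID
ADMINS = f"CN=Administrators,CN=Builtin,{BASE}"


def dn(name):
    """Build a constructed DN under CN=Users."""
    return f"CN={name},CN=Users,{BASE}"


def split_sid(sid):
    """Split a SID string into (domain prefix, RID)."""
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def direct_members(directory, group_dn):
    """What a naive monitor sees: only the group's own `member` values."""
    return set(directory[group_dn].get("member", []))


def effective_members(directory, group_dn):
    """Return {dn: path} for every principal that effectively holds the group.

    Sources: the `member` attribute, nested groups (breadth-first and
    cycle-safe), and accounts whose primaryGroupID is the RID of a group on
    the path within the same domain SID.
    """
    found, seen = {}, {group_dn}
    queue = deque([(group_dn, (group_dn,))])
    while queue:
        current, path = queue.popleft()
        prefix, rid = split_sid(directory[current]["objectSid"])
        candidates = list(directory[current].get("member", []))
        candidates += [
            d for d, e in directory.items()
            if e.get("primaryGroupID") == rid
            and split_sid(e["objectSid"])[0] == prefix
        ]
        for member in candidates:
            if member in seen:
                continue
            seen.add(member)
            found[member] = path + (member,)
            entry = directory.get(member)    # None for DNs outside the export
            if entry and entry["objectClass"] == "group":
                queue.append((member, found[member]))
    return found


def diff_membership(baseline, current, group_dn):
    """Compare two snapshots; return (added {dn: path}, removed [dn])."""
    before = effective_members(baseline, group_dn)
    after = effective_members(current, group_dn)
    added = {d: after[d] for d in sorted(after.keys() - before.keys())}
    removed = sorted(before.keys() - after.keys())
    return added, removed


def cn(value):
    """Leading CN of a DN (sample DNs contain no escaped commas)."""
    return value.split(",", 1)[0][3:]


def alerts(baseline, current, group_dn):
    """Render one notification line per membership change."""
    added, removed = diff_membership(baseline, current, group_dn)
    lines = [f"ADDED   {cn(d)} via {' > '.join(cn(p) for p in path[:-1])}"
             for d, path in added.items()]
    lines += [f"REMOVED {cn(d)}" for d in removed]
    return lines


def user(rid, primary=513):
    return {"objectClass": "user", "objectSid": f"{DOM_SID}-{rid}",
            "primaryGroupID": primary}


def group(sid, members):
    return {"objectClass": "group", "objectSid": sid, "member": list(members)}


# Constructed baseline snapshot.
BASELINE = {
    ADMINS: group("S-1-5-32-544", [dn("Domain Admins")]),
    dn("Domain Admins"): group(f"{DOM_SID}-512", [dn("adm-alice")]),
    dn("DBA Group"): group(f"{DOM_SID}-1200", [dn("dba-carol")]),
    dn("adm-alice"): user(1104),
    dn("dba-carol"): user(1106),
    dn("svc-backup"): user(1107),
}

# Constructed later snapshot: a group is nested into Administrators, and one
# account's primary group is switched to Domain Admins.
CURRENT = copy.deepcopy(BASELINE)
CURRENT[ADMINS]["member"].append(dn("DBA Group"))
CURRENT[dn("svc-backup")]["primaryGroupID"] = 512

if __name__ == "__main__":
    for line in alerts(BASELINE, CURRENT, ADMINS):
        print(line)
```

Comparing only `direct_members` between the two snapshots reports the nested DBA Group but not the users inside it or the primary-group change.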
RE: [ActiveDir] Precreating sites and subnets
Tom:

I used Robbie Allen's script to do this. You can glean from his script the techniques for doing this. I sent you a copy under a separate email

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 01, 2005 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Precreating sites and subnets

I'm trying to run this script from MS to precreate site and subnet objects in a test forest from a csv file. That works fine but I also would like to add a description for each subnet from the same csv file. How can I edit this script to do that?

Thanks. Sorry for being lazy but I'm kinda under the gun (actually this is the IBM AD consultant's homework).

Thanks again.
RE: [ActiveDir] Database Corruption
My preferred approach would be to demote the box to member server and re-promote to a domain controller to ensure a good fresh copy of the DIT. YMMV as the specific requirements at your location may prevent this. We have only run into this once early in our AD days and this was the approach we used with good success.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, August 19, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Database Corruption

Started getting the error below a few weeks ago on one of our DCs. My first reaction is to run a non-auth restore from a day before this started happening and let replication take care of everything else. Any reason NOT to do this? I'm concerned that this may happen again and wasn't able to find anything specific to the error below. Besides calling PSS anything else I should look into before restoring? This box holds all FSMO roles, Win2k3, server for NIS.

TIA

-alex

Event Type: Error
Event Source: NTDS ISAM
Event Category: Database Page Cache
Event ID: 475
Date: 8/19/2005
Time: 2:00:24 PM
User: N/A
Computer: DC
Description: NTDS (528) NTDSA: The database page read from the file "C:\WINNT\NTDS\ntds.dit" at offset 665067520 (0x27a42000) for 8192 (0x2000) bytes failed verification due to a page number mismatch. The expected page number was 81184 (0x00013d20) and the actual page number was 2349964126 (0x8c119b5e). The read operation will fail with error -1018 (0xfc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
RE: [ActiveDir] Biggest AD Gripes
Not an AD gripe but a tools gripe. The AD Sites and Services snap-in sucks canal water as Laura sez. MS said they would fix it in Win2K3 but it still sucks.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 02, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Biggest AD Gripes

So what are everyone's biggest AD Gripes? I am not talking about gripes about things that use AD like GPOs[1] or Exchange or NFS or anything else like that. I mean actual AD really missed the boat because of this that or the other thing. Like

o I dislike that when you defunct an attribute it doesn't purge the information in the directory for that attribute.
o The fact that AD Security policy is managed through a technology dependent on AD and replicates both within AD and the other technology.
o I dislike that there is no true schema delete.
o I dislike the fact that I can't specify which branches of the tree replicate where.
o I dislike the fact that GUIDs are represented in multiple ways in the directory.
o I dislike the implementation of property sets especially since they could be so incredible awesomely cool. Specifically I dislike that an attribute can only be in a single property set.
o I dislike creator/owner on SDs.
o I dislike the lack of configurable business rules.
o I dislike the fact that I can't run multiple domains on a single domain controller.

Etc etc. I have more but let's see what others say. Everyone pipe up. Let's pretend that MS will actually see this, let's further say let's pretend MS AD Developers will see this. What would you tell them if you were sitting in the room with them?

joe

[1] I do not consider GPOs to be part of AD. They are a technology that leverages AD.
RE: [ActiveDir] Account lockout
Look in the security event logs on the domain controller and it will tell you what machine the lockout is coming from. You will have to check all the DCs until you find the one that is authenticating the account and locking it out. MS has tools to do this for you.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jake Stabl
Sent: Tuesday, August 02, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account lockout

Well I did just change password and I don't think I am being a service on a computer anywhere. I have changed my password in the past roughly a month ago and no problem.. Trying to figure out how to log this on the servers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 02, 2005 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account lockout

Did you recently change your password and now it's occurring? Have you used your account as a service on a server?

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jake Stabl
Sent: Tuesday, August 02, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account lockout

Good day everyone. Here is a crazy problem I am having today. I am logged on to my laptop writing emails and administering my domain and then all of a sudden my account will get locked out.. Just about every 5 minutes this is happening and I don't really know why? Where can I start looking to fix this?? I am lost.

Jake
RE: [ActiveDir] Doubletake(OT)
We use DoubleTake on a number of DAS based File/Print servers in our distributed environment that are fairly large (~1 TB). We implemented it when we had some server failures that created extended outages for clients while we recovered data from backup tapes. Our current implementation is locally across a dedicated NIC to a stand by server that can take over if we lose the primary. In our configuration and failover or failback is a manually initiated process. It seems to work pretty well but there are some limitations. We briefly considered using it for Exchange and it may work for smaller environments but I was not comfortable using it in a medium or large exchange shop. I can't speak to SQL.

Bottom line, it seems to work well for File servers but I would not go farther than that. There seems to be better ways of addressing the other systems. We are taking a close look at FRS that is in R2. We are hoping that MS got it right this time... ;-)

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, July 06, 2005 11:07 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Doubletake(OT)

Anyone using Doubletake out there? My manager is interested in purchasing it and I was wondering what you guys think of it, yea or nay. In my environment it doesn't seem to make sense except as to file servers. DC's have built in redundancy if you have more than 1 and we have an active/passive exchange2k3 cluster plus with RSG and/or dial tone restore, it doesn't seem to apply here as well. For MS SQL we are using a log shipping solution. So I was just wondering if anyone out there had experience with this or a similar product and how they are using it and if it's worth it to get.

Thanks a lot.
RE: [ActiveDir] Doubletake(OT)
Tom:

From the limitations perspective, in our testing, we found that the application worked well on the FP boxes but we found it sensitive to accidental mis-configuration and difficult to recover from these issues. We set a policy that only those trained on the configuration and operation were to do any admin work on the DoubleTake systems. I can go into more issues off list if you want. I was involved in some of the initial work at our Company but that has since moved to another team.

As far as exchange, I've worked with Exchange since 4.0 and understand the nature of the beast so to speak. With all the inherent issues around I/O as well as the DB being in an inconsistent state from the time you start the services (RAM, Cache, logs, etc) and our perceived touchiness around DoubleTake, I could not see introducing it into our exchange environment (~20K users). Maybe it was an unjustified prejudice. We pride ourselves in running a pretty good exchange shop in regards to availability, etc. and I did not want to risk that.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 07, 2005 7:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Doubletake(OT)

Can you elaborate further on why you don't feel comfortable using it with Exchange as well as what you think the limitations are, if you don't mind?

Thanks a lot.

Ayers, Diane wrote:

We use DoubleTake on a number of DAS based File/Print servers in our distributed environment that are fairly large (~1 TB). We implemented it when we had some server failures that created extended outages for clients while we recovered data from backup tapes. Our current implementation is locally across a dedicated NIC to a stand by server that can take over if we lose the primary. In our configuration and failover or failback is a manually initiated process. It seems to work pretty well but there are some limitations.
We briefly considered using it for Exchange and it may work for smaller environments but I was not comfortable using it in a medium or large exchange shop. I can't speak to SQL.

Bottom line, it seems to work well for File servers but I would not go farther than that. There seems to be better ways of addressing the other systems. We are taking a close look at FRS that is in R2. We are hoping that MS got it right this time... ;-)

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, July 06, 2005 11:07 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Doubletake(OT)

Anyone using Doubletake out there? My manager is interested in purchasing it and I was wondering what you guys think of it, yea or nay. In my environment it doesn't seem to make sense except as to file servers. DC's have built in redundancy if you have more than 1 and we have an active/passive exchange2k3 cluster plus with RSG and/or dial tone restore, it doesn't seem to apply here as well. For MS SQL we are using a log shipping solution. So I was just wondering if anyone out there had experience with this or a similar product and how they are using it and if it's worth it to get.

Thanks a lot.
RE: [ActiveDir] Load balancing LDAP request among my DCs
Not to hijack the thread but has anyone used a hardware based load balancer such as a BigIP appliance to load balance and/or fail over LDAP? We have some apps that have to be configured to a specific host and this was one idea floated up.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, June 13, 2005 7:20 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS? Check out this article http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx - it may relate to the PDC but applies to DCs in general too.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs

Hello,

I have a site with 4 DCs 2003. It seems that one of my DC can not deal with a large number of LDAP queries, GC Response and NTLM/Kerberos Auth. I misunderstand something but is my DC 2003 is able to check that it cannot deserve these queries and forward automatically these queries to another DC that is less busy ? In other words, can AD 2003 natively load-balance queries to another less busy DC ?

Regards,
Yann

== Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ==
RE: [ActiveDir] lastlogontimestamp-
I'm staying out of it. I'll let you guys settle it. :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 30, 2005 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Hey I was simply agreeing with Diane, she is the one that knew it was wrong. :o)

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, May 29, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

note to Deji
You just made joe's head bigger...
/note to Deji

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

I'll yield on this and stand corrected. Although I did not exactly remember reading about (or observing) this behavior, current materials I just consulted say that Joe and Diane are correct - as always.

note to self
Got to read more.
/note to self

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/27/2005 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Yes, I agree with you, it is incorrect. BDC's weren't entirely read only, non-replicating attributes such as last logon, bad password count, etc were written locally and yes you had to query all DCs to get an accurate accounting of what happened. If this were the architecture of NT4, the PDC would have burned to the ground in any decent sized enterprise.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, May 27, 2005 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

In NT4, all updates go up to the PDC. This is why you will get a true last login report

Not that my small wattage can hold a candle to the brain power for the others on the list but isn't this incorrect? IIRC, under NT 4.0 the last logon went to the authenticating DC. That is why you had to query all the DCs in a domain to get an accurate lastlogon value for an account. Updates to an account such as pwd changes, etc went to the DC.

Not that it really matters since NT 4.0 is no longer relevant.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

In NT4, all updates go up to the PDC. This is why you will get a true last login report. Post NT4, most updates take place on any DC, and lastlogon is one such update. Because it is possible that a user can be authenticated by different DC at different time, AND because lastlogon is NOT replicated between DCs, you will get different lastlogon report, depending on which DC you are querying for it. The reason you are getting a consistent report today is likely because you are querying the DC that logged you in today. If you query ANOTHER DC now, you will get a different result IF that DC had not authenticated you today.

Lastlogontimestamp was introduced in 2K3 to address this lack of correlation in a multi-DC environment. Lastlogontimestamp is eventually replicated and adjusted, so you will get more consistent result if you query multiple DCs for lastlogontimestamp.
Before lastlogontimestamp, you will have to query ALL your DCs for lastlogon, then you will have to compare the results they give you and find the most current in order to get a semblance of accurate last logon.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Fri 5/27/2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Hi Al,

Thank you for taking the time to reply, and I very much appreciate your effort on researching this. You know that I recall using USRSTAT on an NT4 Domain and it would show the Domain Controller that actually authenticated the user account, however it does not seem to display this output in an Active Directory Forest. Go figure..

BTW: My last logon is the correct time and I have logged in several times today.

Have a happy Memorial day weekend! Peace!

Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL
RE: [ActiveDir] lastlogontimestamp-
In NT4, all updates go up to the PDC. This is why you will get a true last login report

Not that my small wattage can hold a candle to the brain power for the others on the list but isn't this incorrect? IIRC, under NT 4.0 the last logon went to the authenticating DC. That is why you had to query all the DCs in a domain to get an accurate lastlogon value for an account. Updates to an account such as pwd changes, etc went to the DC.

Not that it really matters since NT 4.0 is no longer relevant.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

In NT4, all updates go up to the PDC. This is why you will get a true last login report. Post NT4, most updates take place on any DC, and lastlogon is one such update. Because it is possible that a user can be authenticated by different DC at different time, AND because lastlogon is NOT replicated between DCs, you will get different lastlogon report, depending on which DC you are querying for it. The reason you are getting a consistent report today is likely because you are querying the DC that logged you in today. If you query ANOTHER DC now, you will get a different result IF that DC had not authenticated you today.

Lastlogontimestamp was introduced in 2K3 to address this lack of correlation in a multi-DC environment. Lastlogontimestamp is eventually replicated and adjusted, so you will get more consistent result if you query multiple DCs for lastlogontimestamp. Before lastlogontimestamp, you will have to query ALL your DCs for lastlogon, then you will have to compare the results they give you and find the most current in order to get a semblance of accurate last logon.
HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Fri 5/27/2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Hi Al,

Thank you for taking the time to reply, and I very much appreciate your effort on researching this. You know that I recall using USRSTAT on an NT4 Domain and it would show the Domain Controller that actually authenticated the user account, however it does not seem to display this output in an Active Directory Forest. Go figure..

BTW: My last logon is the correct time and I have logged in several times today.

Have a happy Memorial day weekend! Peace!

Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Al Mulnick
Sent: Friday, May 27, 2005 1:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Part of the problem I see with your output below is that it doesn't show which domain controller you last logged on to. While that's not a problem if you have only one DC in your forest, it can be if you have more than that. LastLogon is not replicated. LastLogonTimeStamp is and as such you have to query each possible DC to find out the last logon. To make matters worse, there is a fix out there somewhere that causes ntlm auth to actually update this field (or am I just dreaming it? :)

In the end, you'll want more than just the lastlogon to figure out what a user is doing. You may be able to show something close, in which case lastlogontimestamp will show you plenty. I would likely forgo the int8 conversions and opt instead for the IADSUser if you don't need that accuracy.
For that matter, I'd likely forgo vbscript if I needed pinpoint accuracy because vbscript won't be as accurate with numbers as something like c# or perl or jscript or...

To figure out what users are doing, you'll want to look at the pwdLastSet attribute as well and possibly some other information to get a real feel for the usage patterns before automating some action. If I ever get the time, I still have some code lying around that does that kind of logic and spits out the accounts that way.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, May 27, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Hi Joe,

Quick question, I have always just used the NET USER /DOM (username ) at a command prompt which gives me the following output:

C:\Documents and Settings\jmedeiros>net user /dom jmedeiros
The request will be processed at a domain controller for domain Stargate.sg1.net.

User name                    jmedeiros
Full Name                    Medeiros, Jose
Comment
User's comment
Country code                 000 (System Default)
Account active
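An added sketch (not from the thread) of the procedure discussed above: ask every DC for its own lastLogon, convert the Integer8 values with exact integer arithmetic, keep the newest, and compare it with the replicated lastLogonTimestamp. DC names and all timestamps are constructed, and collecting the values from each DC is assumed to happen elsewhere.

```python
"""Resolve a user's most recent logon from per-DC lastLogon values.

lastLogon is kept separately on each DC, so every DC is asked and the newest
answer wins. Values are AD Integer8 timestamps: 100-nanosecond ticks since
1601-01-01 00:00 UTC. All readings below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks):
    """Integer8 (int or numeric string) -> aware UTC datetime.

    None, 0 and negative values mean "never" and return None.
    """
    ticks = int(ticks) if ticks is not None else 0
    if ticks <= 0:
        return None
    # Integer arithmetic only: floats lose precision at this magnitude.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Aware datetime -> Integer8 ticks (used here to build sample data)."""
    delta = moment - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def resolve_last_logon(per_dc):
    """Pick the newest lastLogon across DCs.

    per_dc maps DC name -> ticks, or None when that DC gave no answer.
    The result is only a lower bound while any DC is unanswered, so the
    caller gets the list of those DCs and a `complete` flag.
    """
    unanswered = sorted(dc for dc, ticks in per_dc.items() if ticks is None)
    answered = {dc: int(ticks) for dc, ticks in per_dc.items()
                if ticks is not None and int(ticks) > 0}
    if answered:
        dc = max(answered, key=answered.get)
        when = filetime_to_datetime(answered[dc])
    else:
        dc, when = None, None
    return {"when": when, "dc": dc,
            "unanswered": unanswered, "complete": not unanswered}


def replication_lag(per_dc, last_logon_timestamp):
    """How far the replicated lastLogonTimestamp trails the newest lastLogon."""
    newest = resolve_last_logon(per_dc)["when"]
    replicated = filetime_to_datetime(last_logon_timestamp)
    if newest is None or replicated is None:
        return None
    return max(newest - replicated, timedelta(0))


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed readings for one account, one entry per DC.
SAMPLE_LAST_LOGON = {
    "DC1": datetime_to_filetime(utc(2005, 5, 27, 20, 13)),
    "DC2": str(datetime_to_filetime(utc(2005, 5, 20, 8, 30))),  # as a string
    "DC3": 0,       # this DC never authenticated the account
    "DC4": None,    # no answer during the sweep
}
SAMPLE_LAST_LOGON_TIMESTAMP = datetime_to_filetime(utc(2005, 5, 18, 9, 0))

if __name__ == "__main__":
    result = resolve_last_logon(SAMPLE_LAST_LOGON)
    print("newest lastLogon:", result["when"], "on", result["dc"])
    print("DCs without an answer:", result["unanswered"])
    print("lastLogonTimestamp trails by:",
          replication_lag(SAMPLE_LAST_LOGON, SAMPLE_LAST_LOGON_TIMESTAMP))
```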
RE: [ActiveDir] Exchange and AD
Brenda:

Fire up ADSIedit and take a look at the Exchange Services container in AD (CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com) and verify that the Exchange groups have been applied to the container correctly. Exchange Domain Servers group "should" (don't have multiple systems to verify) have read access on this container and increased permissions on the "organizational" containers under this.. If they aren't there, then something went fubar in the Exchange setup...

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Monday, April 18, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

Yes, I have connectivity to a GC. The Exchange server is running on W2K3 (on a W2K domain) but is not a DC. Should there still be SRV records for it, and if so where exactly would I look for them as looking briefly I did not find them? The sites and subnets are defined properly and there is a corresponding subnet for the exchange server and the associated site.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, April 18, 2005 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

Do you have connectivity to a GC? Are the srv records in dns?

-----Original Message-----
From: Medeiros, Jose [mailto:[EMAIL PROTECTED]
Sent: Monday, April 18, 2005 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

Hi Brenda,

I would try and run Forestprep and Domainprep a second time. Once it is completed, reinstall Exchange and select just the systems manager option for the install. That should fix it.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Monday, April 18, 2005 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

Yes we did run setup/domainprep from the exchange cd. We believe that we have followed the entire setup procedure.
Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, April 18, 2005 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

did you run "Setup/ domainprep" off the exchange cd?

-----Original Message-----
From: Brenda Casey [mailto:[EMAIL PROTECTED]
Sent: Monday, April 18, 2005 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange and AD

During the install of Exchange, the Microsoft Exchange System Attendant is unable to start. After bypassing the start of this service during the install and then rebooting the server the following error is generated in the Application Log file.

Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. Wait for replication to complete and then check to make sure the computer account is a member of the "Exchange Domain Servers" security group.
For more information, click http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

We have read several KB articles, but have been unable to find a solution. Any help would be appreciated! (The Exchange Server computer account is not disabled, and does exist in AD).

Thanks,
Brenda
RE: [ActiveDir] OT: Exchange Transaction logs
If your Exchange backup is working correctly, you don't have to manage the logs. A correctly configured exchange aware backup will purge the logs for you after a successful backup. I suggest that you bone up on your exchange backup and recovery processes. As a start read the Exchange Server 2003 Disaster Recovery Operations Guide http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/disrecopgde.mspx

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, April 12, 2005 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Transaction logs

So let's say I get the backup software working correctly (Duh, I forgot to turn on the open file option)...will I ever need the transaction logs from say January of this year? The reason I ask is because for now I have just moved all logs older than February to another machine to free space. If I don't need to ever backup those transaction logs, then I will just delete them once I have verified that the backups are working correctly.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Tuesday, April 05, 2005 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Transaction logs

Not to be nit picky but it means you are not backing it up _correctly_. As Doug mentions, a correct on-line exchange backup will purge the logs on completion of the backup process.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stelley, Douglas
Sent: Tuesday, April 05, 2005 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Transaction logs

Transaction logs are automatically deleted upon successful backup of exchange. If you're getting a large collection of transaction logs, that means you are not backing up Exchange.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, April 05, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange Transaction logs

Just had a couple of questions about a couple things I can't seem to get a straight answer for. Is there a recommended length of time to hold on to Exchange transaction logs? Is there any reason to keep transaction logs around any further back than specified in the checkpoint file? Is it typical to enable circular logging, or does this somehow get you into some issues if a disaster does happen?

As always, THANKS for your advice/comments

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.
RE: [ActiveDir] Update Your PayPal Account Information
JS/Stealus.gen trojan as well

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Sunday, April 10, 2005 3:40 PM
To: [EMAIL PROTECTED]
Cc: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Update Your PayPal Account Information

Hi all, Anyone with Paypal accounts please do not send any information to this post. This is being forwarded to the Paypal security team.

Thanks,

Original Message Follows
From: io o
Reply-To: ActiveDir@mail.activedir.org
To: activedir activedir@mail.activedir.org
Subject: [ActiveDir] Update Your PayPal Account Information
Date: Mon, 11 Apr 2005 00:29:59 +0300

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Exchange Transaction logs
Not to be nit picky but it means you are not backing it up _correctly_. As Doug mentions, a correct on-line exchange backup will purge the logs on completion of the backup process.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stelley, Douglas
Sent: Tuesday, April 05, 2005 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Transaction logs

Transaction logs are automatically deleted upon successful backup of exchange. If you're getting a large collection of transaction logs, that means you are not backing up Exchange.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, April 05, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange Transaction logs

Just had a couple of questions about a couple things I can't seem to get a straight answer for. Is there a recommended length of time to hold on to Exchange transaction logs? Is there any reason to keep transaction logs around any further back than specified in the checkpoint file? Is it typical to enable circular logging, or does this somehow get you into some issues if a disaster does happen?

As always, THANKS for your advice/comments

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.
RE: [ActiveDir] OT:RPC over HTTP vs OWA
FWIW, there was a long conversation covering RPC over HTTP on the security basics mailing list. You can look at the archives to see if there was anything worth gleaning from the conversation.

Diane

http://www.securityfocus.com/archive/105/389606/2005-02-04/2005-02-10/1

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Wednesday, March 23, 2005 4:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:RPC over HTTP vs OWA

Thanks for your comments! As I said, Much appreciated!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may include proprietary or protected information. If you are not the intended recipient, please notify me, delete this message, and do not further communicate the information contained herein without my express written consent.

From: Dave A. Marquis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 22, 2005 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:RPC over HTTP vs OWA

Our Org is using both RPC and OWA and I have to say that RPC with ISA 2004 is sweet. My 2 Cents.

Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, March 22, 2005 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:RPC over HTTP vs OWA

You're right, I meant UNLOCKING accounts not enabling them! As for the lockout time... it is available in 2k too.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 22, 2005 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:RPC over HTTP vs OWA

OWA allows for two-factor authentication such as SecurID and Windows Password. RPC over HTTP does not have that capability that I have seen.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Tuesday, March 22, 2005 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:RPC over HTTP vs OWA

Hey all, I was wondering what everyone's thoughts were about using RPC over HTTP vs Outlook Web Access? Is one more secure than the other? What were the reasons you implemented one and not the other? Any insight is always much appreciated!

Thanks!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may include proprietary or protected information. If you are not the intended recipient, please notify me, delete this message, and do not further communicate the information contained herein without my express written consent.

This e-mail message, including all attachments, is for the sole use of the intended recipients(s) and may contain confidential and privileged information. You may NOT use, disclose, copy, or disseminate this information. If you are not the intended recipient, please contact the sender by reply e-mail immediately. Please destroy all copies of the original message and all attachments.
RE: [ActiveDir] AD Database Corrupt
The one instance that we had a corrupt database, we used this method as well. Fortunately we had enough redundancy to allow the demotion of the server and not affect any services. It was also fortunate that we had high connectivity between the DCs to allow a full copy of the directory to be replicated to the newly re-promoted server. The initial triage process that we started was similar to what ~Eric suggested but it made sense to just demote and start over with a new clean copy of the directory.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 08, 2005 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database Corrupt

I would have to tend to agree with this. I am also a fan of wipe the machine, test for hardware issues, and start over. You may find the issue if you troubleshoot but in every occasion where I have gone into the troubleshooting process on a dead DIT I ended up rebuilding anyway, usually have the DC sitting there dead a day or four with no answers.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Tuesday, March 08, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database Corrupt

If possible, remove the DC from the domain, and do the NTDSUTIL clean-up, and just rebuild it. Check your Anti-virus config to make sure it isn't possibly configured to scan the AD databases. Also check the hardware to make sure you don't have a controller card or HD issue. Unless there is a reason to try to save the box, I would just rebuild them.

Todd

-Original Message-
From: Jacob Walker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 08, 2005 7:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Database Corrupt

One of our 60 AD DC's has stopped replicating. All of the others are still replicating fine. On the problem DC, we are seeing the following in the Directory Service log in event viewer:

Event Source: NTDS ISAM
Event Category: Database Corruption
Event ID: 467
Description: NTDS (536) NTDSA: Index INDEX_00020078 of table datatable is corrupted (0).

Event Source: NTDS Replication
Event Category: Replication
Event ID: 1084
Description: Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller.
Object: distinguished_name_path_of_object_that_failed_to_write_to_local_database
Object GUID: 32_character_alpha-numeric_object_GUID
Source domain controller:object_GUID_for_source_domain_controller's_NTDSDSA_object._ms dcs. forest root domain
Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected. This operation will be tried again at the next scheduled replication.

We have looked at MS article 837932, but nothing seems to apply. And, the corruption location seems to be in the domain database from what we see in the details of the one error above and from the results of repadmin /showreps. At this point, is there anything that can be done for this DC other than restoring or demoting and re-promoting? Unfortunately, we will be unable to do a restore because we backup the System State on some of our DC's, but not this particular one. The one saving grace is that it is a remote office DC and not one of our primary DC's or FSMO role holders.

Any suggestions?
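With 60 DCs, the pattern Jacob describes (Event ID 467 from NTDS ISAM, then Event ID 1084 from NTDS Replication on the same DC) can be picked out of exported Directory Service logs. The following is an added example, not code from the thread; the pipe-delimited export format, the host names and the verdict labels are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: Directory Service log entries exported as
# "timestamp|computer|source|event id|message". Host names are made up;
# the 467 message text is the one quoted in the thread.
SAMPLE_EXPORT = """\
2005-03-07T22:14:03|DC-BRANCH17|NTDS ISAM|467|NTDS (536) NTDSA: Index INDEX_00020078 of table datatable is corrupted (0).
2005-03-07T22:29:41|DC-BRANCH17|NTDS Replication|1084|Internal event: Active Directory could not update the following object with changes received from the following source domain controller.
2005-03-07T23:29:40|DC-BRANCH17|NTDS Replication|1084|Internal event: Active Directory could not update the following object with changes received from the following source domain controller.
2005-03-07T22:30:02|DC-HQ01|NTDS Replication|1084|Internal event: Active Directory could not update the following object with changes received from the following source domain controller.
2005-03-07T22:31:00|DC-HQ02|NTDS General|1000|Microsoft Active Directory startup complete
this line is malformed and must be skipped
"""

# Matches the description text of the database corruption event (ID 467).
CORRUPT_RE = re.compile(r"Index (\S+) of table (\S+) is corrupted")


def parse_export(text):
    """Parse the assumed export format, skipping lines that do not fit it."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", 4)]
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append({"when": when, "host": parts[1].upper(),
                       "source": parts[2], "id": int(parts[3]),
                       "message": parts[4]})
    return events


def triage(events):
    """Group 467/1084 events per DC and label each DC with a verdict."""
    corrupt = defaultdict(set)      # host -> {(index, table)}
    first_corrupt = {}              # host -> time of first 467
    repl_fail = defaultdict(list)   # host -> times of 1084 events
    for ev in sorted(events, key=lambda e: e["when"]):
        host = ev["host"]
        if ev["id"] == 467 and ev["source"] == "NTDS ISAM":
            m = CORRUPT_RE.search(ev["message"])
            corrupt[host].add(m.groups() if m else ("unknown", "unknown"))
            first_corrupt.setdefault(host, ev["when"])
        elif ev["id"] == 1084 and ev["source"] == "NTDS Replication":
            repl_fail[host].append(ev["when"])

    report = {}
    for host in sorted(set(corrupt) | set(repl_fail)):
        after = [t for t in repl_fail.get(host, [])
                 if host in first_corrupt and t >= first_corrupt[host]]
        if host in corrupt and after:
            # The combination seen in the thread: local index corruption,
            # then inbound changes that cannot be written.
            verdict = "local-db-corruption"
        elif host in corrupt:
            verdict = "corruption-no-replication-failure-yet"
        else:
            # 1084 without 467 has other causes; investigate separately.
            verdict = "replication-failure-only"
        report[host] = {"verdict": verdict,
                        "indexes": sorted(corrupt.get(host, set())),
                        "replication_failures_after": len(after)}
    return report


if __name__ == "__main__":
    for host, finding in triage(parse_export(SAMPLE_EXPORT)).items():
        print(host, finding)
```

A DC reported as `local-db-corruption` is the candidate for the demote-and-rebuild route the replies recommend, after the hardware and anti-virus checks Todd lists.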
RE: [ActiveDir] Citrix GPO Application
We have a very similar situation. The Citrix MetaFrame boxes are in the same OU as other servers. We created two policies for the Citrix settings. One for the machine policies and one for the user policies. We also created two groups, one for the Citrix machines and one for the Citrix users. The machine policy is filtered so that it only applies to the members of the Citrix servers group in that OU. The Citrix user policies are applied via loopback processing and filtered by the Citrix Users group so that the user policies are only applied to members of the Citrix Users group when they log onto the MetaFrame servers (including terminal sessions). Just don't put your Citrix admins in the Citrix users group and they won't have the policies applied when they log onto the box.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James
Sent: Tuesday, February 08, 2005 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Citrix GPO Application

I'm struggling with an issue that I'd like to get some insight on. I'm building a new Citrix Metaframe XPs machine that I need to apply a group policy to. However, I don't want this policy to affect administrators, only users. Because of the way our AD is structured, I can only apply these settings to the OU with the server, not to the OU's with the users. Is there any way I can tell the GPO to ignore administrative users and only apply to regular users that log in to the machine?

-James R. Rogers

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Printing Distribution Lists
here's my "I'm not a programmer but I play one on TV" approach... Dumps to an excel spreadsheet. Easily modifiable to even the programming challenged like me...

Diane

---

    On Error Resume Next
    CRLF = Chr(13) + Chr(10)

    ' Ask for the distinguished name of the group and bind to it
    strADName = InputBox("Enter Complete LDAP DN for desired group", "Group Name?", "CN=Listname,OU=Groups,DC=Company,DC=COM")
    Set GroupObj = GetObject("LDAP://" & strADName)
    WScript.Echo "Getting group Membership for " & strADName
    If Err.Number <> 0 Then
        WScript.Echo "Failed to connect to " & strADName
        WScript.Quit
    End If

    Set memberlist = GroupObj.Members

    ' Start Excel and name the sheet after the group
    Set objExcel = WScript.CreateObject("Excel.Application")
    objExcel.Visible = True
    objExcel.Workbooks.Add
    objExcel.ActiveSheet.Name = GroupObj.SAMAccountName
    objExcel.ActiveSheet.Range("A1").Activate

    objExcel.ActiveCell.Value = "ID"                          'col header 1
    objExcel.ActiveCell.Offset(0,1).Value = "Last Name"       'col header 2
    objExcel.ActiveCell.Offset(0,2).Value = "First Name"      'col header 3
    objExcel.ActiveCell.Offset(0,3).Value = "Address"         'col header 4
    objExcel.ActiveCell.Offset(0,4).Value = "Office"          'col header 5
    objExcel.ActiveCell.Offset(0,5).Value = "Internal Phone"  'col header 6
    objExcel.ActiveCell.Offset(0,6).Value = "External Phone"  'col header 7
    objExcel.ActiveCell.Offset(0,7).Value = "Mobile"          'col header 8
    objExcel.ActiveCell.Offset(1,0).Activate                  'move 1 down

    ' One row per member; the length test is kept exactly as posted
    For Each member In memberlist
        If Len(member.SAMAccountName) = 4 Then
            objExcel.ActiveCell.Value = member.SAMAccountName
            objExcel.ActiveCell.Offset(0,1).Value = member.sn
            objExcel.ActiveCell.Offset(0,2).Value = member.givenName
            objExcel.ActiveCell.Offset(0,3).Value = member.streetAddress
            objExcel.ActiveCell.Offset(0,4).Value = member.physicalDeliveryOfficeName
            objExcel.ActiveCell.Offset(0,5).Value = member.telephoneNumber
            objExcel.ActiveCell.Offset(0,6).Value = member.otherHomePhone
            objExcel.ActiveCell.Offset(0,7).Value = member.mobile
            objExcel.ActiveCell.Offset(1,0).Activate
        End If
    Next

    Set GroupObj = Nothing
    WScript.Echo "Done"
    WScript.Quit

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Monday, December 13, 2004 11:49 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Printing Distribution Lists

Running Exchange 2003 and ad 2000 (not on the same box). Is there a way to allow user to print out DL membership? Thanks.

-Christine

Christine N. Allen
Citrix/Windows 2000 Engineer
BMC Healthnet Plan
One Design Center Place
Boston, MA 02210
Work: 617-748-6034
Cell: 617-290-4407
RE: [ActiveDir] Exchange Latency
One option is to have the users switch to Outlook 2003 and run it in "local cached mode"

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, December 06, 2004 9:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange Latency

A couple of our users who split their time between two of our sites (NY, LA). The problem is that no matter where we store these users' mailboxes, when they are at the other site, they experience latency. I am not sure there is much that can be done about this, but I have been asked to see if the problem can be alleviated. One suggestion I got was to have the users' mailboxes replicated between the two sites. Another suggestion was to have the users' mailboxes stored on a network drive on one site that is mapped to the other site. I am not sure the first suggestion is possible and I do not see the point of the second solution. Anyway, does anybody have any suggestions?

_
Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.
RE: [ActiveDir] Exchange Latency
You can use Outlook 2003 against Exchange 2000. The local cached mode is a specific configuration of Outlook 2003 on the client side. No server config work is required.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, December 06, 2004 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange Latency

The problem is that we are not upgrading to Ex2k3 and have no plans to do so in the near future.

_
Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, December 06, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange Latency

I'm not quite sure what you mean by latency. But cached mode in Outlook 2003 goes a long way to alleviating many of these types of complaints. If you can combine that with Exchange 2003 on the backend, so you get compression and buffer packing, that can help a great deal as well.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, December 06, 2004 12:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange Latency

A couple of our users who split their time between two of our sites (NY, LA). The problem is that no matter where we store these users' mailboxes, when they are at the other site, they experience latency. I am not sure there is much that can be done about this, but I have been asked to see if the problem can be alleviated. One suggestion I got was to have the users' mailboxes replicated between the two sites. Another suggestion was to have the users' mailboxes stored on a network drive on one site that is mapped to the other site. I am not sure the first suggestion is possible and I do not see the point of the second solution. Anyway, does anybody have any suggestions?

_
Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.
RE: [ActiveDir] Stress testing and performance analysis of domain controllers
Wouldn't this be dependent on the volume of changes that you see in your environment? With Exchange and its accompanying volume of changes, moving the log files to separate spindles is, as you say, a no-brainer. However in our AD environment, we see very low volume of changes. We get maybe 50 MB of log files a day at most. Our server design for our Win2K AD deployment was to design a DC like an Exchange server with oodles of disks and separate spindle sets for the OS, DB and logs but we found that this layout was a major overkill. For our Win2K3 upgrades to our domain controllers, we are using less disks and combining the OS and log spindles. We are still beefing up the memory and processors which in our environment seem to be the most critical components. Our DIT is ~1 GB.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, December 06, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Stress testing and performance analysis of domain controllers

Definitely, putting DIT and logs on separate spindles is a no-brainer and guaranteed to improve things.

Gil I agree with everything Al has ever said Kirkpatrick
CTO, NetPro

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, December 06, 2004 10:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Stress testing and performance analysis of domain controllers

I think you can get what you want using the below tool in conjunction with http://www.microsoft.com/downloads/details.aspx?FamilyID=4814fe3f-92ce-4871-b8a4-99f98b3f4338&DisplayLang=en

Using the /3gb switch is often recommended, but your biggest benefit will likely come from the disk layout. If you can get both, that's great, but the disk would be the one to really fight for if something has to give. That said, it's rumored that 64bit Windows does a nice job as well. I couldn't speak to that however.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Monday, December 06, 2004 12:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Stress testing and performance analysis of domain controllers

maybe the Server Performance Advisor? : http://www.microsoft.com/downloads/details.aspx?FamilyID=61a41d78-e4aa-47b9-901b-cf85da075a73&displaylang=en or http://tinyurl.com/46wd3

hth,
john

Ruston, Neil wrote:

As part of a more general AD design refresh, I am re-visiting the DC hardware and OS configuration. I am proposing several changes to the DC spec, including the adoption of the following:

* Use 4Gb RAM
* Use /3gb switch
* Place AD logs and database on separate disk spindles

In order to 'sell' this idea, I would like to demonstrate the effective increase in 'horse power' that the above offers. I am therefore looking for a tool which can help me to show that a DC with config A can handle load x whilst DC spec B can handle load y. Ideally, this tool will act much like loadsim and simulate a load on the DC so as to identify the maximum load that each config is capable of handling. Is there such a tool available on the market?

Thanks in advance,
Neil

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Master Browser
Dusting off the old NT 4.0 memories... Key point is that browsing is not related to name resolution at all. Browsing is a simple NetBIOS based directory that allows users to find resources. Connecting to the resource either by clicking on an object in the browse list or by manually connecting (via the run command, net use, etc.) still relies on the underlying name resolution process in your environment (WINS, etc.) Browse list functionality may be hit or miss. My favorite line was browsing sucks. If your name resolution process is working and robust then let the Network Neighborhood stuff do its thing... Just educate the users on the nature of the beast.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, November 15, 2004 11:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

So, really the only thing this service does is allow users to click through the Network Neighborhood (or its successors). Is it correct that it does not prevent users from finding devices from the run line or (obviously) from mapped drives? As for publishing shares from workstations ... (zoinks!) you may have bigger fish to fry! ;-)

-- nme

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

I personally favor disabling it on all workstation machines. There's little harm in leaving it running on servers, even non DC's. The big question is whether or not it's needed - are the browse list issues relevant enough to fix. In other words, is there a minor change to usage that would eliminate the issue entirely? The biggest place I'd expect to see this is if users are publishing shares from their own machines.

Roger Seielstad
E-mail Geek
MS-MVP

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
Sent: Monday, November 15, 2004 4:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

Do you still suggest turning it off on all servers and workstations (as per your KB article), even in an all W2K or better environment? We have done so (via group policy) for quite some time, but recently ended up having to defend this decision to an admin in one of our other offices, because he was encountering browse list issues in his domain. (We have left it running on the Domain Controllers only.)

Tyson.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Monday, November 15, 2004 10:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Master Browser

Turning off the service is a *much* better approach and doesn't generate any errors in the EventLog.

- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/

On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED] wrote:

I wouldn't turn off the service - I would (and do) go into the registry and tell the box it is NOT a Master Browser and NOT to maintain a list

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Monday, November 15, 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

To stop this error message, you will need to turn off the Computer Browser service. The error message is actually an informational message telling you about the browser status of computer CCDC01.

Ken Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Monday, November 15, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Master Browser

One of my DC's is returning the following error and I'm not sure what to do:

The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005

This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore.

Thanks
Jake

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Master Browser
IIRC domain master browsers will register themselves with WINS (don't recall the hex code anymore) and the subnet master browsers will use this info to populate the list of domains. However the mechanism for resolving the host name to an IP address is separate.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Tuesday, November 16, 2004 7:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Master Browser

If I remember right, I thought WINS would make your browse list if the Master Browser on Subnets were not available.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Tuesday, November 16, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

Dusting off the old NT 4.0 memories...

Key point is that browsing is not related to name resolution at all. Browsing is a simple NetBIOS based directory that allows users to find resources. Connecting to the resource either by clicking on an object in the browse list or by manually connecting (via the run command, net use, etc.) still relies on the underlying name resolution process in your environment (WINS, etc.)

Browse list functionality may be hit or miss. My favorite line was browsing sucks. If your name resolution process is working and robust then let the Network Neighborhood stuff do its thing... Just educate the users on the nature of the beast.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, November 15, 2004 11:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

So, really the only thing this service does is allow users to click through the Network Neighborhood (or its successors). Is it correct that it does not prevent users from finding devices from the run line or (obviously) from mapped drives?

As for publishing shares from workstations ... (zoinks!) you may have bigger fish to fry! ;-)

-- nme

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

I personally favor disabling it on all workstation machines. There's little harm in leaving it running on servers, even non DC's.

The big question is whether or not it's needed - are the browse list issues relevant enough to fix. In other words, is there a minor change to usage that would eliminate the issue entirely?

The biggest place I'd expect to see this is if users are publishing shares from their own machines.

Roger Seielstad E-mail Geek MS-MVP

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
Sent: Monday, November 15, 2004 4:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

Do you still suggest turning it off on all servers and workstations (as per your KB article), even in an all W2K or better environment? We have done so (via group policy) for quite some time, but recently ended up having to defend this decision to an admin in one of our other offices, because he was encountering browse list issues in his domain. (We have left it running on the Domain Controllers only.)

Tyson.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Monday, November 15, 2004 10:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Master Browser

Turning off the service is a *much* better approach and doesn't generate any errors in the EventLog.

- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/

On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED] wrote:

I wouldn't turn off the service -- I would (and do) go into the registry and tell the box it is NOT a Master Browser and NOT to maintain a list

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Monday, November 15, 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

To stop this error message, you will need to turn off the Computer Browser service. The error message is actually an informational message telling you about the browser status of computer CCDC01.

Ken Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Monday, November 15, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Master Browser

One of my DC's is returning the following error and I'm not sure what to do:

The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser.
Event ID 8005

This DC holds none
RE: [ActiveDir] 64 Bit?
I guess my questions are general. I can see some advantages on shifting to a 64 bit platform for AD services but since the company I work for is definitely not bleeding edge, I was looking for what the general adoption rate of the 64 bit platform was. Our deployment can be considered (as compared to some of the more global deployments) somewhat centralized. Our DIT is ~1GB in size. The down side is that the "3rd party" tools and products have not really jumped on the 64 bit bandwagon yet.

The main focus of my original question was more along the lines of whether other organizations had plans to shift to the 64 bit platform and when. If you've already shifted, what were some of the benefits and issues you saw.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, November 08, 2004 6:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 64 Bit?

I have worked with several environments that had 64bit DCs. All had DITs that were =8GB in size. What sorts of questions do you have?

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane
Sent: Monday, November 08, 2004 6:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 64 Bit?

All:

Is anyone looking at using the 64 bit platform for their AD domain controllers? We're doing a life cycle replacement of our hardware next year and was wondering if anyone has gone down this path. I sat through some of the Web casts but is there anyone running 64 bit in the "real world" ;-)

Diane
[ActiveDir] 64 Bit?
All:

Is anyone looking at using the 64 bit platform for their AD domain controllers? We're doing a life cycle replacement of our hardware next year and was wondering if anyone has gone down this path. I sat through some of the Web casts but is there anyone running 64 bit in the real world ;-)

Diane
RE: [ActiveDir] AD OpenLDAP
Just to echo Justin's comment, the BIG difference between NT 4.0 and Active Directory is the integration/dependence on your DNS environment. In addition to the integration into your other LDAP sources, DNS is an area that you should focus some time on before you create your Active Directory namespace.

Based on your environment, I'm assuming that you are running BIND for your DNS services. BIND fully supports AD but there are a couple of items that you'll need to address. Cricket Liu has some good info on BIND and Active Directory that you can read to help get you up to speed.

http://www.google.com/search?num=20hl=enlr=newwindow=1q=Cricket+Liu+DNS+Active+Directory

Of course, if you're not running BIND, you can ignore this email... ;-)

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, November 04, 2004 6:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD OpenLDAP

AD comes with Windows 2003 you just have to run DCPROMO on the server and be sure that you have DNS configured since AD cannot exist without DNS

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Romeyn Prescott
Sent: Thursday, November 04, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD OpenLDAP

Greetings.

I have just joined this list and I know next to nothing about Active Directory. We support most of our services with Linux whenever possible and still have an NT4 Domain Controller which will soon be replaced by a Linux box running Samba. The NT PDC is NOT the authoritative source for our user account info, however. That is sync'd with another server via some custom code that was written by one of our sysadmins.

My chief responsibility is Computer Lab/Classroom support, and I have been stuck using gpedit at the local level, not having had a Win2000 or 2003 server to play with, let alone AD. That is changing. We have just purchased a Windows 2003 server to meet another need, and I have a couple of questions which I hope are not out of line for this list:

1) Does Active Directory come with Server 2003, or is it some sort of add-on which must be purchased separately. (Microsoft's web site seems, in at least one location, to indicate that it comes with it, but I just want to be sure.)

2) We have a relatively new OpenLDAP server (also running on Linux) which also mirrors our account base. Given that we do NOT want the Windows 2003 server to be the source for our user accounts, is it possible to tell it to synchronize with an OpenLDAP server? Is such a task trivial, complicated, or impossible?

I thank you in advance for your time,

...ROMeyn
--
signat-url: http://www2.potsdam.edu/prescor/signat-url.htm
RE: [ActiveDir] Mac OS X and SMB
I don't know squat about Apple but you probably have SMB signing set in your domain policies and Apple probably does not support SMB signing. Once you moved the server into AD, it received the domain policies, breaking the Apple access.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Thursday, November 04, 2004 11:59 AM
To: [EMAIL PROTECTED]
Cc: Canzoneri, Kurt; Kusch, Tom
Subject: [ActiveDir] Mac OS X and SMB

Hello!

We had an issue last night where we took a Windows 2003 Server and moved it to our 2003 AD. We have Macs that access shares on that server and after the move to AD we were unable to open files in Quark 6 via SMB. AppleTalk worked fine but the file association with SMB was wrong. Any clues?!

Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.
RE: [ActiveDir] BDC upgrade
Ditto. Used it once to "demote" a BDC that was also a time source in the NT 4.0 world. Wanted to keep the server but didn't want it to be a BDC anymore. Best $99 bucks spent as far as saved time, etc.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian L.
Sent: Wednesday, October 20, 2004 4:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

We have used this tool on two occasions and it worked flawlessly both times. We went into it knowing the risks and ramifications. In the end it saved us days of work which was the alternative and well worth the risk.

~Brian

From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

http://utools.com/UPromote.asp

BR
Rob

From: [EMAIL PROTECTED] on behalf of Perdue David J Contr InDyne/Enterprise IT
Sent: Wed 20/10/2004 23:59
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] BDC upgrade

I think this is the one you are talking about Brian. It's formerly Aelita, but now is Quest.

http://wm.quest.com/products/domainmigrationwizard/

They've got a product that will "demote" a NT4 PDC/BDC. It's pretty slick. And totally not supported by MS.

Dave

David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, October 20, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

Have you looked into the File Server Migration Toolkit from MS? It's a utility for moving file servers and it includes a patch for 2003 that makes it so the old server name still works - utilizes a SP1 feature called DFS Consolidation Roots.

That aside, I forget who (been awhile), but somebody makes a hundred dollar utility which will let you convert a BDC to a member server. It's totally unsupported by MS, so if stuff breaks, you may be out of luck. I'd look towards the migration kit mentioned above, myself.

Thanks.
--
Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Janson Anderson
Sent: Wednesday, October 20, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] BDC upgrade

Hi all,

I'm merging/upgrading some NT 4 domains together. Domain A and Domain B are both account and resource domains. I've upgraded Domain A to 2003, and am planning to migrate users and computers from Domain B into Domain A using ADMT v2. Domain B is small. In fact when I took over it consisted of a single PDC that had all files on it. I've since added a second DC and transferred the PDC role to it.

So, to get to my question: The BDC in Domain B has all the files of the Users I am going to be transferring. Is there any way to upgrade this BDC to a 2003 member server without upgrading the domain to 2k3 AD first? I would then just move it to domain A as a member server using ADMT. From what I've read it seems the only way would be to upgrade the PDC to 2k3, then upgrade this bdc to 2k3 then dcpromo it down to a member server. Is this the route I have to take, or is there an easier way?

Thanks in advance for the help.
RE: Re[2]: [ActiveDir] DNS naming confused
Your Exchange SMTP addresses are assigned separately. Your domain could be JoeBagOfDoughnuts.com and your email address can be DoughnutHoles.com

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sveta
Sent: Saturday, October 16, 2004 5:35 PM
To: Deji Akomolafe
Subject: Re[2]: [ActiveDir] DNS naming confused

Hi Deji,

Thank how it will look if I install exchange server on top of it if I call it company.com and one of the clients (of course president) goes to trip with the laptop, then if I send e-mail to [EMAIL PROTECTED] it will stay in local exchange mailbox, it will never will go out to isp company.com email server

Sveta

--
Best regards,
Sveta mailto:[EMAIL PROTECTED]

Saturday, October 16, 2004, 5:42:00 PM, you wrote:

You could name it anything you want. You could call it company.local. Or you could call it company.com. If you call it company.com, be prepared to host and maintain an internal company.com zone, which MUST be separate from your external company.com zone and must not be hosted on the same DNS server.

The most important point (IMO) is that you MUST ensure that ALL your internal servers and clients are configured to use ONLY the INTERNAL DNS server(s) in TCP/IP. No room for external DNS servers anywhere in your internal Domain, except on the Forwarders tab of your DNS server configuration - if you want them to do forwarding.

Another important thing is that you should NOT name it company (single-label). Single-label will hurt you.

Hope I haven't confused you too much :)

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Sveta
Sent: Sat 10/16/2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS naming confused

Hi

I have scenario, one server win 2003 std, confused with the dns naming, we have company.com, but it hosted somewhere else mail and web, what I should name my new installation only one server 10 users file server
RE: [ActiveDir] Off-topic sorta
Bad idea to place an Exchange server in the DMZ. Better choice would be to use ISA 2004 in the DMZ to publish OWA, OMA and http over RPC to the external users. See http://www.isaserver.org for more info. I was fairly impressed with ISA 2004. Not as a firewall but being able to securely publish internal content.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, October 06, 2004 1:51 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Off-topic sorta

I've been asked to open ports:

tcp 135
tcp/udp 389
tcp/udp 88
tcp 3268
tcp 691

So we can have an exchange front end server on our DMZ talk to exchange backend server on our internal network. Has anyone done this and what's the security implications of this?

~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~
RE: [ActiveDir] Off-topic sorta
I'm not a DMZ/firewall person but generally the sheer number of ports, etc that you have to open between the DMZ and the internal network is not a "good thing". Additionally for boxes that are in the DMZ, they should be configured as highly secure boxes and that tends to break Exchange. I have never seen any of the exchange "pundits" recommend placing an exchange server in the DMZ...

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, October 06, 2004 2:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Off-topic sorta

Even though it's just a front-end server? What are the security implications?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Ayers, Diane
Sent: Wednesday, October 06, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Off-topic sorta

Bad idea to place an Exchange server in the DMZ. Better choice would be to use ISA 2004 in the DMZ to publish OWA, OMA and http over RPC to the external users. See http://www.isaserver.org for more info. I was fairly impressed with ISA 2004. Not as a firewall but being able to securely publish internal content.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, October 06, 2004 1:51 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Off-topic sorta

I've been asked to open ports:

tcp 135
tcp/udp 389
tcp/udp 88
tcp 3268
tcp 691

So we can have an exchange front end server on our DMZ talk to exchange backend server on our internal network. Has anyone done this and what's the security implications of this?
RE: [ActiveDir] Off-topic sorta
As my co-worker says... Harumph (I agree) :-)

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 06, 2004 5:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Off-topic sorta

I second that, and deduct a DINING Services point from Douglas M :)

Russ, ISA is not that expensive. It's the best way (IMNSHO) to go. Given the amount of open ports and gyrations you'd have to do if you don't use ISA (or similar), you are buying a lot of eases (ease of deployment, ease of management/administration, ease of being able to sleep well at night - with both eyes closed) and the added satisfaction of knowing that you've done it the right way and made it difficult for the malicious ones to attack you.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Rick Boza
Sent: Wed 10/6/2004 2:47 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Off-topic sorta

Actually, it's not necessarily a bad thing to drop a front end server into the DMZ, but to do so you will most certainly want to be sure to apply the hack to the end-point mapper (which will allow you to control the precise port used by RPC). There are plenty of good articles and papers for using an FE server in the DMZ (for example, check http://support.microsoft.com/default.aspx?scid=kb;en-us;280132 for info on the ports needed). At that point, it becomes very important to monitor all the traffic passing thru those ports.

The reverse proxy solution is simpler and more secure. You don't need to drop a domain member into the DMZ, you drop a stand-alone server with ISA on it and let it handle everything through a single port. Typical scenarios have 443 on the public firewall open to the ISA box, and a single port (usually a remapped port, but could be 443 again or even 80) open between the ISA box and your front-end server on the internal-facing firewall. You can even wrap that one in IPSec if you want. The other nice plus with using ISA is it will do a stateful packet inspection as it proxies, giving you even more added security - a nice bonus if you're a fan of defense in depth.

Point being, ISA (or for that matter, any server capable of reverse-proxy functions) is the preferred method from most Exchange folks these days, and Microsoft endorses this as well. It can be done with just a FE server, but using ISA would be safer and more secure.

From: [EMAIL PROTECTED] on behalf of Ayers, Diane
Sent: Wed 10/6/2004 5:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Off-topic sorta

I'm not a DMZ/firewall person but generally the sheer number of ports, etc that you have to open between the DMZ and the internal network is not a good thing®. Additionally for boxes that are in the DMZ, they should be configured as highly secure boxes and that tends to break Exchange. I have never seen any of the exchange pundits recommend placing an exchange server in the DMZ...

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, October 06, 2004 2:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Off-topic sorta

Even though it's just a front-end server? What are the security implications?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ayers, Diane
Sent: Wednesday, October 06, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Off-topic sorta

Bad idea to place an Exchange server in the DMZ. Better choice would be to use ISA 2004 in the DMZ to publish OWA, OMA and http over RPC to the external users. See http://www.isaserver.org for more info. I was fairly impressed with ISA 2004. Not as a firewall but being able to securely publish internal content.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, October 06, 2004 1:51 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Off-topic sorta

I've been asked to open ports:

tcp 135
tcp/udp 389
tcp/udp 88
tcp 3268
tcp 691

So we can have an exchange front end server on our DMZ talk to exchange backend server on our internal network. Has anyone done this and what's the security implications of this?
RE: [ActiveDir] OT:Exhange size limit require restart?
It takes a while to take effect (~ 2 hrs). Take a look at the KB below to see how to modify this behavior

Diane

http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;327378

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, September 23, 2004 7:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:Exhange size limit require restart?

Does anyone know if there is something that has to be restarted if you change the Sending message size and Receiving message size limits are changed (Global Settings)? I have increased the size of both, and it doesn't seem like they took effect.

Exchange 2003
RE: [ActiveDir] Unauthorized DHCP Requests
Hunter:

With Cisco ACS, how are you going to deal with non-MS based devices that get DHCP addresses? That's always been the hang-up for us to shift to a setup like you describe.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, September 13, 2004 6:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Unauthorized DHCP Requests

Our network folks are starting to roll out Cisco's Access Control Server. They plan to tie it into our AD, and eventually configure all of the network devices so that machines won't get on the network unless they're joined to the AD and have successfully authenticated. I'm not sure who else besides Cisco has this kind of thing, but I suspect they're not the only one.

Hunter

From: Joe L. Casale [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 12, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unauthorized DHCP Requests

Yea, it's ugly as heck to manage though. Mac reservations for all, but anyone can spoof that if they have a wit. Your problem is a common one, but not a simple one. If you hear of a slicker solution than that, pray tell!

jlc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, September 09, 2004 4:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unauthorized DHCP Requests

Our domain is using a Win2K3 server which is also a domain controller as its DHCP solution. Often I look at the DHCP tables and notice that there are unauthorized machines that connect to our network. This seems to occur from employees who bring in their laptop during the weekend when the workload is light and management does not have as much a presence.

The workstations within the domain all follow a naming scheme. For example, ORL-RM3-204-2 which means, the server is located in Orlando, physically located in Room3, desk number 204 and the number of times that that particular workstation has been replaced. So if I see a workstation in the DHCP tables that does not follow that naming scheme, then I know that something else has managed to get an IP Address from the network.

Is there a way to prevent unauthorized machines from retrieving an IP address? If so, is there also a way to make an exception to the rule should a non-standard naming convention machine require authorized access to the network?

Thank you all for your replies.

Edwin
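The naming-scheme check Edwin describes in the thread above, written out as an added example that is not part of any list member's post. The lease format, the three-letter site code, the exception list and the "stale generation" check are assumptions made for illustration; since hostnames and MACs are client-supplied (as the thread notes about spoofing), this is a detective control only.

```python
import re
from typing import NamedTuple

# Scheme from the thread: SITE-RM<room>-<desk>-<times replaced>, e.g. ORL-RM3-204-2.
# Assumption: the site code is always three letters (the thread only shows "ORL").
NAME_RE = re.compile(r"^(?P<site>[A-Z]{3})-RM(?P<room>\d+)-(?P<desk>\d+)-(?P<gen>\d+)$")

# Constructed sample data, one "ip,mac,hostname" lease per line.
# This is not the export format of any particular DHCP server.
SAMPLE_LEASES = """\
10.1.3.21,00-11-22-33-44-01,ORL-RM3-204-2
10.1.3.22,00-11-22-33-44-02,ORL-RM3-205-1
10.1.3.57,00-0D-93-AA-BB-CC,bobs-powerbook
10.1.3.58,00-11-22-33-44-09,ORL-RM3-204-1
10.1.3.60,00-A0-C9-12-34-56,ORL-PRN-01
10.1.3.61,00:11:22:33:44:0a,orl-rm4-101-1
"""

# Hypothetical approved exceptions: off-scheme hostname -> the MAC it was approved with.
EXCEPTIONS = {"ORL-PRN-01": "00-A0-C9-12-34-56"}


class Lease(NamedTuple):
    ip: str
    mac: str
    hostname: str


class Finding(NamedTuple):
    lease: Lease
    reason: str


def parse_leases(text):
    """Parse 'ip,mac,hostname' lines; names and MACs are normalised to upper case."""
    leases = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: expected ip,mac,hostname")
        ip, mac, host = parts
        leases.append(Lease(ip, mac.upper().replace(":", "-"), host.upper()))
    return leases


def audit(leases, exceptions):
    """Return findings for leases that break the naming scheme or an approved exception."""
    exceptions = {h.upper(): m.upper() for h, m in exceptions.items()}
    matches = [NAME_RE.match(lease.hostname) for lease in leases]

    # Highest replacement counter seen per desk; an older counter still holding a
    # lease means the replaced machine is back on the network.
    newest = {}
    for m in matches:
        if m:
            key = m.group("site", "room", "desk")
            newest[key] = max(newest.get(key, 0), int(m["gen"]))

    findings = []
    for lease, m in zip(leases, matches):
        if m:
            if int(m["gen"]) < newest[m.group("site", "room", "desk")]:
                findings.append(Finding(lease, "stale-generation"))
        elif lease.hostname not in exceptions:
            findings.append(Finding(lease, "off-scheme"))
        elif exceptions[lease.hostname] != lease.mac:
            findings.append(Finding(lease, "exception-mac-mismatch"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_leases(SAMPLE_LEASES), EXCEPTIONS):
        print(f"{f.reason:24} {f.lease.ip:12} {f.lease.mac}  {f.lease.hostname}")
```
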
RE: [ActiveDir] OT: Server backup
Backup to disks IMHO will become more the norm as the disk capacity continues to outstrip the tape backup capabilities. We do this for all our Exchange boxes and it has worked very well. We keep 2-3 days of backup files on a secondary server. All backups are sucked off the disks onto tape(s) for longer term recovery.

If configured correctly, it will greatly speed up your backup/recovery times over tape. For our configs we use a dedicated secondary server for each exchange server and use a dedicated GB IP connection between the primary and secondary server. The connection is configured w/ a private IP address and specifically use this connection for the backup process removing this traffic from the end user data path. The backup files on the secondary servers are either backed up to tape or an enterprise backup system. Since the data is now on the secondary box, you can do this backup during production hours.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, August 31, 2004 7:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Server backup

Is it acceptable to backup to local disk (using NTbackup) and then copy that file to a machine with a tape drive, and back that backup file up to tape?

Example:
1. Backup an Exchange Server locally
2. Copy that backup file to a machine with a tape drive
3. Backup that file to tape

I would be doing this for both an Exchange Server, and my DCs. This is my only option to get this stuff onto tape, so I hope it is acceptable. What problems may I run into?

As always, THANKS
RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt
Thanks for checking. Diane -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Thursday, August 05, 2004 10:02 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt Unfortunately, I don't know, and the SAP guy who installed it doesn't remember either. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane Sent: Wednesday, August 04, 2004 7:20 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt Ken: Do you recall which version of the SAP portal it was that made the schema changes? I'm asking since we are testing the SAP portal against AD in our lab with our SAP folks. I know that the initial version that they came to us with required a schema change (version 5?) and before we got it set up they came back with the newer version that supposedly did not require a change. IIRC that was version 6. Diane -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, August 04, 2004 12:32 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt Well side by side we see:

MS UID

dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uid
adminDisplayName: uid
adminDescription: A user ID.
attributeId: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: oPywC4ken0KQGhQTiU2fWQ==
attributeSecurityGuid:: Qi+6WaJ50BGQIADAT8LTzw==
showInAdvancedViewOnly: FALSE
systemFlags: 0

SAP UID

dn: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
changetype: add
adminDisplayName: uid
attributeID: 1.2.840.113556.1.4.7000.233.28688.28684.8.464850.1724825.154498.1299246.
 15
attributeSyntax: 2.5.5.4
cn: uid
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: uid
distinguishedName: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=
 com
objectClass: attributeSchema
objectGUID:: f1Sz+++ZY0eIH7t1mStJIA==
oMSyntax: 20
name: uid
schemaIDGUID:: Qy93MDGWsEqRfKr837RfzA==
showInAdvancedViewOnly: TRUE

The main diffs being

O attributeSyntax/omsyntax - ci unicode string for MS, ci string for SAP - SAP shouldn't have an issue unless someone uses some multibytes in the uid.
O schemaIDGuid - shouldn't be an issue unless there are property sets involved for security
O attributeID - if SAP uses the ldapdisplayname in class definitions instead of the attributeIDs they should be ok.
O MS is multi-valued, SAP is single valued - This could be painful if using ADSI due to the difference in how it handles mv versus sv, but if using LDAP this shouldn't be too bad, just would only use the first value in the attribute.

Definitely there are points that could cause pain but wouldn't expect it would be overly difficult for SAP to correct and use the MS definition versus theirs. Unless they use UID as a unique identifier within the database in which case the multi-value could cause some serious key issues. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, August 04, 2004 3:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt Thanks Joe, I saw that (rare for me lately). Just curious if SAP and Active Directory could play well together or not. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, August 04, 2004 3:03 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt I would expect it would really dork it up pretty well...
However there are two compensating things. 1. SAP shouldn't have done this. Ok so that isn't really a compensating factor but they really shouldn't have! 2. He already said that they aren't using it so breaking SAP doesn't matter. Now for the part I don't know: how do I fix it? The SAP portal was tested, but was back-burned indefinitely, so I don't have to worry about breaking it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, August 04, 2004 2:46 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt Anyone have the impact that would have on SAP application by chance? Just curious really. Don't have SAP handy. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, August 04, 2004 12:51 PM To: [EMAIL PROTECTED] Cc: 'Eric Fleischman' Subject: RE: [ActiveDir] Schema Gurus
RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt
Ken: Do you recall which version of the SAP portal it was that made the schema changes? I'm asking since we are testing the SAP portal against AD in our lab with our SAP folks. I know that the initial version that they came to us with required a schema change (version 5?) and before we got it set up they came back with the newer version that supposedly did not require a change. IIRC that was version 6. Diane -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, August 04, 2004 12:32 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt Well side by side we see:

MS UID

dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uid
adminDisplayName: uid
adminDescription: A user ID.
attributeId: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: oPywC4ken0KQGhQTiU2fWQ==
attributeSecurityGuid:: Qi+6WaJ50BGQIADAT8LTzw==
showInAdvancedViewOnly: FALSE
systemFlags: 0

SAP UID

dn: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
changetype: add
adminDisplayName: uid
attributeID: 1.2.840.113556.1.4.7000.233.28688.28684.8.464850.1724825.154498.1299246.
 15
attributeSyntax: 2.5.5.4
cn: uid
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: uid
distinguishedName: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=
 com
objectClass: attributeSchema
objectGUID:: f1Sz+++ZY0eIH7t1mStJIA==
oMSyntax: 20
name: uid
schemaIDGUID:: Qy93MDGWsEqRfKr837RfzA==
showInAdvancedViewOnly: TRUE

The main diffs being

O attributeSyntax/omsyntax - ci unicode string for MS, ci string for SAP - SAP shouldn't have an issue unless someone uses some multibytes in the uid.
O schemaIDGuid - shouldn't be an issue unless there are property sets involved for security
O attributeID - if SAP uses the ldapdisplayname in class definitions instead of the attributeIDs they should be ok.
O MS is multi-valued, SAP is single valued - This could be painful if using ADSI due to the difference in how it handles mv versus sv, but if using LDAP this shouldn't be too bad, just would only use the first value in the attribute.

Definitely there are points that could cause pain but wouldn't expect it would be overly difficult for SAP to correct and use the MS definition versus theirs. Unless they use UID as a unique identifier within the database in which case the multi-value could cause some serious key issues. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, August 04, 2004 3:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt Thanks Joe, I saw that (rare for me lately). Just curious if SAP and Active Directory could play well together or not. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, August 04, 2004 3:03 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt I would expect it would really dork it up pretty well... However there are two compensating things. 1. SAP shouldn't have done this. Ok so that isn't really a compensating factor but they really shouldn't have! 2. He already said that they aren't using it so breaking SAP doesn't matter. Now for the part I don't know: how do I fix it? The SAP portal was tested, but was back-burned indefinitely, so I don't have to worry about breaking it.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, August 04, 2004 2:46 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt Anyone have the impact that would have on SAP application by chance? Just curious really. Don't have SAP handy. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, August 04, 2004 12:51 PM To: [EMAIL PROTECTED] Cc: 'Eric Fleischman' Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 upgrade attempt Great, you have to love that! ~Eric have them fix their sheet! Here is a little article about defuncting attribs/classes so you can learn about it http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/disabling_existing_classes_and_attributes.asp Unfortunately, defuncting is something you can only do in an FFL 2K3 forest... Or you can delete stuff but I think you have to be pre-W2K SP2. OEM will definitely let you do it. Robbie published a nice little article on this a ways back. MS got pissed and made it so you couldn't do it any more... However I
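The side-by-side comparison joe does by hand in the thread above can be run as a check before any third-party LDIF is imported into a forest. The Python sketch below is an added example, not code from the list, Microsoft or SAP; the function names (`parse_entry`, `guid_text`, `conflicts`) are illustrative, and the two entries are abridged from the thread with their LDIF line folding restored.

```python
"""Flag conflicting attributeSchema definitions that share an lDAPDisplayName."""
import base64
import uuid

# Both entries are abridged from the thread; layout and folding are reconstructed.
MS_UID = """\
dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uid
attributeId: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
schemaIdGuid:: oPywC4ken0KQGhQTiU2fWQ==
"""

SAP_UID = """\
dn: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
changetype: add
attributeID: 1.2.840.113556.1.4.7000.233.28688.28684.8.464850.1724825.154498.1299246.
 15
attributeSyntax: 2.5.5.4
isSingleValued: TRUE
lDAPDisplayName: uid
objectClass: attributeSchema
oMSyntax: 20
schemaIDGUID:: Qy93MDGWsEqRfKr837RfzA==
"""

# Fields compared in the thread, with the consequence given there for each mismatch.
CHECKS = [
    ("attributeid", "fine only if class definitions use the lDAPDisplayName, not the OID"),
    ("attributesyntax", "ci Unicode string vs. ci string: an issue if uids hold multibyte characters"),
    ("omsyntax", "paired with attributeSyntax (64 vs. 20)"),
    ("issinglevalued", "ADSI handles single- and multi-valued attributes differently"),
    ("schemaidguid", "matters when property sets are involved for security"),
]


def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute name: value}.

    Handles folded lines (a continuation starts with one space) and base64
    values ("attr:: ..."). A repeated attribute keeps its last value, which
    is enough for the single-valued fields compared here.
    """
    logical = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold: drop the single leading space
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):            # "::" marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip(), validate=True)
        else:
            value = rest.strip()
        entry[name.strip().lower()] = value
    return entry


def guid_text(raw):
    """Render a 16-byte schemaIDGUID in the usual Windows string form."""
    return str(uuid.UUID(bytes_le=raw))


def conflicts(base, other):
    """Return (field, base value, other value, consequence) for each mismatch."""
    if base["ldapdisplayname"].lower() != other["ldapdisplayname"].lower():
        return []  # different names: no collision to report
    found = []
    for field, why in CHECKS:
        a, b = base.get(field), other.get(field)
        if a != b:
            shown = [guid_text(v) if isinstance(v, bytes) else v for v in (a, b)]
            found.append((field, shown[0], shown[1], why))
    return found


if __name__ == "__main__":
    for field, ms, sap, why in conflicts(parse_entry(MS_UID), parse_entry(SAP_UID)):
        print(f"{field}: MS={ms} SAP={sap}\n    {why}")
```

Run against an export of the lab forest's schema and the vendor's LDIF, any non-empty result is a reason to stop before the import, since schema additions cannot simply be deleted afterwards.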
RE: [ActiveDir] AD and printer admins
I'm sorry, I must be missing something. Can't you just add the desktop support team to the local power users group on the servers that you create the print shares on? That's what we do and it seems to work. The only thing that they can't do is to create new IP ports for shares if they are required but there are some reg permission changes that you can do to allow that. Diane -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Thursday, July 29, 2004 7:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and printer admins Currently Right now our Desktop support group has been added to the local admin group of our Server so they can create new printers. We really don't want them to have local admin permissions. Just permissions to create printers. Currently I cannot use Printer operators or a printer OU to do that as we are in the middle of a lengthy migration from an NT domain. Any ideas? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, July 28, 2004 9:05 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] AD and printer admins What is the full detail of what the solution needs to be able to accomplish? Also, have you seen what the built-in Print Operators group can do for you? :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Tuesday, July 27, 2004 5:21 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and printer admins That lets them modify current printers yes. But not create new ones. Which is my dilemma. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info Sent: Tuesday, July 27, 2004 4:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD and printer admins Make an OU for desktop support add users there In printer properties, security tab add OU there and give full rights... Never tried but guess that's the way.
Regards, J -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Tuesday, July 27, 2004 22:21 To: [EMAIL PROTECTED] Subject: [ActiveDir] AD and printer admins Is there a way within AD and other security settings to allow a Desktop Support section the ability to create and maintain printers without putting them into the local admin group on the servers. Currently we are not using the Printers OU for AD. The printers are added the old way thru the add printer wizard. Jeff List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LSASS.EXE!
My bets are on Sasser. Reapply MS04-011 and reboot. Diane -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert Sent: Tuesday, July 27, 2004 7:28 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LSASS.EXE! What started this? Was it after a specific patch? -Original Message- From: Jacob Stabl [mailto:[EMAIL PROTECTED] Sent: 27 July 2004 15:21 To: [EMAIL PROTECTED] Subject: [ActiveDir] LSASS.EXE! Ok I have been having this problem for quite a while and I have been ignoring it because I thought it was just a freak error. My main directory server has been saying lsass.exe application error then I click OK then it says it's going to restart in 60 seconds. I have checked for all the viruses, sasser, blaster and all of the above. All the updates have always been up to date, sophos anti virus always runs on it. I have no idea what to do next, I am starting to get scared since it is my main directory server. -- Jacob Stabl Network Engineer Plain Local Schools http://eagle.stark.k12.oh.us Work: 330.492.3500 x.383 Cell: 330.495.7243 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] win2k pro or server?
It may be more than you want but what the heck. I'm not a programmer so YMMV Diane

' Query Win32_OperatingSystem on a local or remote computer and echo every property.
' Properties that a given OS version does not expose are skipped silently.
On Error Resume Next

Set Network = WScript.CreateObject("WScript.Network")
' Prompt for the target computer; the default is the local computer name.
strComputer = InputBox("Enter NETBIOS name of computer", "GetComputerLocation In AD", Network.ComputerName)

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Flags 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem",,48)

For Each objItem in colItems
    Wscript.Echo "BootDevice: " & objItem.BootDevice
    Wscript.Echo "BuildNumber: " & objItem.BuildNumber
    Wscript.Echo "BuildType: " & objItem.BuildType
    ' Caption holds the product name, which includes the edition (Professional, Server, ...)
    Wscript.Echo "Caption: " & objItem.Caption
    Wscript.Echo "CodeSet: " & objItem.CodeSet
    Wscript.Echo "CountryCode: " & objItem.CountryCode
    Wscript.Echo "CreationClassName: " & objItem.CreationClassName
    Wscript.Echo "CSCreationClassName: " & objItem.CSCreationClassName
    Wscript.Echo "CSDVersion: " & objItem.CSDVersion
    Wscript.Echo "CSName: " & objItem.CSName
    Wscript.Echo "CurrentTimeZone: " & objItem.CurrentTimeZone
    Wscript.Echo "Debug: " & objItem.Debug
    Wscript.Echo "Description: " & objItem.Description
    Wscript.Echo "Distributed: " & objItem.Distributed
    Wscript.Echo "EncryptionLevel: " & objItem.EncryptionLevel
    Wscript.Echo "ForegroundApplicationBoost: " & objItem.ForegroundApplicationBoost
    Wscript.Echo "FreePhysicalMemory: " & objItem.FreePhysicalMemory
    Wscript.Echo "FreeSpaceInPagingFiles: " & objItem.FreeSpaceInPagingFiles
    Wscript.Echo "FreeVirtualMemory: " & objItem.FreeVirtualMemory
    Wscript.Echo "InstallDate: " & objItem.InstallDate
    Wscript.Echo "LargeSystemCache: " & objItem.LargeSystemCache
    Wscript.Echo "LastBootUpTime: " & objItem.LastBootUpTime
    Wscript.Echo "LocalDateTime: " & objItem.LocalDateTime
    Wscript.Echo "Locale: " & objItem.Locale
    Wscript.Echo "Manufacturer: " & objItem.Manufacturer
    Wscript.Echo "MaxNumberOfProcesses: " & objItem.MaxNumberOfProcesses
    Wscript.Echo "MaxProcessMemorySize: " & objItem.MaxProcessMemorySize
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "NumberOfLicensedUsers: " & objItem.NumberOfLicensedUsers
    Wscript.Echo "NumberOfProcesses: " & objItem.NumberOfProcesses
    Wscript.Echo "NumberOfUsers: " & objItem.NumberOfUsers
    Wscript.Echo "Organization: " & objItem.Organization
    Wscript.Echo "OSLanguage: " & objItem.OSLanguage
    Wscript.Echo "OSProductSuite: " & objItem.OSProductSuite
    Wscript.Echo "OSType: " & objItem.OSType
    Wscript.Echo "OtherTypeDescription: " & objItem.OtherTypeDescription
    Wscript.Echo "PlusProductID: " & objItem.PlusProductID
    Wscript.Echo "PlusVersionNumber: " & objItem.PlusVersionNumber
    Wscript.Echo "Primary: " & objItem.Primary
    Wscript.Echo "ProductType: " & objItem.ProductType
    Wscript.Echo "QuantumLength: " & objItem.QuantumLength
    Wscript.Echo "QuantumType: " & objItem.QuantumType
    Wscript.Echo "RegisteredUser: " & objItem.RegisteredUser
    Wscript.Echo "SerialNumber: " & objItem.SerialNumber
    Wscript.Echo "ServicePackMajorVersion: " & objItem.ServicePackMajorVersion
    Wscript.Echo "ServicePackMinorVersion: " & objItem.ServicePackMinorVersion
    Wscript.Echo "SizeStoredInPagingFiles: " & objItem.SizeStoredInPagingFiles
    Wscript.Echo "Status: " & objItem.Status
    Wscript.Echo "SuiteMask: " & objItem.SuiteMask
    Wscript.Echo "SystemDevice: " & objItem.SystemDevice
    Wscript.Echo "SystemDirectory: " & objItem.SystemDirectory
    Wscript.Echo "SystemDrive: " & objItem.SystemDrive
    Wscript.Echo "TotalSwapSpaceSize: " & objItem.TotalSwapSpaceSize
    Wscript.Echo "TotalVirtualMemorySize: " & objItem.TotalVirtualMemorySize
    Wscript.Echo "TotalVisibleMemorySize: " & objItem.TotalVisibleMemorySize
    Wscript.Echo "Version: " & objItem.Version
    Wscript.Echo "WindowsDirectory: " & objItem.WindowsDirectory
Next

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory Sent: Wednesday, July 21, 2004 7:52 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] win2k pro or server? Is there a way to tell via vbs? Thank you, Mitch Lawrence -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brown, Bill [contractor] Posted At: Tuesday, July 20, 2004 1:21 PM Posted To: ~AD Discussion~ Conversation: win2k pro or server? Subject: RE: [ActiveDir] win2k pro or server? If you hit the start button - there is a vertical bar that displays this information...
R/Bill -Original Message- From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 20, 2004 2:14 PM To: ActiveDir (E-mail) Subject: [ActiveDir] win2k pro or server? Sorry if this is really basic and covered before- but what's the quickest way (via script or gui admin tool) to tell if a particular pc/server is running win2k pro or server? thanks List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Moving Roaming profiles
It seems that outside of the FRS / replication issues, using DFS would be a good way of virtualizing the storage location of the profiles. If you used a DFS root to designate your storage location and you needed to migrate/replace this location, you could update the DFS root without having to modify any user attributes. Basically make the management of the profile data a backroom thing. Using FRS would make the whole setup somewhat ugly. Diane -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick Sent: Wednesday, June 02, 2004 9:15 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Moving Roaming profiles It is indeed NOT a good thing. I would not do this. FRS is not meant to replicate this type of dynamic data (profiles) you may experience data loss or perhaps FRS breakdowns (depending on size, number of files, and amount of change per file). Clarification on the data loss - this would not be due to FRS or 'corrupt' files, but rather the natural way FRS works - which is on a last writer wins basis. my .02 -steve - Original Message - From: Malachi Burke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 02, 2004 8:16 PM Subject: [ActiveDir] Moving Roaming profiles I want to move roaming profiles from our regular share into a DFS folder. The setup is straightforward. Two DC's, DFS replicate to each other, highly available roaming profiles. A sanity check that this is indeed a good thing would be nice. I am also a bit concerned about DFS because the documentation is so verbose (i.e. makes my brain hurt figuring it all out). Scenario: DC1 and DC2 both are hosting DFS root \\testroot\root. They are hosting their own corresponding file shares (say \\DC1\root and \\DC2\root). Am I right in expecting that EITHER DC1 or DC2 can go offline, and \\testroot\root will still be available? Lastly, moving the profiles looks like you have to muck with ownership and permissions. 
I was able to brute-force move one this way (by forcefully claiming ownership and subsequent permission of the entire profile tree), but a more graceful method would be appreciated. Malachi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] exchange 5.5, active directory and ADC
I'll second Nick's comment to test your implementation in a lab setup first before doing it live. There are some subtle (and not so subtle) things that you can do to hose your production setup. The first lab run we did hosed our lab but we learned. That's what labs are for. Diane From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank Sent: Tuesday, June 01, 2004 3:11 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC Correct, suggest since you haven't worked with the ADC before that you lab/vmware this at least once, and document your process before trying this in production. This way you'll have something to work with without being tempted to tick any options you haven't seen work in the lab before. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chaudhary, Amit Sent: 01 June 2004 11:49 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC Sorry But want to make sure I'm understanding you here. You suggesting set schedule to never, until the ADC is in place and working ok? Then moving it to a schedule? We don't plan to completely shut down the old exchange server for a few weeks at least. Anything else I should be aware of adding the ADC in terms of this migration to Exchange 2003 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank Sent: 01 June 2004 10:39 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC Yip, the AD container/OU is selectable whilst creating the recipient agreement connection. Suggest the first thing you configure is setting your schedule to NEVER, and finish your other bits and pieces.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chaudhary, Amit Sent: 01 June 2004 11:21 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC Nick Cheers, can you configure ADC to create any accounts it needs to in a separate container in the AD? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank Sent: 01 June 2004 10:04 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC Amit, Depending on how the accounts were created, it is possible to use the ADC to match accounts already existing in AD. If no match is found for a 5.5 mailbox, a duplicate account will be created in AD. The default matching rule will match the 5.5 associated-NT-Account field to the AD account's sid or sidHistory attribute. You may extend the matching rules in the ADC so that you can match RDN to CN or a mail alias to samaccountname if you have a match between those. I strongly suggest you read the article below: Understanding and Deploying Exchange 2000 Active Directory Connector http://www.microsoft.com/downloads/details.aspx?FamilyID=c763b584-c511-4687-b27f-a13a8f82d4c8&displaylang=en If you configure your ADC incorrectly, you may only have duplicate accounts, but at worst case you might lose mail. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chaudhary, Amit Sent: 01 June 2004 10:13 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] exchange 5.5, active directory and ADC Hi This may be a bit off topic but I was hoping to get some advice from the list. I have a Windows 2000 active directory environment, one of my Windows 2000 servers is running exchange 5.5 (not a DC). We have been considering moving to exchange 2003, the migration method was to join exchange 2003 to the existing site, move the mailboxes and then bring down the old server.
The problem is that I have come across the Active Directory Connector and I wanted to get some more information on this, as I have been told it has not been installed on my site. I.e. the 5.5 directory is not updating the active directory and vice versa. If we were to install the Active Directory Connector, would exchange create new accounts in my AD for all the mailboxes I have in my mail system, or will it see that active directory accounts are already created? The AD accounts are created as firstname lastname, but the display names for our email accounts are lastname, firstname. What will be the overall effect on my AD of installing this connector and enabling bi-directional communication? Regards Amit
RE: [ActiveDir] Mixed network PC and Mac - AD or XServe
Don't even get me started on PERC raid controllers... I'll share my stories after a few "adult beverages"... Diane From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland Sent: Tuesday, May 18, 2004 4:02 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Mixed network PC and Mac - AD or XServe You would genuinely use anything that has a perc raid controller? ewww, I feel dirty all of a sudden. On May 18, 2004, at 12:44 AM, joe wrote: I was laughing pretty good even before I got to the information on the new book. Out of the hardware vendors mentioned I would say I like Dell the best. I really dislike IBM unless you like to overpay for everything plus I have seen hellacious motherboard failures and the RSA solution is only about 5-10 years behind the DRAC solution from Dell. Haven't even seen an ACER in like 8-10 years, and would have thrown something at one at that point as they were ~= to packard bell. Also if building check out newegg.com pricing. I have built some very nice systems very cheaply through newegg. As for Exchange. I would have to agree unless the customer wants the integrated calendaring or the integrated IM or the other little things that Exchange adds on. At that point Exchange starts winning. Mostly the calendaring is the big thing. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland Sent: Monday, May 17, 2004 7:09 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Mixed network PC and Mac - AD or XServe In regard to cost estimates you probably can get Dell hardware to fulfill that role, you can also get some Gateway servers, and probably Acer has some offerings as well. For that matter, you could even build your own clone servers and save a pantload from pricewatch.com. There are always ways to leverage costs with Intel Based hardware. Personally, I wouldn't implement the smallest of server projects with less than IBM or HP hardware, but that is a personal preference.
And even with those options, you could probably still find some cost comparable options. I didn't get quotes from 3 vendors before posting to the list. In regard to exchange, If you want it then don't even consider going apple. Exchange needs Active Directory, so a duplication of directories in this instance would be fruitless. In regard to file service performance, it depends on who you ask... pc vendors will tell you that theirs is faster, Apple puts this up: http://www.apple.com/xserve/performance.html In the end file services are file services, it's pretty much like taking an airplane from Washington to Newark or taking a train from Washington to Newark, either way your trip will take about the same. Now as a stickler you can benchmark the f*_k out of it and say either a x86 is faster by 3 microseconds or a mac is faster by 4, but we're talking about 70 users!?!?! Now, let's talk about AFP. Dump it... Get rid of it... it is as 80's as Ferris Bueller and while it may work in movies, technology needs upgrades. (chicka chicka... chicka chicka... omp omp O Yeahhh! Sorry little bit of 'yellow fever') No wonder Microsoft is getting rid of it, Apple should too. Macs do great with smb:// cifs:// ftp://, etc. , I haven't noticed any difference in file services to smb shares between a pc and a mac connected to the same share over the same network. Yes, you can setup AD to authorize mac and pc machines to file services, it requires a little tweaking and if you end up needing assistance with it I'll answer any questions you might have. For planning resources on the OS X side, hit www.macwindows.com www.macosxlabs.org and you will definitely need the os x manuals at http://docs.info.apple.com/article.html?artnum=107912 for SSO interoperability, you should read the O'Reilly Kerberos book written by Jason Garmon, and for the AD side check out anything by Robbie Allen et al.
Finally, if you are in on the Cats & Dogs discussion check out the yet to be released title Cats and Domain Local Groups by Joe Richards. I still stick by my original recommendation that AD and now the apparent Exchange plans are bad news for your client, it's like shooting a gnat with an RPG and then finding out you could have bought a fly swatter at your local flea market (that was better suited to the original task) for $0.98 and no client access licenses. And really, really finally if you are still concerned about OS X reliability consider that Yahoo, Hotmail, IBM, the International Space Station, and others use BSD for critical applications. http://www.apple.com/macosx/features/unix/ 'nuff said. On May 17, 2004, at 2:16 PM, Noah Eiger wrote: Thanks Brent and Robbie. A bit of a surprising response from an AD list. Brent, maybe you can shed some light on the cost calculations you offered. To me, I look at the XServe for about $3000 with no storage (80 GB SATA) and then an array for $6000 (1TB,
RE: [ActiveDir] OT: explorer.exe hangs on folder access
SWAG, but we've run into issues with the thumbs.db file being corrupted. thumbs.db (hidden system) is created when you do the thumbnails view. Try deleting that and see if it helps.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, May 18, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Doesn't appear so :-( I took a look through every log for the past 3 days and there doesn't seem to be anything abnormal happening (not logged at least). Would a corrupted MFT entry restore itself upon restart? I appreciate all of the help by the way, Al. Like I said, this has happened once before and coincidentally it happened to my boss, so I spent a few hours scratching my head trying to figure it out, and sure enough I restarted the server that evening and everything was fine afterwards.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 18, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Nothing in there about disk errors that might explain something about a corrupted MFT entry maybe?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, May 18, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

The only events logged are informational success notifications and success audit security logs. I do not see any relevant Warning or Error events logged :-(

Server specs: 2x PIII 600, 1GB RAM, 2 RAID-1 arrays. The server functions as a file/print server as well as a DC holding all roles for the domain. Domain has 100 +/- users/groups. Backup client installed, exchange admin tools, resource kit tools, support tools.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 18, 2004 1:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Any relevance? Does that mean there is nothing or nothing that seems related? If there is something else going on, it would be helpful to know. I'd be particularly interested in anything in the system log. While we're investigating the scope of this, what else is on the machine? How is the machine configured?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, May 18, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

There is nothing abnormal shown in the event logs on client or server with any relevance :-(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 18, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Log entries?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, May 18, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: explorer.exe hangs on folder access

This is a very strange problem I experienced a few weeks ago and just yesterday I've noticed it happen again. This only happens with a single folder; all others are fine. In this particular instance the folder is completely empty except for "My Pictures" being automatically created within.

Expected cause: User Personal (My Documents) folders are redirected to a central location on the file server. User is not granted exclusive rights to their user folders; rights are inherited from parent. User folders are automatically created when user first logs into the domain.

Symptom: When user attempts to log in, the explorer.exe process hangs and the desktop is never created. User can log off by using Task Manager, or forcing a logoff/shutdown using shutdown.exe. Explorer.exe hangs when any PC attempts to access the user folder (including locally on the server). Strangely enough, I am able to copy the contents of the folder elsewhere using the explorer interface and am able to retrieve a directory listing using command prompt. Taking ownership of the folder does not resolve the issue. Desktop.ini shows being accessed by whichever user is attempting to access the folder, visible using computer management mmc snap-in. Forcibly closing all instances does not resolve the issue.

Resolution: Restarting the server resolves the issue.

Does anyone have ANY clue what this might be? Server is running Windows Server 2003 Std. I've considered calling M$FT on the issue but I'm sure they'll suggest that I restart the server. TIA for any input.
RE: [ActiveDir] VPN users and their AD passwords
Gee... you give them remote access to the company via the internet from anywhere and they're complaining about having to hit cancel? I would tell them to get over it... :-)

Actually with my client, I can just type in my password in the ctrl-alt-del login box and just ignore the VPN client if I am on the company network. It will authenticate via normal channels. Externally, I can choose to authenticate via the VPN client. Only if you don't let the VPN client initialize fully do you get the big cancel button when you hit ctrl-alt-del. Either hit cancel or wait for the VPN client to initialize before they hit the keyboard.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 18, 2004 4:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords

The complaint here from users is that if they ARE on the network, they have to hit cancel on the Cisco VPN client login so they can get to the CTRL-ALT-DEL screen. Is there any workaround for this, or just tell the users to get over it?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Ayers, Diane
Sent: Tuesday, May 18, 2004 4:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VPN users and their AD passwords

I'm running v 4.0.3(D) of Cisco VPN client and it is configured as Jeff describes below (logon to VPN before laptop logon). I had my domain password "expire" and IIRC, I was able to change my password at my usual ctrl-alt-del logon after I had done my VPN login. This was after a few adult beverages so I may have been confused... :-)

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Tuesday, May 18, 2004 1:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords

Russ -

With the newer versions of the Cisco VPN client you can configure the client to allow logon to the network via VPN before you logon to the notebook. When you first start up the system and hit Ctrl-Alt-Del to get the regular logon box, a Cisco VPN connection dialog comes up instead. You use this dialog to connect by VPN first so that you are actually authenticating your account with a domain controller, then you get a logon box again for logging on to the machine. This keeps the cached account information and the domain account information in synch.

If users change their password while connected by VPN, the cached credentials on the notebook are not updated. If they restart the notebook, they have to logon using their old password. When they next connect by VPN they will have to provide their new password. As soon as their machine tries to access network resources, it passes the old password information and causes the user's account to lockout very quickly (assuming you have account lockout enabled).

On the 3.6.3 client, you would go into Options - Windows Logon Properties and select Enable Start Before Logon. You would also want to select Disconnect VPN Connection While Logging Off. I believe this requires a system restart so that it hooks into the security dialog (msgina?).

If you need to go update your remote clients and you use SMS 2003, you may also want to upgrade your VPN clients at the same time to the 4.x VPN Client. Microsoft's notes say that the 4.x client will accurately report the IP address assigned by your VPN concentrator, as opposed to the IP address the notebook has on the user's personal network, so that the SMS 2003 Client boundary calculations will work properly.

We also have a ton of users with non-expiring passwords because they needed remote access in the past. One of my tasks this week is to get them to change their passwords, then we will set them to start expiring. We still need to figure out how to take care of remote users who only connect by dial-up direct to our company (no broadband available).

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
310 604-2061
310 604-2022 fax
www.belkin.com

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 18, 2004 12:19 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] VPN users and their AD passwords

How do your VPN only users who never attach their laptop to your network change their AD passwords when they expire? We're having an issue where we have to make all our VPN users "Password never expires" because they cannot change their password when it does expire, because they're only coming in via a Cisco VPN client.

Thanks
RE: [ActiveDir] OT: Ad hoc queries from within Excel
We wrote a basic one that allows users to dump DL memberships to a spreadsheet w some of the attributes. Basically it was for the clerical folks that create phone lists for depts. and floors. I don't know if we can share. Also, it's hard coded to our domains and OUs.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 6:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Ad hoc queries from within Excel

I'm constantly having users ask me to do some ad-hoc query on AD, and send them the output. Seems like it would be pretty cool to create an Excel add-in that would allow someone to import AD data directly into Excel. I've seen a few add-ins that query a SQL database like that, but has anyone already seen such a thing for AD? I don't want to reinvent the wheel, just not finding anything so far on Google.

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
RE: [ActiveDir] HELP I just deleted an OU
Unplug a DC before it replicates

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Monday, May 03, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP I just deleted an OU

How can I get the OU with all objects restored immediately
RE: [ActiveDir] AD screw up
Have you read the Branch Office guides?

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/branchoffice/default.asp for Windows 2000

http://www.microsoft.com/downloads/details.aspx?FamilyID=9353a4f6-a8a8-40bb-9fa7-3a95c9540112&DisplayLang=en for Windows 2003

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Gainor
Sent: Friday, April 16, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD screw up

I suppose I could. Where can I find information on setting that up?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, April 16, 2004 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD screw up

You could do that, but are you sure you can't accomplish what you want to do with just one domain and a detailed OU structure?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Gainor
Sent: Friday, April 16, 2004 12:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD screw up

Not knowing what I was doing I set up an AD at my company corporate office. I then converted everyone over to it along with my Exchange server. Now I also have a couple of branch offices and want to create children. The mistake I made was that I did not set up an Empty Root Domain first. I set up the corporate domain as the first server. This is what I would like to do. Tell me if I am wrong or if you have any other suggestions.

Root - ADRoot
child - corp.ADRoot
child - branch1.ADRoot
child - branch2.ADRoot

I do not want the domains to be internet FQDN.

Drew
RE: [ActiveDir] Password Never Expires...
Also, just as an FYI, if you're on XP, you can use the Win2K3 version ADUC which allows you to build a query in the GUI itself for all accounts that are configured as you described. It will work against both Win2K and Win2K3 domains.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Rod Trent
Sent: Friday, April 02, 2004 4:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Never Expires...

Here's a script to find those accounts and throw them into a spreadsheet: http://www.myitforum.com/articles/11/view.asp?id=3102

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, April 02, 2004 7:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Never Expires...

Hi,

One of our helpdesk technicians has been creating new user accounts with the 'Password Never Expires' tab selected. Does anyone know a way of how I can find out which accounts are set to 'Password Not Expire' and if there is an automated way to reset these?

thanks...
-frank
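The question in this thread, finding every account with "Password never expires" set and resetting it, comes down to testing one bit of userAccountControl. The following is an added example, not code from the thread or from the linked script: it audits a constructed LDIF-style export (all account names, DNs and values are made up) for the DONT_EXPIRE_PASSWD flag (0x10000) and writes standard LDIF modify records that clear it. The `exempt` parameter and the function names are assumptions of this example.

```python
import base64

# userAccountControl bit flags (documented Active Directory values).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000  # the "Password never expires" checkbox

# The same bit test as an LDAP filter: 1.2.840.113556.1.4.803 is the
# bitwise-AND matching rule and 65536 == 0x10000.
LDAP_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=65536))"
)

# Constructed sample export; every name and value here is invented.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=corp,DC=example
sAMAccountName: aexample
userAccountControl: 512

dn: CN=Bob Example,OU=Users,DC=corp,DC=example
sAMAccountName: bexample
userAccountControl: 66048

dn: CN=svc-backup,OU=Service,DC=corp,DC=example
sAMAccountName: svc-backup
userAccountControl: 66048

dn: CN=Old Temp,OU=Users,DC=corp,DC=example
sAMAccountName: otemp
userAccountControl: 66050
"""


def parse_ldif(text):
    """Return one dict per LDIF entry (lower-cased keys, first value only)."""
    entries = []
    for block in text.replace("\r\n", "\n").split("\n\n"):
        lines = []
        for raw in block.split("\n"):
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold a continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        entry = {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):         # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries


def audit(entries, exempt=()):
    """List accounts whose password never expires.

    exempt: sAMAccountNames deliberately left non-expiring; they are still
    reported but are skipped when change records are generated.
    """
    exempt_set = {name.lower() for name in exempt}
    findings = []
    for e in entries:
        try:
            uac = int(e.get("useraccountcontrol", ""))
        except ValueError:
            continue                          # no usable flag value
        if not uac & UF_DONT_EXPIRE_PASSWD:
            continue
        name = e.get("samaccountname", e["dn"])
        findings.append({
            "account": name,
            "dn": e["dn"],
            "disabled": bool(uac & UF_ACCOUNTDISABLE),
            "exempt": name.lower() in exempt_set,
            "current_uac": uac,
            "fixed_uac": uac & ~UF_DONT_EXPIRE_PASSWD,  # clear only that bit
        })
    return findings


def to_change_ldif(findings):
    """Build LDIF modify records (RFC 2849) that clear the flag."""
    records = []
    for f in findings:
        if f["exempt"]:
            continue
        records.append(
            f"dn: {f['dn']}\n"
            "changetype: modify\n"
            "replace: userAccountControl\n"
            f"userAccountControl: {f['fixed_uac']}\n"
            "-\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    found = audit(parse_ldif(SAMPLE_LDIF), exempt={"svc-backup"})
    for f in found:
        print(f["account"], f["current_uac"], "->", f["fixed_uac"],
              "(exempt)" if f["exempt"] else "")
    print(to_change_ldif(found))
```

Review the generated change records before importing them; clearing the flag on an account whose password is already older than the maximum age makes it expire at once.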
RE: [ActiveDir] [MailServer Notification]To Recipient file blocking settings matched and action taken.
Crap. Our bad too. sorry guys...

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 11, 2004 7:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [MailServer Notification]To Recipient file blocking settings matched and action taken.

ScanMail for Microsoft Exchange has blocked an attachment.

Sender = [EMAIL PROTECTED]
Recipient(s) = [EMAIL PROTECTED]
Subject = RE: [ActiveDir] Finding users who must change pw
Scanning time = 03/11/2004 09:59:43

Action on file blocking: The attachment USERDUMP.zip matches the file blocking settings. ScanMail has Quarantined it. The attachment was quarantined to C:\Program Files\Trend\Smex\Alert\USERDUMP40507edf815.zip_.

An attachment has been blocked. The email had the following subject RE: [ActiveDir] Finding users who must change pw. It was sent on 03/11/2004 at 09:59 AM from [EMAIL PROTECTED] The following action was taken USERDUMP.zip/Quarantined . If this was in error, please contact Gregg Porter.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Experiences with DFS.....
We looked at a DFS / FRS combo and quickly rejected it based on the problems with FRS. For data replication, FRS is a PoS (to be brutally honest). MS needs to start from scratch on that one. Any efficient data replication scheme would utilize a block level or some other low level replication process and not be based on file level replication. A single change to, say a 10 MB file, should not trigger the replication of the entire 10 MB file. We're looking at several third party replication tools but the jury is still out on the optimal solution.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Brent Westmoreland
Sent: Thursday, March 11, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Experiences with DFS.

Yes, you need to become familiar with the FRS registry settings and the staging directory. Try these links to get you started:

http://www.jsiinc.com/SUBI/tip4100/rh4104.htm
http://www.jsiinc.com/SUBL/tip5900/rh5973.htm

Also, definitely consider moving your staging directory to a large volume; follow the instructions in KB291823.

On Mar 11, 2004, at 11:00 AM, Chris Flesher wrote:

We are thinking of using DFS in order to add redundancy to our NAS offerings. My main question is does anyone have experience using DFS to replicate/keep in sync large amounts of info, i.e. 200+GB, between two or more servers? As always, thank you for the help.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

Brent Westmoreland
BMW Group - Data Center Americas
Business: 864.989.6567
RE: [ActiveDir] Experiences with DFS.....
Yes. FRS today would trigger the replication of the entire file with a change to that file. There are also issues with open files. You could configure a less frequent replication schedule but...

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Thursday, March 11, 2004 9:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Experiences with DFS.

Well, to give a little more info, we have 1,000,000+ files on our NAS. This machine is accessed pretty hard by ~1,000 users, housing .pst files and eudora data store files. If you are saying that each time there is a change in a file, it is replicated, would it constantly replicate email data files each time an email comes to the user? That could get ugly.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Thursday, March 11, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Experiences with DFS.

We looked at a DFS / FRS combo and quickly rejected it based on the problems with FRS. For data replication, FRS is a PoS (to be brutally honest). MS needs to start from scratch on that one. Any efficient data replication scheme would utilize a block level or some other low level replication process and not be based on file level replication. A single change to, say a 10 MB file, should not trigger the replication of the entire 10 MB file. We're looking at several third party replication tools but the jury is still out on the optimal solution.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Brent Westmoreland
Sent: Thursday, March 11, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Experiences with DFS.

Yes, you need to become familiar with the FRS registry settings and the staging directory. Try these links to get you started:

http://www.jsiinc.com/SUBI/tip4100/rh4104.htm
http://www.jsiinc.com/SUBL/tip5900/rh5973.htm

Also, definitely consider moving your staging directory to a large volume; follow the instructions in KB291823.

On Mar 11, 2004, at 11:00 AM, Chris Flesher wrote:

We are thinking of using DFS in order to add redundancy to our NAS offerings. My main question is does anyone have experience using DFS to replicate/keep in sync large amounts of info, i.e. 200+GB, between two or more servers? As always, thank you for the help.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

Brent Westmoreland
BMW Group - Data Center Americas
Business: 864.989.6567
RE: [ActiveDir] OU design quandary
For us, our user management is centralized so the user objects were placed in a single OU broken into sub OUs by type (users, administrators, service, restricted). Computer support is more decentralized so we have computer objects in geographic based OUs with sub OUs by function (servers, workstations, etc.)

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Thursday, March 04, 2004 9:19 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OU design quandary

All,

We are in the final stages of a global AD design for our company. The design will have two user domains -- one for North America and one for Europe -- and it will have an empty root. Each of the user domains will have approximately 35,000 users. Software distribution will be via Tivoli. Two camps have emerged regarding OU structure and there's a rather large gap between them. I'm asking for your expert and experienced input to help resolve this issue.

Camp one: We're going to search instead of browse. So put all users in a single users OU, put all desktop machines in a single desktops OU, put all laptops in a single laptops OU, put all IIS servers in a single OU, all SQL servers in a single, etc, etc, etc. Manage by groups instead of by OU in which the object resides.

Camp two: Regardless of whether we're going to search or browse, at some point having office hierarchy in the OU design will be helpful enough that it's necessary to build it now. Users, desktops and laptops will be grouped as child OUs to the office OUs. Servers for applications will be grouped by function and then by the , by the application suite or ASP that is responsible for the application. Allows more granular delegation and application of group policy.

We have too little actual deployment and management experience in Active Directory, especially this size, to make a definitive decision so I would appreciate any and all feedback regarding the pros and cons.

Thanks,
Mike
RE: [ActiveDir] Site Configurations and SMS2003
No, it wasn't Microsoft but a consultant. Normally I'd insert a smart-ass remark here about consultants but other than our disagreement about how to configure sites, it was a very well informed exchange of information. You and I are on the same page with having to hack something (e.g. DNS SRV records) that should be automatic. I think that I'll have to read Robbie's chapter on Site configurations to kick my understanding up a notch. Thanks for everyone's input.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, February 18, 2004 4:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Site Configurations and SMS2003

Right off the bat, smack the person who said to hack the dns entries. Hard. If that recommendation came from MS please let me know offline as I want to pass it up the line as that isn't good advice to be giving out. Anytime someone wants to take something automatic and make it manual, it is generally not good and crutching something that is misdesigned or misunderstood. Either way, something needs fixed.

If you build the topology correctly in sites and services then you don't have to hack anything, the proper DC will cover the proper sites automagically. I pretty much always set up specific sites for every location whether they have a DC or not. Both to keep them logically separate but also because I figured some day MS or someone else would say why heck, we have all of this info for site location already, let's use it. Logical progression.

Sounds like from the quick read that I did that you want to set up a standard hub and spoke topology with some 5 hubs. You interconnect the hubs with site links (probably a mesh), then you set up site links from each wan site back to the hub site it should be tied to and disable automatic site link bridging [1] so the KDC doesn't have nightmares. The sites will either use the local DC or the DC that is closest via the site link back to the hub.

If they did SMS correctly, you should just be able to drop in the SMS Servers and the machines that should use them should find them logically.

joe

[1] Make your site links intransitive.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane
Sent: Wednesday, February 18, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Site Configurations and SMS2003

All:

I know that this is somewhat off topic (SMS) but I had a recent conversation with some folks in regards to AD and SMS 2003. We are looking at possibly deploying SMS 2003 and looking at some deployment scenarios. Anyway the conversation turned to the AD sites and what is the best configuration for sites in an organization.

Briefly we have a highly connected backbone with DCs spread around key nodes on this backbone to support the geographical locations spurred off of this backbone. We developed our AD sites around these nodes (5 geo locations, 5 AD sites) with all the downstream geographic locations for each DC being rolled into the site.

It was recommended that we make each geographic location that is rolled up to the main sites we have now a separate site in AD irregardless if this geographic location has a DC or not. Site connectors would be built between those sites that have DCs and for those sites that don't have DCs, we'd have to go in and hack the _kerberos._tcp.site name._sites and the _ldap._tcp.site name._sites SRV records so that they would refer to the correct DC.

I'm still trying to grasp the nuances of sites in AD but this seemed to be an usual approach to sites in AD. Granted that SMS 2003 does bring some twists to the picture as a client will need to identify a distribution point from its AD site. We have over 200 individual geographic sites with approx 180 software distribution boxes that we'd make distribution points. That would translate to 180 AD sites (sites mapped to distribution points). My basic understanding of sites is that they should be built around DCs.

This is a simple summary of what was discussed but I was wondering if there were some opinions one way or another over the best way to approach sites in AD. Obviously each case is different but wanted to capture folks' thoughts.

Diane
[ActiveDir] Site Configurations and SMS2003
All:

I know that this is somewhat off topic (SMS) but I had a recent conversation with some folks in regards to AD and SMS 2003. We are looking at possibly deploying SMS 2003 and looking at some deployment scenarios. Anyway the conversation turned to the AD sites and what is the best configuration for sites in an organization.

Briefly we have a highly connected backbone with DCs spread around key nodes on this backbone to support the geographical locations spurred off of this backbone. We developed our AD sites around these nodes (5 geo locations, 5 AD sites) with all the downstream geographic locations for each DC being rolled into the site.

It was recommended that we make each geographic location that is rolled up to the main sites we have now a separate site in AD irregardless if this geographic location has a DC or not. Site connectors would be built between those sites that have DCs and for those sites that don't have DCs, we'd have to go in and hack the _kerberos._tcp.site name._sites and the _ldap._tcp.site name._sites SRV records so that they would refer to the correct DC.

I'm still trying to grasp the nuances of sites in AD but this seemed to be an usual approach to sites in AD. Granted that SMS 2003 does bring some twists to the picture as a client will need to identify a distribution point from its AD site. We have over 200 individual geographic sites with approx 180 software distribution boxes that we'd make distribution points. That would translate to 180 AD sites (sites mapped to distribution points). My basic understanding of sites is that they should be built around DCs.

This is a simple summary of what was discussed but I was wondering if there were some opinions one way or another over the best way to approach sites in AD. Obviously each case is different but wanted to capture folks' thoughts.

Diane
RE: [ActiveDir] Site Configurations and SMS2003
That was my argument in the "discussion". I looked at sites as replication boundaries and localization of authentication and directory services. The counterpoint was "why maintain sites in two locations?". One in AD and one in SMS. The angle was to simplify site management. However I was not comfortable with the proposed changes to AD sites to accommodate the needed SMS sites. However I was not 100% certain that the proposed AD site design to accommodate SMS was going to be a "bad thing".

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, February 18, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Site Configurations and SMS2003

I've heard the same thing - with AD it doesn't make any sense to have a site that doesn't have a DC in it - sites are used for replication and if there's nothing to replicate to in a site then why would you create an AD site? But with SMS, you can define SMS Site Boundaries and Roaming Boundaries with either subnets or AD Sites... guess which is easier to do for the SMS admin? So if the AD admins create a site for every area you'll have a DP in, then it makes it easy to set up boundaries. That is, it's easy if you trust that they are putting the right subnets in the right AD sites, and you get the right AD sites in the right SMS assignment boxes and spell them correctly. Barring all that, you could just add the subnets in the appropriate places in SMS and ignore the AD sites.

Rich

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John McGlinchey
Sent: Wednesday, February 18, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Site Configurations and SMS2003

Sites are a collection of "Well Connected" subnets. That said, one person's definition of "well connected" can be completely different from another's. It really depends upon the bandwidth and network utilization between locations on your network. On some site designs I've set every location to be a site no matter what the bandwidth while on others I have grouped locations together into a single site where bandwidth was "good enough" and the load put onto the network was deemed to be minimal. So, the answer is, it depends!

I would think that adding SMS would make you rethink how you have grouped your sites to optimize the use of the SMS distribution points. Too many users hitting the distribution points will put a significant load on the location to location links and that would move you towards defining a location to be in a separate site.

Just my $.02. Coming out of lurking mode. Great list. Thanks for being here.

John McGlinchey, MCSA, MCSE, CCNA
Bristol-Myers Squibb Company

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane
Sent: Wednesday, February 18, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Site Configurations and SMS2003

All:

I know that this is somewhat off topic (SMS) but I had a recent conversation with some folks in regards to AD and SMS 2003. We are looking at possibly deploying SMS 2003 and looking at some deployment scenarios. Anyway the conversation turned to the AD sites and what is the best configuration for sites in an organization.

Briefly we have a highly connected backbone with DCs spread around key nodes on this backbone to support the geographical locations spurred off of this backbone. We developed our AD sites around these nodes (5 geo locations, 5 AD sites) with all the "downstream" geographic locations for each DC being rolled into the site.

It was recommended that we make each geographic location that is rolled up to the main sites we have now a separate site in AD irregardless if this geographic location has a DC or not. Site connectors would be built between those sites that have DCs and for those sites that don't have DCs, we'd have to go in and hack the _kerberos._tcp.site name._sites and the _ldap._tcp.site name._sites SRV records so that they would refer to the correct DC.

I'm still trying to grasp the nuances of sites in AD but this seemed to be an usual approach to sites in AD. Granted that SMS 2003 does bring some twists to the picture as a client will need to identify a distribution point from its AD site. We have over 200 individual geographic sites with approx 180 software distribution boxes that we'd make distribution points. That would translate to 180 AD sites (sites mapped to distribution points). My basic understanding of sites is that they should be built around DCs.

This is a simple summary of what was discussed but I was wondering if there were some opinions one way or another over the best way t
RE: [ActiveDir] MS04-007 checking
You have any pointers to info on the "proof of concept"? I'm not interested in code but would like to look at the info and we may want to pull the trigger at our organization. We're working the rollout for 007 but may want to deploy quicker than we currently have mapped out.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Saturday, February 14, 2004 6:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-007 checking

In case anyone here is having difficulties justifying (to management) the "urgent" need to patch systems against this new vulnerability, here's one for your ammunition: There is now a "Proof of Concept" exploit code that exploits this vulnerability. The clock is now ticking in the race for another Blaster. I am not sure if it's OK to post URL to exploits here, so I will err on the side of prudence and say if you need to know where, email me.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Rimmerman, Russ
Sent: Fri 2/13/2004 9:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-007 checking

Might check with RetinA (http://www.eeye.com/). We're using Patchlink to not only detect, but patch and deploy software as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 13, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MS04-007 checking

Does anyone know of a tool to make sure that all the users have this patch applied? I know Microsoft had something for the Blaster and was wondering if anyone has anything that would check to make sure this patch has been applied?

Thanks again
Ryan McDonald
RE: [ActiveDir] Where did Additional Acct Info tab go to?
dope slap to self on forehead No wonder I could never make that DLL work. I pretty much use the find function exclusively. I too ass-umed it was me... Diane From: deji Agba [mailto:[EMAIL PROTECTED] Sent: Monday, February 09, 2004 7:21 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Where did "Additional Acct Info" tab go to? Let me guess... you are doing a "find" in ADUC, and you are then looking at the object's properties from the result of the "find". Correct? Try drilling down to where the account is located and then looking at the properties directly, you will very likely see the "additional account info" tab there. I submitted this to MS a long time ago, but I didn't hear back, so I concluded it "must be me" :). Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Thommes, Michael M. Sent: Mon 2/9/2004 6:30 AM To: Active Directory Mailing List (E-mail) Subject: [ActiveDir] Where did "Additional Acct Info" tab go to? Hi, This morning I noticed that the "Additional Acct Info" (sp?) tab in ADUC on my Windows 2000 DCs (with extra "acctinfo.dll" installed) and on my Windows 2003 DC (additional info by default) is no longer there. While I don't use this feature on a daily basis, I am sure I have used it in the last few weeks. I even tried logging on with the principle domain admin account after my normal admin failed to show this feature; that also didn't work. Has anyone experienced this? Thanks for any help! Mike Thommes
RE: [ActiveDir] Other Listsrvs
Ditto I dropped all the sunbelt lists due to the high signal-to-noise ratio Diane -Original Message- From: Martin Tuip [mailto:[EMAIL PROTECTED] Sent: Monday, February 09, 2004 1:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Other Listsrvs Personally I'm not too fond of the Sunbelt one due to the lower technical level of the list compared to others. Martin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wilson, Julie Sent: Monday, February 09, 2004 1:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Other Listsrvs Try this one: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kleciak, Clint D B270 Sent: Monday, February 09, 2004 3:02 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Other Listsrvs Anyone have any for Exchange? -Original Message- From: Steve Shaff [mailto:[EMAIL PROTECTED] Sent: Monday, February 09, 2004 1:58 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Other Listsrvs This is a general question for the group. I am in charge more than just the active directory, schema, trusts, etc. I have found that this has been a valuable source of information and I would like to know if anyone knows of other listsrvs that deal with SMS and/or exchange, that are as good as this one? Thanks, S CONFIDENTIALITY NOTICE: If you have received this e-mail in error, please immediately notify the sender by e-mail at the address shown. This e-mail transmission may contain confidential information. This information is intended only for the use of the individual(s) or entity to whom it is intended even if addressed incorrectly. Please delete it from your files if you are not the intended recipient. Thank you for your compliance. 
Copyright (c) 2004 CIGNA List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Other Listsrvs
Sorry if it came across arrogantly. Wasn't meant to be so. Several good lists have already been mentioned Diane -Original Message- From: Wilson, Julie [mailto:[EMAIL PROTECTED] Sent: Monday, February 09, 2004 2:21 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Other Listsrvs I hope you didn't mean that as arrogantly as it sounds. :) But I do agree it's a little to much for me sometimes too. So tell me what lists do you consider the best ones for Exchange? Thanks, Julie -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane Sent: Monday, February 09, 2004 3:58 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Other Listsrvs Ditto I dropped all the sunbelt lists due to the high signal-to-noise ratio Diane -Original Message- From: Martin Tuip [mailto:[EMAIL PROTECTED] Sent: Monday, February 09, 2004 1:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Other Listsrvs Personally I'm not too fond of the Sunbelt one due to the lower technical level of the list compared to others. Martin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wilson, Julie Sent: Monday, February 09, 2004 1:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Other Listsrvs Try this one: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kleciak, Clint D B270 Sent: Monday, February 09, 2004 3:02 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Other Listsrvs Anyone have any for Exchange? -Original Message- From: Steve Shaff [mailto:[EMAIL PROTECTED] Sent: Monday, February 09, 2004 1:58 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Other Listsrvs This is a general question for the group. I am in charge more than just the active directory, schema, trusts, etc. I have found that this has been a valuable source of information and I would like to know if anyone knows of other listsrvs that deal with SMS and/or exchange, that are as good as this one? 
Thanks, S
RE: [ActiveDir] I: Quest to aquire Aelita
But they wouldn't be able to shift to a new paradigm... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, MarkSent: Thursday, January 29, 2004 6:05 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] I: Quest to aquire Aelita Wouldnt it be refreshing just once to read about a merger/acquisition that didnt contain the word synergies? ;-) mc -Original Message-From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 28, 2004 10:57 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] I: Quest to aquire Aelita This will be interessting for many folks on this list: http://biz.yahoo.com/bw/040128/285921_1.html /Guido
RE: [ActiveDir] GPO and the Outlook Dumpster
Following this thread, a related question (taking it even more OT) comes up. Often in email discovery cases, we use ExMerge to suck the dumpster off a server to look at what's there. Would DumpsterAlwaysOn on the host that ExMerge is run from have an effect on what data is recovered from the Dumpster? Diane From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, January 15, 2004 8:57 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPO and the Outlook Dumpster I get different results. Feeling inaccurate, I went and enabled dumpsteralwayson on my computer. Shift+Delete the message. Check the folder it was deleted from and voila (that's my extent of French) it was in the deleted items recovery. Not too happy about that, I removed the setting, and this time went to an IMAP client. DumpsterAlwaysOn was not set at this point. I deleted and purged a message. Closed the IMAP client, and opened Outlook (XP) after resetting the key to 1. Check that folder with deleted items recovery and the message was there to be recovered. Try Shift+Delete on another message, and then was able to recover it. Bottom line, Roger and Olly are right. The message doesn't go away regardless of client or hard delete. It's marked for deletion and is later purged. You have to go into the deleted item recovery and purge the message to make it gone from all but a backup of the mailstore. One note: I didn't need the registry setting to enable the use of recovery on the deleted items folder. That was there by default. I need the registry setting to see the form for other folders however. Thanks for clearing that up :) -Original Message- From: deji Agba [mailto:[EMAIL PROTECTED] Sent: Thursday, January 15, 2004 11:09 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPO and the Outlook Dumpster That is exactly how it operates in the field. 
UNLESS you have manually enabled DumpsterAlwaysOn on a client, when a client SHIFT-DELETES a piece of mail, that mail is GONE and NOT recoverable without going through an interesting hoop. That hoop involves looking for the most recent backup of the user's Mailbox Server's Information Store. This is what my initial response to Oliver said Now, I'm done. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Oliver Marshall Sent: Thu 1/15/2004 7:16 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPO and the Outlook Dumpster Thanks for the interesting comments on this thread. I have had official word from several MS support peeps that would seem to resolve the issue. It would seem that SHIFT+DELETE marks a message as deleted immediately without it being moved to the deleted items first. As the message is only MARKED as deleted but not actually deleted it is simply not visible to the user but does still remain in the datastore. If items are sent to the deleted items they are simply moved to the deleted items. Emptying the deleted items marks all the items in that folder as deleted. So SHIFT+DELETE doesn't permanently delete emails, just permanently hides them from the user. The DUMPSTERON reg trick simply makes the dumpster menu item visible on all folders rather than just the deleted items folder. Hope that helps. Olly -Original Message- From: deji Agba [mailto:[EMAIL PROTECTED] Sent: 15 January 2004 07:18 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPO and the Outlook Dumpster I usually refrain from adding to a thread more than once, except to occasionally concur. 
I have always thought that, all things being equal, Shift-Delete is indeed a permanent delete, given the following circumstances: Assuming you DON'T have deleted item retention enabled - which is the default configuration You have not enabled DumpsterAlwaysOn -which is the default configuration You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore I've been known to be wrong before, but I don't think this is one of those moments :-p Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Roger Seielstad Sent: Wed 1/14/2004 4:58 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPO and the Outlook Dumpster But Shift-Delete is not a permanent delete. Assuming you have deleted item retension enabled, shift-delete simply marks the message for deletion, but it is still available within that folder's dumpster until the DIR time expires, and is accessible using the DumpsterAlwaysOn registry setting for Outlook. Scared the crap out of my desktop guy who thought he could hide email... Roger
RE: [ActiveDir] Search for phone numbers????
We simply modified the form for address book searches to include phone number. Individuals can now search on phone numbers for those mail enabled objects in AD. For us that meets the requirements 99% of the time. Diane -Original Message- From: Douglas M. Long [mailto:[EMAIL PROTECTED] Sent: Thursday, December 11, 2003 10:17 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Search for phone numbers Is there a way to add a field in the Search for people to allow searching for a phone number, or other attributes that are specified in the Active Directory? If not, how can a user search for other attributes that are defined in the AD?
RE: [ActiveDir] Inter-site Urgent replication
All: Thanks for the tips and hints. It seems that urgent replication is working better this AM. I tracked a locked account from the source DC to the replication partners and it seems to be bypassing the replication schedule. Too cool... I'm still seeing some delay between the DCs that are "second hop" from the source via the replication topology but it seems to be a result of the new replication topology as opposed to anything else. As Joe mentioned, the bridgehead server issue between sites comes into play. I was curious if anyone has tweaked the holdback timing and pause rates. I'm inclined to tweak those settings to see better replication times as it seems that it has been tweaked already in 2003. We're planning to go to 2003 after the holidays but want to see if anyone has taken the plunge in Win2K. Diane From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 1:14 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Inter-site Urgent replication this is not only useful in the scenario described in this thread - if you generally want to speed up intra-site replication between DCs, you'd also want to work on these settings (not in 2k3, where it's as quick as it can get anyways and where the registry key is removed by default):
Registry Key to change Windows 2000 Replication behavior
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- Replicator notify pause between DSAs (secs) = pause between notifications
- Replicator notify pause after modify (secs) = pause to send first notification after a change
Default values: pause after modify / pause between DSAs
Windows 2000: registry values 5 minutes / 30 seconds
Windows 2003: new default values if registry keys are not set 15 seconds / 3 seconds
_ From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Dienstag, 18. 
November 2003 05:34 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Inter-site Urgent replication So, you're thinking with ATM between DCs I can crank up the holdback timing and pause rates? Neat. ;op Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone WebLog - www.msmvps.com/willhack4food _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Sent: Monday, November 17, 2003 10:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Inter-site Urgent replication Cool in that case I would do the same... Also if it is W2K and your bandwidth can truly handle it I would turn down the timing for holdback and pause between dsa's. joe _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Diane Ayers Sent: Monday, November 17, 2003 9:09 PM To: [EMAIL PROTECTED] The biggest concern is not really the replication traffic and wanting to throttle the traffic but trying to localize the authentication. I've turned on change notifications and we'll see how this works. Thanks for the refresher on urgent replication and good point on the bridge head traffic. Diane _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Sent: Monday, November 17, 2003 5:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Inter-site Urgent replication Urgent replication really isn't... It is urgent queuing of a replication request in actuality or at least from what I have observed. Basically you quickly stick a replication request into the queue of all change notification partners. They process it in the order and priority received... i.e. it would happen before a previously queued GC partition replication but after a previously queued domain partition replication. You would need to enable change notification between sites to start to see the urgent queuing and doing that will blow out your replication schedules and most all benefits of compression. 
HOWEVER, if you were happy with a single site setup, this all would be fine for you... Note however all traffic will STILL go through the bridgeheads. You won't set up a large ring like you had within a single site. joe _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane Sent: Monday, November 17, 2003 6:04 PM To: [EMAIL PROTECTED] Greetings In an effort to localize our authentication traffic, we recently implemented a multi-site configuration moving away from our single mega-site (single domain). All DCs are on high bandwidth links but we are trying to reduce authentication across the WAN. All inter-site transports are configured for a maximum replication frequency (15 minutes). An assumption on my part (an
RE: [ActiveDir] Inter-site Urgent replication
Title: RE: Inter-site Urgent replication We are at SP3. I've gone through most of those articles already. re-reading 232690 it does refer to my issue: "Windows 2000 enables change notifications to propagate across inter-site connections. This is administratively configured on each site-link. Enabling change notifications across site-links propagates all change notifications. This enables urgent changes and all other replication events to propagate to a remote site with the same frequency as within the source site." I can't find anymore info on "Enabling change notifications" other than "ignore replication schedule" on the IP transport. Doh! Diane From: Fuller, Stuart [mailto:[EMAIL PROTECTED] Sent: Monday, November 17, 2003 4:12 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Inter-site Urgent replication Diane, What service pack level are you at? A lot of fixes for password lockout and urgent replication were put into SP3 andmore in SP4. The following MS articles may be relevant to your question: Urgent Replication Triggers in Windows 2000 - http://support.microsoft.com/?kbid=232690 Account Unlocks and Manual Password Expirations Are Not Replicated Urgently - http://support.microsoft.com/?kbid=306133 Service Packs and Hotfixes that are available to resolve account lockout issues - http://support.microsoft.com/?kbid=817701 If you are having a lot ofaccount lockout issues, this web cast is"must see TV" - http://support.microsoft.com/?kbid=813500 Cheers, Stuart From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Monday, November 17, 2003 4:42 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Inter-site Urgent replication Hi Diane, My understanding (haven't tried it myself) is that urgent intersite replication observes the intersite replication schedule. You can work around this by enabling intersite notifications, but then that effectively circumvents any replication schedule. That's my understanding anyway. 
-gil -----Original Message- From: Ayers, Diane [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane Sent: Monday, November 17, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: Inter-site Urgent replication Greetings In an effort to localize our authentication traffic, we recently implemented a multi-site configuration moving away from our single mega-site (single domain). All DCs are on high bandwidth links but we are trying to reduce authentication across the WAN. All inter-site transports are configured for a maximum replication frequency (15 minutes). An assumption on my part (and probably erroneous) is that urgent replication triggers such as account lockouts will still bypass inter-site replication schedules and be replicated to all DCs in the domain. We're getting a smattering of reports that the events such as account lockouts are not getting replicated quickly. Putting 2 and 2 together, it looks like urgent replication is not carried between sites. Is my assumption correct and can I enabled urgent replication between sites? Diane
RE: [ActiveDir] Inter-site Urgent replication
Never mind. Google to the rescue... Thanks for your help. Diane

Change Notification Between Sites

By default, changes are replicated between sites according to a schedule and not according to when changes occur. For this reason, the greatest replication latency across the forest is the sum of the greatest replication latencies along the single longest replication path of any directory partition. For special circumstances, you can configure change notifications on connections between sites. By modifying the site link object, you can enable change notification between sites for all connections that occur over that link. Use ADSI Edit to enable change notification between sites.

To enable change notification between sites

1. In ADSI Edit, expand the Configuration container.
2. Navigate to the Inter-Site Transports container, and select CN=IP. (You cannot enable change notification for SMTP links.)
3. Right-click the site link object for the sites for which you want to enable change notification, and then click Properties.
4. In the Select a property to view box, select options.
5. In the Edit Attribute box, if the Value(s) box shows not set, type 1 in the Edit Attribute box. If the Value(s) box contains a value, you must derive the new value by using a Boolean BITWISE-OR calculation on the old value, as follows: old_value BITWISE-OR 1. For example, if the value in the Value(s) box is 2, calculate 0010 OR 0001 to equal 0011. Type the integer value of the result in the Edit Attribute box; for this example, the value is 3.
6. Click OK.

Enabling change notifications across site links propagates all change notifications. With change notification between sites set, changes propagate to the remote site with the same frequency that they are propagated within the source site, including changes that warrant urgent replication. 
From: Ayers, Diane Sent: Monday, November 17, 2003 5:02 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Inter-site Urgent replication We are at SP3. I've gone through most of those articles already. re-reading 232690 it does refer to my issue: "Windows 2000 enables change notifications to propagate across inter-site connections. This is administratively configured on each site-link. Enabling change notifications across site-links propagates all change notifications. This enables urgent changes and all other replication events to propagate to a remote site with the same frequency as within the source site." I can't find anymore info on "Enabling change notifications" other than "ignore replication schedule" on the IP transport. Doh! Diane From: Fuller, Stuart [mailto:[EMAIL PROTECTED] Sent: Monday, November 17, 2003 4:12 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Inter-site Urgent replication Diane, What service pack level are you at? A lot of fixes for password lockout and urgent replication were put into SP3 andmore in SP4. The following MS articles may be relevant to your question: Urgent Replication Triggers in Windows 2000 - http://support.microsoft.com/?kbid=232690 Account Unlocks and Manual Password Expirations Are Not Replicated Urgently - http://support.microsoft.com/?kbid=306133 Service Packs and Hotfixes that are available to resolve account lockout issues - http://support.microsoft.com/?kbid=817701 If you are having a lot ofaccount lockout issues, this web cast is"must see TV" - http://support.microsoft.com/?kbid=813500 Cheers, Stuart From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Monday, November 17, 2003 4:42 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Inter-site Urgent replication Hi Diane, My understanding (haven't tried it myself) is that urgent intersite replication observes the intersite replication schedule. 
You can work around this by enabling intersite notifications, but then that effectively circumvents any replication schedule. That's my understanding anyway. -gil -----Original Message- From: Ayers, Diane [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane Sent: Monday, November 17, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: Inter-site Urgent replication Greetings In an effort to localize our authentication traffic, we recently implemented a multi-site configuration moving away from our single mega-site (single domain). All DCs are on high bandwidth links but we are trying to reduce authentication across the WAN. All inter-site transports are configured for a maximum replication frequency (15 minutes). An assumption on my part (and probably erroneous) is that urgent replication triggers such as account lockouts will still bypass inter-site replication schedules and be replicated to all DCs in the domain. We're getting a smattering of reports that the events such as account lockouts are not getting replicated quickly. Putting 2
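The ADSI Edit procedure quoted in the thread above (enable change notification by OR-ing 1 into the site link's options attribute) can also be scripted. The following is an added example, not part of the original messages; it assumes the ActiveDirectory PowerShell module is available, and the site link name `HQ-Branch` is a hypothetical placeholder.

```powershell
# Added example: enable inter-site change notification on one IP site link by
# setting bit 0x1 of its "options" attribute while preserving any bits that
# are already set (the BITWISE-OR step from the quoted procedure).
# Run with -WhatIf first to see the change without writing it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SiteLinkName = 'HQ-Branch'   # hypothetical site link name
)

Import-Module ActiveDirectory

$USE_NOTIFY = 0x1   # change-notification bit ("type 1" in the procedure)

# IP site links live under CN=IP,CN=Inter-Site Transports in the
# Configuration partition. SMTP links are deliberately not searched.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

$link = Get-ADObject -SearchBase $searchBase -SearchScope OneLevel `
            -LDAPFilter "(&(objectClass=siteLink)(cn=$SiteLinkName))" `
            -Properties options
if (-not $link) {
    throw "Site link '$SiteLinkName' not found under $searchBase"
}

# "not set" in ADSI Edit means the attribute is absent; treat that as 0.
$old = if ($null -ne $link.options) { [int]$link.options } else { 0 }
$new = $old -bor $USE_NOTIFY    # e.g. 2 (0010) OR 1 (0001) = 3 (0011)

if ($new -eq $old) {
    Write-Output "options=$old already includes change notification; no change made."
    return
}

if ($PSCmdlet.ShouldProcess($link.DistinguishedName, "set options $old -> $new")) {
    Set-ADObject -Identity $link -Replace @{ options = $new }

    # Read the value back so the change is confirmed rather than assumed.
    $check = Get-ADObject -Identity $link.DistinguishedName -Properties options
    Write-Output ("{0}: options {1} -> {2}" -f $check.Name, $old, $check.options)
}
```

Because the setting makes every change on that link notify immediately, recording the old value before the write gives a clean way to roll back if the extra replication traffic is not acceptable.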
RE: [ActiveDir] NTDIS Size
Breaking the DB, logs and SysVol into separate logical partitions on the same physical spindles doesn't buy you much. You're still sharing the same spindles, head and I/O amongst the three logical partitions. I'd just create a D: volume and be done with it but that's just my opinion. Diane From: George Arezina [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 14, 2003 2:33 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] NTDIS Size Unfortunately, Management wants us to abide by their budget for the year. Therefore, we have to be within budget goals when it comes to spending money on hardware. How about this hdd configuration: First Mirror: System Partition (18GB) Second Mirror: 72GB broken into D, E, F volumes. Database location: D:\NTDS Log location: E:\NTDS SYSVOL Location: F:\SYSVOL From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nadalin, Oliver (REA - AUS) Sent: Tuesday, October 14, 2003 11:15 AM To: '[EMAIL PROTECTED]' you could probably have the AD DB log files on a separate mirror - if your budget allows it. -Original Message- From: George Arezina [mailto:[EMAIL PROTECTED] Sent: Tuesday, 14 October 2003 7:00 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] NTDIS Size Hi people, Can someone please confirm that I have given enough GB for 1500 users in my AD database? I plan to install two mirrored drives on my server. One Mirror will be the system partition (18GB) and the second mirror will be 72GB where my ndts.dit database will be located. Thanks George Arezina BA, A+, Net+, MCSE 2000 Information Technology Consultant National Bank of Serbia Pop Lukina 7-9, 11000 Belgrade. E-mail: [EMAIL PROTECTED] Phone:+381 (11) 3202-474 GSM: +381 (63) 342-321 This e-mail is for the use of the intended recipient(s) only. If you have received this e-mail in error, please notify the sender immediately and then delete it. If you are not the intended recipient, you must not use, disclose or distribute this e-mail without the author's permission. 
We have taken precautions to minimise the risk of transmitting software viruses, but we advise you to carry out your own virus checks on any attachment to this e-mail. We cannot accept liability for any loss or damage caused by software viruses.
RE: [ActiveDir] Editing directory permissions
Title: Message If you want a GUI, I recommend "Security Explorer" from Small Wonders. I've found it to be very useful at times Diane http://www.smallwonders.com/SecurityExplorer.htm -Original Message-From: Abbiss, Mark [mailto:[EMAIL PROTECTED]Sent: Wednesday, September 17, 2003 2:55 AMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] Editing directory permissions Please can anyone recommend a good utility (not xcacls) that will help me add additional security permissons to a directory structure on one of our W2K servers. I want the existing ACL info to remain but want to append another set. Many thanks, Mark
RE: [ActiveDir] Windows 2003 DC issue
Title: Message We use a type of ACL for our Bind stuff. Only our DCs have the "rights" to do dynamic updates to our AD zoneon the bind server. Other hosts are updated in DNS via the DHCP server (Cisco) or other processes. The access rights are based on the source IP address. Not 100% secure but it has worked well for us so far (knock on wood). DCs are still at Win2K. Diane -Original Message-From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]Sent: Wednesday, September 10, 2003 3:35 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Windows 2003 DC issue Does BIND provide for ACLs on RRs? I didn't know that... -g Gil KirkpatrickCTO, NetPro -Original Message-From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 10, 2003 12:40 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Windows 2003 DC issue While you're checking that, you might also want to check that your new server is not prevented from creating new records by ACLs on the BIND server. Should show in the logs, but it would be good to check. Al -Original Message-From: Chris Flesher [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 10, 2003 12:18 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Windows 2003 DC issue Same Bind server. Unfortunately, I don't run the Bind server. I'll talk with the powers that be and get a response if anything looked weird. Did not run NETMON, but will to see more. Thanks for the leads. I'll let you know how it goes. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil KirkpatrickSent: Wednesday, September 10, 2003 11:12 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Windows 2003 DC issue The only change in 2003 re SRV publication that I can recall is that the default update interval is 15 minutes in W2K3 vs. 60 minutes in W2K. Some questions: Is it the same BIND server that worked with W2K? Did you check the BIND logs? And if there was nothing there, did you run NETMON or some other network trace program? 
-gil -Original Message-From: Chris Flesher [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 10, 2003 7:43 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Windows 2003 DC issue We started playing with 2003 in our test environment. We came across a problem with how dynamic updates are done on 2003. Dynamic updates are done on a Sun Bind server. For some reason, the SRV records would not update on the Bind server. However, we can do dynamic update on 2000 DC to theBind DNS. I'm just wondering if there is somethingnew in 2003 with regards to how SRV records are created? Or maybe I'm just missing something completely. Any ideas would be appreciated. We ended up using 2003 DNS for the DC's. That worked, but isn't a representation of how production will be. Chris Flesher The University of Chicago NSIT/DCS 1-773-834-8477
RE: [ActiveDir] Adding machines to OU directly
I couldn't help but laugh reading this. How true. In our internal documentation, we describe this setting and that they need to change when setting up computer accounts. We even have a huge screenshot with red circles and big arrows highlighting the point. I still get calls on "not being able to join the domain" Sigh...

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 11:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly

When your junior lads create the computer account in the correct OU, are they changing the field "The following user or group can join this computer to a domain"? This defaults to Domain Admins, and IIRC they'll need to change it to their own account or a security group that they're a member of. Hunter

From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 10:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly

So correct me if I am wrong but what you are saying is that even though I have given them the right over the OU to add computer objects I would still have to go to the Domain Policy and specify the groups that can add workstations to the domain?

From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 18:20 PM
To: [EMAIL PROTECTED]

Hmmm, what error? When the computer joins the domain?... I wonder if it is a permissions issue on the "join domain" part. The user actually joining from the computer needs to have that right; this can be done through GP. The right is given by default with the msDsMachineAccountQuota. Every user, by default, can add 10 computers to the domain; if this has been turned off or the 10 limit has been reached, you need to give the rights out for individuals to 'Join Computers to Domain'... Kevin

From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 12:01 PM
To: '[EMAIL PROTECTED]'

Well seeing this discussion has started I would like to throw a curve ball. In my environment I have chosen the route to train the junior lads into pre-creating the computer account into the relative OU. I have delegated the following permission over "Computer Objects" to "Add and Remove computer objects". The problem I am experiencing is that if the computer account already exists in the OU the error received is "access Denied". Thanks in advance Yusuf

From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 17:14 PM
To: [EMAIL PROTECTED]

You don't need to give them account operator rights. You give them 'specific' delegated rights. There could be some complex solutions that involve automating the process of looking through the computers container and moving computer accounts to the appropriate container (that is if you know the appropriate container via a name designation or something). This can be automated and scheduled but if you are too understaffed I doubt you will be able to find the time to develop this kind of solution. To have full functionality to address some of the complexities of AD management easily you will probably want to evaluate third-party administrative tools. (<plug>Oh, yeah, my company has one.</plug>) Kevin Sullivan Aelita Software www.aelita.com

From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 11:07 AM
To: [EMAIL PROTECTED]

I saw that out on Technet. That's great as long as there is a person/group to handle that. We are understaffed and are looking for the OU admins to take care of this without giving them Account Operator rights. Chris Flesher The University of Chicago NSIT/DCS 1-773-834-8477

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rakes, Brandon A. NMIMC Contractor
Sent: Wednesday, July 16, 2003 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly

The way we have done it is to delegate administrative rights to the OU and then create the computer account in that OU first and then add the computer. If there is another way to automatically make it go in the desired OU I would love to hear how. Brandon

-Original Message-
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Adding machines to OU directly

Is there a way to delegate to a user the right to not only add machines to a domain, but place the user into the OU of their choice? I'm looking for an easy way to allow OU administrators to add machines and then
RE: [ActiveDir] AD, Logon times Custom messages
I still prefer the upgraded version, bIg stIck® Diane

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 7:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

I ordered 10 StIcK's (tm) and they work great. I name my StIck's for the special purposes they serve. The best thing is one size fits all! Toddler

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 8:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The StIcK(tm) is a wonderful tool for addressing those issues which aren't quite technological in nature. It's generally applied, somewhat liberally, by a trained professional. Roger -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message-
From: Mr Clark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 7:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

And what, exactly would be StIck? How would ISA server, or a web filter program change/customize the logon message? Thanks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, July 08, 2003 06:43
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The right tool for this job might just be the StIcK(tm) ;) Roger -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 1:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The right tool for the right job. I do not think the place you are looking at is the right place for this job. May I suggest ISA server, or similar web filter programs. HTH Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Roger Seielstad
Sent: Mon 7/7/2003 8:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The reject should be logged automatically, but I haven't checked for sure -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message-
From: Mr Clark [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

Well, I just wanted to customize the message for my kids when they try to *sneak* on the computer during the middle of the night. :) As another thought, is there a way to "log" when someone tries to sign on at a restricted time? Charlie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Monday, July 07, 2003 09:43
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

Best guess is that you cannot modify the message. As is pretty much standard for that type of message in Microsoft products, it's coded into a DLL, and the only supportable way to do that would be to engage Microsoft Consulting Services to modify the DLL. However, since I believe that's part of the LSASS process on the client, and that gets patched somewhat regularly by service packs, etc, you'd have to re-engage them for every new service pack. IMO, it's not worth it. What are you trying to accomplish? -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message-
From: Mr Clark [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 9:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD, Logon times
RE: [ActiveDir] Domain Rename
Jan: I was browsing the Win2K tools page and saw this. Not sure if you've seen these or not. Windows Server 2003 Domain Rename Tools http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx Diane

-Original Message-
From: Jan Wilson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 4:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Rename

As it happens to many we need to rename our W2K domain. Our plan is to upgrade our DCs to W3K then rename. Has anyone ventured down this road (to hell) yet? The amount of work looks daunting! Thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Domain Rename
<thread hijack> H Out of curiosity, has anyone moved their production domains to Win2K Forest Functional Mode yet? Diane </thread hijack>

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 5:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Rename

Jan, Key point is that you must be in Windows Server 2003 Forest Functional Mode - only W2k3 DCs in the forest. It's not anywhere near as bad as it looks. Not anywhere as daunting as the road to Windows 2000 Native Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
Sent: Tuesday, July 01, 2003 6:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Rename

As it happens to many we need to rename our W2K domain. Our plan is to upgrade our DCs to W3K then rename. Has anyone ventured down this road (to hell) yet? The amount of work looks daunting! Thanks
RE: [ActiveDir] Updating pwdLastSet
IIRC, that is not a writeable attribute. We went through a similar exercise and found that we could not change that attribute. Diane

-Original Message-
From: Rex Wheeler [mailto:[EMAIL PROTECTED]
Sent: Monday, June 16, 2003 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Updating pwdLastSet

We are doing some integration work allowing other platforms (unix) to authenticate against Active Directory. We have succeeded in making this happen but are running into testing challenges. We would like to be able to write test scripts to verify that account and password expiration logic is working correctly. For example we want to test that if you have a policy that says you must change your password every 30 days and you last changed your password 25 days ago, you should get a warning message saying that you have 5 days to change your password. The problem is that we can't seem to update the pwdLastSet attribute. How can the value of this attribute be set? If it can not, does anyone have any ideas how to test such expiration logic without spending days of wall clock time? Thanks, Rex
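One way to test the expiration logic asked about in this thread without waiting on the wall clock is to make the current time an input to the check. The Python sketch below is an added example, not code from any poster: the function names and the 14-day warning window are assumptions, and the sample values in the test are constructed. It follows the documented encoding of pwdLastSet (100 ns ticks since 1601-01-01 UTC) and maxPwdAge (a negative tick count).

```python
"""Added example: AD password-expiry arithmetic with an injectable clock."""
import math
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000        # pwdLastSet and maxPwdAge count 100 ns ticks
UF_DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl bit
MAX_PWD_AGE_NEVER = -(2 ** 63)       # maxPwdAge value meaning "never expires"


def filetime_to_datetime(ticks):
    """Convert a FILETIME-style tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Convert an aware datetime to 100 ns ticks since 1601-01-01 UTC."""
    delta = moment - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def password_status(pwd_last_set, max_pwd_age, user_account_control,
                    now, warn_days=14):
    """Classify an account's password age at the supplied instant `now`.

    Returns (state, days_left) where state is one of
    "never_expires", "must_change", "expired", "warn", "ok".
    `now` is a parameter so a test can simulate any date.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return ("never_expires", None)
    if pwd_last_set == 0:
        # 0 means the user must change the password at next logon.
        return ("must_change", 0)
    if max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        # Both values are treated here as "no maximum age" in the policy.
        return ("never_expires", None)

    lifetime = timedelta(microseconds=(-max_pwd_age) // 10)
    remaining = filetime_to_datetime(pwd_last_set) + lifetime - now
    if remaining <= timedelta(0):
        return ("expired", 0)
    # Round partial days up so "4 days 3 hours" is reported as 5 days.
    days_left = math.ceil(remaining / timedelta(days=1))
    state = "warn" if days_left <= warn_days else "ok"
    return (state, days_left)


def days_to_max_pwd_age(days):
    """Build the negative tick value a policy of `days` days would store."""
    return -days * 86400 * TICKS_PER_SECOND
```

A test script can hold the directory values fixed and move `now` forward, which covers the warning, expired and must-change branches in one run.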
RE: [ActiveDir] OT- Quest Fastlane tools (maybe not OT?)
Stephen: We have gone through an evaluation of products including the ActiveRoles and Migrator tools. Contact me off list and I can give you some input on what we found. Diane Ayers Team Lead, System Server Support Pacific Gas Electric Co. Sacramento/San Francisco

-Original Message-
From: Wilkinson, Stephen (DrKW) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 8:15 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT- Quest Fastlane tools (maybe not OT?)

Does anyone have any feedback - positive and negative - on using Active Roles and Migrator from Quest software. We are looking at these products for migrating from a complex NT4 model and further ongoing security admin of the AD. At a cost of around $20 per user and 8000 users this is a large cost - we are really interested if people have had good or bad experiences with these tools during a migration and day-to-day operations. Fyi we are migrating NT4-Win2k3 (no upgrade - building separate Win2k3 single forest single domain) and not worrying about exchange (stay on 5.5 until next year). Thanks Stephen Wilkinson Extension 59276 DDI +44(0)207 4759276 Mobile +44(0)7973 143970 E-Mail: [EMAIL PROTECTED]

-- If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.drkw.com/disc/email/ or contact the sender. --
RE: [ActiveDir] AD/Exchange Question
One forest = One exchange Org irregardless of the domains within the forest. Diane

-Original Message-
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 6:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD/Exchange Question

My company is getting ready to migrate to Windows 2003 Active Directory from NT 4.0. Our design is to have separate trees in the enterprise forest. Do we have to have separate Exchange Organizations or is there a work around to still have one?
RE: [ActiveDir] admt v2.0
Hmm... We just did a test and migrated accounts w/ passwords without configuring the PES servers for the source NT 4.0 domain. We verified that the accounts were migrated w/ passwords intact. Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Wednesday, February 19, 2003 12:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] admt v2.0

Graham, Diane The PES is required if you want to migrate passwords from NT4 to W2K. It can be installed on NT4 BDCs or PDCs, although the PDC is generally preferable as ADMT talks to it anyway. The controller running the PES must have the high encryption pack installed. Tony

-- Original Message --
From: Ayers, Diane [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 18 Feb 2003 14:56:56 -0800

Graham: The password export server is only required for migration of accounts from Win2K to Win2K. It is not required for NT 4.0 to Win2K migrations. Diane

-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 10:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] admt v2.0

Dear All, have picked up many useful pointers towards a version of ADMT v2.0 that is shipped with .NET RC1 (i think). keen to research the use of password export server and the processes of password migration which is new to v2.0 on the basis of planned migration from a source NT4 domain to Win2k, have reviewed the Technet document Chapter 9: migration of Windows NT4.0 account domain to AD presumably this documents ADMT v1.0 and as such does not indicate any configuration relating to pwd migration at what at the moment is an educated guess any options (???) for pwd migration would be available from the password options dialog ?? any info on the operation of the password export server would be well received - Technet seems a bit thin on searches for this, and the readme.doc with ADMT2 is a bit brief - NO real specific questions here sorry ! it does also document issues with the migration of local user profiles - any further confirmed instances of this
RE: [ActiveDir] admt v2.0
Graham: The password export server is only required for migration of accounts from Win2K to Win2K. It is not required for NT 4.0 to Win2K migrations. Diane

-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 10:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] admt v2.0

Dear All, have picked up many useful pointers towards a version of ADMT v2.0 that is shipped with .NET RC1 (i think). keen to research the use of password export server and the processes of password migration which is new to v2.0 on the basis of planned migration from a source NT4 domain to Win2k, have reviewed the Technet document Chapter 9: migration of Windows NT4.0 account domain to AD presumably this documents ADMT v1.0 and as such does not indicate any configuration relating to pwd migration at what at the moment is an educated guess any options (???) for pwd migration would be available from the password options dialog ?? any info on the operation of the password export server would be well received - Technet seems a bit thin on searches for this, and the readme.doc with ADMT2 is a bit brief - NO real specific questions here sorry ! it does also document issues with the migration of local user profiles - any further confirmed instances of this
RE: [ActiveDir] Authentication ?
Ditto for us. Heavily mixed environment (~20K users) with no impact from going native. Go for it :-) Diane

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 8:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?

We had no issues when we went native...similar situation: Single domain, lots of NT4 clients and member servers, as well as W2K clients and member servers. A month or so after the last of the NT4 BDCs was removed, we made the switch with no complaints. This domain had been upgraded from NT4 back in 2000, so there's all kinds of old stuff on it. YMMV if your old stuff is not similar to our old stuff, but that was our experience. Dave

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 10:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authentication ?

Let me clear up my question! I have NO 4.0 BDCs, All Win2k DC's, but have a lot of legacy clients and applications. Switching to native mode, I'm assuming should have NO impact on these applications or systems.

-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?

Unless I am reading his email wrong - - - He is considering going to NATIVE mode which means one of two things:
He already HAS Win2K Srv and a few 2k servers on the wire
He is planning to purchase WIN2K Srv
In EITHER case (which is just assumed since he is considering migrating) he would still have to RUN DCPROMO to upgrade the PDC and BDCs or make them member servers or remove them from the domain. Don - we haven't heard from you since you opened the thread - - please let us know what is the case so we can stop bickering and help you. Guys - - I am not trying to argue - - unfortunately vocal inflection and tone just don't translate well via email - - - my apologies if it appears as if I'm yelling or picking a fight.

-Original Message-
From: Kevin Gent [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 11:13 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Authentication ?

The only way his NT 4 PDCs and BDCs are going to become DCs in a Win2K domain is to purchase W2K and upgrade them.

- Original Message -
From: Craig Cerino
To: [EMAIL PROTECTED]
Sent: Thursday, January 16, 2003 8:07 AM
Subject: RE: [ActiveDir] Authentication ?

Right - - but if he wants to keep what used to be his PDC and BDC's in the loop they will either have to be made DCs by running DCPROMO - - or get them out of the replication loop by making them member servers or removing them from the domain

-Original Message-
From: EALES, Jack - FPIL [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 7:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authentication ?

switching to native mode means having NO more NT4.0 BDC's... that's when it becomes a Native domain - rather than mixed...

-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: 16 January 2003 12:41
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?

If you run DCPROMO on them and make them a DC they will. Which you'll have to do anyway or downgrade them to member servers

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 7:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Authentication ?

Considering switching to native mode within a month. Is there any difference in authentication methods in native mode than mixed? For some reason there seems to be a debate around my company about some applications may be affected? It's my understanding that
RE: [ActiveDir] AD restore to dissimilar hardware
Is this the only DC you have? If not, why don't you just build a new box and run DCpromo to make it a DC with new data replicated from your other DCs? Diane

-Original Message-
From: osman filiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 07, 2003 5:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD restore to dissimilar hardware

i have read this document and i apply the steps i repaired the windows but still there is blue screen...

From: Jimmy Andersson [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD restore to dissimilar hardware
Date: Tue, 7 Jan 2003 13:59:23 +0100

Disaster Recovery of Active Directory on Dissimilar Hardware: http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q263532; Regards, /Jimmy -- Jimmy Andersson, Q Advice AB Microsoft MVP - Active Directory www.qadvice.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of osman filiz
Sent: Tuesday, January 07, 2003 1:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD restore to dissimilar hardware

Hi, I have one domain controller that has hardware problem about RAID Card; now i cannot fix it and i want to restore active directory to another pc with IDE controller. But i can't... After restoring active directory it gives the blue screen message while startup : 0x007B INACCESSIBLE BOOT DEVICE. Is it possible to restore AD to dissimilar hard disk controller platform? Any comment?
RE: [ActiveDir] ADMT 2.0
Even though ADMT is on the .Net RC CD, the tool itself (IIRC) is not a beta version. Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brad Martin
Sent: Monday, December 23, 2002 7:55 AM
To: Active Directory Mailing List
Subject: [ActiveDir] ADMT 2.0

Anyone know where I can find a beta version of Microsoft Active Directory Migration Tool 2.0? I'm doing an upgrade/migration at the end of this week (nothing like a last minute deployment) and it would be really useful to have it. Thanks. Brad Martin Go Daddy Software [EMAIL PROTECTED] 480.505.8800 ext. 250
RE: [ActiveDir] Script to find last logged on date
How about this? http://cwashington.netreach.net/depo/view.asp?Index=717ScriptType=vbscript

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Byrne, Steve
Sent: Monday, December 16, 2002 6:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Script to find last logged on date

Hi, I'm looking for a way to find user accounts that have not been used for more than 6 months. Does anyone know where I can find a script to do this? Thanks, SB
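The search asked about in this thread has one trap worth showing: the lastLogon attribute is not replicated, so each domain controller holds its own value and the newest one across all DCs has to be taken. The Python sketch below is an added example, not the script linked above; the function names, the 180-day reading of "6 months", the DC and account names and every sample value are constructed assumptions, and the attribute values are supplied as plain dictionaries rather than read from a directory.

```python
"""Added example: flag stale accounts from per-DC lastLogon values."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x2   # userAccountControl bit for a disabled account


def to_filetime(moment):
    """Aware datetime -> 100 ns ticks since 1601-01-01 UTC."""
    return int((moment - FILETIME_EPOCH).total_seconds()) * 10_000_000


def from_filetime(ticks):
    """100 ns ticks since 1601-01-01 UTC -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def newest_logon(per_dc_last_logon):
    """Merge {dc: {account: lastLogon}} keeping the highest value seen."""
    merged = {}
    for values in per_dc_last_logon.values():
        for account, ticks in values.items():
            merged[account] = max(ticks, merged.get(account, 0))
    return merged


def find_stale(accounts, per_dc_last_logon, now, max_idle_days=180):
    """Return [(account, last_logon_or_None, idle_days)] for enabled
    accounts idle longer than max_idle_days.

    An account that never logged on (lastLogon 0 or absent on every DC)
    is measured from whenCreated, so a freshly created account is not
    reported as stale.
    """
    cutoff = now - timedelta(days=max_idle_days)
    merged = newest_logon(per_dc_last_logon)
    stale = []
    for name, attrs in sorted(accounts.items()):
        if attrs["userAccountControl"] & UF_ACCOUNTDISABLE:
            continue  # already disabled, nothing further to flag
        ticks = merged.get(name, 0)
        last_seen = from_filetime(ticks) if ticks else None
        reference = last_seen or attrs["whenCreated"]
        if reference < cutoff:
            stale.append((name, last_seen, (now - reference).days))
    return stale


# Constructed sample data (not taken from the thread).
NOW = datetime(2002, 12, 16, tzinfo=timezone.utc)


def _ago(days):
    return NOW - timedelta(days=days)


SAMPLE_ACCOUNTS = {
    "alice": {"userAccountControl": 0x200, "whenCreated": _ago(900)},
    "bob":   {"userAccountControl": 0x200, "whenCreated": _ago(900)},
    "carol": {"userAccountControl": 0x200, "whenCreated": _ago(400)},
    "dave":  {"userAccountControl": 0x200, "whenCreated": _ago(5)},
    "erin":  {"userAccountControl": 0x202, "whenCreated": _ago(900)},
}
SAMPLE_LAST_LOGON = {
    "DC1": {"alice": to_filetime(_ago(300)), "bob": to_filetime(_ago(250)),
            "carol": 0, "erin": to_filetime(_ago(500))},
    "DC2": {"alice": to_filetime(_ago(10)), "bob": to_filetime(_ago(200)),
            "carol": 0, "dave": 0},
}

if __name__ == "__main__":
    for name, seen, idle in find_stale(SAMPLE_ACCOUNTS, SAMPLE_LAST_LOGON, NOW):
        print(name, seen.date() if seen else "never", idle)
```

In the sample, alice looks idle for 300 days on DC1 alone but logged on through DC2 ten days ago, which is why a single-DC query over-reports.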
RE: [ActiveDir] Anyone Heard of UltraBac?
We use Ultrabac in our org as our standard backup product for single server tape backup. We have been pretty happy with it as far as backup to tape goes. You can email me direct if you want more info. Diane

-Original Message-
From: Eric [mailto:Eric;ch13-12westtex.org]
Sent: Wednesday, November 13, 2002 1:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anyone Heard of UltraBac?

Supposedly it can perform a backup quicker than Veritas and the services for Exchange and SQL do not have to be stopped. Can anyone lend any feedback?
RE: [ActiveDir] OT: Exchange install
Our Exchange boxes have 4 GB of memory. Initial plan was to run standard version. Our first live box began generating memory fragmentation issues. Supposedly this was fixed in SP3 as per PSS but no go. The only fix was to upgrade to Advanced and use the /3gb switch in the boot.ini (only supported in advanced)

-Original Message-
From: Weston Rogers [mailto:wrogers;targettire.com]
Sent: Wednesday, November 13, 2002 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Exchange install

No, But from what I've heard, if you have over 3 gig of memory on the box and its going to run e2k, its recommended to install adv server, but I dunno how accurate that statement is.

-Original Message-
From: Sheri Brown [mailto:sbrown;c-s-d.org]
Sent: Wednesday, November 13, 2002 12:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange install

Do you have to have Windows 2000 Advanced Server to install Exchange? Sheri L. Brown, Systems Administrator CSD Headquarters -- Technology Department 102 North Krohn Place Sioux Falls, SD 57103 (605) 367-5760 ext 3202 [EMAIL PROTECTED]
RE: [ActiveDir] OT: Exchange install
That was our feeling too. It kicks up costs for both the OS and the monitoring layer since the monitoring ven-duh license was significantly higher for advanced server. Sigh

-Original Message-
From: Weston Rogers [mailto:wrogers;targettire.com]
Sent: Wednesday, November 13, 2002 12:26 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Exchange install

That's _GREAT_ to hear. My company isn't going to spend 8 g's to go to advanced server just because e2k won't run on our 3gb win2k servers. I only have 150 mailboxes on a NT box with like 96 mb of ram (lol) so hopefully by the time it gets errors I'll be long gone.

-Original Message-
From: Ayers, Diane [mailto:DMA8;pge.com]
Sent: Wednesday, November 13, 2002 2:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Exchange install

Our Exchange boxes have 4 GB of memory. Initial plan was to run standard version. Our first live box began generating memory fragmentation issues. Supposedly this was fixed in SP3 as per PSS but no go. The only fix was to upgrade to Advanced and use the /3gb switch in the boot.ini (only supported in advanced)

-Original Message-
From: Weston Rogers [mailto:wrogers;targettire.com]
Sent: Wednesday, November 13, 2002 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Exchange install

No, But from what I've heard, if you have over 3 gig of memory on the box and its going to run e2k, its recommended to install adv server, but I dunno how accurate that statement is.

-Original Message-
From: Sheri Brown [mailto:sbrown;c-s-d.org]
Sent: Wednesday, November 13, 2002 12:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange install

Do you have to have Windows 2000 Advanced Server to install Exchange? Sheri L. Brown, Systems Administrator CSD Headquarters -- Technology Department 102 North Krohn Place Sioux Falls, SD 57103 (605) 367-5760 ext 3202 [EMAIL PROTECTED]
RE: [ActiveDir] Question about Active Directory
Very early in our AD deployment we had one server reporting AD corruption. The other servers were OK. We simply demoted the server, waited for replication so that the server was removed from AD and re-promoted the server. At this point it got a new copy of the database and problem solved. Not that this would work for everyone due to bandwidth, etc, but seemed to work for us. Diane

-Original Message-
From: Tim HInes [mailto:nupe009;carolina.rr.com]
Sent: Tuesday, November 12, 2002 11:42 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Question about Active Directory

Yes it can. It is sometimes possible to repair it with ntdsutil or esentutl. see http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q315131 and http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q305500 Tim Hines, MCSA, MCSE (2000 NT4) MVP - Active Directory

- Original Message -
From: Eric [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 12, 2002 2:29 PM
Subject: [ActiveDir] Question about Active Directory

Can AD become corrupted? If so, can it be fixed with anything other than restoring from backup? Eric Etheredge, MCDBA Systems Manager Office of the Standing Trustee Walter O'Cheskey, Trustee Lubbock, Texas Trustee's Website: www.ch13-12westtex.org Case Information Website: www.trustee13.com

This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
RE: [ActiveDir] Psched error?
Are you running NetIQ AppManager agents on this box by chance?

-Original Message-
From: Chris J. Popp [mailto:chris.popp;sharpeengineering.com]
Sent: Thursday, November 07, 2002 12:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Psched error?

I am constantly getting the following in Win2K SP3's App Log. Time and date changes (of course) when it occurs:

Event Type: Error
Event Source: Perflib
Event Category: None
Event ID: 1008
Date: 11/7/2002
Time: 11:32:18 AM
User: N/A
Computer: PACKERS
Description: The Open Procedure for service PSched in DLL C:\WINNT\system32\pschdprf.dll failed. Performance data for this service will not be available. Status code returned is data DWORD 0.
Data: : 02 00 00 00

Any ideas? MS's site came up blank on this. Thanks, Chris