RE: [ActiveDir] [ActiveDir[OT]] Search Mailbox

2006-09-21 Thread Ayers, Diane



ExMerge allows you to search on certain parameters such as subject,
attachments, date/time, etc. It runs with privileged credentials to
access and search through the mailboxes. Downloadable from the MS
download page.

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, September 21, 2006 6:02 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Search Mailbox


Is there any way to search for 
messages within a mailbox without using Outlook in Exchange 2000; like using 
System Administrator?

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender,
disregard any content and remove it from your possession.



RE: [ActiveDir] Remove Defunct domains..

2006-08-02 Thread Ayers, Diane



dusting off old NT 4.0 sectors

Check your WINS database if you are using WINS. Part of the browsing
data comes from WINS and the database will tell you where those records
are coming from. You can address it via the hosts if it's coming from
there or clean up your WINS db.

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, August 02, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..


That's a browser function not something in AD. There's probably still
computers joined to those domains (even though they don't exist) or
computers in workgroups with the same names

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can 
remove the orphaned domains through NTDSUTIL. Doing a metadata 
cleanup.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available
networks, there are a few domains that appear that shouldn't. Is there
a way to remove these domain/domain entries manually? ADSI edit?

--
HBooGz:\



RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

2006-05-15 Thread Ayers, Diane



I'm getting the list at home and at 
work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via 
Exchange and MAPI is coming in blank. Both the non-SP standard builds of 
Outlook. Exchange is still @ E2K...

Diane



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I just verified and OWA is also throwing garbage characters 
on the end of the message and when looking at the raw stream it is the list 
banner.

How is O2K7 displaying it?

Anyone understand what the full spec for a message is and how to (or
if you can) mix MIME with plain text? I expect either the plain text
banner isn't allowed or the list software isn't modifying the header
properly for it to tell the clients to expect it.

 joe



Here is Al's message straight from POP without 
interpretation:


retr 39
+OK
Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211); Mon, 15 May 2006 16:44:34 -0400
Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwWM=
Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Message-ID: [EMAIL PROTECTED]
Date: Mon, 15 May 2006 16:38:12 -0400
From: "Al Mulnick" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
In-Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64
Content-Disposition: inline
References: [EMAIL PROTECTED]
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/






--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 7:28 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Al is sending from GMAIL.

It appears that GMAIL is mime encoding the messages, and 
then the list attaches the plain text banner on it and the whole decodes 
incorrectly. Outlook pre-2007 pukes (probably exceptions out of the rendering 
phase) and OWA, O2K7, and Thunderbird seem to read it fine but with the 
possibility of bad characters. If I had to guess, I would guess the bad 
characters are the plain text banner being decoded as MIME.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, May 15, 2006 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?

What about the origin - are they created using OL2k7? If so must be a
new bug - I was using a bit older version for quite a while (and
everything was readable), but it almost corrupted my mailstore - so I
switched temporarily back.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
  Sent: Tuesday, May 16, 2006 12:10 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is there a way to force users

RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

2006-05-15 Thread Ayers, Diane



The POP3 is just via my local Telco 
ISP (not a major Telco). I'm not sure what they are using but it's not 
Exchange. Mirapoint MOS 3.7.0-GA is what I glean from the headers but I'm 
not familiar with it.

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Interesting, for the O2K3 via POP3 what is the backend? I 
am doing O2K3 via POP3 backended into Exchange 2003 and getting the blanks. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Monday, May 15, 2006 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I'm getting the list at home and at 
work. Outlook 2K3 via POP3 is coming in fine. Outlook 2K3 via 
Exchange and MAPI is coming in blank. Both the non-SP standard builds of 
Outlook. Exchange is still @ E2K...

Diane



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

I just verified and OWA is also throwing garbage characters 
on the end of the message and when looking at the raw stream it is the list 
banner.

How is O2K7 displaying it?

Anyone understand what the full spec for a message is and how to (or
if you can) mix MIME with plain text? I expect either the plain text
banner isn't allowed or the list software isn't modifying the header
properly for it to tell the clients to expect it.

 joe



Here is Al's message straight from POP without 
interpretation:


retr 39
+OK
Received: from mail.activedir.org ([12.168.66.190]) by mbx01.joeware.local with Microsoft SMTPSVC(6.0.3790.211); Mon, 15 May 2006 16:44:34 -0400
Received: from wr-out-0506.google.com [64.233.184.234] by mail.activedir.org with ESMTP (SMTPD32-8.15) id A6B67EC012E; Mon, 15 May 2006 16:38:14 -0400
Received: by wr-out-0506.google.com with SMTP id i30so871233wra for ActiveDir@mail.activedir.org; Mon, 15 May 2006 13:38:12 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=otNmqTOJtu6h3lzy946aXK9yGTM5JFr0xZLRCRvkC4134GXBlEVFGTm01oR6Q0alNwcgsKlCdGaf7Oc0P7XzMRmR5td5nR1iLsJQ+rx/bxz1c1RTzynDUZSfLeogbMBIzdfTwsmUbAV2+gfnxk19fHg0GT0mFn8dk97+KotFwWM=
Received: by 10.64.10.15 with SMTP id 15mr2454953qbj; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Received: by 10.65.253.12 with HTTP; Mon, 15 May 2006 13:38:12 -0700 (PDT)
Message-ID: [EMAIL PROTECTED]
Date: Mon, 15 May 2006 16:38:12 -0400
From: "Al Mulnick" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
In-Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64
Content-Disposition: inline
References: [EMAIL PROTECTED]
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 15 May 2006 20:44:34.0134 (UTC) FILETIME=[5F845760:01C67860]

SSB0aGluayB5b3UndmUgc2VlbiBzZXZlcmFsIHdheXMgb2YgYWNoaWV2aW5nIHNvbWV0aGluZyBzaW1pbGFyIHRvCndoYXQgeW91J3ZlIGFza2VkIGZvci4gIEJ1dCBJJ20gY3VyaW91cyBhcyB0byB3aGF0IHlvdSByZWFsbHkgd2FudCB0bwphY2NvbXBsaXNoLiAgWW91J3ZlIHB1dCBzb21ldGhpbmcgdmVyeSBzcGVjaWZpYywgYnV0IHdoYXQgbWFrZXMgeW91CndhbnQgdG8gZm9yY2UgdGhlIGxvZ29uPyAgV2hhdCdzIHRoZSBiYWNrc3Rvcnk/CgpBbAoKT24gNS8xNS8wNiwgSm9lIExhZ3JlY2EgPGxhZ3JlY2FAZ21haWwuY29tPiB3cm90ZToKPiBJcyB0aGVyZSBhIHdheSB0byBmb3JjZSB1c2VycyB0byBsb2dvbiB0byBkb21haW4sIG9yIHRvIGRpc2FibGUgbG9naW5nIGludG8KPiBsb2NhbCBjb21wdXRlciBhY2NvdW50cyB2aWEgR1BPPwo+Cj4gVGhhbmtzLgo+Cg==List 
info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/






--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 7:28 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir][OT] Is there a way to force users to logon to domain?

Al is sending from GMAIL.

It appears that GMAIL is mime encoding the messages, and 
then the list attaches the plain text banner on it and the whole decodes 
incorrectly. Outlook pre-2007 pukes (probably exceptions out of the rendering 
phase) and OWA, O2K7, and Thunderbird seem to read it fine but with the 
possibility of bad characters. If I had to guess, I would guess the bad 
characters are the plain text banner being decoded as MIME.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
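
The failure discussed in this thread (a plain-text list banner appended to a body that the headers declare as base64), as an added example that is not part of the original messages. The sample message, its addresses and the `lenient_render` model of a tolerant mail client are constructed assumptions; only the banner text comes from the thread.

```python
import base64
import binascii
import email

B64_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)

# Banner text as it appears in the list footer quoted in the thread.
BANNER = (
    "List info   : http://www.activedir.org/List.aspx\n"
    "List FAQ    : http://www.activedir.org/ListFAQ.aspx\n"
)

# Constructed sample body (not the real message from the thread).
SAMPLE_BODY = "What are you really trying to accomplish?\n\nAl\n"


def build_message(body_text):
    """Constructed text/plain message whose body is base64-encoded."""
    encoded = base64.encodebytes(body_text.encode("utf-8")).decode("ascii")
    return (
        "From: sender@example.com\n"
        "To: list@example.org\n"
        "Subject: sample\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=UTF-8\n"
        "Content-Transfer-Encoding: base64\n"
        "\n" + encoded
    )


def naive_append(raw, banner):
    """Suspected list behaviour: tack plain text onto the encoded body
    without touching Content-Transfer-Encoding."""
    return raw + banner


def body_is_valid_base64(raw):
    """Check a receiver (or the list software) can run: does the body
    really consist only of base64 when the header says it does?"""
    msg = email.message_from_string(raw)
    if (msg.get("Content-Transfer-Encoding") or "").lower() != "base64":
        return True  # nothing to validate for identity encodings
    compact = "".join(msg.get_payload().split())
    try:
        base64.b64decode(compact, validate=True)
        return True
    except binascii.Error:
        return False


def lenient_render(raw):
    """Model of a tolerant client: trust the header, drop every character
    outside the base64 alphabet, decode whatever remains."""
    msg = email.message_from_string(raw)
    chars = [c for c in msg.get_payload() if c in B64_CHARS]
    chars = chars[: len(chars) - len(chars) % 4]  # keep whole quads only
    data = base64.b64decode("".join(chars))
    return data.decode("utf-8", errors="replace")


def append_banner_correctly(raw, banner):
    """Decode the body, append the banner to the text, re-encode with the
    transfer encoding the headers already announce."""
    msg = email.message_from_string(raw)
    cte = (msg.get("Content-Transfer-Encoding") or "7bit").lower()
    charset = msg.get_content_charset() or "us-ascii"
    if cte == "base64":
        text = base64.b64decode(msg.get_payload()).decode(charset)
        combined = (text + banner).encode(charset)
        msg.set_payload(base64.encodebytes(combined).decode("ascii"))
    elif cte in ("7bit", "8bit"):
        msg.set_payload(msg.get_payload() + banner)
    else:
        raise ValueError("unhandled transfer encoding: " + cte)
    return msg.as_string()


def strict_decode(raw):
    """Decode a base64 body, rejecting anything that is not base64."""
    msg = email.message_from_string(raw)
    charset = msg.get_content_charset() or "us-ascii"
    compact = "".join(msg.get_payload().split())
    return base64.b64decode(compact, validate=True).decode(charset)


if __name__ == "__main__":
    original = build_message(SAMPLE_BODY)
    broken = naive_append(original, BANNER)
    print("broken body valid base64:", body_is_valid_base64(broken))
    print("tolerant client shows:", repr(lenient_render(broken)))
    fixed = append_banner_correctly(original, BANNER)
    print("fixed body decodes to:", repr(strict_decode(fixed)))
```

In the tolerant model the original text survives and the banner turns into trailing garbage; a strict decoder instead rejects the whole body, which matches the split between clients reported in the thread.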





RE: [ActiveDir] Quiet? DEC? Related?

2006-03-29 Thread Ayers, Diane



Maybe we should ask a question on the 
merits of doubling down on an 11 when the dealer has a face card 
showing... :-)

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, March 29, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?


Don't worry we're still 
here.. ;-)



Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server- Directory Services


LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address


From: [EMAIL PROTECTED] on behalf of Moon, Brendan
Sent: Wed 2006-03-29 19:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quiet? DEC? Related?

Hmm.. everyone must be 
having fun at DEC... this list has been very quiet this 
week!

- Brendan 
Moon



RE: [ActiveDir] Single Sign-on

2006-01-29 Thread Ayers, Diane



Russ:

We are pursuing a "reduced" sign on environment as opposed to a single
sign on. Fortunately we've been able to leverage AD as our
"authoritative source" for IDs and passwords but due to the plethora of
heterogeneous applications, not all of them can leverage AD as the
authentication and authorization source.

In this context, reduced sign on is that the end user will use their AD
ID and password in the various enterprise applications but we are
purposely requiring the various applications "re-authenticate" the user
when the application is launched. We are doing this as opposed to
leveraging pass-through authentication for access rights. The thinking
is that this reduces risk to the various applications. For example if I
have access to a user's unlocked workstation, I can't launch the
financial system app and get access to info that I shouldn't. I would
get prompted again for credentials. Most of our enterprise apps are on
non-windows systems.

The reduced sign-on is part of an overall "identity management" goal for
our company so we did not target this specific item. The identity
management process encompasses various tools and software components. I
can give you more details off line if you wish.

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 29, 2006 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Single Sign-on

I think the part that I don't get is what your exact idea of SSO is, 
Russ. I mean, Active Directory is a great central authentication 
platform. It has other components that can be useful such as AzMan, ADAM, 
and WS*. But it wouldn't be much of a deal to cause your applications to use 
Active Directory as their authentication source instead of installing SSO 
software on them and using that. Then you'd have no out of pocket expense. 
Possibly. Depends greatly on what your requirements are in detail and what level 
of effort you want to expend. 

Al


On 1/29/06, Rodrigo Blanco [EMAIL PROTECTED] wrote:

Wiseguard is a cost-effective solution and integrates directly with AD.

Regards,
Rodrigo.

On 1/28/06, Rimmerman, Russ [EMAIL PROTECTED] wrote:

This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged. This e-mail should be read, copied,
disseminated and/or used only by the addressee. If you have received
this message in error please delete it, together with any attachments,
from your system.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] [List Owner] Mailing list is 5 today!

2006-01-13 Thread Ayers, Diane
16 more years and we can start drinking...  WooHoo..

My cranial capacity on AD has grown immensely through the sharing on the
list.  Thanks much to you and the members of the list.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, January 12, 2006 4:57 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [List Owner] Mailing list is 5 today!

Hi all

I started this list on 13th January 2001. Thanks to everyone out there
for making it a great place to hang out and learn about AD (and more
besides!).

Tony

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] remove logon script?

2005-12-05 Thread Ayers, Diane



Try ADmodify for a GUI 
tool...

Diane

http://tinyurl.com/5ruog


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, December 05, 2005 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove logon script?





How can I remove the logon.bat from all my user (2000+) accounts at one
time in my domain? I've switched to GPO for the logon scripts.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469





This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information. If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments. Thank You.


RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

2005-12-01 Thread Ayers, Diane
IIRC in the conversations that I had with MS around MONAD was that one
goal was intended to fix the issue of inconsistencies of the various
command line tools (different switches, piping options, etc.).  The
other goal was to ensure that every option that was available via the
GUI was exposed via the command line and vice versa.  In essence the GUI
was going to be an alternate way of generating the MONAD command line
entries.

One proposal was that you would be able to capture any GUI operations
into a MONAD command line script to facilitate batch operations.  Kind
of a scripting for dummies.. :-)

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, December 01, 2005 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

... so in the demo I saw the guy was calculating the number of days
between then and 12/31/2005. As I was watching him do all these command
lines... I'm thinkin' in my beancounter side of my brain... you know.. 
my cell phone has a calculator and I could have figured that number out
in half that time

:-)

What I'm looking forward to it for is that Exchange will have it and all
the lovely people that write wizards and tools and scripts and buttons
can use the power of it.

But yeah... it's a bit whoa..

joe wrote:

 Question of the day: If .Net = .Fat then does cmdlet = piglet?

 ROFL!
 Other than that, I agree, it is the replacement for a shell that is
 showing its age. On the positive side you can do some cool serialized
 piping (aka piping objects) instead of just piping text. Very
 powerful. On the negative side, it is pretty intense all around. It is
 going to scare some people. Plus there are concerns about how fat and
 slow it might be. I had a nice conversation with the Exchange Dev
 folks over at EHLO for instance concerning the MONAD way.

 --
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
 Sent: Thursday, December 01, 2005 1:08 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

 Speaking from my own personal discoveries

 In a nutshell, MONAD is supposed to be a new command line shell to
 replace the relatively stagnant CMD shell. As I understand it, MONAD
 offers the following capabilities above and beyond what CMD provides:

 * Ability to leverage system objects at the command line (interactive)
   as well as through a script.
 * Ability to leverage nearly anything exposed via the .Net Framework 2.0.
 * Enhanced security framework which by default only allows interactive
   input at the command line and blocks the running of scripts - allows
   provides intermediate levels for code signing of scripts from certain
   sources.
 * Provide support for WSH scripts
 * Provide an experience *similar* to that available in the most widely
   used *nix shells (Korn, Bourne, C)

 So let me now caveat the above by saying I have very little experience
 working with the MONAD shell (aka MSH). At the very least I can say
 that MONAD is more useful to me than WSH/VBScript since I am more
 comfortable with C# and as I can execute nearly every command (for
 testing purposes) from the command line as opposed to in the body of a
 script.

 To date, one of my favorite cmdlets is the get-member which 
 enumerates the properties, methods, and other relevant information 
 that you can use or squeeze out of a given object.

 So am I sold on it? Not exactly (it is still a little too much like
 programming) but I do think it is much better than what we have today 
 from a shell perspective.

 Question of the day: If .Net = .Fat then does cmdlet = piglet?

 Aric


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
 Sent: Thursday, December 01, 2005 6:55 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

 Just curious - what's MONAD's goal supposed to be, other than having
 an acronym that sounds like a military facility?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, December 01, 2005 9:15 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

 You know that the scriptomatic 2 HTA will create Perl script that does
 WMI right

 I am not a huge fan of WMI but there are times in the scripting world
 if you want to stick to pure script it is the only way to do what you
 want and I will use it if I don't have time (or ability as in the case
 of mailbox reconnects or getting info on what DCs are being used by
 DSACCESS) to write native code to do what I need.

 If you have perl in your pocket 

RE: [ActiveDir] Trusts.....

2005-11-28 Thread Ayers, Diane
You mention that it is a legacy trust.  I don't know how far back it goes
legacy wise but I ran into an issue where a legacy trust could not be
upgraded (modified) as the trust existed prior to upgrade (way back in NT
4.0 land) and the solution was to delete the trust entirely and recreate.  

There is a KB article on it which I don't have at my fingertips but the root
issue was that the legacy trust did not have the rights GUIDs to be
modified.  Not sure if this is the situation you are running into or not.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, November 28, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

Grr.  This thing won't budge.  I have implemented the settings from the
article below, but still no joy.  I will hopefully have missed something and
will re-check... watch this space.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: 28 November 2005 11:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

Found it...thanks...
http://support.microsoft.com/default.aspx?scid=kb;en-us;889030 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 25 November 2005 16:00
To: ActiveDir.org
Subject: Re: [ActiveDir] Trusts.

Brad,

I am not in the office at the moment but there is a Microsoft KB titled
something like creating trusts are not established as expected, this has
about 8 steps you can walk through to troubleshoot.

Regards

Mark

-Original Message-
From: Smith, Brad [EMAIL PROTECTED]
Date: Fri, 25 Nov 2005 13:56:42
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

Sorry... It is a legacy trust between a W2K Domain (Single Domain, Single
Forest) and a W2K3 Domain (Single Domain, Single Forest). I know how to
create trusts, that bit is easy enough, what I am having problems with is
understanding and troubleshooting why it can't create an RPC connection to do
the required bits and pieces, I am not even getting to the point where it
asks for authentication details, I have only specified the destination
domain, and then it fails with a unable to establish RPC type error
message.  I can resolve the DNS name of domain, ie domain.com
 
any ideas ?
 
 From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
On Behalf Of Almeida Pinto, Jorge de
Sent: 24 November 2005 16:18
To: ActiveDir@mail.activedir.org
Subject: RE: Trusts.

 
 
 
Hi, 
 
You do not mention the type of trust you want to create but between a W2K
and W2K3 forest you can only create external trusts. 
For more info see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b30ef067-746e-4453-b879-804259aafdd3.mspx
 
Cheers,
Jorge 

 From: [EMAIL PROTECTED] on behalf of Smith, Brad
Sent: Thu 11/24/2005 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: Trusts.

 
 
Hi List,
 
I am having annoying problems getting two forests to establish a trust (one
is W2K, one is W2K3).  Has anyone got a reference to what permissions are
required
 
TIA,
 
Brad
 
This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.


This message has been scanned for viruses by MailControl - (see
http://bluepages.wsatkins.co.uk/?4318150)



 
This email and any attached files are confidential and copyright protected.
If you are not the addressee, any dissemination of this communication is
strictly prohibited. Unless otherwise expressly agreed in writing, nothing
stated in this communication shall be legally binding.
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] exporting group membership

2005-11-28 Thread Ayers, Diane



here is a script that you can 
use. It dumps the group to a spreadsheet with column headers. Modify 
as you see fit

Diane



On Error Resume Next

CRLF=CHR(13)+CHR(10)

' Prompt for the distinguished name of the group to export
strADName = InputBox("Enter Complete LDAP DN for desired group","Group Name?","")
Set GroupObj = GetObject("LDAP://" & strADName)

wscript.echo ("Getting group Membership for " & strADName)

' Bind failed (bad DN or no access): stop before starting Excel
if Err.Number <> 0 then
    wscript.echo "Failed to connect to " & strADName
    wscript.quit
end if

set memberlist=GroupObj.Members
Set objExcel = WScript.CreateObject("Excel.Application")
objExcel.Visible = True
objExcel.Workbooks.Add

' Name the sheet after the group and write the header row
objExcel.ActiveSheet.Name = GroupObj.SAMAccountName
objExcel.ActiveSheet.Range("A1").Activate
objExcel.ActiveCell.Value = "ID"                            'col header 1
objExcel.ActiveCell.Offset(0,1).Value = "Last Name"         'col header 2
objExcel.ActiveCell.Offset(0,2).Value = "First Name"        'col header 3
objExcel.ActiveCell.Offset(0,3).Value = "Address"           'col header 4
objExcel.ActiveCell.Offset(0,4).Value = "Office"            'col header 5
objExcel.ActiveCell.Offset(0,5).Value = "Internal Phone"    'col header 6
objExcel.ActiveCell.Offset(0,6).Value = "External Phone"    'col header 7
objExcel.ActiveCell.Offset(0,7).Value = "Mobile"            'col header 8
objExcel.ActiveCell.Offset(1,0).Activate                    'move 1 down

' One row per member; only members whose SAMAccountName is 4 characters long are written
for each member in memberlist
    If Len(member.SAMaccountName)=4 then
        objExcel.ActiveCell.Value = member.SAMAccountName
        objExcel.ActiveCell.Offset(0,1).Value = member.sn
        objExcel.ActiveCell.Offset(0,2).Value = member.givenName
        objExcel.ActiveCell.Offset(0,3).Value = member.streetAddress
        objExcel.ActiveCell.Offset(0,4).Value = member.physicalDeliveryOfficeName
        objExcel.ActiveCell.Offset(0,5).Value = member.telephoneNumber
        objExcel.ActiveCell.Offset(0,6).Value = member.otherHomePHone
        objExcel.ActiveCell.Offset(0,7).Value = member.mobile
        objExcel.ActiveCell.Offset(1,0).Activate
    End if
next

set GroupObj = Nothing

wscript.echo "Done"
wscript.quit


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, November 25, 2005 8:02 AM
To: Active
Subject: [ActiveDir] exporting group membership

I am trying to export the following fields from Active 
Directory using CSVDE

I ran the following command 
CSVDE -F c:\output.csv -d "ou=security groups,ou=INTARA,dc=COM" -r 
"(objectclass=group)" -l 
cn,description,member,whencreated,whenchanged,info,managedby,mail

This retrieves the information I want, however, the Member tab displays a 
list of users full DN in one single cell and makes it difficult to overview the 
member list.

How can I display a list of the users in their own individual cells
going downwards (if that makes sense) does CSVDE allow this? If not any other
tools out there?




RE: [ActiveDir] Schema Updates

2005-10-10 Thread Ayers, Diane



You ever find that often times the products are already bought before
your input is requested?

The better question is when do they ever check with you before they buy
a product? Nope... They usually ask someone that has no clue of the
impact to the production systems then they bring it to us to "implement"

We have Unity and it has had a major impact to our AD environment
although I can say that the users (including me) love its
functionality. What irks me more though is the version that we
implemented initially had major schema changes and then the subsequent
version decided to move a lot of the data from AD to a separate SQL DB.
Why didn't they tell me that BEFORE we irrevocably altered the schema.

Another good example is Cisco ICM. The version prior to the new 7.x
version required a separate domain, required domain admin level
privileges to operate and schema changes to forest as well as a litany
of other "issues". At least version 7.x will integrate into an existing
corporate domain although requires a dedicated OU. I really get nervous
with applications that want to create user objects willy-nilly in order
to operate.

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 10, 2005 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates


Our movement for Cisco Unity was based strictly on a wholesale move to
Cisco VoIP solutions all the way around. Apparently there's some cost
savings there somewhere. I dunno regarding the comment joe made about
not ever being in your ad environment. Concur 100%. You ever find that
often times the products are already bought before your input is
requested?

I dunno if I have bigger problems with cisco being in the software space
or their horrible turnout of applications after they've acquired them.
Unity, call manager, etc one uses ad one uses dirsync in a proprietary
ldap server odd stuff like that. Not to mention, it took a nda and
massive levels of coercion to get cisco to fess up to what the exact
permissions were that are required in order for unity to work
successfully. That was a good month long ordeal. Unfortunately nda - so
I can't really speak or blog on the exact stuff to correct it. Their
reasoning? Most admins have no idea how to configure the ACLs properly
to support their application. I digress.


:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

The price tag will definitely drop as soon as Microsoft releases Exchange 12 
with UM built in. But, it's not THAT expensive today, and there are some great 
business pluses to it. We had no problems showing ROI on VOIP or UM.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, October 10, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

It's a feature with 
lots of "gee whiz!" appeal, but once people see the price tag, the response is 
usually "ouch!"

We are still waiting 
for the "year of UM". I'm betting on 2007. :-)




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Monday, October 10, 2005 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

I think this is 
definitely a case where Moore's Law hasn't been applicable. It's 
funny how little this story has changed since I saw the first unified messaging 
demos (then by Octel) about ten years ago.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Entirely your option. 
:) Windows 3.11 and Windows NT are really not the same product. 


Note I am not saying I 
won't use cisco routers because they sucked 12 years ago. As someone else 
pointed out, software isn't cisco's ball of wax. There is obviously a little bit 
of a scary point there when you consider though that the IOS is software... 


Also as you mentioned, it wasn't created or even modified much by cisco. So I 
don't expect it is much different now than what I saw. 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

And I will never run 
Windows because 3.11 just wasn't that great at networking. 
;-)




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Being the best 
available doesn't make something good and doesn't need 

RE: [ActiveDir] Modifying Domain Admins Administrators Group

2005-10-07 Thread Ayers, Diane
Probably.  Never said it was fool-proof but only that it addresses a
small part of the total picture.  I will let my cohorts speak to the
specifics to the process if they choose.  Ideally, your admin and
security model would prevent any un-authorized changes but the 8th and
9th layer sometimes comes into play... Fortunately we don't have that
problem

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins  Administrators Group 

How does it work? Do you use LDAP to look at the membership? If so, you
probably have a hole in the implementation.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Thursday, October 06, 2005 2:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins  Administrators Group 

We run a simple process that monitors the members of elevated privilege
groups.  Any changes trigger a notification.  Doesn't address the
prevention but will allow you to capture the occurrence and deal with it
appropriately.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Thursday, October 06, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modifying Domain Admins  Administrators Group 

Hi,

We have about 7 domain administrators in a particular child domain. I
just found out someone added the DBA Group to part of the Administrators
group in this domain. Not necessary, not required nor is it a policy.
Event logs have obviously been overwritten therefore I would like to
know the simplest method to avoid this scenario from ever happening
again.

What are my options?

Thank you so much.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
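
The monitoring process described in this thread, sketched as an added example that is not code from any poster. The thread does not say which gap joe has in mind; the example assumes two ways a check that reads only a group's member attribute can miss effective membership: nested groups (such as the DBA Group here) and accounts whose primaryGroupID points at the watched group. The domain, account names and snapshot layout are constructed for illustration.

```python
import copy

BASE = "DC=example,DC=com"  # constructed domain, not from the thread
ADMINISTRATORS = "CN=Administrators,CN=Builtin," + BASE
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users," + BASE
DBA_GROUP = "CN=DBA Group,OU=Groups," + BASE


def user(name, primary_group_id=513):
    """Constructed user entry; 513 is the RID of Domain Users."""
    return {"dn": f"CN={name},CN=Users,{BASE}", "kind": "user",
            "primaryGroupID": primary_group_id}


def group(dn, members, rid=None):
    """Constructed group entry; rid is the last component of the group SID."""
    return {"dn": dn, "kind": "group", "member": list(members), "rid": rid}


def direct_members(snapshot, group_dn):
    """What a check sees if it reads only the group's own member attribute."""
    for entry in snapshot:
        if entry["dn"].lower() == group_dn.lower():
            return set(entry.get("member", []))
    return set()


def effective_members(snapshot, group_dn):
    """Accounts that hold the group's rights: direct members, members of
    nested groups, and accounts whose primary group is one of those groups."""
    by_dn = {entry["dn"].lower(): entry for entry in snapshot}
    accounts, visited, pending = set(), set(), [group_dn.lower()]
    while pending:
        dn = pending.pop()
        if dn in visited:  # groups can be nested in a loop
            continue
        visited.add(dn)
        current = by_dn.get(dn)
        if current is None or current["kind"] != "group":
            continue
        for member_dn in current["member"]:
            member = by_dn.get(member_dn.lower())
            if member is None:
                accounts.add(member_dn)  # unresolved member: report, don't drop
            elif member["kind"] == "group":
                pending.append(member_dn.lower())
            else:
                accounts.add(member["dn"])
        if current["rid"] is not None:
            # Primary-group members are not listed in the member attribute.
            accounts.update(e["dn"] for e in snapshot
                            if e["kind"] == "user"
                            and e["primaryGroupID"] == current["rid"])
    return accounts


def membership_changes(before, after, watched, resolve):
    """Diff two snapshots for each watched group using the given resolver."""
    report = {}
    for group_dn in watched:
        old, new = resolve(before, group_dn), resolve(after, group_dn)
        if old != new:
            report[group_dn] = {"added": sorted(new - old),
                                "removed": sorted(old - new)}
    return report


def sample_snapshots():
    """Three constructed snapshots: baseline, DBA Group nested into
    Administrators (the change in the thread), then two quieter changes."""
    people = {n: user(n) for n in
              ("alice", "dave", "erin", "frank", "svc-backup")}
    baseline = [group(ADMINISTRATORS, [DOMAIN_ADMINS]),
                group(DOMAIN_ADMINS, [people["alice"]["dn"]], rid=512),
                group(DBA_GROUP, [people["dave"]["dn"], people["erin"]["dn"]]),
                *people.values()]
    nested = copy.deepcopy(baseline)
    nested[0]["member"].append(DBA_GROUP)
    later = copy.deepcopy(nested)
    later[2]["member"].append(people["frank"]["dn"])  # DBA Group grows
    later[-1]["primaryGroupID"] = 512  # svc-backup: no member entry changes
    return baseline, nested, later


if __name__ == "__main__":
    baseline, nested, later = sample_snapshots()
    watched = [ADMINISTRATORS, DOMAIN_ADMINS]
    for label, resolve in (("member attribute only", direct_members),
                           ("effective membership", effective_members)):
        print(label)
        print("  step 1:", membership_changes(baseline, nested, watched, resolve))
        print("  step 2:", membership_changes(nested, later, watched, resolve))
```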



RE: [ActiveDir] Modifying Domain Admins Administrators Group

2005-10-06 Thread Ayers, Diane
We run a simple process that monitors the members of elevated privilege
groups.  Any changes trigger a notification.  Doesn't address the
prevention but will allow you to capture the occurrence and deal with it
appropriately.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Thursday, October 06, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modifying Domain Admins  Administrators Group 

Hi,

We have about 7 domain administrators in a particular child domain. I
just found out someone added the DBA Group to part of the Administrators
group in this domain. Not necessary, not required nor is it a policy.
Event logs have obviously been overwritten therefore I would like to
know the simplest method to avoid this scenario from ever happening
again.

What are my options?

Thank you so much.




RE: [ActiveDir] Precreating sites and subnets

2005-09-01 Thread Ayers, Diane
Tom:

I used Robbie Allen's script to do this.  You can glean from his script
the techniques for doing this.  I sent you a copy under a separate email

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 01, 2005 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Precreating sites and subnets

I'm trying to run this script from MS to precreate site and subnet
objects in a test forest from a csv file.
 
That works fine but I also would like to add a description for each
subnet from the same csv file.
 
How can I edit this script to do that?
 
Thanks. Sorry for being lazy but I'm kinda under the gun (actually this
is the IBM AD consultant's homework).
 
Thanks again.



RE: [ActiveDir] Database Corruption

2005-08-19 Thread Ayers, Diane



My preferred approach would be to 
demote the box to member server and re-promote to a domain controller to ensure 
a good fresh copy of the DIT. YMMV as the specific requirements at your 
location may prevent this. We have only run into this once early in our AD 
days and this was the approach we used with good success.

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, August 19, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Database Corruption


Started getting the error below a few weeks ago on one of our DCs. My first 
reaction is to run a non-auth restore from a day before this started happening 
and let replication take care of everything else. Any reason NOT to do this? 
I'm concerned that this may happen again and wasn't able to find anything 
specific to the error below. Besides calling PSS, anything else I should look 
into before restoring? This box holds all FSMO roles, Win2k3, server for NIS.

TIA

-alex

Event Type: Error
Event Source: NTDS ISAM
Event Category: Database Page Cache
Event ID: 475
Date: 8/19/2005
Time: 2:00:24 PM
User: N/A
Computer: DC
Description:
NTDS (528) NTDSA: The database page 
read from the file "C:\WINNT\NTDS\ntds.dit" at offset 665067520 
(0x27a42000) for 8192 (0x2000) bytes failed verification due to a 
page number mismatch. The expected page number was 81184 (0x00013d20) and 
the actual page number was 2349964126 (0x8c119b5e). The read operation 
will fail with error -1018 (0xfc06). If this condition persists then 
please restore the database from a previous backup. This problem is likely due 
to faulty hardware. Please contact your hardware vendor for further assistance 
diagnosing the problem.



RE: [ActiveDir] Biggest AD Gripes

2005-08-03 Thread Ayers, Diane
Not an AD gripe but a tools gripe.  The AD Sites and Services snap-in
sucks canal water as Laura sez.  MS said they would fix it in Win2K3
but it still sucks.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 02, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Biggest AD Gripes

So what are everyone's biggest AD Gripes? I am not talking about gripes
about things that use AD like GPOs[1] or Exchange or NFS or anything
else like that. I mean actual AD really missed the boat because of this
that or the other thing.

Like 

o I dislike that when you defunct an attribute it doesn't purge the
information in the directory for that attribute.

o The fact that AD Security policy is managed through a technology
dependent on AD and replicates both within AD and the other technology.
 
o I dislike that there is no true schema delete.

o I dislike the fact that I can't specify which branches of the tree
replicate where.

o I dislike the fact that GUIDs are represented in multiple ways in the
directory.

o I dislike the implementation of property sets especially since they
could be so incredible awesomely cool. Specifically I dislike that an
attribute can only be in a single property set. 

o I dislike creator/owner on SDs.

o I dislike the lack of configurable business rules.

o I dislike the fact that I can't run multiple domains on a single
domain controller. 



Etc etc. I have more but let's see what others say. Everyone pipe up.
Let's pretend that MS will actually see this, let's further say let's
pretend MS AD Developers will see this. What would you tell them if you
were sitting in the room with them?



   joe





[1] I do not consider GPOs to be part of AD. They are a technology that
leverages AD.



RE: [ActiveDir] Account lockout

2005-08-02 Thread Ayers, Diane



Look in the security event logs on the 
domain controller and it will tell you what machine the lockout is coming 
from. You will have to check all the DCs until you find the one that is 
authenticating the account and locking it out. MS has tools to do this for 
you.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jake Stabl
Sent: Tuesday, August 02, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account lockout


Well I did just change password and I don't think I am being a service on a 
computer anywhere. I have changed my password in the past roughly a month ago 
and no problem.. Trying to figure out how to log this on the servers.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 02, 2005 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account lockout

Did 
you recently change your password and now it's occurring? Have you used 
your account as a service on a server? 

Jose

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Jake Stabl
  Sent: Tuesday, August 02, 2005 8:53 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Account lockout

  Good day everyone. Here is a crazy problem I 
  am having today. I am logged on to my laptop writing emails and 
  administering my domain and then all of a sudden my account will get locked 
  out.. Just about every 5 minutes this is happening and I don't really know 
  why? Where can I start looking to fix this?? I am lost.

  Jake 


RE: [ActiveDir] Doubletake(OT)

2005-07-07 Thread Ayers, Diane
We use DoubleTake on a number of DAS based File/Print servers in our
distributed environment that are fairly large (~1 TB).  We implemented it
when we had some server failures that created extended outages for clients
while we recovered data from backup tapes.  Our current implementation is
locally across a dedicated NIC to a stand by server that can take over if
we lose the primary.  In our configuration and failover or failback is a
manually initiated process.

It seems to work pretty well but there are some limitations.  We briefly
considered using it for Exchange and it may work for smaller environments
but I was not comfortable using it in a medium or large exchange shop.  I
can't speak to SQL.  Bottom line, It seems to work well for File servers but
I would not go farther than that.  There seems to be better ways of
addressing the other systems.

We are taking a close look at FRS that is in R2.  We are hoping that MS got
it right this time... ;-)

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, July 06, 2005 11:07 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Doubletake(OT)

Anyone using Doubletake out there?
My manager is interested in purchasing it and I was wondering what you guys
think of it, yea or nay.

In my environment it doesn't seem to make sense except as to file servers.
DC's have built in redundancy if you have more than 1 and we have an
active/passive exchange2k3 cluster plus with RSG and/or dial tone restore,
it doesn't seem to apply here as well.
For MS SQL we are using a log shipping solution.
So I was just wondering if anyone out there had experience with this or a
similar product and how they are using it and if it's worth it to get.

Thanks a lot.


RE: [ActiveDir] Doubletake(OT)

2005-07-07 Thread Ayers, Diane
Tom:

From the limitations perspective, in our testing, we found that the
application worked well on the FP boxes but we found it sensitive to
accidental mis-configuration and difficult to recover from these issues.  We
set a policy that only those trained on the configuration and operation were
to do any admin work on the DoubleTake systems. I can go into more issues
off list if you want.  I was involved in some of the initial work at our
Company but that has since moved to another team

As far as exchange, I've worked with Exchange since 4.0 and understand the
nature of the beast so to speak.  With all the inherent issues around I/O as
well as the DB being in an inconsistent state from the time you start the
services (RAM, Cache, logs, etc) and our perceived touchiness around
DoubleTake, I could not see introducing it into our exchange environment
(~20K users).  Maybe it was an unjustified prejudice.  We pride ourselves in
running a pretty good exchange shop in regards to availability, etc. and I
did not want to risk that.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 07, 2005 7:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Doubletake(OT)

Can you elaborate further on why you don't feel comfortable using it with
Exchange as well as what you think the limitations are, if you don't mind?
Thanks a lot.


Ayers, Diane wrote:
 We use DoubleTake on a number of DAS based File/Print servers in our 
 distributed environment that are fairly large (~1 TB).  We implemented 
 it when we had some server failures that created extended outages for 
 clients while we recovered data from backup tapes.  Our current 
 implementation is locally across a dedicated NIC to a stand by 
 server that can take over if we lose the primary.  In our 
 configuration and failover or failback is a manually initiated 
 process.
 
 It seems to work pretty well but there are some limitations.  We 
 briefly considered using it for Exchange and it may work for smaller 
 environments but I was not comfortable using it in a medium or large 
 exchange shop.  I can't speak to SQL.  Bottom line, It seems to work 
 well for File servers but I would not go farther than that.  There 
 seems to be better ways of addressing the other systems.
 
 We are taking a close look at FRS that is in R2.  We are hoping that 
 MS got it right this time... ;-)
 
 Diane
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
 Sent: Wednesday, July 06, 2005 11:07 AM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] Doubletake(OT)
 
 Anyone using Doubletake out there?
 My manager is interested in purchasing it and I was wondering what you 
 guys think of it, yea or nay.
 
 In my environment it doesn't seem to make sense except as to file 
 servers. DC's have built in redundancy if you have more than 1 and we 
 have an active/passive exchange2k3 cluster plus with RSG and/or dial 
 tone restore, it doesn't seem to apply here as well.
 For MS SQL we are using a log shipping solution.
 So I was just wondering if anyone out there had experience with this 
 or a similar product and how they are using it and if it's worth it to 
 get.
 
 Thanks a lot.


RE: [ActiveDir] Load balancing LDAP request among my DCs

2005-06-13 Thread Ayers, Diane
Not to hijack the thread but has anyone used a hardware based load
balancer such as a BigIP appliance to load balance and/or fail over
LDAP?  We have some apps that have to be configured to a specific host
and this was one idea floated up.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, June 13, 2005 7:20 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS?

Check out this article
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx
- it may relate to the PDC but applies to DCs in general too.

neil



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs


Hello,
I have a site with 4 DCs 2003.
It seems that one of my DCs cannot deal with a large number of LDAP
queries, GC Response and NTLM/Kerberos Auth. I misunderstand
something but is my DC 2003 able to check that it cannot serve
these queries and forward automatically these queries to another DC that
is less busy? In other words, can AD 2003 natively load-balance queries
to another less busy DC?

Regards,
Yann




RE: [ActiveDir] lastlogontimestamp-

2005-05-31 Thread Ayers, Diane
I'm staying out of it.   I'll let you guys settle it.  :-) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 30, 2005 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

Hey I was simply agreeing with Diane, she is the one that knew it was wrong.
:o)
   
   joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, May 29, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

note to Deji
You just made joe's head bigger...
/note to Deji

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

I'll yield on this and stand corrected. Although I did not exactly remember 
reading about (or observing) this behavior, current materials I just consulted 
say that Joe and Diane are correct - as always.
 
note to self
Got to read more.
/note to self
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/27/2005 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 



Yes, I agree with you, it is incorrect.

BDC's weren't entirely read only, non-replicating attributes such as last 
logon, bad password count, etc were written locally and yes you had to query 
all DCs to get an accurate accounting of what happened.

If this were the architecture of NT4, the PDC would have burned to the ground 
in any decent sized enterprise.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, May 27, 2005 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

 In NT4, all updates go up to the PDC. This is why you will get a true 
 last
login report

Not that my small wattage can hold a candle to the brain power for the others 
on the list but isn't this incorrect?  IIRC, under NT 4.0 the last logon went 
to the authenticating DC.  That is why you had to query all the DCs in a domain 
to get an accurate lastlogon value for an account.

Updates to an account such as pwd changes, etc went to the DC. 

Not that it really matters since NT 4.0 is no longer relevant.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

In NT4, all updates go up to the PDC. This is why you will get a true last 
login report.

Post NT4, most updates take place on any DC, and lastlogon is one such update. 
Because it is possible that a user can be authenticated by different DC at 
different time, AND because lastlogon is NOT replicated between DCs, you will 
get different lastlogon report, depending on which DC you are querying for it. 
The reason you are getting a consistent report today is likely because you are 
querying the DC that logged you in today. If you query ANOTHER DC now, you will 
get a different result IF that DC had not authenticated you today.

Lastlogontimestamp was introduced in 2K3 to address this lack of correlation in 
a multi-DC environment. Lastlogontimestamp is eventually replicated and 
adjusted, so you will get more consistent result if you query multiple DCs for 
lastlogontimestamp. Before lastlogontimestamp, you will have to query ALL your 
DCs for lastlogon, then you will have to compare the results they give you and 
find the most current in order to get a semblance of accurate last logon.

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Fri 5/27/2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-



Hi Al,

Thank you for taking the time to reply, and I very much appreciate your effort 
on researching this. You know that I recall using USRSTAT on a NT4 Domain and 
it would show the Domain Controller that actually authenticated the user 
account, however it does not seem to display this output in an Active Directory 
Forest. Go figure..

BTW: My last logon is the correct time and I have logged in several times today.

Have a happy Memorial day weekend!

Peace!

Jose :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL

RE: [ActiveDir] lastlogontimestamp-

2005-05-27 Thread Ayers, Diane
 In NT4, all updates go up to the PDC. This is why you will get a true last
login report

Not that my small wattage can hold a candle to the brain power for the
others on the list but isn't this incorrect?  IIRC, under NT 4.0 the last
logon went to the authenticating DC.  That is why you had to query all the
DCs in a domain to get an accurate lastlogon value for an account.

Updates to an account such as pwd changes, etc went to the DC.  

Not that it really matters since NT 4.0 is no longer relevant.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

In NT4, all updates go up to the PDC. This is why you will get a true last
login report.
 
Post NT4, most updates take place on any DC, and lastlogon is one such
update. Because it is possible that a user can be authenticated by different
DC at different time, AND because lastlogon is NOT replicated between DCs,
you will get different lastlogon report, depending on which DC you are
querying for it. The reason you are getting a consistent report today is
likely because you are querying the DC that logged you in today. If you
query ANOTHER DC now, you will get a different result IF that DC had not
authenticated you today.
 
Lastlogontimestamp was introduced in 2K3 to address this lack of correlation
in a multi-DC environment. Lastlogontimestamp is eventually replicated and
adjusted, so you will get more consistent result if you query multiple DCs
for lastlogontimestamp. Before lastlogontimestamp, you will have to query
ALL your DCs for lastlogon, then you will have to compare the results they
give you and find the most current in order to get a semblance of accurate
last logon.
 
HTH
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Fri 5/27/2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 



Hi Al,

Thank you for taking the time to reply, and I very much appreciate your
effort on researching this. You know that I recall using USRSTAT on a NT4
Domain and it would show the Domain Controller that actually authenticated
the user account, however it does not seem to display this output in an
Active Directory Forest. Go figure..

BTW: My last logon is the correct time and I have logged in several times
today.

Have a happy Memorial day weekend!

Peace!

Jose :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Al Mulnick
Sent: Friday, May 27, 2005 1:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-


Part of the problem I see with your output below is that it doesn't show
which domain controller you last logged on to.  While that's not a problem
if you have only one DC in your forest, it can be if you have more than
that.  LastLogon is not replicated.  LastLogonTimeStamp is and as such you
have to query each possible DC to find out the last logon.
To make matters worse, there is a fix out there somewhere that causes ntlm
auth to actually update this field (or am I just dreaming it? :)

In the end, you'll want more than just the lastlogon to figure out what a
user is doing.  You may be able to show something close, in which case
lastlogontimestamp will show you plenty.  I would likely forgo the int8
conversions and opt instead for the IADSUser if you don't need that
accuracy.  For that matter, I'd likely forgo vbscript if I needed pinpoint
accuracy because vbscript won't be as accurate with numbers as something
like c# or perl or jscript or...

To figure out what users are doing, you'll want to look at the pwdLastSet
attribute as well and possibly some other information to get a real feel for
the usage patterns before automating some action.

If I ever get the time, I still have some code lying around that does that
kind of logic and spits out the accounts that way.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, May 27, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Hi Joe,

Quick question, I have always just used the NET USER /DOM (username ) at a
command prompt which gives me the following output:

C:\Documents and Settings\jmedeiros>net user /dom jmedeiros
The request will be processed at a domain controller for domain Stargate.sg1.net.

User name                    jmedeiros
Full Name                    Medeiros, Jose
Comment
User's comment
Country code                 000 (System Default)
Account active   
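
The cross-DC comparison described in Al's reply above, as an added example that is not code from the thread: lastLogon is read from every DC, the newest value is compared with the replicated lastLogonTimestamp, and pwdLastSet is checked before an account is called stale. The DC names, account names, attribute values and the 90-day cutoff are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD Integer8 timestamps count 100 ns ticks from 1601-01-01 UTC (Windows FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a raw Integer8 value; 0 or a missing attribute means 'never'.

    Integer arithmetic only, so no precision is lost to floating point.
    """
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Inverse conversion, used here only to build the constructed samples."""
    return (moment - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def latest_logon(per_dc_last_logon, last_logon_timestamp=0):
    """Return (datetime, source) for the newest logon evidence.

    per_dc_last_logon maps a DC name to the lastLogon value read from that
    DC. lastLogon is not replicated, so every DC has its own copy.
    lastLogonTimestamp is replicated but refreshed only periodically
    (default sync interval 14 days), so it can lag the real logon.
    """
    best_ticks, source = 0, None
    for dc, ticks in per_dc_last_logon.items():
        if ticks and ticks > best_ticks:
            best_ticks, source = ticks, "lastLogon@" + dc
    if last_logon_timestamp and last_logon_timestamp > best_ticks:
        best_ticks, source = last_logon_timestamp, "lastLogonTimestamp"
    return filetime_to_datetime(best_ticks), source


def classify(account, now, max_idle_days=90):
    """Return (label, source): 'active', 'stale' or 'never-used'.

    A recent pwdLastSet counts as activity, so an account whose logon
    data looks old is not flagged while its password is still being changed.
    """
    cutoff = now - timedelta(days=max_idle_days)
    logon, source = latest_logon(account.get("lastLogon", {}),
                                 account.get("lastLogonTimestamp", 0))
    pwd_set = filetime_to_datetime(account.get("pwdLastSet", 0))
    evidence = []
    if logon is not None:
        evidence.append((logon, source))
    if pwd_set is not None:
        evidence.append((pwd_set, "pwdLastSet"))
    if not evidence:
        return ("never-used", None)
    newest, newest_source = max(evidence)
    return ("active" if newest >= cutoff else "stale", newest_source)


def report(accounts, now, max_idle_days=90):
    """Classify every account in a {name: attributes} mapping."""
    return {name: classify(acct, now, max_idle_days)
            for name, acct in accounts.items()}


def _ft(year, month, day):
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


# Constructed sample data: three accounts as seen from three DCs.
NOW = datetime(2005, 5, 27, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = {
    # Logged on to DC2 last week; DC1 alone would make the account look idle.
    "alice": {"lastLogon": {"DC1": _ft(2005, 1, 10), "DC2": _ft(2005, 5, 20), "DC3": 0},
              "lastLogonTimestamp": _ft(2005, 5, 9),
              "pwdLastSet": _ft(2005, 3, 1)},
    # Old logon data everywhere, but the password was changed this month.
    "bob": {"lastLogon": {"DC1": _ft(2004, 11, 2), "DC2": 0},
            "lastLogonTimestamp": _ft(2004, 11, 1),
            "pwdLastSet": _ft(2005, 5, 1)},
    # Nothing recent on any attribute.
    "svc_old": {"lastLogon": {"DC1": _ft(2004, 6, 15), "DC2": 0},
                "lastLogonTimestamp": _ft(2004, 6, 10),
                "pwdLastSet": _ft(2003, 9, 1)},
}

if __name__ == "__main__":
    for name, (label, source) in report(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name:8} {label:10} newest evidence: {source}")
```
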

RE: [ActiveDir] Exchange and AD

2005-04-18 Thread Ayers, Diane



Brenda:

Fire up ADSIedit and take a look at the Exchange Services container in
AD (CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com)
and verify that the Exchange groups have been applied to the container
correctly. Exchange Domain Servers group "should" (don't have multiple
systems to verify) have read access on this container and increased
permissions on the "organizational" containers under this.

If they aren't there, then something went fubar in the Exchange setup...

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Monday, April 18, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

Yes, I have connectivity to a GC. The Exchange server is running on
W2K3 (on a W2K domain) but is not a DC. Should there still be SRV
records for it, and if so where exactly would I look for them as
looking briefly I did not find them?

The sites and subnets are defined properly and 
there is a corresponding subnet for the exchange server and the associated 
site.


Thanks,
Brenda



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, April 18, 2005 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

Do you have connectivity to a GC? Are the srv records in dns?

  -Original Message-
  From: Medeiros, Jose [mailto:[EMAIL PROTECTED]
  Sent: Monday, April 18, 2005 2:58 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Exchange and AD

  Hi Brenda,

  I would try and run Forestprep and Domainprep a second time. Once it
  is completed, reinstall Exchange and select just the systems manager
  option for the install. That should fix it.

  Jose
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Monday, April 18, 2005 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

Yes we did run setup/domainprep from the exchange cd. We believe that
we have followed the entire setup procedure.


Thanks,
Brenda


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, April 18, 2005 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

did you run "Setup/ domainprep" off the exchange cd?

  -Original Message-
  From: Brenda Casey [mailto:[EMAIL PROTECTED]
  Sent: Monday, April 18, 2005 2:39 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Exchange and AD

  During the install of Exchange, the Microsoft Exchange System
  Attendant is unable to start. After bypassing the start of this
  service during the install and then rebooting the server the
  following error is generated in the Application Log file.

  Microsoft Exchange System Attendant does not have sufficient rights
  to read Exchange configuration objects in Active Directory. Wait for
  replication to complete and then check to make sure the computer
  account is a member of the "Exchange Domain Servers" security group.
  For more information, click http://www.microsoft.com/contentredirect.asp.
  For more information, see Help and Support Center at
  http://go.microsoft.com/fwlink/events.asp.

  We have read several KB articles, but have been unable to find a
  solution. Any help would be appreciated! (The Exchange Server
  computer account is not disabled, and does exist in AD).

  Thanks,
  Brenda
  


RE: [ActiveDir] OT: Exchange Transaction logs

2005-04-12 Thread Ayers, Diane
If your Exchange backup is working correctly, you don't have to manage
the logs.  A correctly configured exchange aware backup will purge the
logs for you after a successful backup.

I suggest that you bone up on your exchange backup and recovery
processes.  As a start read the Exchange Server 2003 Disaster Recovery
Operations Guide
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/disrecopgde.mspx

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, April 12, 2005 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Transaction logs

So let's say I get the backup software working correctly (Duh, I forgot
to turn on the open file option)...will I ever need the transaction logs
from say January of this year? The reason I ask is because for now I
have just moved all logs older than February to another machine to free
space. If I don't need to ever backup those transaction logs, then I
will just delete them once I have verified that the backups are working
correctly. 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Tuesday, April 05, 2005 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Transaction logs

Not to be nit picky but it means you are not backing it up _correctly_
As Doug mentions, a correct on-line exchange backup will purge the logs
on completion of the backup process.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stelley,
Douglas
Sent: Tuesday, April 05, 2005 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Transaction logs

Transaction logs are automatically deleted upon successful backup of
exchange. If you're getting a large collection of transaction logs, that
means you are not backing up Exchange. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, April 05, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange Transaction logs

Just had a couple of questions about a couple things I can't seem to get
a straight answer for. 

Is there a recommended length of time to hold on to Exchange transaction
logs? 

Is there any reason to keep transaction logs around any further back
than specified in the checkpoint file?

Is it typical to enable circular logging, or does this somehow get you
into some issues if a disaster does happen?

As always, THANKS for your advice/comments
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

Confidentiality Notice: The information contained in this message may be
legally privileged and confidential information intended only for the
use of the individual or entity named above. If the reader of this
message is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are hereby
notified that any release, dissemination, distribution, or copying of
this communication is strictly prohibited. If you have received this
communication in error please notify the author immediately by replying
to this message and deleting the original message. Thank you.



RE: [ActiveDir] Update Your PayPal Account Information

2005-04-10 Thread Ayers, Diane
 JS/Stealus.gen trojan as well

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Sunday, April 10, 2005 3:40 PM
To: [EMAIL PROTECTED]
Cc: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Update Your PayPal Account Information

Hi all,

Anyone with Paypal accounts please do not send any information to this post.

This is being forwarded to the Paypal security team.

Thanks,



Original Message Follows
From: io o
Reply-To: ActiveDir@mail.activedir.org
To: activedir activedir@mail.activedir.org
Subject: [ActiveDir] Update Your PayPal Account Information
Date: Mon, 11 Apr 2005 00:29:59 +0300




RE: [ActiveDir] OT: Exchange Transaction logs

2005-04-05 Thread Ayers, Diane
Not to be nit picky but it means you are not backing it up _correctly_
As Doug mentions, a correct on-line exchange backup will purge the logs
on completion of the backup process.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stelley,
Douglas
Sent: Tuesday, April 05, 2005 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Transaction logs

Transaction logs are automatically deleted upon successful backup of
exchange. If you're getting a large collection of transaction logs, that
means you are not backing up Exchange. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, April 05, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange Transaction logs

Just had a couple of questions about a couple things I can't seem to get
a straight answer for. 

Is there a recommended length of time to hold on to Exchange transaction
logs? 

Is there any reason to keep transaction logs around any further back
than specified in the checkpoint file?

Is it typical to enable circular logging, or does this somehow get you
into some issues if a disaster does happen?

As always, THANKS for your advice/comments


RE: [ActiveDir] OT:RPC over HTTP vs OWA

2005-03-23 Thread Ayers, Diane



FWIW, there was a long conversation covering RPC over HTTP on the
security basics mailing list. You can look at the archives to see if
there was anything worth gleaning from the conversation

Diane

http://www.securityfocus.com/archive/105/389606/2005-02-04/2005-02-10/1




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Wednesday, March 23, 2005 4:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:RPC over HTTP vs OWA

Thanks for your comments! As I said, Much appreciated!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may include 
proprietary or protected information. If you are not the intended recipient, 
please notify me, delete this message, and do not further communicate the 
information contained herein without my express written 
consent.





From: Dave A. Marquis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 22, 2005 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:RPC over HTTP vs OWA

Our Org is using both RPC and OWA and I have to say that RPC with ISA
2004 is sweet. My 2 Cents.

Dave



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, March 22, 2005 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:RPC over HTTP vs OWA

You're right, I meant UNLOCKING accounts not enabling them! As for the
lockout time... it is available in 2k too.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 22, 2005 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:RPC over HTTP vs OWA

OWA allows for two-factor authentication such as SecurID and Windows
Password. RPC over HTTP does not have that capability that I have seen.

 
joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Tuesday, March 22, 2005 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:RPC over HTTP vs OWA

Hey all – I was wondering what everyone’s thoughts were about using RPC
over HTTP vs Outlook Web Access…? Is one more secure than the other?
What were the reasons you implemented one and not the other?

Any insight is always much appreciated!

Thanks!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/


This e-mail message, including all attachments, 
is for the sole use of the intended recipients(s) and may contain confidential 
and privileged information. You may NOT use, disclose, copy, or 
disseminate this information. If you are not the intended recipient, please 
contact the sender by reply e-mail immediately. Please destroy all copies of the 
original message and all attachments.


RE: [ActiveDir] AD Database Corrupt

2005-03-08 Thread Ayers, Diane
The one instance that we had a corrupt database, we used this method as
well.  Fortunately we had enough redundancy to allow the demotion of the
server and not affect any services.  It was also fortunate that we had
high connectivity between the DCs to allow a full copy of the directory
to be replicated to the newly re-promoted server.

The initial triage process that we started was similar to what ~Eric
suggested but it made sense to just demote and start over with a new
clean copy of the directory.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 08, 2005 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database Corrupt

I would have to tend to agree with this. I am also a fan of wipe the
machine, test for hardware issues, and start over. You may find the
issue if you troubleshoot but in every occasion where I have gone into
the troubleshooting process on a dead DIT I ended up rebuilding anyway,
usually have the DC sitting there dead a day or four with no answers.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Tuesday, March 08, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database Corrupt

If possible, remove the DC from the domain, and do the NTDSUTIL
clean-up, and just rebuild it.  Check your Anti-virus config to make
sure it isn't possibly configured to scan the AD databases. Also check
the hardware to make sure you don't have a controller card or HD issue. 

Unless there is a reason to try to save the box, I would just rebuild
them.

Todd  

-Original Message-
From: Jacob Walker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 08, 2005 7:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Database Corrupt

One of our 60 AD DC's has stopped replicating.  All of the others are
still replicating fine.  On the problem DC, we are seeing the
following in the Directory Service log in event viewer:

Event Source:   NTDS ISAM
Event Category: Database Corruption
Event ID:   467
Description:
NTDS (536) NTDSA: Index INDEX_00020078 of table datatable is corrupted
(0).


Event Source:   NTDS Replication
Event Category: Replication
Event ID:   1084
Description:
Internal event: Active Directory could not update the following object
with changes received from the following source domain controller. This
is because an error occurred during the application of the changes to
Active Directory on the domain controller.

Object:
distinguished_name_path_of_object_that_failed_to_write_to_local_database
Object GUID: 32_character_alpha-numeric_object_GUID
Source domain controller:
object_GUID_for_source_domain_controller's_NTDSDSA_object._msdcs.forest root domain

Synchronization of the local domain controller with the source domain
controller is blocked until this update problem is corrected.

This operation will be tried again at the next scheduled replication.


We have looked at MS article 837932, but nothing seems to apply.  And,
the corruption location seems to be in the domain database from what we
see in the details of the one error above and from the results of
repadmin /showreps.  At this point, is there anything that can be done
for this DC other than restoring or demoting and re-promoting.
Unfortunately, we will be unable to do a restore because we backup the
System State on some of our DC's, but not this particular one.  The one
saving grace is that it is a remote office DC and not one of our primary
DC's or FSMO role holders.

Any suggestions?




RE: [ActiveDir] Citrix GPO Application

2005-02-08 Thread Ayers, Diane
We have a very similar situation.  The Citrix MetaFrame boxes are in the
same OU as other servers.  We created two policies for the Citrix
settings.  One for the machine policies and one for the user policies.
We also created two groups, one for the Citrix machines and one for the
Citrix users.  The machine policy is filtered so that it only applies to
the members of the Citrix servers group in that OU.  The Citrix user
policies are applied via loop back processing and filtered by the
Citrix Users group so that the user policies are only applied to
members of the Citrix Users group when they log onto the meta frame
servers (including terminal sessions).

Just don't put your Citrix admins in the Citrix users group and they
won't have the policies applied when they log onto the box.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James
Sent: Tuesday, February 08, 2005 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Citrix GPO Application

I'm struggling with an issue that I'd like to get some insight on.  I'm
building a new Citrix Metaframe XPs machine that I need to apply a group
policy to.  However, I don't want this policy to affect administrators,
only users.

Because of the way our AD is structured, I can only apply these settings
to the OU with the server, not to the OU's with the users.  Is there any
way I can tell the GPO to ignore administrative users and only apply to
regular users that log in to the machine?

-James R. Rogers



RE: [ActiveDir] Printing Distribution Lists

2004-12-13 Thread Ayers, Diane



here's my "I'm not a programmer but I 
play one on TV" approach... Dumps to an excel spreadsheet. Easily 
modifiable to even the programming challenged like me...

Diane
---
On Error Resume Next

CRLF = Chr(13) + Chr(10)

' Ask for the distinguished name of the group and bind to it over LDAP
strADName = InputBox("Enter Complete LDAP DN for desired group", "Group Name?", "CN=Listname,OU=Groups,DC=Company,DC=COM")
Set GroupObj = GetObject("LDAP://" & strADName)

WScript.Echo "Getting group Membership for " & strADName

' The bind error is still held in Err because of On Error Resume Next
If Err.Number <> 0 Then
    WScript.Echo "Failed to connect to " & strADName
    WScript.Quit
End If

Set memberlist = GroupObj.Members
Set objExcel = WScript.CreateObject("Excel.Application")
objExcel.Visible = True
objExcel.Workbooks.Add

' Name the sheet after the group and write the header row
objExcel.ActiveSheet.Name = GroupObj.SAMAccountName
objExcel.ActiveSheet.Range("A1").Activate
objExcel.ActiveCell.Value = "ID"                          'col header 1
objExcel.ActiveCell.Offset(0,1).Value = "Last Name"       'col header 2
objExcel.ActiveCell.Offset(0,2).Value = "First Name"      'col header 3
objExcel.ActiveCell.Offset(0,3).Value = "Address"         'col header 4
objExcel.ActiveCell.Offset(0,4).Value = "Office"          'col header 5
objExcel.ActiveCell.Offset(0,5).Value = "Internal Phone"  'col header 6
objExcel.ActiveCell.Offset(0,6).Value = "External Phone"  'col header 7
objExcel.ActiveCell.Offset(0,7).Value = "Mobile"          'col header 8
objExcel.ActiveCell.Offset(1,0).Activate                  'move 1 down

' One row per member whose account name is four characters long
For Each member In memberlist
    If Len(member.SAMAccountName) = 4 Then
        objExcel.ActiveCell.Value = member.SAMAccountName
        objExcel.ActiveCell.Offset(0,1).Value = member.sn
        objExcel.ActiveCell.Offset(0,2).Value = member.givenName
        objExcel.ActiveCell.Offset(0,3).Value = member.streetAddress
        objExcel.ActiveCell.Offset(0,4).Value = member.physicalDeliveryOfficeName
        objExcel.ActiveCell.Offset(0,5).Value = member.telephoneNumber
        objExcel.ActiveCell.Offset(0,6).Value = member.otherHomePhone
        objExcel.ActiveCell.Offset(0,7).Value = member.mobile
        objExcel.ActiveCell.Offset(1,0).Activate
    End If
Next

Set GroupObj = Nothing
WScript.Echo "Done"
WScript.Quit


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Monday, December 13, 2004 11:49 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Printing Distribution Lists

Running Exchange 2003 and ad 2000 (not on the same box).

Is there a way to allow user to print out DL membership? Thanks.

-Christine

Christine N. Allen
Citrix/Windows 2000 Engineer
BMC Healthnet Plan
One Design Center Place
Boston, MA 02210
Work: 617-748-6034
Cell: 617-290-4407



RE: [ActiveDir] Exchange Latency

2004-12-06 Thread Ayers, Diane



One option is to have the users switch 
to Outlook 2003 and run it in "local cached mode"

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, December 06, 2004 9:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange Latency

A couple of our users who split their time between two of our sites (NY,
LA). The problem is that no matter where we store these user's mailboxes,
when they are at the other site, they experience latency. I am not sure there is
much that can be done about this, but I have been asked to see if the problem
can be alleviated. One suggestion I got was to have the users' mailboxes
replicated between the two sites. Another suggestion was to have the users'
mailboxes stored on a network drive on one site that is mapped to the other
site. I am not sure the first suggestion is possible and I do not see the point
of the second solution. Anyway, does anybody have any suggestions?
_

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, 
may be privileged and is intended for the exclusive use of the above named 
addressee(s). If you are not the intended recipient(s), you are expressly 
prohibited from copying, distributing, disseminating, or in any other way using 
any of the information contained within this communication. If you have received 
this communication in error, please contact the sender by telephone 212.871.5262 
or by response via e-mail.



RE: [ActiveDir] Exchange Latency

2004-12-06 Thread Ayers, Diane



You can use Outlook 2003 against Exchange 2000. The local cached mode
is a specific configuration of the Outlook 2003 on the client side. No
server config work is required.

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, December 06, 2004 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange Latency

The problem is that we are not upgrading to Ex2k3 and have no plans to
do so in the near future.

_

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on Television


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
  Sent: Monday, December 06, 2004 12:13 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Exchange Latency

  I'm not quite sure what you mean by latency. But cached mode in
  Outlook 2003 goes a long way to alleviating many of these types of
  complaints.
  
  If you can combine that with Exchange 2003 on the 
  backend, so you get compression and buffer packing, that can help a great deal 
  as well.
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
  Sent: Monday, December 06, 2004 12:06 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Exchange Latency

  A couple of our users who split their time between two of our sites (NY,
  LA). The problem is that no matter where we store these user's mailboxes,
  when they are at the other site, they experience latency. I am not sure there
  is much that can be done about this, but I have been asked to see if the
  problem can be alleviated. One suggestion I got was to have the users'
  mailboxes replicated between the two sites. Another suggestion was to have the
  users' mailboxes stored on a network drive on one site that is mapped to the
  other site. I am not sure the first suggestion is possible and I do not see
  the point of the second solution. Anyway, does anybody have any
  suggestions?
  _
  
  Daniel DeStefano
  PC Support Specialist
  
  IAG Research
  345 Park Avenue South, 12th Floor
  New York, NY 10010
  T. 212.871.5262
  F. 212.871.5300

  www.iagr.net
  Measuring Ad Effectiveness on Television
  
  


RE: [ActiveDir] Stress testing and performance analysis of domain controllers

2004-12-06 Thread Ayers, Diane
Wouldn't this be dependent on the volume of changes that you see in your
environment?  With Exchange and its accompanying volume of changes,
moving the log files to separate spindles is as you say, a
no-brainer.  However in our AD environment, we see very low volume of
changes. We get maybe 50 MB of log files a day at most.

Our server design for our Win2K AD deployment was to design a DC like an
Exchange server with oodles of disks and separate spindle sets for the
OS, DB and logs but we found that this layout was a major overkill. For
our Win2K3 upgrades to our domain controllers, we are using less disks
and combining the OS and log spindles.  We are still beefing up the
memory and processors which in our environment seem to be the most
critical components.  Our DIT is ~1 GB.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, December 06, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Stress testing and performance analysis of
domain controllers

Definitely, putting DIT and logs on separate spindles is a no-brainer
and guaranteed to improve things.

Gil I agree with everything Al has ever said Kirkpatrick CTO, NetPro

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, December 06, 2004 10:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Stress testing and performance analysis of
domain controllers

I think you can get what you want using the below tool in conjunction
with
http://www.microsoft.com/downloads/details.aspx?FamilyID=4814fe3f-92ce-4871-b8a4-99f98b3f4338&DisplayLang=en

Using the /3gb switch is often recommended, but your biggest benefit
will likely come from the disk layout.  If you can get both, that's
great, but the disk would be the one to really fight for if something
has to give.

That said, it's rumored that 64bit Windows does a nice job as well.  I
couldn't speak that however.  

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Monday, December 06, 2004 12:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Stress testing and performance analysis of
domain controllers

maybe the Server Performance Advisor? :

http://www.microsoft.com/downloads/details.aspx?FamilyID=61a41d78-e4aa-47b9-901b-cf85da075a73&displaylang=en

or

http://tinyurl.com/46wd3

hth,

john

Ruston, Neil wrote:
 
 
 As part of a more general AD design refresh, I am re-visiting the DC 
 hardware and OS configuration.
 
 I am proposing several changes to the DC spec, including the adoption 
 of the following:
 
 * Use 4Gb RAM
 * Use /3gb switch
 * Place AD logs and database on separate disk spindles
 
 In order to 'sell' this idea, I would like to demonstrate the 
 effective increase in 'horse power' that the above offers. I am 
 therefore looking for a tool which can help me to show that a DC with 
 config A can handle load x whilst DC spec B can handle load y.
 
 Ideally, this tool will act much like loadsim and simulate a load on 
 the DC so as to identify the maximum load that each config is capable 
 of handling.
 
 Is there such a tool available on the market?
 
 Thanks in advance,
 Neil
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Master Browser

2004-11-16 Thread Ayers, Diane
Dusting off the old NT 4.0 memories... Key point is that browsing is
not related to name resolution at all.  Browsing is a simple NetBIOS
based directory that allows users to find resources.  Connecting to the
resource either by clicking on an object in the browse list or by
manually connecting (via the run command, net use, etc.) still relies on
the underlying name resolution process in your environment (WINS, etc.)

Browse list functionality may be hit or miss.  My favorite line was
"browsing sucks". If your name resolution process is working and robust
then let the Network Neighborhood stuff do its thing...  Just educate
the users on the nature of the beast.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, November 15, 2004 11:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

So, really the only thing this service does is allow users to click
through the Network Neighborhood (or its successors). Is it correct that
it does not prevent users from finding devices from the run line or
(obviously) from mapped drives?

As for publishing shares from workstations ... (zoinks!) you may have
bigger fish to fry!  ;-)

-- nme

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

I personally favor disabling it on all workstation machines. There's
little harm in leaving it running on servers, even non DC's.

The big question is whether or not it's needed - are the browse list
issues relevant enough to fix. In other words, is there a minor change
to usage that would eliminate the issue entirely? The biggest place I'd
expect to see this is if users are publishing shares from their own
machines.


Roger Seielstad
E-mail Geek  MS-MVP  

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
 Sent: Monday, November 15, 2004 4:47 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Master Browser
 
 Do you still suggest turning it off on all servers and workstations (as
 per your KB article), even in an all W2K or better environment?  We have
 done so (via group policy) for quite some time, but recently ended up
 having to defend this decision to an admin in one of our other
 offices, because he was encountering browse list issues in his domain.

 (We have left it running on the Domain Controllers only.)
 
   Tyson.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of ASB
 Sent: Monday, November 15, 2004 10:46 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Master Browser
 
 Turning off the service is a *much* better approach and doesn't 
 generate any errors in the EventLog.
 
 
 
 - ASB
   Cheap, Fast, Secure -- Pick Any TWO.
   http://www.ultratech-llc.com/KB/
 
  
 
 
 On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED] 
 wrote:
  
  
  
  I wouldn't turn off the service -- I would (and do) go into the
  registry and tell the box it is NOT a Master Browser and NOT to
  maintain a list
  
   
  
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
  Sent: Monday, November 15, 2004 12:16 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Master Browser
  
  
  
   
  
  
  To stop this error message, you will need to turn off the Computer 
  Browser service.  The error message is actually an informational 
  message telling you about the browser status of computer CCDC01.
  
  Ken Adams
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
  Sent: Monday, November 15, 2004 12:01 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Master Browser
  
  One of my DC's is returning the following error and I'm not sure what
  to do:

  The browser has received a server announcement indicating that the
  computer CCDC01 is a master browser, but this computer is not a
  master browser.
  
   
  
  Event ID 8005
  
   
  
  This DC holds none of the FSMO roles so I'm not sure what I need to 
  tell this server so I don't get this error anymore.
  
   
  
  Thanks
  
  Jake
 

RE: [ActiveDir] Master Browser

2004-11-16 Thread Ayers, Diane
IIRC domain master browsers will register themselves with WINS (don't
recall the hex code anymore) and the subnet master browsers will use
this info to populate the list of domains.  However the mechanism for
resolving the host name to an IP address is separate..   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Tuesday, November 16, 2004 7:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Master Browser

If I remember right, I thought WINS would make your browse list if the
Master Browser on Subnets were not available. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Tuesday, November 16, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

Dusting off the old NT 4.0 memories... Key point is that browsing is
not related to name resolution at all.  Browsing is a simple NetBIOS
based directory that allows users to find resources.  Connecting to the
resource either by clicking on an object in the browse list or by
manually connecting (via the run command, net use, etc.) still relies on
the underlying name resolution process in your environment (WINS, etc.)

Browse list functionality may be hit or miss.  My favorite line was
"browsing sucks". If your name resolution process is working and robust
then let the Network Neighborhood stuff do its thing...  Just educate
the users on the nature of the beast.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, November 15, 2004 11:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

So, really the only thing this service does is allow users to click
through the Network Neighborhood (or its successors). Is it correct that
it does not prevent users from finding devices from the run line or
(obviously) from mapped drives?

As for publishing shares from workstations ... (zoinks!) you may have
bigger fish to fry!  ;-)

-- nme

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

I personally favor disabling it on all workstation machines. There's
little harm in leaving it running on servers, even non DC's.

The big question is whether or not it's needed - are the browse list
issues relevant enough to fix. In other words, is there a minor change
to usage that would eliminate the issue entirely? The biggest place I'd
expect to see this is if users are publishing shares from their own
machines.


Roger Seielstad
E-mail Geek  MS-MVP  

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
 Sent: Monday, November 15, 2004 4:47 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Master Browser
 
 Do you still suggest turning it off on all servers and workstations (as
 per your KB article), even in an all W2K or better environment?  We have
 done so (via group policy) for quite some time, but recently ended up
 having to defend this decision to an admin in one of our other
 offices, because he was encountering browse list issues in his domain.

 (We have left it running on the Domain Controllers only.)
 
   Tyson.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of ASB
 Sent: Monday, November 15, 2004 10:46 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Master Browser
 
 Turning off the service is a *much* better approach and doesn't 
 generate any errors in the EventLog.
 
 
 
 - ASB
   Cheap, Fast, Secure -- Pick Any TWO.
   http://www.ultratech-llc.com/KB/
 
  
 
 
 On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED]
 wrote:
  
  
  
  I wouldn't turn off the service -- I would (and do) go into the
  registry and tell the box it is NOT a Master Browser and NOT to
  maintain a list
  
   
  
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
  Sent: Monday, November 15, 2004 12:16 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Master Browser
  
  
  
   
  
  
  To stop this error message, you will need to turn off the Computer 
  Browser service.  The error message is actually an informational 
  message telling you about the browser status of computer CCDC01.
  
  Ken Adams
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
  Sent: Monday, November 15, 2004 12:01 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Master Browser
  
  One of my DC's is returning the following error and I'm not sure what
  to do:

  The browser has received a server announcement indicating that the
  computer CCDC01 is a master browser, but this computer is not a
  master browser.
  
   
  
  Event ID 8005
  
   
  
  This DC holds none

RE: [ActiveDir] 64 Bit?

2004-11-09 Thread Ayers, Diane



I guess my questions are general.  I can see some advantages on shifting to
a 64 bit platform for AD services but since the company I work for is
definitely not bleeding edge, I was looking for what the general adoption
rate of the 64 bit platform was.  Our deployment can be considered (as
compared to some of the more global deployments) somewhat centralized.  Our
DIT is ~1GB in size.  The down side is that the "3rd party" tools and
products have not really jumped on the 64 bit bandwagon yet.

The main focus of my original question was more along the lines of whether
other organizations had plans to shift to the 64 bit platform and when.  If
you've already shifted, what were some of the benefits and issues you saw.

Diane


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, November 08, 2004 6:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 64 Bit?

I have worked with several environments that had 64bit DCs.  All had DITs
that were =8GB in size.
What sorts of questions do you have?
~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane
Sent: Monday, November 08, 2004 6:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 64 Bit?

All:
Is anyone looking at using the 64 bit platform for their AD domain
controllers?  We're doing a life cycle replacement of our hardware next
year and was wondering if anyone has gone down this path.  I sat though
some of the Web casts but is there anyone running 64 bit in the "real
world" ;-)
Diane


[ActiveDir] 64 Bit?

2004-11-08 Thread Ayers, Diane
All:

Is anyone looking at using the 64 bit platform for their AD domain
controllers?  We're doing a life cycle replacement of our hardware next year
and was wondering if anyone has gone down this path.  I sat though some of
the Web casts but is there anyone running 64 bit in the real world ;-)

Diane

RE: [ActiveDir] AD OpenLDAP

2004-11-04 Thread Ayers, Diane
Just to echo Justin's comment, the BIG difference between NT 4.0 and
Active Directory is the integration/dependence on your DNS environment.
In addition to the integration into your other LDAP sources, DNS is an
area that you should focus some time on before you create your Active
Directory namespace.

Based on your environment, I'm assuming that you are running BIND for
your DNS services.  BIND fully supports AD but there are a couple of
items that you'll need to address.  Cricket Liu has some good info on
BIND and Active Directory that you can read to help get you up to speed.

http://www.google.com/search?num=20&hl=en&lr=&newwindow=1&q=Cricket+Liu+DNS+Active+Directory

Of course, if you're not running BIND, you can ignore this email... ;-)

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Thursday, November 04, 2004 6:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD  OpenLDAP

AD comes with Windows 2003 you just have to run DCPROMO on the server
and be sure that you have DNS configured since AD cannot exist without
DNS

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Romeyn Prescott
Sent: Thursday, November 04, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD  OpenLDAP

Greetings.

I have just joined this list and I know next to nothing about Active
Directory.  We support most of our services with Linux whenever possible
and still have an NT4 Domain Controller which will soon be replaced by a
Linux box running Samba.  The NT PDC is NOT the authoritative source for
our user account info, however.  That is sync'd with another server via
some custom code that was written by one of our sysadmins.

My chief responsibility is Computer Lab/Classroom support, and I have
been stuck using gpedit at the local level, not having had a Win2000 or
2003 server to play with, let alone AD.  That is changing.  We have just
purchased a Windows 2003 server to meet another need, and I have a
couple of questions which I hope are not out of line for this
list:

1) Does Active Directory come with Server 2003, or is it some sort of
add-on which must be purchased separately.  (Microsoft's web site
seems, in at least one location, to indicate that it comes with it, but
I just want to be sure.)

2) We have a relatively new OpenLDAP server (also running on Linux)
which also mirrors our account base.  Given that we do NOT want the
Windows 2003 server to be the source for our user accounts, is it
possible to tell it to synchronize with an OpenLDAP server?  Is such a
task trivial, complicated, or impossible?

I thank you in advance for your time,
...ROMeyn
--
signat-url: http://www2.potsdam.edu/prescor/signat-url.htm


RE: [ActiveDir] Mac OS X and SMB

2004-11-04 Thread Ayers, Diane



I don't know squat about Apple but you probably have SMB signing set in
your domain policies and Apple probably does not support SMB signing.  Once
you moved the server into AD, it received the domain policies, breaking the
Apple access.

Diane


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Thursday, November 04, 2004 11:59 AM
To: [EMAIL PROTECTED]
Cc: Canzoneri, Kurt; Kusch, Tom
Subject: [ActiveDir] Mac OS X and SMB

Hello!

We had an issue last night where we took a Windows 2003 Server and moved it
to our 2003 AD.  We have macs that access shares on that server and after
the move to AD we were unable to open files in Quark 6 via SMB.  AppleTalk
worked fine but the file association with SMB was wrong.

Any clues?!

Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information.  This
message and the information contained herein are not to be further
communicated without my express written consent.



RE: [ActiveDir] BDC upgrade

2004-10-20 Thread Ayers, Diane



Ditto.  Used it once to "demote" a BDC that was also a time source in the
NT 4.0 world.  Wanted to keep the server but didn't want it to be a BDC
anymore.  Best $99 bucks spent as far as saved time, etc.

Diane


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian L.
Sent: Wednesday, October 20, 2004 4:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

We have used this tool on two occasions and it worked flawlessly both
times.  We went into it knowing the risks and ramifications.  In the end it
saved us days of work which was the alternative and well worth the risk.

~Brian

From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

http://utools.com/UPromote.asp

BR

Rob

From: [EMAIL PROTECTED] on behalf of Perdue David J Contr InDyne/Enterprise IT
Sent: Wed 20/10/2004 23:59
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] BDC upgrade

I think this is the one you are talking about Brian.  It's formerly Aelita,
but now is Quest.

http://wm.quest.com/products/domainmigrationwizard/

They've got a product that will "demote" a NT4 PDC/BDC.  It's pretty
slick.  And totally not supported by MS.

Dave

David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, October 20, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] BDC upgrade

Have you looked into the File Server Migration Toolkit from MS? It's a
utility for moving file servers and it includes a patch for 2003 that makes
it so the old server name still works - utilizes a SP1 feature called DFS
Consolidation Roots.

That aside, I forget who (been awhile), but somebody makes a hundred dollar
utility which will let you convert a BDC to a member server. It's totally
unsupported by MS, so if stuff breaks, you may be out of luck. I'd look
towards the migration kit mentioned above, myself.

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED]
On Behalf Of Janson Anderson
Sent: Wednesday, October 20, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] BDC upgrade

Hi all,

I'm merging/upgrading some NT 4 domains together.  Domain A and Domain B
are both account and resource domains.  I've upgraded Domain A to 2003, and
am planning to migrate users and computers from Domain B into Domain A
using ADMT v2.

Domain B is small.  In fact when I took over it consisted of a single PDC
that had all files on it.  I've since added a second DC and transferred the
PDC role to it.

So, to get to my question:  The BDC in Domain B has all the files of the
Users I am going to be transferring.  Is there any way to upgrade this BDC
to a 2003 member server without upgrading the domain to 2k3 AD first?  I
would then just move it to domain A as a member server using ADMT.  From
what I've read it seems the only way would be to upgrade the PDC to 2k3,
then upgrade this bdc to 2k3 then dcpromo it down to a member server.  Is
this the route I have to take, or is there an easier way?

Thanks in advance for the help.


RE: Re[2]: [ActiveDir] DNS naming confused

2004-10-16 Thread Ayers, Diane
Your Exchange SMTP addresses are assigned separately.  Your domain could be
JoeBagOfDoughnuts.com and your email address can be DoughnutHoles.com

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sveta
Sent: Saturday, October 16, 2004 5:35 PM
To: Deji Akomolafe
Subject: Re[2]: [ActiveDir] DNS naming confused

Hi  Deji,

 Thank
 how it will look if I install exchange server on top of it  if I call it
 company.com and one of the clients ( of course president ) goes to trip
 with the laptop , then if I send e-mail to [EMAIL PROTECTED]  it will stay
 in local exchange mailbox ,  it will never will go out to isp company.com
 email server


 Sveta


--
Best regards,
 Sveta   
 mailto:[EMAIL PROTECTED]


Saturday, October 16, 2004, 5:42:00 PM, you wrote:

 You could name it anything you want. You could call it company.local. Or
 you could call it company.com. If you call it company.com, be prepared to
 host and maintain an internal company.com zone, which MUST be separate
 from your external company.com zone and must not be hosted on the same DNS
 server. The most important point (IMO) is that you MUST ensure that ALL
 your internal servers and clients are configured to use ONLY the INTERNAL
 DNS server(s) in TCP/IP. No room for external DNS servers anywhere in your
 internal Domain, except on the Forwarders tab of your DNS server
 configuration - if you want them to do forwarding. Another important thing
 is that you should NOT name it company (single-label). Single-label will
 hurt you.

 Hope I haven't confused you too much :)

 Sincerely,

 Dèjì Akómöláfé, MCSE MCSA MCP+I
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about
 Yesterday?  -anon





 From: Sveta
 Sent: Sat 10/16/2004 12:29 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] DNS naming confused


 Hi
 I have scenario ,
 one server win 2003 std ,
 confused with the dns naming , we have
 company.com , but it hosted somewhere else mail
 and web , what I should name my new installation
 only one server 10 users file server


  





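One way to check the rule quoted in this message, that internal machines use only the internal DNS servers (an added example, not from any poster): parse `ipconfig /all` output and report adapters that list any other resolver. The sample output, host name and addresses are constructed, and the internal resolver list is an assumption you would replace with your own.

```python
import ipaddress
import re

# "   DNS Servers . . . . . . . . . . . : 10.0.0.10" -> name / value
LABEL = re.compile(r"^\s+(?P<name>[A-Za-z][^:]*?)\s*(?:\. ?)+:\s?(?P<value>.*)$")

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01
   Primary Dns Suffix  . . . . . . . : company.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       203.0.113.53

Ethernet adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 10.0.1.77
   Default Gateway . . . . . . . . . : 10.0.1.1
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11
   Lease Obtained. . . . . . . . . . : Saturday, October 16, 2004 9:00:00 AM
"""

# Assumption: the addresses of the internal (AD) DNS servers.
INTERNAL_DNS = {"10.0.0.10", "10.0.0.11"}


def dns_servers_by_adapter(text):
    """Return {adapter name: [DNS server, ...]} from `ipconfig /all` text."""
    adapters = {}
    current = None      # adapter section being read, if any
    in_dns = False      # True while reading the "DNS Servers" field
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: a section header such as "Ethernet adapter X:"
            in_dns = False
            title = line.strip()
            if title.endswith(":") and "adapter" in title:
                current = title[:-1]
                adapters[current] = []
            else:
                current = None
            continue
        match = LABEL.match(line)
        if match:
            in_dns = match.group("name").strip() == "DNS Servers"
            value = match.group("value").strip()
        else:
            # Indented line without a label continues the previous field,
            # which is how the second and later DNS servers are printed.
            value = line.strip()
        if in_dns and current is not None and value:
            adapters[current].append(value)
    return adapters


def external_resolvers(text, internal_dns):
    """Return {adapter: [servers that are not internal DNS servers]}."""
    allowed = {ipaddress.ip_address(a) for a in internal_dns}
    findings = {}
    for adapter, servers in dns_servers_by_adapter(text).items():
        bad = []
        for server in servers:
            try:
                if ipaddress.ip_address(server) not in allowed:
                    bad.append(server)
            except ValueError:
                bad.append(server)  # unparsable entry: report it for review
        if bad:
            findings[adapter] = bad
    return findings


if __name__ == "__main__":
    for adapter, servers in external_resolvers(SAMPLE_IPCONFIG, INTERNAL_DNS).items():
        print(f"{adapter}: non-internal DNS servers {servers}")
```

External resolvers belong only on the Forwarders tab of the internal DNS servers, so any adapter this reports is a client or server that can bypass the internal zone.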


RE: [ActiveDir] Off-topic sorta

2004-10-06 Thread Ayers, Diane



Bad idea to place an exchange server in the DMZ.  Better choice would be to
use ISA 2004 in the DMZ to publish OWA, OMA and http over RPC to the
external users.  See http://www.isaserver.org for more info.

I was fairly impressed with ISA 2004.  Not as a firewall but being able to
securely publish internal content.

Diane


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, October 06, 2004 1:51 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Off-topic sorta

I've been asked to open ports:

tcp 135
tcp/udp 389
tcp/udp 88
tcp 3268
tcp 691

So we can have an exchange front end server on our DMZ talk to exchange
backend server on our internal network.  Has anyone done this and what's
the security implications of this?

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.  This e-mail should be read, copied,
disseminated and/or used only by the addressee.  If you have received
this message in error please delete it, together with any attachments,
from your system.
~~


RE: [ActiveDir] Off-topic sorta

2004-10-06 Thread Ayers, Diane



I'm not a DMZ/firewall person but generally the sheer number of ports, etc
that you have to open between the DMZ and the internal network is not a
"good thing".  Additionally for boxes that are in the DMZ, they should be
configured as highly secure boxes and that tends to break Exchange.

I have never seen any of the exchange "pundits" recommend placing an
exchange server in the DMZ...

Diane


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, October 06, 2004 2:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Off-topic sorta

Even though it's just a front-end server?  What are the security
implications?

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]On Behalf Of Ayers, Diane
  Sent: Wednesday, October 06, 2004 3:58 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Off-topic sorta

  Bad idea to place an exchange server in the DMZ.  Better choice would be
  to use ISA 2004 in the DMZ to publish OWA, OMA and http over RPC to the
  external users.  See http://www.isaserver.org for more info.

  I was fairly impressed with ISA 2004.  Not as a firewall but being able
  to securely publish internal content.

  Diane

  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
  Sent: Wednesday, October 06, 2004 1:51 PM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Off-topic sorta

  I've been asked to open ports:

  tcp 135
  tcp/udp 389
  tcp/udp 88
  tcp 3268
  tcp 691

  So we can have an exchange front end server on our DMZ talk to exchange
  backend server on our internal network.  Has anyone done this and what's
  the security implications of this?


RE: [ActiveDir] Off-topic sorta

2004-10-06 Thread Ayers, Diane
As my co-worker says... Harumph  (I agree) :-)

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 06, 2004 5:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Off-topic sorta

I second that, and deduct a DINING Services point from Douglas M :)
 
Russ, ISA is not that expensive. It's the best way (IMNSHO) to go. Given the
amount of open ports and gyrations you'd have to do  if you don't use ISA
(or similar), you are buying a lot of eases (ease of deployment, ease of
management/administration, ease of being able to sleep well at night -with
both eyes closed) and the added satisfaction of knowing that you've done it
the right way and made it difficult for the malicious ones to attack you.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Boza
Sent: Wed 10/6/2004 2:47 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Off-topic sorta


Actually, it's not necessarily a bad thing to drop a front end server into
the DMZ, but to do so you will most certainly want to be sure to apply the
hack to the end-point mapper (which will allow you to control the precise
port used by RPC).  There are plenty of good articles and papers for using
an FE server in the DMZ (for example, check
http://support.microsoft.com/default.aspx?scid=kb;en-us;280132 for info on
the ports needed).  At that point, it becomes very important to monitor all
the traffic passing thru those ports.
 
The reverse proxy solution is simpler and more secure.  You don't need to
drop a domain member into the DMZ, you drop a stand-alone server with ISA on
it and let it handle everything through a single port.
 
Typical scenarios have 443 on the public firewall open to the ISA box, and a
single port (usually a remapped port, but could be 443 again or even 80)
open between the ISA box and your front-end server on the internal-facing
firewall.  You can even wrap that one in IPSec if you want.
 
The other nice plus with using ISA is it will do a stateful packet
inspection as it proxies, giving you even more added security - a nice bonus
if you're a fan of defense in depth.
 
Point being, ISA (or for that matter, any server capable of reverse-proxy
functions) is the preferred method from most Exchange folks these days, and
Microsoft endorses this as well.  It can be done with just a FE server, but
using ISA would be safer and more secure.
 



From: [EMAIL PROTECTED] on behalf of Ayers, Diane
Sent: Wed 10/6/2004 5:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Off-topic sorta


I'm not a DMZ/firewall person but generally the sheer number of ports, etc
that you have to open between the DMZ and the internal network is not a
good thing®.  Additionally for boxes that are in the DMZ, they should be
configured as highly secure boxes and that tends to break Exchange.  
 
I have never seen any of the exchange pundits recommend placing an
exchange server in the DMZ...
 
Diane



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, October 06, 2004 2:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Off-topic sorta


Even though it's just a front-end server?  What are the security
implications?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ayers, Diane
Sent: Wednesday, October 06, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Off-topic sorta


Bad idea to place an exchange server in the DMZ.  Better choice
would be to use ISA 2004 in the DMZ to publish OWA, OMA and http over RPC to
the external users.  See http://www.isaserver.org for more info.  
 
I was fairly impressed with ISA 2004.  Not as a firewall but being
able to securely publish internal content.
 
Diane



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, October 06, 2004 1:51 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Off-topic sorta


I've been asked to open ports:
 
tcp 135
tcp/udp 389
tcp/udp 88
tcp 3268
tcp 691
 
So we can have an exchange front end server on our DMZ talk to
exchange backend server on our internal network.  Has anyone done this and
what's the security implications of this?
RE: [ActiveDir] OT:Exhange size limit require restart?

2004-09-23 Thread Ayers, Diane




It takes a while to take effect (~ 2 hrs). Take a look at the KB
below to see how to modify this behavior
Diane
http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;327378


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, September 23, 2004 7:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:Exhange size limit require restart?


Does anyone know if there is something that has to be restarted if you
change the Sending message size and Receiving message size limits are
changed (Global Settings)? I have increased the size of both, and it
doesn't seem like they took effect. Exchange 2003

  
  


RE: [ActiveDir] Unauthorized DHCP Requests

2004-09-13 Thread Ayers, Diane



Hunter:

With Cisco ACS, how are you going to deal with non-MS based devices that
get DHCP addresses? That's always been the hang-up for us to shift to a
setup like you describe.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, September 13, 2004 6:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Unauthorized DHCP Requests

Our network folks are starting to roll out Cisco's Access 
Control Server. They plan to tie it into our AD, and eventually configure all of 
the network devices so that machines won't get on the network unless they're 
joined to the AD and have successfully authenticated. I'm not sure who else 
besides Cisco has this kind of thing, but I suspect they're not the only 
one.

Hunter


From: Joe L. Casale [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 12, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unauthorized DHCP Requests


Yea, it's ugly as heck to manage though. MAC reservations for all, but
anyone can spoof that if they have a wit. Your problem is a common one,
but not a simple one.

If you hear of a slicker solution than that, pray tell!

jlc





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, September 09, 2004 4:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unauthorized DHCP Requests

Our domain is using a Win2K3 server 
which is also a domain controller as its DHCP solution. Often I look at 
the DHCP tables and notice that there are unauthorized machines that connect to 
our network. This seems to occur from employees who bring in their laptop 
during the weekend when the workload is light and management does not have as 
much a presence.

The workstations within the domain 
all follow a naming scheme. For example, ORL-RM3-204-2 which means, the 
server is located in Orlando, physically located in Room3, desk 
number 204 and the number of times that that particular workstation has been 
replaced.

So if I see a workstation in the 
DHCP tables that does not follow that naming scheme, then I know that something 
else has managed to get an IP Address from the 
network.

Is there a way to prevent 
unauthorized machines from retrieving an IP address? If so, is there also 
a way to make an exception to the rule should a non-standard naming convention 
machine require authorized access to the network?

Thank you all for your 
replies.

Edwin


RE: [ActiveDir] OT: Server backup

2004-08-31 Thread Ayers, Diane
Backup to disks IMHO will become more the norm as the disk capacity
continues to outstrip the tape backup capabilities.  We do this for all
our Exchange boxes and has worked very well.  We keep 2-3 days of backup
files on a secondary server.  All backups are sucked off the disks
onto tape(s) for longer term recovery.  If configured correctly, it will
greatly speed up your backup/recovery times over tape.  

For our configs we use a dedicated secondary server for each exchange
server and use a dedicated GB IP connection between the primary and
secondary server.  The connection is configured w/ a private IP address
and specifically use this connection for the backup process removing
this traffic from the end user data path.  The backup files on the
secondary servers are either backed up to tape or an enterprise backup
system. Since the data is now on the secondary box, you can do this
backup during production hours.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, August 31, 2004 7:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Server backup

Is it acceptable to backup to local disk (using NTbackup) and then copy
that file to a machine with a tape drive, and back that backup file up
to tape? 

Example:
1. Backup an Exchange Server locally
2. Copy that backup file to a machine with a tape drive
3. Backup that file to tape

I would be doing this for both an Exchange Server, and my DCs. This is
my only option to get this stuff onto tape, so I hope it is acceptable.
What problems may I run into?

As always, THANKS
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt

2004-08-05 Thread Ayers, Diane
Thanks for checking.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, August 05, 2004 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003
up grade attempt

Unfortunately, I don't know, and the SAP guy who installed it doesn't
remember either.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Wednesday, August 04, 2004 7:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003
up grade attempt


Ken:

Do you recall which version of the SAP portal it was that made the
schema changes?  I'm asking since we are testing the SAP portal against
AD in our lab with our SAP folks.  I know that the initial version that
they came to us with required a schema change (version 5?) and before we
got it set up they came back with the newer version that supposedly did
not require a change.  IIRC that was version 6.  

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003
up grade attempt

Well side by side we see:

MS UID

dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uid
adminDisplayName: uid
adminDescription: A user ID.
attributeId: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: oPywC4ken0KQGhQTiU2fWQ==
attributeSecurityGuid:: Qi+6WaJ50BGQIADAT8LTzw==
showInAdvancedViewOnly: FALSE
systemFlags: 0



SAP UID

dn: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
changetype: add
adminDisplayName: uid
attributeID: 1.2.840.113556.1.4.7000.233.28688.28684.8.464850.1724825.154498.1299246.15
attributeSyntax: 2.5.5.4
cn: uid
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: uid
distinguishedName: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
objectClass: attributeSchema
objectGUID:: f1Sz+++ZY0eIH7t1mStJIA==
oMSyntax: 20
name: uid
schemaIDGUID:: Qy93MDGWsEqRfKr837RfzA==
showInAdvancedViewOnly: TRUE



The main diffs being

O attributeSyntax/omsyntax - ci unicode string for MS, ci string for SAP -
SAP shouldn't have an issue unless someone uses some multibytes in the
uid.

O schemaIDGuid - shouldn't be an issue unless there are property sets
involved for security

O attributeID - if SAP uses the ldapdisplayname in class definitions
instead of the attributeIDs they should be ok.

O MS is multi-valued, SAP is single valued - This could be painful if
using ADSI due to the difference in how it handles mv versus sv, but if
using LDAP this shouldn't be too bad, just would only use the first
value in the attribute.



Definitely there are points that could cause pain but wouldn't expect it
would be overly difficult for SAP to correct and use the MS definition
versus theirs. Unless they use UID as a unique identifier within the
database in which case the multi-value could cause some serious key
issues. 

   joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, August 04, 2004 3:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003
up grade attempt

Thanks Joe, I saw that (rare for me lately).  Just curious if SAP and
Active Directory could play well together or not.  

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 3:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003
up grade attempt

I would expect it would really dork it up pretty well... 

However there are two compensating things.

1. SAP shouldn't have done this. Ok so that isn't really a compensating
factor but they really shouldn't have!
2. He already said that they aren't using it so breaking SAP doesn't
matter.
Now for the part I don't know: how do I fix it? The SAP portal was
tested, but was back-burned indefinitely, so I don't have to worry about
breaking it.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, August 04, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003
up grade attempt

Anyone have the impact that would have on SAP application by chance?

Just curious really.  Don't have SAP handy. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 12:51 PM
To: [EMAIL PROTECTED]
Cc: 'Eric Fleischman'
Subject: RE: [ActiveDir] Schema Gurus

RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt

2004-08-04 Thread Ayers, Diane
Ken:

Do you recall which version of the SAP portal it was that made the
schema changes?  I'm asking since we are testing the SAP portal against
AD in our lab with our SAP folks.  I know that the initial version that
they came to us with required a schema change (version 5?) and before we
got it set up they came back with the newer version that supposedly did
not require a change.  IIRC that was version 6.  

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003
up grade attempt

Well side by side we see:

MS UID

dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uid
adminDisplayName: uid
adminDescription: A user ID.
attributeId: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: oPywC4ken0KQGhQTiU2fWQ==
attributeSecurityGuid:: Qi+6WaJ50BGQIADAT8LTzw==
showInAdvancedViewOnly: FALSE
systemFlags: 0



SAP UID

dn: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
changetype: add
adminDisplayName: uid
attributeID: 1.2.840.113556.1.4.7000.233.28688.28684.8.464850.1724825.154498.1299246.15
attributeSyntax: 2.5.5.4
cn: uid
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: uid
distinguishedName: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
objectClass: attributeSchema
objectGUID:: f1Sz+++ZY0eIH7t1mStJIA==
oMSyntax: 20
name: uid
schemaIDGUID:: Qy93MDGWsEqRfKr837RfzA==
showInAdvancedViewOnly: TRUE



The main diffs being

O attributeSyntax/omsyntax - ci unicode string for MS, ci string for SAP -
SAP shouldn't have an issue unless someone uses some multibytes in the
uid.

O schemaIDGuid - shouldn't be an issue unless there are property sets
involved for security

O attributeID - if SAP uses the ldapdisplayname in class definitions
instead of the attributeIDs they should be ok.

O MS is multi-valued, SAP is single valued - This could be painful if
using ADSI due to the difference in how it handles mv versus sv, but if
using LDAP this shouldn't be too bad, just would only use the first
value in the attribute.



Definitely there are points that could cause pain but wouldn't expect it
would be overly difficult for SAP to correct and use the MS definition
versus theirs. Unless they use UID as a unique identifier within the
database in which case the multi-value could cause some serious key
issues. 

   joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, August 04, 2004 3:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003
up grade attempt

Thanks Joe, I saw that (rare for me lately).  Just curious if SAP and
Active Directory could play well together or not.  

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 3:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003
up grade attempt

I would expect it would really dork it up pretty well... 

However there are two compensating things.

1. SAP shouldn't have done this. Ok so that isn't really a compensating
factor but they really shouldn't have!
2. He already said that they aren't using it so breaking SAP doesn't
matter.
Now for the part I don't know: how do I fix it? The SAP portal was
tested, but was back-burned indefinitely, so I don't have to worry about
breaking it.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, August 04, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003
up grade attempt

Anyone have the impact that would have on SAP application by chance?

Just curious really.  Don't have SAP handy. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 12:51 PM
To: [EMAIL PROTECTED]
Cc: 'Eric Fleischman'
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003
upgrade attempt

Great, you have to love that! ~Eric have them fix their sheet!

Here is a little article about defuncting attribs/classes so you can
learn about it

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/disabling_existing_classes_and_attributes.asp


Unfortunately, defuncting is something you can only do in an FFL 2K3
forest... Or you can delete stuff but I think you have to be pre-W2K
SP2.
OEM will definitely let you do it. Robbie published a nice little
article on this a ways back. MS got pissed and made it so you couldn't
do it any more... 

However I 
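
The side-by-side comparison of the two uid definitions in this thread can be reproduced mechanically. The following is an added example, not part of the original thread and not a Microsoft or SAP tool: it parses the two attributeSchema entries quoted above (the SAP entry trimmed to the compared fields and hard-wrapped the way a mail client wraps it, which the parser undoes) and reports the fields that differ. Function names and the syntax labels are this example's own.

```python
import base64
import re
import uuid

MS_UID = """\
dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uid
attributeId: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
schemaIdGuid:: oPywC4ken0KQGhQTiU2fWQ==
"""

SAP_UID = """\
dn: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
changetype: add
attributeID:
1.2.840.113556.1.4.7000.233.28688.28684.8.464850.1724825.154498.1299246.
15
attributeSyntax: 2.5.5.4
isSingleValued: TRUE
lDAPDisplayName: uid
objectClass: attributeSchema
oMSyntax: 20
schemaIDGUID:: Qy93MDGWsEqRfKr837RfzA==
"""

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?)[ \t]*(.*)$")
COMPARED = ("ldapdisplayname", "attributeid", "attributesyntax",
            "omsyntax", "issinglevalued", "schemaidguid")
SYNTAX_NAMES = {("2.5.5.12", "64"): "String(Unicode)",
                ("2.5.5.4", "20"): "String(Teletex), case-insensitive"}


def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    raw = []  # [name, is_base64, text]
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = None if line[0] == " " else ATTR_LINE.match(line)
        if m:
            raw.append([m.group(1).lower(), m.group(2) == "::", m.group(3)])
        elif raw:
            # RFC 2849 folding (one leading space) or a mail-wrapped tail.
            # A wrapped tail that itself looks like "name: value" would be
            # misread as a new attribute; none occurs in this sample.
            raw[-1][2] += line[1:] if line[0] == " " else line.strip()
    entry = {}
    for name, is_b64, text in raw:
        entry.setdefault(name, []).append(
            base64.b64decode(text) if is_b64 else text)
    return entry


def first(entry, name):
    """First value of an attribute; 16-byte binary values shown as GUIDs."""
    values = entry.get(name)
    if not values:
        return None
    value = values[0]
    if isinstance(value, bytes):
        return str(uuid.UUID(bytes_le=value)) if len(value) == 16 else value.hex()
    return value


def schema_diff(a, b):
    """Return {attribute: (value_in_a, value_in_b)} for differing fields."""
    return {k: (first(a, k), first(b, k))
            for k in COMPARED if first(a, k) != first(b, k)}


def review_notes(a, b):
    """Short notes for two definitions that share an lDAPDisplayName."""
    diff, notes = schema_diff(a, b), []
    if "attributeid" in diff:
        notes.append("different attributeID (OID) behind the same lDAPDisplayName")
    if "attributesyntax" in diff or "omsyntax" in diff:
        names = tuple(SYNTAX_NAMES.get(
            (first(e, "attributesyntax"), first(e, "omsyntax")), "unknown")
            for e in (a, b))
        notes.append("syntax differs: %s vs %s" % names)
    if "issinglevalued" in diff:
        notes.append("isSingleValued differs: %s vs %s" % diff["issinglevalued"])
    if "schemaidguid" in diff:
        notes.append("schemaIDGUID differs: %s vs %s" % diff["schemaidguid"])
    return notes


if __name__ == "__main__":
    for note in review_notes(parse_entry(MS_UID), parse_entry(SAP_UID)):
        print("-", note)
```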

RE: [ActiveDir] AD and printer admins

2004-07-29 Thread Ayers, Diane
I'm sorry, I must be missing something.  Can't you just add the desktop
support team to the local power users group on the servers that you create
the print shares on?   That's what we do and it seems to work.  The only thing
that they can't do is to create new IP ports for shares if they are required
but there are some reg permission changes that you can do to allow that.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Thursday, July 29, 2004 7:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and printer admins

Currently Right now our Desktop support group has been added to the local
admin group of our Server so they can create new printers.  We really don't
want them to have local admin permissions.  Just permissions to create
printers.  Currently I cannot use Printer operators or a printer OU to do that
as we are in the middle of a lengthy migration from an NT domain.

Any ideas?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, July 28, 2004 9:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD and printer admins

What is the full detail of what the solution needs to be able to accomplish?
Also, have you seen what the built-in Print Operators group can do for you?
:) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, July 27, 2004 5:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and printer admins

That lets them modify current printers yes.  But not create new ones.
Which is my dilemma.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Tuesday, July 27, 2004 4:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and printer admins

Make an OU for desktop support add users there
In printer properties > security tab add OU there and give full rights...

Never tried but guess that's the way.

Gr J

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, July 27, 2004 22:21
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD and printer admins


Is there a way within AD and other security settings to allow a Desktop
Support section the ability to create and maintain printers without putting
them into the local admin group on the servers.  Currently we are not using
the Printers OU for AD.  The printers are added the old way thru the add
printer wizard.  

Jeff




RE: [ActiveDir] LSASS.EXE!

2004-07-27 Thread Ayers, Diane
My bets are on Sasser.  Reapply MS04-011 and reboot.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Robert
Sent: Tuesday, July 27, 2004 7:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LSASS.EXE!

What started this? Was it after a specific patch?

-Original Message-
From: Jacob Stabl [mailto:[EMAIL PROTECTED]
Sent: 27 July 2004 15:21
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LSASS.EXE!


Ok I have been having this problem for quite a while and I have been
ignoring it because I thought it was just a freak error.  My main
directory server has been saying lsass.exe application error then I
click OK then it says it's going to restart in 60 seconds.  I have checked
for all the viruses, sasser, blaster and all of the above.  All the
updates have always been up to date, sophos anti virus always runs on
it.  I have no idea what to do next, I am starting to get scared since
it is my main directory server.  

--
Jacob Stabl
Network Engineer
Plain Local Schools
http://eagle.stark.k12.oh.us
Work: 330.492.3500 x.383
Cell: 330.495.7243



RE: [ActiveDir] win2k pro or server?

2004-07-21 Thread Ayers, Diane
It may be more than you want but what the heck.  I'm not a programmer so
YMMV

Diane

-


On Error Resume Next
Set Network = WScript.CreateObject("WScript.Network")
' Prompt for the target computer; defaults to the local machine name
strComputer = InputBox("Enter NETBIOS name of computer", "GetComputerLocation In AD", Network.ComputerName)
' Connect to WMI on the target computer
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' 48 = return immediately + forward-only enumeration
Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem",,48)
For Each objItem in colItems
    Wscript.Echo "BootDevice: " & objItem.BootDevice
    Wscript.Echo "BuildNumber: " & objItem.BuildNumber
    Wscript.Echo "BuildType: " & objItem.BuildType
    Wscript.Echo "Caption: " & objItem.Caption
    Wscript.Echo "CodeSet: " & objItem.CodeSet
    Wscript.Echo "CountryCode: " & objItem.CountryCode
    Wscript.Echo "CreationClassName: " & objItem.CreationClassName
    Wscript.Echo "CSCreationClassName: " & objItem.CSCreationClassName
    Wscript.Echo "CSDVersion: " & objItem.CSDVersion
    Wscript.Echo "CSName: " & objItem.CSName
    Wscript.Echo "CurrentTimeZone: " & objItem.CurrentTimeZone
    Wscript.Echo "Debug: " & objItem.Debug
    Wscript.Echo "Description: " & objItem.Description
    Wscript.Echo "Distributed: " & objItem.Distributed
    Wscript.Echo "EncryptionLevel: " & objItem.EncryptionLevel
    Wscript.Echo "ForegroundApplicationBoost: " & objItem.ForegroundApplicationBoost
    Wscript.Echo "FreePhysicalMemory: " & objItem.FreePhysicalMemory
    Wscript.Echo "FreeSpaceInPagingFiles: " & objItem.FreeSpaceInPagingFiles
    Wscript.Echo "FreeVirtualMemory: " & objItem.FreeVirtualMemory
    Wscript.Echo "InstallDate: " & objItem.InstallDate
    Wscript.Echo "LargeSystemCache: " & objItem.LargeSystemCache
    Wscript.Echo "LastBootUpTime: " & objItem.LastBootUpTime
    Wscript.Echo "LocalDateTime: " & objItem.LocalDateTime
    Wscript.Echo "Locale: " & objItem.Locale
    Wscript.Echo "Manufacturer: " & objItem.Manufacturer
    Wscript.Echo "MaxNumberOfProcesses: " & objItem.MaxNumberOfProcesses
    Wscript.Echo "MaxProcessMemorySize: " & objItem.MaxProcessMemorySize
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "NumberOfLicensedUsers: " & objItem.NumberOfLicensedUsers
    Wscript.Echo "NumberOfProcesses: " & objItem.NumberOfProcesses
    Wscript.Echo "NumberOfUsers: " & objItem.NumberOfUsers
    Wscript.Echo "Organization: " & objItem.Organization
    Wscript.Echo "OSLanguage: " & objItem.OSLanguage
    Wscript.Echo "OSProductSuite: " & objItem.OSProductSuite
    Wscript.Echo "OSType: " & objItem.OSType
    Wscript.Echo "OtherTypeDescription: " & objItem.OtherTypeDescription
    Wscript.Echo "PlusProductID: " & objItem.PlusProductID
    Wscript.Echo "PlusVersionNumber: " & objItem.PlusVersionNumber
    Wscript.Echo "Primary: " & objItem.Primary
    Wscript.Echo "ProductType: " & objItem.ProductType
    Wscript.Echo "QuantumLength: " & objItem.QuantumLength
    Wscript.Echo "QuantumType: " & objItem.QuantumType
    Wscript.Echo "RegisteredUser: " & objItem.RegisteredUser
    Wscript.Echo "SerialNumber: " & objItem.SerialNumber
    Wscript.Echo "ServicePackMajorVersion: " & objItem.ServicePackMajorVersion
    Wscript.Echo "ServicePackMinorVersion: " & objItem.ServicePackMinorVersion
    Wscript.Echo "SizeStoredInPagingFiles: " & objItem.SizeStoredInPagingFiles
    Wscript.Echo "Status: " & objItem.Status
    Wscript.Echo "SuiteMask: " & objItem.SuiteMask
    Wscript.Echo "SystemDevice: " & objItem.SystemDevice
    Wscript.Echo "SystemDirectory: " & objItem.SystemDirectory
    Wscript.Echo "SystemDrive: " & objItem.SystemDrive
    Wscript.Echo "TotalSwapSpaceSize: " & objItem.TotalSwapSpaceSize
    Wscript.Echo "TotalVirtualMemorySize: " & objItem.TotalVirtualMemorySize
    Wscript.Echo "TotalVisibleMemorySize: " & objItem.TotalVisibleMemorySize
    Wscript.Echo "Version: " & objItem.Version
    Wscript.Echo "WindowsDirectory: " & objItem.WindowsDirectory
Next




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
DL.ActiveDirectory
Sent: Wednesday, July 21, 2004 7:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win2k pro or server?

Is there a way to tell via vbs?

Thank you,
Mitch Lawrence

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brown, Bill [contractor]
Posted At: Tuesday, July 20, 2004 1:21 PM
Posted To: ~AD Discussion~
Conversation: win2k pro or server?
Subject: RE: [ActiveDir] win2k pro or server?

If you hit the start button - there is a vertical bar that displays this
information...

R/Bill

 -Original Message-
From:   Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, July 20, 2004 2:14 PM
To: ActiveDir (E-mail)
Subject:[ActiveDir] win2k pro or server?

Sorry if this is really basic and covered before- but what's the quickest
way (via script or gui admin tool) to tell if a particular pc/server is
running win2k pro or server?
thanks

RE: [ActiveDir] Moving Roaming profiles

2004-06-03 Thread Ayers, Diane
It seems that outside of the FRS / replication issues, using DFS would
be a good way of virtualizing the storage location of the profiles.  If
you used a DFS root to designate your storage location and you needed to
migrate/replace this location, you could update the DFS root without
having to modify any user attributes.  Basically make the management of
the profile data a backroom thing.

Using FRS would make the whole setup somewhat ugly.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Wednesday, June 02, 2004 9:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Moving Roaming profiles

It is indeed  NOT a good thing.

I would not do this.

FRS is not meant to replicate this type of dynamic data (profiles) you
may experience data loss or perhaps FRS breakdowns (depending on size,
number of files, and amount of change per file).
Clarification on the data loss - this would not be due to FRS or
'corrupt' files, but rather the natural way FRS works - which is on a
last writer wins basis.

my .02

-steve


- Original Message -
From: Malachi Burke [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 02, 2004 8:16 PM
Subject: [ActiveDir] Moving Roaming profiles


 I want to move roaming profiles from our regular share into a DFS
 folder.  The setup is straightforward.  Two DC's, DFS replicate to each
 other, highly available roaming profiles.  A sanity check that this is
 indeed a good thing would be nice.

 I am also a bit concerned about DFS because the documentation is so
 verbose (i.e. makes my brain hurt figuring it all out).  Scenario: DC1
 and DC2 both are hosting DFS root \\testroot\root.  They are hosting
 their own corresponding file shares (say \\DC1\root and \\DC2\root).  Am
 I right in expecting that EITHER DC1 or DC2 can go offline, and
 \\testroot\root will still be available?

 Lastly, moving the profiles looks like you have to muck with ownership
 and permissions.  I was able to brute-force move one this way (by
 forcefully claiming ownership and subsequent permission of the entire
 profile tree), but a more graceful method would be appreciated.

 Malachi



RE: [ActiveDir] exchange 5.5, active directory and ADC

2004-06-01 Thread Ayers, Diane



I'll second Nick's comment to test 
your implementation in a lab setup first before doing it live. There are 
some subtle (and not so subtle) things that you can do to hose your production 
setup. The first lab run we did hosed our lab but we learned. That's 
what labs are for

Diane


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Tuesday, June 01, 2004 3:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC


Correct, suggest since you haven't worked with the ADC before that you
lab/vmware this at least once, and document your process before trying
this in production. This way you'll have something to work with without
being tempted to tick any options you haven't seen work in the lab before.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chaudhary, Amit
Sent: 01 June 2004 11:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC

Sorry

But want to make sure I'm understanding you here. You suggesting set
schedule to never, until the ADC is in place and working ok? Then moving
it to a schedule? We don't plan to completely shut down the old exchange
server for a few weeks at least.

Anything else I should be aware of adding the ADC in terms of this
migration to Exchange 2003





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: 01 June 2004 10:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC

Yip, the AD container/OU is selectable whilst creating the recipient
agreement connection. Suggest the first thing you configure is setting
your schedule to NEVER, and finish your other bits and pieces.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chaudhary, Amit
Sent: 01 June 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC

Nick

Cheers, can you configure ADC to create any accounts it needs to in a
separate container in the AD?






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: 01 June 2004 10:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] exchange 5.5, active directory and ADC

Amit,
Depending on how the accounts were created, it is possible to use the ADC
to match accounts already existing in AD. If no match is found for a 5.5
mailbox, a duplicate account will be created in AD. The default matching
rule will match the 5.5 associated-NT-Account field to the AD account's
sid or sidHistory attribute. You may extend the matching rules in the ADC
so that you can match RDN to CN or a mail alias to samaccountname if you
have a match between those. I strongly suggest you read the article below:

Understanding and Deploying Exchange 2000 Active Directory Connector
http://www.microsoft.com/downloads/details.aspx?FamilyID=c763b584-c511-4687-b27f-a13a8f82d4c8&displaylang=en

If you configure your ADC incorrectly, you may only have duplicate
accounts, but at worst case you might lose mail.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chaudhary, Amit
Sent: 01 June 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] exchange 5.5, active directory and ADC

Hi

This may be a bit off topic but I was hoping to get some advice from the list.

I have a Windows 2000 active directory environment, one of my Windows 2000 servers is running exchange 5.5 (not a DC). We have been considering moving to exchange 2003, the migration method was to join exchange 2003 to the existing site, move the mailboxes and then bring down the old server. The problem is that I have come across the Active Directory Connector and I wanted to get some more information on this, as I have been told it has not been installed on my site. I.e. the 5.5 directory is not updating the active directory and vice versa.

If we were to install the Active Directory Connector, would exchange create new accounts in my AD for all the mailboxes I have in my mail system, or will it see that active directory accounts are already created? The AD accounts are created as firstname lastname, but the display names for our email accounts are lastname, firstname. What will be the overall effect on my AD of installing this connector and enabling bi-directional communication?

Regards

Amit
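
The default matching rule described in this thread (the 5.5 associated-NT-Account SID against an AD account's sid or sidHistory, optionally extended with mail alias to samaccountname) can be checked against exports before a connection agreement is ever scheduled. The following is an added example, not part of the thread and not ADC code; the record layout, function names and all SIDs and account names are constructed for illustration.

```python
"""Pre-flight check for the default ADC matching rule described above.

A 5.5 mailbox counts as matched when its Assoc-NT-Account SID equals an AD
account's objectSid or one of its sidHistory values.  The optional alias
rule models the "mail alias to sAMAccountName" extension from the thread.
Every record here is constructed sample data, not a real export.
"""
from collections import defaultdict

# Constructed Exchange 5.5 mailboxes: alias plus the owning NT account SID.
MAILBOXES = [
    {"alias": "achaudhary", "nt_sid": "S-1-5-21-1111-2222-3333-1105"},
    {"alias": "nblank", "nt_sid": "S-1-5-21-9999-8888-7777-2210"},    # pre-migration SID
    {"alias": "helpdesk", "nt_sid": "S-1-5-21-1111-2222-3333-1105"},  # same owner as achaudhary
    {"alias": "jsmith", "nt_sid": "S-1-5-21-9999-8888-7777-2250"},    # SID unknown to AD
    {"alias": "oldstaff", "nt_sid": "S-1-5-21-9999-8888-7777-2299"},  # no AD account at all
]

# Constructed AD accounts: sAMAccountName, objectSid and sidHistory.
AD_USERS = [
    {"sam": "amit.chaudhary", "sid": "S-1-5-21-1111-2222-3333-1105", "sid_history": []},
    {"sam": "nicolas.blank", "sid": "S-1-5-21-1111-2222-3333-1106",
     "sid_history": ["S-1-5-21-9999-8888-7777-2210"]},
    {"sam": "jsmith", "sid": "S-1-5-21-1111-2222-3333-1107", "sid_history": []},
]


def build_sid_index(ad_users):
    """Map every objectSid and sidHistory value to its sAMAccountName."""
    index = {}
    for user in ad_users:
        for sid in [user["sid"], *user["sid_history"]]:
            index[sid.upper()] = user["sam"]
    return index


def preflight(mailboxes, ad_users, use_alias_rule=False):
    """Classify mailboxes as matched, unmatched or sharing one AD account."""
    sid_index = build_sid_index(ad_users)
    sam_names = {user["sam"].lower() for user in ad_users}
    matched, unmatched = {}, []
    owners = defaultdict(list)
    for mbx in mailboxes:
        sam = sid_index.get(mbx["nt_sid"].upper())
        if sam is None and use_alias_rule and mbx["alias"].lower() in sam_names:
            sam = mbx["alias"].lower()
        if sam is None:
            unmatched.append(mbx["alias"])  # no match: a duplicate account would result
            continue
        matched[mbx["alias"]] = sam
        owners[sam].append(mbx["alias"])
    # Several mailboxes resolving to one account need a manual decision.
    shared = {sam: aliases for sam, aliases in owners.items() if len(aliases) > 1}
    return {"matched": matched, "unmatched": unmatched, "shared": shared}


if __name__ == "__main__":
    for label, alias_rule in (("default rule", False), ("with alias rule", True)):
        print(label, preflight(MAILBOXES, AD_USERS, use_alias_rule=alias_rule))
```

Running it with the schedule still set to never, as suggested in the thread, gives a list of mailboxes to fix by hand before any replication happens.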


RE: [ActiveDir] Mixed network PC and Mac - AD or XServe

2004-05-18 Thread Ayers, Diane



Don't even get me started on PERC raid 
controllers... I'll share my stories after a few "adult 
beverages"...

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, May 18, 2004 4:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Mixed network PC and Mac - AD or XServe

You would genuinely use anything that has a perc raid controller? 
ewww, I feel dirty all of a sudden. 
On May 18, 2004, at 12:44 AM, joe wrote: 
I was laughing pretty good even before I got to 
the information on the new book 
 
Out of the hardware vendors mentioned I would say 
I like Dell the best. I really dislike IBM unless you like to overpay for 
everything plus I have seen hellacious motherboard failures and the RSA solution 
is only about 5-10 years behind the DRAC solution from Dell. Haven't even seen 
an ACER in like 8-10 years, and would have thrown something at one at that 
point as they were ~= to packard bell. 
 
Also if building check out newegg.com pricing. I 
have built some very nice systems very cheaply through newegg. 
 
As for Exchange. I would have to agree unless 
the customer wants the integrated calendaring or the integrated IM or the 
other little things that Exchange adds on. At that point Exchange starts 
winning. Mostly the calendaring is the big thing. 
 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brent 
Westmoreland 
Sent: Monday, May 17, 2004 7:09 PM 
To: [EMAIL PROTECTED] 
Subject: Re: [ActiveDir] Mixed network PC and Mac - AD or 
XServe 
In regard to cost estimates you probably can get Dell hardware to fulfill 
that role, you can also get some Gateway servers, and probably Acer has some 
offerings as well. For that matter, you could even build your own clone servers 
and save a pantload from pricewatch.com. There are always ways to leverage costs 
with Intel Based hardware. Personally, I wouldn't implement the smallest of 
server projects with less than IBM or HP hardware, but that is a personal 
preference. And even with those options, you could probably still find 
some cost comparable options. I didn't get quotes from 3 vendors before posting 
to the list. 
In regard to exchange, If you want it then don't even consider going apple. 
Exchange needs Active Directory, so a duplication of directories in this 
instance would be fruitless. 
In regard to file service performance, it depends on who you ask... pc 
vendors will tell you that theirs is faster, Apple puts this up: 
http://www.apple.com/xserve/performance.html 
In the end file services are file services, it's pretty much like taking an 
airplane from washington to newark or taking a train from washington to newark, 
either way your trip will take about the same. Now as a stickler you can 
benchmark the f*_k out of it and say either a x86 is faster by 3 microseconds or 
a mac is faster by 4, but we're talking about 70 users!?!?! 
Now, let's talk about AFP. Dump it... Get rid of it... it is as 80's as Ferris 
Bueller and while it may work in movies, technology needs upgrades. (chicka 
chicka... chicka chicka... omp omp O Yeahhh! Sorry little bit of 
'yellow fever') No wonder Microsoft is getting rid of it, Apple should too. Macs 
do great with smb:// cifs:// ftp://, etc. , I haven't noticed any difference in 
file services to smb shares between a pc and a mac connected to the same share 
over the same network. 
Yes, you can setup AD to authorize mac and pc machines to file services, it 
requires a little tweaking and if you end up needing assistance with it I'll 
answer any questions you might have. 
For planning resources on the OS X side, hit 
www.macwindows.com 
www.macosxlabs.org 
and you will definitely need the os x manuals at 
http://docs.info.apple.com/article.html?artnum=107912 
for SSO interoperability, you should read the O'Reilly Kerberos book written 
by Jason Garmon, and for the AD side check out anything by Robbie Allen et al. 

Finally, if you are in on the Cats & Dogs discussion check out the yet to 
be released title Cats and Domain Local Groups by Joe Richards. 
I still stick by my original recommendation that AD and now the apparent 
Exchange plans are bad news for your client, it's like shooting a gnat with an 
RPG and then finding out you could have bought a fly swatter at your local flea 
market (that was better suited to the original task) for $0.98 and no client 
access licenses. 
And really, really finally if you are still concerned about OS X reliability 
consider that Yahoo, Hotmail, IBM, the International Space Station, and others 
use BSD for critical applications. 
http://www.apple.com/macosx/features/unix/ 
'nuff said. 
On May 17, 2004, at 2:16 PM, Noah Eiger wrote: 
Thanks Brent and Robbie. 
 
A bit of a surprising response from an AD list.  
 
Brent, maybe you can shed some light on the cost calculations you offered. To 
me, I look at the XServe for about $3000 with no storage (80 GB SATA) and then 
an array for $6000 (1TB, 

RE: [ActiveDir] OT: explorer.exe hangs on folder access

2004-05-18 Thread Ayers, Diane



SWAG but we've run into issues with 
the thumbs.db file being corrupted. thumbs.db (hidden system) is created 
when you do the thumbnails view. Try deleting that and see if it 
helps.

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, May 18, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Doesn't appear so :-(

I took a look through every log for the past 3 days and there doesn't seem to be anything abnormal happening (not logged at least).

Would a corrupted MFT entry restore itself upon restart?

I appreciate all of the help by the way Al. Like I said this has happened once before and coincidentally it happened to my boss so I spent a few hours scratching my head trying to figure it out and sure enough I restarted the server that evening and everything was fine afterwards.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 18, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Nothing in there about disk errors that might explain 
something about a corrupted MFT entry maybe?

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, May 18, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

The only events logged are informational success notifications and success audit security logs. I do not see any relevant Warning or Error events logged :-(

Server specs: 2x PIII 600, 1GB RAM, 2 RAID-1 arrays

The server functions as a file/print server as well as a DC holding all roles for the domain. Domain has 100 +/- users/groups.

Backup client installed, exchange admin tools, resource kit tools, support tools





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 18, 2004 1:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Any relevance? Does that mean there is nothing or 
nothing that seems related? If there is something else going on, it would 
be helpful to know. I'd be particularly interested in anything in the system 
log. While we're investigating the scope of this, what else is on the 
machine? How is the machine configured?

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, May 18, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

There is nothing abnormal shown in the event logs on client or server with any relevance :-(


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 18, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: explorer.exe hangs on folder access

Log entries?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Tuesday, May 18, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: explorer.exe hangs on folder access

This is a very strange problem I experienced a few weeks ago and just yesterday I've noticed it happen again. This only happens with a single folder, all others are fine. This particular instance the folder is completely empty except for "My Pictures" being automatically created within.

Expected cause:

User Personal (My Documents) folders are redirected to a central location on the file server.
User is not granted exclusive rights to their user folders; rights are inherited from parent.
User folders are automatically created when user first logs into the domain.

Symptom:

When user attempts to log in the explorer.exe process hangs and the desktop is never created. User can log off by using Task Manager, or forcing a logoff/shutdown using shutdown.exe.
Explorer.exe hangs when any PC attempts to access the user folder (including locally on the server).
Strangely enough, I am able to copy the contents of the folder elsewhere using the explorer interface and am able to retrieve a directory listing using command prompt.

Taking ownership of the folder does not resolve the issue.
Desktop.ini shows being accessed by whichever user is attempting to access the folder, visible using computer management mmc snap-in. Forcibly closing all instances does not resolve the issue.

Resolution:

Restarting the server resolves the issue.

Does anyone have ANY clue what this might be? Server is running Windows Server 2003 Std.
I've considered calling M$FT on the issue but I'm sure they'll suggest that I restart the server.

TIA for any input.


RE: [ActiveDir] VPN users and their AD passwords

2004-05-18 Thread Ayers, Diane



Gee... you give them remote access to the company via the internet from anywhere and they're complaining about having to hit cancel? I would tell them to get over it... :-)

Actually with my client, I can just type in my password in the ctrl-alt-del login box and just ignore the VPN client if I am on the company network. It will authenticate via normal channels. Externally, I can choose to authenticate via the VPN client.

Only if you don't let the VPN client initialize fully do you get the big 
cancel button when you hit ctrl-alt-del. Either hit cancel or wait for the 
VPN client to initialize before they hit the keyboard.

Diane



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 18, 2004 4:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords

The 
complaint here from users is that if they ARE on the network, they have to hit 
cancel on the Cisco VPN client login so they can get to the CTRL-ALT-DEL 
screen. Is there any workaround for this, or just tell the users to get 
over it?

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
  Sent: Tuesday, May 18, 2004 4:15 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] VPN users and their AD passwords

  I'm running v 4.0.3(D) of Cisco VPN client and it is configured as Jeff describes below (logon to VPN before laptop logon). I had my domain password "expire" and IIRC, I was able to change my password at my usual ctrl-alt-del logon after I had done my VPN login.

  This was after a few adult beverages so I may have been confused... :-)
  
  Diane
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
  Sent: Tuesday, May 18, 2004 1:21 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] VPN users and their AD passwords

  Russ - With the newer versions of the Cisco VPN client you can configure the client to allow logon to the network via VPN before you logon to the notebook. When you first start up the system and hit Ctrl-Alt-Del to get the regular logon box, a Cisco VPN connection dialog comes up instead. You use this dialog to connect by VPN first so that you are actually authenticating your account with a domain controller, then you get a logon box again for logging on to the machine. This keeps the cached account information and the domain account information in synch.

  If users change their password while connected by VPN, the cached credentials on the notebook are not updated. If they restart the notebook, they have to logon using their old password. When they next connect by VPN they will have to provide their new password. As soon as their machine tries to access network resources, it passes the old password information and causes the user's account to lockout very quickly (assuming you have account lockout enabled).

  On the 3.6.3 client, you would go into Options - Windows Logon Properties and select Enable Start Before Logon. You would also want to select Disconnect VPN Connection While Logging Off. I believe this requires a system restart so that it hooks into the security dialog (msgina?).

  If you need to go update your remote clients and you use SMS 2003, you may also want to upgrade your VPN clients at the same time to the 4.x VPN Client. Microsoft's notes say that the 4.x client will accurately report the IP address assigned by your VPN concentrator, as opposed to the IP address the notebook has on the user's personal network, so that the SMS 2003 Client boundary calculations will work properly.

  We also have a ton of users with non-expiring passwords because they needed remote access in the past. One of my tasks this week is to get them to change their passwords, then we will set them to start expiring. We still need to figure out how to take care of remote users who only connect by dial-up direct to our company (no broadband available).

  Jeff Salisbury
  Network Infrastructure and Security Manager
  Belkin Corporation
  Information Services
  310 604-2061
  310 604-2022 fax
  www.belkin.com

  -Original Message-
  From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, May 18, 2004 12:19 PM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] VPN users and their AD passwords
  
How do your VPN 
only users who never attach their laptop to your network change their AD 
passwords when they expire? We're having an issue where we have to 
make all our VPN users "Password never expires" because they cannot change 
their password when it does expire, because they're only coming in via a 
Cisco VPN client. 

Thanks

  
  

RE: [ActiveDir] OT: Ad hoc queries from within Excel

2004-05-14 Thread Ayers, Diane



We wrote a basic one that allows users 
to dump DL memberships to a spreadsheet w some of the attributes. 
Basically it was for the clerical folks that create phone lists for depts. and 
floors. I don't know if we can share. Also It's hard coded to 
our domains and OUs

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 14, 2004 6:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Ad hoc queries from within Excel

I'm constantly having users ask me to do some ad-hoc query on AD, and send them the output. Seems like it would be pretty cool to create an Excel add-in that would allow someone to import AD data directly into Excel. I've seen a few add-ins that query a SQL database like that, but has anyone already seen such a thing for AD? I don't want to reinvent the wheel - just not finding anything so far on Google

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] HELP I just deleted an OU

2004-05-03 Thread Ayers, Diane



Unplug a DC before it 
replicates


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Monday, May 03, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP I just deleted an OU

How can I get the OU with all objects restored immediately


RE: [ActiveDir] AD screw up

2004-04-16 Thread Ayers, Diane



Have you read the Branch Office guides?

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/branchoffice/default.asp for Windows 2000

http://www.microsoft.com/downloads/details.aspx?FamilyID=9353a4f6-a8a8-40bb-9fa7-3a95c9540112&DisplayLang=en for Windows 2003

Diane



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Gainor
Sent: Friday, April 16, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD screw up

I suppose I could. Where can I find information on setting that up?

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
  Sent: Friday, April 16, 2004 9:18 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD screw up

  You could do that, but are you sure you can't accomplish what you want to do with just one domain and a detailed OU structure?
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Gainor
  Sent: Friday, April 16, 2004 12:06 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] AD screw up

  Not knowing what I was doing I set up an AD at my company corporate office. I then converted everyone over to it along with my Exchange server.

  Now I also have a couple of branch offices and want to create children.

  The mistake I made was that I did not set up an Empty Root Domain first. I set up the corporate domain as the first server.

  This is what I would like to do. Tell me if I am wrong or if you have any other suggestions.

  Root - ADRoot
  child - corp.ADRoot
  child - branch1.ADRoot
  child - branch2.ADRoot

  I do not want the domains to be internet FQDN.

  Drew


RE: [ActiveDir] Password Never Expires...

2004-04-02 Thread Ayers, Diane



Also, just as an FYI, If you're on XP, you can use the 
Win2K3 version ADUC which allows you to build a query in the GUI itself for all 
accounts that are configured as you described. It will work against both 
Win2K and Win2K3 domains.

Diane

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
  Sent: Friday, April 02, 2004 4:48 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Password Never Expires...

  Here's a script to find those accounts and throw them into a spreadsheet:

  http://www.myitforum.com/articles/11/view.asp?id=3102
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
  Sent: Friday, April 02, 2004 7:46 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Password Never Expires...
  
  Hi,
  One of our helpdesk technicians has been creating new user accounts with 
  the 'Password Never Expires' tab selected. 
  
  does anyone know a way of how I can find out which accounts are set to 
  'Password Not Expire' and if there is an automated way to reset these?
  
  thanks...
  
  -frank
  
  
  
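
The question in this thread comes down to one bit: the 'Password never expires' checkbox is the ADS_UF_DONT_EXPIRE_PASSWD flag (0x10000) in userAccountControl. The following is an added example, not the script linked in the thread; it works offline on an LDIF export, and the sample entries, account names and function names are constructed for illustration.

```python
"""Find accounts flagged 'Password never expires' in an LDIF export.

userAccountControl is a bit field; the 'Password never expires' checkbox
is ADS_UF_DONT_EXPIRE_PASSWD (0x10000).  The LDIF text below is constructed
sample data in the layout ldifde produces, not a real directory export.
"""

# LDAP filter that makes the DC do the same bit test server-side
# (1.2.840.113556.1.4.803 is the bitwise-AND matching rule).
NEVER_EXPIRES_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=65536))"
)

DONT_EXPIRE_PASSWD = 0x10000
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
}

SAMPLE_LDIF = """\
dn: CN=Frank Example,OU=Staff,DC=example,DC=com
sAMAccountName: fexample
userAccountControl: 66048

dn: CN=Service Backup,OU=Service Accounts,OU=Corp,DC=exam
 ple,DC=com
sAMAccountName: svc_backup
userAccountControl: 66080

dn: CN=Disabled Temp,OU=Staff,DC=example,DC=com
sAMAccountName: dtemp
userAccountControl: 66050

dn: CN=Normal User,OU=Staff,DC=example,DC=com
sAMAccountName: nuser
userAccountControl: 512
"""


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records, joining folded lines."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a record
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key:   # folded continuation line
            current[last_key] += line[1:]
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_never_expires(entries):
    """List accounts with the flag set and the value that clears only that bit."""
    hits = []
    for entry in entries:
        raw = entry.get("userAccountControl", "")
        if not raw.isdigit():
            continue
        uac = int(raw)
        if uac & DONT_EXPIRE_PASSWD:
            hits.append({
                "sam": entry.get("sAMAccountName", "?"),
                "flags": decode_uac(uac),
                "new_uac": uac & ~DONT_EXPIRE_PASSWD,
            })
    return hits


if __name__ == "__main__":
    for hit in find_never_expires(parse_ldif(SAMPLE_LDIF)):
        print(hit["sam"], hit["flags"], "->", hit["new_uac"])
```

Clearing only the one bit keeps the other flags, such as a disabled state, exactly as they were.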



RE: [ActiveDir] [MailServer Notification]To Recipient file blocking settings matched and action taken.

2004-03-11 Thread Ayers, Diane
Crap.  Our bad too.  sorry guys...

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, March 11, 2004 7:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [MailServer Notification]To Recipient file blocking
settings matched and action taken.


ScanMail for Microsoft Exchange has blocked an attachment.

Sender = [EMAIL PROTECTED]
Recipient(s) = [EMAIL PROTECTED]
Subject = RE: [ActiveDir] Finding users who must change pw
Scanning time = 03/11/2004 09:59:43

Action on file blocking:
The attachment USERDUMP.zip matches the file blocking settings. ScanMail has 
Quarantined it.  The attachment was quarantined to C:\Program 
Files\Trend\Smex\Alert\USERDUMP40507edf815.zip_.

An attachment has been blocked. The email had the following subject RE: [ActiveDir] 
Finding users who must change pw. It was sent on 03/11/2004 at 09:59 AM from [EMAIL 
PROTECTED] The following action was taken USERDUMP.zip/Quarantined . 

If this was in error, please contact Gregg Porter.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Experiences with DFS.....

2004-03-11 Thread Ayers, Diane



We looked at a DFS / FRS combo and quickly rejected it based on the 
problems with FRS. For data replication, FRS is a PoS (to be brutally 
honest). MS needs to start from scratch on that one. Any efficient 
data replication scheme would utilize a block level or some other low 
level replication process and not be based on file level replication. 
A single change to, say a 10 MB file, should not trigger the replication of the 
entire 10 MB file.

We're looking at several third party replication tools but the jury is 
still out on the optimal solution.

Diane

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
  Sent: Thursday, March 11, 2004 8:25 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] Experiences with DFS.

  Yes,
  You need to become familiar with the FRS registry settings and the staging directory. Try these links to get you started:
  http://www.jsiinc.com/SUBI/tip4100/rh4104.htm
  http://www.jsiinc.com/SUBL/tip5900/rh5973.htm
  Also, definitely consider moving your staging directory to a large volume follow the instructions in KB291823.
  On Mar 11, 2004, at 11:00 AM, Chris Flesher wrote:
  
We are thinking of using DFS in order to add redundancy to our NAS 
offerings. My main question is does anyone have experience using DFS to 
replicate/keep in sync large amounts of info, i.e. 200+GB, between two or 
more servers? 
 
As always, thank you for the help. 
 
Chris Flesher 
The University of Chicago 
NSIT/DCS 
1-773-834-8477 
 
  Brent Westmoreland 
  BMW Group - Data Center Americas 
  Business: 864.989.6567 


RE: [ActiveDir] Experiences with DFS.....

2004-03-11 Thread Ayers, Diane



Yes. FRS today would trigger the 
replication of the entire file with a change to that file. There are also 
issues with open files. You could configure a less frequent replication 
schedule but...

Diane



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Thursday, March 11, 2004 9:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Experiences with DFS.

Well, 
to give a little more info, we have 1,000,000+ files on our NAS. This machine is 
accessed pretty hard by ~1,000 users, housing .pst files and eudora data store 
files. If you are saying that each time there is a change in a file, it is 
replicated, would it constantly replicate email data files each time an email 
comes to the user? That could get ugly.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
  Sent: Thursday, March 11, 2004 10:52 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Experiences with DFS.

  We looked at a DFS / FRS combo and quickly rejected it based on the 
  problems with FRS. For data replication, FRS is a PoS (to be brutally 
  honest). MS needs to start from scratch on that one. Any efficient 
  data replication scheme would utilize a block level or some other low 
  level replication process and not be based on file level 
  replication. A single change to, say a 10 MB file, should not trigger 
  the replication of the entire 10 MB file.
  
  We're looking at several third party replication tools but the jury is 
  still out on the optimal solution.
  
  Diane
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Thursday, March 11, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Experiences with DFS.

Yes,
You need to become familiar with the FRS registry settings and the staging directory. Try these links to get you started:
http://www.jsiinc.com/SUBI/tip4100/rh4104.htm
http://www.jsiinc.com/SUBL/tip5900/rh5973.htm
Also, definitely consider moving your staging directory to a large volume follow the instructions in KB291823.
On Mar 11, 2004, at 11:00 AM, Chris Flesher wrote: 

  We are thinking of using DFS in order to add redundancy to our NAS 
  offerings. My main question is does anyone have experience using DFS to 
  replicate/keep in sync large amounts of info, i.e. 200+GB, between two or 
  more servers? 
  
  As always, thank you for the help. 
  
  Chris Flesher 
  The University of Chicago 
  NSIT/DCS 
  1-773-834-8477 
  
Brent Westmoreland 
BMW Group - Data Center Americas 
Business: 864.989.6567 



RE: [ActiveDir] OU design quandary

2004-03-04 Thread Ayers, Diane
For us, our user management is centralized so the user objects were placed
in a single OU broken into sub OUs by type (users, administrators, service,
restricted).  Computer support is more decentralized so we have computer
objects in geographic based OUs with sub OUs by function (servers,
workstations, etc.)

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Thursday, March 04, 2004 9:19 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OU design quandary





All,

We are in the final stages of a global AD design for our company.  The
design will have two user domains -- one for North America and one for
Europe -- and it will have an empty root.  Each of the user domains will
have approximately 35,000 users.  Software distribution will be via Tivoli.

Two camps have emerged regarding OU structure and there's a rather large gap
between them.  I'm asking for your expert and experienced input to help
resolve this issue.

Camp one:
We're going to search instead of browse.  So put all users in a single users
OU, put all desktop machines in a single desktops OU, put all laptops in a
single laptops OU, put all IIS servers in a single OU, all SQL servers in a
single, etc, etc, etc.  Manage by groups instead of by OU in which the
object resides.

Camp two:
Regardless of whether we're going to search or browse, at some point having
office hierarchy in the OU design will be helpful enough that it's necessary
to build it now.  Users, desktops and laptops will be grouped as child OUs
to the office OUs.  Servers for applications will be grouped by function and
then by the , by the application suite or ASP that is responsible for the
application.  Allows more granular delegation and application of group
policy.


We have too little actual deployment and management experience in Active
Directory, especially this size, to make a definitive decision so I would
appreciate any and all feedback regarding the pros and cons.


Thanks,
Mike




RE: [ActiveDir] Site Configurations and SMS2003

2004-02-19 Thread Ayers, Diane






No, it wasn't Microsoft but a consultant. Normally I'd insert a smart-ass remark here about consultants but other than our disagreement about how to configure sites, it was a very well informed exchange of information. You and I are on the same page with having to hack something (e.g. DNS SRV records) that should be automatic.

I think that I'll to read Robbie's chapter on Site configurations to kick my understanding up a notch


Thanks for everyone's input.


Diane

_ 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, February 18, 2004 4:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Site Configurations and SMS2003


Right off the bat, smack the person who said to hack the dns entries Hard. If that recommendation came from MS please let me know offline as I want to pass it up the line as that isn't good advice to be giving out. Anytime someone wants to take something automatic and make it manual, it is generally not good and crutching something that is misdesigned or misunderstood. Either way, something needs fixed. 

If you build the topology correctly in sites and services then you don't have to hack anything, the proper DC will cover the proper sites automagically.

I pretty much always set up specific sites for every location whether they have a DC or not. Both to keep them logically separate but also because I figured some day MS or someone else would say why heck, we have all of this info for site location already let's use it. Logical progression.

Sounds like from the quick read that I did that you want to set up a standard hub and spoke topology with some 5 hubs. You interconnect the hubs with site links (probably a mesh), then you set up site links from each wan site back to the hub site it should be tied to and disable automatic site link bridging [1] so the KDC doesn't have nightmares. The sites will either use the local DC or the DC that is closest via the site link back to the hub. 

If they did SMS correctly, you should just be able to drop in the SMS Servers and the machines that should use them should find them logically. 


 joe



[1] Make your site links intransitive.




_ 

From:  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane

Sent: Wednesday, February 18, 2004 11:18 AM

To: [EMAIL PROTECTED]

Subject: [ActiveDir] Site Configurations and SMS2003


All:


I know that this is somewhat off topic (SMS) but I had a recent conversation with some folks in regards to AD and SMS 2003. We are looking at possibly deploying SMS 2003 and looking at some deployment scenarios. Anyway the conversation turned to the AD sites and what is the best configuration for sites in an organization.

Briefly we have a highly connected backbone with DCs spread around key nodes on this backbone to support the geographical locations spurred off of this backbone. We developed our AD sites around these nodes (5 geo locations, 5 AD sites) with all the downstream geographic locations for each DC being rolled into the site.

It was recommended that we make each geographic location that is rolled up to the main sites we have now a separate site in AD irregardless if this geographic location has DC or not. Site connectors would be built between those sites that have DCs and for those sites that don't have DCs, we'd have to go in and hack the _kerberos._tcp.site name._sites and the _ldap._tcp.site name._sites SRV records so that they would refer to the correct DC.

I'm still trying to grasp the nuances of sites in AD but this seemed to be an usual approach to sites in AD. Granted that SMS 2003 does bring some twists to the picture as a client will need to identify a distribution point from its AD site. We have over 200 individual geographic sites with approx 180 software distribution boxes that we'd make distribution points. That would translate to 180 AD sites (sites mapped to distribution points). My basic understanding of sites is that they should be built around DCs.

This is a simple summary of what was discussed but I was wondering if there were some opinions one way or another over the best way to approach sites in AD. Obviously each case is different but wanted to capture folks' thoughts.

Diane
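
A check that follows from joe's reply above, as an added example that is not part of the original thread: compare the site-specific `_ldap._tcp` and `_kerberos._tcp` SRV records found in DNS with what the site-link topology says they should be, so hand-edited or stale entries stand out. The domain, site names, DC names, link costs, zone lines and the coverage rule (lowest-cost direct site link, ties to the alphabetically first site) are constructed assumptions and a simplification of what DCs actually register.

```python
from collections import defaultdict

DOMAIN = "corp.example"  # constructed domain name

# Constructed topology: two hub sites with DCs, two DC-less spoke sites.
SITE_DCS = {
    "HubA": ["dc-a1"],
    "HubB": ["dc-b1"],
    "Spoke1": [],
    "Spoke2": [],
}

# Site links as (site, site, cost). Links are treated as intransitive
# (bridging disabled), so only a direct link makes a hub a candidate.
SITE_LINKS = [
    ("HubA", "HubB", 100),
    ("HubA", "Spoke1", 200),
    ("HubB", "Spoke2", 200),
    ("HubA", "Spoke2", 400),
]

SRV_PREFIXES = ("_ldap._tcp", "_kerberos._tcp")

# Constructed zone export: one stale site and one hand-edited record.
SAMPLE_ZONE = [
    "_ldap._tcp.HubA._sites.corp.example. SRV 0 100 389 dc-a1.corp.example.",
    "_kerberos._tcp.HubA._sites.corp.example. SRV 0 100 88 dc-a1.corp.example.",
    "_ldap._tcp.HubB._sites.corp.example. SRV 0 100 389 dc-b1.corp.example.",
    "_kerberos._tcp.HubB._sites.corp.example. SRV 0 100 88 dc-b1.corp.example.",
    "_ldap._tcp.Spoke1._sites.corp.example. SRV 0 100 389 dc-a1.corp.example.",
    "_kerberos._tcp.Spoke1._sites.corp.example. SRV 0 100 88 dc-a1.corp.example.",
    "_ldap._tcp.Spoke2._sites.corp.example. SRV 0 100 389 dc-a1.corp.example. ; hand-edited",
    "_kerberos._tcp.Spoke2._sites.corp.example. SRV 0 100 88 dc-b1.corp.example.",
    "_ldap._tcp.OldSite._sites.corp.example. SRV 0 100 389 dc-a1.corp.example. ; stale site",
]


def covering_site(site):
    """Return the site whose DCs should answer for `site` (None if no candidate)."""
    if SITE_DCS[site]:
        return site
    candidates = []
    for a, b, cost in SITE_LINKS:
        if site in (a, b):
            other = b if a == site else a
            if SITE_DCS[other]:
                candidates.append((cost, other))
    # Lowest cost wins; ties go to the alphabetically first site name.
    return min(candidates)[1] if candidates else None


def expected_records():
    """Map each site-specific SRV owner name to the set of expected targets."""
    expected = {}
    for site in SITE_DCS:
        cover = covering_site(site)
        targets = {f"{dc}.{DOMAIN}".lower() for dc in SITE_DCS.get(cover, [])}
        for prefix in SRV_PREFIXES:
            expected[f"{prefix}.{site}._sites.{DOMAIN}".lower()] = targets
    return expected


def parse_zone(lines):
    """Parse 'owner SRV priority weight port target' lines into owner -> targets."""
    records = defaultdict(set)
    for raw in lines:
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if len(fields) != 6 or fields[1].upper() != "SRV":
            continue
        owner = fields[0].rstrip(".").lower()
        records[owner].add(fields[5].rstrip(".").lower())
    return records


def audit(zone_lines):
    """Return (finding, owner, target) tuples where DNS and topology disagree."""
    actual = parse_zone(zone_lines)
    expected = expected_records()
    findings = []
    for owner in sorted(set(actual) | set(expected)):
        if "._sites." not in owner:
            continue  # only site-specific locator records are checked
        want = expected.get(owner, set())
        have = actual.get(owner, set())
        findings += [("unexpected", owner, t) for t in sorted(have - want)]
        findings += [("missing", owner, t) for t in sorted(want - have)]
    return findings


if __name__ == "__main__":
    for finding, owner, target in audit(SAMPLE_ZONE):
        print(f"{finding:10} {owner} -> {target}")
```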






[ActiveDir] Site Configurations and SMS2003

2004-02-18 Thread Ayers, Diane
 All:
 
 I know that this is somewhat off topic (SMS) but I had a recent
 conversation with some folks in regards to AD and SMS 2003. We are looking
 at possibly deploying SMS 2003 and looking at some deployment scenarios.
 Anyway the conversation turned to the AD sites and what is the best
 configuration for sites in an organization.
 
 Briefly we have a highly connected backbone with DCs spread around key
 nodes on this backbone to support the geographical locations spurred off
 of this backbone.  We developed our AD sites around these nodes (5 geo
 locations, 5 AD sites) with all the downstream geographic locations for
 each DC being rolled into the site.
 
 It was recommended that we make each geographic location that is rolled up
 to the main sites we have now a separate site in AD irregardless if this
 geographic location has DC or not.   Site connectors would be built
 between those sites that have DCs and for those sites that don't have DCs,
 we'd have to go in and hack the  _kerberos._tcp.site name._sites and the
 _ldap._tcp.site name._sites SRV  records so that they would refer to the
 correct DC.   
 
 I'm still trying to grasp the nuances of sites in AD but this seemed to be
 an usual approach to sites in AD.  Granted that SMS 2003 does bring some
 twists to the picture as a client will need to identify a distribution
 point from its AD site.  We have over 200 individual geographic sites
 with approx 180 software distribution boxes that we'd make distribution
 points.  That would translate to 180 AD sites (sites mapped to
 distribution points).  My basic understanding of sites is that they should
 be built around DCs.
 
 This is a simple summary of what was discussed but I was wondering if there
 were some opinions one way or another over the best way to approach sites in
 AD.  Obviously each case is different but wanted to capture folks' thoughts.

 Diane
 
 

RE: [ActiveDir] Site Configurations and SMS2003

2004-02-18 Thread Ayers, Diane



That was my argument in the "discussion". I looked at sites as replication boundaries and localization of authentication and directory services. The counterpoint was "why maintain sites in two locations?". One in AD and one SMS. The angle was to simplify site management. However I was not comfortable with the proposed changes to AD sites to accommodate the needed SMS sites. However I was not 100% certain that the proposed AD site design to accommodate SMS was going to be a "bad thing".

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, February 18, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Site Configurations and SMS2003

I've heard the same thing - with AD it doesn't make any sense to have a site that doesn't have a DC in it - sites are used for replication and if there's nothing to replicate to in a site then why would you create an AD site? But with SMS, you can define SMS Site Boundaries and Roaming Boundaries with either subnets or AD Sites... guess which is easier to do for the SMS admin? So if the AD admins create a site for every area you'll have a DP in, then it makes it easy to set up boundaries. That is, it's easy if you trust that they are putting the right subnets in the right AD sites, and you get the right AD sites in the right SMS assignment boxes and spell them correctly. Barring all that, you could just add the subnets in the appropriate places in SMS and ignore the AD sites.

Rich
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John McGlinchey
Sent: Wednesday, February 18, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Site Configurations and SMS2003

Sites are a collection of "Well Connected" subnets. That said, one person's definition of "well connected" can be completely different from another's. It really depends upon the bandwidth and network utilization between locations on your network. On some site designs I've set every location to be a site no matter what the bandwidth while on others I have grouped locations together into a single site where bandwidth was "good enough" and the load put onto the network was deemed to be minimal. So, the answer is, it depends! I would think that adding SMS would make you rethink how you have grouped your sites to optimize the use of the SMS distribution points. Too many users hitting the distribution points will put a significant load on the location to location links and that would move you towards defining a location to be in a separate site.

Just my $.02. Coming out of lurking mode. Great list. Thanks for being here.

John McGlinchey, MCSA, MCSE, CCNA
Bristol-Myers Squibb Company

  _ 
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane
  Sent: Wednesday, February 18, 2004 11:18 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Site Configurations and SMS2003

  All:

  I know that this is somewhat off topic (SMS) but I had a recent conversation with some folks in regards to AD and SMS 2003. We are looking at possibly deploying SMS 2003 and looking at some deployment scenarios. Anyway the conversation turned to the AD sites and what is the best configuration for sites in an organization.

  Briefly we have a highly connected backbone with DCs spread around key nodes on this backbone to support the geographical locations spurred off of this backbone. We developed our AD sites around these nodes (5 geo locations, 5 AD sites) with all the "downstream" geographic locations for each DC being rolled into the site.

  It was recommended that we make each geographic location that is rolled up to the main sites we have now a separate site in AD irregardless if this geographic location has DC or not. Site connectors would be built between those sites that have DCs and for those sites that don't have DCs, we'd have to go in and hack the _kerberos._tcp.site name._sites and the _ldap._tcp.site name._sites SRV records so that they would refer to the correct DC.

  I'm still trying to grasp the nuances of sites in AD but this seemed to be an usual approach to sites in AD. Granted that SMS 2003 does bring some twists to the picture as a client will need to identify a distribution point from its AD site. We have over 200 individual geographic sites with approx 180 software distribution boxes that we'd make distribution points. That would translate to 180 AD sites (sites mapped to distribution points). My basic understanding of sites is that they should be built around DCs.

  This is a simple summary of what was discussed but I was wondering if there were some opinions one way or another over the best way t

RE: [ActiveDir] MS04-007 checking

2004-02-14 Thread Ayers, Diane



You have any pointers to info on the "proof of concept"? I'm not interested in code but would like to look at the info and we may want to pull the trigger at our organization. We're working the rollout for 007 but may want to deploy quicker than we currently have mapped out.

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Saturday, February 14, 2004 6:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-007 checking


In case anyone here is having difficulties justifying (to management) the "urgent" need to patch systems against this new vulnerability, here's one for your ammunition:

There is now a "Proof of Concept" exploit code that exploits this vulnerability. The clock is now ticking in the race for another Blaster. I am not sure if it's OK to post URL to exploits here, so I will err on the side of prudence and say if you need to know where, email me.


Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rimmerman, Russ
Sent: Fri 2/13/2004 9:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-007 checking

Might check with RetinA (http://www.eeye.com/). We're using Patchlink to not only detect, but patch and deploy software as well.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, February 13, 2004 11:06 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] MS04-007 checking

  Does anyone know of a tool to make sure that all the users have this patch applied? I know Microsoft had something for the Blaster and was wondering if anyone has anything that would check to make sure this patch has been applied? Thanks again

  Ryan McDonald

  
  
~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~



RE: [ActiveDir] Where did Additional Acct Info tab go to?

2004-02-09 Thread Ayers, Diane



dope slap to self on forehead

No wonder I could never make that DLL work. I pretty much use the find function exclusively. I too ass-umed it was me...

Diane


From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Monday, February 09, 2004 7:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Where did "Additional Acct Info" tab go to?


Let me guess... you are doing a "find" in ADUC, and you are then looking at the object's properties from the result of the "find". Correct? Try drilling down to where the account is located and then looking at the properties directly, you will very likely see the "additional account info" tab there. I submitted this to MS a long time ago, but I didn't hear back, so I concluded it "must be me" :).


Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Thommes, Michael M.
Sent: Mon 2/9/2004 6:30 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] Where did "Additional Acct Info" tab go to?

Hi,

This morning I noticed that the "Additional Acct Info" (sp?) tab in ADUC on my Windows 2000 DCs (with extra "acctinfo.dll" installed) and on my Windows 2003 DC (additional info by default) is no longer there. While I don't use this feature on a daily basis, I am sure I have used it in the last few weeks. I even tried logging on with the principal domain admin account after my normal admin failed to show this feature; that also didn't work. Has anyone experienced this? Thanks for any help!

Mike Thommes


RE: [ActiveDir] Other Listsrvs

2004-02-09 Thread Ayers, Diane
Ditto

I dropped all the sunbelt lists due to the high signal-to-noise ratio

Diane

-Original Message-
From: Martin Tuip [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 09, 2004 1:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Other Listsrvs


Personally I'm not too fond of the Sunbelt one due to the lower
technical level of the list compared to others.


Martin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wilson, Julie
Sent: Monday, February 09, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Other Listsrvs

Try this one:

[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kleciak, Clint
D B270
Sent: Monday, February 09, 2004 3:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Other Listsrvs


Anyone have any for Exchange?
 
 

-Original Message-
From: Steve Shaff [mailto:[EMAIL PROTECTED]
Sent: Monday, February 09, 2004 1:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Other Listsrvs



This is a general question for the group.  I am in charge more than just
the active directory, schema, trusts, etc.  I have found that this has
been a valuable source of information and I would like to know if anyone
knows of other listsrvs that deal with SMS and/or exchange, that are as
good as this one?

 

Thanks,
S 



CONFIDENTIALITY NOTICE: If you have received this e-mail in error,
please immediately notify the sender by e-mail at the address shown.
This e-mail transmission may contain confidential information.  This
information is intended only for the use of the individual(s) or entity
to whom it is intended even if addressed incorrectly.  Please delete it
from your files if you are not the intended recipient.  Thank you for
your compliance. Copyright (c) 2004 CIGNA


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Other Listsrvs

2004-02-09 Thread Ayers, Diane
Sorry if it came across arrogantly.  Wasn't meant to be so.  Several
good lists have already been mentioned

Diane


-Original Message-
From: Wilson, Julie [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 09, 2004 2:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Other Listsrvs

I hope you didn't mean that as arrogantly as it sounds. :)  But I do
agree it's a little too much for me sometimes too.

So tell me what lists do you consider the best ones for Exchange?

Thanks,

Julie

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Monday, February 09, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Other Listsrvs


Ditto

I dropped all the sunbelt lists due to the high signal-to-noise ratio

Diane

-Original Message-
From: Martin Tuip [mailto:[EMAIL PROTECTED]
Sent: Monday, February 09, 2004 1:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Other Listsrvs


Personally I'm not too fond of the Sunbelt one due to the lower
technical level of the list compared to others.


Martin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wilson, Julie
Sent: Monday, February 09, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Other Listsrvs

Try this one:

[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kleciak, Clint
D B270
Sent: Monday, February 09, 2004 3:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Other Listsrvs


Anyone have any for Exchange?
 
 

-Original Message-
From: Steve Shaff [mailto:[EMAIL PROTECTED]
Sent: Monday, February 09, 2004 1:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Other Listsrvs



This is a general question for the group.  I am in charge more than just
the active directory, schema, trusts, etc.  I have found that this has
been a valuable source of information and I would like to know if anyone
knows of other listsrvs that deal with SMS and/or exchange, that are as
good as this one?

 

Thanks,
S 





RE: [ActiveDir] I: Quest to aquire Aelita

2004-01-29 Thread Ayers, Diane



But they wouldn't be able to shift to 
a new paradigm...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, January 29, 2004 6:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] I: Quest to aquire Aelita


Wouldn't it be refreshing just once to read about a merger/acquisition that didn't contain the word synergies? ;-)


mc

-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 28, 2004 10:57 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] I: Quest to aquire Aelita


This will be interesting for many folks on this list:

http://biz.yahoo.com/bw/040128/285921_1.html



/Guido


RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread Ayers, Diane



Following this thread, a related 
question (taking it even more OT) comes up. Often in email discovery 
cases, we use ExMerge to suck the dumpster off a server to look at what's 
there. Would DumpsterAlwaysOn on the host that ExMerge is run from have an 
effect on what data is recovered from the Dumpster?

Diane


From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I get different results. Feeling inaccurate, I went and enabled dumpsteralwayson on my computer. Shift+Delete the message. Check the folder it was deleted from and voila (that's my extent of French) it was in the deleted items recovery. Not too happy about that, I removed the setting, and this time went to an IMAP client. DumpsterAlwaysOn was not set at this point. I deleted and purged a message. Closed the IMAP client, and opened Outlook (XP) after resetting the key to 1. Check that folder with deleted items recovery and the message was there to be recovered. Try Shift+Delete on another message, and then was able to recover it.

Bottom line, Roger and Olly are right. The message doesn't go away regardless of client or hard delete. It's marked for deletion and is later purged. You have to go into the deleted item recovery and purge the message to make it gone from all but a backup of the mailstore.

One note: I didn't need the registry setting to enable the use of recovery on the deleted items folder. That was there by default. I need the registry setting to see the form for other folders however.


Thanks for clearing that up :)

  
  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 11:09 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

  That is exactly how it operates in the field. UNLESS you have manually enabled DumpsterAlwaysOn on a client, when a client SHIFT-DELETES a piece of mail, that mail is GONE and NOT recoverable without going through an interesting hoop. That hoop involves looking for the most recent backup of the user's Mailbox Server's Information Store. This is what my initial response to Oliver said. Now, I'm done.


  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


  From: Oliver Marshall
  Sent: Thu 1/15/2004 7:16 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

  Thanks for the interesting comments on this thread. I have had official word from several MS support peeps that would seem to resolve the issue. It would seem that SHIFT+DELETE marks a message as deleted immediately without it being moved to the deleted items first. As the message is only MARKED as deleted but not actually deleted it is simply not visible to the user but does still remain in the datastore. If items are sent to the deleted items they are simply moved to the deleted items. Emptying the deleted items marks all the items in that folder as deleted.

So SHIFT+DELETE doesn't permanently delete emails, just permanently hides them from the user. The DUMPSTERON reg trick simply makes the dumpster menu item visible on all folders rather than just the deleted items folder.

Hope that helps.

Olly 

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] 
Sent: 15 January 2004 07:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I usually refrain from adding to a thread more than once, except to occasionally concur. I have always thought that, all things being equal, Shift-Delete is indeed a permanent delete, given the following circumstances:
 
 Assuming you DON'T have deleted item retention enabled - which is the default configuration
 You have not enabled DumpsterAlwaysOn - which is the default configuration
 You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore
 
I've been known to be wrong before, but I don't think this is one of those moments :-p
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: Roger Seielstad
Sent: Wed 1/14/2004 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster


But Shift-Delete is not a permanent delete. Assuming you have deleted item retention enabled, shift-delete simply marks the message for deletion, but it is still available within that folder's dumpster until the DIR time expires, and is accessible using the DumpsterAlwaysOn registry setting for Outlook.
 
Scared the crap out of my desktop guy who thought he could hide email...
 
Roger

RE: [ActiveDir] Search for phone numbers????

2003-12-11 Thread Ayers, Diane
We simply modified the form for address book searches to include phone
number.  Individuals can now search on phone numbers for those mail
enabled objects in AD.  For us that meets the requirements 99% of the
time.

Diane 

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 11, 2003 10:17 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Search for phone numbers

Is there a way to add a field in the Search for people to allow
searching for a phone number, or other attributes that are specified in
the Active Directory? If not, how can a user search for other attributes
that are defined in the AD?



RE: [ActiveDir] Inter-site Urgent replication

2003-11-18 Thread Ayers, Diane



All:

Thanks for the tips and hints. It seems that urgent replication is working better this AM. I tracked a locked account from the source DC to the replication partners and it seems to be bypassing the replication schedule. Too cool...

I'm still seeing some delay between the DCs that are "second hop" from the source via the replication topology but it seems to be a result of the new replication topology as opposed to anything else. As Joe mentioned, the bridgehead server issue between sites comes into play.

I was curious if anyone has tweaked the holdback timing and pause rates. I'm inclined to tweak those settings to see better replication times as it seems that it has been tweaked already in 2003. We're planning to go to 2003 after the holidays but want to see if anyone has taken the plunge in Win2K.

Diane


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2003 1:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Inter-site Urgent replication

this is not only useful in the scenario described in this thread - if you generally want to speed up intra-site replication between DCs, you'd also want to work on these settings (not in 2k3, where it's as quick as it can get anyways and where the registry key is removed by default):

Registry Key to change Windows 2000 Replication behavior
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- Replicator notify pause between DSAs (secs) = pause between notifications
- Replicator notify pause after modify (secs) = pause to send first notification after a change

Default values: pause after modify / pause between DSAs

Windows 2000: registry values
  5 minutes / 30 seconds

Windows 2003: new default values if registry keys are not set
  15 seconds / 3 seconds

  
_ 
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 18 November 2003 05:34
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Inter-site Urgent replication

So, you're thinking with ATM between DCs I can crank up the holdback timing and pause rates? Neat.

;op

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Monday, November 17, 2003 10:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Inter-site Urgent replication

Cool in that case I would do the same... Also if it is W2K and your bandwidth can truly handle it I would turn down the timing for holdback and pause between dsa's.

 joe

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Diane Ayers
Sent: Monday, November 17, 2003 9:09 PM
To: [EMAIL PROTECTED]

The biggest concern is not really the replication traffic and wanting to throttle the traffic but trying to localize the authentication. I've turned on change notifications and we'll see how this works. Thanks for the refresher on urgent replication and good point on the bridge head traffic.

Diane

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Monday, November 17, 2003 5:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Inter-site Urgent replication

Urgent replication really isn't... It is urgent queuing of a replication request in actuality or at least from what I have observed. Basically you quickly stick a replication request into the queue of all change notification partners. They process it in the order and priority received... i.e. it would happen before a previously queued GC partition replication but after a previously queued domain partition replication.

You would need to enable change notification between sites to start to see the urgent queuing and doing that will blow out your replication schedules and most all benefits of compression.

HOWEVER, if you were happy with a single site setup, this all would be fine for you... Note however all traffic will STILL go through the bridgeheads. You won't set up a large ring like you had within a single site.

 joe

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane
Sent: Monday, November 17, 2003 6:04 PM
To: [EMAIL PROTECTED]

Greetings

In an effort to localize our authentication traffic, we recently implemented a multi-site configuration moving away from our single mega-site (single domain). All DCs are on high bandwidth links but we are trying to reduce authentication across the WAN. All inter-site transports are configured for a maximum replication frequency (15 minutes).

An assumption on my part (an

RE: [ActiveDir] Inter-site Urgent replication

2003-11-17 Thread Ayers, Diane



We are at SP3. I've gone through most of those articles already. re-reading 232690 it does refer to my issue:

"Windows 2000 enables change notifications to propagate across inter-site connections. This is administratively configured on each site-link. Enabling change notifications across site-links propagates all change notifications. This enables urgent changes and all other replication events to propagate to a remote site with the same frequency as within the source site."

I can't find anymore info on "Enabling change notifications" other than "ignore replication schedule" on the IP transport. Doh!

Diane



From: Fuller, Stuart [mailto:[EMAIL PROTECTED]
Sent: Monday, November 17, 2003 4:12 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Inter-site Urgent replication

Diane,

What service pack level are you at? A lot of fixes for password lockout and urgent replication were put into SP3 and more in SP4.

The following MS articles may be relevant to your question:

Urgent Replication Triggers in Windows 2000 - http://support.microsoft.com/?kbid=232690
Account Unlocks and Manual Password Expirations Are Not Replicated Urgently - http://support.microsoft.com/?kbid=306133
Service Packs and Hotfixes that are available to resolve account lockout issues - http://support.microsoft.com/?kbid=817701

If you are having a lot of account lockout issues, this web cast is "must see TV" - http://support.microsoft.com/?kbid=813500

Cheers,
Stuart


From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 17, 2003 4:42 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Inter-site Urgent replication

Hi Diane, 
My understanding (haven't tried it 
myself) is that urgent intersite replication observes the intersite replication 
schedule. You can work around this by enabling intersite notifications, but then 
that effectively circumvents any replication schedule.
That's my understanding anyway. 

-gil 

  -----Original Message-----
  From: Ayers, Diane [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane
  Sent: Monday, November 17, 2003 4:04 PM
  To: [EMAIL PROTECTED]
  Subject: Inter-site Urgent replication
  Greetings 
  In an effort to localize our 
  authentication traffic, we recently implemented a multi-site configuration 
  moving away from our single mega-site (single domain). All DCs are on 
  high bandwidth links but we are trying to reduce authentication across the 
  WAN. All inter-site transports are configured for a maximum replication 
  frequency (15 minutes). 
  An assumption on my part (and probably 
  erroneous) is that urgent replication triggers such as account lockouts will 
  still bypass inter-site replication schedules and be replicated to all DCs in 
  the domain. We're getting a smattering of reports that the events such 
  as account lockouts are not getting replicated quickly. Putting 2 and 2 
  together, it looks like urgent replication is not carried between sites. 
  Is my assumption correct and can I enable urgent replication between 
  sites?
  Diane 


RE: [ActiveDir] Inter-site Urgent replication

2003-11-17 Thread Ayers, Diane



Never mind. Google to the 
rescue... Thanks for your help.

Diane


Change Notification Between Sites
By default, changes are replicated between sites according to a schedule and 
not according to when changes occur. For this reason, the greatest replication 
latency across the forest is the sum of the greatest replication latencies 
along the single longest replication path of any directory partition.
For special circumstances, you can configure change notifications on 
connections between sites. By modifying the site link object, you can enable 
change notification between sites for all connections that occur over that link. 
Use ADSI Edit to enable change notification between sites.
To enable change notification between sites:

  1. In ADSI Edit, expand the Configuration container.
  2. Navigate to the Inter-Site Transports container, and select CN=IP. (You cannot enable change notification for SMTP links.)
  3. Right-click the site link object for the sites for which you want to enable change notification, and then click Properties.
  4. In the Select a property to view box, select options.
  5. In the Edit Attribute box, if the Value(s) box shows not set, type 1 in the Edit Attribute box. If the Value(s) box contains a value, you must derive the new value by using a Boolean BITWISE-OR calculation on the old value, as follows: old_value BITWISE-OR 1. For example, if the value in the Value(s) box is 2, calculate 0010 OR 0001 to equal 0011. Type the integer value of the result in the Edit Attribute box; for this example, the value is 3.
  6. Click OK.

Enabling change notifications across site links propagates all change 
notifications. With change notification between sites set, changes propagate to 
the remote site with the same frequency that they are propagated within the 
source site, including changes that warrant urgent replication.




From: Ayers, Diane
Sent: Monday, November 17, 2003 5:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Inter-site Urgent replication

We are at SP3. I've gone through most of those articles already. Re-reading 232690, it does refer to my issue:

"Windows 2000 enables change notifications to propagate across inter-site connections. This is administratively configured on each site-link. Enabling change notifications across site-links propagates all change notifications. This enables urgent changes and all other replication events to propagate to a remote site with the same frequency as within the source site."

I can't find any more info on "Enabling change notifications" other than "ignore replication schedule" on the IP transport. Doh!

Diane



From: Fuller, Stuart [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 17, 2003 4:12 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Inter-site Urgent replication

Diane,

What service pack level are you at? A lot of fixes for password lockout and urgent replication were put into SP3 and more in SP4.

The following MS articles may be relevant to your question:

Urgent Replication Triggers in Windows 2000 - http://support.microsoft.com/?kbid=232690
Account Unlocks and Manual Password Expirations Are Not Replicated Urgently - http://support.microsoft.com/?kbid=306133
Service Packs and Hotfixes that are available to resolve account lockout issues - http://support.microsoft.com/?kbid=817701

If you are having a lot of account lockout issues, this web cast is "must see TV" - http://support.microsoft.com/?kbid=813500

Cheers,
Stuart


From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 17, 2003 4:42 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Inter-site Urgent replication

Hi Diane, 
My understanding (haven't tried it 
myself) is that urgent intersite replication observes the intersite replication 
schedule. You can work around this by enabling intersite notifications, but then 
that effectively circumvents any replication schedule.
That's my understanding anyway. 

-gil 

  -----Original Message-----
  From: Ayers, Diane [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane
  Sent: Monday, November 17, 2003 4:04 PM
  To: [EMAIL PROTECTED]
  Subject: Inter-site Urgent replication
  Greetings 
  In an effort to localize our 
  authentication traffic, we recently implemented a multi-site configuration 
  moving away from our single mega-site (single domain). All DCs are on 
  high bandwidth links but we are trying to reduce authentication across the 
  WAN. All inter-site transports are configured for a maximum replication 
  frequency (15 minutes). 
  An assumption on my part (and probably 
  erroneous) is that urgent replication triggers such as account lockouts will 
  still bypass inter-site replication schedules and be replicated to all DCs in 
  the domain. We're getting a smattering of reports that the events such 
  as account lockouts are not getting replicated quickly. Putting 2
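
The options calculation from the ADSI Edit steps quoted in the message above, as an added example that is not part of the thread or of Microsoft's documentation: it reads an LDIF export of siteLink objects, ORs in bit 1 while keeping any other bits, leaves SMTP links alone, and produces LDIF modify records for review. The flag names, the link names and the example.com domain are assumptions; the sample export is constructed.

```python
import re

# Bit flags of the siteLink "options" attribute. The names follow Microsoft's
# NTDSSITELINK_OPT_* constants (an assumption here); the thread only gives 1.
USE_NOTIFY = 0x1            # change notification between sites
TWOWAY_SYNC = 0x2
DISABLE_COMPRESSION = 0x4
FLAG_NAMES = {USE_NOTIFY: "USE_NOTIFY", TWOWAY_SYNC: "TWOWAY_SYNC",
              DISABLE_COMPRESSION: "DISABLE_COMPRESSION"}

TRANSPORTS = "CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=example,DC=com"

# Constructed sample export of siteLink objects (made-up link names and domain).
SAMPLE_LDIF = f"""\
dn: CN=HQ-Branch1,CN=IP,{TRANSPORTS}
objectClass: siteLink

dn: CN=HQ-Branch2,CN=IP,CN=Inter-Site Transports,CN=Sites,
 CN=Configuration,DC=example,DC=com
objectClass: siteLink
options: 2

dn: CN=HQ-DR,CN=IP,{TRANSPORTS}
objectClass: siteLink
options: 5

dn: CN=HQ-Mail,CN=SMTP,{TRANSPORTS}
objectClass: siteLink
options: 0
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per record (no base64 decoding)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines and lines[-1]:
            lines[-1] += line[1:]          # unfold an LDIF continuation line
        else:
            lines.append(line)
    records, current = [], {}
    for line in lines + [""]:
        if not line.strip():               # a blank line ends a record
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def transport_of(dn):
    """Name of the transport container (IP or SMTP) that holds the site link."""
    rdns = re.split(r"(?<!\\),", dn)       # split on commas that are not escaped
    return rdns[1].split("=", 1)[1].strip().upper() if len(rdns) > 1 else ""


def describe(value):
    """Readable list of the flags set in an options value."""
    if value is None:
        return "<not set>"
    names = [name for bit, name in FLAG_NAMES.items() if value & bit]
    return "|".join(names) or "0"


def plan_changes(records):
    """Decide, per site link, the options value that enables change notification."""
    plan = []
    for rec in records:
        if "sitelink" not in (v.lower() for v in rec.get("objectclass", [])):
            continue
        dn = rec["dn"][0]
        raw = rec.get("options", [None])[0]
        old = int(raw) if raw is not None else None    # None means "not set"
        if transport_of(dn) != "IP":
            action, new = "skip (not an IP link)", old
        elif old is not None and old & USE_NOTIFY:
            action, new = "already enabled", old
        else:
            action, new = "set", (old or 0) | USE_NOTIFY   # keep the other bits
        plan.append({"dn": dn, "old": old, "new": new, "action": action})
    return plan


def to_ldif(plan):
    """LDIF modify records for the links that need a new options value."""
    out = []
    for item in plan:
        if item["action"] == "set":
            out += [f"dn: {item['dn']}", "changetype: modify",
                    "replace: options", f"options: {item['new']}", "-", ""]
    return "\n".join(out)


if __name__ == "__main__":
    plan = plan_changes(parse_ldif(SAMPLE_LDIF))
    for item in plan:
        print(f"{item['action']:22} {describe(item['old'])} -> "
              f"{describe(item['new'])}  {item['dn']}")
    print()
    print(to_ldif(plan))
```

Because enabling the bit makes every change on that link replicate on notification, the plan output is worth reviewing link by link before any of the generated records are imported.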

RE: [ActiveDir] NTDIS Size

2003-10-14 Thread Ayers, Diane



Breaking the DB, logs and SysVol into separate logical partitions on the same physical spindles doesn't buy you much. You're still sharing the same spindles, head and I/O amongst the three logical partitions. I'd just create a D: volume and be done with it but that's just my opinion.

Diane


From: George Arezina [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 14, 2003 2:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTDIS Size


Unfortunately,

Management wants us to abide by their budget for the year. Therefore, we have to be within budget goals when it comes to spending money on hardware.

How about this hdd configuration:

First Mirror: System Partition (18GB)

Second Mirror: 72GB broken into D, E, F volumes.

  Database location: D:\NTDS
  Log location: E:\NTDS
  SYSVOL Location: F:\SYSVOL







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nadalin, Oliver (REA - AUS)
Sent: Tuesday, October 14, 2003 11:15 AM
To: '[EMAIL PROTECTED]'

You could probably have the AD DB log files on a separate mirror - if your budget allows it.

  -----Original Message-----
  From: George Arezina [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, 14 October 2003 7:00 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] NTDIS Size

  Hi people,

  Can someone please confirm that I have given enough GB for 1500 users in my AD database? I plan to install two mirrored drives on my server. One Mirror will be the system partition (18GB) and the second mirror will be 72GB where my ntds.dit database will be located.

  Thanks

  George Arezina
  BA, A+, Net+, MCSE 2000
  Information Technology Consultant
  National Bank of Serbia
  Pop Lukina 7-9, 11000 Belgrade.
  E-mail: [EMAIL PROTECTED]
  Phone: +381 (11) 3202-474
  GSM: +381 (63) 342-321
  
  

RE: [ActiveDir] Editing directory permissions

2003-09-17 Thread Ayers, Diane



If you want a GUI, I recommend "Security Explorer" from Small 
Wonders. I've found it to be very useful at times

Diane

http://www.smallwonders.com/SecurityExplorer.htm

  -----Original Message-----
  From: Abbiss, Mark [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, September 17, 2003 2:55 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Editing directory permissions

  Please can anyone recommend a good utility (not xcacls) that will help me add additional security permissions to a directory structure on one of our W2K servers. I want the existing ACL info to remain but want to append another set.

  Many thanks,
  
  Mark


RE: [ActiveDir] Windows 2003 DC issue

2003-09-10 Thread Ayers, Diane



We use a type of ACL for our Bind stuff. Only our DCs have the "rights" to do dynamic updates to our AD zone on the bind server. Other hosts are updated in DNS via the DHCP server (Cisco) or other processes. The access rights are based on the source IP address. Not 100% secure but it has worked well for us so far (knock on wood). DCs are still at Win2K.

Diane

  -----Original Message-----
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, September 10, 2003 3:35 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Windows 2003 DC issue

  Does BIND provide for ACLs on RRs? I didn't know that...

  -g
  Gil Kirkpatrick
  CTO, NetPro
  

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 10, 2003 12:40 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 2003 DC issue

While you're checking that, you might also want to check that your 
new server is not prevented from creating new records by ACLs on the BIND 
server. Should show in the logs, but it would be good to 
check.


Al

  
  -----Original Message-----
  From: Chris Flesher [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, September 10, 2003 12:18 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Windows 2003 DC issue

  Same Bind server. 
  Unfortunately, I don't run the Bind server. I'll talk with the 
  powers that be and get a response if anything looked 
  weird.
  Did not run NETMON, but will to see more.
  
  Thanks for the leads. I'll let you know how it 
  goes.
  

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, September 10, 2003 11:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 2003 DC issue

The only change in 2003 re SRV publication that I can recall is 
that the default update interval is 15 minutes in W2K3 vs. 60 minutes in 
W2K. 

Some questions:

Is it the same BIND server that worked with W2K? 

Did you check the BIND logs? 
And if there was nothing there, did you run NETMON or some other 
network trace program?

-gil

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 10, 2003 7:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2003 DC issue

  We started playing with 2003 in our test environment. We came across a problem with how dynamic updates are done on 2003. Dynamic updates are done on a Sun Bind server. For some reason, the SRV records would not update on the Bind server. However, we can do dynamic update on 2000 DC to the Bind DNS. I'm just wondering if there is something new in 2003 with regards to how SRV records are created? Or maybe I'm just missing something completely. Any ideas would be appreciated. We ended up using 2003 DNS for the DC's. That worked, but isn't a representation of how production will be.
  
  Chris Flesher
  The University of 
  Chicago
  NSIT/DCS
  1-773-834-8477
  


RE: [ActiveDir] Adding machines to OU directly

2003-07-16 Thread Ayers, Diane



I couldn't help but laugh reading this. How true. In our internal documentation, we describe this setting and that they need to change when setting up computer accounts. We even have a huge screenshot with red circles and big arrows highlighting the point. I still get calls on "not being able to join the domain" Sigh...

  -----Original Message-----
  From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, July 16, 2003 11:09 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Adding machines to OU directly

  When your junior lads create the computer account in the 
  correct OU, are they changing the field "The following user or group can join 
  this computer to a domain"? This defaults to Domain Admins, and IIRC they'll 
  need to change it to their own account or a security group that they're a 
  member of.
  
  Hunter
  
  
  From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, July 16, 2003 10:27 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Adding machines to OU directly
  
  
  So correct me if I am 
  wrong but what you are saying is that even though I have given them the right 
  over the OU to add computer objects I would still have to go to the Domain 
  Policy and specify the groups that can add workstations to the 
  domain?
  
  
  
  
  
  
  From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
  Sent: 16 July, 2003 18:20 PM
  To: [EMAIL PROTECTED]

  Hmmm, what error? When the computer joins the domain?... I wonder if it is a permissions issue on the "join domain" part. The user actually joining from the computer needs to have that right; this can be done through GP. The right is given by default with the msDsMachineAccountQuota. Every user, by default, can add 10 computers to the domain; if this has been turned off or the 10 limit has been reached you need to give the rights out for individuals to 'Join Computers to Domain'...
  
  Kevin
  
  
  
  
  
  From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, July 16, 2003 12:01 PM
  To: '[EMAIL PROTECTED]'
  
  Well seeing this 
  discussion has started I would like to throw a curve ball.
  
  In my environment I 
  have chosen the route to train the junior lads into pre-creating the computer 
  account into the relative OU.
  
  I have delegated the 
  following permission over "Computer Objects" to "Add and Remove computer 
  objects" 
  
  The problem I am 
  experiencing is that if the computer account already exists in the OU the 
  error received is "access Denied"
  
  Thanks in 
  advance
  Yusuf
  
  
  
  
  
  From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
  Sent: 16 July, 2003 17:14 PM
  To: [EMAIL PROTECTED]

  You don't need to give them account operator rights. You give them 'specific' delegated rights. There could be some complex solutions that involve automating the process of looking through the computers container and moving computer account to the appropriate container (that is if you know the appropriate container via a name designation or something). This can be automated and scheduled but if you are too understaffed I doubt you will be able to find the time to develop this kind of solution. To have full functionality to address some of the complexities of AD management easily you will probably want to evaluate third-party administrative tools. (<plug>Oh, yeah, my company has one.</plug>)
  
  Kevin 
  Sullivan
  Aelita 
  Software
  www.aelita.com
  
  
  
  
  
  From: Chris Flesher [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, July 16, 2003 11:07 AM
  To: [EMAIL PROTECTED]
  
  
  I saw that out on 
  Technet. That's great as long as there is a person/group to handle that. We 
  are understaffed and are looking for the OU admins to take care of this 
  without giving them Account Operator rights. 
  
  
  
  
  Chris Flesher
  The University of 
  Chicago
  NSIT/DCS
  1-773-834-8477
  
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rakes, Brandon A. NMIMC Contractor
Sent: Wednesday, July 16, 2003 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly

The way we have 
done it is to delegate administrative rights to the OU and then create the 
computer account in that OU first and then add the computer. If there is 
another way to automatically make it go in the desired OU I would love to 
hear how.

Brandon

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 16, 2003 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Adding machines to OU directly


Is there a way to delegate to a 
user the right to not only add machines to a domain, but place the user into 
the OU of their choice? I'm looking for an easy way to allow OU 
administrators to add machines and then 

RE: [ActiveDir] AD, Logon times Custom messages

2003-07-08 Thread Ayers, Diane



I still prefer the upgraded version, bIg stIck®

Diane

  -----Original Message-----
  From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 7:37 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] AD, Logon times  Custom messages

  I ordered 10 StIcK's (tm) and they work great. I name my StIck's for the special purposes they serve. The best thing is one size fits all!
  
  Toddler
  

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 8:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times  Custom messages

The StIcK(tm) is a wonderful tool for addressing those issues which aren't quite technological in nature. It's generally applied, somewhat liberally, by a trained professional.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -----Original Message-----
  From: Mr Clark [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 7:47 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD, Logon times  Custom messages
  
  And what, exactly would be 
StIck?
  
  How would ISA server, or a web filter program 
  change/customize the logon message?
  Thanks.
  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
  Sent: Tuesday, July 08, 2003 06:43
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] AD, Logon times  Custom messages
  
  
  The 
  right tool for this job might just be the StIcK(tm) 
  ;)
  
  
  
  Roger
  
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 1:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times  Custom messages


The right tool for the right job. I do not think the place you are looking at is the right place for this job. May I suggest ISA server, or similar web filter programs.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





From: [EMAIL PROTECTED] on behalf of Roger Seielstad
Sent: Mon 7/7/2003 8:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times  Custom messages

The reject should be logged automatically, but I haven't checked for sure

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Mr Clark [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times  Custom messages

Well, I just wanted to customize the message for my kids when they try to *sneak* on the computer during the middle of the night. :)

As another thought, is there a way to "log" when someone tries to sign on at a restricted time?

Charlie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Monday, July 07, 2003 09:43
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times  Custom messages

Best guess is that you cannot modify the message.

As is pretty much standard for that type of message in Microsoft products, it's coded into a DLL, and the only supportable way to do that would be to engage Microsoft Consulting Services to modify the DLL. However, since I believe that's part of the LSASS process on the client, and that gets patched somewhat regularly by service packs, etc, you'd have to re-engage them for every new service pack. IMO, it's not worth it.

What are you trying to accomplish?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Mr Clark [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 9:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD, Logon times

RE: [ActiveDir] Domain Rename

2003-07-02 Thread Ayers, Diane
Jan:

I was browsing the Win2K tools page and saw this.  Not sure if you've seen these or 
not.

Windows Server 2003 Domain Rename Tools

http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx

Diane

-----Original Message-----
From: Jan Wilson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 4:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Rename


As it happens to many we need to rename our W2K domain. Our plan is to
upgrade our DCs to W3K then rename. Has anyone ventured down this road (to
hell) yet? The amount of work looks daunting! Thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Domain Rename

2003-07-01 Thread Ayers, Diane
<thread hijack>

H  Out of curiosity, has anyone moved their production domains to Win2K Forest 
Functional Mode yet?

Diane

</thread hijack>

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 5:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Rename


Jan,

Key point is that you must be in Windows Server 2003 Forest Functional Mode
- only W2k3 DCs in the forest.  It's not anywhere near as bad as it looks.
Not anywhere as daunting as the road to Windows 2000 Native

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
Sent: Tuesday, July 01, 2003 6:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Rename

As it happens to many we need to rename our W2K domain. Our plan is to
upgrade our DCs to W3K then rename. Has anyone ventured down this road (to
hell) yet? The amount of work looks daunting! Thanks



RE: [ActiveDir] Updating pwdLastSet

2003-06-16 Thread Ayers, Diane
IIRC, that is not a writeable attribute.  We went through a similar exercise and found 
that we could not change that attribute.

Diane

-----Original Message-----
From: Rex Wheeler [mailto:[EMAIL PROTECTED]
Sent: Monday, June 16, 2003 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Updating pwdLastSet


We are doing some integration work allowing other platforms (unix) to authenticate 
against Active Directory. We have succeeded in making this happen but are running into 
testing challenges. 

We would like to be able to write test scripts to verify that account and password 
expiration logic is working correctly. For example we want to test that if you have a 
policy that says you must change your password every 30 days and you last changed your 
password 25 days ago, you should get a warning message saying that you have 5 days to 
change your password.

The problem is that we can't seem to update the pwdLastSet attribute. How can the 
value of this attribute be set? If it can not, does anyone have any ideas how to test 
such expiration logic without spending days of wall clock time?

Thanks,

Rex


RE: [ActiveDir] OT- Quest Fastlane tools (maybe not OT?)

2003-06-05 Thread Ayers, Diane



Stephen:

We have gone through an evaluation of products including the ActiveRoles 
and Migrator tools. Contact me off list and I can give you some input on 
what we found.

Diane Ayers
Team Lead, System Server Support
Pacific Gas & Electric Co.
Sacramento/San Francisco

  -----Original Message-----
  From: Wilkinson, Stephen (DrKW) [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, June 04, 2003 8:15 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] OT- Quest Fastlane tools (maybe not OT?)

  Does anyone have any feedback - positive and negative - on using Active Roles and Migrator from Quest software. We are looking at these products for migrating from a complex NT4 model and further ongoing security admin of the AD.

  At a cost of around $20 per user and 8000 users this is a large cost - we are really interested if people have had good or bad experiences with these tools during a migration and day-to-day operations.

  Fyi we are migrating NT4-Win2k3 (no upgrade - building separate Win2k3 single forest single domain) and not worrying about exchange (stay on 5.5 until next year).

  Thanks

  Stephen Wilkinson
  Extension 59276
  DDI +44(0)207 4759276
  Mobile +44(0)7973 143970
  E-Mail: [EMAIL PROTECTED]


RE: [ActiveDir] AD/Exchange Question

2003-05-30 Thread Ayers, Diane
One forest = One exchange Org irregardless of the domains within the forest.

Diane

-----Original Message-----
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 6:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD/Exchange Question


My company is getting ready to migrate to Windows 2003 Active Directory from
NT 4.0.  Our design is to have separate trees in the enterprise forest. Do
we have to have separate Exchange Organizations or is there a work around to
still have one?


RE: [ActiveDir] admt v2.0

2003-02-19 Thread Ayers, Diane
Hmm...  We just did a test and migrated accounts w/ passwords without
configuring the PES servers for the source NT 4.0 domain.  We verified that
the accounts were migrated w/ passwords intact.

Diane

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Wednesday, February 19, 2003 12:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] admt v2.0


Graham, Diane

The PES is required if you want to migrate passwords from NT4 to W2K.  It
can be installed on NT4 BDCs or PDCs, although the PDC is generally
preferable as ADMT talks to it anyway.  The controller running the PES must
have the high encryption pack installed.

Tony
-- Original Message --
From: Ayers, Diane [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 18 Feb 2003 14:56:56 -0800

Graham:

The password export server is only required for migration of accounts from
Win2K to Win2K.  It is not required for NT 4.0 to Win2K migrations.

Diane

-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 10:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] admt v2.0


Dear All, have picked up many useful pointers towards a version of ADMT v2.0
that is shipped with .NET RC1 (i think).

keen to research the use of password export server and the processes of
password migration which is new to v2.0

on the basis of planned migration from a source NT4 domain to Win2k, have
reviewed the Technet document Chapter 9: migration of Windows NT4.0 account
domain to AD

presumably this documents ADMT v1.0 and as such does not indicate any
configuration relating to pwd migration

at what at the moment is an educated guess any options (???) for pwd
migration would be available from the password options dialog ??

any info on the operation of the password export server would be well
received - Technet seems a bit thin on searches for this, and the readme.doc
with ADMT2 is a bit brief - NO real specific questions here sorry !

it does also document issues with the migration of local user profiles - any
further confirmed instances of this








RE: [ActiveDir] admt v2.0

2003-02-18 Thread Ayers, Diane
Graham:

The password export server is only required for migration of accounts from Win2K to 
Win2K.  It is not required for NT 4.0 to Win2K migrations.  

Diane

-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 10:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] admt v2.0


Dear All, have picked up many useful pointers towards a version of ADMT v2.0
that is shipped with .NET RC1 (i think).

keen to research the use of password export server and the processes of
password migration which is new to v2.0

on the basis of planned migration from a source NT4 domain to Win2k, have
reviewed the Technet document Chapter 9: migration of Windows NT4.0 account
domain to AD

presumably this documents ADMT v1.0 and as such does not indicate any
configuration relating to pwd migration

at what at the moment is an educated guess any options (???) for pwd
migration would be available from the password options dialog ??

any info on the operation of the password export server would be well
received - Technet seems a bit thin on searches for this, and the readme.doc
with ADMT2 is a bit brief - NO real specific questions here sorry !

it does also document issues with the migration of local user profiles - any
further confirmed instances of this








RE: [ActiveDir] Authentication ?

2003-01-16 Thread Ayers, Diane



Ditto for us. Heavily mixed environment (~20K users) with no impact 
from going native. Go for it :-)

Diane

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 8:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?

We had no issues when we went native...similar situation: Single domain, lots of
NT4 clients and member servers, as well as W2K clients and member
servers. A month or so after the last of the NT4 BDCs was removed,
we made the switch with no complaints. This domain had been upgraded
from NT4 back in 2000, so there's all kinds of old stuff on it. YMMV if
your old stuff is not similar to our old stuff, but that was our
experience.

Dave
  
-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 10:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authentication ?

Let me clear up my question!

I have NO 4.0 BDCs, All Win2k DC's, but have a lot of legacy
clients and applications.
Switching to native mode, I'm assuming should have NO impact on
these applications or systems.


  
-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?

Unless I am reading his email wrong - - -

He is considering going to NATIVE mode which means one of two things:

  He already HAS Win2K Srv and a few 2k servers on the wire
  He is planning to purchase WIN2K Srv

In EITHER case (which is just assumed since he is considering migrating) he would still
have to RUN DCPROMO to upgrade the PDC and BDCs or make them member
servers or remove them from the domain.

Don - we haven't heard from you since you opened the thread - - please let us know what is
the case so we can stop bickering and help you.

Guys - - I am not trying to argue - - unfortunately vocal inflection and tone just don't
translate well via email - - - my apologies if it appears as if I'm
yelling or picking a fight.
  
  
  
-Original Message-
From: Kevin Gent [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 11:13 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Authentication ?

The only way his NT 4 PDCs and BDCs
are going to become DCs in a Win2K domain is to purchase W2K and upgrade
them.
  

- Original Message -
From: Craig Cerino
To: [EMAIL PROTECTED]
Sent: Thursday, January 16, 2003 8:07 AM
Subject: RE: [ActiveDir] Authentication ?

Right - - but if he wants to keep what used to
be his PDC and BDC's in the loop they will either have to be
made DCs by running DCPROMO - - or get them out of the replication loop
by making them member servers or removing them from the domain

-Original Message-
From: EALES, Jack - FPIL [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 7:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authentication ?

switching to native mode means having NO more NT4.0 BDC's... that's when it becomes a
Native domain - rather than mixed...

-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: 16 January 2003 12:41
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?

If you run DCPROMO on them and make them a DC they will.

Which you'll have to do anyway  or downgrade them to member servers
  
-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 7:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Authentication ?

Considering switching to native mode within a month.

Is there any difference in authentication methods in native mode than mixed?

Some reason there seems to be a debate around my company about some applications
may be affected?

It's my understanding that

RE: [ActiveDir] AD restore to dissimilar hardware

2003-01-07 Thread Ayers, Diane
Is this the only DC you have?  If not, why don't you just build a new box and run 
DCpromo to make it a DC with new data replicated from your other DCs?  

Diane

-Original Message-
From: osman filiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 07, 2003 5:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD restore to dissimilar hardware


i have read this document and i apply the steps i repaired the windows but 
still there is  blue screen...






From: Jimmy Andersson [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD restore to dissimilar hardware
Date: Tue, 7 Jan 2003 13:59:23 +0100

Disaster Recovery of Active Directory on Dissimilar Hardware:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q263532;

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of osman filiz
Sent: Tuesday, January 07, 2003 1:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD restore to dissimilar hardware



Hi,
I have one domain controller that has hardware problem about RAID Card; now
i cannot fix it and i want to restore active directory to another pc with
IDE controller. But i can't... After restoring active directory it gives the
blue screen message while startup : 0x007B INACCESSIBLE BOOT DEVICE. Is
it possible to restore AD to dissimilar hard disk controller platform?

Any comment?






RE: [ActiveDir] ADMT 2.0

2002-12-23 Thread Ayers, Diane



Even though ADMT is on the .Net RC CD, the tool itself (IIRC) is not a 
beta version.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brad Martin
Sent: Monday, December 23, 2002 7:55 AM
To: Active Directory Mailing List
Subject: [ActiveDir] ADMT 2.0

Anyone know where I can find a beta
version of Microsoft Active Directory Migration Tool 2.0? I'm doing an
upgrade/migration at the end of this week (nothing like a last minute
deployment) and it would be really useful to have it.
Thanks.

Brad Martin
Go Daddy Software
[EMAIL PROTECTED]
480.505.8800 ext. 250
  


RE: [ActiveDir] Script to find last logged on date

2002-12-16 Thread Ayers, Diane



How about this?

http://cwashington.netreach.net/depo/view.asp?Index=717ScriptType=vbscript

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Byrne, Steve
Sent: Monday, December 16, 2002 6:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Script to find last logged on date

Hi,

I'm looking for a way to find user accounts that have not been used for more than 6 months.

Does anyone know where I can find a script to do this?

Thanks,
SB


RE: [ActiveDir] Anyone Heard of UltraBac?

2002-11-14 Thread Ayers, Diane
We use Ultrabac in our org as our standard backup product for single
server tape backup.  We have been pretty happy with it as far as backup to
tape goes.  You can email me direct if you want more info.

Diane

-Original Message-
From: Eric [mailto:Eric;ch13-12westtex.org]
Sent: Wednesday, November 13, 2002 1:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anyone Heard of UltraBac?


Supposedly it can perform a backup quicker than Veritas and the services
for Exchange and SQL do not have to be stopped.
 
Can anyone lend any feedback?



RE: [ActiveDir] OT: Exchange install

2002-11-13 Thread Ayers, Diane
Our Exchange boxes have 4 GB of memory.  Initial plan was to run standard
version.  Our first live box began generating memory fragmentation issues.
Supposedly this was fixed in SP3 as per PSS but no go.  The only fix was to
upgrade to Advanced and use the /3gb switch in the boot.ini (only supported
in advanced)

-Original Message-
From: Weston Rogers [mailto:wrogers;targettire.com]
Sent: Wednesday, November 13, 2002 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Exchange install


No, But from what I've heard, if you have over 3 gig of memory on the box
and its going to run e2k, its recommended to install adv server, but I dunno
how accurate that statement is.


-Original Message-
From: Sheri Brown [mailto:sbrown;c-s-d.org] 
Sent: Wednesday, November 13, 2002 12:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange install


Do you have to have Windows 2000 Advanced Server to install Exchange?

Sheri L. Brown, Systems Administrator
CSD Headquarters -- Technology Department
102 North Krohn Place
Sioux Falls, SD 57103
(605) 367-5760 ext 3202 
[EMAIL PROTECTED]



RE: [ActiveDir] OT: Exchange install

2002-11-13 Thread Ayers, Diane
That was our feeling too.  It kicked up costs for both the OS and the
monitoring layer since the monitoring ven-duh license was significantly
higher for advanced server.

Sigh

-Original Message-
From: Weston Rogers [mailto:wrogers;targettire.com]
Sent: Wednesday, November 13, 2002 12:26 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Exchange install


That's _GREAT_ to hear.

My company isn't going to spend 8 g's to go to advanced server just because
e2k won't run on our 3gb win2k servers.  I only have 150 mailboxes on a NT
box with like 96 mb of ram (lol) so hopefully by the time it gets errors
I'll be long gone.

-Original Message-
From: Ayers, Diane [mailto:DMA8;pge.com] 
Sent: Wednesday, November 13, 2002 2:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Exchange install


Our Exchange boxes have 4 GB of memory.  Initial plan was to run standard
version.  Our first live box began generating memory fragmentation issues.
Supposedly this was fixed in SP3 as per PSS but no go.  The only fix was to
upgrade to Advanced and use the /3gb switch in the boot.ini (only supported
in advanced)

-Original Message-
From: Weston Rogers [mailto:wrogers;targettire.com]
Sent: Wednesday, November 13, 2002 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Exchange install


No, But from what I've heard, if you have over 3 gig of memory on the box
and its going to run e2k, its recommended to install adv server, but I dunno
how accurate that statement is.


-Original Message-
From: Sheri Brown [mailto:sbrown;c-s-d.org] 
Sent: Wednesday, November 13, 2002 12:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange install


Do you have to have Windows 2000 Advanced Server to install Exchange?

Sheri L. Brown, Systems Administrator
CSD Headquarters -- Technology Department
102 North Krohn Place
Sioux Falls, SD 57103
(605) 367-5760 ext 3202 
[EMAIL PROTECTED]



RE: [ActiveDir] Question about Active Directory

2002-11-12 Thread Ayers, Diane
Very early in our AD deployment we had one server reporting AD corruption.
The other servers were OK.  We simply demoted the server, waited for
replication so that the server was removed from AD and re-promoted the
server. At this point it got a new copy of the database and problem solved.
Not that this would work for everyone due to band width, etc, but seemed to
work for us.

Diane

-Original Message-
From: Tim HInes [mailto:nupe009;carolina.rr.com]
Sent: Tuesday, November 12, 2002 11:42 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Question about Active Directory


Yes it can.  It is sometimes possible to repair it with ntdsutil or
esentutl.

see http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q315131 and
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q305500


Tim Hines, MCSA, MCSE (2000  NT4)
MVP - Active Directory




- Original Message -
From: Eric [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 12, 2002 2:29 PM
Subject: [ActiveDir] Question about Active Directory


Can AD become corrupted?  If so, can it be fixed with anything other
than restoring from backup?

Eric Etheredge, MCDBA
Systems Manager
Office of the Standing Trustee
Walter O'Cheskey, Trustee
Lubbock, Texas
Trustee's Website:  www.ch13-12westtex.org
Case Information Website:  www.trustee13.com





RE: [ActiveDir] Psched error?

2002-11-08 Thread Ayers, Diane
Are you running NetIQ AppManager agents on this box by chance?

-Original Message-
From: Chris J. Popp [mailto:chris.popp;sharpeengineering.com]
Sent: Thursday, November 07, 2002 12:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Psched error?


I am constantly getting the following in Win2K SP3's App Log. Time and
date changes (of course) when it occurs:


Event Type: Error
Event Source:   Perflib
Event Category: None
Event ID:   1008
Date:   11/7/2002
Time:   11:32:18 AM
User:   N/A
Computer:   PACKERS
Description:
The Open Procedure for service PSched in DLL
C:\WINNT\system32\pschdprf.dll failed.  Performance data for this
service will not be available. Status code  returned is data DWORD 0. 
Data:
: 02 00 00 00 


Any ideas? MS's site came up blank on this.

Thanks,
Chris





