RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-21 Thread Bernard, Aric
Regarding  http://www.support.microsoft.com/kb/897615 - agreed.  I often forget 
that not all customers have a premier support agreement in place...and cannot 
necessarily afford third-party support as my organization will provide.

To be clear, I did not state that ESX was easier to deploy:  "and from an 
enterprise perspective often considered easier to manage given the wide range 
of tools available for it." Certainly for a "smaller" organization or a home 
lab, VS2005 will be easier to implement based on the underlying host OS and the 
less restrictive hardware requirements. As for System Center VMM - it will be a 
good tool when it is complete but is currently lacking many features that 
should show up in the next beta.  I think I have made it clear that my 
perspective is from that of the Enterprise customer (also known as large, 
global, etc.) and as such I have not run into a single instance of recycled 
hardware - although I should probably highlight my "bias" based on who my 
employer is.  Regardless, I certainly agree with you that MSVS must be part of 
the conversation as to what VE should be used and is appropriate in many 
situations and customer environments.

Finally, my point was not to support one over the other just to make a 
statement based on what I see in the "field".  And FWIW I only run VS2005 in 
all of my test environments (outside of customers) although currently 
non-support for x64 guests is becoming a sticking point for me.

Regards,

Aric   (who's Ben?)



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Saturday, January 20, 2007 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

>>>All indications to the contrary are likely due to insufficient operational 
>>>experience with the product - not an attack on anyone just a statement based 
>>>on my personal experience and interactions with others
Not at all, Ben. I can speak from both sides of the aisle as far as VMWare and 
VS are concerned, although my bias, to which I have already confessed, plays a 
role in my dislike of VMWare. My dislike, though, is driven largely based on 
the original (apples and oranges) statement to which I responded. I have not 
disputed that VMWare is ahead of VS at this present time. I have simply 
stipulated that the perceived gap is so considerably narrowed now that 
dismissing VS as a non-starter is no longer a technically sound or tenable 
position.

>>>However, MS stated virtual machine support is the same regardless of virtual 
>>>environment provider.
This is just wrong. Please see http://www.support.microsoft.com/kb/897615

You will also notice that my observation and opinion were based mostly on where 
we are today on VS 2005 SP1 Beta 2. I do not dispute that VMWare is superior, 
but at what cost? I disagree with your assertion that ESX is easier to deploy 
and manage than VS - that just defies logic (no offense). Not with the 
availability of System Center.  When you need to provision a lab of, say, 20 
servers running various OSes, and you are under the gun to get it done, like 4 
hours ago, on a piece of recycled (Ebayed) hardware, ESX is not your friend.

I was afraid that this thread would go down the undesirable path of "Us vs 
Them", and I apologize for making it so. The point I'm trying to make is that, 
if you are looking for a Virtualization solution, VS does NOT stink one bit. 
Factor in the cost overlay, the deployment and maintenance efforts, divide that 
by what EXACTLY you are looking for in virtualization, then give VS a fair 
shake and not just go with the popular "VMWare Rules" opinion. ESX may have 
been sexy a while back when VS was truly ugly, but that is not the case today. 
VS is evolving, and you may just be pleasantly surprised that it adequately 
meets your need without breaking your bank and back.


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon


From: Bernard, Aric
Sent: Sat 1/20/2007 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

Other points to clear up...

MS supports VS2005 as it is their product.  However, MS stated virtual machine 
support is the same regardless of virtual environment provider.
MS recently (more than a year ago?) made some changes to their licensing model 
for virtual environments in terms of the Windows OS and how many instances can 
be run given a single license.  This is applicable to any virtual environment, 
not just V

RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-20 Thread Bernard, Aric
Damn mobile device...

That said, the new tools (i.e. System Center  virtual Machine  Manager) coming 
and next generation Microsoft Virtualization technologies, undoubtedly some 
catching up will occur.

Sent from my Windows Mobile device.

-Original Message-
From: "Bernard, Aric" <[EMAIL PROTECTED]>
To: "ActiveDir@mail.activedir.org" 
Sent: 1/20/07 5:41 PM
Subject: RE: [ActiveDir] Remote DC's on Virtual Server



RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-20 Thread Bernard, Aric
Other points to clear up...

MS supports VS2005 as it is their product.  However, MS stated virtual machine 
support is the same regardless of virtual environment provider.

MS recently (more than a year ago?) made some changes to their licensing model 
for virtual environments in terms of the Windows OS and how many instances can 
be run given a single license.  This is applicable to any virtual environment, 
not just VS2005.

In my role I am a supporter (technically, politically, and marketing) of MS 
products.  However, from an Enterprise perspective (management and operations) 
VMWare is generally regarded as the superior product for all the reasons 
mentioned and more. VMWare is not difficult to implement and operate as 
compared to VS2005 and from an enterprise perspective often considered easier 
to manage given the wide range of tools available for it.  All indications to 
the contrary are likely due to insufficient operational experience with the 
product - not an attack on anyone just a statement based on my personal 
experience and interactions with others.

That


Sent from my Windows Mobile device.

-Original Message-
From: "Brett Shirley" <[EMAIL PROTECTED]>
To: "ActiveDir@mail.activedir.org" 
Sent: 1/20/07 3:28 PM
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


Does anyone know if the vmware stuff allows "ba xxx w4" in the windows
debugger (obviously running on windows guest VM)?

ba xxx w4 = means break on address write w/in 4 bytes of the xxx, which is
a pointer.  This kind of bp is set through a register directly on the CPU.

I know for a fact VS doesn't support it ... not sure if it's impossible to
support, switching machines would mean you simply have to swap out that
set of registers as well, I guess ... just curious.

Cheers,
BrettSh [msft]

posting "as is"


On Thu, 18 Jan 2007, Akomolafe, Deji wrote:

> >>> one runs on bare metal and the other runs under a host OS
>
> Actually, that's a sleight of hand. ESX runs on a VMware-cooked Linux Kernel. 
> So, one can argue that, because it is bundled with its own "OS", ESX does not 
> really "run on bare metal" in the way some people describe it.
>
>
> Sincerely,
>_
>   (, /  |  /)   /) /)
> /---| (/_  __   ___// _   //  _
>  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
> (_/ /)
>(/
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about 
> Yesterday? -anon
>
>
>
> From: Noah Eiger
> Sent: Thu 1/18/2007 4:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Remote DC's on Virtual Server
>
>
> I realize this is now getting a bit OT, but.
>
> Deji, I think the fruit distinction is based on the fact that one runs on 
> bare metal and the other runs under a host OS. (Or at least that is how I have 
> always thought of them.) Beyond that, I agree there are simply feature 
> comparisons.
>
> That said, (and with the caveat that I have not worked with ESX) I find the 
> MS product to be much simpler than VM Server (nee GSX). I started halfway 
> down the path of migrating my MS VMs to VM Server and found it overly complex 
> and the video emulation performance using the VM Ware client was so bad as to 
> be unacceptable.
>
> And as to the OP, I have DCs running on MS VS2k5 R2 and have not had any 
> problems. In the situation you describe, Justin, it seems like performance 
> and cost would be the deciding factor.
>
> --- nme
>
>
>
>
> From: Akomolafe, Deji [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 18, 2007 3:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Remote DC's on Virtual Server
>
> :)
>
> Interesting points, again. Did I remember to say that I am biased? I think 
> so. I expect that I'm going to catch some flak for what I'm about to write, 
> but .
>
> These do not make VS and ESX "apples and oranges". VMotion, Host clustering. 
> Different nomenclature, different capabilities, same purpose, Resource 
> allocation guarantee, CPU Resource allocation weight.
>
> Superior Networking capabilities. Sure. Does VS have networking capabilities? 
> Of course. Does ESX integrate with AD as well as VS? Does it run on Windows? 
> Support software iSCSI? Live backup and Shadow Copy? (OK, if you count VCB 
> and its proxy).
>
> Administration - show of hands, quick - ESX or VS, which is easier and less 
> complex to deploy and administer? Which has easier and faster client 
> deployment option?
>
> I swear, I have NOT drunk any kool-aid, but I think people's perceptions of 
> the superiority of ESX over VS is largely driven by a combination of 
> historical trends, myths, marketing and the unavoidable "Winblows Sux" 
> mentality. Since we are on a Windows-centric list here, I do not mind 
> admitting that I do not subscribe to the notion that if it's not Windows, it 
> must be better than Windows. Mind you, Hunt

RE: [ActiveDir] Who needs that much ram anyway?

2007-01-16 Thread Bernard, Aric
My understanding is as follows:

All three switches address the 32-bit architecture only.
Exchange has never supported AWE.
Exchange 2007 has RTM'd.


Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Tuesday, January 16, 2007 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who needs that much ram anyway?

What about the 3Gb switch in the boot.ini that is required to take advantage
of the additional memory.
Also depending on the age of the server and CPU, you may also need a PAE /
AWE switch.
http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and require a
64 bit version of Windows 2003 or Longhorn, I am not sure if the switch will
be required, anyone else know?

Jose


- Original Message -
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?


> Personally I was surprised that a Windows 2003 server and Exchange 2007
> would need a patch to run more than 4 gigs because
> "This problem occurs because of a problem in the Windows kernel"
>
> Seems to me in the x64 era, we're all going to be running more than 4 gigs
> so they should bundle this up in the Exchange 2007 installer from the get
> go rather than having everyone stumble across a KB article.
>
> I'm assuming it's discussed in the readme that no one reads?
>
>
> Brian Desmond wrote:
>> The more you can get in memory, the better. 32GB is the threshold for
>> Exchange before it stops making sense.
>>
>> I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
>> ram before...
>>
>> Thanks,
>> Brian Desmond
>> [EMAIL PROTECTED]
>>
>> c - 312.731.3132
>>
>>
>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:ActiveDir-
>>> [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
>>> SBS Rocks [MVP]
>>> Sent: Tuesday, January 16, 2007 4:01 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: [ActiveDir] OT: Who needs that much ram anyway?
>>>
>>>
>>>   The Microsoft Exchange Information Store service stops responding on
>>> a
>>>   computer that is running Windows Server 2003 and Exchange Server
>>>
>> 2007
>>
>>> http://support.microsoft.com/?kbid=928368
>>>
>>> This problem occurs if Exchange Server 2007 is installed on a computer
>>> that has more than 4 gigabytes (GB) of RAM.
>>>
>>> List info   : http://www.activedir.org/List.aspx
>>> List FAQ: http://www.activedir.org/ListFAQ.aspx
>>> List archive: http://www.activedir.org/ma/default.aspx
>>>
>>
>>
>
> --
> Letting your vendors set your risk analysis these days?
> http://www.threatcode.com
>
> If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
> will hunt you down...
> http://blogs.technet.com/sbs
>



RE: [ActiveDir] Renaming sites

2006-12-04 Thread Bernard, Aric
SMS will be irritated as it stores the site names in its own DB.  Also Exchange 
gets a little uptight if it is in the site with the name being changed - a 
restart is required.

Sent from my Windows Mobile device.

-Original Message-
From: "Mark Parris" <[EMAIL PROTECTED]>
To: "ActiveDir.org" 
Sent: 12/4/06 3:29 PM
Subject: Re: [ActiveDir] Renaming sites

I can remember some issues with DFS and Windows 2000 but I assume you are 
Windows 2003 now?

So I won't go into them without checking.



Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: "Huber, Rob \(HNI Corp\)" <[EMAIL PROTECTED]>
Date: Mon, 4 Dec 2006 16:36:59
To:
Subject: [ActiveDir] Renaming sites

Does anyone know of any issue with renaming sites?  For example, if we change 
the site called Chicago to ChicagoIL, what issues could arise?  I expect that 
since the GUID is not changed that there will not be a problem.  How about if 
we use SMS??
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Bernard, Aric
Kevin,

FWIW - as others are stating, assuming you know what you are doing, it is 
*simple* and painless so long as you are a DA of any domain in the 
forest and have access to the console of a GC.  There are many exploit 
strategies in this area and in its most basic form this can be done with 
rudimentary knowledge, native tools, and no coding or scripting.


Aric

-Original Message-
From: "Kevin Brunson" <[EMAIL PROTECTED]>
To: "ActiveDir@mail.activedir.org" 
Sent: 9/15/06 1:35 PM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

http://www.microsoft.com/technet/security/Bulletin/MS02-001.mspx
discusses some elevation of privilege attacks.  It also links to another
article that is supposed to have more details on SID filtering, which
doesn't seem to exist anymore.  All references I have found point only
at NT4 and 2000 as susceptible to this kind of attack, and they have a
patch to fix it.  So I guess 2003 is secure at least when it comes to
the SIDHistory method.  There must be other ways of doing it, though.  I
don't know that they could possibly be "simple" if MS put out a patch to
fix this particular hole way back in 02.  The referenced article (for
those who don't read it) calls for "a binary edit of the data structures
that hold the SIDHistory information".  Not exactly "candy from a baby"
level, unless you happen to be a 3rd level black-belt in
babies-canditsu.  But I'm sure someone with extreme skills could take on
an unpatched 2000 domain without much trouble.  Either way, it looks
like sidfiltering mitigates most of the risk.  



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, September 15, 2006 2:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

 

>>>Al - we are designing a forest with regional domains (don't ask!) and
one region has suggested it needs to split from this forest since
elevating rights in any regional domain from DA to EA (forest wide) is
'simple' [and this would break the admin / support model].

 

What is being said is very very true. Either you trust ALL Domain Admins
(no matter the domain those are in) or you do not trust ANY! Every
Domain Admin or ANY person with physical access to a DC has the
possibility to turn the complete forest into crap!

Because if that was NOT the case the DOMAIN would be the security
boundary. Unfortunately it is not! The Forest is the security boundary,
whereas EVERY single DC in the forest MUST be protected and EVERY Domain
Admin MUST be trusted!

 

>>>I am arguing that it is not simple and am looking for methods which
may be used to elevate rights as per the above

 

When you know HOW, it is as easy as taking candy from a baby

 

jorge

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

 

Al - we are designing a forest with regional domains (don't
ask!) and one region has suggested it needs to split from this forest
since elevating rights in any regional domain from DA to EA (forest
wide) is 'simple' [and this would break the admin / support model].

 

I am arguing that it is not simple and am looking for methods
which may be used to elevate rights as per the above.

 

Make sense?

 

neil

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword?  I'm not sure I clearly understand the question.


FWIW, going from DA to EA is a matter of adding one's id to the
EA group.  DA's have that right in the root domain of the forest (DA's
of the root domain have that right). Editing etc. is not necessary. Nor
are key-loggers etc. 
If physical access is available, there are plenty of ways to get
the access you require to a domain but I suspect you're asking how can a
DA from a child domain gain EA access; is that the question you're
looking to answer?  

Just for curiosity, what brings up that question? 

Al

On 9/14/06, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote: 

It has been suggested by certain parties here that elevating
one's rights from DA to EA is 'simple'. 

I have suggested that whilst it's possible it is not simple at
all. 

Does anyone have any descriptions of methods / backdoors /
workarounds etc that can be used to elevate rights in this way?
Naturally, you may prefer to send this to me offline :) 
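Al's point above is that, at its most basic, going from DA to EA is a membership change on the Enterprise Admins group, and Jorge's is that every DC and every Domain Admin in the forest therefore has to be trusted. The defensive counterpart is to treat any addition to the forest-wide groups as an alertable event and to compare membership against an approved list on a schedule. The following is an added example and not code from the thread: it scans constructed Security-log lines carrying the fields of event 4756 (member added to a security-enabled universal group, Windows Server 2008 and later) and its Windows Server 2003 equivalent 660, raises an alert for any addition to Enterprise Admins, Schema Admins or Domain Admins, flags the case where the actor added their own account, and reports drift between a membership snapshot and an approved list. The one-line log layout, the group list and the sample accounts are assumptions made for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# "Member added to a security-enabled group" event IDs:
#   4756 / 4728 = universal / global group, Windows Server 2008 and later
#    660 /  632 = the same events on Windows Server 2003
MEMBER_ADDED_EVENT_IDS = {4756, 4728, 660, 632}

# Forest-wide (and root-domain) groups whose membership must be change-controlled.
WATCHED_GROUPS = {"Enterprise Admins", "Schema Admins", "Domain Admins"}

# Assumed one-line export format for the demo; a real Windows export
# spreads these fields over several lines or XML elements.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) "
    r"Subject=(?P<subject>\S+) "
    r"Group=(?P<group>.+?) "
    r"Member=(?P<member>\S+)$"
)

# Constructed sample lines: a self-addition to Enterprise Admins, a harmless
# group change, a 2003-style event, a removal (4757), and a junk line.
SAMPLE_LOG = [
    r"2006-09-15 13:35:02 EventID=4756 Subject=CONTOSO\jdoe Group=CONTOSO\Enterprise Admins Member=CN=jdoe,CN=Users,DC=contoso,DC=com",
    r"2006-09-15 13:36:10 EventID=4756 Subject=CONTOSO\svc-hr Group=CONTOSO\Sales Member=CN=bob,CN=Users,DC=contoso,DC=com",
    r"2006-09-15 13:40:00 EventID=660 Subject=CONTOSO\admin1 Group=CONTOSO\Enterprise Admins Member=CN=svc-backup,CN=Users,DC=contoso,DC=com",
    r"2006-09-15 13:41:00 EventID=4757 Subject=CONTOSO\admin1 Group=CONTOSO\Enterprise Admins Member=CN=svc-backup,CN=Users,DC=contoso,DC=com",
    "garbage line that does not parse",
]


@dataclass
class Alert:
    timestamp: str
    event_id: int
    actor: str
    group: str
    member: str
    self_elevation: bool   # the actor added their own account


def strip_domain(name: str) -> str:
    """'CONTOSO\\jdoe' -> 'jdoe'."""
    return name.split("\\", 1)[-1]


def member_name(member_dn: str) -> str:
    """'CN=jdoe,CN=Users,DC=contoso,DC=com' -> 'jdoe'."""
    first = member_dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines: List[str]) -> List[Alert]:
    """Return one Alert per addition to a watched group."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # unparseable lines are skipped, not fatal
        event_id = int(rec["eid"])
        group = strip_domain(rec["group"])
        if event_id not in MEMBER_ADDED_EVENT_IDS or group not in WATCHED_GROUPS:
            continue
        actor = strip_domain(rec["subject"])
        member = member_name(rec["member"])
        alerts.append(Alert(rec["ts"], event_id, actor, group, member,
                            actor.lower() == member.lower()))
    return alerts


def membership_drift(current: Set[str], approved: Set[str]) -> Set[str]:
    """Accounts present in the group but absent from the approved list; a
    periodic snapshot comparison catches an addition whose event was lost."""
    return set(current) - set(approved)


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        flag = " (self-elevation)" if a.self_elevation else ""
        print(f"{a.timestamp} {a.actor} added {a.member} to {a.group}{flag}")
    print("drift:", membership_drift({"Administrator", "jdoe"}, {"Administrator"}))
```

Run as a script it reports two additions to Enterprise Admins, the first marked as a self-elevation, and one account (jdoe) present in the snapshot but not on the approved list. The membership check matters because the event stream can be cleared by the same level of privilege that made the change, so the snapshot is the control that does not depend on the log surviving.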

RE: [ActiveDir] Windows 2003 R2

2006-05-26 Thread Bernard, Aric
They're not - nor are the LUN management bits or WSS - I should have said
"some of which" instead of "some or all of which".  The idea was to
give Justin an idea of what was coming with R2.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, May 26, 2006 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 R2


How is DFSR, FSM, SRM, and CLFS about AD or a supporting service?


On Fri, 26 May 2006, Bernard, Aric wrote:

> Er...yes?  Can you be more specific?  A reason behind your question
> could make for a better answer...
> 
>  
> 
> DFSR
> 
> PMC
> 
> FSM
> 
> SRM
> 
> MMC3.0
> 
> ADAM
> 
> ADFS
> 
> Enhanced subsystem for UNIX/NIS/Password sync
> 
> CLFS
> 
> Integrated SAN LUN management
> 
> .NET Framework 2.0
> 
> WSS SP2
> 
>  
> 
> Some of which do require changes to the schema. Some or all of which
> could be considered supporting.  Some of which are available outside
of
> the R2 release itself.
> 
>  
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
> Justin A.
> Sent: Friday, May 26, 2006 9:04 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Windows 2003 R2
> 
>  
> 
> Did R2 make any changes to Active Directory and its supporting
services?
> 
>  
> 
> Justin A. Salandra
> 
> MCSE Windows 2000 & 2003
> 
> Network and Technology Services Manager
> 
> Catholic Healthcare System
> 
> 646.505.3681 - office
> 
> 917.455.0110 - cell
> 
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
> 
>  
> 
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Windows 2003 R2

2006-05-26 Thread Bernard, Aric
Er…yes?  Can you be more specific? 
A reason behind your question could make for a better answer…

 

DFSR

PMC

FSM

SRM

MMC3.0

ADAM

ADFS

Enhanced subsystem for UNIX/NIS/Password
sync

CLFS

Integrated SAN LUN management

.NET Framework 2.0

WSS SP2

 

Some of which do require changes to the
schema. Some or all of which could be considered supporting.  Some of which are
available outside of the R2 release itself.

 

 

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 26, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Windows 2003
R2



 

Did R2 make any changes to Active Directory and its
supporting services?

 

Justin A. Salandra

MCSE Windows 2000 & 2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED]

 


RE: [ActiveDir] AD DNS along with Bind

2006-05-25 Thread Bernard, Aric
You are surely not exposing your internal namespace to the Internet
Or are you?

Let me get out the old Hacking 101 books...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, May 25, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

(From my DNS admin)
If I did that, then I would have to open DNS conduits through our
firewalls for the DC, as anyone who was requesting information from any
AD zone would be querying the DNS Server on the DC.  We try to limit
contact to the DC from the Internet.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, May 24, 2006 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Why configure the BIND servers as secondary to the zones delegated to
the Windows DNS servers?  Why not just let the Windows DNS servers
handle those queries?  By doing so you would remove the issue
surrounding the zone serial numbers while also provide redundancy for
Windows based zones and the dynamic updates they require.

Could just be a personal preference I suppose...

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, May 24, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Hi Freddy,
(From my DNS Admin)



When any client (or server) machine wants to locate an SRV record, it
asks the BIND slave servers, as the Windows 2003 DNS Server is not in
any TCP/IP configuration as a DNS server to be queried.
In fact, we recently moved the DNS Service from one DC to another when
we upgraded the original DC to new hardware.  The only machines we had
to change were the BIND slave servers, which had the IP address of the
old master in the BIND configuration file.


The BIND servers are slaves for all of the AD zones, so those BIND
servers give answers to the queries.  We have three DCs for the forest,
and if the one on which the DNS Service is running is down, then the
only problems are

   1) the rare DDNS update from a DC, updating an SRV or CNAME
  record

   2) the more frequent DDNS updates for one forward subdomain zone
  and its five reverse zones, all under the control of a Windows
  DHCP server.

I do not know if the DHCP code retries its DDNS.  The DC on which DNS
runs is not down that often, and we have not received complaints when it
was down.

>Interesting article mentioned below, does it apply to 2003 as well?

I assume you are referencing 282826 (previously known as Q282826).
It does apply to 2003.  When I first read it, I could not understand it.
I made a flowchart from the text, and after a MS employee explained it,
I understood it.  

Assume that there is an AD-integrated zone, xxx.example.com, and there
are two DCs running the DNS Service.  Assume that all of the
behind-the-scenes AD synchronization has taken place, and both DCs have
exactly the same zone information; the zone serial number is, say 100.
Some machine, pc1.xxx.example.com, sends a DDNS update to DC1.  After
the update is complete, the zone serial number on DC1 is now 101.
At the same time, another machine, pc2.xxx.example.com, sends a DDNS
update to DC2.  After that update is complete, the zone serial number on
DC2 is 101.  We now have two copies of the zone, each with serial number
101, and each has an update that the other does not have.
Which DC has the correct zone information?  Neither.  I have no idea how
long it takes the behind-the-scenes AD synchronization to occur.
When it has occurred, the resulting zone has both updates.  But what is
the serial number?  It can't be 101, as serial number 101 was associated
with a copy of the zone that did not have both of the updates.  Can it
be 102?  No, as there could have been another DDNS update to DC1 before
the synchronization occurred.  In this case,
DC1 would have serial number 102, and DC2 serial number 101.
I contend that there is no value that can be used as the serial number
for the combined-update zone.

What 282826 is saying is that the zone serial number is meaningless
unless that DNS Server is a master server feeding a BIND (or other
vendor) slave server.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 
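Barry's walkthrough above (two DCs in sync at serial 100, each taking one dynamic update and both ending at 101) can be run as a small simulation. The following is an added example and not code from the thread or from Microsoft: it models two AD-integrated replicas, a BIND-style secondary that transfers only when the master's serial is newer under RFC 1982 serial arithmetic, and a merge step that keeps both records but cannot produce a serial newer than 101, so the secondary is left without one of the updates. The merge policy (keep the higher of the two serials) is an assumption made for the simulation, not a description of what Windows DNS does; the zone, host names and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

SERIAL_MOD = 2 ** 32
HALF = 2 ** 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: True if a is 'newer' than b.
    This is the comparison a secondary makes against the master's SOA
    serial before deciding whether to transfer the zone."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


@dataclass
class Zone:
    """One replica of an AD-integrated zone on one DC."""
    serial: int
    records: Dict[str, str] = field(default_factory=dict)

    def ddns_update(self, name: str, addr: str) -> None:
        # A dynamic update applied locally bumps only this replica's serial.
        self.records[name] = addr
        self.serial = (self.serial + 1) % SERIAL_MOD


def ad_replicate(a: Zone, b: Zone) -> Zone:
    """AD replication converges the record sets of the two replicas.
    Assumption for this demo: the merged replica carries the higher of
    the two serials (the simulation's policy, not Windows DNS's)."""
    merged = dict(a.records)
    merged.update(b.records)
    return Zone(max(a.serial, b.serial), merged)


@dataclass
class Secondary:
    """A BIND-style secondary that only transfers on a newer serial."""
    serial: int
    records: Dict[str, str]

    def refresh(self, master: Zone) -> bool:
        if serial_gt(master.serial, self.serial):
            self.serial = master.serial
            self.records = dict(master.records)
            return True
        return False


def simulate() -> dict:
    # Constructed zone xxx.example.com, in sync on both DCs at serial 100.
    dc1 = Zone(100, {"dc1.xxx.example.com": "10.0.0.1"})
    dc2 = Zone(100, dict(dc1.records))
    slave = Secondary(100, dict(dc1.records))

    dc1.ddns_update("pc1.xxx.example.com", "10.0.0.11")   # DC1 -> 101
    dc2.ddns_update("pc2.xxx.example.com", "10.0.0.12")   # DC2 -> 101

    first = slave.refresh(dc1)        # secondary picks up DC1's copy at 101
    merged = ad_replicate(dc1, dc2)   # both updates present, serial still 101
    second = slave.refresh(merged)    # 101 is not newer than 101: no transfer
    missing: List[str] = sorted(set(merged.records) - set(slave.records))
    return {
        "first_transfer": first,
        "merged_serial": merged.serial,
        "second_transfer": second,
        "missing_on_secondary": missing,
    }


if __name__ == "__main__":
    print(simulate())
```

The secondary ends the run at serial 101 with pc1 but without pc2, and nothing in the serial comparison will ever tell it so until some later update bumps the master past 101. That is the practical content of Barry's reading of 282826: the serial only carries meaning where a Windows DNS server feeds a non-AD secondary, and in that role a multi-master zone can leave the secondary stale, which is also why Aric's suggestion of delegating the AD zones to the Windows DNS servers instead of slaving them to BIND removes the problem rather than tuning around it.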

RE: [ActiveDir] [OT]Identity Access Management

2006-05-25 Thread Bernard, Aric
Another option is HP Select Identity.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, May 25, 2006 7:42 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] [OT]Identity Access Management

The requirement is

Workflow provisioning - HR create users- then users are authorised by 
departmental heads for access. Rules for email, account creation etc.

The various systems all tie in to a metadirectory, which is then authoritative 
for the company - the data is mastered in various locations.

There is a self service interface for password resets and resource access.

BMC have a product that ships out of the box to do virtually all of this - I 
think based on the old Calendra product suite.

All I was looking for was alternative products that did the same.

ActiveRoles, unless they have changed the scope of the product, did not do this, 
but then I last saw the product a couple of years ago, and whenever I now speak 
to a Quest salesman I give an alias as they are like leeches. 

Mark

-Original Message-
From: "Al Mulnick" <[EMAIL PROTECTED]>
Date: Thu, 25 May 2006 09:20:00 
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]Identity Access Mangement

You two need a room ? :) 
  
Mark, can you give more information? I know Quest has something that might be 
of interest, but more detail might be needed to better understand. In the 
meantime, check out their ActiveRoles product.  There are several others, but 
that's one that jumps to mind based on the way you describe it. 
  
MIIS? Hmmm did you also get cookies with the kool-aid? Did you feel really 
sleepy right after but just attribute it to sugar rush? Did the back of your 
neck sting or itch a little when you woke up? ;-) 
  
Don't get me wrong, MIIS has a place, but it can be a real PITA to get 
working.  It's a significant investment in time and resources and it's not well 
understood in the industry.  I can't begin to count how many environments I've 
been in and seen the services running and that's about it.  Some real basic 
consuming of information and then nada. Nothing more. 
  
-ajm
  
On 5/25/06, Carlos Magalhaes <[EMAIL PROTECTED]> wrote:
They changed it again (just checked and you're 100% right :))

C

Tomasz Onyszko wrote:
> On Thu, 25 May 2006 11:53:43 +0200, Carlos Magalhaes wrote 
>
>> Not yet no but we both know thats in the pipe line for SP2. I still
>> would like to know why MIIS was not an option.C
>>
>
> Workflow is not included in SP2, some solution is planned in Gemini time 
> frame
>
> --
> Tomasz Onyszko
> http://www.w2k.pl/ (PL blog)
> http://blogs.dirteam.com/blogs/tomek (EN blog)
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] AD DNS along with Bind

2006-05-24 Thread Bernard, Aric
Why configure the BIND servers as secondary to the zones delegated to
the Windows DNS servers?  Why not just let the Windows DNS servers
handle those queries?  By doing so you would remove the issue
surrounding the zone serial numbers while also providing redundancy for
Windows-based zones and the dynamic updates they require.

Could just be a personal preference I suppose...

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, May 24, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Hi Freddy,
(From my DNS Admin)

When any client (or server) machine wants to locate an SRV record, it
asks the BIND slave servers, as the Windows 2003 DNS Server is not in
any TCP/IP configuration as a DNS server to be queried.
In fact, we recently moved the DNS Service from one DC to another when
we upgraded the original DC to new hardware.  The only machines we had
to change were the BIND slave servers, which had the IP address of the
old master in the BIND configuration file.


The BIND servers are slaves for all of the AD zones, so those BIND
servers give answers to the queries.  We have three DCs for the forest,
and if the one on which the DNS Service is running is down, then the
only problems are

   1) the rare DDNS update from a DC, updating an SRV or CNAME
  record

   2) the more frequent DDNS updates for one forward subdomain zone
  and its five reverse zones, all under the control of a Windows
  DHCP server.

I do not know if the DHCP code retries its DDNS.  The DC on which DNS
runs is not down that often, and we have not received complaints when it
was down.

>Interesting article mentioned below, does it apply to 2003 as well?

I assume you are referencing 282826 (previously known as Q282826).
It does apply to 2003.  When I first read it, I could not understand it.
I made a flowchart from the text, and after a MS employee explained it,
I understood it.  

Assume that there is an AD-integrated zone, xxx.example.com, and there
are two DCs running the DNS Service.  Assume that all of the
behind-the-scenes AD synchronization has taken place, and both DCs have
exactly the same zone information; the zone serial number is, say 100.
Some machine, pc1.xxx.example.com, sends a DDNS update to DC1.  After
the update is complete, the zone serial number on DC1 is now 101.
At the same time, another machine, pc2.xxx.example.com, sends a DDNS
update to DC2.  After that update is complete, the zone serial number on
DC2 is 101.  We now have two copies of the zone, each with serial number
101, and each has an update that the other does not have.
Which DC has the correct zone information?  Neither.  I have no idea how
long it takes the behind-the-scenes AD synchronization to occur.
When it has occurred, the resulting zone has both updates.  But what is
the serial number?  It can't be 101, as serial number 101 was associated
with a copy of the zone that did not have both of the updates.  Can it
be 102?  No, as there could have been another DDNS update to DC1 before
the synchronization occurred.  In this case,
DC1 would have serial number 102, and DC2 serial number 101.
I contend that there is no value that can be used as the serial number
for the combined-update zone.

What 282826 is saying is that the zone serial number is meaningless
unless that DNS Server is a master server feeding a BIND (or other
vendor) slave server.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994
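The divergence Barry Finkel describes can be observed directly: every DC hosting an AD-integrated zone maintains its own SOA serial, so asking each DC for the zone's SOA and comparing the serials shows whether they have drifted apart, and tells you which serial a BIND secondary pulling from a given DC would see. The following PowerShell is an added example, not code from this post or from Argonne; it assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 and later) and that the zone and DC names are supplied by the caller (the names in the usage line are hypothetical).

```powershell
# Added example: compare the SOA serial of an AD-integrated zone as seen
# from each DC that hosts it. Assumes Resolve-DnsName (DnsClient module).
function Get-ZoneSerialPerDc {
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string[]]$DnsServer
    )
    foreach ($server in $DnsServer) {
        try {
            # SOA query sent to one specific server; -DnsOnly bypasses the local
            # hosts file and resolver cache so the answer is that server's own.
            $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
            [pscustomobject]@{
                Server  = $server
                Serial  = $soa.SerialNumber
                Primary = $soa.PrimaryServer
                Error   = $null
            }
        } catch {
            [pscustomobject]@{ Server = $server; Serial = $null; Primary = $null; Error = $_.Exception.Message }
        }
    }
}

function Test-ZoneSerialConsistency {
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string[]]$DnsServer
    )
    $results = Get-ZoneSerialPerDc -Zone $Zone -DnsServer $DnsServer
    $results | Format-Table -AutoSize | Out-String | Write-Host

    $serials = @($results | Where-Object { $null -ne $_.Serial } |
                 Select-Object -ExpandProperty Serial -Unique)
    if ($serials.Count -gt 1) {
        # Expected for AD-integrated zones (KB 282826): each DC increments its own
        # serial. It only matters to a secondary that transfers from one master.
        $msg = 'Zone {0}: {1} distinct serials across DCs ({2}); a BIND secondary sees only the serial of the master it pulls from.' -f
               $Zone, $serials.Count, ($serials -join ', ')
        Write-Warning $msg
    } elseif ($serials.Count -eq 1) {
        Write-Host ('Zone {0}: all responding DCs report serial {1}' -f $Zone, $serials[0])
    } else {
        Write-Warning ('Zone {0}: no DC returned an SOA record' -f $Zone)
    }
    return $results
}

# Usage (hypothetical names, matching the scenario in the post):
# Test-ZoneSerialConsistency -Zone 'xxx.example.com' -DnsServer 'dc1.xxx.example.com', 'dc2.xxx.example.com'
```

Run it against every DC that hosts the zone; the warning branch is the normal state for a multi-master zone, which is exactly why the serial can only be trusted by a secondary that always transfers from the same master.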


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Tuesday, May 23, 2006 8:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Hi Mike,

If you are delegating those 6 zones to only 1 DNS server, and that DNS
server is going through a quick reboot or downtime, then none of your
clients can find the NS delegation, hence causing a "no domain controller
found" scenario, isn't it?

Interesting article mentioned below, does it apply to 2003 as well? 


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, May 24, 2006 4:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Adeel,
Here is a response from our DNS guy.  I hope it helps you.

Mike Thommes
=

Here are the steps I took for delegating t

RE: [ActiveDir] how to find DNS servers in a forest?

2006-05-17 Thread Bernard, Aric
How about just performing a query against the directory for all objects that
have a value of "DNS/*" in their servicePrincipalName property?  Of course you
could restrict this query more by limiting it only to computer objects, etc.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, May 17, 2006 3:54 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] how to find DNS servers in a forest?

Dump the msDs-masteredBy attribute of the forestDNSzones NC head to determine
the DCs running 2K3 upon which MS' DNS is installed and is (or at least was)
running.  You can further qualify that list using WMI or SC.EXE or any means of
remotely querying the installed services.  This is quite simple to script or to
wrap in a for-in-do-loop to automate the output.

Note - this addresses only DCs running DNS which I inferred was your primary goal.



--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
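The two approaches in this thread (Aric's servicePrincipalName query and Dean's msDS-masteredBy dump, followed by a service check) can be scripted together so that the directory's view is confirmed against what is actually running. The PowerShell below is an added example, not code from either poster; it assumes the ActiveDirectory module (RSAT), a forest root that also contains the ForestDnsZones partition (true when the forest uses the default DNS application partitions), a global catalog reachable on port 3268 for the forest-wide SPN search, and Windows PowerShell 5.1 for Get-Service -ComputerName.

```powershell
# Added example: find DCs hosting Microsoft DNS two ways, then confirm the
# service state. Assumes the ActiveDirectory module and read access to the
# configuration partition. Names resolved at run time are the forest's own.
Import-Module ActiveDirectory

function Get-DnsServersBySpn {
    # Aric's approach, restricted to computer objects. SPNs replicate to the
    # global catalog, so an empty search base against a GC port covers the forest.
    $gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    Get-ADObject -Server "$($gc):3268" -SearchBase '' -SearchScope Subtree `
                 -LDAPFilter '(&(objectClass=computer)(servicePrincipalName=DNS/*))' `
                 -Properties dNSHostName |
        Select-Object -ExpandProperty dNSHostName
}

function Get-DnsServersByMasteredBy {
    # Dean's approach: the ForestDnsZones NC head lists in msDS-masteredBy the
    # NTDS Settings objects of every DC holding a replica of that partition.
    # Assumption: the default partition name under the forest root domain DN.
    $rootDse = Get-ADRootDSE
    $ncHead  = 'DC=ForestDnsZones,' + $rootDse.rootDomainNamingContext
    $nc = Get-ADObject -Identity $ncHead -Properties 'msDS-masteredBy'
    foreach ($ntdsDn in $nc.'msDS-masteredBy') {
        # CN=NTDS Settings,CN=<server>,CN=Servers,... -> the server object holds dNSHostName
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
    }
}

function Confirm-DnsServiceState {
    # The directory says the role was registered; the service tells you whether it
    # is installed and running now. Service name of the DNS Server service is "DNS".
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in ($ComputerName | Sort-Object -Unique)) {
        try {
            $svc = Get-Service -Name DNS -ComputerName $c -ErrorAction Stop
            [pscustomobject]@{ Computer = $c; DnsService = [string]$svc.Status }
        } catch {
            [pscustomobject]@{ Computer = $c; DnsService = 'NotInstalledOrUnreachable' }
        }
    }
}

function Get-ForestDnsServerReport {
    $bySpn = @(Get-DnsServersBySpn)
    $byNc  = @(Get-DnsServersByMasteredBy)
    # Hosts listed by only one method are worth a look: a stale SPN, or a DC that
    # holds the partition but no longer runs DNS.
    $all = @($bySpn + $byNc | Sort-Object -Unique)
    $state = Confirm-DnsServiceState -ComputerName $all
    foreach ($host in $all) {
        [pscustomobject]@{
            Computer      = $host
            HasDnsSpn     = $bySpn -contains $host
            HostsDnsZones = $byNc -contains $host
            DnsService    = ($state | Where-Object Computer -eq $host).DnsService
        }
    }
}

# Usage:
# Get-ForestDnsServerReport | Format-Table -AutoSize
```

Rows where HasDnsSpn and HostsDnsZones disagree, or where the service is not running on a host the directory still lists, are the discrepancies worth chasing; the directory records where DNS was registered, not where it is serving today.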

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, May 17, 2006 2:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] how to find DNS servers in a forest?

First thing that comes to mind is using WMI to check for the DNS Server
service and that it is also started.

Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 

From: [EMAIL PROTECTED] on behalf of Manjeet Singh
Sent: Wed 2006-05-17 07:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] how to find DNS servers in a forest?

If I have a list of DCs in a Windows 2003 forest, I just want to verify if
they have Microsoft DNS installed on them.  Where is this information stored
in AD?

Or I want to find how many DCs have DNS installed.

Thanks, Manjeet

RE: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Bernard, Aric
I agree with Daniel – I believe that netsh
will do a fine job of migrating scopes and scope options but not leases. 
However, leases should not be too much of an issue so long as you instruct the
DHCP server to perform conflict detection (assumes that ICMP is not blocked on
your network).

A set of commands something like the following will perform the migration
for you.

From a command prompt on the existing DHCP server:

Netsh dhcp server \\existing_dhcp_server export c:\dhcp_info.txt all

From a command prompt on the new DHCP server:

Netsh dhcp server \\new_dhcp_server import \\existing_dhcp_server\c$\dhcp_info.txt all

Now keep in mind that this will export everything and import everything.  I
would suggest ensuring that the new DHCP server is, at the time of import,
not authorized in the AD or at least in a state that no clients will attempt
to use it.  After the import you can retrofit any of the imported data as
necessary, such as altering or removing scopes or options.

If you need to be more selective about what you export from the existing
server, you will want to use the dump command instead and then massage the
output so that you can use the add command on the new DHCP server.

HTH

Aric
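The two conditions Aric attaches to the import (the new server not yet authorized in AD, conflict detection enabled for leases that do not come across) and Tom Kern's worry about overwriting scopes already on the target are all checkable before anything is moved. The PowerShell below is an added example, not from this thread; it uses the DhcpServer module cmdlets (Windows Server 2012 and later) rather than Aric's netsh commands, and the server and path names are hypothetical.

```powershell
# Added example: pre-flight checks for a DHCP scope migration, then the
# export/import. Assumes the DhcpServer module (Server 2012+ / RSAT) and
# administrative rights on both servers. Paths and names are placeholders.
Import-Module DhcpServer

function Test-DhcpMigrationPreflight {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Target
    )
    $problems = @()

    # 1. Target must not be authorized yet, or clients may start leasing from
    #    it while the import is half done (Aric's first caveat).
    $authorized = @(Get-DhcpServerInDC | Select-Object -ExpandProperty DnsName)
    if ($authorized -contains $Target) {
        $problems += "Target $Target is already authorized in AD"
    }

    # 2. Scope IDs present on both servers would collide on import
    #    (Tom Kern's question); list them so nothing is silently replaced.
    $srcScopes = @(Get-DhcpServerv4Scope -ComputerName $Source | Select-Object -ExpandProperty ScopeId)
    $tgtScopes = @(Get-DhcpServerv4Scope -ComputerName $Target | Select-Object -ExpandProperty ScopeId)
    foreach ($s in ($srcScopes | Where-Object { $tgtScopes -contains $_ })) {
        $problems += "Scope $s exists on both $Source and $Target"
    }

    # 3. Conflict detection on the target covers leases that were not
    #    migrated (Aric's second caveat; needs ICMP to reach clients).
    $attempts = (Get-DhcpServerSetting -ComputerName $Target).ConflictDetectionAttempts
    if ($attempts -lt 1) {
        $problems += "Conflict detection is disabled on $Target (ConflictDetectionAttempts = $attempts)"
    }

    return $problems
}

function Invoke-DhcpScopeMigration {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Target,
        [string]$File       = 'C:\dhcp_export.xml',   # placeholder path
        [string]$BackupPath = 'C:\dhcp_backup'        # Import-DhcpServer requires a backup location
    )
    $problems = @(Test-DhcpMigrationPreflight -Source $Source -Target $Target)
    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        throw 'Pre-flight failed; nothing was migrated.'
    }

    # Export scopes, options and (with -Leases) the lease table from the source.
    Export-DhcpServer -ComputerName $Source -File $File -Leases -Force

    # Merge into the target. -ScopeOverwrite is deliberately omitted so an
    # existing target scope is never replaced; the pre-flight above already
    # refused to continue if any scope IDs overlapped.
    Import-DhcpServer -ComputerName $Target -File $File -BackupPath $BackupPath -Leases
}

# Usage (hypothetical names):
# Invoke-DhcpScopeMigration -Source 'existing_dhcp_server' -Target 'new_dhcp_server'
```

Authorize the new server in AD only after the import has been reviewed, which keeps the window Aric describes (a half-populated server answering DISCOVERs) closed for the whole operation.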

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Conrad, Daniel C Mr. Nortel Government Solutions
Sent: Tuesday, May 16, 2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP migration(OT)

Past experience, 

NETSH will migrate the scopes but you use the backup/restore process for the
leases (if you want them).

D

From: [EMAIL PROTECTED] on behalf of Matheesha Weerasinghe
Sent: Tue 5/16/2006 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

Haven't played with it for a while so I can't answer unless I fire up a
VM and start playing. Do you fancy letting me know your findings ;-)

M@

On 5/16/06, Tom Kern <[EMAIL PROTECTED]> wrote:
>
> Will netsh overwrite the scopes already existing on the target?
>
> Also, does netsh migrate leases or just the scope and scope options?
>
> Thanks
>
>
> On 5/16/06, Matheesha Weerasinghe <[EMAIL PROTECTED]> wrote:
> > look into netsh. might be of use.
> >
> > On 5/12/06, Tom Kern <[EMAIL PROTECTED]> wrote:
> > >
> > > I want to migrate DHCP (scopes, scope options, leases) from one
> > > win2k box to another.
> > >
> > > My issue is, the target server is running DHCP with scopes, etc.
> > > already configured.
> > >
> > > Is there any way to migrate the source DHCP server to the target
> > > without overwriting the target's settings?
> > >
> > > I just want to merge the 2 - move the source info over while
> > > keeping the target DHCP info intact as well.
> > >
> > > Is this possible?
> > >
> > > Thanks
> > >
> >
>

RE: [ActiveDir] Trust for delegation error

2006-05-05 Thread Bernard, Aric
It sounds like you are configuring this setting on many directory objects: For 
what purpose?

What functional level is the domain having these problems and is different from 
the other domains?

Aric


Sent from my Windows Mobile 5 device.

-Original Message-
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: "ActiveDir@mail.activedir.org" 
Sent: 5/5/06 10:59 AM
Subject: [ActiveDir] Trust for delegation error 

Hi all,

I have a new problem:
When I try to enable the option "Trust computer for delegation" for a
computer account in DSA.msc I receive this error:
"Your security settings do not allow you to specify whether or not this
account is to be trusted for delegation"

I have already applied an instruction to change local user rights, but it
is still showing that message.
The strangest thing is that we have 18 subdomains, and it works in all
but that one.

That is happening to users, too; I cannot enable "Trust for delegation"
for a user account.
Is there a way to solve that problem?

___
Adrião Ferreira Ramos
[EMAIL PROTECTED]
Equipe Suporte Windows
(11) 3388-8193


RE: [ActiveDir] 2003 DFS/open files

2006-04-06 Thread Bernard, Aric
There is no distributed locking mechanism built into DFS/R.  If a file is
open, typically it will not get replicated.  If the same file is open in
two different locations the last write will win, although DFSR by
default will store any of these "conflicts" in a folder just in case.
DFS/R is great if you are distributing read-only content or content that
is modified in one place (or more if coordinated) and requires alternate
locations for reading/writing/backup.

If you need to distribute files for read and write to multiple locations
then you need to leverage a central file store or a wide area file
system (WAFS) that provides a distributed locking mechanism.  Most true
WAN Accelerators (Riverbed) *do not* do this.  I have had some limited
experience with Tacit and Brocade who both provide viable WAFS solutions
that integrate well with W2K3R2.


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven Comeau
Sent: Thursday, April 06, 2006 12:16 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 2003 DFS/open files

This is a good question and I hope it gets answered.  We have 20 sites and
want to put servers out there and possibly do DFS w/replication to keep
main copies at the HQ for backup purposes, but I am afraid of changes to a
single file that is opened at several sites.  I was considering WAN
Accelerators/WAN Cache devices that negotiate the file locks, etc., that
make the file appear it is only open at the HQ file server.  Anyone have
experience with these types of devices?

Steven Comeau
Sr. Director of IT
Community Options
16 Farber Road
Princeton, NJ  08540
EMail: [EMAIL PROTECTED]
Phone: 609-951-9900  x114
FAX: (609)  919-3889
www.comop.org

Give the gift of  flowers   http://www.Vaseful.com.



RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

2006-02-19 Thread Bernard, Aric
BTW I did report this from the beta program but was basically ignored.
In fact, I think I gave ~Eric an image of one of my DCs, but I ran out
of time and had to work around the issue.

If it is now a "known issue" I would be interested to learn more about
what is causing it.  Please let us know what you find out from your TAM.

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Friday, February 17, 2006 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

that is interesting indeed - then your case is similar to Aric's
after all. I was thrown off by the ADPREP error message stating "...for
objects defined in Windows 2000 schema..." - but this way Aric might
have simply been one of the first to encounter the issue as at the time
it wasn't a known issue :-)

keep us posted - esp. if you get a link to more information or anything
appropriate to share.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Freitag, 17. Februar 2006 20:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Our MS TAM has indicated this is a known bug!  I will keep the group
posted as I learn more details.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Friday, February 17, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

As an update to this thread, we transferred the Schema Master role back
to the other DC that has the SFU tools installed, originally thinking this
might get the R2 schema update to work.  Wrong!  It fails with the same
error.  I can only imagine we do not have that unique an environment in
our testbed and expect others to have the same experience.  Luckily, we
never put SFU 3.5 on our production systems.  

We are going to open up a trouble ticket with Microsoft regarding this
issue.  I would like to hear of others' experiences (success or failure)
when trying to install R2 in an environment where SFU 3.5 had been
installed.  Thanks!

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, February 16, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Hi Guido,
   Thanks for the response!  This server is Windows 2003/SP1 with all
but the current month's patches.  It is the current FSMO role holder.  I
did some checking this morning and found the SFU 3.5 tools on another DC
that could have been the FSMO role holder at the time the SFU schema
changes were made.  I don't see why that would make any difference, do
you?

-mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Thursday, February 16, 2006 3:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Mike - I see you're upgrading from Win2000 AD. Are you sure that you've
previously installed SFU 3.5 or was it maybe SFU 2.0?

The reason I'm asking is that there's a known schema incompatibility
with SFU 2.0:
check out http://support.microsoft.com/?id=293783 "Cannot Upgrade
Windows 2000 Server to Windows Server 2003 with Windows Services for
UNIX 2.0 Installed"

CAUSE
The upgrade may not work because the attributeSchema 'uid' that is used
by Windows 2000 Server for the NIS schema is not compatible with the one
that is used by Windows Server 2003. 

As such your error is likely independent from the changes in the R2
schema - it's actually an incompatibility in the Win2003 base schema
(not that this really matters for you; I just want to clarify that the
error should be unrelated to R2). As such it's different from Aric's
case, who was performing an upgrade from a Win2003 schema to Win2003
R2...


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Donnerstag, 16. Februar 2006 02:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Hi Aric,
No, there were a lot more errors - all seem to be related to SFU
attributes.  I only copied a small portion to my posting to save
bandwidth.  Painful = time = headaches  8-(  I was expecting this
upgrade to be a "walk in the park".

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, February 15, 2006 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Are these the only two errors you received?

I encountered similar errors during be

RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

2006-02-15 Thread Bernard, Aric
Are these the only two errors you received?

I encountered similar errors during beta testing when I implemented R2
in an existing forest - but a lot more than just 2. :)  I created a
secondary forest and validated that it did not recur.  Note that I also
had SFU installed in the original forest and the new secondary forest.

I was able to clean up the schema in the existing forest exhibiting the
errors but it was a fairly painful process of what seemed to be a goose
chase.  The tasks included disabling objects attributes in the schema
and renaming them amongst other things.

Fortunately I have not heard of this happening in production...yet.

So can these errors be ignored?  If I remember correctly ADPrep is
actually failing and therefore NO, you cannot ignore these errors since
ADPREP will not occur until they are resolved.

Regards,

Aric
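The adprep failure Mike reports is an attributeID mismatch: the SFU 3.5 extension registered uidNumber and gidNumber under a Microsoft-private OID arc (1.2.840.113556.1.4.7000.187.70 and .71 in his output), while the Windows Server 2003 R2 schema defines the same lDAPDisplayNames with the RFC 2307 OIDs. That can be checked in the schema before adprep is ever run. The PowerShell below is an added example, not from this thread; it assumes the ActiveDirectory module, and the expected OIDs are the RFC 2307 values for uidNumber (1.3.6.1.1.1.1.0) and gidNumber (1.3.6.1.1.1.1.1), not values taken from the thread.

```powershell
# Added example: report schema attributes whose attributeID differs from
# the OID the R2 schema extension expects. Assumes the ActiveDirectory
# module and read access to the schema partition.
Import-Module ActiveDirectory

# Expected OIDs: RFC 2307 values (known from the RFC, not from the thread).
# Extend the table for other attributes you need to verify.
$ExpectedOid = @{
    uidNumber = '1.3.6.1.1.1.1.0'
    gidNumber = '1.3.6.1.1.1.1.1'
}

function Get-SchemaAttributeIdMismatch {
    param([hashtable]$Expected = $ExpectedOid)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $Expected.Keys) {
        # lDAPDisplayName is unique in the schema, so at most one object comes back.
        $attr = Get-ADObject -SearchBase $schemaNc `
                    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
                    -Properties attributeID, isDefunct
        if (-not $attr) {
            # Not present: adprep can create it, so this is not a conflict.
            [pscustomobject]@{ Attribute = $name; Found = $false; ActualOid = $null
                               ExpectedOid = $Expected[$name]; Matches = $null; IsDefunct = $null }
            continue
        }
        [pscustomobject]@{
            Attribute   = $name
            Found       = $true
            ActualOid   = $attr.attributeID
            ExpectedOid = $Expected[$name]
            # False here is the condition that produces adprep's
            # "attributeId attribute value ... do not match" error.
            Matches     = ($attr.attributeID -eq $Expected[$name])
            IsDefunct   = [bool]$attr.isDefunct
        }
    }
}

# Usage: anything with Found = True and Matches = False must be resolved with the
# vendor of the earlier extension (here SFU) before running adprep /forestprep.
# Get-SchemaAttributeIdMismatch | Format-Table -AutoSize
```

Running this read-only check on a lab copy of the forest (as Mike did) costs nothing, and it turns the generic adprep message into a list of the exact schema objects that need attention.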

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, February 15, 2006 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] issue with R2 upgrade; SFU confusion?

Hi,
We did an adprep /forestprep from the W2K3/SP1 R2 Disk 2 CD today on
our testbed FSMO DC.  It gave the following errors (only a portion is shown
below) because, I am guessing, we had already installed SFU 3.5 on
this forest some time ago.  Should I assume these errors can be ignored?
Has anybody else experienced this?  Thanks as always!

Mike Thommes

"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.

A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.70" for object "CN=uidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov" differently than the schema extension needed for Windows 2003 server.
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.

=
"attributeId" attribute value for objects defined in Windows 2000 schema and extended schema do not match.

A previous schema extension has defined the attribute value as "1.2.840.113556.1.4.7000.187.71" for object "CN=gidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov" differently than the schema extension needed for Windows 2003 server.
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.



RE: [ActiveDir] Site Link Question

2006-02-08 Thread Bernard, Aric
Keep in mind that this recommendation was
specific to Windows 2000.  Windows 2003 automatically distributes links amongst
several DCs (if more than one exists) in a hub site.  Also you can use the ADLB
to more formally balance the load amongst available DCs.

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, February 08, 2006 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Link Question

You can do it a couple ways:

 

Have your network people split up the subnet your DCs at the hub are on
or move them to a dedicated subnet that’s easily broken down (e.g. a /24
can break to two /25s or four /26s). Or, create /32 subnets in AD for each
DC’s IP. Hub Site A has the /32 for the DC serving it and other DCs in
the site, and then the remote site subnets associated with it, same for the
other sites. FWIW I have >50 sites reporting into a very busy hub site and
there is no issue so far, and it just continues to get busier (My estimate is
about 20K PCs authenticate against the two DCs in the hub site in addition to
50 or so DCs replicating out every couple hours). CPU is 30% peak and NIC is
about 35mb/sec during the day on them. DL 380 G4s 4GB RAM Dual Proc, separate
RAID1s for OS, DB, logs, etc. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Wednesday, February 08, 2006 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Link Question

All, 

I have a few hub sites with 100+ site links. I found the following on the M$
website:

 Make sure that no site is directly connected to more than 20 other sites

This condition can occur in large hub-and-spoke deployments where most sites
are branch sites that communicate with a centralized hub site. If this
condition exists and there are more than 20 site links from the hub site to
branch sites, the hub site can be divided into multiple sites to provide
additional bridgehead servers to handle the replication volume. In a site, a
single bridgehead server is active per domain. If the site has more than 20
site links, the bridgehead servers can become overloaded.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx#EFAA

Can someone please explain what steps I need to take to divide the hub sites?

Regards,

Adeel

RE: [ActiveDir] Site Links

2006-02-07 Thread Bernard, Aric
To be sure, connection objects and site links are two different things.
Connection objects are typically created by the KCC/ISTG although they can
be created manually.  Site Links are always created "manually" even if that
manual operation is performed by a script.

Site links should be created to join AD sites, which typically represent
physically different locations. From a physical to logical mapping, in most
cases, the site link represents the WAN link between those locations.  If
bandwidth is at all a concern (throughput or latency) you should in most
cases create a site link with only two members: the hub site and the
specific spoke site.  This provides optimal control and knowledge of what
systems connection objects will be created between.  In the unlikely event
(hopefully) that all of your hub domain controllers are down for an extended
period of time, your spoke site could connect and replicate with other
spokes attached to the same hub so long as site link transitivity has not
been disabled.  If your spoke sites have direct network access to more than
one hub location (via frame cloud or alternate link) then it might be
advantageous to implement a secondary, higher-cost site link in the same
manner to act as a backup.

As Mark mentioned, if at all possible, let the KCC/ISTG create and remove
the required connection objects as it sees fit.  This is typically the most
reliable way of maintaining a connected and properly replicating topology,
all else being equal (and properly configured :-).

Aric
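Aric's recommendation (one two-member site link per hub/spoke pair, optionally a second, higher-cost link to an alternate hub, and connection objects left to the KCC/ISTG) can be both audited and applied from PowerShell: first list the site links that join more than two sites, since those are the ones that give you the least control over where connection objects get built, then create the two-member links. The code below is an added example, not from this thread; it assumes the ActiveDirectory module with the AD replication cmdlets (Windows Server 2012 and later) and hypothetical site names in the usage lines.

```powershell
# Added example: audit site links with more than two member sites, and
# create two-member hub/spoke links (plus an optional higher-cost backup
# link to an alternate hub). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OversizedSiteLink {
    # A link joining more than a hub and one spoke lets the ISTG pick any member
    # as a replication partner; Aric's advice is to keep them to exactly two.
    Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, Cost, ReplicationFrequencyInMinutes |
        Where-Object { @($_.SitesIncluded).Count -gt 2 } |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes,
            @{ n = 'SiteCount'; e = { @($_.SitesIncluded).Count } },
            @{ n = 'Sites';     e = { (@($_.SitesIncluded) | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=', '' }) -join ', ' } }
}

function New-HubSpokeSiteLink {
    # Supports -WhatIf so the planned links can be reviewed before creation.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Hub,
        [Parameter(Mandatory)][string[]]$Spoke,
        [string]$BackupHub,                 # optional alternate hub with direct network access
        [int]$Cost = 100,
        [int]$IntervalMinutes = 15
    )
    foreach ($s in $Spoke) {
        $name = "$Hub-$s"
        if (Get-ADReplicationSiteLink -Filter "Name -eq '$name'") {
            Write-Verbose "Site link $name already exists; skipping"
        } else {
            # Exactly two members: the hub and this spoke.
            New-ADReplicationSiteLink -Name $name -SitesIncluded $Hub, $s -Cost $Cost `
                -ReplicationFrequencyInMinutes $IntervalMinutes -InterSiteTransportProtocol IP
        }
        if ($BackupHub) {
            $backupName = "$BackupHub-$s"
            if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$backupName'")) {
                # Higher cost keeps it unused while the primary hub is reachable.
                New-ADReplicationSiteLink -Name $backupName -SitesIncluded $BackupHub, $s -Cost ($Cost * 2) `
                    -ReplicationFrequencyInMinutes $IntervalMinutes -InterSiteTransportProtocol IP
            }
        }
    }
}

# Usage (hypothetical site names):
# Get-OversizedSiteLink | Format-Table -AutoSize
# New-HubSpokeSiteLink -Hub 'HQ' -Spoke 'Branch01', 'Branch02' -BackupHub 'DR' -WhatIf
```

Once the two-member links exist, remove the old many-member link and any hand-made connection objects and let the KCC/ISTG rebuild the topology, which is the outcome both Mark and Aric describe.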

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, February 07, 2006 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Links

Do you have manually created links? You'll likely get a lot better answers
than mine, but basically when I had replication problems, I eventually
determined that a lot of it was of my own causing. Basically, I had no reason
to create any site links manually, which I had done. I got rid of those,
changed the costs per recommendations on this list, and let the KCC do the
rest. It's been perfect ever since.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, February 07, 2006 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Links

AD Experts, 

Are there any best practices for creating and managing site links? The
problem I am facing is that I have many hub and spoke sites with well over
20 site links. What is the best procedure to fix this issue? 

-Adeel

RE: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Bernard, Aric
Disabling the use of roaming profiles and instead requiring remote desktop
is something I implemented at a customer.  In their case, this satisfied the
traveling user community given the alternatives they saw: a) waiting for
the profile download and logon process to complete, b) buying notebooks for
traveling users, or c) buying hardware and setting up a replication process
to ensure that all sites traveling users visit have replicas of the users'
profiles.

Another option implemented by a recent customer (of which roaming profiles
was just a part) included deploying the HP EFS WAN Accelerator.  Once
populated, the appliance provided adequate logon times for roaming users.
The problem of course was pre-populating the roaming profile shares (a few
dozen users) into the appliance's cache.  I believe that there was a tool
available to assist with the population.

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 2:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles

Ulf & everyone,

thanks for your responses, roaming profiles are mandatory here, if we were to
take this away, all hell would break loose.

I guess educating them to store files elsewhere would be a good start.

thanks

Frank

Ulf - you are not the first to mention Carl Hanratty, you won't be the last!

"Ulf B. Simon-Weidner" <[EMAIL PROTECTED]> wrote:

Hi Frank,

with those large roaming profiles you need to

1. educate your users

2. question the use of roaming profiles

In fact I've seen a lot of companies who tend to stick to local only profiles
in the recent past. Roaming profiles are great - however I see them in
infrastructures where people are moving around on multiple computers a lot,
and where they don't have that much individual applications. I would use
roaming profiles for the production workers who are spending not a lot of
time on the computer and might share a pool of computers, however for the
regular office worker and the board of directors I'd use local profiles since
they tend to work on the same computer a lot and also travel a lot.

Educate them not to store their critical data within the profile, and maybe a
desktop backup software which is taking care of their profile and data when
connected comes in handy too.

Carl Hanratty

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, February 03, 2006 10:51 AM
To: Active
Subject: [ActiveDir] OT: Roaming Profiles

Hi all,

I have a question regarding Roaming Profiles. Our environment currently has
3500 users which are all roaming profile enabled. Their profiles are stored on
the local site server. We have approx 56 sites which are all linked by
256-1mb lines.

I like the concept of roaming profiles, however some of our users have
profiles ranging from 5mb - 200mb, some even with 1GB profiles.

Because a lot of our users log on to different computers at different sites,
we are finding issues with corrupted profiles and logon speeds. On a few
occasions, where a user has been added to a group, the permissions assigned to
this group are not shown when the user is logged back on. Deleting the profile
and recreating fixes this issue but it's quite a time consuming effort.

How does everyone deal with roaming profiles if used? Sometimes there are
instances where users just want to logon to the PC without their roaming
profile so they can remote desktop to their PC. In this situation they have to
take their profile across which can take forever depending on the size of
profile and link.

Any creative ideas? How about using DFS to store the profiles?

Thanks

Frank

RE: [ActiveDir] OT: Gauging AD experience

2006-01-18 Thread Bernard, Aric

Gil’s thoughts match with mine as well. AD is a critical infrastructure
component and designing it properly is important. However, the real
complexities of AD come into play as the ancillary systems leveraging the
directory increase and as multiple directories need to be integrated in some
fashion to support a great IdM need.

One of the things that I would encourage you to do is determine what your
goals are. As Gil alluded to, if your goals are to be able to design large AD
deployments, you may be locking yourself into an undesirable path. On the
other hand, if you want to become an expert at managing, operating and
diagnosing AD you will have a longer career life, but even that will become
less important as the various tools improve – that said, working in this role
will likely give you greater exposure to those ancillary systems.

In general I would encourage you to have a look at and understand Microsoft
DSI and determine where in that mix your interest lies. Conceptually DSI is
the way forward regardless of what you call it (Adaptive Enterprise, On
Demand, etc.) or what technologies are supporting it (MS or non-MS). Finding
a sweet spot in that mix will certainly prove to be valuable over the next
7 – 10 years. Also, you might look at the Microsoft Certified Architect
program and understand its competencies and direction – I believe that this
role in an organization is becoming more valuable and will continue to
increase over the next couple of years.

Regards,

Aric Bernard

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

Hiring on with an IT services company that does large Windows projects would
probably be the best way to develop the experience you're looking for. That
way you get exposure to many different environments, requirements, people,
and projects.

HP, Internosis, LogicaCMG, and Microsoft Consulting Services are some
examples, and there are tens or hundreds of others.

Some smaller consulting companies like Oxford Computer Group focus on IdM
projects and will sometimes get pulled into AD projects in an advisory
capacity.

From a career standpoint, I would look more to the broader IdM technologies.
AD expertise is rapidly becoming commoditized, and in larger enterprise
environments, AD is but one component of the IdM and security infrastructure.
Moving forward, MIIS and ADFS are going to take center stage in the Windows
environment, and AD is going to be pushed more into the background. AD will
still be a critical component, and there will always be a need for architects
who can design large AD infrastructures. But AD won't be where the action is.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, January 18, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Gauging AD experience

I am trying to figure out how one gauges their AD experience. For example, I
have designed, implemented and maintained an AD/Exchange environment of 5000
users with 1000 workstations from the ground up, alone. The environment is
only 3 sites, with little complexity. I now work for a company maintaining a
directory of about 150 users and 150 workstations. And the more local AD
people I talk to, the more confident I am that I know quite a bit about AD
compared to them (only talking about the people I have met…not generalizing
the entire industry).

Although I am not a guru like some on this list, I would like to get myself to
the place where I can say “yeah, I can design your 50,000 user / 15 site
infrastructure.” Or is that even possible? Is a project of that size several
directory experts working together?

I honestly believe that I could perform such a task, but knowing that I would
make some mistakes that a VERY experienced person would not.

So, I guess my question is:

How do I get to where I want to be? Consult? Try to get a job with the biggest
company I can?

There may be no real answer, but I thought it was worth asking because I have
been thinking about it for a couple of months and don’t know where to start
to move forward, and this is the only place I know that has people that I
consider AD gurus (or gods even)

RE: [ActiveDir] WinXP and Win2003

2006-01-02 Thread Bernard, Aric

Just to be clear, VS2005R2 does not support 64-bit guests….

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, January 02, 2006 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

“If you want to test 64 bit you are kind of screwed too, oh wait vmware
workstation does that as well...”

Just don’t like VPC, do you? :o)  What about USB are you looking for? What
does VMWare do with USB that is this vital? I doubt it’s the USB coffee
warmer…

As to the 64-bit support, I guess that would concern me if my laptop had an
x64 chip. But, then I could use VS 2005 R2.

But, I’m not going to argue the virtues of VMWare vs. VPC. I use VPC because
it’s what 100% of the material that I get from internal is supplied on. And,
I get about 100 or so DVD’s with all types of imaginable configurations. I’m
glad that you’ve got the time to put together all of these disks, joe. I
wish I had that kind of time.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I am not a big workstation OS type of person, I use XP only when I must.
Longhorn seems to work ok in a VM.

I do agree that it isn't the right thing for all situations, but half the
people setting up dual booting blow it anyway. VM is a much simpler solution
for most people. Obviously if you are doing perf or physical hardware related
testing it is tough. Heck even if you want USB you can't use VPC, you use
vmware instead. If you want to test 64 bit you are kind of screwed too, oh
wait vmware workstation does that as well...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

Hehe…. Let me know how that full-out testing of Vista and Aero Glass is going
for you in a VPC or a VMWare virtual machine.

I agree, dual-booting is not the optimal method to running different OS’s,
but if you want the OS to have the full machine, rather than the limited
virtualized hardware that the VMs are allowed – I think dual booting still
has a very strong place in the testing / learning environment.

And, make no mistake – this is coming from a guy that when on the road, has a
250GB external with nothing BUT VMs with VPC and VS 2005 R2 on his laptop. I
love virtualization…. It’s just not the right thing for all situations.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I have no clue why it wouldn't allow you to have different names for the OS
and then both can be joined at the same time, I have done this often. You did
use different directories for the installations right?

Any more dual booting is going the way of the dodo, the "new" thing is to use
virtualization software so you have both instances up and running at once.
Look at Virtual PC or VMWare Workstation.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Sunday, January 01, 2006 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinXP and Win2003

Hi list,

I have windows xp sp 2 on my machine, I need to test something so I installed
windows 2003 server enterprise edition R2 on the same machine, same hard disk.
I can see the dual boot screen and choose the OS, but I can only login to the
domain if one of the OS's is disconnected from the domain, meaning if I want
to login to the windows 2003 I have to go to the windows xp and disjoin the
machine from the domain then restart and login to the domain in windows 2003,
if I want to login to winxp I go to windows 2003 and disjoin it from the
domain then restart and join the xp to the domain and login. Locally I can
login to both machines no problem. The error is that the computer account is
not found on the domain when I try to login and both OSes are joined to the
domain. I tried to rename the machine name to different names in each OS but
same thing happens. Is there a way to do that? (login to domain using both
OS's without having to disjoin?)

Thank you

RE: [ActiveDir] ID Locket Out when Accessing DC

2005-12-27 Thread Bernard, Aric
With my consulting hat on, I have the following questions:

Do you only have problems with this one user account?
What is your account lockout policy set to?
What are the Domain and Forest functional levels?
Are you having any replication problems with the DC you are connecting to?
Is the machine you are using to connect to the DC joined to the domain?
Have you reviewed the security logs on the DC after this has happened?
Have you performed a network trace to understand what transactions are
taking place between the client system and the DC?

Answers to these will help in diagnosing your issue.

Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Tuesday, December 27, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ID Locket Out when Accessing DC

I have a situation, where i am using my enterprise admin id to access
my DC through UNC Path. But everytime i try to do so this enterprise
admin id gets locked out.

Wht could be the possible reason for this. I have win2k3 enviornment.
--
RD
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

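The "review the security logs on the DC" step in Aric's list, as an added
PowerShell example (not code from the thread or any of its posters): it pulls
account-lockout events from a domain controller's Security log and reports
which client computer triggered each lockout, which is the first thing to
establish when an admin account locks out on every UNC access. It assumes a
Windows Server 2008 or later DC, where the lockout event is ID 4740; on the
Windows 2003 DCs Ravi describes the equivalent classic-log event is 644 and
would need a different filter. The function name, the parameter names and the
sample host names in the usage line are mine.

```powershell
# Added example, not part of the original thread.
# Lists account-lockout events (ID 4740) from a DC's Security log and shows the
# "Caller Computer Name" that caused each one.

function Get-AccountLockoutSource {
    param(
        [Parameter(Mandatory)][string]$UserName,          # sAMAccountName that keeps locking
        [string]$DomainController = $env:COMPUTERNAME,    # DC whose Security log to read
        [int]$Hours = 24                                  # how far back to look
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4740                                  # "A user account was locked out"
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the EventData fields by name instead of by position.
            # For 4740, TargetUserName is the locked account and, as a known
            # quirk of this event, TargetDomainName carries the caller computer.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                LockedAccount  = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']
                ReportingDC    = $_.MachineName
            }
        } |
        Where-Object { $_.LockedAccount -eq $UserName } |
        Sort-Object TimeCreated -Descending
}

# Usage (assumed names). Query the PDC emulator: every lockout in the domain is
# forwarded to it, so its log shows lockouts regardless of which DC observed
# the bad password attempts.
# Get-AccountLockoutSource -UserName 'entadmin' -DomainController 'PDC01' -Hours 48
```

The caller computer is the machine the bad credentials came from; when it is
the workstation issuing the UNC request, the next things to check from Aric's
list are stale cached credentials or a mapped drive on that workstation, and
a network trace between it and the DC.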

RE: [ActiveDir] Win32Shutdown Method & Win2003

2005-12-14 Thread Bernard, Aric

Unfortunately the addition of the force flag does not resolve this issue.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Wednesday, December 14, 2005 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Win32Shutdown Method & Win2003

YUP, you should add 4. Here is some code:

Const LOGOFF = 0
Const SHUTDOWN = 1
Const REBOOT = 2
Const FORCE = 4
Const POWEROFF = 8
For Each objPC In GetObject("winmgmts:{(shutdown)}").ExecQuery("Select * from Win32_OperatingSystem")
    objPC.Win32Shutdown LOGOFF + FORCE
Next

On 12/15/05, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:

Devon-

Are you getting an actual error or just that it doesn't work? I ran your
script on my test W2003 box and it worked just fine. I ran it as
administrator at the server's console. How are you running this script? At
the console or in a TS session? The latter may be problematic. Also, you
might want to try:

 objSystem.Win32Shutdown 4

which I think is forced logoff. That would get around issues where some
process is preventing the normal logoff.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Same error

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

On 2003? Or 2000?

Hmmm ... can you try with this :)

objWMILocator.Security_.Privileges.AddAsString "SeRemoteShutdownPrivilege", True

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

I still get the same error running on a server:

Generic Error

It seems to be giving an error right at this point: objSystem.Win32Shutdown 0

Here is the whole script:

' Locator with SeShutdownPrivilege enabled; used only for the ConnectServer call below
Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)

' The OS instances are fetched through a separate moniker that requests the
' Shutdown privilege itself; objWMIServices is not used from here on
Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")

For Each objSystem In objSystemSet
    objSystem.Win32Shutdown 0
Next

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Have you tried your script as a plain admin on server? I wonder if it is not a
question of privileges ...

Try to add to your script the following before connecting to the Root\CIMv2
namespace. Then retry ...

    Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 5:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

This script is part of another script that upon logon, checks certain
registry values, then if the values are not set, the script then sets the
value and logs off the current user. Like I said before, it works on Windows
XP but not servers. Why?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Tuesday, December 13, 2005 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

The shutdown command works. Give that a shot.

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Tuesday, December 13, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win32Shutdown Method & Win2003

I'm using the following script to logoff a workstation. It works fine on XP
workstations but does not seem to work on Windows 2000/2003 servers. Any
Ideas?

' Connect to WMI with impersonation and the Shutdown privilege requested in the moniker
Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")

' Flag 0 = log off the interactive user without forcing applications to close
For Each objSystem In objSystemSet
    objSystem.Win32Shutdown 0
Next

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

__
This message and any attachments are solely for the intended recipient and
may contain confidential or privileged information.

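The Win32Shutdown call this thread is debugging, as an added PowerShell
example (not code from the thread or from any of its posters): it combines the
flag values Kamlesh listed into the integer the method expects, enables the
shutdown privilege on the WMI connection that actually performs the call
rather than on an unrelated locator object, and warns when it is being run
from a Terminal Services session, which is the condition under which Aric
reports the generic error. It assumes Windows PowerShell 5.1 (Get-WmiObject);
the function names and the -WhatIf switch are mine.

```powershell
# Added example, not part of the original thread.
# Log off the interactive user through Win32_OperatingSystem.Win32Shutdown,
# with explicit flag handling and a privilege-enabled WMI connection.

# Flag values of Win32Shutdown, as posted in the thread.
$Win32ShutdownFlags = @{
    Logoff   = 0
    Shutdown = 1
    Reboot   = 2
    Force    = 4
    PowerOff = 8
}

function Get-ShutdownFlagValue {
    # Combine named flags into the bitmask the method takes (e.g. Logoff+Force = 4).
    param([Parameter(Mandatory)][string[]]$Names)
    $value = 0
    foreach ($n in $Names) {
        if (-not $Win32ShutdownFlags.ContainsKey($n)) { throw "Unknown Win32Shutdown flag: $n" }
        $value = $value -bor $Win32ShutdownFlags[$n]
    }
    return $value
}

function Invoke-WmiLogoff {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$Force,      # add FORCE so apps that block a normal logoff are terminated
        [switch]$WhatIf      # report the call instead of making it
    )

    $names = @('Logoff')
    if ($Force) { $names += 'Force' }
    $flags = Get-ShutdownFlagValue -Names $names

    # SESSIONNAME is "Console" at the physical console and "RDP-Tcp#n" in a TS
    # session. The thread reports the method failing with a generic error when
    # called from a TS session on Windows 2000/2003, so flag that up front.
    if ($env:SESSIONNAME -and $env:SESSIONNAME -ne 'Console') {
        Write-Warning "Running in session '$env:SESSIONNAME', not at the console; Win32Shutdown may fail here on Windows 2000/2003."
    }

    # -EnableAllPrivileges turns on SeShutdownPrivilege (among others) for this
    # WMI connection, the counterpart of the Privileges.AddAsString call in the
    # thread, but applied to the object the method is invoked on.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -EnableAllPrivileges

    if ($WhatIf) {
        Write-Host "Would call Win32Shutdown($flags) [$($names -join '+')] on $ComputerName"
        return $flags
    }

    $result = $os.Win32Shutdown($flags)
    # ReturnValue 0 = success; anything else is a Win32 error code, e.g.
    # 1314 = "A required privilege is not held by the client".
    return $result.ReturnValue
}

# Dry run: prints the call that would be made and returns the flag value (4).
Invoke-WmiLogoff -Force -WhatIf
```

The dry run is the useful first step when reproducing the thread's problem:
it shows the session the script is running in and the exact flag value before
any user is logged off.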
RE: [ActiveDir] Win32Shutdown Method & Win2003

2005-12-14 Thread Bernard, Aric

FWIW – If you are sitting at the console of the server the method works fine.
However it consistently fails with the generic error if you are logged in via
TS to session 0 or another.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Same error

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

On 2003? Or 2000?

Hmmm ... can you try with this :)

objWMILocator.Security_.Privileges.AddAsString "SeRemoteShutdownPrivilege", True

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

I still get the same error running on a server:

Generic Error

It seems to be giving an error right at this point: objSystem.Win32Shutdown 0

Here is the whole script:

' Locator with SeShutdownPrivilege enabled; used only for the ConnectServer call below
Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)

' The OS instances are fetched through a separate moniker that requests the
' Shutdown privilege itself; objWMIServices is not used from here on
Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")

For Each objSystem In objSystemSet
    objSystem.Win32Shutdown 0
Next

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

Have you tried your script as a plain admin on server? I wonder if it is not a
question of privileges ...

Try to add to your script the following before connecting to the Root\CIMv2
namespace. Then retry ...

    Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 5:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

This script is part of another script that upon logon, checks certain
registry values, then if the values are not set, the script then sets the
value and logs off the current user. Like I said before, it works on Windows
XP but not servers. Why?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, December 13, 2005 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method & Win2003

The shutdown command works. Give that a shot.

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, December 13, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win32Shutdown Method & Win2003

I’m using the following script to logoff a workstation. It works fine on XP
workstations but does not seem to work on Windows 2000/2003 servers. Any
Ideas?

' Connect to WMI with impersonation and the Shutdown privilege requested in the moniker
Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")

' Flag 0 = log off the interactive user without forcing applications to close
For Each objSystem In objSystemSet
    objSystem.Win32Shutdown 0
Next

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

RE: [ActiveDir] Cross forest trust and DNS

2005-12-14 Thread Bernard, Aric
Note that the *client* will talk to the DC in the other forest as
well...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust and DNS

I'm not sure that there are additional DNS related pieces of the
equation, not documented by Gil.

The process is more of a referral than a DNS lookup per se, as per the
steps below.  i.e. the client always talks to a DC in its own domain,
which then talks to a DC in the other forest. [I believe the DC will
talk to any DC in the other forest, unless sites/subnets are synced. If
the other DC is down, then the first DC will re-home to another DC.]
Further detail is contained in the doc below, IIRC.

I'll let someone who knows more about this fill in any gaps or correct
me :)

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 14 December 2005 09:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust and DNS

Thanks Jorge

I was aware of these. They provide good detail, but both of them assume
that the DCs in the second forest to which referrals are made are
available. For example,

5. Workstation1 contacts a domain controller in ForestRootDC1 (its parent
domain) for a referral to a domain controller (ForestRootDC2) in the
forest root domain of the msn.com forest.
6. Workstation1 contacts ForestRootDC2 in the msn.com forest for a
service ticket to the requested service.

Gil Kirkpatrick once wrote an excellent article on Authentication
Topology
(http://www.netpro.com/forum/files/authentication_topology.pdf), which
showed (among other things) the sequence of DNS interactions for client
location of DC and authentication.  I was hoping to find something
similar for the cross forest DNS interactions.
 
Cheers
Tony



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, 14 December 2005 8:25 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust and DNS


Tony,

Found the following documents. I think this is what you were looking for.

Planning and Implementing Federated Forests in Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/fedffin2.mspx
Look for the section called "Routing of Kerberos Authentication"

Accessing resources across forests
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/517b4fa4-5266-419c-9791-6fb56fabb85e.mspx

Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Wed 12/14/2005 3:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust and DNS



Agreed, although it's nice to have a documented model to hand alongside
the testing, as there are sometimes environmental variables that could
skew the results.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, 14 December 2005 2:39 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust and DNS

 

A network monitor and a test environment is often better than any other
source. :-)

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, December 13, 2005 5:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust and DNS

 

Thanks very much for the detailed information Bernard.  Good point about
the site sync too.

 

Where did you find the information?  Is it hidden in a safe somewhere
within HP, or is it publicly available? :-)  My Google mojo let me down on
this one.

 

Tony

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, 14 December 2005 1:59 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust and DNS

 

More information.

 

The DNS interactions work as follows (note that I have excluded most
other transactions that occur):

 

1.  Forest A client queries DNS for ResourceServer.ForestB.com 
2.  Client receives response for resource server. 
3.  Client queries for
_kerberos._tcp.ClientSiteName._sites.dc._msdcs.ForestB.com. 
4.  Assuming that sites are not synced between forests, or more
specifically that the clients site does not exist in ForestB, the query
fails (Name does not exist). 
5.  Client queries for _kerberos._tcp.dc._msdcs.ForestB.com. This is
equal to a request for "any" KDC in ForestB. 
6.  Client will receive a response for all KDCs registered in
_kerberos._tcp.dc._msdcs.ForestB.com for ForestB. 
7.  Client attempts to contact KDC based on the ordered response
were
re

RE: [ActiveDir] Cross forest trust and DNS

2005-12-13 Thread Bernard, Aric

A network monitor and a test environment is often better than any other
source. :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, December 13, 2005 5:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust and DNS

Thanks very much for the detailed information Bernard. Good point about the
site sync too.

Where did you find the information? Is it hidden in a safe somewhere within
HP, or is it publicly available? :-) My Google mojo let me down on this one.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, 14 December 2005 1:59 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust and DNS

More information…

The DNS interactions work as follows (note that I have excluded most other
transactions that occur):

1. Forest A client queries DNS for ResourceServer.ForestB.com
2. Client receives response for resource server.
3. Client queries for _kerberos._tcp.ClientSiteName._sites.dc._msdcs.ForestB.com.
4. Assuming that sites are not synced between forests, or more specifically
   that the client's site does not exist in ForestB, the query fails (Name
   does not exist).
5. Client queries for _kerberos._tcp.dc._msdcs.ForestB.com. This is equal to
   a request for “any” KDC in ForestB.
6. Client will receive a response for all KDCs registered in
   _kerberos._tcp.dc._msdcs.ForestB.com for ForestB.
7. Client attempts to contact KDC based on the ordered response that was
   returned from DNS.
8. If the attempt fails, the client will attempt to contact the next KDC
   based on the ordered response that was returned from DNS.

As you have already concluded, tweaking the priority of the SRV records is
the best way to ensure that the proper DC/KDCs are tried first. When
attempting to contact a non-accessible DC/KDC, the failover/timeout process
is very quick. Syncing your sites will not necessarily help anything unless
the client (forest A) in question belongs to the same site (name) that the DC
in forest B does.

Regards

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, December 13, 2005 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust and DNS

Thanks Jorge and Deji for your responses.

It sounds like we’re all pretty much of the same opinion, i.e. that there will
be a sequence of attempts against a list of DCs in Forest B. It would still be
good to understand how the DNS interactions work in this situation. I’ve
searched around for documentation, but with no success so far.

Tweaking the DC locator records for the DCs in the Forest B domain sounds like
an interesting idea. I suspect some adjustments to SRV priority might do the
trick. As you indicate, I would need to find a way of doing this such that it
doesn’t impact anything else.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, 14 December 2005 9:39 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust and DNS

I would think the client receives a list of referrals and uses the DC on top
of the list and goes down the list until it finds a DC that responds. A client
simply does not know why a certain DC does not respond. It can be anything...
firewall, network, DC down or whatever.

As there is no sites and subnets synchronization in place yet, the DC
retrieving the referral does not know in which site to query for a DC; it will
query for the DCs in a certain domain. Do you have the possibility to tweak
the registration of domain wide DC locator records for the DCs in forest B
that are not reachable (taking into account that it does not impact services
in forest B)?

Cheers,

Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, December 12, 2005 22:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cross forest trust and DNS

Hi all

 

Need a bit of help with this one.  Here’s
the scenario.

 

Two Windows Server 2003 forests federated with a
cross forest trust.  Forest A has 4 DCs,
all of which are reachable from Forest B.  Forest B has approx. 30 DC, of
which only those in main site (10) are reachable from Forest
A’s network.  There is no site and subnet synchronisation in
place.  

 

My concern is that not all the DCs in Forest B are
reachable from Forest A ((because network
routes are only in place to the main site).  DNS secondary zones are being
used and these obviously contain information about the unreachable DCs in
Forest B.  What happens when a client in Forest
A need to access a resource in Forest B?  The routing of Kerberos
authentication requires DNS lookups for DCs in Forest B.  If the client in
Forest A receives a referral to an unreachable
DC in

RE: [ActiveDir] Cross forest trust and DNS

2005-12-13 Thread Bernard, Aric








More information…

 

The DNS interactions work as follows (note that I have excluded most other
transactions that occur):

1. Forest A client queries DNS for ResourceServer.ForestB.com.
2. Client receives response for resource server.
3. Client queries for _kerberos._tcp.ClientSiteName._sites.dc._msdcs.ForestB.com.
4. Assuming that sites are not synced between forests, or more specifically that the client's site does not exist in ForestB, the query fails (Name does not exist).
5. Client queries for _kerberos._tcp.dc._msdcs.ForestB.com. This is equal to a request for “any” KDC in ForestB.
6. Client will receive a response for all KDCs registered in _kerberos._tcp.dc._msdcs.ForestB.com for ForestB.
7. Client attempts to contact a KDC based on the ordered response returned from DNS.
8. If the attempt fails, the client will attempt to contact the next KDC based on the ordered response returned from DNS.

 

As you have already concluded, tweaking the priority of the SRV records is the
best way to ensure that the proper DC/KDCs are tried first.  When attempting to
contact a non-accessible DC/KDC, the failover/timeout process is very quick.
Syncing your sites will not necessarily help anything unless the client (forest
A) in question belongs to the same site (name) that the DC in forest B does.

 


Regards 

 

Aric
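The lookup and failover sequence described above, modelled as an added Python example (not code from the original message): constructed SRV records for ForestB.com, the site-specific query failing because Forest A's site name does not exist there, RFC 2782 priority ordering, and failover past KDCs that are unreachable from Forest A. The zone contents, host names, site name and the reachability set are all constructed.

```python
"""Model of the DC locator lookup sequence described in the thread
(added example; constructed zone data, not from the original message)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # RFC 2782: lower values are tried first
    weight: int     # relative share among records with the same priority
    port: int
    target: str     # KDC host name


def srv(priority, target):
    """Constructed Kerberos SRV record (port 88, equal weights)."""
    return SrvRecord(priority, 100, 88, target)


# Constructed ForestB.com zone as seen through Forest A's secondary copy.
# Main-site DCs (reachable from Forest A) carry priority 0; branch DCs carry
# priority 10, which is the "SRV priority tweak" discussed in the thread.
FORESTB_ZONE = {
    "_kerberos._tcp.dc._msdcs.ForestB.com": [
        srv(10, "branch-dc1.ForestB.com"),
        srv(0, "main-dc1.ForestB.com"),
        srv(10, "branch-dc2.ForestB.com"),
        srv(0, "main-dc2.ForestB.com"),
    ],
    # No _sites entry for Forest A's site name: the site-specific query
    # fails with "Name does not exist" (steps 3 and 4 of the sequence).
}

# Constructed: only main-site DCs have a network route from Forest A.
REACHABLE_FROM_FOREST_A = {"main-dc1.ForestB.com", "main-dc2.ForestB.com"}


def dns_query(zone, name):
    """Return the SRV RRset for name, or None for 'Name does not exist'."""
    return zone.get(name)


def order_srv(records, rng=None):
    """Order an SRV RRset as RFC 2782 prescribes: ascending priority, then a
    weighted random choice within each priority group."""
    rng = random.Random(0) if rng is None else rng
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


def locate_kdc(zone, forest, client_site, reachable, rng=None):
    """Client-side sequence: site-specific SRV query, fall back to the
    domain-wide 'any KDC' query, then try KDCs in DNS order until one answers.
    Returns (kdcs_tried, kdc_found_or_None)."""
    site_query = f"_kerberos._tcp.{client_site}._sites.dc._msdcs.{forest}"
    records = dns_query(zone, site_query)
    if records is None:
        records = dns_query(zone, f"_kerberos._tcp.dc._msdcs.{forest}") or []
    tried = []
    for rec in order_srv(records, rng):
        tried.append(rec.target)
        if rec.target in reachable:   # reachable KDC answers; otherwise timeout
            return tried, rec.target
    return tried, None


def flatten_priorities(zone):
    """The untweaked zone: every KDC at the same priority, so DNS order is
    random and unreachable branch DCs may be tried first."""
    return {name: [srv(0, r.target) for r in rrset] for name, rrset in zone.items()}


def worst_case_attempts(zone, trials=200):
    """Largest number of KDCs a client had to try across `trials` random seeds."""
    worst = 0
    for seed in range(trials):
        tried, found = locate_kdc(zone, "ForestB.com", "ForestASite",
                                  REACHABLE_FROM_FOREST_A, random.Random(seed))
        assert found is not None   # failover always ends at a reachable KDC
        worst = max(worst, len(tried))
    return worst


if __name__ == "__main__":
    tried, found = locate_kdc(FORESTB_ZONE, "ForestB.com", "ForestASite",
                              REACHABLE_FROM_FOREST_A)
    print("tweaked zone:", tried, "->", found)
    print("worst case, tweaked  :", worst_case_attempts(FORESTB_ZONE), "attempt(s)")
    print("worst case, untweaked:",
          worst_case_attempts(flatten_priorities(FORESTB_ZONE)), "attempt(s)")
```

With the priorities set, a Forest A client never tries a branch DC; with flat priorities it may time out against one or two unreachable KDCs first, which is the extra delay the thread is trying to avoid.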

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, December 13, 2005
2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross
forest trust and DNS



 

Thanks Jorge and Deji for
your responses.

 

It sounds like we’re all pretty much of the same opinion, i.e. that there will
be a sequence of attempts against a list of DCs in Forest B.  It would still be
good to understand how the DNS interactions work in this situation.  I’ve
searched around for documentation, but with no success so far.

 

Tweaking the DC locator records for the DCs in the Forest B domain sounds like
an interesting idea.  I suspect some adjustments to SRV priority might do the
trick.  As you indicate, I would need to find a way of doing this such that it
doesn’t impact anything else.

 

Tony

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, 14 December 2005
9:39 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross
forest trust and DNS



 

I would think the client receives a list of referrals, uses the DC on top of
the list and goes down the list until it finds a DC that responds. A client
simply does not know why a certain DC does not respond. It can be anything...
firewall, network, DC down or whatever.

As there is no sites and subnets synchronization in place yet, the DC
retrieving the referral does not know in which site to query for a DC; it will
query for the DCs in a certain domain. Do you have the possibility to tweak the
registration of domain wide DC locator records for the DCs in forest B that are
not reachable (taking into account that it does not impact services in forest B)?

 

Cheers,

Jorge

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, December 12, 2005
22:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cross forest
trust and DNS

Hi all

 

Need a bit of help with this one.  Here’s
the scenario.

 

Two Windows Server 2003 forests federated with a cross forest trust.  Forest A
has 4 DCs, all of which are reachable from Forest B.  Forest B has approx. 30
DCs, of which only those in the main site (10) are reachable from Forest A’s
network.  There is no site and subnet synchronisation in place.

 

My concern is that not all the DCs in Forest B are reachable from Forest A
(because network routes are only in place to the main site).  DNS secondary
zones are being used and these obviously contain information about the
unreachable DCs in Forest B.  What happens when a client in Forest A needs to
access a resource in Forest B?  The routing of Kerberos authentication requires
DNS lookups for DCs in Forest B.  If the client in Forest A receives a referral
to an unreachable DC in Forest B, does the request simply fail or is there some
built-in intelligent retry mechanism?  In other words, will the client in
Forest A eventually be referred to a reachable DC?

 

I realise there are long term solutions to this (site
and subnet synchronisation, the addition of network routes), but I am keen to
understand the DNS interactions so I can determine whether this will work in
the short term.

 

Tony

 

 


RE: [ActiveDir]

2005-12-12 Thread Bernard, Aric








Your desire is a bit unclear.  Regardless, stop thinking about rendom.
;-)  My guess is that you want to consolidate DNS domains currently hosted on
BIND to W2K3 DC/DNS servers.  This is a fairly trivial exercise from a server
perspective.  The following basic steps are required:

 

1. Configure the BIND server to allow secondary zone transfers to your favorite W2K3 DC/DNS server.

2. Configure the W2K3 DC/DNS server to host a secondary zone for the zone configured in (1) above.

3. Modify the delegation for the zone in the “parent” zone to include the W2K3 DC/DNS server.

4. Modify the configuration of the zone on the W2K3 DC/DNS server marking it as AD Integrated.

5. Wait for replication of the zone to complete.

6. Modify the delegation for the zone in the “parent” zone to include ALL the W2K3 DC/DNS servers that will host a copy of the zone.

7. Remove the zone from the BIND server.

 

At this point the W2K3 DNS server will have a copy of the zone –
other options to complete this portion do exist such as forklifting the zone
files which in your case (with many zones) could be much more acceptable from
an administrative perspective.

 

While the above will work in many environments there could be factors
in your infrastructure that could be problematic such as how DNS is interconnected
throughout the organization, where clients point to for Primary/Secondary,
etc.  One way to work around these potential issues is to reconfigure the BIND
server with a secondary zone (for each moved zone) until you can properly
resolve all the issues associated with the move.

 

HTH

 

Aric

 

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott McIntosh
Sent: Monday, December 12, 2005
4:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 



 

Our company has the following DNS architecture (this is somewhat
oversimplified but illustrates the point):

                              COM
                               |
                   ABCCORP  (hosted on UNIX BIND)
                  /                           \
   DIR (hosted on AD-integrated        FR    UK    US - etc. (hosted on UNIX BIND)
        W2k3 DNS)                      /      |        \
      /    |    \               Seton (etc) Gilly (etc) Marshal (etc)
    AM    EU    AS                   (many domains at this level)
   /      |      \
Marshal  Seton   Wong
 (etc)   (etc)   (etc)

DIR.ABCCORP.COM is the W2k3 AD forest root domain. Currently clients and
Windows servers capable of DNS self-registration register in AD. All
non-Windows servers are registered in BIND.  I want to simplify, simplify,
simplify the DNS architecture and host as much as possible on AD-integrated
Server 2003 DNS.



Under the current architecture,
could this be accomplished using rendom.exe (Domain Rename tool)? Or would this
require an entire AD restructure and be a logistical nightmare to migrate? What
would be the steps to accomplish this? In the EU.DIR.ABCCORP.COM domain, the AD
implementation is nearly fully implemented and there are many locations. It is
W2k3 forest and domain functional level. 

If it would be very difficult to
implement, what is the maximum degree of AD-integrated Server 2003 hosting
which could be achieved given this scenario?








RE: [ActiveDir] gpmc

2005-12-12 Thread Bernard, Aric








I would be a bit worried.  You might try
having a look at the permissions associated with the copied GPOs.  Try to “copy”
the same GPOs using GPMC and see if you have a different result.  
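The SYSVOL-versus-AD version comparison that GPMC's Details tab and GPOTOOL perform, applied to the copied GPOs described in the quoted message below, as an added Python example that is not part of the original thread. The GPT.INI text and the AD versionNumber value are constructed to reproduce the "1 under sysvol, 0 under AD" symptom.

```python
"""Consistency check of a GPO's AD-side versionNumber against the SYSVOL-side
GPT.INI. Added example with constructed input, not code from the thread."""
import configparser


def split_gpo_version(version):
    """A GPO version is one DWORD: user-configuration version in the high
    16 bits, computer-configuration version in the low 16 bits.
    Returns (user_version, computer_version)."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini(text):
    """Read the Version value from the [General] section of GPT.INI."""
    ini = configparser.ConfigParser()
    ini.read_string(text)
    return int(ini["General"]["Version"])


def check_gpo_consistency(ad_version_number, gpt_ini_text):
    """Return a list of mismatches between the AD GPC (versionNumber attribute)
    and the SYSVOL GPT (GPT.INI). An empty list means both halves agree."""
    sysvol_version = parse_gpt_ini(gpt_ini_text)
    ad_user, ad_computer = split_gpo_version(ad_version_number)
    sv_user, sv_computer = split_gpo_version(sysvol_version)
    problems = []
    if ad_user != sv_user:
        problems.append(
            f"user configuration: AD version {ad_user}, SYSVOL version {sv_user}")
    if ad_computer != sv_computer:
        problems.append(
            f"computer configuration: AD version {ad_computer}, "
            f"SYSVOL version {sv_computer}")
    return problems


# Constructed GPT.INI as it would sit under SYSVOL\...\Policies\{GUID}\GPT.INI.
# Version=65536 packs user version 1 and computer version 0, i.e. the
# "1 change for the user config under sysvol" symptom from the thread.
COPIED_GPT_INI = """[General]
Version=65536
displayName=New Group Policy Object
"""

# Constructed AD-side versionNumber of the groupPolicyContainer object:
# 0, i.e. the GPC was never updated ("0 under AD").
COPIED_GPC_VERSION = 0

if __name__ == "__main__":
    for problem in check_gpo_consistency(COPIED_GPC_VERSION, COPIED_GPT_INI):
        print("mismatch:", problem)
    # A GPO copied correctly carries the same version on both sides.
    print("healthy GPO mismatches:", check_gpo_consistency(65536, COPIED_GPT_INI))
```

A mismatch like the one reproduced here means clients will see the GPC and GPT versions disagree, which is exactly the condition GPOTOOL flags and the reason the copied GPOs show no settings in GPMC.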

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Tom Kern
Sent: Monday, December 12, 2005
11:39 AM
To: activedirectory
Subject: [ActiveDir] gpmc



 



I had an admin (consultant) copy GPOs from one Forest to another using Quest.

However, when I open up the GPMC and focus on the policy, it has no settings
defined.

Under "details", it has 1 change for the user config under sysvol but 0 under
AD.

Does this mean something went wrong with the copy?

The AD part is not in sync with the Sysvol part it seems.

Also, when I run GPOTOOL, it just lists the default domain and domain
controllers policies.

The ones copied over do not come up.

The only thing they have in common is that the Sysvol portion is updated but
the AD portion is at 0.

Does Quest only copy the sysvol files and not the GPC in AD? Or did they just
screw up?

Thanks a lot!!










RE: [ActiveDir] GC list

2005-11-30 Thread Bernard, Aric








So here is a twist (for which I can take no credit)…If you have the Microsoft
Shell (Monad) installed….

(Can be installed on a workstation - http://www.microsoft.com/downloads/details.aspx?FamilyID=ec1d82d9-0aff-451a-88b4-41db70e04f19&displaylang=en)

To get the GCs in the forest, issue the following two commands in the
Microsoft Shell:

    $MyForest = [System.DirectoryServices.ActiveDirectory.Forest]::getcurrentForest()
    $MyForest.GlobalCatalogs

The result is something like:

    Forest                     : MyForest.us
    CurrentTime                : 11/30/2005 8:05:58 PM
    HighestCommittedUsn        : 3444285
    OSVersion                  : Windows Server 2003
    Roles                      : {SchemaRole, NamingRole, PdcRole}
    Domain                     : sacnet.us
    IPAddress                  : 10.1.0.1
    SiteName                   : MySite1
    SyncFromAllServersCallback :
    InboundConnections         : {035ddf44-5838-4a24-bb44-8b3c35a90140}
    OutboundConnections        : {6cb45330-5ab3-49f6-9ad5-321c80896c10}
    Name                       : MyGC1.MyForest.us
    Partitions                 : {DC=MyForest,DC=us, CN=Configuration,DC=MyForest,DC=us, CN=Schema,CN=Configuration,DC=MyForest,DC=us, DC=DomainDnsZones,DC=MyForest,DC=us, DC=ForestDnsZones,DC=MyForest,DC=us}

    Forest                     : MyForest.us
    CurrentTime                : 11/30/2005 8:05:58 PM
    HighestCommittedUsn        : 2794469
    OSVersion                  : Windows Server 2003
    Roles                      : {RidRole, InfrastructureRole}
    Domain                     : MyForest.us
    IPAddress                  : 10.2.0.2
    SiteName                   : MySite2
    SyncFromAllServersCallback :
    InboundConnections         : {6cb45330-5ab3-49f6-9ad5-321c80896c10}
    OutboundConnections        : {035ddf44-5838-4a24-bb44-8b3c35a90140}
    Name                       : MyGC2.MyForest.us
    Partitions                 : {DC=MyForest,DC=us, CN=Configuration,DC=MyForest,DC=us, CN=Schema,CN=Configuration,DC=MyForest,DC=us, DC=DomainDnsZones,DC=MyForest,DC=us, DC=ForestDnsZones,DC=MyForest,DC=us}

 

 

 

 

 













From:
[EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Tue 11/29/2005 10:43 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GC list





What’s the easiest way to get a list of ALL my
DC’s and GC’s in my forest along with IP address?

 

Devon Harding

Windows Systems Engineer

Southern Wine & Spirits
- BSG

954-602-2469

 













RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers

2005-11-28 Thread Bernard, Aric
Might be a problem if the service is disabled, no?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, November 28, 2005 1:22 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on
domain Controllers

ehhh... according to the KB article
(http://support.microsoft.com/?id=312403) objects do age out..
 

It is not critical that you manually delete the Distributed Link
Tracking objects after you stop the Distributed Link Tracking server
service unless you have to reclaim the disk space that is being consumed
by these objects as quickly as possible. Distributed Link Tracking
clients prompt the Distributed Link Tracking server to update links
every 30 days. The Distributed Link Tracking Server service scavenges
objects that have not been updated in 90 days. 

 
 
Jorge



From: [EMAIL PROTECTED] on behalf of joe
Sent: Mon 11/28/2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on
domain Controllers


They don't age out. You need to delete them. MS cleans up very little in
the directory automatically. Actually I was having an offlist
conversation with one of my MS friends about this topic in regards to
the previous FSP question. When deleting them it isn't too much impact,
however, when they get purged out after the tombstone expires you may
find your DCs chugging away if you have lots. I have seen hundreds of
thousands of the filelinks in a directory before eating up tremendous
space.
 
Personally I would hope the AD admins are doing a good job cleaning
things up but for all practical purposes, most places aren't cleaning up
and have no clue that they should be or that they need to be. The hard
part, when SHOULD the system automatically delete something. It comes
down it being able to identify without a shadow of a doubt that the
object isn't needed (say computer objects, FSP, etc) or could be
perfectly reconstituted if necessary in the event of a bad delete.
 
   joe



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, November 28, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on
domain Controllers


Thanks for the info joe and Guido,
 
Because of our politics where I work, modifying 4 workstations is
not that easy. Changing 20 DCs on the other hand is a walk in the park.
 
If I do not remove all of the filelinks manually, aren't they going to
age out automatically after 60 days?
 
Thanks
 
Y



From: Grillenmeier, Guido
Sent: Mon 28/11/2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on
domain Controllers


nope, no known impact (unless you have specifically deployed an app that
makes use of this service - none of the MS apps do, which is why the
service is disabled by default in Win2003).
 
however, if you want to make sure, why don't you just reverse your
disabling process: first disable all clients, then disable the service
on the DCs.
 
Don't forget to cleanup the records underneath your domain's
System\FileLinks\ObjectMoveTable and System\FileLinks\VolumeTable
containers as these will surely contain a lot of garbage.
 
/Guido



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Montag, 28. November 2005 17:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabling "Distributed Link Tracking Server" on
domain Controllers


Has anyone found any issues in disabling the "distributed link tracking
server" on windows 2000 server domain controllers? 
 
I would like to take a two step approach in disabling this useless
service. First on the DCs and then on all workstations. I was just
wondering if there would be an impact on the clients seeing that they cannot
communicate with the server.
 
Thanks
 
Yves 




RE: [ActiveDir] Trusts.....

2005-11-28 Thread Bernard, Aric
Errr...trust creation process! :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, November 28, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

Brad,

Have you attempted to connect to the "C$" (or any other) share between
the PDCe of the two domains?  Is this successful? Aka Do you have RPC
connectivity outside of the share creation process?


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, November 28, 2005 7:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

Thanks Diane but that isn't the issue here as these domains have never seen
each other before.  They were deployed specifically to figure out how they
would trust each other.  The W2K3 build is fairly locked down, so I wanted
to troubleshoot it and get it working. I have done everything I can think of
which is mainly the items in the KB article below, but still no joy.  I
think the next step is to jump into netmoneeek.  Watch this space. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: 28 November 2005 14:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

You mention that it is a legacy trust.  I don't know how far back it goes
legacy wise but I ran into an issue where a legacy trust could not be
"upgraded" (modified) as the trust existed prior to upgrade (way back in NT
4.0 land) and the solution was to delete the trust entirely and
recreate.  

There is a KB article on it which I don't have at my fingertips but the root
issue was that the legacy trust did not have the rights GUIDs to be
modified.  Not sure if this is the situation you are running into or
not.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, November 28, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

Grr.  This thing won't budge.  I have implemented the settings from the
article below, but still no joy.  I will hopefully have missed something and
will re-check...watch this space.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: 28 November 2005 11:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

Found it...thanks...
http://support.microsoft.com/default.aspx?scid=kb;en-us;889030 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 25 November 2005 16:00
To: ActiveDir.org
Subject: Re: [ActiveDir] Trusts.

Brad,

I am not in the office at the moment but there is a Microsoft KB titled
something like creating trusts are not established as expected, this has
about 8 steps you can walk through to troubleshoot. 

Regards

Mark

-Original Message-
From: "Smith, Brad" <[EMAIL PROTECTED]>
Date: Fri, 25 Nov 2005 13:56:42
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Trusts.

Sorry...It is a legacy trust between a W2K Domain (Single Domain, Single
Forest) and a W2K3 Domain (Single Domain, Single Forest). I know how to
create trusts, that bit is easy enough, what I am having problems with is
understanding and troubleshooting why it can't create an RPC connection to do
the required bits and pieces, I am not even getting to the point where it
asks for authentication details, I have only specified the destination
domain, and then it fails with an "unable to establish RPC" type error
message.  I can resolve the DNS name of domain, ie domain.com 
 
any ideas ?
 
 From: Almeida Pinto, Jorge de
[mailto:[EMAIL PROTECTED]
On Behalf Of Almeida Pinto, Jorge de
Sent: 24 November 2005 16:18
To: ActiveDir@mail.activedir.org
Subject: RE: Trusts.

 
 
 
Hi, 
 
You do not mention the type of trust you want to create but between a W2K
and W2K3 forest you can only create external trusts. 
For more info see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b30ef067-746e-4453-b879-804259aafdd3.mspx 
 
Cheers,
Jorge 

 From: [EMAIL PROTECTED] on behalf of Smith, Brad
Sent: Thu 11/24/2005 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: Trusts.

 
 
Hi List,
 
I am having annoying problems getting two forests to establish a trust (one
is W2K, one is W2K3).  Has anyone got a reference to what permissions are
required?
 
TIA,
 
Brad
 

RE: [ActiveDir] Trusts.....

2005-11-28 Thread Bernard, Aric
Brad,

Have you attempted to connect to the "C$" (or any other) share between
the PDCe of the two domains?  Is this successful? Aka Do you have RPC
connectivity outside of the share creation process?


Aric


RE: [ActiveDir] Renaming AD accounts en masse

2005-11-17 Thread Bernard, Aric








Another command line option would be DSMOD.

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, November 17, 2005
12:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Renaming
AD accounts en masse



 





you can use the example as explained at: http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1214.mspx

although a group is used as an example you can do it with users also.
Modifying the script to use an input file would do the "en masse" thing

cheers,

Jorge







 







From:
[EMAIL PROTECTED] on behalf of Tony Murray
Sent: Thu 11/17/2005 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Renaming
AD accounts en masse





You can create with CSVDE
but not modify, so it wouldn’t be suitable for renaming.

 

A script or LDIFDE would
be the obvious alternatives.

 

Tony

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Phil Renouf
Sent: Friday, 18 November 2005
6:17 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Renaming
AD accounts en masse



 



CSVDE is probably a good bet since you have the information in Excel already:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/1050686f-3464-41af-b7e4-016ab0c4db26.mspx

Phil

 





On 11/17/05, Rimmerman, Russ <[EMAIL PROTECTED]>
wrote: 



What's the easiest and
quickest way to rename a large (1000+) number of AD user accounts? 
LDIFDE? AD.NET?  Or is there
something easier?  I'm going to be importing 1000+ AD accounts that are
first.last for the username and will want to rename them to a specific username
listed in an excel spreadsheet. 




 
  
  
 




 











RE: [ActiveDir] DNS vs NETBIOS name? Or something else?

2005-11-14 Thread Bernard, Aric








The NetBIOS domain name and the DNS domain name do not have to match.  This is
often something that occurs during an in-place upgrade from NT4 to W2K/W2K3.
The list that is presented in the drop down menu during logon displays NetBIOS
names.  When your users are logging in using [EMAIL PROTECTED] syntax (also
known as a User Principal Name or UPN) they should be able to do so regardless
of what is listed in the domain drop down list – in fact if I remember
correctly, when typing the UPN as soon as the “@” is typed the domain list
should become inaccessible (grayed-out).

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, November 14, 2005
7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS vs
NETBIOS name? Or something else?



 

Crap, after sending this I realized that
the title of the post was probably the phrase I should be searching on. 

 

I don’t have access to the machine
till tomorrow, but does this look like what I am looking for… http://www.windowsitpro.com/Article/ArticleID/42545/42545.html

 

Unless you have any other thoughts or
comments on the matter?

 

 









From: Douglas M. Long
[mailto:[EMAIL PROTECTED] 
Sent: Monday, November 14, 2005
10:40 PM
To: 'ActiveDir@mail.activedir.org'
Subject: DNS vs NETBIOS name? Or
something else?



 

I just started with a company running AD 2003 and am a little
confused about something. The domain name is domain.com, but when logging in
there are two domains to select from. The second domain name is totally
different; lets call it domint. It seems that users can only log in with the
domint domain (unless they specify the local machine as the domain and
[EMAIL PROTECTED]) . Is the domint some netbios crap? I know there is probably an
easy answer, but I can’t seem to google the correct phrase to find
anything. 

 

As always, thanks much for helping out (retards like me). 
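The two logon syntaxes discussed in this thread, NETBIOS\user (what the drop-down offers) and user@dns-suffix (a UPN), name the same account even though the NetBIOS and DNS domain names differ. The following is an added example, not code from the thread or from any Microsoft tool: it resolves both forms, plus a bare user name, to one domain using a constructed NetBIOS-to-DNS table built from the thread's "domint" / "domain.com" (no real forest is queried), and rejects unknown UPN suffixes. The same normalisation is what you need when correlating security-log entries that record one account in both spellings.

```python
"""Normalise the two Windows logon-name syntaxes to one canonical account.

Added example, not from the thread.  The NetBIOS/DNS pairs below are
constructed from the thread's 'domint' / 'domain.com'; a real forest keeps
both names on the domain object and they need not match."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed lookup: NetBIOS (pre-Windows 2000) domain name -> DNS name.
NETBIOS_TO_DNS = {"DOMINT": "domain.com", "CHILDNT": "child.domain.com"}
# UPN suffixes a logon may carry: by default the forest's DNS domain names.
# Extra suffixes can be registered, so this is kept as its own table.
UPN_SUFFIX_TO_DNS = {dns: dns for dns in NETBIOS_TO_DNS.values()}

_DNS_TO_NETBIOS = {dns: nb for nb, dns in NETBIOS_TO_DNS.items()}
# Characters sAMAccountName may not contain, plus '@' (already split off).
_SAM_USER = re.compile(r"^[^\\/\[\]:;|=,+*?<>\"@]{1,20}$")


@dataclass(frozen=True)
class LogonName:
    syntax: str      # "netbios", "upn" or "bare"
    user: str
    netbios: str     # NetBIOS domain name, upper-cased
    dns: str         # DNS domain name, lower-cased

    def upn(self) -> str:
        """Canonical form user@dns, independent of how the name was typed."""
        return f"{self.user}@{self.dns}"


def parse_logon_name(raw: str, dropdown_domain: Optional[str] = None) -> LogonName:
    """Resolve a typed logon name to one domain.

    dropdown_domain is the NetBIOS name selected in the logon dialog.  It is
    consulted only for a bare user name, never for a UPN: as the thread notes,
    the list is greyed out once '@' has been typed."""
    raw = raw.strip()
    if "\\" in raw:                          # NETBIOS\user (or DNS\user)
        domain, user = raw.split("\\", 1)
        syntax = "netbios"
    elif "@" in raw:                         # user@suffix, a UPN
        user, domain = raw.rsplit("@", 1)
        syntax = "upn"
    else:                                    # bare name: the drop-down decides
        if not dropdown_domain:
            raise ValueError("bare user name with no domain selected")
        user, domain, syntax = raw, dropdown_domain, "bare"
    if not _SAM_USER.match(user):
        raise ValueError(f"invalid user name {user!r}")

    if syntax == "upn":
        dns = UPN_SUFFIX_TO_DNS.get(domain.lower())
        if dns is None:
            raise ValueError(f"unknown UPN suffix {domain!r}")
        return LogonName(syntax, user, _DNS_TO_NETBIOS[dns], dns)

    # Left of the backslash Windows accepts either the NetBIOS or the DNS name.
    nb = domain.upper()
    if nb in NETBIOS_TO_DNS:
        return LogonName(syntax, user, nb, NETBIOS_TO_DNS[nb])
    dns = domain.lower()
    if dns in _DNS_TO_NETBIOS:
        return LogonName(syntax, user, _DNS_TO_NETBIOS[dns], dns)
    raise ValueError(f"unknown domain {domain!r}")


def same_account(a: str, b: str, dropdown_domain: Optional[str] = None) -> bool:
    """True when two differently written logon names denote one account."""
    return (parse_logon_name(a, dropdown_domain).upn().lower()
            == parse_logon_name(b, dropdown_domain).upn().lower())


if __name__ == "__main__":
    for name in ("domint\\jdoe", "jdoe@domain.com", "domain.com\\jdoe", "jdoe"):
        print(f"{name:20} -> {parse_logon_name(name, 'CHILDNT')}")
```

The bare-name branch is the only place the drop-down selection matters, which is exactly the behaviour Aric describes; note that a bare name typed with a different domain selected resolves to that other domain, so logs that record only the user part cannot be correlated without the domain field.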

 








RE: [ActiveDir] CertSvc Error

2005-11-11 Thread Bernard, Aric

Was this an upgrade from W2K?

What error messages are you receiving on the DC?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CertSvc Error

True if running in production -- thanks on the feedback of not needing to do a reinstall ...

Chuck

RE: [ActiveDir] CertSvc Error

2005-11-11 Thread Bernard, Aric

Definitely upgradeable, and uninstall/reinstall is not advisable if you have any amount of certs deployed from the CA.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 7:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CertSvc Error

It can't hurt to try the uninstall/reinstall approach since that might not be a component that is "upgradable" ...

Chuck

RE: [ActiveDir] CertSvc Error

2005-11-10 Thread Bernard, Aric

You’ll also have to refresh the policy on the affected DCs (i.e. gpupdate.exe /force). Are all of the DCs W2K3?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 10, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Hmm… I’ve enabled those settings and rebooted the CertSvc and am still getting these errors:

Event Type:     Warning
Event Source:   CertSvc
Event Category: None
Event ID:       53
Date:           11/10/2005
Time:           3:10:06 PM
User:           N/A
Computer:       SWSAD1
Description:
Certificate Services denied request 1252 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392).  The request was for SWSCA\SWSADCA5$.  Additional information: Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: DomainController.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, November 10, 2005 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

If I remember correctly you will want to enable both the renew and update features (below) to help resolve your issue.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 10, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

And this….

Public Key Policies/Autoenrollment Settings

  Policy                                                        Setting
  Enroll certificates automatically                             Enabled
  Renew expired certificates, update pending certificates,
    and remove revoked certificates                             Disabled
  Update certificates that use certificate templates            Disabled

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, November 10, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

The “DomainController(v0.0): V1 Certificate Template” is not supported under Windows Server 2003. You may be specifying that your DCs autoenroll for this certificate via GPO. Check out your DDC GPO. The new policy they should be autoenrolling for is “Domain Controller Authentication”.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 10, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

It was a Windows 2000 upgraded to Windows 2003

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, November 10, 2005 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Is your CA on Windows Server 2003 in a Windows 2000 domain?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 10, 2005 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CertSvc Error

I keep getting these errors on my root domain controller and any new DC’s added are not being issued certificates.

Event Type:     Warning
Event Source:   CertSvc
Event Category: None
Event ID:       77
Date:           11/10/2005
Time:           3:00:36 AM
User:           N/A
Computer:       SWSAD1
Description:
The "Windows default" Policy Module logged the following warning: The DomainController(v0.0): V1 Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168).

Event Type:     Warning
Event Source:   CertSvc
Event Category: None
Event ID:       53
Date:           11/10/2005
Time:           3:00:36 AM
User:           N/A
Computer:       SWSAD1
Description:
Certificate Services denied request 1242 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392).  The request was for SWSGS\BSGAD1$.  Additional information: Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: DomainController.

I looked at the following MS article but saw no resolution. http://support.microsoft.com/default.aspx?scid=kb;en-us;283218

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

__
This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
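The CertSvc warnings Devon quoted carry the same HRESULT twice, once as hex and once as a signed decimal (0x80094800 and -2146875392 are the same 32 bits), and event 53 names both the requester and the refused template. The following is an added example, not code from the thread or from Microsoft: it parses those two event shapes (IDs 77 and 53), decodes the HRESULT into severity, facility and code (0x80070490 is facility 7, FACILITY_WIN32, wrapping Win32 error 1168, which is what the "(WIN32: 1168)" suffix reports), checks that the hex and decimal forms agree, and lists which machine accounts the CA refused the v1 DomainController template to. The event texts are the ones from the thread re-flowed to one field per line; that layout and the third event (request 1252 derived from 1242) are constructed.

```python
"""Parse the CertSvc warnings quoted in this thread and decode their HRESULTs.

Added example, not from the thread.  Event texts are Devon's (IDs 77 and 53)
re-flowed to one field per line; the facility numbers come from winerror.h."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

CERTSRV_E_UNSUPPORTED_CERT_TYPE = 0x80094800   # winerror.h; the code in event 53
FACILITY_WIN32 = 7                             # HRESULT facility wrapping a Win32 error
FACILITY_SECURITY = 9                          # facility of the CERTSRV_E_* codes


@dataclass(frozen=True)
class HResult:
    value: int      # unsigned 32-bit form, e.g. 0x80094800
    signed: int     # the same bits read as int32, e.g. -2146875392
    failed: bool    # severity bit (bit 31)
    facility: int   # bits 16..26
    code: int       # low 16 bits; for FACILITY_WIN32 this is the Win32 error


def decode_hresult(hr: int) -> HResult:
    """Split a 32-bit HRESULT (given as signed or unsigned) into its fields."""
    hr &= 0xFFFFFFFF
    signed = hr - (1 << 32) if hr & 0x80000000 else hr
    return HResult(hr, signed, bool(hr & 0x80000000), (hr >> 16) & 0x7FF, hr & 0xFFFF)


@dataclass(frozen=True)
class CertSvcEvent:
    event_id: int
    computer: str                       # the CA that logged the warning
    hresult: HResult
    request_id: Optional[int] = None
    requester: Optional[str] = None     # DOMAIN\machine$ when a DC enrols itself
    template: Optional[str] = None


_FIELD = re.compile(r"^(Event ID|Computer):\s*(\S+)", re.M)
_DENIED = re.compile(r"denied request (\d+) because .*?(0x[0-9A-Fa-f]{8}) \((-?\d+)\)\."
                     r"\s+The request was for (\S+?)\.", re.S)
_POLICY_TEMPLATE = re.compile(r"policy:\s*(\w+)")
_LOAD_FAILED = re.compile(r"The (\w+)\(v(\d+)\.\d+\):.*?could not be loaded.*?"
                          r"(0x[0-9A-Fa-f]{8})", re.S)


def parse_certsvc_event(text: str) -> CertSvcEvent:
    """Handle the two warning IDs seen in the thread: 77 (template could not
    be loaded) and 53 (request denied by the policy module)."""
    fields = dict(_FIELD.findall(text))
    event_id, computer = int(fields["Event ID"]), fields["Computer"]
    if event_id == 53:
        m = _DENIED.search(text)
        if not m:
            raise ValueError("event 53 without a recognisable denial line")
        hr = decode_hresult(int(m.group(2), 16))
        if hr.signed != int(m.group(3)):   # the two printed forms must agree
            raise ValueError(f"hex {m.group(2)} and decimal {m.group(3)} disagree")
        tmpl = _POLICY_TEMPLATE.search(text)
        return CertSvcEvent(53, computer, hr, int(m.group(1)), m.group(4),
                            tmpl.group(1) if tmpl else None)
    if event_id == 77:
        m = _LOAD_FAILED.search(text)
        if not m:
            raise ValueError("event 77 without a template name")
        return CertSvcEvent(77, computer, decode_hresult(int(m.group(3), 16)),
                            template=f"{m.group(1)} (v{m.group(2)})")
    raise ValueError(f"unhandled CertSvc event ID {event_id}")


def unsupported_template_requesters(events: List[CertSvcEvent]) -> Dict[str, List[str]]:
    """Map each template the CA refused to the accounts that asked for it: in
    the thread's case, the DCs whose GPO still autoenrols the v1 DomainController
    template instead of Domain Controller Authentication."""
    out: Dict[str, set] = {}
    for e in events:
        if e.event_id == 53 and e.hresult.value == CERTSRV_E_UNSUPPORTED_CERT_TYPE:
            out.setdefault(e.template or "?", set()).add(e.requester)
    return {t: sorted(r) for t, r in out.items()}


# Sample events copied from the thread, re-flowed (constructed layout).
EVENT_77 = """Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 77
Computer: SWSAD1
Description:
The "Windows default" Policy Module logged the following warning: The DomainController(v0.0): V1 Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168)."""

EVENT_53_1242 = """Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Computer: SWSAD1
Description:
Certificate Services denied request 1242 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392).  The request was for SWSGS\\BSGAD1$.  Additional information: Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: DomainController."""

# Constructed from the thread's later event (request 1252 from SWSCA\SWSADCA5$).
EVENT_53_1252 = (EVENT_53_1242.replace("request 1242", "request 1252")
                 .replace("SWSGS\\BSGAD1$", "SWSCA\\SWSADCA5$"))

if __name__ == "__main__":
    events = [parse_certsvc_event(t) for t in (EVENT_77, EVENT_53_1242, EVENT_53_1252)]
    for e in events:
        print(e)
    print(unsupported_template_requesters(events))
```

Run against a CA's exported Application log, the requester list is the set of DCs still pulling the old autoenrollment setting; once the GPO is corrected and refreshed (gpupdate.exe /force, as Aric notes) the list should stop growing, which is a cheaper check than reading each DC's certificate store.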

RE: [ActiveDir] CertSvc Error

2005-11-10 Thread Bernard, Aric

If I remember correctly you will want to enable both the renew and update features (below) to help resolve your issue.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 10, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

And this….

Public Key Policies/Autoenrollment Settings

  Policy                                                        Setting
  Enroll certificates automatically                             Enabled
  Renew expired certificates, update pending certificates,
    and remove revoked certificates                             Disabled
  Update certificates that use certificate templates            Disabled


RE: [ActiveDir] CertSvc Error

2005-11-10 Thread Bernard, Aric

In the default domain controllers policy (or an alternate policy if you have left this one intact), look at the following:

Public Key Policies/Autoenrollment Settings
Public Key Policies/Automatic Certificate Request Settings

Keep in mind that this could be set in any policy that affects the DC in question.

Also, and I forgot to ask previously, do you want your DCs to have certs? While not mandatory, in the near term you will find that more services, applications, etc. will become dependent on certs, and therefore it is a good idea to become intimately involved with PKIs and how they interoperate inside and outside of your organization.

HTH

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 10, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Where exactly is this setting in the DDC policy? All I have enabled is this:

  Policy                                                                      Setting
  Microsoft network server: Digitally sign communications (if client agrees)  Enabled


RE: [ActiveDir] CertSvc Error

2005-11-10 Thread Bernard, Aric

The “DomainController(v0.0): V1 Certificate Template” is not supported under Windows Server 2003. You may be specifying that your DCs autoenroll for this certificate via GPO. Check out your DDC GPO. The new policy they should be autoenrolling for is “Domain Controller Authentication”.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 10, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

It was a Windows 2000 upgraded to Windows 2003


RE: [ActiveDir] Crashed Root DC HELP!

2005-11-01 Thread Bernard, Aric

While not conclusive, it sounds like you might have a hardware problem
of sorts.

If you have a second DC in the forest root domain, you can seize the
roles that were once held by the failed DC.  If you don't have a second
DC in the root domain, consider this a painful lesson that you (or
whomever) have learned.  After coming to grips with that, build a new
server (different hardware) and attempt to restore the system state to
it. You may have to fight through a few odds and ends to get it running
"properly" on different hardware.

The reason you lost the ability to add objects to the domain in your
previous dilemma is because the failed DC held the RID Master role.  Had
you seized this to another DC in the domain, the problem would have
resolved itself.


Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel
V Contractor NASIC/SCNA
Sent: Tuesday, November 01, 2005 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Crashed Root DC HELP!

Hey all,

My root DC which held the roles Schema master and Infrastructure master
showed me the BSOD via inaccessible boot device.  I reinstalled the OS,
restored the system state from DSRM, and it BSOD'D again.  I have a
corrupt system state backup most likely.  Since this is the ROOT DC, is
my forest going to die or corrupt slowly?  I have had this happen before
many moons ago at another company, and I lost the ability to add new
objects to the domain.  Does anybody know of a document covering just
the ROOT DC restoration best practices or anything pertaining to the
ROOT DC in that manner? Or does anyone have any lessons learned or
suggestions for this dilemma.


Dude where is your forest,
Nathaniel Bahta
General Dynamics Network Systems 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] OT: Server With Hyperthreading/Multicore Licensing

2005-10-24 Thread Bernard, Aric

Windows Server 2003 does in fact distinguish between physical and logical while Windows 2000, as quoted below, does not.

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Monday, October 24, 2005 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Server With Hyperthreading/Multicore Licensing

Microsoft Windows does not distinguish between physical and logical processors. Windows simply fills out the license limit using the first processors counted by the BIOS.

http://www.microsoft.com/windows2000/server/evaluation/performance/reports/hyperthread.asp

SQL Server does not have this luxury. SQL Server counts each logical processor as an individual processor. But you do not need to obtain a separate license to be in compliance when using HTT.

http://www.microsoft.com/sql/howtobuy/SQLonHTT.doc

Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Monday, October 24, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Server With Hyperthreading/Multicore Licensing

Sorry for the OT post, I have a quick question that one of my students asked and I am not sure myself of the correct answer. How does a multithreaded processor affect licensing and server abilities? What would happen if you had a quad CPU server, but the CPUs were also hyperthreaded, effectively making it an 8 CPU system: could you use Server 2003 Standard, or would you need to get Enterprise? How would this affect other server products with per-CPU licensing such as SQL? And how about a CPU that is multi-core, 8 separate processes, 4 chips but with 8 CPU cores. Any help would be appreciated. - Marc

_-_-_-_-_-_-_-_-_-
-"During times of universal deceit, telling the truth becomes a revolutionary act." - George Orwell, 1984
_-_-_-_-_-_-_-_-_-
Marc A. Mapplebeck, MCP/MCDST/N+/A+/CNA
IT Manager, City Animal Hospital Ltd.
MCP#: 3146827
CompTIA#: COMP001002835054
[EMAIL PROTECTED]
[EMAIL PROTECTED]
_-_-_-_-_-_-_-_-_-
P: 506-471-7044
ICQ: 26743793
Yahoo!: mmapplebeck
MSN: [EMAIL PROTECTED]
_-_-_-_-_-_-_-_-_-
This e-mail communication (including any or all attachments) is intended only for the use of the person or entity to which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient of this e-mail, any use, review, retransmission, distribution, dissemination, copying, printing, or other use of, or taking of any action in reliance upon this e-mail, is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete the original and any copy of this e-mail and any printout thereof, immediately. Your co-operation is appreciated.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: October 24, 2005 09:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Geographic Domain Setup

Hello Everyone.

The company that I work for has been divided into two isolated parts. As a result the corporate domain that is used will also need to be divided. The employees of the old domain will remain in their place while others will be put into a new domain. One domain will have nothing to do with the other. I have been tasked with heading the creation of a new domain that will be used in different geographic locations;

 Atlanta, Georgia
 Miami, Florida
 Orlando, Florida
 Houston, Texas
 Fremont, California
 Vancouver, Canada

I have built a domain before but this was for one office of less than 100 employees. This domain is of a much larger scale and more complex. I have read a few MSFT articles and have a little bit of information as to what I am getting myself into. I was hoping that I would be able to get more information from the community in hopes of getting real-life experience knowledge rather than a document that outlines best practices.

When I built the single site domain I had the below configuration that worked very well for me. I think that I am going to create a similar if not exact root domain. I think that I am having more problems considering the geographic issues that I will be facing.

2 Domain Controllers
   Both DNS Servers

RE: [ActiveDir] Can't access root domain

2005-10-22 Thread Bernard, Aric

Have you validated that time is synchronized between the two systems?
Can you verify that the enterprise admins group remains a member of the
child domain's domain admin group?


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeroen Peters
Sent: Saturday, October 22, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Can't access root domain

The message is the same as when logging on with a wrong
username/password. The result is also the same, no access to the share.
And I'm really sure that I type the correct username/password :-)
The message in Active directory users and computers when editing
exchange settings states that it cannot find the exchange server. (DNS
is ok, clients have no problem finding the Exchange server).

Regards,

Jeroen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Saturday, October 22, 2005 11:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Can't access root domain

When access is denied... what's the message you get?

Jeroen Peters wrote:

>The MS DTC errors are now gone (reset the log and restarted service),
>thanks! Rest of the issues remain.
>
>Regards,
>
>Jeroen
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
>Sent: Saturday, October 22, 2005 11:12 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Can't access root domain
>
>http://www.eventid.net/display.asp?eventid=53258&eventno=4493&source=MSDTC&phase=1
>
>Try that event code.
>
>Susan Bradley wrote:
>
>>I'm SBS sir.  We're used to this.  Honestly it's not 'that' long for
>>us... my box shuts down in a reasonable time frame.  Actually it's +3
>>not +1 gig... but we don't need the /3 gig switch settings either;
>>we max at 4 gig and there are KBs that specifically state that the /3
>>is irrelevant to us...
>>
>>But back to you... Do you have the exact error messages as I'm not
>>finding 71/72 with MSDTC
>>http://www.eventid.net/display.asp?eventid=72&source=
>>
>>Jeroen Peters wrote:
>>
>>>Yes, that's installed but those aren't the symptoms. I have only
>>>switches, no routers between the domains. The DC in the root domain
>>>is reachable by RDP.
>>>
>>>On Exchange on DC's, you really should avoid that. I've done it
>>>because of budget reasons, and I regret it very much. It is also
>>>irreversible, you can't demote a DC with exchange on it. Normal
>>>restarting is history too, you have to first shutdown exchange
>>>(scripted that) before you shutdown or restart, or you want to wait a
>>>really long time.
>>>When you add ram above 1GB, you have a problem too because DC's with
>>>+1GB ram need a different configuration than exchange servers with
>>>+1GB ram. In short, Exchange on DC's sucks.
>>>
>>>Regards,
>>>
>>>Jeroen
>>>
>>>-Original Message-
>>>From: [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan
>>>Bradley
>>>Sent: Saturday, October 22, 2005 9:59 PM
>>>To: ActiveDir@mail.activedir.org
>>>Subject: Re: [ActiveDir] Can't access root domain
>>>
>>>And BTW... I don't see a problem running Exchange on a DC  ;-)
>>>
>>>You'll need this hotfix http://support.microsoft.com/?kbid=898060
>>>anyway before applying Exchange 2003 sp2.
>>>
>>>Jeroen Peters wrote:
>>>
>>>>Hi,
>>>>
>>>>I'm having the following issues:
>>>>When I try to open a share on our root domain from the child domain
>>>>I get prompted for a username and password, but I'm not allowed to
>>>>open it although I log on with the root domain admin. The root
>>>>domain DC also runs Exchange (I know, bad) and I'm no longer capable
>>>>of editing exchange settings via active directory users and
>>>>computers from the child domain. I'm however capable to access
>>>>Exchange via the server manager from the child domain.
>>>>When editing share permissions on a file server in the child domain
>>>>I get prompted for the root domain admin, but access is denied. When
>>>>I cancel the prompt I can edit the permissions as usual. The root
>>>>domain admin can no longer log on to servers in the child domain via
>>>>remote desktop connection. From the root domain I can browse the
>>>>child domain normally. Access to Exchange from the child domain
>>>>(Outlook) works ok, as does OWA.
>>>>This behavior started when one of the two DC's in the child domain
>>>>was updated to SP1. All servers run Server 2003.
>>>>The updated server also gives MS DTC errors (event id 72 and 71, MS
>>>>DTC could not correctly process a DC Promotion/Demotion event).
>>>>When access is denied, no security events are logged.
>>>>Any clues?
>>>>
>>>>Thanks,
>>>>
>>>>Jeroen Peters
>>>

RE: [ActiveDir] NDTS.DIT sizes

2005-10-17 Thread Bernard, Aric

In many environments, 30 MB would be considered a small difference in sizes between DITs. In a very small environment I have, the difference is 18 MB. In large environments I have seen differentials in the GBs. In many cases larger differentials are due to white space in the DIT.

As for FRS, there should be no relation between problems it is having and the size of the DIT.

Regards,

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Monday, October 17, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NDTS.DIT sizes

Odd question 

I have 8 different DC’s in a few sites; replication seems to be working great, all servers Windows 2003 ENT. All servers have plenty of disk space.

When I look at the actual size of my ntds.dit file, it’s relatively the same on all DC’s except for one which is 30 MB larger than the others and the last date modified is 8/9/05; this server holds no roles either.

Does this mean that I’m having FRS problems on this server?

Thanks in advance,

Mike

RE: [ActiveDir] Virtual Servers in Branch Offices

2005-10-12 Thread Bernard, Aric

Noah,

There are two schools of thought here (maybe more :-):

1. Run the DC role on the physical host and the file server in the virtual guest.
2. Run the DC in one virtual guest and the file server in another virtual guest.

I often leverage (1) but have used (2) before as well.

As for the physical host configuration, memory and spindles are key.

I like to provide as much RAM as possible to each VM running on the host without taking away what is necessary for the host and the services running on it (lsass for example). As for the disk configuration, I prefer to have a single "base" OS virtual disk that each VM is linked to with a separate differencing disk – you can save a few GBs and may get some performance benefits.

From the physical side, a high speed RAID configuration is a must if you want well performing VMs. If you have enough physical disks, creating separate RAID sets for each of the differencing disks and the base OS disk will likely provide the best performance. In many instances I deploy all of the virtual disks across a single RAID set spanned across as many spindles as possible. There are many variables here such as the IO pattern of each VM, so YMMV.

Regards,

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, October 12, 2005 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Servers in Branch Offices

Hi -

Just to follow up on the design thread: since I am placing DCs in small branch offices, is there value in using Virtual Server 2005 to create separate virtual boxes (DC & file server) running on the same physical box? Some users have administrative access to the file server, and I'd love to keep them off the DCs. I am also curious about optimal physical and virtual drive configurations for such a box.

I reviewed the thread here about Virtual Domain Controllers but it seemed to focus on using them as backups. I am talking about production.

Any thoughts most welcome.

-- nme

RE: [ActiveDir] Reverse DNS

2005-10-12 Thread Bernard, Aric

You probably do not want to go out and expose your internal DNS server (presumably supporting your internal forest) to the Internet. Your internal DNS names and IP addresses should remain private, unless of course you are using public IP addresses internally, and in such a case you would only want to expose those required externally.

It is highly likely that your ISP already has some form of a reverse lookup zone in place for your subnet even if it only has generic records. If that is the case, I would probably go about just having them modify the existing zone, altering the existing records with the proper names of your systems, unless you cannot depend on them for timely changes (find another ISP), or you have a lot of PTR records that need to be published externally, or the records you do publish will be fairly dynamic.

Regards,

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Wednesday, October 12, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reverse DNS

Thanks all,

And when I configure the DNS reverse zone on my internal DNS server and ask my ISP to delegate my subnet (we pay monthly fees for the subnet and internet access), is there anything else I should do to my internal DNS? Should I publish my internal DNS, or is it enough to keep it the same way?

Also, assuming that I want the ISP to configure the reverse DNS for me, do I just ask them to add a reverse DNS for my subnet?

Thanks

r.c.

On 10/12/05, Brian Desmond <[EMAIL PROTECTED]> wrote:

That's not entirely true. Your ISP will need to delegate your subnet(s) to your DNS servers if you want to run your own reverse DNS. If you own your subnet, you need to work with the registrar to get the delegation.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 12, 2005 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reverse DNS

It's likely that your ISP will have to host your Internet reverse zone if they own your IP addresses. Really, you're going to have to ask them.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of rubix cube
Sent: Wednesday, October 12, 2005 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Reverse DNS

Hi list,

How do you exactly configure a reverse DNS zone? Which type should it be (standard, primary, Active Directory integrated)? Should it allow zone transfers? If I want to configure it on my internal DNS server (which doesn't do any zone transfers with anyone else, it's only internal, but it can resolve external names), how should I do that? I need it for my email, which is being rejected for the lack of a reverse DNS setup. Also, do I need to do anything with my ISP, ask him to do anything for my name records in his database?

Thanks,

r.c.
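The two mechanics this thread turns on, as an added example that is not part of the original list posts: which in-addr.arpa zone the ISP has to delegate or populate for a subnet (a classful zone for /24 and larger, an RFC 2317 classless child zone for smaller blocks), and the forward-confirmed reverse DNS check that receiving mail servers apply to a sending IP before accepting mail. All hostnames, addresses and DNS answers are constructed (RFC 5737 documentation ranges, example domains); the in-memory table stands in for a real resolver so the script runs offline.

```python
"""Reverse DNS checks for a mail server's public address.

Added example, not code from the list thread. DNS answers come from a
constructed table (RFC 5737 documentation addresses, example domains).
"""
import ipaddress

# Constructed stand-in for the ISP's reverse zone and our forward zones.
# Key: (owner name, record type) -> list of RDATA strings.
FAKE_DNS = {
    ("1.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["192.0.2.1"],
    # generic ISP-assigned name that nobody updated
    ("2.2.0.192.in-addr.arpa.", "PTR"): ["host-2.isp.example."],
    ("host-2.isp.example.", "A"): ["192.0.2.2"],
    # PTR whose forward record points at a different address
    ("3.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.org."],
    ("mail.example.org.", "A"): ["198.51.100.9"],
}


def lookup(name, rtype):
    """Resolver stand-in: RRset for (name, type), [] for NXDOMAIN/NODATA."""
    return FAKE_DNS.get((name, rtype), [])


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4/IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zones(network):
    """Reverse zone(s) that hold the PTR records for an IPv4 block.

    /8, /16 and /24 map to one classful in-addr.arpa zone. A block smaller
    than /24 cannot be delegated on an octet boundary, so the ISP delegates a
    child zone named in the RFC 2317 style, e.g. 128/26.2.0.192.in-addr.arpa.
    Other prefixes are covered by one classful zone per /24 they span.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 blocks only in this example")
    octets = str(net.network_address).split(".")
    if net.prefixlen > 24:
        first, c, b, a = octets[3], octets[2], octets[1], octets[0]
        return [f"{first}/{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa."]
    if net.prefixlen in (8, 16, 24):
        kept = octets[: net.prefixlen // 8]
        return [".".join(reversed(kept)) + ".in-addr.arpa."]
    return [
        ".".join(reversed(str(sub.network_address).split(".")[:3])) + ".in-addr.arpa."
        for sub in net.subnets(new_prefix=24)
    ]


def check_fcrdns(ip, expected_host=None, resolve=lookup):
    """Forward-confirmed reverse DNS for a sending IP.

    Passes when some PTR for `ip` names a host whose A record contains `ip`.
    If `expected_host` (the name the mail server announces in EHLO) is given,
    the confirmed PTR must also be that name. Returns (ok, reason).
    """
    ptrs = resolve(reverse_name(ip), "PTR")
    if not ptrs:
        return False, "no PTR record; many receivers reject or defer such mail"
    confirmed = [h for h in ptrs if ip in resolve(h, "A")]
    if not confirmed:
        return False, f"PTR {', '.join(ptrs)} does not resolve back to {ip}"
    names = {h.rstrip(".") for h in confirmed}
    if expected_host and expected_host.rstrip(".") not in names:
        return False, f"PTR {confirmed[0]} confirmed, but EHLO name {expected_host} differs"
    return True, f"PTR {confirmed[0]} confirmed by matching A record"


if __name__ == "__main__":
    print(reverse_zones("192.0.2.0/24"), reverse_zones("192.0.2.128/26"))
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"):
        print(ip, check_fcrdns(ip, expected_host="mail.example.net"))
```

The 192.0.2.2 case is the "generic ISP record" situation Aric describes: the PTR is forward-confirmed, so plain FCrDNS passes, but it still does not match the name the mail server presents.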
RE: [ActiveDir] Active Directory wish list

2005-10-10 Thread Bernard, Aric
Agreed - the legacy APIs pose a serious problem in many cases.  

After noodling over the LDAP issue a little more, and recalling that
ports are specified in the SRV records :), any AD-aware or SRV-aware
system/application should be able to handle multiple instances of LDAP
on a single server (assuming they are each using a different port or
IP).

The SYSVOL issue is also negligible as, like you said, the file system
hierarchy was clearly designed with the domain name embedded.  The only
issue here that remains (in its current incarnation) is that of data
replication.  Given the advancements shown in DFSR this should be easily
overcome with the only problem being replicating data to places it
should not be (i.e. a legacy DC running some antiquated OS like W2K or
W2K3 pre-R2 ;-).

There are of course other unhandled issues such as which domain should
the IUSR_Machine user object be created in if IIS is installed/running
on a multi-domain capable DC?  (Or better yet, should the IUSR account
exist at all?)  Regardless, there is a substantial trail of legacy
issues that have to be handled before multi-domain DCs can come to
fruition.  Of course we should more properly be talking about
multi-forest DCs as opposed to multi-domain DCs - or does that just blur
the entire security boundary issue a bit too much?

Needless to say, given the current technology, using virtual guest
operating systems atop your favorite virtualization product is a viable
way to generally satisfy the need for running multiple domains on a
single piece of hardware as opposed to the desire of running them all on
a single OS instance albeit at a higher theoretical cost for system
management and other pay for software that is installed in each
instance.


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I don't think the issue is there. When you make an LDAP call, you specify where you want to go, the hierarchy is all there and required in the call. Also I don't believe the issue is in SYSVOL, if you look at the sysvol structure, it has the domain component in there. In fact when I first saw that in say Oct 1999 in the gold product I was thinking... Hmm, is MS thinking about supporting multiple domains from a single DC? One of the big issues is at the level of all of the old NET style calls. You specify a server, not a domain, then it assumes there is one auth point on that one server (i.e. one SAM in the old days) and it works it. If a call came in for user bob on server123 and there were three domains or partitions or x hosted all of which have bob, which one gets sent back?

If the old NET functionality got dumped, I would be rewriting quite a bit of code. The only reason I am not already doing it is that there is no impetus to, it works, I don't have to worry about it. At the same time, that holds back from doing newer and cooler things if MS did offer the option to move on. If that option were there though... I would start rewriting to get to it. At the present time, there is no sign of the death of the NET API so there is no reason to rewrite something that works fine using it unless there is some other reason (like you need something that isn't accessible through the API). Even on this list which has a lot of the more eager techofolks, we discuss the WinNT provider and other NET API based methods quite a bit for accessing AD. How come everyone isn't only using the LDAP methods? Answer, because the NET API methods still work for many things.





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, October 10, 2005 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Sounds like we need an LDAP.SYS that is similar to HTTP.SYS in that it can act as a routing, queuing, and parsing mechanism to determine which LDAP namespace/partition or domain an inbound request is destined for.

With such a mechanism in place registration/advertisement (DNS) of the various LDAP namespaces supported should be compatible with today's implementation and existing client capabilities. However, some of the other facets of the NOS implementation (i.e. SYSVOL) would still be unaccounted for but I suppose similar proxy methods could be developed to support these subsystems as well...


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, October 10, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The limitations of the VMs are the underlying hardware, in our case. I have 9 VMs running on one server. It's choking for more RAM, but management won't foot the bill for the additional riser card and ram.
Otherwise, no limitat
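
Aric's point above is that an SRV record carries a port as well as a target, so an SRV-aware client can be steered to several LDAP listeners on one host. As an added example that is not part of the original thread, this orders a constructed SRV answer for _ldap._tcp.dc._msdcs.corp.example the way an RFC 2782 client does (lowest priority value first, weighted random choice within a priority) and shows both dc1 instances, distinguished only by port, being tried before the backup dc2. The domain, hostnames, ports and weights are constructed.

```python
"""SRV-based LDAP discovery: the port in the record is part of the answer.

Added example, not code from the list thread. Records are constructed.
"""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed answer set for _ldap._tcp.dc._msdcs.corp.example.
# dc1 runs two LDAP listeners on different ports; dc2 has a higher
# priority value, so it is tried only after both dc1 entries.
RECORDS = [
    SRV(priority=0, weight=100, port=389, target="dc1.corp.example."),
    SRV(priority=0, weight=100, port=3890, target="dc1.corp.example."),
    SRV(priority=10, weight=0, port=389, target="dc2.corp.example."),
]


def order_srv(records, rng=None):
    """Return (target, port) endpoints in the order a client should try them.

    RFC 2782: group by priority, lowest first. Within a group, repeatedly pick
    one record by weighted random selection (weight-0 records are placed first
    so they are chosen only when the random number is 0) and remove it.
    """
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight == 0, reverse=True)  # zeros first
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)  # 0..total inclusive, per RFC 2782
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append((r.target, r.port))
                    group.remove(r)
                    break
    return ordered


def endpoints_per_host(records):
    """Map host -> sorted list of ports, exposing several instances per server."""
    hosts = {}
    for r in records:
        hosts.setdefault(r.target, set()).add(r.port)
    return {h: sorted(p) for h, p in hosts.items()}


if __name__ == "__main__":
    print(order_srv(RECORDS, random.Random(1)))
    print(endpoints_per_host(RECORDS))
```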

RE: [ActiveDir] Active Directory wish list

2005-10-10 Thread Bernard, Aric
Sounds like we need an LDAP.SYS that is similar to HTTP.SYS in that it
can act as a routing, queuing, and parsing mechanism to determine which
LDAP namespace/partition or domain an inbound request is destined for.

With such a mechanism in place registration/advertisement (DNS) of the
various LDAP namespaces supported should be compatible with today's
implementation and existing client capabilities.  However, some of the
other facets of the NOS implementation (i.e. SYSVOL) would still be
unaccounted for but I suppose similar proxy methods could be developed
to support these subsystems as well...


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, October 10, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The limitations of the VMs are the underlying hardware, in our case. I
have 9 VMs running on one server. It's choking for more RAM, but
management won't foot the bill for the additional riser card and ram.
Otherwise, no limitations in functionality. If I had adequate hdw to run
the VMs I could use VMs more gracefully.
I've used/use desktop hdw to run testlab machines, but scalability and
user experience testing is indeed a factor for some things.
The underlying "wish" here was to be able to put multiple AD DCs on one
piece of hdw/OS. Instead of having to build 3 VMs or physical machines,
be able to run 3 domains on one, with AD running as a service, kinda
like the way IIS can run multiple websites, or SQL can run multiple DBs
(although it's at a lower level than either of those apps). If I could
run 3 domains on 2 servers instead of 6, I would imagine that I'd save
on licensing costs as well as hdw, since running an AD service would
likely be less hdw intensive than running an OS...
We can dream, can't we? :-)


**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Monday, October 10, 2005 10:28 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Active Directory wish list
> 
> I agree.  SMB business can be very complex.
> 
> Can you expand on the idea that VM's aren't working well for you? I'm trying to understand the difference between that and a multiple domain DC for that scenario.
> 
> I'd have to say that smaller, cheaper dc's (desktop class?) have always worked well for me in the past when doing functionality testing. Scalability requires full-blown hardware. But I'm not seeing where VM environments aren't working as well as you'd like a physical environment to work?  What's the difference in this situation?
> 
> For availability, I could see some value in a DC configured to host multiple domains because I could designate one to be the failover for several domains.  Otherwise, I'm not sure I get it. Is this like a LPAR concept you're talking about? That would be more helpful to you in these situations? If so, how is that different than VM's?
> 
> Test environments are notoriously able to take down servers without warning. I would often prefer to use a VM to decrease that risk of consuming all resources to destruction. That provides some isolation while not requiring extra hardware.
> 
> VM's require licenses (the OS and apps do) FWIW. You're only saving on the hardware and environmentals that I can see, but I'm trying to understand what I'm missing.
> 
> 
> - Original Message - 
> From: "Charlie Kaiser" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, October 10, 2005 11:05 AM
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> 
> For us, it's the ability to run parallel domains for test/development purposes. We have our production domain, my IT test domain, and our LOB application test domain. I'd have another IT test domain if I had the available hardware right now.
> We are required to test and document all changes to the LOB app and a significant number of people work in that test domain. Running it on VMs or old hardware doesn't cut it gracefully, although that's what I do. Since management won't write the check for additional hardware/licenses, we do what we can.
> But if we had one beefy server to replace 3, and one server license to replace 3, it would be much more cost effective to do, and would increase performance for the user community.
> In my last gig, we had multiple domains that were used for development and customer support departments. The support kids especially needed multiple domains to recreate customer environments and various software versions.
> I can think of a lot of reasons to need multiple domains/forests in an SMB environment. Regulatory compliance, 24x7 availability that mandates full testing 

RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread Bernard, Aric

My understanding is as follows:

- 1 licensed copy of W2K3R2 or Longhorn (EE/DC) provides the following:
  - 1 physical host running the licensed OS
  - 4 virtual guests running the licensed OS or a lesser version (i.e. Enterprise Edition would allow for Web Edition running in a VM)
- VMs developed and designed for the following purposes (as examples) need not be licensed until such time as they no longer fall under the following:
  - Copies of licensed machines (physical or virtual) used for backup purposes only
  - "Template" virtual disks used for deploying new virtual guests
  - Other virtual machines not generally online and not used for production purposes (e.g. an offline CA in a VM would not qualify)

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

I'm a bit confused as to what she was trying to say… in the quote below, she says four VMs, but she doesn't say four instances of Windows… and she says that they'll only charge for virtual images of Windows actually running. I take that to mean that if I have a box with 10 virtual machines defined but only 4 running at a time, that I only have to pay for 4? Unless I start a 5th one before I bring one of the others down? Does it mean that currently I'd have to pay for 10? Or is it that if I am only running 4 I can run them on top of one purchased copy of Windows Server 2003 R2 EE?

One thing that seems a bit silly to me is if I have my new 64 bit server, GOLIATH, and he's running 10 VMs with Windows, then he's running 10 W2K3 kernels, 10 HALs, 10 __ (fill in the blank). There was a concept, sort of filled by NTVDM, that you could run something in there and if it crashed it didn't take down the OS. What if you could run an instance of Exchange in one of those? Or a DC? VMs are now sort of like having CD images on the network were for a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I mean. Run 10 VMs and you have maybe 15 GB of duplicate info on disk. I hear ESX can mitigate that somewhat… but MS wrote the Windows code, who could do it better than them? Or maybe I'm way off base here. ??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

http://www.pcworld.com/news/article/0,aid,122949,00.asp

Virtual Windows License Simplified

Microsoft also will allow customers to have four virtual machines running on top of Windows Server 2003 R2 Enterprise Edition and Windows Server "Longhorn" Datacenter Edition at no extra cost, Kelly said.

RE: [ActiveDir] Active Directory wish list

2005-10-06 Thread Bernard, Aric

Well good, especially since I didn't actually see you make a recommendation or discuss any vaporware... :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 05, 2005 10:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I don't make recommendations based on vaporware or rumors...

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, October 05, 2005 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Actually, it may – rumor has it that there may be some licensing changes coming for the virtualized Windows world…

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 05, 2005 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

You're hardly alone in this. It took a little while before the touted security of the empty root model was blown open by my esteemed colleagues at HP (then Compaq). Lots and lots of organizations have adopted empty-root and other multiple-domain architectures, only to regret it later.

Still, Virtual Server (or VMware) would address the hardware requirement to a large extent since you could run two physical machines instead of six, but it doesn't really do anything for Charlie's desire to buy fewer server licenses.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'm not saying we need a better solution here, and there are factors due to the internal/external nature of our business that PSS (I think) recommended the design we have. When we built it, the empty root was widely considered to be the best design. My point was that to support this, we need at least 6 W2K3 servers running (physical or not is mostly beside the point). We don't really need load balancing for this size – but we need 2 servers for each domain if we want to avoid the risk of having the only DC for a domain go down. My point was that the directory is a database, but it's tied to the server OS in such a way that even stopping the directory on one box is a feat for MS to do (they're working on that, as I think Joe mentioned and is non-NDA). Securing a copy of the directory and making it available means doing that for the entire server unit right now, not just the directory – a different database model than say SQL. Should the AD database be more modular to separate it out from the OS so that it could be treated as one might treat a SQL database? Maybe not. I was just asking the question in hopes of sparking some new ideas of ways to mitigate the risk a single DC domain incurs today. :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

My question would be: for a small directory of 5000 users, why do you have 3 domains? If it is for separate password policies, then perhaps a better wish list item would be the ability to have multiple password policies in one domain.

Phil

On 10/5/05, Rich Milburn <[EMAIL PROTECTED]> wrote:

I think the biggest reason people want to be able to run multiple domains on one server is the same reason practically no one (except for SBS) installs just one DC, and the same reason we always install a minimum of 2 for a domain. We have a forest root and 2 child domains model, and it takes us 6 servers to run that - for basically 2 directories and fewer than 5000 users. That seems like a waste of hardware in some situations - especially if you have multiple orgs that you run. The parallel might be for a web hosting company to have 2 full web servers for each domain they host - in case 1 goes down, they still have a second. VS is an answer, yes, although you still need a full server license for each VM. The thing with domains is you don't want to only have 1 online copy of the direc

RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Bernard, Aric

Actually, it may – rumor has it that there may be some licensing changes coming for the virtualized Windows world…

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 05, 2005 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

You're hardly alone in this. It took a little while before the touted security of the empty root model was blown open by my esteemed colleagues at HP (then Compaq). Lots and lots of organizations have adopted empty-root and other multiple-domain architectures, only to regret it later.

Still, Virtual Server (or VMware) would address the hardware requirement to a large extent since you could run two physical machines instead of six, but it doesn't really do anything for Charlie's desire to buy fewer server licenses.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, October 05, 2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'm not saying we need a better solution here, and there are factors due to the internal/external nature of our business that PSS (I think) recommended the design we have. When we built it, the empty root was widely considered to be the best design. My point was that to support this, we need at least 6 W2K3 servers running (physical or not is mostly beside the point). We don't really need load balancing for this size – but we need 2 servers for each domain if we want to avoid the risk of having the only DC for a domain go down. My point was that the directory is a database, but it's tied to the server OS in such a way that even stopping the directory on one box is a feat for MS to do (they're working on that, as I think Joe mentioned and is non-NDA). Securing a copy of the directory and making it available means doing that for the entire server unit right now, not just the directory – a different database model than say SQL. Should the AD database be more modular to separate it out from the OS so that it could be treated as one might treat a SQL database? Maybe not. I was just asking the question in hopes of sparking some new ideas of ways to mitigate the risk a single DC domain incurs today. :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, October 05, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

My question would be: for a small directory of 5000 users, why do you have 3 domains? If it is for separate password policies, then perhaps a better wish list item would be the ability to have multiple password policies in one domain.

Phil

On 10/5/05, Rich Milburn <[EMAIL PROTECTED]> wrote:

I think the biggest reason people want to be able to run multiple domains on one server is the same reason practically no one (except for SBS) installs just one DC, and the same reason we always install a minimum of 2 for a domain. We have a forest root and 2 child domains model, and it takes us 6 servers to run that - for basically 2 directories and fewer than 5000 users. That seems like a waste of hardware in some situations - especially if you have multiple orgs that you run. The parallel might be for a web hosting company to have 2 full web servers for each domain they host - in case 1 goes down, they still have a second. VS is an answer, yes, although you still need a full server license for each VM. The thing with domains is you don't want to only have 1 online copy of the directory. MS didn't seem too convinced there was a good reason to have an online second server - they cited backups as a good solution to the issue. In a big org the cost of an additional server to provide redundancy is negligible, but is having an online copy (second DC) really the BEST way to do this? And it doesn't help SBS users, since they can (correct me if I'm wrong) only have 1 DC. I realize it may be the best way we have with W2K3, but how could the issue of redundancy be addressed with AD differently than having 2 DCs minimum per domain? Anyone have any ideas?

Rich

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, October 04, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [Active

RE: [ActiveDir] Rights Management Server

2005-10-05 Thread Bernard, Aric
BTW - RMS does not leverage the traditional cert services that you would use 
for a PKI.  It has its own "certs" that it hands out.  Also it requires a 
database server (SQL).  On principle, I would not put this on a DC.  Both the 
DC and the RMS Server play critical roles, however losing the RMS server could 
be far more devastating than a single DC.


Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 05, 2005 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rights Management Server

The only thing I know about RMS is what the acronym stands for. However, your
question is about using the DC as the cert server so you don't have to
procure additional hardware, right? There is nothing wrong with that. It's a
supported configuration, and as long as you do your due diligence and get
your backup right, you should be fine.
 
One common issue with running the CA on a DC is that the cert service will be
broken if you use one of the MS custom inf to harden the DC. I forgot which
one exactly, but you will know when your cert service is broken. Recovery is
not too hard, so don't sweat it.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 10/5/2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rights Management Server



Has anyone deployed Microsoft's RMS and used their DC's as the Root
certification server? We are debating whether we need dedicated hardware
for the RMS servers or whether they can share.

Thanks in advance.


Holland + Knight

Travis Abrams
IT Security & Systems Manager
Holland & Knight LLP

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Active Directory wish list

2005-10-05 Thread Bernard, Aric
How about the VSMT for VS2005? ;)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, October 05, 2005 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

Have you guys checked out the PtoV tool on VMware?

Rich Milburn wrote:

>I kinda like the idea of running a DC in a VS machine, and having an
>online realtime copy of it somewhere in addition to incremental
>backups... and you should be able to bring up the vhd on any box, not
>just one with similar hardware, and without having to go through Laura's
>7 step DR plan :) (reference thread [ActiveDir] AD Restore Problem)
>
>But can you have a VSS-type remote copy of your DC session vhd file?
>
>(Forgive me if I bring up topics that were adequately addressed during
>my hiatus in Windows Desktop Deployment World...)
>
>-------
>Rich Milburn
>MCSE, Microsoft MVP - Directory Services
>Sr Network Analyst, Field Platform Development
>Applebee's International, Inc.
>4551 W. 107th St
>Overland Park, KS 66207
>913-967-2819
>-------
>"I am always doing that which I can not do, in order that I may learn
>how to do it." - Pablo Picasso
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Wednesday, October 05, 2005 1:12 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Active Directory wish list
>
>As a representative of the SBS community there is not a day that goes by
>that the 'can we cluster SBS' or 'can I have a hot server' doesn't come
>up.  [if you have SA you can have a cold server]
>
>With 9/11, with Katrina, with the potential for earthquakes in
>California ... honestly... the answer for any small business should not
>be 'well hope your backup is good... you have tested it right?'
>Conversely I would argue the home user needs to be better protected than
>they are now.  [but that's way OT]  I think the fault tolerance for
>small firms is being a bit pushed to the asp/hosted services model in
>the marketplace even though us control freaks aren't always fond of
>that.
>
>Actually we 'can' have additional domain controllers..just that the SBS
>has to hold the FSMO roles and be the PDC.  By the time you reconfigure
>that additional DC to take over the FSMO roles...maybe your time is
>better spent fixing the PDC, ya know?
>
>Is there a good story for small firms to have redundancy, fault
>tolerance without a fat checkbook?
>
>Nope, I would argue...not really...right now imaging is the only way.
>
>And in that instance.. you probably want to stay with a single DC and
>not suffer the wrath of Brett and ghosting your DCs.
>
>A recent whitepaper on the subject of the 'myths' of SBS:
>http://msmvps.com/bradley/archive/2005/10/04/68986.aspx
>http://msmvps.com/bradley/archive/2005/10/05/69035.aspx
>
>I still would argue that virtualization needs to be done WAY more than 
>we are doing now...but that's just my wacko thoughts.
>
>
>Rich Milburn wrote:
>
>>I think the biggest reason people want to be able to run multiple
>>domains on one server is the same reason practically no one (except for
>>SBS) installs just one DC, and the same reason we always install a
>>minimum of 2 for a domain.  We have a forest root and 2 child domains
>>model, and it takes us 6 servers to run that - for basically 2
>>directories and fewer than 5000 users.  That seems like a waste of
>>hardware in some situations - especially if you have multiple orgs that
>>you run.  The parallel might be for a web hosting company to have 2 full
>>web servers for each domain they host - in case 1 goes down, they still
>>have a second.  VS is an answer, yes, although you still need a full
>>server license for each VM.  The thing with domains is you don't want to
>>only have 1 online copy of the directory.  MS didn't seem too convinced
>>there was a good reason to have an online second server - they cited
>>backups as a good solution to the issue.  In a big org the cost of an
>>additional server to provide redundancy is negligible, but is having an
>>online copy (second DC) really the BEST way to do this?  And it doesn't
>>help SBS users, since they can (correct me if I'm wrong) only have 1 DC.
>>I realize it may be the best way we have with W2K3, but how could the
>>issue of redundancy be addressed with AD differently than having 2 DCs
>>minimum per domain?  Anyone have any ideas?
>>
>>Rich
>>
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of joe
>>Sent: Tuesday, October 04, 2005 9:20 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: RE: [ActiveDir] Active Directory wish list
>>
>>Yeah I can say th

RE: [ActiveDir] Change AD Passwords

2005-10-04 Thread Bernard, Aric
PSynch is a good one.  However, you might have a relationship with another
vendor that offers something else:  Quest, NetIQ, HP all have products that
perform similar functions.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change AD Passwords

I agree that psynch should be checked out for this.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, October 04, 2005 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change AD Passwords

If you’re willing to spend money and have a solution that scales, i.e. does
more than just AD passwords, look into P-Synch from MTech.
http://www.psynch.com/

I’ve used them here and at a prior company for password changes, password
expiry notifications, password synch between multiple systems, self-service
password resets, etc.  I’m sure they’ll do everything you want…but at a
price.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, October 04, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change AD Passwords

Iisadmpwd would be my solution. I wouldn’t even expect IE on a Mac to work.
Are these all OS X machines? Why not support Safari as the standard browser,
or some other common browser that works. Seems crazy to support a browser
that is no longer developed.

Also, is it worth looking for something with automatic password reset? What I
mean is, are people really going to supply or do you already have the proper
data to fulfill validation of a user? If not, then it would be hard to justify
the cost…unless like you said, there is something free out there that does
it. In which case I would be interested too :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jake Stabl
Sent: Tuesday, October 04, 2005 3:07 PM
To: [EMAIL PROTECTED]; MS-Exchange Admin Issues; ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change AD Passwords

I know this message has come across this list before but I still don’t have
a good solution.  Third party solutions that cost money are fine and FREE is
better.

I have been looking for some way for users to change their AD passwords from
the web.  I have tried to use the built-in method from MS IIS but the .asp
script doesn’t work correctly on a Macintosh with IE on it.  Plus not every
staff member has access to a PC to change passwords.

Also what would be nice is a product that does password change, and forgotten
passwords.  This would greatly reduce the amount of service calls.  Also maybe
a way to notify these people when their password will expire.

The NOS here is Windows 2003 naturally…

Thanks

--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell: 330.704.1278
IP Phone: 4466


RE: [ActiveDir] Multiple forests with a common DNS parent zone

2005-10-03 Thread Bernard, Aric
Based on the configuration explained below, there should be no problem.

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 03, 2005 2:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multiple forests with a common DNS parent zone


I have encountered a situation where 4 forests exist today, all of which have
a common DNS parent zone - let's call it xxx.com.

Forest 1 has root domain named xxx.com with multiple child domains
Forest 2 has root domain named ap.xxx.com with multiple child domains
Forest 3 has root domain named am.xxx.com with multiple child domains
Forest 4 has root domain named jp.xxx.com with no children

DNS resolution between the 4 forests works fine. Xxx.com is hosted on UNIX
BIND servers with all child zones delegated to Windows DNS servers. All child
zone DNS servers forward to the servers hosting xxx.com. Existing forests are
w2k native and no trusts exist between these forests.

There is a proposal to build a new, fifth forest and to migrate all objects
from the 4 forests above into this new forest.

Forest 5 will have root domain named global.xxx.com and 4 children -
representing the 4 forests above.

Does anyone have any concerns over the re-use of the same DNS name - xxx.com?
I feel uncomfortable with this proposal but don't have any technical reasons
to block it.

Any comments?

Thanks,

neil

___

Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481
 





RE: [ActiveDir] OT: Additional DHCP server same LAN

2005-09-26 Thread Bernard, Aric
Counseling indeed!

I made the assumption when you said the same LAN that both companies
were sharing the same subnet...and you know what they say about
assumptions...

Of course Marcus is right if my assumption is incorrect. :)


Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, September 26, 2005 8:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Additional DHCP server same LAN

Are you suggesting counseling, Aric?  :)

DHCP is based on broadcast.  I suppose if you configured your helpers to
point to different subnet segments (assuming the two companies don't
share the same subnet) you might be able to do this.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, September 26, 2005 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Additional DHCP server same LAN

Not if they are on the same LAN.  Why do you want to do this before the
separation?  Maybe there is a workaround for whatever problem you are
having.

Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Monday, September 26, 2005 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Additional DHCP server same LAN

Two companies sharing the same physical LAN, IP configuration, Windows
2000 servers, two separate forests, and one DHCP server.  In the
not so distant future they will separate.  In the meantime, is there a
way to point the XP pro clients from CompanyB to a new DHCP server on
the same physical LAN through Group Policy or WMI Scripting?


Thank you,

...D


RE: [ActiveDir] Domain-wide operations masters change

2005-09-26 Thread Bernard, Aric
Are you asking if there is a way to do this without using the event logs?

The only option I can think of is gathering all of the persons with
permissions and beating them about the head until somebody confesses.  Come
to think of it that could generate some false positives. :)

If you have access to the logs and need to narrow down the time in which the
change occurred, you can look at the whenChanged attribute (in GMT) for the
following objects:

CN=RID Manager$,CN=System,DC=YourDomain,DC=YourDomainSuffix
CN=Infrastructure,DC=YourDomain,DC=YourDomainSuffix

The PDC role is defined in an attribute fSMORoleOwner on the domain head
object for the domain in question.  Determining when this attribute was
changed would have to be done with repadmin or another utility (as opposed to
ADSIEdit which can give you the information on the other two).

I believe that event ID 1458 is what you need to look for in the Application
log on either (or both) the system that originally held the role and the one
that requested the transfer. The user that requested the transfer should be
identified.

If you do not have access to the logs I suggest that you discuss changing your
log retention policies by either keeping more information “live” on the DC or
by archiving old information on a regular basis. Another option would be to
implement some sort of log collection system.

HTH

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, September 26, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain-wide operations masters change

Know of an easy way to find out who?  I'm assuming auditing, but our security
logs are unwieldy and if it happened over a couple days ago, well you know how
that goes.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, September 26, 2005 3:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain-wide operations masters change

No automatic change mechanism for OM roles.  Someone did it. :)

Regards,

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, September 26, 2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain-wide operations masters change

I just noticed our domain-wide operations masters levels all
changed.  We've had the same pdc/rid/infrastructure master for years, and
suddenly, it's on a different domain controller.  Is there any way this
could have changed automatically?  Or did a domain admin have to
physically make this change?




 
  
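
Aric's approach above (whenChanged on the RID and Infrastructure objects, plus the replication metadata of fSMORoleOwner, which repadmin exposes) written out as an added PowerShell example; this is not code from the thread. It assumes the ActiveDirectory module and Windows Server 2012 or later tooling for Get-ADReplicationAttributeMetadata, which the 2005 thread predates (repadmin /showobjmeta returns the same metadata on older systems).

```powershell
# Added example, not from the thread: when did each domain-wide FSMO role last move?
# Needs the ActiveDirectory module (RSAT) and read access to the domain partition.
Import-Module ActiveDirectory

function Get-FsmoRoleChangeHistory {
    [CmdletBinding()]
    param(
        # DNS name of the domain to inspect; defaults to the current domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $dom    = Get-ADDomain -Identity $Domain
    $server = $dom.PDCEmulator        # any writable DC works; the PDC is always one
    $domDN  = $dom.DistinguishedName

    # The object whose fSMORoleOwner attribute records each role's holder
    # (the value is the DN of the holder's NTDS Settings object).
    $roleObjects = [ordered]@{
        'PDC Emulator'   = $domDN
        'RID Master'     = 'CN=RID Manager$,CN=System,' + $domDN
        'Infrastructure' = 'CN=Infrastructure,' + $domDN
    }

    foreach ($role in $roleObjects.Keys) {
        $dn  = $roleObjects[$role]
        $obj = Get-ADObject -Identity $dn -Server $server -Properties whenChanged, fSMORoleOwner

        # Replication metadata gives the originating write time of fSMORoleOwner
        # itself. whenChanged is bumped by a write to *any* attribute, so on the
        # domain head it is a poor signal; the metadata is precise for all three.
        # Pre-2012 equivalent:  repadmin /showobjmeta <DC> "<DN>"
        $meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $server `
                    -Properties fSMORoleOwner

        # "CN=NTDS Settings,CN=<DC>,CN=Servers,..." -> <DC>
        $holder       = ($obj.fSMORoleOwner -split ',')[1] -replace '^CN='
        $originatingDc = ($meta.LastOriginatingChangeDirectoryServerIdentity -split ',')[1] -replace '^CN='

        [pscustomobject]@{
            Role           = $role
            Object         = $dn
            CurrentHolder  = $holder
            WhenChangedUTC = $obj.whenChanged.ToUniversalTime()
            RoleChangedUTC = $meta.LastOriginatingChangeTime.ToUniversalTime()
            Version        = $meta.Version      # increments on every transfer or seizure
            OriginatingDC  = $originatingDc     # DC on which the write originated
        }
    }
}

# Example run. RoleChangedUTC and OriginatingDC give the time window and the
# machines on which to search the event logs for the transfer events.
Get-FsmoRoleChangeHistory | Format-Table -AutoSize
```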


RE: [ActiveDir] LDAP filters

2005-09-26 Thread Bernard, Aric
This is always a good starting place if you find it consumable:
http://www.faqs.org/rfcs/rfc2254.html

Optionally, using the ADU&C MMC Snap-in you can build some “Saved Queries”
and see how they are built (Query String) by the snap-in to learn some of the
intricacies.

Regards,

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, September 26, 2005 1:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP filters

Where can I find more info on creating LDAP filters?  I’m trying to have
Exchange 2003 Address List display users on multiple Mailbox Stores and
Groups.  I have to do a custom LDAP search to accomplish this.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469










RE: [ActiveDir] Domain-wide operations masters change

2005-09-26 Thread Bernard, Aric
No automatic change mechanism for OM roles.  Someone did it. :)

Regards,

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, September 26, 2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain-wide operations masters change



I just noticed our domain-wide operations masters levels all
changed.  We've had the same pdc/rid/infrastructure master for years, and
suddenly, it's on a different domain controller.  Is there any way this
could have changed automatically?  Or did a domain admin have to
physically make this change?










RE: [ActiveDir] OT: Additional DHCP server same LAN

2005-09-26 Thread Bernard, Aric
Not if they are on the same LAN.  Why do you want to do this before the
separation?  Maybe there is a workaround for whatever problem you are
having.

Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Monday, September 26, 2005 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Additional DHCP server same LAN

Two companies sharing the same physical LAN, IP configuration, Windows
2000 servers, two separate forests, and one DHCP server.  In the
not so distant future they will separate.  In the meantime, is there a
way to point the XP pro clients from CompanyB to a new DHCP server on
the same physical LAN through Group Policy or WMI Scripting?


Thank you,

...D


RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread Bernard, Aric
Allow me to logon to any DC in any domain and I will own your entire Forest.

Allow me access to the console of any DC in any domain (assuming I can use a
USB port or floppy drive) even without an account that allows me to logon
locally and I will own your entire Forest.

The point, as Joe so eloquently phrased it, is “Just don’t do it!”  The
forest is the security boundary, and if someone can compromise a single DC
regardless of domain they can own your forest.

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft
Sent: Thursday, September 22, 2005 8:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security



The only thing to do is to make him an admin of that site, or better
yet make that site a child domain and make him a domain admin of that child
domain. I know from experience that using a DC as anything but a DC is a
freakin pain in the ass, my predecessor set a DC up as a print/file server and
another as a SQL server (finally able to demote that one now, soon hopefully).
But my citrix profiles are on the domain controller, and after months of trying
to set delegation up properly in AD and setting up permissions in the
appropriate folders on the DC, the only way I was able to get my Helpdesk admin
set up to create accounts with my scripts so that I didn't have to do it was to
make him a domain admin. My company is too damn cheap to get me another server
to put the citrix profiles somewhere else. Oh yeah, and its an app server for
network install of office (can you feel my pain).





 





So, if there is only one server in the site and its a DC, the only
way to get him to do anything is to make him a domain admin (make it a child
domain so he can't climb up the tree)





 





Gideon Ashcraft





Network Admin





Screen Actors Guild




<[EMAIL PROTECTED]>

ct: RE: [ActiveDir] Domain Controller Security 



Look
through the archives.

 

The short answer is... "Just don't do
it". You can't possibly secure this regardless of what anyone says. If
someone says it can be made safe, stop asking them technical questions about
Domain Controllers and Active Directory.

 

Either you trust the person or you don't.
If you don't trust the person, then don't put the person in a position to show
you the meaning of screwed.

 

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005
4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain
Controller Security



I have a contractor in a remote site. There is only 1 server in that site
which is a DC.

He needs to administer that server.

-Create shares
-Make file/share permissions
-Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a "Server Operator" he can logon to any server in the domain.

Any idea on how to lock him down to that one server and then how to lock him
down on that one OU where he should only be allowed to change the passwords
of the users.

Thanks!

Fred

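
Fred's third requirement (password changes limited to the site's User OU) is the part of the question that a scoped delegation can cover without Domain Admins or Server Operators membership; the following is an added PowerShell example, not code from the thread, and assumes placeholder OU and group names and the ActiveDirectory module. As Aric and Joe note above, it does nothing for the console and logon side of the problem on the DC itself.

```powershell
# Added example, not from the thread: grant one group "Reset Password" (plus the
# pwdLastSet write needed for "must change password at next logon") on user
# objects under one OU, and nothing else. OU and group names are placeholders.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl/Set-Acl

# Schema GUIDs are the well-known AD constants, not values taken from the thread.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class

function Grant-OuPasswordResetDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,   # e.g. 'OU=RemoteSite Users,DC=example,DC=com'
        [Parameter(Mandatory)][string]$GroupSamAccountName    # delegate to a group, never to one account
    )

    $sid  = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupSamAccountName).SID
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path

    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rwProp   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # ACE 1: Reset Password, inherited only by user objects below this OU
    # (inherited-object-type = user), so computers, groups and users elsewhere are untouched.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $extRight, $allow, $ResetPasswordRight, $inherit, $UserClass))

    # ACE 2: read/write pwdLastSet on the same objects, for "user must change password at next logon".
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rwProp, $allow, $PwdLastSetAttr, $inherit, $UserClass))

    if ($PSCmdlet.ShouldProcess($OuDistinguishedName, "grant Reset Password to $GroupSamAccountName")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

function Get-OuDelegationForGroup {
    # Review helper: list the ACEs on the OU that name the group, to confirm that
    # nothing broader than the two rights above was granted.
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupSamAccountName
    )
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupSamAccountName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

# Example run with placeholder names; -WhatIf previews the change without writing the ACL.
Grant-OuPasswordResetDelegation -OuDistinguishedName 'OU=RemoteSite Users,DC=example,DC=com' `
                                -GroupSamAccountName 'RemoteSite-PasswordResetters' -WhatIf
```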



RE: [ActiveDir] OT: SAN Assessment

2005-09-22 Thread Bernard, Aric
Lawana provides some really great advice here.  I found the URL for a
document that covers a lot of the points spoken of in the message above.
Even though it does include references to specific hardware platforms
(as examples) it contains a lot of really good information that may be
of value to you.

The document is "free" but you do need to have an "HP Passport" to get
at it (you can get this quickly and easily when attempting to access the
URL).

http://h71019.www7.hp.com/activeanswers/Secure/111015-0-0-0-121.html



Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lawana Gibson
Sent: Thursday, September 22, 2005 7:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment

Good mornin',
We have a SAN environment within our library.  We're running a FC4500
with 1.2 TB of disk space.  I have seven servers connected to the SAN
and a PowerVault 136T Tape Library.  We had Dell (we're a Dell shop)
come in and assess our environment; we made the decision on how much
disk space we needed, etc.  So basically they took our specifications
and produced a system (hardware, mgmt software, HBA).  We had them
install a "turn key" system so all we had to do was start moving data
over to the disks (or LUNS).  BUT...you have to be very careful and
make sure they are giving you the most current equipment; they are not
selling you mgmt software that will not work with your server
environment...basically make sure they know your network.  Make sure
your sales/technical accountant is aware of when your equipment comes
in, who they sent to install the equipment, etc.  Have them/make them
document everything!  I have horror stories related to our SAN
installation, but once I finally complained loud enough (and we
threatened not to pay them) they sent someone out to reconfigure our
system.  We are now in the phase of upgrading our SAN environment...as a
matter of fact I'm meeting with them next week.  If I had one thing to
warn you or suggest...make sure YOU are aware of what you're getting as
far as software, HBAs and drivers, SAN management software, etc.
Because if you don't know, you could be stuck with a monster on your
hands.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SAN Assessment

Hi,

We're in the process of planning to migrate from Notes to Exchange and
one of the dependencies of this migration is a SAN environment.

Has anyone utilized the services of any independent consulting bodies to
carry out a SAN assessment? Essentially, helping in the process of
determining requirements and laying out a path to successful deployment
with considerations for high availability, scalability and future
considerations.

Thanks,




RE: [ActiveDir] OT: SAN Assessment

2005-09-21 Thread Bernard, Aric
And if you do have or are considering HP SAN equipment, call your HP
representative and let them know you need help with capacity planning
and configuration for your SAN for Exchange.  Most of the folks at HP
involved with this kind of activity follow Pierre's (an HP employee)
methodology and best practices.

In many cases they can provide assistance at little or no direct cost to
you.


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, September 21, 2005 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment

If you have the time, pick up a copy of Pierre Bijaoui's "Scaling
Microsoft Exchange 2000." I don't think it's been updated for Exchange
2003, but most everything he covers in there carries forward. It's very
good information on building storage infrastructure for Exchange,
including SANs.

It may not replace a consulting engagement, but it will give you enough
background to understand (and question) any recommendations. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment

Well we don't have a preferred vendor. We're looking at all the obvious
choices: HP, EMC, StorageTek (SUN) etc.

Right now it's more important to just get an independent (non-vendor
specific) assessment carried out.

Thanks,



"Firefox - Rediscover the web "




Original Message Follows
From: "Bernard, Aric" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: 
Subject: RE: [ActiveDir] OT: SAN Assessment
Date: Wed, 21 Sep 2005 14:25:57 -0400

Yep, lots of consulting firms do this sort of work.  Who is the SAN
vendor?  Typically they will be happy to come out and help with this
kind of activity as it usually means additional sales now or in the
future.

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, September 21, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment

I work for a consulting firm that does these sorts of things, so, yes I
know people utilize consulting firms to do this stuff. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SAN Assessment

Hi,

We're in the process of planning to migrate from Notes to Exchange and
one of the dependencies of this migration is a SAN environment.

Has anyone utilized the services of any independent consulting bodies to
carry out a SAN assessment? Essentially, helping in the process of
determining requirements and laying out a path to successful deployment
with considerations for high availability, scalability and future
considerations.

Thanks,




RE: [ActiveDir] Group policy stupid question

2005-09-21 Thread Bernard, Aric
Susan,

You can restrict GPOs to certain groups by using either Deny or Allow
permissions.  So in your case you could deny a particular security group
access to the GPO.  If you leverage the GPMC you can use the delegation
tab to explicitly deny a group's access to the GPO.

As for diagramming, it depends on what you want to get out of the
diagram.  Visio is OK for some things while the GPMC can provide nice
reports for others.

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, September 21, 2005 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group policy stupid question

Stupid question that showcases how I don't know enough about GP

Is there a way to do a group policy group so that it's

"Everyone" but <-> "this group" 

And does Visio work the best for diagramming these structures out?



-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] OT: SAN Assessment

2005-09-21 Thread Bernard, Aric
Yep, lots of consulting firms do this sort of work.  Who is the SAN
vendor?  Typically they will be happy to come out and help with this
kind of activity as it usually means additional sales now or in the
future.

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, September 21, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment

I work for a consulting firm that does these sorts of things, so, yes I
know people utilize consulting firms to do this stuff. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SAN Assessment

Hi,

We're in the process of planning to migrate from Notes to Exchange and
one of the dependencies of this migration is a SAN environment.

Has anyone utilized the services of any independent consulting bodies to
carry out a SAN assessment? Essentially, helping in the process of
determining requirements and laying out a path to successful deployment
with considerations for high availability, scalability and future
considerations.

Thanks,




RE: [ActiveDir] Synchronizing AD

2005-09-14 Thread Bernard, Aric

HP also offers a product called LDSU (lightweight directory synchronization
utility) which, although relatively unknown, is very mature and is used in
many Fortune 500 IT shops.  http://h20219.www2.hp.com/services/cache/11215-0-0-225-121.html

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, September 13, 2005 7:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Synchronizing AD

You could use MIIS (http://www.microsoft.com/windowsserversystem/miis2003/default.mspx) which
is a fully functional meta-directory solution from Microsoft or there is
another tool called SimpleSync (http://www.cps-systems.com/simplesync/) which
I believe will provide you simpler but similar functionality.  I prefer to use
MIIS however it is costly, and perhaps overly complex for your particular
situation.

On 9/13/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Does anyone have any recommendations on products or information on
synchronizing data from a SQL database to AD. For example, we want to synch
data from the HR database to the users account.

Thanks in advance

Travis Abrams

-- 
Tnx,
Matt

RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

2005-09-09 Thread Bernard, Aric

I say tomato… Is there really such a thing as a trusted network?  We should all
probably be thinking no since such a large number of malicious attacks come
from within.

Regardless, the more layers you have in place the harder it is – err- should be
to penetrate the internal network.

Your point is well taken, yet there is a trade off between security, cost, and
usability.  The balance is different for each organization.

In Jason’s case it sounds like he has got enough work ahead of him just getting
funding for an ISA server let alone a secondary or tertiary DMZ/semi-trusted
network/extranet/callitwhatyouwill layered network.

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Friday, September 09, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

> Again to clarify, the ISA server often (but not always) resides in the
> semi-trusted network while the SharePoint server should always reside on a
> fully-trusted network.

Actually - you really should look at that differently. It should read:

ISA server should reside in the semi-trusted network while the SharePoint
server should reside on a more trusted network.

Many people seem to think they should only have 3 classes of networks -
Untrusted (i.e. the big I), Semi-trusted (DMZ) and fully trusted (internal).
I think it's fairly trivial and significantly safer to layer services like
this, mail relays, and other servers which make outbound calls to the 'Net
into what I would describe as an internal DMZ. Yes, it's more trusted, but you
can still ACL off and obscure the internal workings of your network.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bernard, Aric
Sent: Wednesday, September 07, 2005 5:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I should make sure I was clear – in no way did I encourage the placement of ISA
AND the SharePoint server onto the semi-trusted (DMZ) network. Again to clarify,
the ISA server often (but not always) resides in the semi-trusted network while
the SharePoint server should always reside on a fully-trusted network.  The key
benefit here is that the only required configuration through the firewall to
the internal network is the web ports (i.e. 80, 443) necessary to allow proper
communication between the ISA server and the SharePoint server.  If the ISA
server were compromised, however unlikely, the only path through the firewall
to the internal network would be via the web ports to the SharePoint server.

Another problem with the IPSec solution is that if your SharePoint server in
the DMZ is compromised (it is running IIS ;-) the IPSec path it has through to
the internal network will be compromised as well.  Of course this will then
allow a potential hacker to ride the IPSec tunnel straight to all of the
systems/ports (i.e. 88, 123, 389, 3268, 3269, and [god forbid] 135 and 445) you
have configured the SharePoint server to communicate with on the internal LAN.
BTW I think you can configure IPSec to work between clients/member servers and
DCs so long as the correct exceptions are in place or as long as you use
certificates (which would be the best approach if using it in the DMZ).

BTW, Jason, never say never.  With enough good arguments and still meeting the
stated requirements you can certainly change people’s opinions…

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, September 07, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Looks like we have plenty of ideas and opinions ;)

ISA is a great way to deal with this, but I believe the decision was made to
put the SP machine in the DMZ regardless of the technical merit or viability.
And whether or not it is a good idea.  That said, ISA doesn't offer much if you
put it AND this machine in a semi-trusted network (for whatever that means
these days.)

Shame there's no leeway though.  The downside to using IPSec is that as others
have pointed out, it won't work on member server <->DC for W2K servers
(limitation of the OS) but will for 2K3 member servers but that still leaves
you with a secure channel from the DMZ host to your internal network.  That
means you can't monitor the traffic from the DMZ to your internal network
because it's encrypted (sounds like a broken record, I know.)

Too bad you can't sway the decision makers to do this differently. But
hopefully you've received a lot of ideas to pick from.

Best of luck,

Al

RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

2005-09-07 Thread Bernard, Aric

Yes, in fact I have implemented this (under Windows 2000).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Wednesday, September 07, 2005 7:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Using certificates to allow IPSec between clients/member servers and DCs sounds
good.  Has anyone actually done this?  I'd be interested, as I'm surprised the
KB article didn't mention this as an alternative.  I've also heard (more than
once) some statements from MS people to the effect that "IPSec between member
servers and DCs is not supported".

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 2:30 p.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

That was the way that I understood that paragraph as well.

And to give a little more information about Aric's point on not being able to
monitor the traffic between the DMZ host and the DC's; that is why it is
important to have an Intrusion Detection/Intrusion Prevention system in place.
Even in a small shop this can save you a lot of headaches if properly
maintained and will let you monitor for malicious traffic on the DMZ host and
the DC's. It is a good way to mitigate many security admins' concerns about
opening encrypted tunnels through the firewalls.

Phil

On 9/7/05, Bernard, Aric <[EMAIL PROTECTED]> wrote:

The quote relates to when you are using Kerberos as the method to setup the
secure connection (ISAKMP).  If you use certificates then IPSec can be used
end-to-end between clients/member servers and DCs.

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Wednesday, September 07, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Hi Phil

Here's the text I was referring to:

Currently, we do not support using IPSec to encrypt network traffic from a
domain member server to a domain controller when you apply the IPSec policies
by using Group Policy or when you use the Kerberos authentication method.

The goal with IPSec is to encrypt the traffic between the two sides and with
the scenario described below you would need Kerberos authentication.  Or have I
missed something?

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 11:02 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Did I miss something in that article? I don't see where it says client > DC via
IPSec is not supported; just that you can't encrypt Kerberos traffic.

Phil

On 9/7/05, Tony Murray <[EMAIL PROTECTED]> wrote:

> If you absolutely HAVE to then I would prefer to look at using IPSec for
> communication between the Sharepoint box and your DC's

IPSec would be good, but it isn't supported between member servers and DCs.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 4:20 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I would look at putting the Sharepoint server on the internal network and
deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to
get your external clients access to the site. If you want to open access from
the DMZ to your AD Forest your firewall will be swiss cheese from all the ports
that need to be open.

If you absolutely HAVE to then I would prefer to look at using IPSec for
communication between the Sharepoint box and your DC's. That leaves you only
needing the IPSec port open and not the very large number of ports to support
AD communication.

http://support.microsoft.com/kb/q179442/

Phil

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:

Because this will be a sharepoint server for clients.  Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

- Original Message -
From: "ASB" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:
> We are putting a MS share

RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

2005-09-07 Thread Bernard, Aric

The quote relates to when you are using Kerberos as the method to setup the
secure connection (ISAKMP).  If you use certificates then IPSec can be used
end-to-end between clients/member servers and DCs.

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Wednesday, September 07, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Hi Phil

Here's the text I was referring to:

Currently, we do not support using IPSec to encrypt network traffic from a
domain member server to a domain controller when you apply the IPSec policies
by using Group Policy or when you use the Kerberos authentication method.

The goal with IPSec is to encrypt the traffic between the two sides and with
the scenario described below you would need Kerberos authentication.  Or have I
missed something?

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 11:02 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Did I miss something in that article? I don't see where it says client > DC via
IPSec is not supported; just that you can't encrypt Kerberos traffic.

Phil

On 9/7/05, Tony Murray <[EMAIL PROTECTED]> wrote:

> If you absolutely HAVE to then I would prefer to look at using IPSec for
> communication between the Sharepoint box and your DC's

IPSec would be good, but it isn't supported between member servers and DCs.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 4:20 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I would look at putting the Sharepoint server on the internal network and
deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to
get your external clients access to the site. If you want to open access from
the DMZ to your AD Forest your firewall will be swiss cheese from all the ports
that need to be open.

If you absolutely HAVE to then I would prefer to look at using IPSec for
communication between the Sharepoint box and your DC's. That leaves you only
needing the IPSec port open and not the very large number of ports to support
AD communication.

http://support.microsoft.com/kb/q179442/

Phil

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:

Because this will be a sharepoint server for clients.  Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

- Original Message -
From: "ASB" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on
> the domain and communicating with a SQL server on the domain.  Because of
> these needs, we only want to open the minimum number of ports to get
> functionality.  We have LDAP (389) opened and SQL (1433) opened.  What
> other ports will we need to open to be able to log in on the sharepoint
> server with a domain account?  Currently, with only these two ports
> opened, a domain account can't log on to the sharepoint server in the DMZ.


RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

2005-09-07 Thread Bernard, Aric

I should make sure I was clear – in no way did I encourage the placement of ISA
AND the SharePoint server onto the semi-trusted (DMZ) network. Again to clarify,
the ISA server often (but not always) resides in the semi-trusted network while
the SharePoint server should always reside on a fully-trusted network.  The key
benefit here is that the only required configuration through the firewall to
the internal network is the web ports (i.e. 80, 443) necessary to allow proper
communication between the ISA server and the SharePoint server.  If the ISA
server were compromised, however unlikely, the only path through the firewall
to the internal network would be via the web ports to the SharePoint server.

Another problem with the IPSec solution is that if your SharePoint server in
the DMZ is compromised (it is running IIS ;-) the IPSec path it has through to
the internal network will be compromised as well.  Of course this will then
allow a potential hacker to ride the IPSec tunnel straight to all of the
systems/ports (i.e. 88, 123, 389, 3268, 3269, and [god forbid] 135 and 445) you
have configured the SharePoint server to communicate with on the internal LAN.
BTW I think you can configure IPSec to work between clients/member servers and
DCs so long as the correct exceptions are in place or as long as you use
certificates (which would be the best approach if using it in the DMZ).

BTW, Jason, never say never.  With enough good arguments and still meeting the
stated requirements you can certainly change people’s opinions…

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, September 07, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Looks like we have plenty of ideas and opinions ;)

ISA is a great way to deal with this, but I believe the decision was made to
put the SP machine in the DMZ regardless of the technical merit or viability.
And whether or not it is a good idea.  That said, ISA doesn't offer much if you
put it AND this machine in a semi-trusted network (for whatever that means
these days.)

Shame there's no leeway though.  The downside to using IPSec is that as others
have pointed out, it won't work on member server <->DC for W2K servers
(limitation of the OS) but will for 2K3 member servers but that still leaves
you with a secure channel from the DMZ host to your internal network.  That
means you can't monitor the traffic from the DMZ to your internal network
because it's encrypted (sounds like a broken record, I know.)

Too bad you can't sway the decision makers to do this differently. But
hopefully you've received a lot of ideas to pick from.

Best of luck,

Al

From: [EMAIL PROTECTED] on behalf of Bernard, Aric
Sent: Wed 9/7/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I agree with Phil – I think using an ISA (or other reverse proxy solution) is
the best way to go given your constraints.

Using a reverse proxy solution allows you the following:

1. Keep your Sharepoint server behind the firewall, yet make it accessible to
   external clients as if it was in the DMZ.
2. Restrict your [additional] holes through the firewall to only that needed
   by the reverse proxy solution to interact with the Sharepoint server
   (port 80).

BTW - this scenario is becoming extremely common.  The next common addition you
will see to this will likely be the use of ADFS to provide an identity trust
bridge between the internal forest and a partner forest (or other identity
system).

Regards,

Aric Bernard

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Wednesday, September 07, 2005 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I would look at putting the Sharepoint server on the internal network and
deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to
get your external clients access to the site. If you want to open access from
the DMZ to your AD Forest your firewall will be swiss cheese from all the ports
that need to be open.

If you absolutely HAVE to then I would prefer to look at using IPSec for
communication between the Sharepoint box and your DC's. That leaves you only
needing the IPSec port open and not the very large number of ports to support
AD communication.

http://support.microsoft.com/kb/q179442/

Phil

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:

Because this will be a sharepoint server for clients.  Regardless, that
decision has already been made and I do
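The trade-off argued in this thread (how many holes the firewall shows versus what a compromised DMZ host can actually reach, and which of those holes the firewall can still inspect), modelled as an added illustration that is not code from the list or from any Microsoft product. The host names, the rule model and the simplification that an IPSec tunnel counts as the services it carries are assumptions made for the example:

```python
"""Model the three DMZ designs discussed in the thread and compare exposure.

Added illustration only; host names, the rule model and the IPSec
simplification below are assumptions made for this example.
  A. domain-joined SharePoint in the DMZ, AD and SQL ports opened inbound
  B. the same server, but member-server-to-DC traffic wrapped in IPSec
  C. ISA reverse proxy in the DMZ, SharePoint kept on the internal network
"""
from dataclasses import dataclass

# Ports a domain member must reach on its DCs, as listed in the thread:
# 88 Kerberos, 123 NTP, 389 LDAP, 3268/3269 global catalog, 135 RPC, 445 SMB.
AD_MEMBER_PORTS = frozenset({88, 123, 389, 3268, 3269, 135, 445})
HIGH_RISK_PORTS = frozenset({135, 445})   # the "[god forbid]" ports
SQL_PORT = 1433                           # from Jason's original question
WEB_PORTS = frozenset({80, 443})          # all the reverse-proxy design needs
IKE_PORT = 500                            # UDP 500, IPSec key exchange
ESP_PSEUDO_PORT = 0                       # ESP is IP protocol 50, not a port;
                                          # modelled as "port 0" for simplicity


@dataclass(frozen=True)
class Rule:
    """One firewall hole from a DMZ host to an internal host (assumed model)."""
    src: str
    dst: str
    port: int
    carries: frozenset = frozenset()  # inner services if this hole is an IPSec tunnel


def firewall_holes(rules):
    """What the firewall admin sees: distinct (dst, port) pairs opened inbound."""
    return {(r.dst, r.port) for r in rules}


def effective_exposure(rules):
    """What a compromised DMZ host can actually talk to on the inside.

    Simplification: a tunnel rule counts as the services it carries rather than
    as the IKE/ESP hole itself, because that is what an attacker rides through.
    """
    reach = set()
    for r in rules:
        reach |= {(r.dst, p) for p in (r.carries or {r.port})}
    return reach


def high_risk(rules):
    """Internal services reachable on the ports the thread least wants exposed."""
    return {(h, p) for h, p in effective_exposure(rules) if p in HIGH_RISK_PORTS}


def blind_spots(rules):
    """Holes whose contents the firewall (and an IDS behind it) cannot inspect."""
    return {(r.dst, r.port) for r in rules if r.carries}


def summarize(rules):
    return {
        "holes": len(firewall_holes(rules)),
        "reachable_services": len(effective_exposure(rules)),
        "high_risk": len(high_risk(rules)),
        "uninspectable_holes": len(blind_spots(rules)),
    }


# Constructed rule sets for the three designs; host names are placeholders.
# A: domain-joined SharePoint in the DMZ, every AD port plus SQL opened inbound.
DOMAIN_JOINED = [Rule("sp-dmz", "dc1", p) for p in sorted(AD_MEMBER_PORTS)]
DOMAIN_JOINED.append(Rule("sp-dmz", "sql1", SQL_PORT))

# B: same server, but DC traffic wrapped in IPSec (only IKE and ESP opened).
IPSEC_TO_DC = [
    Rule("sp-dmz", "dc1", IKE_PORT, carries=AD_MEMBER_PORTS),
    Rule("sp-dmz", "dc1", ESP_PSEUDO_PORT, carries=AD_MEMBER_PORTS),
    Rule("sp-dmz", "sql1", SQL_PORT),
]

# C: ISA reverse proxy in the DMZ; SharePoint and SQL stay on the inside.
REVERSE_PROXY = [Rule("isa-dmz", "sp-internal", p) for p in sorted(WEB_PORTS)]

DESIGNS = {
    "A domain-joined in DMZ": DOMAIN_JOINED,
    "B IPSec to DCs": IPSEC_TO_DC,
    "C ISA reverse proxy": REVERSE_PROXY,
}

if __name__ == "__main__":
    for name, rules in DESIGNS.items():
        print(f"{name:24} {summarize(rules)}")
```

Design B shows fewer holes than A but the same reachable services, with two of the holes opaque to inspection; design C is the only one that shrinks what a compromised DMZ host can reach.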

RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

2005-09-07 Thread Bernard, Aric

I agree with Phil – I think using an ISA (or other reverse proxy solution) is
the best way to go given your constraints.

Using a reverse proxy solution allows you the following:

1. Keep your Sharepoint server behind the firewall, yet make it accessible to
   external clients as if it was in the DMZ.
2. Restrict your [additional] holes through the firewall to only that needed
   by the reverse proxy solution to interact with the Sharepoint server
   (port 80).

BTW - this scenario is becoming extremely common.  The next common addition you
will see to this will likely be the use of ADFS to provide an identity trust
bridge between the internal forest and a partner forest (or other identity
system).

Regards,

Aric Bernard

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Wednesday, September 07, 2005 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I would look at putting the Sharepoint server on the internal network and
deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to
get your external clients access to the site. If you want to open access from
the DMZ to your AD Forest your firewall will be swiss cheese from all the ports
that need to be open.

If you absolutely HAVE to then I would prefer to look at using IPSec for
communication between the Sharepoint box and your DC's. That leaves you only
needing the IPSec port open and not the very large number of ports to support
AD communication.

http://support.microsoft.com/kb/q179442/

Phil

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:

Because this will be a sharepoint server for clients.  Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

- Original Message -
From: "ASB" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on
> the domain and communicating with a SQL server on the domain.  Because of
> these needs, we only want to open the minimum number of ports to get
> functionality.  We have LDAP (389) opened and SQL (1433) opened.  What
> other ports will we need to open to be able to log in on the sharepoint
> server with a domain account?  Currently, with only these two ports
> opened, a domain account can't log on to the sharepoint server in the DMZ.


RE: [ActiveDir] Virtual Domain Controllers

2005-08-23 Thread Bernard, Aric
Two good points - VS2005 SP1 (R2) will relieve both these issues.  The
beta version is very stable and I actually know some running it in
production.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, August 23, 2005 8:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

A couple of notes: 

VS 2005 will not install on an X64 version of windows. If you use a
server with an AMD CPU, install 32 bit windows.

Do not install server 2003 SP1 on the virtuals (the host is ok). It will
slow your virtuals into what seems like 66MHz 486 machines. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, August 22, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

My understanding is that Windows Server 2003 provides full support for
dual core processors and abstracts them, so to speak, from VS2005
insomuch as the application sees two physical processors - so yes; this
is currently not true of ESX until the next point release.

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

Thanks Aric, great link! I'd seen the older BOG (2004) but this latest
one I've missed.
The VS Server is an interesting angle, running the DC on the physical
machine and the F&P element within VS2005 is an option provided the user
requirements aren't too onerous. The 50-60% I referred to was probably
on the generous side... and my experience of this has been limited to
fairly low yield boxes (web servers, app servers) mostly for PoC or cloning
production environments for testing/troubleshooting and development.
Incidentally, you mentioned the DL385... does VS2005SP1 include support
for dual core?

Thanks again,
Mylo

Bernard, Aric wrote:

>For your first question, you can find Microsoft's Branch Office
>Infrastructure Solution (BOIS) here:
>http://www.microsoft.com/technet/itsolutions/branch/default.mspx
>
>In short, and more direct for your question, some organizations are
>deploying a single server solution to a branch office/remote site which,
>as an example, is a domain controller running VS2005 with VMs
>representing other local servers/services that might be required (i.e.
>File and Print, web caching, etc.). Using this approach, your Domain
>Admins continue to be responsible for the physical machine and the
>Domain Controller itself, however your local admin can fully administer
>the other servers living within VMs (via RDP or remote tools) without
>compromising the security of the DC.  This of course assumes that VS2005
>does not contain a flaw that allows a guest to host breach. :)
>
>As for performance, I do not have any concrete numbers, but you will
>most certainly take a performance hit on both your host and your guests
>when using virtualization.  I think your statement of 50-60% is quite
>high based on my experience, but then again YMMV depending on what the
>environment is hosting and what the end-user demands are and what the
>host hardware configuration looks like.  (I prefer an x64 system with a
>small array of disks - like the HP Proliant DL385 for ~$3500US.)
>Regardless, in small remote sites performance is typically not critical
>and nearly any server class system will perform adequately as a DC and a
>VS2005 host. Keep in mind the small remote office solutions often have
>two common single points of failure - the server (in a single server
>solution) and the network.  The failure of either can have a significant
>impact on the end-users...
>
>Regards,
>
>Aric Bernard
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
>Sent: Monday, August 22, 2005 10:17 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Virtual Domain Controllers
>
>It'd be interesting to hear what solutions are in place in larger
>enterprise environments (for small remote sites). IMO, the hybrid
>DC/File and Print in one box, for remote sites, sounds nasty because:
>
>1. There's no local sam so a 'local' administrator needs to be
>built-in administrator in AD.. I guess that's fine if your domain
>admin=F&P Admin but if not
>2. If your file and print server contains loads of local groups etc...
>that becomes part of the AD database I know that this is less of an
>issue under Win2K3 versus Win2k/NT4, but if you're in a largish
>organisation dealing with 100+ sites, each with a hybrid FAP/DC with
>lots of groups and users that meet

RE: [ActiveDir] Virtual Domain Controllers

2005-08-22 Thread Bernard, Aric
Hi Brian,

Out of curiosity, how will LSASS steal memory from that which you have
physically allocated to a specific virtual machine?  Since VS2005 does
not allow over committing of physical memory, this should not be
possible.

Maybe I am missing your point?

Regards,

Aric Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, August 22, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I wouldn't ride the DC on the physical hardware and the FP on the VS
install. I'd ride them both on there. Lsass will steal all the memory you'd
like to allocate to VS. Instead, let lsass and company in its own instance,
allocate it 2/3 the memory available and then the other third to your f & p
instance.

ESX IMHO is not the tool for this type of gig. A) it's expensive and b) it's
suited to running dozens if not hundreds of VMs on high power hardware.
GSX/VS is more for a smaller operation on a much smaller dose of hardware
(e.g. a 380/385 or 2850).

--brian

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, August 22, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

My understanding is that Windows Server 2003 provides full support for
dual core processors and abstracts them, so to speak, from VS2005
insomuch as the application sees two physical processors - so yes; this
is currently not true of ESX until the next point release.

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

Thanks Aric, great link! I'd seen the older BOG (2004) but this latest 
one I've missed.
The VS Server is an interesting angle, running the DC on the physical
machine and the F&P element within VS2005 is an option provided the user
requirements aren't too onerous. The 50-60% I referred to was probably
on the generous side... and my experience of this has been limited to fairly
low yield boxes (web servers, app servers) mostly for PoC or cloning
production environments for testing/troubleshooting and development.
Incidentally, you mentioned the DL385... does VS2005SP1 include support
for dual core?

Thanks again,
Mylo



Bernard, Aric wrote:

>For your first question, you can find Microsoft's Branch Office
>Infrastructure Solution (BOIS) here:
>http://www.microsoft.com/technet/itsolutions/branch/default.mspx
>
>In short, and more direct for your question, some organizations are
>deploying a single server solution to a branch office/remote site which,
>as an example, is a domain controller running VS2005 with VMs
>representing other local servers/services that might be required (i.e.
>File and Print, web caching, etc.). Using this approach, your Domain
>Admins continue to be responsible for the physical machine and the
>Domain Controller itself, however your local admin can fully administer
>the other servers living within VMs (via RDP or remote tools) without
>compromising the security of the DC.  This of course assumes that VS2005
>does not contain a flaw that allows a guest to host breach. :)
>
>As for performance, I do not have any concrete numbers, but you will
>most certainly take a performance hit on both your host and your guests
>when using virtualization.  I think your statement of 50-60% is quite
>high based on my experience, but then again YMMV depending on what the
>environment is hosting and what the end-user demands are and what the
>host hardware configuration looks like.  (I prefer an x64 system with a
>small array of disks - like the HP Proliant DL385 for ~$3500US.)
>Regardless, in small remote sites performance is typically not critical
>and nearly any server class system will perform adequately as a DC and a
>VS2005 host. Keep in mind the small remote office solutions often have
>two common single points of failure - the server (in a single server
>solution) and the network.  The failure of either can have a significant
>impact on the end-users...
>
>Regards,
>
>Aric Bernard
>
>
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
>Sent: Monday, August 22, 2005 10:17 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Virtual Domain Controllers
>
>It'd be interesting to hear what solutions are in place in larger 
>enterprise environments (for small remote sites). IMO, the hybrid 
>DC/File and Print in one box, for remote sites, sounds nasty because:
>
>1. There's no local SAM so a

RE: [ActiveDir] Virtual Domain Controllers

2005-08-22 Thread Bernard, Aric
My understanding is that Windows Server 2003 provides full support for
dual core processors and abstracts them, so to speak, from VS2005
insomuch as the application sees two physical processors - so yes; this
is currently not true of ESX until the next point release.

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

Thanks Aric, great link! I'd seen the older BOG (2004) but this latest 
one I've missed.
The VS Server is an interesting angle, running the DC on the physical
machine and the F&P element within VS2005 is an option provided the user
requirements aren't too onerous. The 50-60% I referred to was probably
on the generous side... and my experience of this has been limited to fairly
low yield boxes (web servers, app servers) mostly for PoC or cloning
production environments for testing/troubleshooting and development.
Incidentally, you mentioned the DL385... does VS2005SP1 include support
for dual core?

Thanks again,
Mylo



Bernard, Aric wrote:

>For your first question, you can find Microsoft's Branch Office
>Infrastructure Solution (BOIS) here:
>http://www.microsoft.com/technet/itsolutions/branch/default.mspx
>
>In short, and more direct for your question, some organizations are
>deploying a single server solution to a branch office/remote site which,
>as an example, is a domain controller running VS2005 with VMs
>representing other local servers/services that might be required (i.e.
>File and Print, web caching, etc.). Using this approach, your Domain
>Admins continue to be responsible for the physical machine and the
>Domain Controller itself, however your local admin can fully administer
>the other servers living within VMs (via RDP or remote tools) without
>compromising the security of the DC.  This of course assumes that VS2005
>does not contain a flaw that allows a guest to host breach. :)
>
>As for performance, I do not have any concrete numbers, but you will
>most certainly take a performance hit on both your host and your guests
>when using virtualization.  I think your statement of 50-60% is quite
>high based on my experience, but then again YMMV depending on what the
>environment is hosting and what the end-user demands are and what the
>host hardware configuration looks like.  (I prefer an x64 system with a
>small array of disks - like the HP Proliant DL385 for ~$3500US.)
>Regardless, in small remote sites performance is typically not critical
>and nearly any server class system will perform adequately as a DC and a
>VS2005 host. Keep in mind the small remote office solutions often have
>two common single points of failure - the server (in a single server
>solution) and the network.  The failure of either can have a significant
>impact on the end-users...
>
>Regards,
>
>Aric Bernard
>
>
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
>Sent: Monday, August 22, 2005 10:17 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Virtual Domain Controllers
>
>It'd be interesting to hear what solutions are in place in larger 
>enterprise environments (for small remote sites). IMO, the hybrid 
>DC/File and Print in one box, for remote sites, sounds nasty because:
>
>1. There's no local SAM so a 'local' administrator needs to be
>built-in administrator in AD.. I guess that's fine if your domain
>admin=F&P Admin but if not
>2. If your file and print server contains loads of local groups
>etc...
>
>that becomes part of the AD database I know that this is less of an
>issue under Win2K3 versus Win2k/NT4, but if you're in a largish
>organisation dealing with 100+ sites, each with a hybrid FAP/DC with
>lots of groups and users that meet this criteria...I guess you wouldn't
>want to add the bloat to your AD if you can avoid it.
>
>Any other reasons?
>
>On the other side, what sort of performance hit do you get
>virtualising... GSX, I get around 50-60% of real life, subject to the
>number of Guests running and server role, and can't afford ESX so can't
>comment :-)
>
>Regards,
>Mylo
>
>Seely Jonathan J wrote:
>
>
>>Thanks, Brad.  That is very good to hear.  I also appreciate the tips.
>>
>>JJ
>>
>
>>*From:* [EMAIL PROTECTED] 
>>[mailto:[EMAIL PROTECTED] *On Behalf Of *Smith, Brad
>>*Sent:* Tuesday, August 09, 2005 3:09 AM
>>*To:* ActiveDir@mail.activedir.org
>>*Subject:* RE: [Activ

RE: [ActiveDir] Virtual Domain Controllers

2005-08-22 Thread Bernard, Aric
For your first question, you can find Microsoft's Branch Office
Infrastructure Solution (BOIS) here:
http://www.microsoft.com/technet/itsolutions/branch/default.mspx

In short, and more direct for your question, some organizations are
deploying a single server solution to a branch office/remote site which,
as an example, is a domain controller running VS2005 with VMs
representing other local servers/services that might be required (i.e.
File and Print, web caching, etc.). Using this approach, your Domain
Admins continue to be responsible for the physical machine and the
Domain Controller itself, however your local admin can fully administer
the other servers living within VMs (via RDP or remote tools) without
compromising the security of the DC.  This of course assumes that VS2005
does not contain a flaw that allows a guest to host breach. :)

As for performance, I do not have any concrete numbers, but you will
most certainly take a performance hit on both your host and your guests
when using virtualization.  I think your statement of 50-60% is quite
high based on my experience, but then again YMMV depending on what the
environment is hosting and what the end-user demands are and what the
host hardware configuration looks like.  (I prefer an x64 system with a
small array of disks - like the HP Proliant DL385 for ~$3500US.)
Regardless, in small remote sites performance is typically not critical
and nearly any server class system will perform adequately as a DC and a
VS2005 host. Keep in mind the small remote office solutions often have
two common single points of failure - the server (in a single server
solution) and the network.  The failure of either can have a significant
impact on the end-users...

Regards,

Aric Bernard




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

It'd be interesting to hear what solutions are in place in larger 
enterprise environments (for small remote sites). IMO, the hybrid 
DC/File and Print in one box, for remote sites, sounds nasty because:

1. There's no local SAM so a 'local' administrator needs to be
built-in administrator in AD.. I guess that's fine if your domain
admin=F&P Admin but if not
2. If your file and print server contains loads of local groups etc...

that becomes part of the AD database I know that this is less of an
issue under Win2K3 versus Win2k/NT4, but if you're in a largish
organisation dealing with 100+ sites, each with a hybrid FAP/DC with
lots of groups and users that meet this criteria...I guess you wouldn't
want to add the bloat to your AD if you can avoid it.

Any other reasons?

On the other side, what sort of performance hit do you get
virtualising... GSX, I get around 50-60% of real life, subject to the
number of Guests running and server role, and can't afford ESX so can't
comment :-)

Regards,
Mylo

Seely Jonathan J wrote:

> Thanks, Brad.  That is very good to hear.  I also appreciate the tips.
>  
> JJ
>
>

> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Smith, Brad
> *Sent:* Tuesday, August 09, 2005 3:09 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Virtual Domain Controllers
>
> We run multiple DC's on GSX and ESX.  Everything seems to have gone fine
> so far, and MS will give their best endeavours on support. Most of the
> time they don't even ask us if the DC is virtual ;-)
>
> Also, ensure that the time sync capability is disabled in the VMWare
> Tools, and that the DC boots up completely before the file and print,
> so that the file and print can authorise itself against it.  Otherwise
> the F&P may take up to half an hour (or thereabouts) to realise it can
> now contact a DC for file/print access authorisation.
>
>

> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] *On Behalf Of 
> *Grillenmeier, Guido
> *Sent:* Monday, August 08, 2005 12:16 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Virtual Domain Controllers
>
> hehe - single DC - must have overread that - I would have called that 
> to be a problem in itself ;-) 
> But then again it's only for 10 users and likely ok.  As such, I even 
> doubt that SID reissue is much of a problem as this environment is 
> likely rather static rgd. new objects in AD ;-)
>
>

> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] *On Behalf Of *joe
> *Sent:* Sonntag, 7. August 2005 00:43
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Virtual Domain Controllers
>
> Well since it is a single domain and a single DC I would say he really
> doesn't have a worry about USN rollbacks but he does hav

RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

2005-08-17 Thread Bernard, Aric
Douglas,

Why not just move them between databases on the same server?  Exchange 
2000/2003 does support multiple Storage Groups and multiple DBs within each SG. 
 

In fact you should probably look into splitting your 91GB DB into several 
smaller DBs so if in fact you do need to perform some kind of offline repair 
(Eseutil/Isinteg) you can do so on smaller DBs over the course of several 
scheduled downtimes.

Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, August 17, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

You make a very good point. Now that Exchange 2000 and 2003 allow such easy
moves of mailboxes between servers, that is probably the best solution.
However you're assuming that you have multiple Exchange back end servers. But
very good point.

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Al Mulnick
Sent: Wednesday, August 17, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat


I don't believe I've seen the reason that you want to defrag in the first 
place.  Any reason you would choose to defrag vs. just moving the users to a 
new db? 
 
Safer and faster IMHO than taking 3-10 hours to defrag and backing up the mail 
while doing so. 
 
Al



From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Wed 8/17/2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat



Keep in mind that this was a DELL Server Xeon 4 way 800 MHZ system with a Perc 
2 controller with U160, 10,000 rpm drives and the database resided on the DAS 
external array. I am sure that it will run much faster on the newer 3.0 GHZ 
Xeon's with Ultra 320 15,000 rpm Drives.

While you're at it you may want to also run ISINTEG which takes even longer.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Douglas M. Long
Sent: Wednesday, August 17, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat


Ah man, don't tell me that it took 10 hours for a 30GB database...the one I am 
defragging is 91GB.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, August 17, 2005 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

I am not sure I understand your point.. if he is trying to fix his bloat issue,
this tool will do the same thing as Eseutil in compacting the database without
having to take down his exchange servers.

Last time I ran Eseutil on a 30gb database it took nearly 10 hours to finish.

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michael B. Smith
Sent: Wednesday, August 17, 2005 11:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat


I would never recommend a tool that does offline defragmentation as preventive 
maintenance.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, August 17, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

Want a simpler method? Try http://www.goexchange.com/, ( GOexchange is painless 
to use and saves you time by running automatic expert preventive maintenance 
while you attend to more important things )

You won't even have to take your Exchange servers offline to defrag the 
information and public folder stores.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 17, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat


KB192185 has good info on this. You are on the right path, IMO.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Wed 8/17/2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat



I guess I was thinking of using the /p switch because of a paragraph"

"Run ESEUTIL with the /p switch to configure ESEUTIL to create the new
defragmented database on an alternate location (for example, to a location on a
different hard disk). This switch lets you preserve your original defragmented
database (which lets you revert back to your original database if necessary).
This switch also significantly reduces the amount of time it takes to
defragment a database, because you are rebuilding to a new location, rather
than rebuilding the datab

RE: [ActiveDir] Setting the default UPN when migrating accounts using ADMT

2005-08-10 Thread Bernard, Aric
No way to do this with ADMT.  The ADMTv3 beta
is pretty stable, unfortunately it does not have the ability to make this
change either.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Wednesday, August 10, 2005 11:42 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Setting the default UPN when migrating accounts using ADMT

In my test lab I have a single Win2k3 root domain and 2
child domains.  I am using ADMT 2 (when is 3 coming out, it's been in Beta
for over a year now) to migrate the accounts over.  Everything works great
except for the UPN.  For some reason it's always taking the name of the
root domain and not of the child domains.  Is there a way to make ADMT use
the child domain UPN?

I figured I'd ask before I write a script to do it for me.

Mike


RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
LOL - I probably would not have this problem if I spelled my first name
"correctly".

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 3:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Ah, it is a personal aversion to WINS at the crux here... I see. ;o)

WINS is great, I loved it. I ran a huge WINS architecture and it ran well,
but then it was well configured and well monitored. MS didn't make it easy
to monitor it, actually I think they tried everything they could to make it
so you couldn't monitor it, but those who figured it out, tended to be ok.
:)

It took me a minute to realize who you were talking to. We need Aric to
change his last name so he doesn't have two first names...


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 5:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

U  Well, one - I like simplicity.  Two, I'm not a big fan of WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

I didn't read the entire thread so maybe this is answered but this stuck out
to me, why isn't WINS going to work?

Neither WINS replication nor name resolution requires any trusts or even
authentication. It is all entirely unauthenticated with replication being
handled through IP address based "connection agreements" between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play.


When playing across subnets like this with netbios functionality, WINS is
generally the best way to go, certainly it is one of the least complex. The
only time I would really look at using LMHOSTS is if there was a requirement
not to use WINS or you don't want the names to be resolvable to anyone that
asks.


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping- but if you have a trust between a child win2k domain
in one forest with a root or child domain in another forest, does this use
WINS or DNS?
I know this is not a "real" forest trust and more like an external trust in
that it's not transitive and uses NTLM and NOT Kerberos, but does it also
rely on WINS/netbios like an old NT-style trust?

thanks

On 8/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> I just started today so what I got was- they have connectivity to the
> child dns server but they cut off connectivity to anything in the root
> domain.
> the firewall is blocking all root traffic.
> this has been like this for a week.
> nothing is replicating to the root and there is no access to the _msdc
> forest zone.
>
> The forest is win2k native with an empty root and 1 child domain in a
> separate tree.
> they have DA access in the child domain but no DA/EA access in the root.
> all the exchange servers(about 10) are in the child domain.
> the only recipient policy in the root is the default one and the
> enterprise RUS.
>
>
> They want to migrate the child domain and all the resources to a new
> forest where we have full control of everything.
> I assume we do not need connectivity to the _msdc forest dns zone to
> create a trust with the old child domain to migrate everything over

RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
Don't worry Kingslan, I won't hold anything against you!  ;)  LOL



"Aric" Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

U  Well, one - I like simplicity.  Two, I'm not a big fan of WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

I didn't read the entire thread so maybe this is answered but this stuck out
to me, why isn't WINS going to work?

Neither WINS replication nor name resolution requires any trusts or even
authentication. It is all entirely unauthenticated with replication being
handled through IP address based "connection agreements" between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play.


When playing across subnets like this with netbios functionality, WINS is
generally the best way to go, certainly it is one of the least complex. The
only time I would really look at using LMHOSTS is if there was a requirement
not to use WINS or you don't want the names to be resolvable to anyone that
asks.


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping- but if you have a trust between a child win2k domain
in one forest with a root or child domain in another forest, does this use
WINS or DNS?
I know this is not a "real" forest trust and more like an external trust in
that it's not transitive and uses NTLM and NOT Kerberos, but does it also
rely on WINS/netbios like an old NT-style trust?

thanks

On 8/8/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> I just started today so what I got was- they have connectivity to the
> child dns server but they cut off connectivity to anything in the root
> domain.
> the firewall is blocking all root traffic.
> this has been like this for a week.
> nothing is replicating to the root and there is no access to the _msdc
> forest zone.
>
> The forest is win2k native with an empty root and 1 child domain in a
> separate tree.
> they have DA access in the child domain but no DA/EA access in the root.
> all the exchange servers(about 10) are in the child domain.
> the only recipient policy in the root is the default one and the
> enterprise RUS.
>
>
> They want to migrate the child domain and all the resources to a new
> forest where we have full control of everything.
> I assume we do not need connectivity to the _msdc forest dns zone to
> create a trust with the old child domain to migrate everything over(or
> anything in the root dns zone).
>
> I'm not 2nd guessing the Quest guys, this is only for my own education.
>
> Thanks a lot
>
>
> On 8/8/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > I am sure Quest's consultants know what they are doing. Didn't you
> > have them put a quote and migration plan together prior to the actual
> > migration? Or are you asking these questions because you are second
> > guessing them? Or is this just for your own knowledge?
> >
> > My understanding is that both domain names have to be different when
> > using ADMT to migrate from a Source Domain to a Target Domain, unless
> > Quest has a tool that overcomes this that I am not aware of. Are you
> > trying to keep the same domain name as the so
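Rick's LMHOSTS description (quoted in both AD migration messages above) says the records must match the KB180094 format exactly. The following is an added example, not code from the thread or from Microsoft: it builds the two records a trust without WINS relies on (the PDC entry tagged #PRE #DOM:<domain>, and the quoted domain record with the \0x1b suffix, whose name must be padded to exactly 15 characters) and checks hand-typed lines for the usual mistakes. IP addresses, host and domain names are constructed.

```python
"""Added example, not from the original thread: build and sanity-check the
LMHOSTS records used for an NT-style trust without WINS (format per
KB180094). All IPs, host and domain names are constructed sample values."""
import re

NETBIOS_NAME_LEN = 15      # 15 name characters; the 16th byte is the suffix
SUFFIX_1B = "\\0x1b"       # domain record suffix, written literally in the file


def pdc_record(ip, pdc_name, domain):
    """'<ip> <PDC> #PRE #DOM:<DOMAIN>' - tells NetBT where the target domain's PDC is."""
    return f"{ip} {pdc_name.upper()} #PRE #DOM:{domain.upper()}"


def domain_1b_record(ip, domain):
    """'<ip> "<DOMAIN padded to 15>\\0x1b" #PRE' - the padding is the usual mistake."""
    name = domain.upper()
    if len(name) > NETBIOS_NAME_LEN:
        raise ValueError(f"{name!r} is longer than {NETBIOS_NAME_LEN} characters")
    return f'{ip} "{name.ljust(NETBIOS_NAME_LEN)}{SUFFIX_1B}" #PRE'


_QUOTED = re.compile(r'^(\S+)\s+"([^"]*)"\s*(.*)$')
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_trust_record(line):
    """Return a list of problems with one LMHOSTS line meant for trust setup.

    An empty list means the line looks right. Blank and comment lines pass."""
    problems = []
    text = line.strip()
    if not text or text.startswith("#"):
        return problems
    m = _QUOTED.match(text)
    if m:                                     # quoted form: the domain/0x1b record
        ip, quoted, tags = m.groups()
        if not quoted.endswith(SUFFIX_1B):
            problems.append("quoted name must end with \\0x1b")
        elif len(quoted) - len(SUFFIX_1B) != NETBIOS_NAME_LEN:
            problems.append(f"name inside the quotes is {len(quoted) - len(SUFFIX_1B)} "
                            f"characters; pad with spaces to exactly {NETBIOS_NAME_LEN}")
        tag_list = tags.split()
    else:                                     # plain form: the PDC record
        parts = text.split()
        if len(parts) < 2:
            return ["expected '<ip> <name> #PRE #DOM:<domain>'"]
        ip, name, tag_list = parts[0], parts[1], parts[2:]
        if len(name) > NETBIOS_NAME_LEN:
            problems.append(f"host name {name} is longer than {NETBIOS_NAME_LEN} characters")
        if not any(t.upper().startswith("#DOM:") for t in tag_list):
            problems.append("missing #DOM:<domain> tag; a trust's PDC entry needs it")
    if not _IPV4.match(ip):
        problems.append(f"{ip} is not a dotted IPv4 address")
    if "#PRE" not in (t.upper() for t in tag_list):
        problems.append("missing #PRE; the entry will not be preloaded into the name cache")
    return problems


if __name__ == "__main__":
    # Constructed: old child domain OLDCHILD, its PDC at 10.1.1.5
    good = [pdc_record("10.1.1.5", "pdc01", "oldchild"),
            domain_1b_record("10.1.1.5", "oldchild")]
    # Constructed mistakes: one space of padding instead of seven, and no #DOM tag
    bad = ['10.1.1.5 "OLDCHILD \\0x1b" #PRE', "10.1.1.5 PDC01 #PRE"]
    for rec in good + bad:
        print(rec)
        for p in check_trust_record(rec):
            print("   !", p)
```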

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Bernard, Aric
Bob,

As Rick and Joe mentioned, as far as allowing a system to do something
on behalf of a user, constrained delegation is a pretty good solution.
Your developer's need, as I understand it, is as follows:

User connects to a front application server (i.e. web server) and
authenticates to that server using Kerberos.  The application needs to
be able to contact multiple different SQL servers to perform a
distributed query.  If the application were to do this with a service
information that the service account had that matched the query - this
might contain more or less information than the user making the request
has access to.  In addition the audit trail on the SQL server should
reflect that the application server made the access to the SQL server as
opposed to the user.

Using constrained delegation, the application server is provided the
capability to act as the user when interacting with the identified SQL
servers (only).  If done properly, the application server will be
delegated in a manner that explicitly identifies the SQL servers' Service
Principal Names (which include port numbers) associated with each SQL
computer object in the directory.  Therefore the application server CAN
impersonate the user but under the constraint that it may only occur
when communicating with the remote server/service/port as named in the
delegation.

In your case the risk should be relatively low so long as your developer
has a vested interest in the integrity of the data on the SQL servers.
The only "abuse" of this specific configuration that I can think of off the
top of my head would be the possibility for the developer to execute a
stored procedure on the SQL server with more rights than he or she would
typically have, thereby gaining access to or altering data in the DB that
they would otherwise not have access to.

Now if your developer starts asking for constrained delegation from the
application server to a DC, we should talk some more. :)

Regards,

Aric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

 >Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

That's the point of my query, I certainly don't understand all I know
about it and we have never allowed it, at this point I have just begun
to scratch the surface. I was totally uncomfortable when it was first
proposed and threw up the stop sign. I'm getting less comfortable by the
minute as I read more about it. 

I'm reading the Kerberos Protocol Transition and Constrained Delegation
article and the Troubleshooting Kerberos Delegation white paper and like
I said, trying to understand all I know about it ;-(

Everyone's comments so far are immensely appreciated.

Thanks

Bob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

Anytime you allow someone or something to impersonate, err, act on
behalf of another security principal, there is always cause for concern.
Constrained delegation certainly provides some flexibility in achieving
this goal and fulfilling the application's need, but like any Domain
Admin in your forest the developer and the application must be trusted.

I would recommend clear documentation as to the architecture of the
application, how and with what other systems it interoperates, and if
you have the wherewithal (or can bring in someone who does) a code
review to ensure that what is defined is accurate.

I know this seems a little over-the-top, but we are talking about you
accepting someone else walking around with my ID and saying "he told me
it was OK that I access  on his behalf."

Regards,

Aric Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

We have a developer who wants us to allow delegation for a couple of SQL
servers and their service accounts so he can do distributed queries
across linked servers. This is new ground for us from an AD perspective
that I have just started researching and I'd like to hear other's
thoughts, policies etc.

We are at 2003 functional level so from what I read, we can allow
constrained delegation which is much better than un-constrained but most
of the comments I come across indicate this isn't something to be taken
lightly, has serious security ramifications, policies should be in place
etc etc..

I can fi

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Bernard, Aric
Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

Anytime you allow someone or something to impersonate, err, act on
behalf of another security principal, there is always cause for concern.
Constrained delegation certainly provides some flexibility in achieving
this goal and fulfilling the application's need, but like any Domain
Admin in your forest the developer and the application must be trusted.

I would recommend clear documentation as to the architecture of the
application, how and with what other systems it interoperates, and if
you have the wherewithal (or can bring in someone who does) a code
review to ensure that what is defined is accurate.

I know this seems a little over-the-top, but we are talking about you
accepting someone else walking around with my ID and saying "he told me
it was OK that I access  on his behalf."

Regards,

Aric Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

We have a developer who wants us to allow delegation for a couple of SQL
servers and their service accounts so he can do distributed queries
across linked servers. This is new ground for us from an AD perspective
that I have just started researching and I'd like to hear other's
thoughts, policies etc.

We are at 2003 functional level so from what I read, we can allow
constrained delegation which is much better than un-constrained but most
of the comments I come across indicate this isn't something to be taken
lightly, has serious security ramifications, policies should be in place
etc etc..

I can find a reasonable amount of information from the developers
point-of-view, and I can see how to implement it technically (I think)
but not a whole lot from the AD admin's perspective, especially as it
pertains to the desirability of allowing it and how best to manage it if
it is allowed.

Any info greatly appreciated.

Bob

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
Tom,

While I am sure that Rick has some document in which using LMHosts files
is identified as a best practice, I can assure you that it is quite
feasible to use WINS to accomplish the name resolution requirement for
the task at hand: creating an external trust between two domains with
different names explicitly for the purpose of migrating client systems
from one domain to another.  In fact I might suggest that in many cases
this is a better approach.  The Quest products will rely on name
resolution (as well as the trust) in order to migrate users, groups,
workstations, servers and other resources between domains.  This name
resolution will in fact be even more important during the migration
process if users in one domain will need to access resources in the
other domain.  The existing WINS environment is already populated with
the necessary records, and has all the information required to resolve
the names of DCs, resource servers, workstations, etc. in the existing
domain.  Assuming you have administrative control over the WINS server,
you can certainly configure WINS replication between a WINS server in
the new environment and one in the existing environment - and no, a
trust is not needed to make this work as WINS replication (and
resolution) is generally unauthenticated.

If you are planning to migrate your WINS servers to the new environment
I might argue that the best approach would be to migrate them first (one
by one verifying functionality as you go) to the new environment and
continue to point both old *and new systems* to the same WINS servers.
Of course this assumes, as stated previously, that you have
administrative control over the WINS servers.  This implementation
should avoid the need to use LMHost files or change primary/secondary
WINS assignments on migrated systems.  This is an approach I have used
many times when migrating between forests and between NT4 domains and AD
domains.

As for migrating without the availability of the root domain, you should
be "mostly" OK as the Quest representatives stated.  However without the
root being accessible and the _msdcs DNS domain being unavailable, I
would certainly look to accelerate the migration as you should start
having replication even within your child domain(s).

Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Tom,

The solution that I gave you is the only one that I know of.  If you are
able to get DNS to work (doubtful) or are able to get WINS to replicate
across a trust that at the present time doesn't exist, more power to
you.

However, given the trials and tribulations that you have discussed with us
over the past couple of weeks - *I* would be looking for the easiest,
accepted, maintainable "best practice" method for getting your job done.

A piece of personal advice - and you can choose to ignore it or use it -
it's free.

In your new position, they are looking for results - not the most trick way
of doing something.  I am sure that the company that has retained your
services is being billed for the time that you work to migrate their user
base and Exchange to something that they can control.  Finding a DNS or a
WINS solution when the LMHosts solution is 'best practice' is simply not a
good idea.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Why can't you just use stub zones or conditional forwarding for this to
work?

Or if NetBT is involved, can you just configure your WINS servers to
replicate? I thought WINS replication had nothing to do with NT
security. You just enter the IP of the partner servers...

Thanks

On 8/9/05, Rick Kingslan <[EMAIL PROTECTED]> wrote:
> Really, it uses neither.  The NetBT is involved, but because we are on (at
> present) untrusted domains and forests, WINS isn't going to work.
> 
> Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
> The records are going to be very specific, as they will define the domain of
> the target domain, as well as (typically) the PDC for the target.  A
> 'mirror' LMHosts will be set up on the other trusting side.
> 
> As noted, the format of the records is specific, and can be found here:
> 
> http://support.microsoft.com/kb/180094/
> 
> And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
> defined, otherwise they will not work.
> 
> Good luck - it's not daunting, but can be tedious to get working the first
> time.
> 
> Rick
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tuesday, August 09, 2005 5:58 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] AD migration
> 
> Sorry to keep harping- but if you h

RE: [ActiveDir] Site link costs

2005-07-21 Thread Bernard, Aric
Cathy,

I think you have got a handle on the big picture – AD will work without
creating any explicit site links, which implies that all sites will be
members of the DefaultSiteLink; however this may not be the optimal
configuration and in turn may result in a “replication topology” that is
undesirable or at least lackluster in terms of performance.  To quote
Charlie… “it all depends on your [network] topology that you have”.

Regards,

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of O'Brien, Cathy
Sent: Thursday, July 21, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site link costs

Thanks to all of you who responded.

 

I think part of my problem is with
semantics. As Aric says, it's important to differentiate between sites, site
links, and connection objects. People here at work are saying that AD will
create its own site links, but actually, AD just uses the DefaultSiteLink to
create connection objects if we don't explicitly create site links, right? AD
doesn't actually create any new site link objects on its own? I certainly don't
see any in our environment that we didn't explicitly create.

 

I guess what these others mean is just
that we don't HAVE to create any site links. While I think our experience is
showing that we probably should, they're correct that we don't absolutely have
to. I just wanted to be sure though that I was understanding the concepts
underneath correctly.

 

Homework for the weekend: read through the AD Replication Topology
Technical Reference :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, July 21, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site link costs

While I know absolutely nothing about your environment aside from what
you mention below, I would have to make an assumption that if your AD
site topology were configured properly you could have accomplished what
you want without “deactivat[ing] the ability for AD to create its own
links”.  Your approach is certainly not a best practice for most
environments.

Furthermore, it is important to differentiate between sites, site links
and connection objects.  In every forest, sites and associated site links
must be implemented manually/programmatically [1] as the KCC/ISTG only
handles the creation of connection objects between DCs based on the site
topology explicitly defined in the AD.  If you were seeing connection
objects being created automatically between servers that you
“disapproved” of then an error existed in the site topology you defined.
Keep in mind that your site topology consists of many things including
sites, site links, site link bridges, costs, schedules, preferred
bridgehead servers (optionally), and more.

 

[1] The exception to this is the DefaultFirstSite and DefaultSiteLink.

Regards,

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Thursday, July 21, 2005 11:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Site link costs

Great question, we just had this at our place.  We just finished
deploying a W2K3 AD structure across the globe with each division using
their own sub domain.

We are creating our site links manually.  And by saying "We" I mean one
of the five Enterprise admins across the globe.  We have deactivated the
ability for AD to create its own links so we don't have to worry about
oddities.

The reason for this is so we can control how often and WITH WHOM each
site replicates.  Right now we have the site that hosts the first DC for
each domain replicating back to sites with root domain controllers but
all other domain sites only replicate with each other and their first DC.
This means that if the link between our root domain controllers and that
primary domain controller site was to go away we wouldn't have
replication with them.

The links that were being created by AD weren't what we wanted.  We had
sites in Italy replicating with New Jersey and sites in Mexico
replicating with Ireland.  I think this had something to do with our
routing tables, firewall placements and frame relay clouds that we are
using across the globe.

So, I guess it all depends on your topology that you have.

Charlie

-Original Message-
From: O'Brien, Cathy [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 21, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site link costs

Sorry for the basic question...

Our company just upgraded our NT4 domains in-place as child W2K3 domains
under an empty W2K3 forest root domain. 22 sites and their associated
subnets were established, with one subsidiary leaving all their objects
in the default first site beca

RE: [ActiveDir] Site link costs

2005-07-21 Thread Bernard, Aric
While I know absolutely nothing about your environment aside from what
you mention below, I would have to make an assumption that if your AD
site topology were configured properly you could have accomplished what
you want without “deactivat[ing] the ability for AD to create its own
links”.  Your approach is certainly not a best practice for most
environments.

Furthermore, it is important to differentiate between sites, site links
and connection objects.  In every forest, sites and associated site links
must be implemented manually/programmatically [1] as the KCC/ISTG only
handles the creation of connection objects between DCs based on the site
topology explicitly defined in the AD.  If you were seeing connection
objects being created automatically between servers that you
“disapproved” of then an error existed in the site topology you defined.
Keep in mind that your site topology consists of many things including
sites, site links, site link bridges, costs, schedules, preferred
bridgehead servers (optionally), and more.

[1] The exception to this is the DefaultFirstSite and DefaultSiteLink.

Regards,

Aric
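
As an added illustration of why an explicit site topology matters (this is not code from the thread, only a simplified model of the ISTG's least-cost route selection that assumes site-link bridging is on): each site link joins all of its member sites at the link's cost, so a single DefaultSiteLink holding every site makes every pair of sites equally cheap and nothing in the costs steers Italy away from New Jersey. Site names and costs are constructed.

```python
"""Least-cost inter-site replication paths from site link definitions.

Added example: a simplified model of the ISTG's route selection, assuming
site-link bridging (transitive links). Site names and costs are constructed.
"""
import heapq
from itertools import combinations


def build_graph(site_links):
    """site_links: {link_name: (cost, [member sites])}.

    A site link joins every pair of its member sites at the link's cost, so a
    single link holding all sites (the DefaultSiteLink case) is a full mesh in
    which every pair of sites costs exactly the same."""
    graph = {}
    for cost, members in site_links.values():
        for a, b in combinations(members, 2):
            for x, y in ((a, b), (b, a)):
                current = graph.setdefault(x, {}).get(y)
                graph[x][y] = cost if current is None else min(current, cost)
    return graph


def cheapest_paths(site_links, source):
    """Dijkstra over the site-link graph.

    Returns {site: (total_cost, [source, ..., site])} for each reachable site."""
    graph = build_graph(site_links)
    best = {source: (0, [source])}
    heap = [(0, source, [source])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if cost > best[site][0]:
            continue  # stale heap entry
        for nxt, edge in graph.get(site, {}).items():
            new_cost = cost + edge
            if nxt not in best or new_cost < best[nxt][0]:
                best[nxt] = (new_cost, path + [nxt])
                heapq.heappush(heap, (new_cost, nxt, path + [nxt]))
    return best


def single_hop_candidates(site_links, source):
    """Sites whose cheapest route from `source` is one link.

    When several are returned at equal cost, nothing in the costs prefers one
    over another, which is how an arbitrary pairing such as Italy with New
    Jersey arises under a flat DefaultSiteLink."""
    paths = cheapest_paths(site_links, source)
    return sorted(site for site, (_, path) in paths.items() if len(path) == 2)


# Constructed sample: links that follow the WAN, versus the default flat link.
SITES = ["Milan", "London", "Dublin", "NewJersey", "MexicoCity"]
EXPLICIT_LINKS = {
    "IT-UK": (100, ["Milan", "London"]),
    "IE-UK": (100, ["Dublin", "London"]),
    "UK-US": (200, ["London", "NewJersey"]),
    "MX-US": (150, ["MexicoCity", "NewJersey"]),
}
DEFAULT_ONLY = {"DefaultSiteLink": (100, SITES)}

if __name__ == "__main__":
    for label, links in (("explicit links", EXPLICIT_LINKS),
                         ("DefaultSiteLink only", DEFAULT_ONLY)):
        print(label)
        for site, (cost, path) in sorted(cheapest_paths(links, "Milan").items()):
            print(f"  {site:11} cost {cost:4}  via {' -> '.join(path)}")
```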

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Thursday, July 21, 2005 11:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Site link costs

Great question, we just had this at our place.  We just finished
deploying a W2K3 AD structure across the globe with each division using
their own sub domain.

We are creating our site links manually.  And by saying "We" I mean one
of the five Enterprise admins across the globe.  We have deactivated the
ability for AD to create its own links so we don't have to worry about
oddities.

The reason for this is so we can control how often and WITH WHOM each
site replicates.  Right now we have the site that hosts the first DC for
each domain replicating back to sites with root domain controllers but
all other domain sites only replicate with each other and their first DC.
This means that if the link between our root domain controllers and that
primary domain controller site was to go away we wouldn't have
replication with them.

The links that were being created by AD weren't what we wanted.  We had
sites in Italy replicating with New Jersey and sites in Mexico
replicating with Ireland.  I think this had something to do with our
routing tables, firewall placements and frame relay clouds that we are
using across the globe.

So, I guess it all depends on your topology that you have.

Charlie

-Original Message-
From: O'Brien, Cathy [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 21, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site link costs

Sorry for the basic question...

Our company just upgraded our NT4 domains in-place as child W2K3 domains
under an empty W2K3 forest root domain. 22 sites and their associated
subnets were established, with one subsidiary leaving all their objects
in the default first site because they feel their bandwidth will support
it. However, we're currently having heated discussions regarding AD and
site topology.

Some IT members are saying that there is no need to manually create site
links or assign properties such as cost and replication interval. They
say that if we don't do this, then AD does it automatically and it will
do a better job than we would anyway.

I thought that the KCC needed the site topology info to be provided
(whether manually or programmatically) so that it could automatically
create the connection objects (provided you're not manually creating
them).

So who is confused here, me or them? This should be basic stuff, and I
want to understand it correctly :-).

TIA,

Cathy

RE: [ActiveDir] GC availability issue?

2005-07-18 Thread Bernard, Aric

Under normal (whatever that means) circumstances 2 GCs should certainly
be able to handle 500 users.

 

Have you defined subnets for each of your
9 sites?  

Are you certain that the clients in
question belong to one of the defined subnets?

Are your DCs registering all appropriate site
coverage records in DNS?

Is this usage of remote DCs occurring typically on the workstation's
first access during/after joining the domain, or does it continue after
subsequent reboots?

 

Introducing Windows Server 2003 schema extensions
should not cause this problem.

 

As for the rename error – this could certainly be the result of the
system “believing” that its name is a duplicate in the organization due
to replication latency based on your site topology.  This of course could
be exacerbated by the fact that local systems (the new machines) might be
accessing DCs in remote sites.

Aric 
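
Aric's first two questions (are subnets defined for every site, and do the clients in question fall inside one?) can be checked mechanically. The following is an added example, not code from the thread: it maps client IPs to sites by longest matching subnet, the way AD subnet objects are matched, flags overlapping subnets assigned to different sites, and filters NO_CLIENT_SITE lines in the style of a DC's netlogon.log down to the clients the subnet map still does not cover. The subnets, site names and log lines are constructed.

```python
"""Map client IPs to AD sites by subnet and find clients with no site.

Added example (not from the thread). Subnets, site names and log lines are
constructed; the NO_CLIENT_SITE field layout mimics netlogon.log, but the
sample lines themselves are made up.
"""
import ipaddress
import re


def site_for_client(ip, subnet_map):
    """Return the site whose subnet object covers `ip`, or None.

    subnet_map: {"10.1.0.0/16": "Main", ...}. As with AD subnet objects, the
    most specific (longest prefix) match wins when subnets nest. A client
    that gets None is in no defined subnet and may use a DC from any site."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnet_map.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def overlapping_subnets(subnet_map):
    """Pairs of subnets that overlap yet belong to different sites.

    A client inside the overlap is placed by prefix length alone, which is
    worth knowing before blaming GC capacity for odd DC selection."""
    nets = [(ipaddress.ip_network(c, strict=False), s) for c, s in subnet_map.items()]
    found = []
    for i, (n1, s1) in enumerate(nets):
        for n2, s2 in nets[i + 1:]:
            if s1 != s2 and n1.overlaps(n2):
                found.append((str(n1), s1, str(n2), s2))
    return found


# netlogon.log records clients that reached a DC without matching any subnet
# as "NO_CLIENT_SITE: <client> <ip>"; this pulls those two fields out.
NO_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})")


def unmapped_clients(log_lines, subnet_map):
    """{client: ip} for logged site-less clients that the current subnet map
    still fails to cover (clients covered by a subnet added since are dropped)."""
    result = {}
    for line in log_lines:
        m = NO_SITE_RE.search(line)
        if m and site_for_client(m.group(2), subnet_map) is None:
            result[m.group(1)] = m.group(2)
    return result


# Constructed sample data.
SUBNETS = {
    "10.1.0.0/16": "Main",
    "10.1.50.0/24": "Lab",      # nested inside Main; longest prefix wins
    "10.2.0.0/16": "Branch-A",
}
SAMPLE_LOG = [
    "07/18 11:34:02 [MISC] NO_CLIENT_SITE: PC-ROLLOUT07 192.168.7.7",
    "07/18 11:34:05 [MISC] NO_CLIENT_SITE: PC-ROLLOUT08 10.1.3.9",
    "07/18 11:34:09 [MISC] (some other constructed netlogon.log entry)",
]

if __name__ == "__main__":
    for ip in ("10.1.3.9", "10.1.50.4", "192.168.7.7"):
        print(f"{ip:12} -> {site_for_client(ip, SUBNETS)}")
    print("overlaps:", overlapping_subnets(SUBNETS))
    print("still unmapped:", unmapped_clients(SAMPLE_LOG, SUBNETS))
```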

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]
Sent: Monday, July 18, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GC availability issue?

Everyone,

We have an empty root domain and a child domain with approximately 9 or so
sites in the forest.  The root domain has 2 DCs (1 GC) and the child
domain has 3 DCs (1GC) both of which are located in our main site.  At our
main site where I am located we have approximately 500 users.  The best
scenario I can give you is we do PC rollouts where we take a large number of
PCs 30-50 at a time and rename them with an old extension in the host name then
we bring a new machine onto the network with the same name.  Sometimes we
get an error saying the computer account already exists in the organization
when we try to name the new machine with the same name, but the issue is
inconsistent.  I did some traffic sniffing with a PC and found that approximately
50% of the time machines in our site are contacting servers in other site for
directory service information instead of our site DCs.  Even machines that
have been on the network are not using local site DCs for information all the
time but using other site DCs instead.  I am wondering what could be
causing this.  This configuration has been static for some time; nothing
new has been introduced except for Windows 2003 schema (could this be the
cause?).  I think it is because we do not have enough GCs in our site (2),
but my boss disagrees.  What does everyone think?

 

Jeremy

---
Jeremy Burkes
Strategic Systems Programs
Management Information Systems
Help Desk: 202-764-1442
Work: 202-764-1270
Fax: 202-764-1503
[EMAIL PROTECTED]

RE: [ActiveDir] branch office and dns

2005-07-12 Thread Bernard, Aric
If your branch office DC will be a DNS server AND you only have *one*
internal DNS domain, then yes, you should be able to configure your
branch office DNS server to leverage the ISP's DNS servers as forwarders
without additional configuration.

If you have additional internal DNS domains, then as Jorge mentions you
will have to configure some method to allow name resolution for those
other domains - forwarding to other internal DNS servers, conditional
forwarding for the specific namespaces, or transferring the zone to the
branch office DNS server are all (but not the only) examples.


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, July 11, 2005 12:03 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] branch office and dns

Assuming you have windows 2003 dns you can use conditional forwarding
I suppose you could configure forwarding for certain internal domains to
the HQ DNS servers if needed and for all other DNS domains forward to
the local ISPs
 
Cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Jeff Kraus
Sent: Mon 7/11/2005 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] branch office and dns


Hi all,
I would like to set up a branch office that connects to our domain via a
VPN so that the branch office can resolve our internal AD-integrated
domain and use their local ISP DNS for external instead of looking to
the HQ DNS servers and having them resolve the external name (which they
do already).
The HQ DNS servers are set up to use forwarders. Would I do the same for
the branch office?
The branch office server will be a domain controller as well. (I have
already addressed all concerns about a branch office domain controller -
it is necessary.)
 
thanks for all your help 
 
 
Jeff Kraus
 
Network Manager
NIC Holding Corp.
25 Melville Park Rd
Melville NY, 11747
Voice: 631.753.4272
Fax:631.753.4305
Email:  [EMAIL PROTECTED]
 
 


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] Ds commands

2005-07-01 Thread Bernard, Aric
Most of the DS commands will work against a win2k DC.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, July 01, 2005 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ds commands

How do the DS commands figure out how not to work against a win2k dc or
does it matter?
If I just type "dsquery...", will it hit a win2k dc or try to find a
win2k3 dc?

Thanks.
Sorry to hear about your job fiasco, Rick.
They lost a good engineer.

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)



RE: [ActiveDir] OT - just a bit OT. Visio and AD

2005-06-30 Thread Bernard, Aric
FWIW, in the latest revision the HP OVOw tool is now called the HP
OpenView Topology Viewer or OVTV.  The tool now accompanies both the AD
SPI and the Exchange SPI since it features the capability to visually
lay out both the Active Directory and the Exchange Organization.  Also
the tool can now save the views into an XML format for easy reuse and
possible data accessibility by another application or script.

I could not find any documentation on the HP web site showing updated
screen shots from the latest revision (although I did not look too hard)
so I have temporarily posted some basic screen shots of a test
environment at the following URL if anyone wants to take a peek.

http://www.sacnet.us/ovtv

Regards,

Aric Bernard 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 30, 2005 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD

I think I could have called that one. ;o)

Thanks for doing that, my version was pretty old. Last time I ran it at

it generated a map that was like 14 pages wide or something like that.
Rather large but still useful.


Also since Guido hasn't mentioned it, folks may want to peek at the HP
OVO/W ADSPI package. The old Age of Directories piece is in there and
named Active Directory Topology Viewer (ADTV). The view you get with that
is very cool. Heck it was very cool when I got it from Mickey back like
5-6 years ago.


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, June 30, 2005 7:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD

Ok I received many "me too" posts and since most of you are likely
blocking attachments I have simply set up a download workspace that will
be available for a day or so.  As I stated below this tool comes with no
official support from Microsoft.  If you want to download it please use
the following workspace to do so:

https://sftus.one.microsoft.com/choosetransfer.aspx?key=d47fed07-f9fd-48cf-9410-b597605c104a

Select Receive Files from Microsoft and use the following password:
L#oHvsiu[d

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, June 30, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD

However there is a tool that is often used by support engineers at
Microsoft called ADMap that can produce maps of your AD including OUs.
It is however not fully supported and simply a tool that allows for easy
documentation of an environment.  It will query the data from AD and
make nice Visio diagrams of your AD and Exchange environment.  I will
send it to you offline but it comes with no support. :-)

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Thursday, June 30, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD

Doh so now I have to manually create the layout.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, June 30, 2005 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD

Microsoft removed this functionality; it is on the Visio website.

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: 30 June 2005 22:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT - just a bit OT. Visio and AD

Has anyone used Visio 2003 to connect to AD and get the OU structure?  I
have done it using an older version of Visio but seem to be having
problems getting 2003 to do it.

Jeff


RE: [ActiveDir] _msdcs question

2005-06-03 Thread Bernard, Aric
If the _msdcs isn't "inside" the zone, then it must be inside some
"other" zone.  Transfer that zone as well as the zone you are currently
transferring.  Alternatively, set up conditional forwarding for the zone
holding the _msdcs records.


Regards,

Aric.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, June 03, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] _msdcs question


 Still having _msdcs issues.

Now I can't add a user from the TRUSTING domain to the local
administrators group on the TRUSTED domain.  When I try, I get "The
server is not operational."  According to JSI, this is due to there
being no SRV records on the TRUSTING domain for that zone.  So I looked
at http://www.jsifaq.com/SUBJ/tip4600/rh4606.htm.  However, I already
have the zone transferred, but since the trusted domain is Win2003 and
the _msdcs isn't inside the zone, when we do zone transfers we aren't
getting the SRV records with it.


Any suggestions?

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] DNS zone replication in Active Directory

2005-04-29 Thread Bernard, Aric
Many organizations are using application directory partitions to store
DNS zone information in Windows Server 2003 domains and forests.  Does
it help improve replication performance? I am not sure if I can answer
that directly as it would depend on the organization and the amount of
DNS "churn" they experience.  What it does do is the following:

Limit the scope of servers that host DNS information.
Limit the replication of DNS information to only those servers that
"need it".
Limit the traffic associated with replication between non-DNS DCs that
are not specifically configured to host one of these application
partitions.
Reduce the size of the database on DCs that do not hold one of these
partitions.
Keep all references to DNS records out of the Global Catalog.

HTH,

Aric Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, April 29, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zone replication in Active Directory

Greetings, 

Is anyone using this new feature in Windows Server 2003 where DNS zones
can be stored in the domain or application directory partitions of
Active Directory? I found this on the Microsoft TechNet site that states
that "A partition is a data structure within Active Directory used to
distinguish data for different replication purposes. For more
information, see Active Directory integration". Is anyone using this
and does this feature help improve replication performance?

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/6c0515cf-1719-4bf4-a3c0-7e3514cef658.mspx

Thanks in advance, 

Jose Medeiros
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org



RE: [ActiveDir] DDNS and VPN Client Question

2005-04-29 Thread Bernard, Aric
Charles,

By default, the DNS client on Windows XP does not attempt dynamic update
over a Remote Access Service (RAS) or virtual private network (VPN)
connection. To modify this configuration, you can modify the advanced
TCP/IP settings of the particular network connection (VPN connection) or
modify the registry.

I just tested this using a simple configuration of a Windows VPN server,
a Windows DDNS server, and a Windows XP client.  Dynamic registration
was successful.

Be sure that your clients have been configured to dynamically register
their address by looking at the TCP/IP properties of the VPN
connection/interface itself.  Also be sure that the DNS servers they try
to register with are DDNS enabled.

Regards,

Aric Bernard



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Friday, April 29, 2005 9:20 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] DDNS and VPN Client Question

My laptops are getting all of the correct corporate DNS information when
they connect.

The problem is that my laptops are not updating their own DDNS entries
in those DNS servers because the DDNS entries are supposed to be updated
when a laptop boots up.  When I then query for the DDNS the laptops have
their old IP address references there so I don't get the machine with
the current IP address.

When a laptop connects to the network after it has booted up, I was
wondering if there was a way to force the DDNS refresh as well.  Running
"ipconfig /registerDNS" doesn't do the trick as that only refreshes the
local DNS servers not the DDNS.

I was told that if the laptops don't update their DDNS entries,
applications such as SMS may not be able to connect to the correct
machines.

Charlie

-Original Message-
From: Medeiros, Jose [mailto:[EMAIL PROTECTED]
Sent: Friday, April 29, 2005 11:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DDNS and VPN Client Question


Well I can assure you that PPTP on Microsoft Servers ( NT4, 2000, 2003 )
if properly configured will hand out your internal corporate DNS servers
when a user connects remotely, as will Cisco or other hardware based VPN
solutions. I am not familiar with AT&T's service provider solution.

Hope this helps, 

Jose Medeiros

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Carerros,
Charles
Sent: Friday, April 29, 2005 8:58 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] DDNS and VPN Client Question


We are using a software based Nortel solution managed by ATT.

ATT indicated that because the DDNS is updated when a Windows box starts
up they cannot replicate the DDNS entry using the software solution.  If
we are to go with a hardware Cisco solution they can shape the startup
process to grab the correct DDNS zone during the startup process.

They made it sound like this was a universal problem for VPN connections
that allow users to log onto their laptops and then dial in over VPN.

Charlie

-Original Message-
From: Medeiros, Jose [mailto:[EMAIL PROTECTED]
Sent: Friday, April 29, 2005 10:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DDNS and VPN Client Question


It would be helpful if you stated what type of VPN concentrator you are
using.

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Carerros,
Charles
Sent: Friday, April 29, 2005 8:35 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DDNS and VPN Client Question


I just got finished in a meeting with my VPN vendor who had indicated
that when our VPN clients connect to my corporate network they are
unable to refresh their DDNS entries.  This causes us some issues as
that client will then have the wrong DDNS entry (maintaining the
previous entry) so some of our management tools might not be looking at
the incorrect machine.

I was wondering if anyone has heard of this as an issue and if so found
a software way to get around it.

I was told that the only way for this to work is for us to implement a
Cisco VPN which forwards to a properly configured MS DHCP server that
then allows the updating of the DDNS entry (I think through some proxy
setting, I stopped paying attention when I started thinking what it
would take to change all of my remote users to a different client).

Any help would be appreciated.

Charlie




RE: [ActiveDir] GC's

2005-04-22 Thread Bernard, Aric
Tom, 

Most likely the reason that MS instructed them to remove the GC role
from all the DCs, only later to re-enable the role, as well as the
answer to your question around why would these deleted objects show up
on a GC is "lingering objects."  Basically a lingering object is an
object that has been previously deleted on a DC with a writeable
partition, but for some reason knowledge of that deletion (replication
of the tombstone object) never made it to one or more DC/GCs. 9 times
out of 10 there are replication issues in the AD environment that are
preventing replication to one or more DC/GCs.  That 1 other time is
usually the result of the tombstone lifetime not being long enough to
allow the deletion to replicate to all systems.

When lingering objects exist within the GC, which is read only, how do
you remove them?  The answer used to be "remove the GC role from all
systems" and after the removal is complete re-enable the role allowing
the GCs to rebuild themselves from the writeable domain partitions held
by other DCs.  For a smaller environment this is not a problem but for a
larger environment it will kill your functionality especially when it
comes to applications like Exchange - not to mention logging on.  The
occupancy level as Dean mentioned governs when the GC begins to "act
like" a GC.  In a large environment with lots of domains fulfilling the
occupancy level can take a long time.

In the later service packs of W2K and in W2K3 a new switch was
implemented in repadmin to help with the removal of lingering objects
even from the read-only GC partition.  

With any luck, Wook Lee will see this thread and will provide us his
dissertation on the various types of lingering objects (as defined by
him):  Zombies, Ghosts, and Poltergeists.

Regards,

Aric Bernard
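The mechanism Aric describes above, as an added simulation that is not part of the thread or of any Microsoft tool: two DCs garbage-collect a tombstone once the tombstone lifetime has passed while a third DC missed the deletion, and when the stale DC replicates again its live copy is the lingering object; a strict-consistency DC refuses it, a loose one reanimates it (which is how deleted objects end up in a GC). DC names, the object, and the 60-day tombstone lifetime are constructed/simplified assumptions.

```python
"""How a lingering object arises, and how a DC reacts to it (simulation).

Added example, not from the ActiveDir thread: tombstones expire after the
tombstone lifetime (TSL); a DC that misses a deletion for longer than the
TSL keeps a live copy and later offers it back; a strict-consistency DC
refuses it, a loose one reanimates it. DC names, the object and the 60-day
TSL (the W2K/W2K3 default of the time) are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

TOMBSTONE_LIFETIME_DAYS = 60


@dataclass
class Obj:
    name: str
    created_day: int


@dataclass
class Replica:
    name: str
    strict: bool = True                              # strict replication consistency
    live: dict = field(default_factory=dict)         # guid -> Obj
    tombstones: dict = field(default_factory=dict)   # guid -> day deleted

    def delete(self, guid: str, day: int) -> None:
        """Originating deletion: the object is replaced by a tombstone."""
        del self.live[guid]
        self.tombstones[guid] = day

    def garbage_collect(self, day: int) -> list[str]:
        """Purge tombstones older than the TSL; the deletion is forgotten here."""
        expired = [g for g, d in self.tombstones.items()
                   if day - d > TOMBSTONE_LIFETIME_DAYS]
        for g in expired:
            del self.tombstones[g]
        return expired


def replicate(src: Replica, dst: Replica, day: int) -> list[str]:
    """dst pulls from src; returns the guids dst rejected as lingering."""
    rejected = []
    for guid, deleted_day in src.tombstones.items():    # deletions win
        dst.live.pop(guid, None)
        dst.tombstones.setdefault(guid, deleted_day)
    for guid, obj in src.live.items():
        if guid in dst.live or guid in dst.tombstones:
            continue                                     # already known
        if day - obj.created_day > TOMBSTONE_LIFETIME_DAYS:
            # dst has no trace of an object older than the TSL: it must have
            # been deleted and the tombstone already purged here, so src's
            # copy is lingering (simplified strict-consistency check).
            if dst.strict:
                rejected.append(guid)                    # refuse and report
                continue
        dst.live[guid] = obj           # genuinely new, or reanimated if loose
    return rejected


def audit(replicas: list[Replica], day: int) -> list[tuple[str, str]]:
    """Advisory pass: (dc, guid) where a DC holds an object older than the
    TSL for which some peer has neither a live copy nor a tombstone."""
    found = set()
    for holder in replicas:
        for guid, obj in holder.live.items():
            old = day - obj.created_day > TOMBSTONE_LIFETIME_DAYS
            for peer in replicas:
                if (peer is not holder and old and guid not in peer.live
                        and guid not in peer.tombstones):
                    found.add((holder.name, guid))
    return sorted(found)


def run_scenario(strict: bool) -> dict:
    a, b, c = (Replica(n, strict) for n in ("DC-A", "DC-B", "DC-C"))
    ou = Obj("OU=Sales", created_day=-400)
    for r in (a, b, c):
        r.live["ou-guid"] = ou                  # fully replicated at day 0
    a.delete("ou-guid", day=1)                  # deleted on DC-A ...
    replicate(a, b, day=1)                      # ... DC-B hears about it,
                                                # DC-C's link is broken
    for r in (a, b):
        r.garbage_collect(day=70)               # TSL passed, tombstones gone
    before = audit([a, b, c], day=70)
    a.live["new-guid"] = Obj("CN=NewUser", created_day=65)
    replicate(a, c, day=71)                     # link fixed: DC-C pulls ...
    rejected = replicate(c, a, day=71) + replicate(c, b, day=71)  # ... and pushes
    return {
        "audit_before": before,
        "lingering_on_c": "ou-guid" in c.live,
        "rejected": sorted(set(rejected)),
        "reanimated_on_a": "ou-guid" in a.live,
        "new_object_reached_c": "new-guid" in c.live,
    }
```

`run_scenario(True)` shows the object stuck on DC-C and refused by its peers; `run_scenario(False)` shows the same object quietly coming back to life on DC-A.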



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

I never talked to the guy from MS, so I don't know how that conversation
went, though it did seem a little like "reboot to fix the problem" type
solution.

Which brings me to another question- under what circumstances would a
deleted object still show up as a valid object in GC's?

That was the problem they were having. It was claimed that OU's were
deleted and that was never reflected in the GC, among other objects.
The only thing I can think of, is some admin said they were using
movetree to move objects between domains.
I've never used movetree, but I'm aware of its limitations as to global
and local groups as well as that it can't move computer objects. I don't
know if it spits out an error when you try these things, but that
could've caused the issues.

thanks

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 12:26 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's


"Occupancy level" is an integer (controlled via the DC's registry) that
represents how much of the total-partial foreign domain content a newly
designated GC must have sourced before announcing itself as "ready".
Early builds of Windows 2000 defaulted to 3 I believe, this was later
adjusted to 6 where the 3 equates to the insane "a complete-partial
replica of all foreign domains in _same site_" and the 6 equates to the
more heart-warming "a complete-partial replica of all foreign domains".

Unchecking and rechecking the GC box only has an impact if the uncheck
action replicated out discreetly and reached the DC to whom it applied
(keep in mind that when you uncheck the box you are merely originating a
write against a replica of the config. NC which may or may not [most
likely not] be the DC to whom the change applies).  If the box is
rechecked before it reached that owning DC, it is impossible to state
with any certainty as to whether the target DC will begin the demotion
process since it's dependent upon the replication topology and its
inherent end-to-end latency.

PS - With all due respect to the support technician that instructed you
to demote each GC in turn, wait a while and re-promote ... that wouldn't
guarantee a working end-result, there's a chance it will work and an
equal chance that it will fail unless the other steps were taken to
contrive how the GCs re-sourced their content.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Actually, I did want to know the other stuff as well :) Also, what
exactly is "occupancy level".

I had some EA's that saw an issue in AD where there were objects that
were deleted in AD but were still present in the GC (for months).
They called MS and MS told them this will snowball into a serious issue.
So, after much chatting, MS recommended for

RE: [ActiveDir] Installing DNS in Child Domain

2005-04-19 Thread Bernard, Aric
My take is that you two are talking about the same general topic.  Dean
is stating that yes you can delegate but this does not automagically
move the RRs from one server to another (or from the parent zone to the
child).  The process of splitting an existing zone into two
(parent/child) is a manual process.  Of course you could use the
information in the parent zone before the delegation to initially
populate your new delegated zone using a modified zone file, DNSCMD, or
something else.

Regards,

Aric Bernard
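One way to carry out the manual parent/child split Aric describes, as an added example (not code from the thread, from DNSCMD or from any Microsoft tool): it carves the child's records out of a constructed parent zone file, writes the NS delegation plus glue into the parent, and emits the child zone with owners relative to the new origin. Zone names, addresses and the starter SOA timers are assumptions.

```python
"""Split one DNS zone into a parent zone plus a delegated child zone.

Added example, not code from the ActiveDir thread or from any Microsoft
tool: it carves every record under the child name out of a constructed
parent zone, writes the NS delegation and glue records into the parent,
and emits a child zone file whose owners are relative to the new origin.
Zone names, addresses and the starter SOA values are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    owner: str      # fully qualified, with trailing dot
    ttl: int
    rtype: str
    rdata: str

    def text(self, origin: Optional[str] = None) -> str:
        """Render the record; with an origin, the owner is written relative to it."""
        owner = self.owner
        if origin:
            owner = "@" if owner == origin else owner[: -len(origin) - 1]
        return f"{owner} {self.ttl} IN {self.rtype} {self.rdata}"


def fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def parse_zone(text: str) -> list[Record]:
    """Parse 'owner ttl IN type rdata' lines; blanks and ';' comments are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        if cls.upper() != "IN" or not owner.endswith("."):
            raise ValueError(f"unsupported or relative record: {raw!r}")
        records.append(Record(owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def in_child(owner: str, child: str) -> bool:
    return owner == child or owner.endswith("." + child)


def split_zone(parent: list[Record], child_name: str,
               child_ns: list[str]) -> tuple[list[str], list[str]]:
    """Return (new parent zone lines, new child zone lines)."""
    child = fqdn(child_name)
    servers = [fqdn(ns) for ns in child_ns]
    moved = [r for r in parent if in_child(r.owner, child)]
    kept = [r for r in parent if not in_child(r.owner, child)]
    if not moved:
        raise ValueError(f"no records under {child} to delegate")

    # Delegation in the parent: NS records at the child apex, plus a glue A
    # record for every name server that itself lives inside the child zone
    # (without glue the parent could not resolve the child's servers).
    delegation = []
    for ns in servers:
        delegation.append(Record(child, 3600, "NS", ns))
        if in_child(ns, child):
            glue = [r for r in moved if r.owner == ns and r.rtype == "A"]
            if not glue:
                raise ValueError(f"in-zone name server {ns} has no A record; glue needed")
            delegation.extend(glue)
    parent_lines = [r.text() for r in kept + delegation]

    # Child zone: starter SOA (constructed timers), its own NS set, then the
    # moved records rewritten relative to the new $ORIGIN.
    child_lines = [f"$ORIGIN {child}",
                   f"@ 3600 IN SOA {servers[0]} hostmaster.{child} 1 900 600 86400 3600"]
    child_lines += [Record(child, 3600, "NS", ns).text(child) for ns in servers]
    child_lines += [r.text(child) for r in moved]
    return parent_lines, child_lines


# Constructed sample: the parent zone as it looked before the delegation.
PARENT_ZONE = """\
contoso.com.                  3600 IN SOA   dc1.contoso.com. hostmaster.contoso.com. 1 900 600 86400 3600
contoso.com.                  3600 IN NS    dc1.contoso.com.
dc1.contoso.com.              3600 IN A     10.0.0.1
www.contoso.com.              3600 IN A     10.0.0.10
child.contoso.com.            3600 IN A     10.1.0.5
dcchild.child.contoso.com.    3600 IN A     10.1.0.1
_ldap._tcp.child.contoso.com.  600 IN SRV   0 100 389 dcchild.child.contoso.com.
app.child.contoso.com.        3600 IN CNAME dcchild.child.contoso.com.
"""


def demo() -> tuple[list[str], list[str]]:
    """Delegate child.contoso.com to its own DC, dcchild (constructed names)."""
    return split_zone(parse_zone(PARENT_ZONE), "child.contoso.com",
                      ["dcchild.child.contoso.com"])
```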

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, April 19, 2005 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Installing DNS in Child Domain

But, correct me if I'm wrong here, why on earth wouldn't you be allowed
to delegate zones to their respective DNS servers?
That makes no sense.
I'm on SP4 now and running AD integrated DNS and ALL zones are
delegated to their respective child DNS servers.
I've been running like this for 2+ years with no issues.
Resolution works, no rep errors. I can ping any host in the forest by
FQDN.

What's the delegation feature for then? Is it only for standard DNS
servers?
I find that hard to believe.

I'm not in the office but I'll send up my root zone record when I get
back for you to see.


I'm seriously thinking we are talking about 2 totally different things
here (and if so, I apologize).
It's rare for me to be right on this list.
Esp. as compared to you, Dean.
  
Thanks
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)



RE: [ActiveDir] Exchange and AD

2005-04-18 Thread Bernard, Aric
As most have alluded to, Exchange is highly reliant on AD and therefore
name resolution.  I would start by having a look at the health of AD.
Are you having any replication or name resolution issues from the
perspective of the DC?  Maybe a DCDiag is in order?

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Monday, April 18, 2005 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

I have checked all of the ACL's on the MS Exchange container earlier in
the day and had to add the Exchange computer.  All is correct now, but
we are still getting the same error message.

This is the first Exchange 200X server in the org so I have nothing to
compare it to.

Thanks,

Brenda

Brenda Casey, Network Manager

Lincoln Center

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, April 18, 2005 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

Is this your first Exchange 200x server in the org?

If not, do others have the same problem?

Did you actually check the ACLs on the MS Exchange container in the
configuration NC (e.g. via ADSI edit)? I've had an occurrence where
these were corrupt.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Monday, 18 April 2005 20:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

The Exchange server is listed in the Computers OU.  We have not moved
the Exchange groups out of the default users container.

The entire error in the app log is:

Microsoft Exchange System Attendant does not have sufficient rights to
read Exchange configuration objects in Active Directory. Wait for
replication to complete and then check to make sure the computer
account is a member of the "Exchange Domain Servers" security group.
For more information, click http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Thanks,

Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, April 18, 2005 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and AD

What OU is the server in? Have you moved any of the Exchange groups
from their default location? What is the complete event?

The most common cause of this is moving the Exchange Domain Servers or
Exchange Enterprise Servers groups out of the default users container.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Monday, April 18, 2005 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange and AD

During the install of Exchange, the Microsoft Exchange System Attendant
is unable to start.  After bypassing the start of this service during
the install and then rebooting the server, the following error is
generated in the Application Log file.

Microsoft Exchange System Attendant does not have sufficient rights to
read Exchange configuration objects in Active Directory. Wait for
replication to complete and then check to make sure the computer
account is a member of the "Exchange Domain Servers" security group.

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

We have read several KB articles, but have been unable to find a
solution.  Any help would be appreciated!  (The Exchange Server
computer account is not disabled, and does exist in AD).

Thanks,
Brenda

RE: [ActiveDir] 2003 SP1 RTM

2005-03-31 Thread Bernard, Aric
The latest being what exactly?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Thursday, March 31, 2005 12:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

And I presume you updated the VM with the latest VM additions, right? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, March 31, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I have a specific problem related in some way to SP1.

I have several test environments.  In each I use Virtual Server 2005.
Each environment is 100% Windows Server 2003.  After upgrading any of
the VMs with SP1, the upgraded VM runs at nearly 100% CPU consistently.

Removing and reinstalling the VM Additions has no effect.

Removing SP1 also removes the visible problem.

You might understand that I have an apprehension towards installing SP1
in production, especially on those systems running as VMs.

Any ideas?

Regards,

Aric Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, March 31, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

Dave can you quantify this statement please? I ask out of curiosity, not
disagreement.

Specifically:
1) You referred to SP1 having "too many changes." How did you make this
determination? What is the threshold where we cross into too many?
2) What steps will you be going through between now and when you do
install it? What will you do between now and deployment to give you the
confidence level you need to fire it up on a box and see how it goes?

Interested, so we can perhaps think through ways to make that less
painful going forward.
~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
Sent: Thursday, March 31, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I am certainly going to be waiting to install this one for a while.
Too many changes to jump right into it.

David A. Marquis
Computer Systems Administrator

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 31, 2005 6:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1 RTM

FYI. Windows Server 2003 SP1 went RTM yesterday

http://www.microsoft.com/downloads/details.aspx?familyid=22CFC239-337C-4D81-8354-72593B1C1F43&displaylang=en



RE: [ActiveDir] 2003 SP1 RTM

2005-03-31 Thread Bernard, Aric
Nothing in particular - every process usage appears to be exacerbated:

Without SP1: taskmgr.exe uses 1-5%
With SP1:    taskmgr.exe uses 10-35%

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, March 31, 2005 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

What is using the CPU cycles?

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
> Sent: Thursday, March 31, 2005 11:03 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2003 SP1 RTM
> 
> I have a specific problem related in some way to SP1.
> 
> I have several test environments.  In each I use Virtual Server 2005.
> Each environment is 100% Windows Server 2003.  After upgrading any of
> the VMs with SP1, the upgraded VM runs at nearly 100% CPU 
> consistently. 
> 
> Removing and reinstalling the VM Additions has no effect.
> 
> Removing SP1 also removes the visible problem.
> 
> You might understand that I have an apprehension towards 
> installing SP1
> in production, especially on those systems running as VMs.
> 
> Any ideas?
> 
> Regards,
> 
> Aric Bernard 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric 
> Fleischman
> Sent: Thursday, March 31, 2005 10:27 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2003 SP1 RTM
> 
> Dave can you quantify this statement please? I ask out of 
> curiosity, not
> disagreement.
> 
> Specifically:
> 1) You referred to SP1 having "too many changes." How did you 
> make this
> determination? What is the threshold where we cross into too many?
> 2) What steps will you be going through between now and when you do
> install it? What will you do between now and deployment to 
> give you the
> confidence level you need to fire it up on a box and see how it goes?
> 
> Interested, so we can perhaps think through ways to make that less
> painful going forward.
> ~Eric
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave 
> A. Marquis
> Sent: Thursday, March 31, 2005 8:37 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2003 SP1 RTM
> 
> I am certainly going to be waiting to install this one for a while.
> Too many changes to jump right into it.
> 
> David A. Marquis
> Computer Systems Administrator
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, March 31, 2005 6:48 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] 2003 SP1 RTM
> 
> FYI. Windows Server 2003 SP1 went RTM yesterday
> 
> http://www.microsoft.com/downloads/details.aspx?familyid=22CFC239-337C-4D81-8354-72593B1C1F43&displaylang=en
> 


RE: [ActiveDir] 2003 SP1 RTM

2005-03-31 Thread Bernard, Aric
I have a specific problem related in some way to SP1.

I have several test environments.  In each I use Virtual Server 2005.
Each environment is 100% Windows Server 2003.  After upgrading any of
the VMs with SP1, the upgraded VM runs at nearly 100% CPU consistently. 

Removing and reinstalling the VM Additions has no effect.

Removing SP1 also removes the visible problem.

You might understand that I have an apprehension towards installing SP1
in production, especially on those systems running as VMs.

Any ideas?

Regards,

Aric Bernard 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, March 31, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

Dave can you quantify this statement please? I ask out of curiosity, not
disagreement.

Specifically:
1) You referred to SP1 having "too many changes." How did you make this
determination? What is the threshold where we cross into too many?
2) What steps will you be going through between now and when you do
install it? What will you do between now and deployment to give you the
confidence level you need to fire it up on a box and see how it goes?

Interested, so we can perhaps think through ways to make that less
painful going forward.
~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
Sent: Thursday, March 31, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I am certainly going to be waiting to install this one for a while.
Too many changes to jump right into it.

David A. Marquis
Computer Systems Administrator

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 31, 2005 6:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1 RTM

FYI. Windows Server 2003 SP1 went RTM yesterday

http://www.microsoft.com/downloads/details.aspx?familyid=22CFC239-337C-4D81-8354-72593B1C1F43&displaylang=en



RE: [ActiveDir] DHCP on a DC

2005-03-31 Thread Bernard, Aric
Technically it is Enterprise Admin, however you could modify the
permissions in AD to let an alternate user perform the authorization.

Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Foster
Sent: Thursday, March 31, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP on a DC

Slightly off-topic...but I am trying to clarify the user account
required to authorize a DHCP server.  Does this need to be an Enterprise
Admin, or a Domain Admin?

Regards,

Tim 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Thursday, March 31, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP on a DC

Hi,

This is for any DNS resource record! (when DHCP is installed on a DC and
no
user credentials are used)

A DC by default belongs to the computed group called ENTERPRISE DOMAIN
CONTROLLERS. That same group has ALL THE POWER over ALL DNS records when
AD
Integrated zones are used. When DHCP is installed on a DC it "inherits"
the
power from the DC and thus the DHCP can do anything with any DNS record.
As
you may know the DNS records of the DCs (e.g. all kinds of service
records)
are very important for the functioning of AD

Logically a member server DOES NOT belong to the computed group called
ENTERPRISE DOMAIN CONTROLLERS. When DHCP is installed on a member server
it
"inherits" the power from the member server and thus the DHCP can't do
much.
It only has the power over those records it has registered on behalf of
the
clients.

When DHCP is installed on a DC and to mitigate the risk that the DHCP
SERVICE has power over DC records and other records that it does not
own,
DHCP can be configured to use an user account when doing registrations
on
behalf of the client computers
(http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in W2K
use
NETSH and in W2K3 use NETSH or the DHCP GUI)

The following situations are also interesting:
(1) Multiple DHCP servers at one location providing IP addresses and
registering those addresses on behalf of those clients
(2) Clients moving between different locations

In both situations multiple DHCP servers need to be able to register/update the DNS record of the clients. If DHCP is installed on a DC there is no problem, as DHCP inherits its rights through the DC role. If DHCP is installed on member servers, the DHCP server that registers some record on behalf of the client automatically becomes the owner of that record (i.e. has permissions for that record to modify it!). If another DHCP needs (because of one of the situations mentioned above) to register/update the same record, it is not allowed to do that and the record can therefore not be updated. A solution (not recommended!) for this is to make the DHCP server a member of the group DNSUpdateProxy. In this situation all DNS records registered by the DHCP server that is a member of that group are "owner-less", meaning that EVERYONE can update/register those records and become the owner! Imagine this one on a DC!!! -> DON'T DO THAT!!! Even on a member server I don't recommend that; in some situations it might be needed, although I can't think of one right now.

If more than one DHCP server, regardless of whether it is installed on a DC or a member server, needs to update the same records, configure DHCP to use the credentials of some user account (http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in W2K use NETSH and in W2K3 use NETSH or the DHCP GUI).
If DHCP is installed on a DC, configure DHCP to use the credentials of some user account (http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in W2K use NETSH and in W2K3 use NETSH or the DHCP GUI).

I hope this helps you understand the situations

Cheers
Jorge 
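An added audit script (written here, not Jorge's or Microsoft's) that checks a DHCP server against the three points in the message above: whether it runs on a DC, whether dedicated DNS update credentials (KB 255134) are configured, and whether it is a member of DnsUpdateProxy. It assumes the DhcpServer and ActiveDirectory PowerShell modules of Windows Server 2012 and later rather than the W2K/W2K3 NETSH era of the thread; the netsh syntax in the closing comment is quoted from memory.

```powershell
# Audit a DHCP server for the dynamic-DNS ownership risks discussed in the thread.
# Assumes: run locally on the DHCP server, as a user allowed to read AD group membership.
Import-Module DhcpServer
Import-Module ActiveDirectory

function Get-DhcpDnsRiskReport {
    $findings = @()
    $computer = $env:COMPUTERNAME

    # 1. Domain role: Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = ($role -ge 4)
    if ($isDc) {
        $findings += "DHCP runs on a DC: without DNS credentials it registers as ENTERPRISE DOMAIN CONTROLLERS and can modify any record in AD-integrated zones."
    }

    # 2. Dedicated DNS dynamic-update credentials (the KB 255134 mitigation).
    $cred = Get-DhcpServerDnsCredential
    if ([string]::IsNullOrEmpty($cred.UserName)) {
        $findings += "No DNS update credentials set: registrations run under the host's own (DC or member server) security context."
    } else {
        $findings += "OK: DNS updates use $($cred.DomainName)\$($cred.UserName)."
    }

    # 3. DnsUpdateProxy membership: records it registers become owner-less
    #    and can be re-registered (and taken over) by anyone.
    $proxyMembers = Get-ADGroupMember -Identity DnsUpdateProxy |
        Select-Object -ExpandProperty Name
    if ($proxyMembers -contains $computer) {
        $note = if ($isDc) { " This is a DC: remove it from the group." } else { "" }
        $findings += "Member of DnsUpdateProxy: every record it registers is owner-less.$note"
    }

    return $findings
}

Get-DhcpDnsRiskReport | ForEach-Object { Write-Output $_ }

# Remediation (set a dedicated low-privilege account for dynamic DNS updates):
#   Modern:   Set-DhcpServerDnsCredential -Credential (Get-Credential)
#   W2K/W2K3: netsh dhcp server set dnscredentials <user> <domain> <password>
#             (syntax assumed from memory; check "netsh dhcp server help" on the host)
```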

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, March 31, 2005 17:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP on a DC

Tom,

Thank you for responding.  Do you really mean "any record"?  So it could just decide to delete the Domain Controllers OU?  Or do you mean any record in DNS, which is where I would expect it to operate?  I simply can't understand why (logically) a DC would not be the optimum place for this. A proxy agent (member server) is still going to have and require the requisite authority to update records, so where is the security vulnerability?  I didn't mention that this is happening on W2K3 server.  Does this vulnerability still apply?

Thanks

RH
___




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
Sent: Thursday, March 31, 2005 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP on a DC


You can install it on a DC but it's not recommended.
When you install a DHCP server on a DC it runs in the security context of the DC.
