RE: [ActiveDir] Flags Attribute?

2006-10-11 Thread Bernier, Brandon \(.\)



That did it. Thanks joe! 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Flags Attribute?

For the first part, what about just using LDIFDE to export 
from AD?
 
dn: CN=Flags,CN=Schema,CN=Configuration,DC=test,DC=loc
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.38
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: Flags
adminDescription: Flags
oMSyntax: 2
searchFlags: 0
lDAPDisplayName: flags
name: Flags
schemaIDGUID:: dnmWv+YN0BGihQCqADBJ4g==
systemOnly: FALSE
systemFlags: 16
isMemberOfPartialAttributeSet: TRUE
 
Alternately you can pull this
 
# Attribute: flags
dn: cn=Flags,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeId: 1.2.840.113556.1.4.38
ldapDisplayName: flags
attributeSyntax: 2.5.5.9
adminDescription: Flags
adminDisplayName: Flags
# schemaIDGUID: bf967976-0de6-11d0-a285-00aa003049e2
schemaIDGUID:: dnmWv+YN0BGihQCqADBJ4g==
oMSyntax: 2
systemFlags: 16
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
systemOnly: FALSE
 
from 
the %windir%\adam\MS-AdamSchemaW2K3.LDF file in ADAM SP1.
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Tuesday, October 10, 2006 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Flags Attribute?

Never mind the second part of my question. I figured out what I was doing wrong, my LDIF syntax was messed up when I tried to modify MayContain.
_ 
From:   Bernier, Brandon (.)
Sent:   Tuesday, October 10, 2006 3:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject:    Flags Attribute?
Ok, I think I'm going crazy here... I need to add the Flags attribute into an ADAM instance and can't find it in any of the LDF files that ship with W2K/W2K3/R2/ADAM. While I can do an ADFind on this attribute and dump the needed properties into a LDIF file, I'd like to steal as much as possible of what was originally imported into AD.
Also, when I'm creating an attribute how do I have it change the SystemMayContain/MayContain attribute on an existing structural Class? I know they are constructed and I can't modify the Class directly, but I know there must be a way to do it.
Thanks for the help!
-Brandon


RE: [ActiveDir] Flags Attribute?

2006-10-10 Thread Bernier, Brandon \(.\)







Never mind the second part of my question. I figured out what I was doing wrong, my LDIF syntax was messed up when I tried to modify MayContain.


_ 

From:   Bernier, Brandon (.)  

Sent:   Tuesday, October 10, 2006 3:05 PM

To: 'ActiveDir@mail.activedir.org'

Subject:    Flags Attribute?



Ok, I think I'm going crazy here... I need to add the Flags attribute into an ADAM instance and can't find it in any of the LDF files that ship with W2K/W2K3/R2/ADAM. While I can do an ADFind on this attribute and dump the needed properties into a LDIF file, I'd like to steal as much as possible of what was originally imported into AD.

Also, when I'm creating an attribute how do I have it change the SystemMayContain/MayContain attribute on an existing structural Class? I know they are constructed and I can't modify the Class directly, but I know there must be a way to do it.

Thanks for the help!


-Brandon





[ActiveDir] Flags Attribute?

2006-10-10 Thread Bernier, Brandon \(.\)







Ok, I think I'm going crazy here... I need to add the Flags attribute into an ADAM instance and can't find it in any of the LDF files that ship with W2K/W2K3/R2/ADAM. While I can do an ADFind on this attribute and dump the needed properties into a LDIF file, I'd like to steal as much as possible of what was originally imported into AD.

Also, when I'm creating an attribute how do I have it change the SystemMayContain/MayContain attribute on an existing structural Class? I know they are constructed and I can't modify the Class directly, but I know there must be a way to do it.

Thanks for the help!


-Brandon





RE: [ActiveDir] Move all OU and USERS from one forest to another forest

2006-10-03 Thread Bernier, Brandon \(.\)
Look in the scripts folder when you install GPMC. There is a script
called CreateXMLFromEnvironment.wsf and you can tell it to dump out all
the Groups, OU's and Users. Then take that XML it generates and run a
script in your other Domain with GPMC installed called
CreateEnvironmentFromXML.wsf.

-Brandon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 10:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Move all OU and USERS from one forest to another
forest

Hi,

I am trying to build a testing environment.

I have the production forest and the testing forest, not connected at
all.

Is there an easy way of creating all the same OUs and users from one
forest to the other? Each forest only has one domain. Also, I'm only
interested in moving some of the attributes, i.e. there is no MS Exchange
in the testing environment so I don't care about Exchange attributes.

I was going to build a script that will read from production LDAP and
create objects in the other one, but if there is already something like
a tool or script I would prefer to use it to save time.

Can I use ADAM for this?

Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Bernier, Brandon \(.\)



 
Are you publishing a CRL? If so then it must use the path to the CRL that's specified in the certificate or it bombs out (latency to the hosting CRL server will kill it too.. forgot the exact value). Why do you need CRL checking on your DCs? Doesn't that make you question who is on your DCs that would make you revoke a cert, among other things? I would modify the template (if you're using an Enterprise CA) and reissue the certs without a CRL and make sure the clients have the public key to your Root CA in their trusted root store. Something to ponder.
 
-Brandon 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside


Hi Robert,
    Yes, the command is *exactly* the same.  We are thinking that our CRL location is not available outside of the firewall.  We generate our own certificates; we don’t use a “well known” provider.

Mike Thommes
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside
 
Hey Mike,

When you say “It works fine behind our firewall”, are you meaning that the *exact same* command line works and you get the object returned?

I tried using adfind to connect to my test DC using port 636 and got the exact same error…but I don’t have a cert installed on my DC so I’d expect mine not to work.

Robert Williams



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside
 
Hi,
   We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue.  Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using “adfind”:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up *  -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636.  Using “ldp”, the bind operation seems to want to default to port 389 (which is not open).

It works fine behind our firewall.  Is there some other port that needs to be open (besides 389)?  Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way?  Any help is appreciated!

TIA,
Mike Thommes
 
 

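The thread separates two failure modes that both surface as adfind's "Server Down" bind error: nothing answering on 636, and a TLS handshake that the client aborts because it cannot validate the DC's certificate (the CRL location not being reachable from outside being the suspect here). The following Python is an added example, not code from any post in the thread: it connects to a DC on 636 with the standard library's ssl module, classifies the outcome, and on success reports the CRL distribution point URLs carried in the certificate so they can be checked from the network the query comes from. The host name and CA file path are placeholders you supply; note the caveat in the comments that OpenSSL, unlike Windows, never downloads a CRL on its own.

```python
import socket
import ssl


def ldaps_context(ca_file=None, check_crl=False):
    """Build the TLS context for talking to a DC on 636.

    ca_file: PEM bundle with your root (and issuing) CA certificates. None
    falls back to the platform store, which will not know an internal CA.
    check_crl: ask OpenSSL to enforce revocation. Unlike Schannel on Windows,
    OpenSSL does not fetch the CRL named in the certificate; it only checks
    CRLs it has been handed, so the PEM file must also contain current CRLs.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    if check_crl:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def crl_checking_enabled(ctx):
    """True when the context will reject a chain it cannot check against a CRL."""
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN)


def probe_ldaps(host, ctx, port=636, timeout=5):
    """Open a TLS session to host:port and classify what happened.

    Returns (status, detail). 'ok' carries the certificate subject, expiry and
    the crlDistributionPoints URLs; the other statuses separate 'nothing is
    listening / no route' from 'listening but the certificate did not verify'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()   # parsed only when the chain verified
                detail = {
                    "subject": cert.get("subject", ()),
                    "expires": cert.get("notAfter"),
                    "crl_urls": list(cert.get("crlDistributionPoints", ())),
                }
                return "ok", detail
    except ssl.SSLCertVerificationError as exc:   # chain, hostname or CRL failed
        return "cert_untrusted", str(exc)
    except ssl.SSLError as exc:                   # handshake failed for another reason
        return "tls_error", str(exc)
    except OSError as exc:                        # refused, timed out, unreachable
        return "unreachable", str(exc)


if __name__ == "__main__":
    import sys
    # Placeholders: python probe.py dc1.example.invalid /path/to/root-ca.pem
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.invalid"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    status, detail = probe_ldaps(host, ldaps_context(ca_file=ca))
    print(status)
    print(detail)
```

Run it once from inside the firewall and once from outside with the same root CA file: a DC that answers "ok" inside and "unreachable" outside points at the port, while "cert_untrusted" outside points at validation (and the printed crl_urls are the addresses to test next).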


RE: [ActiveDir] MS Schema GUIDS different from my Forest to MSDN

2006-08-16 Thread Bernier, Brandon \(.\)
 
That about settles it. I didn't realize schemaIDGuid existed and I was
looking at the wrong attribute. Thanks for the help.

-Brandon


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Tuesday, August 15, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MS Schema GUIDS different from my Forest to
MSDN 

objectGUID and schemaIDGUID are not the same thing.  objectGUID will
always be randomly generated when an object is created and will differ
between different forests for schema.
schemaIDGUID can and usually is (at least for schema from MS) set when
the object is created, so those tend to be the same between all
installations*.

Did you look at the schemaIDGUID attribute to compare there?

Joe K.

* If schemaIDGUID isn't specified at create time, AD and ADAM will
happily create a random one for you.  It is generally considered to be a
best practice to specify the schemaIDGUID though so that it can be
published as a static value.  Letting the directory create it for you is
generally considered "hackish".
- Original Message -
From: Bernier, Brandon (.)
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 15, 2006 4:26 PM
Subject: [ActiveDir] MS Schema GUIDS different from my Forest to MSDN




Answer to my question below: I'm missing an ACE for
ms-DS-Az-Admin-Manager.
But what's interesting is that I'm using the Schema GUID from MSDN and
for some reason that's different from what I have in production (verified
using ADFind to dump all the Classes' ObjectGUID in the Schema). I asked
someone who implemented the Schema here why and they said they ran
across the same issue and were told it wasn't a big deal... I disagree,
since if that was the case my code would be working and this note
wouldn't exist. Anyone seen this before?
-Brandon



_________
From:   Bernier, Brandon (.)
Sent:   Tuesday, August 15, 2006 1:24 PM
To: 'ActiveDir@mail.activedir.org'
Subject:ADSIEdit unable to enumerate list of objects that a
group 
can create


OK..I'm probably doing something silly here but I need more insight on
how ADSIEdit enumerates what object types you can create..
The scenario is I have 1 OU and in that OU I have a Group that I've
ACL'd to create/delete ms-DS-Az-Admin-Manager objects and mod some
attributes on it in that OU . So I bind up as a User in this Group using
ADSIEdit and try to create a instance of this object, well that list is
empty..so I can't create jack. What am I missing? I'll write a quick
little VBScript to test that out, but in the meantime what gives?
Thanks!
-Brandon
 

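Two threads on this page meet at the same detail: joe's ldifde export of the Flags attribute carries `schemaIDGUID:: dnmWv+YN0BGihQCqADBJ4g==` next to the commented GUID `bf967976-0de6-11d0-a285-00aa003049e2`, and Joe Kaplan's point here is that schemaIDGUID, not objectGUID, is the value that matches MSDN and therefore the value an ACE's object type must carry. The Python below is an added example, not code from either thread: a small LDIF record parser (comments, folded lines, `::` base64 values) plus the conversions between the stored bytes, the published GUID string and an LDAP filter for looking the schema object up. The DC=test,DC=loc forest name in the sample record is a placeholder; the helper names are mine.

```python
import base64
import uuid

# Constructed LDIF record in the shape ldifde exports from the schema
# partition. Attribute values are the ones posted in the Flags thread;
# DC=test,DC=loc is a placeholder forest.
SAMPLE_LDIF = """\
dn: CN=Flags,CN=Schema,CN=Configuration,DC=test,DC=loc
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.4.38
lDAPDisplayName: flags
adminDescription: Flags
# schemaIDGUID: bf967976-0de6-11d0-a285-00aa003049e2
schemaIDGUID:: dnmWv+YN0BGihQCqADBJ4g==
systemFlags: 16
"""


def parse_ldif_record(text):
    """Parse one LDIF record into {attribute name (lower-cased): [values]}.

    Handles what a naive split(':') gets wrong in an ldifde export: '#'
    comment lines, folded continuation lines (leading space), and base64
    values introduced by '::', which come back as bytes instead of str.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)

    record = {}
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())   # '::' means base64
        else:
            value = rest.strip()
        record.setdefault(name.lower(), []).append(value)
    return record


def schema_guid_to_string(raw16):
    """Render the 16 stored schemaIDGUID bytes as the GUID string MSDN publishes.

    AD stores GUIDs in Windows (little-endian) layout, so the first three
    groups are byte-swapped; uuid.UUID(bytes_le=...) performs that swap.
    """
    return str(uuid.UUID(bytes_le=bytes(raw16)))


def naive_guid_string(raw16):
    """The wrong reading (big-endian), kept to show what you get when the
    swap is forgotten: a GUID that matches nothing on MSDN."""
    return str(uuid.UUID(bytes=bytes(raw16)))


def guid_string_to_ldif_value(guid_str):
    """Reverse direction: the base64 text for a 'schemaIDGUID::' LDIF line."""
    return base64.b64encode(uuid.UUID(guid_str).bytes_le).decode("ascii")


def guid_string_to_ldap_filter(guid_str, attribute="schemaIDGUID"):
    """LDAP filter that finds the schema object for a published GUID, to
    confirm the forest agrees with MSDN. Binary filter values are written as
    \\XX escapes of the stored (little-endian) bytes."""
    escaped = "".join(f"\\{b:02x}" for b in uuid.UUID(guid_str).bytes_le)
    return f"({attribute}={escaped})"


if __name__ == "__main__":
    rec = parse_ldif_record(SAMPLE_LDIF)
    raw = rec["schemaidguid"][0]
    guid = schema_guid_to_string(raw)
    print("lDAPDisplayName :", rec["ldapdisplayname"][0])
    print("schemaIDGUID    :", guid)
    print("wrong byte order:", naive_guid_string(raw))
    print("LDIF value      :", guid_string_to_ldif_value(guid))
    print("LDAP filter     :", guid_string_to_ldap_filter(guid))
```

The filter form is the one to paste into adfind or ldp against CN=Schema to check which GUID the forest actually holds; if the wrong-byte-order value is what ended up in an ACE, the delegation silently grants nothing, which is the symptom described above.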


[ActiveDir] MS Schema GUIDS different from my Forest to MSDN

2006-08-15 Thread Bernier, Brandon \(.\)







Answer to my question below: I'm missing an ACE for ms-DS-Az-Admin-Manager… but what's interesting is that I'm using the Schema GUID from MSDN and for some reason that's different from what I have in production (verified using ADFind to dump all the Classes' ObjectGUID in the Schema). I asked someone who implemented the Schema here why and they said they ran across the same issue and were told it wasn't a big deal… I disagree, since if that was the case my code would be working and this note wouldn’t exist. Anyone seen this before?

-Brandon




_____ 

From:   Bernier, Brandon (.)  

Sent:   Tuesday, August 15, 2006 1:24 PM

To: 'ActiveDir@mail.activedir.org'

Subject:    ADSIEdit unable to enumerate list of objects that a group can create



OK..I'm probably doing something silly here but I need more insight on how ADSIEdit enumerates what object types you can create..

The scenario is I have 1 OU and in that OU I have a Group that I've ACL'd to create/delete ms-DS-Az-Admin-Manager objects and mod some attributes on it in that OU. So I bind up as a User in this Group using ADSIEdit and try to create an instance of this object, well that list is empty.. so I can't create jack. What am I missing? I'll write a quick little VBScript to test that out, but in the meantime what gives? Thanks!

-Brandon

 





[ActiveDir] ADSIEdit unable to enumerate list of objects that a group can create

2006-08-15 Thread Bernier, Brandon \(.\)







OK..I'm probably doing something silly here but I need more insight on how ADSIEdit enumerates what object types you can create..

The scenario is I have 1 OU and in that OU I have a Group that I've ACL'd to create/delete ms-DS-Az-Admin-Manager objects and mod some attributes on it in that OU. So I bind up as a User in this Group using ADSIEdit and try to create an instance of this object, well that list is empty.. so I can't create jack. What am I missing? I'll write a quick little VBScript to test that out, but in the meantime what gives? Thanks!

-Brandon

 





RE: [ActiveDir] ADAM pwdLastSet

2006-07-14 Thread Bernier, Brandon \(.\)
I don't want to do this. One of the directories we are moving in is
coming from iPlanet and you can do whatever you want there. That team
has asked us to look into ramifications of using pwdLastSet and from
testing and your input, it's a bad idea. Basically we just need to
expire someone's password, but need them to be able to bind back in and
change their password. I also wanted to test using
msDS-UserPasswordExpired but that cannot be changed either. Any other
ideas to delegate expiring a User's password in this case? Thanks for the
help!

-Brandon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Friday, July 14, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADAM pwdLastSet

Are you sure you want to do this?  My experience with
setting pwdLastSet to 0 in AD is that doing that will break the ability
to do an LDAP bind for the user, so they can't do an LDAP change
password operation.
This would be a problem for ADAM users if the same behavior applies as
LDAP is the only way to do a change password operation.  In AD, when you
are set to 0, the only way to change the password at next login is
through a Windows login.

I'd be interested to know if this really gets you the results you want.
I may go test this... :)

That said, I'm not sure what you did wrong from a delegation standpoint,
but I always recommend using the allowedAttributesEffective constructed
attribute to find out what attributes the currently bound user actually
has rights to modify.  This is an essential troubleshooting step.  Also,
the ACL editor in ADAM SP1 LDP is really nice and may help you see what
you did wrong.

Joe K.
- Original Message -----
From: Bernier, Brandon (.)
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 9:30 AM
Subject: [ActiveDir] ADAM pwdLastSet




We need to delegate an ADAM Group the ability to change any other ADAM
Users' pwdLastSet to 0 under a certain OU. This way we can force ADAM
Users to change their password if they meet specific criteria.
So we add an ACE to the parent OU where the ADAM Users live for WPRP on
pwdLastSet for ADAM Users. However it keeps giving us "Insufficient
Access Rights". MSDN says the value is set by the system and we know
that, but it will allow ADAM Administrators to change this value to 0.
So what am I missing here?
btw- this is ADAM RTM.
-Brandon



[ActiveDir] ADAM pwdLastSet

2006-07-14 Thread Bernier, Brandon \(.\)







We need to delegate an ADAM Group the ability to change any other ADAM Users pwdLastSet to 0 under a certain OU. This way we can force ADAM Users to change their password if they meet specific criteria.

So we add an ACE to the parent OU where the ADAM Users live for WPRP on pwdLastSet for Adam Users. However it keeps giving us "Insufficient Access Rights". MSDN says the value is set by the system and we know that, but it will allow ADAM Administrators to change this value to 0. So what am I missing here?

btw- this is ADAM RTM.


-Brandon






RE: [ActiveDir] SFTP with AD Auth

2006-07-12 Thread Bernier, Brandon \(.\)



It's too bad IIS6 doesn't support TLS for FTP or that 
would be a great solution. However, since it doesn't I would recommend a product 
called "Serv-U" by Rhinosoft.
 
-Brandon



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Wednesday, July 12, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SFTP with AD Auth


We’re just now rolling into production with Globalscape’s product.  Mixed feelings about it.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: Wednesday, July 12, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SFTP with AD Auth
 

I just thought I'd poll everyone to see what is being used as a SFTP server.  Because of the politics of the arena here, the server will have to be on a member server and not on a DC itself - which I can't think would make much of a difference. The users will be accessing their home dirs only.  I've found a couple of packages just by doing some google searches:

FreeSTP doesn't look like it works unless it's actually on a DC.  Although I haven't confirmed that yet.

SSH Secure Shell (which is now SSH Tectia) at first glance looks like you need their client to connect to the server.  I'd really like to stay with something that works with most free SFTP clients (Filezilla, WinSCP, etc).

I've found a few more, but I thought (like I said) I would get a poll just to see what others used.

Thanks,
Paul
--
*** "I've got a fever and the only prescription is more cowbell." --Christopher Walken ***



[ActiveDir] ADAM Passwords?

2006-07-07 Thread Bernier, Brandon \(.\)







Since ADAM doesn't have a PDC Emulator FSMO, how does it deal with the following? Assuming tons of replicas in a configuration set.

1.) ADAM User Account gets locked out, who authoritatively locks it out? 


2.) ADAM User changes their password and typed in the old one..does this increment their badPasswordCount?


Thanks!


-Brandon





RE: [ActiveDir] LDAP over SSL

2006-07-06 Thread Bernier, Brandon \(.\)



 
Another big benefit to using an Enterprise CA is that you can use 
existing Certificate Templates and auto-enroll all your Domain Controllers 
via Group Policy. 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 06, 2006 4:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP over SSL

I've implemented 3rd party certs on DCs for precisely this reason (LDAP over SSL). The process was a little convoluted but it works :)

I don't follow the chaining issue - the DC merely needs to trust the PKI infra which issued the cert.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: 05 July 2006 22:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP over SSL


If you are able to deploy a stand-alone CA, then you should be able to deploy an enterprise one. One CA can be a Root/Policy/Issuing CA at the same time, and the big reason to want a stand-alone Root CA is for additional security. But if all you are looking to do with your certs is to protect LDAP traffic, I don't see why you can't have one properly-secured server in the forest do that for you.

I don't recommend a third-party cert for DCs. You will be requiring your DCs to chain up to an external authority for internal communications.
 


Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: John Singler
Sent: Wed 7/5/2006 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP over SSL
Greetings,

Environment:  Single forest, single domain, 3 DCs, DC1 holds all FSMO 
roles, all DCs GCs, BIND DNS.  All DCs w2k3 SP1, FFL/DFL are w2k3.

We are investigating, in the lab, migrating some Java apps to use AD for 
auth (using the Java LDAP libraries that support SSL).

We do not currently run a CA.

Can I install a stand alone CA, request a cert and install it on the 
DCs? Or does it need to be an Ent. CA?

Also, if using 3rd party certs do I need one for *each* DC?  I'm fairly 
certain that the answer is "yes" .. just checking.

Also also, if anyone has figured out a way to use OpenSSL to generate a 
proper self-signed cert for a DC I'd love to hear it (I've used these for 
IIS following http://eal.us/blog/_archives/2003/6/2/25109.html ).

tia,

john


[ActiveDir] Self vs. the object name / effective permissions

2006-06-27 Thread Bernier, Brandon \(.\)







Someone came by my cube and said they were having permission issues. They assigned Self some rights for computer objects and in ADUC the effective permissions are correct. However, they also did effective permissions on the name of the computer object and it has different results….Why is this?? I know Self represents the object…so where is it getting different permissions from? DSAcls is retrieving correct information for me, but this seems like a bug to me.

-Brandon





RE: [ActiveDir] OT: DHCP Cluster

2006-06-22 Thread Bernier, Brandon \(.\)
Can you do a rolling upgrade? Meaning evict one node from the cluster,
reload it with 2K3 and put DHCP back on, then add it back into the
cluster and do the other node. I've done this with SQL many times, but I
forgot what changed from W2K to W2K3 for DHCP.. I don't remember anything
mind blowing, but I'd look into it anyway.

-Brandon


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta,
Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, June 22, 2006 10:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DHCP Cluster

Anybody know any good knowledgebase articles or resources for migrating
a 2000 DHCP cluster to a 2003 DHCP cluster?

I would appreciate the information/links.

Thanks,
Nate


RE: [ActiveDir] OT: Move Enterprise CA

2006-06-06 Thread Bernier, Brandon \(.\)



If you use Autoenrollment, you also need to repoint the PKI settings in the GPO that tells the clients to autoenroll to the new CA.
 
-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, June 05, 2006 11:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Move Enterprise CA


Hi all

I have to move an Enterprise CA from one DC to another.  The following article appears to show the required steps.

How to move a certification authority to another server
http://support.microsoft.com/?kbid=298138

For those of you that have done this, is the process as straightforward as it appears?  Anything to look for that isn’t mentioned in the article?

Tony




RE: [ActiveDir] [OT] Sysprep Query

2006-05-31 Thread Bernier, Brandon \(.\)
This msg chain sums it up.

http://groups.google.com/group/microsoft.public.windowsxp.setup_deployment/browse_thread/thread/1e82dbc6cb7480d0/655cafc92cb89c97?lnk=st&q=why+not+use+sysprep&rnum=1&hl=en#655cafc92cb89c97


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, May 31, 2006 9:02 AM
To: ActiveDir.org
Subject: [ActiveDir] [OT] Sysprep Query

Can anybody point me in the direction of a statement as to the effects
of not running sysprep - I know you have to and always do - but looking
for hard (read that as decent) documentation as to the effects of not
running sysprep on a server.

I don't like the fact that most of the infrastructure has not had
this run on it.

Regards,

Mark


RE: [ActiveDir] OT help with VBS/WMI Script

2006-05-25 Thread Bernier, Brandon \(.\)

If you're concerned about the server being up, incorporate this into your
script. It will ping the box and execute your logic if it's up. This is
just an example, it wouldn't actually work if you cut and paste it.


Option Explicit
Dim objShell, colServerList, strServerName, objScriptExec, strPingResults

Set objShell = CreateObject("WScript.Shell")
colServerList = Array("server1", "server2")   ' constructed list; replace with your own

For Each strServerName In colServerList
    ' Ping first so an offline box is skipped instead of hanging on the WMI connect
    Set objScriptExec = objShell.Exec("ping -n 2 -w 1000 " & strServerName)
    strPingResults = LCase(objScriptExec.StdOut.ReadAll)
    ' Caveat: "Reply from <gateway>: Destination host unreachable" also matches
    ' this test; check for "ttl=" instead if that shows up on your network
    If InStr(strPingResults, "reply from") Then
        ReportOSVersion strServerName   ' your OS version WMI code, in a function
    Else
        WScript.Echo strServerName & "++"   ' offline: blank fields, nothing stale
    End If
Next

Set objShell = Nothing

' Same Win32_OperatingSystem query as the original script, run per host
Sub ReportOSVersion(strComputer)
    Dim objWMIService, colSettings, OS
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
        & strComputer & "\root\cimv2")
    Set colSettings = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each OS In colSettings
        WScript.Echo strComputer & "+" & OS.Caption & "+" & OS.Version
    Next
End Sub

-Brandon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, May 25, 2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT help with VBS/WMI Script

If I use this, everything gets "Server1++" nothing ever gets anywhere.
:-) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Timo Ed
Sent: Wednesday, May 24, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT help with VBS/WMI Script

'=
For Each strComputer In serverList
   Set colSettings = ""
   Set objWMIService = GetObject("winmgmts:" _
   & "{impersonationLevel=impersonate}!\\" & strComputer &
"\root\cimv2")
  Set colSettings = objWMIService.ExecQuery _
   ("Select * from Win32_OperatingSystem")

 If err then
  WScript.Echo strComputer + "++"
 else
 Set colSettings = objWMIService.ExecQuery _
("Select * from Win32_OperatingSystem")
For Each OS In colSettings'
   WScript.Echo strComputer + "+" + OS.Caption + "+" +
OS.Version
Next
 end if
Next
'=

Rgds,
Tim


On 5/25/06, Hutchins, Mike <[EMAIL PROTECTED]> wrote:
> So I am trying to get some information from a gigantic list of
machines.
> Problem is that if the machine isn't up, the script retains the 
> previous values. Example
>
> server1+Microsoft(R) Windows(R) Server 2003, Enterprise
> server1+Edition+5.2.3790
> server2+Microsoft(R) Windows(R) Server 2003, Enterprise
> server2+Edition+5.2.3790
>
> In this example Server1 is Accurate (the "+" is a delimiter)
> Server2 is not online so the script retained the OS.Caption and 
> OS.Version part. I would rather it be blank like;
>
> server2++
>
> Here is the script part that this lies in. Any suggestions greatly 
> appreciated.
>
> For Each strComputer In serverList
>Set colSettings = ""
>Set objWMIService = GetObject("winmgmts:" _
>& "{impersonationLevel=impersonate}!\\" & strComputer &
> "\root\cimv2")
>Set colSettings = objWMIService.ExecQuery _
>("Select * from Win32_OperatingSystem")
>For Each OS In colSettings
>WScript.Echo strComputer + "+" + OS.Caption + "+" + OS.Version
>Next
> Next
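The problem Mike describes (an offline host's output line still carrying the previous host's Caption and Version) and the fix Brandon sketches (check reachability first, then run the query) come down to two rules: build each host's record from scratch, and treat a failed probe as empty fields rather than as "keep what we had". The Python below is an added example, not code from the thread, showing that shape in a form that runs offline: `fake_probe`, `fake_reachable` and FAKE_INVENTORY are constructed stand-ins for the Win32_OperatingSystem query and the ping check, and `is_reachable` is an assumed alternative to parsing ping output that instead tries a TCP connect to the RPC endpoint mapper port WMI needs anyway.

```python
import socket


def is_reachable(host, port=135, timeout=1.0):
    """Cheap liveness check before the expensive WMI connect.

    A TCP connect to 135 (the RPC endpoint mapper WMI uses) says more than
    a substring test on ping output: "Reply from <gateway>: Destination host
    unreachable" also contains "reply from", so that test passes for a dead host.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def collect_os_info(hosts, probe, reachable=is_reachable, delim="+"):
    """Return one delimited line per host: host+Caption+Version.

    The fields are reset on every iteration and a failed probe leaves them
    empty, so an offline host yields "host++" instead of inheriting the
    previous host's values.
    """
    lines = []
    for host in hosts:
        caption, version = "", ""            # fresh fields for every host
        if reachable(host):
            try:
                info = probe(host)
                caption, version = info["Caption"], info["Version"]
            except (OSError, KeyError, RuntimeError):
                pass                         # leave the fields blank
        lines.append(delim.join((host, caption, version)))
    return lines


# Constructed stand-ins so the block runs without a Windows network. In
# production `probe` runs "Select * from Win32_OperatingSystem" against the
# host and `reachable` is is_reachable above.
FAKE_INVENTORY = {
    "server1": {
        "Caption": "Microsoft(R) Windows(R) Server 2003, Enterprise Edition",
        "Version": "5.2.3790",
    },
}


def fake_probe(host):
    if host not in FAKE_INVENTORY:
        raise OSError(f"{host}: The RPC server is unavailable")
    return FAKE_INVENTORY[host]


def fake_reachable(host):
    return host in FAKE_INVENTORY


if __name__ == "__main__":
    for line in collect_os_info(["server1", "server2"], fake_probe, fake_reachable):
        print(line)
```

Because the probe is a parameter, the same loop can be pointed at a real WMI call later without touching the part that guarantees a blank "server2++" line.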


RE: [ActiveDir] Slow Boot Up

2006-05-25 Thread Bernier, Brandon \(.\)
I would use ethereal to grab a trace of opening up ADUC and take a peek
at what it's trying to do. Maybe it's a DNS issue. Also, are your clients
logging event ID 1030's in the app log?

-Brandon

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, May 25, 2006 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Slow Boot Up

Morning everyone,
Recently all my wkstns are taking up to 5 minutes to log in after a
restart. Stuck at "Applying Computer Settings" and "Applying Security
Settings."  Only change to GPO is "offline files" options are all
disabled.  While from the desktop it takes up to 30 seconds to load and
open up AD snap-in to add a user to a group. Doesn't matter if firewall
is turned on or off. No weird logs on DC.  DCDIAG and NetDiag showed no
errors.

My FSMO roles are spread between two DC in two separate subnets. Schema
Master, Domain Naming Master, and GC are on the same DC. RID, Infras,
and PDC are on the other DC. I thought about promoting another server to
a DC.

Any thought or idea where to check and look?

-Z.V.



RE: [ActiveDir] AD, LDAP, and VB Script

2006-05-25 Thread Bernier, Brandon \(.\)



Here is a good link to get you started.

http://www.microsoft.com/technet/scriptcenter/scripts/ad/default.mspx

Also if you don't have any prior VBScript experience, the Windows 2000 Scripting Guide is a pretty good book (one of my many desktop companions).
 
-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Thursday, May 25, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD, LDAP, and VBScript

Dear group,

Can anyone recommend books or references regarding querying AD via LDAP using VBScript? I am a native C++ and JAVA programmer and am very interested in learning how one goes about doing that.

Joe, your set of tools from joeware (very handy set of tools, thank you), were they written in C or C++? If so, do you use Borland or Studio.net to write and compile them?

Thank you,

-Shariff


RE: [ActiveDir] Removing ADAM from configuration set

2006-05-23 Thread Bernier, Brandon \(.\)
Title: Removing ADAM from configuration set



My lab has changed a bit but the error remains the same. I have two servers running ADAM SP1 and one that isn't ADAM SP1, all in the same configuration set. The one that isn't ADAM SP1 allows me to use DSMGMT to remove any server from the configuration set. The SP1 boxes throw this error when I try to remove a server via DSMGMT --> metadata clean up.

DsRemoveDsServerW error 0x57 (The parameter is incorrect.)
 
 
-Brandon



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 23, 2006 12:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Removing ADAM from configuration set

Define "it doesn't work".

Also go chat with Snyder, he had a fun little tool called Whack-A-DC that was used for the lifeboats that you may be able to modify for this.

But yes, the ADAM tools aren't all polished yet, and may not be polished later. The idea behind ADAM was providing an LDAP directory for developers, not for Admins, or at least that is my opinion on the matter.

  joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Wednesday, May 17, 2006 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Removing ADAM from configuration set

I'm currently blowing away the server object and nTDSDSA object I wish to separate from CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN=GUID. Is there a better way to knock it out of the configuration set? I tried using DSMGMT.exe and treating it as a Decommed/Dead server and cleaning up Metadata, but it doesn't work (the separated instance is offline). Some of these ADAM tools need some polishing up IMO.

The reason I'm breaking it out is so when we do schema extensions if shit hits the fan we can uninstall ADAM on the other boxes and rejoin to this guy with minimal effort.

-Brandon


[ActiveDir] [OT] Service ChangeConf

2006-05-22 Thread Bernier, Brandon \(.\)
Title: [OT] Service ChangeConf







Is there another way to delegate the startup type of a service besides using CC (ChangeConf)? This would be fine, but it also gives whoever has access the ability to change the service context to LocalSystem.

-Brandon





RE: [ActiveDir] DC Demotion and Certificate Services

2006-05-19 Thread Bernier, Brandon \(.\)
Title: DC Demotion and Certificate Services



I take it you're using an Enterprise CA and issuing via the Domain Controller Template?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, May 19, 2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Demotion and Certificate Services

We will be demoting one of our domain controllers to a member server, which also happens to be running certificate services. Before demoting, however, I must of course remove certificate services. The only certificates it has issued are for domain controllers, as well as a web server certificate to the domain administrator.

If I understand correctly, to move this CA I can go through the CA backup process in MMC, install certificate services on the other DC and restore the backup to it. Is this correct? I have very little experience with certificate services in particular, so I want to make sure this is the correct way to go about this. Any guidance on moving it from one DC to another would be appreciated. Thanks.

--
Brian A. Cline
Internet Applications Developer
G&P Trucking Company, Inc.
Direct: 803.936.8595
Toll Free: 800.922.1147 x8595



RE: [ActiveDir] Linking an auxiliary class to a structural class

2006-05-19 Thread Bernier, Brandon \(.\)
Title: RE: Linking an auxiliary class to a structural class







Ok, I figured it out. You can't link a systemAuxiliaryClass unless it's done at class creation time. This will work though. It took me a bit to figure this out since I've never done a modify with an add before.

dn: CN=MyClass1,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemamodify
add: AuxiliaryClass
AuxiliaryClass: MyClass2


-Brandon


From: Bernier, Brandon (.)
Sent: Thursday, May 18, 2006 10:54 AM
To: 'ActiveDir@mail.activedir.org'
Subject: Linking an auxiliary class to a structural class




I've got a billion ADAM instances and I want to add an auxiliary class to a structural one, both classes already exist. This is cake in the ADAM Schema MMC or via ADSI, but I'm going for LDF format. Can someone tell me where I fudged up? Thanks!

dn: CN=Test1,CN=Schema,CN=Configuration,DC=X
changetype: add
add: systemAuxiliaryClass
systemAuxiliaryClass: Test2
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


If an attribute (in this case systemAuxiliaryClass) is multivalued, when adding another value via LDF is that considered an add or a modify? I figured add.

-Brandon





[ActiveDir] DSACLS bug maybe?

2006-05-19 Thread Bernier, Brandon \(.\)
Title: DSACLS bug maybe?







Has anyone seen this issue before?


If you create a computer account in ADUC, then type "DSACLS DnOfComputerObject" it will spit out the ACL's on it. However, if you create another computer account and delegate out who can join it DSACLS can't spit out the ACL's.




RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM

2006-05-19 Thread Bernier, Brandon \(.\)
Ken,

Thanks for the help. The problem was someone felt the need to audit
computer objects in my testlab and was walking behind me turning off
that specific computer for delegation.  Grr.

-Brandon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Thursday, May 18, 2006 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM

Well, you need to ensure that referrals are happening properly (so that
the DC in your domain is referring you to the correct KDC in the foreign
domain in the foreign forest)

Cheers
Ken


:  -Original Message-
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
:  Sent: Thursday, 18 May 2006 11:10 PM
:  To: ActiveDir@mail.activedir.org
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  I forgot one detail. I am accessing this site from a computer that is
:  joined up to a different forest. That metabase key
:  NTAuthenticationProviders also didn't do what I was hoping for.
:  
:  -Brandon
:  
:  -Original Message-
:  From: Bernier, Brandon (.)
:  Sent: Thursday, May 18, 2006 8:56 AM
:  To: 'ActiveDir@mail.activedir.org'
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  I am running the application pool for this website as "Network
:  Service".
:  It is not explicitly defined in my IE Intranet Security Zone, but we
:  have a proxy script that enables "bypass from proxy server" and we
:  have
:  that condition in IE security zone enabled, so yes its there.  I know
:  it
:  is using Kerberos (unless .Net is wrong) because I do a catch that
:  poops
:  out the user context
:  
:  System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
:  System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;
:  
:  and
:  
:  HttpContext.Current.User.Identity.Name.ToString();
:  
:  A.) Yes
:  B.) Yes
:  C.) Yes
:  D.) Until development is completed it is accessed under the server
:  FQDN, I registered an HTTP SPN as follows "setspn -a servername.com
:  servername".
:  E.) Yes
:  F.) I'm not getting any related failures on either the IIS server or
:  the DC it is contacting.
:  
:  My network traces show it trying to auth as NTLM...I thought if it
:  can use kerb it does that first then NTLM...I'm going to add
:  NTAuthenticationProviders=Negotiate in the metabase for this site so
:  it forces kerb or nothing. Thanks again!
:  
:  -Brandon
:  
:  
:  
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
:  Sent: Wednesday, May 17, 2006 7:45 PM
:  To: ActiveDir@mail.activedir.org
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  
:  
:  There's lots of information missing from your post.
:  
:  
:  
:  If you are using a FQDN or IP address to access the site, then the
:  site must be in IE's Intranet Security zone (not Internet zone). IE
:  doesn't attempt Kerberos authentication for sites in the Internet zone.
:  
:  
:  
:  You haven't mentioned what security contexts you are running your
:  website under. If your web application is running under a custom
:  account, all applications accessible at the same FQDN must also be
:  running under that account (even if they are in a different web app
:  pool). And you need to register the SPN under that custom account. If
:  you are using the default Network Service account, then you do not
:  need
:  to register a HTTP SPN unless you are using a non-default port.
:  
:  
:  
:  So, perhaps you can give us the following configuration details?
:  
:  a)  Is website in Intranet security zone in IE?
:  
:  b)  Is "Enable Integrated Windows AuthN" enabled in IE?
:  
:  c)   Is IIS computer account trusted for delegation in AD?
:  
:  d)  What is the URL you are using to access the site, what SPN did
:  you register and where?
:  
:  e)  The other applications accessible at the FQDN/IP address - are
:  they also running under the same user context?
:  
:  f)   In the Security event log, what logon failure events do you
:  see? Can you cut-n-paste them here please?
:  
:  
:  
:  Cheers
:  
:  Ken
:  
:  
:  
:  --
:  
:  My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
:  
:  Tech.Ed Boston 2006 See you there: Everything the web administrator
:  needs to know about MOM 2005
:  
:  ____
:  
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of Bernier,
:  Brandon (.)
:  Sent: Thursday, 18 May 2006 6:51 AM
:  To: ActiveDir@mail.activedir.org
:  Subject: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  
:  
:  
:  
:  OK...I've got a nice issue here and I've been bashing my head against
:  my
:  desk to the point where I need help.
:  
:  I'm writing a very directory intensive application in C# 

[ActiveDir] Linking an auxiliary class to a structural class

2006-05-18 Thread Bernier, Brandon \(.\)
Title: Linking an auxiliary class to a structural class








I've got a billion ADAM instances and I want to add an auxiliary class to a structural one, both classes already exist. This is cake in the ADAM Schema MMC or via ADSI, but I'm going for LDF format. Can someone tell me where I fudged up? Thanks!

dn: CN=Test1,CN=Schema,CN=Configuration,DC=X
changetype: add
add: systemAuxiliaryClass
systemAuxiliaryClass: Test2
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


If an attribute (in this case systemAuxiliaryClass) is multivalued, when adding another value via LDF is that considered an add or a modify? I figured add.

-Brandon





RE: [ActiveDir] ADAM Schema Questions

2006-05-18 Thread Bernier, Brandon \(.\)
Title: RE: ADAM Schema Questions







Please ignore part two of my question, I figured it out. I was only running

dn: CN=MyClass,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isDefunct
isDefunct: TRUE
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

As opposed to

dn: CN=MyClass,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isDefunct
isDefunct: TRUE
-

dn: CN=MyClass,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: cn=MyClassOld
deleteoldrdn: 1

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

_ 

From:   Bernier, Brandon (.)  

Sent:   Wednesday, May 17, 2006 5:23 PM

To: 'ActiveDir@mail.activedir.org'

Subject:    ADAM Schema Questions



1.) If you have a ton of servers in a configuration set, when you do a schema extension and one box is down will it work? In my test I had two ADAM servers and it would not take the schema update because it couldn't replicate (I purposely broke replication with its partner).

2.) When you defunct a class/attribute, what's the attribute to hide it from the MMC? I thought defuncting it did hide it, but I am mistaken.

Thanks!


-Brandon





RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM

2006-05-18 Thread Bernier, Brandon \(.\)
I forgot one detail. I am accessing this site from a computer that is
joined up to a different forest. That metabase key
NTAuthenticationProviders also didn't do what I was hoping for.

-Brandon

-Original Message-
From: Bernier, Brandon (.) 
Sent: Thursday, May 18, 2006 8:56 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM

I am running the application pool for this website as "Network Service".
It is not explicitly defined in my IE Intranet Security Zone, but we
have a proxy script that enables "bypass from proxy server" and we have
that condition in IE security zone enabled, so yes it's there.  I know it
is using Kerberos (unless .Net is wrong) because I do a catch that poops
out the user context

System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;

and 

HttpContext.Current.User.Identity.Name.ToString();

A.) Yes
B.) Yes
C.) Yes
D.) Until development is completed it is accessed under the server FQDN,
I registered an HTTP SPN as follows "setspn -a servername.com
servername".
E.) Yes
F.) I'm not getting any related failures on either the IIS server or the
DC it is contacting.

My network traces show it trying to auth as NTLM...I thought if it
can use kerb it does that first then NTLM...I'm going to add
NTAuthenticationProviders=Negotiate in the metabase for this site so it
forces kerb or nothing. Thanks again!

-Brandon



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, May 17, 2006 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM



There's lots of information missing from your post.

 

If you are using a FQDN or IP address to access the site, then the site
must be in IE's Intranet Security zone (not Internet zone). IE doesn't
attempt Kerberos authentication for sites in the Internet zone.

 

You haven't mentioned what security contexts you are running your
website under. If your web application is running under a custom
account, all applications accessible at the same FQDN must also be
running under that account (even if they are in a different web app
pool). And you need to register the SPN under that custom account. If
you are using the default Network Service account, then you do not need
to register a HTTP SPN unless you are using a non-default port.

 

So, perhaps you can give us the following configuration details?

a)  Is website in Intranet security zone in IE?

b)  Is "Enable Integrated Windows AuthN" enabled in IE?

c)   Is IIS computer account trusted for delegation in AD?

d)  What is the URL you are using to access the site, what SPN did
you register and where?

e)  The other applications accessible at the FQDN/IP address - are
they also running under the same user context?

f)   In the Security event log, what logon failure events do you
see? Can you cut-n-paste them here please?

 

Cheers

Ken

 

--

My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

Tech.Ed Boston 2006 See you there: Everything the web administrator
needs to know about MOM 2005

________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier,
Brandon (.)
Sent: Thursday, 18 May 2006 6:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] IIS6 - Kerb/NTLM

 

 

OK...I've got a nice issue here and I've been bashing my head against my
desk to the point where I need help. 

I'm writing a very directory intensive application in C# with ASP.Net
2.0. If I authenticate to the webpage via NTLM my directory calls will
fail, this is because of the NTLM double hop (trying to pass it from the
client to IIS and do stuff to Active Directory). So I say I'll use
Kerberos instead, I figured if I enabled the computer object for the IIS
box to be trusted for delegation and give it an HTTP SPN it should work.
It will work locally from the webserver, but not from any client. My
guess is it wants the client computers to be trusted as well to
support the mutual auth (I hope I'm wrong). Any suggestions?

-Brandon 
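A PowerShell check for Ken's items (c) and (d) above, added here as an example and not code from either poster: it reads the IIS computer account's delegation state and lists every account holding the HTTP SPN for the site name, then reports the mismatches Ken describes. The computer and host names are placeholders, and the script assumes it runs on a machine joined to the web server's forest.

```powershell
# Added example: verify the Kerberos prerequisites discussed in the thread
# for an IIS server. Uses System.DirectoryServices only, so it runs from
# any domain-joined machine without extra modules.
function Test-IisKerberosSetup {
    param(
        [Parameter(Mandatory=$true)][string]$IisComputerName,  # NetBIOS name of the web server
        [Parameter(Mandatory=$true)][string]$SiteHostName,     # host part of the URL clients use
        [string]$CustomPoolAccount = ''   # sAMAccountName if the app pool runs as a domain account
    )
    $TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit: unconstrained delegation

    $root     = New-Object System.DirectoryServices.DirectoryEntry   # default naming context
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PropertiesToLoad.AddRange([string[]]@(
        'sAMAccountName', 'userAccountControl', 'msDS-AllowedToDelegateTo'))

    # (c) Is the IIS computer account trusted for delegation, and how?
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$IisComputerName`$))"
    $iis = $searcher.FindOne()
    if ($null -eq $iis) { throw "Computer account $IisComputerName`$ not found in AD" }
    $uac           = [int]$iis.Properties['userAccountControl'][0]
    $unconstrained = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
    $constrainedTo = @($iis.Properties['msDS-AllowedToDelegateTo'])

    # (d) Which accounts hold HTTP/<site>? Kerberos needs at most one holder,
    # and it must be the account the app pool runs as. A pool running as
    # Network Service on the default port needs no HTTP SPN at all, because
    # the computer account's HOST/ SPN already covers HTTP (Ken's point).
    $searcher.Filter = "(servicePrincipalName=HTTP/$SiteHostName)"
    $holders = @($searcher.FindAll() | ForEach-Object { $_.Properties['sAMAccountName'][0] })

    $problems = @()
    if ($holders.Count -gt 1) {
        $problems += "Duplicate SPN HTTP/$SiteHostName on: $($holders -join ', ')"
    }
    if ($CustomPoolAccount -and ($holders -notcontains $CustomPoolAccount)) {
        $problems += "HTTP/$SiteHostName is not registered on pool account $CustomPoolAccount"
    }
    if (-not $unconstrained -and $constrainedTo.Count -eq 0) {
        $problems += "$IisComputerName is not trusted for delegation; the second hop to AD will fail"
    }
    if ($unconstrained) {
        # Unconstrained delegation lets the web server reuse any caller's TGT
        # against any service; constraining it to the services it needs is safer.
        $problems += "$IisComputerName uses unconstrained delegation; consider msDS-AllowedToDelegateTo"
    }

    New-Object PSObject -Property @{
        IisComputer             = $IisComputerName
        UnconstrainedDelegation = $unconstrained
        ConstrainedTo           = $constrainedTo
        HttpSpnHolders          = $holders
        Problems                = $problems
    }
}

# Placeholder names; run from a domain-joined admin workstation.
Test-IisKerberosSetup -IisComputerName 'WEB01' -SiteHostName 'web01.example.com' | Format-List
```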




RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM

2006-05-18 Thread Bernier, Brandon \(.\)
I am running the application pool for this website as "Network Service".
It is not explicitly defined in my IE Intranet Security Zone, but we
have a proxy script that enables "bypass from proxy server" and we have
that condition in IE security zone enabled, so yes it's there.  I know it
is using Kerberos (unless .Net is wrong) because I do a catch that poops
out the user context

System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;

and 

HttpContext.Current.User.Identity.Name.ToString();

A.) Yes
B.) Yes
C.) Yes
D.) Until development is completed it is accessed under the server FQDN,
I registered an HTTP SPN as follows "setspn -a servername.com
servername".
E.) Yes
F.) I'm not getting any related failures on either the IIS server or the
DC it is contacting.

My network traces show it trying to auth as NTLM...I thought if it
can use kerb it does that first then NTLM...I'm going to add
NTAuthenticationProviders=Negotiate in the metabase for this site so it
forces kerb or nothing. Thanks again!

-Brandon



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, May 17, 2006 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM



There's lots of information missing from your post.

 

If you are using a FQDN or IP address to access the site, then the site
must be in IE's Intranet Security zone (not Internet zone). IE doesn't
attempt Kerberos authentication for sites in the Internet zone.

 

You haven't mentioned what security contexts you are running your
website under. If your web application is running under a custom
account, all applications accessible at the same FQDN must also be
running under that account (even if they are in a different web app
pool). And you need to register the SPN under that custom account. If
you are using the default Network Service account, then you do not need
to register a HTTP SPN unless you are using a non-default port.

 

So, perhaps you can give us the following configuration details?

a)  Is website in Intranet security zone in IE?

b)  Is "Enable Integrated Windows AuthN" enabled in IE?

c)   Is IIS computer account trusted for delegation in AD?

d)  What is the URL you are using to access the site, what SPN did
you register and where?

e)  The other applications accessible at the FQDN/IP address - are
they also running under the same user context?

f)   In the Security event log, what logon failure events do you
see? Can you cut-n-paste them here please?

 

Cheers

Ken

 

--

My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

Tech.Ed Boston 2006 See you there: Everything the web administrator
needs to know about MOM 2005

____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier,
Brandon (.)
Sent: Thursday, 18 May 2006 6:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] IIS6 - Kerb/NTLM

 

 

OK...I've got a nice issue here and I've been bashing my head against my
desk to the point where I need help. 

I'm writing a very directory intensive application in C# with ASP.Net
2.0. If I authenticate to the webpage via NTLM my directory calls will
fail, this is because of the NTLM double hop (trying to pass it from the
client to IIS and do stuff to Active Directory). So I say I'll use
Kerberos instead, I figured if I enabled the computer object for the IIS
box to be trusted for delegation and give it an HTTP SPN it should work.
It will work locally from the webserver, but not from any client. My
guess is it wants the client computers to be trusted as well to
support the mutual auth (I hope I'm wrong). Any suggestions?

-Brandon 




RE: [ActiveDir] OT: Self grown AD webtool sample output - any takers in joint dev ?

2006-05-17 Thread Bernier, Brandon \(.\)

What are your requirements? Also if you can get over .Net's big footprint,
it's very easy to learn (I came from a VBS background). Nowadays I
struggle more trying to write cmdlets in powershell than anything I can
do in C#.

-Brandon


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, May 17, 2006 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Self grown AD webtool sample output - any
takers in joint dev ?

Hi,

I'm up for helping out a bit.  Not quite sure how I'll fit in.  I've got
quite a bit of experience with batch file scripting, and some with VB6.
Currently playing about with VB 2005 Express (before I fully commit to
.NET).  I also have a fair bit of experience with PHP and PERL, and
limited knowledge of WMIC/ADSI.

Regards,

Adam.

On 17/05/06, Freddy HARTONO <[EMAIL PROTECTED]> wrote:
>
> Hi guys
>
> Sample web output
> Output as attached in MHT - mostly are mouseovers as well as can be
> clicked for more info to open newpage. (not attached here)
>
> Background
> Started up as a for fun thing - year and a half back on my prev job,
> which then becomes a personal hobby and sort of a good to have tool
> for viewing all DC tools results in one page (can be published on
> intranet)
>
> Haven't had time to develop this anymore since a few months back, (too
> darn busy now), anybody interested in joint dev or at least help out in
> improving the codes?
>
> Yes it is in batch files
> Around 1000 lines of BATCH scripts so far (sorry dudes, I'm too dumb to
> understand other scripting language), using tools such as support
> tools, resource kit, psexec/rcmd, logparser, joeware etc etc. I'm
> hoping to keep most of it still in batch otherwise I wouldn't
> understand any of it.
>
> Please note some of these are very site specifics, such as I'm using
> SAV all along, so wouldn't work in Trend/Mcafee environment for
> example. And some requires changing the variables manually - such as
> DN etc etc (too difficult for me to make it very generic) also
> comments are minimal.
>
> Agentless, query over the network (requires rcmdsvc.exe resource kit
> to be installed though), runs on a scheduled basis (depending on
> network speed), on a server (must be 2003).
>
> Bugs?
> Yeah Of course! LOTS of minor bugs (fair warning) and those of you
> that are experts in codes will definitely laugh at my lines :)
>
> Contact me offline if you are interested in joint effort or reviewing
> - [EMAIL PROTECTED]
>
> Thank you and have a splendid day!
>
> Kind Regards,
>
> Freddy Hartono
> Group Support Engineer
> InternationalSOS Pte Ltd
> mail: [EMAIL PROTECTED]
> phone: (+65) 6330-9785
>


--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche




[ActiveDir] ADAM Schema Questions

2006-05-17 Thread Bernier, Brandon \(.\)
Title: ADAM Schema Questions







1.) If you have a ton of servers in a configuration set, when you do a schema extension and one box is down will it work? In my test I had two ADAM servers and it would not take the schema update because it couldn't replicate (I purposely broke replication with its partner).

2.) When you defunct a class/attribute, what's the attribute to hide it from the MMC? I thought defuncting it did hide it, but I am mistaken.

Thanks!


-Brandon





[ActiveDir] Removing ADAM from configuration set

2006-05-17 Thread Bernier, Brandon \(.\)
Title: Removing ADAM from configuration set







I'm currently blowing away the server object and nTDSDSA object I wish to separate from CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN=GUID. Is there a better way to knock it out of the configuration set? I tried using DSMGMT.exe and treating it as a Decommed/Dead server and cleaning up Metadata, but it doesn't work (the separated instance is offline). Some of these ADAM tools need some polishing up IMO. 

The reason I'm breaking it out is so when we do schema extensions if shit hits the fan we can uninstall ADAM on the other boxes and rejoin to this guy with minimal effort. 

-Brandon





[ActiveDir] [OT] IIS6 - Kerb/NTLM

2006-05-17 Thread Bernier, Brandon \(.\)
Title: [OT] IIS6 - Kerb/NTLM







OK…I've got a nice issue here and I've been bashing my head against my desk to the point where I need help.


I'm writing a very directory intensive application in C# with ASP.Net 2.0. If I authenticate to the webpage via NTLM my directory calls will fail, this is because of the NTLM double hop (trying to pass it from the client to IIS and do stuff to Active Directory). So I say I'll use Kerberos instead, I figured if I enabled the computer object for the IIS box to be trusted for delegation and give it an HTTP SPN it should work. It will work locally from the webserver, but not from any client. My guess is it wants the client computers to be trusted as well to support the mutual auth (I hope I'm wrong). Any suggestions?

-Brandon





[ActiveDir] [OU] ASP.Net 2.0 Impersonation

2006-05-16 Thread Bernier, Brandon \(.\)
Title: [OU] ASP.Net 2.0 Impersonation






This is way off topic, but I need a sanity check and the only other place to turn is the wall left of me.


Background: Writing lots of tools in ASP.Net 2.0 on a R2 Enterprise Server. For my website I turn off Anonymous Access and enable Windows Authentication. After that I ACL the website directory with the appropriate administrator group that uses these tools.

Issue: I keep getting "operational failures" when I go to execute any directory query. IIS has the user credential, unlike classic ASP you now need to either enable impersonation in your web.config or manually change thread context when needed. I've verified that it's getting the correct Windows Principal, but it only executes correctly if I hardcode that ID into my web.config. Something is fishy here...Here is a tidbit of code that fails and my web.config


btw- Anyone know a good IIS forum that has the same level of masterminds that ActiveDir has?


-Brandon




Code behind snippet

try
{
    DirectoryEntry objOU = new DirectoryEntry("LDAP://" + m_strFullOUDN);

    DirectoryEntry objComputer = objOU.Children.Add(String.Concat("CN=", m_strComputerName), "computer");

    objComputer.Properties["samAccountName"].Add(String.Concat(m_strComputerName, "$"));
    objComputer.CommitChanges();

    objComputer.Close();
    objComputer.Dispose();
}
catch (System.Runtime.InteropServices.COMException ex)
{
    // grabbing lots of stuff to see who I really am
    TextBox1.Text = TextBox1.Text + "Error Message: " + ex.Message;
    TextBox1.Text = TextBox1.Text + "\n Error Code: " + ex.ErrorCode.ToString();
    // COMException exposes the stack as StackTrace (there is no StackDump member)
    TextBox1.Text = TextBox1.Text + "\n \n Stack Trace: " + ex.StackTrace;
    TextBox1.Text = TextBox1.Text + "\n \n User Type : " + System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
    TextBox1.Text = TextBox1.Text + "\n Current Windows Principal : " + System.Security.Principal.WindowsIdentity.GetCurrent().Name;
    TextBox1.Text = TextBox1.Text + "\n Current HTTP Identity : " + HttpContext.Current.User.Identity.Name;
    TextBox1.Text = TextBox1.Text + "\n Is Anonymous : " + System.Security.Principal.WindowsIdentity.GetCurrent().IsAnonymous;
    TextBox1.Text = TextBox1.Text + "\n Auth Mech : " + System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;
}

    



Web.config


<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">







[ActiveDir] [OU] ASP.Net 2.0 Impersonation - DirectoryEntry

2006-05-12 Thread Bernier, Brandon \(.\)
Title: [OU] ASP.Net 2.0 Impersonation - DirectoryEntry







This is way off topic, but I need a sanity check and the only other place to turn is the wall left of me.


Background: Writing lots of tools in ASP.Net 2.0 on a R2 Enterprise Server. For my website I turn off Anonymous Access and enable Windows Authentication. After that I ACL the website directory with the appropriate administrator group that uses these tools.

Issue: I keep getting access denied when I go to execute any directory query. IIS has the user credential, unlike classic ASP you now need to either enable impersonation in your web.config or manually change thread context when needed. I've verified that it's getting the correct Windows Principal, but it only executes correctly if I hardcode that ID into my web.config. Funny thing is that the bind is done as Network Service (my app pool id). Something is fishy here...Here is a tidbit of code that fails and my web.config


btw- Anyone know a good IIS forum that has the same level of masterminds that ActiveDir has?


-Brandon




Code behind snippet


try
{
    // Bind to the target OU; without impersonation this runs as the app pool identity
    DirectoryEntry objOU = new DirectoryEntry("LDAP://" + m_strOU);

    // Create the computer object under the OU and set its sAMAccountName
    DirectoryEntry objComputer = objOU.Children.Add(String.Concat("CN=", m_strComputerName), "computer");
    objComputer.Properties["samAccountName"].Add(m_strComputerName + "$");
    objComputer.CommitChanges();

    objComputer.Close();
    objComputer.Dispose();
}
catch (System.Runtime.InteropServices.COMException ex)
{
    // Catch clause restored so the snippet compiles (exception type is an assumption);
    // access denied from the directory surfaces here, as in the message's other copy
    TextBox1.Text = TextBox1.Text + "\n Error Code: " + ex.ErrorCode.ToString();
}



Web.config









RE: [ActiveDir] [OT] SCM SDDL on Windows 2003 SP1

2006-05-02 Thread Bernier, Brandon \(.\)
Title: RE: [OT] SCM SDDL on Windows 2003 SP1



This one didn't stem from the lunch, but I got the most 
useful info for it from your blog about this time last year. I've been 
warning people over here that it will break their service delegation for 
application services, unless they prep for it. This all makes sense now; I do 
wish the MS article "Best practices and guidance for writers of SDDL 
lists" listed RC as "Read Control" as opposed to "RCtl", but at least one is 
guessable. Thanks joe!
 
 btw- I feel like a boy scout with a special decoder 
ring when I'm putting these SDDL strings together :). 
 
-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 02, 2006 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] SCM SDDL on Windows 2003 SP1

Hi Brandon. I am wondering if I was indirectly responsible 
for your task. Did it happen to come up some time after the last time I saw you 
guys for lunch? I had a brief parking lot conversation with someone when he 
mentioned SP1 deployment that day...
 
So anyway, what is Read Control used for... It has been a 
bit, so I am taking this off the top of my head, but I believe that is used 
within the SCM for enumerating the actual Security Descriptor of the SCM or 
services. The thing about the SDDL format is that it is generic and the fields 
can mean slightly different things for different securable objects. You can find 
a definitive answer in the docs for OpenSCManager. Look for a link on SP1 
changes or Service Security or something like that and it will take you to a 
page with a ton of info about the security requirements for various calls which 
is where I learned about most of that stuff. 
 
How SC and other programs work when they open up the SCM is 
that they request the perms they need; usually the easiest way is to ask for 
everything you could possibly need versus trying to figure out what specific 
pieces you need. That is why so many service manipulation tools broke when 
that SCM ACL was changed. In actuality, if you know the actual service name you 
want to manage AND you have permissions on that service directly, you can manage 
it without changing the SCM permissions. However, the tool you are using has to 
know to connect directly to that service AND NOT request enumeration privileges 
from the SCM. That is a change I had to make to my SVCUTL utility and a change 
MSFT had to make to SC for the SP1 version.
 
  joe
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Tuesday, May 02, 2006 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] SCM SDDL on Windows 2003 SP1

Ok…..The SCM also needs RPWPRC 
(thought I got away from having to do that, since compmgmt.msc works), which is 
stop, start and RCtl (what does this mean??) for sc.exe to work…So that piece is 
figured out, but I'm still miffed by what sc.exe is trying to do when it stops a 
service and what RCtl is. Comments are appreciated.
-Brandon 
_________ 
From: Bernier, Brandon (.)
Sent: Tuesday, May 02, 2006 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: [OT] SCM SDDL on Windows 2003 SP1
I'm having this issue when I ACL the SCM for Windows 
2003 SP1. I want certain groups to start/stop their own services…so I add this 
ACE (A;;CCLC;;;GroupObjectSID) to the SCM, which allows them to query config 
and query service status (so compmgmt.msc can enum services/status, then 
stop/start), and then I add an ACE to the services for RPWP (start, stop). This 
works via compmgmt.msc, but I get access denied with sc.exe….
If I change the ACE I put on the SCM to pretty much 
what System has it works fine, so I'm going over each perm and trying to figure 
out which one I must be missing. I figured if anything sc.exe would be the 
one not to give me trouble. Any ideas?
-Brandon 
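The ACE strings in this thread, (A;;CCLC;;;GroupObjectSID) on the SCM and RPWP or RPWPRC on a service, use the generic SDDL rights letters, and as joe points out the same letters mean different things on different securable objects. The following is an added example, not code from the thread or from any of its participants: a small Python decoder that maps the rights field of an SDDL ACE onto the SCM-specific (SC_MANAGER_*) and service-specific (SERVICE_*) names from the Windows SDK headers, plus an audit helper that flags an allow ACE granting more than a start/stop delegation. The bit values are the SDK's; the SIDs and the full SDDL string in the sample are constructed placeholders, not a real default descriptor.

```python
import re

# Generic SDDL rights abbreviations and the access-mask bit each one sets.
SDDL_RIGHTS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008,
    "RP": 0x0010, "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}

# What the object-specific low bits mean on each securable object (winsvc.h names).
SCM_SPECIFIC = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}
SERVICE_SPECIFIC = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
# Standard rights mean the same thing on every object; RC is READ_CONTROL.
STANDARD = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
}
GENERIC = {0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
           0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}

# ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def rights_to_mask(rights):
    """Convert the rights field ("CCLCRPWPRC" or a hex literal) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("rights field must be two-letter codes or hex")
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SDDL_RIGHTS:
            raise ValueError("unknown SDDL right %r" % code)
        mask |= SDDL_RIGHTS[code]
    return mask


def describe_mask(mask, target):
    """Name each set bit for target 'scm' or 'service', lowest bit first."""
    specific = SCM_SPECIFIC if target == "scm" else SERVICE_SPECIFIC
    table = {**specific, **STANDARD, **GENERIC}
    return [name for bit, name in sorted(table.items()) if mask & bit]


def parse_ace(ace, target):
    """Split one SDDL ACE and decode its rights for the given object type."""
    m = ACE_RE.fullmatch(ace.strip())
    if not m:
        raise ValueError("not an SDDL ACE: %r" % ace)
    ace_type, flags, rights, _obj, _inh, sid = m.groups()
    mask = rights_to_mask(rights)
    return {"type": ace_type, "flags": flags, "sid": sid,
            "mask": mask, "rights": describe_mask(mask, target)}


def parse_dacl(sddl, target):
    """Decode every ACE in the D: part of a full SDDL string (the form sc.exe sdshow prints)."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]
    return [parse_ace(m.group(0), target) for m in ACE_RE.finditer(dacl)]


# Bits that let a grantee change what runs or who controls it, not just start/stop it.
EXCESS_BITS = (SDDL_RIGHTS["DC"] | SDDL_RIGHTS["SD"] | SDDL_RIGHTS["WD"]
               | SDDL_RIGHTS["WO"] | SDDL_RIGHTS["GA"] | SDDL_RIGHTS["GW"])


def audit_ace(ace, target):
    """Rights in an allow ACE that go beyond a start/stop delegation (empty when fine)."""
    info = parse_ace(ace, target)
    if info["type"] != "A":
        return []
    return describe_mask(info["mask"] & EXCESS_BITS, target)


if __name__ == "__main__":
    # Constructed sample SID; on a real host feed in the output of sc.exe sdshow.
    for target in ("scm", "service"):
        print(target, parse_ace("(A;;RPWPRC;;;S-1-5-21-1-2-3-1001)", target)["rights"])
```

Decoding RPWPRC against both targets shows the point of the thread: on a service it is SERVICE_START, SERVICE_STOP and READ_CONTROL, while the identical letters on the SCM are QUERY_LOCK_STATUS, MODIFY_BOOT_CONFIG and READ_CONTROL, so an ACE copied from one object to the other grants something different from what was intended.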


RE: [ActiveDir] [OT] SCM SDDL on Windows 2003 SP1

2006-05-02 Thread Bernier, Brandon \(.\)
Title: RE: [OT] SCM SDDL on Windows 2003 SP1







Ok…..The SCM also needs RPWPRC (thought I got away from having to do that, since compmgmt.msc works), which is stop, start and RCtl (what does this mean??) for sc.exe to work…So that piece is figured out, but I'm still miffed by what sc.exe is trying to do when it stops a service and what RCtl is. Comments are appreciated.

-Brandon



_ 

From:   Bernier, Brandon (.)  

Sent:   Tuesday, May 02, 2006 9:15 AM

To: ActiveDir@mail.activedir.org

Subject:    [OT] SCM SDDL on Windows 2003 SP1



I'm having this issue when I ACL the SCM for Windows 2003 SP1. I want certain groups to start/stop their own services…so I add this ACE (A;;CCLC;;;GroupObjectSID) to the SCM, which allows them to query config and query service status (so compmgmt.msc can enum services/status, then stop/start), and then I add an ACE to the services for RPWP (start, stop). This works via compmgmt.msc, but I get access denied with sc.exe….

If I change the ACE I put on the SCM to pretty much what System has it works fine, so I'm going over each perm and trying to figure out which one I must be missing. I figured if anything sc.exe would be the one not to give me trouble. Any ideas?

-Brandon







[ActiveDir] [OT] SCM SDDL on Windows 2003 SP1

2006-05-02 Thread Bernier, Brandon \(.\)
Title: [OT] SCM SDDL on Windows 2003 SP1







I'm having this issue when I ACL the SCM for Windows 2003 SP1. I want certain groups to start/stop their own services…so I add this ACE (A;;CCLC;;;GroupObjectSID) to the SCM, which allows them to query config and query service status (so compmgmt.msc can enum services/status, then stop/start), and then I add an ACE to the services for RPWP (start, stop). This works via compmgmt.msc, but I get access denied with sc.exe….

If I change the ACE I put on the SCM to pretty much what System has it works fine, so I'm going over each perm and trying to figure out which one I must be missing. I figured if anything sc.exe would be the one not to give me trouble. Any ideas?

-Brandon







RE: [ActiveDir] Multiple users having same UPN?

2006-03-23 Thread Bernier, Brandon \(.\)
Title: Multiple users having same UPN?



I didn't know that it had a default... I 
made the mistake of assuming that since it showed up as not set it didn't have a 
default value. So now I get to go back to the person who said they tried it 
and hit them for lying. That's strike two for not verifying their info and 
believing them. This came up as a hot item and I will make it die 
now. Thanks again for the useful info!
 
-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 22, 2006 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple users having same UPN?

Every user has a default UPN even if there is nothing 
populated; it will default to the [EMAIL PROTECTED], so say you had a 
domain like am.company.com and a user like bbernie1 in that domain, even 
though there is no UPN populated, a valid UPN for the user would be [EMAIL PROTECTED].
 
If you go to something like just using the forest root like 
[EMAIL PROTECTED] then you 
definitely will have to check for uniqueness, as the system will not enforce 
uniqueness; it will just fail for those users with the dupes. 

 
I would not assume that only admins have the same IDs in 
the different domains, I would be quite willing to bet that you will find 
that you will get burned, you need to check every single ID when configuring. I 
have found over the years many directories that accumulate things that others 
say can't exist and have learned that you shouldn't assume. This is in general 
and for your specific case.
 
You could always use a perl script to call out to adfind to 
dump a list of all samaccountnames in the forest and have it hash the results 
incrementing the counter for each ID and then dump out the IDs with counts 
greater than 1. Something like
 
print "\nFindDupeSamAccounts V01.00.00pl Joe Richards ([EMAIL PROTECTED]) March 2006\n\n";
$|=1;                      # unbuffered output so the spinner shows
my $hint=10;               # advance the spinner every $hint IDs
print "Querying directory, please hold...\n";
# One GC query for every person object that has a sAMAccountName
my @out=`adfind -t 0 -gc -b -f "&(objectcategory=person)(samaccountname=*)" -list samaccountname`;
print "Query Completed. Processing...\n";
my %myhash=();             # sAMAccountName (lower-cased) -> how many times seen
my %mymulti=();            # only the IDs seen more than once
my $proc="\\|/-";
my $cnt=0;
foreach $thisid (@out) {
  chomp $thisid;
  $thisid=lc($thisid);     # case-insensitive, as AD treats the attribute
  $myhash{$thisid}++;
  if ($myhash{$thisid}>1) {$mymulti{$thisid}=$myhash{$thisid}};
  $cnt++;
  if (!($cnt%$hint)) {print "\r",substr($proc,($cnt/$hint)%4,1)};
}
print "\r";
print "Processing Completed.\n";

# Dump the duplicates, least frequent first
my $dupecnt=0;
map {print "$mymulti{$_}\t$_\n";$dupecnt++} sort {$mymulti{$a}<=>$mymulti{$b}} keys %mymulti;

print "Total IDs  : $cnt\n";
print "Total Dupes: $dupecnt\n";
should work fine. I even put a handy dandy spinner in there when 
processing so you know it was doing something.
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Wednesday, March 22, 2006 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multiple users having same UPN?

Hello all, 
I'm mulling over this one and the more I think about 
this the less I like it. We have a single forest / multi-domain environment and 
nothing has a UPN populated. Well of course some bad apple app comes along and 
requires UPNs so we have to address populating UPNs across the forest. 

We wanted to give everyone a UPN of 
[EMAIL PROTECTED]. I don't see this as an issue for the joe 
user…unless you have user IDs with the same name in different domains (btw we 
do not use UPNs for logons). I know that some admins meet that criteria so how 
do I handle that? Search a GC to ensure it doesn't exist? That would make my 
script suck by having to do that for 200,000 users (I'm over exaggerating 
because I can limit the search to only admin IDs). I'm going to see if it 
will even let you add dups programmatically…But in the meantime, I want to 
solicit feedback and see if there are other potential issues down the line by 
doing this. 
-Brandon 
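joe's script above counts duplicate sAMAccountNames; the second point in his reply is that every account already answers to an implicit UPN of sAMAccountName@domain-DNS-name, and that AD does not enforce UPN uniqueness, so the check has to happen before anything is written. The following added example (not from the thread, and not joe's or Brandon's code) models that pre-flight check in Python: given (domain DNS name, sAMAccountName, explicit UPN or none) for each user, it proposes sAMAccountName@suffix for everyone lacking a UPN and reports which proposals collide with another user's proposal, existing UPN, or implicit default. The user list is constructed; in practice it comes from a GC query for sAMAccountName and userPrincipalName across the forest.

```python
from collections import defaultdict


def implicit_upn(domain_dns, sam):
    """The logon name an account has even with userPrincipalName unset."""
    return "%s@%s" % (sam.lower(), domain_dns.lower())


def plan_upns(users, suffix):
    """Propose <sAMAccountName>@<suffix> for users lacking a UPN and find collisions.

    users  : iterable of (domain DNS name, sAMAccountName, userPrincipalName or None)
    suffix : the UPN suffix to roll out, e.g. the forest root DNS name
    Returns (safe, collisions): safe maps (domain, sam) -> UPN that can be
    written; collisions maps a contested UPN -> sorted list of (domain, sam).
    """
    suffix = suffix.lower()
    claims = defaultdict(set)   # upn -> set of (domain, sam) that answer to it
    proposals = {}
    for domain_dns, sam, explicit in users:
        who = (domain_dns.lower(), sam.lower())
        # Every account answers to its implicit name, UPN populated or not.
        claims[implicit_upn(domain_dns, sam)].add(who)
        if explicit:
            claims[explicit.lower()].add(who)   # an existing UPN is already taken
            continue
        upn = "%s@%s" % (sam.lower(), suffix)
        proposals[who] = upn
        claims[upn].add(who)
    # A UPN answered to by more than one distinct account is a collision;
    # comparison is case-insensitive because AD treats these names that way.
    collisions = {upn: sorted(owners) for upn, owners in claims.items()
                  if len(owners) > 1}
    safe = {who: upn for who, upn in proposals.items() if upn not in collisions}
    return safe, collisions


# Constructed sample input (assumed forest root company.com with child domains).
SAMPLE_USERS = [
    ("am.company.com", "bbernie1", None),
    ("company.com", "bbernie1", None),               # same ID in the forest root
    ("am.company.com", "jsmith", None),
    ("eu.company.com", "JSmith", None),              # same ID, other case, other domain
    ("eu.company.com", "svc1", "svc1@company.com"),  # already has an explicit UPN
    ("am.company.com", "svc1", None),
    ("am.company.com", "okuser", None),
]

if __name__ == "__main__":
    safe, collisions = plan_upns(SAMPLE_USERS, "company.com")
    for upn, owners in sorted(collisions.items()):
        print("COLLISION %s: %s" % (upn, ", ".join("%s\\%s" % o for o in owners)))
    print("%d safe to write, %d contested" % (len(safe), len(collisions)))
```

The root-domain user collides with the child-domain user of the same name even though neither has a UPN yet, because the root user's implicit default is already bbernie1@company.com; that is the case a plain duplicate-sAMAccountName count would also catch, but the svc1 case (an explicit UPN already set elsewhere) only shows up when existing values are included in the check.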


[ActiveDir] Multiple users having same UPN?

2006-03-22 Thread Bernier, Brandon \(.\)
Title: Multiple users having same UPN?







Hello all,


I'm mulling over this one and the more I think about this the less I like it. We have a single forest / multi-domain environment and nothing has a UPN populated. Well of course some bad apple app comes along and requires UPNs so we have to address populating UPNs across the forest. 

We wanted to give everyone a UPN of [EMAIL PROTECTED]. I don't see this as an issue for the joe user…unless you have user IDs with the same name in different domains (btw we do not use UPNs for logons). I know that some admins meet that criteria so how do I handle that? Search a GC to ensure it doesn't exist? That would make my script suck by having to do that for 200,000 users (I'm over exaggerating because I can limit the search to only admin IDs). I'm going to see if it will even let you add dups programmatically…But in the meantime, I want to solicit feedback and see if there are other potential issues down the line by doing this. 


-Brandon





RE: [ActiveDir] Issue creating forest trusts

2006-03-09 Thread Bernier, Brandon \(.\)
Title: Issue creating forest trusts



no firewalls in the way (yet), both forests are at 
SP1.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 10:37 AM
To: ActiveDir@mail.activedir.org
Subject: Fw: [ActiveDir] Issue creating forest trusts

Long shot, but are there any ISA or Nokia/Checkpoint units between the 
boxes? We had to get a patch on the Nokia unit because our domain controllers 
wouldn't communicate correctly because of RPC failures after loading SP1 for 
Windows 2003. There was a change in how the RPC communication works in SP1, and 
ISA 2004 and Checkpoint firewalls' RPC filter need to be updated.

>Original Message
> From: [EMAIL PROTECTED]
> Date: 09/03/2006 15:13
> To: ActiveDir@mail.activedir.org
> Subj: [ActiveDir] Issue creating forest trusts
> 



> 
> Hello all, 
> I'm running into this issue where I want to 
> create a forest trust on Windows 2003 with FFL2 level in both forests. When I 
> enter the domain FQDN in the wizard, it tells me it cannot establish an RPC 
> connection to server X. So I grabbed a network trace on both sides…It does a DNS 
> lookup and finds a DC in the target forest, pings it and sends 1 microsoft-DS TCP 
> packet. I can't see inside that one and I'm curious what it's doing; well, 
> whatever it does fails because it does the same DNS lookup again and tries to 
> authenticate via NTLM as my ID in the other forest, so of course it will get 
> denied and stops. Any words of wisdom on what's going on? Thanks!
> -Brandon 


[ActiveDir] Issue creating forest trusts

2006-03-09 Thread Bernier, Brandon \(.\)
Title: Issue creating forest trusts







Hello all,


I'm running into this issue where I want to create a forest trust on Windows 2003 with FFL2 level in both forests. When I enter the domain FQDN in the wizard, it tells me it cannot establish an RPC connection to server X. So I grabbed a network trace on both sides…It does a DNS lookup and finds a DC in the target forest, pings it and sends 1 microsoft-DS TCP packet. I can't see inside that one and I'm curious what it's doing; well, whatever it does fails because it does the same DNS lookup again and tries to authenticate via NTLM as my ID in the other forest, so of course it will get denied and stops. Any words of wisdom on what's going on? Thanks!

-Brandon





[ActiveDir] Using IPSec on Domain Controllers?

2006-02-01 Thread Bernier, Brandon \(.\)
Title: Using IPSec on Domain Controllers? 







Is anyone using IPSec for DC to DC communication in a moderately large environment? I'm curious to see what kind of support issues people are running into... Thanks!


-Brandon





[ActiveDir] LDAPS SRV Records?

2006-01-13 Thread Bernier, Brandon \(.\)
Title: LDAPS SRV Records?








Does anyone have an idea which Windows API does the DNS registration of SRV records for DCs? I'm very curious as to whether that is a public method. The purpose is I'm looking into how feasible it is to write a Windows Service that hooks into netlogon and registers secure LDAP SRV records as needed, provided the DCs can speak LDAPS. Think it's a horrible idea? Could be done better? Let me know what you think. I know the ultimate solution is a DCR, but like I said... I'm just brainstorming ideas.

-Brandon





RE: [ActiveDir] Rights needed for...

2006-01-12 Thread Bernier, Brandon \(.\)
Title: Rights needed for...



Thanks for 
the info joe, I'm doing quite well. This is the same struggle...just 
happens to be a couple years later. The vendor claims it works fine under 
reduced permission and our environment is hosed up, yet I can consistently 
reproduce it in multiple scenarios. I'll work with the guys listed to try 
and get some resolution out of this. Thanks again!
 
-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rights needed for...

Hey Brandon. How are you?
 
Just taking a guess, but I would start with Change Password, 
since kpasswd I believe takes the old and new passwords, right? You might want to 
touch base with Slav (see Vern) as he might know for sure, having played with 
that stuff for a couple of years to kerberize UX and Solaris. I recall there was 
a join issue that was encountered that necessitated re-looking at the 
permissions delegated to the machine accounts even for Windows joins from what 
was previously assigned. Joining the SAN devices was always a pain in the rear 
and I recall it had to be done by DA there for a bit but the vendors were 
supposed to fix that. Again, ping Vern.
 
  joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Wednesday, January 11, 2006 3:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rights needed for...

Does anyone know what rights are actually used 
during a join to perform the kpasswd function on the computer object? This 
doesn't really affect Windows hosts since the traces (at least in my environment) 
show them using NTLM for the password change.
I'm told "Reset Password" should be 
it, but that's only on the NTLM side… Any suggestions are very much appreciated. 
Thanks in advance!
-Brandon 


[ActiveDir] Rights needed for...

2006-01-11 Thread Bernier, Brandon \(.\)
Title: Rights needed for...







Does anyone know what rights are actually used during a join to perform the kpasswd function on the computer object? This doesn't really affect Windows hosts since the traces (at least in my environment) show them using NTLM for the password change.

I'm told "Reset Password" should be it, but that's only on the NTLM side… Any suggestions are very much appreciated. Thanks in advance!


-Brandon





RE: [ActiveDir] [OT] Generating EFS Recovery Certificate

2006-01-05 Thread Bernier, Brandon \(.\)
Title: [OT] Generating EFS Recovery Certificate



If only we had an 
enterprise CA implemented. You were right about makecert.exe; if you wanted to 
do it and have the cert look just like the cipher.exe one, it would look like 
this. The only downside to makecert is that it doesn't make a .pfx file, so you 
need to manually create that. Thanks for the help!
 
makecert -r -pe -n "OU=EFS File Encryption Certificate,L=EFS,CN=Administrator" -a sha1 -e 12/31/2008 -eku 1.3.6.1.4.1.311.10.3.4.1 -ss my testefs.cer
 
-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Thursday, January 05, 2006 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Generating EFS Recovery Certificate

You can use an MS Ent CA to do this (just copy and 
edit the V2 template), or you should be able to specify the 
OID "1.3.6.1.4.1.311.10.3.4.1" in your call to CryptEncodeObject to 
create one. Optionally, you can try makecert.exe (but I have never tried this). 

 
spat
 

  ----- Original Message ----- 
  From: Bernier, Brandon (.) 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, January 05, 2006 7:14 AM
  Subject: [ActiveDir] [OT] Generating EFS Recovery Certificate
  
  Sorry for the off topic question. Here is the 
  background... 
  Remember when you first bring up a DC and it 
  generates a self-signed EFS Recovery Certificate? Well what do you do when you 
  don't know about that and 5 years down the road you want to implement a 
  recovery solution and that original DC is long gone?
  Well one way would be you can use Cipher.exe to 
  generate another EFS Recovery cert and create a domain recovery agent using 
  that cert and re-touch all your encrypted files across each PC.
  Great, no biggie. But let's say you want to put 
  this cert on a secure USB key fob, so it can't be copied off or tampered 
  with, but your unnamed vendor doesn't support certs that are issued out for 100 
  years. 
  So basically I need another way to generate an EFS 
  Recovery Certificate that doesn't go out for 100yr; I'd like to control the 
  issuing date. Does anyone know another way to go about this? It is unknown to 
  me if I can use the Crypto API to generate a self-signed cert with whatever 
  the EFS Recovery OID is. Thanks again for any input! 
  -Brandon 


[ActiveDir] [OT] Generating EFS Recovery Certificate

2006-01-05 Thread Bernier, Brandon \(.\)
Title: [OT] Generating EFS Recovery Certificate







Sorry for the off topic question. Here is the background...


Remember when you first bring up a DC and it generates a self-signed EFS Recovery Certificate? Well what do you do when you don't know about that and 5 years down the road you want to implement a recovery solution and that original DC is long gone?

Well one way would be you can use Cipher.exe to generate another EFS Recovery cert and create a domain recovery agent using that cert and re-touch all your encrypted files across each PC.

Great, no biggie. But let's say you want to put this cert on a secure USB key fob, so it can't be copied off or tampered with, but your unnamed vendor doesn't support certs that are issued out for 100 years. 

So basically I need another way to generate an EFS Recovery Certificate that doesn't go out for 100yr; I'd like to control the issuing date. Does anyone know another way to go about this? It is unknown to me if I can use the Crypto API to generate a self-signed cert with whatever the EFS Recovery OID is. Thanks again for any input! 

-Brandon
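Both routes discussed in this thread, steve patrick's CryptEncodeObject call and Brandon's makecert line with -eku 1.3.6.1.4.1.311.10.3.4.1, end up writing an extendedKeyUsage extension whose DER value is a SEQUENCE of OBJECT IDENTIFIERs. The following is an added example, not from the thread or any of its participants: a pure-Python encoder and decoder for that extension value, so a certificate produced either way can be checked for the recovery-agent purpose as opposed to the ordinary EFS user purpose 1.3.6.1.4.1.311.10.3.4 (the same OID one arc shorter, which a cert meant for file recovery must not be confused with). The two OID values are Microsoft-assigned; everything else is standard DER with no external library.

```python
EFS_RECOVERY_EKU = "1.3.6.1.4.1.311.10.3.4.1"  # OID quoted in the thread (EFS recovery agent)
EFS_USER_EKU = "1.3.6.1.4.1.311.10.3.4"        # ordinary EFS user certificate, for contrast
OID_TAG, SEQUENCE_TAG = 0x06, 0x30


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag, length, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: %s" % dotted)
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]   # first two arcs share one sub-identifier
    body = bytearray()
    for value in subids:
        chunk = [value & 0x7F]
        value >>= 7
        while value:                                 # higher groups carry a continuation bit
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    return bytes([OID_TAG]) + _der_len(len(body)) + bytes(body)


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    if not oids:
        raise ValueError("EKU needs at least one purpose")
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([SEQUENCE_TAG]) + _der_len(len(inner)) + inner


def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element); rejects truncation."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def decode_oid_body(body):
    """Inverse of encode_oid for the value octets."""
    if not body or body[-1] & 0x80:
        raise ValueError("OID ends mid sub-identifier")
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    lead = 0 if first < 40 else 1 if first < 80 else 2
    return ".".join(str(a) for a in [lead, first - 40 * lead] + subids[1:])


def decode_eku(der):
    """Parse an extendedKeyUsage value back into a list of dotted OIDs."""
    tag, inner, end = _read_tlv(der, 0)
    if tag != SEQUENCE_TAG or end != len(der):
        raise ValueError("not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(inner):
        tag, body, pos = _read_tlv(inner, pos)
        if tag != OID_TAG:
            raise ValueError("EKU member is not an OID")
        oids.append(decode_oid_body(body))
    return oids


def grants_efs_recovery(der):
    """True when the EKU names the recovery-agent purpose (not merely EFS user)."""
    return EFS_RECOVERY_EKU in decode_eku(der)


if __name__ == "__main__":
    eku = encode_eku([EFS_RECOVERY_EKU])
    print(eku.hex(), decode_eku(eku), grants_efs_recovery(eku))
```

The OID's 311 arc is the one worth watching when hand-rolling this: it exceeds 127, so it encodes as two octets (0x82 0x37) with a continuation bit, which is why the extension value is 15 bytes rather than the 13 a naive one-byte-per-arc count would give.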





RE: [ActiveDir] Corporate Directory

2005-11-15 Thread Bernier, Brandon \(.\)



Each user object has an attribute called "telephone 
number".  I don't know much about Crystal Reports, otherwise I'd give you 
more specific details on that. Let me know if you would like a VBScript or Perl 
example.
 
-brandon
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Hofert
Sent: Tuesday, November 15, 2005 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Corporate Directory

I would like to 
use the data stored in Active Directory to generate our corporate phone list. I 
cannot figure out a way to access that data. Maybe that is by design. Can anyone 
offer assistance on how that data can be accessed to add to a crystal report or 
a query or something?
 
Thanks

Todd Hofert
IT Director
Spartan Graphics, Inc. 
This e-mail and any attachments may contain confidential and privileged 
information. If you are not the intended recipient, please notify the sender 
immediately by return e-mail, delete this e-mail and destroy any copies. Any 
dissemination or use of this information by a person other than the intended 
recipient is unauthorized and may be illegal. 



RE: [ActiveDir] Adding IP's to relay restrictions

2005-11-15 Thread Bernier, Brandon \(.\)




 
 I don't believe that info is stored in Active 
Directory; I'm no Exchange guru so please let me know if that's not true. It can 
be accessed from the IIS metabase; that info is stored in the RelayIPList key 
under the default SMTP instance. You can use Metabase Explorer to view it, but 
it's binary data. The part I'm not sure of is converting it to the 
format it likes; I'm sure there is an API call out there someone knows that can 
do it.
-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sem 3
Sent: Tuesday, November 15, 2005 9:03 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding IP's to relay restrictions

Thanks Mike
 
That doesn't seem to be it.  I have used that before on E5.5 but on 
E2003 it is held in AD in the exchange part and it is now a Virtual server as 
opposed to a physical.
 
Thanks for your help though :)
 
SEM 
On 11/15/05, Thommes, 
Michael M. <[EMAIL PROTECTED]> 
wrote: 

  
  I believe it is 
  configured in the registry on the Exchange server.  See http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q193922&ID=KB;EN-US;Q193922
   
  Mike 
  Thommes
  
   
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sem 3
  Sent: Tuesday, November 15, 2005 7:27 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Adding IP's to relay restrictions
   
  
  I need to scriptomatically or in 
  batch add IP addresses to the Relay Restrictions list on an Exchange 2003 SMTP 
  virtual server. 
  I know these values are stored in 
  AD but can't seem to find them.  Any pointers, scripts or tips would be 
  really appreciated.  
   
  Thanks 
  all…..


RE: [ActiveDir] CertSvc Error **RESOLVED**

2005-11-11 Thread Bernier, Brandon \(.\)




you should be able to. 
I believe it only restores the CA database and since the templates are published 
in AD, they should be left alone. But, I've never done this so please triple 
guess me.
-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, November 11, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error **RESOLVED**


When I logged on to the 
CertServ as a Domain Admin in my child domain and ran certtmpl.msc, it said I needed to be a 
Domain Admin and Enterprise Admin to publish new templates.  I was an 
Enterprise Admin, but not a part of the Domain Admins group in the root 
domain.  I then Logged on as a Domain Admin/Enterprise Admin in the root 
domain and ran the command which then prompted me to Upgrade the 
templates.  No more errors.
 
Now the question is 
this, can I now restore my CA backup or will this cause a 
problem?
 
Thanks 
all!!!
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, November 11, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error
 

Besides uninstalling 
the CA and going through all the issues around that, why don't you blow away the 
templates? If you run certtmpl.msc after, it will ask "This is the first time you 
have opened Certificate Templates, would you like to publish them in Active 
Directory?"  Say yes and then you get fresh templates. Then just pick your 
template and republish it. This doesn't have a horrible effect 
unless everything is re-autoenrolling at the time you do 
this. 

 

btw what kind of 
templates do you have published?

 

-brandon

 

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, November 11, 2005 2:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error
Well all 
the CA’s were backed up before the uninstall.  And no this did not resolve 
the issue.  When the service is restarted, it states that none of the 
policies could be loaded; one Event ID 77 warning for each template, like 
so:
 
Event Type:     Warning
Event Source:   CertSvc
Event Category: None
Event ID:       77
Date:           11/11/2005
Time:           10:46:04 AM
User:           N/A
Computer:       SWSAD1
Description:
The "Windows default" Policy Module logged the following warning: The EFSRecovery(v2.0): V1 Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168).
 
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, November 11, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error
 
Was this 
an upgrade from W2K?
 
What error 
messages are you receiving on the DC?





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CertSvc Error
 

True if 
running in production -- thanks on the feedback of not needing to do a reinstall 
...

 

Chuck

 



__
This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You. 



RE: [ActiveDir] CertSvc Error

2005-11-11 Thread Bernier, Brandon \(.\)



Besides 
uninstalling the CA and going through all the issues around that, why don't you 
blow away the templates? If you run certtmpl.msc after, it will ask "This is the 
first time you have opened Certificate Templates, would you like to publish them 
in Active Directory?"  Say yes and then you get fresh templates. Then just 
pick your template and republish it. This doesn't have a horrible effect 
unless everything is re-autoenrolling at the time you do 
this. 
 
btw what 
kind of templates do you have published?
 
-brandon
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, November 11, 2005 2:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error





Well all the CA’s were 
backed up before the uninstall.  And no this did not resolve the 
issue.  When the service is restarted, it states that none of the policies 
could be loaded; one Event ID 77 warning for each template, like 
so:
 
Event Type:     Warning
Event Source:   CertSvc
Event Category: None
Event ID:       77
Date:           11/11/2005
Time:           10:46:04 AM
User:           N/A
Computer:       SWSAD1
Description:
The "Windows default" Policy Module logged the following warning: The EFSRecovery(v2.0): V1 Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168).
 
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, November 11, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error
 
Was this 
an upgrade from W2K?
 
What error 
messages are you receiving on the DC?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CertSvc Error
 

True if 
running in production -- thanks on the feedback of not needing to do a reinstall 
...

 

Chuck

 



