RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-20 Thread Brett Shirley
Does anyone know if the vmware stuff allows "ba xxx w4" in the windows
debugger (obviously running on windows guest VM)?

ba xxx w4 = means break on address write w/in 4 bytes of the xxx, which is
a pointer.  This kind of bp is set through a register directly on the CPU.

I know for a fact VS doesn't support it ... not sure if it's impossible to
support, switching machines would mean you simply have to swap out that
set of registers as well, I guess ... just curious.

Cheers,
BrettSh [msft]

posting "as is"


On Thu, 18 Jan 2007, Akomolafe, Deji wrote:

> >>> one runs on bare metal and other runs under a host OS
> 
> Actually, that's a sleight of hand. ESX runs on a VMware-cooked Linux Kernel. 
> So, one can argue that, because it is bundled with its own "OS", ESX does not 
> really "run on bare metal" in the way some people describe it.
> 
> 
> Sincerely, 
>_
>   (, /  |  /)   /) /)   
> /---| (/_  __   ___// _   //  _ 
>  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
> (_/ /)  
>(/   
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about 
> Yesterday? -anon
> 
> 
> 
> From: Noah Eiger
> Sent: Thu 1/18/2007 4:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Remote DC's on Virtual Server
> 
> 
> I realize this is now getting a bit OT, but.
>  
> Deji, I think the fruit distinction is based on the fact that one runs on 
> bare metal and other runs under a host OS. (Or at least that is how I have 
> always thought of them.) Beyond that, I agree there are simply feature 
> comparisons.
>  
> That said, (and with the caveat that I have not worked with ESX) I find the 
> MS product to be much simpler than VM Server (nee GSX). I started halfway 
> down the path of migrating my MS VMs to VM Server and found it overly complex 
> and the video emulation performance using the VM Ware client was so bad as to 
> be unacceptable. 
>  
> And as to the OP, I have DCs running on MS VS2k5 R2 and have not had any 
> problems. In the situation you describe, Justin, it seems like performance 
> and cost would be the deciding factor.
>  
> --- nme
>  
> 
> 
> 
> From: Akomolafe, Deji [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, January 18, 2007 3:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Remote DC's on Virtual Server
>  
> :)
>  
> Interesting points, again. Did I remember to say that I am biased? I think 
> so. I expect that I'm going to catch some flak for what I'm about to write, 
> but .
>  
> These do not make VS and ESX "apples and oranges". VMotion, Host clustering. 
> Different nomenclature, different capabilities, same purpose, Resource 
> allocation guarantee, CPU Resource allocation weight.
>  
> Superior Networking capabilities. Sure. Does VS have networking capabilities? 
> Of course. Does ESX integrate with AD as well as VS? Does it run on Windows? 
> Support software iSCSI? Live backup and Shadow Copy? (OK, if you count VCB 
> and its proxy).
>  
> Administration - show of hands, quick - ESX or VS, which is easier and less 
> complex to deploy and administer? Which has easier and faster client 
> deployment option?
>  
> I swear, I have NOT drunk any kool-aid, but I think people's perceptions of 
> the superiority of ESX over VS is largely driven by a combination of 
> historical trends, myths, marketing and the unavoidable "Winblows Sux" 
> mentality. Since we are on a Windows-centric list here, I do not mind 
> admitting that I do not subscribe to the notion that if it's not Windows, it 
> must be better than Windows. Mind you, Hunter, I am NOT implying that this is 
> where you are coming from, but the reason I asked you to enunciate the 
> reasoning behind your thinking was because I was hoping to hear something I 
> haven't heard before on this issue.
>  
> VS certainly wasn't as feature-rich as ESX a couple of revs back. The gap is 
> considerably narrowed with what's currently going into VS and what ESX 3.0.1 
> has today. Will VS catch and surpass ESX in a few months, no. Will it ever 
> catch up, maybe. But, today, if we factor in the cost overlay (in licensing, 
> hardware and administrative values), and discount our preconceived (or 
> received) notions of ESX superiority, and give VS (as of SP1 Beta 2) a fair 
> shake, one would be pleasantly surprised at how narrow the gap really is.
>  
> To me, these 2 products are all bananas - one is a "just banana" and the 
> other is "organic banana". They are certainly not more "apple and orange" 
> than your convertible and my jalopy are "apple and orange". They are both 
> virtualization tools, and they each serve the same purpose. One is cheap 
> (like, FREE cheap, while giving you liberal Windows licensing terms and 
> flexibility to boot), the other is not.
>  
> Now, I'm off to fi

RE: [ActiveDir] OT: Silly me.. I thought it already had RTM'd

2006-12-08 Thread Brett Shirley
It was probably confusing b/c they had the launch event (last week in NYC
w/ Vista + Office) before our RTM (which was today, I just got back from
the "ship party").

Cheers,
BrettSh [msft]


On Fri, 8 Dec 2006, Michael B. Smith wrote:

> Exchange2007 on Yahoo Groups (very low volume so far)
> PowerShell on Yahoo Groups (very low volume so far)
> 
> Plus all the standard Exchange lists have had a little Exchange 2007
> traffic.
> 
> Of course, most of the people who have been posting are beta-users or
> MVPs or TAP people...with RTM that'll start to switch...
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Friday, December 08, 2006 3:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: Silly me.. I thought it already had RTM'd
> 
> http://blogs.technet.com/brettjo/archive/2006/12/08/exchange-server-2007
> -rtm.aspx
> 
> Good Morning all, just wanted to bring the following to your
> attention..!!!
> 
> http://msexchangeteam.com/archive/2006/12/07/431782.aspx
> 
> Okay so where's the Exchange 2007 listserves?
> 
> -- 
> Letting your vendors set your risk analysis these days?  
> http://www.threatcode.com
> 
> If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
> will hunt you down...
> http://blogs.technet.com/sbs
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
> 



Re: [ActiveDir] Tombstone.

2006-12-04 Thread Brett Shirley
By default it is not possible to recover an AD object from an AD
tombstone.

The AD tombstone mechanism is used to support AD replication.

The way AD replications works, is that in a sense a delete is really like
a modify by "setting the isDeleted" attribute (really the metadata, maybe
the attr too, don't remember OTOH).  By setting this attribute the AD
object turns into an AD tombstone, a change that can replicate normally
around to make the delete global.

Cheers,
Brett Shirley


On Tue, 5 Dec 2006, Ajay Kumar wrote:

> Hi all,
> 
> I have a query
> Is it possible to recover a network object from an AD tombstone?
> If not, then what is the use of it?
> 
> Regards,
> Ajay pardeshi
> 

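An added Python model of the delete-as-modify mechanism Brett describes (not code from the list, from Microsoft or from ESE): an object is tombstoned on one DC by setting isDeleted and stripping attributes, the change replicates to a second DC by ordinary metadata comparison, and each DC later garbage-collects the tombstone locally. The names DC1 and guid-1, the retained-attribute set and the toy clock are constructed assumptions; the rename into the Deleted Objects container is not modelled.

```python
"""Toy model of AD's delete-as-tombstone replication.

Added illustration, not Microsoft code. Constructed simplifications:
per-attribute replication metadata is (version, originating DC, stamp);
replication is a pull of any attribute with a higher version on the source;
a DC garbage-collects a tombstone on its own once the isDeleted stamp is
older than a lifetime. The Deleted Objects container rename is not modelled.
"""
from dataclasses import dataclass

# Attributes a tombstone keeps in this model (a constructed subset).
TOMBSTONE_KEEP = {"objectGUID", "objectSid", "name", "isDeleted"}


@dataclass(frozen=True)
class Attr:
    value: object
    version: int        # bumped on every originating write; replication compares it
    originating_dc: str
    stamp: int          # toy clock value of the originating write


class DC:
    def __init__(self, name):
        self.name = name
        self.objects = {}   # objectGUID -> {attribute name: Attr}

    def originate_write(self, guid, attr, value, now):
        obj = self.objects.setdefault(guid, {})
        old = obj.get(attr)
        obj[attr] = Attr(value, (old.version if old else 0) + 1, self.name, now)

    def delete(self, guid, now):
        """Delete == modify: strip non-retained attributes (value None) and set
        isDeleted. Each is an ordinary originating write, so each replicates."""
        for attr in list(self.objects[guid]):
            if attr not in TOMBSTONE_KEEP:
                self.originate_write(guid, attr, None, now)
        self.originate_write(guid, "isDeleted", True, now)

    def is_tombstone(self, guid):
        attr = self.objects.get(guid, {}).get("isDeleted")
        return attr is not None and attr.value is True

    def visible_attrs(self, guid):
        """What a normal read sees: stripped (None) values are gone."""
        return {a: x.value for a, x in self.objects.get(guid, {}).items()
                if x.value is not None}

    def replicate_from(self, source):
        """Pull replication: adopt each attribute whose version is higher."""
        for guid, src_obj in source.objects.items():
            dst_obj = self.objects.setdefault(guid, {})
            for attr, src in src_obj.items():
                dst = dst_obj.get(attr)
                if dst is None or src.version > dst.version:
                    dst_obj[attr] = src

    def garbage_collect(self, now, lifetime):
        """Drop expired tombstones locally; this step itself never replicates."""
        for guid in [g for g in self.objects if self.is_tombstone(g)]:
            if now - self.objects[guid]["isDeleted"].stamp > lifetime:
                del self.objects[guid]


def demo(lifetime=60):
    """Create a user on DC1, delete it, replicate to DC2, then age it out."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    for attr, value in [("objectGUID", "guid-1"), ("name", "jdoe"),
                        ("mail", "jdoe@example.test")]:
        dc1.originate_write("guid-1", attr, value, now=0)
    dc2.replicate_from(dc1)

    dc1.delete("guid-1", now=1)
    before = dc2.is_tombstone("guid-1")          # DC2 has not heard yet
    dc2.replicate_from(dc1)                      # tombstone arrives as a modify
    after = dc2.is_tombstone("guid-1")
    mail_on_dc2 = dc2.visible_attrs("guid-1").get("mail")
    meta = dc2.objects["guid-1"]["isDeleted"]   # metadata names DC1 as originator

    for dc in (dc1, dc2):                        # past the lifetime, both drop it
        dc.garbage_collect(now=1 + lifetime + 1, lifetime=lifetime)
    return {
        "tombstone_on_dc2_before_replication": before,
        "tombstone_on_dc2_after_replication": after,
        "mail_visible_on_dc2_after_replication": mail_on_dc2,
        "isDeleted_originated_on": meta.originating_dc,
        "object_present_after_gc": any("guid-1" in dc.objects for dc in (dc1, dc2)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes visible: nothing special travels for a delete; DC2 learns about it only because the isDeleted write carries a higher version than anything it holds, and the stripped attribute values are gone on DC2 for the same reason. Garbage collection is the only step that does not replicate, which is why it must be keyed off the replicated stamp rather than local events.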


Re: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size gone up like crazy!

2006-11-14 Thread Brett Shirley
I did not say that compiler options produced the increase in size.  I said
someone guessed pretty close, and pasted all the guesses into one mail
thread (because people on this alias are so terrible at finding the tip of
the thread).

Cheers,
-BrettSh

On Tue, 14 Nov 2006, Javier Jarava wrote:

> Hey! I wonder why everybody assumes that I am implying there is
> something sneaky going on?? :)) I mean, it's not like any of you had
> seen my new tinfoil hat, and I believe I haven't ranted about my
> conspiracy theories on-list not even once!!
> 
> (I was about to say that I am SURE I've never referred to MS using the
> "M " shortcut, but I think that might be getting a little too
> close to irony, and probably joke might be misread, so I decided to be
> on the safe side and try to be serious and avoid it And then
> decided that the day is boring enough so what the h..!)
> 
> (Note: yes, the above paragraphs are not to be taken seriously and can
> be skipped over without losing any content).
> 
> Conspiracy theories aside, the reason of my OP was that I tend to
> enjoy lean utils and when a program just about doubles its size for no
> apparent reason, I like to ask why.
> 
> There was a time loong ago when I thought I knew something about
> programming (that was around the time of VS5 and BCB1/3, so I guess
> that explains how outdated I sometimes feel), and I remember getting
> big changes in exe sizes just by playing around with compiler options.
> That's what I believed the reason for the change was, and I guess the
> thread more or less confirms it (especially BrettSH's posts).
> 
> But I was (and still am) curious as to the how/what/why of the change.
> I mean, I (obviously) don't have the code for the sysinternals utils
> (and probably wouldn't be able to make much sense of it if I had), but
> I tend to "remember" that the little code I've seen from Sysinternals
> (something to do with file defrag. IIRC) was clean and neat-looking,
> w/o "dangerous shortcuts" and similar hocus-pocus that might be
> "cleaned off" and thus get a bigger exe.
> 
> And if the reason is "sysinternals used a standard MS compiler" vs
> "in-house use of better tools"... well, I know that exe size is not
> everything.. but... being honest, if you had an established and
> working product, and one of your programmers "used better tools" to
> get a result that is 2x, wouldn't you wonder if it was worth it?
> 
> So I guess it boils down to a matter of curiosity, and I also feel
> that there is a lesson there worth knowing. After all, I truly believe
> the Sysinternals utils are true "gems" and I hope they are maintained
> and grown to be even better.
> 
>  :)
> 
> On 13/11/06, joe <[EMAIL PROTECTED]> wrote:
> > Could be various things of which most would probably be a little difficult
> > to ascertain.
> >
> > Compiler versions can certainly cause deltas, as well as individual switches
> > in a compiler. For instance, if I use Borland Builder 6.0 to compile
> > something and then use Borland Developer Studio (Basically Borland Builder
> > 7.0) I will see a reduction usually of about 10-40% in binary size. However,
> > if I select certain switches (primarily things like inline function
> > expansion while using STL code), the BDS compile can grow from 50-300% and
> > probably more, 300% is about the most I have seen. It is likely that MSFT
> > would compile the tools with something different than Mark would have and
> > use. From the times I have looked at Mark's source, I am pretty sure he just
> > used the standard Visual Studio product that was current for the time. I
> > won't speak for MSFT on what they definitively use, but they are not sitting
> > there using VS to build release code.
> >
> > Other possibilities are additional PE options like manifests, code signing,
> > x64 compiles, as mentioned above a variety of compiler/linker options (set
> > through switches or different interpretations of pragmas), using different
> > libraries for standard functions (i.e. not everyone implements cout or
> > printf identically), and of course there are things like changes to the code
> > to reflect internal MSFT programming guidelines like changing how strings
> > are handled, etc.
> >
> > There are obviously tin foil hat things that it could be as well, but there are
> > so many non-devious things it could be it would be quite a while before I
> > started thinking something devious was occurring.
> >
> > I wouldn't be surprised if no one there even knows the bloat occurred or
> > why. I am sure someone there could figure it out if they wanted to though.
> >
> >joe
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> > Sent: Monday, November 13, 2006 12:47 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size gone u

RE: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size gone up like crazy!

2006-11-13 Thread Brett Shirley
I started a mail thread on this internally, and BOY was I wrong,
apparently bbisw.lib is only like 3k, so couldn't possibly explain the
bloat!

They pretty much know what bloated the binaries, and said they'll blog
something about it in the next few days or so on the sysinternals blog ...
though someone's guess below was pretty close according to initial
analysis ...

But you don't have to wait for it, feel free to propagate your favorite
conspiracy theories in the meantime ...

Cheers,
BrettSh

This posting is provided "AS IS" with no warranties, and confers
no rights.


On Mon, 13 Nov 2006, Brian Desmond wrote:

> I think MS may have signed them all. Dunno if that increases size.
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>


On Mon, 13 Nov 2006, Steve Egan (Temp) wrote:

> Back in my days of programming in C, if we used the C-Worthy Interface
> Library (CWIL), a simple three-line program would be a MINIMUM of 170K.
> Maybe it's because a GUI is now included, or somesuch??
>
> Steve Egan
> Purcell Systems
> System/Network Administrator
> desk 509 755-0341 x110
> cell 509 475-7682
> fax 509 755-0345


On Mon, 13 Nov 2006, Brett Shirley wrote:

> We had to compile in bbisw.lib (Big Brother Is Watching).  You might think
> that's against your rights, but you signed them away when you accepted
> the 5k larger eula.txt below (which you didn't read).
>
> Cheers,
> BrettSh [EMAIL PROTECTED] <-- I've decided it's funny when I use it.
>
> Just b/c I know this kind of thing can go rabidly out of control, _YES, I
> WAS KIDDING._


On Mon, 13 Nov 2006, Free, Bob wrote:

> I would think in part it has to be the new GUI EULA that pops up and
> the code they use to update the registry of acceptance of said EULA.
>

On Mon, 13 Nov 2006, joe wrote:

> Could be various things of which most would probably be a little difficult
> to ascertain. 
> 
> Compiler versions can certainly cause deltas, as well as individual switches
> in a compiler. For instance, if I use Borland Builder 6.0 to compile
> something and then use Borland Developer Studio (Basically Borland Builder
> 7.0) I will see a reduction usually of about 10-40% in binary size. However,
> if I select certain switches (primarily things like inline function
> expansion while using STL code), the BDS compile can grow from 50-300% and
> probably more, 300% is about the most I have seen. It is likely that MSFT
> would compile the tools with something different than Mark would have and
> use. From the times I have looked at Mark's source, I am pretty sure he just
> used the standard Visual Studio product that was current for the time. I
> won't speak for MSFT on what they definitively use, but they are not sitting
> there using VS to build release code. 
> 
> Other possibilities are additional PE options like manifests, code signing,
> x64 compiles, as mentioned above a variety of compiler/linker options (set
> through switches or different interpretations of pragmas), using different
> libraries for standard functions (i.e. not everyone implements cout or
> printf identically), and of course there are things like changes to the code
> to reflect internal MSFT programming guidelines like changing how strings
> are handled, etc. 
> 
> There are obviously tin foil hat things that it could be as well, but there are
> so many non-devious things it could be it would be quite a while before I
> started thinking something devious was occurring.  
> 
> I wouldn't be surprised if no one there even knows the bloat occurred or
> why. I am sure someone there could figure it out if they wanted to though.
> 
>joe
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: Monday, November 13, 2006 12:47 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size gone up like
> crazy!
> 
> Hi!
> 
> Just a quick question to the list, to see what the honorable members (tm)
> think.
> 
> I have just d/l some of the updated sysinternals tools from MS (filemon,
> regmon, autoruns and pstools to be precise), and I have noticed that most if
> not all the utils have grown in size A LOT.
> 
> As an example, this is the change I see from pstools v2.34 and v2.4:
> 
> Archive:  SYSINTERNALS PsTools v2.34 -20060710- PsTools.zip
>   Length Date   TimeName
>     
>122880  20/03/06 16:19   psshutdown.exe
> 94208  02/08/05 11:14   pskill.exe
> 65536  30/03/06 10:05   pslog

RE: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size gone up like crazy!

2006-11-13 Thread Brett Shirley
We had to compile in bbisw.lib (Big Brother Is Watching).  You might think
that's against your rights, but you signed them away when you accepted
the 5k larger eula.txt below (which you didn't read).

Cheers,
BrettSh [EMAIL PROTECTED] <-- I've decided it's funny when I use it.

Just b/c I know this kind of thing can go rabidly out of control, _YES, I
WAS KIDDING._

On Mon, 13 Nov 2006, Steve Egan (Temp) wrote:

> Back in my days of programming in C, if we used the C-Worthy Interface
> Library (CWIL), a simple three-line program would be a MINIMUM of 170K.
> Maybe it's because a GUI is now included, or somesuch??
> 
> Steve Egan
> Purcell Systems
> System/Network Administrator
> desk 509 755-0341 x110
> cell 509 475-7682
> fax 509 755-0345
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
> Sent: Monday, November 13, 2006 10:33 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size gone
> up like crazy!
> 
> I think MS may have signed them all. Dunno if that increases size. 
> 
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
> 
> c - 312.731.3132
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of Javier Jarava
> > Sent: Monday, November 13, 2006 12:47 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] OT: "new" ms-Sysinternals utils: .exe size gone
> up
> > like crazy!
> > 
> > Hi!
> > 
> > Just a quick question to the list, to see what the honorable members
> > (tm)
> > think.
> > 
> > I have just d/l some of the updated sysinternals tools from MS
> > (filemon,
> > regmon, autoruns and pstools to be precise), and I have noticed that
> > most if
> > not all the utils have grown in size A LOT.
> > 
> > As an example, this is the change I see from pstools v2.34 and v2.4:
> > 
> > Archive:  SYSINTERNALS PsTools v2.34 -20060710- PsTools.zip
> >   Length     Date   Time    Name
> >  --------    ----   ----    ----
> >    122880  20/03/06 16:19   psshutdown.exe
> >     94208  02/08/05 11:14   pskill.exe
> >     65536  30/03/06 10:05   psloglist.exe
> >     49152  27/03/06 13:07   psloggedon.exe
> >    106496  21/07/05 10:22   psgetsid.exe
> >    146704  26/07/00 12:00   pdh.dll
> >     57344  06/04/06 14:52   psservice.exe
> >     53248  30/12/05 03:15   psfile.exe
> >    135168  11/07/06 09:00   psexec.exe
> >     63786  08/07/06 11:10   Pstools.chm
> >    135168  13/12/05 09:51   Psinfo.exe
> >    106496  07/11/03 14:42   pssuspend.exe
> >     86016  01/12/04 17:27   pslist.exe
> >     57344  16/05/04 08:36   pspasswd.exe
> >      1969  11/02/06 09:22   Eula.txt
> >        39  10/07/06 13:58   version.txt
> >  --------                   -------
> >   1281554                   16 files
> > 
> > Archive:  SYSINTERNALS PsTools v2.4 -20061101- PsTools.zip
> >   Length     Date   Time    Name
> >  --------    ----   ----    ----
> >    412472  01/11/06 13:07   psexec.exe
> >    166712  01/11/06 13:06   psfile.exe
> >    322360  01/11/06 13:07   psgetsid.exe
> >    428856  01/11/06 13:07   Psinfo.exe
> >    318264  01/11/06 13:07   pskill.exe
> >    191288  01/11/06 13:06   pslist.exe
> >    162616  01/11/06 13:06   psloggedon.exe
> >    187192  01/11/06 13:06   psloglist.exe
> >    170808  01/11/06 13:06   pspasswd.exe
> >    179000  01/11/06 13:06   psservice.exe
> >    404280  01/11/06 13:07   psshutdown.exe
> >    375608  01/11/06 13:07   pssuspend.exe
> >     63786  08/07/06 11:10   Pstools.chm
> >        38  15/10/06 16:32   psversion.txt
> >    153672  01/11/06 13:05   pdh.dll
> >      7005  28/07/06 08:32   Eula.txt
> >  --------                   -------
> >   3543957                   16 files
> > 
> > Just wondering outloud what is the reason for the size change.
> > Different
> > compiler, maybe?
> > 
> > 
> > Thanks a lot for your time in reading thus far.
> > 
> > Javier Jarava
> > 
> 



Re: [ActiveDir] List Groups I'm In?

2006-10-25 Thread Brett Shirley
What groups you are in, is a question that has different answers in
different contexts ...

Ask your domain's DC get one answer, ask another domain get a 2nd answer
(which one is relevant often depends on the domain of the computer you
logged onto / authenticated to), ask your workstation (local SAM accounts)
get a 3rd answer, ask for your token may yield a 3rd answer ...

The below are AD based answers, I've a program internally that prints out
the current security context's token, dunno if anything like that is
available externally, but I assume there must be something like it maybe
(one would hope) whoami /groups is token based (suggested on other forks)  
...

Since I don't really know what you're going after, it is possible that any
of the suggestions are correct for your purpose, or that one or the other
is wrong, seems unlikely both are wrong ... just FYI ...

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.

On Wed, 25 Oct 2006, Matt wrote:

> You can also use a vb script from the scripting center URL below and follow
> the path below the URL.
> http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true
> Script Center Home > Script Repository > Active Directory > Groups
> 
> 
> tnx
> mm
> 
> 
> On 10/25/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> >
> > http://www.joeware.net/win/free/tools/memberof.htm
> > I don't believe there's any builtin tool that will provide this
> > information.
> > Thanks,
> > Andrew Fidel
> >
> >
> > From: Michael B Allen <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > Date: 10/25/2006 12:46 PM
> > Please respond to: ActiveDir@mail.activedir.org
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] List Groups I'm In?
> >
> > Was is the easiest way for a user (say on a stock XP client) to list
> > what groups they're in?
> >
> > Specifically I'd like the user to be able to just type a command like
> > 'net user list groups' or some such and get a list of NT Account names
> > for tokenGroups.
> >
> > Or if there is a dialog somewhere that's good too.
> >
> > Ideas?
> >
> > Mike
> >
> > --
> > Michael B Allen
> > PHP Active Directory SSO
> > http://www.ioplex.com/
> >
> >
> 

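An added Python model (not a Windows API, not whoami, and not code from any poster) of why Brett's answers differ, run over a constructed directory: CORP\Helpdesk is nested in CORP\Server Operators, and a workstation WS01 has a local Administrators group containing CORP\Helpdesk. It computes the direct memberOf list, the DC's transitive (tokenGroups-style) expansion, and the logon token on WS01, which additionally picks up the machine's local SAM groups. Primary group, domain-local scoping across domains and SID history are deliberately left out.

```python
"""Why "what groups am I in" has more than one answer.

Added model, not a Windows API or code from the list. The directory and the
workstation's local SAM below are constructed. Three views are computed:
  - direct memberships (what a memberOf read returns),
  - the transitive expansion a DC computes (tokenGroups-style),
  - the logon token on a workstation, which also expands through the
    machine's local groups.
"""
from collections import deque

# Constructed sample: group -> set of direct members (users or groups).
DOMAIN_GROUPS = {
    "CORP\\Domain Users": {"CORP\\alice", "CORP\\bob"},
    "CORP\\Helpdesk": {"CORP\\alice"},
    "CORP\\Server Operators": {"CORP\\Helpdesk"},      # nested group
    "CORP\\Domain Admins": {"CORP\\bob"},
}
WS01_LOCAL_GROUPS = {
    "WS01\\Administrators": {"CORP\\Domain Admins", "CORP\\Helpdesk"},
    "WS01\\Users": {"CORP\\Domain Users"},
    "WS01\\Remote Desktop Users": {"CORP\\alice"},
}


def direct_memberships(groups, principal):
    """memberOf-style answer: only groups that list the principal directly."""
    return sorted(g for g, members in groups.items() if principal in members)


def transitive_memberships(groups, principal):
    """tokenGroups-style answer: breadth-first walk over nested groups."""
    seen, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group in direct_memberships(groups, current):
            if group not in seen:        # also guards against membership cycles
                seen.add(group)
                queue.append(group)
    return sorted(seen)


def answers_for(user, domain_groups=DOMAIN_GROUPS, local_groups=WS01_LOCAL_GROUPS):
    """The three different answers the thread is talking about."""
    # Local SAM groups can contain domain groups, never the reverse, so one
    # walk over the merged map reproduces "domain expansion, then local".
    merged = {**domain_groups, **local_groups}
    return {
        "memberOf (direct)": direct_memberships(domain_groups, user),
        "tokenGroups (DC, transitive)": transitive_memberships(domain_groups, user),
        "logon token on WS01": transitive_memberships(merged, user),
    }


def local_groups_in_token(user, domain_groups=DOMAIN_GROUPS,
                          local_groups=WS01_LOCAL_GROUPS):
    """Audit helper: local groups the user lands in that no AD query shows."""
    token = answers_for(user, domain_groups, local_groups)["logon token on WS01"]
    return sorted(g for g in token if g in local_groups)


if __name__ == "__main__":
    for view, groups in answers_for("CORP\\alice").items():
        print(f"{view:30} {groups}")
    print("local-only:", local_groups_in_token("CORP\\alice"))
```

The last view is the one access checks actually use, so it is the one to audit: in the sample, alice is a local administrator on WS01 through Helpdesk although no directory-side query lists her in any admin group.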


Re: [ActiveDir] Monitoring AD Database

2006-10-22 Thread Brett Shirley
From comparing the old ese97 / Exch55 source (that's the code for the
win2k version of ESE), and from context, I'm 78% sure that ...

The "Database\ File Operations Pending" counter, got split out to 4
different perf counters, that accumulated would mean the same thing.  
Those split out perf counters are:

009_Name=I/O Database Reads Async Pending
009_Help=I/O Database Reads Async Pending is the number of database
009_Help= read operations asynchronously pending completion.  [Dev Only]

009_Name=I/O Log Reads Async Pending
009_Help=I/O Log Reads Async Pending is the number of logfile
009_Help= read operations asynchronously pending completion.  [Dev Only]

009_Name=I/O Database Writes Async Pending
009_Help=I/O Database Writes Async Pending is the number of database
009_Help= write operations asynchronously pending completion.  [Dev Only]

009_Name=I/O Log Writes Async Pending
009_Help=I/O Log Writes Async Pending is the number of logfile
009_Help= write operations asynchronously pending completion.  [Dev Only]

While it says "I/O Database Reads Async Pending", I think it accounts for
both sync and async read IO, because our sync reads, are generally
implemented as async reads (that are forced to wait for completion in that
thread).  Though I'm not 100% sure here, perhaps a downlevel platform like
win2k or nt 4 or win98 might force us to fallback to sync IO (it is
considered a fall back IO method), and in such case it may be impossible
to reconstruct the meaning of the above perf counters...

And I believe the "Database\ File Operations/sec" would be split out to a
similar set of 4 performance counters...

009_Name=I/O Database Reads/sec
009_Help=I/O Database Reads/sec is the rate of database read operations
009_Help= completed.

009_Name=I/O Log Reads/sec
009_Help=I/O Log Reads/sec is the rate of logfile read operations completed.

009_Name=I/O Database Writes/sec
009_Help=I/O Database Writes/sec is the rate of database write operations
009_Help= completed.

009_Name=I/O Log Writes/sec
009_Help=I/O Log Writes/sec is the rate of logfile write operations completed.

Sorry, I can only be 78% sure, because the way the code is compiled is
slightly different between the releases.

In related news we now have something like well over 400 performance
counters in the latest versions of ESE (Vista / Exchange 2007), fun stuff
...

Cheers,
BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.

On Wed, 28 Jun 2006, Teo De Las Heras wrote:

> Thanks Brett.  Here are the two perf counters that I couldn't find:
> 
> 
> Database\ File Operations Pending
> 
> Indicates the number of reads and writes issued by the database cache
> manager to the database file or files that the operating system is currently
> processing.
> 
> This counter should be as low as possible. If it is not, it usually
> indicates that the server needs more memory or processing power.
> 
> Database\ File Operations/sec
> 
> Indicates the number of reads and writes (per second) issued by the database
> cache manager to the database file or files.
> 
> This counter should be as low as possible. If it is not, it usually
> indicates that the server needs more memory.
> Teo
> 
> 
> On 6/27/06, Brett Shirley <[EMAIL PROTECTED]> wrote:
> >
> > If you give me specifics on which performance counters specifically don't
> > show up for 2003 that are there in 2000, I can look into it (could've been
> > removed on purpose, unintentionally removed, superseded by another
> > counter, or simply made squeaky).
> >
> > Cheers,
> > BrettSh [msft]
> >
> >
> > On Tue, 27 Jun 2006, Teo De Las Heras wrote:
> >
> > > So I found the following article which pertains to Windows 2000 on
> > > adding the AD database counters.  It works on Windows 2003, but not all the
> > > counters listed for 2000 show up on 2003.  Is there something I'm missing?
> > >
> > > http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/addeploy/addch09.mspx?mfr=true
> > >
> > > Teo
> > >
> >
> >
> 

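As an added example (not ESE or Microsoft code, and not from the original mail), a small Python parser for the 009_Name=/009_Help= counter-definition text quoted above, plus the roll-up Brett describes: summing the four split Windows 2003 counters back into the single Windows 2000 counter Teo was looking for, so an old threshold can still be evaluated. The sample readings are constructed.

```python
"""Parser for the 009_Name=/009_Help= counter-definition text quoted in the
mail, plus the roll-up Brett describes (four split counters summed back into
the old single one). Added example, not ESE or Microsoft code; the sample
readings are constructed."""
import re

# The eight definitions exactly as they appear in the mail above.
COUNTER_DEFS = """\
009_Name=I/O Database Reads Async Pending
009_Help=I/O Database Reads Async Pending is the number of database
009_Help= read operations asynchronously pending completion.  [Dev Only]

009_Name=I/O Log Reads Async Pending
009_Help=I/O Log Reads Async Pending is the number of logfile
009_Help= read operations asynchronously pending completion.  [Dev Only]

009_Name=I/O Database Writes Async Pending
009_Help=I/O Database Writes Async Pending is the number of database
009_Help= write operations asynchronously pending completion.  [Dev Only]

009_Name=I/O Log Writes Async Pending
009_Help=I/O Log Writes Async Pending is the number of logfile
009_Help= write operations asynchronously pending completion.  [Dev Only]

009_Name=I/O Database Reads/sec
009_Help=I/O Database Reads/sec is the rate of database read operations
009_Help= completed.

009_Name=I/O Log Reads/sec
009_Help=I/O Log Reads/sec is the rate of logfile read operations completed.

009_Name=I/O Database Writes/sec
009_Help=I/O Database Writes/sec is the rate of database write operations
009_Help= completed.

009_Name=I/O Log Writes/sec
009_Help=I/O Log Writes/sec is the rate of logfile write operations completed.
"""

# Old Windows 2000 counter -> the Windows 2003 counters it was split into
# (the mapping Brett gives in the mail, stated there as 78% sure).
SPLIT_MAP = {
    "Database\\ File Operations Pending": [
        "I/O Database Reads Async Pending", "I/O Log Reads Async Pending",
        "I/O Database Writes Async Pending", "I/O Log Writes Async Pending"],
    "Database\\ File Operations/sec": [
        "I/O Database Reads/sec", "I/O Log Reads/sec",
        "I/O Database Writes/sec", "I/O Log Writes/sec"],
}

LINE = re.compile(r"^009_(Name|Help)=(.*)$")


def parse_counter_defs(text):
    """Return {counter name: help text}; consecutive 009_Help= lines are joined."""
    defs, name, parts = {}, None, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # blank separator lines
        kind, body = m.group(1), m.group(2)
        if kind == "Name":
            if name is not None:
                defs[name] = " ".join(p.strip() for p in parts)
            name, parts = body.strip(), []
        else:
            parts.append(body)
    if name is not None:
        defs[name] = " ".join(p.strip() for p in parts)
    return defs


def roll_up(readings, split_map=SPLIT_MAP):
    """Sum each old counter from its parts; refuse a partial sum, which would
    silently understate the value a 2000-era threshold was written against."""
    totals = {}
    for old, parts in split_map.items():
        missing = [p for p in parts if p not in readings]
        if missing:
            raise KeyError(f"{old}: missing {missing}")
        totals[old] = sum(readings[p] for p in parts)
    return totals


def dev_only_counters(defs):
    """Names flagged [Dev Only] in their help text (the pending counters)."""
    return sorted(n for n, h in defs.items() if "[Dev Only]" in h)


if __name__ == "__main__":
    # Constructed sample readings, not captured from a DC.
    sample = {"I/O Database Reads Async Pending": 3, "I/O Log Reads Async Pending": 0,
              "I/O Database Writes Async Pending": 5, "I/O Log Writes Async Pending": 2,
              "I/O Database Reads/sec": 120.0, "I/O Log Reads/sec": 4.0,
              "I/O Database Writes/sec": 60.0, "I/O Log Writes/sec": 30.0}
    print(roll_up(sample))
    print("dev-only:", dev_only_counters(parse_counter_defs(COUNTER_DEFS)))
```

The refusal in roll_up matters in practice: if one of the four counters is absent on a given build (Brett's own caveat about sync-IO fallback), a silent three-term sum would read as "low" and hide exactly the condition the Windows 2000 guidance warns about.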


RE: [ActiveDir] Linked Attributes Replication

2006-10-20 Thread Brett Shirley
I suspect ... and winging it here ...

if you truly have a DC _that isn't a GC_ for the domain (domain2 I
believe) of the user object with the dangling manager link ... move IM for
domain2 to that DC ... wait four days for IM to make the rounds ... he
should [re?]generate an infrastructure update ... watch event logs to see
if AD is having trouble with IM duties ... possibly regularly query AD for
new infrastructure update objects, hint they're deleted objects ... see if
the problem rectifies itself ...

If domain2's IM is already on (for 4+ days) a DC with the dangling manager
link, then in theory you've already unintentionally followed my
suggestion, and well the problem is non-obvious to me ...

-BrettSh

This posting is provided "AS IS" with no warranties, and confers
no rights.

On Fri, 20 Oct 2006, David Loder wrote:

> joe and I talked offline.  Neither of us think it's a
> lingering object (but that was his first guess too). 
> He was thinking it was a phantom but I'm not sure
> since I see it in a GC - which never has a need to
> create a phantom.
> 
> Layout is a follows.
> 
> Domain0 is empty root, with child domains 1-6.
> 
> Manager previously existed in Domain1.  User still
> exists in Domain2.
> 
> Manager has been verified to not exist on any DC in
> Domain1.
> 
> Some (not all) of Domain2's DCs and GCs show the user
> having a manager.  Some (not all) of Domain1's GCs
> show the user having a manager.  Some (not all) of
> Domain3's GCs show the user having a manager.  None of
> Domain0's GCs or 4-6 show the user having a manager.
> 
> Around the time this happened back in 2003 there had
> been some incorrect Infrastructure Master placements. 
> However, Domain2's IM appears to have been correctly
> configured.  Not sure if that is just a red-herring to
> lead us down the phantom path.
> 
> 
> --- Eric Fleischman <[EMAIL PROTECTED]>
> wrote:
> 
> > From the data provided below it sounds like you
> > have a lingering object
> > & a lingering link value...not tragic, pretty
> > straight forward to clean
> > up. If you could be more specific as to domain
> > layout & in which domain
> > each user resides we could likely provide steps to
> > fix this up.
> > 
> > If you search KB for lingering object you'll find
> > all sorts of mention
> > of them. I say that you must have a lingering object
> > as link values need
> > point so some object (they are nothing more than a
> > DNT pointer really)
> > so it sounds like you have an object in the partial
> > NC on the GC which
> > still represents that manager.
> > 
> > ~Eric
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of David Loder
> > Sent: Thursday, October 19, 2006 8:36 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Linked Attributes Replication
> > 
> > We've found something unusual in our forest and are
> > hoping someone may have insight as to root-cause.
> > 
> > Sometime back in 2003, when our forest was running
> > W2K
> > SP3, someone's manager was deleted, and that event
> > was
> > faithfully replicated around the originating domain
> > and the forest GCs.  The manager doesn't exist
> > anywhere.
> > 
> > Fast forward to today, forest now running W2K3 SP1. 
> > About 20% of the DCs (both originating domain DCs
> > and
> > forest GCs) show that the user still has a manager
> > because the manager attribute contains a DN that no
> > longer exists in the forest.
> > 
> > Let me repeat that statement.  If I look at GC_1 it
> > shows the employee's manager is .  If I
> > look
> > at GC_2 it shows manager is
> > CN=Someone_that_no_longer_exists_in_the_forest.  Yet
> > both GC_1 and GC_2 show the same metadata for the
> > manager attribute.
> > 
> > At this point we're theorizing that when the user's
> > manager was deleted, that change was faithfully
> > replicated around the forest.  However, the linked
> > attribute update is not a replicated event - each DC
> > is personally responsible for updating the backlink,
> > and we had one W2K DC that didn't do it.  Fast
> > forward
> > to today where 100% of the DCs have been reinstalled
> > and repromoed as W2K3.  Depending on which DC they
> > sourced their promo from we now have the
> > "corruption"
> > spread we see today where some 20% of the DCs have
> > the
> > incorrect value.
> > 
> > Has anyone else ever encountered this or have some
> > idea what may have caused the initial "corruption"?
> > 
> > 
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive:
> > http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] [OT] Exchange 2007 Schema

2006-10-05 Thread Brett Shirley
Oh crap!  Brian Puhl, you reading?  Tony says E2k7 is a beta product, I
hope you didn't load that schema on our main forest?  Too late to get it
backed out (via forest restore)?

Thanks for the heads up Tony,
BrettSh [msft]

P.S. - Does anyone think I'm as funny as I think I am ... probably not ...


On Thu, 5 Oct 2006, Tony Murray wrote:

> Hi all
> 
> There are apparently schema changes post Beta 2 - just in case anyone was 
> considering pre-loading the schema changes into production [1].
> 
> I don't have any further details on what the changes are.
> 
> Tony
> 
> [1] Which of course you wouldn't contemplate with a Beta product :-) 
> 
> 
> 
> 
> 


RE: [ActiveDir] MORE OT OT: wikis

2006-10-05 Thread Brett Shirley

"There are three types of mathematicians, those who
can count, and those who can't."

On Thu, 5 Oct 2006, Laura A. Robinson wrote:

> TRIPLE AAARGH!!! 
>  
> 10! 10!
>  
> I give up; I'm dain bramaged today.
> 
> 
>   _  
> 
> From: Laura A. Robinson [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, October 05, 2006 8:34 PM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] MORE OT OT: wikis
> 
> 
> "There are two types of people in the world- those who understand binary and
> those who don't."
>  
> That's what the t-shirt I got for my birthday says, anyway. :-)
>  
> Laura
> 
> 
>   _  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
> Jorge de
> Sent: Thursday, October 05, 2006 5:03 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] MORE OT OT: wikis
> 
> 
> only 10 types of people understand binary...
> one type does understand and the other type does not understand
>  
> 
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
>  
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> (   Tel : +31-(0)40-29.57.777
> (   Mobile : +31-(0)6-26.26.62.80
> *   E-mail : 
> 
>   _  
> 
> From: [EMAIL PROTECTED] on behalf of joe
> Sent: Thu 2006-10-05 20:22
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: wikis
> 
> 
> 
> Careful, I recall a math professor in my differential equations class or
> maybe it was higher throwing a proof up on the board showing that 1 + 1 != 2
> and it wasn't a numerical base trick
> 
> I didn't follow through it, I just closed my eyes and shook my head and
> thought forward to my communications class as the sights were easier on the
> eyes...
> 
> I still wonder why I went into a field with such a high ratio of men to
> women... :)
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
> Sent: Thursday, October 05, 2006 12:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: wikis
> 
> 999,998 + 2 = 1,000,000, not 100,000. ;-)
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
> > Sent: Thursday, October 05, 2006 11:49 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] OT: wikis
> >
> >
> > > It's funny how we quote wikis as definitive sources of information,
> > > when they can be edited by anyone and everyone :)
> > >
> > > Who vets the edits and how much does that person know about the
> > > subject matter??
> >
> > Anyone can edit, which is why they are generally correct. 
> > When 100,000 people view a record, and 2 people want to
> > change it to be incorrect,
> > 999,998 will want to correct it.
> >
> > I wouldn't use a wiki as a great historical or technical
> > source.  But for encyclopedia entries, which give a good
> > summation of a subject, they are great.
> >
> >


Re: [ActiveDir] OT: wikis

2006-10-05 Thread Brett Shirley
Except when 99% of the common wisdom about something is wrong, like in the
case of ESE / JET Blue ... ;-)

Cheers,
-BrettSh

On Thu, 5 Oct 2006, Greg Nims wrote:

> 
> > It's funny how we quote wikis as definitive sources of information, when
> > they can be edited by anyone and everyone :)
> >
> > Who vets the edits and how much does that person know about the subject
> > matter??
> 
> Anyone can edit, which is why they are generally correct.  When 100,000 
> people view a record, and 2 people want to change it to be incorrect, 
> 999,998 will want to correct it.
> 
> I wouldn't use a wiki as a great historical or technical source.  But for 
> encyclopedia entries, which give a good summation of a subject, they are 
> great.
> 
> 


Re: [ActiveDir] what is the meaning of OT in front of the subject

2006-10-05 Thread Brett Shirley
Huh, I would've considered that on-topic ... esp. when threads start "How
do I configure an Exchange mailbox blah blah ..." right, like we know about
Exchange?

Cheers,
-BrettSh

no warranties, yada, yada ...


On Thu, 5 Oct 2006, Mark Parris wrote:

> Off Topic i.e. the people on the list might know the answer but it's nothing 
> to do with Active Directory.
> 
> e.g. What are the recommended Anti-Virus exclusions for a Domain Controller?
> 
> Mark
> 
> Mark Parris
> 
> Base IT Ltd
> Active Directory Consultancy
> Tel +44(0)7801 690596
> 
> 
> -Original Message-
> From: "Ramon Linan" <[EMAIL PROTECTED]>
> Date: Thu, 5 Oct 2006 09:39:38 
> To:
> Subject: RE: [ActiveDir] what is the meaning of OT in front of the subject
> 
> Some of the subjects have that OT preceding the subject, what's that?
> 
> Thanks


RE: [ActiveDir] Replication Metadata

2006-09-15 Thread Brett Shirley
Just tell your boss you didn't say the hour would be made up of
consecutive minutes. [1]

Cheers,
-BrettSh

[1] A line that was used on me when Windows Architect told me I'd be able
to solve my global sync object naming problem within a "few hours".  A
couple days of issues later, and after he spent 30 minutes trying to debug
what was going on on a kd with me, I said, "So 3 hours, eh?", He responds,
"I didn't say they'd be consecutive hours." :)


On Thu, 14 Sep 2006, joe wrote:

> Yep, if vbscript you want the XML versions...
> 
> You should be able to do this in an hour You just need to pick the right
> hour. ;o) 
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
> Sent: Thursday, September 14, 2006 9:12 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Replication Metadata
> 
> That's great info; thanks joe.  I'll take a look at
> msDS-ReplValueMetaData and msDS-ReplAttributeMetaData.  I'm trying to do
> this in a vbscript and avoid getting into any compiled solutions.  I
> told my boss I could do this in an hour because I thought I could just
> use IADsTools, oopsie. 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, September 14, 2006 5:38 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Replication Metadata
> 
> I doubt that IADsTools was updated. They seemed to be trying to kill
> that as
> far back as 2001. I think it was someone's pet project and they went to
> another petting zoo to work... I know I found some time issues in it
> back
> then and some more later that I tried to get corrected and was wholly
> unsuccessful on both occasions.
> 
> But the answer is... There is additional metadata available now for
> looking
> at value level changes. The way IADsTools was probably getting the info
> (this is a guess, never saw the code) is through the attribute
> replPropertyMetaData but it very well could have been using the RPC
> based
> API call DsReplicaGetInfo. 
> 
> Probably the simplest mechanism to use now are the attributes
> msDS-ReplAttributeMetaData and msDS-ReplValueMetaData which by default
> will
> return XML strings with the data. If you are equipped to handle it, you
> can
> instead make the calls much faster and pass less data on the wire by
> asking
> for the binary versions of those attributes by appending the ;binary
> modifier. 
> 
> If you want to write DC API based code, you can use DsReplicateGetInfo2.
> 
>   joe
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
> Joseph
> Sent: Friday, September 08, 2006 11:36 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Replication Metadata
> 
> I'm using Robbie Allen's example for using IADSTools.DCFunctions to read
> group object metadata.  I just realized that now that we've upgraded to
> 2003 I can no longer look at the member last changed field to determine
> when group membership last changed.
> 
> I know that RepAdmin can look at the individual group changes so there
> must be some updated API that I can use to do the same thing, I just
> can't seem to find it.
> 
> Can anyone point me in the right direction?
> 
> Thanks 
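The XML that joe describes above (one msDS-ReplValueMetaData string per linked value) is what Joseph would have to parse from his script to answer his original question: when did this group's membership last change, what was added or removed, and on which DC. The block below is an added example written for this thread, not code from joe, Joseph, Robbie Allen or IADsTools. Its sample strings are constructed (DNs, GUIDs, USNs and timestamps are made up), though the element names follow the DS_REPL_VALUE_META_DATA layout the attribute returns; fetching the attribute from a DC over LDAP/ADSI is left out so the block runs offline.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# A FILETIME of zero renders as 1601-01-01T00:00:00Z.  A value whose
# ftimeDeleted is zero (or absent) is still present in the attribute;
# a real deletion time marks a tombstoned link, i.e. a removed member.
FILETIME_ZERO = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample input (not captured from a real DC): two strings as a
# DC returns them for a group's msDS-ReplValueMetaData, one per "member" value.
SAMPLE_VALUE_METADATA = [
    """<DS_REPL_VALUE_META_DATA>
  <pszAttributeName>member</pszAttributeName>
  <pszObjectDn>CN=Alice,OU=Staff,DC=example,DC=com</pszObjectDn>
  <cbData>0</cbData>
  <dwVersion>1</dwVersion>
  <ftimeLastOriginatingChange>2006-09-01T10:15:00Z</ftimeLastOriginatingChange>
  <uuidLastOriginatingDsaInvocationID>11111111-2222-3333-4444-555555555555</uuidLastOriginatingDsaInvocationID>
  <usnOriginatingChange>100200</usnOriginatingChange>
  <usnLocalChange>100200</usnLocalChange>
  <pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=com</pszLastOriginatingDsaDN>
  <ftimeDeleted>1601-01-01T00:00:00Z</ftimeDeleted>
  <ftimeCreated>2006-09-01T10:15:00Z</ftimeCreated>
</DS_REPL_VALUE_META_DATA>""",
    """<DS_REPL_VALUE_META_DATA>
  <pszAttributeName>member</pszAttributeName>
  <pszObjectDn>CN=Bob,OU=Staff,DC=example,DC=com</pszObjectDn>
  <cbData>0</cbData>
  <dwVersion>2</dwVersion>
  <ftimeLastOriginatingChange>2006-09-14T17:38:00Z</ftimeLastOriginatingChange>
  <uuidLastOriginatingDsaInvocationID>66666666-7777-8888-9999-000000000000</uuidLastOriginatingDsaInvocationID>
  <usnOriginatingChange>204800</usnOriginatingChange>
  <usnLocalChange>301000</usnLocalChange>
  <pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC2,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=com</pszLastOriginatingDsaDN>
  <ftimeDeleted>2006-09-14T17:38:00Z</ftimeDeleted>
  <ftimeCreated>2006-08-20T09:00:00Z</ftimeCreated>
</DS_REPL_VALUE_META_DATA>""",
]


def _parse_time(text):
    """Parse the UTC timestamp form the attribute uses (2006-09-14T17:38:00Z)."""
    if not text:
        return None
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_value_metadata(xml_text):
    """Turn one DS_REPL_VALUE_META_DATA string into a plain dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "DS_REPL_VALUE_META_DATA":
        raise ValueError(f"unexpected root element {root.tag!r}")

    def field(name):
        node = root.find(name)
        return node.text.strip() if node is not None and node.text else ""

    deleted = _parse_time(field("ftimeDeleted"))
    if deleted is not None and deleted <= FILETIME_ZERO:
        deleted = None  # zero FILETIME: the link is live, not tombstoned
    return {
        "attribute": field("pszAttributeName"),
        "value_dn": field("pszObjectDn"),
        "version": int(field("dwVersion") or 0),
        "last_change": _parse_time(field("ftimeLastOriginatingChange")),
        "originating_dsa": field("pszLastOriginatingDsaDN"),
        "originating_usn": int(field("usnOriginatingChange") or 0),
        "created": _parse_time(field("ftimeCreated")),
        "deleted": deleted,
    }


def membership_changes(xml_strings, attribute="member"):
    """One record per linked value of `attribute`, most recent change first."""
    records = [parse_value_metadata(s) for s in xml_strings]
    records = [r for r in records if r["attribute"] == attribute]
    return sorted(records, key=lambda r: r["last_change"], reverse=True)


def last_membership_change(xml_strings, attribute="member"):
    """Answer: when did membership last change, which DN, added or removed, on which DC."""
    records = membership_changes(xml_strings, attribute)
    if not records:
        return None
    newest = records[0]
    action = "removed" if newest["deleted"] else "added"
    return newest["last_change"], newest["value_dn"], action, newest["originating_dsa"]


if __name__ == "__main__":
    when, dn, action, dsa = last_membership_change(SAMPLE_VALUE_METADATA)
    print(f"{when.isoformat()}: {dn} {action} (originating DSA: {dsa})")
```

The removed member is recognisable only through ftimeDeleted: its ftimeLastOriginatingChange and dwVersion move forward at deletion time, exactly like an addition, so a script that ignores the deletion field will report a removal as an add. Reading the attribute itself is a normal LDAP read of the group object against the DC whose view you want; each DC reports its own usnLocalChange, so compare the originating USN and DSA, not the local one, when checking two DCs against each other.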


Re: RE : RE: [ActiveDir] backup and restore AD.

2006-08-18 Thread Brett Shirley
BTW, if you have snapshot based backup you _can_ backup and just restore
only the AD data (dit, log, and chk), and it will work correctly w/o USN
rollback.  We used to run quick tests like that all the time, but ONLY
validated that the DS / AD didn't break.  That doesn't make it supported.  
BTW, it is in fact _not supported_.

There are an unknown # of components (AD itself, SAM, LSA, Kerberos, NTLM,
AuthZ, etc ... just about anything DS or security related) that may have a
dependency on some random part of AD and some random part of Registry data
staying in sync ... we don't know what breaks when you restore one w/o the
other ... this is why it is unsupported ... and almost completely untested
... but why let that dissuade you, you're a pioneer right. ;)

The most obvious case of this would be if you restored a DIT from one
domain to the DIT folder for a DC in another domain, replacing its DIT.  
Would that work?  Almost guaranteed there would be security issues.  
That's of course the extreme case, and one easy to avoid; we don't know
the in-between cases.

Cheers,
-BrettSh [msft]


On Fri, 18 Aug 2006, Yann wrote:

> Hello Jorge,
>
>   Thanks for clarification.
>   I will check next week if I have no issues with USN rollback :( . 
>
>   Yann
> 
> "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> a ?crit :
>   when a DC is restored from the system state (amongst others):
>   * the restored RID pool is thrown away (invalidated) and a new RID pool is 
> requested at the RID master
>   * the invocation ID of the AD DB is changed (which prevents USN rollbacks)
>
>   so in your case it works because the backup is not that old. The AD DB is 
> tightly coupled with the registry and there is a reason for that! The reason 
> why you MUST restore the system state as MS says. The way you are doing 
> that is, how shall I say it gently ... NOT SUPPORTED! ;-)
>   And I guess you will be hitting on USN Rollback. See my blog and search for 
> BACKUP and you will find an article with some more info
>
>   jorge
> 
>   
> -
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
> Sent: Tuesday, August 08, 2006 22:47
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] backup and restore AD.
> 
> 
>   
>   Hello,
>
>   I had a question about AD backup & restore.
>   It is possible to backup AD in 2 ways:
>   1) backup only the system state.
>   2) backup system state & file system containing the AD working directory 
> (ntds.dit, edb.chk, Edb*.log,Res1.log and Res2.log).
>
>   MS states that you have to restore your AD by restoring the system state.
>   But, what about just restoring the AD working directory without system 
> state? I tested it and that works fine. 
>   So my question is:
>   => In what circumstances do I have to choose a restore from system state or 
> a restore from AD working directory?
>
>   Thanks for clarification,
>
>   Yann
>
> 


RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Brett Shirley
I don't think I ever actually said that ...

Cheers Mate,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.


On Tue, 15 Aug 2006, Michael B. Smith wrote:

> And we share a DB platform. :-) 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, August 15, 2006 12:43 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir][OT]Dean's kick-a## article
> 
> I would wear that... But on the back it has to say 
> 
>   Brett Says: 
>  FSQL! 
> 
> 
> 
> I've seen some of the SQL MVPs, I think the DS MVPS can take em! The
> Exchange MVPs can have our backs too... Because we all know what happens
> to
> Exchange if AD gets messed up.
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> CPA
> aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, August 15, 2006 12:02 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir][OT]Dean's kick-a## article
> 
> Are said TShirts for sale?
> 
> I can envision the next MVP summit with a room full of Bretts.
> 
> (www.cafepress.com  there can be a Brett Store with Brett
> merchandise)
> 
> Brett Shirley wrote:
> > Ego isn't wearing a t-shirt with your own picture on it, ego is
> insisting
> > others wear a t-shirt with your picture on it ... 
> >
> > So was that it, Dean?  Were you conceding my point, I couldn't tell
> (like
> > maybe the "okey dokes" was like "whatever", blow brett off) ... or do
> you
> > still feel this is all database specific implementation detail?  As
> > opposed to my position that this is directory service implementation
> > detail (for AD in the dblayer of the DS)?  A directory service needs
> this
> > in order to function correctly across regular replication scopes.
> >
> > Cheers,
> > BrettSh
> >
> > On Tue, 15 Aug 2006, Dean Wells wrote:
> >
> >   
> >>> Maybe I can help w/ the ego (after all I consider trimming Dean's
> ego
> >>> one of my higher callings in life ;-) ...
> >>>   
> >> Remain focused on your own for now.  Once you no longer feel the need
> to
> >> wear t-shirts with your own face on them, you can probably rest
> assured
> that
> >> you're safe to begin on mine ;0)
> >>
> >> ... uhhh, okey dokes :0/
> >>
> >> --
> >> Dean Wells
> >> MSEtechnology
> >> t Email: [EMAIL PROTECTED]
> >> http://msetechnology.com
> >>
> >> 
> >>> -Original Message-
> >>> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> >>> [EMAIL PROTECTED] On Behalf Of Brett Shirley
> >>> Sent: Tuesday, August 15, 2006 9:12 AM
> >>> To: ActiveDir@mail.activedir.org
> >>> Cc: Send - AD mailing list
> >>> Subject: RE: [ActiveDir][OT]Dean's kick-a## article
> >>>
> >>> Maybe I can help w/ the ego (after all I consider trimming Dean's
> ego
> >>> one of my higher callings in life ;-) ...
> >>>
> >>> Dean, you said you didn't mind if we continued to discuss this
> thread
> >>> at one point (an at-the-time highly volatile thread, which I decided
> to
> >>> let settle down), do you remember this thread:
> >>>
> >>>http://www.mail-archive.com/activedir@mail.activedir.org/msg32470.html
> >>>
> >>> Where I think you basically conveyed (IMNHO) I didn't know what I
> was
> >>> talking about in regards to what is required for a DS implementation
> >>> ...
> >>>
> >>> From your two emails in that thread, first you said:
> >>>
> >>>   
> >>>> ... that the process of injecting the phantom isn't a behavioral
> >>>> requirement imposed or carried out by the directory service itself.
> >>>> It is a requirement imposed by the underlying database and is
> >>>> necessary because of the mechanism used by ESE to provide uniform
> >>>> representation of object references (i.e. link pairs).
> >>>> 
> >>> Then in a subsequent email:
> >>>
> >>>   
> >>>> Nod, I understand your point but, to me, it's a matt

RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Brett Shirley
Ego isn't wearing a t-shirt with your own picture on it, ego is insisting
others wear a t-shirt with your picture on it ... 

So was that it, Dean?  Were you conceding my point, I couldn't tell (like
maybe the "okey dokes" was like "whatever", blow brett off) ... or do you
still feel this is all database specific implementation detail?  As
opposed to my position that this is directory service implementation
detail (for AD in the dblayer of the DS)?  A directory service needs this
in order to function correctly across regular replication scopes.

Cheers,
BrettSh

On Tue, 15 Aug 2006, Dean Wells wrote:

> > Maybe I can help w/ the ego (after all I consider trimming Dean's ego
> > one of my higher callings in life ;-) ...
> Remain focused on your own for now.  Once you no longer feel the need to
> wear t-shirts with your own face on them, you can probably rest assured that
> you're safe to begin on mine ;0)
> 
> ... uhhh, okey dokes :0/
> 
> --
> Dean Wells
> MSEtechnology
> t Email: [EMAIL PROTECTED]
> http://msetechnology.com
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Tuesday, August 15, 2006 9:12 AM
> > To: ActiveDir@mail.activedir.org
> > Cc: Send - AD mailing list
> > Subject: RE: [ActiveDir][OT]Dean's kick-a## article
> > 
> > Maybe I can help w/ the ego (after all I consider trimming Dean's ego
> > one of my higher callings in life ;-) ...
> > 
> > Dean, you said you didn't mind if we continued to discuss this thread
> > at one point (an at-the-time highly volatile thread, which I decided to
> > let settle down), do you remember this thread:
> > 
> >http://www.mail-archive.com/activedir@mail.activedir.org/msg32470.html
> > 
> > Where I think you basically conveyed (IMNHO) I didn't know what I was
> > talking about in regards to what is required for a DS implementation
> > ...
> > 
> > From your two emails in that thread, first you said:
> > 
> > > ... that the process of injecting the phantom isn't a behavioral
> > > requirement imposed or carried out by the directory service itself.
> > > It is a requirement imposed by the underlying database and is
> > > necessary because of the mechanism used by ESE to provide uniform
> > > representation of object references (i.e. link pairs).
> > 
> > Then in a subsequent email:
> > 
> > > Nod, I understand your point but, to me, it's a matter of perspective
> > > -- where does the directory begin and end?  From a developers
> > > standpoint, the directory may well be a whole component neatly
> > > organized into a single area of a source tree.  From my perspective,
> > > the term directory (in this context) is used to relay the concept of
> > a
> > > (mostly) standards based component with predictable features,
> > > interfaces, behaviors, structures, underlying mechanisms, etc.
> > 
> > Any directory service has a form of the infrastructure master DN-
> > cleanup problem, when the "cross-reference" spans replication scopes,
> > regardless of underlying database technology, ESE, or SQL Server, or
> > anything else you can think of.  If they seemingly don't have this
> > problem, then there is some form of replication happening and thus the
> > DN isn't really crossing replication scopes (that's why the GC doesn't
> > have this problem ... as you pointed out in part 1 of the article).
> > 
> > So I'd argue the last 2 lines in the first quote were wrong in two
> > ways:
> > (A) ESE doesn't provide uniform representation of object references.
> > That's just patently incorrect.  And (B) this isn't an ESE
> > implementation detail, it is a DS implementation detail for being
> > constructed on any kind of database that isn't performing replication
> > (same as SQL, MySQL, BerkeleyDB, whatever NDS used, or ESE)?  I just
> > want it on record ...
> > 8/17/2005, Dean was wrong once.
> > 
> > Thanks,
> > BrettSh
> > ex-Garage Door Operator #7.
> > 
> > 
> > On Mon, 14 Aug 2006, Dean Wells wrote:
> > 
> > > Cheeky git ... my head, your stomach ... at least we'll have the plane to
> > > ourselves!  :0)
> > >
> > >
> > >
> > > Best start working on that pilot's license!
> > >
> > > --
> > > Dean Wells
> > > MSEtechnology
> > > * Email: [EMAIL PROTECTED]
> > > 

RE: [ActiveDir][OT]Dean's kick-a## article

2006-08-15 Thread Brett Shirley
Maybe I can help w/ the ego (after all I consider trimming Dean's ego one
of my higher callings in life ;-) ...

Dean, you said you didn't mind if we continued to discuss this thread at
one point (an at-the-time highly volatile thread, which I decided to let
settle down), do you remember this thread:

   http://www.mail-archive.com/activedir@mail.activedir.org/msg32470.html

Where I think you basically conveyed (IMNHO) I didn't know what I was
talking about in regards to what is required for a DS implementation ...

From your two emails in that thread, first you said:

> ... that the process of injecting the phantom isn't a behavioral 
> requirement imposed or carried out by the directory service itself.  
> It is a requirement imposed by the underlying database and is 
> necessary because of the mechanism used by ESE to provide uniform
> representation of object references (i.e. link pairs).

Then in a subsequent email:

> Nod, I understand your point but, to me, it's a matter of perspective
> -- where does the directory begin and end?  From a developers
> standpoint, the directory may well be a whole component neatly
> organized into a single area of a source tree.  From my perspective,
> the term directory (in this context) is used to relay the concept of a
> (mostly) standards based component with predictable features,
> interfaces, behaviors, structures, underlying mechanisms, etc.

Any directory service has a form of the infrastructure master DN-cleanup
problem, when the "cross-reference" spans replication scopes, regardless
of underlying database technology, ESE, or SQL Server, or anything else
you can think of.  If they seemingly don't have this problem, then there
is some form of replication happening and thus the DN isn't really
crossing replication scopes (that's why the GC doesn't have this problem
... as you pointed out in part 1 of the article).

So I'd argue the last 2 lines in the first quote were wrong in two ways:
(A) ESE doesn't provide uniform representation of object references.  
That's just patently incorrect.  And (B) this isn't an ESE implementation
detail, it is a DS implementation detail for being constructed on any kind
of database that isn't performing replication (same as SQL, MySQL,
BerkeleyDB, whatever NDS used, or ESE)?  I just want it on record ...
8/17/2005, Dean was wrong once.

Thanks,
BrettSh 
ex-Garage Door Operator #7.


On Mon, 14 Aug 2006, Dean Wells wrote:

> Cheeky git ... my head, your stomach ... at least we'll have the plane to
> ourselves!  :0)
> 
>  
> 
> Best start working on that pilot's license!
> 
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com  
> 
>  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, August 14, 2006 5:09 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir][OT]Dean's kick-a## article
> 
>  
> 
> Hey I sometimes have to ride on planes with that guy, don't swell his ego
> too much... I want to be able to sit on the plane. 
> 
>  
> 
> :)
> 
>  
> 
> --
> 
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
> 
>  
> 
>  
> 
>  
> 
>   _  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
> Weerasinghe
> Sent: Monday, August 14, 2006 3:02 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir]
> 
> joe said "pretty decent" http://blog.joeware.net/2006/06/08/400/
> 
>  
> 
> I think that's an understatement ;-)
> 
>  
> 
> However, my profuse thanks to joe too. I wasn't aware of the article until he
> blogged it.
> 
>  
> 
> M@
> 
>  
> 
> On 8/14/06, Dean Wells <[EMAIL PROTECTED]> wrote: 
> 
> Why thank you ... but who said otherwise?  ;0)
> 
> --
> Dean Wells
> MSE technology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com  
> 
>  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
> Weerasinghe
> Sent: Monday, August 14, 2006 2:35 PM
> 
> 
> To: ActiveDir@mail.activedir.org
> 
> Subject: Re: [ActiveDir] 
> 
>  
> 
> http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463
> 
>  
> 
> I don't care what anyone says. That's a damn fine article.
> 
>  
> 
> I couldn't possibly thank Dean enough for that info.
> 
> M@
> 
>  
> 
>  
> 
> On 8/14/06, Graham Turner <[EMAIL PROTECTED]> wrote: 
> 
> Alter ego !
> 
> my thanks are due
> 
> worked out a treat - so the GC's are not so ***'d as i thought 
> 
> any info on the concept of the phantoms though ??
> 
> GT
> 
> > Hey Robert,
> >
> > In the article you posted, the registry key is incorrect in the KB 
> > content.  It lists the registry key as: 
> > HKCU\Software\Policies\Microsoft\Windows\Directory
> >
> > However, the correct registry key is:
> > HKCU\Soft

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Brett Shirley
Touching schema.ini would qualify as very not supported ...

-B

On Thu, 3 Aug 2006, Paul Williams wrote:

> It might be worth 
> looking at the %systemroot%\system32\schema.ini file again.  I just had a 
> poke around in there after reading Dean's answer to your question yesterday 
> and the first section, the [DEFAULTROOTDOMAIN] section is setting 
> nTMixedMode.  You can change that to 0 (for native) and try adding 
> mSDS-Behavior-Version and setting it to 2.
> 
> I don't know if that will work, but you're probably in a position to test 
> this...
> 
> 
> --Paul
> 
>   - Original Message - 
>   From: [EMAIL PROTECTED] 
>   To: ActiveDir@mail.activedir.org 
>   Sent: Thursday, August 03, 2006 9:39 AM
>   Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in 
> forest
> 
> 
>   According to http://support.microsoft.com/kb/223757/en-us the 
> SetForestVersion entry in the dcpromo answer file can only be used to set FFL 
> to 1 or 0 when building a new forest.
> 
>   Is this correct? I'd like to automate the transition to FFL=2 when building 
> the first DC in a forest (without a script).
> 
>   Perhaps another change request for Longhorn? :) 
> 
>   neil 
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:

2006-08-02 Thread Brett Shirley
Susan, how on earth could _you_ get a lingering object?  Seems impossible
with only one DC, oh wait did you just forget to delete it?

>From The Love,
-B

On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> Information about lingering objects in a Windows 2000-based forest or in 
> a Windows Server 2003-based forest:
> http://support.microsoft.com/?kbid=910205
> 
> -- 
> Letting your vendors set your risk analysis these days?  
> http://www.threatcode.com
> 
> If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
> hunt you down...
> http://blogs.technet.com/sbs
> 
> 



Re: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core

2006-07-31 Thread Brett Shirley
I've always followed a DSI[1] access model, it definitely supersedes in
every way what RBS[resource], RBS[role], ABS, CBS, NBC, ABC can provide
...

[1] DSI = Defending Security Infrastructures

-B

On Tue, 1 Aug 2006, Matt Hargraves wrote:

> Without going with an Access-Based Security (ABS) model, there are few ways
> to make sure that all of the people who need access to an object are the
> only ones who are getting access.  Local server security groups (which are
> difficult to manage), a smallish environment, user-based ACLs on rights and
> objects, or a very strange environment, there is no other way to have a 100%
> accurate security environment for resources.
> 
> Access based security is nice because it is very granular, but the problem
> with it is that it has a very high level of maintenance and has a lot of
> room for error and a lot of inherent cost in hardware.  The larger the
> environment, the larger the number of points of failure in the security
> model.  You have 100,000 shares in an environment (or more) and the number
> of people required to manage that resource start getting restrictively high.
> 
> Does John the Crankshaft mechanic need access to share
> "\\servername\share80385"?  Probably not 95% of the time, but that one or
> two times a year that he does need access, do you really want to make him
> wait between 2 hours and potentially as high as 2 days to gain that access
> just so that you an have 100 people controlling 1,000 shares and the ACLs
> each?
> 
> I can't argue that RBS is the only way to go, but there's nothing wrong with
> going with a hybrid.  RBS base with an ABS overlap ends up with a security
> model where you've got the potential for granularity, but a system where a
> resource has a team that may need access to an object, they can be granted
> that access and if there are individuals who need access above and beyond
> what the RBS model would grant, the access can be granted.  Users who change
> roles are automatically removed from the groups they are no longer members
> of (via the HR software, SAP or whatever) and when someone moves into a role
> where they now require access to a resource (or set of resources), they are
> automatically granted that access via the same mechanism.
> 
> The alternative is a forest root with disjoined domain that holds users,
> then a resource subdomain and an Exchange subdomain.  2-3 times as many DCs,
> added cost that goes with that (power, a/c, NOC space), added overhead of
> maintaining that somewhat complex environment... the alternative for larger
> environments is to buy 2-3 times as many Exchange servers due to large token
> sizes.  Not to mention the bloating of your DIT database causing reduced
> performance on your DCs.
> 
> An exclusive RBS is a best-case scenario that almost never exists.  But it
> should be the basis of a security model.  The alternative is a bloated
> environment and a bloated management structure for that environment.
> 
> An exclusive ABS is another best-case scenario that rarely exists outside of
> smaller environments, where management of resources is easier to control
> because the people who are controlling the resource know everyone who needs
> access to their resource.
> 
> Considering how large the companies you commonly work with are, it's
> suprising to see you recommending a difficult to manage model.  With
> hundreds of thousands of users and possibly a nearly identical number of
> shares (or worse... more) and a large number of applications, it's hard to
> see where an ABS is practical.
> 
> 
> 
> On 7/31/06, joe <[EMAIL PROTECTED]> wrote:
> >
> >  If I am fixing security bugs in my program is it ok to get 80% of them
> > and leave the remaining known 20%?
> >
> > Do you have a lot of faith in a firewall that stops 80% of the bad
> > traffic? Or an AV scanner that finds 80%?
> >
> > If I set up a shared folder to get files shared out to multiple folks, is
> > it ok if only 80% of the people I give access to really need the access?
> > What if in that shared folder are personal files about you or your wife or
> > your kids or maybe some compromising photos of you and your mistress[1]? :)
> >
> > How about the flip side, if I set up a shared folder and only 80% of the
> > folks who need the access get it, is that good?
> >
> > Would you have a list of people in the DA group where only 80% really
> > needed the access? Or again on the flip side, only 80% of the people who
> > required it got it?
> >
> >
> > Security should be very tightly controlled. Especially for access.
> >
> > Role based security fits squarely in this hole, IMO. It is probably more a
> > problem with the implementation and the definition of the roles than
> > anything because if you really got into defining really granular roles that
> > you should, you are almost at the point of doing resource based security
> > anyway which again, IMO, is by far the more secure way of handling resource
> > security. It is rare 

RE: [ActiveDir] Virtual DCs

2006-07-19 Thread Brett Shirley
Random thoughts on VM based DCs ...

 1. There is a whitepaper on Virtual DCs on msft's site, I didn't see
it mentioned below, so I thought I'd mention it.

 2. The whitepaper neglected to mention that you should turn off HD
caching on the host system.

 3. Of course "diff-disks" are absolutely not supported, as is making
copies of the .vhds or VMware equivalent (what is this called?) for backup /
restore purposes.  If you don't understand why, don't even try this;
you're sure to mess up your _forest_ (not just a single DC).

 4. Also there is some question in my mind, as to whether .vhds or the
VMWare equivalent are as crash safe as the underlying ESE DB on raw
hardware.

 5. Also, stacking all VM DCs for a single domain or NC on a single
physical box doesn't make sense, as you ruin any real redundancy.

Given 4 and the fact that I'm[1] unlikely to care about debugging / fixing
a corruption from a database on a VM system, it makes 5 esp. critical.  
It doesn't mean you need physical DCs, just that you shouldn't expose
yourself to single fault failures ... which I would probably include as a
whole power grid, ergo if datacenter power goes out, you should have
either a physical DC (or two) for each domain or NC there, or have at
least VM DCs running in a different datacenter.

I've always thought multiple DCs from different domains on a server
was an intriguing way to create sort of a "forest on a box" for disaster
recovery purposes, but once you realize that 3 limits the ways you can
recover it is somewhat (though not entirely) less interesting.

My 2c.

Cheers,
BrettSh [msft]

[1] And I'm an ESE Developer, aka basically at the top of the escalation
ladder of people who can return your corrupted DB to a working state.


On Wed, 19 Jul 2006, Brad Smith wrote:

> I would definitely back the use of VM's on this one, although I would
> definitely keep one or two DC's present.  I have personally done the
> rounds with MS on this, and we ended up with 5 physical DC's, and 38
> Virtual ones.  There were two reasons we retained physical DC's:
> 
>  
> 
> 1)   At the time (a couple of months ago), different staff in MS
> interpreted their own support policy differently, and they couldn't (and
> still haven't) resolved it.  To ensure we had a supported environment we
> retained some physical DC's.
> 
> 2)   We were uncertain how much Exchange would pull on the DC's for
> its lookups, and to minimise risk of deploying VM's we gave the bigger
> sites (where our Exchange boxes were) physical DC's
> 
>  
> 
> Ada, I say go for it, but keep one, possibly two physical DC's.
> 
>  
> 
> Brad
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 08 June 2006 14:05
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Virtual DCs
> 
>  
> 
> Along these lines, has anyone seen an actual best practices whitepaper
> for MS Virtual Server?  How to configure disk arrays, controller cache,
> how many VHDs per volume, memory allocation, etc.
> 
>  
> 
> Bryan Lucas
> 
> Server Administrator
> 
> Texas Christian University
> 
> (817) 257-6971
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
> Sent: Wednesday, June 07, 2006 10:23 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Virtual DCs
> 
>  
> 
> This is absolutely true.  I know virtualization scares a lot of people,
> but the fact is that in some environments virtualizing systems saves a
> great deal of money and actually makes managing systems much easier
> (here it has reportedly saved a "significant" amount in hardware cost
> for the enterprise).  I have been closely watching my Exchange servers
> ever since our AD side of the house started virtualizing DC's and with
> domain controllers running on ESX servers in an optimized configuration
> the performance is very close to hardware.  I have noticed that in terms
> of LDAP performance that VM's are a tad bit slower than hardware, but
> that "tad" is well within the range of performance that applications
> like Exchange require.  After over a year of having virtualized DC's we
> have not had any problems with virtualized domain controllers (placed
> globally on ESX servers around the world).  We do, however, work on the
> side of caution and do maintain a few hardware DC's in our HQ that own
> FSMO roles, but I've seen nothing to suggest that they could not be on
> VM's to date (it's just a precaution).  
> 
>  
> 
> I have to admit at first I totally dismissed virtualization because I
> considered it, like others, as more of a development\test environment
> solution, however I have since been convinced after working with
> virtualized OS's that it has its place (we have 100's if not 1000's of
> virtualized hosts currently in production).  I/O intensive applications
> are not a good place for virtualization in production, but ot
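
Why a copied .vhd is not a backup (Brett's point 3), as an added example that is not part of the original thread. A DC identifies its database instance to its replication partners by an invocationID, and each partner records, per invocationID, the highest USN it has already applied and asks only for changes above it. Rolling the disk back to an earlier image keeps the invocationID but rewinds the USN counter, so the DC reissues USNs its partners have already seen and its new writes are silently never replicated; Microsoft documents this failure as USN rollback (KB 875495). A supported system-state restore stamps a new invocationID, which is what this PowerShell toy model contrasts. The DC names, object names and change sequence are invented for the illustration, and the model ignores per-attribute version metadata, so it shows the mechanism rather than every detail of real replication.

```powershell
# Added example, not code from the original thread: a toy model of USN rollback.
# Partners track, per source invocationID, the highest USN applied (the up-to-dateness
# vector) and request only changes above it. All names below are invented.

function New-Dc([string]$Name) {
    [pscustomobject]@{
        Name         = $Name
        InvocationId = [guid]::NewGuid()   # identity of this DC's database instance
        Usn          = 0                   # local update sequence number
        Objects      = @{}                 # object -> current value
        Utd          = @{}                 # partner invocationID -> highest USN applied
        Changes      = @()                 # local change log (USN, object, value)
    }
}

function Write-DcObject($Dc, [string]$Object, [string]$Value) {
    $Dc.Usn = $Dc.Usn + 1
    $Dc.Objects[$Object] = $Value
    $Dc.Changes += [pscustomobject]@{ Usn = $Dc.Usn; Object = $Object; Value = $Value }
}

function Sync-Dc($Dest, $Source) {
    # The destination requests only what lies above the USN it already holds for this source.
    $seen = 0
    if ($Dest.Utd.ContainsKey($Source.InvocationId)) { $seen = $Dest.Utd[$Source.InvocationId] }
    $new = @($Source.Changes | Where-Object { $_.Usn -gt $seen })
    foreach ($c in $new) { $Dest.Objects[$c.Object] = $c.Value }
    $Dest.Utd[$Source.InvocationId] = [Math]::Max($seen, $Source.Usn)
    return $new.Count
}

function Save-Image($Dc) {
    # "Backup" by copying the disk: database, USN counter and invocationID all come along.
    [pscustomobject]@{
        InvocationId = $Dc.InvocationId; Usn = $Dc.Usn
        Objects = $Dc.Objects.Clone(); Utd = $Dc.Utd.Clone()
    }
}

function Restore-Image($Dc, $Image, [switch]$Supported) {
    $Dc.Usn = $Image.Usn; $Dc.Objects = $Image.Objects.Clone(); $Dc.Utd = $Image.Utd.Clone()
    $Dc.Changes = @()   # simplification: what was in the image was replicated out before the copy
    # A supported system-state restore stamps a new invocationID, so partners see a new
    # source and pull from USN 0 again; a copied .vhd keeps the old one.
    if ($Supported) { $Dc.InvocationId = [guid]::NewGuid() }
}

function Invoke-Scenario([switch]$SupportedRestore) {
    $dc1 = New-Dc 'DC1'; $dc2 = New-Dc 'DC2'
    Write-DcObject $dc1 'user:alice' 'pwd-v1'              # USN 1
    Sync-Dc $dc2 $dc1 | Out-Null
    $image = Save-Image $dc1                                # copy the disk here (DC1 at USN 1)

    Write-DcObject $dc1 'group:DomainAdmins' 'alice'        # USN 2
    Write-DcObject $dc1 'user:alice' 'pwd-v2'               # USN 3
    Sync-Dc $dc2 $dc1 | Out-Null                            # DC2 now holds USN 3 from DC1

    Restore-Image $dc1 $image -Supported:$SupportedRestore  # DC1 is back at USN 1
    Write-DcObject $dc1 'user:bob' 'new-hire'               # USN 2 reissued
    Write-DcObject $dc1 'group:DomainAdmins' ''             # USN 3 reissued: alice removed
    $pulled = Sync-Dc $dc2 $dc1

    [pscustomobject]@{
        SupportedRestore   = [bool]$SupportedRestore
        ChangesPulledByDc2 = $pulled
        Dc1DomainAdmins    = $dc1.Objects['group:DomainAdmins']
        Dc2DomainAdmins    = $dc2.Objects['group:DomainAdmins']
        Dc2KnowsBob        = $dc2.Objects.ContainsKey('user:bob')
    }
}

Invoke-Scenario                    # copied image: DC2 pulls nothing, keeps alice in Domain Admins, never learns of bob
Invoke-Scenario -SupportedRestore  # new invocationID: DC2 pulls the post-restore writes
```

The security-relevant outcome is the first row: DC1 believes alice was removed from Domain Admins while DC2 still has her there, and no error is raised on either side, which is why Brett says the damage is to the forest rather than to one DC.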

RE: [ActiveDir] User extraction

2006-07-18 Thread Brett Shirley
You could also use the bit wise query operators to make a list of just
disabled and just enabled accounts, then merge the two w/ the appropriate
column ...

-B

On Tue, 18 Jul 2006, Mike Newell wrote:

> Hey,
> 
> There's no isDisabled attribute that I know of. You could run the adfind
> command below and use the userAccountControl attribute to determine if
> the account is disabled or not. 
> 
>  
> 
> adfind -b dc=yourdomain,dc=com -nodn -f "(&(objectCategory=person)(objectClass=user))" givenName SN userAccountControl >> filename.txt
> 
>  
> 
> You can do some stuff in Excel if you need a report that says disabled.
> 512 is normal, 514 is disabled, etc. Check here for the details on the
> values for the userAccountControl attribute.
> 
>  
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
> Sent: Tuesday, July 18, 2006 11:41 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] User extraction
> 
>  
> 
> What is the adfind syntax that will extract all users in a domain to a
> text file and contains the following field?
> 
>  
> 
> LastName, FirstNameisDisabled
> 
>  
> 
> -Devon
> 
> 
> 
> 

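
Brett's suggestion worked through, as an added example that is not part of the original thread. The LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) tests userAccountControl for the ACCOUNTDISABLE bit (0x2) on the server, so the two adfind filters below return exactly the disabled and exactly the enabled accounts whatever other bits are set (password never expires, smart card required, and so on); comparing the raw value against 512 or 514 in Excel misses those combinations. The script is PowerShell, builds both filters, and applies the same bit test to constructed sample records so it runs without a domain. dc=yourdomain,dc=com is the same placeholder Mike used, and the sample names and values are invented.

```powershell
# Added example, not code from the original thread. Builds the two bitwise LDAP filters
# Brett alludes to and applies the same bit test to constructed sample records.
# The OID is the standard LDAP_MATCHING_RULE_BIT_AND; ACCOUNTDISABLE is bit 0x2 of
# userAccountControl (514 = NORMAL_ACCOUNT 512 + ACCOUNTDISABLE 2).
$LDAP_BIT_AND   = '1.2.840.113556.1.4.803'
$ACCOUNTDISABLE = 0x2

$UserOnly = '(objectCategory=person)(objectClass=user)'
# Server-side bit test: matches when (userAccountControl AND 2) != 0, whatever other bits are set.
$DisabledFilter = "(&${UserOnly}(userAccountControl:${LDAP_BIT_AND}:=${ACCOUNTDISABLE}))"
$EnabledFilter  = "(&${UserOnly}(!(userAccountControl:${LDAP_BIT_AND}:=${ACCOUNTDISABLE})))"

# The two adfind runs these produce (dc=yourdomain,dc=com is a placeholder, as in Mike's
# command); merge the two output files and tag each with the column it came from.
$AdfindDisabled = 'adfind -b dc=yourdomain,dc=com -nodn -f "' + $DisabledFilter + '" sn givenName >> disabled.txt'
$AdfindEnabled  = 'adfind -b dc=yourdomain,dc=com -nodn -f "' + $EnabledFilter  + '" sn givenName >> enabled.txt'

function Test-AccountDisabled {
    # Client-side equivalent of the bitwise filter; comparing to 514 would miss 66050 etc.
    param([Parameter(Mandatory)][int]$UserAccountControl)
    return (($UserAccountControl -band $ACCOUNTDISABLE) -ne 0)
}

function Get-UserReport {
    # Produces the LastName, FirstName, isDisabled rows Devon asked for.
    param([Parameter(Mandatory)][object[]]$Accounts)
    foreach ($a in $Accounts) {
        [pscustomobject]@{
            LastName   = $a.sn
            FirstName  = $a.givenName
            isDisabled = Test-AccountDisabled -UserAccountControl $a.userAccountControl
        }
    }
}

# Constructed sample records standing in for adfind output; these are not real accounts.
$Sample = @(
    @{ sn = 'Smith'; givenName = 'Ann'; userAccountControl = 512   }  # NORMAL_ACCOUNT
    @{ sn = 'Jones'; givenName = 'Bob'; userAccountControl = 514   }  # NORMAL_ACCOUNT | ACCOUNTDISABLE
    @{ sn = 'Lee';   givenName = 'Cy';  userAccountControl = 66048 }  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    @{ sn = 'Park';  givenName = 'Dee'; userAccountControl = 66050 }  # the line above, plus ACCOUNTDISABLE
)

Write-Host $AdfindDisabled
Write-Host $AdfindEnabled
Get-UserReport -Accounts $Sample | Format-Table -AutoSize
```

The same filter strings work unchanged with Get-ADUser -LDAPFilter or a System.DirectoryServices.DirectorySearcher; only the bit under test changes if you want, say, LOCKOUT (0x10) or DONT_REQ_PREAUTH (0x400000) instead of ACCOUNTDISABLE.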


RE: [ActiveDir] NTDS.DIT Size

2006-06-30 Thread Brett Shirley

Someone said this:
> Whatever needs to be loaded should perform better when smaller.

I suspect this is not true, or at least not very significant.  OLD (OnLine
Defrag) cinches up the DB so the fewest pages are used for data and
whitespace is consolidated to whole pages, and so while backup time would
be longer / take up more space, from a caching perspective it shouldn't
perform any better.

Cheers,
-BrettSh [msft]

On Fri, 30 Jun 2006, Brian Desmond wrote:

> Sounds like he's probably just not populating many attributes. I've got
> double that DIT size at a client with half the number of users easily.
> I've also never had a reason to defrag a dit when I can just dcpromo
> down/up if I think it will fix a database issue. 
> 
>  
> 
> Thanks,
> 
> Brian Desmond
> 
> [EMAIL PROTECTED]
> 
>  
> 
> c - 312.731.3132
> 
>  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
> Guido
> Sent: Thursday, June 29, 2006 6:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.DIT Size
> 
>  
> 
> 1.7GB for 250,000 users is pretty small already - I guess you don't use
> Exchange for messaging or use extremely few attributes of your objects
> in AD.  With the steps outlined by Ulf you should get a fair idea on how
> much whitespace you currently have, however, you shouldn't expect to
> have much if your AD is growing at a fairly constant rate. The database
> grows fairly linear and whitespace is being used automatically by new
> data.
> 
>  
> 
> As you're talking about moving to 64-bit, I guess you're already using
> Win2003.  On 32-bit Windows 2003 DCs without /3GB switch, the LSASS
> process can consume (cache) up to about 1.5GB, with /3GB it's around
> 2.6GB.  /3GB is supported on both Standard and Enterprise Edition with
> respect to DCs.
> 
>  
> 
> So theoretically you're well in the limits of the 32-bit OS, as long as
> you have at least 4GB in your DCs and are using the /3GB switch.
> However, the /3GB switch reduces the virtual memory for the kernel down
> to 1GB, which can be a limiting factor in other situations - usually not
> on a DC (if it's not also hosting many other services).
> 
>  
> 
> But the 64-bit DCs won't cost you one penny extra: almost all server HW
> for the past 12 months has been x64 capable and the 64-bit Win2003
> version has the same licensing costs as the 32-bit version. So you might
> as well go for it and have even more room for growth.  Mind you, with
> your current DIT size you should not expect much performance difference
> for your AD (unless you're replacing old server HW with new HW at the
> same time...).
> 
> /Guido
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
> Simon-Weidner
> Sent: Donnerstag, 29. Juni 2006 23:47
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.DIT Size
> 
> Hello Joshua,
> 
>  
> 
> I'd look at the whitespace to determine when to offline defrag a DC. You
> can enable the associated event which will tell you the amount of
> whitespace by setting the registry key
> HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\6 Garbage
> Collection to 1 instead of 0 (which is the default). Regkey might be
> likely - just typed it from hard.
> 
> This will give you an event every time when garbage collection runs
> (every 12 hrs) and tell you the amount of whitespace in the DB.
> 
>  
> 
> Whatever needs to be loaded should perform better when smaller.
> 
>  
> 
> I've heard that a DC on x64 will perform better than on 32-bit, since
> it's very likely you already have some of the newer servers with x64 I'd
> just give it a try for one DC yourself.
> 
>  
> 
> Gruesse - Sincerely, 
> 
> Ulf B. Simon-Weidner 
> 
>   Profile & Publications:
> http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
>   Weblog: http://msmvps.org/UlfBSimonWeidner
>   Website: http://www.windowsserverfaq.org
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Coffman
> Sent: Thursday, June 29, 2006 10:59 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] NTDS.DIT Size
> 
>  
> 
> Our AD (NTDS.dit) is at 1.7GB (approx. 250,000 users).
>  
> Should an offline defrag be performed at a regular interval?
>  
> Some articles I read only say it is only worthwhile if you are running
> low on space. We have plenty of drive space and RAM.
>  
> At what point should the AD be moved to 64 bit?
>  
> Thanks,
>  
> Josh
>  
>  
> 
> 

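
The whitespace monitoring Ulf describes, as an added example that is not part of the original thread (PowerShell; the function names and the thresholds are my own choices). The registry value '6 Garbage Collection' under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics, set to 1, makes each garbage-collection pass log event 1646 to the Directory Service log with the free and allocated megabytes inside ntds.dit. Given Brett's point that whitespace costs backup size and disk rather than cache performance, the decision function below treats an offline defrag as worthwhile only when the whitespace is both a large share and a large absolute amount. The two event messages are constructed for the example, not captured from a DC.

```powershell
# Added example, not code from the original thread. Enables the Garbage Collection
# diagnostic logging Ulf describes and turns the resulting free-space events into a
# defrag decision. The event texts below are constructed, not captured from a real DC;
# the thresholds are arbitrary choices for the example.

$NtdsDiag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Enable-NtdsWhitespaceEvent {
    # Level 1 makes the garbage-collection task (every 12 hours by default) log event
    # 1646 in the Directory Service log with the free space inside ntds.dit.
    Set-ItemProperty -Path $NtdsDiag -Name '6 Garbage Collection' -Value 1 -Type DWord
}

function ConvertFrom-WhitespaceEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # Pull the two megabyte figures out of the message text.
        $free  = [regex]::Match($Message, 'Free hard disk space \(megabytes\):\s*(\d+)').Groups[1].Value
        $total = [regex]::Match($Message, 'Total allocated hard disk space \(megabytes\):\s*(\d+)').Groups[1].Value
        if (-not $free -or -not $total) { return }
        [pscustomobject]@{
            FreeMB        = [int]$free
            TotalMB       = [int]$total
            WhitespacePct = [math]::Round(100 * [int]$free / [int]$total, 1)
        }
    }
}

function Test-OfflineDefragWorthwhile {
    # Offline defrag reclaims disk and shrinks backups; it does not speed up the cache,
    # so only bother when the whitespace is both a large share and a large amount.
    param($Report, [int]$MinPct = 20, [int]$MinMB = 500)
    return ($Report.WhitespacePct -ge $MinPct -and $Report.FreeMB -ge $MinMB)
}

# Constructed sample messages carrying the two figures the real event reports.
$Samples = @(
    'Internal event: The Active Directory database has the following amount of free hard disk space remaining. Free hard disk space (megabytes): 120 Total allocated hard disk space (megabytes): 1740',
    'Internal event: The Active Directory database has the following amount of free hard disk space remaining. Free hard disk space (megabytes): 900 Total allocated hard disk space (megabytes): 2600'
)

$Samples | ConvertFrom-WhitespaceEvent | ForEach-Object {
    $_ | Add-Member -NotePropertyName DefragWorthwhile -NotePropertyValue (Test-OfflineDefragWorthwhile $_) -PassThru
}

# On a real DC, after Enable-NtdsWhitespaceEvent and one garbage-collection cycle:
# Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1646 } |
#     Select-Object -ExpandProperty Message | ConvertFrom-WhitespaceEvent
```

The first sample (120 MB of 1740 MB, about 7%) is reported as not worth an offline defrag; the second (900 MB of 2600 MB, about 35%) is. Remember that compaction is per-DC, as Al notes in the next thread, so run the check on each DC rather than extrapolating from one.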


Re: RE : Re: [ActiveDir] Question regarding compacting AD DB.

2006-06-27 Thread Brett Shirley
Just curious, Al, where did you hear this from:
 > doing this. Online defrag can be a wonderful thing, and off-line is
 > typically recommended if online is not going to be able to finish
 > during its run time.

Because I've never recommended that.  Online defrag actually saves off
where it stopped, so it picks up on its next run where it stopped last
run, and thus can finish over multiple runs.  Or were you calling a
complete pass a run, and saying if it never finishes a complete pass?

Cheers,
BrettSh

On Tue, 27 Jun 2006, Yann wrote:

> Hello Al,
>
>   Good links u pointed to me, especially the link to automate the process 
> .
>   Thanks again for clarification on this subject.
>
>   Yann
> 
> Al Mulnick <[EMAIL PROTECTED]> wrote:
> 
> http://technet2.microsoft.com/WindowsServer/en/Library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true
>  
>
>   
> http://technet2.microsoft.com/WindowsServer/en/Library/975c456e-8b79-4ace-8363-82543236dbb31033.mspx?mfr=true
>  
>
>   
> http://technet2.microsoft.com/WindowsServer/f/?en/Library/5b1d983d-ffab-4514-a95e-6aa0420dacb51033.mspx
>  
>
>   Compacting is a local dit thing.  You'll need to deal with it local
> to each machine.  IIRC, you can automate/semi-automate this and can
> off-set it to not take out your entire forest at the same time. The
> above links should help.
>
>   I've just never seen a big reason to do this on an automated basis.  
> Even with similar amounts of DC's I didn't have enough of a reason to
> do this.  You may want to verify that there is much free space before
> doing this. Online defrag can be a wonderful thing, and off-line is
> typically recommended if online is not going to be able to finish
> during its run time.
>
>
>
>   Al
> 
>  
>   On 6/27/06, Yann <[EMAIL PROTECTED]> wrote:   Hello,
>
>   It may be a silly question, but when u perform a migration from winNT/w2k 
> to a w2k3 domain, do i have next to compact+defrag  the ntds.dit on *EACH* 
> DC2k3 that have been migrated ? or may i do the operation on only one DC and 
> this DC will replicate the state (compact&defrag) on all other DCs ? 
>   I have at least 60 DCs :(
>   I think the answer will be "compact & defrag each DC that have been 
> upgraded", but just to be 100 % sure.
>
>   Thanks for answer.
> 
> Yann
> 
>  
>
> 



Re: [ActiveDir] Monitoring AD Database

2006-06-27 Thread Brett Shirley
If you give me specifics on which performance counters specifically don't
show up for 2003 that are there in 2000, I can look into it (could've been
removed on purpose, unintentionally removed, superseded by another
counter, or simply made squeaky).

Cheers,
BrettSh [msft]


On Tue, 27 Jun 2006, Teo De Las Heras wrote:

> So I found the following article which pertains to Windows 2000 on adding
> the AD database counters.  It works on Windows 2003, but not all the
> counters listed for 2000 show up on 2003.  Is there something I'm missing?
> 
> http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/addeploy/addch09.mspx?mfr=true
> 
> Teo
> 



Re: [ActiveDir] Is this like AD blog season or what?

2006-06-23 Thread Brett Shirley
I can't tell if this guy is just trying to stroke my ego or what?  Anyway,
luckily that is something I know a bit about ...

-B

On Sat, 24 Jun 2006, Phil Renouf wrote:

> I'd love to hear more about repadmin :)
> 
> Becoming one of my favourite tools, would love to know as much as I can
> about it, especially any of those undocumented features... although I guess
> writing a blog about them might make them documented.
> 
> Too soon to start blogging about longhorn AD stuff?
> 
> Phil
> 
> 
> On 6/22/06, Brett Shirley <[EMAIL PROTECTED]> wrote:
> >
> > I wouldn't mind hearing specific things people would like to hear about
> > ...  I have my own internal list of ideas of stuff to blog about / proto
> > blogs / etc, but wondering how much my plan matches desire.
> >
> > Cheers,
> > -BrettSh
> >
> > On Thu, 22 Jun 2006, joe wrote:
> >
> > > I wouldn't mind seeing some AD Dev guys blogging. The closest to it that
> > I
> > > am aware of is Brett then ~Eric and Eric isn't in AD Dev nor ever was
> > but
> > > one of the more visible AD gurus. I would probably pay to subscribe to a
> > > blog by DonH if he told stories of all of the AD Dev work and why
> > various
> > > decisions were made.
> > >
> > >
> > > --
> > > O'Reilly Active Directory Third Edition -
> > > http://www.joeware.net/win/ad3e.htm
> > >
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> > CPA
> > > aka Ebitz - SBS Rocks [MVP]
> > > Sent: Friday, June 09, 2006 4:29 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] Is this like AD blog season or what?
> > >
> > > Active Directory Discussion : Introducing the Active Directory
> > > Discussion Blog:
> > > http://blogs.technet.com/ad/archive/2006/06/09/434604.aspx
> > >
> > > --
> > > Letting your vendors set your risk analysis these days?
> > > http://www.threatcode.com
> > > The SBS product team wants to hear from you:
> > > http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
> > >
> > >
> >
> >
> 



Re: [ActiveDir] DC Configuration

2006-06-23 Thread Brett Shirley
I think to go from 5000 users to a load metric (across organizations) is
ridiculous ... one orgs 5000 users do not generate the same load as
anothers 5000 users.  Be careful about making comparisons like that.  Just
my 2c.

Cheers,
-BrettSh

On Fri, 23 Jun 2006, Al Lilianstrom wrote:

> Myrick, Todd (NIH/CC/DCRI) [E] wrote:
> > Some of my opinions based on my own research.
> > 
> >  
> > 
> >1. I prefer hot swappable hardware RAID 1 for all boot / system
> >   partitions no matter what the role of the server is.  To me this
> >   gives the fastest disaster recovery option for situations you are
> >   unsure about with regards to OS updates and single drive
> >   failures.  On a side note we used to use three mirrors for our
> >   domain controller setups. 1 for system/boot/syslog, 1 for
> >   transaction logs, and 1 for data.  We mirrored this after our
> >   exchange setup, except in Exchange we used RAID 5 arrays to store
> >   the data.
> >2. With regards to number of spindles and performance, I discussed
> >   this with someone on the list before (Guido) and people at HP and
> >   we came to the conclusion that with the latest 15K drives you
> >   won't see any tangible performance improvements going with
> >   multiple mirrors unless your DC's service more than 5000 people in
> >   that location where the DC resides.
> 
> I had a feeling that 15K drives wouldn't buy me much. After some reading 
> last night I'm even more convinced. For our size I think I'll be going 
> with 2 mirror sets and as much memory as we can afford.
> 
> >3. Judging from the original posters SMTP information, it looks like
> >   his organization has less than 5000 people in it, so I recommend
> >   his first option.
> > 
> 
> While my 'organization' has less than 5000 employees we can have from 
> 1-4000 visitors here at any time. With the Accelerator running (as it is 
> now) we'll be crowded for the next 1.5 years.
> 
> > 
> > Follow-up thoughts looking for group input.
> > 
> >  
> > 
> > With regards to when is it best to use Software RAID, I have debated 
> > this with several people and I seem to favor this approach in Virtual 
> > Server Environments and using it on the System/Boot Partition for DR 
> > purposes.  Another possible use for the software based mirroring might 
> > be to create live copy of server for duplication purposes (personally I 
> > think there are much better approaches out there.)  Any thoughts on this?
> > 
> >  
> > 
> > What Disk type do you all recommend?  I currently still stick to the 
> > Basic Disk for the most part. (Unless I want to use software based 
> > fault-tolerance).
> > 
> 
> We use basic for the most part. The only time I use dynamic is 
> when I have to create a large (>5TB) volume on some of the SATA boxes 
> that we have that host some large-ish SQL databases.
> 
>   al
> 
> -- 
> 
> Al Lilianstrom
> CD/CSS/CSI
> [EMAIL PROTECTED]
> 
> 



RE: [ActiveDir] Is this like AD blog season or what?

2006-06-22 Thread Brett Shirley
I wouldn't mind hearing specific things people would like to hear about
...  I have my own internal list of ideas of stuff to blog about / proto
blogs / etc, but wondering how much my plan matches desire.

Cheers,
-BrettSh

On Thu, 22 Jun 2006, joe wrote:

> I wouldn't mind seeing some AD Dev guys blogging. The closest to it that I
> am aware of is Brett then ~Eric and Eric isn't in AD Dev nor ever was but
> one of the more visible AD gurus. I would probably pay to subscribe to a
> blog by DonH if he told stories of all of the AD Dev work and why various
> decisions were made.
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
> aka Ebitz - SBS Rocks [MVP]
> Sent: Friday, June 09, 2006 4:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Is this like AD blog season or what?
> 
> Active Directory Discussion : Introducing the Active Directory 
> Discussion Blog:
> http://blogs.technet.com/ad/archive/2006/06/09/434604.aspx
> 
> -- 
> Letting your vendors set your risk analysis these days?  
> http://www.threatcode.com
> The SBS product team wants to hear from you:
> http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
> 
> 



RE: Re: [ActiveDir] Errors During Authoritative Restore

2006-06-21 Thread Brett Shirley
BTW, yes the scratch the forest and start over, usually people don't auth
restore, they just make sure the rolled back forest, doesn't replicate
with the corrupted forest.  This is the normal forest restore procedure.

Note: Because AD tries to replicate with deleted NTDS Settings objects, 
you have to make sure all the other DC's computer accounts are deleted,
this fails auth so that they can't replicate.  IIRC, ntdsutil from sp1
does delete the DC computer accounts, whereas win2k3 RTM and before does
not.

Cheers,
BrettSh

On Wed, 21 Jun 2006, Brett Shirley wrote:

> 
> This should give you a list of any other classes using non-standard naming
> attributes.  Send us the output.
> 
> Cheers,
> BrettSh
> 
> FindNonStdNamingAtts.cmd:
> @echo off
> rem Somewhat brute force, should claim one non-standard naming 
> rem attribute msTapi-uid, but this provides a sort of "yes, the
> rem command is working" feedback.
> rem
> rem When the command is done, you should see one or more lines 
> rem like this printed:
> rem     tempo.txt:8654:1> rDNAttID: msTAPI-uid
> rem
> rem So to see the class that requires say this msTAPI-uid, 
> rem you can open up the tempo.txt file and goto line 8654 to
> rem see the class it is associated with.  This is hacky.
> rem
> rem Note: findstr /c: is a plain substring match, so e.g. the
> rem "rDNAttID: o" filter also hides "rDNAttID: ou" and any custom
> rem naming attribute whose name starts with "o"; likewise for "c",
> rem "l", "st" and the others.
> 
> [Ed. BrettSh: note my email editor wrapped these lines, this is
> basically 2 line script, you have to have win2k3 repadmin.exe and 
> findstr.exe.]
> 
> repadmin /showattr . ncobj:schema: /onelevel /filter:"(name=*)" /atts:objectClass,name,rdnattid,ldapDisplayName > tempo.txt
> 
> findstr /snic:"rDNAttID" tempo.txt | findstr /veic:"lDAPDisplayName: rDNAttID" | findstr /veic:"rDNAttID: ou" | findstr /veic:"rDNAttID: cn" | findstr /veic:"rDNAttID: o" | findstr /veic:"rDNAttID: dc" | findstr /veic:"rDNAttID: l" | findstr /veic:"rDNAttID: c" | findstr /veic:"rDNAttID: uid" | findstr /veic:"rDNAttID: st" | findstr /veic:"rDNAttID: street"
> 
> 
> 
> 
> On Wed, 21 Jun 2006, Joshua Coffman wrote:
> 
> > Thanks again for your help. I appreciate your feedback and expertise on the 
> > subject.
> >  
> > You are correct, this is a test of a bare-metal restore of the entire 
> > domain, where I bring in tapes from offsite and restore a single DC to a 
> > completely disconnected machine (on identical hardware). In this worst-case 
> > scenario, the plan was to restore a single DC, perform metadata cleanup, 
> > and rebuild and dcpromo new replicas.  I was under the impression that in 
> > order to restore the entire database from scratch, you had to mark the 
> > SYSVOL as primary, and perform an authoritative restore: restore database. 
> > Are you saying you just restore from tape, mark SYSVOL as primary, skip the 
> > auth restore commands in NTDSUTIL, and just perform the metadata cleanup 
> > functions, clean DNS, etc. and you are good to go? If this is correct, it 
> > would be a much cleaner/faster process, because we wouldn't have to be 
> > updating USNs on a half-million objects. 
> >  
> > It makes sense that it would not have to be authoritative, if all replica 
> > DC's were going to be new, but I (probably mistakenly) thought that the 
> > authoritative restore was a required step.
> >  
> > Thanks!Josh
> > 
> > 
> > Subject: RE: Re: [ActiveDir] Errors During Authoritative Restore
> > Date: Wed, 21 Jun 2006 08:48:25 +0100
> > From: [EMAIL PROTECTED]
> > To: ActiveDir@mail.activedir.org
> > 
> > 
> > 
> > glad Brett picked up on analysing the different errors you were getting - 
> > I've not seen these before.
> >  
> > curious to hear what type of issue you are testing to recover from?  From 
> > what you write, I gather you are testing to restore your production domain 
> > to another (hopefully physically separated) test-system.  I.e. you are 
> > testing a full recovery of your AD domain or forest - is this correct? 
> >  
> > If so, authoritative restore of the AD DB is not the right approach 
> > anyways. The restore database option gives the false impression of doing a 
> > full recovery of AD - it bears more risks than value and likely this is why 
> > it was removed from Longhorn.  In a distributed multi-master database such 
> > as AD, auth. restoring the partition of one DC will never completely 
> > overwrite the same partition of the other DCs: although you might be lucky 
> > and think you have fully recovered, any additional objects or n

RE: Re: [ActiveDir] Errors During Authoritative Restore

2006-06-21 Thread Brett Shirley

This should give you a list of any other classes using non-standard naming
attributes.  Send us the output.

Cheers,
BrettSh

FindNonStdNamingAtts.cmd:
@echo off
rem Somewhat brute force, should claim one non-standard naming 
rem attribute msTapi-uid, but this provides a sort of "yes, the
rem command is working" feedback.
rem
rem When the command is done, you should see one or more lines 
rem like this printed:
rem     tempo.txt:8654:1> rDNAttID: msTAPI-uid
rem
rem So to see the class that requires say this msTAPI-uid, 
rem you can open up the tempo.txt file and goto line 8654 to
rem see the class it is associated with.  This is hacky.
rem
rem Note: findstr /c: is a plain substring match, so e.g. the
rem "rDNAttID: o" filter also hides "rDNAttID: ou" and any custom
rem naming attribute whose name starts with "o"; likewise for "c",
rem "l", "st" and the others.

[Ed. BrettSh: note my email editor wrapped these lines, this is
basically 2 line script, you have to have win2k3 repadmin.exe and 
findstr.exe.]

repadmin /showattr . ncobj:schema: /onelevel /filter:"(name=*)" /atts:objectClass,name,rdnattid,ldapDisplayName > tempo.txt

findstr /snic:"rDNAttID" tempo.txt | findstr /veic:"lDAPDisplayName: rDNAttID" | findstr /veic:"rDNAttID: ou" | findstr /veic:"rDNAttID: cn" | findstr /veic:"rDNAttID: o" | findstr /veic:"rDNAttID: dc" | findstr /veic:"rDNAttID: l" | findstr /veic:"rDNAttID: c" | findstr /veic:"rDNAttID: uid" | findstr /veic:"rDNAttID: st" | findstr /veic:"rDNAttID: street"




On Wed, 21 Jun 2006, Joshua Coffman wrote:

> Thanks again for your help. I appreciate your feedback and expertise on the 
> subject.
>  
> You are correct, this is a test of a bare-metal restore of the entire domain, 
> where I bring in tapes from offsite and restore a single DC to a completely 
> disconnected machine (on identical hardware). In this worst-case scenario, 
> the plan was to restore a single DC, perform metadata cleanup, and rebuild 
> and dcpromo new replicas.  I was under the impression that in order to 
> restore the entire database from scratch, you had to mark the SYSVOL as 
> primary, and perform an authoritative restore: restore database. Are you 
> saying you just restore from tape, mark SYSVOL as primary, skip the auth 
> restore commands in NTDSUTIL, and just perform the metadata cleanup 
> functions, clean DNS, etc. and you are good to go? If this is correct, it 
> would be a much cleaner/faster process, because we wouldn't have to be 
> updating USNs on a half-million objects. 
>  
> It makes sense that it would not have to be authoritative, if all replica 
> DC's were going to be new, but I (probably mistakenly) thought that the 
> authoritative restore was a required step.
>  
> Thanks!Josh
> 
> 
> Subject: RE: Re: [ActiveDir] Errors During Authoritative Restore
> Date: Wed, 21 Jun 2006 08:48:25 +0100
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> 
> 
> 
> glad Brett picked up on analysing the different errors you were getting - 
> I've not seen these before.
>  
> curious to hear what type of issue you are testing to recover from?  From 
> what you write, I gather you are testing to restore your production domain to 
> another (hopefully physically separated) test-system.  I.e. you are testing a 
> full recovery of your AD domain or forest - is this correct? 
>  
> If so, authoritative restore of the AD DB is not the right approach 
> anyways. The restore database option gives the false impression of doing a 
> full recovery of AD - it bears more risks than value and likely this is why 
> it was removed from Longhorn.  In a distributed multi-master database such as 
> AD, auth. restoring the partition of one DC will never completely overwrite 
> the same partition of the other DCs: although you might be lucky and think 
> you have fully recovered, any additional objects or new attributes added to 
> existing objects in the respective AD partition after you performed the 
> backup will replicate back to the restored DC.
>  
> The correct way to fully restore AD is to restore only a single instance of 
> the DB (i.e. a single DC) and re-build / re-promote all the other DCs. 
> Instead of performing an auth. restore of the DB, you'd just restore it 
> non-authoritatively and do a metadata cleanup of all the other DCs on the 
> restored DC to ensure it is the only one representing your domain (you would 
> mark SysVol as primary during the restore process). There are a few more 
> steps to perform to ensure that the recovered DC doesn't replicate any data 
> from other existing DCs in your environment - all of these are described in 
> the (fairly old) AD Forest Recovery Whitepaper which pretty much also applies 
> for full recovery of a single domain: 
> http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE
>  
> It's a little more complex in a multi-domain environment as you also have to 
> take care of the partitions of your domain on GCs in other domains - if 
> your goal is to also fully restore the config partition, you're talking 
> about a full forest restore anyways (which would roughly use the same 
> ap
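The repadmin/findstr script Brett posted above (and in the quoted copy in the preceding thread) can also be done in PowerShell. The script below is an added example, not code from the original post or from Microsoft: it walks the schema naming context with an ADSI DirectorySearcher and reports every classSchema object whose rDNAttID is outside the standard set (cn, ou, o, dc, l, c, uid, st, street), comparing names exactly rather than with findstr's substring match, so a custom naming attribute whose name merely begins with one of those letters is not hidden. It assumes a domain-joined Windows host that can reach a DC over LDAP; the $standard list is the one implied by the original filters.

```powershell
# Added example (not from the original post): list every schema class whose
# naming attribute (rDNAttID) is outside the standard set. Assumes a
# domain-joined Windows host that can reach a DC over LDAP.
$standard = @('cn', 'ou', 'o', 'dc', 'l', 'c', 'uid', 'st', 'street')

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = $rootDse.Properties['schemaNamingContext'].Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$schemaNc"
$searcher.SearchScope = 'OneLevel'
$searcher.Filter      = '(objectClass=classSchema)'
$searcher.PageSize    = 1000      # paged, so more than 1000 classes come back
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('lDAPDisplayName', 'rDNAttID', 'governsID'))

$results = $searcher.FindAll()
try {
    $nonStd = foreach ($r in $results) {
        $p = $r.Properties
        $rdnVals = $p['rdnattid']
        # A class with no rDNAttID of its own uses the inherited one; nothing to report.
        if (-not $rdnVals -or $rdnVals.Count -eq 0) { continue }
        $rdn = [string]$rdnVals[0]
        # Exact, case-insensitive comparison: msTAPI-uid is reported, and so is
        # any custom naming attribute that merely starts with "o", "c", "l", ...
        # which the findstr substring filters would have hidden.
        if ($standard -notcontains $rdn.ToLowerInvariant()) {
            [pscustomobject]@{
                Class     = [string]$p['ldapdisplayname'][0]
                RdnAttId  = $rdn
                GovernsId = [string]$p['governsid'][0]
            }
        }
    }
}
finally {
    $results.Dispose()
}

$nonStd | Sort-Object Class | Format-Table -AutoSize
"{0} class(es) with a non-standard naming attribute" -f @($nonStd).Count
```

On an unextended schema the expected output is the single msTAPI class that Brett's script also flags; anything else listed is a candidate for the schema-extension question he asked earlier in the thread.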

RE: [ActiveDir] AD Restore

2006-06-21 Thread Brett Shirley
Very likely replication is not working for some reason ... there are a few
reasons it could not be working, some of them fixable, some of them not.

I suspect we should answer this question first ... what is the backup /
restore software you used?

Thanks,
BrettSh [msft]


On Wed, 21 Jun 2006, Almeida Pinto, Jorge de wrote:

> I do hope you are talking about w2k3 SP1!
>  
> did you do:
> restore subtree 
> ?
>  
> if w2k3 SP1... did you also import the LDF file?
>  
> do you have a multiple domain forest? if yes, were those objects members of 
> groups in other domains?
>  
>  
> explain the steps you have already done
>  
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
>  
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> Tel : +31-(0)40-29.57.777
> Mobile : +31-(0)6-26.26.62.80
> E-mail : 
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
> Sent: Wed 2006-06-21 15:37
> To: ActiveDir@mail.activedir.org
> Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> Subject: [ActiveDir] AD Restore
> 
> 
> 
> Please...I need help urgently    
> 
> 
> One of our users deleted an OU, 
> We tried to restore it with AD authoritative restore. The process was all 
> right, in the domain controller we did it. But it does not replicate objects 
> to the other DC's.  Only a few objects are replicated. 
> What can I do to solve this problem?   It is very important.. 
> 
> 
> 
> ADRIAO 
> 
> 55 11 98983142
> 
> 
> This e-mail and any attachment is for authorised use by the intended 
> recipient(s) only. It may contain proprietary material, confidential 
> information and/or be subject to legal privilege. It should not be copied, 
> disclosed to, retained or used by, any other party. If you are not an 
> intended recipient then please promptly delete this e-mail and any attachment 
> and all copies and inform the sender. Thank you.
> 



Re: [ActiveDir] Errors During Authoritative Restore

2006-06-20 Thread Brett Shirley
Do you have any schema extensions applied?  Do you know if those schemas
added any LDAP naming attributes?  If the 2nd question doesn't make sense
to you, I'll figure out a way you can query this, and send it to us.

Aside, it is generally not recommended to run "restore database".  In fact
this command was removed from Longhorn.

If you decide to retry that scenario again, I can suggest some
intermediate steps that would be good to know.  i.e.

1. Before running auth restore, it would be interesting to know the results
of an esentutl /k ntds.dit (checksum the database).

2. After auth restore, it would be good to know if the database is
logically consistent from ESE's perspective (do this via "esentutl /g
ntds.dit").

3. Also after we know it is logically consistent from AD's perspective (do
this via, exact command line provided:
ntdsutil "sem data anal" "go" "q" "q"

Cheers,
BrettSh [msft]
Ex-Building 7 Garage Door Operator


On Tue, 20 Jun 2006, Joshua Coffman wrote:

> I have a few questions for you AD gurus out there! :)
>
>  I just ran through a Disaster Recovery test of two of our ADs and I
> have a few questions which have come up as a result of the test.
>  
> Configuration Notes:
> These boxes are Windows 2003, SP1.
> The domains were originally Windows 2000 domains.
>
>  The following errors pop up on one of the domain controllers during
> the restore.
>
>  "Could not display the attribute type for the object with DNT
> 831424.Error: failed to get dn of dnt 831424" This occurs many times
> throughout the restore.
>
>  NOTE: This is during a complete restore, e.g. "authoritative restore:
> restore database" I also see a few of these.
>
> "There was an error parsing the GUID from the file on line: 1981" (Not
> to many of these, maybe four or five)
>
>  Additionally, with SP1, LDIF files are created to restore back-links.
> The file that restores the user/group back-links imports successfully.
> The file that restores the configuration back-links fails. (sorry, I
> do not have the error handy)
>
>  The authoritative restore says it completed successfully, and after I
> go through metadata cleanup and FSMO seizure, the box starts up
> without any errors, and AD throws no errors on startup.
>
>  I was wondering if anyone can tell me what these errors mean? What
> are their ramifications? How can the errors be resolved.
>  
> Thanks,
>  
> Josh



Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-20 Thread Brett Shirley
Two things ...

Secondly, it isn't just security groups, has anyone been hired or quit?

Firstly, the whole thing isn't big server vs. small server ... it is
whether you have any AD replicas, that includes having two DCs for the
same domain (assuming neither is NT4, then these DCs replicate the
domain), or having another domain in the same forest (it is a replica of
the global config/schema).

Cheers,
-BrettSh



On Tue, 20 Jun 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]  wrote:

> The decision is made by the IT pro of the needed recovery process.  I 
> would hope that any one of the folks on this list wouldn't just have an 
> image restore if they were a single DC but also a system state out there 
> as well.
> 
> You as the pro then make the appropriate recovery method... 
> authoritative restore... throw back in the image... whatever... if you 
> are running a single DC... you've gone through the permutations... you 
> know why you've chosen single DC over multiple DCs.. you have a plan.
> 
> Again... in the SBS space there is a camp that would argue that 
> introduction of multiple DCs takes away the flexibility of imaging that DC.
> 
> ...and in SBSland... who makes 10 new domain groups for heavens sake on 
> Tuesday?  We set this network up three years ago with the appropriate 
> security groups and OU structure and we honestly have not touched that 
> structure since.
> 
> I would argue as an IT pro... you will know the needs of your client and 
> have that decision tree mapped out of the ways you can DR that network.
> 
> As long as you can grab a part of that system state even if it's off an 
> old tape media... you can reinsert that (this is called the "Graveyard 
> Swing" by JeffM in SBSland.
> 
> When the need for DR hits you'll want options to go down that highway.. 
> not just one path.
> 
> Wyatt, David wrote:
> 
> > Now here's the problem.  The "just restore and resume approach" could 
> > be, in a very specific situation, a bad idea.  I'm sure everything 
> > would "work" as such, but as desired?
> >
> > After a backup is taken, new security principals might have been 
> > created in the domain. These security principals might be permissioned 
> > on certain resources e.g. file shares etc.  Now depending on when the 
> > image was taken and restore, it is *possible* the security principals 
> > no longer exist because the recovery has reverted to the image date, 
> > but their access rights might still exist. If the RID pool is not 
> > raised after a restore, and new security principals are created after 
> > the recovery might obtain identical security IDs (SIDs) and could have 
> > access to those objects, which was not originally intended.  So:
> >
> > Monday - image taken
> > Tuesday - 10 new domain groups created and assigned permissions to 
> > file server
> > Wednesday - need to recover DC as its crashed, restore image from 
> > Monday.  Now you have SIDs assigned on the file server but are not 
> > present on the domain.  When you create new security principals they 
> > could obtain identical SIDs to the ones belonging to the groups that 
> > were created on Tuesday.
> >
> > Would it not be prudent to raise the RID pool as part of your single 
> > DC recovery procedure?  I can't see what harm it would do anyway.
> >
> >
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
> > Sent: 20 Jun 2006 11:00
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory 
> > Server and Exchange Server
> >
> >
> > Hi David,
> >
> > Just restore and resume as it's a single DC.
> >
> > Cheers
> >
> > Rob
> >
> >
> > Robert Rutherford
> > QuoStar Solutions Limited
> > 
> > The Enterprise Pavilion
> > Fern Barrow
> > Wallisdown
> > Poole
> > Dorset
> > BH12 5HH
> >  T:  +44 (0) 8456 440 331   
> > F:   +44 (0) 8456 440 332   
> > M:   +44 (0) 7974 249 494   
> > E:  [EMAIL PROTECTED]   
> > W:  www.quostar.com 
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
> > Sent: 20 June 2006 10:38
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory 
> > Server and Exchange Server
> >
> >
> > To all single DC folks - when you perform a restore of your single DC 
> > from an image, as part of your procedure do you increase the value of 
> > the RID pool or just restore and resume working?
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
> > Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> > Sent: 20 Jun 2006 1:03
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Ghost Backup or Image for Active Directory 
> > Server and Exchange Server
> >
> >
> > And you didn't go to Jeff Middleton's TechEd session on DR for Small
> > business 
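David Wyatt's scenario above (image on Monday, ten new groups permissioned on Tuesday, image restored on Wednesday) leaves ACEs on the file server that refer to SIDs the restored directory no longer contains. The following PowerShell script is an added example, not code from anyone in the thread: it walks a set of share roots and lists every ACE whose identity no longer resolves, which is the review list an administrator wants after such a restore, before any new principals are created. It assumes a domain-joined host with read access to the paths; $Paths is a placeholder to set to your own share roots.

```powershell
# Added example (not from anyone in the thread): list ACEs on a share tree whose
# SID no longer resolves to a principal. Assumes a domain-joined host with read
# access to the paths; $Paths is a placeholder to set to your own share roots.
$Paths = @('D:\Shares')   # placeholder

function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$Root)

    # Check the root itself plus every directory beneath it.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($d in $dirs) {
        try   { $acl = Get-Acl -LiteralPath $d.FullName }
        catch { continue }          # no read access to the DACL: skip it

        foreach ($ace in $acl.Access) {
            # Get-Acl hands back an NTAccount when the SID translates and falls
            # back to the raw SecurityIdentifier when no principal exists for it.
            $id = $ace.IdentityReference
            $orphan = ($id -is [System.Security.Principal.SecurityIdentifier]) -or
                      ($id.Value -like 'S-1-5-21-*')
            if ($orphan) {
                [pscustomobject]@{
                    Path      = $d.FullName
                    Sid       = $id.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$orphans  = foreach ($root in $Paths) { Get-OrphanedAce -Root $root }
$explicit = @($orphans | Where-Object { -not $_.Inherited })

# Inherited entries repeat the parent's ACE, so the explicit ones are the
# ones to act on.
$explicit | Sort-Object Sid, Path | Format-Table -AutoSize
"{0} orphaned ACE(s) found, {1} of them explicitly set" -f @($orphans).Count, $explicit.Count
```

The output is a review list, not a deletion list: an unresolvable SID may also belong to a principal from a trusted domain that is temporarily unreachable, so confirm each one against the directory before removing it. The point of running it right after the restore is the one David makes: once the entries are known, the decision about the RID pool and about recreating the Tuesday groups can be taken before any new SIDs are handed out.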

RE: [ActiveDir] How much of the DIT is cached in RAM ?

2006-06-15 Thread Brett Shirley
Following up:
http://msexchangeteam.com/archive/2006/06/15/427966.aspx

Cheers,
BrettSh

 
On Thu, 28 Apr 2005, joe wrote:
> 
> > Hey Brett... I've seen your blog, how about you tell ~Eric the story 
> > and he can blog it. :o)
> > 
> > 
> > 
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Thursday, April 28, 2005 8:32 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
> > 
> > The dev who put it in, is what I like to call "my boss" ... he has no 
> > child, I can guarantee it had nothing to do with that ...
> > 
> > Email me directly the Exch product manager's name, and I'll try to 
> > light a fire under them ... if they don't product something, I'll 
> > produce something on my blog (when it is up) and send it around ...
> > 
> > Cheers,
> > BrettSh
> > 
> > 
> > On Thu, 28 Apr 2005, Michael B. Smith wrote:
> > 
> > > One of the Exchange Product Managers said today that she is 
> > > preparing a blog on Squeaky Lobster, including a picture of the 
> > > original Squeaky. I also asked about the KB and was told, simply, 
> > > that "it isn't currently publicly available".
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > > Sent: Thursday, April 28, 2005 7:38 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
> > > 
> > > Try - http://www.realcooltoys.com/squeakylobster.html
> > > 
> > > Squeaky Lobster is a magic reg key to enable special "Squeaky Lobster"
> > > ESE counters. It first came to being, I believe, with Exchange 5.5 
> > > where I heard two different stories, the first being that the dev 
> > > guy who put it in had a kid who had a squeaky lobster toy (or he had 
> > > it) and the other is that it was thought up after lunch. I would 
> > > tend to go with the first explanation myself... Anyway, it was 
> > > carried through and is available on AD, or at least it was on 2K AD 
> > > which is the last time I used it a couple of years ago.
> > > 
> > > There used to be a KB out there that talked about what it made 
> > > available but I don't see it anywhere which sucks because if I need 
> > > it again I will have to go dig through 8 GB of PSTs and notepad 
> > > docs. :o)
> > > 
> > > I want to say that I think I heard they changed (or were changing) 
> > > the name of this reg entry to something like "show advanced 
> > > counters" or something like that but I don't think I can point at 
> > > any references for that.
> > > 
> > > As far as I know, this key wasn't supposed to be hidden or secret, 
> > > though it appears it might have gone underground. I don't think I 
> > > will post any more on it and let ~Eric or Brett put out in the 
> > > public whatever they think should be available.
> > > 
> > > 
> > >   joe
> > > 
> > >  
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, 
> > > Joseph
> > > Sent: Thursday, April 28, 2005 1:31 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
> > > 
> > > This has been a great thread.  I've really enjoyed reading it.
> > > 
> > > This question is going to illustrate my extreme ignorance; however, 
> > > the answer is worth it.  What is "Squeaky Lobster"?
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Brett 
> > > Shirley
> > > Sent: Wednesday, April 27, 2005 3:42 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
> > > 
> > > 
> > > From ESE's advanced perf counters exist, that tell you on a
> > > non-per-search basis:
> > >  - Database Pages Transferred/sec
> > >  - Database Page Latches/sec
> > > 
> > > IIRC, the first is rate of pages being transferred from disk, and 
> > >

RE: [ActiveDir] [OT] User Accounts

2006-06-14 Thread Brett Shirley
I added a bit more about Eric's GIGANTIC DIT here:
http://blogs.msdn.com/brettsh/archive/2006/06/12/631516.aspx

... feel free to post questions in the responses section ... or here.

Sorry the formatting on the table isn't the best.

Cheers,
BrettSh

On Fri, 9 Jun 2006, Brett Shirley wrote:

> The limit on the number non-linked multi-values (~800 - ~1300 depending)
> probably wouldn't apply (even if you put each post for a given thread it's
> own value) ... the max LDAP packet size (10MBs) would apply though, your
> posts can get Looonnngg.
> 
> Cheers,
> BrettSh
> 
> On Thu, 8 Jun 2006, joe wrote:
> 
> > I don't know, some of my posts might invoke the dreaded Admin Limit Exceeded
> > in ADAM... You know the one... The one you were going to write a blog entry
> > about when there were too many entries in a non-linked multivalue
> > attribute...
> >  
> > :)
> > 
> > 
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm 
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> > Sent: Thursday, June 08, 2006 9:25 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] User Accounts
> > 
> > You could build the archive on ADAM, and enable the indexes to allow for
> > efficient medial substring indexes. :)
> > 
> > ~Eric
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> > Sent: Thursday, June 08, 2006 6:07 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] User Accounts
> > 
> > Great info ~Eric! 
> > 
> > The link to the start of the thread is: 
> > 
> > http://www.activedir.org/ml/msg08620.aspx 
> > 
> > We've just moved the archive onto the ActiveDir.org web site and we're
> > having one or two teething problems with the search feature.  :-)
> > 
> > Tony
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> > Sent: Friday, 9 June 2006 10:38 a.m.
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] User Accounts
> > 
> > After this thread (I believe Dean asked what the error was at one point,
> > but I can't find that tip of the thread right now), I decided to go
> > ahead and test this.
> > http://blogs.technet.com/efleis/archive/2006/06/08/434255.aspx
> > 
> > I'll blog some more on other things we found along the way over the next
> > few days.
> > 
> > ~Eric
> > 
> > 
> > -Original Message-
> > From: Eric Fleischman
> > Sent: Wednesday, April 19, 2006 7:39 AM
> > To: 'ActiveDir@mail.activedir.org'
> > Subject: RE: [ActiveDir] User Accounts
> > 
> > > DNTs are reusable in ESE, however ADs implementation does not allow
> > > DNTs to be released / reused on a single server, and the database will only
> > > "reuse" them if you recreate the DB by repromoting (cause the data is 
> > > replicated from other servers into a virgin ESE, and DNTs are assigned
> > > from the beginning at this point).
> > 
> > Basically, yes. Though I would point out, this is hardly reusing
> > DNTs...this is more starting over. :) For the sake of clarity I would
> > point out that such a re-promotion would need to be over the wire and
> > not IFM. IFM just picks up where the last left off, as you are using the
> > old database again, and so the same AD level rules apply.
> > 
> > ~Eric
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
> > Simon-Weidner
> > Sent: Tuesday, April 18, 2006 11:40 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] User Accounts
> > 
> > >* DNTs (to me) are _not_ a component of the directory
> > 
> > IIRC they are like a (primary/foreign) key in a database. Technically
> > not needed by the database layer, and not needed by the application, but
> > needed to keep the data together for the application. So if you look at
> > AD from the outside it won't be referenced, if you look at ESE it's just
> > a DB and doesn't care about the data stored within, but you still need
> > it in between to store the AD in the ESE.
> > Right?
>

Re: [ActiveDir] question regarding Tony's article on linked attributes

2006-06-09 Thread Brett Shirley
It is 1/2 a dozen of one, 1/2 a dozen of the other ...

We "store forward links", but AD defines a table, with indices such that
we have an efficient way to lookup backlinks for a given object.  Don't
have time right now to show you what I mean, but my Daddy says there are
24 usable hours in the day, so maybe at 3 AM ...

Cheers,
BrettSh


On Fri, 9 Jun 2006, Willem Kasdorp wrote:

> Hi, 
> 
>  
> 
> I was just reading Tony's article
> 
> (http://www.activedir.org/article.aspx?aid=92) on linked attributes, and
> encountered something that I wondered about. This section "Why have linked
> attributes?" says:
> 
>  
> 
> "I haven't seen an official explanation, but I can think of two reasons why
> they would be useful.  The first is consistency.  By storing one half of the
> link only in the directory database, it ensures that queries for the back
> link attribute values are always consistent with the information stored in
> the forward link.  The second reason is that it is an efficient means of
> storage in the directory database and keeps the space used to a minimum." 
> 
>  
> 
> My guess would be that the primary function of back links is to enable
> efficient backward lookups: of which groups is this user a member? Secondly,
> the quote suggests that the backlinks are not stored in the database. I'd
> think they are stored there because it would be pretty hard/inefficient to
> calculate them on the fly, but that they are not replicated. 
> 
>  
> 
> Anybody care to comment?
> 
>  
> 
> --
> 
>  
> 
>Cheers, Willem.
> 
>  
> 
>  
> 
> 



RE: [ActiveDir] [OT] User Accounts

2006-06-09 Thread Brett Shirley
 
> 
> Ulf B. Simon-Weidner 
> 
>   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
>   Weblog: http://msmvps.org/UlfBSimonWeidner
>   Website: http://www.windowsserverfaq.org
>   Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
> 
>  
> 
> |-Original Message-
> |From: [EMAIL PROTECTED]
> |[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> |Sent: Wednesday, April 19, 2006 1:18 AM
> |To: Send - AD mailing list
> |Subject: RE: [ActiveDir] User Accounts
> |
> |Inline is my take on an IM conv. Brett and I just had, the result and 
> |content of which turned up some interesting (to me at least) 
> |implementation details.  The short story is -
> |
> |* DNTs (to me) are _not_ a component of the directory
> | - they _are_ a component of the layer that bridges the two
> (dblayer)
> | - to Brett, I believe he sees them within the sum of "what is
> the 
> |directory"
> |* DNTs (to both Brett and I) are not part of ESE
> |* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
> |* DNTs are not reusable
> |
> |I hope the summary and conversational text inline proves useful.
> |
> |--
> |Dean Wells
> |MSEtechnology
> |* Email: [EMAIL PROTECTED]
> |http://msetechnology.com
> |
> | 
> |
> |> -Original Message-
> |> From: [EMAIL PROTECTED]
> |> [mailto:[EMAIL PROTECTED] On Behalf Of
> |Brett Shirley
> |> Sent: Tuesday, April 18, 2006 5:11 PM
> |> To: ActiveDir@mail.activedir.org
> |> Cc: Send - AD mailing list
> |> Subject: RE: [ActiveDir] User Accounts
> |> 
> |> 
> |> Dean, I didn't understand this comment ...
> |>  > But, dude, seriously, you weren't aware that AD's ESE
> |used a 32 bit
> |> DNT?
> |>  > Methinks perhaps you're muddling in the realms of personal 
> |> interpretation  > ... though I'm quite certain you'll argue that too 
> |> ... ESE purist :0p
> |> 
> |> Are you claiming that ESE knows what a DNT is?
> |
> |Not at all ... but IMO, neither does the directory ... and per our IM, 
> |the dblayer knows what they are (after all, DNT = distinguished name 
> |tag ...
> |blatantly not an ESE term ... and dblayer = database layer ... 
> |not a directory term ... hmmm)
> |
> |> A DNT is an entirely AD concept, ESE has no idea what a DNT is.
> |
> |Nod.
> |
> |> ESE also has no concept of linked-values, or the link_table.
> |
> |Now this was news to me, so here's the summary: ESE has tables
> |+ columns + indices over columns.  The dblayer forms the
> |bridge between two technologies, one molding the behavior of the other 
> |(dblayer molds ESE).
> |ESE maintains no referential integrity, the dblayer does this ... 
> |including link-pairs <-- this part was especially surprising to me.
> |
> |> This is the 2nd time you've confused the AD dblayer (what maintains 
> |> the AD schema on an ESE
> |> database) and the ESE database layer.  
> |
> |Don't know that I'd agree with that since on neither occasion was the 
> |dblayer specifically referenced .. but it's moot for the moment since 
> |I'm still mulling over whether my new-found knowledge pertaining to 
> |link-pairs influences my opinion on where DNTs lie; directory or 
> |database.
> |
> |
> |
> 
> 
> This communication, including any attachments, is confidential. If you
> are not the intended recipient, you should not read it - please contact
> me immediately, destroy it, and do not copy or use any part of this
> communication or disclose anything about it. Thank you. Please note that
> this communication does not designate an information system for the
> purposes of the Electronic Transactions Act 2002.
> 
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] DSID-020A06F3 error from French platform AD

2006-06-05 Thread Brett Shirley
This means there is a physical corruption in the AD database.  Does this
domain have replicas?  If yes, just repromote another replica and then
demote this guy.  If no, sometimes an offline defrag can save the
database.  Otherwise, what is the backup situation for this domain?  Don't
be tempted to repair your database, that's unsupported.

The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]


On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:

> I'm receiving this error on subtree searches of the Config NC, on a French 
> version of Windows 2003 SP1. Anyone have any ideas?
>  
> (From LDP) <<<
> ldap_search_s(ld, "CN=Configuration,DC=francais,DC=local", 2, 
> "(objectclass=*)", attrList,  0, &msg)
> Error: Search: Erreur d'opération. <1>
> Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data 
> -1018
>  
> Result <1>: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data 
> -1018
>  
> Matched DNs: 
> Getting 0 entries:
> >>>
>  
> I'm logged in as the domain Administrateur. One level searches seem to work 
> ok.
>  
> -gil
>  
> 
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sivarajan, 
> Santhosh
> Sent: Monday, June 05, 2006 10:10 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC and ADC replication prob.
> 
> 
> What is your ADC configuration?
>  
> Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
> Houston, TX
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Ajay Kumar
> Sent: Sun 6/4/2006 10:00 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DC and ADC replication prob.
> 
> 
> Hi all,
>  
> Pls help me out,
> Just recently I set up a small domain of 50 PCs with a DC and ADC.
> But the prob. is that the replication is not taking place between DC and ADC 
> and there
> is no error in event log. What could be the problem.
>  
> Ajay.
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] New DC can't find the machine account

2006-05-31 Thread Brett Shirley
Is this joe joe or joe someoneelse?  It occurred to me, I've NEVER seen joe
joe's last name ...

-B

On Wed, 31 May 2006, McNicholas, Joe wrote:

> 
> 
> Is DFS running?
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
> Sent: 31 May 2006 14:38
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] New DC can't find the machine account
> 
> Hi,
> 
> I have a Windows 2000 based AD (empty root with 1 child domain) that I'm
> in the process of upgrading to w2003r2 as a test for our production
> domain (same configuration). The adprep went fine as well as the dcpromo
> of the new DC. However when the new DC reboots I get the following
> messages in the application log:
> 
> EVENT TYPEError
> SOURCEUserenv
> EVENT ID  1097
> Windows cannot find the machine account, The Local Security Authority
> cannot be contacted .
> 
> and
> 
> EVENT TYPEError
> SOURCEUserenv
> EVENT ID  1030
> Windows cannot query for the list of Group Policy objects. Check the
> event log for possible messages previously logged by the policy engine
> that describes the reason for this.
> 
> Neither system has these messages when they were simple servers in the
> domain. They were rebooted several times before becoming DCs to make
> sure the event logs were clean.
> 
> They seem to be functioning as DCs. File replication with the original
> w2k dc took a long time to start up.
> 
> I added a second w2k3 r2 DC and it is showing the exact same messages. 
> Both machines were created from the same sysprep image - the machine
> that was built as the basis for the sysprep image was never in the
> domain.
> 
> I've been searching Microsoft and came up with one or two applicable
> docs. One said to make sure that services like netlogon were set to
> automatic (it is). Another had settings for enabling debug on the
> netlogon service which I implemented. All that I see in there is
> netlogon pausing.
> 
> Any ideas?
> 
>   al
> -- 
> 
> Al Lilianstrom
> CD/CSS/CSI
> [EMAIL PROTECTED]
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] 2003 to 2003 Upgrade Questions

2006-05-26 Thread Brett Shirley
Just to be clear, the fix for USN rollback doesn't make restoring an image
a Microsoft supported mechanism.  It's still not supported, just makes it
less likely (though not 100%) to hork DS / AD.

Cheers,
BrettSh [msft]


On Fri, 26 May 2006, Riley, Devin wrote:

> We are preparing for our upgrade from AD 2000 to 2003. I am working out
> our upgrade plan and have a few questions regarding recovery/contingency
> plans.
> 
> Our environment supports about 1700 desktops and 120+ servers. We have
> two AD sites and four domain controllers. All DCS are GCs.
> 
> High level review of steps that we will be taking to prepare for
> recovery in the event that the entire upgrade goes south:
> * System state backups of all domain controllers.
> * Disk image of our DC holding all FSMO roles. This machine will have
> the hotfix related to the USN rollback applied before imaging. The image
> will be loaded onto identical hardware and run offline to confirm that
> it is good.
> * Addition of one domain controller running as a virtual machine in a
> different site, which will be copied offline for disaster recovery
> purposes.
> * We have successfully performed the schema update against our AD in a
> lab environment and did not run into any problems.
> * In the event of problems during the upgrade process, our plans call
> for contacting PSS and working through normal recovery processes. The
> disk image and virtual machine copy are intended for use in event that
> normal recovery attempts have failed and we need to recover from
> scratch.
> * We are running the full gamut of health checks to make sure we have a
> healthy AD before beginning any upgrade tasks in our production
> environment.
> 
> Questions:
> It is my feeling that the schema update is a more significant step than
> adding the first Server 2003 DC. Is this correct? Does the process of
> adding a Server 2003 domain controller present any level of risk greater
> than adding a W2K DC?
> 
> We are considering adding a lag site and performing the schema update in
> the lag site and ensuring that it replicates successfully in the lag
> site before letting it hit the rest on the domain controllers.
> Considering the size of our environment, is the process of upgrading the
> schema in a lag site going to add unnecessary complication to the
> process? I know that may be very subjective.
> 
> Is it a worthwhile strategy to add a lag site for the purpose of
> recovery during the upgrade process? We are not otherwise using lag
> sites at this time.
> 
> If we add a lag site for the schema update, do we need to physically
> disconnect it from the other sites when the schema is updated to prevent
> the replication from occurring after the update?
> 
> Thanks in advance for any input.
> 
> Devin
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
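Brett's point that the USN rollback fix only makes image restores less likely to damage AD, and the later remark in the backup/restore thread that a proper restore changes the invocation ID, as an added simulation written for this archive. It is not Microsoft's code: the replication rules, the up-to-dateness vector and the rollback check are a deliberately simplified model of the documented behaviour, and the invocation IDs and object names are constructed. Replication is modelled in one direction only (A to B), which is enough to show why a raw image restore loses writes silently, why the detection check isolates the DC instead, and why a backup-API restore with a fresh invocation ID needs neither.

```python
import copy
import itertools

_counter = itertools.count(1)


def new_invocation_id():
    """Constructed stand-in for the GUID a DC mints for each database instance."""
    return f"inv-{next(_counter)}"


class DC:
    def __init__(self, name, detect_rollback=True):
        self.name = name
        self.invocation_id = new_invocation_id()
        self.usn = 0               # highest USN this DC has committed
        self.objects = {}          # obj -> (value, originating invocation ID, originating USN)
        self.utd = {}              # up-to-dateness vector: invocation ID -> highest USN seen
        self.detect_rollback = detect_rollback
        self.replication_enabled = True

    def write(self, obj, value):
        self.usn += 1
        self.objects[obj] = (value, self.invocation_id, self.usn)

    def image(self):
        """Offline disk image: the whole DB state, invocation ID included."""
        return copy.deepcopy(self.__dict__)

    def restore_raw_image(self, img):
        """Unsupported restore: data and invocation ID come back exactly as imaged."""
        self.__dict__.update(copy.deepcopy(img))

    def restore_via_backup_api(self, img):
        """Supported restore: same data, but a fresh invocation ID is minted so
        partners treat post-restore writes as coming from a new source."""
        self.restore_raw_image(img)
        self.invocation_id = new_invocation_id()


def replicate(source, dest):
    """One inbound cycle dest <- source. Returns the number of changes applied."""
    if not (source.replication_enabled and dest.replication_enabled):
        return 0
    # Rollback check (simplified): if the partner has already seen more of my
    # USN space than I currently have, my USN counter went backwards.
    if source.detect_rollback and dest.utd.get(source.invocation_id, 0) > source.usn:
        source.replication_enabled = False   # isolate rather than diverge silently
        return 0
    applied = 0
    for obj, (value, inv, usn) in source.objects.items():
        if usn > dest.utd.get(inv, 0):      # only changes beyond what dest has seen
            dest.objects[obj] = (value, inv, usn)
            applied += 1
    for _, inv, usn in source.objects.values():
        dest.utd[inv] = max(dest.utd.get(inv, 0), usn)
    dest.utd[source.invocation_id] = max(dest.utd.get(source.invocation_id, 0), source.usn)
    return applied


def scenario(restore):
    """restore: 'raw' (no detection), 'raw_detected', or 'supported'."""
    a = DC("A", detect_rollback=(restore != "raw"))
    b = DC("B")
    a.write("user1", "v1")
    replicate(a, b)                          # B now knows A up to USN 1
    img = a.image()                          # image taken here
    a.write("user1", "v2")
    replicate(a, b)                          # B now knows A up to USN 2
    if restore == "supported":
        a.restore_via_backup_api(img)
    else:
        a.restore_raw_image(img)             # A is back at USN 1, same invocation ID
    replicate(a, b)                          # first contact after the restore
    a.write("user2", "created-after-restore")   # reuses USN 2 on a raw restore
    replicate(a, b)
    return {"a_isolated": not a.replication_enabled, "b_has_user2": "user2" in b.objects}
```

Run `scenario("raw")` and the new object never reaches B, because B believes it already has everything from A up to USN 2; nothing logs an error, which is the failure mode the fix targets. `scenario("raw_detected")` stops replication on A instead, which is a loud, recoverable state but still not a working DC, hence "less likely to hork, not supported". Only `scenario("supported")` delivers the post-restore write, because the new invocation ID gives B a fresh watermark to replicate from.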


RE: [ActiveDir] Windows 2003 R2

2006-05-26 Thread Brett Shirley

How is DFSR, FSM, SRM, and CLFS about AD or a supporting service?


On Fri, 26 May 2006, Bernard, Aric wrote:

> Er...yes?  Can you be more specific?  A reason behind your question
> could make for a better answer...
> 
>  
> 
> DFSR
> 
> PMC
> 
> FSM
> 
> SRM
> 
> MMC3.0
> 
> ADAM
> 
> ADFS
> 
> Enhanced subsystem for UNIX/NIS/Password sync
> 
> CLFS
> 
> Integrated SAN LUN management
> 
> .NET Framework 2.0
> 
> WSS SP2
> 
>  
> 
> Some of which do require changes to the schema. Some or all of which
> could be considered supporting.  Some of which are available outside of
> the R2 release itself.
> 
>  
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
> Justin A.
> Sent: Friday, May 26, 2006 9:04 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Windows 2003 R2
> 
>  
> 
> Did R2 make any changes to Active Directory and its supporting services?
> 
>  
> 
> Justin A. Salandra
> 
> MCSE Windows 2000 & 2003
> 
> Network and Technology Services Manager
> 
> Catholic Healthcare System
> 
> 646.505.3681 - office
> 
> 917.455.0110 - cell
> 
> [EMAIL PROTECTED]  
> 
>  
> 
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] User Accounts

2006-05-15 Thread Brett Shirley
I started, it will take a long time to do a proper diagram that doesn't
take too many liberties w/ the actual implementation ...

But I found something that is approximately accurate (but with too many
liberties IMO):

http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/03wsdsu.mspx

Skip down to see diagram 3.3 (Security sub-system's interaction), and
especially 3.4 (Directory Service proper) ... they're ok, but I wouldn't
read / trust the text too closely.

One thing that is not made very clear in fig 3.4 is that everything except
ESE and (most of) SAM is in ntdsa.dll.  Also parts of LDAP and MAPI may
use helper libraries to expose their network heads (such as an ASN.1
[de|en]coding library + TCP / sockets stuff, and RPC respectively).

I honestly don't know too much about ADSI, but if there is something ADSI
can do that actually can't be done through LDAP, then I would suspect it
is cheating and skipping around and using the SAM RPC head (what the "net
apis" eventually trickle down to).

The first diagram here is even further refined on the replication side
(though has taken some liberties, though a scant less):

http://technet2.microsoft.com/WindowsServer/en/Library/1465d773-b763-45ec-b971-c23cdc27400e1033.mspx?mfr=true


When you say the DB is different on each server ... what I think you're
trying to describe is that AD replication is what I would call "object
logical".

 - object logical - meaning that two objects can be shown to be logically
equivalent on separate servers, even if the actual datatable data,
link_table data, etc are different.  
Though I might say it isn't pure, as some data on the objects may
be different, when not replicated, such as USNs, instanceTypes,
etc.  If it was truly object logical, you wouldn't be able to view
anything non-replicated/different from the object interface (LDAP).

 - Another option would be "database logical", meaning the ESE DBs could
be described as logically equivalent (i.e. the same object's row, would
have the same DNTs, etc) ... I think SQL offers something like this with
at least one form of SQL replication (SQL Merge Replication is springing
to mind?)?  Also an offline defragged ESE database would be database
logically the same as the original DB.

 - One last common option is physical replication, where the databases are
equivalent data at the same byte offsets into the databases.  Often done
with transaction log shipping (although not the only option), which SQL
supports, and Exch/ESE will support with E12 (well it's mostly physically
equivalent).  Very difficult (err impossible) to do multi-master
replication with such a mechanism.


Good point, yes, you could reset the DNTs by "defragging" the original
datatable table to a new table, and thus compressing the number space to
only those DNTs used, and keeping a translation table while you do it to
fix up the references afterwards.  As you point out, it would take a bit
of time.  This would be an O(n) operation with the number of objects in
the DB, and thus "not in the spirit of IFM".  It could probably be made
somewhat fast, but still wouldn't compare to the raw file copy, IFM does
today.

Cheers,
BrettSh



On Mon, 15 May 2006, Ulf B. Simon-Weidner wrote:

> Nice - poking with the finger works - give it to me babe ;-)
> 
> I wasn't aware that ADSI is 100% LDAP, I thought it's just 9x% + some
> special stuff (AFAIK setting pwds directly with LDAP doesn't work), so I
> thought there's some stuff which supports it server side.
> 
> Seems like you guys have a pretty good definition of the layers, would be
> great if you get the time to create a diagram or just dump thoughts to us
> and we'll handle visio. Having a diagram of the layers (even if not 100%
> correct) would make some things easier to explain. E.g. the replication -
> it's pretty hard for many to understand that it's not handled in the DB -
> they just think AD and don't get that the DB is different on each server.
> 
> Resetting DNTs: OK - if DNT is an auto-incrementing primary key (compared
> with SQL) there's a third option: reading the backup db and writing it into
> the real, while keeping a dnt-translation table during the process. However
> would slow down dcpromo /IFM (OK - not correct - you know what I mean) and
> really doesn't make any sense since it would be way easier to have larger
> values. And there would be other options in the future, but mentioning those
> would make me look like an alcoholic (and it's actually way too early here
> to handle thinking like that).
> 
> Gruesse - Sincerely, 
> 
> Ulf B. Simon-Weidner 
> 
>   Profile & Publications:
> http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F12
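The DNT-reset idea Brett and Ulf discuss above (rewrite the datatable into a new table with a compacted DNT space, keep a translation table, fix up references afterwards) as an added model written for this thread, not Microsoft's code and not what IFM does. The row layout (an RDN plus a parent DNT) and the link rows are constructed stand-ins for AD's real datatable and link_table columns; the sparse DNT values imitate the gaps left by deleted objects, since DNTs are never reused. The demo also checks the "object logical" versus "database logical" distinction from the same post: after compaction every DN and every link survives, but the DNTs differ, so the result is object-logically equal to the original and database-logically different from it.

```python
# Constructed sample: sparse DNTs left behind by deletions (DNTs are never reused).
SAMPLE_DATATABLE = {
    2:    {"rdn": "DC=corp",   "parent_dnt": 0},
    7:    {"rdn": "OU=Users",  "parent_dnt": 2},
    1500: {"rdn": "CN=alice",  "parent_dnt": 7},
    1503: {"rdn": "CN=admins", "parent_dnt": 7},
    9010: {"rdn": "CN=bob",    "parent_dnt": 7},
}
# Constructed link rows: (owner_dnt, attribute, target_dnt); only forward links are stored.
SAMPLE_LINK_TABLE = [
    (1503, "member", 1500),
    (1503, "member", 9010),
]


def compact_dnts(datatable, link_table):
    """Copy every row into a new table with dense DNTs, recording old -> new in a
    translation table, then fix up parent and link references in a second pass.
    Both passes are O(n) in the number of rows, which is the cost the thread notes."""
    translate = {old: new for new, old in enumerate(sorted(datatable), start=1)}
    translate[0] = 0                                  # "no parent" sentinel is unchanged
    new_table = {}
    for old, row in datatable.items():
        new_row = dict(row)
        new_row["parent_dnt"] = translate[row["parent_dnt"]]
        new_table[translate[old]] = new_row
    new_links = [(translate[o], attr, translate[t]) for o, attr, t in link_table]
    return new_table, new_links, translate


def dangling_references(datatable, link_table):
    """DNTs referenced by a parent pointer or a link row but absent from the table."""
    valid = set(datatable) | {0}
    bad = [r["parent_dnt"] for r in datatable.values() if r["parent_dnt"] not in valid]
    bad += [d for o, _, t in link_table for d in (o, t) if d not in valid]
    return bad


def dn_of(datatable, dnt):
    """Build the DN by walking parent DNTs up to the root."""
    parts = []
    while dnt:
        parts.append(datatable[dnt]["rdn"])
        dnt = datatable[dnt]["parent_dnt"]
    return ",".join(parts)


def demo():
    before = {dn_of(SAMPLE_DATATABLE, d) for d in SAMPLE_DATATABLE}
    new_table, new_links, tr = compact_dnts(SAMPLE_DATATABLE, SAMPLE_LINK_TABLE)
    after = {dn_of(new_table, tr[d]) for d in SAMPLE_DATATABLE}
    # Links expressed as DNs must be identical even though every DNT changed.
    links_by_dn = lambda table, links: sorted((dn_of(table, o), a, dn_of(table, t)) for o, a, t in links)
    return {
        "max_dnt_before": max(SAMPLE_DATATABLE),
        "max_dnt_after": max(new_table),
        "dns_preserved": before == after,
        "links_preserved": links_by_dn(SAMPLE_DATATABLE, SAMPLE_LINK_TABLE) == links_by_dn(new_table, new_links),
        "dangling_after": dangling_references(new_table, new_links),
        "links_after": new_links,
    }
```

The translation table is the whole trick: every column that holds a DNT (parent pointers here, link owners and targets, and in a real database any other DNT-valued column) must be rewritten through it, and `dangling_references` is the check that nothing was missed. That full pass over every row is what makes this "not in the spirit of IFM" compared with copying the file as-is.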

RE: [ActiveDir] User Accounts

2006-05-14 Thread Brett Shirley
g non-IFM.
> >
> >> Right?
> >> 
> >> Gruesse - Sincerely,
> >> 
> >> Ulf B. Simon-Weidner
> >> 
> >>   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> >>   Weblog: http://msmvps.org/UlfBSimonWeidner
> >>   Website: http://www.windowsserverfaq.org
> >>   Profile:
> >> http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
> >> 
> >>  
> >> 
> >> |-Original Message-
> >> |From: [EMAIL PROTECTED]
> >> |[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> >> |Sent: Wednesday, April 19, 2006 1:18 AM
> >> |To: Send - AD mailing list
> >> |Subject: RE: [ActiveDir] User Accounts
> >> |
> >> |Inline is my take on an IM conv. Brett and I just had, the
> >> result and
> >> |content of which turned up some interesting (to me at least) 
> >> |implementation details.  The short story is -
> >> |
> >> |* DNTs (to me) are _not_ a component of the directory
> >> |  - they _are_ a component of the layer that bridges the
> >> two (dblayer)
> >> |  - to Brett, I believe he sees them within the sum of
> >> "what is the
> >> |directory"
> >> |* DNTs (to both Brett and I) are not part of ESE
> >> |* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
> >> |* DNTs are not reusable
> >> |
> >> |I hope the summary and conversational text inline proves useful.
> >> |
> >> |--
> >> |Dean Wells
> >> |MSEtechnology
> >> |* Email: [EMAIL PROTECTED]
> >> |http://msetechnology.com
> >> |
> >> | 
> >> |
> >> |> -Original Message-
> >> |> From: [EMAIL PROTECTED]
> >> |> [mailto:[EMAIL PROTECTED] On Behalf Of
> >> |Brett Shirley
> >> |> Sent: Tuesday, April 18, 2006 5:11 PM
> >> |> To: ActiveDir@mail.activedir.org
> >> |> Cc: Send - AD mailing list
> >> |> Subject: RE: [ActiveDir] User Accounts
> >> |> 
> >> |> 
> >> |> Dean, I didn't understand this comment ...
> >> |>  > But, dude, seriously, you weren't aware that AD's ESE
> >> |used a 32 bit
> >> |> DNT?
> >> |>  > Methinks perhaps you're muddling in the realms of personal 
> >> |> interpretation  > ... though I'm quite certain you'll
> >> argue that too
> >> |> ... ESE purist :0p
> >> |> 
> >> |> Are you claiming that ESE knows what a DNT is?
> >> |
> >> |Not at all ... but IMO, neither does the directory ... and
> >> per our IM,
> >> |the dblayer knows what they are (after all, DNT = 
> >distinguished name 
> >> |tag ...
> >> |blatantly not an ESE term ... and dblayer = database layer ... 
> >> |not a directory term ... hmmm)
> >> |
> >> |> A DNT is an entirely AD concept, ESE has no idea what a DNT is.
> >> |
> >> |Nod.
> >> |
> >> |> ESE also has no concept of linked-values, or the link_table.
> >> |
> >> |Now this was news to me, so here's the summary: ESE has tables
> >> |+ columns + indices over columns.  The dblayer forms the
> >> |bridge between two technologies, one molding the behavior of
> >> the other
> >> |(dblayer molds ESE).
> >> |ESE maintains no referential integrity, the dblayer does this ... 
> >> |including link-pairs <-- this part was especially surprising to me.
> >> |
> >> |> This is the 2nd time you've confused the AD dblayer (what
> >> maintains
> >> |> the AD schema on an ESE
> >> |> database) and the ESE database layer.  
> >> |
> >> |Don't know that I'd agree with that since on neither
> >> occasion was the
> >> |dblayer specifically referenced .. but it's moot for the
> >> moment since
> >> |I'm still mulling over whether my new-found knowledge pertaining to 
> >> |link-pairs influences my opinion on where DNTs lie; directory or 
> >> |database.
> >> |
> >> |
> >> |
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Image a DC?

2006-05-12 Thread Brett Shirley
What are you talking about, you don't need mushrooms, these responses have
as much content as any post I've seen from joe and Dean. ;-)

From The Love (esp. for Dean who's going to think I'm being an ass),
BrettSh

On Fri, 12 May 2006, Darren Mar-Elia wrote:

> You need to consume special mushrooms in order to see Joe and Dean's posts. 
>  
> You can buy those at joeware.net...
>  
>  
> 
>   _  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent
> Sent: Friday, May 12, 2006 3:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Image a DC?
> 
> 
> second one, i got Joe's twice
> 
> - Original Message - 
> From: Brian   Desmond 
> To: ActiveDir@mail.activedir.org 
> Sent: Friday, May 12, 2006 6:13 PM
> Subject: RE: [ActiveDir] Image a DC?
> 
> 
> This is the first post in this thread I can read
> 
>  
> 
> Thanks,
> Brian Desmond
> 
>   [EMAIL PROTECTED]
> 
>  
> 
> c - 312.731.3132
> 
>  
> 
>  
> 
>   _  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, May 12, 2006 5:50 PM
> To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
> Subject: RE: [ActiveDir] Image a DC?
> 
>  
> 
> And also it couldn't be that way because, well it just doesn't work that way
> ya limey.
> 
>  
> 
> On that other part though, I really had no idea, that is pretty interesting.
> Definitely worth bookmarking.
> 
>  
> 
> --
> 
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
> 
>  
> 
>  
> 
>  
> 
>   _  
> 
> From: joe [mailto:[EMAIL PROTECTED] 
> Sent: Friday, May 12, 2006 5:49 PM
> To: 'ActiveDir@mail.activedir.org'; 'Send - AD mailing list'
> Subject: RE: [ActiveDir] Image a DC?
> 
>  
> 
>  
> 
>   _  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> Sent: Friday, May 12, 2006 5:42 PM
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] Image a DC?
> 
>  
> 
>  
> 
>  
> 
>  
> 
>   _  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, May 12, 2006 5:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Image a DC?
> 
>  
> 
>  
> 
>  
> 
>   _  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, May 12, 2006 12:04 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Image a DC?
> 
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Image a DC?

2006-05-12 Thread Brett Shirley

From a mail offline w/ someone:

>>>No, there is no such capability to ensure consistency, via imaging.  
>>>It makes a best effort (w/ the work we did in
>>>win2k3 SP1 for VMs), but we don't officially support it.
>>>
>>>What they might be referring to, is that LH Server Backup
>>>(LHSB) does full volume backup (with a cunning differential block 
>>>level scheme) that may be "reminiscent" of imaging, but I always 
>>>consider imaging to be offline and outside the knowledge of the O.S.
>>>
>>>Cheers,
>>>-BrettSh


On Fri, 12 May 2006 [EMAIL PROTECTED] wrote:

> "No you won't be interested" or "no you won't be hearing about how it works?" 
> :)
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: 12 May 2006 16:32
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Image a DC?
> 
> No you won't.
> 
> Cheers,
> -BrettSh
> 
> 
> On Fri, 12 May 2006, Almeida Pinto, Jorge de wrote:
> 
> > Very interested in hearing how as it depends on if the "backup 
> > tool" triggers the actions needed (and therefore AD aware) or not. If 
> > it is not, then the OS (DC) should detect this in some way...
> > 
> > jorge
> > 
> > >>>-Original Message-
> > >>>From: [EMAIL PROTECTED]
> > >>>[mailto:[EMAIL PROTECTED] On Behalf Of Craig 
> > >>>Cerino
> > >>>Sent: Friday, May 12, 2006 16:21
> > >>>To: ActiveDir@mail.activedir.org
> > >>>Subject: RE: [ActiveDir] Image a DC?
> > >>>
> > >>>Although - from what I got from the MS folks at INTEROP last week - 
> > >>>you'll be able to do this with LONGHORN
> > >>>
> > >>>Just an FYI
> > >>>
> > >>>-Original Message-
> > >>>From: [EMAIL PROTECTED]
> > >>>[mailto:[EMAIL PROTECTED] On Behalf Of Mark 
> > >>>Parris
> > >>>Sent: Thursday, May 11, 2006 10:34 AM
> > >>>To: ActiveDir.org
> > >>>Subject: Re: [ActiveDir] Image a DC?
> > >>>
> > >>>I should have added, I have no intention of doing any DC imaging.
> > >>>
> > >>>Mark
> > >>>-Original Message-
> > >>>From: "Mark Parris" <[EMAIL PROTECTED]>
> > >>>Date: Thu, 11 May 2006 14:06:41
> > >>>To:"ActiveDir.org" 
> > >>>Subject: [ActiveDir] Image a DC?
> > >>>
> > >>>Am I reading this correctly - HP is stating I should create an 
> > >>>image of a DC and then deploy this DC image to all new DC's ?
> > >>>Or does something happen under the hood?
> > >>>
> > >>>Page 16.
> > >>>
> > >>>Mark
> > >>>
> > >>>http://docs.hp.com/en/eclass-is-platform/eclass-is-platform.pdf
> > >>><http://docs.hp.com/en/eclass-is-platform/eclass-is-platform.pdf>
> > >>>
> > >>>Double-click on Create Image and enter the path and file name to 
> > >>>store the new disk image. Since this image is of a Domain 
> > >>>Controller, the image data should be stored in a secure location. 
> > >>>If the local file system does not suffice for this purpose, then 
> > >>>select something other than ".\images\."
> > >>>Otherwise, type in a name and location such as 
> > >>>".\images\adimage.img." Click Finish to save the task. (Figure 11).
> > >>>
> > >>> Drag and drop this script to the server assigned as an Active 
> > >>>Directory server through the deployment console. This causes the 
> > >>>Domain Controller to be imaged. In order to keep a good backup of 
> > >>>the Domain Controller, this process should be repeated periodically 
> > >>>so that the image available for redeployment (should this be 
> > >>>necessary) is as up-to-date as 
> > >>>possible.

RE: [ActiveDir] Image a DC?

2006-05-12 Thread Brett Shirley
No you won't.

Cheers,
-BrettSh


On Fri, 12 May 2006, Almeida Pinto, Jorge de wrote:

> Very interested in hearing how as it depends on if the "backup
> tool" triggers the actions needed (and therefore AD aware) or not. If
> it is not, then the OS (DC) should detect this in some way...
> 
> jorge
> 
> >>>-Original Message-
> >>>From: [EMAIL PROTECTED] 
> >>>[mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
> >>>Sent: Friday, May 12, 2006 16:21
> >>>To: ActiveDir@mail.activedir.org
> >>>Subject: RE: [ActiveDir] Image a DC?
> >>>
> >>>Although - from what I got from the MS folks at INTEROP last 
> >>>week - you'll be able to do this with LONGHORN 
> >>>
> >>>Just an FYI
> >>>
> >>>-Original Message-
> >>>From: [EMAIL PROTECTED] 
> >>>[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> >>>Sent: Thursday, May 11, 2006 10:34 AM
> >>>To: ActiveDir.org
> >>>Subject: Re: [ActiveDir] Image a DC?
> >>>
> >>>I should have added, I have no intention of doing any DC imaging.
> >>>
> >>>Mark
> >>>-Original Message-
> >>>From: "Mark Parris" <[EMAIL PROTECTED]>
> >>>Date: Thu, 11 May 2006 14:06:41
> >>>To:"ActiveDir.org" 
> >>>Subject: [ActiveDir] Image a DC?
> >>>
> >>>Am I reading this correctly - HP is stating I should create 
> >>>an image of a DC and then deploy this DC image to all new DC's ?
> >>>Or does something happen under the hood?
> >>>
> >>>Page 16.
> >>>
> >>>Mark
> >>>
> >>>http://docs.hp.com/en/eclass-is-platform/eclass-is-platform.pdf
> >>> 
> >>>
> >>>Double-click on Create Image and enter the path and file 
> >>>name to store the new disk image. Since this image is of a 
> >>>Domain Controller, the image data should be stored in a 
> >>>secure location. If the local file system does not suffice 
> >>>for this purpose, then select something other than 
> >>>".\images\."
> >>>Otherwise, type in a name and location such as 
> >>>".\images\adimage.img." Click Finish to save the task. (Figure 11).
> >>>
> >>> Drag and drop this script to the server assigned as an 
> >>>Active Directory server through the deployment console. This 
> >>>causes the Domain Controller to be imaged. In order to keep 
> >>>a good backup of the Domain Controller, this process should 
> >>>be repeated periodically so that the image available for redeployment
> >>>(should this be necessary) is as up-to-date as possible.
> >>>
> 

This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] backup/restore of DCs with third party tool

2006-05-03 Thread Brett Shirley

Does anyone have experience with this?  I have some.

I can only speak to separating and backing up only the AD DB state without
registry, etc.

We used to use this method a lot in testing AD, we had a little utility /
unit test called dsback.exe, that would just trigger AD's streaming backup
/ restore support.  It basically worked.

Achtung!  Note, this is VERY different than just copying off the AD DB,
and copying it back later.  This uses the regular backup / restore
infrastructure, so it does the right things, and changes the invocation ID
during restore.

We only worked w/in a fairly narrow constraint when doing such testing,
though, which is that the restore was back to the same machine, which had
not changed its DC state.  Also the backup we used was never very old,
i.e. made hours or at most a few days before.

We didn't restore just the AD DB to fresh install (obviously this wouldn't
work).  Also I'm 91% sure we didn't restore the AD DB to a different DC.  
I'm fairly certain anything but the same DC backup/restore is unlikely to
work, or will have some issues.

The problem with even the limited case I mention above is that it is not
entirely clear what security sub-systems expect the AD DB and registry to be in
sync ... i.e. perhaps machine account password changing (or any of
probably a dozen to several dozen suspect operations), requires the two to
be in sync, we wouldn't know such issues until someone managed to get a
backup / restore spanning such an event, and given the limited time nature
of our testing w/ this method, it was unlikely we shook out any issues
there.

Is it supported?  No.  Achtung!

If you come to PSS w/ problems, and they learn how you've done this (and
if you hide it, you're just an ), the first thing they'll ask is, "Do you have any real backups
of system state?"

What are the dangers of using such a system?  Unknown.

I can't even say, I'm convinced there isn't a big bad hairy monster hiding
in this closet, frankly I don't know.  I do know it will work for the AD
DB most of the time.  I myself wouldn't do it to production.

Cheers,
BrettSh


On Wed, 3 May 2006, Almeida Pinto, Jorge de wrote:

> I do have thoughts what could go wrong, but was wondering if someone has 
> experience with this. Anyone? Anyone?
>  
>  
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
>  
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> (   Tel : +31-(0)40-29.57.777
> (   Mobile : +31-(0)6-26.26.62.80
> *   E-mail : 
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
> Sent: Tue 2006-05-02 15:30
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] backup/restore of DCs with third party tool
> 
> 
> 
> Hi,
> 
> I was wondering if someone has any experience with "HP Openview Storage data 
> Protector Manager" concerning the backup and restore of domain controllers.
> 
> With NTBACKUP and third party backup/restore tools I have worked with until 
> now to backup/restore a DC you needed to select the system state which 
> contains the following components:
> 
> * "COM+ Class Registration database" (always included)
> * "Boot files including the system files" (always included)
> * "Certificate Services database" (only for certificate services server)
> * "Active Directory directory service" (only for directory server)
> * "SYSVOL structure" (only for directory server)
> * "Cluster service information" (only for cluster server)
> * "IIS Metabase" (only for IIS server)
> 
> Microsoft defined the system state as the collection of these components and 
> during backup or restore it was always an all-or-nothing selection. Of course 
> there is a good reason for that as several components interact/work with each 
> other.
> 
> However, with "HP Openview Storage data Protector Manager" the possibility 
> exists to select individual components of the system state during backup or 
> restore.
> I wonder what the impact is of restoring individual components of the system 
> state (not all) (e.g. only AD without SYSVOL and registry, etc.)
> 
> Can anyone elaborate on that? Does anyone have experience with this?
> 
> Thank you!
> 
> Cheers,
> jorge
> 
> 
> 
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
> 
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> (   Tel : +31-(0)40-29.57.777
> (   Mobile : +31-(0)6-26.26.62.80
> *   E-mail : 
> 
> 

RE: [ActiveDir] User Accounts

2006-04-18 Thread Brett Shirley

Dean, I didn't understand this comment ...
 > But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
 > Methinks perhaps you're muddling in the realms of personal interpretation
 > ... though I'm quite certain you'll argue that too ... ESE purist :0p

Are you claiming that ESE knows what a DNT is?

A DNT is an entirely AD concept, ESE has no idea what a DNT is.  ESE also
has no concept of linked-values, or the link_table.  This is the 2nd time
you've confused the AD dblayer (what maintains the AD schema on an ESE
database) and the ESE database layer.  There are two layers here.

Thanks,
BrettSh


On Sun, 16 Apr 2006, Dean Wells wrote:

> One can but bow down to the "creator" and accept the facts "as is" (well,
> mostly, I'm kinda talkative after all) ... and an informative post at that
> ... nice job Mrs. Shirley (DEC attendees may understand that reference ...
> either way, I'm grinning as I suspect are joe and possibly ~Eric ;0)  
> 
> But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
> Methinks perhaps you're muddling in the realms of personal interpretation
> ... though I'm quite certain you'll argue that too ... ESE purist :0p
> 
> To satisfy my curiosity; what happens (in theory I'd guess, though perhaps
> in practice if this has indeed been tested) when a long-standing AD (say
> 2K3) DC has, within a single lifetime, written 2^31 (props to ~Eric)
> DNT-consuming rows of "stuff" to the DIT ... does it error or soldier on?
> 
> PS - re: RIDs: last I checked, ceiling was 2^30 ... at least for traditional
> SIDs (non-ADAM).
> 
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
> 
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Sunday, April 16, 2006 8:47 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] User Accounts
> > 
> > 
> > Eric's quoting didn't come across in pine so well, so I've 
> > improved it by using ">>" where he was quoting others ...
> > 
> > *Ahem* ... for the hex heads ...
> > 
> > ESE limits:
> > 
> > The underlying store (aka ESE or JET Blue) does not have a 
> > 4.2 billion row constraint to the # of rows in a single table 
> > ... ESE will support from
> > 2^1 up to 2^(~240*8) rows in a single table, _depending upon 
> > your primary key_ ... and if you found ESE's old max 
> > 9.95e+583 rows to be woefully under sized, you'll be able to 
> > go to around _I think_ 2^(~1875*8) rows in Vista ... if you 
> > can find the storage for it [1].
> > 
> > AD design limits:
> > 
> > Active Directory however chose a primary key ("The DNT") 
> > that has only 32 bits, and is signed, so limiting to positive 
> > values is limited to 2.1 billion rows (as ~Eric mentions), 
> > but this is not ESE's fault, nor an ESE limitation.  Exchange 
> > for example chose a 63-bit message ID on their message table 
> > (called "1-23" IIRC), and is thus limited to no more than
> > 2^63 / 9.22 quintillion rows (though probably a bit less due 
> > to the way they parse up the message ID).
> > 
> > Clearly the Exchange limit of # of message rows, shows that 
> > ESE is not limited to 2.1 or 4.2 billion rows in a single 
> > table, this is why it is crucial to be able to distinguish 
> > how ESE differs from the data layer / schema (of AD) 
> > constructed on top of ESE.
> > 
> > At this point we think we've established the max # of objects 
> > in an AD database, BUT the actual hard limitation would be 
> > the minimum of several competing constraints, any which could 
> > reduce us far lower ...
> > 
> > Actual hard limitation will be the
> > 1. Dean points out over "the lifetime of the database".  This 
> > is crucial to understand, you should consider his meaning, he 
> > is right on about that.  
> > This is again an AD limitation, not an ESE limitation though. 
> >  AD could've concocted (not even that hard) a scheme to reuse 
> > rows / DNTs.
> > 
> > 2. joe pointed out the 16 TB DB size limit, he is right about 
> > that, which means at 2 billion objects, your net aggregate 
> > object size cost (including SD which may be single instanced, 
> > the link values, the ESE overhead to maintain the database, 
> > indices, rows, record format, etc) must be below 8KB / 
> > object.  This is worth notin

RE: [ActiveDir] User Accounts

2006-04-17 Thread Brett Shirley
>   _  
> 
> From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
> Sent: Mon 4/17/2006 1:09 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] User Accounts
> 
> 
> 
> Very interesting again, thanks for those explanations.
> 
> So you've seen Ads with 50M - <100M Objects. This makes the theoretical part
> of my brain a bit anxious - theoretically ;-)
> 
> Were these real objects, or what the regular AD-Guy would refer to (Sum of
> users, computers, groups, a.s.o - leaving out technical objects like
> phantoms, objects in the C-NC, S-NC, D-NC/System,.. dnsNode-Objects [1],..)?
> 
> That means they'll have issues after a "account overturn" [2] of 20-40 (or
> 10 if 100M Objects and you feel comfortable with 1.07B) because then they
> hit the "unreleased DNTs" and have to start repromoting DCs to get them
> back.
> OK - while a "account overturn" of 20 seems very long term - I doubt that
> DNTs are being released by inplace upgrades and I don't look very happy
> imagining running ADMT or some other migration tool against 100M Object ADs.
> And the limit is still the forest, not the domain.
> 
> So in the long term they might be even hitting the DNT-Limit, without even
> creating a bigger AD DIT (considering they perform regular DIT-maintenance)
> - just by deleting and recreating each object b/c of its natural overturn up
> to 40 times and not releasing their DNTs. However long term - if we assume
> 100M Objects and an object overturn about 10yrs we'll have 20 cycles and 200
> yrs to figure that out - or just get the last bit back and rethink.
> 
> Limit on RIDs - this one is interesting as well, since we only need to
> create 2147483 DCs and create 325 objects on the last one. Anyone out there
> to borrow me some hardware ;-)
> 
> However I'm still curious what would happen when we have the 2^31+1 newly
> created objects (handled error, major bang of the server against the wall)
> (no matter how many are currently existing - same issue would happen with
> lower numbers of objects and frequent deletion/creation)?
> Also - as Dean mentioned - what would happen when we have more than
> 2^30-1000+1 Security Principles - Bang boom bang - or start the RIDs over at
> 1000, or overflow which would cause the RIDs to start at 1(yeah - I'd like
> to be the 2^30-1000+500 user then)?
> 
> OK - everything extremely unlikely - but the d... [3] thing is that my brain
> wants to know that now - and I can't find the soft reset ;-)
> 
> [1] Uupsi - they tend to be deleted and recreated quite frequently (compared
> to accounts)
> 
> [2] How would you call this? "Inventory overturn" comes to my mind (the
> cycle when a warehouse has all inventory sold and new one in there), so
> "account overturn" may be appropriate defining when each account has been
> dismissed and a new one created (however technically I'm talking to "object
> overturn") - people leave and people join - people die and people are being
> instantiated (aka born).
> 
> [3] Swearword? Do clue - I'm German - we have our own - can't keep a
> dictionary of appropriate words in foreign languages in the same brain
> which is interested in those answers.
> 
> Gruesse - Sincerely,
> 
> Ulf B. Simon-Weidner
> 
>   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
>   Weblog: http://msmvps.org/UlfBSimonWeidner
>   Website: http://www.windowsserverfaq.org
> <http://www.windowsserverfaq.org/> 
>   Profile:
> http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
> 
> 
> 
> |-Original Message-
> |From: [EMAIL PROTECTED]
> |[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> |Sent: Monday, April 17, 2006 2:47 AM
> |To: ActiveDir@mail.activedir.org
> |Subject: RE: [ActiveDir] User Accounts
> |
> |
> |Eric's quoting didn't come across in pine so well, so I've
> |improved it by using ">>" where he was quoting others ...
> |
> |*Ahem* ... for the hex heads ...
> |
> |ESE limits:
> |
> |The underlying store (aka ESE or JET Blue) does not have a 4.2
> |billion row constraint to the # of rows in a single table ...
> |ESE will support from
> |2^1 up to 2^(~240*8) rows in a single table, _depending upon
> |your primary key_ ... and if you found ESE's old max 9.95e+583
> |rows to be woefully under sized, you'll be able to go to
> |around _I think_ 2^(~1875*8) rows in Vista ... if you can find
> |the storage for it [1].
> |
> |AD design limits:
> |
> |Active Directory however chose a primary key ("The DNT") th

RE: [ActiveDir] User Accounts

2006-04-16 Thread Brett Shirley

Eric's quoting didn't come across in pine so well, so I've improved it by
using ">>" where he was quoting others ...

*Ahem* ... for the hex heads ...

ESE limits:

The underlying store (aka ESE or JET Blue) does not have a 4.2 billion row
constraint to the # of rows in a single table ... ESE will support from
2^1 up to 2^(~240*8) rows in a single table, _depending upon your primary
key_ ... and if you found ESE's old max 9.95e+583 rows to be woefully
under sized, you'll be able to go to around _I think_ 2^(~1875*8) rows in
Vista ... if you can find the storage for it [1].

AD design limits:

Active Directory however chose a primary key ("The DNT") that has only 32
bits, and is signed, so limiting to positive values is limited to 2.1
billion rows (as ~Eric mentions), but this is not ESE's fault, nor an ESE
limitation.  Exchange for example chose a 63-bit message ID on their
message table (called "1-23" IIRC), and is thus limited to no more than
2^63 / 9.22 quintillion rows (though probably a bit less due to the way
they parse up the message ID).

Clearly the Exchange limit of # of message rows, shows that ESE is not
limited to 2.1 or 4.2 billion rows in a single table, this is why it is
crucial to be able to distinguish how ESE differs from the data layer /
schema (of AD) constructed on top of ESE.

At this point we think we've established the max # of objects in an AD
database, BUT the actual hard limitation would be the minimum of several
competing constraints, any which could reduce us far lower ...

Actual hard limitation will be the 
1. Dean points out over "the lifetime of the database".  This is crucial
to understand, you should consider his meaning, he is right on about that.  
This is again an AD limitation, not an ESE limitation though.  AD could've
concocted (not even that hard) a scheme to reuse rows / DNTs.

2. joe pointed out the 16 TB DB size limit, he is right about that, which
means at 2 billion objects, your net aggregate object size cost (including
SD which may be single instanced, the link values, the ESE overhead to
maintain the database, indices, rows, record format, etc) must be below
8KB / object.  This is worth noting because the average size of ONLY the
raw data (i.e. excluding ESE overhead) _in the datatable_ of an AD user in
our primary corp domains is 11,924 bytes.  Dang certs.

3. Eric, also points out about LID (which is a Long-value ID) is a signed
int (again 31 bits available in positive value space), so we could be
limited to less than 2 billion objects, if each object had a couple "burst
long values" (only _burst_ LVs use LIDs). LV = Long-Value, not Link Value
for this discussion.  This _IS_ an ESE limitation.  Experience tells us
replPropertyMetaData and supplementalCredentials on typical AD users are
burst, and thus the limit could be as low as 1 billion.

4. SIDs (well RIDs actually) can limit how many security principals you
use, but RIDs are a security aspect, and so I have no idea if you can use
32, 31, or less of that number space, I suspect 1 billion but don't know
that at all.

Anyway a long time ago we (some AD people) went through all the various
aspects, issues, etc and we came up with "the safe value", that special
value we wanted to claim / support ... and we started saying 1 billion was
the official limit.  I updated the wikipedia topic on it awhile back.

The issue joe mentioned with the # of pages in an ESE database being 2^31
... I like to state it as: "Jordie (my pseudonym for a particularly
talented developer) took away the high bit before he moved off the ESE
team, and won't give it back.".  That is the funny way to say, paranoia
drove one of us to cap it to explicitly positive page numbers.  Given that
the file system is limited to 16 TBs for a single file for some particular
(?default? 4k? max?) "allocation size", I don't really see this being
fixed anytime soon...

My confidence ranges from 53% to 72% for all the above info ... I don't
give a confidence of more than 80% to anything I didn't personally verify
in code, and never a confidence of over 90% that I didn't personally test
that the code worked like it looked ... that is experience talking.  
Confidences of 53% to 72% probably means talented and smart /
non-blowhard types told me this information.

*Cough* ... for the realists ...

I've heard of two production ADs in excess of 50 M (less than 100 M
though), and have seen 46, 85 and 100 M object test DITs.  I've never seen
an AD database in excess of 100 GBs in size.  Basically, I'm neither
worried about the # of objects nor the database size of AD databases, as
clearly people haven't even gotten to an order of magnitude of the
theoretical limits, and we've still tested higher than production
deployments I've heard of / seen.  3 - 5 M is common for e-commerce
directories.

While theoretically we could give ~2/7ths of the world an account in a
single AD database, that is not practical, limitations on backup/restore
time, SLAs, amount of query l

RE: [ActiveDir] Technet Magazine "Active Directory Component Jigsaw"

2006-03-08 Thread Brett Shirley
I'm definitely not responsible for purchasing of IT products at my
company, oh well guess I'm not influential enough to justify a free
subscription of the magazine.

Sigh.
-B


On Wed, 8 Mar 2006, Grillenmeier, Guido wrote:

> wow, what a hurdle ;-)
> 
> 
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
> PROTECTED]
> Sent: Wednesday, 8 March 2006 17:53
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Technet Magazine "Active Directory Component Jigsaw"
> 
> 
> As an addition, the only way that it's free is if you answer the questions 
> stating that you are responsible for the purchasing of IT products in your 
> company.
>  
> Bonnie
> 
> 
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
> Simon-Weidner
> Sent: Wednesday, March 08, 2006 11:15 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Technet Magazine "Active Directory Component Jigsaw"
> 
> 
> Hi Todd,
>  
> this would rock if you are able to scan it (or somebody has contacts to the 
> team to request a printable-file)?
>  
> Subscriptions are only free for US Residents (shipping costs), and the 
> web-version does not include the picture.
>  
> 
> Gruesse - Sincerely, 
> 
> Ulf B. Simon-Weidner 
> 
>   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz 
>  
>   Weblog: http://msmvps.org/UlfBSimonWeidner 
>  
>   Website: http://www.windowsserverfaq.org  
>   Profile:   
> http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D 
> 
> 
> 
>  
> 
> 
> 
> 
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, 
> Todd (NIH/CC/DNA) [E]
>   Sent: Wednesday, March 08, 2006 5:00 PM
>   To: ActiveDir@mail.activedir.org
>   Subject: [ActiveDir] Technet Magazine "Active Directory Component 
> Jigsaw"
>   
>   
> 
>http://www.microsoft.com/technet/technetmag/
> 
>
> 
>   Someone in my office just gave me a copy of this free magazine, and it 
> came with the really neat insert called the "Active Directory Component 
> Jigsaw".  It is a wall hanging that outlines all the AD process graphically.  
> I will try to scan it and post it on my Blog, but I just wanted to make you 
> all aware of it.  I plan to hang it on my cubicle wall on the outside that 
> says "What I do here" :-)
> 
>
> 
>   Subscriptions are free.
> 
>
> 
>   Todd
> 
> 



RE: [ActiveDir] repadmin info oddity

2006-02-21 Thread Brett Shirley

I wouldn't make a "hard feature" on such parsing, b/c it is not documented
and could change at Brett or (lets call him) Greg's willy nilly.

Oh and I just remembered ... I should also note, it isn't 100% accurate to
use retired DSA signatures, we punted a bug in repadmin relating around
this, IIRC ... IFM maintains the same retired DSAs list as the original
source DC, meaning it is tricky to figure who is the real slim shady when
dealing with retired IIDs.

It may be probabilistically or even deterministically possible by looking
at when the IID was retired, and matching against active IIDs, and
matching retired IIDs, to figure out who originally owned the IID.  That's
what joe should work on...

We've also debated when we delete a DSA or stamping all related IIDs, into
a never cleared place in the DS, so that repadmin /showutdvec could always
resolve DSAs even after they've been deleted for 10 years.



On Tue, 21 Feb 2006, Dean Wells wrote:

> Hmmm, I would guess he's probably adding a new switch to deal with this
> particular thread.
> 
> Anyway, since he's not responded, I'll take a stab at what ADfind can or
> cannot do here (not really ADfind's problem if my lazy research is
> accurate).  The attribute in question's syntax is a single-valued "octet
> string" which can typically be filtered against assuming the correct
> notation is supplied.  This particular attribute, however, will often
> contain multiple GUIDs within the flat value (a pack of them) making it
> difficult to successfully construct a reliable and/or optimal filter
> (remember, medial queries are painful without the necessary index). 
> 
> To further complicate the issue, the byte ordering is maintained differently
> internally to the way it's displayed.  Since ADfind AFAIK cannot yet decode
> "retiredReplDSASignatures", in order to query against it we have to reorder
> it ourselves.  Here's an example of how to convert repadmin's display format
> to the internally maintained byte ordering (this is a little painful) -
> 
> repadmin's output  = 6cc4a8e0-2019-4e4f-81cd-f35926de38a3
> internal structure = E0 A8 C4 6C 19 20 4F 4E 81 CD F3 59 26 DE 38 A3
> 
> ... now trim the hyphens and pad repadmin's output to pair up the bytes -
> 
> repadmin's output  = 6c c4 a8 e0 20 19 4e 4f-81 cd f3 59 26 de 38 a3 (padded
> & trimmed)
> internal structure = E0 A8 C4 6C 19 20 4F 4E 81 CD F3 59 26 DE 38 A3
> 
> ... now, re-order the 1st 4 octets, then the next 2 octets and again the
> next 2 octets.  I've added extra spaces for legibility (essentially, you're
> re-ordering the first double-word, the next word, the next word and the rest
> remains as is ... this is known as "network" or "pretty" byte ordering) -
> 
> repadmin's output  = e0 a8 c4 6c   19 20   4f 4e   81 cd f3 59 26 de 38 a3 (re-ordered)
> internal structure = E0 A8 C4 6C   19 20   4F 4E   81 CD F3 59 26 DE 38 A3
> 
> OK, having done all of that, you now have two possible options:
> 
> option 1) use a fairly concise query and parse the output as follows ...
> 
> ... create a string of 8 words (or 8 octet pairs if you prefer) to match
> ADfind's output format -
> 
> resulting structure = E0A8 C46C 1920 4F4E 81CD F359 26DE 38A3
> 
> ... then use the following syntax -
> 
> C:\>adfind -config -f
> "&(objectcategory=ntdsdsa)(retiredReplDSASignatures=*)" -csv -nocsvheader
> retiredReplDSASignatures | findstr "E0A8 C46C 1920 4F4E 81CD F359 26DE 38A3"
> 
> ... this returns the DN of the "NTDS Settings" object of the DC that owns
> the retired invocation ID.  If no results are returned, one of two things
> occurred; 1) you fat-fingered it or 2) the DC no longer exists.
> 
> option 2) submit the following v. expensive query (note, it's a medial
> query) -
> 
> C:\>adfind -config -f "retiredReplDSASignatures=*\E0\A8\C4\6C\19\20\4F\4E\81\CD\F3\59\26\DE\38\A3*" retiredReplDSASignatures
> 
> Fingers crossed that Joe will have a hidden switch to do the decoding for
> you, until then, this is it I'm afraid.
> 
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen
> Sent: Tuesday, February 21, 2006 5:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] repadmin info oddity
> 
> Too bad Joe picked today to be MIA.
> 
> Scott Klassen
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> Sent: Tuesday, February 21, 2006 7:59 AM
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] repadmin info oddity
> 
> The GUIDs returned in this scenario are not used by the directory in the
> traditional manner and, as such, using a GUID-based binding string won't
> locate the owning object.  The invocation IDs (which are indeed GUIDs but
> not objectGUIDs) are maintained on the DC's NTDSDSA instance (its NTDS
> Settings object) by the "invocationId" property ... retired invocation ID

RE: [ActiveDir] repadmin info oddity

2006-02-21 Thread Brett Shirley
Dean on another fork identified where repadmin gets the GUIDs it can
resolve.  It does a search in CN=Sites (maybe CN=Configuration) for all
DSA objects (aka "nTDSDSA" or "NTDS Settings objects", retrieving the two
attributes Dean mentioned, and makes a table/cache to translate the names
to GUIDs.  If you want, you can use "/nocache" to not build the cache (and
consequently possibly speed up the operation) and then you will see all
GUIDs in your UTDVec.

Cheers,
BrettSh


On Tue, 21 Feb 2006, Scott Klassen wrote:

> Thanks Michael and Dean.  Very good information.  ADFind came up empty on
> the GUIDs, so wherever Repadmin is getting this info from, it is well
> buried.  I'm not going to lose any sleep over it.  The more I learn on this
> list, the more things I don't want to mess with.  :)
> 
> Scott Klassen
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
> Sent: Tuesday, February 21, 2006 6:44 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] repadmin info oddity
> 
> Adfind (http://www.joeware.net/win/free/tools/adfind.htm) to the rescue!
> I recently had to do this and got it accomplished with the following
> syntax (with a little help from joe :)  ):
> 
> adfind -default -binenc -f
> objectGUID={{GUID:0B3F5BC4-5713-4611-8F6A-752A3B0DE664}} dn
> 
> ("adfind /???" For lots of good info!)
> 
> Mike Thommes
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of SCOTT KLASSEN
> Sent: Monday, February 20, 2006 8:56 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] repadmin info oddity
> 
> I try to keep up on new or updated MS KB articles and often check to see
> how 
> they correlate with my environment.  I noticed that 875495, dealing with
> USN 
> rollbacks, was updated earlier this month.  As I've experienced two AD 
> issues, both of which needed PSS involvement (one dealing with sysvol 
> inconsistency and the other which wound up being the RID master going on
> 
> temporary strike) I figured that I'd do a quick check as described in
> the 
> article.  On the good side, the USN's are consistent between
> controllers.  
> On the disconcerting side, I got a little more information than I was 
> expecting.  Besides my DC's, I also got USN listings for several GUIDs.
> I 
> assume these are leftovers from DC demotions and only remain in the form
> of 
> historical data.  Do I need to worry about these (especially the DC1 
> (retired) listing) and is there a way I can resolve the GUIDs to names,
> find 
> where this info is hiding, and clear them out?
> 
> Thanks,
> 
> Scott Klassen
> 
> >repadmin /showutdvec dc1 dc=domain,dc=com
> Caching GUIDs.
> ..
> Default-First-Site-Name\DC2  @ USN    455091 @ Time 2006-02-20 20:08:20
> 2c92760e-e8fc-4418-947e-3b1016ab8514 @ USN   1012381 @ Time 2005-08-04 00:02:34
> 6e129965-56c3-469e-b70a-f1fdfb8bb2cc @ USN    969931 @ Time 2004-07-24 11:53:16
> Default-First-Site-Name\DC1  @ USN   1717571 @ Time 2006-02-20 20:10:50
> Default-First-Site-Name\DC1 (retired) @ USN   1298674 @ Time 2005-08-05 06:36:16
> e2199f22-f1dd-4d1c-90a6-0e8bb874f355 @ USN    744173 @ Time 2004-12-28 20:52:04
> ff0d7d50-214f-4bc1-96b6-55ac6ef317f0 @ USN    852323 @ Time 2005-06-08 14:29:20
> 
> 
> 
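The two pieces of this thread that lend themselves to code, Dean Wells's hand reordering of a repadmin-displayed GUID into the byte order stored in retiredReplDSASignatures and the `repadmin /showutdvec` listing Scott pasted, worked through as an added Python example that is not from the list or from any Microsoft tool. The sample output is constructed from Scott's lines (wrapped lines rejoined; the USN column padding is an assumption), and the octet-string blob is constructed, since the thread describes the attribute's layout only as "a pack of" GUIDs.

```python
"""Added example (not from the thread): pick the GUIDs that repadmin could
not resolve out of `repadmin /showutdvec` output and turn each into the
byte order used inside retiredReplDSASignatures, following the manual
reordering Dean Wells describes (uuid.bytes_le performs exactly that swap)."""
import re
import uuid
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the output Scott Klassen pasted: wrapped
# lines rejoined, and the USN column padding is an assumption.
SAMPLE_UTDVEC = "\n".join([
    "Caching GUIDs.",
    "..",
    r"Default-First-Site-Name\DC2  @ USN    455091 @ Time 2006-02-20 20:08:20",
    "2c92760e-e8fc-4418-947e-3b1016ab8514 @ USN   1012381 @ Time 2005-08-04 00:02:34",
    "6e129965-56c3-469e-b70a-f1fdfb8bb2cc @ USN    969931 @ Time 2004-07-24 11:53:16",
    r"Default-First-Site-Name\DC1  @ USN   1717571 @ Time 2006-02-20 20:10:50",
    r"Default-First-Site-Name\DC1 (retired) @ USN   1298674 @ Time 2005-08-05 06:36:16",
    "e2199f22-f1dd-4d1c-90a6-0e8bb874f355 @ USN    744173 @ Time 2004-12-28 20:52:04",
    "ff0d7d50-214f-4bc1-96b6-55ac6ef317f0 @ USN    852323 @ Time 2005-06-08 14:29:20",
])

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
LINE_RE = re.compile(r"^(?P<dsa>.+?)\s+@ USN\s+(?P<usn>\d+)\s+@ Time\s+(?P<time>\S+ \S+)$")


@dataclass
class UtdEntry:
    dsa: str        # "Site\DC" when repadmin resolved it, else the bare invocation ID
    usn: int
    time: str
    retired: bool   # repadmin appended "(retired)" to a resolved name
    resolved: bool  # False: the GUID was not in repadmin's nTDSDSA cache


def parse_utdvec(text: str) -> List[UtdEntry]:
    """Parse the UTD vector lines; banner lines ("Caching GUIDs.", "..") are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        dsa = m.group("dsa")
        retired = dsa.endswith("(retired)")
        name = dsa[: -len("(retired)")].rstrip() if retired else dsa
        entries.append(UtdEntry(name, int(m.group("usn")), m.group("time"),
                                retired, GUID_RE.match(name) is None))
    return entries


def unresolved_guids(entries: List[UtdEntry]) -> List[str]:
    """Invocation IDs repadmin printed raw: candidates for a retired-signature lookup."""
    return [e.dsa for e in entries if not e.resolved]


def display_to_internal(guid: str) -> bytes:
    """Display form -> stored octets: first DWORD and next two WORDs byte-swapped,
    trailing 8 bytes unchanged (the reordering Dean walks through by hand)."""
    return uuid.UUID(guid).bytes_le


def findstr_pattern(guid: str) -> str:
    """Dean's option 1: eight upper-case hex words as adfind -csv prints the octet string."""
    h = display_to_internal(guid).hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def ldap_filter(guid: str) -> str:
    """Dean's option 2: substring (medial) filter with each octet LDAP-escaped."""
    octets = "".join(f"\\{b:02X}" for b in display_to_internal(guid))
    return f"retiredReplDSASignatures=*{octets}*"


def signature_contains(octet_string: bytes, guid: str) -> bool:
    """Offline equivalent of the medial filter: the thread only says the value
    holds 'a pack of' GUIDs, so this is a plain containment test, no layout assumed."""
    return display_to_internal(guid) in octet_string


# Constructed retiredReplDSASignatures-like value: filler around Dean's example GUID.
DEAN_GUID = "6cc4a8e0-2019-4e4f-81cd-f35926de38a3"
SAMPLE_SIGNATURE = b"\x01\x00\x00\x00" + display_to_internal(DEAN_GUID) + b"\x00" * 8


if __name__ == "__main__":
    for g in unresolved_guids(parse_utdvec(SAMPLE_UTDVEC)):
        print(g, "->", findstr_pattern(g))
    print(ldap_filter(DEAN_GUID))
    print(signature_contains(SAMPLE_SIGNATURE, DEAN_GUID))
```

Run against a live `repadmin /showutdvec` capture, the unresolved list is the set of invocation IDs worth checking against retired signatures before deciding whether they are stale leftovers of demoted DCs.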



RE: [ActiveDir] Script to transfer FSMO roles.

2006-02-14 Thread Brett Shirley

That is not true, the schema and naming FSMOs also have extensive state
that is sensitive and critical, however the frequency of the updates is
significantly less, and thus less likely to cause an issue.

Having personally been on PSS cases for people who've f-d up their forest,
because they didn't understand the concept of the F-Single-Master-O, and
which data each is responsible for, I do not recommend seizing any roles
except one.  It is not good to conflict the NCs, hard to undo, and even
worse to conflict the schema.

If you're a novice, here is what you should remember, IMNHO
- Only the PDC is safe for seizing.
- The infrastructure master is probably safe (I've never
  really thought it through enough to vouch for it).
- Seizing any other role is a complicated process that will require
  learning of some DS internals, and a few steps.

The process for seizure, should be
A) Understand what data that FSMO owns, and think carefully if
   ANYONE has updated that data on a DC that is somehow
   unavailable to the forest at this moment, and could be brought
   back to the forest?
a. If it could be brought back, you must then decide to not
   bring it back _EVER_, destroy the DC before seizure.  Or
   bring it back and let its changes replicate out.
B) By seizing you can break the F-Single-Master-O model, and
   effectively have the potential to multi-master the data on
   more than one DCs, conflicting the data in a very bad way...
C) Run repadmin /syncall  
   to guarantee your forest has a consistent view of the data in
   question you want to seize.
D) Finally perform the seizure, don't use a script, don't tempt
   yourself with it.  Use ntdsutil / dsmgmt.
E) Finally, evaluate what you did to cause this seizure?  Did you
   take down a box without properly demoting it?  Institute an
   IT policy that allows for that mistake never to happen again,
   seizures should not be a part of any IT operation, unless you
   experienced critical hardware failure.

Dean is right, it's the wrong place to fixup RID seizure in ntdsutil
though, but I also think an LDAP modification performing a seizure, and a
LDAP control for performing the more common transfer is ass backwards as
well, so what do I know.

I wrote this mail in a hurry, so didn't proof it, probably mistakes ...

BrettSh [msft]
Building #7 Garage Door Operator


On Mon, 13 Feb 2006, Dean Wells wrote:

> Having chatted offline on this topic, I'm reminded that it's worth
> mentioning an exception pertaining to the RID FSMO.  Extensive state is
> maintained for this particular role, state which is sensitive and requires
> modification when the role is seized.  Unfortunately, these modifications
> are handled client-side by NTDSUTIL (a mistake in my opinion), as such, any
> manual seizure of the RID Master should be either conducted using NTDSUTIL
> (again, in a controlled manner) or supplemented with the necessary RID
> allocation pool modifications.
> --
> Dean Wells
> MSEtechnology
> * Email: dwells  @msetechnology.com
>   http://msetechnology.com
> 
>  
> 
> 
> From: Dean Wells [mailto:[EMAIL PROTECTED] 
> Sent: Monday, February 13, 2006 9:06 AM
> To: Send - AD mailing list ([EMAIL PROTECTED])
> Subject: RE: [ActiveDir] Script to transfer FSMO roles.
> 
> 
> A few thoughts -- 
>  
> I'm not entirely adverse to the idea of throwing commands at NTDSUTIL and
> seizing roles (and relying upon the mandatory pre-emptive transfer attempt)
> but I prefer not to perform such actions when the capability to trap
> failures within a sequence of events is beyond my control, e.g. the transfer
> fails and the seize continues without confirmation or regard for my input.
>  
> Although I realize that your goal here is to seize a role, a single slip of
> the finger may inadvertently cause seizure to occur.  I would suggest
> scripting the operation to _manually_ attempt a transfer first, trap the
> error and confirm your intention to proceed with a seize (remains achievable
> with NTDSUTIL).  Of course, the implications of _not_ doing it this way are
> entirely dependent upon either or both the FSMO role in question and/or your
> particular infrastructure.
>  
> The commands below outline an alternative approach for attempting a FSMO
> transfer of the domain naming master -
>  
> admod -h  -b "" becomedomainmaster::1
>  
> ... and the equivalent seizure -
>  
> admod -h  -b cn=partitions,cn=configuration,dc=
> fsmoroleowner::""
>  
> ... e.g. -
>  
> admod -h machine1.adcorp.lan -b
> cn=partitions,cn=configuration,dc=adcorp,dc=lan fsmoroleowner::"CN=NTDS
> Settings,CN=MACHINE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
> guration,DC=ADCORP,DC=LAN"
>  
> This approach provides more contr
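
The procedure above (sync first, attempt a transfer, confirm before a
seizure, and treat the RID master specially) as an added PowerShell
example. This is not code from the original thread; it assumes the
ActiveDirectory RSAT module, repadmin.exe and ntdsutil.exe on the path,
and an account with the rights for the role in question. The target DC
name and role are parameters supplied by the caller.

```powershell
# Added example, not part of the original posts.
# Transfer-first FSMO move with an explicit confirmation gate before any seizure.
# Assumes: ActiveDirectory module (RSAT), repadmin.exe, ntdsutil.exe.
param(
    [Parameter(Mandatory)][string]$TargetDC,   # e.g. 'dc02.corp.example' (placeholder)
    [Parameter(Mandatory)]
    [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster',
                 'SchemaMaster','DomainNamingMaster')]
    [string]$Role
)
Import-Module ActiveDirectory -ErrorAction Stop

function Get-CurrentRoleOwner {
    param([string]$Role)
    switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }   # PDCEmulator, RIDMaster, InfrastructureMaster
    }
}

$owner = Get-CurrentRoleOwner -Role $Role
Write-Host "Current $Role owner: $owner"

# Step C: get a consistent view of the data before touching the role.
# /A all partitions, /P push, /e cross-site, /d show DNs instead of GUIDs.
& repadmin.exe /syncall $TargetDC /APed
if ($LASTEXITCODE -ne 0) {
    throw "repadmin /syncall returned $LASTEXITCODE; not continuing"
}

# Plain transfer first. Without -Force this never seizes; it fails cleanly
# if the current owner is unreachable, and we trap that failure ourselves.
try {
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $Role -Confirm:$false -ErrorAction Stop
    Write-Host "Transferred $Role to $TargetDC"
    return
}
catch {
    Write-Warning "Transfer of $Role failed: $($_.Exception.Message)"
}

# Steps A/B: a seizure can multi-master the data this role owns.
if ($Role -ne 'PDCEmulator') {
    Write-Warning ("Seizing $Role is only safe if $owner is destroyed or will " +
                   "never be brought back into the forest.")
}
$answer = Read-Host "Type SEIZE to seize $Role onto $TargetDC (anything else aborts)"
if ($answer -ne 'SEIZE') { Write-Host 'Aborted, nothing changed.'; return }

if ($Role -eq 'RIDMaster') {
    # Per Dean's note in the thread, ntdsutil performs the RID pool fix-ups
    # client-side during a seizure, so use it for this role.
    & ntdsutil.exe 'roles' 'connections' "connect to server $TargetDC" 'quit' `
                   'seize RID master' 'quit' 'quit'
} else {
    # -Force makes the cmdlet seize when the transfer attempt fails.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $Role -Force -Confirm:$false
}
Write-Host "New $Role owner: $(Get-CurrentRoleOwner -Role $Role)"
```

Run it as `.\Move-Fsmo.ps1 -TargetDC dc02.corp.example -Role PDCEmulator`.
The transfer path and the seize path are deliberately separate statements
so that a typo cannot turn an intended transfer into a seizure, which is
the failure mode the thread warns about.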

Re: [ActiveDir]

2006-02-10 Thread Brett Shirley
Sorry Doug, the mail system is broken ... you'll probably get mails
forever from this alias, it is unavoidable.  Sorry for the inconvenience.

-Brett

This posting is provided "AS IS" with no warranties, and confers no
rights.

On Fri, 10 Feb 2006, Doug Ferguson wrote:

> Unsubscribe
> 
> 



RE: [ActiveDir] Putting a DC on VMware

2006-01-31 Thread Brett Shirley
And diff or rollback virtual hard disks are not supported.  Neither is
copying off the virtual hard disk.  Also please turn off the write cache
on the host.

Cheers,
BrettSh
ESE SDE [msft]



On Tue, 31 Jan 2006, Ion Gott wrote:

> Definitely good points on some of the key items to take into account when it 
> comes to the virtualization of anything.
>  
> In regards to Microsoft stance on support of DC's on virtualization 
> platforms, this changed a few months ago and it is actually now supported I 
> believe without the premier support agreementsee 
> http://support.microsoft.com/?kbid=888794
>  
> Quote from the KB:
>  
> Support for Active Directory domain controllers in virtual hosting 
> environments
>  
> We do not test the functionality of Active Directory domain controllers in 
> virtual hosting environments. However, we will help troubleshoot domain 
> controllers that run in virtual hosting environments, whether the virtual 
> hosting environment comes from Microsoft or from a third party. If the host 
> environment causes a problem, the vendor of the host environment must provide 
> support. One method to determine whether the host environment causes a 
> problem is to determine whether the problem occurs when the host environment 
> is installed on the hardware that is listed in the Microsoft Hardware 
> Compatibility list or in the Microsoft Windows Tested Products list.
>  
> I have deployed Windows 2003 domain controllers on VMWare GSX and ESX server 
> platforms at several clients over the past 5-6 months. From a performance 
> standpoint everything functions well and overall DC's tend to make good 
> candidates for virtualization. 
>  
> For example on several  DL380 G4 servers with dual Xeon processors and 6GB of 
> RAM I am running 5 domain controllers per physical server on VMWare GSX 
> server 3.2 at different data center locations and supporting various child 
> domains.
>  
> As far as the security of the physical host it was placed in an empty forest 
> root (Another hot topic as to even being secure...I know) with hardening via 
> local policy and ACL rights on the server itself.
>  
> Hope that helps...
>  
> Ion V. Gott
> 
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of joe
> Sent: Tue 1/31/2006 5:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Putting a DC on VMware
> 
> 
> Things to keep in mind that others mentioned but I just wanted to emphasize.
>  
> 1. Understand your supportability position. If you do not have a Premier 
> contract or a contract through a services organization such as HP you do not 
> even have best effort support for the OS on VMWARE. You will need to 
> reproduce any issues on hardware (or Virtual Server) to get MS to engage. If 
> you have Premier you get best effort but could still end up having to 
> reproduce outside of VMWARE.
>  
> 2. Security security security security. Who owns the hosts running the DCs? 
> They better be domain admins because they could be if they wanted to be.
>  
> 3. Exchange is supported on only Virtual Server R2 and under a very specific 
> set of circumstances.
>  
>joe
>  
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
>  
>  
> 
> 
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
> Sent: Monday, January 30, 2006 5:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Putting a DC on VMware
> 
> 
> 
> Hi all 
> 
> One of our sites is looking to put two DCs on VM ware.  I'm not too sure this 
> is really the best thing to do.  Am I being too paranoid?  Can anyone point 
> me in the right direction regarding suggestions on running a DC on Vmware?  
> Even if there are white papers for running Exchange 2000 on Vmware?
> 
> Thanks all 
> 
> Russ 
> 
> Remember, you can't spell "Quality" without "IT" 
> 
> 



RE: [ActiveDir] OT: DEC 2006 (way OT ...)

2006-01-13 Thread Brett Shirley
It sounds like this gave it on a per-save basis.  Shadow copy gives it to
you only if you took a snapshot, which has a non-trivial effect on
performance (it snapshots the whole volume in a block level way, such that
we have to incur copy-on-write IO costs).  From what people have said of
the feature, it sounds a bit more cunning, and at a logical level, rather
than block based.

A plus for snapshot however is that it also snaps the directory / file
hierarchy, it sounds like, if however your data scheme made a dependency
on a certain file structure representing something, it doesn't sound like
you have the ability to say _not_ see file X, b/c you're looking at a
previous version of the directory itself ... perhaps I'm wrong though.

Cheers,
BrettSh [msft]
SDE - ESE

On Fri, 13 Jan 2006, Robert Bobel wrote:

> Doesn't shadow copy essentially give you multiple file versions?
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Brett Shirley
> Sent: Fri 1/13/2006 12:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: DEC 2006 (way OT ...)
> 
> 
> 
> Al,
> 
> > I always wished that Microsoft would support multiple file versions like
> > VMS did.
> 
> I'm just curious, if you have the time, for my own edification, what was
> this VMS file system feature?  Could you elaborate how it worked?
> 
> Cheers,
> BrettSh [msft]
> SDE - ESE
> 
> 
> On Thu, 12 Jan 2006, Al Lilianstrom wrote:
> 
> > > Don't forget the VAXMate and PCSA v1.1. What an interesting pair...
> >
> > My brother in law worked for DEC at that time and had a VAXStation II
> > and a Pro350 that he had bought from DEC in his basement. Kept trying to
> > sell me the Pro.
> >
> > VMS was great. I turned off my last VAX just over 2 years ago. It had
> > been up and running for 8 years. Great OS, great hardware, lousy company
> > management.
> >
> > I always wished that Microsoft would support multiple file versions like
> > VMS did.
> >
> >   al
> >
> > Lee, Wook wrote:
> > > Ah, now we're really dragging out the old war horses. My first job at
> > > DEC was writing CBI courses for the DECmate WPS+ list processing module.
> > > They gave me a Robin (think VT100 with a processor and dual 5.25" floppy
> > > disks) to use at home (a little basement studio next to the laundry room
> > > in the basement of my apartment building in Acton, MA.) My second job
> > > was writing a device driver in C for a Polaroid CRT-to-film peripheral
> > > called the Polaroid Palette (had a mini-high resolution B&W CRT and a
> > > Color-filter wheel all controlled by a Z80 processor) for the very same
> > > Rainbow PC.
> > >
> > > In those days, Digital could not decide on a PC strategy. There were
> > > three different product lines that all had some potential but none of
> > > them took off. We had the Rainbow which was close to what became
> > > mainstream with an 8088 or 8086 processor, the DECmate with was
> > > basically a secretarial workstation running WPS+ and not much else and
> > > the Pro 350 which was a repackaged PDP-11 that spent a few years as the
> > > console device for some of the bigger VAXen. If I recall correctly, the
> > > Pro 350 OS was based on RSTS.
> > >
> > > Those were the good old days before 1987 and Black Tuesday. I think I
> > > had some Digital options at something like $150. Sigh.
> > >
> > > Wook
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
> > > Sent: Wednesday, January 11, 2006 6:18 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: Re: [ActiveDir] OT: DEC 2006
> > >
> > > Anyone remember the Rainbow?  It was DEC's attempt at a Personal
> > > computer.  Launched in early '83, if I remember...  ran its own
> > > proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It
> > > died a year or two later, but the marketing stickers held up for about
> > > 10 years!!  I had one stuck to my daughter's mirror and damned if I
> > > could get it off!!
> > >
> > > And the DECwriter and the Gold key. a - sweet memories!!
> > >
> > > On 1/11/06, joe <[EMAIL PROTECTED]> wrote:
> > >> Ah but people using DEC and attending DECUS were smarter than the
> > > average
> > >> bear To this day the people I meet who grew up on DEC are more
> > > well
> &

Re: [ActiveDir] OT: DEC 2006 (way OT ...)

2006-01-13 Thread Brett Shirley
Al,

> I always wished that Microsoft would support multiple file versions like 
> VMS did.

I'm just curious, if you have the time, for my own edification, what was
this VMS file system feature?  Could you elaborate how it worked?

Cheers,
BrettSh [msft]
SDE - ESE


On Thu, 12 Jan 2006, Al Lilianstrom wrote:

> Don't forget the VAXMate and PCSA v1.1. What an interesting pair...
> 
> My brother in law worked for DEC at that time and had a VAXStation II 
> and a Pro350 that he had bought from DEC in his basement. Kept trying to 
> sell me the Pro.
> 
> VMS was great. I turned off my last VAX just over 2 years ago. It had 
> been up and running for 8 years. Great OS, great hardware, lousy company 
> management.
> 
> I always wished that Microsoft would support multiple file versions like 
> VMS did.
> 
>   al
> 
> Lee, Wook wrote:
> > Ah, now we're really dragging out the old war horses. My first job at
> > DEC was writing CBI courses for the DECmate WPS+ list processing module.
> > They gave me a Robin (think VT100 with a processor and dual 5.25" floppy
> > disks) to use at home (a little basement studio next to the laundry room
> > in the basement of my apartment building in Acton, MA.) My second job
> > was writing a device driver in C for a Polaroid CRT-to-film peripheral
> > called the Polaroid Palette (had a mini-high resolution B&W CRT and a
> > Color-filter wheel all controlled by a Z80 processor) for the very same
> > Rainbow PC.
> > 
> > In those days, Digital could not decide on a PC strategy. There were
> > three different product lines that all had some potential but none of
> > them took off. We had the Rainbow which was close to what became
> > mainstream with an 8088 or 8086 processor, the DECmate with was
> > basically a secretarial workstation running WPS+ and not much else and
> > the Pro 350 which was a repackaged PDP-11 that spent a few years as the
> > console device for some of the bigger VAXen. If I recall correctly, the
> > Pro 350 OS was based on RSTS.
> > 
> > Those were the good old days before 1987 and Black Tuesday. I think I
> > had some Digital options at something like $150. Sigh.
> > 
> > Wook
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
> > Sent: Wednesday, January 11, 2006 6:18 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] OT: DEC 2006
> > 
> > Anyone remember the Rainbow?  It was DEC's attempt at a Personal
> > computer.  Launched in early '83, if I remember...  ran its own
> > proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It
> > died a year or two later, but the marketing stickers held up for about
> > 10 years!!  I had one stuck to my daughter's mirror and damned if I
> > could get it off!!
> > 
> > And the DECwriter and the Gold key. a - sweet memories!!
> > 
> > On 1/11/06, joe <[EMAIL PROTECTED]> wrote:
> >> Ah but people using DEC and attending DECUS were smarter than the
> > average
> >> bear To this day the people I meet who grew up on DEC are more
> > well
> >> rounded and knowledgeable in the field than the norm.
> >>
> >> The good ol days... Anyone remember Mike Mayfield and the RSTS/E
> > Monitor
> >> Internals books he wrote? Only place to get the real scoop on the
> > internals
> >> so you could really wreak havoc. I think he also wrote the original
> > Trek too
> >> so if your system was still up after poking around in the internals
> > you
> >> could play a video game on your DecWriter or VT52.
> >>
> >> I got my first official corporate support position supporting OS/2 and
> > Win31
> >> on Token Ring back in the mid 90's because I knew DEC. The 8 or so
> > people in
> >> the panel interview started asking me questions about the equipment
> > the job
> >> was for (OS/2 Win31 tcp/ip Token Ring) and I couldn't answer any of
> > the
> >> questions so they saw DEC on my resume and started asking DEC
> > questions and
> >> a couple of hours later we were all laughing and I had my choice of
> > the
> >> three open positions they had even though I knew nothing about any of
> > them.
> >> :)
> >>
> >>
> >>
> >>
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] On Behalf Of John
> > McGlinchey
> >> Sent: Tuesday, January 10, 2006 4:13 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: RE: [ActiveDir] OT: DEC 2006
> >>
> >> My experience is just the opposite. I attended DECUS (The other DEC,
> > Digital
> >> Equipment Computer Users Society Symposia) a few times back in the
> > 90's and
> >> the casinos complained that the attendees were not losing enough
> > money.
> >> This was attributed to 1) most of the attendees knew the odds were
> > against
> >> them so they kept their money in their pockets where it belonged and
> > 2) the
> >> ones that did play were pretty good at it and were winning too much.
> >>
> >> I'll not be attending but I'm sending someone that works for me
> > instead.

RE: [ActiveDir] Reducing number of Global Catalogs

2005-12-20 Thread Brett Shirley
Ignoring the fairly over-discussed if every DC is a GC anyway, the
Infrastructure FSMO / Master (IM) can be on GC aspect ...

In "the standard forest" (if there is such a thing) with a mix of DCs and
GCs, the Infrastructure FSMO must be on a non-GC, for both win2k and
win2k3.  There has been no change here.

What you might be thinking of is the fact that we (in fact I) made it so a
win2k3 DC can perform the duties of the Domain Naming FSMO / Master even
if it is not a GC.  Win2k only knows how to perform the duties of the
Naming FSMO on a GC.

Basically the constraints were such that for win2k these two roles
couldn't even exist on the same machine.  Now they can both be held on a
non-GC as of Win2k3.

Cheers,
BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.


On Mon, 19 Dec 2005, joe wrote:

> I am curious myself. I seem to recall a rumour to that effect previously but
> have not seen anything substantial.
>  
>  
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> Sent: Wednesday, December 14, 2005 10:13 PM
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] Reducing number of Global Catalogs
> 
> 
> How so?
> --
> Dean Wells
> MSEtechnology
> * Email: dwells  @msetechnology.com
>   http://msetechnology.com
> 
>  
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, December 14, 2005 8:15 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Reducing number of Global Catalogs
> 
> 
> The issue with IM on GCs is solved in Windows 2003 for multi-domain
> forests...
>  
> Chuck
>  
> 



RE: [ActiveDir] Ntds.dit file corruption

2005-12-06 Thread Brett Shirley
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]> 
> [mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Monday, December 05, 2005 8:53 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Ntds.dit file corruption
> 
> 
> I did? :-)  I think I still said all I know is what the poster said  :-)
> 
> I think I need a course in event log reading because even with the logs, 
> and the default size of the logs, I still don't see a smoking gun.  The
> directory services one is filled with events 'post' blow up.
> 
> What is interesting is that it seems to me big server land goes .. oh
> yeah... ntds.dit corruption... and sbsland freaks out.  Either we do
> indeed need to ensure we have a secondary DC or we need to park a second
> copy of a system state offsite [say at the vap/var]
> 
> Brett Shirley wrote:
> > She replied offline, very likely a single bit flip, tragedy, they aren't
> > one release later (Longhorn), where this would've probably been
> > non-disruptively handled, logged, and possibly self-healed:
> >   http://blogs.technet.com/efleis/archive/2005/01.aspx
> >
> > Anyway, this kind of thing is usually hardware ...
> >
> > While there are much better disk sub-system testers, one that is freely 
> > available to any box with Exchange is jetstress.  You might give that a
> > try.  If you can reproduce the event / error with jetstress I would not
> > use that box in production.
> >
> > If you do reproduce the issue several times (several times is key, as you 
> > want a trend before you start playing the variable game), some things
> > you might vary (one at a time):
> >
> >  - Try making sure you have the latest driver and motherboard / controller
> > firmware.  Then see if you can reproduce. 
> >
> >  - Try a different RAID configuration, such as RAID1/RAID1+0 if you're on
> > RAID5.
> >
> >  - Try swapping out the hard drives, one at a time.
> >
> >  - Adding the jetstress files to the exclude list in the Anti-Virus 
> > software. (A low probability, I've never heard of Anti-Virus causing this
> > particular type of error, and I can't imagine the mistake an anti-virus
> > product would have to have to cause this side effect) 
> >
> >  - If you can reproduce it several times, you could followup with Dell.
> > Good luck.
> >
> > I'm not sure if I answered your question ...
> >
> > Cheers,
> > BrettSh
> >
> > 
> > On Sun, 4 Dec 2005, Eric Fleischman wrote:
> >
> >
> >> Going back to the original post, I'm not sure I fully understand the
> >> problem yet. Susan, can you define "ntds.dit file corruption" for us? 
> >> What sort of corruption? What errors/events lead you to believe this?
> >> Specifically, I'm interested in errors from NTDS ISAM or ESE if you
> >> have any.
> >>
> >>
> >>
> >> 
> >>
> >> From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA
> aka Ebitz - SBS Rocks [MVP] 
> >> Sent: Sat 12/3/2005 10:58 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: [ActiveDir] Ntds.dit file corruption
> >>
> >>
> >>
> >> SBS box [with Windows 2003 sp1 since September]
> >>
> >> RE: [ActiveDir] Database Corruption:
> >> http://www.mail-archive.com/activedir@mail.activedir.org/msg32676.html
> >>
> >> We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant
> >> and PSS have been banging on.  Could not get the services back running, 
> >> changed the RPC service to local system and some service came back up [I
> >> don't have all the details but the consultant opened a support case of
> >> SRX051202605433].
> >>
> >> Bottom line they are about going to give up and start a restore but 
> >> before they do that I'd like to get the view of the AD gods and
> >> goddesses around here.  From all that I've seen, read, seen in the SBS
> >> newsgroup, the corruption of ntds.dit is rare to nil and an underlying 
> >> cause is hardware issues [raid, disk subsystem].  This doesn't just
> >> happen.
> >>
> >> The VAP asked if not properly excluding the ad databases from the a/v
> >> would cause this/trigger this and my expectation is 'no', given that I 
> >> doubt the

RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Brett Shirley
She replied offline, very likely a single bit flip, tragedy, they aren't
one release later (Longhorn), where this would've probably been
non-disruptively handled, logged, and possibly self-healed:
  http://blogs.technet.com/efleis/archive/2005/01.aspx

Anyway, this kind of thing is usually hardware ...

While there are much better disk sub-system testers, one that is freely
available to any box with Exchange is jetstress.  You might give that a
try.  If you can reproduce the event / error with jetstress I would not
use that box in production.

If you do reproduce the issue several times (several times is key, as you 
want a trend before you start playing the variable game), some things
you might vary (one at a time):

 - Try making sure you have the latest driver and motherboard / controller
firmware.  Then see if you can reproduce.

 - Try a different RAID configuration, such as RAID1/RAID1+0 if you're on
RAID5.

 - Try swapping out the hard drives, one at a time.

 - Adding the jetstress files to the exclude list in the Anti-Virus
software. (A low probability, I've never heard of Anti-Virus causing this
particular type of error, and I can't imagine the mistake an anti-virus
product would have to have to cause this side effect)

 - If you can reproduce it several times, you could followup with Dell.  
Good luck.

I'm not sure if I answered your question ...

Cheers,
BrettSh


On Sun, 4 Dec 2005, Eric Fleischman wrote:

> Going back to the original post, I'm not sure I fully understand the
> problem yet. Susan, can you define "ntds.dit file corruption" for us?
> What sort of corruption? What errors/events lead you to believe this?
> Specifically, I'm interested in errors from NTDS ISAM or ESE if you
> have any.
>  
>  
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks 
> [MVP]
> Sent: Sat 12/3/2005 10:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Ntds.dit file corruption
> 
> 
> 
> SBS box [with Windows 2003 sp1 since September]
> 
> RE: [ActiveDir] Database Corruption:
> http://www.mail-archive.com/activedir@mail.activedir.org/msg32676.html
> 
> We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant
> and PSS have been banging on.  Could not get the services back running,
> changed the RPC service to local system and some service came back up [I
> don't have all the details but the consultant opened a support case of
> SRX051202605433].
> 
> Bottom line they are about going to give up and start a restore but
> before they do that I'd like to get the view of the AD gods and
> goddesses around here.  From all that I've seen, read, seen in the SBS
> newsgroup, the corruption of ntds.dit is rare to nil and an underlying
> cause is hardware issues [raid, disk subsystem].  This doesn't just
> happen.
> 
> The VAP asked if not properly excluding the ad databases from the a/v
> would cause this/trigger this and my expectation is 'no', given that I
> doubt the majority of us in SBSland properly set up exclusions
> Virus scanning recommendations on a Windows 2000 or on a Windows Server
> 2003 domain controller:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
> 
> If this were my hardware and box, I'd be putting this sucker on the
> operating table and getting an autopsy before putting it back online.
> 
> Are we right in being paranoid now about this hardware?  For you guys in
> big server land you'd just slide over another box into that server role.
> 
> ---
> Stupid question alert
> 
> Okay so we know that having a secondary/additional domain controller is
> a good thing even in SBSland...but question many times the second
> server in SBSland is a terminal server box because we do not support TS
> in app mode on our PDCs. So we've established that having a domain
> controller and a terminal server is a security issue [see Windows
> Security resource kit, NIST Terminal services hardening guide, etc
> etc]  If our second server is a member server handing out TS
> externally, should that be a candidate for the additional DC?  Are the
> issues of TS on a DC ... true for 'any' DC?  Would it be better than to
> Vserver/VPC a Win2k3 inside a workstation in the network if a third
> server box was not feasible?
> 
> 
> 
> 



RE: [ActiveDir] GC list

2005-11-29 Thread Brett Shirley
Note instead of repadmin /options *, look for GC flag, you can run

repadmin /viewlist gc:

Gives only all GCs in your forest ... something I thought would probably
be useless when I implemented it.

Cheers,
-BrettSh [msft - ESE - SDE]

On Tue, 29 Nov 2005, Almeida Pinto, Jorge de wrote:

> to view all DCs in the forest
> * repadmin /viewlist *
>  
> to view all DCs in the domain
> * run nslookup and configure set type=srv and query for 
> _ldap._tcp.dc._msdcs.. (per domain)
> * NLTEST /DCLIST:
> * netdom query dc
> * run replmon and ask for "show domain controllers in domain"
>  
>  
> to view all DCs that have the GC flag checked (all DCs in the forest will be 
> returned and the DC with the GC flag enabled will have the IS_GC option)
> * repadmin /options *
>  
> to view all DCs that have the GC flag checked
> * run replmon and ask for "show global catalog servers in the enterprise"
> * run nslookup and configure set type=srv and query for 
> _ldap._tcp.gc._msdcs..  (per forest)
>  
>  
> most options will give you the server names, but only NSLOOKUP returns the DC 
> name and its Ip address
>  
> with all you may still need to tweak the output in the way you want to see it
>  
> Cheers,
> Jorge
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Harding, Devon
> Sent: Tue 11/29/2005 10:43 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] GC list
> 
> 
> 
> What's the easiest way to get a list of ALL my DC's and GC's in my forest 
> along with IP address?
> 
>  
> 
> Devon Harding
> 
> Windows Systems Engineer
> 
> Southern Wine & Spirits - BSG
> 
> 954-602-2469
> 
>  
> 
> 
> 
> __
> This message and any attachments are solely for the intended recipient
> and may contain confidential or privileged information. If you are not
> the intended recipient, any disclosure, copying, use or distribution of
> the information included in the message and any attachments is
> prohibited. If you have received this communication in error, please
> notify us by reply e-mail and immediately and permanently delete this
> message and any attachments. Thank You. 
> 
> 
> 
> This e-mail and any attachment is for authorised use by the intended 
> recipient(s) only. It may contain proprietary material, confidential 
> information and/or be subject to legal privilege. It should not be copied, 
> disclosed to, retained or used by, any other party. If you are not an 
> intended recipient then please promptly delete this e-mail and any attachment 
> and all copies and inform the sender. Thank you.
> 
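
An added PowerShell example covering both this thread (every DC and GC in
the forest with IP addresses) and the "Reducing number of Global Catalogs"
thread above (the Infrastructure Master must sit on a non-GC unless every
DC in the domain is a GC). This is not code from the original posts; it
assumes the ActiveDirectory RSAT module and an account that can read the
forest. Brett's repadmin /viewlist gc: one-liner is shown in a comment for
comparison.

```powershell
# Added example, not part of the original posts.
# Inventory DCs/GCs with IPs, then check Infrastructure Master placement per domain.
# Assumes: ActiveDirectory module (RSAT).
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DcInventory {
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # -Server <domain> scopes the query to that domain's DCs.
        foreach ($dc in (Get-ADDomainController -Filter * -Server $domainName)) {
            [pscustomobject]@{
                Domain = $domainName
                DC     = $dc.HostName
                IPv4   = $dc.IPv4Address
                IsGC   = $dc.IsGlobalCatalog
                IsIM   = ($dc.HostName -eq $domain.InfrastructureMaster)
            }
        }
    }
}

function Test-ImPlacement {
    param([object[]]$Inventory)
    foreach ($domainName in ($Inventory.Domain | Sort-Object -Unique)) {
        $rows  = $Inventory | Where-Object Domain -eq $domainName
        $allGC = -not ($rows | Where-Object { -not $_.IsGC })
        $im    = $rows | Where-Object IsIM | Select-Object -First 1
        if ($allGC) {
            "$domainName : every DC is a GC, IM placement does not matter."
        } elseif ($null -eq $im) {
            "$domainName : WARNING, Infrastructure Master not found among the DCs."
        } elseif ($im.IsGC) {
            "$domainName : WARNING, IM $($im.DC) is a GC but not all DCs are GCs; move the IM to a non-GC."
        } else {
            "$domainName : IM $($im.DC) is on a non-GC (correct)."
        }
    }
}

$inventory = Get-DcInventory
$inventory | Sort-Object Domain, DC | Format-Table Domain, DC, IPv4, IsGC, IsIM -AutoSize

# Only the GCs, the same set Brett's shortcut returns:
#   repadmin /viewlist gc:
$inventory | Where-Object IsGC | Select-Object DC, IPv4

Test-ImPlacement -Inventory $inventory
```

The inventory is built once and reused for both reports, so the GC list and
the placement check always describe the same snapshot of the forest.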



RE: [ActiveDir] Microsofts Exchange Server 12 64 bit announcement

2005-11-21 Thread Brett Shirley
Cost debate ...

I've heard that on big Exchange servers that by a factor of 4 or 5 to 1,
the cost is mostly spent on big disk hardware (read as SAN).  It is the
IOPS that cost.  With a 4x drop in IOPS required, the same hardware will
be usable for more users/servers.  Clearly the people who get the rub is
the medium and small businesses ...

Well, even the medium business may have some savings, in that if they're
on the small-ish side of medium business, they will have the new Centro
bundles, that I think save on software costs.  And if on the larger end,
they're probably bursting at their disk subsystems' seams, they may not
have to move to a SAN so soon, or their SAN may last them alot longer.

With everything they pack on a small business server, they're probably
overloaded already, and _esp_ tight in kernel memory address space, I'm
surprised they don't hit NPP exhaustion all the time.  It is likely this
will be a blessing in disguise, with 64-bit address space, and 8 GBs of
memory, those servers will be happier servers.

Engh, clearly it is _not_ the most ideal, but I don't think it will be too
bad.  People have been pointing out, a lot of people are unknowingly
buying the right hardware today.  I apologize to the small business
crowd, when upgrading, please plan on buying a new server one to three
years from now.

Brian, do you mind sharing of the 400k you spent, what proportion was disk
hardware that could be transitioned?

Brian, if it's difficult to repurpose hardware, I suggest you inform the
org, that you'll be working on "tuning the hardware config of those old
Exch servers in your office, until they figure out where they want you to
actually repurpose them".  That should give you some nice desktop
development box for at least a few years. ;)

Unfortunately, there are other costs besides new hardware. :P For instance
is any of the backup software, or the anti-virus software, or possibly
your monitoring agents going to be native 64-bit?  Some of them may even
need to be to run on 64-bit servers.  Not to mention the cost (in time) of
getting an admin to perform migration, over a more silent, just upgrade
the binaries type upgrade.  Remember a month of an admin's time is a
company committing between 5k and 15k to that effort.

All this gets weighed.

On the other side of the scale, however, is that in place upgrades,
prevent the development team from making the most drastic changes, because
the code must be made to either upgrade the database (often intractable)
or have two code paths to handle both formats (often unsupportable long
term).  I don't think there are actually too many people who would trade
the 4x IOPS savings, for in-place upgrade feature.

Also in some ways moving to 64-bit wholesale, actually improves the story
for all those other bits of ancillary software, because vendors won't let
the 64-bit support linger.

Engh, clearly it is _not_ the most ideal, but I don't think it will be a
terrible burden.  People have been pointing out, a lot of people are
unknowingly buying the right hardware today.  I apologize to the small
business crowd, when upgrading, please plan on buying a new server one to
three years from now.

Cheers,
BrettSh [msft]
ESE Developer

This posting is provided "AS IS" with no warranties, and confers no
rights.

On Tue, 15 Nov 2005, Brian Desmond wrote:

> I wish it was that easy. Dysfunctional silo'ed government organizations make
> simple things like moving hardware to a new task a monumental task.
> Especially when there are use restrictions on funds used to purchase things.
> 
> 
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>  
> c - 312.731.3132
>  
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: Tuesday, November 15, 2005 9:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Microsofts Exchange Server 12 64 bit announcement
> 
> Most organisations (including yours perhaps?) could plan to redeploy
> current Exchange hardware elsewhere if it's not quite end-of-life by the
> time they're ready to deploy E12.  Not all systems will have the 64 bit
> requirement in the time frame we are talking about, so you are likely to
> have some flexibility if you have other servers that you need to
> hardware refresh in the meantime.
> 
> Just a thought.
> 
> Tony
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
> Sent: Wednesday, 16 November 2005 2:33 p.m.
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Microsofts Exchange Server 12 64 bit
> announcement
> 
> I see this environment lasting past the E12 timeline. It has a ton of
> room to
> grow in all aspects of the hardware. This seems like the sort of thing
> that
> they needed to have announced a while ago. 
> 
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>  
> c - 312.731.3132
>  
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailt

RE: [ActiveDir] Microsofts Exchange Server 12 64 bit announcement

2005-11-21 Thread Brett Shirley
I can confirm, yes, you will only be able to deploy Exchange 12 on amd64
(well x64, i.e. including EMTWhatever) hardware.

Now, I must confess something ...

A bit over one and a half years ago (~Mar 2004, give or take a couple
months), there was this "Focus 64" campaign, posters showed up everywhere
"Focus 64 ... Shift to the power of 64-bit ... 
Objects in mirror are closer than they appear."  It was just some internal
propaganda to get the development teams to be thinking and taking into
consideration 64-bit ... there are always a few of these campaigns going
on ...

Around the same time or shortly before this Exchange was still asking if
we could add PAE/AWE support to ESE like SQL.  At one point, I vaguely
remember yelling across the room, "PAE?  PAE?!?  Are you kidding me?!  We
have 64-bit desktops today!  PAE will be museums in five years!" (the
exact wording probably involved swear words).  I also mentioned that PAE
is a horrible hack, it makes me nauseous.  Hack up ESE because they didn't
want to port to 64-bits?  Shortly after they were waffling again!!
Wondering if they could just make it run as a 32-bit app on 64-bit OSs,
large memory aware so they could go from the ~3GB they got today to the
3.9GB of address space a large aware app gets on an amd64 based Windows OS
(that'd be a 30% increase in available memory).  They could get this if
they only ported the IFS driver to 64-bit, or removed it.  BTW, the IFS
driver is what prevents running 32-bit Exch2k3 on 64-bit OSs.  64-bit OSs
require 64-bit drivers / kernel mode components.  At which point I made a
clarifying comment to the effect of, "No, no, I want to see 48 GBs of ESE
buffer cache!  Only a native 64-bit store.exe will do.  Get off your ..."
(perhaps I felt more swear words were necessary, I don't remember)
Anyway, with all this debate on "what 64-bit support means", I just wasn't
100% convinced that Exchange was compelled enough ...

So I arranged with the guy in charge of the Focus 64 campaign to reserve
50 posters for the Exchange mailbox team's floor exclusively, and one
night I snuck over in the dead of night (or early early morning I think)
and plastered these posters up and down the mailbox team's hall, I put
64-bit posters in their regular reserved War team room, on the back of the
dev manager's chair, and even on the back of the bathroom stall doors,
just so when they're really "concentrating", they'd be thinking 64-bit.

I mean what was I supposed to do !?, they were making JET Blue look
bad.  We've servers 1 TB worth of databases attached, and only .09 to .12%
of DB buffer cache, and email is kind of weird load, kind of 4/5ths OLTP
and 1/5th DSS, and well basically Exchange is _starved_ for memory today.
JET had multiple 64-bit binaries (the Win2k DEC Alpha binary - Sept 1999
[last shipped in Beta 3, never made it to RTM], the ia64 binaries in Sept
2001, the amd64 binaries in Mar 2003).  We had tested 64-bit Itanium DCs,
with on the order of 32 GBs of RAM, to great effectiveness for huge DIT
files.

Anyway, I'm not going to claim my persistent nagging of the mailbox team
swung the tide, I honestly think they would've come to the decision
naturally on their own (it was the only real choice).  But did walking by
a couple hall ways of posters make them _only_ Focus 64??  I personally
don't think so, but I've confessed, so I have a clear consciousness. :) If
you need someone to blame, you can blame me personally if you like ...


Overall ...

I'm quite happy, the Exchange team stepped up to the plate, and is going
to release IMO, the killer 64-bit app.  They deserve accolades.

There are actually several details besides this one that make an in-place
upgrade a more difficult thing to do/support, and together these details
embolden the forced migration option.  If you read the notes from people
at the IT Forum close enough, I saw at least 2 of the other reasons that
increase the difficulty of doing in place upgrades.  We rigorously debate
these things, there are more aspects to the decision than has been
mentioned so far.

joe, I run my desktop heavily loaded, and frequently run with 200 to 300
windows open, and persistently run out of desktop heap (a kernel mode
resource, I've even increased this several times), I'm greatly
anticipating having a 64-bit desktop for "whizbang GUI stuff".

I had some comments on the cost debate, but I'll put that on another fork
of the thread ...

Cheers,
BrettSh [msft]
ESE Developer

This posting is provided "AS IS" with no warranties, and confers no
rights.



On Wed, 16 Nov 2005, Rich Milburn wrote:

> Makes me wonder if MS is not betting at least some of the farm on the quick 
> 64 bit transition that Gates is certain is going to happen.  If anyone has 
> the potential to influence that switch, MS has got it.  The switch to 32 bit 
> was overdue, so everyone realized the benefits and it happened fast.  But 
> we've currently got a memory model that will allow us to quite comfortably 
> handle readi

Re: [ActiveDir] DHCP ERROR

2005-11-02 Thread Brett Shirley

These are ESE (the database engine under DHCP) events.

Did you reACL anything like the root of the volume or the Windows
directory?

Anti-virus software installed, that is scanning that directory?

Are these events persistent, or sporadic?

Cheers,
BrettSh [msft]


On Thu, 3 Nov 2005, Ravi Dogra wrote:

> Hi All,
> 
> I am getting some Dhcp Errors kindly suggest what could be the
> possible reason for that...
> 
> tcpsvcs (656) An attempt to delete the file
> "C:\WINDOWS\System32\dhcp\backup\old\new" failed with system error 5
> (0x0005): "Access is denied. ".  The delete file operation will
> fail with error -1032 (0xfbf8).
> 
> 
> Event ID 485
> 
> 
> and another is
> 
> 
> tcpsvcs (656) The backup has been stopped because it was halted by the
> client or the connection with the client failed.
> 
> event id 215
> 
> 
> Thanks
> Ravi
> 


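An added triage helper (not code from the thread) that parses ESE file-operation events of the shape quoted above, checks that the hex beside the JET error really is its 16-bit two's-complement form, and maps the Windows error to the checks Brett asks about (re-ACLed directories, scanners holding files open). The event texts are constructed samples based on the quoted message, and the check mapping is my reading of the reply.

```python
"""Parse ESE file-operation events (event 485 style) and suggest the first
checks: directory ACLs for error 5, on-access scanners for error 32."""
import re
from typing import Optional

# Windows system error codes that show up in these events.
ERROR_ACCESS_DENIED = 5
ERROR_SHARING_VIOLATION = 32

# JET (ESE) error codes as defined in the public esent.h header.
JET_ERRORS = {
    -1018: "JET_errReadVerifyFailure",
    -1022: "JET_errDiskIO",
    -1032: "JET_errFileAccessDenied",
    -1811: "JET_errFileNotFound",
}

# Constructed samples: the first two follow the messages quoted in the post,
# the third is a made-up variant where a scanner holds the file open.
SAMPLE_EVENTS = [
    (485, 'tcpsvcs (656) An attempt to delete the file '
          '"C:\\WINDOWS\\System32\\dhcp\\backup\\old\\new" failed with system '
          'error 5 (0x0005): "Access is denied. ".  The delete file operation '
          'will fail with error -1032 (0xfbf8).'),
    (215, 'tcpsvcs (656) The backup has been stopped because it was halted by '
          'the client or the connection with the client failed.'),
    (485, 'tcpsvcs (656) An attempt to delete the file '
          '"C:\\WINDOWS\\System32\\dhcp\\backup\\old\\j50.log" failed with system '
          'error 32 (0x0020): "The process cannot access the file because it is '
          'being used by another process. ".  The delete file operation will '
          'fail with error -1032 (0xfbf8).'),
]

FILE_OP_RE = re.compile(
    r'^(?P<proc>\S+) \((?P<pid>\d+)\) An attempt to (?P<op>\w+) the file '
    r'"(?P<path>[^"]+)".*? failed with system error (?P<winerr>\d+) '
    r'\((?P<winhex>0x[0-9A-Fa-f]+)\): "(?P<winmsg>[^"]*)"\.\s+'
    r'The .*? operation will fail with error (?P<jet>-?\d+) '
    r'\((?P<jethex>0x[0-9A-Fa-f]+)\)\.?$',
    re.DOTALL,
)


def signed16(hex_text: str) -> int:
    """Decode the 16-bit two's-complement hex ESE prints beside a JET error."""
    value = int(hex_text, 16) & 0xFFFF
    return value - 0x10000 if value & 0x8000 else value


def parse_file_event(message: str) -> Optional[dict]:
    """Return the fields of a file-operation event, or None for other events."""
    m = FILE_OP_RE.match(message.strip())
    if not m:
        return None
    jet = int(m["jet"])
    return {
        "process": m["proc"],
        "pid": int(m["pid"]),
        "operation": m["op"],
        "path": m["path"],
        "win_error": int(m["winerr"]),
        "win_message": m["winmsg"].strip(),
        "jet_error": jet,
        "jet_name": JET_ERRORS.get(jet, "unknown"),
        # The decimal and hex forms should agree; a mismatch means the text
        # was mangled somewhere between the event log and the mail.
        "hex_consistent": signed16(m["jethex"]) == jet,
    }


def triage(event: dict) -> str:
    """Map the Windows error to the first thing worth checking."""
    if event["win_error"] == ERROR_ACCESS_DENIED:
        return ("access denied: check the ACL on the parent directory (was the "
                "volume root or the Windows directory re-ACLed?) and whether the "
                "service account can still create and delete files there")
    if event["win_error"] == ERROR_SHARING_VIOLATION:
        return ("sharing violation: another process holds the file open; check "
                "on-access anti-virus or backup agents scanning the directory")
    return "other Windows error; see win_message"


def triage_all(samples=SAMPLE_EVENTS) -> list:
    """(event id, triage text) per sample; None for non-file-operation events."""
    out = []
    for event_id, text in samples:
        parsed = parse_file_event(text)
        out.append((event_id, triage(parsed) if parsed else None))
    return out


if __name__ == "__main__":
    for event_id, verdict in triage_all():
        print(event_id, verdict)
```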

Re: [ActiveDir] Exchange now supported on virtual hardware [okay so now we're getting a bit OT]

2005-10-31 Thread Brett Shirley
Susan, SMTP isn't a client retrieval protocol (like POP), it's a mail
delivery protocol.  IMAP, POP, and MAPI are your client retrieval
protocols.  SMTP and (IIRC) MAPI are mail delivery protocols.  MAPI doing
double duty.  SMTP, IMAP, and POP are the open (i.e. standardized)
protocols.  IMAP is generally considered superior to POP (makes me wonder
does Exchange support IMAP?).

I must caveat and say I'm like 57% sure of all of the above, these things
are happening at least 2 or 3 layers above where I work.

Cheers,
-BrettSh [msft]
ESE Dev

Posting as is ...


On Mon, 31 Oct 2005, Susan Bradley wrote:

> You do realize that that is officially a "transition tool" that you 
> should use to transition 'to' SMTP
> 
> [and yes, even with a dynamic IP and all that you can still host your 
> own email]
> 
> Ed Crowley [MVP] wrote:
> 
> >I have no problem with SBS except that stupid POP mail connector.
> >
> >Ed Crowley MCSE+Internet MVP
> >Freelance E-Mail Philosopher
> >Protecting the world from PSTs and Bricked Backups!?
> >
> >-Original Message-
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
> >aka Ebitz - SBS Rocks [MVP]
> >Sent: Monday, October 31, 2005 5:29 PM
> >To: ActiveDir@mail.activedir.org
> >Subject: Re: [ActiveDir] Exchange now supported on virtual hardware
> >
> >I would just like to point out that the person who has SBS Rocks as part of
> >her email address did not post that
> >
> >I was thinking that though. :-)
> >
> >Ed Crowley [MVP] wrote:
> >  
> >
> >>Less than 50 means SBS, doesn't it?  Who needs virtualization? 
> >>
> >>Ed Crowley MCSE+Internet MVP
> >>Freelance E-Mail Philosopher
> >>Protecting the world from PSTs and Bricked Backups!?
> >>
> >>-Original Message-
> >>From: [EMAIL PROTECTED]
> >>[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. 
> >>Smith
> >>Sent: Monday, October 31, 2005 1:45 PM
> >>To: ActiveDir@mail.activedir.org
> >>Subject: RE: [ActiveDir] Exchange now supported on virtual hardware
> >>
> From a book proposal I wrote:
> >>
> >>According to the United States Small Business Administration (the US 
> >>SBA, at http://www.sba.gov/advo/stats/arsbfaq.txt), small firms:
> >>
> >>* Total approximately 23 million in the United States.
> >>* Represent 99.7 percent of all employer firms.
> >>* Employ half of all private sector employees.
> >>* Pay 44.3 percent of the total U.S. private payroll.
> >>* Generate 60 to 80 percent of net new jobs annually.
> >>* Create more than 50 percent of non-farm, private gross domestic 
> >>product (GDP).
> >>* Are employers of 39 percent of high tech workers (such as 
> >>scientists, engineers, and computer workers).
> >>
> >>Now, the SBA defines a "small firm" as having less than 500 employees. 
> >>For the purpose of our discussion, we'll define a small company as 
> >>having less than 50 employees. According to 
> >>http://www.sba.gov/advo/stats/us_01ss.pdf,
> >>this makes up approximately 50% of all employer firms.
> >>
> >>M
> >>
> >>-Original Message-
> >>From: [EMAIL PROTECTED]
> >>[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> >>Sent: Monday, October 31, 2005 4:39 PM
> >>To: ActiveDir@mail.activedir.org
> >>Subject: Re: [ActiveDir] Exchange now supported on virtual hardware
> >>
> >>Of course it's always best, but I have to wonder what the benefit of 
> >>running smaller exchange servers in a virtual environment would be?  
> >>Is that to deal with shrinking datacenter floor space?  I was thinking 
> >>this might be interesting in an environment where I had lots of branch
> >>
> >>
> >office deployments.
> >  
> >
> >>  Might be easier to deploy a "solution in a box" to those sites. 
> >>Faster recovery scenarios come to mind as well.
> >>
> >>I have to say, I'm with Deji on this.  If you want to deploy a mailbox 
> >>server, I don't see a problem with it up front as long as you treat it 
> >>like
> >>clustering: respect the tool and its idiosyncratic behavior patterns. 
> >>Otherwise, how many people are really deploying >2500 user density 
> >>(and have heavy user populations) for Exchange?  Not nearly as many as 
> >>those deploying less if the majority of companies out there are ~99 
> >>employees in the first place. [1]
> >>
> >>[1] just some stat I picked up in a magazine.  Whatever.  My point is 
> >>that the number of companies that have a) the number of employees to 
> >>do large density deployments and b) the networks to support it are 
> >>fewer than those that would have 10 users here and 50 users there 
> >>spread out across the globe.  By the numbers, you're more likely to 
> >>deploy to a smaller user population than a larger one and I like the 
> >>idea of virtualization for these environments.  It cuts down on some 
> >>of the datacenter clutter although it does increase my risks of 
> >>failure; it may cancel out if I can better watch a single machine's
> >>
> >>
> >environmentals vs. a room full of them.
> >  
> >
> >>
> >>
>

Re: [ActiveDir] Is your AD 'dirty'? OT

2005-10-21 Thread Brett Shirley
Should be fixed.

-B

On Fri, 21 Oct 2005, Brett Shirley wrote:

> I'll ask him, I know him.
> 
> -B
> 
> On Fri, 21 Oct 2005, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> 
> > http://blogs.technet.com/bpuhl/contact.aspx
> > 
> > Ping the blog and see if he'll turn on comments.
> > 
> > Al Mulnick wrote:
> > 
> > > Shame we can't comment it.  I've seen similar and I note that people 
> > > would really do that.  I also think that it's funny that somebody 
> > > would think the effort expended would be less to start again than it 
> > > would to fix what you have.  Especially since it would take a lot to 
> > > figure out what the new would need to be set to.  :)
> > >
> > > He's got an interesting style though.  Thanks for the post.
> > >
> > >
> > >> From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" 
> > >> <[EMAIL PROTECTED]>
> > >> Reply-To: ActiveDir@mail.activedir.org
> > >> To: ActiveDir@mail.activedir.org
> > >> Subject: [ActiveDir] Is your AD 'dirty'?
> > >> Date: Thu, 20 Oct 2005 23:59:41 -0700
> > >>
> > >> Brian Puhl's Weblog:
> > >> http://blogs.technet.com/bpuhl/
> > >>
> > >> This blog might be interesting to watch ;-)
> > >
> > >
> > >
> > >
> > 
> 
> 



Re: [ActiveDir] Is your AD 'dirty'? OT

2005-10-21 Thread Brett Shirley
I'll ask him, I know him.

-B

On Fri, 21 Oct 2005, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> http://blogs.technet.com/bpuhl/contact.aspx
> 
> Ping the blog and see if he'll turn on comments.
> 
> Al Mulnick wrote:
> 
> > Shame we can't comment it.  I've seen similar and I note that people 
> > would really do that.  I also think that it's funny that somebody 
> > would think the effort expended would be less to start again than it 
> > would to fix what you have.  Especially since it would take a lot to 
> > figure out what the new would need to be set to.  :)
> >
> > He's got an interesting style though.  Thanks for the post.
> >
> >
> >> From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" 
> >> <[EMAIL PROTECTED]>
> >> Reply-To: ActiveDir@mail.activedir.org
> >> To: ActiveDir@mail.activedir.org
> >> Subject: [ActiveDir] Is your AD 'dirty'?
> >> Date: Thu, 20 Oct 2005 23:59:41 -0700
> >>
> >> Brian Puhl's Weblog:
> >> http://blogs.technet.com/bpuhl/
> >>
> >> This blog might be interesting to watch ;-)
> >
> >
> >
> >
> 



RE: [ActiveDir] Knowing when users were deleted.

2005-10-18 Thread Brett Shirley
Ulf, what Al (well the suggestion on the plate) is suggesting is that the
"something to centralize that info", _is_ AD replication.  Implying the
data is in AD.

Cheers,
-Brett


On Tue, 18 Oct 2005, Ulf B. Simon-Weidner wrote:

> |  Wherever the information gets put, it should be a) done as 
> |the default yet configurable b) centrally viewable (I should 
> |NOT have to visit each DC in my forest to find the data) and 
> |c) be included in the base product.
> 
> Exactly, that's what I meant. Enable that logging by default and provide
> something to centralize that info.
> 
> |-Original Message-
> |From: [EMAIL PROTECTED] 
> |[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> |Sent: Tuesday, October 18, 2005 2:42 AM
> |To: ActiveDir@mail.activedir.org
> |Subject: RE: [ActiveDir] Knowing when users were deleted.
> |
> |Not sure that's going to fix the issue though, unless I'm 
> |missing something. 
> |  Wherever the information gets put, it should be a) done as 
> |the default yet configurable b) centrally viewable (I should 
> |NOT have to visit each DC in my forest to find the data) and 
> |c) be included in the base product.  I can see no valuable way 
> |to otherwise do this.  Having to deploy yet another product 
> |doesn't fix the problem, it exacerbates it; it's even worse if 
> |it's a reskit item as those aren't "supported" nor as heavily 
> |tested.  This is important enough that it should be and should 
> |meet those criteria above.
> |
> |We may just need to knock a few more edges off before 
> |submitting this FMR ;)
> |
> |
> |>From: "Ulf B. Simon-Weidner" <[EMAIL PROTECTED]>
> |>Reply-To: ActiveDir@mail.activedir.org
> |>To: 
> |>Subject: RE: [ActiveDir] Knowing when users were deleted.
> |>Date: Mon, 17 Oct 2005 23:36:44 +0200
> |>
> |>Another Hmm.
> |>
> |>I'd still like to see that better configured that putting it into the 
> |>AD if the infos are already there (or configurable). We could request 
> |>to make it default to log that kind of info. And as far as we are 
> |>talking about looking into every server: Where's ACS? And also SNMP 
> |>would be an option to get notified on a single system instead of 
> |>looking into every DC.
> |>
> |>Ulf
> |>
> |>|-Original Message-
> |>|From: [EMAIL PROTECTED]
> |>|[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> |>|Sent: Monday, October 17, 2005 3:10 AM
> |>|To: ActiveDir@mail.activedir.org
> |>|Subject: RE: [ActiveDir] Knowing when users were deleted.
> |>|
> |>|I'll see your Eurocents and add raise you two. :)
> |>|
> |>|I fully understand where you're coming from Ulf.  Adding this 
> |>|information into the DIT when it is currently possible to get is 
> |>|something that grates against common sense and common engineering 
> |>|principles even if you subscribe to belts and braces methodologies.
> |>|
> |>|However, I think two things make this a worthwhile request 
> |with a big 
> |>|payoff.  First to Laura's point about diminishing returns.  I agree, 
> |>|at some point there will be diminishing returns.  I also 
> |believe that 
> |>|as hardware gets bigger (i.e.
> |>|Standard 80 GB hard drives, 1 GB memory in workstation 
> |machines, etc. 
> |>|[1]) the bar gets raised until we get to the diminishing return.  
> |>|Since we're targeting 80/20 out of the box [2] it seems reasonable 
> |>|that 80% of the deployments would benefit from such a change. The 
> |>|other 20 would be those that
> |>|a) don't care or know about such things and b) those that can't 
> |>|tolerate the additional overhead and therefore wouldn't want 
> |to deploy 
> |>|it.  I say tough pickles to them.  :) Seriously, this could be on by 
> |>|default but configurable (group
> |>|policy?) to disable it as a performance issue etc.
> |>|
> |>|Second, I think that the major benefit is the ability to 
> |actually get 
> |>|usable information native to the product vs.
> |>|having to invest in a third party product. Why?  Because today in 
> |>|order to get that information I have to have something that scrapes 
> |>|the Security logs looking for such information.  Is this a 
> |good idea?  
> |>|I think it is.  Is it something that could be native?  I think it 
> |>|could and should be native if technically feasible.
> |>|
> |>|Making us look in a particular DC's event logs is more 
> |difficult than 
> |>|it should be without yet another product.
> |>|That's fine for the really large companies that have deeper pockets, 
> |>|and larger needs.  For the small to medium businesses, it should not 
> |>|be so difficult nor should it
> |>|*require* SQL licensing or expertise.
> |>|
> |>|
> |>|
> |>|[1] I'm not saying that the quality has kept up, only that the 
> |>|hardware is bigger, faster, stronger and cheaper.
> |>|[2] I'm making that up, but it sounds reasonable
> |>|
> |>|
> |>|
> |>|
> |>|-Original Message-
> |>|From: [EMAIL PROTECTED]
> |>|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
> |>|Simon-Weidner
> |>|Sent: Sunday, October 16, 2005 4:42

RE: [ActiveDir] Knowing when users were deleted.

2005-10-18 Thread Brett Shirley

The proposal was no history, nor even a history of who modified it, merely
who made the current state of the AD be the way it is.  In order to do
that, you must track the modifier (whether by "backlink", GUID, SID, DN,
samAccountName, whatever) at the replication conflict level, ergo for each
attribute, and for DN values for each value.

The ancillary question, was, would it be OK to just get the last modifier
at the object level (i.e. aggregate it up to who last touched the object,
any attribute of value).  Obviously, this would lose who made the change
at time whenChanged minus 1 (or more).

The first probably will not bloat the DIT, (in fact it will probably
shrink the DIT as I will show shortly, when I find an extra hour).  In a
twist of irony, the latter even though significantly less data, would
probably bloat the DIT (although obviously only very slightly).

This is because to implement the first idea, you have enough of an impact
on DIT size (10% or more), the team would consider strongly compressing
the meta-data to make up for it.  Whereas the latter, would be so
insignificant, that no one would invest in any compression.  At least that
is my prediction of how it would play out.

Cheers,
-Brett


On Tue, 18 Oct 2005, Almeida Pinto, Jorge de wrote:

> Hi,
> 
> I'm not sure if I would want this in the AD DB as this would mean a
> larger DIT (as every change is stamped... - how many versions are kept
> as history?) and additional replication traffic. I would prefer a better
> central auditing solution instead of having to check each DC to see for
> who made a change and when.
> 
> Jorge
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
> Sent: Tuesday, October 18, 2005 10:17
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Knowing when users were deleted.
> 
> joe wrote:
> > Correct, you can currently only get the when and the where (DC Where 
> > not Client Where).
> >  
> > Which raises the question. How many people would like a metadata stamp
> 
> > with the GUID or SID of the userid that made the modification for a 
> > given attribute (or value if appropriate)? Or would it be ok to just 
> > have who made the last change to the object? Either way, none of the 
> > "administrators group" nonsense, it points to a specific security
> principal.
> 
> 
> count me with this request
> 
> 
> --
> Tomasz Onyszko
> http://www.w2k.pl
> 
> 
> 



RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Brett Shirley
You then change the representation from an external one to an internal
one, which is a significant design decision ... I wrote up about a page
filling out the argument against using a backlink scheme ... then figured
there probably isn't interest, as we're talking a hypothetical feature.  
Let me know if you want me to finish off and send my argument against
backlinks ...

Cheers,
BrettSh [msft]

On Fri, 14 Oct 2005, joe wrote:

> Can you do some sort of backlink type of magic where you use some smaller
> sized value to represent the real value via indirection or something? 
> 
> I expect most companies would be willing to take the hit on DIT size to get
> this kind of capability. ESE can handle it right?
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Friday, October 14, 2005 11:50 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Knowing when users were deleted.
> 
> 
> Ignoring the 16 bytes at the beginning of the metadata for version and attr
> count info, and garbage wasted space ... the metadata for a single attribute
> is 48 bytes, adding the SID (28 bytes) would be an expansion of 57% on the
> _raw_ per attribute metadata size.
> 
> A sampling of a corporate DB showed the raw metadata size to be 15% of the
> DIT size, which would lead me to believe the DIT would expand by ~10% for a
> trivial implementation against this particular corporate DIT.[1]
> 
> However, if you look at the /showobjmeta for _any_ object, you will realize
> that is a data structure that is over ripe (like bananas you wouldn't even
> use for a banana cake) for being compressed.  I think I could add a SID,
> (custom) compress it, and shrink the DIT in size.
> 
> While you might think a GUID is better, because if you add a GUID, it is
> only 16 bytes, but that's a very uncompressible 16 bytes, "effectively a
> random hash".  The SID is more likely to compress properly.
> 
> [1] I expect that corporate DITs vary what % is meta-data by how many certs
> and big blobs they stick in their AD.  I imagine most corporate DITs are
> worse (as in higher % is metadata) than the one I checked out.
> 
> Not that I've been thought of it ...
> 
> Cheers,
> -BrettSh [msft]
> 
> This posting is provided "AS IS" with no warranties, and confers no rights.
> 
> 
> On Fri, 14 Oct 2005, Al Mulnick wrote:
> 
> > 
> > GUID or SID of the user account that made the delete request.  Last 
> > mod may not be enough in case some process gets hold of that data in 
> > the deleted items, even if unlikely.  I want the id of the identity 
> > that put caused the object to be there in the first place.
> >  
> > Having the data for a full undelete option wouldn't seem too terrible 
> > either, although that might significantly increase the storage in the DIT.
> > In the past I've had to write apps to keep that information out of 
> > band in order to put back items mistakenly removed. But I can't see 
> > why I should have to trip through all the DC's Audit logs to find the 
> > information about who deleted something given how common this type of 
> > question is.  It should be recorded same as the audit log (we have the 
> > information, why not stamp it on the object at time of deletion?)
> >  
> > Al
> >  
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Friday, October 14, 2005 11:03 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Knowing when users were deleted.
> > 
> > 
> > Correct, you can currently only get the when and the where (DC Where 
> > not Client Where).
> >  
> > Which raises the question. How many people would like a metadata stamp 
> > with the GUID or SID of the userid that made the modification for a 
> > given attribute (or value if appropriate)? Or would it be ok to just 
> > have who made the last change to the object? Either way, none of the 
> > "administrators group" nonsense, it points to a specific security
> > principal.
> >  
> >  
> > 
> >   _
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Freddy 
> > HARTONO
> > Sent: Friday, October 14, 2005 3:18 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Knowing when users were deleted.
> > 
> > 
> > Hi Yann,
> >  
> > You can find at the deletedobject folder via adfind -showdel and see 
> > the Last modified date - th

RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Brett Shirley

P.S. - You can't really insult me ... 

P.P.S - and if we were smart, we would've compressed the metadata from the
get go ;) and we'd be trying to figure out how to stuff the SID in the
metadata w/o bloating the DIT by 10% ... and instead we'd have to be
really cunning (cunning is smarter than smart) to make it all work out, 

P.P.P.S. - or do surveys to see if the increase in DIT size is worth the
feature to you guys (which is an interesting question in itself, just to
see what people are willing to "pay". ;)

P.P.P.P.S. - Instead we're lucky.  The line between lucky and cunning is
very narrow.

OK, I'm done.


On Fri, 14 Oct 2005, Brett Shirley wrote:

> Well, first you should _never_ ever view anything _I_ am musing as a
> possible feature from the product group, I muse a lot of stuff.  PMs will
> be feature groups spokespeople, I am a dev.  This feature (in various
> forms) has been under consideration before, specifically Win2k, Win2k3,
> and Longhorn timeframes.
> 
> Secondarily, features for any company are always an optimization question
> of profit opportunity of feature A vs. feature B vs. cost vs. available
> resources ... would you give up the planned Longhorn RODC features for
> something like this?
> 
> And finally ... you've dealt with the product group before ... they tell
> us (devs) the first time we go to a conference never promise the customer
> anything, as we are only supposed to set expectations in customers that
> will be delivered on ...
> 
>   IF you really want a commitment on adding it... how about this, I
>   can commit to delivering my first blog post before giving you user
>   modification tracking in metadata.
> 
> ... have I now doomed the feature to never show up?
> 
> So you asked was that a yes or no in that previous post ... I'd view this
> as nothing less than and nothing more than ... msft has smart people who
> think about this stuff ... and in that spirit, if it were done, you
> probably don't need to worry about DIT bloat (I'm much too smart to let
> that happen, frankly you insult me ;).
> 
> Cheers,
> BrettSh [msft]
> 
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> 
> On Fri, 14 Oct 2005, Al Mulnick wrote:
> 
> > Is that a "yes" you'll add it? Or no, "..and no bananas for you." answer?
> > 
> > Al
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Friday, October 14, 2005 11:50 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Knowing when users were deleted.
> > 
> > 
> > 
> > Ignoring the 16 bytes at the beginning of the metadata for version and attr
> > count info, and garbage wasted space ... the metadata for a single attribute
> > is 48 bytes, adding the SID (28 bytes) would be an expansion of 57% on the
> > _raw_ per attribute metadata size.
> > 
> > A sampling of a corporate DB showed the raw metadata size to be 15% of the
> > DIT size, which would lead me to believe the DIT would expand by ~10% for a
> > trivial implementation against this particular corporate DIT.[1]
> > 
> > However, if you look at the /showobjmeta for _any_ object, you will realize
> > that is a data structure that is over ripe (like bananas you wouldn't even
> > use for a banana cake) for being compressed.  I think I could add a SID,
> > (custom) compress it, and shrink the DIT in size.
> > 
> > While you might think a GUID is better, because if you add a GUID, it is
> > only 16 bytes, but that's a very uncompressible 16 bytes, "effectively a
> > random hash".  The SID is more likely to compress properly.
> > 
> > [1] I expect that corporate DITs vary what % is meta-data by how many certs
> > and big blobs they stick in their AD.  I imagine most corporate DITs are
> > worse (as in higher % is metadata) than the one I checked out.
> > 
> > Not that I've thought of it ...
> > 
> > Cheers,
> > -BrettSh [msft]
> > 
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > 
> > 
> > On Fri, 14 Oct 2005, Al Mulnick wrote:
> > 
> > > 
> > > GUID or SID of the user account that made the delete request.  Last 
> > > mod may not be enough in case some process gets hold of that data in 
> > > the deleted items, even if unlikely.  I want the id of the identity 
> > > that caused the object to be there in the first place.
> > >  
> > > Havi

RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Brett Shirley
Well, first you should _never_ ever view anything _I_ am musing as a
possible feature from the product group, I muse a lot of stuff.  PMs will
be feature groups spokespeople, I am a dev.  This feature (in various
forms) has been under consideration before, specifically Win2k, Win2k3,
and Longhorn timeframes.

Secondarily, features for any company are always an optimization question
of profit opportunity of feature A vs. feature B vs. cost vs. available
resources ... would you give up the planned Longhorn RODC features for
something like this?

And finally ... you've dealt with the product group before ... they tell
us (devs) the first time we go to a conference never promise the customer
anything, as we are only supposed to set expectations in customers that
will be delivered on ...

IF you really want a commitment on adding it... how about this, I
can commit to delivering my first blog post before giving you user
modification tracking in metadata.

... have I now doomed the feature to never show up?

So you asked was that a yes or no in that previous post ... I'd view this
as nothing less than and nothing more than ... msft has smart people who
think about this stuff ... and in that spirit, if it were done, you
probably don't need to worry about DIT bloat (I'm much too smart to let
that happen, frankly you insult me ;).

Cheers,
BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.

On Fri, 14 Oct 2005, Al Mulnick wrote:

> Is that a "yes" you'll add it? Or no, "..and no bananas for you." answer?
> 
> Al
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Friday, October 14, 2005 11:50 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Knowing when users were deleted.
> 
> 
> 
> Ignoring the 16 bytes at the beginning of the metadata for version and attr
> count info, and garbage wasted space ... the metadata for a single attribute
> is 48 bytes, adding the SID (28 bytes) would be an expansion of 57% on the
> _raw_ per attribute metadata size.
> 
> A sampling of a corporate DB showed the raw metadata size to be 15% of the
> DIT size, which would lead me to believe the DIT would expand by ~10% for a
> trivial implementation against this particular corporate DIT.[1]
> 
> However, if you look at the /showobjmeta for _any_ object, you will realize
> that is a data structure that is over ripe (like bananas you wouldn't even
> use for a banana cake) for being compressed.  I think I could add a SID,
> (custom) compress it, and shrink the DIT in size.
> 
> While you might think a GUID is better, because if you add a GUID, it is
> only 16 bytes, but that's a very uncompressible 16 bytes, "effectively a
> random hash".  The SID is more likely to compress properly.
> 
> [1] I expect that corporate DITs vary what % is meta-data by how many certs
> and big blobs they stick in their AD.  I imagine most corporate DITs are
> worse (as in higher % is metadata) than the one I checked out.
> 
> Not that I've thought of it ...
> 
> Cheers,
> -BrettSh [msft]
> 
> This posting is provided "AS IS" with no warranties, and confers no rights.
> 
> 
> On Fri, 14 Oct 2005, Al Mulnick wrote:
> 
> > 
> > GUID or SID of the user account that made the delete request.  Last 
> > mod may not be enough in case some process gets hold of that data in 
> > the deleted items, even if unlikely.  I want the id of the identity 
> > that caused the object to be there in the first place.
> >  
> > Having the data for a full undelete option wouldn't seem too terrible 
> > either, although that might significantly increase the storage in the 
> > DIT. In the past I've had to write apps to keep that information out 
> > of band in order to put back items mistakenly removed. But I can't see 
> > why I should have to trip through all the DC's Audit logs to find the 
> > information about who deleted something given how common this type of 
> > question is.  It should be recorded same as the audit log (we have the 
> > information, why not stamp it on the object at time of deletion?)
> >  
> > Al
> >  
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Friday, October 14, 2005 11:03 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Knowing when users were deleted.
> > 
> > 
> > Correct, you can currently only get the when and the where (DC Where 
> > not Client Where).
> >  
> 
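
Brett's compressibility argument in the post quoted above (SIDs from one
domain share everything but the RID, a GUID is effectively random) can be
tried without a DIT. The script below is an added example, not code from
this thread or from Microsoft: it builds a column of binary SIDs from a
made-up domain SID with consecutive RIDs, a column of random GUIDs of the
same count, deflates both and reports the ratios. The domain SID, the record
count and the consecutive RIDs are assumptions (RIDs in a real metadata
column are not consecutive, but the shared 24-byte prefix is what
compresses either way). Windows PowerShell 5 or later, no AD access needed.

```powershell
# Added example, not code from the thread. Deflates a column of binary SIDs
# (one made-up domain, consecutive RIDs) and a column of random GUIDs and
# compares the ratios. Windows PowerShell 5 or later; no AD access needed.

function Get-DeflatedLength {
    param([byte[]] $Bytes)
    $ms = [System.IO.MemoryStream]::new()
    $ds = [System.IO.Compression.DeflateStream]::new(
        $ms, [System.IO.Compression.CompressionMode]::Compress, $true)
    $ds.Write($Bytes, 0, $Bytes.Length)
    $ds.Dispose()                      # flushes the final Deflate block
    return $ms.Length
}

function New-SidColumn {
    # Binary SIDs: 8-byte header + five 32-bit sub-authorities = 28 bytes,
    # the figure Brett quotes. The first 24 bytes are identical for every
    # account in the domain; only the RID differs.
    param([string] $DomainSid, [int] $Count, [int] $FirstRid = 1000)
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($rid = $FirstRid; $rid -lt $FirstRid + $Count; $rid++) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new("$DomainSid-$rid")
        $buf = [byte[]]::new($sid.BinaryLength)
        $sid.GetBinaryForm($buf, 0)
        $bytes.AddRange($buf)
    }
    return ,$bytes.ToArray()
}

function New-GuidColumn {
    # Random GUIDs: 16 bytes each with no shared structure to exploit.
    param([int] $Count)
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i -lt $Count; $i++) {
        $bytes.AddRange([guid]::NewGuid().ToByteArray())
    }
    return ,$bytes.ToArray()
}

$count     = 10000
$domainSid = 'S-1-5-21-1004336348-1177238915-682003330'   # made up for the example

$columns = @(
    @{ Name = 'SID  (28 bytes raw)'; Data = New-SidColumn -DomainSid $domainSid -Count $count }
    @{ Name = 'GUID (16 bytes raw)'; Data = New-GuidColumn -Count $count }
)

foreach ($col in $columns) {
    $raw    = $col.Data.Length
    $packed = Get-DeflatedLength -Bytes $col.Data
    [pscustomobject]@{
        Column         = $col.Name
        RawBytes       = $raw
        DeflatedBytes  = $packed
        Ratio          = [math]::Round($raw / $packed, 2)
        BytesPerRecord = [math]::Round($packed / $count, 2)
    }
}
```

Expected behaviour, not exact numbers: the SID column deflates to a small
fraction of its raw size because the domain prefix is one long repeated
match, while the GUID column stays at about its raw size or slightly above.
That gap is what "more likely to compress properly" means, and it is why a
28-byte field can end up costing less on disk than a 16-byte one.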

RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Brett Shirley

Ignoring the 16 bytes at the beginning of the metadata for version and
attr count info, and garbage wasted space ... the metadata for a single
attribute is 48 bytes, adding the SID (28 bytes) would be an expansion of
57% on the _raw_ per attribute metadata size.

A sampling of a corporate DB showed the raw metadata size to be 15% of the
DIT size, which would lead me to believe the DIT would expand by ~10% for
a trivial implementation against this particular corporate DIT.[1]

However, if you look at the /showobjmeta for _any_ object, you will
realize that is a data structure that is over ripe (like bananas you
wouldn't even use for a banana cake) for being compressed.  I think I
could add a SID, (custom) compress it, and shrink the DIT in size.

While you might think a GUID is better, because if you add a GUID, it is
only 16 bytes, but that's a very uncompressible 16 bytes, "effectively a
random hash".  The SID is more likely to compress properly.

[1] I expect that corporate DITs vary what % is meta-data by how many
certs and big blobs they stick in their AD.  I imagine most corporate DITs
are worse (as in higher % is metadata) than the one I checked out.

Not that I've thought of it ...

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.


On Fri, 14 Oct 2005, Al Mulnick wrote:

> 
> GUID or SID of the user account that made the delete request.  Last mod may
> not be enough in case some process gets hold of that data in the deleted
> items, even if unlikely.  I want the id of the identity that caused the
> object to be there in the first place.  
>  
> Having the data for a full undelete option wouldn't seem too terrible
> either, although that might significantly increase the storage in the DIT.
> In the past I've had to write apps to keep that information out of band in
> order to put back items mistakenly removed. But I can't see why I should
> have to trip through all the DC's Audit logs to find the information about
> who deleted something given how common this type of question is.  It should
> be recorded same as the audit log (we have the information, why not stamp it
> on the object at time of deletion?)
>  
> Al
>  
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, October 14, 2005 11:03 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Knowing when users were deleted.
> 
> 
> Correct, you can currently only get the when and the where (DC Where not
> Client Where). 
>  
> Which raises the question. How many people would like a metadata stamp with
> the GUID or SID of the userid that made the modification for a given
> attribute (or value if appropriate)? Or would it be ok to just have who made
> the last change to the object? Either way, none of the "administrators
> group" nonsense, it points to a specific security principal.
>  
>  
> 
>   _  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
> Sent: Friday, October 14, 2005 3:18 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Knowing when users were deleted.
> 
> 
> Hi Yann,
>  
> You can find at the deletedobject folder via adfind -showdel and see the
> Last modified date - that would be when the object is deleted.
> 
> But as for who deleted - I dont think you can find it without the auditing.
>  
> 
> 
> Thank you and have a splendid day! 
> 
> Kind Regards, 
> 
> Freddy Hartono 
> Group Support Engineer 
> InternationalSOS Pte Ltd 
> mail: [EMAIL PROTECTED] 
> phone: (+65) 6330-9740 - temp 
> 
>  
> 
>   _  
> 
> From: Yann [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 14, 2005 2:57 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Knowing when users were deleted.
> 
> 
> Hi there,
>  
> I wonder if there is a way to know when a user has been deleted from AD
> other than using security audit, because at the time of the deletion, I
> forgot to activate the audit :(
>  
> So my boss urges me to find the guilty user AND the time of deletion.
> I looked for attributes in adsi and found that there is the whencreated,
> whenmodified attribute but not whendeletedtimestamp one.
>  
> Any idea ?
> 
> 
> 
> 
> 



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
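
Where the thread above lands: the time of a delete and the DC it was issued
against live in the replication metadata of the isDeleted attribute (joe's
"when" and "DC where"); the principal that sent the delete is only in the
security audit log. The script below is an added example, not code from the
thread or from Microsoft, that pulls the tombstone and that metadata with
the ActiveDirectory PowerShell module. The module postdates this 2005 thread
(the 2005 equivalents were adfind -showdel and repadmin /showobjmeta); the
parameter names and the assumption that the caller is on a domain-joined
machine are this example's own.

```powershell
# Added example, not code from the thread. Given a deleted account's
# sAMAccountName, report when it was deleted and on which DC the delete
# originated, from the replication metadata of the isDeleted attribute.
# Needs the ActiveDirectory module (RSAT / Windows Server 2012 or later),
# which postdates this 2005 thread; back then the same data came from
# "adfind -showdel" plus "repadmin /showobjmeta".

param(
    [Parameter(Mandatory = $true)]
    [string] $SamAccountName,                            # assumed input, not LDAP-escaped here
    [string] $Server = $env:LOGONSERVER.TrimStart('\')   # any DC; metadata replicates everywhere
)

Import-Module ActiveDirectory -ErrorAction Stop

# Tombstones live under CN=Deleted Objects and are only returned when the
# LDAP_SERVER_SHOW_DELETED control is sent, which -IncludeDeletedObjects does.
# sAMAccountName, objectSid and lastKnownParent are preserved on the tombstone.
$tombstones = Get-ADObject -Server $Server -IncludeDeletedObjects `
    -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
    -Properties sAMAccountName, objectSid, lastKnownParent, whenChanged

if (-not $tombstones) {
    Write-Warning "No tombstone for '$SamAccountName' on $Server: never existed, or already past tombstoneLifetime and garbage-collected."
    return
}

foreach ($t in $tombstones) {
    # isDeleted is stamped once, by the DC that processed the delete, so its
    # originating time and originating DSA are the "when" and the "DC where".
    # The client that sent the delete (the "who") is not in the metadata;
    # only the security audit log has that.
    $meta = Get-ADReplicationAttributeMetadata -Server $Server -IncludeDeletedObjects `
        -Object $t.DistinguishedName -Properties isDeleted

    [pscustomobject]@{
        SamAccountName  = $t.sAMAccountName
        ObjectSid       = $t.objectSid.Value
        LastKnownParent = $t.lastKnownParent
        DeletedAtUtc    = $meta.LastOriginatingChangeTime.ToUniversalTime()
        DeletedOnDC     = $meta.LastOriginatingChangeDirectoryServerIdentity
        WhenChanged     = $t.whenChanged   # what adfind -showdel shows; same instant unless the tombstone was touched later
    }
}
```

Two caveats a practitioner should keep in mind: the tombstone, and with it
this metadata, is garbage-collected once tombstoneLifetime expires, so the
query has to be run before then; and DeletedOnDC is the DC the client talked
to, which narrows down where to look for the audit record but does not name
the account that issued the delete.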


RE: [ActiveDir] Documenting AD

2005-10-13 Thread Brett Shirley
I shot this off w/o much forethought, the /d is fairly AD replication
oriented, and clearly not a complete picture.

People have pointed out lots of other stuff, schema, trusts, etc ... good
thread.

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.
 

On Thu, 13 Oct 2005, Brett Shirley wrote:

> 
> There is an undocumented switch "/d" in dcdiag that spills out a bunch of
> quasi formated output for the forest.  Useful for collecting most of the
> forest info at once, I've had PSS send me the output, when diagnosing
> customer issues.
> 
> This is basically debugging (/d) information off the internal view of your
> forest that dcdiag builds when it runs, and as such it is likely to change
> or expand at any time.
> 
> Cheers,
> -BrettSh [msft]
> 
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> 
> 
> On Thu, 13 Oct 2005, Almeida Pinto, Jorge de wrote:
> 
> > What could be interesting is just having the information, not how it is 
> > presented. For the documentation of the site and replication topology (and 
> > of course others like OUs structure, members of powerful groups, etc.) you 
> > could use something like ADFIND. OK, the presentation of it may not be the 
> > most beautiful for documentation but it could be used
> >  
> > my EUR 0,0002
> >  
> > Cheers,
> >  
> > Jorge
> >  
> > ADFIND: http://www.joeware.net/win/free/tools/adfind.htm
> > determine sites:
> > adfind -config -f "(objectClass=site)" -dn
> > determine subnets and associated subnets:
> > adfind -config -f "(objectClass=subnet)" distinguishedname siteobject
> > determine properties of the intersite transports
> > adfind -config -f "(objectClass=interSiteTransport)"
> > determine site links and associated sites:
> > adfind -config -f "(objectClass=sitelink)" distinguishedname sitelist
> > determine all Site link bridges and its properties
> > adfind -config -f "(objectClass=siteLinkBridge)"
> > determine all NTDS Site Settings objects for each site and its properties
> > adfind -config -f "(objectClass=nTDSSiteSettings)"
> > determine all NTDS Settings objects for each DC and its properties
> > adfind -config -f "(objectClass=nTDSDSA)"
> > determine all replication connections and its properties
> > adfind -config -f "(objectClass=nTDSConnection)"
> > 
> > 
> > 
> > From: [EMAIL PROTECTED] on behalf of Peter Johnson
> > Sent: Thu 10/13/2005 11:36 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Documenting AD
> > 
> > 
> > 
> > Also your IP subnets to Site Mappings need to be documented. I.E. a list
> > of all IP subnets and what site in Active Directory Sites and services
> > they belong to.
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
> > Sent: 12 October 2005 18:27
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Documenting AD
> > 
> > [Brett]  >>  "spending time working on AD > Replication, AD
> > backup/restore"
> > Did you create ASR and will a DC who "masters changes" (per joe's
> > comments) and who goes down and has to be rebuilt via ASR have the USN
> > rollback problems you guys are talking about?
> > 
> > [Hint] "Keep it simple."  Some of us cannot follow all of this because
> > you guys are so far out there, we couldn't track you even with the
> > Hubble telescope.
> > 
> > Just tell me my ASRs are OK
> > 
> > RH
> > 
> > ___
> > 
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Wednesday, October 12, 2005 11:42 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Documenting AD
> > 
> > 
> > Additional components:
> > =
> > Schema
> > Database
> > Administrative support model
> > Domain controller spec
> > DC/GC placement
> > Exchange topology and design
> > DNS design (zone type, placement etc etc)
> > SYSVOL/FRS
> > DFS
> > 
> > Administration:
> > ===
> > User and group admin and tools
> > DC admin/support and tools
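
The adfind queries Jorge lists and the subnet-to-site mapping Peter asks
for can be pulled together into one report. The script below is an added
example, not code from this thread, from joeware or from Microsoft: it reads
the same configuration-partition classes (subnet, siteLink, nTDSDSA,
nTDSConnection) with Get-ADObject, joins them into subnet-to-site and
DC-to-inbound-partner tables, and adds the FSMO role holders and trusts
from the documentation checklist. It needs the ActiveDirectory module
(RSAT), which postdates this 2005 thread; the report layout and function
names are this example's own.

```powershell
# Added example, not from the thread. Reads the configuration-partition
# classes Jorge queries with adfind and joins them into subnet-to-site and
# DC-to-partner tables, then adds FSMO roles and trusts. Needs the
# ActiveDirectory module (RSAT), which postdates this 2005 thread.

Import-Module ActiveDirectory -ErrorAction Stop

$cfgNc = (Get-ADRootDSE).configurationNamingContext

function Get-ConfigObjects {
    param([string] $ObjectClass, [string[]] $Properties)
    Get-ADObject -SearchBase $cfgNc -LDAPFilter "(objectClass=$ObjectClass)" -Properties $Properties
}

function Get-RdnValue {
    # Value of the Nth RDN of a DN. Names containing escaped commas are not handled.
    param([string] $Dn, [int] $Index = 0)
    (($Dn -split ',')[$Index]) -replace '^CN='
}

$subnets     = Get-ConfigObjects 'subnet'         @('siteObject')
$siteLinks   = Get-ConfigObjects 'siteLink'       @('siteList', 'cost', 'replInterval')
$dsas        = Get-ConfigObjects 'nTDSDSA'        @('options')
$connections = Get-ConfigObjects 'nTDSConnection' @('fromServer', 'enabledConnection')

$report = [ordered]@{}

# Subnet -> site, the mapping Peter asks to have documented.
$report.SubnetToSite = foreach ($s in $subnets) {
    [pscustomobject]@{
        Subnet = $s.Name
        Site   = if ($s.siteObject) { Get-RdnValue $s.siteObject } else { '(unassigned)' }
    }
}

# Site links with the sites they join, cost and replication interval.
$report.SiteLinks = foreach ($l in $siteLinks) {
    [pscustomobject]@{
        Link         = $l.Name
        Sites        = (@($l.siteList) | ForEach-Object { Get-RdnValue $_ }) -join ', '
        Cost         = $l.cost
        ReplInterval = $l.replInterval
    }
}

# DC -> site, GC flag, inbound replication partners.
# nTDSDSA DN: CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,<cfgNc>
# nTDSConnection objects are children of the destination DC's nTDSDSA and
# name the source DC's nTDSDSA in fromServer.
$report.DomainControllers = foreach ($d in $dsas) {
    $inbound = $connections |
        Where-Object { $_.DistinguishedName.EndsWith(",$($d.DistinguishedName)", 'OrdinalIgnoreCase') } |
        ForEach-Object { Get-RdnValue $_.fromServer 1 }
    [pscustomobject]@{
        DC          = Get-RdnValue $d.DistinguishedName 1
        Site        = Get-RdnValue $d.DistinguishedName 3
        IsGC        = [bool]([int]$d.options -band 1)   # NTDSDSA_OPT_IS_GC
        InboundFrom = ($inbound -join ', ')
    }
}

# FSMO role holders and trusts, from the documentation checklist.
$forest = Get-ADForest
$domain = Get-ADDomain
$report.Fsmo = [pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$report.Trusts = Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive

foreach ($section in $report.Keys) {
    "== $section =="
    $report[$section] | Format-Table -AutoSize | Out-String
}
```

The output is plain text, which is the point Jorge makes: the information
matters more than the presentation, and the same $report object can be fed
to Export-Clixml or ConvertTo-Csv for a snapshot that diffs cleanly between
runs.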

RE: [ActiveDir] Documenting AD

2005-10-13 Thread Brett Shirley
> do you
> go about it? etc
> 
> so far I'm thinking along these lines:
> - a general AD layout diagram detailing the OU structure - Visio will be
> the weapon of choice I think
> - list all GPO's, where they're linked to and what they do etc
> - a breakdown of sites and their links
> - a breakdown of replication settings
> - listing of service accounts with descriptions and reasons for
> existence (maybe?)
> - trusts between any other domains
> - detail FSMO roles
> 
> ... and that's kinda where I run out of ideas lol
> 
> what do you all reckon? Have I missed or gone overboard on anything?
> 
> if I've got the time I'd like to try and script as much of this as
> possible, but if anyone knows of something that does some / all of this,
> please let me know before I kill myself scripting all night :D lol
> 
> Cheers :)
> 
> 
> For Troup Bywaters + Anders
> 
> Tim Sutton 
> 
> T: +44 (0) 113 243 2241
> F: +44 (0) 113 242 4024
> E: [EMAIL PROTECTED] 
> W: www.TBandA.com  
> 
> Eastgate House
> 10 Eastgate
> Leeds
> LS2 7JL
> Office Location Map
> 
> -Original Message-
> From: David Adner [mailto:[EMAIL PROTECTED]
> Sent: 06 May 2005 20:21
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] best practice? (aka: USN rollback discussion
> and why it's a bad idea to image DC's for recovery purposes)
> 
> Since no one referenced them during this thread... For a bit more detail
> on the subject, check these out.
> 
> How to detect and recover from a USN rollback in Windows Server 2003
> http://support.microsoft.com/?kbid=875495
> 
> How to detect and recover from a USN rollback in Windows 2000 Server
> http://support.microsoft.com/?kbid=885875
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Thursday, May 05, 2005 13:19
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] best practice?
> >
> >
> > I don't really have serious time to answer this right now ...
> >  so for now, you're going to have to trust me, it's not just a little
> > bad you can recover from it with X, it is _really_ bad to do an image
> > based restore, and hard to restore normality afterwards ...
> >
> > I'll prop a portion of a slide deck later on, where I show to the
> > backup vendors how the inconsistency is introduced ...
> > but I don't know if it will make sense w/o my delivery.  It is also a
> > bit simplified.  joe is close below, some comments inline, in joe's
> > mail, as it's the closest so far to understanding why this is bad ...
> >
> > BTW, clean and dirty AD DB have _nothing_ to do with this.
> > clean/dirty is an ESE / JET Blue level concept, this is an entirely AD
> > Logical issue.
> > Nothing prevents an ESE database from being imaged.  The AD has a
> > design decision that prevents image based restores.
> >
> > I don't play XBox or any computer games really.  I know that sounds
> > weird, that a computer geek would not play video games, but I met a
> > girl at a party the other day who is a huge FPS player, so I think the
> > world somehow balances out in that respect.  How could that compare to
> > the relaxing sense of accomplishment of working out particularly
> > cunning methods of compressing replication metadata ... I mean really?
> > Same goes for hair maintenance tasks.
> >
> > On Thu, 5 May 2005, joe wrote:
> >
> > > I am actually waiting for Brett or ~Eric to respond to your post as
> > > well. I am positive they could give you a bulleted list of
> > things that
> > > you as well as the rest of us are completely unaware of
> > that will go
> > > pear shaped both because they have seen things like that or
> > just know
> > > it from familiarity with the code paths involved.
> > >
> > > AD will not do a complete reload of the DB on its own, that
> > was an NT4
> > > thing that occurred if the change log rolled. All gone now.
> > >
> > > Do some searching on DSA IDs/GUIDs and Invocation
> > IDs/GUIDS. A DSA ID
> > > is the GUID for the DC itself[1], it doesn't change for the life of
> > > the DC from my understanding. The invocation GUID[2] changes on
> > > restores, again to flag, hey new DB,
> >
> > [BrettSh] It's not a new DB so much, as a new 

RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-11 Thread Brett Shirley
re: "some virtualization and isolation of processes and threads ..."

A CS teacher once told me that in general in computers whenever you hear
the word "virtual", you can replace with "slow" ...

 - virtual memory (yeah, yeah I'm really thinking of paging, not VM,
but I used a Mac first, so it stuck with me.)
 - virtual machine
 - virtual reality (though getting fastish these days)
 - 

But for the most part it is true.

To actually virtualize threads, processes, (and in this case we're
probably thinking the subcomponents in lsass: Kerb, NTLM, SAM, LSA, AD)
you may not be willing to pay the perf cost.  And subsequently the
hardware cost to handle the same load.  Usually you don't need hard
virtualization just good architecture to achieve most of the benefits of
good isolation.

Also there is a cost to isolation (whether through virtualization or
architecture), it almost always implies "a hop", some sort of link that
has a certain likelihood to break.  In many circumstances isolation
actually decreases overall system stability (and diagnosability often
decreases too) for the purpose of taking in some sort of more dynamic
flexibility.

I don't know what brought out that spout of abstract crap ...

Cheers,
-BrettSh [msft]


On Tue, 11 Oct 2005, Al Mulnick wrote:

> You know what would really be great? If Microsoft were to make it so that
> the architecture didn't allow those quirky little things that occur in the
> products when they are deployed together on the same machines.  Like
> Exchange not using any other DC if it's deployed on a DC type of quirk. 
> 
> Some real virtualization and isolation of processes and threads so that if
> something were to crash (heavens forbid) it couldn't make a big mess of the
> rest of the platform.  Across all product lines. 
> 
> Why? 
> 
> Because the real value Microsoft has over other products out there is that
> their products have the same look and feel and work together easily which
> translates to lower integration/acquisition/deployment costs if I use their
> products.  If I try to "save" money by going with something else that I have
> to customize in-house, I may not be able to do so as well, as easily or as
> cost-effectively. 
> 
> Because eventually I have to pay the programmers, architects, and support
> costs and since I'm not a tech company, I am not geared to do that.  I can
> either lower my quality, my expectations, or my costs, but likely not all
> three if I roll my own large products. 
> 
> Seriously, getting rid of legacy baggage is fine and dandy as long as there
> is a reason other than complaining.  I notice that the *nix crowd has their
> own problems.  If I were to write something for a *nix platform, my first
> choice is to figure out which manufacturer?  Then which version. Then what
> hardware platform in some cases. I don't have that with Microsoft products
> to the same extent.  To me, they sit somewhere between Macintosh/Mainframe
> and *nix platforms.  Mac/MF is very controlled in terms of revision and
> hardware (from the manufacturer of course).  *nix is more open if you
> include the linux crowd which makes stability much more difficult.
> Microsoft is x86/x64 based. Some choices, but also a lot of same old at the
> OS level.  
> 
> If I were to write an app, it would likely be targeted at WindowsXP first.
> Then I'd figure out a path to go to some of the intel based *nix distros.
> Several companies are going the other direction as well, from *nix platforms
> to Windows to follow the customers. But the reason I would take that
> approach is to get the app to the widest possible audience first and then
> chase the other customers. 
> 
> Kill the legacy.  Ok.  Timelines and how you get the app developer ecosystem
> to come along or be there first are the questions to answer. 
> 
> Does that mean scrapping the domain model?  Hmm... Not sure.  Does it mean
> scrapping the security model?  Maybe. What about blurring lines between my
> network and your network? Better do that else risk being left in the closet.
> 
> 
> What about the desktops?  Anything radical?  Depends on above I think, as
> long as the NOS concept stays intact.  Should it? 
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, October 10, 2005 8:39 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
> 
> 
> Again, I am speaking legacy baggage. If you were a UNIX developer, would you
> rather stick to writing to old proprietary interfaces or using standards
> based interfaces like LDAP and Kerberos, etc. Again, all of the integration
> going on now is working in those areas. Those areas will move fine into the
> new realms. It is the old NET based stuff that need to be burned out of the
> product. Exactly the stuff that all of the non-MS folks have bitched about
> year after year. Dumping the legacy gives us a chance to move

RE: [ActiveDir] Adding custom fields to AD

2005-10-11 Thread Brett Shirley
Yes, I think Sept 20th, 2005, but as anything I or msft produces, there is
a "caveat that it would release when it is ready".

http://groups.google.com/group/microsoft.public.windows.server.active_directory/browse_thread/thread/39151ab777c4582d/7b3bf007a7b96f26?lnk=st&q=JET+Kodiak+Exchange&rnum=2#7b3bf007a7b96f26

I slay me.

Cheers,
BrettSh

P.S. - Eric, the answer is still no.

This posting is provided "AS IS" with no warranties, and confers
no rights.


On Mon, 10 Oct 2005, joe wrote:

> Ah true, I didn't think uses of ADAM which I think may make more sense than
> AD for some of those internet uses.
> 
> So do we have a timeline on these blog entries? 
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Monday, October 10, 2005 1:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Adding custom fields to AD
> 
> Yes, I was hoping you wouldn't take it as who has a bigger database
> contest, that was not my intent.  Besides it was really who has seen the
> bigger database, and who wants to admit that, you want to HAVE the bigger
> database.  My databases aren't really that big, usually a smidgen over the
> default 10 MB size for testing, really quite small actually.
> 
> As for the wondering what kind of crap is stuffed into the AD DB, I'd agree
> with you to some degree ... for corp / NOS type AD DBs ... but the ones I'm
> thinking of are almost always internet auth DBs, and have millions to 10s of
> millions of identities stored.  Then the size starts to make sense.  So you
> can imagine why they get big.
> 
> And finally about the size limit on AD objects, how many attrs,
> multi-values, link values, etc, and such, I have a blog post planned about
> that ... actually 3 posts ...
> 
> Cheers,
> -BrettSh [msft]
> 
> This posting is provided "AS IS" with no warranties, and confers no rights.
> 
> 
> On Sun, 9 Oct 2005, joe wrote:
> 
> > Ah Brett, you incorrigible one, you misunderstand my point of posting 
> > those numbers. It wasn't to say, look how big I have seen, but 
> > instead, look how big these companies are and they still have small 
> > DBs. When I hear of some giant DB I don't think wow, what a big DB, I 
> > think, what kind of sh*t is being thrown into that AD to bloat it to 
> > that extent[1]?  I especially love hearing about companies that jam 
> > huge binaries into the directory like images that get replicated to 
> > the four corners of the earth and are only read by one program, a web app,
> > in one or two of the company's datacenters.
> > Great use of bandwidth. I also especially love seeing a crap load of 
> > data going into the directory for Exchange when Exchange is 
> > centralized, also great use of bandwidth. That site in South America 
> > or in Kuala Lumpur with 10 people and a GC because they have crappy 
> > connectivity certainly needs to have every object and the entire 
> > Exchange selection of data for the other 200,000 users. No possible issues
> > in data theft there...
> > 
> > I think after we get past the training of everyone to only grant 
> > permissions to those that really need the permissions and just those 
> > specific permissions to just those specific people, we will start 
> > training everyone to only put the data where it is really needed. 
> > Anyone with a really large DIT should sit down and look at what is in 
> > it and say, is it really necessary for all of this data to go where it 
> > goes? Is there additional exposure that I have for putting it there that
> > isn't necessary?
> > 
> > Brett, while we have your attention if we do... How about some 
> > training on max data stored per object. What are the limits that we 
> > will hit as we stuff more and more data into say every user object? I 
> > know I have found the magic admin limit exceeded when punching a bunch 
> > of data into a non-linked multivalue attribute and it causing me to 
> > not be able to add any new attributes to the same user object. What other
> > limits are we going to see?
> > Also, why do I see that admin limit on new attributes when the one 
> > single multivalue attribute get filled up?
> > 
> >   joe
> > 
> > 
> > [1] I really am not an entirely negative person. I am best described 
> > as an optimistic pessimist. Hope for the best of all worlds but plan 
> > for the worst. I have also been called a Socialist because I am 
> > willing to buy a burger for a friend and a good conversation. ;o)
> > 
> > 
> > 

RE: [ActiveDir] Adding custom fields to AD

2005-10-09 Thread Brett Shirley
Yes, I was hoping you wouldn't take it as a who-has-the-bigger-database
contest, that was not my intent.  Besides, it was really who has seen the
bigger database, and who wants to admit that? You want to HAVE the bigger
database.  My databases aren't really that big, usually a smidgen over the
default 10 MB size for testing, really quite small actually.

As for wondering what kind of crap is stuffed into the AD DB, I'd
agree with you to some degree ... for corp / NOS type AD DBs ... but the
ones I'm thinking of are almost always internet auth DBs, and have millions
to 10s of millions of identities stored.  Then the size starts to make
sense.  So you can imagine why they get big.

And finally about the size limit on AD objects, how many attrs,
multi-values, link values, etc, and such, I have a blog post planned about
that ... actually 3 posts ...

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.


On Sun, 9 Oct 2005, joe wrote:

> Ah Brett, you incorrigible one, you misunderstand my point of posting those
> numbers. It wasn't to say, look how big I have seen, but instead, look
> how big these companies are and they still have small DBs. When I hear of
> some giant DB I don't think wow, what a big DB, I think, what kind of sh*t
> is being thrown into that AD to bloat it to that extent[1]?  I especially
> love hearing about companies that jam huge binaries into the directory like
> images that get replicated to the four corners of the earth and are only
> read by one program, a web app, in one or two of the company's datacenters.
> Great use of bandwidth. I also especially love seeing a crap load of data
> going into the directory for Exchange when Exchange is centralized, also
> great use of bandwidth. That site in South America or in Kuala Lumpur with
> 10 people and a GC because they have crappy connectivity certainly needs to
> have every object and the entire Exchange selection of data for the other
> 200,000 users. No possible issues in data theft there... 
> 
> I think after we get past the training of everyone to only grant permissions
> to those that really need the permissions and just those specific
> permissions to just those specific people, we will start training everyone
> to only put the data where it is really needed. Anyone with a really large
> DIT should sit down and look at what is in it and say, is it really
> necessary for all of this data to go where it goes? Is there additional
> exposure that I have for putting it there that isn't necessary? 
> 
> Brett, while we have your attention if we do... How about some training on
> max data stored per object. What are the limits that we will hit as we stuff
> more and more data into say every user object? I know I have found the magic
> admin limit exceeded when punching a bunch of data into a non-linked
> multivalue attribute and it causing me to not be able to add any new
> attributes to the same user object. What other limits are we going to see?
> Also, why do I see that admin limit on new attributes when the one single
> multivalue attribute gets filled up?
> 
>   joe
> 
> 
> [1] I really am not an entirely negative person. I am best described as an
> optimistic pessimist. Hope for the best of all worlds but plan for the
> worst. I have also been called a Socialist because I am willing to buy a
> burger for a friend and a good conversation. ;o)
> 
> 
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Sunday, October 09, 2005 11:29 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Adding custom fields to AD
> 
> Mylo, from the way you speak of JET, I suspect you might not know of the two
> JETs, and be thinking that JET = Access ... make sure you're "edJETicated"
> (man, I slay me! ;), see Notes at bottom of this:
>  
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/portal.asp
> This frequent confusion is the reason we use the more desired term, ESE.
> The two JETs, once compatible at the top-level API, have not even had to
> maintain API compatibility for nearly 10 years, so they are quite different.
> 
> If the _active amount of data_ (and the active amount of data can be
> grossly enlarged by bad queries) exceeds memory, some operations will
> probably be thrown down to random disk IO speed (100 IOs / second is a
> standard single spindle/disk) ... ergo you get slow quick.
> 
> And like most database servers in such a situation, you can often throw
> hardware at it.  We have Exchange servers with a TB of databases attached,
> and a much higher update rate, BUT a big SAN to satisfy the IO load

RE: [ActiveDir] Adding custom fields to AD

2005-10-09 Thread Brett Shirley
Someone told me offline, they think I'm wrong about WINS not being in
3.50.  Hmmm, was it DHCP that didn't exist 'til 3.51?  Maybe RPL?  Maybe
WINS just wasn't JET Blue based until then?  H, now I'm all curious.

Cheers,
-BrettSh [msft]

On Sun, 9 Oct 2005, Brett Shirley wrote:

> That is entirely believable (about WINS being a mess).  JET Blue used to
> suck.  In Win2k, finally the older JET Blue 200 / 400 series was replaced
> by the version (ESE97) that underwent the top-to-bottom rewrite during
> Exch 5.5.
> 
> That is why I asked if it was a 4.0 NT server.  I'm not interested in
> chasing down a corruption bug in old JET 400, but if there are consistent
> corruptions in ESE 97+ variants, I'm curious to know how they're showing
> up.  If it's in ESE98+ I'm especially curious ... or at least as curious
> as time allows.
> 
> That said, joe's comment about how WINS admins treat their servers is very
> interesting, I'll have to keep that in mind when people claim such a
> server is corrupt.  Thanks joe for the info!
> 
> BTW, I don't think WINS was even in NT 3.50, I thought it showed up in
> 3.51?
> 
> Cheers,
> -BrettSh [msft]
> 
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> 
> On Sun, 9 Oct 2005, Darren Mar-Elia wrote:
> 
> > In the NT 3.50 days, WINS was a mess. I'm sorry but no amount of good
> > design would help it. It just sucked. It got progressively better in NT
> > 4.0 but I saw lots of corruptions of many kinds in 3.5x and I knew a
> > thing or two about WINS. 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Sunday, October 09, 2005 8:52 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Adding custom fields to AD
> > 
> > I would guess that it never got that far. My experience with folks
> > troubleshooting WINS is that they don't look very deep, someone can't
> > resolve XYZ server name and they stop the service, delete the DB, and
> > repopulate and call the DB corrupt. 
> > 
> > I think I said this in another post but I have never seen a corrupt WINS
> > DB though I have had lots of people tell me that WINS was corrupt. I
> > have seen lots of dorked up individual entries and simply deleting that
> > entry and reregistering gets everything working fine again. The worst
> > cases I have seen have been really poorly configured SAMBA machines
> > stomping on domain records though I once heard of a really misconfigured
> > Windows machine knocking a Fortune 50 down for a bit because someone
> > built their own domain with the same domain name as the corporate domain
> > and registered it in the production WINS environment. The solution there
> > ended up being shut down WINS and deleting the WINS DB and letting it
> > rebuild... 
> >  
> >   joe
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Sunday, October 09, 2005 8:24 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Adding custom fields to AD
> > 
> > Tom, what revision of the server OS was the WINS server?  NT 4.0?  Did
> > you ever determine if the WINS DB corruptions were being exposed at the
> > app/WINS level (esentutl /g succeeds) or ESE level (esentutl /g fails)?
> > 
> > esentutl /g (the svc/DB must be offline for this) is the (slightly
> > simplistic) method for determining if the corruption is exposing itself
> > at the app logic level or the ESE level.
> > 
> > Was the server being hard powered down (power outage)?
> > 
> > Just curious.
> > 
> > Cheers,
> > -BrettSh [msft] - ESE Developer
> > 
> > 
> > On Sat, 8 Oct 2005, Tom Kern wrote:
> > 
> > > I've had the reverse-
> > > last place I worked at had corrupted WINS at least once every 2
> > > months (this could have been due to my lousy admin skills). I've never had
> > > issues with DNS (could be my dumb luck). Now I work for a corp that has
> > > netbios/tcp disabled and relies solely on DNS (both MS and BIND) with
> > > no name resolution issues.
> > > Also WINS replication seems much more complex than standard
> > > primary/secondary DNS replication.
> > > And I'm not one to think I know anything as an admin or would even
> > > think of getting into such a discussion with someone as experienced
> > > and knowldgab

RE: [ActiveDir] Adding custom fields to AD

2005-10-09 Thread Brett Shirley
That is entirely believable (about WINS being a mess).  JET Blue used to
suck.  In Win2k, finally the older JET Blue 200 / 400 series was replaced
by the version (ESE97) that underwent the top-to-bottom rewrite during
Exch 5.5.

That is why I asked if it was a 4.0 NT server.  I'm not interested in
chasing down a corruption bug in old JET 400, but if there are consistent
corruptions in ESE 97+ variants, I'm curious to know how they're showing
up.  If it's in ESE98+ I'm especially curious ... or at least as curious
as time allows.

That said, joe's comment about how WINS admins treat their servers is very
interesting, I'll have to keep that in mind when people claim such a
server is corrupt.  Thanks joe for the info!

BTW, I don't think WINS was even in NT 3.50, I thought it showed up in
3.51?

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.

On Sun, 9 Oct 2005, Darren Mar-Elia wrote:

> In the NT 3.50 days, WINS was a mess. I'm sorry but no amount of good
> design would help it. It just sucked. It got progressively better in NT
> 4.0 but I saw lots of corruptions of many kinds in 3.5x and I knew a
> thing or two about WINS. 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Sunday, October 09, 2005 8:52 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Adding custom fields to AD
> 
> I would guess that it never got that far. My experience with folks
> troubleshooting WINS is that they don't look very deep, someone can't
> resolve XYZ server name and they stop the service, delete the DB, and
> repopulate and call the DB corrupt. 
> 
> I think I said this in another post but I have never seen a corrupt WINS
> DB though I have had lots of people tell me that WINS was corrupt. I
> have seen lots of dorked up individual entries and simply deleting that
> entry and reregistering gets everything working fine again. The worst
> cases I have seen have been really poorly configured SAMBA machines
> stomping on domain records though I once heard of a really misconfigured
> Windows machine knocking a Fortune 50 down for a bit because someone
> built their own domain with the same domain name as the corporate domain
> and registered it in the production WINS environment. The solution there
> ended up being shut down WINS and deleting the WINS DB and letting it
> rebuild... 
>  
>   joe
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Sunday, October 09, 2005 8:24 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Adding custom fields to AD
> 
> Tom, what revision of the server OS was the WINS server?  NT 4.0?  Did
> you ever determine if the WINS DB corruptions were being exposed at the
> app/WINS level (esentutl /g succeeds) or ESE level (esentutl /g fails)?
> 
> esentutl /g (the svc/DB must be offline for this) is the (slightly
> simplistic) method for determining if the corruption is exposing itself
> at the app logic level or the ESE level.
> 
> Was the server being hard powered down (power outage)?
> 
> Just curious.
> 
> Cheers,
> -BrettSh [msft] - ESE Developer
> 
> 
> On Sat, 8 Oct 2005, Tom Kern wrote:
> 
> > I've had the reverse-
> > last place I worked at had corrupted WINS at least once every 2
> > months (this could have been due to my lousy admin skills). I've never had
> > issues with DNS (could be my dumb luck). Now I work for a corp that has
> > netbios/tcp disabled and relies solely on DNS (both MS and BIND) with
> > no name resolution issues.
> > Also WINS replication seems much more complex than standard
> > primary/secondary DNS replication.
> > And I'm not one to think I know anything as an admin or would even
> > think of getting into such a discussion with someone as experienced
> > and knowledgeable as you, but I've always found DNS easier than WINS and
> > netbios names in general.
> > My only difficulty came with learning DNS on BIND/Linux and just
> > wrapping my head around AD-integrated DNS when I first came to Windows.
> > Sometimes when you learn something via the command line, using the GUI
> > just confuses things.
> > Then again I'm probably one of those guys who "thinks" he knows DNS
> > but really doesn't know anything and hasn't found out yet :(
> > What would you think would be a good replacement for DNS/WINS?
> > thanks
> > 
> >  On 10/8/05, joe <[EMAIL PROTECTED]> wrote:
> > >
> > > I wasn't saying 

RE: [ActiveDir] Adding custom fields to AD

2005-10-09 Thread Brett Shirley
Mylo, from the way you speak of JET, I suspect you might not know of the
two JETs, and be thinking that JET = Access ... make sure you're
"edJETicated" (man, I slay me! ;), see Notes at bottom of this:
 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/portal.asp
This frequent confusion is the reason we use the more desired term, ESE.
The two JETs, once compatible at the top-level API, have not even had to
maintain API compatibility for nearly 10 years, so they are quite
different.

If the _active amount of data_ (and the active amount of data can be
grossly enlarged by bad queries) exceeds memory, some operations will
probably be thrown down to random disk IO speed (100 IOs / second is a
standard single spindle/disk) ... ergo you get slow quick.

And like most database servers in such a situation, you can often throw
hardware at it.  We have Exchange servers with a TB of databases attached,
and a much higher update rate, BUT a big SAN to satisfy the IO load.

With AD you have the added advantage of being able to throw RAM at the
situations, with a 64-bit native OS and 32 GBs of RAM, a 29 GB database
performs quite well.

So where AD caves in is very hardware and workload dependent ... joe's
production numbers aren't even interesting anymore. (implying many
customers are in production with much bigger databases) ;-)

Cheers,
BrettSh [msft]
JET Blue, not JET Red Developer.


On Sat, 8 Oct 2005, Gil Kirkpatrick wrote:

> Much of AD's heritage lies in the old Exchange directory, which was
> ESE-based.
> 
> -gil
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Saturday, October 08, 2005 8:38 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Adding custom fields to AD
> 
> > One thing I am curious about though is why MS opted for JET  
> > as the DB of choice for AD.. was it the only viable option 
> > at the time ? 
> 
> What do you feel is wrong with ESE (aka Jet Blue)?
> 
> 
> > What's the ceiling on actual database size before it caves in
> (performance-wise)? 
> 
> Max size for an ESE DB for AD is ~16TB (8KB pages * 2147483646 max
> pages [1]). As for when it caves perf wise from an AD standpoint it
> really depends on what you are doing with it and what you have indexed
> from what I have seen. If someone is issuing crappy inefficient
> queries it will seem to be pretty slow pretty fast with relatively
> little data.
> 
> The largest DB I have seen in production has been ~20GB and that was
> with W2K on a GC and a bunch of that data shouldn't have been in the
> AD like duplicated ACEs and misc unneeded objects, etc. Going to K3
> would probably reduce that DB to about 10-12GB or better due to single
> instance store, cleanup would reduce it even further. One Fortune 5
> company I have worked with had a K3 GC DB in the area of 5GB and that
> was for some 250,000 users with Exchange and multiple custom
> attributes.
> 
>   joe
> 
> [1] See the docs for JetCreateDatabase -
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/jetcreatedatabase.asp?frame=true
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
> Sent: Friday, October 07, 2005 9:04 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Adding custom fields to AD
> 
> That's a good point about plonking stuff in AD: a case of once a good
> thing comes along, everyone wants to climb aboard. I remember doing
> ZENworks stuff with Novell where all the application configuration
> information for software distribution was shunted into NDS/E-Directory...
> all that bloat adds up replication-wise (still, at least there was
> partitioning).
> 
> One thing I am curious about though is why MS opted for JET as the DB of
> choice for AD.. was it the only viable option at the time? What's the
> ceiling on actual database size before it caves in (performance-wise)?
> 
> Mylo
> 
> joe wrote:
> 
> > I am going to basically say what the other said only I am going to put
> > it this way
> >
> > IF the data needs to be available at all locations or a majority of
> > locations where your domain controllers are located, consider adding
> > the data to AD.
> >
> > IF the data is going to be needed only at a couple of sites or a single
> > site, put them into another store. My preference being AD/AM unless you
> > need to do some complicated joins or queries of the data that LDAP
> > doesn't support.
> >
> > There is also the possibility of using app partitions but if you were
> > going to go that far, just use AD/AM.
> >
> > The thing I have about sticking this data into AD is that AD is
> > becoming, in many companies, a dumping ground of all the crap that was
> > in all the other directories in the company. I realize this was the
> > initial view from MS on how this should work but I worked in a large
> > company and thought that was silly even then.
> >
> >The 

Re: [ActiveDir] Adding custom fields to AD

2005-10-09 Thread Brett Shirley
Tom, what revision of the server OS was the WINS server?  NT 4.0?  Did you
ever determine if the WINS DB corruptions were being exposed at the
app/WINS level (esentutl /g succeeds) or ESE level (esentutl /g fails)?

esentutl /g (the svc/DB must be offline for this) is the (slightly
simplistic) method for determining if the corruption is exposing itself at
the app logic level or the ESE level.

Was the server being hard powered down (power outage)?

Just curious.

Cheers,
-BrettSh [msft] - ESE Developer


On Sat, 8 Oct 2005, Tom Kern wrote:

> I've had the reverse-
> last place I worked at had corrupted WINS at least once every 2 months (this
> could have been due to my lousy admin skills)
> I've never had issues with DNS (could be my dumb luck)
> Now I work for a corp that has netbios/tcp disabled and relies solely on
> DNS (both MS and BIND) with no name resolution issues.
> Also WINS replication seems much more complex than standard
> primary/secondary DNS replication.
> And I'm not one to think I know anything as an admin or would even think
> of getting into such a discussion with someone as experienced and
> knowledgeable as you, but I've always found DNS easier than WINS and netbios
> names in general.
> My only difficulty came with learning DNS on BIND/Linux and just wrapping my
> head around AD-integrated DNS when I first came to Windows.
> Sometimes when you learn something via the command line, using the GUI just
> confuses things.
> Then again I'm probably one of those guys who "thinks" he knows DNS but
> really doesn't know anything and hasn't found out yet :(
> What would you think would be a good replacement for DNS/WINS?
> thanks
> 
>  On 10/8/05, joe <[EMAIL PROTECTED]> wrote:
> >
> > I wasn't saying I like WINS better than DNS or vice versa, just said I
> > don't like DNS. I especially dislike the AD/DNS integration. I don't like
> > chicken and egg problems.
> >  BTW, as you bring up WINS. 1. I've never had a corrupted WINS Database.
> > 2. Fewer admins had name resolution or replication-based issues with
> > WINS than they do with DNS. 3. The complexity of DNS seems to put many
> > admins off the deep end, interestingly enough, the same admins who said they
> > couldn't figure out WINS say they know all about DNS.
> >  But again, my comment wasn't I like WINS more than DNS, or I like any
> > name resolution systems better than DNS, it was simply I don't like DNS.
> >
> >  --
> > *From:* [EMAIL PROTECTED] [mailto:
> > [EMAIL PROTECTED] *On Behalf Of *Tom Kern
> > *Sent:* Saturday, October 08, 2005 12:42 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* Re: [ActiveDir] Adding custom fields to AD
> >
> >   OK, I'll bite.
> > GPOs, I understand, but what's there to hate about DNS?
> > It's better than WINS.
> > I've never had a corrupted DNS database.
> >  thanks
> >
> >  On 10/8/05, joe <[EMAIL PROTECTED]> wrote:
> > >
> > > Yeah, GPOs aren't AD. GPOs are an application that uses AD. I hate GPOs.
> > > DNS too.
> > >
> > > :o)
> > >
> > >
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] ] On Behalf Of Rick Kingslan
> > > Sent: Saturday, October 08, 2005 11:19 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Adding custom fields to AD
> > >
> > > Interesting question - and as to the 'implode point' for ESE/Jet Blue,
> > > Brettsh can answer that one. I'm pretty sure that we have a good idea on
> > > where the point of diminishing returns is, but it likely FAR exceeds what
> > > anyone might practically do today - even with added classes and
> > > attributes.
> > >
> > > As for why ESE - it works, it is self maintaining to a great degree, there
> > > is very little overhead in the DB, and it is quite optimized to the type of
> > > work that is required for AD. Brettsh can certainly add more.
> > >
> > > I am one for preaching more svelte attitudes on your AD. As joe mentions -
> > > it's for authN purposes first and foremost. It CAN handle DNS, it does GPO
> > > (though - truth be told the majority of GPO function is but a link to an
> > > attribute, while the actual GPO pieces reside in SYSVOL, so not much AD -
> > > lots of FRS), etc.
> > >
> > > App Parts make sense in some arenas where the amount of data is going to be
> > > very small and contained to just a few areas. I, too, like joe advocate
> > > ADAM. I try to sell ADAM constantly as THE solution for most anything that
> > > doesn't have to do with authN. Customer AppDev wants to stuff new things
> > > into AD constantly. Partly, they don't know the down sides. Partly, they
> > > think they have to learn something new. Partly, they don't really care if
> > > YOUR AD is affected by their decisions, as long as they deliver the solution
> > > in the timeframe specified. So, it's up to you, Mr. Admin and Mr. Architect
> > > to tell whoever wants to 

Re: [ActiveDir] Anyone seen this database corruption error before?

2005-10-06 Thread Brett Shirley

Did you know strupr can change its behavior based on the locale of the
process?

Deji, your issue is likely a specific bug ...

 - There is a QFE, but you need to call msft to get it, ask for KB 902396

Note: this QFE causes some small number of indices to rebuild, so
the machine will "hang" before logon screen appears, don't reboot 
it, it is thinking.

 - This is a very rare case where offline defrag will not fix the index
corruption.

 - Just curious was this machine IFM'd or defragged recently? 

 - This could've made it stop replication.  Make sure replication hasn't
been stopped for more than a tombstone lifetime, if so, better off
just scrapping the DC.

 - Didn't Eric tell you this at the MVP summit?

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.


On Thu, 6 Oct 2005 [EMAIL PROTECTED] wrote:

> Event Type:Error 
> Event Source:NTDS ISAM 
> Event Category:Database Corruption  
> Event ID:467 
> Date:10/6/2005 
> Time:7:30:05 AM 
> User:N/A 
> Computer:SM-CACS-DC01 
> Description: NTDS (784) NTDSA: Index INDEX_0009028F of table datatable is
> corrupted
>  
> Happens only on one regional DC. No obvious adverse impact to AD resources
> has so far been reported. No related event logged anywhere else.
>  
> Does anyone know how to fix, other than a defrag?
>  
>  
> Sincerely,
> 
> Deji Akomolafe, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday?  -anon
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
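The event quoted above and Brett's reply suggest a small triage step that is worth scripting. This is an added Python example, not code from the thread or from Microsoft: it parses the pasted Directory Service event, recognises NTDS ISAM event 467 as an ESE index-corruption report, extracts the index and table names, and applies the tombstone-lifetime test from Brett's reply to the DC's replication outage. The ISO timestamps, the 60-day tombstone lifetime and the field layout are constructed assumptions; the event text is reproduced from the thread.

```python
import re
from datetime import datetime

# Constructed sample input: the Directory Service event quoted in the thread,
# as it would be pasted from Event Viewer (line-wrapped description included).
SAMPLE_EVENT = """\
Event Type:Error
Event Source:NTDS ISAM
Event Category:Database Corruption
Event ID:467
Date:10/6/2005
Time:7:30:05 AM
User:N/A
Computer:SM-CACS-DC01
Description: NTDS (784) NTDSA: Index INDEX_0009028F of table datatable is
corrupted
"""

# Header names as Event Viewer writes them; anything else is a wrapped
# continuation of the previous field (assumed layout, matches the paste above).
HEADERS = ("Event Type", "Event Source", "Event Category", "Event ID",
           "Date", "Time", "User", "Computer", "Description")
FIELD_RE = re.compile(r"^(%s):\s*(.*)$" % "|".join(HEADERS))
INDEX_RE = re.compile(r"Index (?P<index>\S+) of table (?P<table>\S+) is\s+corrupted")


def parse_event(text):
    """Parse pasted Event Viewer text into a dict, joining wrapped lines."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last is not None:
            fields[last] = (fields[last] + " " + line).strip()
    return fields


def is_ese_index_corruption(fields):
    """NTDS ISAM event 467: ESE reports a corrupt index in the AD database."""
    return fields.get("Event Source") == "NTDS ISAM" and fields.get("Event ID") == "467"


def corrupted_index(fields):
    """Return (index, table) named in the description, or None."""
    m = INDEX_RE.search(fields.get("Description", ""))
    return (m.group("index"), m.group("table")) if m else None


def event_time(fields):
    """Combine the Date and Time fields into a datetime."""
    return datetime.strptime(fields["Date"] + " " + fields["Time"],
                             "%m/%d/%Y %I:%M:%S %p")


def replication_outage_days(last_success_iso, now_iso):
    """Whole days since the DC last replicated successfully (ISO 8601 inputs)."""
    last = datetime.fromisoformat(last_success_iso)
    now = datetime.fromisoformat(now_iso)
    return (now - last).days


def triage(event_text, last_success_iso, now_iso, tombstone_days=60):
    """Apply the thread's advice: a DC whose replication has been broken for
    longer than the tombstone lifetime is rebuilt rather than repaired.
    tombstone_days=60 is an assumed default; read the forest's actual
    tombstoneLifetime attribute before relying on it."""
    fields = parse_event(event_text)
    if not is_ese_index_corruption(fields):
        return {"index_corruption": False}
    outage = replication_outage_days(last_success_iso, now_iso)
    index, table = corrupted_index(fields) or (None, None)
    if outage > tombstone_days:
        action = "rebuild DC: replication outage exceeds tombstone lifetime"
    else:
        action = ("apply the vendor fix (KB 902396 per the thread); "
                  "offline defrag will not clear this index corruption")
    return {"index_corruption": True, "computer": fields.get("Computer"),
            "index": index, "table": table, "outage_days": outage,
            "action": action}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT, "2005-10-05T20:00:00", "2005-10-06T07:30:05"))
```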



RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Brett Shirley

You must make sure all 5 DCs for all domains are shut down together, before
taking any of the images.  (as they're all replicas of the config NC,
being they're in the same forest)  

And obviously during restore you need to make sure you keep them from
talking to (i.e. trying to replicate w/) the existing DCs (b/c it's
unrealistic to get 190 disparate DCs shut down).  There is guidance in
the AD forest recovery paper for this.

Sooo in my somewhat sleepy state, I see nothing wrong with your method.  
But do not take me saying I don't see an issue off the top of my head, as
any sort of Microsoft buy off. Restating the disclaimer now:
This posting is provided "AS IS" with no warranties, and confers
no rights. 

It's not technically performing any aspect of a stated plan that usually
makes me nervous, it's human nature that makes me nervous ...

Somewhere on one of the previous USN rollback threads, we discussed this
idea, what happens if you (who understand the semantics of this) get hit
by a bus, is your procedure well enough documented that a less astute
admin would not misunderstand the constraints of your restore system, and
make a significant misstep?
Human Nature aspect at issue:
We disregard rules that don't make immediate sense.

One last thing that makes me queasy, is I know what happens in an IT
meltdown, esp. in bigger environments, the junior admin on duty, will
usually DO ANYTHING to get the server back online.  You could come in, in
the morning only to discover one of the VM DCs was brought back up from
the image, and (I'm sure the quote will go exactly like this) "there still
seems to be some replication issues, things are not syncing right, but at
least we got the server back up!!!"
Human Nature aspect at issue:
Panicking creates poor choices.

You should view putting in place mechanisms to insure against such
missteps by your staff, as part of your responsibility as an IT admin.


Cheers,
-BrettSh [msft]

Disclaimer2:  Good luck.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

> Brett,
> 
> My plan for the VMWare images is really for the ultimate DR scenario
> where I have already lost the entire forest. In this case, I would use
> the 5 images to completely restart from scratch (god help me ;-). The
> theory is that if I shut them down gracefully and then shoot the now
> closed image file off to tape I would have a much better shot with the
> image file on different hardware, etc. The images together would be a
> consistent point in time backup. The images would only be used if we
> decide that the entire forest is already dead.
> 
> I have a total of about 190 +/- dedicated DCs for the entire forest. Of
> those, about 30 of them are spread across three backbone nodes and those
> 30 are the ones that I send to tape daily (full system state). In the
> case of losing a given DC (backbone or site level) the SOP is to remove
> the remnants of the dead DC from the AD, rebuild/replace the server and
> promote it again.
> 
> The goal was that I want to have an ace in the hole so I don't orphan
> 20K clients, 1500 servers and the rest of the AD objects (user accounts,
> groups, mail info, etc).
> 
> Have I missed something here???
> 
> Thanks
> Frank
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Thursday, October 06, 2005 9:51 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD Restore Problem
> 
> If you have any replicas of those servers, when you restore those VMWare
> images, you will have corrupted your forest during restore.
> 
> -BrettSh [msft]
> 
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> 
> 
> On Thu, 6 Oct 2005, Carroll Frank USGR wrote:
> 
> > I am working my way down the VMWare path also for my ultimate DR "ace in
> > the hole". The environment is a TLD with 4 child domains. I am planning
> > on running a single VMWare server that has virtual DCs for all 5
> > domains. I am going to peel off a dedicated site/vlan and put the
> > physical VMWare server and all of the DC virt servers in that site. None
> > of the virtual DCs are going to be GCs. The reason for the dedicated
> > site is so I can keep people from using them for validation in
> > production.
> >  
> > Once I have them running, I plan to use the VM scripting to gracefully
> > shut them down once a day and then shoot the image file of the shutdown
> > DC off to tape, which then goes off-site. After the backup completes I
> > then restart the virtual servers.
> >  
> > This plays into the different hardw
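The constraints Brett puts on Frank's image-set plan can be checked mechanically before a tape is trusted. This is an added Python example, not from the thread or from any vendor: over a constructed set of image records it verifies that every image postdates the shutdown of every DC in the set (one shutdown window, one point in time for the config NC), that no DC was restarted before the last copy finished, that every domain is covered, and that none of the virtual DCs is a GC. The domain names, timestamps and the DcImage record type are assumptions; keeping the restored DCs isolated from the production forest is a runtime control this check cannot verify.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class DcImage:
    """One virtual DC in the cold-image set (constructed record type)."""
    name: str
    domain: str
    is_gc: bool
    shutdown_at: str    # ISO 8601: guest gracefully powered off
    image_start: str    # copy of the closed image file began
    image_end: str      # copy finished
    powered_on_at: str  # guest restarted

    def __post_init__(self):
        for f in ("shutdown_at", "image_start", "image_end", "powered_on_at"):
            setattr(self, f, datetime.fromisoformat(getattr(self, f)))


def check_image_set(images, expected_domains):
    """Return the reasons this set is NOT a consistent point-in-time forest
    backup; an empty list means the constraints from the thread hold."""
    problems = []
    missing = set(expected_domains) - {i.domain for i in images}
    if missing:
        problems.append("no imaged DC for domain(s): " + ", ".join(sorted(missing)))
    if not images:
        return problems
    # Every DC replicates the configuration NC, so every image must postdate
    # the shutdown of every DC in the set: one shutdown window, one point in time.
    latest_shutdown = max(i.shutdown_at for i in images)
    for i in images:
        if i.image_start < latest_shutdown:
            problems.append(f"{i.name}: image taken at {i.image_start} before the "
                            f"last DC shut down at {latest_shutdown}")
    # No DC may resume (and start replicating) until the last copy has finished.
    latest_image_end = max(i.image_end for i in images)
    for i in images:
        if i.powered_on_at < latest_image_end:
            problems.append(f"{i.name}: restarted at {i.powered_on_at} before "
                            f"imaging finished at {latest_image_end}")
    # The plan keeps these DCs out of GC duty so production clients never use them.
    for i in images:
        if i.is_gc:
            problems.append(f"{i.name}: is a GC, but the plan says no virtual DC is a GC")
    return problems


# Constructed forest: a root domain and four children, one virtual DC each.
FOREST_DOMAINS = ("corp.example", "a.corp.example", "b.corp.example",
                  "c.corp.example", "d.corp.example")


def sample_good_set():
    """Constructed records for a nightly run that satisfies every constraint."""
    return [DcImage(f"VDC{n}", d, False,
                    "2005-10-06T01:00:00", "2005-10-06T01:10:00",
                    "2005-10-06T01:40:00", "2005-10-06T02:30:00")
            for n, d in enumerate(FOREST_DOMAINS, 1)]


if __name__ == "__main__":
    for line in check_image_set(sample_good_set(), FOREST_DOMAINS) or ["image set OK"]:
        print(line)
```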

RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Brett Shirley
If you have any replicas of those servers, when you restore those VMWare
images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

> I am working my way down the VMWare path also for my ultimate DR "ace in
> the hole". The environment is a TLD with 4 child domains. I am planning
> on running a single VMWare server that has virtual DCs for all 5
> domains. I am going to peel off a dedicated site/vlan and put the
> physical VMWare server and all of the DC virt servers in that site. None
> of the virtual DCs are going to be GCs. The reason for the dedicated
> site is so I can keep people from using them for validation in
> production.
>  
> Once I have them running, I plan to use the VM scripting to gracefully
> shut them down once a day and then shoot the image file of the shutdown
> DC off to tape, which then goes off-site. After the backup completes I
> then restart the virtual servers.
>  
> This plays into the different hardware scenario since I can use VMWare
> to abstract the hardware.
>  
> Of course, this whole process is the backup to the normal system state
> backup of all my backbone DCs.
>  
> FWIW - Frank
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
> Sent: Wednesday, October 05, 2005 5:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD Restore Problem
> 
> 
> You will still need to abandon the snapshot/image approach. Go to
> http://www.mail-archive.com/activedir@mail.activedir.org/ and search for
> "usn rollback". You can get the same information by searching
> support.microsoft.com, but without the colorful and enlightening
> commentary that the list provides.
>  
> Hunter
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
> Sent: Wednesday, October 05, 2005 2:09 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD Restore Problem
> 
> 
> I should clarify we don't actually use a laptop anymore as we have a HOT
> DR site defined and replicating live to Sungard.  Basically we have a
> vmware server in the DR site and replicate from that.  It greatly
> reduces post DR test administration in that we can revert back to the
> machine state previous to the test and not worry about metadata clean
> up.  The laptop always served us fine in a DR test with varying hardware
> at varying DR sites & tests.  Of course what I forgot to mention is that
> a good backup tape of your directory should be in the DR kit just in
> case the laptop comes up corrupt.  At least then you can restore vmware
> to the laptop and then the backup of AD to a vmware DC and go from
> there.  
>  
>  
> Regards,
> 
> David Chianese
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
> Sent: Wednesday, October 05, 2005 3:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD Restore Problem
> 
> 
> 
>   There have been lots of discussions on this list about the
> perils of imaging DCs and introducing them back into your production
> environment. Avoid that like the plague.
>
>   However, since VMWare/Virtual Server abstracts the hardware, it
> eliminates the restore-to-different-hardware problems. Build a DC on a
> virtual server and use NTBackup or your favorite 3rd party utility to
> back up the virtual server just as if it were a physical DC. Load up
> VMWare/Virtual Server on the alternate hardware and then restore your
> backup to a guest virtual machine.
>
>   Besides, relying on a laptop in the DR kit means that you're
> putting a lot of faith in the laptop's hardware. Dicey proposition, IMO.
>
>   Hunter
> 
> 
> 
>   From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
>   Sent: Wednesday, October 05, 2005 12:58 PM
>   To: ActiveDir@mail.activedir.org
>   Subject: RE: [ActiveDir] AD Restore Problem
>   
>   
>   You hit the nail on the head with VmWare.  Simply make a vmware
> laptop and dcpromo it to a DC/GC.  Place that laptop in a DR kit
> offsite.  Recall the kit and laptop once every 30 days and plug it into
> production to allow it to catch up on replication.  Place it back in
> your DR kit and ship it off site.  You can now contend with 2 DR
> scenarios: 
>
>   1.) A Real DR where a regional or national disaster occurs.
>   2.) A DR test where you do not want to affect production by
> seizing FSMO roles, making DNS changes, etc.
>
>   In a real DR situation, you would simply plug in your DR laptop
> and build a new Windows server, dcpromo and replicate from the laptop.
> In fact, if you actually only had a regional outage you would be able to
> build a new ser

Re: [ActiveDir] Manually data corruption in exchange

2005-09-25 Thread Brett Shirley
Are you just planning on using repair (eseutil /p) and isinteg to fix it,
or are you planning on just seeing how your application behaves against
Exchange, when there are various DB corruptions?

Cheers,
BrettSh [msft]
ESE Dev


On Sun, 25 Sep 2005, Manjeet Singh wrote:

> All,
> 
> I am looking for different ways - How to manually corrupt
> 
> 1. Mailbox Store
> 2. Public Store
> 3. A single Mailbox
> 4. Public Folder
> 5. A single message in the mailbox 
> 
> We have created an application for Exchange and I want to test my
> application by manually corrupting the message/mailbox/mailbox
> store/public store.
> 
> Thanks,
> Manjeet
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 



RE: [ActiveDir] Sysvol and AV exclusions

2005-09-16 Thread Brett Shirley
 product. 
> 
> Tony
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
> Smith
> Sent: Thursday, 15 September 2005 10:07 a.m.
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Sysvol and AV exclusions
> 
> You obviously haven't dealt with the Exchange Team enough. 
> 
> :-)
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: Wednesday, September 14, 2005 6:01 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Sysvol and AV exclusions
> 
> Hi Brett
> 
> Thanks for your detailed response.  I see you've also managed to sort out
> the formatting of the table in the article.  Oh, what power you wield! :-)
> 
> The main issue I have is that the article introduces some "new"
> exclusions.  I don't think I'm alone in thinking that the general approach
> before this article came out was, "If your AV product is FRS-compliant then
> include SYSVOL in scans.".  I am fully aware of the effects of a virus being
> replicated by SYSVOL, having seen it first-hand.  SYSVOL does a great job of
> moving a virus around a network very quickly. :-)  So it's important to scan
> SYSVOL (or at least parts thereof).
> 
> Going back to the issue, the 822158 article sets out exclusions, but doesn't
> indicate why they should be excluded.  In other words, what is the risk of
> including them?  This is relevant for at least one major AV product vendor,
> which has a (somewhat stupid) low limit on the number of files and folders
> that can be excluded on any one server.  I'm also not convinced that the AV
> product I'm thinking of can perform the level of granularity of
> inclusion/exclusion suggested in the table.
> 
> I can sort of understand why the staging areas would be excluded (compressed
> files, possibility of locking), but why exclude %systemroot%\sysvol and
> %systemroot%\sysvol\sysvol?  I can't see anything in my test environment
> that would pose any problems by scanning these folders.
> 
> Call me a control freak, but I just don't like seeing a statement such as,
> "Do not scan the following files and folders." with no additional
> explanation.
> 
> Tony
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Tuesday, 13 September 2005 10:47 p.m.
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Sysvol and AV exclusions
> 
> 
> The articles should not be inconsistent.
> The 822158 does mention 814263 (see bullet 2).
> 
> 284947 - is how to detect and diagnose excessive FRS replication.
> Noting it might be caused by Anti-Virus software.  And mentioning how to
> recover.  
> It is not SYSVOL specific, it is FRS specific.  But since SYSVOL is an FRS
> share, it applies to SYSVOL, if this should happen to your SYSVOL.
> 
> 814263 - is about Anti-Virus programs that are compatible with FRS from a
> generic sense.  Again, not SYSVOL specific, FRS specific.  You will want one
> of these programs to continue on with your configuration of your DC's
> Anti-Virus program with 822158.
> 
> 822158 - Is the penultimate article for DCs and anti-virus software. You
> need to scroll over the very poorly formatted table, near the end.  
> You'll note some part of the sysvol folder, are to be scanned and other
> parts are excluded.  I believe the parts with the actual files (that people
> can execute during logon due to policy) are to be scanned.
> 
> Let me know if you have any issues, or find my statements inaccurate ...
> 
> FYI, it is important to get a good anti-virus program (per 814263) and
> configure it correctly (per 822158) to scan your SYSVOL shares, because I've
> known a major company to get a virus in its SYSVOL, such that everyone who
> logged on would get the virus.  This is very nasty.  The first thing the
> admin does to check out such an issue is ... log on to a DC, which may not
> have actually been infected with a running copy of the virus.  If you can
> get ahold of a virus'd exe, I'd drop it on your SYSVOL just to check it
> works.
> 
> Cheers,
> BrettSh [msft]
> 
> This posting is provided "AS IS" with no warranties, and confers no rights.
> 
> On Tue, 13 Sep 2005, Tony Murray wrote:
> 
> > Hi all
> >  
> > For a while now, I've been including/excluding Sysvol from AV scans 
> > based on the recommendations in these articles.
> >  
> > Antivirus programs may modify security descriptors and cause excessive
> 
> > replication of FRS data in SYS

RE: [ActiveDir] NTOSKRNL

2005-09-14 Thread Brett Shirley
You can not restore a ghost image _IF_ you have more than 1 DC in your AD
forest.  Doing so can cause replicated inconsistencies and corruption, so
you should be very sure before you restore a ghost image of a DC.  If this
is the only DC for a child domain in a forest with other domains, and
ghost is your only backup method, you are kind of in a jam.  Let me know
if that is the case, and I'll try to help you get out of it ...

Since you are using SBS, hopefully you'll only have one DC, and won't be
in this jam.  Ghost is not a recommended backup method for DCs in any
case.

Cheers,
BrettSh [msft]
SDE AD Backup/Restore, Replication, Database

This posting is provided "AS IS" with no warranties, and confers
no rights.

On Wed, 14 Sep 2005, Quatro Info wrote:

> I just installed an additional IDE drive... am installing win2k on that
> drive... wanna see if I can connect to the array that way.
> 
> If I can... isn't ghost an option?
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
> Sent: Wednesday, 14 September 2005 19:32
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTOSKRNL
> 
> Oh .. one last thing, Wininternals http://www.wininternals.com/ has a tool to 
> recover a lost hard drive volume. It's helped me in on
> several occasions and well worth it's cost. In my opinion it's some thing 
> that every IT department should have.
> 
> Good luck and please post to the list how your recovery went.
> 
> Jose :-)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Medeiros, Jose
> Sent: Wednesday, September 14, 2005 10:12 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTOSKRNL
> 
> 
> If that still does not work, run Chkdsk /f /r.
> 
> Jose
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Quatro Info
> Sent: Wednesday, September 14, 2005 10:03 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTOSKRNL
> 
> 
> Yep, it's OEM.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA 
> aka Ebitz - SBS Rocks
> [MVP]
> Sent: Wednesday, 14 September 2005 18:46
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] NTOSKRNL
> 
> 
> 
> That's not an OEM is it?
> 
> Post security patch?
> 
> Quatro Info wrote:
> 
> >HI all,
> >
> >
> >I have a major issue with a SBS 2k3 server. It hung this morning and after a 
> >hard reset I get the message: 
> >
> >Windows could not start because the following file is missing or corrupt:
> >
> >Winnt_root\System32\Ntoskrnl.exe
> >
> >Please re-install a copy of the above file.
> >
> >I tried accessing recovery mode and set it back but I can't access any 
> >files... I even tried to set the boot.ini file back... doesn't work either: 
> >access denied.
> >
> >In recovery mode I can see the files by the dir command but can't change 
> >anything. 
> >
> >Tried registry repair utility: same message, access denied.
> >
> >At last I tried a parallel install prior to rebuilding the operating 
> >system... but after selecting a new folder on the hard drive for that 
> >installation it stops when examining the hard drive (25 %).
> >
> >
> >It's a RAID 1 (mirror) array... all I can think of now is that there is 
> >something wrong with the partitions / array.
> >
> >
> >
> >Pls help.
> >
> >Thx Jorre
> >
> >
> >  
> >
> 
> --
> Letting your vendors set your risk analysis these days?  
> http://www.threatcode.com
> 
> 

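Brett's warning above, in both the VMware-image thread and the Ghost-image thread, is that a DC restored from a disk image comes back claiming to be the same replica it was at image time, while partners have since received updates from it that the image no longer contains. The following is an added example, not from the list posts: it models the replication partner's check (the DC presents its old invocationID with a USN counter that has gone backwards) and the local symptoms a DC records when it notices the condition. The event IDs, the NTDS event source and the "Dsa Not Writable" registry value follow Microsoft's published USN rollback guidance and are stated here as assumptions to verify against the documentation for your OS version; all sample data (SAMPLE_EVENTS, PARTNER_VIEW, the invocationID string) is constructed, and nothing here touches a real DC.

```python
"""Detecting the damage a DC restored from an image causes: USN rollback.

Added example, not code from the list posts.  Runs offline on constructed
sample data.  Event IDs, source name and registry value are taken from
Microsoft's USN rollback guidance (assumption: verify for your OS version).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Directory Service log events raised when an unsupported restore is noticed.
USN_ROLLBACK_EVENTS = {
    2095: "a partner has already received higher USNs from this invocationID",
    2103: "database restored with an unsupported procedure; replication disabled",
}
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\"Dsa Not Writable"
# is set to 4 when the DC quarantines itself after detecting a rollback.
DSA_NOT_WRITABLE_QUARANTINED = 4


@dataclass(frozen=True)
class Event:
    source: str     # e.g. "NTDS Replication", "NTDS General"
    event_id: int
    message: str


def partner_detects_rollback(partner_high_usn: Dict[str, int],
                             invocation_id: str, current_usn: int) -> bool:
    """Model the check a replication partner performs.

    The partner remembers the highest USN it has received from each
    invocationID of this DC.  A supported restore (ntdsutil / NTBackup
    system state) issues a new invocationID, so old USNs are never compared
    against it.  An image restore keeps the old invocationID but rewinds
    the USN counter, so the DC now presents a USN below what the partner
    already holds: that is the rollback.
    """
    seen = partner_high_usn.get(invocation_id)
    return seen is not None and current_usn < seen


def rollback_findings(events: Iterable[Event],
                      dsa_not_writable: Optional[int] = None) -> List[str]:
    """Collect the local symptoms: the NTDS events and the quarantine flag."""
    findings = []
    for ev in events:
        if ev.source.startswith("NTDS") and ev.event_id in USN_ROLLBACK_EVENTS:
            findings.append(f"event {ev.event_id}: {USN_ROLLBACK_EVENTS[ev.event_id]}")
    if dsa_not_writable == DSA_NOT_WRITABLE_QUARANTINED:
        findings.append("registry: Dsa Not Writable = 4 (DC has disabled its own replication)")
    return findings


# Constructed sample: a partner's memory of DC01's invocationID, and the log
# DC01 produced after being rolled back to a day-old image.
DC01_INVOCATION_ID = "8b3f0c2e-0000-4000-8000-000000000001"   # made up
PARTNER_VIEW = {DC01_INVOCATION_ID: 12000}
SAMPLE_EVENTS = [
    Event("NTDS General", 1000, "Microsoft Active Directory startup complete"),
    Event("NTDS Replication", 2095,
          "The local DC's USN is lower than a partner has already acknowledged"),
    Event("NTDS General", 2103,
          "The Active Directory database has been restored using an unsupported restoration procedure"),
]

if __name__ == "__main__":
    # DC01 comes back from the image with the same invocationID but USN 9500.
    print("partner sees rollback:",
          partner_detects_rollback(PARTNER_VIEW, DC01_INVOCATION_ID, 9500))
    for line in rollback_findings(SAMPLE_EVENTS, dsa_not_writable=4):
        print(line)
```

The partner-side check is why a single-DC forest (Brett's SBS case) is unaffected: with no partner holding a higher USN for that invocationID, nothing can notice the rewind. With more than one DC, the rolled-back DC stops replicating but its partners keep the objects it "forgot", which is the inconsistency both threads warn about.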


Re: [ActiveDir] Sysvol and AV exclusions

2005-09-13 Thread Brett Shirley

The articles should not be inconsistent.
The 822158 does mention 814263 (see bullet 2).

284947 - is how to detect and diagnose excessive FRS replication.  Noting
it might be caused by Anti-Virus software.  And mentioning how to recover.  
It is not SYSVOL specific, it is FRS specific.  But since SYSVOL is an
FRS share, it applies to SYSVOL, if this should happen to your SYSVOL.

814263 - is about Anti-Virus programs that are compatible with FRS from a
generic sense.  Again, not SYSVOL specific, FRS specific.  You will want
one of these programs to continue on with your configuration of your DC's
Anti-Virus program with 822158.

822158 - Is the penultimate article for DCs and anti-virus software. You
need to scroll over the very poorly formatted table, near the end.  
You'll note some part of the sysvol folder, are to be scanned and other
parts are excluded.  I believe the parts with the actual files (that
people can execute during logon due to policy) are to be scanned.

Let me know if you have any issues, or find my statements inaccurate ...

FYI, it is important to get a good anti-virus program (per 814263) and
configure it correctly (per 822158) to scan your SYSVOL shares, because
I've known a major company to get a virus in its SYSVOL, such that
everyone who logged on would get the virus.  This is very nasty.  The
first thing the admin does to check out such an issue is ... log on to a
DC, which may not have actually been infected with a running copy of the
virus.  If you can get ahold of a virus'd exe, I'd drop it on your SYSVOL
just to check it works.

Cheers,
BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.

On Tue, 13 Sep 2005, Tony Murray wrote:

> Hi all
>  
> For a while now, I've been including/excluding Sysvol from AV scans
> based on the recommendations in these articles.
>  
> Antivirus programs may modify security descriptors and cause excessive
> replication of FRS data in SYSVOL and DFS
>  
> http://support.microsoft.com/?kbid=284947
>  
> 
> Antivirus, backup, and disk optimization programs that are compatible
> with the File Replication Service
> 
> 
> http://support.microsoft.com/kb/815263/
> 
> In other words, if the AV software is not FRS-compliant then I exclude
> Sysvol from scans.
>  
> However, I recently came across the following article:
>  
> Virus scanning recommendations on a Windows 2000 or on a Windows Server
> 2003 domain controller
>  
> http://support.microsoft.com/kb/822158
>  
>  
> This includes a recommendation to exclude Sysvol, but doesn't really say
> why.  The article doesn't make any reference to the KB284947 and
> KB815263 articles, so I don't know whether the recommendations are based
> on that information or new information.
>  
> Can anyone clarify the situation for me?
>  
> Tony
> 



RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Brett Shirley
IFM is an odd abbreviation of the Infrastructure Master role.  I think IM
is more typical.

-B

On Mon, 29 Aug 2005, Grillenmeier, Guido wrote:

> Andreas actually teased me with this at the second DEC in US (must have
> been 2003 in Scottsdale, Arizona), as I also wondered why the IFM would
> be required for this role.  So after a good discussion about the IFM's
> functions it was clear there was absolutely no technical requirement
> that adprep /domainprep be performed on the IFM FSMO ;-) 
> 
> The only reason the IFM was "chosen" to perform this "special" task is:
> they had to ensure that the domainprep will only be performed on a
> single DC in a domain and all the other FSMOs already had many more
> special tasks than the IFM - this is why the domainprep was bound to be
> executed on the IFM FSMO.
> 
> /Guido
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
> E.
> Sent: Monday, 29 August 2005 12:36
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> 
> Yep, that was him.  Drat, dunno why I had Luther in my head as being his
> first name.  
> 
> 
> - L
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> > Sent: Monday, August 29, 2005 12:32 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> > 
> > Heavy German accent?  I suspect that it was Andreas 
> > Luther  (and looks nothing like Guido)
> > 
> > And - it might have been DEC as Andreas was there for the Identity
> > Management (read:MIIS) portion of the conference.
> > 
> > Rick 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Hunter, Laura E.
> > Sent: Sunday, August 28, 2005 7:02 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
> > 
> > Oddly enough, this exact topic came up in a dinner conversation at Tech
> > Ed this year.[1]  Luther...oh heck somebody remind me of his last
> > name...had apparently quizzed people with this one at a previous
> > conference (DEC?), only to ultimately reveal that the answer was "You
> > know how people always ask you what the IM FSMO does? Well, now you can
> > tell them that it's responsible for running /domainprep."
> > 
> > 
> > 
> > [1] Please hold the jokes about having dinner conversations 
> > about Active Directory internals until the end, please.  :-)
> > 
> > 
> > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Tony Murray
> > > > Sent: Sunday, August 28, 2005 7:36 PM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
> > > > 
> > > > Hi all
> > > >  
> > > > Does anyone know why the documentation suggests that adprep 
> > > > /domainprep be run on the DC holding the IM FSMO role?  I heard a 
> > > > rumour to the effect that it was only because that DC is
> > > likely to be
> > > > less busy than the other DCs, but I'd like to know for sure.
> > > >  
> > > > Tony
> > > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> 



RE: [ActiveDir] Database Corruption

2005-08-26 Thread Brett Shirley
Alex,

Unfortunately, only the developer version of eseutil.exe gives out more
info, including a raw hex dump of the page.  I'm a little curious, to see
if the tail of 81183, and the head of 81184 look skewed, sometimes we've
seen a disk corruption, where the bytes seem right, just off by several
bytes ... but maybe a probable explanation will present itself by just the
output of the header ...

If you make a copy of the bad database (& logs), before you defrag or
restore, it gives you / us the chance to ask more questions about the
nature of the corruption later ...

Cheers,
BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.


On Tue, 23 Aug 2005, Al Mulnick wrote:

> Hopefully it's just an index that's taken one for the team.
>  Take the advice and ensure that the hardware is solid before
> declaring things well enough to be restored etc. This was the type of
> error in the Exchange world that would bug you till the end.  It was
> associated with everything from disk controller settings (battery
> backup) to faulty disks, to transient hardware errors.  Tough to
> diagnose, but almost always a hardware error (like >99% of the time)
> was the root cause. Software issues were sometimes to blame
> (misconfigured AV etc) that would take things out but see above for the
> frequency of that.
>  The fact that it stays the same is a good thing.  The fact that it
> occurred at all is not. Disk or other hardware would be my next
> suspect.  All the way down to the motherboard (checked the revs to
> ensure no issues yet?)
>  I have to also admit that a restore is not my favorite method if the
> bandwidth can support it.  I'd prefer to dcpromo the repaired piece of
> hardware, especially for a smaller DIT. That's just my preference
> though.
>  Good luck,
>  
> Al
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Alex Fontana
> Sent: Mon 8/22/2005 9:30 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Database Corruption
> 
> 
> 
> ECC memory, no errors in the event logs relating to memory.  The ntds.dit is
> about 800MB.  There are multiple events, the page number is always the same
> (81184).
> 
> Haven't fixed it yet - it's limping along until this weekend when I'll dump
> the pages to see what the header shows - then either defrag or restore...
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Monday, August 22, 2005 10:22 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Database Corruption
> 
> Both Steve, Hunter's, and your original advice is sound ... I think it is
> very likely if you call PSS, they'll tell you to do Steve's, yours, and
> Hunter's advice in about that order.
> 
> My favorite disk sub-system diagnostics is jetstress, but dedicated disk
> sub-system stressers are better, as they try odd patterns of bits that
> they know buses, electrical systems, and disks get fouled up on.  Also do
> not ignore RAM checkers, that is almost as likely, perhaps even more
> likely here.
> 
> Do you have ECC or parity memory?  Any events in system or app event log
> related to parity memory issues?
> 
> BTW, how big is your ntds.dit file?  Is it over 1.5-2.5 GBs?  That
> increases the hypothesis of memory issues.
> 
> So you have multiple of these events?  If you do, do they always happen
> for the same page numbers ("pgno") and offsets?  If different, does their
> frequency increase?
> 
> If you haven't restored it already, I'd be curious if you felt like
> sharing, what the page looked like from:
>esentutl /m ntds.dit /p81184 /v
>  ... then we could see how bad the header was corrupted.  Also this will
> tell you if the page is an "Index page", and thus likely to be fixed by an
> offline defrag.  If you see "primary" or "long value" page, offline defrag
> probably won't fix it.
> 
> Also get the previous page too (change 81184 to 81183 in the above
> command).  But again, only if you feel like sharing.
> 
> Cheers,
> BrettSh
> 
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> 
> 
> 
> On Sat, 20 Aug 2005, Coleman, Hunter wrote:
> 
> > I'd also look at running hardware diagnostics, particularly on the
> > disk subsystem and controller. No point in restoring or repromoting if
> > there is an unresolved hardware problem.
> >
> >   -Original Message-
> >   From: [EMAIL PROTECTED] on behalf of Steve Linehan
> >  

RE: [ActiveDir] Enterprise Domain Controllers

2005-08-26 Thread Brett Shirley
 vs. FPO - that specific piece of terminology seems to depend on
> whether you're an aging Borg or just a familiar.
> 
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, August 24, 2005 12:48 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Enterprise Domain Controllers
> 
> I would stay the course and say there is no membership. 
> 
> There are security principals that could have the SID added to their token
> which I agree is most likely controlled by userAccountControl & 8192.
> However it is a state of being authenticated coupled with being a domain
> controller that controls what objects have that SID at any given moment. 
> 
> It is like an authenticated user, what is the membership? Given the idea
> stated below, authenticated users are any security principal that can be
> authenticated, but wait, if someone isn't logged on, how could they be
> "authenticated"? We know that authenticated users are only the users that
> are currently authenticated and have the authenticated users SID in their
> token. 
> 
> Now for a group which has real membership. You can look at an attribute and
> it tells you who is at this exact moment a member of the group. State of
> authentication has no bearing. For instance, if you have Exchange,
> mailenable and send an email to some random group you have in your domain.
> Then try the same with Enterprise Domain Controllers. 
> 
> Those are some of the reasons why I say there is no membership to list,
> there are only principals that occasionally have the SID in their token. If
> you want, I guess you could consider it a dynamic group with the membership,
> if I were to admit it had membership, completely dependent on the state of
> being both a domain controller (or at least flagged in a way in the
> directory to indicate such) and authenticated.
> 
> 
> :o)
> 
> 
>joe
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, August 24, 2005 11:48 AM
> To: ActiveDir@mail.activedir.org
> Cc: Send - AD mailing list
> Subject: RE: [ActiveDir] Enterprise Domain Controllers
> 
> 
> After reading joe's description, which sounds accurate to a non-expert like
> myself, I am willing to raise my confidence in my answer from a measly 12%
> to a full 17%.
> 
> Well, I agree with most of what joe said, except for the part about not
> being able to "look" at the membership, you _sort of_ can as I alluded to in
> my mail, just not via the typical member attribute as joe was pointing out.
> 
> Cheers,
> Brett
> 
> On Wed, 24 Aug 2005, Dean Wells wrote:
> 
> >  
> > To further clarify Joe's point; the subset of 
> > foreignSecurityPrincipals within the domain NC under the 
> > ForeignSecurityPrincipals container (many [or all] of which will be 
> > well-known security principals) are present there because of a
> relationship with another object within that partition.
> > 
> > The foreignSecurityPrincipals within the config. NC serve as a 
> > template and represent the well-known security principals listed by 
> > the object picker when, for example, editing an ACL (do not test this 
> > by deleting one, unless it's a sandpit, since recreating them can be
> problematic).
> > 
> > As a general rule of thumb, and as far as I can recollect, foreign 
> > security principals are created to represent any security principal 
> > that cannot be resolved by a forest-local GC, e.g. users from a 
> > foreign forest's domain or well-known security principals ...
> >  and are necessary because of the archaic underlying database 
> > engine we continue to insist on using :o) .
> > 
> > --
> > Dean Wells
> > MSEtechnology
> > * Email: [EMAIL PROTECTED]
> > http://msetechnology.com
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Wednesday, August 24, 2005 9:01 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Enterprise Domain Controllers
> > 
> > It isn't an actual group. 
> > 
> > It is a Well-Known security principal (SID=S-1-5-9) like Authenticated 
> > Users or Everyone or Terminal Server User. You don't have the ability 
> > to look at the membership, let alone modify it. When a token for a 
> > domain controller is built, the SID is sim

RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread Brett Shirley

After reading joe's description, which sounds accurate to a non-expert
like myself, I am willing to raise my confidence in my answer from a
measly 12% to a full 17%.

Well, I agree with most of what joe said, except for the part about not
being able to "look" at the membership, you _sort of_ can as I alluded to
in my mail, just not via the typical member attribute as joe was pointing
out.

Cheers,
Brett

On Wed, 24 Aug 2005, Dean Wells wrote:

>  
> To further clarify Joe's point; the subset of foreignSecurityPrincipals
> within the domain NC under the ForeignSecurityPrincipals container (many [or
> all] of which will be well-known security principals) are present there
> because of a relationship with another object within that partition.  
> 
> The foreignSecurityPrincipals within the config. NC serve as a template and
> represent the well-known security principals listed by the object picker
> when, for example, editing an ACL (do not test this by deleting one, unless
> it's a sandpit, since recreating them can be problematic).
> 
> As a general rule of thumb, and as far as I can recollect, foreign security
> principals are created to represent any security principal that cannot be
> resolved by a forest-local GC, e.g. users from a foreign forest's domain or
> well-known security principals ...  and are necessary because of
> the archaic underlying database engine we continue to insist on using :o)
> .
> 
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, August 24, 2005 9:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Enterprise Domain Controllers
> 
> It isn't an actual group. 
> 
> It is a Well-Known security principal (SID=S-1-5-9) like Authenticated Users
> or Everyone or Terminal Server User. You don't have the ability to look at
> the membership, let alone modify it. When a token for a domain controller is
> built, the SID is simply added to it. 
> 
> It is represented in the directory as a foreignSecurityPrincipal so it can
> be added to groups and ACEs like Everyone is. As Tom indicated, it is
> maintained in the Wellknown Security Principals container of the
> configuration partition with other Well Known Security Principals. 
> 
> Here is a quick listing of all the FSPs listed in that container
> 
> Anonymous Logon
> Authenticated Users
> Batch
> Creator Group
> Creator Owner
> Dialup
> Digest Authentication
> Enterprise Domain Controllers
> Everyone
> Interactive
> Local Service
> Network
> Network Service
> NTLM Authentication
> Other Organization
> Proxy
> Remote Interactive Logon
> Restricted
> SChannel Authentication
> Self
> Service
> Terminal Server User
> This Organization
> Well-Known-Security-Id-System
> WellKnown Security Principals
> 
> 
> joe
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
> Sent: Wednesday, August 24, 2005 5:17 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Enterprise Domain Controllers
> 
> Hey All,
> 
> Can anyone tell me where this group is stored?  It isn't in the directory,
> and it isn't a local group...any ideas on how to check its membership list
> is correct?
> 
> TIA,
> 
> 
> Brad
> 
> 
> This email and any attached files are confidential and copyright protected.
> If you are not the addressee, any dissemination of this communication is
> strictly prohibited. Unless otherwise expressly agreed in writing, nothing
> stated in this communication shall be legally binding.
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 

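joe's and Dean's replies above come down to two things: a SID (S-1-5-9) that is added to a DC's token rather than derived from a group, and a foreignSecurityPrincipal object that represents that SID so it can be placed in groups and ACEs. The following Python helper is an added example, not code from the thread or from Microsoft: it converts between the string SID and the binary layout stored in objectSid, names the well-known SIDs behind several of the principals in joe's container listing (Microsoft's documented constants), and builds the DN where the matching FSP object is expected. The forest root DC=example,DC=com and the child-domain DN in the usage block are placeholders.

```python
"""Added example: string <-> binary SID conversion and well-known SID lookup for
the principals discussed in the thread. Not code from the thread itself."""
import struct

# Well-known SIDs (Microsoft's documented constants) for some of the principals
# joe listed from the WellKnown Security Principals container.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "Creator Owner",
    "S-1-3-1": "Creator Group",
    "S-1-5-1": "Dialup",
    "S-1-5-2": "Network",
    "S-1-5-3": "Batch",
    "S-1-5-4": "Interactive",
    "S-1-5-6": "Service",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-10": "Self",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-13": "Terminal Server User",
    "S-1-5-18": "System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-64-14": "SChannel Authentication",
    "S-1-5-64-21": "Digest Authentication",
}


def sid_to_bytes(sid):
    """Encode 'S-R-A-s1-s2-...' into the objectSid layout: revision (1 byte),
    sub-authority count (1 byte), 48-bit big-endian identifier authority,
    then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID: %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(blob):
    """Decode the binary objectSid layout back to its string form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def describe(sid):
    """Name a well-known SID, or classify a domain-relative one (S-1-5-21-...)."""
    sid = bytes_to_sid(sid_to_bytes(sid))  # round-trip to normalise the string
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if sid.startswith("S-1-5-21-") and sid.count("-") == 7:
        return "domain-relative principal, RID %s" % sid.rsplit("-", 1)[1]
    return "unknown SID"


def expected_fsp_dn(sid, domain_dn, forest_root_dn):
    """Where the thread says the FSP object for a SID lives: well-known SIDs are
    templated in the configuration NC's WellKnown Security Principals container,
    other foreign SIDs are created under the domain's ForeignSecurityPrincipals
    container. The DN arguments are placeholders supplied by the caller."""
    if sid in WELL_KNOWN:
        return "CN=%s,CN=WellKnown Security Principals,CN=Configuration,%s" % (
            sid, forest_root_dn)
    return "CN=%s,CN=ForeignSecurityPrincipals,%s" % (sid, domain_dn)


if __name__ == "__main__":
    forest, child = "DC=example,DC=com", "DC=child,DC=example,DC=com"  # placeholders
    for s in ("S-1-5-9", "S-1-5-11", "S-1-5-21-1004336348-1177238915-682003330-512"):
        print(s, sid_to_bytes(s).hex(), describe(s), expected_fsp_dn(s, child, forest))
```

Because S-1-5-9 is well-known, expected_fsp_dn() points at the configuration NC template container Dean describes; a SID that is not well-known resolves to the domain's ForeignSecurityPrincipals container instead. Either way the object carries no member attribute, which is why there is no membership to read for Enterprise Domain Controllers, only the DC tokens that receive the SID.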


RE: [ActiveDir] Enterprise Domain Controllers

2005-08-24 Thread Brett Shirley
I don't think that's right at all ...  he's talking AD EDC group, nothing
to do with Exchange.

I'm just going to make this up* ... it's a piece of data on the DC's
computer account object that helps SAM determine if you deserve the EDC
group in your token.  Maybe it is a bit in the userAccountControl.

* I don't know what I'm talking about, I really did pretty much make that
up, because it sounded vaguely familiar, sooo I'm like only 12% sure of
all that stuff I just said.

Cheers,
BrettSh
G-Door Operator #7

Posting is provided "AS IS", and confers no rights or warranties ...



On Wed, 24 Aug 2005, Peter Johnson wrote:

> Hi Brad
> 
> It's in the User's container by default. One of the things that dsaccess
> does, except on frontend machines IIRC, is verify that the server is in
> the Exchange Domain Servers which is a member of Exchange Enterprise
> Servers. 
> 
> Regards
> Peter Johnson
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
> Sent: 24 August 2005 11:17
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Enterprise Domain Controllers
> 
> Hey All,
> 
> Can anyone tell me where this group is stored?  It isn't in the
> directory,
> and it isn't a local group...any ideas on how to check its membership
> list
> is correct?
> 
> TIA,
> 
> 
> Brad
> 
> 
> This email and any attached files are confidential and copyright
> protected. If you are not the addressee, any dissemination of this
> communication is strictly prohibited. Unless otherwise expressly agreed
> in writing, nothing stated in this communication shall be legally
> binding.
> 



RE: [ActiveDir] Database Corruption

2005-08-22 Thread Brett Shirley
Both Steve, Hunter's, and your original advice is sound ... I think it is
very likely if you call PSS, they'll tell you to do Steve's, yours, and
Hunter's advice in about that order.

My favorite disk sub-system diagnostics is jetstress, but dedicated disk
sub-system stressers are better, as they try odd patterns of bits that
they know buses, electrical systems, and disks get fouled up on.  Also do
not ignore RAM checkers, that is almost as likely, perhaps even more
likely here.

Do you have ECC or parity memory?  Any events in system or app event log
related to parity memory issues?

BTW, how big is your ntds.dit file?  Is it over 1.5-2.5 GBs?  That
increases the hypothesis of memory issues.

So you have multiple of these events?  If you do, do they always happen
for the same page numbers ("pgno") and offsets?  If different, does their
frequency increase?

If you haven't restored it already, I'd be curious if you felt like
sharing, what the page looked like from:
   esentutl /m ntds.dit /p81184 /v
 ... then we could see how bad the header was corrupted.  Also this will
tell you if the page is an "Index page", and thus likely to be fixed by an
offline defrag.  If you see "primary" or "long value" page, offline defrag
probably won't fix it.

Also get the previous page too (change 81184 to 81183 in the above
command).  But again, only if you feel like sharing.

Cheers,
BrettSh

This posting is provided "AS IS" with no warranties, and confers no
rights.



On Sat, 20 Aug 2005, Coleman, Hunter wrote:

> I'd also look at running hardware diagnostics, particularly on the
> disk subsystem and controller. No point in restoring or repromoting if
> there is an unresolved hardware problem.
> 
>   -Original Message- 
>   From: [EMAIL PROTECTED] on behalf of Steve Linehan 
>   Sent: Fri 8/19/2005 8:18 PM 
>   To: ActiveDir@mail.activedir.org 
>   Cc: 
>   Subject: RE: [ActiveDir] Database Corruption
> 
>   Well the first thing I always recommend is to try an offline
> defrag as it is possible that the corruption is in an index, i.e.
> metadata, that can be rebuilt.  If the offline defrag fails then
> restoring from backup or repromoting will be your next step.
> 
>   Thanks,
>   -Steve
>   _  
> 
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, 
> Diane
>   Sent: Friday, August 19, 2005 6:43 PM
>   To: ActiveDir@mail.activedir.org
>   Subject: RE: [ActiveDir] Database Corruption
>
>   My preferred approach would be to demote the box to member
> server and re-promote to a domain controller to ensure a good fresh
> copy of the DIT.  YMMV as the specific requirements at your location
> may prevent this.  We have only run into this once early in our AD
> days and this was the approach we used with good success.
> 
>   Diane
>   _  
> 
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex 
> Fontana
>   Sent: Friday, August 19, 2005 3:29 PM
>   To: ActiveDir@mail.activedir.org
>   Subject: [ActiveDir] Database Corruption
> 
>   Started getting the error below a few weeks ago on one of our
> DCs.  My first reaction is to run a non-auth restore from a day before
> this started happening and let replication take care of everything
> else.  Any reason NOT to do this?  I'm concerned that this may
> happen again and wasn't able to find anything specific to the error
> below.  Besides calling PSS any thing else I should look into before
> restoring?  This box holds all FSMO roles, Win2k3, server for NIS.
> 
>   TIA
>   -alex
>
> 
>   Event Type:   Error
>   Event Source:NTDS ISAM
>   Event Category: Database Page Cache 
>   Event ID:   475
>   Date:8/19/2005
>   Time:2:00:24 PM
>   User:N/A
>   Computer: DC
>   Description:
> 
>   NTDS (528) NTDSA: The database page read from the file
> "C:\WINNT\NTDS\ntds.dit" at offset 665067520 (0x27a42000) for
> 8192 (0x2000) bytes failed verification due to a page number
> mismatch.  The expected page number was 81184 (0x00013d20) and the
> actual page number was 2349964126 (0x8c119b5e).  The read operation
> will fail with error -1018 (0xfc06).  If this condition persists
> then please restore the database from a previous backup. This problem
> is likely due to faulty hardware. Please contact your hardware vendor
> for further assistance diagnosing the problem.
> 
>
> 
> 

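Brett's questions above (same pgno and offset every time? frequency increasing? how big is the DIT?) can be answered mechanically from the event 475 descriptions. The Python below is an added example, not code from the thread or from Microsoft: it parses the description text into path, offset, page size, expected and actual page numbers and the -1018 error, checks that the offset agrees with the expected page number, and summarises a run of events. The first sample event reuses the numbers from the event Alex quoted; the other three events, their timestamps and the 1.2 GB DIT size are constructed. The quoted event gives offset 665067520 for page 81184 at 8192 bytes per page, i.e. offset = (pgno + 1) * 8192, consistent with the database header occupying the first page-sized slots before page 1; the code treats that relation as an assumption derived from those numbers.

```python
"""Added example (not from the thread): parse NTDS ISAM event 475 descriptions
and summarise a series of them along the lines of Brett's questions above."""
import re
import statistics
from collections import Counter
from datetime import datetime

EVENT_RE = re.compile(
    r'read from the file "(?P<path>[^"]+)" at offset (?P<offset>\d+) \(0x[0-9a-f]+\) '
    r'for (?P<size>\d+) \(0x[0-9a-f]+\) bytes failed verification due to '
    r'(?P<reason>.+?)\.\s+The expected page number was (?P<expected>\d+) '
    r'\(0x[0-9a-f]+\) and the actual page number was (?P<actual>\d+) '
    r'\(0x[0-9a-f]+\)\.\s+The read operation will fail with error (?P<error>-?\d+)',
    re.IGNORECASE | re.DOTALL)


def _event(offset, expected, actual):
    """Build a description in the format of the quoted event (constructed sample)."""
    return (r'NTDS (528) NTDSA: The database page read from the file '
            r'"C:\WINNT\NTDS\ntds.dit" at offset %d (0x%08x) for 8192 (0x2000) bytes '
            'failed verification due to a page number mismatch.  The expected page '
            'number was %d (0x%08x) and the actual page number was %d (0x%08x).  '
            'The read operation will fail with error -1018 (0xfc06).'
            % (offset, offset, expected, expected, actual, actual))


# Constructed sample: the first entry reuses the values from the thread's event,
# the rest vary timestamp and page to exercise the trend checks.
SAMPLE_EVENTS = [
    ("2005-08-19 14:00:24", _event(665067520, 81184, 2349964126)),
    ("2005-08-19 20:00:10", _event(665067520, 81184, 2349964126)),
    ("2005-08-20 02:00:31", _event(665067520, 81184, 2349964126)),
    ("2005-08-20 04:00:05", _event(665059328, 81183, 305419896)),
]


def parse_event(timestamp, description):
    """Return the numeric fields of one event 475 description, or None."""
    m = EVENT_RE.search(description)
    if m is None:
        return None
    ev = {
        "time": datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S"),
        "path": m["path"],
        "offset": int(m["offset"]),
        "size": int(m["size"]),
        "reason": m["reason"],
        "expected": int(m["expected"]),
        "actual": int(m["actual"]),
        "error": int(m["error"]),
    }
    # Assumption taken from the quoted numbers: offset == (pgno + 1) * page size,
    # so the page implied by the offset should equal the expected page number.
    ev["page_from_offset"] = ev["offset"] // ev["size"] - 1
    ev["offset_consistent"] = ev["page_from_offset"] == ev["expected"]
    return ev


def summarize(parsed, dit_size_bytes=None):
    """Answer: same page every time? always -1018? gaps shrinking? and are the
    'actual' page numbers even possible for a DIT of the given size?"""
    evs = sorted((e for e in parsed if e), key=lambda e: e["time"])
    per_page = Counter(e["expected"] for e in evs)
    gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(evs, evs[1:])]
    accelerating = None
    if len(gaps) >= 2:
        half = len(gaps) // 2  # compare the later gaps against the earlier ones
        accelerating = statistics.mean(gaps[half:]) < statistics.mean(gaps[:half])
    implausible = None
    if dit_size_bytes is not None and evs:
        max_page = dit_size_bytes // evs[0]["size"]
        implausible = [e["actual"] for e in evs if e["actual"] > max_page]
    return {
        "count": len(evs),
        "pages": dict(per_page),
        "same_page_every_time": len(per_page) == 1,
        "all_minus_1018": all(e["error"] == -1018 for e in evs),
        "accelerating": accelerating,
        "implausible_actual_pages": implausible,
    }


if __name__ == "__main__":
    events = [parse_event(t, d) for t, d in SAMPLE_EVENTS]
    print(summarize(events, dit_size_bytes=1_200_000_000))  # constructed DIT size
```

An "actual" page number far beyond what the file could hold (2349964126 pages at 8 KB would be a multi-terabyte file) says the page body was overwritten with something that was never an ESE page at all, which is the kind of detail worth having in hand together with the esentutl /m dump Brett asks for.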


RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

2005-08-19 Thread Brett Shirley
Both are valid, but do VERY different things.  The first of the two you
listed is the repair/salvage sub-command, the second is offline defrag.

Cheers,
-B

On Fri, 19 Aug 2005, Douglas M. Long wrote:

> This is probably just me not comprehending this, but when you said 
> 
> "The confusion is that, there is also a /p option that can be provided to 
> defrag, like so:"
> 
> 
> Did you mean the confusion is that they are both** valid, or that one is 
> valid and one is not?
> 
> 
> ** eseutil /p mydb.edb and eseutil /d mydb.edb /p
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Thursday, August 18, 2005 10:27 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat
> 
> I am actually a programmer for ESE (you know the database under Exchange,
> once known as JET Blue ... ) ... yes, it may come as a shock to some of you
> that building 7 garage door operator is not my only job duty at msft ...
> 
> Anyway, I'd like to clear up some confusion and misstatements ...
> 
> 1. The /p switch ... 
> 
> There was some confusion on the /p switch ...
> 
> There are two different operations being discussed below that one can
> perform on an ESE database.  One is called defrag and the other repair.  
> It is CRITICAL everyone understand the difference between the two, because
> one is dangerous and destructive under certain circumstances.
> 
> Defrag:
>   eseutil /d mydb.edb
> 
> Repair:
>   eseutil /p mydb.edb
> 
> The confusion is that, there is also a /p option that can be provided to
> defrag, like so:
> 
> Defrag (w/o instate):
>   eseutil /d mydb.edb /p
> 
> The original mail understood this, but some subsequent mails got it mixed
> up, just wanted to make it explicit.  I loathe ESEUtil's command syntax,
> BTW. :P  Subcommands should always be full words, like repadmin. ;)
> 
> 
> 2. Repair (/p) is destructive.
> 
> Repair is really an unfortunate term for this functionality, because like
> when you repair a car, it works again!  That may not be the case after
> ESE's repair.  The command should've been called "salvage".  The command
> basically throws out any data that ESE doesn't understand due to physical
> or ESE logical corruptions in your database, basically salvaging what's
> left.
> 
> The defrag w/o instate ("eseutil /d mydb.edb /p") is NOT destructive.
> 
> Repair is dangerous.  I always try to steer people away from repair.  If
> though somehow the database has been corrupted, there is irreplaceable
> data it can really save you.
> 
> If the database is in perfect order, both physically ("eseutil /k" checks
> this) and ESE logically ("eseutil /g" checks that), then in theory repair
> is safe.  But that idea gives me the heebie-jeebies.  It is possible for
> a disk to return valid data on one read, and invalid data on a 2nd read,
> so it could never be perfectly safe.  Did I mention I try to steer people
> away from repair.
> 
> 
> 2.a. Aside: NEVER run repair on an AD database.
> 
> Off the subject of this mail, but it bears repeating.
> 
> As you may or may not know, the ESE database engine is used in both
> Windows for Active Directory's database/ntds.dit and in Exchange for
> mailbox stores.  In the Windows version of the ESE database engine,
> eseutil.exe is called esentutl.exe.
> 
> Even though these binaries are similar, and based off similar sources, the
> versions are different, and compiled with the Esentutl.exe and eseutil.exe
> are
> 
> Never run repair on an AD database.  In fact in Win2k3 SP1, we disabled
> that functionality in esentutl.exe for AD databases.  Ok, we're really
> off topic for the thread, moving back to ...
> 
> 
> 3. Defrag (how it works) ...
> 
> I'd like to go over very approximately the steps that ESE (offline) defrag
> goes through, because it will make some of the comments in the next point
> more poignantly clear.
> 
> Defrag works like this:
> 
>   Step 1 - Open the "source" database.
> 
> ESE opens for reading the source or target database, that you've
> specified as the first non-flag argument after the /d sub-
> command.  i.e. "mydb.edb" above.
> 
>   Step 2 - Create a "destination" database with a temporary name.
> 
> By default the destination or temporary DB, is created in the
> same directory as the source database.
> 
>   Step 3 - Move the data table by table to the destination database.
> 
> Enumerate over each table in the 
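The /p confusion Brett untangles above (repair versus defrag without instate), plus the third /p meaning seen earlier on this page in "esentutl /m ntds.dit /p81184 /v", is easy to lint for in a runbook. The Python below is an added example, not a Microsoft tool and not code from the thread: it parses an eseutil/esentutl command line, decides which /p it is looking at from the switch's position, and refuses the one combination the thread says never to run, repair against an AD database. The tool and switch names are those on this page; the ntds.dit path in the usage block is a placeholder.

```python
"""Added example (not from the thread): tell the three meanings of /p apart on
an eseutil/esentutl command line and refuse repair on an AD database."""

# Sub-commands named on this page (the first switch after the tool name).
MODES = {
    "/d": "defrag",
    "/p": "repair",
    "/g": "integrity",
    "/k": "checksum",
    "/m": "dump",
}
TOOLS = {"eseutil", "eseutil.exe", "esentutl", "esentutl.exe"}


def classify(cmdline):
    """Return the operation a command line performs and whether it is the
    destructive repair/salvage path."""
    argv = cmdline.split()
    if len(argv) < 2 or argv[0].lower() not in TOOLS:
        raise ValueError("not an eseutil/esentutl command line: %r" % cmdline)
    mode = argv[1].lower()
    if mode not in MODES:
        raise ValueError("unknown sub-command %r" % argv[1])
    operation = MODES[mode]
    rest = argv[2:]
    database = next((a for a in rest if not a.startswith("/")), None)
    options = [a.lower() for a in rest if a.startswith("/")]
    if operation == "defrag" and "/p" in options:
        # Second meaning of /p: keep the temporary DB and do not instate it
        # over the source ("defrag w/o instate" in Brett's mail).
        operation = "defrag (no instate)"
    if operation == "dump":
        # Third meaning: /p<pgno> picks the page to dump (esentutl /m ... /p81184).
        pages = [o[2:] for o in options if o.startswith("/p") and o[2:].isdigit()]
        if pages:
            operation = "dump page %s" % pages[0]
    return {
        "tool": argv[0].lower(),
        "operation": operation,
        "database": database,
        "destructive": operation == "repair",
    }


def preflight(cmdline):
    """Refuse the combination the thread says to never run: repair on an AD DIT."""
    info = classify(cmdline)
    db = (info["database"] or "").lower().replace("/", "\\")
    if info["destructive"] and db.endswith("ntds.dit"):
        raise RuntimeError("refusing to run repair (/p) on an Active Directory database")
    return info


if __name__ == "__main__":
    for cmd in ("eseutil /p mydb.edb", "eseutil /d mydb.edb /p",
                "esentutl /m ntds.dit /p81184 /v",
                r"esentutl /d C:\WINNT\NTDS\ntds.dit /p"):  # placeholder path
        print(cmd, "->", classify(cmd)["operation"])
```

The rule is positional: the switch immediately after the tool name is the sub-command, so /p there means repair; a /p among the options that follow /d means keep the temporary database; and /p followed by digits under /m is a page number. A runbook that stores commands as argv lists rather than free text avoids the ambiguity altogether.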

RE: [ActiveDir] OMG, the most aweful ESE event info ever!!! ...

2005-08-19 Thread Brett Shirley
Wow, I meant to say, I can _not_ promise immediate action ...

It depends upon the severity of the bad text ...

Cheers,
BrettSh

On Fri, 19 Aug 2005, Brett Shirley wrote:

> Yes.  I can promise action immediately though.
> 
> I've separated my action plan into 4 phases ...
> 
> Now: cleanup of crap, I've found 4 events to remove, and 1 that must be
> modified on a more immediate time scale.
> 
> Embrace: re-write and re-vet content for all ESE/ESENT/NTDS ISAM events,
> because it could be way better.
> 
> Extend: Figure out how to take the Event Help System forward a bit, this
> is internal improvement stuff, process improvement, DB improvement, etc 
> ...
> 
> NextGen: Figure out if there are any longer range improvements we can
> make.
> 
> I've started 4 threads on it, I've been writing up thoughts all morning,
> this is absolutely going to sap my day of real work ...
> 
> They will rue the day, they laid down crappy events help for ESE.  I've
> decided to take an interest in what they do.  Like Dean, usually when I
> take an interest in you, you become more unhappy. (w/ lots of love Dean ;)  
> In fact 2 out of my 4 significant GFs required therapy afterwards.
> 
> Cheers,
> -BrettSh
> G-Door Operator #7
> 
> On Fri, 19 Aug 2005, Michael B. Smith wrote:
> 
> > Does your offer apply to Exchange ESE as well as ESENT/NTDS ISAM? 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Friday, August 19, 2005 10:13 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] OMG, the most aweful ESE event info ever!!! ...
> > 
> > 
> > In the event view, you know how you can click the "fwlink" page to get
> > help and support text for any given event?
> > 
> > So I found the "support and help" text (below) for EventID 101 (farther
> > below) for Windows NTDS ISAM and for general ESENT, and it's like about
> > as close to 100% wrong as you can get.  It's talking about Restore.env,
> > and the Information Store, Windows now thinks it's Exchange?  Was it
> > just like make stuff up day at work or something?  WTF.  Does the
> > internet / network produce ANY valid content anymore? I think the new
> > quote should be, "It must be false, I read it on the internet".
> > 
> > Anyway, I've gotten a hold of the people responsible for this database,
> > we're having words ... I'll fix this.
> > 
> > OMG, I just found the text for Event ID 102 "%1 (%2) %3The database
> > engine started a new instance(%4)." ... and it's help text is worse than
> > event ID 101's text.  Event ID 102's help text:
> >  There is only one Jet database engine, ESE.dll, per
> > server. However, there can be one instance of Jet running per
> > storage group. Event 102 signifies that an instance of Jet has
> > started and indicates which instance has started.  
> > 
> > And oh my gosh I just thought someone could be trying to act on this
> > text on like an Exchange or SBS server ... I'm nauseous, I'm actually
> > retching over this find ...
> > 
> > SOOO Why don't you guys tell us about this shtuff?  Seriously.  You guys
> > should hold your vendors to higher responsibility.  Comments anyone?
> > 
> > joe, surely you must have a comment?  Tragically, I'll bet it is a
> > waste, I'll bet no one uses the system anymore.
> > 
> > I give you permission to email me about any ESE event text and fwlinks
> > that suck, send mail to: [EMAIL PROTECTED]  Only
> > email that mail, about this stuff.  Well, give me a week or two to take
> > out the trash on the fwlinks.  BTW, I can't promise a reply or speedy
> > fixes, or anything.
> > 
> > Oh in case it isn't clear the ESE events are under, ESE (for Exchange,
> > SPS, Windows Desktop Search), ESENT (for General Windows), and for
> > Active Directory the events are categorized under "NTDS ISAM".
> > 
> > This is going to be a great Friday, I can just tell ...
> > BrettSh
> > G-Door Operator #7, 
> > but currently serving as Janitor (of the "Event Help Text" system)
> > 
> > 
> > Details if you click that fwlink, in the event box of NTDS ISAM | ESENT
> > Event ID 101 ...
> > 
> > 
> > Details
> > Product: Windows Operating System
> > ID: 101
> > Source: ESENT
> > Version: 5.2

RE: [ActiveDir] OMG, the most aweful ESE event info ever!!! ...

2005-08-19 Thread Brett Shirley
Yes.  I can promise action immediately though.

I've separated my action plan into 4 phases ...

Now: cleanup of crap, I've found 4 events to remove, and 1 that must be
modified on a more immediate time scale.

Embrace: re-write and re-vet content for all ESE/ESENT/NTDS ISAM events,
because it could be way better.

Extend: Figure out how to take the Event Help System forward a bit, this
is internal improvement stuff, process improvement, DB improvement, etc 
...

NextGen: Figure out if there are any longer range improvements we can
make.

I've started 4 threads on it, I've been writing up thoughts all morning,
this is absolutely going to sap my day of real work ...

They will rue the day, they laid down crappy events help for ESE.  I've
decided to take an interest in what they do.  Like Dean, usually when I
take an interest in you, you become more unhappy. (w/ lots of love Dean ;)  
In fact 2 out of my 4 significant GFs required therapy afterwards.

Cheers,
-BrettSh
G-Door Operator #7

On Fri, 19 Aug 2005, Michael B. Smith wrote:

> Does your offer apply to Exchange ESE as well as ESENT/NTDS ISAM? 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Friday, August 19, 2005 10:13 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OMG, the most aweful ESE event info ever!!! ...
> 
> 
> In the event view, you know how you can click the "fwlink" page to get
> help and support text for any given event?
> 
> So I found the "support and help" text (below) for EventID 101 (farther
> below) for Windows NTDS ISAM and for general ESENT, and it's like about
> as close to 100% wrong as you can get.  It's talking about Restore.env,
> and the Information Store, Windows now thinks it's Exchange?  Was it
> just like make stuff up day at work or something?  WTF.  Does the
> internet / network produce ANY valid content anymore? I think the new
> quote should be, "It must be false, I read it on the internet".
> 
> Anyway, I've gotten a hold of the people responsible for this database,
> we're having words ... I'll fix this.
> 
> OMG, I just found the text for Event ID 102 "%1 (%2) %3The database
> engine started a new instance(%4)." ... and it's help text is worse than
> event ID 101's text.  Event ID 102's help text:
>There is only one Jet database engine, ESE.dll, per
>   server. However, there can be one instance of Jet running per
>   storage group. Event 102 signifies that an instance of Jet has
>   started and indicates which instance has started.  
> 
> And oh my gosh I just thought someone could be trying to act on this
> text on like an Exchange or SBS server ... I'm nauseous, I'm actually
> retching over this find ...
> 
> SOOO Why don't you guys tell us about this shtuff?  Seriously.  You guys
> should hold your vendors to higher responsibility.  Comments anyone?
> 
> joe, surely you must have a comment?  Tragically, I'll bet it is a
> waste, I'll bet no one uses the system anymore.
> 
> I give you permission to email me about any ESE event text and fwlinks
> that suck, send mail to: [EMAIL PROTECTED]  Only
> email that mail, about this stuff.  Well, give me a week or two to take
> out the trash on the fwlinks.  BTW, I can't promise a reply or speedy
> fixes, or anything.
> 
> Oh in case it isn't clear the ESE events are under, ESE (for Exchange,
> SPS, Windows Desktop Search), ESENT (for General Windows), and for
> Active Directory the events are categorized under "NTDS ISAM".
> 
> This is going to be a great Friday, I can just tell ...
> BrettSh
> G-Door Operator #7, 
> but currently serving as Janitor (of the "Event Help Text" system)
> 
> 
> Details if you click that fwlink, in the event box of NTDS ISAM | ESENT
> Event ID 101 ...
> 
> 
> Details
> Product: Windows Operating System
> ID: 101
> Source: ESENT
> Version: 5.2
> Symbolic Name: STOP_ID
> Message: %1 (%2) %3The database engine stopped. 
> 
> Explanation
> The extensible storage engine database engine stopped.
> 
> Possible causes include:
> 
>  - An online restoration failed. There may be missing log files on the
>computer or in an online restoration, or there may be old log files
>that are out of sequence with the log that is mentioned in the
>Restore.env file.
>  - A database could not be loaded. The directory where the database or
>logs exist might not have the correct permissions assigned to it in
>order to load the store.
>  
