RE: [ActiveDir] OT: Exchange Restrict Sending
I believe this option sets who can send to the group, not who the group members can send to. Is this correct? If so, is there a way to restrict who a group of users can send mail to?

You can define in the properties of a group in Exchange general, there is the option to set the message restriction. There you can define a white list of users.

Dhiraj Haritwal

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, January 03, 2007 9:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange Restrict Sending

Can anyone tell me if there is a way in Exchange to restrict who certain users can send to? Almost a whitelist for certain groups of approved recipients.

I would appreciate any help,

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
[ActiveDir] OT: Exchange 2003 Copy Outgoing Messages
Is there a way built into Exchange 2003 running on Server 2003 that a user can be copied on all messages sent by another user? We have a manager that wants to monitor all outgoing messages sent by certain users regardless of the recipient. Is this possible?

Thank you in advance for any help.

Dan DeStefano
[ActiveDir] OT: Exchange Restrict Sending
Can anyone tell me if there is a way in Exchange to restrict who certain users can send to? Almost a whitelist for certain groups of approved recipients.

I would appreciate any help,

Dan DeStefano
[ActiveDir] TS Remote Control Mouse Pointer
When remote controlling a user's session on a Server 2k3 TS is there a way to allow both users to see the mouse pointer? This makes it easier when doing training. Currently, when one user is controlling the session, the other user can only see what is going on on the screen, but not the mouse pointer initiating the actions. Is this possible at all?

Thanks in advance for any help,

Dan DeStefano
[ActiveDir] Public Folder Appointment Owner
I would like to know how to find out who created a meeting using a calendar in a public folder. Right now, if I open an appointment that someone else created and go into the "Scheduling" tab, it shows me as the owner. If I then open the appointment logged on as another user, it shows that user is the owner. Is this a configuration issue or is it just the way it works?

Thanks,

Dan DeStefano
[ActiveDir] Outlook Rules Lockdown
Is there a way to place restrictions on which rules users can create in Outlook, like disallowing users to create an auto-forward rule? I would like to control these settings by group membership.

Thanks in advance for any help,

Dan DeStefano
RE: [ActiveDir] Restrict VPN Access By Computer Name
Cool, I will test that out, thanks. I am not too familiar with using or configuring EAP – would this solution require installing a CA on the network? Furthermore, would these certificates be assigned to the machine, not the user?

No, I understand the difference between IAS and ISA. I just mentioned ISA because you said that it might be a good idea to use it. For most of our clients, a $1500 firewall solution is overkill. We are pretty much standardized on the Netgear FVL328, which costs under $300, provides 100 VPN tunnels for branch offices and is compact enough to fit in most of our clients’ wiring closets (the term “closet” being the operative word as most of our clients do not have or need a server room). I would prefer a firewall appliance to one installed on a server and most ISA appliances are on the expensive side and are designed for rack-mounting. I can’t remember where, but I vaguely remember reading that Microsoft would be offering a light version of ISA2006 that can be used as an embedded solution for small business networks such as those that I manage. It will compete with Netgear, Linksys, Firebox, etc. Maybe I am mistaken, but I will try to find out.

I will take your advice and wait for LH server instead of messing with WS2k3 quarantine. I appreciate the recommendation.

Dan DeStefano

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Tuesday, November 14, 2006 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

You are right, Calling-Station-Identifier (in some cases) maps to the telephone number. In 802.1x scenario, though, it's usually the MAC, but I have also seen it map to the client's IP address. I attribute this to some vendors not reading the RFC or just opting to do it their way. In our situation, MS maps it to MAC.

I re-read your original message and I have another thought. Since these are computers under your control, why not issue them certificates and use EAP as your authentication filter?

Hope we are not mixing acronyms here, re: IAS vs. ISA. IAS is the RADIUS server. Free with the OS. ISA is the proxy/caching/firewall solution. $1,500.00 for Standard edition, comes in a black box version, too. For what it does, ISA is one of the cheapest solutions of its type in the market. I am not aware of the "light" version you mentioned.

If you think NAP is complex, try your hands on 2K3 qtine. Also, you can combine all the NAP roles on one server, you do not have to separate them. The only strict requirement is that it be installed on a LH server.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Dan DeStefano
Sent: Tue 11/14/2006 5:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

Thank you for your response. I thought the Calling-Station-Id was used for phone numbers (that is what the description says anyway). But you are saying that MAC addresses can be used here as well?

Other than the above, what would the advantages of deploying IAS be? This is a small network with 100 or so users and only a handful of them have VPN access (right now being controlled in the user account properties). For this reason I am not sure I can also justify the costs of implementing ISA especially with a current firewall solution in place. Plus, we have no ISA experts in our organization or anyone who has even administered ISA before. Maybe this will change with the new ISA 2006, but most ISA solutions right now are enterprise-class and on the expensive side (for most small businesses). I heard that ISA 2006 is supposed to have a “light” version of some sort, but that being said, I am not sure if it would be as fully-featured and support what you are suggesting (though I know little of it other than the fact that it exists).

Thanks for the advice about ws2k3 quarantine, I guess we won’t waste our time with it. I have read about Longhorn NAP and it looks great. But it also looks a bit complex, requiring a bit more infrastructure than most small businesses need or can afford.

Have you ever tried restricting VPN access by MAC address?

Dan DeStefano

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behal
RE: [ActiveDir] Restrict VPN Access By Computer Name
Thank you for your response. I thought the Calling-Station-Id was used for phone numbers (that is what the description says anyway). But you are saying that MAC addresses can be used here as well?

Other than the above, what would the advantages of deploying IAS be? This is a small network with 100 or so users and only a handful of them have VPN access (right now being controlled in the user account properties). For this reason I am not sure I can also justify the costs of implementing ISA especially with a current firewall solution in place. Plus, we have no ISA experts in our organization or anyone who has even administered ISA before. Maybe this will change with the new ISA 2006, but most ISA solutions right now are enterprise-class and on the expensive side (for most small businesses). I heard that ISA 2006 is supposed to have a “light” version of some sort, but that being said, I am not sure if it would be as fully-featured and support what you are suggesting (though I know little of it other than the fact that it exists).

Thanks for the advice about ws2k3 quarantine, I guess we won’t waste our time with it. I have read about Longhorn NAP and it looks great. But it also looks a bit complex, requiring a bit more infrastructure than most small businesses need or can afford.

Have you ever tried restricting VPN access by MAC address?

Dan DeStefano

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Tuesday, November 14, 2006 1:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

Call-Station-Identifier is a much more stable and reliable filter - it is the Client's MAC address. "Client Friendly Name" is optional and may not be sent in many VPN negotiations. The identifier will very likely be sent (I don't want to say ALWAYS since I don't have any relevant doc that says that, but I am yet to see a negotiation that does not include the identifier).

Unfortunately, in order to use the identifier as a filter, you will have to create a policy for each device. I don't see how you can wildcard it. So, depending on how many clients you are talking here, well

Yes, if I were you, I'd bring in RADIUS. Better, I'll bring in something like ISA 2006. With ISA, you should be able to create a Computer Set that includes the names or IPs of the Clients in question, and you can use that to filter your inbound VPN connection requests. I don't have such a configuration, but it makes sense in my head.

Also, if you haven't started messing with that 2K3 quarantine thingamabob yet, thank your stars. You don't want to. Not now that the NAP in Longhorn is so close at hand. I'd recommend that you encourage your techs to concentrate on learning NAP instead. I just took a quick look around in NAP, and I can see where what you are trying to do here can be easily accomplished.

Hope I haven't thoroughly confused you yet.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Dan DeStefano
Sent: Mon 11/13/2006 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict VPN Access By Computer Name

I was wondering if there is a way to restrict client VPN connections via computer name. The reason for this is that we only want clients connecting from approved devices for which they do not have administrative privileges. In other words, we do not want people VPNing into our network from their possibly virus and spyware-infested home PCs. I know that a clever user could rename his/her home PC, but this is probably not too likely and that type of user is probably likely to be conscious of updated antivirus/spyware software.

I saw a setting in Remote Access Policies called Client Friendly Name (IAS). Is this the setting I am looking for? If so, do I have to set up an IAS server? If not, is there another way I can accomplish my goal?

I know that WS2k3 R2 has a quarantine feature, but I am not familiar with it, though it looks like a bit of a PITA to set up and I am looking for a quick way to fix this problem. We will probably eventually use the new quarantine feature after our techs have had a chance to learn and test it a bit. I think another problem with this feature is for small business networks that have just a single SBS server.

Any help would be greatly appreciated.

Thanks,
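
An added illustration, not part of any message in this thread: the replies above note that Calling-Station-Id may carry a MAC address, a phone number or an IP address depending on the vendor, and that filtering on it needs one entry per device. The sketch below normalises reported values before comparing them with a per-device list; the function names and all sample values are constructed for the example.

```python
import ipaddress
import re

# MAC notations handled: 00-00-5E-00-53-01, 00:00:5e:00:53:01, 0000.5e00.5301
_MAC_PAIRS = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")
_MAC_DOTTED = re.compile(r"^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$")
_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def _canonical_mac(text):
    """Strip separators and return the MAC as upper-case XX-XX-XX-XX-XX-XX."""
    hex_only = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    return "-".join(hex_only[i:i + 2] for i in range(0, 12, 2))


def classify_calling_station_id(value):
    """Return (kind, normalised); kind is 'mac', 'ip', 'phone' or 'unknown'."""
    raw = value.strip()
    try:
        return "ip", str(ipaddress.ip_address(raw))
    except ValueError:
        pass
    if _MAC_PAIRS.match(raw) or _MAC_DOTTED.match(raw):
        return "mac", _canonical_mac(raw)
    if _HEX12.match(raw):
        # Twelve bare decimal digits could be a MAC or a phone number:
        # do not guess, leave it for a person to look at.
        if re.fullmatch(r"[0-9]{12}", raw):
            return "unknown", raw
        return "mac", _canonical_mac(raw)
    digits = re.sub(r"[ ()+.\-]", "", raw)
    if re.fullmatch(r"[0-9]{7,15}", digits):
        return "phone", digits
    return "unknown", raw


def decide(value, approved_macs):
    """'allow' or 'deny' for MAC values; 'review' when the value is not a MAC."""
    approved = {_canonical_mac(m) for m in approved_macs}
    kind, normalised = classify_calling_station_id(value)
    if kind != "mac":
        return "review"  # the attribute does not identify a device here
    return "allow" if normalised in approved else "deny"


def audit(values, approved_macs):
    """Classify and decide for each reported value."""
    return [(v, classify_calling_station_id(v)[0], decide(v, approved_macs))
            for v in values]


# Constructed sample data (MACs taken from the documentation range 00-00-5E-00-53-xx).
APPROVED = ["00-00-5e-00-53-01"]
SAMPLES = [
    "00:00:5e:00:53:01",   # approved device, colon notation
    "0000.5E00.5301",      # same device, dotted notation
    "00-00-5E-00-53-7F",   # a MAC that is not on the list
    "192.0.2.44",          # vendor sent the client IP instead
    "+1 555 0100",         # vendor sent a phone number
    "000053000001",        # ambiguous bare digits
]

if __name__ == "__main__":
    for value, kind, decision in audit(SAMPLES, APPROVED):
        print(f"{value:20} {kind:8} {decision}")
```

A match only shows which value the client reported; the machine-certificate approach with EAP suggested later in the thread does not depend on that value.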
RE: [ActiveDir] Restrict VPN Access By Computer Name
Thank you for your input.

I hear you about SBS, but for small businesses it is really a great deal. We are a managed solution provider and most of our clients are in the SBS range of 5-50 users, for which SBS cannot be beat. I love the RWW and try to use it as much as possible on SBS networks. However, there are still some laptops that require offline data access and intermittent connectivity to the network to update offline files, OST files, etc, for which the RWW alone is not enough.

Also, I should have mentioned that the network of which I am speaking belongs to our largest client who does not use SBS. The reason I mentioned SBS is that I would like to leverage whatever solution comes out of this to our SBS clients.

We also have a policy that machines from which users connect must have latest AV and AS software, but users are normally admins on these machines (usually personal PCs/laptops). So, no matter what you do to the PC to make it secure, ultimately the user has control over it and its security is always in question. Ideally, I would like any user that requires VPN access to the network to be using a corporate asset, such as a laptop, to which we are the only people with admin privileges. However, management requires certain users that are not issued company notebooks to have VPN access. I am just trying to balance requirements from management with proper security.

Dan DeStefano

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, November 14, 2006 1:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restrict VPN Access By Computer Name

(Say SBS and it's like waving a red flag in front of me)

For SBS networks we don't use VPN, in fact the only time I use VPN is for patching, otherwise we use RWW (Remote Web Workplace) which does not introduce the risks that VPN does. RWW is a web based remote access and can typically be more secure (and thus not introduce the risks) from home PCs. And if you want two factor auth for RWW, Dana Epp is introducing RWW-Guard.

But honestly I have a policy in my office that if they want remote access, they are to have up to date a/v, antispyware and I have the right to inspect their systems. (Logmein.com is great for this)

Akomolafe, Deji wrote:

Call-Station-Identifier is a much more stable and reliable filter - it is the Client's MAC address. "Client Friendly Name" is optional and may not be sent in many VPN negotiations. The identifier will very likely be sent (I don't want to say ALWAYS since I don't have any relevant doc that says that, but I am yet to see a negotiation that does not include the identifier).

Unfortunately, in order to use the identifier as a filter, you will have to create a policy for each device. I don't see how you can wildcard it. So, depending on how many clients you are talking here, well

Yes, if I were you, I'd bring in RADIUS. Better, I'll bring in something like ISA 2006. With ISA, you should be able to create a Computer Set that includes the names or IPs of the Clients in question, and you can use that to filter your inbound VPN connection requests. I don't have such a configuration, but it makes sense in my head.

Also, if you haven't started messing with that 2K3 quarantine thingamabob yet, thank your stars. You don't want to. Not now that the NAP in Longhorn is so close at hand. I'd recommend that you encourage your techs to concentrate on learning NAP instead. I just took a quick look around in NAP, and I can see where what you are trying to do here can be easily accomplished.

Hope I haven't thoroughly confused you yet.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Dan DeStefano
Sent: Mon 11/13/2006 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict VPN Access By Computer Name

I was wondering if there is a way to restrict client VPN connections via computer name. The reason for this is that we only want clients connecting from approved devices for which they do not have administrative privileges. In other words, we do not want people VPNing into our network from their possibly virus and spyware-infested home PCs. I know that a clever user could rename his/her home PC, but this is probably not too likely and that type of user is probably likely to
[ActiveDir] Restrict VPN Access By Computer Name
I was wondering if there is a way to restrict client VPN connections via computer name. The reason for this is that we only want clients connecting from approved devices for which they do not have administrative privileges. In other words, we do not want people VPNing into our network from their possibly virus and spyware-infested home PCs. I know that a clever user could rename his/her home PC, but this is probably not too likely and that type of user is probably likely to be conscious of updated antivirus/spyware software.

I saw a setting in Remote Access Policies called Client Friendly Name (IAS). Is this the setting I am looking for? If so, do I have to set up an IAS server? If not, is there another way I can accomplish my goal?

I know that WS2k3 R2 has a quarantine feature, but I am not familiar with it, though it looks like a bit of a PITA to set up and I am looking for a quick way to fix this problem. We will probably eventually use the new quarantine feature after our techs have had a chance to learn and test it a bit. I think another problem with this feature is for small business networks that have just a single SBS server.

Any help would be greatly appreciated.

Thanks,

Dan DeStefano
RE: [ActiveDir] Event ID 108
I just tried to deploy the package by assigning it to a user who is an administrator of the test workstation and it deployed fine. However, this is undesirable since the users of the domain are not given administrative privileges on their workstations. I believe that when assigning it to the computers that all permissions are set correctly (e.g. the computers group being used for deployment is assigned “Apply Group Policy” on the GPO, and the group has “read” share and NTFS permissions to the AIP for the package). Plus, usually when there is a permissions problem, the Event Log on the workstation will say something like “cannot find package” or something and that is not what it is saying.

Do you think it is possible that the problem is the domain is in Windows 2000 Mixed mode and there are both w2k3 and w2k domain controllers?

Dan DeStefano

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Wednesday, November 08, 2006 8:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Yes, if you deleted and recreated the GPO, it would have a different GUID. So I'm guessing that one of those packageRegistration objects is the package you've deployed and one is a package that has been removed. I can't think of any reason why software deployment would just fail like that, across GPOs. Can you successfully deploy another package--say adminpak.msi--just to see if it's something with that media you're using?

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, November 08, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

I did delete and recreate the deployment GPO so that may be the reason for the 2 packages. However, since the GPO was deleted and recreated, wouldn’t the new GPO have a different GUID? If so, then why would the old package be in the new GPO?

Additionally, the MSI package is directly from the Outlook 2003 media that works fine when run manually. Also, when I create other software deployment GPOs, they fail as well. The AIP that I used to create the GPO is the exact same AIP used on a different, w2k3 domain for a different client and it works fine. So I think the problem is with software deployment GPOs in general. Does that make sense?

OK, I will rename the DDP back to the default.

Dan DeStefano

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Wednesday, November 08, 2006 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Dan-

The 2 packageRegistration objects represent two separate packages. The MSI and MST are referenced within the msiFileList attribute on each packageRegistration object. It's possible that one of those packageRegistration objects is a "removed" package--removed packages don't actually get deleted in AD--they just lie around forever :-). So, I'm not sure why you're getting errors since it does appear that the packages are getting created properly.

Renaming the DDP is not a problem for Windows, but it can be confusing to administrators looking at it. I would rename it back to "DDP" to avoid any confusion.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, November 08, 2006 8:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Thanks for your help.

When I look in the SYSVOL folder, I do see the software deployment policy I have created. I can also see the policy in the \System\Policies AD container. There are 2 packageRegistration objects in the Domain\System\Policies\GUID\Machine\Class Store\Packages container. I assume one is for the MSI and one for the MST, correct?

Yes, the “All Users and Computers” GPO does begin with “31B2F3…” Also, there is a container named “Default Domain Policy” under the System container in AD. Does renaming the DDP cause problems? Would it be advisable to name it back to DDP?

Dan DeStefano

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 07, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Dan-

I would resolve the problem before upgrading. It sounds like you have at least two things going on. First off, the sw. deployment error sounds like something deeply wrong with AD. The software installation data object referred to below is probably something called a packageRegistration
RE: [ActiveDir] Event ID 108
I did delete and recreate the deployment GPO so that may be the reason for the 2 packages. However, since the GPO was deleted and recreated, wouldn’t the new GPO have a different GUID? If so, then why would the old package be in the new GPO?

Additionally, the MSI package is directly from the Outlook 2003 media that works fine when run manually. Also, when I create other software deployment GPOs, they fail as well. The AIP that I used to create the GPO is the exact same AIP used on a different, w2k3 domain for a different client and it works fine. So I think the problem is with software deployment GPOs in general. Does that make sense?

OK, I will rename the DDP back to the default.

Dan DeStefano

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Wednesday, November 08, 2006 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Dan-

The 2 packageRegistration objects represent two separate packages. The MSI and MST are referenced within the msiFileList attribute on each packageRegistration object. It's possible that one of those packageRegistration objects is a "removed" package--removed packages don't actually get deleted in AD--they just lie around forever :-). So, I'm not sure why you're getting errors since it does appear that the packages are getting created properly.

Renaming the DDP is not a problem for Windows, but it can be confusing to administrators looking at it. I would rename it back to "DDP" to avoid any confusion.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, November 08, 2006 8:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Thanks for your help.

When I look in the SYSVOL folder, I do see the software deployment policy I have created. I can also see the policy in the \System\Policies AD container. There are 2 packageRegistration objects in the Domain\System\Policies\GUID\Machine\Class Store\Packages container. I assume one is for the MSI and one for the MST, correct?

Yes, the “All Users and Computers” GPO does begin with “31B2F3…” Also, there is a container named “Default Domain Policy” under the System container in AD. Does renaming the DDP cause problems? Would it be advisable to name it back to DDP?

Dan DeStefano

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 07, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Dan-

I would resolve the problem before upgrading. It sounds like you have at least two things going on. First off, the sw. deployment error sounds like something deeply wrong with AD. The software installation data object referred to below is probably something called a packageRegistration object, which should exist in AD under the GPC portion of the GPO. The fact that you don't seem to have or be able to fix the DDP GPO is strange. What is the GUID of the "All Users and Workstations" GPO? If it starts with {31B2F3.., then it's probably just the DDP renamed.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Monday, November 06, 2006 5:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event ID 108

I am having a problem when deploying applications via GPO in a Windows 2000 SP4 AD domain. The clients do not receive the package and I receive Event ID 108 "There is no software installation data object in the Active Directory". I have followed the recommendations from http://eventid.net/display.asp?eventid=108&eventno=1181&source=Application%20Management&phase=1, as well as from other MSKB articles, but without success. I have deleted/recreated the GPO, msi and mst packages, but the problem persists.

This is a network I inherited and when looking around in AD I noticed that the “Default Domain Policy” has either been deleted or renamed because it no longer exists. The only policy bound to the domain is one called “All Users and Workstations”, which I do not recognize as a built-in policy. I have run dcdiag /fix and netdiag /fix on all DCs and netdiag /fix on the test-deploy workstations, but this has not solved the problem. Everything else with the domain including authentication, name resolution, etc., works fine, but I think this error may be evidence of a larger problem with AD.

We are planning on upgrading the domain to WS2k3 within the next few weeks. Does anyone think that may fix the problem? If not, would it be wise to put off the upgrade until this issue is resolved?

Thanks i
RE: [ActiveDir] Event ID 108
Thanks for your help.

When I look in the SYSVOL folder, I do see the software deployment policy I have created. I can also see the policy in the \System\Policies AD container. There are 2 packageRegistration objects in the Domain\System\Policies\GUID\Machine\Class Store\Packages container. I assume one is for the MSI and one for the MST, correct?

Yes, the “All Users and Computers” GPO does begin with “31B2F3…” Also, there is a container named “Default Domain Policy” under the System container in AD. Does renaming the DDP cause problems? Would it be advisable to name it back to DDP?

Dan DeStefano

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 07, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Dan-

I would resolve the problem before upgrading. It sounds like you have at least two things going on. First off, the sw. deployment error sounds like something deeply wrong with AD. The software installation data object referred to below is probably something called a packageRegistration object, which should exist in AD under the GPC portion of the GPO. The fact that you don't seem to have or be able to fix the DDP GPO is strange. What is the GUID of the "All Users and Workstations" GPO? If it starts with {31B2F3.., then it's probably just the DDP renamed.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Monday, November 06, 2006 5:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event ID 108

I am having a problem when deploying applications via GPO in a Windows 2000 SP4 AD domain. The clients do not receive the package and I receive Event ID 108 "There is no software installation data object in the Active Directory". I have followed the recommendations from http://eventid.net/display.asp?eventid=108&eventno=1181&source=Application%20Management&phase=1, as well as from other MSKB articles, but without success. I have deleted/recreated the GPO, msi and mst packages, but the problem persists.

This is a network I inherited and when looking around in AD I noticed that the “Default Domain Policy” has either been deleted or renamed because it no longer exists. The only policy bound to the domain is one called “All Users and Workstations”, which I do not recognize as a built-in policy. I have run dcdiag /fix and netdiag /fix on all DCs and netdiag /fix on the test-deploy workstations, but this has not solved the problem. Everything else with the domain including authentication, name resolution, etc., works fine, but I think this error may be evidence of a larger problem with AD.

We are planning on upgrading the domain to WS2k3 within the next few weeks. Does anyone think that may fix the problem? If not, would it be wise to put off the upgrade until this issue is resolved?

Thanks in advance for any help,

Dan DeStefano
[ActiveDir] Event ID 108
I am having a problem when deploying applications via GPO in a Windows 2000 SP4 AD domain. The clients do not receive the package and I receive Event ID 108 "There is no software installation data object in the Active Directory". I have followed the recommendations from http://eventid.net/display.asp?eventid=108&eventno=1181&source=Application%20Management&phase=1, as well as from other MSKB articles, but without success. I have deleted/recreated the GPO, msi and mst packages, but the problem persists. This is a network I inherited and when looking around in AD I noticed that the “Default Domain Policy” has either been deleted or renamed because it no longer exists. The only policy bound to the domain is one called “All Users and Workstations”, which I do not recognize as a built-in policy. I have run dcdiag /fix and netdiag /fix on all DCs and netdiag /fix on the test-deploy workstations, but this has not solved the problem. Everything else with the domain including authentication, name resolution, etc. works fine, but I think this error may be evidence of a larger problem with AD. We are planning on upgrading the domain to WS2k3 within the next few weeks. Does anyone think that may fix the problem? If not, would it be wise to put off the upgrade until this issue is resolved? Thanks in advance for any help, Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
[ActiveDir] OT: Exchange Question
I have a client who would like certain users to no longer receive e-mail, while still being able to access their mailboxes. Is there a way to do this other than exporting their mailbox to PST and mailbox-disabling the users? Thank you in advance, Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
RE: [ActiveDir] OT: SBS RWW Issue
How do I subscribe to the yahoo groups LS? Just send an e-mail to [EMAIL PROTECTED] with "subscribe" in the subject line? How do I access the MS partner newsgroup? I am not too familiar with the partner site, though my company is a MS partner and I do have access to the partner site. Thank you - changing the companyweb, default web site and remote virtual directory from ASP.Net 2.0 back to 1.1 resolved the issue. Do you know why this happens? Is it something that will be resolved by MS? I am extremely grateful for your help. Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, October 10, 2006 11:51 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: SBS RWW Issue For the record we have an extremely active SBS listserve at [EMAIL PROTECTED] and as a MS partner there is a managed newsgroup with guaranteed MS engineer response ISA on the front end? Can you post your ipconfig /all? (yes folks this is prob the number one SBS troubleshooting thing we ask for and people post their inner goo and big server land would freak I know) You have your nic's pointing to the internal nic's IP right? One nic or two? http://msmvps.com/blogs/bradley/archive/2006/05/12/94435.aspx Hang on... you downloaded .NET 2.0 lately? If so flip that company web back to 1.1 Dan DeStefano wrote: > > I know this is way off topic, but I haven't been able to resolve this > issue. > > I am using SBS 2003 SP1 with all patches installed. > > I am having a problem with my companyweb website and the Remote Web > Workplace. When connecting to the companyweb site from the local LAN, > I receive Page Cannot Be Displayed. However, I can connect via IP > address and via the external domain name assigned to the server. 
The > internal DNS CNAME entry for companyweb points to the correct IP > address and this is confirmed via nslookup and ping. > > Additionally, regardless of how i connect, the Remote Web Workplace > does not come up at all, it always gives a 404 Page Cannot Be > Displayed error. I am using the self-signed certificate created with > the Configure E-mail and Internet Connection wizard. > > I have compared the IIS settings to another SBS implementation where > everything works fine and there are no differences. > > I would appreciate any help. > > > Thanks, > > Dan > > Dan DeStefano > *Info-lution Corporation* > [EMAIL PROTECTED] > http://www.info-lution.com <http://www.info-lution.com/> > Office: 727 546-9143 > FAX: 727 541-5888 > > If you have received this message in error please notify the sender, > disregard any content and remove it from your possession. > -- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] OT: SBS RWW Issue
I know this is way off topic, but I haven’t been able to resolve this issue. I am using SBS 2003 SP1 with all patches installed. I am having a problem with my companyweb website and the Remote Web Workplace. When connecting to the companyweb site from the local LAN, I receive Page Cannot Be Displayed. However, I can connect via IP address and via the external domain name assigned to the server. The internal DNS CNAME entry for companyweb points to the correct IP address and this is confirmed via nslookup and ping. Additionally, regardless of how I connect, the Remote Web Workplace does not come up at all, it always gives a 404 Page Cannot Be Displayed error. I am using the self-signed certificate created with the Configure E-mail and Internet Connection wizard. I have compared the IIS settings to another SBS implementation where everything works fine and there are no differences. I would appreciate any help. Thanks, Dan Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
RE: [ActiveDir] OT: Possible Security Hole in RDP?
I should have mentioned that my RDP connection to the TS was as a normal user as well. Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: Tuesday, October 10, 2006 8:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Possible Security Hole in RDP? If the RDP session is being created to the target server with Admin privileges and that account also has admin privileges on your machine then I would suspect that this is what happening here. I.E. the connection is back to your PC from the server, under the credentials you logged in with, and not from your PC to the server under your local credentials. Anyone else got any ideas?? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: 10 October 2006 14:10 To: ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] Subject: [ActiveDir] OT: Possible Security Hole in RDP? I have noticed something with Terminal Services and RDP that is concerning. I am using a notebook on which I am just a normal user (I do not log on as administrator unless absolutely necessary). I create an RDP connection to a WS2k3 terminal server and choose to make the notebook’s local disks available on the terminal server. I can then browse through my notebook’s hard drive with impunity. I can access all files and folders to which I should not have any access at all, including the administrator profile. However, it does take very long to open these files/folders. I am sure this is a known issue, I just haven’t read about it anywhere. Does anyone know if there is a way to mitigate this other than setting group policy to not allow local disks to connect to the terminal server? 
Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession. Disclaimer: The Development Bank of Southern Africa exercises no control over information contained in any e-mail message originating from within the organisation. The Bank makes no representation relating to the completeness or accuracy and accepts no responsibility for any loss, damage or liability that is incurred by reliance on the content hereof by the recipient or any other party. Each page attached hereto must also be read in conjunction with any disclaimer, which forms part of it. Confidentiality: The e-mail is privileged and confidential and for use of the addressee only. Should you have received this e-mail in error, please return it to [EMAIL PROTECTED]. Dissemination, disclosure, copying or any similar actions of the content of this e-mail is strictly prohibited.
[ActiveDir] OT: Possible Security Hole in RDP?
I have noticed something with Terminal Services and RDP that is concerning. I am using a notebook on which I am just a normal user (I do not log on as administrator unless absolutely necessary). I create an RDP connection to a WS2k3 terminal server and choose to make the notebook’s local disks available on the terminal server. I can then browse through my notebook’s hard drive with impunity. I can access all files and folders to which I should not have any access at all, including the administrator profile. However, it does take very long to open these files/folders. I am sure this is a known issue, I just haven’t read about it anywhere. Does anyone know if there is a way to mitigate this other than setting group policy to not allow local disks to connect to the terminal server? Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
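The thread above turns on the client choosing to make its local disks available to the terminal server. As an added example (not part of any poster's message), this script inventories saved Remote Desktop connection files that request drive redirection, so an administrator can see which connections expose client disks. It assumes the `redirectdrives` and `drivestoredirect` settings of the .rdp file format; the file names, host name and sample contents are constructed.

```python
import codecs

# Settings in a saved Remote Desktop connection (.rdp) file that ask the client
# to expose local disks to the remote session. Each line is "name:type:value".
LEGACY_FLAG = "redirectdrives"    # i:1 means "redirect all local drives"
DRIVE_LIST = "drivestoredirect"   # s:*  or  s:DynamicDrives  or  s:C:\;D:\;


def decode_rdp(data: bytes) -> str:
    """Decode .rdp bytes: UTF-16 with a BOM, UTF-8 with a BOM, or plain 8-bit text."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    if data.startswith(codecs.BOM_UTF8):
        return data.decode("utf-8-sig")
    return data.decode("utf-8", errors="replace")


def parse_rdp(data: bytes) -> dict:
    """Return {setting name: (type, value)}; malformed lines are skipped."""
    settings = {}
    for raw in decode_rdp(data).splitlines():
        # Split on the first two colons only: values such as "C:\" contain colons.
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue
        name, kind, value = parts
        settings[name.strip().lower()] = (kind.strip().lower(), value.strip())
    return settings


def redirected_drives(settings: dict) -> list:
    """List the drives a connection file asks to redirect; [] means none."""
    drives = []
    kind, value = settings.get(LEGACY_FLAG, ("i", "0"))
    if kind == "i" and value == "1":
        drives.append("*")
    kind, value = settings.get(DRIVE_LIST, ("s", ""))
    if kind == "s":
        for item in value.split(";"):
            item = item.strip()
            if item and item not in drives:
                drives.append(item)
    return drives


def audit(files: dict) -> dict:
    """Map file name -> requested drives, only for files that request any."""
    report = {}
    for name, data in sorted(files.items()):
        drives = redirected_drives(parse_rdp(data))
        if drives:
            report[name] = drives
    return report


# Constructed sample files (not taken from the thread).
SAMPLES = {
    "ts-all-drives.rdp": (
        "full address:s:ts01.example.test\r\n"
        "redirectdrives:i:1\r\n"
        "redirectprinters:i:1\r\n"
    ).encode("utf-16"),
    "ts-selected.rdp": (
        b"full address:s:ts01.example.test\r\n"
        b"drivestoredirect:s:C:\\;DynamicDrives\r\n"
    ),
    "ts-no-drives.rdp": (
        b"full address:s:ts01.example.test\r\n"
        b"redirectdrives:i:0\r\n"
        b"drivestoredirect:s:\r\n"
    ),
}

if __name__ == "__main__":
    for name, drives in audit(SAMPLES).items():
        print(f"{name}: drive redirection requested for {', '.join(drives)}")
```

To check real files, read each `.rdp` file in binary mode and pass a `{path: bytes}` dictionary to `audit`.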
RE: [ActiveDir] Folder Redirection Issue
Thank everyone for their help. The problem seems to be that users need read permissions to the root home folders directory as just giving them traverse/read folder contents was not enough. This is not such a big deal I guess because thanks to ws2k3 sp1’s new access-based enumeration feature, users cannot even see other users’ home folders in the home folder share. Again, thank all of you for your help, Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves Sent: Thursday, October 05, 2006 9:38 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Folder Redirection Issue Sorry, didn't read thoroughly first (oops). Yeah, it sounds like a perms issue, I usually set the root of my user shares directory to have Read/Traverse perms for users in case of an emergency and/or troubleshooting. It's an administrative share anyway, I can understand the paranoia of also setting it to basically be unbrowsable, but it sounds like you're going 1/2 a step too far (at least for the purposes of the applications in your environment). On 10/5/06, Matt Hargraves <[EMAIL PROTECTED]> wrote: If you're using a transform file to deploy, you should be able to define the default file location, either as a variable (%homedrive%) or alternatively, you can install the GPO extensions for MS Office and set the item via GPO and stop worrying, as long as you test it a little bit before deploying it out to everyone. On 10/4/06, Kennedy, Jim < [EMAIL PROTECTED]> wrote: "Office was deployed to the workstations via group policy using an AIP and MST transform." Bet you will find something in that MST that is pointing to the wrong location. Blow out an Outlook profile on one as a test. 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano Sent: Wednesday, October 04, 2006 11:02 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Folder Redirection Issue I am having a weird problem with folder redirection. I have set the My Documents redirection to the subfolder of the root drive option and set the path to the homefolders directory (\\servername\homefolders$). This is supposed to redirect users my documents to \\servername\homefolders$\%username%\my documents and it does. The users log onto their PCs and open their My Documents folder fine – and looking at the properties of their my documents folder confirms that the redirection is working properly. The problem is that in certain applications, namely Outlook 2003 (all latest patches and SPs applied). When a user goes to save an attachment, for example, and clicks on my documents in the save dialog, they receive the error "cannot access \\servername\homefolders$, which makes sense since the users do not have access to the homefolders$ share, just to their subfolder. So Outlook, for some reason, is not drilling down into the users my documents in the home folder, but instead is trying to access the root of the homefolders$ share. In other Office apps, the my documents works fine. There are also no event log entries that reference this issue. I am stuck here as I am unable to find any KB articles that discuss this. Does anyone have any suggestions? I have not yet reinstalled Outlook because all other Office apps work fine. Office was deployed to the workstations via group policy using an AIP and MST transform. Any help would be greatly appreciated. Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession. 
[ActiveDir] Folder Redirection Problem
I am sorry if this is a repost, but I inadvertently deleted any responses: I am having a weird problem with folder redirection. I have set the My Documents redirection to the subfolder of the root drive option and set the path to the homefolders directory (\\servername\homefolders$). This is supposed to redirect users' my documents to \\servername\homefolders$\%username%\my documents and it does. The users log onto their PCs and open their My Documents folder fine – and looking at the properties of their my documents folder confirms that the redirection is working properly. The problem is in certain applications, namely Outlook 2003 (all latest patches and SPs applied). When a user goes to save an attachment, for example, and clicks on my documents in the save dialog, they receive the error “cannot access \\servername\homefolders$”, which makes sense since the users do not have access to the homefolders$ share, just to their subfolder. So Outlook, for some reason, is not drilling down into the users' my documents in the home folder, but instead is trying to access the root of the homefolders$ share. In other Office apps, the my documents works fine. There are also no event log entries that reference this issue. I am stuck here as I am unable to find any KB articles that discuss this. Does anyone have any suggestions? I have not yet reinstalled Outlook because all other Office apps work fine. Office was deployed to the workstations via group policy using an AIP and MST transform. Any help would be greatly appreciated. Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
[ActiveDir] Folder Redirection Issue
I am having a weird problem with folder redirection. I have set the My Documents redirection to the subfolder of the root drive option and set the path to the homefolders directory (\\servername\homefolders$). This is supposed to redirect users' my documents to \\servername\homefolders$\%username%\my documents and it does. The users log onto their PCs and open their My Documents folder fine – and looking at the properties of their my documents folder confirms that the redirection is working properly. The problem is in certain applications, namely Outlook 2003 (all latest patches and SPs applied). When a user goes to save an attachment, for example, and clicks on my documents in the save dialog, they receive the error “cannot access \\servername\homefolders$”, which makes sense since the users do not have access to the homefolders$ share, just to their subfolder. So Outlook, for some reason, is not drilling down into the users' my documents in the home folder, but instead is trying to access the root of the homefolders$ share. In other Office apps, the my documents works fine. There are also no event log entries that reference this issue. I am stuck here as I am unable to find any KB articles that discuss this. Does anyone have any suggestions? I have not yet reinstalled Outlook because all other Office apps work fine. Office was deployed to the workstations via group policy using an AIP and MST transform. Any help would be greatly appreciated. Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
RE: [ActiveDir] Search Mailbox
Thanks for all your help. I appreciate it. Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Thursday, September 21, 2006 11:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Search Mailbox No – not without a third party product (e.g. Veritas Enterprise Vault or EMC Legato). This feature is native to Exchange 2007. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Thursday, September 21, 2006 9:02 AM To: activedir@mail.activedir.org Subject: [ActiveDir] Search Mailbox Is there any way to search for messages within a mailbox without using Outlook in Exchange 2000; like using System Administrator? Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
[ActiveDir] Search Mailbox
Is there any way to search for messages within a mailbox without using Outlook in Exchange 2000; like using System Administrator? Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
[ActiveDir] OT - Redirect Incoming Mail on Exchange 2003
I am running Exchange 2003 SP2 and have a question about mail forwarding. I would like to forward all mail from a specific domain to an outside e-mail address. So, when a message comes in from [EMAIL PROTECTED], the message is automatically forwarded to [EMAIL PROTECTED]. Is this possible using built-in Exchange functionality? If not, can anyone recommend a product that can do this? I have been looking at GFI Mail Essentials for other purposes, but cannot ascertain whether or not it can do this for me. I would appreciate any help that can be provided. Thanks, Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
RE: OT [ActiveDir] Optimize Exchange Pagefile
I understand what you are saying and, in a perfect world, I would always recommend mirrored/duplexed arrays to hold at least the exchange log files. However, most of my clients are small businesses with which money is more of an object than performance. And at $300+ per SCSI disk, it is difficult to justify having 2 or more disks that aren’t used to store data. All that being said, I will discuss this with the people in my organization as I do not like using RAID5 especially where Exchange is concerned. Does anyone have any experience with using SATA II drives in applications as I have described? With their new NCQ and 3Gb/s features, combined with their cost/GB, they make an attractive alternative to SCSI for small businesses. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Monday, May 08, 2006 4:59 AM To: ActiveDir@mail.activedir.org Subject: RE: OT [ActiveDir] Optimize Exchange Pagefile Al, I still think that interesting (i.e. BAD) things might happen if the RAID-5 ever flips into degraded mode(i.e. runs on two drives.) The first proper Exchange Server I built (yes it was 5.0 RTM) was designed for a similar situation. We were a small business without about 20 people and the server was a Dual Pentium Pro (I guess with NT4) with a third party raid card (I can't remember the make). Any way I built it the same way as Dan proposes, and it ran fine for a while. However we had some issues with temperature control in the server room and we lost a drive from the array. These days I would have taken the server off line and allowed the re-build to complete. I didn't and the RAID card could just not cope with re-building the array and the minimal load we placed on it. To cut a long story short I spent a long time sorting out the mess it made of the databases . Since then I have been very wary of such configs. In " theory" they should work. 
In my experience, and yes it was a long time ago, and hardware should have improved, it may not. Dave. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: 05 May 2006 19:06 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Optimize Exchange Pagefile yeah, there would be some general disagreement from me. Why? Only because this is SBS box vs. an enterprise Exchange server hosting 5K users. My laptop (crud that it is) could host 20 heavy exchange users with usable/good performance with that amount of memory. I don't think the focus of a machine that will only ever have <75 users should be optimized for more than space in most situations. It would be a waste of money that could be spent on other things like better backups, better coffee, etc. I don't believe there's any value in buying a system such as SBS and then having to make adjustments to things like pagefile size. That's counter to the product's reason for being. Saying that, Dave is correct that optimizing the disk layout has the biggest benefit, but it's SBS and as such it's "special". Just ask SBS-Lady ;) Al On 5/4/06, Dave Wade <[EMAIL PROTECTED]> wrote: > If you have 4gig of RAM then you should get minimal paging. (I know > this is a great generalization) > > 1) Log file access is sequential, database is random > 2) Keeping Log files write queue down is key to performance > 3) log files are write only > 4) raid-5 tends to have poor write performance (again greate generalization). > > So I would try and get another drive in the box so I could have a mirrored > pair for OS & LOGS, and a mirrored pair for Databases. . Putting these on > seperate drives will do far more for performance than changing the page file. > RAID-5 is a real bad performer on write. These days I woudl avoid as far as > possible... > > I am sure other folks may disagree... 
> -Original Message-
> From: [EMAIL PROTECTED] on behalf of Dan DeStefano
> Sent: Thu 04/05/2006 21:36
> To: ActiveDir@mail.activedir.org
> Cc:
> Subject: RE: [ActiveDir] Optimize Exchange Pagefile
>
> Yes, far less than 100, on this box it is under 20.
>
> You do not think it is necessary to mess with the page file, even if only to make it static?
>
> Dan
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
> Sent: Thursday, May 04, 2006 4:06 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Optimize Exchange Pagefile
>
> There is no point in messing about with memory config if you only have a three drive RAID 5 array. Disk config is critical. How many users
RE: [ActiveDir] Optimize Exchange Pagefile
Yes, far less than 100, on this box it is under 20. You do not think it is necessary to mess with the page file, even if only to make it static? Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Thursday, May 04, 2006 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Optimize Exchange Pagefile There is no point in messing about with memory config if you only have a three drive RAID 5 array. Disk config is critical. How many users do you want to put on this box. less than 100? -Original Message- From: [EMAIL PROTECTED] on behalf of Dan DeStefano Sent: Thu 04/05/2006 20:16 To: ActiveDir@mail.activedir.org Cc: Subject: [ActiveDir] Optimize Exchange Pagefile I was wondering if anyone can point me to any MS document that discusses optimizing the page file on an Exchange box. I found http://support.microsoft.com/kb/815372, but this article does not discuss the page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange binaries on the first logical drive (which will also contain the system and boot partitions) and the Exchange databases, logs, queues, etc on the second logical drive. The way I normally set the pagefile on my systems is to set it to be static and 1.5x physical RAM. I also create a pagefile on each disk and let Windows choose the best one (which will be the second logical drive). I do not want to disable the pagefile on C: because, from what I understand, this will disable crash dumps, which I do not want. However, I set the crash dump to kernel only, not the entire pagefile. That being said, would it be appropriate to set the pagefile on C: to something small like 256MB since the OS will be using the one on the second drive anyway? Also, other than not using the /3GB switch, are there any other differences between the memory/pagefile settings on a regular Exchange box running WS2k3 and the SBS2k3 version? 
I would appreciate any guidance. Dan DeStefano Info-lution Corporation www.info-lution.com MCSE - 2073750 This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
[ActiveDir] Optimize Exchange Pagefile
I was wondering if anyone can point me to any MS document that discusses optimizing the page file on an Exchange box. I found http://support.microsoft.com/kb/815372, but this article does not discuss the page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange binaries on the first logical drive (which will also contain the system and boot partitions) and the Exchange databases, logs, queues, etc on the second logical drive. The way I normally set the pagefile on my systems is to set it to be static and 1.5x physical RAM. I also create a pagefile on each disk and let Windows choose the best one (which will be the second logical drive). I do not want to disable the pagefile on C: because, from what I understand, this will disable crash dumps, which I do not want. However, I set the crash dump to kernel only, not the entire pagefile. That being said, would it be appropriate to set the pagefile on C: to something small like 256MB since the OS will be using the one on the second drive anyway? Also, other than not using the /3GB switch, are there any other differences between the memory/pagefile settings on a regular Exchange box running WS2k3 and the SBS2k3 version? I would appreciate any guidance. Dan DeStefano Info-lution Corporation www.info-lution.com MCSE - 2073750 Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
RE: [ActiveDir] Exchange 5.5 Upgrade Problems
I can connect and bind successfully to the ex5.5 machine from the new ws2k3 machine using the domain admin account and the service account and via both ports: 389 and 38900. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, April 19, 2006 2:47 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Exchange 5.5 Upgrade Problems I missed the part about the ADC then. :) Try the event log - what do you see at startup of the machine? If you connect to tcp 389 of that machine, what answers? (try LDP and just connect - you should see what you're looking for there.) Until you can connect to the Exchange directory via LDAP, you're not going anywhere. Basically, be sure to check that the LDAP component is operational and work from there. Al On 4/19/06, Dan DeStefano <[EMAIL PROTECTED]> wrote: The ADC is set to use port 38900 and the LDAP protocol at the Ex5.5 site level is set to use 38900, but at the server level it is set to use 389 (when I change this, mail stops flowing). Regardless, when I try connecting in ADC tools to the Ex5.5 box it fails on either port. I am trying to build a new Ex2k3 server in the domain, but it will not join the organization because the ADC tools have not bee run, or at least that is the error message I am getting. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ion Gott Sent: Wednesday, April 19, 2006 10:25 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems The Exchange 5.5 directory should be listening on another port since it is running on a DC that is already listening on 389 for AD LDAP operations. If possible it would probably be a lot safer and easier to build a new Exchange 2003 server and just migrate to the new machine...if possible. 
Ion From: [EMAIL PROTECTED] on behalf of Dan DeStefano Sent: Tue 4/18/2006 6:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet, but they want ex2k3 features quickly. So we determined the fastest way to implement ex2k3 would be to do an in-place upgrade of their server. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond Sent: Tuesday, April 18, 2006 9:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Why are you doing this interim upgrade when your end goal is a 2k3 native environment? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano Sent: Tuesday, April 18, 2006 9:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Yes, I can connect to the dc/ex5.5 box from the new ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the enterprise/domain admin account and the ex service account. I am not trying to do a direct upgrade from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors when trying to do the ex2k upgrade. Note: I am not sure if it matters, but in ex5.5 administrator, the ldap protocol for the site is set to 38900, but for the server it is set to 389. I tried changing it in the server to 38900, but that stopped mail from flowing. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond Sent: Tuesday, April 18, 2006 8:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Could be all sorts of things here, but lets start simple. 
Can you do an ldap bind to the exchange box on port 38900 using the ldp tool (or similar) from the support tools? You can't do an inplace upgrade from 5.5 to 2003 which is what it sounds like you're doing when you get the consistency error. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano Sent: Tuesday, April 18, 2006 8:10 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange 5.5 Upgrade Problems I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests. My current project is to upgrade the Ex5.5 server (which is also the domain's only DC) to Ex2k3, but I a
RE: [ActiveDir] Exchange 5.5 Upgrade Problems
I am not trying to upgrade from Ex5.5 to Ex2k3, but rather from Ex5.5 to Ex2k, then, from Ex2k to Ex2k3. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, April 19, 2006 10:45 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Exchange 5.5 Upgrade Problems In place of Exchange 5.5 to Exchange 2003? Check the readme, release notes and migration path scenarios again. Last I checked, that was not a supported upgrade path (2000 to 2003 is supported although not always preferred). Al On 4/18/06, Dan DeStefano <[EMAIL PROTECTED]> wrote: We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet, but they want ex2k3 features quickly. So we determined the fastest way to implement ex2k3 would be to do an in-place upgrade of their server. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond Sent: Tuesday, April 18, 2006 9:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Why are you doing this interim upgrade when your end goal is a 2k3 native environment? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano Sent: Tuesday, April 18, 2006 9:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Yes, I can connect to the dc/ex5.5 box from the new ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the enterprise/domain admin account and the ex service account. I am not trying to do a direct upgrade from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors when trying to do the ex2k upgrade. Note: I am not sure if it matters, but in ex5.5 administrator, the ldap protocol for the site is set to 38900, but for the server it is set to 389. 
I tried changing it in the server to 38900, but that stopped mail from flowing. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond Sent: Tuesday, April 18, 2006 8:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Could be all sorts of things here, but lets start simple. Can you do an ldap bind to the exchange box on port 38900 using the ldp tool (or similar) from the support tools? You can't do an inplace upgrade from 5.5 to 2003 which is what it sounds like you're doing when you get the consistency error. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano Sent: Tuesday, April 18, 2006 8:10 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange 5.5 Upgrade Problems I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests. My current project is to upgrade the Ex5.5 server (which is also the domain's only DC) to Ex2k3, but I am running into problems. I have successfully run Forestprep and Domainprep. However, when I attempt to run the installation, I receive the error "Exchange… cannot be assigned the task "upgrade" because… the directory database is in an inconsistent state… the private and or public stores are in an inconsistent state". However, when using Eseutil to check database consistency of all 3 databases, it reports that they are consistent. Even so, I tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3 DBs, but nothing worked. I then ran every test/repair using isinteg, all of which completed successfully and only some of which reported errors. However, nothing has worked and I am still getting the same errors when trying to upgrade. 
I also upgraded the ADC to the Ex2k SP3 version, which had no effect. Now my plan is to install a new WS2k3/Ex2k3 server into the Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5 box. While waiting for my maintenance window to upgrade the current ADC to the 2k3 version, I installed EX2k3 ADC on the new mail server (which is not a DC). Now, when I try to run the "Data collection" step in ADC tools on the new ws2k3 box, I receive the error "Server :389 is not an Exchange 5.5 server or an SRS service". I realized that since it was installed on a DC that the LDAP port in ADC was changed to 38900, so I changed it in ADC tools. However, I am now receiving the error "Could not connect to server :38900 with LDAP error
RE: [ActiveDir] Exchange 5.5 Upgrade Problems
The ADC is set to use port 38900 and the LDAP protocol at the Ex5.5 site level is set to use 38900, but at the server level it is set to use 389 (when I change this, mail stops flowing). Regardless, when I try connecting in ADC tools to the Ex5.5 box it fails on either port. I am trying to build a new Ex2k3 server in the domain, but it will not join the organization because the ADC tools have not been run, or at least that is the error message I am getting. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ion Gott Sent: Wednesday, April 19, 2006 10:25 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems The Exchange 5.5 directory should be listening on another port since it is running on a DC that is already listening on 389 for AD LDAP operations. If possible it would probably be a lot safer and easier to build a new Exchange 2003 server and just migrate to the new machine...if possible. Ion From: [EMAIL PROTECTED] on behalf of Dan DeStefano Sent: Tue 4/18/2006 6:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet, but they want ex2k3 features quickly. So we determined the fastest way to implement ex2k3 would be to do an in-place upgrade of their server. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, April 18, 2006 9:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Why are you doing this interim upgrade when your end goal is a 2k3 native environment? 
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, April 18, 2006 9:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Yes, I can connect to the dc/ex5.5 box from the new ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the enterprise/domain admin account and the ex service account. I am not trying to do a direct upgrade from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors when trying to do the ex2k upgrade. Note: I am not sure if it matters, but in ex5.5 administrator, the ldap protocol for the site is set to 38900, but for the server it is set to 389. I tried changing it in the server to 38900, but that stopped mail from flowing. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, April 18, 2006 8:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Could be all sorts of things here, but lets start simple. Can you do an ldap bind to the exchange box on port 38900 using the ldp tool (or similar) from the support tools? You can’t do an inplace upgrade from 5.5 to 2003 which is what it sounds like you’re doing when you get the consistency error. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, April 18, 2006 8:10 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange 5.5 Upgrade Problems I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests. 
My current project is to upgrade the Ex5.5 server (which is also the domain’s only DC) to Ex2k3, but I am running into problems. I have successfully run Forestprep and Domainprep. However, when I attempt to run the installation, I receive the error “Exchange… cannot be assigned the task “upgrade” because… the directory database is in an inconsistent state… the private and or public stores are in an inconsistent state”. However, when using Eseutil to check database consistency of all 3 databases, it reports that they are consistent. Even so, I tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3 DBs, but nothing worked. I then ran every test/repair using isinteg, all of which completed successfully and only some of which reported errors. However, nothing has worked and I am still getting the same errors when trying to upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect. Now my plan is to install a new WS2k3/Ex2k3 server into the Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5 box. While
RE: [ActiveDir] Exchange 5.5 Upgrade Problems
We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet, but they want ex2k3 features quickly. So we determined the fastest way to implement ex2k3 would be to do an in-place upgrade of their server. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, April 18, 2006 9:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Why are you doing this interim upgrade when your end goal is a 2k3 native environment? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, April 18, 2006 9:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Yes, I can connect to the dc/ex5.5 box from the new ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the enterprise/domain admin account and the ex service account. I am not trying to do a direct upgrade from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors when trying to do the ex2k upgrade. Note: I am not sure if it matters, but in ex5.5 administrator, the ldap protocol for the site is set to 38900, but for the server it is set to 389. I tried changing it in the server to 38900, but that stopped mail from flowing. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, April 18, 2006 8:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Could be all sorts of things here, but lets start simple. Can you do an ldap bind to the exchange box on port 38900 using the ldp tool (or similar) from the support tools? You can’t do an inplace upgrade from 5.5 to 2003 which is what it sounds like you’re doing when you get the consistency error. 
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, April 18, 2006 8:10 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange 5.5 Upgrade Problems I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests. My current project is to upgrade the Ex5.5 server (which is also the domain’s only DC) to Ex2k3, but I am running into problems. I have successfully run Forestprep and Domainprep. However, when I attempt to run the installation, I receive the error “Exchange… cannot be assigned the task “upgrade” because… the directory database is in an inconsistent state… the private and or public stores are in an inconsistent state”. However, when using Eseutil to check database consistency of all 3 databases, it reports that they are consistent. Even so, I tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3 DBs, but nothing worked. I then ran every test/repair using isinteg, all of which completed successfully and only some of which reported errors. However, nothing has worked and I am still getting the same errors when trying to upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect. Now my plan is to install a new WS2k3/Ex2k3 server into the Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5 box. While waiting for my maintenance window to upgrade the current ADC to the 2k3 version, I installed EX2k3 ADC on the new mail server (which is not a DC). Now, when I try to run the “Data collection” step in ADC tools on the new ws2k3 box, I receive the error “Server :389 is not an Exchange 5.5 server or an SRS service”. 
I realized that since it was installed on a DC that the LDAP port in ADC was changed to 38900, so I changed it in ADC tools. However, I am now receiving the error “Could not connect to server :38900 with LDAP error 6. Check server name, port number and account permissions”. I am logged on with the Enterprise/Domain Administrator account and the ADC service is set to use the same service account as the ADC on the Ex5.5 server. If you need any more info please let me know. Any help that anyone can provide will be greatly appreciated. Dan DeStefano Info-lution Corporation www.info-lution.com MCSE - 2073750 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
RE: [ActiveDir] Exchange 5.5 Upgrade Problems
Yes, I can connect to the dc/ex5.5 box from the new ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the enterprise/domain admin account and the ex service account. I am not trying to do a direct upgrade from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors when trying to do the ex2k upgrade. Note: I am not sure if it matters, but in ex5.5 administrator, the ldap protocol for the site is set to 38900, but for the server it is set to 389. I tried changing it in the server to 38900, but that stopped mail from flowing. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, April 18, 2006 8:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems Could be all sorts of things here, but lets start simple. Can you do an ldap bind to the exchange box on port 38900 using the ldp tool (or similar) from the support tools? You can’t do an inplace upgrade from 5.5 to 2003 which is what it sounds like you’re doing when you get the consistency error. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, April 18, 2006 8:10 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Exchange 5.5 Upgrade Problems I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests. My current project is to upgrade the Ex5.5 server (which is also the domain’s only DC) to Ex2k3, but I am running into problems. I have successfully run Forestprep and Domainprep. 
However, when I attempt to run the installation, I receive the error “Exchange… cannot be assigned the task “upgrade” because… the directory database is in an inconsistent state… the private and or public stores are in an inconsistent state”. However, when using Eseutil to check database consistency of all 3 databases, it reports that they are consistent. Even so, I tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3 DBs, but nothing worked. I then ran every test/repair using isinteg, all of which completed successfully and only some of which reported errors. However, nothing has worked and I am still getting the same errors when trying to upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect. Now my plan is to install a new WS2k3/Ex2k3 server into the Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5 box. While waiting for my maintenance window to upgrade the current ADC to the 2k3 version, I installed EX2k3 ADC on the new mail server (which is not a DC). Now, when I try to run the “Data collection” step in ADC tools on the new ws2k3 box, I receive the error “Server :389 is not an Exchange 5.5 server or an SRS service”. I realized that since it was installed on a DC that the LDAP port in ADC was changed to 38900, so I changed it in ADC tools. However, I am now receiving the error “Could not connect to server :38900 with LDAP error 6. Check server name, port number and account permissions”. I am logged on with the Enterprise/Domain Administrator account and the ADC service is set to use the same service account as the ADC on the Ex5.5 server. If you need any more info please let me know. Any help that anyone can provide will be greatly appreciated. Dan DeStefano Info-lution Corporation www.info-lution.com MCSE - 2073750 If you have received this message in error please notify the sender, disregard any content and remove it from your possession. 
[ActiveDir] Exchange 5.5 Upgrade Problems
I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests. My current project is to upgrade the Ex5.5 server (which is also the domain’s only DC) to Ex2k3, but I am running into problems. I have successfully run Forestprep and Domainprep. However, when I attempt to run the installation, I receive the error “Exchange… cannot be assigned the task “upgrade” because… the directory database is in an inconsistent state… the private and or public stores are in an inconsistent state”. However, when using Eseutil to check database consistency of all 3 databases, it reports that they are consistent. Even so, I tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3 DBs, but nothing worked. I then ran every test/repair using isinteg, all of which completed successfully and only some of which reported errors. However, nothing has worked and I am still getting the same errors when trying to upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect. Now my plan is to install a new WS2k3/Ex2k3 server into the Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5 box. While waiting for my maintenance window to upgrade the current ADC to the 2k3 version, I installed EX2k3 ADC on the new mail server (which is not a DC). Now, when I try to run the “Data collection” step in ADC tools on the new ws2k3 box, I receive the error “Server :389 is not an Exchange 5.5 server or an SRS service”. I realized that since it was installed on a DC that the LDAP port in ADC was changed to 38900, so I changed it in ADC tools. However, I am now receiving the error “Could not connect to server :38900 with LDAP error 6. Check server name, port number and account permissions”. 
I am logged on with the Enterprise/Domain Administrator account and the ADC service is set to use the same service account as the ADC on the Ex5.5 server. If you need any more info please let me know. Any help that anyone can provide will be greatly appreciated. Dan DeStefano Info-lution Corporation www.info-lution.com MCSE - 2073750 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
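The check suggested in the replies above (connect to the directory on TCP 389 or 38900 and see what answers) can be scripted. The following is an added example, not code from the list: it sends an unauthenticated LDAPv3 rootDSE search and decodes the reply, assuming the server answers that search without a bind; the function names and the sample reply bytes are constructed for illustration.

```python
import socket
import sys

THREAD_PORTS = (389, 38900)  # the two LDAP ports discussed in the thread

def tlv(tag, value):
    """Encode one BER element (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def rootdse_request(msg_id=1):
    """LDAPv3 SearchRequest for the rootDSE: base "", scope base, (objectClass=*)."""
    search = (tlv(0x04, b"")                             # baseObject: empty DN
              + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")  # scope base, never deref
              + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")  # no size or time limit
              + tlv(0x01, b"\x00")                       # typesOnly: FALSE
              + tlv(0x87, b"objectClass")                # filter: attribute present
              + tlv(0x30, b""))                          # attributes: default set
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, search))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); ValueError if the element is incomplete."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:                       # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_messages(data):
    """Decode concatenated LDAPMessages into (rootDSE attributes, resultCode)."""
    attrs, result, pos = {}, None, 0
    while pos < len(data):
        tag, msg, pos = read_tlv(data, pos)
        parts = children(msg)
        if tag != 0x30 or len(parts) < 2:
            raise ValueError("not an LDAPMessage")
        op_tag, op = parts[1]
        if op_tag == 0x64:                  # SearchResultEntry: DN, attribute list
            for _, pair in children(children(op)[1][1]):
                (_, name), (_, vals) = children(pair)[:2]
                attrs[name.decode()] = [v.decode("utf-8", "replace")
                                        for _, v in children(vals)]
        elif op_tag == 0x65:                # SearchResultDone: resultCode comes first
            result = int.from_bytes(children(op)[0][1], "big")
    return attrs, result

def probe(host, port, timeout=5.0):
    """Ask host:port for its rootDSE without binding; return (attrs, resultCode)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(rootdse_request())
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("closed before SearchResultDone")
            data += chunk
            try:
                attrs, result = parse_messages(data)
            except (ValueError, IndexError):
                continue                    # reply still incomplete, keep reading
            if result is not None:
                return attrs, result

def sample_response():
    """Constructed reply (not captured from a server): one entry, then success."""
    vals = tlv(0x31, tlv(0x04, b"2") + tlv(0x04, b"3"))
    attr = tlv(0x30, tlv(0x04, b"supportedLDAPVersion") + vals)
    entry = tlv(0x64, tlv(0x04, b"") + tlv(0x30, attr))
    done = tlv(0x65, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b""))
    msg_id = tlv(0x02, b"\x01")
    return tlv(0x30, msg_id + entry) + tlv(0x30, msg_id + done)

if __name__ == "__main__":
    print(parse_messages(sample_response()))     # offline: decode constructed bytes
    for port in THREAD_PORTS if len(sys.argv) > 1 else ():   # live: pass a host
        try:
            print(port, probe(sys.argv[1], port))
        except OSError as exc:
            print(port, "no LDAP answer:", exc)
```

Run with a host name, it queries 389 and 38900 in turn; the thread does not say which attributes each directory returns, so compare the two outputs rather than expecting particular names.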
[ActiveDir] Outlook Contacts Problem
We recently had an Exchange server failure and mailboxes had to be restored from backup. Now some users are having problems with their contacts. When they click ‘To’ in a message and select ‘Contacts’, the list is empty. However, the contacts are present in the ‘Contacts’ folder in the users’ mailboxes. I went to the properties of the Contacts folder and selected “Show this folder as an address book” and restarted Outlook, but the problem persists. I also removed and recreated the Outlook profile, with no success. We are using Outlook 2000. I would appreciate any suggestions. _ Daniel DeStefano
[ActiveDir] Permissions Problem
I am trying to set permissions to a folder and all subfolders/files that allow a group to read/execute and write but not delete. I have assigned the permissions appropriately for the group (read/execute, list folder contents, read, write) to the parent folder and reset all subfolders/files. The users are supposed to open a template excel file, edit it and save it as a different file name into a subfolder in this folder tree. The problem is that when they try to save the file as, they receive an error stating that the folder is read-only. They can create a subfolder and save the file in there, but this is not acceptable. Is what I propose possible or does this group simply need modify permissions to the folder tree? Thanks in advance, Daniel DeStefano
RE: [ActiveDir] Do you make your users local admins on their PCs?
It is a very poor idea to allow users local admin privileges on their machine. First of all, it is a security vulnerability and makes it much easier for a machine to be compromised by malware. Also, denying admin privileges will help mitigate most Windows vulnerabilities as most of them run in the security context of the locally logged-on user. Another plus is that it allows you to more easily control locally-saved data: if users are only allowed to save data to one or two folder trees, then those are all you have to worry about backing up when you need to move the user. I think it is a poor idea to allow users to install software on their machines. You should control all the software on all machines; this way all the PCs can be kept in a known state, which makes troubleshooting problems much easier. Not to mention the fact that many programs that users tend to download/install will cause increased network traffic and network vulnerability; and these days many freeware programs will also install malware. _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail. From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] Sent: Thursday, June 30, 2005 8:35 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Do you make your users local admins on their PCs? We're having a big discussion about users being local administrators on their PCs. 
We've made them local admins in the past (on NT4 domain) because they needed to be able to install apps, and we kept running into issues that led back to them not having local admin rights. Is there an easy way now that we're on a Win2k3 AD domain to take admin rights away but still ensure things work correctly? What's the general consensus, do most of you give your users local admin rights? ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
[ActiveDir] Automate Adding Environment Variables
Is there a way to have a user specify an environment variable at first logon? We have a program that needs to send mail to an e-mail address and this has to be specific to each user. This server (a terminal server) will likely contain 200+ user accounts and doing this manually would be undesirable. Ideally, I would like it if the first time a user logs onto the server, they are prompted to enter their e-mail address and hit enter, and this will set a user variable that points to this e-mail address (something like [EMAIL PROTECTED]). I was thinking it would be best if this can be done with a simple DOS batch file that can be set to run at first user logon, probably by adding it to the "Runonce" key in the user's registry hive (unless there is a better way). We do not want this to execute every time the user logs onto the terminal server. I would greatly appreciate any help, Dan DeStefano
RE: [ActiveDir] Open Another User's Registry File
Thank you for your help _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television From: Robinson, Chuck [mailto:[EMAIL PROTECTED] Sent: Monday, June 27, 2005 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Open Another User's Registry File Open Regedit, set your focus to HKLM, use Load Hive from the File Menu. Be sure to unload the hive when you are done. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Monday, June 27, 2005 9:49 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Open Another User's Registry File Is it possible to open another user’s ntuser.dat file for editing? I would like to be able to edit some per-user settings for specific users, but when I try to open it using regedit or regedt32, I am asked if I want to add the information in the file to the registry, which I do not want to do. This is on a Windows 2000 Server machine. I appreciate any help, _ Daniel DeStefano
RE: [ActiveDir] Logon server bad discovery
Thanks a lot, I appreciate it. _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television From: Lev Zdenek [mailto:[EMAIL PROTECTED] Sent: Monday, June 27, 2005 9:59 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Logon server bad discovery Hello, I have the following problem. I have a network with only W2K3 SP1 domain controllers in several sites (uhnete). Subnet, site, and site links are configured. There are DNS and GC in each site. My clients are XP SP2. When I tested my logon server through set „l=logon server“ I discovered that my logon server is from another site than the one the client resides in (belongs to). DC, DNS and replication function correctly. I discovered that the clients after logon belong to an incorrect site (nltest /dsgetsite). The site which a client belongs to changes randomly. When I set the parameter "DynamicSiteName" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" to the correct site, everything functions correctly. I would like to get more information on how the logon process discovers the right site and the right domain controller. I found some information on MSDN about DsGetDcName, but this information is incomplete. http://support.microsoft.com/default.aspx?scid=kb;en-us;314861 Does anybody have a solution for this? THX Zdenek
[ActiveDir] Open Another User's Registry File
Is it possible to open another user’s ntuser.dat file for editing? I would like to be able to edit some per-user settings for specific users, but when I try to open it using regedit or regedt32, I am asked if I want to add the information in the file to the registry, which I do not want to do. This is on a Windows 2000 Server machine. I appreciate any help, _ Daniel DeStefano
[ActiveDir] Remove View Menu From Explorer
In Windows 2000, is it possible to remove or disable the “View” menu from Windows Explorer and Internet Explorer 6? If not, then is it possible to remove or disable the “Explorer Bar” submenu? It would also be OK to be able to just remove all text menus (Edit, View, Go, etc). We are locking down a kiosk machine and want the clients to be able to see one folder only and not be able to navigate to others. The problem is that if we just remove access from the parent folder, a certain program we are using does not work properly, plus, even though the user account is given ‘modify’ permissions to their folder and no permissions to the parent folder, the shortcut used to open their folder does not work. I appreciate any help on this issue, _ Daniel DeStefano
RE: [ActiveDir] Lock down server not in a domain using GPO
Where do you set permissions on a local policy? _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 21, 2005 8:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Lock down server not in a domain using GPO You can set the policy permissions to allow the local administrator account to read but not apply the policy. Or, you can do what we do and create a special local account for policy administration and set that special account to read and not apply the policy. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, June 21, 2005 8:12 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Lock down server not in a domain using GPO We have a terminal server we would like to use for clients to access some of our data that they need and this server should be locked-down so the clients can only do what they need. The problem is that management would rather this server not be a member of our domain so we cannot use AD GPOs to lock the server down. I looked into using local policies to lock down the machine, but found out that they would also affect the administrator account unless that group/account is denied ‘read’ permissions to the “..\system32\grouppolicy” folder.
However, would this not deny editing of the policies in the folder as well. It has been suggested that we create a new AD domain solely for use with this terminal server. Is this a good idea? I tend to think this is too much solution. Can anyone make any suggestions on the best way to accomplish our goals? Thank you in advance, _ Daniel DeStefano PC Support Specialist
[ActiveDir] Lock down server not in a domain using GPO
We have a terminal server we would like to use for clients to access some of our data that they need and this server should be locked-down so the clients can only do what they need. The problem is that management would rather this server not be a member of our domain so we cannot use AD GPOs to lock the server down. I looked into using local policies to lock down the machine, but found out that they would also affect the administrator account unless that group/account is denied ‘read’ permissions to the “..\system32\grouppolicy” folder. However, would this not deny editing of the policies in the folder as well. It has been suggested that we create a new AD domain solely for use with this terminal server. Is this a good idea? I tend to think this is too much solution. Can anyone make any suggestions on the best way to accomplish our goals? Thank you in advance, _ Daniel DeStefano PC Support Specialist
RE: [ActiveDir] Secure DHCP
I thought about that, but I think it would quickly become cumbersome to manage. Kind of defeats most of the purpose of DHCP. Dan -Original Message- From: Cace, Andrew [mailto:[EMAIL PROTECTED] Sent: Monday, May 16, 2005 10:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Secure DHCP This would require some effort to configure and maintain, but what about using DHCP reservations? This will accomplish the goal of only allowing approved PC's on your network. -Andrew -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Monday, May 16, 2005 9:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Secure DHCP At the lower layers of the OSI stack, the only way I'm aware of to block computers from getting an IP address is to use port-based authentication if your network hardware supports it. As Al mentioned, quarantine networks are becoming a more realistic solution, but don't address the basics of DHCP. Using IPSec to ensure only trusted computers can get access to resources is a decent solution as well; the rogue PC can get an address, but cannot connect to anything except perhaps the internet. Not simple to set up, though... Hmmm. Maybe we can develop a power over ethernet solution. Run 220V AC through the ethernet cables and put a high-pass filter on the legit machines. Then, if someone plugs a rogue laptop into the network, the laptop gets a little hot... :-) ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano > Sent: Monday, May 16, 2005 7:00 AM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] Secure DHCP > > I am wondering if there is any way to secure DHCP from assigning > leases to PCs that are not authorized on the domain. I imagine that > this is not possible since, in order to authenticate, a PC needs an IP > address. 
> > The problem is that the other day we had a rogue PC plug into our > network and, though probably coincidental, our browse list was messed > up afterwards. So I have been tasked with finding out if there is a > way to prevent unauthorized PCs from obtaining IP leases on our > network (other than disabling all jacks not in use, which is what we > will be doing). If not, does anyone have any suggestions on how to > prevent the above situation in the future? > > Daniel DeStefano > PC Support Specialist > IAG Research > 345 Park Avenue South, 12th Floor > New York, NY 10010 > T. 212.871.5262 > F. 212.871.5300 > www.iagr.net <http://www.iagr.net/> > Measuring Ad Effectiveness on Television List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Secure DHCP
I am wondering if there is any way to secure DHCP from assigning leases to PCs that are not authorized on the domain. I imagine that this is not possible since, in order to authenticate, a PC needs an IP address. The problem is that the other day we had a rogue PC plug into our network and, though probably coincidental, our browse list was messed up afterwards. So I have been tasked with finding out if there is a way to prevent unauthorized PCs from obtaining IP leases on our network (other than disabling all jacks not in use, which is what we will be doing). If not, does anyone have any suggestions on how to prevent the above situation in the future? _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
RE: [ActiveDir] DNS vs. Hosts File
Well, he said that he wanted it on domain controllers so that if DNS goes down that people can still log on. But that is not the case, right? People can logon to a DC in AD as long as that DC can query a GC, right? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Thursday, May 05, 2005 4:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS vs. Hosts File Did you ask him if you could have the host file on his machine… that he MUST be using to browse the web with? DNS untrustworthy vs host file… bahaha From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Thursday, May 05, 2005 4:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS vs. Hosts File Recently, one of my colleagues and I got into a discussion about DNS vs. hosts files in AD. He has configured the hosts file on all of our domain controllers (Windows 2000 AD in native mode) to point to other DCs. One of our DCs was moved to another site and the hosts file on a DC was not changed to point to the moved DC on its new subnet – this obviously resulted in NTFRS errors. Anyway, after this I got into a discussion with my boss about the need of the hosts file in AD. It is my position that the hosts file is no longer necessary and should not really be used in AD and is only included for backward-compatibility, testing and for certain special instances. It is his position that DNS is untrustworthy and that the hosts file should be configured as a backup in case DNS goes down. My response to this was twofold – 1. the hosts file is queried before DNS so it is not really a backup, it is a primary method of name-resolution, plus, it does not support SRV records; 2. DNS is the foundation of AD and if it goes down, AD will not work correctly anyway. Plus, that is the reason for secondary DNS servers, of which we have several. 
Could anyone point to any documentation that discusses the role of the hosts file in AD and also include your own opinions and comments. _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
[ActiveDir] DNS vs. Hosts File
Recently, one of my colleagues and I got into a discussion about DNS vs. hosts files in AD. He has configured the hosts file on all of our domain controllers (Windows 2000 AD in native mode) to point to other DCs. One of our DCs was moved to another site and the hosts file on a DC was not changed to point to the moved DC on its new subnet – this obviously resulted in NTFRS errors. Anyway, after this I got into a discussion with my boss about the need of the hosts file in AD. It is my position that the hosts file is no longer necessary and should not really be used in AD and is only included for backward-compatibility, testing and for certain special instances. It is his position that DNS is untrustworthy and that the hosts file should be configured as a backup in case DNS goes down. My response to this was twofold – 1. the hosts file is queried before DNS so it is not really a backup, it is a primary method of name-resolution, plus, it does not support SRV records; 2. DNS is the foundation of AD and if it goes down, AD will not work correctly anyway. Plus, that is the reason for secondary DNS servers, of which we have several. Could anyone point to any documentation that discusses the role of the hosts file in AD and also include your own opinions and comments. _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
[ActiveDir] File Share Access
I am sorry about re-posting this question, but we lost some e-mail here at my company and I would have missed any responses to the original post. I am having a problem with accessing a share on a server. The problem is that when I am logged onto a PC with a local administrator account and I connect to a share on a certain server, the contents of the share are displayed without me being prompted for a username/password to make the connection. The problem is that since permissions are set on these files/folders, I cannot access any of them when logged on with the local admin account. When connecting to other server shares, I am prompted for a username/pass, which I enter and am subsequently able to access shares. I have looked into various settings on the server, most notably the anonymous enumeration of shares, but nothing helps. This share I am speaking of is a share cluster resource, but I am not sure if this would have anything to do with it. Also, the everyone group is not in the share or ntfs permissions anywhere. I would appreciate any help provided. Thanks in advance, _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
[ActiveDir] File Share Access
I am having a problem with accessing a share on a server. The problem is that when I am logged onto a PC with a local administrator account and I connect to a share on a certain server, the contents of the share are displayed without me being prompted for a username/password to make the connection. The problem is that since permissions are set on these files/folders, I cannot access any of them when logged on with the local admin account. When connecting to other server shares, I am prompted for a username/pass, which I enter and am subsequently able to access shares. I have looked into various settings on the server, most notably the anonymous enumeration of shares, but nothing helps. This share I am speaking of is a share cluster resource, but I am not sure if this would have anything to do with it. Also, the everyone group is not in the share or ntfs permissions anywhere. I would appreciate any help provided. Thanks in advance, _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
RE: [ActiveDir] Kerberos authentication and 2003 /2000
Have you tried running netdiag /fix? Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Friday, April 22, 2005 9:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Kerberos authentication and 2003 /2000 Domain running 2000 native mode. DC are 2000. Have member servers with 2003. when I run netdiag I see that Kerberos authentication failed. Should I be concerned or is something wrong on either the member server or the Domain controllers. Jeff
RE: [ActiveDir] All Folders Read Only
That is the way it is supposed to be - all folders usually have the 'read only' attribute enabled. I think even if you disable the attribute, it will enable again automatically. Access to the folders is set by the NTFS permissions. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike O'Sullivan Sent: Friday, April 15, 2005 3:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] All Folders Read Only We have a computer running Windows XP SP2 that all folders are listed as read only. I know that the read only attribute is typically ignored on folders, but the user is no longer able to save any files to the computer. We have followed the steps in KB326549 with no luck. Has anyone else run into this problem that might have a possible work around. Any suggestions would be much appreciated Thanks Mike Michael O'Sullivan Information Technology Specialist College of Veterinary Medicine University of Florida 352.392.4700x4343 352.392.7259 (fax) [EMAIL PROTECTED]
RE: [ActiveDir] OT: Clustered Printers
I just wanted to update this post. I have resolved the issue. It turns out that it was a permissions problem on the spool directory on the cluster. This was determined by the audit logs. Once I gave full control permissions to Domain Computers and Local System everything worked fine. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Monday, April 11, 2005 5:52 PM To: activedir@mail.activedir.org Subject: [ActiveDir] OT: Clustered Printers I am trying to get printing working on a w2k cluster. I have done the following: 1. Installed all printer drivers on both nodes of the cluster (active/passive). 2. Set up a print spooler resource and pointed it to a folder on the shared disk array that has domain users - modify permissions and brought the print spooler online. 3. Browsed to the cluster virtual server through network places and used the "add printer" applet to set up the printers. Made sure domain users had "print" permissions on all printers. I can now connect to the clustered printers and set them up on a workstation (xppro). However, when I try to print a test page, I immediately get the "document failed to print...) error. But there are no errors in the event logs, just the warning saying the printer driver was installed. I read a kb article that said the w2k cluster service was not ad-aware and that you need to add the everyone group to the "pre-windows 2000..." Group. I have done this but the problem persists. Am I doing something wrong? Do more permissions need to be added somewhere? I would appreciate any help. Dan DeStefano _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
[ActiveDir] OT: Clustered Printers
I am trying to get printing working on a w2k cluster. I have done the following: 1. Installed all printer drivers on both nodes of the cluster (active/passive). 2. Set up a print spooler resource and pointed it to a folder on the shared disk array that has domain users - modify permissions and brought the print spooler online. 3. Browsed to the cluster virtual server through network places and used the "add printer" applet to set up the printers. Made sure domain users had "print" permissions on all printers. I can now connect to the clustered printers and set them up on a workstation (xppro). However, when I try to print a test page, I immediately get the "document failed to print...) error. But there are no errors in the event logs, just the warning saying the printer driver was installed. I read a kb article that said the w2k cluster service was not ad-aware and that you need to add the everyone group to the "pre-windows 2000..." Group. I have done this but the problem persists. Am I doing something wrong? Do more permissions need to be added somewhere? I would appreciate any help. Dan DeStefano _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
RE: [ActiveDir] Clustering Question
So then I can just add an additional network name resource to the current cluster group? Is there any way to hide the shares from users when accessing the cluster through the new network name? I just don’t want any confusion with the users. Dan From: Brian Desmond [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, April 08, 2005 3:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Clustering Question No, you can't do this. The disk resource has to be in one group so that it fails over with that group. Why don't you just add the spooler service to the existing file print group if you only have one lun available? You can add an additional virtual name as well so users don't notice the changeover. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 c - 312.731.3132 From: [EMAIL PROTECTED] on behalf of Dan DeStefano Sent: Fri 4/8/2005 1:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Clustering Question I am a relative novice when it comes to clustering so please forgive me. Is it possible to have two different cluster groups use the same disk resource? We currently have a cluster group that is handling file shares and want to add to it a print spooler as our current print server is on the edge of failure. However, we would like to keep the same network name so that the switch will be transparent to users. So would the following configuration work: cluster group 1: network name – “file” disk resource – “z” file share – “share” master node – node1 standby node – node2 active/passive cluster group 2: network name – “print” disk resource – “z” spooler – “spooler1” master node – node2 standby node – node1 active/passive will this configuration work? What about if the same node was made master for both groups? _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 
212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
[ActiveDir] Clustering Question
I am a relative novice when it comes to clustering so please forgive me. Is it possible to have two different cluster groups use the same disk resource? We currently have a cluster group that is handling file shares and want to add to it a print spooler as our current print server is on the edge of failure. However, we would like to keep the same network name so that the switch will be transparent to users. So would the following configuration work: cluster group 1: network name – “file” disk resource – “z” file share – “share” master node – node1 standby node – node2 active/passive cluster group 2: network name – “print” disk resource – “z” spooler – “spooler1” master node – node2 standby node – node1 active/passive will this configuration work? What about if the same node was made master for both groups? _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
[ActiveDir] Exchange CALs
I was told by a colleague that he heard that each Exchange CAL includes a license for Outlook. Is this true? _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
[ActiveDir] Exchange 2000
I need to find out how many mailboxes are on particular Exchange 2000 servers for auditing purposes. What is the quickest way to do this? _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
RE: [ActiveDir] time sync script
You shouldn't need to do this. Once a client is joined to a domain, it should automatically sync its clock with the "closest" DC in the site. This is done via the Windows Time Service (w32time.exe) and its functionality is controlled via the "w32tm.exe" command. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Tuesday, April 05, 2005 2:20 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] time sync script Anybody have a script that can check the time on client machines and auto sync them with the Domain Controller? Thanks, -- Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System Specialist Eastern Washington University
RE: [ActiveDir] Domain Groups / users in lab
All you want is that certain teachers should not have the same GPO applied as the labs? You should be able to do this in several different ways. Are you saying that you do not want the default domain GPO to apply to these teachers? If so then you may want to think about restructuring your GPOs so that any lab policies are not applied at the domain level, but rather to the specific lab OUs themselves. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Friday, March 18, 2005 2:12 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain Groups / users in lab Hi, I run a domain in a University environment. I currently have 1 domain with all accounts in it: students, faculty, and staff. We have computer labs that any users (students, fac/staff) can use. These computers do not offer roaming profiles and we allow accounts local administrative access. Each lab has its own profile that is specific to their lab and not the user. What I would also like to do is allow faculty/staff members to use the domain for their personal workstations but I don’t want them to have the same GPO as they would have if they were using a computer lab. Do I need to set up a separate domain? Or a child domain? Or is it possible for user OU’s to apply to computer groups rather than applying them on the User OU? Current domain structure example mydomain.edu mycomputers lab1 lab2 human resources Information Technology people employees students Thanks, -- Matt Brown [ SELECT * FROM computers WHERE OS > MS ] Information Technology System Specialist Eastern Washington University
RE: [ActiveDir] Roaming Profiles
Sorry, I should mention that the servers are all W2k and the clients are mostly WXPP (the others are W2k).
[ActiveDir] Roaming Profiles
I have a question about roaming profiles: Is there a way to restrict the size of a profile? I could probably create a new partition on a file server just for the roaming profiles and then enable quotas, but I am looking for a more elegant solution. I vaguely remember some way of limiting profile size through GPO or something, but I can’t seem to remember how.

Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.
RE: [ActiveDir] XP Srv Pk 2
Yes, I have done this.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, March 15, 2005 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] XP Srv Pk 2

Anyone successfully pushed XP Service Pack 2 via GPO to XP clients from a W2K AD?

Thank you,
Z.V.
RE: [ActiveDir] WINS
Did you just remove WINS or did you also disable NetBIOS on your network? Isn’t it the case that as long as NetBIOS is enabled and being used on your network that you should also be using WINS as this will greatly reduce broadcasts and improve name-resolution, especially across subnets? From what I understand, the only reason to remove WINS is if you are also going to disable NetBIOS on your network.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Van Noy, Glen
Sent: Sunday, March 06, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WINS

Okay, I will look into it also. We removed WINS from our forest about a year ago and have seen no ill effects. We are not real big, 2000 exchange accounts and 25000 users, but everything seems to be running fine without it. Over the next few months, we are going to add student accounts to Exchange, so we will end up with quite a few more accounts. If I find out anything I will post it.

Thanks,
glen
The University of Texas at Dallas

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Mezzone
Sent: Sunday, March 06, 2005 1:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WINS

I'll look when I get home. I remember reading about it a year ago and was bummed out. I thought I could rid myself of wins. I did run Exchange without wins for a while but added it being MS recommends it. Only thing is it didn't give a reason why. Just said it was needed. It may not be the deployment guide, it's in one of the three recommended reading documents, deployment, admin guide and I forget the name of the other doc (planning an exchange environment?)

Robert

-----Original Message-----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Sun Mar 06 13:27:42 2005
Subject: RE: [ActiveDir] WINS

Just curious, where in the deployment guide does it say that Exchange 2003 needs WINS? We are running a clustered Exchange 2003 setup and we don't have WINS configured on our domain.

glen
[EMAIL PROTECTED]
The University of Texas at Dallas

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Mezzone
Sent: Sunday, March 06, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WINS

Unfortunately it does. I thought it didn't until I read the deployment guide. Recently upgraded for 5.5.

Robert

-----Original Message-----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Sun Mar 06 12:55:30 2005
Subject: [ActiveDir] WINS

Is WINS still needed for exchange 2003? Some have said outlook still needs WINS.
RE: [ActiveDir] Exchange Routing
I would like to install an smtp server in the colo, but we do not have any spare servers and the other servers at the colo are mission-critical, so we really don’t want to mess with them.

I thank everyone for all the help,
Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 02, 2005 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Routing

OK, so if you have a GC/DC in the same location, then you are good to go. Just ensure that the Exchange server is using this GC/DC for its operations. Bring down your TTL beforehand. Also do the MX switch maybe 2 days before the power outage to verify the colo Exchange is happy and that it is indeed receiving and routing.

If I were you, though, I’d take the easy way out and do what has been suggested several times here – let a plain vanilla SMTP server do the storing for you during this outage.

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Routing

The colo site has a DC that is a GC. And once we move the mail server to the colo, we will re-register its DNS records and clear internal DNS server caches. This will be done 3-days in advance, so hopefully all client resolver caches should have timed out by then, right? But anyway, all we are concerned with is the server’s ability to receive mail from the outside, since most of our workstations are located in the building that will have the power outage.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 01, 2005 5:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Routing

Yes and no. The problem is moving an Exchange server along with the supporting requirements such as DC/GC/DNS/(AD in general). Outside of that, it would probably work with those gotchas and the DNS TTL issues to contend with. It's just that it's simpler to prop up a simple MTA that will just queue the mail until your Exchange servers come back online to take delivery. W2K server would work just fine (note: make the timeout of delivery longer than the default to account for your outage).

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Routing

The thing is that the server we are planning to move is currently idle, for all intents and purposes, but Exchange is installed and working on it. Plus, the server uses a private IP and has a NAT mapping to a public IP. So shouldn’t we just have to change the NAT mapping and add the MX record to our public zone file; then, for internal, just re-register the DNS records with the new IP? I did not mention this in my previous message, but we are not concerned with users being able to access their e-mail during this outage, we would just like to make sure the mail sent during this time period is eventually delivered. To deliver these few requirements, will the plan work? Also, we do not have any W2k3 servers.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 01, 2005 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Routing

Is cutting off your arm a way to get rid of a hangnail? Sure, but it's overmuch. Doing what you want, properly, is pretty involved - you've gotta get DNS, GC, AD, Exchange, etc. all happy at the remote location - not just SMTP.

Just stick a standalone W2K3 server with the SMTP service installed at the remote location if you REALLY want to put a server somewhere else. Or pay some service provider to do your secondary MX/store-and-forward for you. Worst case, you're looking at less than $100 for a month's service.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 3:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Routing

I am not sure about that with our ISP. But will the procedures I suggested work?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 01, 2005 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Routing

You don't need to move an Exchange server you just need to have some company act as a secondary MX (store and forward mail services) for the domain of interest. PROBABLY your bandwidth provider will do this for you, for free.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 2:27 PM
To: A
RE: [ActiveDir] Exchange Routing
The colo site has a DC that is a GC. And once we move the mail server to the colo, we will re-register its DNS records and clear internal DNS server caches. This will be done 3-days in advance, so hopefully all client resolver caches should have timed out by then, right? But anyway, all we are concerned with is the server’s ability to receive mail from the outside, since most of our workstations are located in the building that will have the power outage.

Dan
RE: [ActiveDir] Exchange Routing
The thing is that the server we are planning to move is currently idle, for all intents and purposes, but Exchange is installed and working on it. Plus, the server uses a private IP and has a NAT mapping to a public IP. So shouldn’t we just have to change the NAT mapping and add the MX record to our public zone file; then, for internal, just re-register the DNS records with the new IP? I did not mention this in my previous message, but we are not concerned with users being able to access their e-mail during this outage, we would just like to make sure the mail sent during this time period is eventually delivered. To deliver these few requirements, will the plan work? Also, we do not have any W2k3 servers.

Dan
RE: [ActiveDir] Exchange Routing
I am not sure about that with our ISP. But will the procedures I suggested work?

Dan
[ActiveDir] Exchange Routing
I have a question about Exchange routing. We have 2 Exchange 2000 servers at our main site, one that holds all the mailboxes and the other currently holds just a few mailboxes that aren’t being used, but the server is up and working. Both servers are in the same routing and administrative groups. Both servers are in the data center of our main site.

The problem is that this weekend, the power will be turned off in our building and our network will be unavailable as will user’s mailboxes. We currently have no offsite data replication or Exchange DR strategy (though it’s not for lack of trying/nagging by our department to upper management).

So, as a temporary solution, our current plan is to move the second Ex server to one of our colo sites and add a lower-priority MX record for it to our public DNS zone. The thinking is that messages sent to our domain will be sent to the second server at the colo, and this server will cache all the messages until the main server is back up and mail can be delivered to it. And, since the mail was received, no senders should receive NDRs. Then, on Monday, when the power is back, all messages will be delivered to the main server.

Is this plan going to work? If so, how long will the messages be cached by the second server? How many messages will it cache (until it fills the drive)? Are these options configurable? Does anyone see any gotchas or things to consider?

Thank you very much. I am a novice when it comes to Exchange, but trying to change that by studying my MSPress 70-284 text. Besides, I usually do not like to make any major changes to our mail/AD infrastructure without consulting you guys first.

Daniel DeStefano
[ActiveDir] Exchange 2000 and Disabled User Accounts
Is there any way to prevent Exchange from sending NDRs when someone sends a message to a disabled user? The problem is that I am usually given at least a week’s notice to new users and would like to create the new user account in advance so that the morning the user starts I just have to enable the account. If I do this, though, anyone sending a message to any DG to which the user belongs, the sender receives an NDR and subsequently makes a support call.

If there is no way to suppress this behavior, then does anyone have any suggestions? Do I just wait until the morning the user starts before creating the user account? Create the account in advance with a strong, random password?

Thanks in advance,
Daniel DeStefano
PC Support Specialist
IAG Research
RE: [ActiveDir] GPO Software Deployment
I have it set in SSC to retrieve product updates using Live Update, so I assume this would patch all machines to the latest version.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Wednesday, February 23, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Hello Dan,

Only one piece of advice for you: Make sure you patch the .msi with the latest .msp provided by Symantec (I think it's 9.00.1400). For some odd reason you can't update the clients through a GPO using the provided .msp once the client has had the SAV .msi package installed.

Good luck,
Francis Ouellet
RE: [ActiveDir] GPO Software Deployment
I never realized that the msi file in the vphome share would properly configure the client in managed mode and to the proper parent server. Now that I think about it, however, it makes perfect sense. I piloted out the deployment using that package and it worked flawlessly.

Thanks,
Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, February 23, 2005 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

I believe 9.0.0.338 is the first version of SAV that supports GPO deployment. I haven’t seen a transform creator per se, but the Symantec System Center allows you to configure most options. These settings are stored in GRC.dat on \\ParentServer\VPHOME\CLT-INST\WIN32 along with the MSI needed for GPO deployment. Are there other settings you’re hoping to tweak besides those configured in SSC? If not, you just create a new GPO with an assigned computer application with the source being \\ParentServer\VPHOME\CLT-INST\WIN32\Symantec Antivirus.msi

One caveat, there will be problems removing the application if a password is required to uninstall since it will hang waiting for it, but since it will be invisible to the user, there will be no way to enter it. This results in a lengthy timeout. Not sure how this will affect clients that may have an earlier version installed, but again you can remove the password requirement through SSC.
[ActiveDir] GPO Software Deployment
I would like to deploy a package (SAV 9.0) using GPO and use some of the switches with the msi package. However, I cannot figure out how to do this. Is it even possible or do I have to create a new package with all of the options embedded?

Daniel DeStefano
PC Support Specialist
IAG Research
RE: [ActiveDir] Using GPO to install an MSI package
Are they willing to let you know what user rights are required? I have found that applications that "require" admin or PU privileges can usually be run if appropriate permissions are given to select registry entries, directories, system files, etc and user rights. I have even run across a program that claimed to need admin privileges, but all it needed was modify permissions to the %systemroot%\temp directory. Maybe you can speak to a high-level tech and ask exactly why these privileges are required and from there you can extrapolate what rights and permissions are required.

Then there are some apps that simply won't work. This is one of my biggest pet peeves - lazy coding that does not properly adhere to the Windows security model. I can think of no reason why an Accounting application needs PU privileges and usually you cannot get any good reason from the company itself.

Anyway, good luck, and if you can figure it out, please post it or e-mail me directly at [EMAIL PROTECTED], as I also have a couple of users using Quickbooks and would like them not to have PU or admin privileges.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Tuesday, February 15, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using GPO to install an MSI package

Okay, our environment is that all our clients are running Windows XP SP2, and our servers are Windows 2003. The situation is that our Accounting department uses Quickbooks, and about 70 of our employees need to use an application that comes with Quickbooks called "QB Timer". It's free for use for our employees and it integrates with Quickbooks without requiring a Quickbooks install on each machine.

Now, the quandary: according to Intuit/Quickbooks, the program requires at least Power User permissions to install and run. Neither I, nor our CIO are willing to give local Power User permissions for these users, as that opens things up to too many potential problems, but our CFO and COO are REQUIRING the use of this application, or a similar one that integrates with Quickbooks.

Now, the QBTimer is free, which is good, so that's the *preferred* app to use. It comes as an exe with a few other files, so I used WinInstall LE 2003 on a clean XP SP2 machine to package it into an MSI file. That worked well, and I can install it/assign it through GPO - even if the user doesn't have local Power User privs. However, true to form with Intuit products, it won't run if the logged on user doesn't have local admin or PU privs. If I grant PU privs to the user, it runs fine.

I feel like I am --> <-- this close to getting this done, but I ran out of ideas to get this to work. I tried looking at the reg file that was made when I ran WinInstall and gave the users full rights to the specific areas in the registry to see if that did anything; which it didn't.

Does anyone else have any suggestions, or am I stuck with Intuit's "users must have >= Power User privs" to run that app? ANY help or suggestions are GREATLY appreciated!

--Jason
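The approach described in the reply above, granting permissions on the specific registry entries and directories an application touches instead of Power Users membership, can be worked from a trace of denied accesses recorded while the program runs as a standard user. The following is an added example, not code from the thread or from Intuit; the CSV column names, the process name qbtimer.exe, the ExampleVendor paths and the review list are constructed assumptions.

```python
import csv
import io
from collections import namedtuple

# Constructed sample trace (not output of a real tool): one row per file or
# registry access made while the application ran under a standard user account.
SAMPLE_TRACE = r"""process,operation,path,result,access
qbtimer.exe,RegOpenKey,HKLM\SOFTWARE\ExampleVendor\Timer,SUCCESS,read
qbtimer.exe,RegSetValue,HKLM\SOFTWARE\ExampleVendor\Timer\Settings,ACCESS DENIED,write
qbtimer.exe,RegCreateKey,HKLM\SOFTWARE\ExampleVendor\Timer\Settings\Recent,ACCESS DENIED,write
qbtimer.exe,CreateFile,C:\WINDOWS\Temp\qbt0001.tmp,ACCESS DENIED,write
qbtimer.exe,CreateFile,C:\WINDOWS\Temp\qbt0002.tmp,ACCESS DENIED,write
qbtimer.exe,CreateFile,C:\Documents and Settings\All Users\Application Data\ExampleVendor\timer.dat,ACCESS DENIED,write
qbtimer.exe,CreateFile,C:\WINDOWS\system32\example.dll,ACCESS DENIED,write
explorer.exe,CreateFile,C:\WINDOWS\Temp\other.tmp,ACCESS DENIED,write
"""

# Assumed review list: locations holding code or settings that other accounts
# and services load. A denied write here is a finding to raise with the vendor,
# not a permission to hand out.
REVIEW_PREFIXES = (
    r"C:\WINDOWS\system32",
    r"C:\Program Files",
    r"HKLM\SYSTEM",
    r"HKLM\SOFTWARE\Classes",
    r"HKLM\SOFTWARE\Microsoft",
)

# kind: "registry" or "directory"; right: "read" or "write"; review: bool
Grant = namedtuple("Grant", "kind right review")


def _parent(path):
    """Return the containing key or directory of a backslash-separated path."""
    return path.rpartition("\\")[0]


def _needs_review(target):
    """True when the target is one of the review locations or lies below one."""
    lowered = target.lower()
    return any(
        lowered == prefix.lower() or lowered.startswith(prefix.lower() + "\\")
        for prefix in REVIEW_PREFIXES
    )


def grant_target(operation, path):
    """Map one denied operation to the object whose ACL would have to change.

    Creating a subkey needs a right on the parent key, and creating a file
    needs a right on its directory; setting a value needs it on the key itself.
    """
    if operation.startswith("Reg"):
        target = _parent(path) if operation == "RegCreateKey" else path
        return "registry", target
    return "directory", _parent(path)


def plan_grants(trace_text, process):
    """Collapse the denied accesses of one process into a minimal grant plan."""
    plan = {}
    for row in csv.DictReader(io.StringIO(trace_text)):
        if row["process"].lower() != process.lower():
            continue
        if row["result"].strip().upper() != "ACCESS DENIED":
            continue
        kind, target = grant_target(row["operation"], row["path"])
        previous = plan.get(target)
        wants_write = row["access"] == "write" or bool(
            previous and previous.right == "write"
        )
        plan[target] = Grant(
            kind, "write" if wants_write else "read", _needs_review(target)
        )
    return plan


if __name__ == "__main__":
    for target, grant in sorted(plan_grants(SAMPLE_TRACE, "qbtimer.exe").items()):
        flag = "REVIEW, do not grant blindly" if grant.review else "candidate grant"
        print(f"{grant.kind:9} {grant.right:5} {target}  [{flag}]")
```

Each target that is not flagged is a candidate for an ACL entry given to a dedicated group for the application's users; flagged targets are the cases where the application may simply not fit a standard-user model.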
RE: [ActiveDir] Automate Computer Name Changes
I would prefer not to use RIS as there are a lot of customizations that I make to the OS, many of which cannot be done with unattended installation via RIS (or, at least I do not know of any way). Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell Sent: Monday, February 14, 2005 3:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Automate Computer Name Changes Is it safe to assume that RIS is not an option? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Monday, February 14, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Automate Computer Name Changes Dan- You can certainly script this with netdom. If you want to use sysprep, you could set the company name to be that dny01pd, and then sysprep will populate the rest with random crap. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 From: [EMAIL PROTECTED] on behalf of Dan DeStefano Sent: Mon 2/14/2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Automate Computer Name Changes I have not been able to find a way to sufficiently solve the following problem: automatically changing computer names after imaging. I would like to reassign computer names based on a company naming convention plus variable. So a computer name would be something like “dny01pd***”, with the asterisks representing an automatically assigned number. As far as I know, Sysprep does not allow this; it will only allow you to assign a random name, which is not acceptable. I am not using unattended installations so I cannot use .udb files to assign computer names. I have been using GhostWalker to rename and join the PCs to a domain after imaging, but it just randomly-assigns numbers for the variables. This is a little better, but GhostWalker doesn’t increment the numbers, nor does it check the network for duplicate names (or so I’m told by Symantec support).
Ideally, what I would like is some program or script or whatever, that can be run after imaging that will assign computer names consecutively or will consult a file for a list of names; then go and check on the network for a duplicate name preferably by fqdn – and ideally, be able to join the PC to a domain and assign it to a specific OU as icing on the cake. Does anyone know of a tool that will do this? (Are you working on something like this, Joe?) I am also curious about how others currently handle imaging and automatic computer naming. Dan DeStefano
[ActiveDir] Automate Computer Name Changes
I have not been able to find a way to sufficiently solve the following problem: automatically changing computer names after imaging. I would like to reassign computer names based on a company naming convention plus variable. So a computer name would be something like “dny01pd***”, with the asterisks representing an automatically assigned number. As far as I know, Sysprep does not allow this; it will only allow you to assign a random name, which is not acceptable. I am not using unattended installations so I cannot use .udb files to assign computer names. I have been using GhostWalker to rename and join the PCs to a domain after imaging, but it just randomly-assigns numbers for the variables. This is a little better, but GhostWalker doesn’t increment the numbers, nor does it check the network for duplicate names (or so I’m told by Symantec support). Ideally, what I would like is some program or script or whatever, that can be run after imaging that will assign computer names consecutively or will consult a file for a list of names; then go and check on the network for a duplicate name preferably by fqdn – and ideally, be able to join the PC to a domain and assign it to a specific OU as icing on the cake. Does anyone know of a tool that will do this? (Are you working on something like this, Joe?) I am also curious about how others currently handle imaging and automatic computer naming. Dan DeStefano
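The workflow asked for in this thread (next consecutive name in the dny01pd*** convention, a duplicate check against the directory and DNS, then a rename and domain join into a specific OU) can be sketched in PowerShell. This is an added example, not code from the thread; the domain name, OU path and three-digit suffix width are assumptions, and `Add-Computer -NewName` needs PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Assumed values: domain FQDN, OU path,
# three-digit suffix. Run on the freshly imaged PC while it is still in a workgroup.

function Get-NextFreeName {
    param(
        [Parameter(Mandatory = $true)] [string] $Prefix,
        [int] $Digits = 3,
        [string[]] $TakenNames = @()
    )
    $max = [int][math]::Pow(10, $Digits) - 1
    for ($i = 1; $i -le $max; $i++) {
        $candidate = $Prefix + $i.ToString("D$Digits")
        if ($candidate.Length -gt 15) {
            throw "Computer (NetBIOS) names are limited to 15 characters: $candidate"
        }
        # -notcontains compares case-insensitively, as computer names do
        if ($TakenNames -notcontains $candidate) { return $candidate }
    }
    throw "No free name left for prefix '$Prefix'."
}

function Get-DirectoryComputerNames {
    param(
        [string] $DomainFqdn,
        [string] $Prefix,      # admin-chosen constant; escape it if it could contain ( ) * \
        [System.Management.Automation.PSCredential] $Credential
    )
    # Not domain-joined yet, so bind to the directory with explicit credentials.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$DomainFqdn",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $root, "(&(objectCategory=computer)(name=$Prefix*))")
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('name')
    try {
        foreach ($r in $searcher.FindAll()) { [string]$r.Properties['name'][0] }
    } finally {
        $searcher.Dispose(); $root.Dispose()
    }
}

function Test-NameInDns {
    param([string] $Fqdn)
    try   { [void][System.Net.Dns]::GetHostEntry($Fqdn); return $true }
    catch { return $false }   # lookup failed: no record, or DNS unreachable
}

function Join-DomainWithNextName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string] $Prefix     = 'dny01pd',                                   # convention from the thread
        [string] $DomainFqdn = 'corp.example.com',                          # assumed
        [string] $TargetOU   = 'OU=Workstations,DC=corp,DC=example,DC=com', # assumed
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $Credential
    )
    $taken = @(Get-DirectoryComputerNames -DomainFqdn $DomainFqdn -Prefix $Prefix -Credential $Credential)
    do {
        $name  = Get-NextFreeName -Prefix $Prefix -TakenNames $taken
        $inDns = Test-NameInDns -Fqdn "$name.$DomainFqdn"
        if ($inDns) { $taken += $name }   # stale or foreign DNS record: skip this number
    } while ($inDns)

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Rename to $name and join $DomainFqdn")) {
        Add-Computer -DomainName $DomainFqdn -OUPath $TargetOU -NewName $name `
                     -Credential $Credential -Restart
    }
    return $name
}

# Dry run that only reports the chosen name:
#   Join-DomainWithNextName -Credential (Get-Credential) -WhatIf
```

The lookup and the join are not atomic, so two machines imaged at the same moment can still pick the same name; pre-staging the computer accounts or serializing this step closes that gap. Use a join account delegated only to create computer objects in the target OU rather than a domain admin.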
[ActiveDir] Very OT: Please Settle a Bet
Could anyone settle a bet for me? I would like to know if Windows 95 was a 16 or 32-bit OS. One of us is saying that it was natively 32-bit, but ran 16-bit apps in a VM, while the other one is saying the reverse: it was a 16-bit OS that was capable of running 32-bit apps in a VM. Also, one person is saying that W95 required DOS (like Win3.1.1) and the other is saying that, while built on DOS, DOS was not required and the OS went above and beyond its DOS roots. If anyone can settle these issues and offer proof like links to Web pages and such, we would be grateful. _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.
RE: [ActiveDir] Built-in Defragger and Clustering
That did sound like a silly superstition to me. Anyway, do you use the built-in defragger to defragment your shared cluster drives? Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Wednesday, February 09, 2005 12:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Built-in Defragger and Clustering Dan, Been working with Clusters for a number of years, and I have never heard of this. I can ping a couple folks, but I can’t surmise what the problem would be. If data is re-ordered, the disk is going to work fine one way or another. -rtk From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, February 08, 2005 10:24 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Built-in Defragger and Clustering It has been suggested to me that W2k’s built-in defragger should not be used to defrag a shared disk in a MSCS cluster. I am hesitant to believe this since the fact that the servers are clustered does not change how the data is written to the disk, correct? So, is there any foundation for this belief? _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
[ActiveDir] Built-in Defragger and Clustering
It has been suggested to me that W2k’s built-in defragger should not be used to defrag a shared disk in a MSCS cluster. I am hesitant to believe this since the fact that the servers are clustered does not change how the data is written to the disk, correct? So, is there any foundation for this belief? _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
RE: [ActiveDir] Cloning and SIDs
Thank you, I never knew that. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, February 03, 2005 12:52 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Cloning and SIDs The member machine SID and the machine's objectSID from AD are different things. The objectSID will be composed of the domain SID with a unique RID appended. The member machine's SID will stay constant through a domain change. If you clone machines, changing the machine SIDS is highly desirable. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Thursday, February 03, 2005 11:12 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Cloning and SIDs Does a machine’s SID change when it is added to a domain, or is the domain SID just appended to the current machine’s SID? I ask because I am creating desktop images and want to know if it is necessary to run Sysprep prior to imaging if the PC is not going to be joined to the domain until after imaging. In other words, I create the template installation and image it when the PC is still a workgroup member. _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
[ActiveDir] Cloning and SIDs
Does a machine’s SID change when it is added to a domain, or is the domain SID just appended to the current machine’s SID? I ask because I am creating desktop images and want to know if it is necessary to run Sysprep prior to imaging if the PC is not going to be joined to the domain until after imaging. In other words, I create the template installation and image it when the PC is still a workgroup member. _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
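The distinction drawn in the reply above (a local machine SID that survives a domain join, versus an AD objectSID built from the domain SID plus a unique RID) can be made concrete with a small audit over an inventory. This is an added example, not code from the thread; every SID and computer name in it is a constructed sample value, and the inventory format is an assumption.

```powershell
# Added example (not from the thread). All SIDs and names are constructed samples.

function Get-LocalMachineSid {
    # Local accounts carry the machine SID plus a RID (500 for the built-in
    # Administrator), so stripping the RID yields the machine SID itself.
    $acct = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
            Select-Object -First 1
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($acct.SID)
    $sid.AccountDomainSid.Value
}

function Find-SharedMachineSid {
    # Input objects need Computer, LocalAdminSid and ObjectSid properties.
    param([object[]] $Inventory)
    $Inventory |
        ForEach-Object {
            $local  = New-Object System.Security.Principal.SecurityIdentifier($_.LocalAdminSid)
            $object = New-Object System.Security.Principal.SecurityIdentifier($_.ObjectSid)
            [pscustomobject]@{
                Computer   = $_.Computer
                MachineSid = $local.AccountDomainSid.Value    # unchanged by a domain join
                DomainSid  = $object.AccountDomainSid.Value   # issued by the domain
                ObjectRid  = ($object.Value -split '-')[-1]   # unique per AD object
            }
        } |
        Group-Object MachineSid |
        Where-Object { $_.Count -gt 1 }
}

# Constructed inventory: the first two PCs came from the same image without Sysprep.
$inventory = @(
    [pscustomobject]@{
        Computer      = 'dny01pd001'
        LocalAdminSid = 'S-1-5-21-1111111111-2222222222-3333333333-500'
        ObjectSid     = 'S-1-5-21-4000000001-4000000002-4000000003-1104'
    }
    [pscustomobject]@{
        Computer      = 'dny01pd002'
        LocalAdminSid = 'S-1-5-21-1111111111-2222222222-3333333333-500'
        ObjectSid     = 'S-1-5-21-4000000001-4000000002-4000000003-1105'
    }
    [pscustomobject]@{
        Computer      = 'dny01pd003'
        LocalAdminSid = 'S-1-5-21-1234500001-1234500002-1234500003-500'
        ObjectSid     = 'S-1-5-21-4000000001-4000000002-4000000003-1106'
    }
)

foreach ($group in Find-SharedMachineSid -Inventory $inventory) {
    'Machine SID {0} is shared by: {1}' -f $group.Name, (($group.Group | ForEach-Object { $_.Computer }) -join ', ')
    $group.Group | Format-Table Computer, DomainSid, ObjectRid -AutoSize
}
```

In the sample data the two cloned PCs report the same machine SID while their AD objectSIDs differ only in the RID.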
RE: [ActiveDir] Outlook/Exchange Issue
No, believe it or not, we currently have no network sniffer/tracer set up at the remote site. We just asked the firewall admin if he changed anything and he said that he would look into it... it worked 5 minutes later. I guess we'll find out what the problem exactly was tomorrow, but it's working now, so we and the user are happy. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, February 02, 2005 3:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook/Exchange Issue Did the network trace crack it for you? :o) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Wednesday, February 02, 2005 1:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook/Exchange Issue This issue has been resolved. We believe that there was an undocumented change made to the firewall at the site. I will post more info when/if I receive it. I greatly appreciate everyone's help. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra Sent: Wednesday, February 02, 2005 10:33 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Outlook/Exchange Issue One more thing...we can try is..make a change in the DC @ HQ and then try to replicate it across to the LA site. if the replication is success then this might avoid any replication or permissions issues. Chandra On Wed, 2 Feb 2005 09:50:03 -0500, Dan DeStefano <[EMAIL PROTECTED]> wrote: > > > Yes. The thing is that this is not a new user. This user has been with the > company for a while and it worked fine before. > > > > Dan > > > > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra > Sent: Tuesday, February 01, 2005 6:14 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Outlook/Exchange Issue > > > > > Dan, did u check on local DC @ LA site? 
can you check if the user account > has replicated properlythink it could be the attribute changes may not > have replicated properly to the DC in LA > > > > > > Regards, > Chandra > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Dan DeStefano > Sent: 01 February 2005 17:04 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Outlook/Exchange Issue > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Outlook/Exchange Issue > > > > > When logging onto a machine at the HQ site, Outlook works fine for the user. > But when logging on from any PC at the LA site, Outlook hangs. However, > other users at the LA site are not having this problem. It is very weird > that only this one user is having this problem when logging on from this one > site. > > > > > > Dan > > > > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of joe > Sent: Tuesday, February 01, 2005 4:57 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Outlook/Exchange Issue > > > > What happens if you log into a machine at the HQ site with the user's info? > > > > As for account corruption. I have never actually ever seen account > corruption. I know a lot of folks who said they had corruption and they > proved it was corruption by deleting and recreating. That doesn't actually > prove corruption, it just proves something wasn't right that the admin > didn't understand. Mailbox corruption, well that is another matter. MAPI is > a four letter word. > > > > > > joe > > > > > > > > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano > Sent: Tuesday, February 01, 2005 4:10 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Outlook/Exchange Issue > > The tech working on the problem has tried this, but to no avail. > > Some more information: > > If I logon to the PC with any other user account and open Outlook it works > fine. 
I also had the user logon to PCs in other sites and the problem > persists. This has led me to believe that the problem may be with the user's > account itself. However the user can logon using OWA and has no problems > logging onto the domain so I am at a loss. > > Is it possible that there is some weird corruption with the user's domain > account and/or mailbox? Would re-creating the mailbox/user account be worth > a try? If so, what is the best way to go about doing this? Export the user&
RE: [ActiveDir] Outlook/Exchange Issue
This issue has been resolved. We believe that there was an undocumented change made to the firewall at the site. I will post more info when/if I receive it. I greatly appreciate everyone's help. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra Sent: Wednesday, February 02, 2005 10:33 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Outlook/Exchange Issue One more thing...we can try is..make a change in the DC @ HQ and then try to replicate it across to the LA site. if the replication is success then this might avoid any replication or permissions issues. Chandra On Wed, 2 Feb 2005 09:50:03 -0500, Dan DeStefano <[EMAIL PROTECTED]> wrote: > > > Yes. The thing is that this is not a new user. This user has been with the > company for a while and it worked fine before. > > > > Dan > > > > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra > Sent: Tuesday, February 01, 2005 6:14 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Outlook/Exchange Issue > > > > > Dan, did u check on local DC @ LA site? can you check if the user account > has replicated properlythink it could be the attribute changes may not > have replicated properly to the DC in LA > > > > > > Regards, > Chandra > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Dan DeStefano > Sent: 01 February 2005 17:04 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Outlook/Exchange Issue > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Outlook/Exchange Issue > > > > > When logging onto a machine at the HQ site, Outlook works fine for the user. > But when logging on from any PC at the LA site, Outlook hangs. However, > other users at the LA site are not having this problem. It is very weird > that only this one user is having this problem when logging on from this one > site. 
> > > > > > Dan > > > > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of joe > Sent: Tuesday, February 01, 2005 4:57 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Outlook/Exchange Issue > > > > What happens if you log into a machine at the HQ site with the user's info? > > > > As for account corruption. I have never actually ever seen account > corruption. I know a lot of folks who said they had corruption and they > proved it was corruption by deleting and recreating. That doesn't actually > prove corruption, it just proves something wasn't right that the admin > didn't understand. Mailbox corruption, well that is another matter. MAPI is > a four letter word. > > > > > > joe > > > > > > > > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano > Sent: Tuesday, February 01, 2005 4:10 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Outlook/Exchange Issue > > The tech working on the problem has tried this, but to no avail. > > Some more information: > > If I logon to the PC with any other user account and open Outlook it works > fine. I also had the user logon to PCs in other sites and the problem > persists. This has led me to believe that the problem may be with the user's > account itself. However the user can logon using OWA and has no problems > logging onto the domain so I am at a loss. > > Is it possible that there is some weird corruption with the user's domain > account and/or mailbox? Would re-creating the mailbox/user account be worth > a try? If so, what is the best way to go about doing this? Export the user's > mailbox to a .pst file and delete the account/mailbox, recreate it, then > import the .pst file? If so, what preferences, appointments, tasks, etc. > will the user lose? > > > > I greatly appreciate everyone's help with this frustrating issue. 
> > > > > > Dan > > > > > > > > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet > Sent: Tuesday, February 01, 2005 2:10 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Outlook/Exchange Issue > > > > > We have lots of kerberos authentication problems over VPN connections. The > solution is to force kerberos to use TCP. > > > > > > [HKEY_LOCAL_MACHINE\SYSTEM\Cur
RE: [ActiveDir] Outlook/Exchange Issue
Yes. The thing is that this is not a new user. This user has been with the company for a while and it worked fine before. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra Sent: Tuesday, February 01, 2005 6:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook/Exchange Issue Dan, did u check on local DC @ LA site? can you check if the user account has replicated properlythink it could be the attribute changes may not have replicated properly to the DC in LA Regards, Chandra -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: 01 February 2005 17:04 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook/Exchange Issue When logging onto a machine at the HQ site, Outlook works fine for the user. But when logging on from any PC at the LA site, Outlook hangs. However, other users at the LA site are not having this problem. It is very weird that only this one user is having this problem when logging on from this one site. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 01, 2005 4:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook/Exchange Issue What happens if you log into a machine at the HQ site with the user's info? As for account corruption. I have never actually ever seen account corruption. I know a lot of folks who said they had corruption and they proved it was corruption by deleting and recreating. That doesn't actually prove corruption, it just proves something wasn't right that the admin didn't understand. Mailbox corruption, well that is another matter. MAPI is a four letter word. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, February 01, 2005 4:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook/Exchange Issue The tech working on the problem has tried this, but to no avail.
Some more information: If I logon to the PC with any other user account and open Outlook it works fine. I also had the user logon to PCs in other sites and the problem persists. This has led me to believe that the problem may be with the user’s account itself. However the user can logon using OWA and has no problems logging onto the domain so I am at a loss. Is it possible that there is some weird corruption with the user’s domain account and/or mailbox? Would re-creating the mailbox/user account be worth a try? If so, what is the best way to go about doing this? Export the user’s mailbox to a .pst file and delete the account/mailbox, recreate it, then import the .pst file? If so, what preferences, appointments, tasks, etc. will the user lose? I greatly appreciate everyone’s help with this frustrating issue. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, February 01, 2005 2:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook/Exchange Issue We have lots of kerberos authentication problems over VPN connections. The solution is to force kerberos to use TCP. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters] "MaxPacketSize"=dword:0001 Not sure if that is your problem, but it's worth a shot. BTW, does anyone why kerberos was designed to use UDP in the first place? Seems pretty silly to me. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, February 01, 2005 1:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Outlook/Exchange Issue I have a frustrating problem: We have a W2k AD domain with 3 sites and 5 subnets – 3 bound to our HQ site and one each bound to our other two sites. These sites are connected by persistent VPN connections using our Nokia Checkpoint firewalls – two of our sites have dedicated T3 connections and the other site has a dedicated T1.Each site has a GC. 
I recently configured a laptop here in our main site for a user in our LA site. The laptop has a wired and wireless connection, however, our only site with wireless access is our main site – but since the user travels between sites periodically I configured the wireless connection as well. I installed Office 2000 from an administrative installation point at this site and configured Outlook to connect to our sole Exchange server here at our main site. I also set up the user’s Outlook profile from this site, connected to our Exchange server, synchronized the user’s mailbox (I set up Outlook in cached mode) and all worked well. After shipping the laptop to the user at the remote site, I got a call from the user. Outlook hangs after opening and gives me the “Not Responding”
RE: [ActiveDir] Outlook/Exchange Issue
When logging onto a machine at the HQ site, Outlook works fine for the user. But when logging on from any PC at the LA site, Outlook hangs. However, other users at the LA site are not having this problem. It is very weird that only this one user is having this problem when logging on from this one site. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 01, 2005 4:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook/Exchange Issue What happens if you log into a machine at the HQ site with the user's info? As for account corruption. I have never actually ever seen account corruption. I know a lot of folks who said they had corruption and they proved it was corruption by deleting and recreating. That doesn't actually prove corruption, it just proves something wasn't right that the admin didn't understand. Mailbox corruption, well that is another matter. MAPI is a four letter word. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, February 01, 2005 4:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook/Exchange Issue The tech working on the problem has tried this, but to no avail. Some more information: If I logon to the PC with any other user account and open Outlook it works fine. I also had the user logon to PCs in other sites and the problem persists. This has led me to believe that the problem may be with the user’s account itself. However the user can logon using OWA and has no problems logging onto the domain so I am at a loss. Is it possible that there is some weird corruption with the user’s domain account and/or mailbox? Would re-creating the mailbox/user account be worth a try? If so, what is the best way to go about doing this? Export the user’s mailbox to a .pst file and delete the account/mailbox, recreate it, then import the .pst file? If so, what preferences, appointments, tasks, etc. will the user lose?
I greatly appreciate everyone’s help with this frustrating issue. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, February 01, 2005 2:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook/Exchange Issue We have lots of kerberos authentication problems over VPN connections. The solution is to force kerberos to use TCP. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters] "MaxPacketSize"=dword:0001 Not sure if that is your problem, but it's worth a shot. BTW, does anyone why kerberos was designed to use UDP in the first place? Seems pretty silly to me. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, February 01, 2005 1:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Outlook/Exchange Issue I have a frustrating problem: We have a W2k AD domain with 3 sites and 5 subnets – 3 bound to our HQ site and one each bound to our other two sites. These sites are connected by persistent VPN connections using our Nokia Checkpoint firewalls – two of our sites have dedicated T3 connections and the other site has a dedicated T1.Each site has a GC. I recently configured a laptop here in our main site for a user in our LA site. The laptop has a wired and wireless connection, however, our only site with wireless access is our main site – but since the user travels between sites periodically I configured the wireless connection as well. I installed Office 2000 from an administrative installation point at this site and configured Outlook to connect to our sole Exchange server here at our main site. I also set up the user’s Outlook profile from this site, connected to our Exchange server, synchronized the user’s mailbox (I set up Outlook in cached mode) and all worked well. After shipping the laptop to the user at the remote site, I got a call from the user. 
Outlook hangs after opening and gives me the “Not Responding” even after leaving it alone for 10+minutes. One of the other techs here is working on the problem and he tried repairing the Office installation, disabling the wireless connection, reinstalling Outlook, tried creating a new user profile, but nothing has been successful so far. Has anyone experienced this before? If I have left out any info, please let me know and I will provide it. Dan DeStefano
RE: [ActiveDir] Outlook/Exchange Issue
The tech working on the problem has tried this, but to no avail. Some more information: If I logon to the PC with any other user account and open Outlook it works fine. I also had the user logon to PCs in other sites and the problem persists. This has led me to believe that the problem may be with the user’s account itself. However the user can logon using OWA and has no problems logging onto the domain so I am at a loss. Is it possible that there is some weird corruption with the user’s domain account and/or mailbox? Would re-creating the mailbox/user account be worth a try? If so, what is the best way to go about doing this? Export the user’s mailbox to a .pst file and delete the account/mailbox, recreate it, then import the .pst file? If so, what preferences, appointments, tasks, etc. will the user lose? I greatly appreciate everyone’s help with this frustrating issue. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, February 01, 2005 2:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Outlook/Exchange Issue We have lots of kerberos authentication problems over VPN connections. The solution is to force kerberos to use TCP. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters] "MaxPacketSize"=dword:0001 Not sure if that is your problem, but it's worth a shot. BTW, does anyone why kerberos was designed to use UDP in the first place? Seems pretty silly to me. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, February 01, 2005 1:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Outlook/Exchange Issue I have a frustrating problem: We have a W2k AD domain with 3 sites and 5 subnets – 3 bound to our HQ site and one each bound to our other two sites.
These sites are connected by persistent VPN connections using our Nokia Checkpoint firewalls – two of our sites have dedicated T3 connections and the other site has a dedicated T1.Each site has a GC. I recently configured a laptop here in our main site for a user in our LA site. The laptop has a wired and wireless connection, however, our only site with wireless access is our main site – but since the user travels between sites periodically I configured the wireless connection as well. I installed Office 2000 from an administrative installation point at this site and configured Outlook to connect to our sole Exchange server here at our main site. I also set up the user’s Outlook profile from this site, connected to our Exchange server, synchronized the user’s mailbox (I set up Outlook in cached mode) and all worked well. After shipping the laptop to the user at the remote site, I got a call from the user. Outlook hangs after opening and gives me the “Not Responding” even after leaving it alone for 10+minutes. One of the other techs here is working on the problem and he tried repairing the Office installation, disabling the wireless connection, reinstalling Outlook, tried creating a new user profile, but nothing has been successful so far. Has anyone experienced this before? If I have left out any info, please let me know and I will provide it. Dan DeStefano
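The registry value suggested earlier in this thread for forcing Kerberos onto TCP (`MaxPacketSize` under `Lsa\Kerberos\Parameters`) can be audited and set idempotently on a client. This is an added example, not code from the thread; the function names are hypothetical, and the key path and value are the ones quoted in the reply.

```powershell
# Added example (not from the thread): audit and set the Kerberos client's
# UDP size threshold. Function names are hypothetical.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    $p = Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }      # key or value absent: the OS default applies
    return [int]$p.MaxPacketSize
}

function Get-KerberosTransportSummary {
    $v = Get-KerberosMaxPacketSize
    if ($null -eq $v) {
        'MaxPacketSize is not set: the OS default threshold applies'
    } elseif ($v -le 1) {
        'MaxPacketSize={0}: Kerberos requests go over TCP' -f $v
    } else {
        'MaxPacketSize={0}: UDP is tried first for messages up to {0} bytes' -f $v
    }
}

function Set-KerberosForceTcp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ((Get-KerberosMaxPacketSize) -eq 1) {
        Write-Verbose 'MaxPacketSize is already 1; nothing to change.'
        return
    }
    if ($PSCmdlet.ShouldProcess($KerbParams, 'Set MaxPacketSize = 1 (Kerberos over TCP)')) {
        # Create the key only when it is missing; New-Item -Force would
        # recreate an existing key and drop the values already stored in it.
        if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams | Out-Null }
        New-ItemProperty -Path $KerbParams -Name MaxPacketSize `
                         -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report first, then preview the change without writing anything:
#   Get-KerberosTransportSummary
#   Set-KerberosForceTcp -WhatIf
```

Run it from an elevated session, and restart the machine afterwards so the Kerberos client picks up the new value.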
RE: [ActiveDir] OT: Exchange Mail Forwarding
Thanks. What about the rules still applying if the user's account is disabled? What about if the account is deleted, but the mailbox kept? Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, February 01, 2005 1:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Exchange Mail Forwarding I like to shoot the departing users, but my HR says that's not something I should tell outsiders about. Seriously, the way you're doing it is about the only way you can do it because there is no easy way to get an auto-reply server side ( you could write code, but..) That's best done via the client. If not for that, you *could* put the SMTP addr as a secondary on a DL that included the two other mailboxes. Or PF, or contact, or whatever mailbox/mail-enabled object you wanted and remove the users mailbox. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, February 01, 2005 12:23 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Exchange Mail Forwarding We have a W2k AD domain with Exchange 2000. I am an Exchange novice. I have a user who has recently left the company and need his e-mail forwarded to 2 different users. The way I have done this is by setting up a rule using the user's Outlook profile that forwards all messages to these two users and also replies to the sender with a message that the user is no longer with the company and who to send future e-mails to. I am not too happy with this solution as I believe there may be a way to set this up on the Exchange server itself. However, I have only found how to forward the user's e-mail to another user's mailbox, but not to multiple mailboxes or to a distribution group and no way to create the auto-reply. My questions are: Is it possible to set this up on the server without having to use the client's Outlook? What about the auto-reply message? 
I would like to disable the user's domain account for security reasons. If I do, will the user's mailbox still receive messages and will the Outlook rules still work? What are the commonly-accepted procedures for dealing with departing users? I would greatly appreciate any help that can be provided. Dan DeStefano List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Outlook/Exchange Issue
I have a frustrating problem: We have a W2k AD domain with 3 sites and 5 subnets – 3 bound to our HQ site and one each bound to our other two sites. These sites are connected by persistent VPN connections using our Nokia Checkpoint firewalls – two of our sites have dedicated T3 connections and the other site has a dedicated T1. Each site has a GC. I recently configured a laptop here in our main site for a user in our LA site. The laptop has a wired and wireless connection, however, our only site with wireless access is our main site – but since the user travels between sites periodically I configured the wireless connection as well. I installed Office 2000 from an administrative installation point at this site and configured Outlook to connect to our sole Exchange server here at our main site. I also set up the user’s Outlook profile from this site, connected to our Exchange server, synchronized the user’s mailbox (I set up Outlook in cached mode) and all worked well. After shipping the laptop to the user at the remote site, I got a call from the user. Outlook hangs after opening and gives me the “Not Responding” even after leaving it alone for 10+ minutes. One of the other techs here is working on the problem and he tried repairing the Office installation, disabling the wireless connection, reinstalling Outlook, tried creating a new user profile, but nothing has been successful so far. Has anyone experienced this before? If I have left out any info, please let me know and I will provide it.

Dan DeStefano
[ActiveDir] OT: Exchange Mail Forwarding
We have a W2k AD domain with Exchange 2000. I am an Exchange novice. I have a user who has recently left the company and need his e-mail forwarded to 2 different users. The way I have done this is by setting up a rule using the user’s Outlook profile that forwards all messages to these two users and also replies to the sender with a message that the user is no longer with the company and who to send future e-mails to. I am not too happy with this solution as I believe there may be a way to set this up on the Exchange server itself. However, I have only found how to forward the user’s e-mail to another user’s mailbox, but not to multiple mailboxes or to a distribution group and no way to create the auto-reply. My questions are: Is it possible to set this up on the server without having to use the client’s Outlook? What about the auto-reply message? I would like to disable the user’s domain account for security reasons. If I do, will the user’s mailbox still receive messages and will the Outlook rules still work? What are the commonly-accepted procedures for dealing with departing users? I would greatly appreciate any help that can be provided. Dan DeStefano
RE: [ActiveDir] DC Unattended Restart
You can probably do this using the “shutdown” utility from the W2k Resource Kit (this utility is included with Server 2k3) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent Sent: Monday, January 31, 2005 4:08 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DC Unattended Restart Is there any way to schedule an unattended restart, warm or cold boot, of a DC ?
RE: [ActiveDir] Office deployments via GPO
I believe you can control this behavior via the Office 2003 Custom Installation Wizard, which is part of the o2k3 resource kit toolbox: http://download.microsoft.com/download/0/e/d/0eda9ae6-f5c9-44be-98c7-ccc3016a296a/ork.exe.

Dan DeStefano

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, January 24, 2005 7:38 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Office deployments via GPO

We have many desktops that we want to deploy Office 2003 to, and some of them already have Office 2003. Separating which ones do and don't would be difficult, so we want to apply the GPO to a whole list of computers and let it deploy. The problem is, if they already have Office 2003 on the workstations, it deploys over top of it anyway, and this could cause Outlook or some other issues. Is there any way to get the GPO to detect if O2K3 is already installed and skip deployment if so?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT how to change how explorer lists computers
I have been looking for a way to change this myself and have not found one. The only thing I have found is that supposedly this is a design decision and unchangeable. The most annoying part of this is that not only does it display the comment first, but the comments are not even alphabetized, but the computer names are. This is really frustrating. If you find a way to do this please let me know - [EMAIL PROTECTED] Thanks, Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Tuesday, January 18, 2005 5:07 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT how to change how explorer lists computers Does anyone know how or if you can change how explorer lists the computers when you go to network places and view the entire network. Under 2000 it showed the computer name. Under XP it is showing the comment/description and then the computer name in parenthesis. We would like to only have the computer name. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DNS Setup
Are you asking if Windows DNS needs to be used with AD? If so, then the answer is no, you can use another DNS server such as BIND, the only requirement being that it must support SRV records - dynamic updates are optional, but preferred. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Tuesday, January 18, 2005 4:40 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS Setup Does DNS need to be setup with Active Directory? My DNS isn't showing any of the LDAP ports or standard stuff that shows when you have an AD Integrated DNS. I tried deleting all the Zones and re-creating them... but it doesn't seem to help. Thanks, -- Matt Brown [ SELECT * FROM users WHERE clue > 0 ] Information Technology System Specialist Eastern Washington University -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Tuesday, January 18, 2005 12:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Policies that effect secure websites Putting the web sites into the security zones did not work. Still unable to browse to the sites on the XP workstations. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Thursday, January 13, 2005 5:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Policies that effect secure websites The firewall is disabled on the machines. I will try the security zones. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, January 13, 2005 5:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Policies that effect secure websites Are you sure it's the firewall and not some other setting? For example, some of the other security settings will prevent you from loading ActiveX controls and won't even prompt you for that. Firewall has nothing to do with that. 
Once you have connected to a web page via SSL, the conversation is encrypted and the firewall either allows the TCP 443 connection or it doesn't. Not partially, etc. Troubleshooting the firewall usually starts with logging. Have you tried logging the firewall to see what it's doing? Do you see it dropping connections to that page? You may also want to turn on script debugging to see if something is failing before the page loads. Finally, you may also want to put the web page into a different security zone for testing purposes to see if some of the security zone settings are too restrictive. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Thursday, January 13, 2005 4:49 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Policies that effect secure websites I am having an issue on a windows XP SP2 where some of the secure web sites will not come up. I have SSL and TSL selected and we are able to connect to our OWA server, but unable to connect a banking page for example. Now I checked on a windows 2000 machine and we are able to get to the page. I don't have anything in the policies that I see that tells IE how to handle secure sites but then I could be missing something. Any Ideas where to look. 
Jeff
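The DNS Setup reply above says a non-Windows DNS server such as BIND can host an AD zone as long as it supports SRV records. As an added example (not code from the thread), the script below audits zone text for the locator SRV records that domain controllers register; the domain `corp.example.com`, the host `dc1` and the zone contents are constructed, and the parser assumes the simple one-record-per-line form with an owner name on every line.

```python
import re

# SRV owner names (relative to the AD domain) that domain controllers register
# through Netlogon, with the port each service is expected on. The _gc and
# gc._msdcs names live in the forest root; this example assumes a
# single-domain forest, so the domain is also the forest root.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
    "_gc._tcp": 3268,
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp.dc._msdcs": 88,
    "_ldap._tcp.pdc._msdcs": 389,
    "_ldap._tcp.gc._msdcs": 3268,
}

# owner [ttl] [IN] SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)

def parse_srv(zone_text, origin):
    """Return {owner_fqdn: [(port, target), ...]} for the SRV lines in zone_text.

    Relative owner names are completed with the origin; ';' comments are
    stripped. Multi-line records and inherited owner names are not handled.
    """
    origin = origin.rstrip(".").lower()
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = SRV_LINE.match(line)
        if not m:
            continue
        owner = m["owner"].lower()
        owner = owner[:-1] if owner.endswith(".") else f"{owner}.{origin}"
        target = m["target"].rstrip(".").lower()
        records.setdefault(owner, []).append((int(m["port"]), target))
    return records

def audit_ad_srv(zone_text, domain):
    """Return {owner_fqdn: problem} for required records that are absent or
    present only on an unexpected port. An empty dict means all were found."""
    domain = domain.rstrip(".").lower()
    records = parse_srv(zone_text, domain)
    findings = {}
    for rel, port in REQUIRED_SRV.items():
        fqdn = f"{rel}.{domain}"
        found = records.get(fqdn, [])
        if not found:
            findings[fqdn] = "missing"
        elif all(p != port for p, _ in found):
            findings[fqdn] = f"wrong port (expected {port})"
    return findings

# Constructed sample zone: one record missing, one on the wrong port.
SAMPLE_ZONE = """\
; constructed sample, not from the original thread
_ldap._tcp            600 IN SRV 0 100 389  dc1.corp.example.com.
_kerberos._tcp        600 IN SRV 0 100 88   dc1.corp.example.com.
_kerberos._udp        600 IN SRV 0 100 88   dc1.corp.example.com.
_kpasswd._tcp         600 IN SRV 0 100 464  dc1.corp.example.com.
_kpasswd._udp         600 IN SRV 0 100 88   dc1.corp.example.com.  ; wrong port
_gc._tcp              600 IN SRV 0 100 3268 dc1.corp.example.com.
_ldap._tcp.dc._msdcs  600 IN SRV 0 100 389  dc1.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_ldap._tcp.gc._msdcs  600 IN SRV 0 100 3268 dc1.corp.example.com.
dc1                   600 IN A   192.0.2.10
"""

if __name__ == "__main__":
    for name, problem in sorted(audit_ad_srv(SAMPLE_ZONE, "corp.example.com").items()):
        print(f"{name}: {problem}")
```

Site-specific records (`_ldap._tcp.<site>._sites...`) are not checked here; the full set a DC expects is written to its `netlogon.dns` file.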
RE: [ActiveDir] Domain name and server name don't match
1) Yes, if you have a single DC, it will hold all FSMO roles as well as be a Global Catalog. 2) If you add more DCs the FSMO roles do not automatically change, you must manually transfer whichever role you want. 3) Those groups must be present and are default built-in groups. Maybe someone has renamed them. Switching from Mixed mode to native mode has no effect on groups. Switching to Native mode allows AD to operate in true multi-master mode and once you switch, you can no longer have NT BDCs in your AD domain. You only have to be a member of the Schema Admins and Enterprise Admins to run Forestprep. Running Domainprep only requires membership in the Domain Admins group for the domain against which you are running the utility. What do you mean your domain name and server name do not match? Could you clarify this?

Dan DeStefano

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alonzo Hess
Sent: Monday, January 10, 2005 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain name and server name don't match

Apparently I'm now the new parent of an (misconfigured, I think) AD that was unceremoniously dumped in my lap. Not having any 'real' experience with AD I set off on a search. I've used my trusty O'Reilly Bookshelf to grab some of the more recommended books (AD Cookbook, AD Forestry and Inside Active Directory). Until I can make it through these books I have a couple of questions. 1) If there is only one Win2k DC in a domain, does it take on all the FSMO roles (Schema Master, Domain Naming Master, RID Master, PDC Emulator, Infrastructure Daemon)? 2) If you add more DC's, how/what decides who is going to be the Schema master, Domain Naming Master, etc? 3) To run the AdPrep /ForestPrep and AdPrep /DomainPrep commands you must be a member of the Schema Admins and Enterprise Admins groups. Are those groups created when you up the functional level from Mixed to Native mode? Because our AD is in mixed mode and those groups are not present. Thanks in advance.

Alonzo

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Software Deployment From MSCS Share
Duh, can't believe I didn't realize that. It works now, thank you. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield Sent: Wednesday, December 29, 2004 6:48 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Software Deployment From MSCS Share You have to create a clustered resource for the file share and not grant permissions inside windows explorer but inside mscs. steve schofield - Original Message ----- From: "Dan DeStefano" <[EMAIL PROTECTED]> To: Sent: Wednesday, December 29, 2004 10:24 AM Subject: [ActiveDir] Software Deployment From MSCS Share I have an odd problem: When attempting to deploy a package stored on an MS Cluster shared resource, I receive "source unavailable" errors. The NTFS and share permissions on the share are set properly: the package is assigned to computers in an OU and the "Domain Computers" group has "Read" share/NTFS permissions to the package. However, when I move the package to a non-clustered share using the same settings and permissions, the application deploys fine. Is there a bug or problem with deploying packages located on an MSCS shared resource? If so, are there any workarounds? Thanks in advance, _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net <http://www.iagr.net/> Measuring Ad Effectiveness on Television The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail. 
RE: [ActiveDir] GPO Processing
I had this problem on a PC and I fixed it by simply updating the NIC driver. Have you tried this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, December 30, 2004 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Processing

I keep getting these errors on my Windows XP SP 1 Computer. I have rebuilt the machine twice and have put on XP SP2 and XP SP1a and the results are always the same, I have replaced the NIC and the Cable it uses to connect to the network and can’t seem to figure out what is going on. Any help is appreciated.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date: 12/30/2004
Time: 11:24:46 AM
User: NT AUTHORITY\SYSTEM
Computer: CHCSWS26
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
[ActiveDir] Software Deployment From MSCS Share
I have an odd problem: When attempting to deploy a package stored on an MS Cluster shared resource, I receive "source unavailable" errors. The NTFS and share permissions on the share are set properly: the package is assigned to computers in an OU and the "Domain Computers" group has "Read" share/NTFS permissions to the package. However, when I move the package to a non-clustered share using the same settings and permissions, the application deploys fine. Is there a bug or problem with deploying packages located on an MSCS shared resource? If so, are there any workarounds? Thanks in advance, _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
[ActiveDir] Terminal Services Web Client ActiveX Control
I am trying to deploy the TS Web Client ActiveX control to Windows XP Pro desktops using group policy (I know that XP Pro has the RDC client built-in, but the manager of the department wants the users using the Web client for testing). Anyway, the users do not have Admin privileges on their machines and cannot install ActiveX controls. I have tried deploying the Full Terminal Services Client to a test machine using group policy, but was still prompted to install the ActiveX control when connecting to the TS Web page. Is there any way to deploy this ActiveX control using group policy? If so, how? I noticed the file "mstsax.dll" installed in the system32 directory and was wondering if this is the control? If so, can I simply copy this file to the client machines and have the TS web page work? Is there any way to simply authorize this ActiveX control to allow installation by normal users? Thanks in advance, _ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television
RE: [ActiveDir] account lockout OT
This is determined by the "Reset account lockout counter after" setting.

_ Daniel DeStefano PC Support Specialist IAG Research 345 Park Avenue South, 12th Floor New York, NY 10010 T. 212.871.5262 F. 212.871.5300 www.iagr.net Measuring Ad Effectiveness on Television

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 09, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] account lockout OT

Say I have my accounts setup to lock after 3 failed attempts and to stay locked out for 30 minutes. I do 2 failed attempts, how long do I have to wait before I can do 2 more attempts without the account getting locked out. Is it based upon the lockout period? Or does it require a successful login to reset the counter? Thanks in advance for any responses.

Holland + Knight
Travis Abrams
Systems Engineer
Holland & Knight LLP
92 Lake Wire Dr
Lakeland, FL 33815
Direct 863 499 5705
Fax 863 499 5711
Email [EMAIL PROTECTED]
www.hklaw.com

NOTICE: This e-mail is from a law firm, Holland & Knight LLP ("H&K"), and is intended solely for the use of the individual(s) to whom it is addressed. If you believe you received this e-mail in error, please notify the sender immediately, delete the e-mail from your computer and do not copy or disclose it to anyone else. If you are not an existing client of H&K, do not construe anything in this e-mail to make you a client unless it contains a specific statement to that effect and do not disclose anything to H&K in reply that you expect it to hold in confidence. If you properly received this e-mail as a client, co-counsel or retained expert of H&K, you should maintain its contents in confidence in order to preserve the attorney-client or work product privilege that may be available to protect confidentiality.
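For reviewing how the three account lockout settings in this thread interact, here is an added model (not code from the thread or from Microsoft) of the bad-password counter. The thread gives a threshold of 3 and a 30-minute lockout; the 30-minute reset window used in the sample runs is constructed, and measuring that window from the most recent failed attempt is an assumption of this model.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int         # "Account lockout threshold"; 0 = never lock
    duration_min: int      # "Account lockout duration"; 0 = until an admin unlocks
    reset_after_min: int   # "Reset account lockout counter after"

    def __post_init__(self):
        # Windows refuses a lockout duration shorter than the reset window.
        if self.duration_min and self.duration_min < self.reset_after_min:
            raise ValueError("lockout duration must be >= reset-counter window")

class Account:
    """Bad-password counter for one account; times are minutes on any clock."""

    def __init__(self, policy):
        self.policy = policy
        self.bad_count = 0
        self.last_bad = None    # time of the most recent failed attempt
        self.locked_at = None   # time the lockout began, or None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        duration = self.policy.duration_min
        if duration and now - self.locked_at >= duration:
            # Lockout expired: the account unlocks and starts from zero.
            self.locked_at = None
            self.bad_count = 0
            return False
        return True

    def logon(self, now, password_ok):
        """Return 'locked', 'ok' or 'failed' for one logon attempt."""
        if self.is_locked(now):
            return "locked"
        if password_ok:
            self.bad_count = 0  # a successful logon clears the counter
            return "ok"
        # Model assumption: the reset window runs from the last failed attempt.
        if (self.last_bad is not None
                and now - self.last_bad >= self.policy.reset_after_min):
            self.bad_count = 0
        self.bad_count += 1
        self.last_bad = now
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_at = now
            return "locked"
        return "failed"

def replay(policy, events):
    """Run (minute, password_ok) events through a fresh account."""
    account = Account(policy)
    return [account.logon(minute, ok) for minute, ok in events]

if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, duration_min=30, reset_after_min=30)
    # Two failures, then two more inside the reset window: third one locks.
    print(replay(policy, [(0, False), (1, False), (10, False), (11, False)]))
    # Two failures, then two more after the window has elapsed: no lockout.
    print(replay(policy, [(0, False), (1, False), (31, False), (32, False)]))
```

The model leaves out refinements such as attempts that match a recent previous password not being counted, and replication delay of the counter between domain controllers.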