RE: [ActiveDir] Domain Admin

2007-01-10 Thread Daniel Gilbert
I might go so far as to create a new account for the consultant.  Inform
the consultant to only use the new account when they need to perform the
work on the two servers.  A new account will allow you to audit their
work and also watch for "creep".  Also, do not give the elevated
account e-mail or anything like that, so that there is no way those servers
can pick up anything like a virus or spyware.

Dan

>  Original Message 
> Subject: [ActiveDir] Domain Admin
> From: "Patrick" <[EMAIL PROTECTED]>
> Date: Tue, January 09, 2007 10:19 pm
> To: 
> 
> I have a consultant that is asking for domain admin rights on 2 member 
> servers. I have googled it but nothing seems to work out right. The servers 
> are on the domain but the consultant just has a domain user account. He can 
> log on to the servers while they are on the domain but the administrative 
> tools are not there (as it should). I want to create an OU and put the two 
> machines in that OU and delegate control to the consultant's domain user 
> account. Any other way to do this without registry hacks or scripts?  All 
> assistance welcomed

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] OT: Hello?

2007-01-04 Thread Daniel Gilbert
Gil,

I will attach a LINUX sticker on one side and mount my DEC chicken on
the other.

Dan


>  Original Message 
> Subject: RE: [ActiveDir] OT: Hello?
> From: "Gil Kirkpatrick" <[EMAIL PROTECTED]>
> Date: Thu, January 04, 2007 4:09 pm
> To: 
> 
> Only if you had to install Linux.
> 
> -gil
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
> Sent: Thursday, January 04, 2007 4:04 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Hello?
> 
> Hey, Santa brought me coupon for a new home computer, redeemed the
> coupon and built the system.  Doesn't that count as work??
> 
> Dan
> 
> >  Original Message 
> > Subject: RE: [ActiveDir] OT: Hello?
> > From: "Crawford, Scott" <[EMAIL PROTECTED]>
> > Date: Thu, January 04, 2007 3:35 pm
> > To: ActiveDir@mail.activedir.org
> > 
> > I've seen a few today, but the list has been quite slow
> > for the last week or so.  Come on guys, the holidays are the time to
> > actually get stuff done :-)
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
> > Sent: Thursday, January 04, 2007 4:21 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] OT: Hello?
> >
> > I haven't seen a single e-mail
> > from the mailing list since yesterday morning. Is anyone else seeing
> > this e-mail?  Has anyone else received e-mails since then?
> >
> > Just curious if the list has just been dead for the past day, or if something
> > might not be working properly.
> >
> > ~Ben
> 


RE: [ActiveDir] OT: Hello?

2007-01-04 Thread Daniel Gilbert
Well, I usually lurk on this list but my day to day task is to run a
W2K3 forest.

Dan


>  Original Message 
> Subject: RE: [ActiveDir] OT: Hello?
> From: "Akomolafe, Deji" <[EMAIL PROTECTED]>
> Date: Thu, January 04, 2007 4:20 pm
> To: 
> 
> >>>Santa brought me coupon for a new home computer, redeemed the coupon 
> and built the system
> 
> So, what exactly did YOU do? 
> 
> Sincerely, 
>_
>   (, /  |  /)   /) /)   
> /---| (/_  __   ___// _   //  _ 
>  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
> (_/ /)  
>(/   
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about 
> Yesterday? -anon 
>   From: Gil Kirkpatrick
> Sent: Thu 1/4/2007 3:09 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Hello?
> 
>  Only if you had to install Linux.
>  
>  -gil
>  
>  -Original Message-
>  From: [EMAIL PROTECTED]
>  [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
>  Sent: Thursday, January 04, 2007 4:04 PM
>  To: ActiveDir@mail.activedir.org
>  Subject: RE: [ActiveDir] OT: Hello?
>  
>  Hey, Santa brought me coupon for a new home computer, redeemed the
>  coupon and built the system. Doesn't that count as work??
>  
>  Dan
>  
>  >  Original Message 
>  > Subject: RE: [ActiveDir] OT: Hello?
>  > From: "Crawford, Scott" <[EMAIL PROTECTED]>
>  > Date: Thu, January 04, 2007 3:35 pm
>  > To: ActiveDir@mail.activedir.org
>  > 
>  > I've seen a few today, but the list has been quite slow
>  > for the last week or so. Come on guys, the holidays are the time to
>  > actually get stuff done :-)
>  >
>  > From: [EMAIL PROTECTED]
>  > [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
>  > Sent: Thursday, January 04, 2007 4:21 PM
>  > To: ActiveDir@mail.activedir.org
>  > Subject: [ActiveDir] OT: Hello?
>  >
>  > I haven't seen a single e-mail
>  > from the mailing list since yesterday morning. Is anyone else seeing
>  > this e-mail? Has anyone else received e-mails since then?
>  >
>  > Just curious if the list has just been dead for the past day, or if something
>  > might not be working properly.
>  >
>  > ~Ben
>  


RE: [ActiveDir] OT: Hello?

2007-01-04 Thread Daniel Gilbert
Hey, Santa brought me coupon for a new home computer, redeemed the
coupon and built the system.  Doesn't that count as work??

Dan

>  Original Message 
> Subject: RE: [ActiveDir] OT: Hello?
> From: "Crawford, Scott" <[EMAIL PROTECTED]>
> Date: Thu, January 04, 2007 3:35 pm
> To: ActiveDir@mail.activedir.org
> 
> I've seen a few today, but the list has been quite slow for 
> the last week or so.  Come on guys, the holidays are the time to actually get 
> stuff done :-)
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of WATSON, BEN
> Sent: Thursday, January 04, 2007 4:21 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: Hello?
> 
> I haven't seen a single e-mail from the 
> mailing list since yesterday morning. Is anyone else seeing this e-mail?  Has 
> anyone else received e-mails since then?
> 
> Just curious if the list has just 
> been dead for the past day, or if something might not be working properly.
> 
> ~Ben



RE: [ActiveDir] DNS scavenging question

2006-12-07 Thread Daniel Gilbert
Thanks for the input.  Luckily for us we do not have any static records, at
least I have not created any but I will check with the other Admins to be
sure.

 

I thought AGEALLRECORDS would bring the prior records into the fold and then
they would be scavenged out in the next cycle.  Guess we will give it a try
and let everyone know how it turned out.

 

Dan

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Thursday, December 07, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS scavenging question

 

You are correct.

Due to the fact that aging/scavenging was not enabled the records which were
dynamically registered were not stamped with a date/time.  Therefore the
aging/scavenging process ignores them upon starting its scavenging process.

You can use the AgeAllRecords which will do just that.  Age ALL your
records.  You have to be careful though.  I haven't proven this but I
believe that it will also turn your static records into dynamic records (time
stamp them).  Then when you run AgeAllRecords...well guess what?...

To prevent this, once you ageallrecords you will have to go back into the
DNS console and ensure that static/manually created records you need are not
set to "Delete this record when it becomes stale" by unchecking the box in the
record properties.  You might have to enable the advanced view (View
-->Advanced) to view this as well as the timestamp of the record.

Once you've completed this you can then right click on the DNS server name
in the DNS console and select "Scavenge Stale Resource Records" or via command
prompt: dnscmd  /StartScavenging

Note: In order to successfully configure Scavenging and Aging you will need
to enable it both on the zone and the DNS server. Which I'm sure you have
already...but just in case.

Right click on server name-->Properties-->Advanced tab-->check the "Enable
automatic scavenging of stale records" or you can enable it for all zones by
right clicking on the server name and selecting "Set Aging/Scavenging for all
Zones"-->check the box "Scavenge stale resource records"-->OK-->check the box
to apply these settings to the existing Active Directory-integrated zones
(if AD integrated)-->OK then go to the zone and right
click-->Properties-->General tab-->Aging button and check the "Scavenge stale
resource records"-->OK

Hope this will help...please chime in.

-vC

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, December 07, 2006 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS scavenging question

 

I have a rather off the wall DNS scavenging question.

I have a bunch of DNS records that are stale and need to be scavenged
out of the zone.  Following the O'REILLY book: DNS on Windows Server
2003 I have configured aging and scavenging.  (Don't ask why this
wasn't done when the zone was first setup, that is another story)

Now I know: If scavenging is disabled on a standard zone and you enable
scavenging, the server does not scavenge records that existed before
you enabled scavenging. The server does not scavenge those records even
if you convert the zone to an Active Directory–integrated zone first.

To enable scavenging of such records, use the AgeAllRecords in
Dnscmd.exe.  I know this must be done in order to configure existing
records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove
all stale records?  I would not want to have to wait until the "no-refresh"
and "refresh" intervals expire.

Daniel Gilbert

 

 

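A simplified model of the aging rules discussed in this thread, added here as an illustration (not code from any poster or from Microsoft): a record with no timestamp is never scavenged, AgeAllRecords stamps every record with the current time, and a stamped record only becomes stale once the no-refresh plus refresh intervals have elapsed. The record names, dates and 7-day intervals are constructed sample values; server-level scavenging settings are outside the model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Record:
    name: str
    # None models a zero timestamp: a static record, or one registered
    # before aging was enabled. Such records are never scavenged.
    timestamp: Optional[datetime] = None


@dataclass
class Zone:
    no_refresh: timedelta
    refresh: timedelta
    records: List[Record] = field(default_factory=list)

    def stale(self, rec: Record, now: datetime) -> bool:
        if rec.timestamp is None:
            return False
        return now > rec.timestamp + self.no_refresh + self.refresh

    def age_all_records(self, now: datetime) -> None:
        """Model of AgeAllRecords: stamp every record, static ones included."""
        for rec in self.records:
            rec.timestamp = now

    def exempt(self, name: str) -> None:
        """Model of unchecking 'Delete this record when it becomes stale'."""
        for rec in self.records:
            if rec.name == name:
                rec.timestamp = None

    def refresh_record(self, name: str, now: datetime) -> None:
        """A live client re-registers; the refresh is only accepted once
        the no-refresh interval has passed."""
        for rec in self.records:
            if rec.name == name and rec.timestamp is not None:
                if now >= rec.timestamp + self.no_refresh:
                    rec.timestamp = now

    def scavenge(self, now: datetime) -> List[str]:
        removed = [r.name for r in self.records if self.stale(r, now)]
        self.records = [r for r in self.records if r.name not in removed]
        return removed


def walkthrough(protect_static: bool) -> dict:
    day0 = datetime(2006, 12, 7)  # constructed date
    zone = Zone(
        no_refresh=timedelta(days=7),
        refresh=timedelta(days=7),
        records=[  # constructed names; none carries a timestamp yet
            Record("old-pc"),      # dynamic, client is gone
            Record("live-pc"),     # dynamic, client still refreshes
            Record("fileserver"),  # static, created by hand
        ],
    )
    result = {}
    # Aging just enabled: pre-existing records have no timestamp.
    result["before_aging"] = zone.scavenge(day0)
    # AgeAllRecords stamps everything "now", so nothing is stale yet.
    zone.age_all_records(day0)
    result["right_after_aging"] = zone.scavenge(day0)
    if protect_static:
        zone.exempt("fileserver")
    # The live client refreshes on day 8; the dead one never does.
    zone.refresh_record("live-pc", day0 + timedelta(days=8))
    # First cycle after no-refresh + refresh (14 days) have elapsed.
    result["after_intervals"] = zone.scavenge(day0 + timedelta(days=15))
    result["remaining"] = [r.name for r in zone.records]
    return result


if __name__ == "__main__":
    for protect in (True, False):
        print("static record exempted:", protect, walkthrough(protect))
```
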



[ActiveDir] DNS scavenging question

2006-12-07 Thread Daniel Gilbert
I have a rather off the wall DNS scavenging question.

I have a bunch of DNS records that are stale and need to be scavenged
out of the zone.  Following the O'REILLY book: DNS on Windows Server
2003 I have configured aging and scavenging.  (Don't ask why this
wasn't done when the zone was first setup, that is another story)

Now I know: If scavenging is disabled on a standard zone and you enable
scavenging, the server does not scavenge records that existed before
you enabled scavenging. The server does not scavenge those records even
if you convert the zone to an Active Directory–integrated zone first. 

To enable scavenging of such records, use the AgeAllRecords in
Dnscmd.exe.  I know this must be done in order to configure existing
records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove
all stale records?  I would not want to have to wait until the "no-refresh"
and "refresh" intervals expire.


Daniel Gilbert




RE: [ActiveDir] LCS permissions

2006-10-19 Thread Daniel Gilbert
Could you share that list?  I would appreciate it.

Daniel 

>  Original Message 
> Subject: RE: [ActiveDir] LCS permissions
> From: "Brandon Bernier" <[EMAIL PROTECTED]>
> Date: Thu, October 19, 2006 11:52 am
> To: 
> 
> Oh it's very home grown and very old. But setting up something to manage
> the LCS stuff isn't difficult. It's just a handful of attributes that
> are default for most users and only a couple that actually need some
> human input depending on the scope of your implementation. If you're
> going to go down the road of writing up a tool, I can shoot you a list
> of which ones are pretty generic and which ones require some thought
> for provisioning.
>  
> -Brandon
> 
>  
> 
> 
> From: [EMAIL PROTECTED] on behalf of Daniel Gilbert
> Sent: Thu 10/19/2006 1:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] LCS permissions
> 
> 
> 
> If I may ask, was the in-house provisioning a home grown application
> or commercial?
> 
> Dan
> 
> >  Original Message 
> > Subject: RE: [ActiveDir] LCS permissions
> > From: "Brandon Bernier" <[EMAIL PROTECTED]>
> > Date: Thu, October 19, 2006 9:45 am
> > To: 
> >
> > The install requires that all the ACL's from the /domainprep are present
> > for the install to work. But after the fact we removed the LCS ACL's and
> > let our in-house provisioning system handle it.
> > 
> > -Brandon
> >
> > 
> >
> > From: [EMAIL PROTECTED] on behalf of Daniel Gilbert
> > Sent: Thu 10/19/2006 12:13 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] LCS permissions
> >
> >
> >
> > Before I flood this list with inane LCS questions, I was wondering if
> > anyone out here has any experience with attempting to use granular
> > permissioning with LCS?
> >
> > I know the application is written to be used domain-wide but due to
> > business requirements I must attempt to limit use to a single OU.
> >
> > I am considering limiting access to the ms-RTC attributes in order to
> > control access (or management thereof) to LCS.
> >
> > Any one tried this before?
> >
> > Daniel
> >
> >


RE: [ActiveDir] LCS permissions

2006-10-19 Thread Daniel Gilbert
If I may ask, was the in-house provisioning a home grown application or
commercial?

Dan

>  Original Message 
> Subject: RE: [ActiveDir] LCS permissions
> From: "Brandon Bernier" <[EMAIL PROTECTED]>
> Date: Thu, October 19, 2006 9:45 am
> To: 
> 
> The install requires that all the ACL's from the /domainprep are present
> for the install to work. But after the fact we removed the LCS ACL's and
> let our in-house provisioning system handle it.
>  
> -Brandon
> 
> ________
> 
> From: [EMAIL PROTECTED] on behalf of Daniel Gilbert
> Sent: Thu 10/19/2006 12:13 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] LCS permissions
> 
> 
> 
> Before I flood this list with inane LCS questions, I was wondering if
> anyone out here has any experience with attempting to use granular
> permissioning with LCS?
> 
> I know the application is written to be used domain-wide but due to
> business requirements I must attempt to limit use to a single OU.
> 
> I am considering limiting access to the ms-RTC attributes in order to
> control access (or management thereof) to LCS.
> 
> Any one tried this before?
> 
> Daniel
> 
> 


[ActiveDir] LCS permissions

2006-10-19 Thread Daniel Gilbert
Before I flood this list with inane LCS questions, I was wondering if
anyone out here has any experience with attempting to use granular
permissioning with LCS?

I know the application is written to be used domain-wide but due to
business requirements I must attempt to limit use to a single OU.

I am considering limiting access to the ms-RTC attributes in order to
control access (or management thereof) to LCS.

Any one tried this before?

Daniel




RE: [ActiveDir] I'm shareing the "Best Kept Secret" I know.

2006-10-17 Thread Daniel Gilbert
Something tells me you should be ducking and running

>  Original Message 
> Subject: [ActiveDir] I'm shareing the "Best Kept Secret" I know.
> From: "Fleming, Dave (DotComm)" <[EMAIL PROTECTED]>
> Date: Tue, October 17, 2006 6:29 am
> To: 
> 
>  
> Top Ten Things Men Understand About Women
> 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
> 
> Dave Fleming
> Network Administrator
> Douglas-Omaha Technology Commission
> 408 So. 18th St.
> Omaha NE 68102
> [EMAIL PROTECTED]
> (402) 444-6290  
>   



RE: [ActiveDir] what is the meaning of OT in front of the subject

2006-10-05 Thread Daniel Gilbert
Off Track?

>  Original Message 
> Subject: RE: [ActiveDir] what is the meaning of OT in front of the
> subject
> From: "Ramon Linan" <[EMAIL PROTECTED]>
> Date: Thu, October 05, 2006 6:39 am
> To: 
> 
> Some of the subjects have that OT preceding the subject, what's that?
> 
> Thanks


RE: [ActiveDir] Forest trusts

2006-10-03 Thread Daniel Gilbert
Don't you have to do some DNS delegations to ensure clients in one
forest can find clients in the other forest?

I would think that having domain.com as the tier two for both forests
will cause some unique DNS headaches.

Dan

>  Original Message 
> Subject: RE: [ActiveDir] Forest trusts
> From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
> Date: Tue, October 03, 2006 6:47 am
> To: 
> 
> Both forests can be "connected" to each other as long as within the
> connected environment each domain name is unique (NetBIOS and DNS)...
> 
> So if you have a forest called DOMAIN.COM (NetBIOS = DOMAIN) and another
> forest called SUB.DOMAIN.COM (NetBIOS = SUB) you can connect them to
> each and setup trusts between the forests.
> 
> jorge
> 
> >>>-Original Message-
> >>>From: [EMAIL PROTECTED] 
> >>>[mailto:[EMAIL PROTECTED] On Behalf Of Lev Zdenek
> >>>Sent: Tuesday, October 03, 2006 15:35
> >>>To: ActiveDir@mail.activedir.org
> >>>Subject: [ActiveDir] Forest trusts 
> >>>
> >>>Hello evr.
> >>>I have two independent forests.
> >>>Is it possible to trust forests which share a same name 
> >>>space. For example. I have domain in first forest domain.com 
> >>>and a domain in second forest my.domain.com. If not is it 
> >>>possible to migrate with some tools a domain my.domain.com 
> >>>to domain domain.com ?
> >>>Thx
> >>>Zdenek Lev
> >>>
> >>>
> >>>
> 
> 


RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Daniel Gilbert
Hide the cheap stuff too!
>  Original Message 
> Subject: Re: [ActiveDir] I'm Baaack!
> From: "Laura E. Hunter" <[EMAIL PROTECTED]>
> Date: Thu, September 21, 2006 1:25 pm
> To: ActiveDir@mail.activedir.org
> 
> Quick!  Hide the good silverware!
> 
> On 9/21/06, Akomolafe, Deji <[EMAIL PROTECTED]> wrote:
> >
> > Yikes! Is it Halloween yet?
> >
> >
> >
> > Sincerely,
> >_
> >   (, /  |  /)   /) /)
> > /---| (/_  __   ___// _   //  _
> >  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
> > (_/ /)
> >(/
> > Microsoft MVP - Directory Services
> > www.akomolafe.com - we know IT
> > -5.75, -3.23
> > Do you now realize that Today is the Tomorrow you were worried about
> > Yesterday? -anon
> >
> > 
> > From: Rick Kingslan
> > Sent: Thu 9/21/2006 11:00 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] I'm Baaack!
> >
> >
> > Be afraid Be very afraid!
> > :-)
> 
> 
> 
> Rick
> 
> 
> 
> -- 
> ---
> Laura E. Hunter
> Microsoft MVP - Windows Server Networking
> Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
> Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)


[ActiveDir] Good SBS book suggestion

2006-09-06 Thread Daniel Gilbert
Susan,

Can you suggest a good "ID 10 T's guide to SBS 2003" book?  I assume
from your e-mail address you know more than the average SA about SBS. 
Shameless request for information.  And being the SBS NOOB that I am, I am
looking for any information I can get my hands on to provide my
customer with the best product for their limited budget.

I support a small office (eight users) and their workload and data
storage requirements are such that they really should get a real
server.

I am trying to decide if I suggest they purchase a server with SBS 2003
or a server with Windows Server 2003 R2 Standard edition.  I know there
is a cost difference with SBS 2003 being cheaper.  But, I do not think
they need all of the functionality that comes with SBS.  Their mail is
hosted with a commercial ISP.  Their office is a mix of XP Home and XP
Pro.  I know the XP Pros can join a domain but the XP Homes can not.

Dan



RE: [ActiveDir] HIDE OU

2006-06-01 Thread Daniel Gilbert
We created OU's and removed all users except for Domain Admins (of
course we left the SYSTEM access).  The OU never shows up for
non-Domain Admins.

Domain Admins have full access to the OU and can add as many objects as
they want.

Dan

>  Original Message 
> Subject: [ActiveDir] HIDE OU
> From: Za Vue <[EMAIL PROTECTED]>
> Date: Thu, June 01, 2006 9:22 am
> To: ActiveDir@mail.activedir.org
> 
> I know it has been done and probably asked before..but how do you hide a 
> particular user or OU in AD (W2K3)?
> 
> -Z.V.
> 
> 
> 


RE: [ActiveDir] Deleting "default-first-site-name" site

2006-04-12 Thread Daniel Gilbert
OK here is a question that will show my lack of AD knowledge:

If you promote a new domain controller and no subnet association exists,
doesn’t that domain controller default to the “default-first-site”?

I know it makes sense to create a new site, assign a subnet to that site
but ……..

If that site is not there, been deleted then where does the new domain
controller go?

Dan

>  Original Message 
> Subject: RE: [ActiveDir] Deleting "default-first-site-name" site
> From: "Steve Rochford" <[EMAIL PROTECTED]>
> Date: Wed, April 12, 2006 7:53 am
> To: 
> 
> Thanks; that's what I expected but I wanted to check before I deleted
> something crucial :-)
>  
> Steve
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Dean Wells
> Sent: Wed 12/04/2006 14:27
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] Deleting "default-first-site-name" site
> 
> 
> 
> Since replication takes place between DCs which logically exist in logical
> sites, no, ... not at all -- there's nothing to replicate with.  Regarding
> the deletion question; I've deleted it more times than I can count,
> sometimes I rename it if I need a new site ... there's nothing "special"
> about that object outside of its name (and that _should_ also prove a moot
> point.  This of course depends upon the developer, good coding vs. bad
> coding ... deleting it may break some joeware tools though -- haha, just
> teasing :0)
> 
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Steve Rochford
> > Sent: Wednesday, April 12, 2006 9:15 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Deleting "default-first-site-name" site
> >
> > We no longer have any servers in the
> > "default-first-site-name" site; should I delete that site? I
> > hadn't really thought it mattered until I was looking at the
> > latency figures with repadmin (shown below for one server).
> > Does it matter that no replication has taken place to a site
> > without servers?
> > 
> > Steve
> > 
> > Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):
> > Originating Site         Ver    Time Local Update    Time Orig. Update    Latency      Since Last
> > =======================  =====  ===================  ===================  ===========  ===========
> > Default-First-Site-Name  50     2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
> > wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55  00:00:02     00:21:28
> > kilburn                  5      2006-04-12 12:10:56  2006-04-12 12:06:52  00:04:04     00:36:29
> > willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50  00:00:00     00:37:35
> > Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40  00:03:17     00:21:28


RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread Daniel Gilbert
We are in the preliminary stages of that right now, in fact I have one
of the junior SA’s writing up documentation for the procedure on how to
configure the domain controllers to allow “trusted OU Admins” the
ability to read-only certain domain controller Event View logs.

I figure I can assist the OU Admins troubleshoot user problems and give
the junior SA some documentation writing experience.

Dan

>  Original Message 
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> From: "Gorder, Lee E Mr CTNOSC/GD-NS" <[EMAIL PROTECTED]>
> Date: Thu, April 06, 2006 2:46 pm
> To: "'ActiveDir@mail.activedir.org'" 
> 
> Dan,
> 
> You guys doing that now?
> 
> Lee
> 
> 
> 
> -Original Message-
> From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 06, 2006 2:38 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> 
> Yeah Sergio,
> 
> You could even use that information to say...allow OU Admins the
> ability to view the logs of the domain controllers local to them.
> 
> Dan
> >  Original Message 
> > Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > From: "Olivarez, Sergio J Mr CTNOSC/GD-NS"
> > <[EMAIL PROTECTED]>
> > Date: Thu, April 06, 2006 12:49 pm
> > To: ActiveDir@mail.activedir.org
> > 
> > Here is a link of what Ulf is talking about:
> > 
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
> > 
> > 
> > Thanks,
> > Sergio 
> > 
> > -Original Message-
> > From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, April 06, 2006 12:41 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > 
> > Might be - you know that you can delegate any eventlog by adjusting the
> > CustomSD Registrykey underneath the specific eventlog in the registry?
> > 
> > Gruesse - Sincerely, 
> > 
> > Ulf B. Simon-Weidner 
> > 
> >   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> >   Weblog: http://msmvps.org/UlfBSimonWeidner
> >   Website: http://www.windowsserverfaq.org
> >   Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
> > 
> >  
> > 
> > |-Original Message-
> > |From: [EMAIL PROTECTED] 
> > |[mailto:[EMAIL PROTECTED] On Behalf Of 
> > |Thommes, Michael M.
> > |Sent: Thursday, April 06, 2006 5:54 PM
> > |To: ActiveDir@mail.activedir.org
> > |Subject: [ActiveDir] Server 2003 "DNS Admins" group permissions
> > |
> > |The default "DNS Admins" group has permission to use the DNS GUI
> > |(dnsmgmt.msc) and to make changes in it but does not have 
> > |permission to view the DNS event log (DnsEvent.Evt).  Would 
> > |this just be an oversight on Microsoft's part?
> > |
> > |TIA,
> > |Mike Thommes


RE: [ActiveDir] Server 2003 "DNS Admins" group permissions

2006-04-06 Thread Daniel Gilbert
Yeah Sergio,

You could even use that information to say...allow OU Admins the
ability to view the logs of the domain controllers local to them.

Dan
>  Original Message 
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> From: "Olivarez, Sergio J Mr CTNOSC/GD-NS"
> <[EMAIL PROTECTED]>
> Date: Thu, April 06, 2006 12:49 pm
> To: ActiveDir@mail.activedir.org
> 
> Here is a link of what Ulf is talking about:
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
> 
> 
> Thanks,
> Sergio 
> 
> -Original Message-
> From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 06, 2006 12:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Server 2003 "DNS Admins" group permissions
> 
> Might be - you know that you can delegate any eventlog by adjusting the
> CustomSD Registrykey underneath the specific eventlog in the registry?
> 
> Gruesse - Sincerely, 
> 
> Ulf B. Simon-Weidner 
> 
>   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
>   Weblog: http://msmvps.org/UlfBSimonWeidner
>   Website: http://www.windowsserverfaq.org
>   Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
> 
>  
> 
> |-Original Message-
> |From: [EMAIL PROTECTED] 
> |[mailto:[EMAIL PROTECTED] On Behalf Of 
> |Thommes, Michael M.
> |Sent: Thursday, April 06, 2006 5:54 PM
> |To: ActiveDir@mail.activedir.org
> |Subject: [ActiveDir] Server 2003 "DNS Admins" group permissions
> |
> |The default "DNS Admins" group has permission to use the DNS GUI
> |(dnsmgmt.msc) and to make changes in it but does not have 
> |permission to view the DNS event log (DnsEvent.Evt).  Would 
> |this just be an oversight on Microsoft's part?
> |
> |TIA,
> |Mike Thommes

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
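
The CustomSD delegation discussed in the thread above, sketched as an added example (not code from the list or from the linked KB article): it parses a log's CustomSD SDDL string, appends a read-only ACE for one group, and lists account SIDs that can write or clear the log. The sample descriptor and the group SID are constructed placeholders; the value is stored under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<log name>\CustomSD.

```python
import re

# Event log access rights carried in the low bits of each ACE's access mask.
ELF_READ, ELF_WRITE, ELF_CLEAR = 0x1, 0x2, 0x4

_SDDL = re.compile(r"^(?P<head>.*?D:[A-Z]*)(?P<aces>(?:\([^()]*\))+)$")
_SID = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample modelled on a Windows Server 2003 default CustomSD.
SAMPLE = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
          "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)")
# Placeholder SID standing in for the delegated group (for example an OU admins group).
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"


def parse_custom_sd(sddl):
    """Split a CustomSD value into its prefix and a list of (type, mask, trustee).

    Assumes a DACL with no SACL and hex access masks, which is how
    event log descriptors are normally written.
    """
    m = _SDDL.match(sddl.strip())
    if not m:
        raise ValueError("not an SDDL string with a DACL")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, _flags, rights, _obj, _inh, trustee = fields
        if ace_type not in ("A", "D"):
            raise ValueError("unsupported ACE type: %s" % ace_type)
        if not rights.lower().startswith("0x"):
            # Symbolic rights such as "FA" would be misread as hex digits.
            raise ValueError("expected a hex access mask, got: %s" % rights)
        aces.append((ace_type, int(rights, 16), trustee))
    return m.group("head"), aces


def trustees_with(sddl, right):
    """Trustees granted `right` by an allow ACE and not named in a deny ACE for it.

    This compares ACE trustees only; it does not expand group membership.
    """
    _, aces = parse_custom_sd(sddl)
    denied = {t for kind, mask, t in aces if kind == "D" and mask & right}
    return [t for kind, mask, t in aces
            if kind == "A" and mask & right and t not in denied]


def grant_read(sddl, sid):
    """Append a read-only allow ACE for `sid`; existing ACEs are never widened."""
    if not _SID.match(sid):
        raise ValueError("expected a full SID such as S-1-5-21-...")
    _, aces = parse_custom_sd(sddl)
    if any(k == "A" and t == sid and m & ELF_READ for k, m, t in aces):
        return sddl  # already delegated, leave the value unchanged
    return sddl.strip() + "(A;;0x%x;;;%s)" % (ELF_READ, sid)


def overbroad(sddl):
    """Account or group SIDs (S-1-5-21-...) that may write to or clear the log."""
    _, aces = parse_custom_sd(sddl)
    return [(t, mask) for kind, mask, t in aces
            if kind == "A" and t.startswith("S-1-5-21-")
            and mask & (ELF_WRITE | ELF_CLEAR)]


if __name__ == "__main__":
    updated = grant_read(SAMPLE, GROUP_SID)
    print(updated)
    print("readers:", trustees_with(updated, ELF_READ))
    print("can write/clear (accounts):", overbroad(updated))
```

Review the output of `overbroad` before writing a value back: a delegated group that only needs to view a log should appear with mask 0x1 and nothing more.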


RE: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)

2006-04-03 Thread Daniel Gilbert
I found him. :)

>  Original Message 
> Subject: RE: [ActiveDir] Where's Deji.. (was Quiet?  DEC?  Related?)
> From: "Mark Parris" <[EMAIL PROTECTED]>
> Date: Mon, April 03, 2006 12:41 am
> To: 
> 
> Sorry Could not resist.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: 03 April 2006 04:21
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)
> 
> Talk about kicking a man when he's down!  I would have loved to have been
> there - and not only for the vats of single malt you guys seem to have had
> without me.
> 
> Alas, my employer failed to be persuaded by my forceful argument [1] for
> attending.  
> 
> Perhaps I need one of those roving evangelist roles at HP :-)
> 
> Tony
> 
> [1] Not to mention the begging and unseemly weeping.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gil
> Kirkpatrick
> Sent: Monday, 3 April 2006 8:53 a.m.
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)
> 
> 
> Deji had to bail at the last minute. Something about "work" or some other
> similarly lame excuse.
> 
> It's about as silly as "Where's Tony?" Sure NZ is like really far away and
> stuff, but come on! These are your peeps, Tony!
> 
> Now that I have at least tacit acceptance from D&J for DEC 2007, it's time
> for me to start twisting Tony's arm. I will not be denied! Muwah hah hah
> hah!
> 
> -g
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
> Sent: Friday, March 31, 2006 11:27 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Quiet? DEC? Related?
> 
> Definitely a huge thanks to everyone for making this an awesome first DEC
> for me!  It was great matching up faces to the email addresses I see daily.
> The DR, Security and Interopt sessions were a couple of my favorites.  The
> D&J show was awesome!
> 
> For those not able to attend this year, make it a priority next year.  I was
> told I could take a class this quarter...I've taken enough AD and Exchange
> classes over the years so I chose to attend DEC because of the praise given
> to it by the folks on this list.  It was well worth the trip...didn't hurt
> that red 9 kept hitting either ;-)
> 
> So the only mystery left is where was Deji?
> 
> Cheers,
> Alex
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, March 31, 2006 5:14 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Quiet? DEC? Related?
> 
> Absolutely. Very entertained. 
> 
> I had a near permanent smile from the point I directed a question to Stuart
> asking him where he was from so I could give him a copy of AD3E. The funny
> part was him thinking I was trying to set him up for something... As soon as
> I saw him in the audience I intended on giving him a copy to say thanks from
> all of us for the work he has done on this stuff and his lack of failure in
> listening to our feedback. The way it all played out though was great and
> added to the fun.
> 
> To those who sadly didn't attend we gave out copies of Active Directory
> Third Edition to folks who were answering questions we tossed out into the
> open. I said the next question is for Stuart alone and said 
> 
> "Stuart, where are you from?" 
> 
> knowing that most of the folks in the audience would know exactly where he
> was from having seen his keynote about Identity Management I figured
> most people would yell it out so I said it was just for him. His response
> was priceless... "Now or originally?"  The audience howled. Great fun.
> 
>   
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
> Sent: Friday, March 31, 2006 7:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Quiet? DEC? Related?
> 
> That's cool. I can go with that. As long as you're entertained. Let's just
> say it's not my kind of entertainment, unlike the joe and Dean show. Hey,
> joe and Dean, aren't you the guys who sing "Little Old Lady From Pasadena"?
> Or was that "Little Old Attr Caused PAS Expansion"? :)
> 
> Wook
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, March 31, 2006 4:27 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Quiet? DEC? Related?
> 
> Well it really depends on their attitude. What Guido I did wasn't gambling
> though I stated it as such previously. We were being entertained. You don't
> really gamble when you play the slots, you have no control over the outcome.
> If someone goes in thinking they will walk away with more money 

RE: [ActiveDir] Live Communications Server errors

2006-03-24 Thread Daniel Gilbert
Darren,

I was able to solve my issue by adding the child domain in the global
properties under the forest name inside of LCS.

I had built the system in a child domain, I guess by default only the
root was in the global properties.  Once I added all child domain
names, the clients were able to log on with no problem.

Back to lurking and learning.

Dan

>  Original Message 
> Subject: RE: [ActiveDir] Live Communications Server errors
> From: "Marsden Darren" <[EMAIL PROTECTED]>
> Date: Fri, March 24, 2006 4:35 am
> To: 
> 
> Hello All,
> 
> This is my first contribution to the list having been an avid "reader"
> for some time. 
> 
> Okay to the question in hand:
> 
> What Client are you using??
> 
> Have you stipulated the following in AD??
> 
> Windows Messenger Policy Settings/SIP Communications Service Policies
> Windows Messenger Policy Settings/Windows Messenger Feature Policies
> 
> Are you using TLS or TCP?
> 
> Darren Marsden
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
> Sent: 17 March 2006 16:19
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Live Communications Server errors
> 
> Are you attempting to login with your e-mail address rather than your
> UPN in AD? Is your e-mail domain the same as the AD domain? If not, and
> you want to login to the LCS infrastructure with your smtp address as an
> ID, you will need to add that namespace to the list of namespaces that
> the LCS server is authoritative for.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
> Sent: 16 March 2006 23:59
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Live Communications Server errors
> 
> Since I was in a lab environment and I wanted to first learn the basics,
> I turned the XP firewall off and still get the failures.  Oh well, back
> to the books to see if I missed a small note or something.
> 
> Dan
> 
> >  Original Message 
> > Subject: Re: [ActiveDir] Live Communications Server errors
> > From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> > <[EMAIL PROTECTED]>
> > Date: Thu, March 16, 2006 2:31 pm
> > To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> > <[EMAIL PROTECTED]>
> > Cc: ActiveDir@mail.activedir.org
> > 
> > E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : When 
> > troubleshooting setting up anything new....:
> > http://msmvps.com/blogs/bradley/archive/2004/12/04/22348.aspx
> > 
> > Ah yes, my issue was with the XP firewalls...
> > 
> > Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> > 
> > > I had to set up a DNS record.  Let me see if I remember what I did.
> > >
> > > Daniel Gilbert wrote:
> > >
> > >> I thought so at first but, according to the LCS documentation if I
> > >> manually configure the clients I would not need DNS.
> > >>
> > >> Just to be on the safe side I created a new SRV record:
> > >> _sipinternal
> > >> _tcp
> > >> port 5060
> > >> lcsservername.domainname
> > >>
> > >> Checked the output via a nslookup, set type-srv and the result was as
> > >> expected.
> > >>
> > >> Went back to clients, flushed the DNS cache and still getting the same
> > >> error:
> > >> Cannot sign in to Communications Serivce because the server is
> > >> temporarily unavailable.
> > >> Please try again later.  If the problem persists, contact your system
> > >> administrator"
> > >>
> > >> Dan
> > >>
> > >>  
> > >>
> > >>>  Original Message 
> > >>> Subject: RE: [ActiveDir] Live Communications Server errors
> > >>> From: "Woodruff, Michael" <[EMAIL PROTECTED]>
> > >>> Date: Thu, March 16, 2006 1:02 pm
> > >>> To: 
> > >>>
> > >>> Sounds like maybe a DNS issue...  Does it check out ok?
> > >>> -Original Message-
> > >>> From: [EMAIL PROTECTED]
> > >>> [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
> > >>> Sent: Thursday, March 16, 2006 2:39 PM
> > >>> To: ActiveDir@mail.activedir.org
> > >>> Subject: [ActiveDir] Live Communications Server errors
> > >>>
> > >>> Does anyone if thei

RE: [ActiveDir] Live Communications Server errors

2006-03-16 Thread Daniel Gilbert
SUCCESS

Thank you Susan :)

I followed the link:
http://msmvps.com/blogs/bradley/archive/2004/12/04/22348.aspx and added
the name of the child domain that is hosting the LCS server.  The domain
name was also part of the SIP URI.  Added the child domain name under
the forest properties and made the connections as advertised.

Thanks again.

Dan

>  Original Message 
> Subject: Re: [ActiveDir] Live Communications Server errors
> From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> <[EMAIL PROTECTED]>
> Date: Thu, March 16, 2006 2:31 pm
> To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> <[EMAIL PROTECTED]>
> Cc: ActiveDir@mail.activedir.org
> 
> E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : When 
> troubleshooting setting up anything new:
> http://msmvps.com/blogs/bradley/archive/2004/12/04/22348.aspx
> 
> Ah yes, my issue was with the XP firewalls...
> 
> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> 
> > I had to set up a DNS record.  Let me see if I remember what I did.
> >
> > Daniel Gilbert wrote:
> >
> >> I thought so at first but, according to the LCS documentation if I
> >> manually configure the clients I would not need DNS.
> >>
> >> Just to be on the safe side I created a new SRV record:
> >> _sipinternal
> >> _tcp
> >> port 5060
> >> lcsservername.domainname
> >>
> >> Checked the output via a nslookup, set type-srv and the result was as
> >> expected.
> >>
> >> Went back to clients, flushed the DNS cache and still getting the same
> >> error:
> >> Cannot sign in to Communications Serivce because the server is
> >> temporarily unavailable.
> >> Please try again later.  If the problem persists, contact your system
> >> administrator"
> >>
> >> Dan
> >>
> >>  
> >>
> >>>  Original Message 
> >>> Subject: RE: [ActiveDir] Live Communications Server errors
> >>> From: "Woodruff, Michael" <[EMAIL PROTECTED]>
> >>> Date: Thu, March 16, 2006 1:02 pm
> >>> To: 
> >>>
> >>> Sounds like maybe a DNS issue...  Does it check out ok?
> >>> -Original Message-
> >>> From: [EMAIL PROTECTED]
> >>> [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
> >>> Sent: Thursday, March 16, 2006 2:39 PM
> >>> To: ActiveDir@mail.activedir.org
> >>> Subject: [ActiveDir] Live Communications Server errors
> >>>
> >>> Does anyone know if there is a forum dedicated to Live Communications Server
> >>> (LCS)??
> >>>
> >>> I am trying to establish a working LCS structure in a lab environment
> >>> and it appears I am successful in all parts except for gwtting the
> >>> clients to successfully connect to the LCS server.
> >>>
> >>> I built the lab following:
> >>> "Live Communications Server 2005 w/SP1 Active Directory Preparation"
> >>> "Live Communications Server 2005 w/SP1 Standard Edition Deployment
> >>> Guide"
> >>> "Live Communications Server 2005 with SP1 Standard Edition Lab Quick
> >>> Start"
> >>>
> >>> From the Admin snap-in on the LCS server all looks well.
> >>>
> >>>
> >>> On the clients I get the error:
> >>> "Cannot sign in to Communications Serivce because the server is
> >>> temporarily unavailable.
> >>> Please try again later.  If the problem persists, contact your system
> >>> administrator"
> >>>
> >>> I have stopped and restarted both the LCS service and MSDE service on
> >>> the LCS server with no change in the client error messages.
> >>>
> >>> A GOOGLE search does not turn up a lot of help but, I will continue to
> >>> look.
> >>>
> >>> Any help in locating a forum or the answer would be much appreciated.
> >>>
> >>> Dan
> >>>
> 
> -- 
> Letting your vendors set your risk analysis these days?  
> http://www.threatcode.com


RE: [ActiveDir] Live Communications Server errors

2006-03-16 Thread Daniel Gilbert
Since I was in a lab environment and I wanted to first learn the basics,
I turned the XP firewall off and still get the failures.  Oh well, back
to the books to see if I missed a small note or something.

Dan

>  Original Message 
> Subject: Re: [ActiveDir] Live Communications Server errors
> From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> <[EMAIL PROTECTED]>
> Date: Thu, March 16, 2006 2:31 pm
> To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> <[EMAIL PROTECTED]>
> Cc: ActiveDir@mail.activedir.org
> 
> E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : When 
> troubleshooting setting up anything new:
> http://msmvps.com/blogs/bradley/archive/2004/12/04/22348.aspx
> 
> Ah yes, my issue was with the XP firewalls...
> 
> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> 
> > I had to set up a DNS record.  Let me see if I remember what I did.
> >
> > Daniel Gilbert wrote:
> >
> >> I thought so at first but, according to the LCS documentation if I
> >> manually configure the clients I would not need DNS.
> >>
> >> Just to be on the safe side I created a new SRV record:
> >> _sipinternal
> >> _tcp
> >> port 5060
> >> lcsservername.domainname
> >>
> >> Checked the output via a nslookup, set type-srv and the result was as
> >> expected.
> >>
> >> Went back to clients, flushed the DNS cache and still getting the same
> >> error:
> >> Cannot sign in to Communications Serivce because the server is
> >> temporarily unavailable.
> >> Please try again later.  If the problem persists, contact your system
> >> administrator"
> >>
> >> Dan
> >>
> >>  
> >>
> >>>  Original Message 
> >>> Subject: RE: [ActiveDir] Live Communications Server errors
> >>> From: "Woodruff, Michael" <[EMAIL PROTECTED]>
> >>> Date: Thu, March 16, 2006 1:02 pm
> >>> To: 
> >>>
> >>> Sounds like maybe a DNS issue...  Does it check out ok?
> >>> -Original Message-
> >>> From: [EMAIL PROTECTED]
> >>> [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
> >>> Sent: Thursday, March 16, 2006 2:39 PM
> >>> To: ActiveDir@mail.activedir.org
> >>> Subject: [ActiveDir] Live Communications Server errors
> >>>
> >>> Does anyone know if there is a forum dedicated to Live Communications Server
> >>> (LCS)??
> >>>
> >>> I am trying to establish a working LCS structure in a lab environment
> >>> and it appears I am successful in all parts except for gwtting the
> >>> clients to successfully connect to the LCS server.
> >>>
> >>> I built the lab following:
> >>> "Live Communications Server 2005 w/SP1 Active Directory Preparation"
> >>> "Live Communications Server 2005 w/SP1 Standard Edition Deployment
> >>> Guide"
> >>> "Live Communications Server 2005 with SP1 Standard Edition Lab Quick
> >>> Start"
> >>>
> >>> From the Admin snap-in on the LCS server all looks well.
> >>>
> >>>
> >>> On the clients I get the error:
> >>> "Cannot sign in to Communications Serivce because the server is
> >>> temporarily unavailable.
> >>> Please try again later.  If the problem persists, contact your system
> >>> administrator"
> >>>
> >>> I have stopped and restarted both the LCS service and MSDE service on
> >>> the LCS server with no change in the client error messages.
> >>>
> >>> A GOOGLE search does not turn up a lot of help but, I will continue to
> >>> look.
> >>>
> >>> Any help in locating a forum or the answer would be much appreciated.
> >>>
> >>> Dan
> >>>
> 
> -- 
> Letting your vendors set your risk analysis these days?  
> http://www.threatcode.com


RE: [ActiveDir] Live Communications Server errors

2006-03-16 Thread Daniel Gilbert
I thought so at first but, according to the LCS documentation if I
manually configure the clients I would not need DNS.

Just to be on the safe side I created a new SRV record:
_sipinternal
_tcp
port 5060
lcsservername.domainname

Checked the output via a nslookup, set type-srv and the result was as
expected.

Went back to clients, flushed the DNS cache and still getting the same
error:
Cannot sign in to Communications Serivce because the server is
temporarily unavailable.
Please try again later.  If the problem persists, contact your system
administrator"

Dan

>  Original Message 
> Subject: RE: [ActiveDir] Live Communications Server errors
> From: "Woodruff, Michael" <[EMAIL PROTECTED]>
> Date: Thu, March 16, 2006 1:02 pm
> To: 
> 
> Sounds like maybe a DNS issue...  Does it check out ok? 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
> Sent: Thursday, March 16, 2006 2:39 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Live Communications Server errors
> 
> Does anyone know if there is a forum dedicated to Live Communications Server
> (LCS)??
> 
> I am trying to establish a working LCS structure in a lab environment
> and it appears I am successful in all parts except for gwtting the
> clients to successfully connect to the LCS server.
> 
> I built the lab following:
> "Live Communications Server 2005 w/SP1 Active Directory Preparation"
> "Live Communications Server 2005 w/SP1 Standard Edition Deployment
> Guide"
> "Live Communications Server 2005 with SP1 Standard Edition Lab Quick
> Start"
> 
> From the Admin snap-in on the LCS server all looks well.
> 
> On the clients I get the error:
> "Cannot sign in to Communications Serivce because the server is
> temporarily unavailable.
> Please try again later.  If the problem persists, contact your system
> administrator"
> 
> I have stopped and restarted both the LCS service and MSDE service on
> the LCS server with no change in the client error messages.
> 
> A GOOGLE search does not turn up a lot of help but, I will continue to
> look.
> 
> Any help in locating a forum or the answer would be much appreciated.
> 
> Dan


RE: [ActiveDir] Live Communications Server errors

2006-03-16 Thread Daniel Gilbert
Sorry my spelling was a little off, "gwtting" should be "getting"

Dan

>  Original Message 
> Subject: [ActiveDir] Live Communications Server errors
> From: Daniel Gilbert <[EMAIL PROTECTED]>
> Date: Thu, March 16, 2006 12:38 pm
> To: ActiveDir@mail.activedir.org
> 
> Does anyone know if there is a forum dedicated to Live Communications Server
> (LCS)??
> 
> I am trying to establish a working LCS structure in a lab environment
> and it appears I am successful in all parts except for gwtting the
> clients to successfully connect to the LCS server.
> 
> I built the lab following:
> "Live Communications Server 2005 w/SP1 Active Directory Preparation"
> "Live Communications Server 2005 w/SP1 Standard Edition Deployment
> Guide"
> "Live Communications Server 2005 with SP1 Standard Edition Lab Quick
> Start"
> 
> From the Admin snap-in on the LCS server all looks well.
> 
> On the clients I get the error:
> "Cannot sign in to Communications Serivce because the server is
> temporarily unavailable.
> Please try again later.  If the problem persists, contact your system
> administrator"
> 
> I have stopped and restarted both the LCS service and MSDE service on
> the LCS server with no change in the client error messages.
> 
> A GOOGLE search does not turn up a lot of help but, I will continue to
> look.
> 
> Any help in locating a forum or the answer would be much appreciated.
> 
> Dan


[ActiveDir] Live Communications Server errors

2006-03-16 Thread Daniel Gilbert
Does anyone know if there is a forum dedicated to Live Communications Server
(LCS)??

I am trying to establish a working LCS structure in a lab environment
and it appears I am successful in all parts except for gwtting the
clients to successfully connect to the LCS server.

I built the lab following:
"Live Communications Server 2005 w/SP1 Active Directory Preparation"
"Live Communications Server 2005 w/SP1 Standard Edition Deployment
Guide"
"Live Communications Server 2005 with SP1 Standard Edition Lab Quick
Start"

From the Admin snap-in on the LCS server all looks well.

On the clients I get the error:
"Cannot sign in to Communications Serivce because the server is
temporarily unavailable.
Please try again later.  If the problem persists, contact your system
administrator"

I have stopped and restarted both the LCS service and MSDE service on
the LCS server with no change in the client error messages.

A GOOGLE search does not turn up a lot of help but, I will continue to
look.

Any help in locating a forum or the answer would be much appreciated.

Dan


RE: [ActiveDir] Windows Installer failure

2006-01-20 Thread Daniel Gilbert
Found it: 
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

Thanks to everyone.

Dan

>  Original Message 
> Subject: [ActiveDir] Windows Installer failure
> From: Daniel Gilbert <[EMAIL PROTECTED]>
> Date: Fri, January 20, 2006 8:31 am
> To: ActiveDir@mail.activedir.org
> 
> To All:
> 
> I have run into an issue here that has me stumped.  I am attempting to
> remove an application from a Windows Server 2003 Standard Edition with
> SP1 installed.
> 
> During the removal process I get the following error: Error 1720: There
> is a problem with this Windows Installed package.  A script required
> for this install to could not be run.  Contact your support personnel
> or package vendor."
> 
> I seem to remember there was a program you could run that would show all
> msi packages installed and would let you manually remove one.
> 
> Has anyone ever heard of this program?
> 
> I tried the program msizap T[WA!] {A91DF459-5729-426E-ACCB-8C61C1481B53}
> to no avail.
> 
> TIA
> 
> Dan


[ActiveDir] Windows Installer failure

2006-01-20 Thread Daniel Gilbert
To All:

I have run into an issue here that has me stumped.  I am attempting to
remove an application from a Windows Server 2003 Standard Edition with
SP1 installed.

During the removal process I get the following error: Error 1720: There
is a problem with this Windows Installed package.  A script required
for this install to could not be run.  Contact your support personnel
or package vendor."

I seem to remember there was a program you could run that would show all
msi packages installed and would let you manually remove one.

Has anyone ever heard of this program?

I tried the program msizap T[WA!] {A91DF459-5729-426E-ACCB-8C61C1481B53}
to no avail.

TIA

Dan


RE: [ActiveDir] Change Auditor tools

2005-11-08 Thread Daniel Gilbert
Check out a product called Change Auditor for Active Directory (CAAD)
from NetPro (www.netpro.com).

*Not plugging the product just answering the e-mail*

Dan

>  Original Message 
> Subject: [ActiveDir] Change Auditor tools
> From: "Rascher, Raymond" <[EMAIL PROTECTED]>
> Date: Tue, November 08, 2005 6:52 am
> To: "'ActiveDir@mail.activedir.org'" 
> 
> Hello, I am looking for a software product which can monitor, log and alert
> when changes are made to Active Directory. If the product could also archive
> security logs that would be a nice addition as well. If you can suggest some
> products along with your experiences that would be great.
> 
> Thanks,
> Ray


RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Daniel Gilbert
Have you cleared (archived) the logs since the new settings???

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005 6:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Log file size not reaching the maximum log file size

We recently increased our auditing and set the security log file size to 1G,
but the security log over-writes at about 409MBs; thus never reaching the 1G
security log file size.
Windows 2003 Domain Controllers

Anyone with any ideas ?


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Daniel Gilbert
Yann,

There are some utilities you can purchase that will alert you when an
object is deleted, added, modified...

Dan

>  Original Message 
> Subject: [ActiveDir] Knowing when users were deleted.
> From: Yann <[EMAIL PROTECTED]>
> Date: Thu, October 13, 2005 11:56 pm
> To: ActiveDir@mail.activedir.org
> 
> 
> Hi there, 
>   
> I wonder if there is a way to know when a user has been deleted from AD other 
> than using security audit, because at the time of the deletion, I forgot to 
> activate the audit :( 
>   
> So my boss urges me to find the guilty user AND the time of deletion. 
> I looked for attributes in adsi and found that there is the whencreated, 
> whenmodified attribute but not whendeletedtimestamp one. 
>   
> Any idea ?
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] salary(OT)

2005-10-13 Thread Daniel Gilbert
Not to hijack this thread but, I hope lurking remains free.

Dan

>  Original Message 
> Subject: RE: [ActiveDir] salary(OT)
> From: "joe" <[EMAIL PROTECTED]>
> Date: Thu, October 13, 2005 2:50 pm
> To: 
> 
>  
> I have found that shooting for your contract salary is as good a target as 
> any, but expect to miss unless you didn't get a very good contract rate. I 
> have only seen one case where a company was willing to pay contract level 
> fees to a FTE and that was back when I first got back into the industry (I 
> burned out on it back when I was about 21 or so and left it) and had been 
> completely screwed over by the contract house for my rate where they were 
> making at least as much as I was. When I said I was leaving the FTE offer I 
> received would have been a 60% raise from my previous salary. Unfortunately, 
> the new contract position I was taking was a 100%+ increase and with OT 
> (which you don't get as a FTE) ended up being a 200% increase.  
>   
> Anyway, you tend to take a considerable hit (I have seen reductions of 
> 20%-75% for FTE offers and all but one of which I turned down cold) but you 
> try to make it up in benefits such as vaca, retirement, insurance, etc. As a 
> contractor you tend to have a different mindset than as an FTE as well. As a 
> contractor it is jump for the money and your mind should always be ready to 
> make that jump. As FTE it seems people get in a rut and don't want to move 
> once they start to get a feeling of ownership. Personally I wouldn't be an 
> FTE but for a very small handful of companies where I really like and respect 
> the management. My manager I have now is probably one of the best managers in 
> the universe, he is certainly the best I have had to this point in my 
> "career" and I have had several good managers. He is the kind of guy that you 
> love or hate, if you aren't above the curve, you hate him. But then I have 
> often been described as the person you love or hate myself. I had one manager 
> once say of me, "joe is the Bill Laimbeer of IT, if he is on your team you 
> feel great and you love him. If he isn't, you want to kill him.". 
> Another said "joe is worth his weight in gold and he ain't a small guy...". 
> After I heard that one I went and asked for a raise. Somehow I failed.  
>   
> Every time I have negotiated with someone on any job I always just ask up 
> front, so what salary or rate are you thinking. If the range is some 
> ridiculous range like $50k-$300k which headhunters like to do because they 
> think they are bright or something I tell the person they need to give a more 
> realistic range of somewhere within $10k and it better not be pumped up with 
> possible bonuses (Bonuses are not salary). If they can't or won't, spend your 
> time elsewhere. 
>   
>  
> Keep in mind, whatever rate you ask for, make sure it covers sending gifts of 
> beer and chocolate and possibly money to the members of this list for keeping 
> your head above water. I don't think any single person has generated such a 
> volume in the number of questions asked since I have been watching this list. 
> It actually made me wonder at one point if Tony could somehow arrange it so 
> that people pay for every question asked and they get credit for every answer 
> given that people vote on and say is a good answer. If no one can answer the 
> question (note that isn't the same as the answer doesn't work for someone for 
> whatever localized reason) then full refund. 
>   
>joe  
>   
>  
>  
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Wednesday, October 12, 2005 9:37 PM
> To: activedirectory
> Subject: [ActiveDir] salary(OT)
> 
>  
>  
> well, i've been consulting for 2 months full time for a company and now they 
> want to make me an offer to work for them(yeah,i'm amazed too..) 
> At first it was a head/senior AD position  but now they want to throw in 
> Exchange in the mix. 
> they used to outsource all their windows infrastructure and during my tenure 
> there, they took it back so they have no AD/Exchange people. 
>   
> This is a 3000 user financial corp in Manhattan. 
>   
> my question is, what kind of salary would one expect for such a position, 
> taking into account the business and location and size. 
>   
>   
> thanks 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] DNS scavenging

2005-03-22 Thread Daniel Gilbert
To All:

 

Is there a way to script the setting of the "Delete this record when it
becomes stale" checkbox?

 

I am attempting to set up a test forest with multiple domains to do some
testing/learning about DNS scavenging.  I have found a script that creates
resource records (thank you Robbie Allen).  Now I need to know if I can set
the "Delete this record when it becomes stale" checkbox via a script.

I am hoping to create a couple of hundred DNS records, set the checkbox, set
scavenging up and learn its behavior.  Sort of firm up my knowledge of how
DNS scavenging works.

 

Dan 


RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Daniel Gilbert
s they could get on the physical box which they couldn't do.
> 
> It was extremely interesting though to see the various viewpoints. There was
> a rather stark line between many of the people where it was get the services
> running versus lock the environment down. I have no problem telling a user
> to go screw off if there is a security issue. Between fixing security and
> making users run I will almost always go to the side of security because if
> you don't have security, you can't guarantee the quality of the information
> in your system which is a poor place to be for an authentication system.
> Plus if it is insecure, you can't even guarantee the services very well. ;oP
> 
> I wouldn't say anyone actually won the competition.
> 
> That last part about the schema being messed up was Dean having fun. He
> pulled one of his tricks but didn't really let anyone see how he did it. It
> was just to show that yes, there are ways you can really hurt yourself bad
> or be hurt bad. Nothing in that test was anywhere near that level of danger.
> 
> 
>joe
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
> Pinto
> Sent: Monday, March 21, 2005 7:45 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Have fun at DEC
> 
> Fun at DEC?
> 
> Yeahh it was fun. It was also great to meet Gil, Guido, Dean, Joe, Rick and
> Deji in person.
> No chicken as I hoped for, but a t-shirt (that not even said "I went to DEC
> to get a rubber chicken but all I got was this lousy
> t-shirt") and we also got a  bag. Gil was walking around with his bag that
> had a rope attached to it and the rubber chicken was hanging at the end of
> the rope.
> We all heard the rubber chicken "cry" (hee.. I would cry if I had a rope
> around my neck! ;-)) ) on monday during the "AD all night" session. By the
> way.. that session was also fun. It all started with 4 environments and each
> environment contained 1 forest and 1 domain with 2 DCs some wireless network
> stuff, an ADMINS team and a USERS team. In each environment security
> (whatever you could think of!!!) was really screwed! The admins (a complete
> team of people incl. Dean, Joe, Rick and Deji) had about 15 min. to correct
> all security screw-ups they could. After that the users came in and started
> working on the network using laptops with all kinds of hacking tools. We
> were supposed to wait 15 min. but we (I) didn't (hey a hacker doesn't wait
> until your network is safe and all security vulnerabilities are solved by
> you! So we didn't either). While the admins were searching and solving all
> vulnerabilities I already created two user accounts anonymously and added
> those to the administrators and domain admins groups. After we created the
> accounts we thought we should wait a bit so the admins had the chance to do
> some work. We also hoped they didn't find the accounts. Crap that didn't
> work as we afterwards wanted to delete all kinds of things in AD to screw it
> up as bad as possible. The caveat was that if some admin found us screwing
> around and he could prove we did the damage the user got fired. If a user
> screwed up something and an admin did not prevent it the admin got fired.
> I still don't know who did it, but after a while both DCs started rebooting and
> rebooting. The admins shut down the wireless network appliances so they
> couldn't be attacked. We as users started complaining about that we could do
> our work and that the SLA sucked. ;-)) The DCs were not physically
> secured (hey that's also important!) and one of the users pulled the power
> plug of the DCs and those went down... The user was caught in the act and
> got fired. The admin that was responsible got demoted from admin to
> user! Hahaha. That wasn't also bad because that admin also knew all the
> passwords. As soon as we knew the password of the administrator account we
> tried again to screw it up. After a while everything was closed down to
> maximum security (at least I think it was as we were not able to do
> anything). Better yet the admins could do much either because the DC was so
> screwed it didn't even know it had a schema (or something like that). ;-))
> 
> Again: great session!
> 
> Hope to attend again next year
> 
> Cheers
> Jorge
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, March 18, 2005 09:15
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Have fun at DEC
> 
> At least I heard the chicken this year, I never had heard i

RE: [ActiveDir] A forestprep question

2005-03-15 Thread Daniel Gilbert
I believe the command is adprep /forestprep and then adprep /domainprep
to add a Windows 2003 domain controller into a Windows 2000 domain.

Dan

>  Original Message 
> Subject: [ActiveDir] A forestprep question
> From: "Shadow Roldan" <[EMAIL PROTECTED]>
> Date: Tue, March 15, 2005 11:18 am
> To: 
> 
> Hello
> 
> I'm adding a windows 2003 server (shipped this way) to my 2000 domain as
> a new domain controller. This will be the first of a staged migration to
> a full windows 2003 domain.
> 
> Additionally, I have an Exchange 2003 server running on an windows 2000
> server. I have already run forestprep when I installed E2k3.
> 
> Do I need to run it again before adding a Win 2k3 domain controller or
> is the domain already set?
> 
> Thanks
> 
> _
>  
> Shadow Roldan
> IT Manager
> Zero G Software, Inc.
> mailto:[EMAIL PROTECTED]
> www.ZeroG.com
>  
> The leading provider of multiplatform software deployment solutions.
> _ 
>  

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Have fun at DEC

2005-03-12 Thread Daniel Gilbert
I believe I am the proud owner of the last DEC chicken.  Gil gave it to
me at DEC in Ontario.

Sure wish I could have made it to DEC this year.

Dan

>  Original Message 
> Subject: RE: [ActiveDir] Have fun at DEC
> From: "joe" <[EMAIL PROTECTED]>
> Date: Fri, March 11, 2005 5:16 pm
> To: ActiveDir@mail.activedir.org
> 
> Unfortunately Gil doesn't do that anymore. He did the last chicken I think 2
> years back I think. I know for sure he didn't do one last year. 
> 
> He needs T-Shirts that say... 
> 
> I went to DEC to get a rubber chicken but all I got was this lousy t-shirt.
> 
> 
>   joe
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
> Sent: Friday, March 11, 2005 6:51 PM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] Have fun at DEC
> 
> For all you folks who are going to DEC, have a great time and good luck
> getting the rubber chicken.
> 
> Phil (re-subscribed with new address)
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] User moves in a large environment

2005-03-04 Thread Daniel Gilbert
15000 users moving at any one time was a conservative estimate.

Most users are Military and Government

>  Original Message 
> Subject: RE: [ActiveDir] User moves in a large environment
> From: "Mulnick, Al" <[EMAIL PROTECTED]>
> Date: Fri, March 04, 2005 1:10 pm
> To: ActiveDir@mail.activedir.org
> 
> 15000 users on the move at any given time?  
> 
> Anyway, for the move between OU's, have you considered a self-serv app or
> something that's (semi)automated inside of the move process?  I haven't been
> in that large environment in a while, but seems that might make sense for
> between OU movement at the least.  That would take the process rights from
> the OU owners up to another level for workflow etc.  I would guess that
> something that had an approval process would work (i.e. Request to move
> user1 from OU1 to OU2 -> ask OU2 owners for approval first) and so on.
> Might be controlled by your move coordinators or however that fits in your
> process.  
> 
> Domain moves: I could see using an automated or semi-automated process vs.
> the current hand-off process if your structure is stable enough to do so.
> It might be that it removes the account object and moves it to the staging
> OU in the target domain and sends a task, email or whatever if that's what
> you need.  Workflow checks and balances for this as well.
> 
> You will want to capture mail data and attributes I would guess but that
> depends on the move criteria and depth I would imagine. 
> 
> Automating it would make much more sense and you could orchestrate a series
> of events that are automated and checked to gather the appropriate
> information (files, attributes you intend to keep, etc) and move it where it
> belongs.  
> 
> Some of this would depend on the current provisioning processes you keep as
> to how you integrate it.  
> 
> These are the fun types of problems to solve :)
> 
> 
> My $0.04 anyway,
> 
> Al 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
> Sent: Friday, March 04, 2005 2:47 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] User moves in a large environment
> 
> To All:
> 
> (Sorry for the long post)
> 
> I was wondering what everyone uses to facilitate user moves in a large
> environment?
> 
> Scenario: Root domain with six (6) child domains.  Each child domain has
> between thirty (30) to sixty (60) OUs.  These OUs are geographic locations
> spread around a region.  Each OU is managed by an IT Team that only has
> rights to their OU, IT Teams do not cross manage to other OUs.
> 
> I need to develop or discover a way to facilitate user moves from one
> (1) OU to another in the same domain and to another domain.  Our environment
> should have about 300,000 users and about five (5) percent is on the move
> from one (1) OU to another or from one (1) domain to another.
> 
> In the old days, pre-2000, the process was to delete the user when they
> departed and recreate the user when they arrived. 
> 
> We do not yet have Exchange 2003 deployed but I can see it happening very
> very soon.
> 
> Using a whiteboard (allows lots of erasing) I devised an OU structure that
> allowed the departing IT Team to place the user into an OutProcessing OU
> once the departing user fully outprocessed their current home.  (I figure
> the departing user is removed from every domain security group except the
> Domain Users group).
> 
> ATAMO
> 
> The user is moved from the OutProcessing OU in one domain to the
> InProcessing OU of another domain.  The user arrives at their new location,
> the local IT Team retrieves the user from the Inprocessing OU and places
> them in their new Home OU.
> 
> Now, my PHBs have freaked out because we are not staffed for this kind of
> mission but, the customers are screaming at us to provide this service.  I
> know I can permission the OUs to allow SOMEONE the rights to move users from
> one OU to another, even if the OU resides in a different domain.  But the
> PHBs are screaming they do not want to take on this kind of mission, their
> thought is to continue to do things like we "did in the past".
> 
> I guess my main question is this: is anyone else required to move users
> around in a large environment and if so, how are they doing it? 
> 
> TIA
> 
> Daniel
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] User moves in a large environment

2005-03-04 Thread Daniel Gilbert
To All:

(Sorry for the long post)

I was wondering what everyone uses to facilitate user moves in a large
environment?

Scenario: Root domain with six (6) child domains.  Each child domain has
between thirty (30) to sixty (60) OUs.  These OUs are geographic
locations spread around a region.  Each OU is managed by an IT Team
that only has rights to their OU, IT Teams do not cross manage to other
OUs.

I need to develop or discover a way to facilitate user moves from one
(1) OU to another in the same domain and to another domain.  Our
environment should have about 300,000 users and about five (5) percent
is on the move from one (1) OU to another or from one (1) domain to
another.

In the old days, pre-2000, the process was to delete the user when they
departed and recreate the user when they arrived. 

We do not yet have Exchange 2003 deployed but I can see it happening
very very soon.

Using a whiteboard (allows lots of erasing) I devised an OU structure
that allowed the departing IT Team to place the user into an
OutProcessing OU once the departing user fully outprocessed their
current home.  (I figure the departing user is removed from every
domain security group except the Domain Users group).

ATAMO

The user is moved from the OutProcessing OU in one domain to the
InProcessing OU of another domain.  The user arrives at their new
location, the local IT Team retrieves the user from the Inprocessing OU
and places them in their new Home OU.

Now, my PHBs have freaked out because we are not staffed for this kind
of mission but, the customers are screaming at us to provide this
service.  I know I can permission the OUs to allow SOMEONE the rights
to move users from one OU to another, even if the OU resides in a
different domain.  But the PHBs are screaming they do not want to take
on this kind of mission, their thought is to continue to do things like
we “did in the past”.

I guess my main question is this: is anyone else required to move users
around in a large environment and if so, how are they doing it? 

TIA

Daniel

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] IT PrOlympics Challenge on WindowsITPro

2004-11-30 Thread Daniel Gilbert
Might need to be the Americans against the Canadians since the next DEC is
scheduled for Vancouver B.C.

Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Tuesday, November 30, 2004 4:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IT PrOlympics Challenge on WindowsITPro

Well maybe at the Next DEC Gil will have another AD Set of AD challenges for
the Americans versus the Europeans.  

What do you think Gil?

Toddler

-Original Message-
From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 30, 2004 5:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IT PrOlympics Challenge on WindowsITPro

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Geary, Simon (Computer People)
> Sent: Tuesday, November 30, 2004 9:29 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] IT PrOlympics Challenge on WindowsITPro
> 
> I had the same experience as you Ulf. I'm from Scotland and 
> when I registered I was told I could only download the ebook 
> but not register for the actual contest. This is a shame as 
> everyone knows that the best Active Directory Pros are from Europe. :)
> 

:-D

Gruesse - Sincerely,
 
Ulf B. Simon-Weidner
 
  MVP-Book "Windows XP - Die Expertentipps":  http://tinyurl.com/44zcz 
  Weblog: http://msmvps.org/UlfBSimonWeidner
  WebSite: http://www.windowsserverfaq.org  
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Excahnge suggestion

2004-11-12 Thread Daniel Gilbert
Can this list suggest a good Exchange 2000/2003 list?

I am now being tasked with providing Exchange 2003 support and hope to
find an Exchange list that can provide the same high quality support,
suggestions, and advice as this list.

Daniel

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DNS Issue

2004-09-22 Thread Daniel Gilbert
I assume you created the proper named forward zone, this happened to me
once.  Make sure the zone allows dynamic updates.

Once the new server is pointing to itself for DNS run net stop netlogon and
net start netlogon from the command prompt.  This should re-register the
proper SRV records.

You might want to run ipconfig /flushdns and ipconfig /registerdns to clear
out any stale DNS data.

Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, September 22, 2004 6:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Issue

Ok here it goes,

Windows 2003 Servers

Today the Raid controller lost the HD config on my main AD server. After an hour
or so of trying to get it back online I decided to opt for the promotion of
AD to my secondary Domain controller and just rebuild the 1st one. Well the
big problem I faced was that I never installed DNS on the second domain
controller. I decided to go ahead with the FSMO promotion and everything
was seized just fine. But now I sit with no DNS (I installed DNS before the
seizure of roles) but it is not creating any Zones. I have tried to create a
new Zone but it keeps looking for the downed server?

Any help in this would be greatly appreciated

Thanks,
Aaron Visser

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Password policy scenerio

2004-08-31 Thread Daniel Gilbert
Steve,

Creating a password policy and linking it to an OU will affect local
accounts only.  So, if I understood your post correctly, a domain user can
have a zero length password, but if they wanted to create or reset a local
account say, on a workstation, they will need to meet the six character
password requirement.

Remember, different password policies for different users is one of the few
reasons to have a separate domain.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Tuesday, August 31, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password policy scenerio

I have a question on password policy and get people's input.  From what I
read, most people or things I've read implement their password policy using
the Default Domain Policy or a custom policy with this linked to the Top of
the domain.  There is some existing password settings in the Default Domain
Policy but these aren't the settings I want to apply to my Persons OU.  I
want to create a custom policy with the correct password settings then link
to the Persons OU.  I've gone ahead and done this and experiencing
unexpected results.

By default the Default Domain Policy is inherited on the Persons OU.  Then I
have the custom Password Policy linked to this OU.  I hate to have to
implement the password at the top of the domain cause this could cause
issues in the domain for other user accounts outside the Persons OU.  I've
created, linked a custom Password Policy to the Persons OU.  When I do a
gpresult, the custom Password policy processes after the Default Domain
Policy.  When I do gpresult, says all policies applied but the Default
Domain Policy was currently setup to allow zero length passwords.  I want to
implement a 6 length minimum but it still allows people to have
zero-lengthed policy when changing their password on a workstation in this
domain.  I don't want to put the authenticated users (in the filtered list
of the GPO) in the custom password policy that is linked to the Persons OU
until I get expected results with a few machines and test users.  Would I
have to, in the filtered list of the custom password policy, the userID and
machine they are logging into to ensure the custom password policy is
applied. Currently people can reset their password to zero length.  I'm
missing the obvious but would appreciate input.  Sorry for the long post but
wanted to share what I've done so far.

Steve
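
The split described in the reply above (a password policy linked to an OU reaches only the local accounts of machines in that OU, while domain accounts follow the policy set at the domain level) can be checked on a member machine. The PowerShell below is an added example and not part of the original thread; it assumes the RSAT ActiveDirectory module, an elevated prompt on a domain-joined workstation or member server, and a hypothetical helper name, Get-LocalMinPasswordLength.

```powershell
# Added example (not from the thread): show which minimum password length
# applies to DOMAIN accounts and which applies to LOCAL (SAM) accounts here.
# Assumptions: RSAT ActiveDirectory module, elevated prompt, domain-joined
# member machine (on a domain controller both values come from domain policy).

Import-Module ActiveDirectory

function Get-LocalMinPasswordLength {
    # Hypothetical helper: export the effective local security policy with
    # secedit and read MinimumPasswordLength from the [System Access] section.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
        $hit = Select-String -Path $cfg `
                   -Pattern '^\s*MinimumPasswordLength\s*=\s*(\d+)' |
               Select-Object -First 1
        if (-not $hit) { throw "MinimumPasswordLength not found in $cfg" }
        return [int]$hit.Matches[0].Groups[1].Value
    }
    finally {
        # The export holds the machine's security settings; do not leave it behind.
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Policy enforced by domain controllers for domain accounts.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

# Policy enforced by this machine for its own local accounts; this is the
# value an OU-linked GPO can change.
$localMin = Get-LocalMinPasswordLength

$report = [pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    DomainMinPasswordLen   = $domainPolicy.MinPasswordLength
    DomainComplexity       = $domainPolicy.ComplexityEnabled
    LocalMinPasswordLen    = $localMin
    OuPolicyOnlyLocal      = ($localMin -ne $domainPolicy.MinPasswordLength)
}
$report | Format-List

if ($domainPolicy.MinPasswordLength -eq 0) {
    Write-Warning ("Domain accounts may set an empty password; an OU-linked " +
                   "GPO will not change that. Fix it in a GPO linked at the domain.")
}

# List the GPOs applied to this computer to see where the local value came from.
gpresult /r /scope computer
```

A machine in the Persons OU that reports LocalMinPasswordLen 6 and DomainMinPasswordLen 0 matches the behaviour described in the thread: the custom policy applied, but only to that machine's local accounts.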


RE: [ActiveDir] GC removal

2004-07-16 Thread Daniel Gilbert
Thanks.  If I understand your reply correctly, since my GC is a W2K3 server
the removal/deletion should move along unless preempted.

If it is still in the removal process Monday morning, I will contact my PSS
rep and see if I can't get the KB from them.

Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, July 16, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

In 2k03 we introduced rapid gc demotion.
Out of the box on 2k, we'll clean out 500 objects per KCC run. Since KCC
runs every 15 mins, that translates to 2000 objects per hour that are
cleaned out.

This was changed in 2k03 to be as fast as we can so long as we aren't
preempted, and this behavior was backported to 2k as of SP4. So if you
have SP4 on the GC, you will get the rapid demotion behavior.

There should be a KB on this... ah here it is.
http://support.microsoft.com/default.aspx?scid=KB;EN-US;325378

Oh look at that typo... it says "slow to remove connection objects" when
it should be "slow to remove objects". I'll submit a change request to
get that fixed.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 16, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

:o)

Nod, the serious part was about Dean's previous post.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gilbert, Daniel L Mr ANOSC/FCBS
Sent: Friday, July 16, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

C'mon Joe, I knew I could do that, I was trying to find a way to speed up
nature/evolution.

Dan

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 16, 2004 2:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

The fastest method I have found is to demote the server. :o)

I seem to recall Dean posting something once upon a time to force objects to
get yanked out. Can't find it at the moment, check the archives.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Friday, July 16, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GC removal

Is there a way to speed up the process for Global Catalog removal?

I know the proper Microsoft steps, but I was hoping there was a script out
there to speed up the process.

Dan

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] GC removal

2004-07-16 Thread Daniel Gilbert
Is there a way to speed up the process for Global Catalog removal?

I know the proper Microsoft steps, but I was hoping there was a script
out there to speed up the process.

Dan

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] What's a directory partition head?

2004-06-30 Thread Daniel Gilbert
He's new give him time :)
>  Original Message 
> Subject: RE: [ActiveDir] What's a directory partition head?
> From: "Kevin Sullivan" <[EMAIL PROTECTED]>
> Date: Wed, June 30, 2004 12:41 pm
> To: [EMAIL PROTECTED]
> 
> Hehe
> 
> Sorry but that is funny...
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tieman, Harold
> A Mr ANOSC/FCBS
> Sent: Wednesday, June 30, 2004 1:15 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] What's a directory partition head?
> 
> Someone that knows the answer to that question :o)
> 
> 
> -Original Message-
> From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, June 29, 2004 2:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] What's a directory partition head?
> 
> Partition heads (usually "NC heads") are the AD objects that represent the
> root of a domain. So for a domain named foo.bar.baz, the DN of the partition
> head object is DC=foo,DC=bar,DC=baz. The replication process, amongst
> others, check the ACLs on the partition head before replicating, so the ACLs
> on the partition heads are quite important.
> 
> In fact at the Directory Experts Conference in DC, one of the scenarios
> in
> the hands-on troubleshooting contest was a messed up ACL on a partition
> head. Only one group figured it out, IIRC.
> 
> -gil
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
> Sent: Tuesday, June 29, 2004 10:50 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] What's a directory partition head?
> 
> 
> 
> 
> 
> All,
> 
> Stupid question:  What is the meaning of the phrase "directory partition
> heads" as used below?
> 
> Thanks,
> Mike
> 
> 
> Use the Dcdiag tool to test that the security descriptors on the directory
> partition heads, such as the Schema, Domain, or Configuration directory
> partitions, for the proper permissions.
> 
> 
> 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
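
The partition-head ACL check discussed in the quoted replies above, as an added example that is not part of the original thread: a PowerShell audit listing, for every partition (NC) head the connected DC hosts, which trustees are allowed the directory-replication extended rights on the head itself. It assumes the ActiveDirectory RSAT module (which provides the `AD:` drive) and read access to the security descriptors; `Get-NcHeadReplicationAce` is a hypothetical helper name.

```powershell
# Added example (not from the thread): list who holds directory-replication
# rights on each partition (NC) head that the connected DC hosts.
# Assumes the ActiveDirectory RSAT module, which provides the AD: drive.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs for the replication extended rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-NcHeadReplicationAce {   # hypothetical helper name
    $extended    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # namingContexts on the RootDSE holds the DN of every partition head on
    # this DC: its domain, Configuration, Schema and any application partitions.
    foreach ($nc in (Get-ADRootDSE).namingContexts) {
        try {
            $acl = Get-Acl -Path "AD:\$nc" -ErrorAction Stop
        } catch {
            Write-Warning "Could not read the security descriptor of ${nc}: $_"
            continue
        }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to child objects, not to the head itself.
            if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            # Keep only ACEs that carry extended rights (full control does too).
            if (([int]$ace.ActiveDirectoryRights -band $extended) -eq 0) { continue }

            $guid = $ace.ObjectType.ToString()
            if ($ace.ObjectType -eq [guid]::Empty) {
                # No object type: the ACE grants every extended right.
                $right = 'All extended rights'
            } elseif ($ReplicationRights.ContainsKey($guid)) {
                $right = $ReplicationRights[$guid]
            } else {
                continue   # some other extended right, not replication
            }

            [pscustomobject]@{
                PartitionHead = $nc
                Trustee       = $ace.IdentityReference.Value
                Right         = $right
                Inherited     = $ace.IsInherited
            }
        }
    }
}

Get-NcHeadReplicationAce |
    Sort-Object PartitionHead, Trustee |
    Format-Table -AutoSize
```

Compare the output against the trustees you expect (domain controllers and the built-in administrative groups); an unexpected trustee, or an expected one missing, is the kind of partition-head ACL problem described above.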


RE: [ActiveDir] Uninstallation

2004-06-14 Thread Daniel Gilbert
Try dcpromo /forceremoval.  This will remove AD from the server and turn it
back into a standalone.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Malachi Burke
Sent: Monday, June 14, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Uninstallation

Our new PDC from Dell turns out to be physically damaged inside, so we’re
sending it back.  I want to remove AD from the system (for security reasons)
but DCPROMO isn’t working because this DC is now off the LAN.  It’s off the
LAN because I successfully cloned (via NTbackup) its behavior to the
replacement PDC which now has its same name and IP address.  Is there a quick
and easy way to wipe out AD without actually reformatting the system?  Thanks!

Mal


RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)

2004-05-16 Thread Daniel Gilbert
I think the next DEC should include a roundtable on the Pros and Cons of
Cats and Dogs in AD. :-O


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 16, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)

:o)

Happy Sunday!
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Sunday, May 16, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] [OT] Cats & dogs (was A root dc question)

I'm crying in my breakfast cereal with laughter here.

$ - )

On May 16, 2004, at 10:05 AM, joe wrote:

> Oh this is probably going too far but.
>
> No, that three-day old stanky can I would call Exchange. It seems to 
> be necessary even though there are other things you can use but seems 
> to be the most efficient and handy of the bunch, it just smells really 
> bad when you have to use it and you always seem to cut yourself when 
> opening it up to use. :o)  Personally I use dry catfood, self 
> contained, doesn't make a huge mess, good for the cat's teeth and 
> doesn't stink up the house. It may not be the cat's favorite but it 
> gets the cat what it needs. Sort of like POP3/SMTP Standards based 
> email.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





RE: [ActiveDir] A root dc question

2004-05-15 Thread Daniel Gilbert
Cats treat humans like slaves, now a Dog, it knows how to greet you at the
door after a rough day in the forest.  Ever come home after a rough day and
have the Cat greet you with anything other than disdain?

Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, May 15, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Cats rock. They play with you, you just don't usually realize that they are
playing because they don't come up and drool on you. A dog is like beer,
harsh and in your face. A cat is like wine, very smooth and gentle and
refined. I can leave the house for days and know the cat will be fine and
won't have destroyed anything other than walking back and forth across my
Zen garden on my computer desk. 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 13, 2004 5:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Never liked cats much - what fun are they? At least a dog will play with
you. I nearly whacked one with a paint roller whilst painting the front
porch a couple of years ago. The school drama department took it upon
themselves to paint a very nice recital hall (not auditorium/theater) which
had white walls and a gloss varnish floor black. Since they destroyed the
space, I'm trying to start a movement whereby anyone who does a show in the
space is required to paint something on the walls.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
 
v: 773.534.0034 x135
f: 773.534.0035
 
 
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

I think he was apologizing for working on Novell... :oP 

Personally I am sitting here posting because I am waiting for a second coat
of paint to dry. Before I take off some masking tape and put my furniture
back in place. And I must tell you, it is a joy to paint with white paint
when you have a curious black cat. I have little white cat footprints across
my kitchen floor now and a cat that is no longer all black. Ever see a black
cat with a white nose and white pads, pretty funny. She sneezed paint all
over my leg too.

As for the learning part, yes learn away. That is why some of us give very
long winded drawn out responses in the first place. A lot of these questions
could be answered with Yes,no,maybe, don't be stupid, or go hire someone who
knows but the goal is to increase the knowledge base around Windows AD so
that it gets run properly and less is ascertained to be Magic. A lot of
people think I give long responses because I like to talk (or write).
Actually it is because I like to hear others learn. The more everyone learns
about this stuff, the better for all of us as we will all be watching out
for the same things and beating vendors into doing things right. I actually
had a recent near experience with a vendor that had previously encountered
some knowledgeable AD guys at Cisco. When our people encountered them, it
was like, wow, your stuff actually looks good! Saved some time and
headaches. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 13, 2004 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Finally, i want to apologize again. i came from a Novell environment and
inherited my current AD set up and i'm afraid i'm using you as a learning
tool to get deeper into AD internals and i want to apologize for wasting
your time. I've read robbie allen's Active Directory and most of the
Distributed Systems Guide of the Windows 2k resource kit and both while
excellent don't seem to answer all my questions esp, things like this post.
Perhaps you could just recommend a book or site?
thanks for your time, everyone.

I'm not sure why you're apologizing for wanting to learn. I don't think
anyone who actively participates on this mailing list is here just to shoot
the breeze & dick around, but rather to learn and share knowledge. So, I say
fire away, I'll certainly jump in on a thread if it's something I know
about...

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
 
v: 773.534.0034 x135
f: 773.534.0035
 
 
-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. i'm not really interested in hacking my AD, so i'm not asking for that
bit of info. i just wonder why it exists and i'm sure googling it will turn
up a lot of "how to's", which makes me wonder why MS doesn't have a fix for
it?

2. so aside from politics or the inability of corps to collapse their NT
domain structure into OU's, you're saying there really is no reason for
multiple domains at all(or maybe to limit rep traffic of 

RE: [ActiveDir] Remote Desktop Issue

2004-03-27 Thread Daniel Gilbert
Nothing appeared in the event logs.  I was able to clear up the problem.  Do
know why this worked but here is what I did:

Added the new Enterprise Admin to the Remote Desktop tab in SYSTEM
properties.  Let him log in successfully, had him log off, removed him from
Remote Desktop tab, had him log in again.

I know, everyone is saying, “Wait a minute! If the Remote Desktop tab is
empty then Administrators can log in by default”  Yep, I totally agree.
Don’t understand why this worked but it did.

BTW Joe, great write up on DEC.  I was supposed to attend but we started a
big Windows 2003 migration and I happen to have the last Rubber Chicken Gil
ever gave out at a DEC, got it in Ottawa.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 7:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote Desktop Issue

That almost sounds like a disk space or permissions issue... I.E. it is
trying to create the local profile, failing, and blowing the user off.
Anything in the event logs?

  joe

-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel L. Gilbert
Sent: Friday, March 26, 2004 12:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote Desktop Issue

No error message.  He gets the logon prompt, logs on, the screen flashes
“applying settings” then the terminal session screen closes out.

Really weird.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Thursday, March 25, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Remote Desktop Issue

What error does he get when trying to connect using a terminal session?

- Original Message -
From: Gilbert, Daniel L Mr ANOSC/FCBS
To: ActiveDir ([EMAIL PROTECTED])
Sent: Thursday, March 25, 2004 1:58 PM
Subject: [ActiveDir] Remote Desktop Issue

To All:

I have a Remote Desktop issue that is driving me nuts.  Servers are Windows
Server 2003.

I have a root domain spread across to two different sites, both physically
(East Coast and West Coast) and AD wise (AD East and AD West).

My two Enterprise Admins are members of a child domain (Child1) and through
security group membership; they are placed into the Enterprise Admins
security group in the root domain.

This structure has worked fine for the last year.  One of the Enterprise
Admins has moved on to a bigger and better job and I promoted one of my
Senior Admins to become a new Enterprise Admin.

Now the fun part begins.

The new Enterprise Admin can log on locally to the root DCs in the physical
site West Coast (the bulk of the root is here) from either the keyboard or
via Remote Desktop.

The new Enterprise Admin can log on locally to the root DCs in the physical
site East Coast (our COOP site) from the keyboard but he can not log in via
Remote Desktop.

I am sure his account has replicated from West Coast to East Coast because
he can log on from the keyboard and I have waited long enough for
replication to occur.

I checked the permissions on the RDP connection but it is still at default.

Any ideas where I can go for a clue?  My head is getting squishy from
beating it against the wall.

Daniel L. Gilbert, Contractor
Senior Active Directory Specialist
CONUS Theater Network Operations and Security Center (CONUS-TNOSC)
(520) 533-6700 DSN: 821-6700
[EMAIL PROTECTED]


RE: [ActiveDir] User Display Question

2003-12-30 Thread Daniel Gilbert
OK, I followed KB250455.  Opened ADUC, created new users and display in ADUC
MMC (main window) was correct, i.e. lastname, firstname.  Users created
before KB250455 unchanged, i.e. firstname lastname.

Ran the script in KB277717 on the OU that contained users created before
KB250455 was run.  Output (command prompt window) correctly identified users
in correct format, i.e. lastname, firstname.

Here is where I think things are going south, in the main ADUC window the
old users are still displayed as firstname lastname, but new users are
displayed as lastname, firstname.

Is it possible to change the way users in the main ADUC window are
displayed??  I mean can I retrofit the old users to display like new ones?

Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, December 30, 2003 5:42 PM
To: '[EMAIL PROTECTED] '
Subject: RE: [ActiveDir] User Display Question

Hi,

Q250455 only applies for user accounts created after the change. User
accounts already created before the change remain as is. To change the
display name of those users (already created) also see Q277717

Regards,
Jorge


-Original Message-
From: Gilbert, Daniel L Mr ANOSC/FCBS
To: [EMAIL PROTECTED]
Sent: 12/31/2003 12:08 AM
Subject: [ActiveDir] User Display Question

To All:

If this issue has been covered before please point me in the right
direction.

I am attempting to change the default display of users in ADUC.

I did some research and found Q250455, which is titled "How to Change
Display Names in Active Directory".  Followed this Q article and new
users created now display as: lastname, firstname.

Now my question, how do I make this change retroactive?  Should all
existing users display change to lastname, firstname or do I need to run
another script to change their display as well?

Daniel L. Gilbert


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





RE: [ActiveDir] Port Requirements for the Microsoft Windows Server System (Q832017)

2003-12-09 Thread Daniel Gilbert
Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Tuesday, December 09, 2003 12:54 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Port Requirements for the Microsoft Windows Server System (Q832017)

I'm sure this will be VERY interesting for most of you - a great KB that's
recently been published with the various port requirements for Windows
Servers.

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

/Guido


RE: [ActiveDir] Delegate Access for DC servers (2003)

2003-12-04 Thread Daniel Gilbert
how about these?

Best Practices for Delegating Active Directory Administration (2.7 MB)
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
 
 
Best Practices for Delegating Active Directory Administration Appendices (4.2 MB)
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
 
>  Original Message 
> Subject: [ActiveDir] Delegate Access for DC servers (2003)
> From: "Morley, Scott" <[EMAIL PROTECTED]>
> Date: Thu, December 04, 2003 12:25 pm
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> 
> All,
> 
> I am challenged with providing a level of access to Domain Controllers that
> would allow individuals to access the OS and fix any hardware issues, but
> not impact Active Directory (2003).
> 
> Any thoughts or articles that anyone can point my way?
> 
> Scott Morley
> MCSE 2000/4.0, Exchange 2000/5.5, MCT, CCNA, CNE, CNI 
> Senior Systems Engineer/Architect 
> Global Messaging Services, Starwood Technology Center 
> Starwood Hotels and Resorts, Worldwide
>  
> Phone: 781-348-7120
>  
> Learning is not compulsory... neither is survival.
> - W. Edwards Deming 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Happy Thanksgiving...

2003-11-26 Thread Daniel Gilbert
Tha back at'cha Todd.

Some turkey to hold me over during the Black Hawk Down Fest.

Dan
>  Original Message 
> Subject: [ActiveDir] Happy Thanksgiving...
> From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
> Date: Wed, November 26, 2003 12:02 pm
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> 
> Just wanted to wish everyone on the list a Happy Thanksgiving...
> 
> Todd Myrick
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Robbie Allen for sainthood

2003-10-30 Thread Daniel Gilbert
UPS finally delivered my copy of the Active Directory Cookbook.

After a hundred pages, I must agree, Robbie Allen has a best seller here.  I
would love to find a way to put this book in binder and stick in at my desk.
Sort of camouflage it so it looks like a regular notes binder.  I know I
could just put Robbie’s book on my desk but, some lowlife varmint would just
steal it.  And then I would have to hunt them down and do harm.

Dan


RE: [ActiveDir] Active Directory Cookbook

2003-10-24 Thread Daniel Gilbert
Hey,

You must be up late too.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Friday, October 24, 2003 10:40 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

And what have you been drinking at 1am?? :-)  Good thought, but my guess is
that people who offer good suggestions probably already have a copy of the
book (since they know what's in there and what isn't).  FWIW, I would be
happy to mention in the acknowledgements section anyone who suggests a
recipe I include in the next edition.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 12:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Hey Rob,

What about this donate a cookbook a month for someone who comes up with a
great idea for additions to the next version of the cookbook.

Basically the submissions have to follow the format of the book, and have to
work.

They would be judged based on the following criteria.

The topic covered in AD.  1-25 points (Existing topics with a spin get up to
12.5 points; new topics getting up to 25 if worthy.)

The issues identified within the topic 1-25 points.  (Each issue identified
gets 2.5 points for existing topics. Max 10)

The solutions that meet the needs identified for each topic. 1-50 points.
(Each need that gets a solution gets 5 points per solutions.  Solutions
should identify any GUI, CLI, and VB methods for automation.)

To make things interesting if it takes off,  If one of the vendors
(CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was willing to support
this contest, it would be really interesting.

Just an Idea at 1AM...

Toddler

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 12:43 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Thanks for all of the positive feedback about the book.  I give the credit
to my all-star cast of reviewers :-)

My main goal was to produce a reference that would help AD admins get their
job done quicker and easier.  There is just too much stuff AD admins have to
remember and that's why I thought the O'Reilly cookbook format would work
especially well in this case.

If you have the book (or even if you don't), be sure to check out the
following web site, which has all of the code in the book and any
corrections: http://www.rallenhome.com/books/adcookbook/code.html

Keep the feedback coming

Regards,

Robbie Allen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 11:51 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Cookbook

Agreed - I got mine yesterday from Amazon and I must say that this should be
on the shelf of every AD administrator. Period.

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

"Lou Vega" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
10/24/2003 10:37 AM
Please respond to ActiveDir

To: <[EMAIL PROTECTED]>
cc:
Subject: [ActiveDir] Active Directory Cookbook

Received my very own copy of Mr. Robbie Allen's "Tuna" book last night from
Amazon.com - in the first night's reading the book is already proving its
worth as I see how to do certain things much simpler than I had done them
before (with regards to the VBScripts included), as well as learn new things
I didn't realize could be done (in both AD2K and AD2K3). The book will be
very handy as I continue to stand up my development Windows 2003 domain.

To anyone else on this list who hasn't gotten it yet...it's a worthwhile
addition to your Active Directory library.

To Robbie (and all the others who assisted him!) - thanks for a great
resource!

r/

Lou


RE: [ActiveDir] Active Directory Cookbook

2003-10-24 Thread Daniel Gilbert
Todd,

You are s badd

Dan
>  Original Message 
> Subject: RE: [ActiveDir] Active Directory Cookbook
> From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
> Date: Fri, October 24, 2003 9:54 pm
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> 
> Hey Rob,
> 
> What about this donate a cookbook a month for someone who comes up with
> a great idea for additions to the next version of the cookbook.
> 
> Basically the submissions have to follow the format of the book, and have to
> work.
> 
> They would be judged based on the following criteria.
> 
> The topic covered in AD.  1-25 points (Existing topics with a spin get up to
> 12.5 points; new topics getting up to 25 if worthy.)
> 
> The issues identified within the topic 1-25 points.  (Each issue identified
> gets 2.5 points for existing topics. Max 10)
> 
> The solutions that meet the needs identified for each topic. 1-50 points.
> (Each need that gets a solution gets 5 points per solutions.  Solutions
> should identify any GUI, CLI, and VB methods for automation.)
> 
> To make things interesting if it takes off,  If one of the vendors
> (CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was
> willing to support this contest, it would be really interesting.
> 
> Just an Idea at 1AM...
> 
> Toddler
> 
> 
> -Original Message-
> From: Robbie Allen [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 24, 2003 12:43 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Active Directory Cookbook
> 
>  
> 
> Thanks for all of the positive feedback about the book.  I give the credit
> to my all-star cast of reviewers :-)
> 
> My main goal was to produce a reference that would help AD admins get their
> job done quicker and easier.  There is just too much stuff AD admins have to
> remember and that's why I thought the O'Reilly cookbook format would work
> especially well in this case.
> 
> If you have the book (or even if you don't), be sure to check out the
> following web site, which has all of the code in the book and any
> corrections: http://www.rallenhome.com/books/adcookbook/code.html
> 
> Keep the feedback coming
> 
> Regards,
> 
> Robbie Allen
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> 
> Sent: Friday, October 24, 2003 11:51 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Active Directory Cookbook
> 
> 
> Agreed - I got mine yesterday from Amazon and I must say that this should be
> on the shelf of every AD administrator. Period.
> 
> Michael Parent MCSE MCT
> Analyst I - Web Services
> ITOS - Systems Enablement
> Maritime Life Assurance Company
> (902) 453-7300 x3456
> 
> "Lou Vega" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 
> 10/24/2003 10:37 AM
> Please respond to ActiveDir
> 
> To: <[EMAIL PROTECTED]>
> cc:
> Subject: [ActiveDir] Active Directory Cookbook
> 
> Received my very own copy of Mr. Robbie Allen's "Tuna" book last night from
> Amazon.com - in the first night's reading the book is already proving its
> worth as I see how to do certain things much simpler than I had done them
> before (with regards to the VBScripts included), as well as learn new things
> I didn't realize could be done (in both AD2K and AD2K3). The book will be
> very handy as I continue to stand up my development Windows 2003 domain.
> 
> To anyone else on this list who hasn't gotten it yet...it's a worthwhile
> addition to your Active Directory library.
> 
> To Robbie (and all the others who assisted him!) - thanks for a great
> resource!
> 
> r/
> Lou
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Active Directory Cookbook

2003-10-24 Thread Daniel Gilbert
Thanks.  I can see I will have some reading to do this weekend.

Dan
>  Original Message 
> Subject: RE: [ActiveDir] Active Directory Cookbook
> From: [EMAIL PROTECTED]
> Date: Fri, October 24, 2003 12:57 pm
> To: [EMAIL PROTECTED]
> 
> While not a cookbook per se, I have found this link useful in my
> understanding of PKI:
> http://tinyurl.com/s8y1
>  
> HTH
>  
>  
> Sincerely,
> 
> Dèjì Akómöláfé, MCSE MCSA MCP+I
> www.akomolafe.com
> www.iyaburo.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday?  -anon
> 
> ________
> 
> From: [EMAIL PROTECTED] on behalf of Daniel Gilbert
> Sent: Fri 10/24/2003 11:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Active Directory Cookbook
> 
> 
> 
> Robbie,
> 
> I haven't gotten my copy of your book yet, I know :-(, I waited until just
> recently to order it.  I looked at the table of contents but did not see any
> thing about Certificate Services, is it there and I just missed it??
> 
> If it is not in your book, as the "Master of Cookbooks" can you suggest a
> good source for learning Certificate Services structure and installing
> guide.
> 
> I am trying to get my head around Certificate Service in order to answer some
> structure questions.
> 
> Dan
> >  Original Message 
> > Subject: RE: [ActiveDir] Active Directory Cookbook
> > From: "Robbie Allen" <[EMAIL PROTECTED]>
> > Date: Fri, October 24, 2003 9:43 am
> > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> >
> > Thanks for all of the positive feedback about the book.  I give the credit
> > to my all-star cast of reviewers :-)
> >
> > My main goal was to produce a reference that would help AD admins get their
> > job done quicker and easier.  There is just too much stuff AD admins have to
> > remember and that's why I thought the O'Reilly cookbook format would work
> > especially well in this case.
> >
> > If you have the book (or even if you don't), be sure to check out the
> > following web site, which has all of the code in the book and any
> > corrections: http://www.rallenhome.com/books/adcookbook/code.html
> > <http://www.rallenhome.com/books/adcookbook/code.html>
> >
> > Keep the feedback coming
> >
> > Regards,
> > Robbie Allen
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> >
> > Sent: Friday, October 24, 2003 11:51 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] Active Directory Cookbook
> >
> >
> >
> > Agreed - I got mine yesterday from Amazon and I must say that this
> > should be
> > on the shelf of every AD administrator. Period.
> >
> > Michael Parent MCSE MCT
> > Analyst I - Web Services
> > ITOS - Systems Enablement
> > Maritime Life Assurance Company
> > (902) 453-7300 x3456
> >
> >
> >
> >   "Lou Vega" <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> >
> >
> > 10/24/2003 10:37 AM
> > Please respond to ActiveDir
> >
> >
> >
> > To:<[EMAIL PROTECTED]>
> > cc:
> > Subject:[ActiveDir] Active Directory Cookbook
> >
> >
> >
> > Received my very own copy of Mr. Robbie Allen's "Tuna" book last night
> > from Amazon.com - in the first night's reading the book is already
> > proving its worth as I see how to do certain things much simpler than I
> > had done them before (with regards to the VBScripts included), as well
> > as learn new things I didn't realize could be done (in both AD2K and
> > AD2K3). The book will be very handy as I continue to stand up my
> > development Windows 2003 domain.
> >  
> > To anyone else on this list who hasn't gotten it yet...it's a worthwhile
> > addition to your Active Directory library.
> >  
> > To Robbie (and all the others who assisted him!) - thanks for a great
> > resource!
> >  
> > r/
> > Lou
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Active Directory Cookbook

2003-10-24 Thread Daniel Gilbert
Robbie,

I haven't gotten my copy of your book yet, I know :-(, I waited until just recently to 
order it.  I looked at the table of contents but did not see any thing about 
Certificate Services, is it there and I just missed it??

If it is not in your book, as the "Master of Cookbooks" can you suggest a good source 
for learning Certificate Services structure and installing guide.

I am trying to get my head around Certificate Service in order to answer some 
structure questions.

Dan
>  Original Message 
> Subject: RE: [ActiveDir] Active Directory Cookbook
> From: "Robbie Allen" <[EMAIL PROTECTED]>
> Date: Fri, October 24, 2003 9:43 am
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> 
> Thanks for all of the positive feedback about the book.  I give the
> credit
> to my all-star cast of reviewers :-)  
>  
> My main goal was to produce a reference that would help AD admins get
> their
> job done quicker and easier.  There is just too much stuff AD admins
> have to
> remember and that's why I thought the O'Reilly cookbook format would
> work
> especially well in this case.
>  
> If you have the book (or even if you don't), be sure to check out the
> following web site, which has all of the code in the book and any
> corrections: http://www.rallenhome.com/books/adcookbook/code.html
>  
>  
> Keep the feedback coming
>  
> Regards,
> Robbie Allen
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> 
> Sent: Friday, October 24, 2003 11:51 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Active Directory Cookbook
> 
> 
> 
> Agreed - I got mine yesterday from Amazon and I must say that this
> should be
> on the shelf of every AD administrator. Period. 
> 
> Michael Parent MCSE MCT
> Analyst I - Web Services 
> ITOS - Systems Enablement
> Maritime Life Assurance Company
> (902) 453-7300 x3456 
> 
> 
> 
>   "Lou Vega" <[EMAIL PROTECTED]> 
> Sent by: [EMAIL PROTECTED] 
> 
> 
> 10/24/2003 10:37 AM 
> Please respond to ActiveDir 
> 
> 
> 
> To:<[EMAIL PROTECTED]> 
> cc: 
> Subject:[ActiveDir] Active Directory Cookbook
> 
> 
> 
> Received my very own copy of Mr. Robbie Allen's "Tuna" book last night
> from Amazon.com - in the first night's reading the book is already
> proving its worth as I see how to do certain things much simpler than I
> had done them before (with regards to the VBScripts included), as well as
> learn new things I didn't realize could be done (in both AD2K and AD2K3).
> The book will be very handy as I continue to stand up my development
> Windows 2003 domain.
>   
> To anyone else on this list who hasn't gotten it yet...it's a
> worthwhile
> addition to your Active Directory library. 
>   
> To Robbie (and all the others who assisted him!) - thanks for a great
> resource! 
>   
> r/ 
> Lou


RE: [ActiveDir] OT? - You guys rock

2003-10-23 Thread Daniel Gilbert
True, since Scottsdale was right up the road, attending DEC was easy.  Now, since it 
looks to be headed East, travel will be an issue.

Tho, to defend NetPro, holding it back East will allow a different population to attend.

Dan
>  Original Message 
> Subject: RE: [ActiveDir] OT? - You guys rock
> From: "Creamer, Mark" <[EMAIL PROTECTED]>
> Date: Thu, October 23, 2003 11:42 am
> To: [EMAIL PROTECTED]
> 
> Wow...from Scottsdale to Washington?? Yuck ;-)
> 
> 
> 
> -Original Message-
> From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, October 23, 2003 2:14 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT? - You guys rock
> 
> Yusuf,
> 
> If you get the chance you should attend a DEC (Directory Experts
> Conference) hosted by NetPro (www.netpro.com).  Most of the folks you
> mentioned will be there.  In fact some of those you mentioned will
> probably be putting on a presentation.
> 
> I believe the next DEC is scheduled for the Spring of 2004 in lovely
> Washington, D.C. (Can I say lovely and Washington, D.C. in the same
> thought?)
> 
> Dan
> >  Original Message 
> > Subject: RE: [ActiveDir] OT? - You guys rock
> > From: "Mayet, Yusuf Y" <[EMAIL PROTECTED]>
> > Date: Thu, October 23, 2003 9:11 am
> > To: [EMAIL PROTECTED]
> > 
> > I agree Al that the contributions from the likes of Joe, Rick,
> > Robbie,Todd, Gil .and and (that's the rest of the folks I haven't
> > mentioned) have all been well appreciated.
> >  
> > And over these past years you guys have been my inspiration and thus
> > wanting to excel myself all of the time
> >  
> > Presently I am at the age of 24 with only a handful of years of
> > experience and I have learnt so much and so much more to learn from all
> > of you.
> >  
> > With me being located at the edge of Africa I am hoping at one time I
> > would have the opportunity to rub shoulders with you guys sometime or
> > the other.
> >  
> > Thanks again guys
> >  
> >  
> > yusuf
> > 
> > __
> > For information about the Standard Bank group visit our web site
> > __
> > Disclaimer and confidentiality note
> > Everything in this e-mail and any attachments relating to the official
> > business of Standard Bank Group Limited is proprietary to the group.
> > It is confidential, legally privileged and protected by law.
> > Standard Bank does not own and endorse any other content. Views and
> > opinions are those of the sender unless clearly stated as being that of
> > the group.
> > The person addressed in the e-mail is the sole authorised recipient.
> > Please notify the sender immediately if it has unintentionally reached
> > you and do not read, disclose or use the content in any way.
> > Standard Bank can not assure that the integrity of this communication
> > has been maintained nor that it is free of errors, virus, interception
> > or interference.
> > __


RE: [ActiveDir] OT? - You guys rock

2003-10-23 Thread Daniel Gilbert
So, you are saying he gets a Puck?
>  Original Message 
> Subject: RE: [ActiveDir] OT? - You guys rock
> From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
> Date: Thu, October 23, 2003 11:07 am
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> 
> Check is in the mail Yusuf.  :P
>  
> Thanks for the kind words, I appreciate it.  Especially being compared
> to
> Joe, Rick, Robbie and Gil.  
>  
> Todd Myrick
> -Original Message-
> From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, October 23, 2003 12:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT? - You guys rock
> 
> 
> I agree Al that the contributions from the likes of Joe, Rick,
> Robbie,Todd,
> Gil .and and (that's the rest of the folks I haven't mentioned)
> have all
> been well appreciated.
>  
> And over these past years you guys have been my inspiration and thus
> wanting
> to excel myself all of the time
>  
> Presently I am at the age of 24 with only a handful of years of
> experience
> and I have learnt so much and so much more to learn from all of you.
>  
> With me being located at the edge of Africa I am hoping at one time I
> would
> have the opportunity to rub shoulders with you guys sometime or the
> other.
>  
> Thanks again guys
>  
>  
> yusuf
> 


RE: [ActiveDir] OT? - You guys rock

2003-10-23 Thread Daniel Gilbert
Yusuf,

If you get the chance you should attend a DEC (Directory Experts Conference) hosted by 
NetPro (www.netpro.com).  Most of the folks you mentioned will be there.  In fact some 
of those you mentioned will probably be putting on a presentation.

I believe the next DEC is scheduled for the Spring of 2004 in lovely Washington, D.C. 
(Can I say lovely and Washington, D.C. in the same thought?)

Dan
>  Original Message 
> Subject: RE: [ActiveDir] OT? - You guys rock
> From: "Mayet, Yusuf Y" <[EMAIL PROTECTED]>
> Date: Thu, October 23, 2003 9:11 am
> To: [EMAIL PROTECTED]
> 
> I agree Al that the contributions from the likes of Joe, Rick,
> Robbie,Todd,
> Gil .and and (that's the rest of the folks I haven't mentioned)
> have all
> been well appreciated.
>  
> And over these past years you guys have been my inspiration and thus
> wanting
> to excel myself all of the time
>  
> Presently I am at the age of 24 with only a handful of years of
> experience
> and I have learnt so much and so much more to learn from all of you.
>  
> With me being located at the edge of Africa I am hoping at one time I
> would
> have the opportunity to rub shoulders with you guys sometime or the
> other.
>  
> Thanks again guys
>  
>  
> yusuf
> 


RE: [ActiveDir] You guys amaze me!

2003-10-23 Thread Daniel Gilbert
I am glad you asked the smart guys.  Me, being the not too bright sometimes, would 
have answered like this:  demote 1 DC, rebuild it, stand up a new domain and then 
migrate from old domain to new one.  Then, demote the old DCs when no longer needed, 
join them to new domain.

As I said I sometimes take the hard approach.

Dan
>  Original Message 
> Subject: [ActiveDir] You guys amaze me!
> From: "Rocky Habeeb" <[EMAIL PROTECTED]>
> Date: Thu, October 23, 2003 7:05 am
> To: [EMAIL PROTECTED]
> 
> I'm serious.
> 
> Here is a question for you.  As always, if you could offer any info, I
> would
> be very grateful.  We're a small shop with only 2 Admins managing 200
> users
> in 4 states and we don't have the firepower you guys do.
> 
> Let's say you don't like your AD domain name and you want to change it.
>  You
> have 4 DCs, 3 each W2K SP3 and 1 each NT4 SP6a, so you're still in
> mixed
> mode.  You could move the NT DC to 2K, then move everyone to W2K3,
> then
> raise the Forest functionality level and then play Russian Roulette
> with
> Rendom.  That's one option.  Or could it be as simple as DCPromoing all
> 3
> W2K3 servers down to Standalone servers, allowing the NT4 DC which
> still
> controls the pre-W2K subdomain name to take full control of the domain
> again, and then DCPromoing one of the 3 W2K DCs back up to W2K as the
> FSMO
> and renaming the domain to what you want?  I would love to believe I
> could
> do it and get away with it.
> 
> Thank you people.
> 
> PS:  I don't envy you Joe.  I hope you're being paid well!
> 
> RH
> 
> -
> Rocky Habeeb
> Microsoft Systems Administrator
> -
> James W. Sewall Company
> Old Town, Maine
> -
> 207.827.4456
> habr @ jws.com
> www.jws.com
> -
> 


[ActiveDir] Replication question

2003-10-16 Thread daniel . gilbert
To All:
 
I am looking for some answers to questions I have about the REPADMIN command.  I am 
running the Windows 2003 Support Tools version of the command with the following 
switches: /replsum /bysrc /bydest /sort:delta
 
I get a display like the following:
 
Replication Summary Start Time: 2003-10-16 14:14:31
 
Beginning data collection for replication summary, this may take awhile:
 
(excerpt of actual data)
 
Source DC           largest delta    fails/total  %%  error
SRV-SITEA0017         14h:25m:59s      0 /  15     0
SRV-SITEC0002         14h:25m:53s      0 /   9     0
SRV-SITEB0001         02h:25m:57s      0 /  22     0

Destination DC      largest delta    fails/total  %%  error
SRV-SITEA0017         14h:26m:43s      0 /  28     0
SRV-SITEC0002             17m:59s      0 /   5     0
SRV-SITEB0001             17m:43s      0 /  17     0
 
Now before everyone jumps on me telling me the deltas are way too large, I agree. I 
think. I have found one replication schedule misconfigured and it has been corrected.
 
Now, my real question is how to interpret the results.  I think I understand the 
information about the largest delta (time since last replication), the fails/total 
(number of failures in the last number of replication attempts), %% (percent of 
failures), and error (an explanation of any errors)
 
What I can't seem to get a grasp on is the Source DC or Destination DC column.  I have 
looked at the repadmin command in the Microsoft Help and Support page and it gives 
some information but not how to interpret the results.
 
If someone can explain to me what the Source DC and Destination DC columns tell me I 
would appreciate it.
 
Dan
 

Daniel L. Gilbert, Contractor
Senior Active Directory Specialist
CONUS Theater Network Operations and Security Center (CONUS-TNOSC)
(520) 533-6700 DSN: 821-6700
[EMAIL PROTECTED]
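
One way to read the /replsum excerpt in the message above programmatically, as an added example that is not part of the original post. Rows under "Source DC" summarise the links on which that DC is the replication source for its partners, and rows under "Destination DC" the links on which it is the destination; the sample text is the excerpt from the message with columns realigned, and the one-hour threshold and all function names are assumptions.

```python
import re
from datetime import timedelta

# Constructed sample: the excerpt quoted in the message, columns realigned.
SAMPLE = """\
Source DC           largest delta    fails/total  %%  error
SRV-SITEA0017         14h:25m:59s      0 /  15     0
SRV-SITEC0002         14h:25m:53s      0 /   9     0
SRV-SITEB0001         02h:25m:57s      0 /  22     0

Destination DC      largest delta    fails/total  %%  error
SRV-SITEA0017         14h:26m:43s      0 /  28     0
SRV-SITEC0002             17m:59s      0 /   5     0
SRV-SITEB0001             17m:43s      0 /  17     0
"""

HEADER = re.compile(r"^(Source|Destination) DC\b")
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$")
UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}


def parse_delta(text):
    """Turn '14h:25m:59s' or '17m:59s' into a timedelta; None if unparsable."""
    parts = re.findall(r"(\d+)([dhms])", text)
    if not parts:
        return None
    return timedelta(**{UNITS[unit]: int(num) for num, unit in parts})


def parse_replsum(text):
    """Return one dict per DC row, tagged with the section it appeared in."""
    rows, role = [], None
    for line in text.splitlines():
        line = line.strip()
        head = HEADER.match(line)
        if head:
            role = head.group(1).lower()   # 'source' or 'destination'
            continue
        m = ROW.match(line)
        if not (m and role):
            continue
        dc, delta, fails, total, _pct, error = m.groups()
        rows.append({"role": role, "dc": dc, "delta": parse_delta(delta),
                     "fails": int(fails), "total": int(total),
                     "error": error.strip()})
    return rows


def needs_attention(rows, max_delta=timedelta(hours=1)):
    """Rows with failures, an unparsable delta, or a delta above max_delta."""
    return [(r["role"], r["dc"]) for r in rows
            if r["fails"] or r["delta"] is None or r["delta"] > max_delta]


def outbound_only_lag(rows, max_delta=timedelta(hours=1)):
    """DCs that receive changes on time but whose partners lag in pulling
    from them: destination delta within max_delta, source delta above it."""
    inbound = {r["dc"]: r["delta"] for r in rows if r["role"] == "destination"}
    result = []
    for r in rows:
        if r["role"] != "source" or r["delta"] is None:
            continue
        dest = inbound.get(r["dc"])
        if dest is not None and dest <= max_delta < r["delta"]:
            result.append(r["dc"])
    return result


if __name__ == "__main__":
    parsed = parse_replsum(SAMPLE)
    for role, dc in needs_attention(parsed):
        print("check", role, dc)
    print("outbound lag only:", outbound_only_lag(parsed))
```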
 


RE: [ActiveDir] OT: DS Conference

2003-10-03 Thread daniel . gilbert
Hang on to it.  I will see if I can rise to the "challenge" and get on via low speed 
delivery as opposed to ducking :-)

  
  -Original Message-
  From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 03, 2003 7:40 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: DS Conference

  On my projects I hand out "Ship it" Hockey Pucks.  People are honored in two 
  ways.  Those that did well on the project get the puck handed to them.  Those 
  who were "challenged" on the project, get them thrown at them.  So Dan, I have 
  an extra puck here, I can put chicken on it.  Take your pick for deliver.  Hehe

  Gil, I vote to change from Chickens to Pucks.  To quote the book I got the idea 
  from "Microserfs" "For every product shipped, it brings us closer to the vision, 
  a computer on every desk".  The Microsoft Ship It awards are acrylic that is 
  indestructible.  The protagonist tried to break theirs.  There is something 
  successful about Cult like environments.  DEC seems to be shaping up to be quite 
  a interesting environment.

  Toddler
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 03, 2003 10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

"I want a chicken damnit." I am afraid the last NetPro chicken already has a 
home ;-)

(It is proudly displayed with prior DEC nametags and books)

  
  -Original Message-
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 6:38 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: DS Conference

  Ditto only my toilet paper is spelled Exchange 2000...

  :oP

  I will be at the next one and Gil... I want a chicken damnit. And a nice NetPro 
  Polo, my last one (kind of blue green) disintegrated and had to be put down.

    joe
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
  Sent: Thursday, October 02, 2003 3:35 PM
  To: '[EMAIL PROTECTED]'

  A lot of people asked why I didn't attend this years Fall DEC so I will say it 
  one time, it wasn't my doing... Believe me.

  I was asked to come and be a booth expert or something, so I began the process 
  of government red tape to get approval.  What I got was 10 boxes of Toilet paper 
  instead of travel orders.  I couldn't trade up the toilet paper for a rubber 
  chicken in time to get a plane ticket.  Then it went down hill.  The final 
  result was, we don't know why you can't go, but you can't go.  And if you go on 
  your own time, it is a Ethical issue.  We can let you go, but we have to pay for 
  it, since it is out of the country I have to wait four weeks for my orders to 
  get cut, this is a week before the conference.

  So, I missed you all, and I am sorry that there was no Texas Hold'm tourney.  
  Rich H. from Netpro was deeply disappointed.

  I hear rumors that Spring DEC 2004 might be coming to DC.  This is my and Kevin 
  S's backyard.  So if it happens, I expect everyone to show up.  We will have one 
  hell of a time.  And there will be a poker night, nightlife, and most 
  importantly a good educational experience.  I also vote that the Fall DEC be in 
  the Virgin Islands or some tropical destination.

  I missed seeing you all.

  Toddler
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 3:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

The Final Chicken hopes to make a cameo appearance at the next DEC. ;-)

  
  -Original Message-
  From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 10:56 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: DS Conference

  Second that (or third that). I could only be there for the first day but that 
  day was Guido Grillenmeier, Robbie Allen, Nelson Roust (sp?) and of course Gil 
  Kirkpatrick and Stuart Kwan. It was a great day. Stuart always gives a 
  fantastic presentation which is not only entertaining but filled with great 
  information. It is of course great to hear from Microsoft to help understand 
  their roadmap. Guido's presentation on recovery has great detail and fully 
  demonstrates the value of understanding the process and being prepared for 
  unpredictable disaster. Robbie knows LDAP querying incredibly well and does a 
  fa

RE: [ActiveDir] OT: DS Conference

2003-10-03 Thread daniel . gilbert
"I want a chicken damnit." I am afraid the last NetPro chicken already has a home 
;-)

(It is proudly displayed with prior DEC nametags and books)

  
  -Original Message-
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 6:38 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: DS Conference

  Ditto only my toilet paper is spelled Exchange 2000...

  :oP

  I will be at the next one and Gil... I want a chicken damnit. And a nice NetPro 
  Polo, my last one (kind of blue green) disintegrated and had to be put down.

    joe
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
  Sent: Thursday, October 02, 2003 3:35 PM
  To: '[EMAIL PROTECTED]'

  A lot of people asked why I didn't attend this years Fall DEC so I will say it 
  one time, it wasn't my doing... Believe me.

  I was asked to come and be a booth expert or something, so I began the process 
  of government red tape to get approval.  What I got was 10 boxes of Toilet paper 
  instead of travel orders.  I couldn't trade up the toilet paper for a rubber 
  chicken in time to get a plane ticket.  Then it went down hill.  The final 
  result was, we don't know why you can't go, but you can't go.  And if you go on 
  your own time, it is a Ethical issue.  We can let you go, but we have to pay for 
  it, since it is out of the country I have to wait four weeks for my orders to 
  get cut, this is a week before the conference.

  So, I missed you all, and I am sorry that there was no Texas Hold'm tourney.  
  Rich H. from Netpro was deeply disappointed.

  I hear rumors that Spring DEC 2004 might be coming to DC.  This is my and Kevin 
  S's backyard.  So if it happens, I expect everyone to show up.  We will have one 
  hell of a time.  And there will be a poker night, nightlife, and most 
  importantly a good educational experience.  I also vote that the Fall DEC be in 
  the Virgin Islands or some tropical destination.

  I missed seeing you all.

  Toddler
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 3:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

The Final Chicken hopes to make a cameo appearance at the next DEC. ;-)

  
  -Original Message-
  From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 10:56 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: DS Conference

  Second that (or third that). I could only be there for the first day but that 
  day was Guido Grillenmeier, Robbie Allen, Nelson Roust (sp?) and of course Gil 
  Kirkpatrick and Stuart Kwan. It was a great day. Stuart always gives a 
  fantastic presentation which is not only entertaining but filled with great 
  information. It is of course great to hear from Microsoft to help understand 
  their roadmap. Guido's presentation on recovery has great detail and fully 
  demonstrates the value of understanding the process and being prepared for 
  unpredictable disaster. Robbie knows LDAP querying incredibly well and does a 
  fantastic job presenting. It is great to hear from people like Robbie who use 
  AD to its fullest extent in his current job and produces such great books to 
  help the industry benefit from his experiences. Nelson's presentation was great 
  (I missed much of it due to a con call), and Gil of course always adds a ton of 
  value.

  I learned that Smarties are not what I thought they were (thanks Stuart), and 
  that NetPro is banning the chicken (I have mixed reactions on this one). NetPro 
  did a fantastic job hosting this event. My second time attending and I sure I 
  will have it on my schedule moving forward!

  Kevin Sullivan
   
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 12:51 PM
  To: [EMAIL PROTECTED]

  I was there too!  Learned a lot.
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 9:42 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

I was there and must say it was very worthwhile!

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

  
  

   

  Roger 
  Seielstad <[EMAIL PROTECTED]> 
  Sent by: 
  [EMAIL PROTECTED] 

RE: [ActiveDir] Password Policy - Challenge....

2003-10-03 Thread daniel . gilbert
Does the -1 setting tell the system it "never expires"?

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 03, 2003 4:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Policy - Challenge


See I knew the word challenge in the subject would bring you guys out... In
fact Challenge is the alternate spelling for MVP... :op   Speaking of which,
did you notice that the AD list has doubled?

Correct, setting pwdLastSet to 0 will cause it to flag as expired (user must
change password on next logon). If you clear that flag due to the
implementation of NOT keeping this info in userAccountControl but instead in
the attribute that specifies password age will cause that password age to
have to become something valid and since it can't be set back to what it was
previously (no history), the logical thing is to put it to 0 days old. 

Keep in mind that that attribute can be set to two things by a programmer
without hacking LSASS... 0 or -1. 0 as Tony points out will force the user
to be expired right now. So what do you think setting it to -1 would do?

Here let me illustrate:

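File: Test.vbs

' Bind to the user object
set o=getobject("LDAP://cn=joe,cn=users,dc=joehome,dc=com")
' 0 flags the password as expired (user must change password on next logon)
o.pwdlastset=0
o.setinfo
' -1 makes the DC stamp pwdLastSet with the current time (password age 0 days)
o.pwdlastset=-1
o.setinfo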


Screen Cap of Run
---
G:\temp>getuserinfo joehome\joe

GetUserInfo V02.07.00cpp Joe Richards ([EMAIL PROTECTED]) September 2003

User information for joehome\joe  (\\W2KASDC1)

User Name  joe
Full Name
Description
User's Comment
User Type  User
Enhanced Authority AccOp
Account Type   Global
Workstations

Home Directory
User Profile
Logon Script
Flags
Account Expires  Never

Password age in days   40
Password last set  8/23/2003 9:37 AM
Bad PWD count  0

Num logons (this machine)  24
Last logon  12/21/2002 9:42 AM
Logon hours  All


Global group memberships   *Domain Users
Local group memberships  *Account Operators  *Users


Completed.

G:\temp>test
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.


G:\temp>getuserinfo joehome\joe

GetUserInfo V02.07.00cpp Joe Richards ([EMAIL PROTECTED]) September 2003

User information for joehome\joe  (\\W2KASDC1)

User Name  joe
Full Name
Description
User's Comment
User Type  User
Enhanced Authority AccOp
Account Type   Global
Workstations

Home Directory
User Profile
Logon Script
Flags
Account Expires  Never

Password age in days   0
Password last set  10/3/2003 7:03 AM
Bad PWD count  0

Num logons (this machine)  24
Last logon  12/21/2002 9:42 AM
Logon hours  All


Global group memberships   *Domain Users
Local group memberships  *Account Operators  *Users


Completed.

G:\temp>



If you REM out the setting to -1 second piece, this is the account status:

G:\temp>getuserinfo joehome\joe

GetUserInfo V02.07.00cpp Joe Richards ([EMAIL PROTECTED]) September 2003

User information for joehome\joe  (\\W2KASDC1)

User Name  joe
Full Name
Description
User's Comment
User Type  User
Enhanced Authority AccOp
Account Type   Global
Workstations

Home Directory
User Profile
Logon Script
Flags  EXPIRED
Account Expires  Never

Password age in days   0
Password last set  10/3/2003 7:11 AM
Bad PWD count  0

Num logons (this machine)  24
Last logon  12/21/2002 9:42 AM
Logon hours  All


Global group memberships   *Domain Users
Local group memberships  *Account Operators  *Users


Completed.

G:\temp>



So the answer to #3 below is to take the above small code snippet and wrap
it with a loop to go through all users you need cleared.

Now that I have said this, it is for edumacational purposes only. I DO NOT
recommend this as it is bypassing security and logically you do not want to
bypass security because there is a reason you have a password policy. That
reason being if someone is trying to hack you by brute force it takes X days
to get through a password of Y complexity that you have created. Your
password policy is supposed to determine a safe value for X for the Y that
you use. Bypassing the policy with either non-expiring accounts or this
(dare I say chicken clever :o) hack is not only bad, it is overall stupid to
do. That being said I would really hope people just keep this in their
noodle for the holy shit what am I going to do occurrences they have to
handle and not make this some regular thing that they do. I also think you
shouldn't use non-expiring ID's ever either but until MS and other vendors
step up to handling services properly, I think we will have a hard time
getting away from those. 



So, was this an assist or was this a goal? Or possibly was this a majo
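
A defender-side check for the pwdLastSet reset described in the message above, as an added example that is not part of the original post: it compares pwdLastSet with the last originating change time of unicodePwd taken from replication metadata (obtainable, for instance, with repadmin /showobjmeta) and flags accounts whose password age was restamped without a password change. The record layout, the 42-day maximum age, the 5-minute tolerance and every sample value are assumptions constructed for illustration; joe's two timestamps are the ones shown in the post, read as UTC.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# pwdLastSet is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)


def filetime_to_datetime(value):
    """Convert an AD FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the sample records."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def classify(record, now, max_age_days=42, tolerance=timedelta(minutes=5)):
    """Return (status, detail) for one account record.

    Assumed record keys (hypothetical export format):
      sam              account name
      pwdLastSet       integer FILETIME as stored in the directory
      pwd_changed_utc  last originating change time of unicodePwd
    """
    raw = record["pwdLastSet"]
    if raw == 0:
        return "MUST_CHANGE", "pwdLastSet is 0: change required at next logon"
    stamped = filetime_to_datetime(raw)
    changed = record["pwd_changed_utc"]
    true_age = now - changed
    limit = timedelta(days=max_age_days)
    # A real password change writes unicodePwd and pwdLastSet together, so a
    # pwdLastSet newer than the unicodePwd change means only the age was reset.
    if stamped - changed > tolerance:
        detail = "reported age %d d, actual age %d d" % (
            (now - stamped).days, true_age.days)
        if true_age > limit:
            return "AGE_RESET_PAST_POLICY", detail
        return "AGE_RESET", detail
    if true_age > limit:
        return "EXPIRED_BY_AGE", "actual age %d d" % true_age.days
    return "OK", "actual age %d d" % true_age.days


def scan(records, now, **policy):
    """Classify every record; returns a list of (sam, status, detail)."""
    return [(r["sam"],) + classify(r, now, **policy) for r in records]


SAMPLE_NOW = datetime(2003, 10, 20, 12, 0, tzinfo=UTC)  # constructed "today"


def sample_records():
    """Constructed accounts; only joe's timestamps come from the post."""
    def rec(sam, changed, stamped):
        raw = 0 if stamped is None else datetime_to_filetime(stamped)
        return {"sam": sam, "pwdLastSet": raw, "pwd_changed_utc": changed}

    def t(month, day, hour, minute):
        return datetime(2003, month, day, hour, minute, tzinfo=UTC)

    return [
        rec("joe", t(8, 23, 9, 37), t(10, 3, 7, 3)),     # age reset, as in the post
        rec("alice", t(10, 1, 10, 0), t(10, 1, 10, 0)),  # genuine recent change
        rec("bob", t(10, 1, 10, 0), t(10, 15, 10, 0)),   # reset, still within policy
        rec("carol", t(7, 1, 8, 0), t(7, 1, 8, 0)),      # simply overdue
        rec("dave", t(9, 1, 8, 0), None),                # flagged must-change
    ]


if __name__ == "__main__":
    for sam, status, detail in scan(sample_records(), SAMPLE_NOW):
        print("%-6s %-22s %s" % (sam, status, detail))
```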

RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread daniel . gilbert
one word - Haiku

  
  -Original Message-
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 12:36 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: DS Conference

  Thanks for the compliments!

  I think this was our best Directory Experts Conference to date... the 
  presentations were generally stronger than the previous DEC, and the logistics 
  were nearly flawless, thanks to Christine and Stella (still got to get the 
  wireless thing going in the conference room though). The hotel, food, and the 
  city were great.

  Attendance was about 20% greater than the previous DEC, which has been the 
  historical growth rate. There was a good mix, about 45% from Canada, eh?, 40% 
  from the US, and 15% from Europe, and one attendee from Singapore.

  Session evaluations were quite positive, averaging about 4.0 on a 1-5 scale. 
  Overall usefulness of the conference averaged 4.4, and overall satisfaction 
  with the conference averaged 4.5. These are outstanding numbers, and are backed 
  up by the universally positive comments I received from the attendees and 
  speakers during and after the conference.

  Quest, NetPro, HP, and Microsoft sponsored the event.

  Session titles and presenters (many names will be familiar to list denizens)

  Stuart Kwan, Microsoft - Microsoft Directory Services and Identity and Access 
    Management Strategy and Roadmap
  Robbie Allen, Cisco - LDAP Searching: from Basics to Profiling
  Nelson Ruest, Resolution Enterprises - Redesigning GPO Structure for Improved 
    Manageability
  Gil Kirkpatrick, NetPro - Active Directory Performance
  Guido Grillenmeier, HP C&I - Recovering from Active Directory Disasters
  Rex Bachman, HP Software - Service Management of Active Directory, Fact or 
    Fiction
  Mike McHargue, Internosis - Building and operating a Secure Active Directory 
    Infrastructure
  Alan Isham, Intel - Managing Change in a Fortune 500 Active Directory Forest
  Alain Lissoir, HP C&I - Disabling an Active Directory Schema Extension
  John Reijnders, LogicaCMG - To Trust or Not To Trust
  Jeremy Palenchar, Washington Mutual - Active Directory and Windows Server 2003 
    in a Customer Facing Role
  Ioan Donea, Infrascope - DSML: XML Functionality for Your Directory Services
  Wook Lee, HP Managed Services - Illegal Immigrants, No PAS Zones, and Other 
    Hazards on the Road to Windows 2003
  Alain Lissoir, HP C&I - Leverage Your Windows Infrastructure Monitoring to the 
    WMI Scripting Power
  Dave Sayers, Mark Cribben, Microsoft MCS - Restructuring Active Directory in 
    Windows Server 2003
  Paul Rich, Microsoft OTG - Microsoft's Directory Architecture, Principles, and 
    Multi-Forest Challenges

  We also had an informal AD haiku contest, won handily by Wook. I'll post links 
  to the haiku later.

  Example:

  Authentication.
  Sometimes it works well.
  Sometimes it doesn't.

  The next DEC is being scheduled, but will most likely be in the Washington DC 
  area in April 2004. A call for papers will be published soon.

  I hope you all can attend!

  -g

  Gil Kirkpatrick
  CTO, NetPro
  

-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

Second that (or third that). I could only be there for the first day but that
day was Guido Grillenmeir, Robbie Allen, Nelson Roust (sp?) and of course Gil
Kirkpatrick and Stuart Kwan. It was a great day. Stuart always gives a fantastic
presentation which is not only entertaining but filled with great
information. It is of course great to hear from Microsoft to help understand
their roadmap. Guido's presentation on recovery has great detail and fully
demonstrates the value of understanding the process and being prepared for
unpredictable disaster. Robbie knows LDAP querying incredibly well and does
a fantastic job presenting. It is great to hear from people like Robbie who
use AD to its fullest extent in his current job and produces such great
books to help the industry benefit from his experiences. Nelson's
presentation was great (I missed much of it due to a con call), and Gil of
course always adds a ton of value.

I learned that Smarties are not what I thought they were (thanks Stuart), and
that NetPro is banning the chicken (I have mixed reactions on this one). NetPro
did a fantastic job hosting this event. My second time attending and I am sure
I will have it on my schedule moving forward!

Kevin Sullivan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 12:51 PM
To: [EMAIL PROTECTED]

I was there

RE: [ActiveDir] Password Policy

2003-10-02 Thread daniel . gilbert
Can you set the expiration date out far enough to allow you to have an
expiration date.
Then run a script that will expire a portion of the users in say two weeks.
Re-run the script with a different set of users with expiration set to 4
weeks away and so on??

Dan

-Original Message-
From: Travis Riddle [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 02, 2003 12:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Policy


I made a slight error when creating a group policy, and now need some advice
on how to fix it.  Hopefully someone will be kind enough to help out.  I
have a single domain with 2 sites.  I created a Default Policy for the
entire domain with fairly minimal settings (such as password policy, proxy
settings and a few IE settings).  Our manufacturing facility is our largest
site, and our corporate offices is significantly smaller, so instead of
applying one policy several times I set block policy inheritance for the
corporate OU (so they wouldn't get the Proxy and IE settings).  I then set
password settings on the separate corporate OU.  Well, I guess I didn't
realize at the time that you could only have one password policy for the
domain, so basically they haven't had to change their passwords for some
time now.

So here is the problem, I need to enable the password policy for corporate,
but if I do I think it will immediately expire their passwords (since they
are well over 90 days old).  Is my thinking wrong here, and is there a way
around this or am I going to have to call the corporate guys and have them
manually change their passwords?  Any ideas?

Your suggestions are much appreciated,

Thanks,

Travis
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
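
The staggered approach suggested in this thread can be planned before the domain policy is enabled. The following is an added example, not code from the thread: it converts `pwdLastSet` values (Windows FILETIME ticks) to dates, lists the accounts that would be expired the moment a 90-day maximum age applies, and splits them into two-week waves. The account names, the sample values and all function names are constructed for illustration; how each wave is actually enforced (for example by a script that sets `pwdLastSet` to 0 on the wave date) is an assumption.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Convert an aware datetime to FILETIME ticks."""
    delta = moment - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def overdue_accounts(accounts, max_age_days, now):
    """Return (name, age_in_days) for every password older than the maximum
    age, oldest first. These are the accounts that expire as soon as the
    domain password policy takes effect."""
    limit = timedelta(days=max_age_days)
    overdue = []
    for name, pwd_last_set in accounts.items():
        if pwd_last_set == 0:
            # 0 already means "must change password at next logon".
            continue
        age = now - filetime_to_datetime(pwd_last_set)
        if age > limit:
            overdue.append((name, age.days))
    return sorted(overdue, key=lambda item: (-item[1], item[0]))


def plan_waves(overdue, wave_count, interval_days, start):
    """Split the overdue accounts into wave_count batches. The first batch is
    due interval_days after start, the next interval_days later, and so on.
    Returns a list of (iso_date, [account names])."""
    if not overdue or wave_count < 1:
        return []
    names = [name for name, _ in overdue]
    size = -(-len(names) // wave_count)  # ceiling division
    waves = []
    for index in range(wave_count):
        batch = names[index * size:(index + 1) * size]
        if batch:
            due = start + timedelta(days=interval_days * (index + 1))
            waves.append((due.date().isoformat(), batch))
    return waves


# Constructed sample data: the thread's date and made-up accounts.
NOW = datetime(2003, 10, 2, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = {
    "alice": datetime_to_filetime(NOW - timedelta(days=400)),
    "bob": datetime_to_filetime(NOW - timedelta(days=200)),
    "carol": datetime_to_filetime(NOW - timedelta(days=30)),
    "dave": datetime_to_filetime(NOW - timedelta(days=95)),
    "erin": 0,
    "frank": datetime_to_filetime(NOW - timedelta(days=150)),
}

if __name__ == "__main__":
    stale = overdue_accounts(SAMPLE_ACCOUNTS, 90, NOW)
    print("Expired immediately under a 90-day policy:", stale)
    for due, batch in plan_waves(stale, 2, 14, NOW):
        print("Force change on", due, "for", ", ".join(batch))
```

Sorting oldest first puts the stalest passwords in the earliest wave, so the accounts that have gone longest without a change are rotated first.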


RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread daniel . gilbert



The Final Chicken hopes to make a cameo appearance at the next DEC. ;-)

  
  -Original Message-
  From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 10:56 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: DS Conference

  Second that (or third that). I could only be there for the first day but that
  day was Guido Grillenmeir, Robbie Allen, Nelson Roust (sp?) and of course Gil
  Kirkpatrick and Stuart Kwan. It was a great day. Stuart always gives a
  fantastic presentation which is not only entertaining but filled with great
  information. It is of course great to hear from Microsoft to help understand
  their roadmap. Guido's presentation on recovery has great detail and fully
  demonstrates the value of understanding the process and being prepared for
  unpredictable disaster. Robbie knows LDAP querying incredibly well and does a
  fantastic job presenting. It is great to hear from people like Robbie who use
  AD to its fullest extent in his current job and produces such great books to
  help the industry benefit from his experiences. Nelson's presentation was
  great (I missed much of it due to a con call), and Gil of course always adds
  a ton of value.

  I learned that Smarties are not what I thought they were (thanks Stuart), and
  that NetPro is banning the chicken (I have mixed reactions on this one).
  NetPro did a fantastic job hosting this event. My second time attending and
  I am sure I will have it on my schedule moving forward!

  Kevin Sullivan

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 12:51 PM
  To: [EMAIL PROTECTED]

  I was there too!  Learned a lot.
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 9:42 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

I was there and must say it was very worthwhile!

Michael Parent MCSE MCT
Analyst I - Web Services ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

Roger Seielstad <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
10/02/2003 01:32 PM
Please respond to ActiveDir

To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] OT: DS Conference

I'm betting Gil will chime in here shortly (since I believe you're talking
about his company's conference).   http://www.netpro.com

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 11:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: DS Conference

Hi guys,

Does anyone have info about the DS conference that was recently held ?

Any comments ???

Yusuf
__
For information about the Standard Bank group visit our web site
__
Disclaimer and confidentiality note
Everything in this e-mail and any attachments relating to the official
business of Standard Bank Group Limited  is proprietary to the group. It is
confidential, legally privileged and protected by law. Standard Bank does not
own and endorse any other content. Views and opinions are those of the sender
unless clearly stated as being that of the group. The person addressed in the
e-mail is the sole authorised recipient. Please notify the sender immediately
if it has unintentionally reached you and do not read, disclose or use the
content in any way.
Standard Bank can not assure that the integrity of this communication has been
maintained nor that it is free of errors, virus, interception or interference.
___



RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread daniel . gilbert



I was there too!  Learned a lot.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 9:42 AM
  To: [EMAIL PROTECTED]
  Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: DS Conference

  I was there and must say it was very worthwhile!

  Michael Parent MCSE MCT
  Analyst I - Web Services ITOS - Systems Enablement
  Maritime Life Assurance Company
  (902) 453-7300 x3456

  Roger Seielstad <[EMAIL PROTECTED]>
  Sent by: [EMAIL PROTECTED]
  10/02/2003 01:32 PM
  Please respond to ActiveDir

  To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
  cc:
  Subject: RE: [ActiveDir] OT: DS Conference

  I'm betting Gil will chime in here shortly (since I believe you're talking
  about his company's conference).   http://www.netpro.com

  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

  -Original Message-
  From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 11:55 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] OT: DS Conference

  Hi guys,

  Does anyone have info about the DS conference that was recently held ?

  Any comments ???

  Yusuf
  


RE: [ActiveDir] Logon Takes too Long!

2003-10-02 Thread daniel . gilbert



No fair :-( The rest of us haven't had a chance to read Robbie's book.

Dan

  
  -Original Message-
  From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 4:25 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Logon Takes too Long!

  According to Robbie Allen's cook book, you could be experiencing Kerberos UDP
  fragmentation.  You should really test your network connectivity, run portqry
  against your domain controllers testing ports 88, 389, 3268.  Check your DNS
  make sure your GC's are published correctly.  And as mentioned, run the
  netdiag remotely, and DCDIAG.  I am also a big fan of Netpro's directory
  Troubleshooter for assisting some of this solutions since knowing all the
  various ways to run the tools is pretty tedious unless you have Robbie's book
  handy.

  Just my 2 cents.

  Toddler

  -Original Message-
  From: George Arezina [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 5:21 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Logon Takes too Long!

  Hi people,
  Has anyone had logon problems with Windows 2003 server with AD installed? I
  have a test environment with Windows 2003 servers and Windows XP Pro
  workstations, no W2K/NT servers or workstations. After installing AD, users
  are taking around 20 minutes to logon to the domain. I have raised the domain
  and forest levels to 2003. Can anyone give me some suggestions or ideas?
  Regards,
  George

  George Arezina
  BA, A+, Net+, MCSE 2000
  Information Technology Consultant

  National Bank of Serbia
  Pop Lukina 7-9, 11000 Belgrade.
  E-mail: [EMAIL PROTECTED]
  Phone: +381 (11) 3202-474
  GSM:   +381 (63)  342-321

RE: [ActiveDir] Software Install to DC's via GPO

2003-09-29 Thread daniel . gilbert
Any indication of the failure in the Event Logs??

Dan

-Original Message-
From: Frustrated Admin [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 29, 2003 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Software Install to DC's via GPO


Yeah, I did that as well as rebooted several times, I
even let it sit for a day and came back to it.. Still
no dice.


--- Roger Seielstad <[EMAIL PROTECTED]> wrote:
> Have you tried executing "secedit /refreshpolicy machine_policy
> /enforce" from one of the domain controllers? I've found that
> generally machine policies are most often enforced at reboot time,
> unless specifically forced.
>
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
>
> > -Original Message-
> > From: Frustrated Admin [mailto:[EMAIL PROTECTED]
> > Sent: Monday, September 29, 2003 4:29 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Software Install to DC's via GPO
> >
> >
> > I'm having trouble getting my domain controllers to
> > accept an assigned .msi based application deployment.
> > The policy is "assigned" under the Software
> > installation under computer configuration in the
> > policy.  I tried linking the policy to the Domain Controllers OU.
> > But, the application wouldn't deploy.
> > Next, I linked the policy to the Domain.  Still
> > couldn't deploy to the DCs, but was able to deploy to
> > member servers in that domain.
> >
> >
> > I have a separate policy for the deployment (it's not
> > part of Default Domain Controllers OU policy).  The
> > policy is first in the execution list and it's set to
> > no override (which I don't believe makes a difference
> > when dealing with application deployment).  The
> > software share is located on a member server in the
> > same tree/domain and on the same subnet as the DCs.
> > The share permissions are full control for the
> > Everyone group.  I can access the share for the target
> > DCs.
> >
> >
> > So my question is, can I deploy applications via GPOs
> > to domain controllers?




RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-09-02 Thread daniel . gilbert



And a hard question might be???

  
  -Original Message-
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, September 02, 2003 1:39 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

  We're giving a couple of them away at DEC Ottawa. So all you need to do
  is show up, answer a ridiculously easy question (e.g. how many CPU clocks are
  in the best case, non-error instruction path on a DC performing a non-SSL base
  level search of an existing directory object?), and you get a free book.

  -g

  Gil Kirkpatrick
  CTO, NetPro

-Original Message-
From: AD [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 1:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

Would love to get his book. Not available from Chapters. ISBN #0672315874.

Do you have an extra copy you would like to sell?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, August 25, 2003 1:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

Hey Joe,

Wow, thanks for the compliment dude.

Is the SID bind part of the ADSI ADsPath syntax, or is it something supported in
LDP? I haven't seen it before as part of ADSI.

-g
Gil Kirkpatrick
CTO, NetPro

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 7:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

This is an adsi thing and is called a SID Bind, you can also do a GUID bind in
a similar manner. If you are using LDAP API instead of ADSI you need to
encode the sid back into an octet string and do the search with it. Check
out Gil Kirkpatrick's Programming Active Directory as he has some good
info on this type of schtuff. Actually if you are doing any AD
programming, get that book. Gil rocks. :op

  joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

I never heard of using an attribute as your BaseDN.

If this worked for you I really would like to know how you did it.

Thanks

Y

From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

Why not use LDP and set it like this:

Base DN Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB
CEO & Principal Advisor
Microsoft MVP - Active Directory
-- www.qadvice.com --

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

My query looks like this:

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344))

Doesn't return anything. I know the sid must be converted but I am not sure
what format it should be in.

Thanks

Y
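
The thread notes that a plain LDAP API search needs the SID encoded back into an octet string. The following is an added example, not code from the thread or from the book it mentions: it packs a string SID into its binary layout (revision byte, sub-authority count, 6-byte big-endian identifier authority, 4-byte little-endian sub-authorities) and escapes each byte as `\XX` for use in a search filter. All function names and the sample domain SID are constructed for illustration.

```python
import struct


def sid_to_bytes(sid):
    """Pack a string SID such as 'S-1-5-32-544' into its binary form."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a string SID: %r" % sid)
    if not all(part.isdigit() for part in parts[1:]):
        raise ValueError("non-numeric field in SID: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    sub_authorities = [int(part) for part in parts[3:]]
    if revision > 0xFF or authority >= 1 << 48:
        raise ValueError("revision or authority out of range: %r" % sid)
    if len(sub_authorities) > 15:
        raise ValueError("too many sub-authorities: %r" % sid)
    if any(value >= 1 << 32 for value in sub_authorities):
        raise ValueError("sub-authority does not fit in 32 bits: %r" % sid)
    return (
        struct.pack("BB", revision, len(sub_authorities))
        + authority.to_bytes(6, "big")            # identifier authority
        + b"".join(struct.pack("<I", value) for value in sub_authorities)
    )


def bytes_to_sid(raw):
    """Unpack a binary SID (as read from objectSid) into its string form."""
    if len(raw) < 8:
        raise ValueError("binary SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    sub_authorities = struct.unpack("<%dI" % count, raw[8:])
    fields = [str(revision), str(authority)] + [str(v) for v in sub_authorities]
    return "S-" + "-".join(fields)


def ldap_escape_bytes(raw):
    """Escape every byte as \\XX, the form a filter takes for binary values."""
    return "".join("\\%02x" % byte for byte in raw)


def objectsid_filter(sid, extra="(objectCategory=user)"):
    """Build a search filter that matches one object by its SID."""
    return "(&%s(objectSid=%s))" % (extra, ldap_escape_bytes(sid_to_bytes(sid)))


# Constructed sample value, not taken from any real domain.
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-512"

if __name__ == "__main__":
    print(objectsid_filter(SAMPLE_SID))
    print(bytes_to_sid(sid_to_bytes(SAMPLE_SID)))
    try:
        # The value posted in the thread is not a well-formed string SID.
        sid_to_bytes("S15-2-4-341234134123412432412344")
    except ValueError as error:
        print("rejected:", error)
```

Validating the string form before building the filter also keeps untrusted input from being spliced into the filter text, since only digits ever reach the encoder.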


RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-19 Thread daniel . gilbert
People hear it and still stay out on break :-)

-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 19, 2003 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Very, very jealous... It is a horrible sound.

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 19, 2003 2:35 PM
To: '[EMAIL PROTECTED]'

Gil, 
received one screamin rubber chicken... I love it! Great sound. My
fellow sysadmins just might slit a throat today. It remains to be seen if it
will be mine or the chicken's :^) Thanks again! -JB


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 1:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


John,

Stella has put the world-famous Official DEC Screaming Yellow Rubber Chicken
in the mail, so you should get it by the end of the week or so. When you do
get it, be sure to give it a good squeeze.

When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name)
told me that someone in his office had received one and the noise was
driving him crazy. Scratch the chicken off the list of how to win friends
and influence people.

-gil


-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Gil, 
I'm not THAT old! Man, next you'll be implying that I built the
DARPAnet! 
(and we all know it was Al Gore who's responsible for that!) *grin* Nah, I
just have a fondness for old, dead languages and remembered seeing that one
before. I actually had a book mark to a "history of computing" type doc that
had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times
and budgets being what they are. But I'll take the chicken... sounds like
cool geek-schwag :^)

 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane
mittam.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on
Unisys minis? Or did you just get lucky with Google? :)

I'm thinking that your answer deserves a world-famous Official DEC Screaming
Yellow Rubber Chicken, whose hideous screech is known to strike fear in the
hearts of dogs, cats, and small children.
 
Are you coming to DEC Ottawa? I can give it to you there, along with your
free beer. Otherwise, send me your shipping info offlist, and no beer for
you.

-gil

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


prints a table of primes, formatting it into columns. What's my prize :^)


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 9:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Have you ever coded in MUMPS? It doesn't matter who the programmer is; its
ALWAYS unreadable. I think MUMPS programmers invented the term "write-only
programs".

Typical MUMPS program:

f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q  s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 6:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Connection String


Ha!  It is not the language that makes code unreadable, it is the PROGRAMMER
:-)

Robbie Allen
http://www.rallenhome.com/

> -Original Message-
> From: Glenn Corbett [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2003 9:38 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Connection String
> 
> 
> HAHAHAPerl
> 
> I like to be able to read my code and understand it again in 6 months
> :)
> 
> Glenn
> 
> - Original Message -
> From: "Robbie Allen" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, August 05, 2003 11:14 PM
> Subject: RE: [ActiveDir] Connection String
> 
> 
> > > Come over to t

RE: [ActiveDir] Group Policy

2003-08-14 Thread daniel . gilbert
We do. It is our way to display the GPO's in human readable format.

Dan

-Original Message-
From: Ellis, Debbie [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 10:32 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Group Policy


Does anyone have a Group Policy  Spreadsheet ?


RE: [ActiveDir] Home Labs Interconnected

2003-08-14 Thread daniel . gilbert
Or maybe DirectoryInsight :-)

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 07, 2003 2:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Home Labs Interconnected


This sounds like a job for Directory Lockdown!

Toddler

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 07, 2003 5:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Home Labs Interconnected


Even if you trust everyone, coordination remains a problem. Chat and such
are fine, but if I'm running some tests over the course of a couple of
evenings or a weekend, how can I reasonably expect 20 other people to leave
the whole thing alone for that length of time? And how do I put everything
back the way it was? (I guess remotely deployable VMWare is the obvious
answer to this last issue.)

-g

-Original Message-
From: Cary, Mark [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 07, 2003 1:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Home Labs Interconnected


What happens in the real world when this happens?  With message boards, chat
rooms, and instant messengers configuration changes could be documented and
discussed.  Your question goes back to trust, Is someone going to make
changes on their own with no concern for the other participants?


-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 2:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Home Labs Interconnected


Interesting idea I would think that trust isn't so much of an issue as
configuration management. If you have 20 people link their 100 servers into
a couple of AD forests (for instance), how do you make sure no one
reconfigures the replication topology right when you're in the middle of
testing out some site-specific GPO?

-g

-Original Message-
From: Cary, Mark [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 07, 2003 10:33 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Home Labs Interconnected


I wanted to pose this idea to the group and get some feedback.  

Resources at work are limited for a test lab and I only have 3 computers at
home for a lab, and I would think at least some of you are in similar
situations.  The home lab is ok for some stuff but I find it's hard to put a
real world slant on such a small network.  

Would it be plausible to get several IT people, that haven't really met just
interacted online (such as this list), to connect their home labs over the
Internet creating a larger lab environment.  This would create many
different sites and subnets, something hard to do in a standalone home lab
with limited hardware.  I see the biggest issue would be with security and
trust, could this be overcome?  Could this experiment succeed or would some
people always be trying to trash everyone else's computers?

What do you think?


The information contained in this message is confidential and is intended
for the addressee(s) only.  If you have received this message in error or
there are any problems please notify the originator immediately.  The
unauthorized use, disclosure, copying or alteration of this message is
strictly forbidden. Badger Meter, Inc. will not be liable for direct,
special, indirect or consequential damages arising from alteration of the
contents of this message by a third party or as a result of any virus being
passed on.


RE: [ActiveDir] How to force RID master change

2003-08-14 Thread daniel . gilbert
One thing to do is use NTDSUTIL to seize the RID master role.  Remove all
references to the failed DC in AD (ADSI edit, Sites and Services, DNS,)

Let replication update all DC's.

You should then be able to bring the server back using its original name.

HTH

-Original Message-
From: EN [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 12, 2003 10:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to force RID master change


Thanks,
I have a question though.  I want to still use this server.  I got a
completely new HD in there now, and I want to use the same name.  Bad idea?
What should I really do, this is the first time this has happened and I
haven't read of what should be done when something like this occurs.

Ernesto


- Original Message - 
From: "Chianese, David P." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 12, 2003 12:33 PM
Subject: RE: [ActiveDir] How to force RID master change


> NTDSUTIL.EXE, follow the prompts to seize the role.  NOTE: Once you
> seize this role make sure the dead RID is offline and fdisk'd as you
> never want that server to come back and start servicing DC's with its
> old RID pool. The new RID master will artificially inflate the RID
> pool to a higher number and if per chance the old RID master comes
> back online in the future it could potentially catch up to the new
> RID master and issue duplicates. That is a big mess you don't want
> to get into.
>
>
> Regards,
>
> Dave
>
> -Original Message-
> From: EN [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 12, 2003 1:27 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] How to force RID master change
>
>
> I'm searching the knowledgebase, but I thought maybe someone had
> something I could use here as well.
>
> Well, one of my DCs just died, hard drive failed completely.  Fine. I
> have another DC, but now I can't change the RID role.  I could change
> the GC, PDC and infrastructure, but the RID master can't be changed,
> and it states on the tab "server is offline.  Can't change roles"
> What's the best way to force the change? Thanks
>
>
>
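
Added example, not part of the thread: a toy Python model of the duplicate-RID risk described in the quoted reply above, where a seized RID master hands out blocks above an inflated starting point and the old master, if it comes back unwiped, keeps allocating from its stale counter until it catches up. The block size, the bump applied on seizure, the starting value and the DC names are constructed assumptions for illustration.

```python
"""Toy model of RID block allocation; a constructed illustration, not AD code."""
from dataclasses import dataclass, field

BLOCK_SIZE = 500      # assumed number of RIDs handed to a DC per request
SEIZE_BUMP = 10_000   # assumed amount the seizing DC inflates the pool by


@dataclass
class RidMaster:
    name: str
    next_available: int                          # first RID not yet handed out
    issued: list = field(default_factory=list)   # (master, dc, first, last)

    def allocate_block(self, dc):
        """Hand the next contiguous block of RIDs to a requesting DC."""
        first = self.next_available
        last = first + BLOCK_SIZE - 1
        self.next_available = last + 1
        self.issued.append((self.name, dc, first, last))
        return first, last


def seize(replicated_next_available, new_name):
    """New master starts above the last value it saw replicated."""
    return RidMaster(new_name, replicated_next_available + SEIZE_BUMP)


def overlaps(blocks):
    """Pairs of blocks issued by different masters that share any RID."""
    clashes = []
    for i, a in enumerate(blocks):
        for b in blocks[i + 1:]:
            if a[0] != b[0] and a[2] <= b[3] and b[2] <= a[3]:
                clashes.append((a, b))
    return clashes


def simulate(old_master_returns, blocks_after_return=25):
    old = RidMaster("DC1", next_available=1_600)   # constructed start value
    old.allocate_block("DC2")                      # normal operation
    new = seize(old.next_available, "DC2")         # DC1 dies, DC2 seizes
    for dc in ("DC2", "DC3"):
        new.allocate_block(dc)
    if old_master_returns:                         # DC1 was never wiped
        for n in range(blocks_after_return):
            old.allocate_block(f"stale-client-{n}")
    return overlaps(old.issued + new.issued)


if __name__ == "__main__":
    print("old master wiped:   ", simulate(False))
    print("returns, 20 blocks: ", simulate(True, 20))
    for a, b in simulate(True, 25):
        print("duplicate RIDs", a[2], "-", a[3], "issued by", a[0], "and", b[0])
```

In this model the returning master stays harmless for its first 20 blocks and starts issuing the same RIDs as the new master on the 21st, which is why the collision can surface long after the seizure.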



RE: [ActiveDir] Special DEC offer (was ADAM Doc)

2003-08-04 Thread daniel . gilbert
Hey, I've seen movies of his toys.  He can afford a beer or two.

Off we go, into the wild blue yonder...

Dan

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 04, 2003 10:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Special DEC offer (was ADAM Doc)


I knew that... I was just pulling your chain :)... No apologies necessary.

-gil

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 04, 2003 6:28 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Special DEC offer (was ADAM Doc)


I apologize, 

What I was referring to was at DEC the first night there is a mixer, and
also after each night's sessions there are mixers as well.  I wasn't
referring to Gil having to take us all out on a night on the town.  Sorry if
I overstepped my spending Gil, it won't happen again. :>

Toddler

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 04, 2003 12:26 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Special DEC offer (was ADAM Doc)


Gettin' kinda loose and happy with *my* tab aren't you Todd?

Tell you what. Anyone who has posted to this list in the past month and
shows up in Ottawa gets a round on the house. Just mention this special
offer... 

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 03, 2003 7:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADAM Doc


Rick, 

I took no offense to your clarification, nor Kevin's "".  It's just email.
This silly thing (email) tends to cause confusion sometimes.  What we really
need is a virtual bar, that serves real drinks, so on Fridays after a long
week of getting kicked around we can drink, swap stories, and maybe play a
hand of virtual Texas Hold'em or two.

I tell you what, if the two of you come to DEC in Ottawa, I will buy you a
round of drinks on Gil's Tab.  I will bring the deck of cards.

Toddler  

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 03, 2003 9:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM Doc

Kevin,

I'm not sure I get your meaning "Thanks from most of us".  Was this somehow
insinuating that I didn't appreciate Todd posting the release of AD/AM, or
is it that I would dare to correct or clarify a post?

Help me with this, because I very much appreciate all of the posts on this
list, and will thank each and every person.  That's much more than most are
willing to do.

Thanks for your comments.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent
Sent: Saturday, August 02, 2003 3:28 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] ADAM Doc

Thanks from most of us


- Original Message -
From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, August 02, 2003 9:18 AM
Subject: RE: [ActiveDir] ADAM Doc


> Err oops!
>
> Sorry.
>
> Toddler
>
> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Saturday, August 02, 2003 12:49 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] ADAM Doc
>
> Todd and all -
>
> This is more than just the Docs - this is the release of AD/AM and the
> included materials - a walkthrough (lab type material) and demo setup
> files. This is the same material that we were presented with for beta
> and is really quite good for getting your hands dirty.
>
> Enjoy!
>
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
> (NIH/CIT)
> Sent: Friday, August 01, 2003 7:39 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] ADAM Doc
>
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&DisplayLang=en
>
>
>



RE: [ActiveDir] Special DEC offer (was ADAM Doc)

2003-08-04 Thread daniel . gilbert
Gil,

I believe I will take you up on that :-)

Dan

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 03, 2003 9:26 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Special DEC offer (was ADAM Doc)


Gettin' kinda loose and happy with *my* tab aren't you Todd?

Tell you what. Anyone who has posted to this list in the past month and
shows up in Ottawa gets a round on the house. Just mention this special
offer... 

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 03, 2003 7:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADAM Doc


Rick, 

I took no offense to your clarification, nor Kevin's "".  It's just email.
This silly thing (email) tends to cause confusion sometimes.  What we really
need is a virtual bar, that serves real drinks, so on Fridays after a long
week of getting kicked around we can drink, swap stories, and maybe play a
hand of virtual Texas Hold'em or two.

I tell you what, if the two of you come to DEC in Ottawa, I will buy you a
round of drinks on Gil's Tab.  I will bring the deck of cards.

Toddler  

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 03, 2003 9:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM Doc

Kevin,

I'm not sure I get your meaning "Thanks from most of us".  Was this somehow
insinuating that I didn't appreciate Todd posting the release of AD/AM, or
is it that I would dare to correct or clarify a post?

Help me with this, because I very much appreciate all of the posts on this
list, and will thank each and every person.  That's much more than most are
willing to do.

Thanks for your comments.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent
Sent: Saturday, August 02, 2003 3:28 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] ADAM Doc

Thanks from most of us


- Original Message -
From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, August 02, 2003 9:18 AM
Subject: RE: [ActiveDir] ADAM Doc


> Err oops!
>
> Sorry.
>
> Toddler
>
> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Saturday, August 02, 2003 12:49 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] ADAM Doc
>
> Todd and all -
>
> This is more than just the Docs - this is the release of AD/AM and the
> included materials - a walkthrough (lab type material) and demo setup
> files. This is the same material that we were presented with for beta
> and is really quite good for getting your hands dirty.
>
> Enjoy!
>
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
> (NIH/CIT)
> Sent: Friday, August 01, 2003 7:39 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] ADAM Doc
>
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&DisplayLang=en
>
>
>




RE: [ActiveDir] Space on computer

2003-07-24 Thread daniel . gilbert



Pagefile???

  
  -Original Message-
  From: Juan Ibarra [mailto:[EMAIL PROTECTED]
  Sent: Thursday, July 24, 2003 3:40 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Space on computer

  Hello, to all, sorry for the off topic question but this I can't find an
  answer to.

  I have a windows 2000 professional machine with a 12G HD with two
  partitions.

  C:\ is 9G
  D:\ is 3G

  C:\ says that it has 2G left of free space, If I unhide all hidden and
  system files and right click on them and go to properties, it tells me it
  is using 5Gs.

  My question here is: Where are the other 2Gs?  I have done defrag on the
  disk and I don't seem to recover the missing space.  Any comments would be
  appreciated.

  Thanks, Juan


RE: [ActiveDir] Group Policy question

2003-07-21 Thread daniel . gilbert
Chris,

 

I am sure you raised this issue to the "higher ups" you mentioned, but
wouldn't it be easier to develop an OU architecture that broke the
>20,000 users up into separate OUs for management?  That way those
40-50 OU Admins would be further broken up to their respective OU.

I would think you could sell the "higher ups" on the ability to
delegate to those OUs.

 

Just my $0.02

 

Dan

 

-Original Message-
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question

 



Let me give more info as to why I'm asking this question. The idea has been
floated of putting all of our user accounts (>20,000) into one OU. Other OUs
would exist, where groups would reside. Access would be given to 40-50
different OU admins to the primary User OU, and they would determine who they
would put into their own groups. From there, GPOs would be applied to the OUs
by the OU admin, with the GPO being applied to the group members (which
everyone here says is impossible).

I have a headache just thinking of this because of having 40-50 people having
access to all user accounts and trying to make sure they only touch what they
are supposed to touch, etc. I'm supposed to find all possible reasons why not
to do this. So, I ask questions.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crenshaw, Jason
Sent: Monday, July 21, 2003 1:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group Policy question

To make this clear to everyone.

Yes a user can be in more than one group.  The question you are asking is can
a GPO be applied to a group?  - NO

Read MS article 322176:  http://support.microsoft.com/?kbid=322176

Hope that this helps,

Jason Crenshaw
Sandia National Laboratories



 

Short Answer:

 

NOTE: GPOs are applied only to sites, domains, and organizational units. Group
Policy settings affect only the users and the computers that they contain.
Specifically, GPOs are not applied to security groups.

The location of a security group in Active Directory does not affect filtering
through that security group as it is described in this procedure. 

If a user or a computer is not contained in a site, a domain, or an
organizational unit that is subject to a GPO either directly through a link, or
indirectly through inheritance, you cannot set any combination of permissions
on any security group to make those Group Policy settings affect that user or
computer. 

Filtering at the GPO level, as it is described in this procedure, causes the
GPO to be processed or not processed as a whole. The Software Installation
extension and the Folder Redirection extension use security groups to refine
control beyond the GPO level. Except for Folder Redirection and Software
Installation, security groups are not used to filter individual settings or
subsets of a GPO. For control over individual settings, edit or create a GPO
instead.

 

-Original Message-
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 12:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question

 



A user can be a member of more than one group. If a user is a member of two
groups that are in separate OUs, then the user can have group policy applied
to two separate groups based on ACLs within each OU? I don't need an object
existing in two separate OUs. I just need two separate groups with a user
being in each group, with each group in separate OUs.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crenshaw, Jason
Sent: Monday, July 21, 2003 12:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group Policy question

   
What is group policy or a GPO?

 

Group policy is a new Windows term for common
configuration settings. An administrator can create a group policy which
applies to users or computers. This group policy can set certain computer
settings such as who can login to the computer or user settings such as whether
the user can run control panel applets. Group policy is similar to what was
called policy in NT4, but there is a vastly improved performance together with
a greater number of common configuration settings. A GPO, or group policy
object, is a set of settings applied to a site, domain or OU container. The GPO
then is applied to every machine or user object under that container. One can
configure a GPO with ACLs to restrict the computers or users to which it is
applied.

 

This
also suggests that it is technically impossible to do since a user object