RE: [ActiveDir] DNS scavenging question

2006-12-07 Thread Figueroa, Johnny

I don't believe that static records age, so they should not be affected
by scavenging? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kurt Falde
Sent: Thursday, December 07, 2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS scavenging question

http://technet2.microsoft.com/WindowsServer/en/library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx?mfr=true

dnscmd /startscavenging

I would recommend you make a backup of your zone before you ageall and
start scavenging. Have you taken into consideration records that need to
be there, which you will need to recreate as static entries, i.e.
www.company.com etc.?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, December 07, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS scavenging question

I have a rather off the wall DNS scavenging question.

I have a bunch of DNS records that are stale and need to be scavenged
out of the zone.  Following the O'REILLY book: DNS on Windows Server
2003 I have configured aging and scavenging.  (Don't ask why this wasn't
done when the zone was first setup, that is another story)

Now I know: If scavenging is disabled on a standard zone and you enable
scavenging, the server does not scavenge records that existed before you
enabled scavenging. The server does not scavenge those records even if
you convert the zone to an Active Directory-integrated zone first.

To enable scavenging of such records, use the AgeAllRecords in
Dnscmd.exe.  I know this must be done in order to configure existing
records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove
all stale records?  I would not want to have to wait until the no-refresh
and refresh intervals expire.


Daniel Gilbert


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] DC crashed

2006-11-03 Thread Figueroa, Johnny

1) I would Google how to seize the FSMO roles.

2) Google how to cleanup metadata for the failed DC

3) Once all of that is done, I would still use a different name and IP
for the rebuilt server before going on with a DCPROMO. Unless you had to
use the same.

4) Use DCDIAG on the other DCs prior to and after promoting the rebuilt
one.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Friday, November 03, 2006 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC crashed

Did you delete this server object from ADUC? If not, that's probably
what you need to do.
 

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clingaman, Bruce
Sent: Friday, November 03, 2006 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC crashed


I apologize for not doing my homework first, but I'm in a pickle
and need help fast.
 
One of my domain controllers (which held all the fsmo roles)
crashed and I had to reinstall. 
Now that I've reinstalled, I'm ready to rejoin and promote. But
I can't; I get User already exists when trying to join.
I am using the same computer name as before. I have not deleted
or changed anything in the directory on the other server yet.
What do I need to do to get my old server back as a domain
controller? 
Links to articles or even words to search by would be of great
help.
 
Thanks for any advice.
 
Bruce.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] OT: TechED 2007

2006-10-19 Thread Figueroa, Johnny

Any dates? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, October 19, 2006 4:29 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: TechED 2007

It's Florida!


Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Figueroa, Johnny



Does anyone have a way to determine if a domain global group is being used?
Will auditing on the DCs tell me this?

Thanks in advance.

Johnny Figueroa


RE: [ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Figueroa, Johnny



The tough one... being used in resource ACLs


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 10:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

What do you mean by "being used"? Are you referring to it being in resource
ACLs? Nested into other groups?

Laura

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
  Sent: Wednesday, September 06, 2006 12:44 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Is a Global Security group being used?

  Does anyone have a way to determine if a domain global group is being used?
  Will auditing on the DCs tell me this?

  Thanks in advance.

  Johnny Figueroa


RE: [ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Figueroa, Johnny



Thank you everyone.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 12:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

There are lots of utilities to report ACLs. The issue is, depending upon the
size of the environment, this could be a lot of work that may not be worth it,
depending on how badly the OP wants to know if the group is being used
anywhere.

Laura

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
  Sent: Wednesday, September 06, 2006 2:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is a Global Security group being used?

  Try Hyena. I believe that it has the option to report on ACLs and list the
  relevant users/groups
  
  
  
  Sincerely,
  Deji Akomolafe
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday? -anon
  
  
  From: Figueroa, Johnny
  Sent: Wed 9/6/2006 11:12 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is a Global Security group being used?

  The tough one... being used in resource ACLs
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: Wednesday, September 06, 2006 10:16
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is a Global Security group being used?

  What do you mean by "being used"? Are you referring to it being in resource
  ACLs? Nested into other groups?

  Laura
  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used?
Will auditing on the DCs tell me this?

Thanks in advance.

Johnny Figueroa
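One way to answer the "used in resource ACLs" question offline, as an added example that is not code from anyone in the thread: export each folder's security descriptor as an SDDL string (PowerShell's `(Get-Acl $path).Sddl` returns that form) and scan the exports for the group's SID, separating explicit ACEs from inherited ones. The SID, the paths and the SDDL strings below are constructed sample data.

```python
"""Scan exported NTFS security descriptors (SDDL strings) for a given group.

Added example, not code from the thread.  Assumes the ACLs were exported
first (e.g. PowerShell: (Get-Acl $path).Sddl per folder) and that the group
is identified by its SID.  All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed SID for the global group under investigation.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1107"

# Constructed sample export: folder path -> SDDL string.
SAMPLE_EXPORT = {
    r"\\fs01\share\Finance":
        "O:BAG:DUD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
        "(A;OICI;0x1200a9;;;" + GROUP_SID + ")",
    r"\\fs01\share\Finance\Reports":
        "O:BAG:DUD:AI(A;OICIID;0x1200a9;;;" + GROUP_SID + ")(A;OICIID;FA;;;BA)",
    r"\\fs01\share\HR":
        "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(D;OICI;FA;;;" + GROUP_SID + ")",
    r"\\fs01\share\Public":
        "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)",
}

# One ACE string is "(type;flags;rights;object_guid;inherit_guid;trustee)".
ACE_RE = re.compile(r"\(([^()]*)\)")


@dataclass
class AceHit:
    path: str
    ace_type: str      # "A" allow, "D" deny, "AU" audit, ...
    rights: str        # e.g. "FA" or a hex access mask
    inherited: bool    # True if the ACE flowed down from a parent ("ID" flag)


def dacl_section(sddl: str) -> str:
    """Return the text between the 'D:' tag and the following 'S:' tag (or end).

    Component values and ACE strings never contain ':', so the only places a
    'D:' or 'S:' can occur are the tags themselves."""
    start = sddl.find("D:")
    if start < 0:
        return ""
    end = sddl.find("S:", start + 2)
    return sddl[start + 2: end if end >= 0 else len(sddl)]


def parse_aces(sddl: str):
    """Yield (type, flag_set, rights, trustee) for every ACE in the DACL."""
    for body in ACE_RE.findall(dacl_section(sddl)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE string: skip rather than guess
        ace_type, flags, rights, _obj, _inh_obj, trustee = fields[:6]
        # Flags are concatenated two-letter codes, e.g. "OICIID".
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        yield ace_type, flag_set, rights, trustee


def find_group_refs(export, group_sid):
    """Return every ACE in the export whose trustee is group_sid."""
    hits = []
    for path, sddl in export.items():
        for ace_type, flag_set, rights, trustee in parse_aces(sddl):
            if trustee.upper() == group_sid.upper():
                hits.append(AceHit(path, ace_type, rights, "ID" in flag_set))
    return hits


def explicit_refs(hits):
    """Only explicit ACEs show where the group is actually 'used'; inherited
    ones are echoes of a parent ACE and disappear when that one is removed."""
    return [h for h in hits if not h.inherited]


if __name__ == "__main__":
    for h in find_group_refs(SAMPLE_EXPORT, GROUP_SID):
        kind = "inherited" if h.inherited else "explicit"
        print(f"{h.path}: {h.ace_type} {h.rights} ({kind})")
```

A deny ACE (the HR entry above) is a reference too, and one that is easy to miss when a tool only reports who has access.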


[ActiveDir] DNS Performance Counters

2006-08-25 Thread Figueroa, Johnny




Good morning folks. I kind of run into this all the time... I am setting up
performance monitoring of our DNS servers. I found a good reference: Domain
Name System (DNS) Service Product Operations Guide. It gives me a bunch of
counters to monitor.

The problem is interpreting the counters, what is acceptable, what kinds of
things should lead you to further investigation, etc. Everything I find goes
like this:

"Secure Update Failure = Secure Update Failure is the total number of secure
updates failed of the DNS server."

Well that explains everything. 


Does anyone have a good reference for DNS Performance counters that explains
what they actually mean and what measurements might be out of bounds?

Thanks

Johnny Figueroa
Supervisor Network Operations Support
Network Services
Banner Health
Voice (602) 747-4195
Fax (602) 747-4406
WARNING: This message, and any attachments, are intended only for the use of
the individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If the reader of this message is not the intended recipient or
employee/agent responsible for delivering the message to the intended
recipient, you are hereby notified that any dissemination, distribution or
copying of the communication is strictly prohibited. If you receive this
communication in error, please notify us immediately



RE: [ActiveDir] DNS Performance Counters

2006-08-25 Thread Figueroa, Johnny



Baseline of a healthy DNS server to compare against is definitely part of the
answer. I was just looking for a place to start, every environment is
different but typically I know what the rules of thumb are when it comes to
disk, memory, processor and similar objects that you monitor.


Thanks, this will help.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, August 25, 2006 9:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Performance Counters


I personally thought that the referenced document is good enough for
understanding DNS monitoring.

Take the "secure update failure" part for an example. You'd typically want to
monitor a trend in this failure over a specific period of time and then
establish a benchmark. You can say: "we typically get 5-10 secure update
failures a day, and we know that these are coming from misconfigured/rogue
devices because we looked in the event log and we chased them down and we
verified that, yeah, their requests should be rejected. Or simply, there are
5-10 such failures a day and we don't know where they are coming from, but we
know how many we 'typically' get".

Now that you have a baseline from your historical trend, you move onto the
next stage of your monitoring. Looking for deviations. This is where you say
"if we start getting 20 or more of these queries a day, then we need to drop
everything and thoroughly investigate".

In other words, the monitoring guideline you see in that document is intended
to guide you as to what is relevant to "look for". It is not intended to tell
you why what you are seeing is happening. It is a list of things pertinent to
your DNS server's health. It is up to you to decide which of them you want to
monitor, how you want to monitor them, and what you want to do when you come
across deviations. What you do with the information is up to you. This is
where digging through the event log and using MOM management packs and similar
tools come in.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: Figueroa, Johnny
Sent: Fri 8/25/2006 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Performance Counters


Good morning folks. I kind of run into this all the time... I am setting up
performance monitoring of our DNS servers. I found a good reference: Domain
Name System (DNS) Service Product Operations Guide. It gives me a bunch of
counters to monitor.

The problem is interpreting the counters, what is acceptable, what kinds of
things should lead you to further investigation, etc. Everything I find goes
like this:

"Secure Update Failure = Secure Update Failure is the total number of secure
updates failed of the DNS server."

Well that explains everything. 


Does anyone have a good reference for DNS Performance counters that explains
what they actually mean and what measurements might be out of bounds?

Thanks

Johnny Figueroa
Supervisor Network Operations Support
Network Services
Banner Health
Voice (602) 747-4195
Fax (602) 747-4406
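The baseline-then-deviation method Deji describes, carried through on the "Secure Update Failure" counter as an added example (not code from the thread or from the Microsoft guide). It assumes the counter is cumulative since the DNS service last started, as the "total number" wording suggests, so once-a-day samples are differenced and a drop is treated as a service restart; the samples below are constructed.

```python
"""Baseline-and-deviation check for the DNS "Secure Update Failure" counter.

Added example, not from the thread.  Assumes the counter is cumulative since
the DNS service last started, so daily samples are differenced and a sample
smaller than the previous one is treated as a counter reset (restart).
"""
from statistics import mean, pstdev

# Constructed daily samples: (date, cumulative counter value at sample time).
SAMPLES = [
    ("2006-08-14", 100), ("2006-08-15", 107), ("2006-08-16", 113),
    ("2006-08-17", 121), ("2006-08-18", 126), ("2006-08-19", 135),
    ("2006-08-20", 142), ("2006-08-21", 148), ("2006-08-22", 156),
    ("2006-08-23", 6),    # counter reset: DNS service restarted overnight
    ("2006-08-24", 30),   # spike worth chasing down in the event log
]


def daily_deltas(samples):
    """Convert cumulative samples into (date, failures_that_day, reset_seen).

    On a reset the failures logged before the restart are lost; the value
    after the restart is a lower bound and is flagged so an operator knows."""
    deltas = []
    prev = None
    for day, value in samples:
        if prev is None:
            prev = value
            continue  # the first sample only establishes a starting point
        if value < prev:
            deltas.append((day, value, True))
        else:
            deltas.append((day, value - prev, False))
        prev = value
    return deltas


def build_baseline(deltas, window):
    """Mean and population std-dev of the first `window` days without a reset."""
    clean = [n for _, n, reset in deltas if not reset][:window]
    if len(clean) < 2:
        raise ValueError("not enough clean days to build a baseline")
    return mean(clean), pstdev(clean)


def find_deviations(deltas, baseline_mean, baseline_sd, k=3.0, hard_limit=20):
    """Days breaching either the statistical band (mean + k*sd) or the hard
    rule quoted in the thread ("20 or more of these a day")."""
    band = baseline_mean + k * baseline_sd
    return [(day, n) for day, n, _ in deltas if n >= hard_limit or n > band]


def analyse(samples, window=8):
    """Baseline on the first `window` clean days, then flag later deviations."""
    deltas = daily_deltas(samples)
    m, sd = build_baseline(deltas, window)
    return {
        "baseline_mean": m,
        "baseline_sd": sd,
        "resets": [day for day, _, reset in deltas if reset],
        "alerts": find_deviations(deltas, m, sd),
    }


if __name__ == "__main__":
    r = analyse(SAMPLES)
    print(f"baseline {r['baseline_mean']:.1f} +/- {r['baseline_sd']:.1f} per day")
    print("resets:", r["resets"])
    print("alerts:", r["alerts"])
```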



[ActiveDir] Password resets

2006-08-10 Thread Figueroa, Johnny



There is talk about using a home grown speech recognition system to reset a
user's password. You would need to enroll, the system would record your voice
and if you ever wanted to reset your password, it would ask you to repeat a
word of its choice.

The system would use a service account with the ability to reset passwords
and turn on the option to force the user to reset the password at logon.

I am just sending this out to get some feedback. I would have a challenge
trying to exclude certain groups from being able to do this, like IT folks
with elevated credentials. Unfortunately those IT folks are in the same OU as
the users that want this functionality.

Thoughts on any part of this?

Thanks

Johnny Figueroa
Supervisor Network Operations Support
Network Services
Banner Health
Voice (602) 747-4195
Fax (602) 747-4406



RE: [ActiveDir] Vendor Domain

2006-08-03 Thread Figueroa, Johnny



There was no real reason for a separate domain, other than it simplified the
vendor's support. We ended up creating an OU and delegating administration to
it.

Thanks, I promised I would get back to you.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 20, 2006 5:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

I completely understand. 

If a vendor is actively and completely supporting this 
application for you ***as a service*** then patching, etc should be something 
that you specify the requirements for in the actual contract with the vendor 
with penalties, etc associated with it for non-compliance. You should not
have to touch any of it because you shouldn't even have the ability to touch any 
of it - that is what the service model is about. 

If this is a vendor telling you to create a new 
domain/forest that you in any way shape or form have to support for their app, I 
would tell them they better have a really amazing explanation because all
of the tables are already against them and if the extra domain/forest gets 
pushed through you immediately tell, not ask, the people requiring the 
application what it is going to cost to get the extra resources to support the 
extra domain/forest - including all licenses for monitoring and other third 
party tools needed to properly support the environment.

Again, if this is just an application and application 
support, you tell the vendor where it goes. If this a service, then listen 
carefully to the vendor as they may have a good point and if you force them to 
deviate there will be a premium at the minimum associated with it. A new 
Domain/Forest for a service model should be a black box to you. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Thursday, July 20, 2006 8:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

Joe, I can not comment on the specifics just yet as IT has not actually met
with the vendor yet. We received the requirements and when I read about the
separate domain with a trust to our own, I started to try and build a case
for NOT, as I had mentioned earlier.


I will try to keep an open mind on the whole thing but if 
every medical vendor came in and asked for their own domain we would have quite 
a mess. You then end up with problems like patch compliance, virus definitions 
you can not verify or having to provide for some form of isolation of these 
environments while allowing them to be functional. This last part turns into 
administration overhead and dollars that we try to push back to the vendor, not 
always successfully depending on how much the application is needed. 


Vendor supported environments inside your own can be a post 
all of its own that goes on forever. How many vendors say they will take care of 
their devices and you wake up one day only to find out that you are under attack 
from one of those vendor "supported" devices. It could be a virus, as has
happened to us, or a misbehaving AV application on the same devices you don't
have admin access to that renders several DFS servers inaccessible with high CPU 
usage. 

We will try to get to the bottom of it as usual, the devil 
is in the details. I promised to report back since many of you have taken the 
time to provide your thoughts on the matter.

Thanks




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 20, 2006 1:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

My first reaction is that that is pretty nebulous and hazy. 
I don't think they can compare whatever it is they do to a respirator and have 
validity, I think that would be talking apples and olive pits. 


Overall it sounds like a move to reduce support and 
troubleshooting costs by having a known fixed environment in which their app 
will run. It could even mean that they have bad decisions (and coding) in the 
software itself that has hard requirements to that specific layout so they don't 
have to code for a more generic setup. 

Certainly the concern that AD may not be stable is a valid 
one from a vendor doing managed service support standpoint as it is something I 
have encountered in the field myself. More environments than not that I
have walked into to deploy Exchange the AD folks thought AD was perfectly fine 
and were surprised when Exchange dragged their DCs under water and I have to go 
through their design and figure out what exactly isn't optimal (hint usually the 
disk subsystems - stop using mirrors damnit). But if the
customer is willing to accept that risk as a caveat to the support model then 
the vendor should be able to support it. This can and usually should have some 
level of impact on costing and possibly support levels and penalties (if they 
exist). It is cheaper to 

[ActiveDir] Interesting read

2006-07-21 Thread Figueroa, Johnny




Ouch, how many things could go wrong? I thought the domain controllers would
complain if the time synch had a gap over 5 mins.


http://redmondmag.com/columns/article.asp?editorialsid=1388





RE: [ActiveDir] Vendor Domain

2006-07-20 Thread Figueroa, Johnny



Thank you all. 

The vendor in question is bringing in a medical solution. Here is the
response from the vendor so far. Mind you that we have lots of medical device
solutions that exist in our domain, the FDA card is played as a blanket so you
stop asking questions... we ran into the same issue with security patches.
"why can't I patch that device?". When we've looked at these FDA regulations
in the past it turned out that there was more liability by not patching.

From the vendor:

"Let me start by thanking you for considering our support model and continuing
to pursue supporting it in your organization. Our designers have architected
the system to comply with Microsoft's best practices. We have implemented our
own .local domain in an effort to provide solid system integrity founded on
Kerberos authentication and a single sign-on experience for your clinicians.

Our system relies heavily on the integrity of the Active Directory structure.
We have integrated the launching of services and control of processes using
this Microsoft recommended model.

It has been our experience that relying on a hospital's Active Directory
structure is a dependency that has opened our customers up to liabilities for
the integrity of our regulated medical device. I liken the servers to a
respirator. Having an outside person, no matter how qualified, work on a
respirator would be a concern from a clinical standpoint. We have witnessed
Group Policies applied to servers in a more open environment. This is a
liability we do not want to expose our business partners to. Any change, no
matter how minute to our system, would endanger our validation and designation
as a XXX regulated medical device and would open you to failing FDA auditing."

Thanks



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joe
Sent: Thursday, July 20, 2006 12:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

I would tend to agree except in the case of Exchange, I am ALL FOR Exchange
being run in a separate single domain forest, it solves an incredible number
of problems such as the GC/NSPI problems as well as administrative isolation,
etc. The exception there is if Exchange is deployed in a decentralized fashion
out to all of the sites you already have DCs at, at that point, you probably
want to fight with the issues with it in the main forest.

The biggest complaint I have seen for running a separate Single Domain Forest
for Exchange is around provisioning and quite frankly, that really isn't all
that involved and doesn't necessarily need a full blown MIIS/IIFP solution. It
depends on what data is needed where. If you need all of the GAL info in the
main NOS forest as well as the Exchange forest then you're looking more into
metadata sync tools unless your provisioning is all being handled through a
centralized mechanism and then that can be used to send the info in both
directions and an actual tie between the domains for syncing isn't necessarily
required.

But if this isn't Exchange, I would be curious to hear the 
details of the app and why they want a separate forest. Most vendors if they 
told me they did it in a stupid way that had that requirement I would beat and 
tell them to fix it. With MSFT and Exchange, that only works a little bit. 
:)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, July 20, 2006 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

I think everyone would be conceptually opposed - would be good to hear the
vendor's reasoning for this.
What does the app do?
What benefit do you have from running their app in a separate (single domain)
forest?

I can think of many downsides, but if the app is supposed to protect really
sensitive data (isolation scenario), this may potentially be the reason for
them to demand a separate forest. Certainly not, if the same folks manage both
forests though... So pls. ask them for more details - doesn't hurt to
understand their thinking.

/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, July 19, 2006 8:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Vendor Domain

We are a 2003 Forest with an empty root domain and a single child domain. We
have a vendor looking to bring in a product that utilizes its own domain and
has a one way trust to our domain.

I do not know anything about the product yet but I am almost conceptually
opposed to these vendor domains. I am looking for pros and cons... really
ammunition to say no.

Thanks

Johnny Figueroa
Supervisor Network Operations Support
Network Services
Banner Health
Voice (602) 747-4195
Fax (602) 747-4406

RE: [ActiveDir] Vendor Domain

2006-07-20 Thread Figueroa, Johnny



Joe, I can not comment on the specifics just yet as IT has not actually met
with the vendor yet. We received the requirements and when I read about the
separate domain with a trust to our own, I started to try and build a case
for NOT, as I had mentioned earlier.


I will try to keep an open mind on the whole thing but if 
every medical vendor came in and asked for their own domain we would have quite 
a mess. You then end up with problems like patch compliance, virus definitions 
you can not verify or having to provide for some form of isolation of these 
environments while allowing them to be functional. This last part turns into 
administration overhead and dollars that we try to push back to the vendor, not 
always successfully depending on how much the application is needed. 


Vendor supported environments inside your own can be a post 
all of its own that goes on forever. How many vendors say they will take care of 
their devices and you wake up one day only to find out that you are under attack 
from one of those vendor "supported" devices. It could be a virus, as has
happened to us, or a misbehaving AV application on the same devices you don't
have admin access to that renders several DFS servers inaccessible with high CPU 
usage. 

We will try to get to the bottom of it as usual, the devil 
is in the details. I promised to report back since many of you have taken the 
time to provide your thoughts on the matter.

Thanks




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 20, 2006 1:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

My first reaction is that that is pretty nebulous and hazy. 
I don't think they can compare whatever it is they do to a respirator and have 
validity, I think that would be talking apples and olive pits. 


Overall it sounds like a move to reduce support and 
troubleshooting costs by having a known fixed environment in which their app 
will run. It could even mean that they have bad decisions (and coding) in the 
software itself that has hard requirements to that specific layout so they don't 
have to code for a more generic setup. 

Certainly the concern that AD may not be stable is a valid 
one from a vendor doing managed service support standpoint as it is something I 
have encountered in the field myself. More environments than not that I
have walked into to deploy Exchange the AD folks thought AD was perfectly fine 
and were surprised when Exchange dragged their DCs under water and I have to go 
through their design and figure out what exactly isn't optimal (hint usually the 
disk subsystems - stop using mirrors damnit). But if the
customer is willing to accept that risk as a caveat to the support model then 
the vendor should be able to support it. This can and usually should have some 
level of impact on costing and possibly support levels and penalties (if they 
exist). It is cheaper to run support on a fixed known setup than it is to 
support something you didn't design and can't exercise control over. You as a 
customer would need to accept that as well. But it really comes back to whether 
the product will work in a generic environment at all and if the vendor is 
willing to put in the time to figure out their exposure and write the 
contract (and bill) to suitably cover for it.

Taking this back to an Exchange example which is more familiar to many folks.
Take the example where you want email and you bring someone in to create and
run an Exchange service for you. You aren't managing or supporting it, it is
all them, you simply give them the requirements. If they have a cookie cutter
separate domain/forest solution it is something they have worked out and
tested and understand and can best support. In general I think it is better
for you and think it is good for you to strongly consider allowing them to run
it that way because of the issues with Exchange and the resulting
administration mess. It is tough to fight it because there aren't a lot of
options outside of Exchange with the features people want... If you have
strong feelings against that separate forest and want the vendor to forgo
their own design, which does happen, they can and usually will run it from
your forest however you have got to expect cost increases. You are basically
telling the respirator company (to use that bad analogy) that you want the
respirator to work in an entirely different way than the product you picked
out of the catalog.

The price increases are to cover real costs incurred by the vendor to cover a
changed support model and cover for the extra design work that they would need
to be involved in to support your environment. In addition, you would need to
accept the caveats on service that they may need to put into place to protect
themselves from lawsuits that are actually the fault of something they don't
control. An example would be any issues that end up having a root cause back in

[ActiveDir] Vendor Domain

2006-07-19 Thread Figueroa, Johnny



We are a 2003 Forest with an empty root domain and a single child domain. We
have a vendor looking to bring in a product that utilizes its own domain and
has a one way trust to our domain.

I do not know anything about the product yet but I am almost conceptually
opposed to these vendor domains. I am looking for pros and cons... really
ammunition to say no.

Thanks

Johnny Figueroa
Supervisor Network Operations Support
Network Services
Banner Health
Voice (602) 747-4195
Fax (602) 747-4406



RE: [ActiveDir] How much of the DIT is cached in RAM ?

2006-06-15 Thread Figueroa, Johnny

lol 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Thursday, June 15, 2006 3:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Awesome!  

I completely forgot about this. I did; however, thoroughly document the
process so that my team can squeak the lobster whenever necessary.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, June 15, 2006 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Following up:
http://msexchangeteam.com/archive/2006/06/15/427966.aspx

Cheers,
BrettSh

 
On Thu, 28 Apr 2005, joe wrote:
 
  Hey Brett... I've seen your blog, how about you tell ~Eric the story
  and he can blog it. :o)
  
  evilgrin
  
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Brett
Shirley
  Sent: Thursday, April 28, 2005 8:32 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
  
  The dev who put it in, is what I like to call my boss ... he has no
  child, I can guarantee it had nothing to do with that ...
  
  Email me directly the Exch product manager's name, and I'll try to
  light a fire under them ... if they don't produce something, I'll
  produce something on my blog (when it is up) and send it around ...
  
  Cheers,
  BrettSh
  
  
  On Thu, 28 Apr 2005, Michael B. Smith wrote:
  
   One of the Exchange Product Managers said today that she is 
   preparing a blog on Squeaky Lobster, including a picture of the 
   original Squeaky. I also asked about the KB and was told, simply, 
   that it isn't currently publicly available.
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of joe
   Sent: Thursday, April 28, 2005 7:38 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
   
   Try - http://www.realcooltoys.com/squeakylobster.html
   
   Squeaky Lobster is a magic reg key to enable special Squeaky Lobster
   ESE counters. It first came to being, I believe, with Exchange 5.5
   where I heard two different stories, the first being that the dev
   guy who put it in had a kid who had a squeaky lobster toy (or he had
   it) and the other is that it was thought up after lunch. I would
   tend to go with the first explanation myself... Anyway, it was
   carried through and is available on AD, or at least it was on 2K AD
   which is the last time I used it a couple of years ago.
   
   There used to be a KB out there that talked about what it made
   available but I don't see it anywhere which sucks because if I need
   it again I will have to go dig through 8 GB of PSTs and notepad
   docs. :o)
   
   I want to say that I think I heard they changed (or were changing)
   the name of this reg entry to something like show advanced
   counters or something like that but I don't think I can point at
   any references for that.
   
   As far as I know, this key wasn't supposed to be hidden or secret,
   though it appears it might have gone underground. I don't think I
   will post any more on it and let ~Eric or Brett put out in the
   public whatever they think should be available.
   
   
 joe
   

   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,

   Joseph
   Sent: Thursday, April 28, 2005 1:31 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
   
   This has been a great thread.  I've really enjoyed reading it.
   
   This question is going to illustrate my extreme ignorance;
however, 
   the answer is worth it.  What is Squeaky Lobster?
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Brett 
   Shirley
   Sent: Wednesday, April 27, 2005 3:42 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
   
   
   From ESE's advanced perf counters exist, that tell you on a
   non-per-search basis:
 - Database Pages Transferred/sec
 - Database Page Latches/sec
   
   IIRC, the first is rate of pages being transferred from disk, and
   the 2nd is the rate at which you are making a read of something on a
   page in the cache (that will include the read right after a page is
   transferred, BTW). It doesn't give you the per query stats you were
   discussing, but it does give you an idea of how much disk the DC is
   requiring ...
   
   If you were to isolate a DC from load, except your query, it could
   give a _rough_ idea for a particular query, but remember latches
   aren't unique references, so if a single query internally has to
   read a page several times, that will be several latch counts.
   
  

RE: [ActiveDir] WMI Filter

2006-06-09 Thread Figueroa, Johnny



I thought WMI filters could only be evaluated by XP or 2003? 2000 and NT
will ignore the filter and apply.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 09, 2006 10:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WMI Filter

I think I did something wrong... I was using this WMI filter on a GPO:

"select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional" OR Caption = "Microsoft Windows 2000 Professional""

I was doing this to keep this GPO from applying to server operating
systems, and when I tested it with Windows 2003 and XP and 2000 Pro,
everything seemed to be fine. Well, I just tested it with a couple of
2000 Advanced Server boxes and the policy is applying. Did I do
something wrong with the filter? Is caption not the best method to
filter by OS?

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573


  
  
ITS ENTERPRISE SERVICES
EMAIL NOTICE
The information contained in this email and any attachments is
confidential and may be subject to copyright or other intellectual
property protection. If you are not the intended recipient, you are not
authorized to use or disclose this information, and we request that you
notify us by reply mail or telephone and delete the original message
from your mail system.
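An added example, not from the thread, that models the behaviour Johnny's reply describes: XP and 2003 clients evaluate a WMI filter, while Windows 2000 clients skip it and apply the GPO regardless. It runs a small WQL evaluator (only the Prop = value / <> form with AND and OR, which is all the posted filter uses) over a constructed inventory; the hostnames are made up and the Caption, Version and ProductType values are modelled on what Win32_OperatingSystem reports for those releases. It also tries a ProductType = 1 filter, which targets workstations without listing every Caption string. The Windows 2000 Advanced Server row is the case from the post: the filter would reject it, but that client never evaluates the filter.

```python
import re

# Constructed inventory for the demonstration. Caption/Version/ProductType are
# modelled on Win32_OperatingSystem values for these releases (ProductType:
# 1 = workstation, 2 = domain controller, 3 = server). Hostnames are made up.
INVENTORY = [
    {"host": "ws-xp01", "Caption": "Microsoft Windows XP Professional",
     "Version": "5.1.2600", "ProductType": 1},
    {"host": "ws-2k01", "Caption": "Microsoft Windows 2000 Professional",
     "Version": "5.0.2195", "ProductType": 1},
    {"host": "srv-2k301", "Caption": "Microsoft(R) Windows(R) Server 2003, Standard Edition",
     "Version": "5.2.3790", "ProductType": 3},
    {"host": "srv-2kadv", "Caption": "Microsoft Windows 2000 Advanced Server",
     "Version": "5.0.2195", "ProductType": 3},
]

# The filter from the post, and a ProductType-based alternative.
CAPTION_FILTER = ('select * from Win32_OperatingSystem where '
                  'Caption = "Microsoft Windows XP Professional" OR '
                  'Caption = "Microsoft Windows 2000 Professional"')
PRODUCTTYPE_FILTER = "select * from Win32_OperatingSystem where ProductType = 1"

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
SELECT_RE = re.compile(r"^\s*select\s+\*\s+from\s+(\w+)(?:\s+where\s+(.*))?\s*$", re.I | re.S)


def parse_wql(query):
    """Split `select * from Class [where ...]` into the class name and WHERE tokens."""
    m = SELECT_RE.match(query)
    if not m:
        raise ValueError("unsupported WQL: " + query)
    return m.group(1), TOKEN_RE.findall(m.group(2) or "")


def _literal(tok):
    """Quoted tokens are strings; anything else is taken as an integer."""
    if tok[0] in "\"'":
        return tok[1:-1]
    return int(tok)


def evaluate_where(tokens, record):
    """Evaluate `Prop = value [AND|OR Prop = value ...]` against one instance.

    Only =, <> and != are supported, AND binds tighter than OR, and property
    names are matched case-insensitively as WMI does. No parentheses or LIKE.
    """
    if not tokens:
        return True
    rec = {k.lower(): v for k, v in record.items()}
    or_groups, current, i = [], [], 0
    while i < len(tokens):
        prop, op, val = tokens[i:i + 3]
        actual, expected = rec.get(prop.lower()), _literal(val)
        if op == "=":
            current.append(actual == expected)
        elif op in ("<>", "!="):
            current.append(actual != expected)
        else:
            raise ValueError("unsupported operator: " + op)
        i += 3
        if i < len(tokens):
            conj = tokens[i].upper()
            i += 1
            if conj == "OR":
                or_groups.append(current)
                current = []
            elif conj != "AND":
                raise ValueError("unsupported conjunction: " + conj)
    or_groups.append(current)
    return any(all(group) for group in or_groups)


def supports_wmi_filtering(version):
    """Windows XP / Server 2003 (NT 5.1 and later) evaluate WMI filters;
    Windows 2000 (NT 5.0) and NT 4.0 ignore them and apply the GPO."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) >= (5, 1)


def gpo_applies(computer, wql):
    """Decide whether a WMI-filtered GPO lands on this computer."""
    _cls, where = parse_wql(wql)
    if not supports_wmi_filtering(computer["Version"]):
        return True  # the filter is never evaluated on this client
    return evaluate_where(where, computer)


def report(wql, inventory=INVENTORY):
    """Per host: (what the filter would say, whether the GPO actually applies)."""
    _cls, where = parse_wql(wql)
    return {c["host"]: (evaluate_where(where, c), gpo_applies(c, wql)) for c in inventory}


if __name__ == "__main__":
    for name, wql in (("Caption filter", CAPTION_FILTER), ("ProductType filter", PRODUCTTYPE_FILTER)):
        print(name)
        for host, (matches, applies) in report(wql).items():
            print(f"  {host:10} filter={matches!s:5} applies={applies}")
```

On clients that never evaluate the filter, only where the GPO is linked or its security filtering can keep it away; the WMI filter can narrow scope only on XP and 2003 machines.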


[ActiveDir] Rights to move an object from one OU to another

2006-06-07 Thread Figueroa, Johnny


What rights does a user need to move objects from one OU to another? I
cannot seem to find that or a white paper on delegation of authority
that someone mentioned before.


Thanks in advance. 

Johnny Figueroa
Supervisor Network Operations  Support
Network Services 
Banner Health
Voice (602)495-4195
Fax (602) 495-4406
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

2006-06-02 Thread Figueroa, Johnny



I think the codes like 42c converted to decimal will give you the
process id and then the thread is the 2nd code, 2f0. If that helps any.

I think this is not always a problem.

1) Take a look at AV on the workstations. I have seen AV patches on the
clients that drive CPU up on the DC for dfssvc.exe. Take a look at AV on
the DC.

2) How are these DCs performing? CPU busy? What happens if you stop
netlogon? Some infected PCs one time were causing a DOS on the DCs. You
may want to take a look at enabling Netlogon tracing and using a tool
called NLPARSE to check the results. Look at the .CSV file for pages of
failed codes from specific clients. Go take a look at these clients.

Article about enabling NL logs:

http://support.microsoft.com/?id=109626

http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

2080

3) move a workstation to an OU without GPOs and see what 
happens. If there is a GPO problem, start applying the existing GPO to the new 
OU one by one. Things like folder redirection and the location of the user's 
profile could be an issue. 

4) make that call to PSS

Good luck


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 10:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1


Hopefully the attachment comes through. The interesting part, and where
most of the time delay is seen, is here:

USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1


I think a different thread mentioned that DNS was about 
90% of the cause of this type of behavior. It's not the only one however. 




What keeps rebooting? The DC? Or the workstations? 
If the workstations, not only ethereal but Darren's suggestion of logging is a 
good idea. 

On 6/2/06, Za Vue [EMAIL PROTECTED] wrote: 



Finally..someone is also experiencing this problem. My DCs are Windows
2003 SP1 also. It seems to hang every 3-4 reboots. My first thought was
DNS DNS.. but NetDiag, Repl, DCDiag, Nslookup all show no error. Nothing
is reported in logs. It is not firewall. I have played with NetBIOS,
changing Provider Order in Network Neighborhood-Advanced Settings..nada.
This week has been quiet. If someone calls again I have ethereal setup
and ready to capture. The thing about my environment is I do not manage
the switches or router. I don't know if someone is messing with
something.


-Z.V.

, Justin (ITS) wrote: 


Hello,

Last night we upgraded our 3 Win2K3 
domain controllers to SP1. This morning, we're getting tons and tons of calls 
from users who report that their computer sits at "Applying computer settings" 
for a good 10 minutes, then another 10 or so minutes at "Applying your 
personalized settings" 

After the upgrade we did start 
seeing DCOM errors in the System event log, which I've found many people online 
have experienced. I "fixed it" (or at least the DCOM errors went away) by 
granting Network Service the following rights: 

Local Launch
Remote Launch
Local Activation
Remote Activation

In 
the Launch and Activation Permissions dialog on the Security tab of the netman 
component. However, even after the DCOM errors have gone away, we continue to 
see the same results on the clients. 

Any 
ideas? I'm considering calling Premier Support, but I figured you guys would be 
better help than them.

Thanks, 

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
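An added example, not from the thread, that reads the USERENV.LOG excerpt the way Johnny's reply suggests: the two hex numbers in USERENV(42c.2f0) are the process and thread ids (1068 and 752 in decimal), and the timestamps show how long each GetUserNameEx attempt hung before the retry. The sample log is constructed in the shape of the excerpt quoted above. 1753 is the Win32 code EPT_S_NOT_REGISTERED (no more endpoints available from the endpoint mapper), so the client was failing an RPC call to a DC, which fits the DNS and DC-reachability suspicion elsewhere in the thread.

```python
import re

# Constructed sample in the shape of the USERENV.LOG excerpt quoted above
# (same PID.TID, timestamps and error code). A real log has many more lines.
SAMPLE_LOG = """\
USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.
"""

LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(r"failed with (?:error )?(\d+)")

# Win32 error codes worth recognising in this log; 1753 is EPT_S_NOT_REGISTERED.
WIN32_ERRORS = {
    1753: "EPT_S_NOT_REGISTERED: no more endpoints available from the endpoint mapper",
}


def parse_userenv(text):
    """Turn USERENV.LOG lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ms = ((int(m["hh"]) * 60 + int(m["mm"])) * 60 + int(m["ss"])) * 1000 + int(m["ms"])
        err = FAIL_RE.search(m["msg"])
        entries.append({
            "pid": int(m["pid"], 16),   # 42c -> 1068: the process writing the log
            "tid": int(m["tid"], 16),   # 2f0 -> 752: the thread inside it
            "time_ms": ms,              # milliseconds since midnight; exact integer arithmetic
            "func": m["func"],
            "msg": m["msg"],
            "error": int(err.group(1)) if err else None,
        })
    return entries


def summarize(entries):
    """What an admin wants from one policy cycle: who logged it, what failed, how long it took."""
    if not entries:
        return None
    # The gaps between successive GetUserNameEx failures show how long each attempt hung.
    failures = [e for e in entries if e["msg"].startswith("GetUserNameEx failed")]
    gaps = [b["time_ms"] - a["time_ms"] for a, b in zip(failures, failures[1:])]
    codes = {e["error"] for e in entries if e["error"] is not None}
    return {
        "pid": entries[0]["pid"],
        "tid": entries[0]["tid"],
        "error_codes": codes,
        "error_names": {c: WIN32_ERRORS.get(c, "unknown") for c in codes},
        "retry_gaps_ms": gaps,
        "total_ms": entries[-1]["time_ms"] - entries[0]["time_ms"],
    }


if __name__ == "__main__":
    s = summarize(parse_userenv(SAMPLE_LOG))
    print(f"process {s['pid']} thread {s['tid']}: {s['total_ms'] / 1000:.1f} s in this cycle")
    print("retry gaps (s):", [round(g / 1000, 1) for g in s["retry_gaps_ms"]])
    for code, name in s["error_names"].items():
        print(f"error {code}: {name}")
```

Point parse_userenv at a whole USERENV.LOG to get the same summary for a real cycle. In this excerpt each attempt hangs a little over 63 seconds, and the four attempts account for roughly four minutes of the delay the users saw.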


  
  


RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

2006-06-02 Thread Figueroa, Johnny



All your services set to Automatic come up? I know there is 
a known problem with the Windows Time Service.




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 11:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1


Nothing else has 
changed. We are seeing several Access is Denied errors from computer accounts 
trying to authenticate. Event ID 5722 from NETLOGON.

No other changes were 
made, just the SP1 install. I installed it on the PDC emulator first, finished 
the install, rebooted, waited for it to boot back up, ran a dcdiag 
/s:servername, repeated on the other two DCs.

DCDIAG to both the 
naming context and each DC individually comes back clean except for systemlog, 
because of the aforementioned 5722 errors.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1


What else did you do during the upgrade? Make any 
other changes? What steps did you take? What other software is running on the 
machines? What other errors? DCDIAG results? 

Netdiag results? 



-ajm

On 6/2/06, Clay, Justin (ITS) [EMAIL PROTECTED] 
wrote: 



Hello,

Last night we upgraded our 3 Win2K3 
domain controllers to SP1. This morning, we're getting tons and tons of calls 
from users who report that their computer sits at "Applying computer settings" 
for a good 10 minutes, then another 10 or so minutes at "Applying your 
personalized settings" 

After the upgrade we did start 
seeing DCOM errors in the System event log, which I've found many people online 
have experienced. I "fixed it" (or at least the DCOM errors went away) by 
granting Network Service the following rights: 

Local Launch
Remote Launch
Local Activation
Remote Activation

In 
the Launch and Activation Permissions dialog on the Security tab of the netman 
component. However, even after the DCOM errors have gone away, we continue to 
see the same results on the clients. 

Any 
ideas? I'm considering calling Premier Support, but I figured you guys would be 
better help than them.

Thanks, 

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573


  
  



[ActiveDir] GPO question

2006-04-07 Thread Figueroa, Johnny

We have a GPO in place for all users to do Folder Redirection of My
Documents. We are experiencing problems with long delays during this
process when users connect to a Citrix Server. This started with 2003
SP1 (there is a potential hot fix from MS, but we are not crazy about
it)

The real question is that I am not finding a way to not apply that GPO
when our users connect to the Citrix servers. Here is what I mean:

A) Typically you can counteract a GPO applied above with a GPO that
disables that same function, like we did recently with Screen Saver
settings. But, Folder redirection of My Documents cannot be disabled;
it is just Not Configured, or Configured and pointing to the
redirection location.

B) There are no GPOs applied to the Terminal Server or Citrix Servers
OUs, but do not want to Block inheritance of GPOs (not best practices
because it is hard to troubleshoot and I am not even sure it is an
option in this case). The Folder Redirection GPO is applied to the USERS
OU and sub OUs based on AD Group membership.

C) Loopback processing seems to be the reverse of what I am trying to
do. Unless I am just not getting it. 

Any other ideas?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406
 


[ActiveDir] Name Server records

2006-03-08 Thread Figueroa, Johnny

I have an AD 2003 domain and an AD integrated DNS zone. If I look at the
properties of that DNS zone and go to the Name Servers tab, I see a
few servers that are not our domain controllers/DNS servers. Those
servers look like DNS servers in other domains that we have a trust
with.

I guess I am curious as to how these servers end up as NS records for
that zone? The zone is AD integrated and is set to Dynamic updates,
secure Only.

I could and will delete those records but I am thinking those records
will come back. The name servers in question do NOT show up with * on
the IP address, which could be the result of a query.

Ideas?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406
 


RE: [ActiveDir] Name Server records

2006-03-08 Thread Figueroa, Johnny



It is a DC/DNS and it replicates to the forest which is 
actually just one domain. 

That's just it, I don't see how or why anybody would go in 
there and add them. There are only a few people that have the access to do that 
and adding those records just does not make sense.

Thanks




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, March 08, 2006 4:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Name Server records


what is the replication 
scope of the zone?

if it is:
DC within domain OR DC/DNS servers within 
domain then someone must have added them manually. Before removing them try 
finding out who added them and more important WHY?

jorge


From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Thu 2006-03-09 00:17
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Name Server records

I have an AD 2003 domain and an AD integrated DNS zone. If I look at the
properties of that DNS zone and go to the "Name Servers" tab, I see a
few servers that are not our domain controllers/DNS servers. Those
servers look like DNS servers in other domains that we have a trust
with.

I guess I am curious as to how these servers end up as NS records for
that zone? The zone is AD integrated and is set to "Dynamic updates",
"secure Only".

I could and will delete those records but I am thinking those records
will come back. The name servers in question do NOT show up with "*" on
the IP address, which could be the result of a query.

Ideas?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406


RE: [ActiveDir] AD auditing

2006-02-22 Thread Figueroa, Johnny



We are looking at http://www.manakoa.com/products/ but we already have
MOM


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, February 22, 2006 11:01
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD auditing



All, 


We're looking for a good tool to run an initial audit of our AD
environment to establish a permission baseline.
We're looking at Quest software AD management suite and also another
product from NetPro called security manager.

Does anyone 
have any experience with either of these products or can someone recommend a 
better solution. 

Thanks in 
advance,
Mike 



RE: [ActiveDir] Is the Directory Infected?

2006-02-20 Thread Figueroa, Johnny



Looks like there is a weird name executable out there. I take it your
domain is not called company.com, unless you changed the message for
security reasons before posting.

http://www.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, February 20, 2006 1:01
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is the Directory Infected?


An 
associate emailed me yesterday and asked if he should be concerned about this 
which popped up on his DC console from Norton AV Corp 
Edition:

Message from DC03 to DC01 on 
2/19/2006.

Virus Found!Virus name: [EMAIL PROTECTED] in DC01 
CN=Schema,CN=Configuration,DC=company,DC=com-DC03.exe


I said 
"yes, looks like you have a virus on your DC." But what is actually infected 
here? Is the Directory infected? And why does it list that as an 
exe?

Thanks.

- 
nme


RE: [ActiveDir] Limit Logon thru GPO

2006-02-16 Thread Figueroa, Johnny



I looked at cconnect as an option and decided not to 
connect our directory to a SQL database dependency for this functionality. Not 
to mention the fact that your support now has to deal with dirty logoffs with a 
different tool. 

We have decided to take a good look at using a Network 
Share to do this. But you do have to agree to the limitations and I have not 
tested this yet. http://support.microsoft.com/kb/260364/en-us




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Thursday, February 16, 2006 10:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Limit Logon thru GPO


This cconnect.exe seems 
interesting anybody used it with 2003 Server? or is it strictly a NT/2000 
tool?





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Darren Mar-Elia
Sent: Thursday, February 16, 2006 8:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Limit Logon thru GPO

There is no native way 
of doing this in GP, but there is the Resource Kit utility Cconnect.exe that 
tries to accomplish the same thing without messy AD partitions (not at all to 
imply that anything remotely related to AD is messy 
:))

Darren




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Aaron Visser
Sent: Thursday, February 16, 2006 7:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Limit Logon thru GPO

Sorry if this question has already 
been asked but I was sure I saw this at one time and now I cannot find it 
anywhere. I am beginning to think it was all just a wishful 
dream.

Q. Is it possible to limit the 
number of logons a user may have at any one moment, using GPO?

Microsoft has released 
the LimitLogin tool, which you can download from 
http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe. 
The tool stores logged-on information in a custom AD partition (dc=limitlogin, 
dc=domain, dc=com; e.g., dc=limitlogin,dc=savilltech,dc=com) via 
a Microsoft IIS 6.0 (Windows Server 2003) hosted Web service, a client 
component, and a logon and logoff script.

This is the only answer I could find on the internet but surely this
cannot be the only way. Like I mentioned, I was sure I saw this at one
time and now I cannot find it anywhere. Was it all a dream? Should MS
get their act together? Or did I really see this? I would rather not use
LimitLogon as it seems like a bit of a pain in the a$$ to setup and I am
pretty sure it is irreversible.


Thanks,


Aaron Visser
Computer Services Tech
School District #33
Chilliwack Secondary School
[EMAIL PROTECTED]
604.795.7295



RE: [ActiveDir] WINS record cleanup?

2006-02-14 Thread Figueroa, Johnny

Make sure that the Database verification option is checked on all your
WINS servers.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Tuesday, February 14, 2006 7:33
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WINS record cleanup?

Hi,
   On my WINS servers I see records that have an expiration date of
years ago.  The record is also marked active.  This doesn't seem to
make any sense.  I have all of the default settings for renewal,
extinction, etc.  We have also pushed a scavenge operation but these
records persist.  Has anyone else seen issues like this?  Thanks.

Mike Thommes


[ActiveDir] DC II

2006-01-26 Thread Figueroa, Johnny

We are in the process of coming up with a 2nd Data Center for DR. I am
working on the AD part of it and I am trying to find out what the
process is for finding a DC in DC II if DC I is down.

I looked at some of the Domain Locator articles and it talks about how a
client finds a DC and what happens if the DC that it contacts is not in
its site, etc, etc. What I don't see is what happens if the DC I site is
down?... How could it find DC II, is that all part of the site cost? It
has been a while and I am confused, are Site Costs used to find DCs or
just for replication?

Any articles or explanations are appreciated.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406
 


RE: [ActiveDir] DC II

2006-01-26 Thread Figueroa, Johnny

Thank you all. It looks like I need to look at the weights and
priorities of the SRV records to go to DC I if available and DC II if DC
I is down.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 26, 2006 12:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC II

If a client can't find a DC in its site, it will then try to find any DC
in its domain, regardless of site, based on the weights and priorities
associated with the DCs locator records in DNS. Site link cost doesn't
enter into the process.

However, NETLOGON does use site link cost to determine the covering DC
for a DC-less site.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Thursday, January 26, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC II


We are in the process of coming up with a 2nd Data Center for DR. I am
working on the AD part of it and I am trying to find out what the
process is for finding a DC in DC II if DC I is down.

I looked at some of the Domain Locator articles and it talks about how a
client finds a DC and what happens if the DC that it contacts is not in
its site, etc, etc. What I don't see is what happens if the DC I site is
down?... How could it find DC II, is that all part of the site cost? It
has been a while and I am confused, are Site Costs used to find DCs or
just for replication?

Any articles or explanations are appreciated.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406
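An added example, not from the thread, of the selection Gil describes: a client walks the DC locator SRV records in priority order and load-balances by weight inside one priority, so site link cost never enters into it. The records, the dc-i/dc-ii site names and the example.com domain are all constructed. With the DC I records at priority 0 and the DC II records at priority 10, the client only ever reaches a DC II target after every DC I target has failed to answer, which is the failover Johnny is after.

```python
import random
from collections import Counter

# Constructed DC locator records in the shape DNS holds them under
# _ldap._tcp.dc._msdcs.<domain>: (priority, weight, port, target).
# The dc-i / dc-ii site names and example.com are made up for this demo.
DC_I = {"dc1.dc-i.example.com.", "dc2.dc-i.example.com."}
DC_II = {"dc3.dc-ii.example.com.", "dc4.dc-ii.example.com."}
SRV_RECORDS = [
    (0, 100, 389, "dc1.dc-i.example.com."),
    (0, 100, 389, "dc2.dc-i.example.com."),
    (10, 100, 389, "dc3.dc-ii.example.com."),   # higher number = lower preference
    (10, 100, 389, "dc4.dc-ii.example.com."),
]


def seeded_rng(seed):
    """Deterministic random source so runs can be reproduced."""
    return random.Random(seed)


def order_by_weight(group, rng):
    """RFC 2782 weighted selection inside one priority level.

    Weight-0 records go first so they are chosen only when the random draw is 0;
    otherwise each record's chance is proportional to its weight, and the chosen
    record is removed before the next draw.
    """
    remaining = sorted(group, key=lambda r: r[1] != 0)
    ordered = []
    while remaining:
        total = sum(r[1] for r in remaining)
        pick = rng.randint(0, total)
        running = 0
        for rec in remaining:
            running += rec[1]
            if running >= pick:
                ordered.append(rec)
                remaining.remove(rec)
                break
    return ordered


def order_srv(records, rng=random):
    """Full try-order: every record of the lowest priority (weighted) before any of the next."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        ordered.extend(order_by_weight([r for r in records if r[0] == prio], rng))
    return ordered


def locate_dc(records, reachable, rng=random):
    """First target in try-order that answers; None if every DC is down."""
    for _prio, _weight, _port, target in order_srv(records, rng):
        if target in reachable:
            return target
    return None


def first_choice_share(records, trials, rng=random):
    """Fraction of trials in which each target is tried first (shows the weight split)."""
    counts = Counter(order_srv(records, rng)[0][3] for _ in range(trials))
    return {t: n / trials for t, n in counts.items()}


if __name__ == "__main__":
    rng = seeded_rng(2006)
    print("DC I up:  ", locate_dc(SRV_RECORDS, DC_I | DC_II, rng))
    print("DC I down:", locate_dc(SRV_RECORDS, DC_II, rng))
    print("all down: ", locate_dc(SRV_RECORDS, set(), rng))
    # Uneven weights inside DC I: dc1 should be tried first about 75% of the time.
    skewed = [(0, 300, 389, "dc1.dc-i.example.com."), (0, 100, 389, "dc2.dc-i.example.com.")]
    print(first_choice_share(skewed, 2000, rng))
```

On a domain controller the two numbers come from the Netlogon LdapSrvPriority and LdapSrvWeight parameters, so the scheme is set per DC when it registers its records, not on the clients.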
 


RE: [ActiveDir] AD Janitor 2.0

2005-12-11 Thread Figueroa, Johnny

They are not exactly the same thing. Have you compared the solutions? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, December 10, 2005 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Janitor 2.0

Why spend 200 dollars on something that is available for free? Is the
time to import the csv into Excel too much?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Saturday, December 10, 2005 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Janitor 2.0


Does anyone have any experience with a product called AD Janitor 2.0?

It is a tool much like the OLDCMP tool but with a GUI. It lets you move,
disable and delete old computer and user accounts. Pretty good export. I
have downloaded it and done some testing but wanted to know if anybody
else has used the tool in production. For $200 it seems worth it.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 



[ActiveDir] AD Janitor 2.0

2005-12-10 Thread Figueroa, Johnny

Does anyone have any experience with a product called AD Janitor 2.0?

It is a tool much like the OLDCMP tool but with a GUI. It lets you move,
disable and delete old computer and user accounts. Pretty good export. I
have downloaded it and done some testing but wanted to know if anybody
else has used the tool in production. For $200 it seems worth it.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 



RE: [ActiveDir] DNS Question

2005-12-09 Thread Figueroa, Johnny

I did some testing and here is what I found.

1) If you actually give the user or group READ access in ADUC (Users and
Computers, not DNS) under domainname/System/MicrosoftDNS, this gives you
access to the DNS MMC on the server.

2) Then at the ZONE(s) level, you have to give the user or group READ
access and DENY = (WRITE, Create All Child Objects and Delete All Child
Objects). It gets some rights from Authenticated Users as William
mentioned. I did not want these folks to be able to create 10,000
records on our DNS servers.

Any other way, the user or group ends up having the ability to create
DNS resource records and delete them. This way, I can truly give some
folks READ access to the DNS zones and it does not interfere with
dynamic updates, which work under SYSTEM.

We are 2003 DCs (two 2000 DCs left) in native mode. We do not have SP1
on the DCs just yet. Your mileage may vary!

Thank you everyone. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of King, William
Sent: Friday, December 09, 2005 3:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question


On the 2003 DC, you could use the Effective Permissions tab (Security -
Advanced - Effective Permissions) to verify the permissions assigned to
the test user.


I was able to get read-only for the user by setting Read at the server
level and again at the zone level. I had to remove 'Everyone' and
'Authenticated Users' where applicable.

It sounds as if the user may have more rights than expected.



William

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 08 December 2005 16:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question


2K in native mode, all but two of the DCs are running 2003 (NOT SP1 yet)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of King, William
Sent: Thursday, December 08, 2005 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question


I think there are differences between functional levels.

What OS / mode are you running at?

I can say for certain, on my test rig (2k in Native mode) I have set
read-only access to specific zones.

I have not had much luck yet in assigning further permissions such as
adding records.



William


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 08 December 2005 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question


This is a tough one. I followed your link William,
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73b2314f-6acf-422a-85bc-c1d04d1d8e00.mspx

Gave a test user Read access to a specific AD integrated zone. To be
able to connect the DNS MMC, I still had to give the user Read access to
the server object or the UI would get access denied. So, if you give the
user Read access to the server object, even if you specify "this object
only", they can create and delete records with the DNS MMC even if you
specified Read only on the AD integrated zone.


Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of King, William
Sent: Thursday, December 08, 2005 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question


Hi Johnny,

You can delegate security of the DNS Zone to allow read-only access.

See
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73b2314f-6acf-422a-85bc-c1d04d1d8e00.mspx

The user can run the DNS management snap-in on their local system and
connect to the remote DNS server.




William


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 07 December 2005 21:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question


As I am getting ready to migrate a number of zones from a QIP DNS server
to a Microsoft DNS server, I have a concern about giving support folks
access to the DNS MMC. Some folks just need to be able to use the MMC to
troubleshoot, so I thought I would give them Read Only access to DNS.
I see DHCP and WINS Users (view only) but I do not see the same thing
for DNS.

I created a test user in the domain and tried to start the DNS MMC, and
it told me that access was denied. I then went to the DNS server object
and gave the user List and Read access to the objects. To my surprise
the test userid was able to add or delete DNS records in the AD DNS
zone. It probably should not be a surprise since the zone is AD
integrated and set to secure updates. I take it this means that as long
as a user is a member of the domain, they CAN create and delete resource
records in DNS. I take it all I did was expose the UI by giving the user
Read access to the objects.

How do you mitigate this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602
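The delegation that the 2005-12-09 findings above arrive at (Read on the MicrosoftDNS container so the console can connect, then Read plus an explicit Deny on Write, Create All Child Objects and Delete All Child Objects at the zone) can be scripted rather than clicked through ADUC. The following is an added example written for this page, not code from the thread or from Microsoft. It assumes the ActiveDirectory PowerShell module with its AD: drive, and uses placeholder names for the domain (DC=contoso,DC=com), the zone (corp.contoso.com) and the trustee group (CONTOSO\DNS-ReadOnly). The zone path is the Windows Server 2003-era location the reply names (domain/System/MicrosoftDNS); on later servers the zone object is usually under DC=DomainDnsZones,<domain DN>, so adjust $DnsRootDN to match where your zone actually lives.

```powershell
# Added example (not from the list thread): read-only DNS zone delegation
# with an explicit Deny, applied through the AD: drive instead of the
# ADUC / DNS consoles. All names below are placeholders.
Import-Module ActiveDirectory

$DomainDN  = 'DC=contoso,DC=com'                      # placeholder domain
$Trustee   = 'CONTOSO\DNS-ReadOnly'                   # placeholder support group
$DnsRootDN = "CN=MicrosoftDNS,CN=System,$DomainDN"    # 2003-style zone container
$ZoneDN    = "DC=corp.contoso.com,$DnsRootDN"         # placeholder AD-integrated zone

# Resolve the group to a SID once; ACEs are written against SIDs, not names.
$Account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Trustee
$Sid     = $Account.Translate([System.Security.Principal.SecurityIdentifier])

function Add-DirectoryAce {
    # Append one ACE to the DACL of an AD object and write it back.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][System.Security.AccessControl.AccessControlType]$Type,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None'
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                       -ArgumentList $Sid, $Rights, $Type, $Inheritance
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Step 1: Read on the MicrosoftDNS container, this object only. That is what
# lets the DNS console connect to the server; it grants nothing on the zones.
Add-DirectoryAce -DistinguishedName $DnsRootDN -Sid $Sid -Rights GenericRead -Type Allow

# Step 2: at the zone, Allow Read and explicitly Deny Write, Create All Child
# Objects and Delete All Child Objects, inherited to the records. The Deny is
# what overrides the create/delete rights Authenticated Users already carry.
Add-DirectoryAce -DistinguishedName $ZoneDN -Sid $Sid -Rights GenericRead -Type Allow -Inheritance All
Add-DirectoryAce -DistinguishedName $ZoneDN -Sid $Sid `
    -Rights 'GenericWrite, CreateChild, DeleteChild' -Type Deny -Inheritance All

# Check: list every ACE on the zone that names the trustee, so the Deny and
# the Allow can both be seen before anyone tests with the console.
(Get-Acl -Path "AD:\$ZoneDN").Access |
    Where-Object { $_.IdentityReference -eq $Trustee } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

Because Deny entries are evaluated before Allow entries, the trustee group must contain only the people who should be read-only: a computer or service account placed in it would have its own dynamic registrations refused at this zone. After applying the ACEs, repeat the reply's own test by opening the DNS console as a member of the group and attempting to create a record; the Effective Permissions tab William mentions is a second, independent check.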

RE: [ActiveDir] DNS Question

2005-12-08 Thread Figueroa, Johnny

This is a tough one. I followed your link William,
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73b2314f-6acf-422a-85bc-c1d04d1d8e00.mspx

Gave a test user Read access to a specific AD integrated zone. To be
able to connect the DNS MMC, I still had to give the user Read access to
the server object or the UI would get access denied. So, if you give the
user Read access to the server object, even if you specify "this object
only", they can create and delete records with the DNS MMC even if you
specified Read only on the AD integrated zone.

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of King, William
Sent: Thursday, December 08, 2005 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Question


Hi Johnny,

You can delegate security of the DNS Zone to allow read-only access.

See
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73b2314f-6acf-422a-85bc-c1d04d1d8e00.mspx

The user can run the DNS management snap-in on their local system and
connect to the remote DNS server.




William


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 07 December 2005 21:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Question


As I am getting ready to migrate a number of zones from a QIP DNS server
to a Microsoft DNS server, I have a concern about giving support folks
access to the DNS MMC. Some folks just need to be able to use the MMC to
troubleshoot, so I thought I would give them Read Only access to DNS.
I see DHCP and WINS Users (view only) but I do not see the same thing
for DNS.

I created a test user in the domain and tried to start the DNS MMC, and
it told me that access was denied. I then went to the DNS server object
and gave the user List and Read access to the objects. To my surprise
the test userid was able to add or delete DNS records in the AD DNS
zone. It probably should not be a surprise since the zone is AD
integrated and set to secure updates. I take it this means that as long
as a user is a member of the domain, they CAN create and delete resource
records in DNS. I take it all I did was expose the UI by giving the user
Read access to the objects.

How do you mitigate this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406




This communication (including any attachments) contains information
which is confidential and may also be privileged. 

It is for the exclusive use of the intended recipient(s). 

If you are not the intended recipient(s), please do not distribute, copy
or use this communication or the information.

Instead, if you have received this communication in error, please notify
the sender immediately and then destroy any copies of it.

Due to the nature of the Internet, the sender is unable to ensure the
integrity of this message and does not accept any liability or
responsibility for any errors or omissions (whether as the result of
this message having been intercepted or otherwise) in the contents of
this message.

Any views expressed in this communication are those of the individual
sender, except where the sender specifically states them to be the views
of the company.


RE: [ActiveDir] Moving 3rd party DNS to AD

2005-12-07 Thread Figueroa, Johnny

I appreciate the feedback on your experience with QIP and MS DNS. It
will all help 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Tuesday, December 06, 2005 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving 3rd party DNS to AD

probably not needed but here is a script I used and deployed with SMS to
all my member servers to update the DNS order.  The script was used to
add a third DNS server for 'just in-case' lookups but was effective in
updating the member servers w/o having to manually do it.  Probably
won't be useful but thought I would pass along.  You could easily make
this accept command line switches but by default only runs on the local
machine.  Hope that helps.

' Entry point: VBScript does not call Sub Main on its own.
Call Main()

Sub Main()
    SetDNSServerSearchOrder()
End Sub


Sub SetDNSServerSearchOrder()
    ' On Error Resume Next
    Err.Clear

    Dim aDNS(1)

    ' Primary DNS server (address left as the placeholder that was posted)
    aDNS(0) = "x.x.x.x"

    ' Alternate DNS server (address left as the placeholder that was posted)
    aDNS(1) = "x.x.x.x"

    ' Set networking management objects; "." is the local machine
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")

    For Each objItem In colItems
        ' Calling with no argument clears the current list, then the new order is applied
        errDNS = objItem.SetDNSServerSearchOrder()
        WScript.Sleep 500
        errDNS = objItem.SetDNSServerSearchOrder(aDNS)
    Next

    Set objWMIService = Nothing
    Set colItems = Nothing

End Sub

Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP

http://www.orcsweb.com/
Managed Complex Hosting
#1 in Service and Support
- Original Message -
From: Steve Schofield [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 06, 2005 10:39 PM
Subject: Re: [ActiveDir] Moving 3rd party DNS to AD


Boy that is a real toughie! I have experience both with AD using QIP
(6.x version) which was really good and now for the past year getting
used to MS DNS with integrated zones on DC's which was ok but has been
rock solid with w2k3 & sp1 (lots of DNS fixes in w2k3 sp1). What would I
do, boy not sure but here is an attempt. If your goal is to have AD/DNS
hosted on MS to quickly cut over, one brainstorm is to have your DNS
servers in AD be secondaries with the ability to *import* the QIP zones
so you could have real-time updates up to and just before cutover. Not
sure off-hand if that is possible but believe so.

Then for cutover, unplug the QIP network cable, change the IP on the MS
DNS servers, convert to a primary zone to allow dynamic updates if you
are supporting that. You can also set up the QIP servers to be the
forwarders for the AD ones but I would suggest staying away from that if
possible and just using the ROOT servers. As far as performance, DNS is
not a very intensive process for a standard type setup. I would suggest
RAID 1 for redundancy with 1 or 2 gig of RAM. A dual proc machine would
be more than sufficient. The RAID should use a hardware based controller
with some cache for added boost. One benefit if these were DC's vs.
standard DNS servers is the multi-master replication being integrated
into the AD database, providing redundancy. Depending on your AD
database size and DC's size, the entire database being loaded into
memory could provide a pretty good boost. At the ISP I work for
(orcsweb.com) our internal AD servers take a lot of requests and those
machines sit idle regarding DNS (we send lots of emails a day, pretty
DNS lookup intensive, and it works well). The QIP experience I didn't
directly manage so I can't provide any stats there, sorry. Hope that
provides some ideas; the UI management tool in QIP is better than AD but
the MMC is ok for a few domains. Good luck, feel free to contact me
[EMAIL PROTECTED]

Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP

http://www.orcsweb.com/
Managed Complex Hosting
#1 in Service and Support


- Original Message -
From: Figueroa, Johnny [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 06, 2005 3:18 PM
Subject: [ActiveDir] Moving 3rd party DNS to AD


I will be removing a couple of Lucent QIP DNS servers running on Sun
Solaris with Microsoft DNS.

We already have our AD infrastructure. The _zones in the QIP DNS servers
were delegated to AD DNS/DCs so the domain controllers could update
their SRV records.

We debated if we should integrate the zones owned by the QIP solution
into AD (DC/DNS Servers) or create a couple of standalone DNS servers in
AD, which will not be domain controllers. We chose to go with the
standalone DNS servers mainly so that the testing, cutover and potential
roll back could be done with minimal changes. I.e. turn off QIP DNS
servers, change IP on the MS DNS servers to that of the old QIP servers
and we are done. Roll back would be something like turn off MS DNS
servers and turn QIP back on. The _zones in question are in our empty
root domain, the clients and the AD resource records

[ActiveDir] DNS Question

2005-12-07 Thread Figueroa, Johnny

As I am getting ready to migrate a number of zones from a QIP DNS server
to a Microsoft DNS server, I have a concern about giving support folks
access to the DNS MMC. Some folks just need to be able to use the MMC to
troubleshoot, so I thought I would give them Read Only access to DNS.
I see DHCP and WINS Users (view only) but I do not see the same thing
for DNS.

I created a test user in the domain and tried to start the DNS MMC, and
it told me that access was denied. I then went to the DNS server object
and gave the user List and Read access to the objects. To my surprise
the test userid was able to add or delete DNS records in the AD DNS
zone. It probably should not be a surprise since the zone is AD
integrated and set to secure updates. I take it this means that as long
as a user is a member of the domain, they CAN create and delete resource
records in DNS. I take it all I did was expose the UI by giving the user
Read access to the objects.

How do you mitigate this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 



[ActiveDir] Moving 3rd party DNS to AD

2005-12-06 Thread Figueroa, Johnny

I will be removing a couple of Lucent QIP DNS servers running on Sun
Solaris with Microsoft DNS. 

We already have our AD infrastructure. The _zones in the QIP DNS servers
were delegated to AD DNS/DCs so the domain controllers could update
their SRV records. 

We debated if we should integrate the zones owned by the QIP solution
into AD (DC/DNS Servers) or create a couple of standalone DNS servers in
AD, which will not be domain controllers. We chose to go with the
standalone DNS servers mainly so that the testing, cutover and potential
roll back could be done with minimal changes. I.e. turn off QIP DNS
servers, change IP on the MS DNS servers to that of the old QIP servers
and we are done. Roll back would be something like turn off MS DNS
servers and turn QIP back on. The _zones in question are in our empty
root domain, the clients and the AD resource records are in a child
domain/zone already in AD.

Feel free to comment or make suggestions about that approach, but my
real question is around performance. I am trying to get performance data
from the folks that support the QIP DNS servers but that may not be an
option at this time. Those servers connect via firewall to the Internet
for root servers and do not forward to anybody else at this point, and
neither will the MS replacements. The AD DNS servers currently forward
to the QIP servers mentioned for Internet address resolution and cache
it for the clients. There are some mainframe systems that point to the
QIP servers directly but that's the exception not the rule; our clients
point to AD DNS servers.

The performance documents I found so far talk about memory being the
real issue with DNS servers and they give me a formula, something like
100K for every 1000 records. My questions are: 1) Not sure if I need to
go with anything else other than dual processors; quads seem like
overkill. 2) I am not reading anything that would tell me how I should
set up the disks for the server. The zones themselves are in the
megabytes range so they will not take a lot of space. I will probably
mirror the OS as that is our standard, but then is there a way to have
the zones on different disk drives and perhaps set those up as RAID 5?

I realize performance questions are tough without knowing the
environment, but it has been my experience that you always get useful
replies from this group.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 



RE: [ActiveDir] Obsolete Domain groups

2005-12-05 Thread Figueroa, Johnny

Got it. Thanks  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Obsolete Domain groups

Nope, there is no last used. Kind of hard to define last used for a
group anyway, for instance for a security group it would be the last
time anyone from the group logged in and the group SID was stuffed in
the user's token.

If you are talking security groups, the best to do is change the group
to a DL and then it won't get added to security groups. If there is no
screaming for a couple of months, you are probably safe.

If the group is used for non-Windows security or to send IMs or emails
to a group of people or otherwise group items (like OUs or whatever)
then a solution would be to put the groups in a heavily protected OU so
nothing can read the membership for a while and make sure no one
screams. 

Either way, dump the membership to some other format so you can
repopulate as needed and before final delete, clear the membership for a
while.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Sunday, December 04, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Obsolete Domain groups


Does anyone know of a way to identify old\obsolete domain groups?

Are the group objects in AD stamped with something like a last used date
stamp? I am thinking a member server with some resources and domain
permissions on those resources has to ask the domain some questions
about it.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 

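joe's reply above lays out a staged retirement for a security group nobody can vouch for: dump the membership somewhere it can be restored from, convert the group to a distribution group so its SID stops being placed in logon tokens, wait for complaints, and only then clear the membership and delete. The following is an added example for this page, not code from the thread; it assumes the ActiveDirectory PowerShell module, and the group name and export folder in it are placeholders.

```powershell
# Added example (not from the list thread): two-stage retirement of a
# suspected-obsolete security group, with an export for rollback.
Import-Module ActiveDirectory

function Suspend-SuspectSecurityGroup {
    # Stage 1: export members, convert Security -> Distribution.
    # Stage 2 (-ClearMembership): after the quiet period, empty the group.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$ExportDir = 'C:\GroupRetirement',   # placeholder folder
        [switch]$ClearMembership
    )
    $group = Get-ADGroup -Identity $GroupName -Properties GroupCategory, SamAccountName
    if (-not (Test-Path -Path $ExportDir)) {
        New-Item -ItemType Directory -Path $ExportDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $csv   = Join-Path -Path $ExportDir -ChildPath "$($group.SamAccountName)-$stamp.csv"

    # Keep both DN and SID per member: the DN is what Add-ADGroupMember takes
    # back, the SID still identifies the principal if it is renamed meanwhile.
    Get-ADGroupMember -Identity $group |
        Select-Object Name, SamAccountName, ObjectClass, DistinguishedName, SID |
        Export-Csv -Path $csv -NoTypeInformation

    if ($group.GroupCategory -eq 'Security') {
        Set-ADGroup -Identity $group -GroupCategory Distribution
        # Leave a note on the object so the next admin knows what happened.
        Set-ADGroup -Identity $group -Replace @{
            info = "Converted to distribution on $stamp; members exported to $csv"
        }
    }
    if ($ClearMembership) {
        $members = Get-ADGroupMember -Identity $group
        if ($members) {
            Remove-ADGroupMember -Identity $group -Members $members -Confirm:$false
        }
    }
    return $csv
}

function Restore-SuspectSecurityGroup {
    # Rollback from the export if someone does scream.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$CsvPath
    )
    Set-ADGroup -Identity $GroupName -GroupCategory Security
    $dns = Import-Csv -Path $CsvPath | Select-Object -ExpandProperty DistinguishedName
    if ($dns) { Add-ADGroupMember -Identity $GroupName -Members $dns }
}

# Typical sequence (placeholder group name):
#   $export = Suspend-SuspectSecurityGroup -GroupName 'APP-LegacyReports'
#   ... a couple of quiet months later ...
#   Suspend-SuspectSecurityGroup -GroupName 'APP-LegacyReports' -ClearMembership
#   Restore-SuspectSecurityGroup -GroupName 'APP-LegacyReports' -CsvPath $export
```

Two things to check before running stage 1. A group that appears in Deny ACEs stops denying the moment it is no longer a security group, so search the relevant ACLs for Deny entries naming it first; silently widening access is the opposite of what this exercise is for. And members keep the SID in their existing tokens until they log on again, so the quiet period only starts once sessions have cycled.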


[ActiveDir] Obsolete Domain groups

2005-12-04 Thread Figueroa, Johnny

Does anyone know of a way to identify old\obsolete domain groups?

Are the group objects in AD stamped with something like a last used date
stamp? I am thinking a member server with some resources and domain
permissions on those resources has to ask the domain some questions
about it.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 



RE: [ActiveDir] Slow LDAP responses

2005-12-01 Thread Figueroa, Johnny

A couple of things:

1) Have you looked at what AV solution is on your clients? If you are
using McAfee VSE 8.0 with Patch 11, they are your problem. There is a
patch 11a:
http://groups.google.com/group/microsoft.public.windows.server.general/browse_thread/thread/e12b2c63af204b54/b62bcff6d7e9ce1e?lnk=st&q=dfssvc.exe+high+cpu&rnum=2&hl=en#b62bcff6d7e9ce1e

http://groups.google.com/group/microsoft.public.windows.server.dfs_frs/browse_thread/thread/1ec1e082e8880bb1/8b3c12d674c8c1f2?lnk=st&q=dfssvc.exe+high+cpu&rnum=1&hl=en#8b3c12d674c8c1f2

2) I had another situation going on with high CPU of LSASS and it was
virus activity from unprotected workstations. I ended up setting
NETLOGON logging:

http://support.microsoft.com/?id=109626 with a value of 2080 (HEX)

Then taking the netlogon.log file created in the debug directory and
loading that into NLPARSE.EXE to look for clients with tons of failed
authentication requests. Every one of the clients found with lots of
failed authentication requests had AV stopped on it and was eventually
found to be infected with BAT\mumu.

From my experience with these events, they are a symptom of something
hammering your DCs.

Good luck

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 01, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Slow LDAP responses

How odd, that jumped offlist and then back onlist...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Whaley, Greg
Sent: Wednesday, November 30, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: FW: [ActiveDir] Slow LDAP responses

Thanks Joe. In further research I have found when LDAP response is slow
that LSASS.exe is taking up most of the processor. I have also seen in
other posts that there may be a beta patch from MS for lsass.exe high
utilization. So now I am waiting for MS to get back to me.


Greg Whaley
Consulting LAN Engineer
St. John Health
586-753-1594

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 7:43 PM
To: Whaley, Greg
Subject: RE: [ActiveDir] Slow LDAP responses

ADFIND will take any standard LDAP query and execute it, you generally
just specify the base (-b) and a filter (-f) and add -selapsed to get
the timing values. So for instance, you could do

Adfind -b dc=domain,dc=com -f ou=* -dn -selapsed

To get a list of all DNs of OUs in domain.com

   joe

-Original Message-
From: Whaley, Greg [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 23, 2005 8:56 AM
To: joe
Subject: RE: [ActiveDir] Slow LDAP responses

Joe,

I do not really understand the command syntax any way you can give me an
example?

Greg Whaley
Consulting LAN Engineer
St. John Health
586-753-1594

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, November 04, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Slow LDAP responses

How do you know the responses are slow? What aspect is slow? Is it the
name resolution, the bind, the query itself, what?

Usually the first thing I would do in something like this is look at the
-selapsed output of adfind which breaks up timing by various things done
in the query

Elapsed Times:
   LDAP_OPEN          0.016
   ROOT_DSE           0
   LDAP_OPEN_2        0
   PARTIAL_SCHEMA     0.407
   LDAP_UNBIND_2      0
   LDAP_SEARCH_INIT   0
   LDAP_GET_PAGES     0.062
   LDAP_UNBIND        0

That can help narrow it down. If the open is really slow then I get out
a network sniff and start watching the name res process, etc and usually
find the problem there.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Whaley, Greg
Sent: Friday, November 04, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Slow LDAP responses

I am seeing issues with slow LDAP response on a specific Windows 2000
domain controller. I have looked in the logs and the only thing I can
see that is causing an issue is in the application log. Here is the
event ID 1000:

Windows cannot query for the list of Group Policy objects . A message
that describes the reason for this was previously logged by this policy
engine.

I then go down to the error that was previously logged and see this.
Event ID 1000

Windows cannot establish a connection to **Domain**.COM with (0).

Anyone have any clues on what might be going on?

This error started after the DC was rebooted because of issues with slow
LDAP response.

Greg Whaley
Consulting LAN Engineer





RE: [ActiveDir] FSMO role transfer

2005-11-30 Thread Figueroa, Johnny

I think what was meant about the trivial part is around the seizing of
the roles not the transfer. I would love to have much of the ntdsutil
functionality built into the UI, even if at some point it requires you
to reboot/restore, whatever. 

I don't think either camp is going to convince the other that you should
or shouldn't transfer roles prior to some maintenance. It is almost a
personality thing. I prefer not to transfer the role and deal with the
possibility that I may need to seize it, on the rare case that something
goes drastically wrong that I can not recover from before the role is
actually needed. You architected the roles on specific DCs for a reason,
if I forget to move it back I may end up with a DC hosting a role for a
long time that I never meant to. Also, I don't consider transferring
roles around part of the normal operating procedures. 

But that's just me.

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: Wednesday, November 30, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

It is available in the AD snap-ins.  In AD Domains and Trusts, you can
transfer the Domain Naming master by right-clicking the name of the
snap-in in tree-view and choosing Operations Master.  In ADUC,
right-click the name of the domain and choose Operations Master to
transfer the RID, PDC, and Infrastructure masters.  In the Schema
Management snap-in, you can transfer the Schema master by right-clicking
Active Directory Schema and choosing Operations Master.

Next question...Why isn't there a single place to click all of these?

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 30, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer

stupid question alert

If the task is that trivial
If the benefit is so great
Why isn't it part of the AD snap ins as a one button task?

sincerely, who needs scripting when you can ask for a gui/wizard or
button instead

David Adner wrote:
 I'm not debating the effort it takes to make the change.  I'm saying I
 don't see the point in devoting whatever amount of effort it takes for
 something that's going to provide benefit only, IMO, in an extremely rare
 case.  And if that case happened, the corrective action is also a
 trivial process.  And again, I'm not saying I don't see your point; I
 just don't agree with it.

   
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bahta 
 Nathaniel V Contractor NASIC/SCNA
 Sent: Wednesday, November 30, 2005 12:32 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] FSMO role transfer

 That process is trivial in itself.  It does not take much to transfer
 the roles before you conduct maintenance on a server.  Why not do it?
 It will save you cleaning up metadata after you seize a role of a
 failed operations master.  Sounds like a stitch in nine saves time
 concept to me.  I do not intend on taking every proactive measure
 either, but when it comes to the small and quickly implemented
 measures that could save plenty of time, I try to utilize all of them
 available.

 Is that agreeable?

 Nathaniel Vincent Bahta

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
 Sent: Wednesday, November 30, 2005 1:24 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] FSMO role transfer

 Any proper maintenance plan has a backout plan and a recovery plan, 
 so I am preparing for the possibility of an unexpected problem.  If 
 I'm pulled into a dark room because something goes wrong then I 
 should feel confident I'll leave that room with my hide mostly 
 intact; it may be slightly singed, but I can live with that.  If 
 management isn't the reasonable type then that's a different issue.

 If your philosophy is to take every proactive measure ahead of time 
 possible, then that's fine.  I just don't see the point with regards 
 to FSMO roles when the recovery action is a relatively trivial 
 process.  This is obviously a matter of personal preference so I'm 
 not trying to convince others to change.  I just found the concept 
 unusual so I thought I'd share.

 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Wednesday, November 30, 2005 10:16 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] FSMO role transfer

 I would rather, as stated earlier, assess the risk and then act 
 appropriately. The original poster never defined 'maintenance' in 
 detail.

 The original post did state that the box would be down for ~2 hours
 for maintenance. This is clearly more than a patch and a reboot. We've
 been over that scenario and concluded that it carries a lesser risk.

 As joe 

[ActiveDir] DHCP Reservations

2005-11-04 Thread Figueroa, Johnny

Does anyone know of a way to tell if a DHCP address is a reserved IP
address from the client side?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health
Voice (602) 495-4195 Fax (602) 495-4406
 
WARNING: This message, and any attachments, are intended only for the
use of the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited.  If
you receive this communication in error, please notify us immediately

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] OWA after resetting password

2005-11-02 Thread Figueroa, Johnny

This is all in an Exchange 2003 and AD 2003 environment.

I wonder if I have this right? When the help desk resets a password in
ADUC, that password change is made against the DC that the tool is
connected to and the PDC Emulator. If a user logs on to the network the
authenticating DC checks the password against its database, if the
passwords do not match then it goes to the PDC Emulator to resolve the
conflict and the user gets on with the new password.

If a user is only an OWA user and he tries to logon to OWA after a help
desk password reset, it appears that if replication against the DCs in
the Exchange AD site has not happened then the new password is not
recognized. In other words there is a delay between resetting the
password and the user being able to sign on with it. I take it that OWA
does not check against the PDC Emulator but just the DCs in its site. 

Is there anything that can be done about this, other than reducing the
interval for replication on the site connector?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health
Voice (602) 495-4195 Fax (602) 495-4406
 



RE: [ActiveDir] OWA after resetting password

2005-11-02 Thread Figueroa, Johnny

Thanks, the AvoidPdcOnWan is not on in our environment and there is no
firewall between the sites. I am waiting to hear from someone that knows
OWA internals, to see if what we see is the case and if there is
anything that can be done about it.

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 02, 2005 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OWA after resetting password


I'm not an expert on OWA, but as you mentioned in the first part of your
message the DC performs the check against the PDC to see if the password
has been changed.  So long as OWA is using a DC to authenticate a user,
which I'm assuming it does, then the DC will handle the PDC check
invisibly.

The replication interval won't have any effect on the PDC getting
notified of the change as a separate mechanism is used to inform the PDC
of the change.

If your OWA is sitting on a secure network along with a selection of
DC's, is it possible that the DC's there can't contact the PDC due to
firewall rules?

Also, check if you're using AvoidPdcOnWan -
http://support.microsoft.com/?kbid=225511

Regards,
Mark.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 02 November 2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OWA after resetting password


This is all in an Exchange 2003 and AD 2003 environment.

I wonder if I have this right? When the help desk resets a password in
ADUC, that password change is made against the DC that the tool is
connected to and the PDC Emulator. If a user logs on to the network the
authenticating DC checks the password against its database, if the
passwords do not match then it goes to the PDC Emulator to resolve the
conflict and the user gets on with the new password.

If a user is only an OWA user and he tries to logon to OWA after a help
desk password reset, it appears that if replication against the DCs in
the Exchange AD site has not happened then the new password is not
recognized. In other words there is a delay between resetting the
password and the user being able to sign on with it. I take it that OWA
does not check against the PDC Emulator but just the DCs in its site. 

Is there anything that can be done about this, other than reducing the
interval for replication on the site connector?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health
Voice (602) 495-4195 Fax (602) 495-4406
 




For more information about Barclays Capital, please visit our web site
at http://www.barcap.com.


Internet communications are not secure and therefore the Barclays Group
does not accept legal responsibility for the contents of this message.
Although the Barclays Group operates anti-virus programmes, it does not
accept responsibility for any damage whatsoever that is caused by
viruses being passed.  Any views or opinions presented are solely those
of the author and do not necessarily represent those of the Barclays
Group.  Replies to this email may be monitored by the Barclays Group for
operational or business reasons.







RE: [ActiveDir] OWA after resetting password

2005-11-02 Thread Figueroa, Johnny

I thought about the ALTOOLS and that button you are talking about.
However my testing seems to show that this is actually the user's site,
not the site where the user last changed their password which would be
from within OWA (Exchange site) which is different from the user's.

Unless I missed something.

Thanks

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, November 02, 2005 6:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OWA after resetting password

I'm assuming this difference in behavior is due to the fact that an OWA
login is not an interactive login through LSASS. A possible solution is
to get your hands on the ALTOOLS download from Microsoft. One of the
tools in this set is the additional info dll. It allows you to reset the
password on a DC in the site in which the user last logged in.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 02 November 2005 15:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OWA after resetting password


Thanks, the AvoidPdcOnWan is not on in our environment and there is no
firewall between the sites. I am waiting to hear from someone that knows
OWA internals, to see if what we see is the case and if there is
anything that can be done about it.

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 02, 2005 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OWA after resetting password


I'm not an expert on OWA, but as you mentioned in the first part of your
message the DC performs the check against the PDC to see if the password
has been changed.  So long as OWA is using a DC to authenticate a user,
which I'm assuming it does, then the DC will handle the PDC check
invisibly.

The replication interval won't have any effect on the PDC getting
notified of the change as a separate mechanism is used to inform the PDC
of the change.

If your OWA is sitting on a secure network along with a selection of
DC's, is it possible that the DC's there can't contact the PDC due to
firewall rules?

Also, check if you're using AvoidPdcOnWan -
http://support.microsoft.com/?kbid=225511

Regards,
Mark.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 02 November 2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OWA after resetting password


This is all in an Exchange 2003 and AD 2003 environment.

I wonder if I have this right? When the help desk resets a password in
ADUC, that password change is made against the DC that the tool is
connected to and the PDC Emulator. If a user logs on to the network the
authenticating DC checks the password against its database, if the
passwords do not match then it goes to the PDC Emulator to resolve the
conflict and the user gets on with the new password.

If a user is only an OWA user and he tries to logon to OWA after a help
desk password reset, it appears that if replication against the DCs in
the Exchange AD site has not happened then the new password is not
recognized. In other words there is a delay between resetting the
password and the user being able to sign on with it. I take it that OWA
does not check against the PDC Emulator but just the DCs in its site. 

Is there anything that can be done about this, other than reducing the
interval for replication on the site connector?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health
Voice (602) 495-4195 Fax (602) 495-4406
 





RE: [ActiveDir] OWA after resetting password

2005-11-02 Thread Figueroa, Johnny



They are not setting the Must Change Password at Next Login box. Thanks

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, November 02, 2005 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OWA after resetting password

I am wondering, since this is a helpdesk password reset, are the helpdesk
personnel checking the Must Change Password at Next Login box? If that is
checked then the user won't be able to log into OWA until they change
their password themselves.

Phil
On 11/2/05, Peter Johnson [EMAIL PROTECTED] wrote:
 I'm assuming this difference in behavior is due to the fact that an OWA
 login is not an interactive login through LSASS. A possible solution is
 to get your hands on the ALTOOLS download from Microsoft. One of the
 tools in this set is the additional info dll. It allows you to reset the
 password on a DC in the site in which the user last logged in.

[ActiveDir] Access to ADUC from anywhere

2005-10-04 Thread Figueroa, Johnny

I am looking to provide access to Active Directory Users and Computers
MMC to some folks that move around a lot and may not have access to
their computers. The goal is to allow them to reset passwords while out
on the floor working with users.

I've tried a customized MMC but it looks like you need Adminpak.msi
or at least parts of it:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314978

Do I have any other options? 

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health
Voice (602) 495-4195 Fax (602) 495-4406
 



[ActiveDir] DNS Aging and Scavenging

2005-09-30 Thread Figueroa, Johnny

I am seeing more duplicate PTR records in our DNS reverse zones than I'd
like. Our DHCP lease is 8 days, the zones are AD integrated. I've been
down the DNSUpdateProxy group road, etc. So I believe the records are
duplicates because they are not scavenged in time, not because of
security rights to update the record or delete it.

Our scavenging per zone is set to 7 days for the no-refresh interval and
7 days for the refresh interval. I went by the formula that the refresh
interval should be 87.5% of the lease time, I'm just not sure about the
no-refresh interval. 

I found this paragraph in a support document that I don't understand:

After the record is refreshed, it cannot be refreshed again for the
interval specified by the no-refresh interval. The no-refresh interval, a
zone parameter, prevents unnecessary Active Directory replication traffic.

However, the record can still be updated during the no-refresh interval. If
a dynamic update request requires modification to a record, the request is
considered an update. If the request requires no modifications, it is
considered a refresh. Therefore, prerequisite-only updates, updates that
include a list of prerequisites but no zone changes, are also considered
refreshes.


If the goal is to get rid of addresses as soon as they are truly stale,
then that would be right after the lease expires?
In my scenario, should the no-refresh interval be (1) and the refresh
(7)? In a 2003 AD/DNS environment, how much replication traffic is this
going to be?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health
Voice (602) 495-4195 Fax (602) 495-4406
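To make the quoted no-refresh/refresh wording concrete, here is an added example, not part of the thread and not Microsoft code: a Python model of a record's timestamp under those rules (a refresh is ignored inside the no-refresh window, an update that changes data is always applied, and the record becomes scavengable once no-refresh plus refresh has elapsed since the timestamp). It simulates one DHCP client that registers on day 0 and renews at 50% of the lease until it disappears; that renewal schedule, and the assumption that every renewal produces a DNS refresh attempt, are this example's own. Running it with the 7/7 setting from the question and with 1/7 shows how many refreshes actually move the timestamp (each one is a replication event) and how long the record of a vanished client lingers before a scavenging pass can delete it.

```python
"""Model of DNS aging: no-refresh interval, refresh interval, scavenging.

Added example, not part of the original thread and not Microsoft code. It
implements the behaviour the quoted support text describes: a refresh (a
dynamic update that changes nothing) is ignored while the record is inside
its no-refresh interval, an update that changes data is always applied,
and a record becomes eligible for scavenging once
    now >= timestamp + no_refresh + refresh.
Times are in days. The DHCP client renewal schedule (attempt at 50% of
the lease, each attempt producing a DNS refresh) is this example's
assumption about when refreshes arrive.
"""
from dataclasses import dataclass


@dataclass
class ZoneAging:
    no_refresh: float  # days after a refresh during which refreshes are ignored
    refresh: float     # days after the no-refresh window in which a refresh may occur


@dataclass
class Record:
    name: str
    data: str
    timestamp: float   # day of the last accepted refresh or update


def dynamic_update(zone, rec, now, data):
    """Apply a dynamic update request; return True if the timestamp moved.

    A request that changes the data is an update and is always applied.
    A request with identical data is a refresh and is accepted only once
    the no-refresh interval has elapsed; ignored refreshes cost no
    replication, which is the point of the no-refresh interval.
    """
    if data != rec.data:
        rec.data = data
        rec.timestamp = now
        return True
    if now >= rec.timestamp + zone.no_refresh:
        rec.timestamp = now
        return True
    return False


def scavengable_at(zone, rec):
    """Day from which a scavenging pass may delete the record."""
    return rec.timestamp + zone.no_refresh + zone.refresh


def simulate_client(zone, lease_days, last_seen_day, horizon=60.0):
    """Simulate one DHCP client that registers at day 0 and renews at 50%
    of the lease (assumed) until it disappears after last_seen_day.

    Returns (accepted_refresh_days, scavengable_day): which renewals
    actually moved the timestamp (replication events), and when the
    record left behind by the vanished client becomes scavengable.
    """
    rec = Record("host1", "10.0.0.5", timestamp=0.0)  # constructed sample
    accepted = []
    day = lease_days / 2
    while day <= last_seen_day and day <= horizon:
        if dynamic_update(zone, rec, day, rec.data):
            accepted.append(day)
        day += lease_days / 2
    return accepted, scavengable_at(zone, rec)


if __name__ == "__main__":
    for no_refresh, refresh in ((7, 7), (1, 7)):
        zone = ZoneAging(no_refresh=no_refresh, refresh=refresh)
        accepted, scav = simulate_client(zone, lease_days=8, last_seen_day=20)
        print(f"no-refresh {no_refresh}d / refresh {refresh}d: "
              f"timestamp moved on days {accepted}; "
              f"stale record scavengable from day {scav:.0f}")
```

The model deliberately stops at "eligible for scavenging": the actual deletion happens on the next scavenging pass of the server that performs it, so the observed lifetime of a stale record is this figure plus up to one scavenging period.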
 



RE: [ActiveDir] DNS Aging and Scavenging

2005-09-30 Thread Figueroa, Johnny

Thank you, great article 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, September 30, 2005 1:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Aging and Scavenging


Take a look at an article written by Marcus
http://myitforum.techtarget.com/articles/16/print_view.asp?id=6287 

Cheers,
Jorge
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Friday, September 30, 2005 10:35
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Aging and Scavenging


I am seeing more duplicate PTR records in our DNS reverse zones than I'd
like. Our DHCP lease is 8 days, the zones are AD integrated. I've been
down the DNSUpdateProxy group road, etc. So I believe the records are
duplicates because they are not scavenged in time, not because of
security rights to update the record or delete it.

Our scavenging per zone is set to 7 days for the no-refresh interval and
7 days for the refresh interval. I went by the formula that the refresh
interval should be 87.5% of the lease time, I'm just not sure about the
no-refresh interval. 

I found this paragraph in a support document that I don't understand:

After the record is refreshed, it cannot be refreshed again for the
interval specified by the no-refresh interval. The no-refresh interval,
a zone parameter, prevents unnecessary Active Directory replication
traffic.

However, the record can still be updated during the no-refresh interval. If
a dynamic update request requires modification to a record, the request
is considered an update. If the request requires no modifications, it is
considered a refresh. Therefore, prerequisite-only updates, updates that
include a list of prerequisites but no zone changes, are also considered
refreshes.


If the goal is to get rid of addresses as soon as they are truly stale,
then that would be right after the lease expires?
In my scenario, should the no-refresh interval be (1) and the refresh
(7)? In a 2003 AD/DNS environment, how much replication traffic is this
going to be?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health
Voice (602) 495-4195 Fax (602) 495-4406
 



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.




RE: [ActiveDir] only 1 GPO not applying...

2005-09-19 Thread Figueroa, Johnny

Are you applying the policy to an OU that does not have users?  If so
that is why the GPO is not applying. You would need to do a loopback
processing option for this. 


You need to enable loopback processing. This is under
Computer/Administrative Templates/System/Group Policy.

What is happening is that your GPO is in a container that contains the
computers not the users.  So the settings only apply to objects in that
OU.  Since there are no users in that OU the user settings do not apply,
even though they are logging on to machines in that group.  By enabling
loopback processing you are telling it to apply the user settings to all
users of this machine when they log on. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, September 19, 2005 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...

Hi,
   I found that only computer policies apply ;/ The user-only policy
does not apply, still searching but will appreciate any inputs.
It may be a permissions issue, I'm looking this way.

Thanks! 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: September 19, 2005 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] only 1 GPO not applying...

Hi,
I have a little problem applying a GPO.
SETUP: Windows 2k native domain with XP SP2 ADM files. All stations are
WinXP SP2.

I had a GPO that pushed a screen saver configuration and some other
restrictions. I had to split the GPO in 2 because I needed to deploy the
screensaver without the other restrictions. There is a problem with this
new GPO because it just does not apply to any machine/user.

I used GPMC on a WinXP SP2 with the 2k3 adminpak to define and link the
GPOs.


Note: all other policies are applied correctly and the one that does not
apply isn't listed in the "The following GPOs were not applied because
they were filtered out" section...

Any ideas?

Thanks for your time! 
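Added example, not from the thread and not anything posted in it: PowerShell that reads the loopback mode a workstation actually received and enables loopback on a named GPO, as Johnny's answer describes. It assumes the GroupPolicy RSAT module; the computer and GPO names are placeholders.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy RSAT module.
# User Group Policy loopback processing is written by the policy engine to
# HKLM\Software\Policies\Microsoft\Windows\System, value UserPolicyMode:
#   1 = Merge   (user's own GPOs first, then the computer's user settings on top)
#   2 = Replace (only the user settings from the computer's GPOs apply)
#   absent/0 = not configured: the situation in the thread, where user settings
#   linked to a computer-only OU never reach the user.

# Pure mapping so the value semantics can be checked without a registry
function ConvertTo-LoopbackName {
    param($Value)
    if ($null -eq $Value) { return 'NotConfigured' }
    switch ([int]$Value) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'NotConfigured' }
    }
}

# What the policy engine left on a machine (local or remote registry read)
function Get-LoopbackMode {
    param([string]$ComputerName = $env:COMPUTERNAME)   # placeholder target
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $base.OpenSubKey('Software\Policies\Microsoft\Windows\System')
    $raw  = if ($null -ne $key) { $key.GetValue('UserPolicyMode') } else { $null }
    ConvertTo-LoopbackName -Value $raw
}

# Set loopback on the GPO linked to the computer OU (run with -WhatIf first)
function Enable-GpoLoopback {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GpoName,                      # placeholder GPO name
        [ValidateSet('Merge', 'Replace')][string]$Mode = 'Merge'
    )
    $value = if ($Mode -eq 'Merge') { 1 } else { 2 }
    if ($PSCmdlet.ShouldProcess($GpoName, "Set user loopback processing to $Mode")) {
        Set-GPRegistryValue -Name $GpoName `
            -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
            -ValueName 'UserPolicyMode' -Type DWord -Value $value | Out-Null
    }
}

# Usage:
#   Get-LoopbackMode -ComputerName 'WS01'
#   Enable-GpoLoopback -GpoName 'Screensaver-Policy' -Mode Merge -WhatIf
```

Merge keeps the user's own GPOs and layers the computer's user settings on top; Replace discards the user's own GPOs, so pick Merge unless the other restrictions in the split GPO are meant to win.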




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] 2003 SP1

2005-09-06 Thread Figueroa, Johnny

Good morning folks, I am entertaining the idea of applying SP1 to our
2003 domain controllers. I figured I would start with
http://support.microsoft.com/kb/889101  but if you have any 1st hand
knowledge of any issues, please let me know.

For that matter, if you have a good link about applying 2003 SP1 to
member servers please send it to me. I will probably assist with this
task also.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health Voice (602)
495-4195 Fax (602) 495-4406
 
WARNING: This message, and any attachments, are intended only for the
use of the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited.  If
you receive this communication in error, please notify us immediately

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Password policy change

2005-08-26 Thread Figueroa, Johnny

Good morning folks, yesterday I changed the domain password security to
retain password history for 5 passwords and the password cannot be
changed for one day.

Our help desk used to set passwords to a default value when they got a
call from a user and then tell the user to change it to something they
want. It looks like that is not working for them.

Is there any way around this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health Voice (602)
495-4195 Fax (602) 495-4406
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Password policy change

2005-08-26 Thread Figueroa, Johnny

Help desk sets the password to something something, tells the user to change
their password to whatever they want it to be and the user cannot. I thought
about having the HD check the box that makes it so the user has to change the 
password the next time they log in but I think that would effectively lock out 
the OWA only users.

The point is that the HD gets the user going by setting the password to 
something generic, then the user is supposed to change it to whatever they want 
to keep.


Thanks 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 26, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Which part is not working and how is it not working?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 8/26/2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password policy change




Good morning folks, yesterday I changed the domain password security to retain
password history for 5 passwords and the password cannot be changed for one
day.

Our help desk used to set passwords to a default value when they got a call
from a user and then tell the user to change it to something they want. It
looks like that is not working for them.

Is there any way around this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health Voice 
(602)
495-4195 Fax (602) 495-4406

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Password policy change

2005-08-26 Thread Figueroa, Johnny

Thank you all, just wanted to ask the geniuses before I closed the door on it. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, August 26, 2005 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

Like Jeff said, if you keep the "Password cannot be changed for 1 day" setting
then this will not work. The helpdesk changing the password means that it
cannot be changed again for the next 24 hours.
In your scenario the users will have to wait 24 hours to change their password,
or you will need to turn that option off.

Phil

On 8/26/05, Figueroa, Johnny [EMAIL PROTECTED] wrote:
 
 Help desk sets the password to something something, tells the user to change
 their password to whatever they want it to be and the user cannot. I thought
 about having the HD check the box that makes it so the user has to change the 
 password the next time they log in but I think that would effectively lock 
 out the OWA only users.
 
 The point is that the HD gets the user going by setting the password to 
 something generic, then the user is supposed to change it to whatever they 
 want to keep.
 
 
 Thanks
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Friday, August 26, 2005 9:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Password policy change
 
 Which part is not working and how is it not working?
 
 
 Sincerely,
 
 Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about 
 Yesterday?  -anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
 Sent: Fri 8/26/2005 9:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Password policy change
 
 
 
 
 Good morning folks, yesterday I changed the domain password security to
 retain password history for 5 passwords and the password cannot be changed
 for one day.

 Our help desk used to set passwords to a default value when they got a
 call from a user and then tell the user to change it to something they
 want. It looks like that is not working for them.

 Is there any way around this?
 
 Thanks
 
 Johnny Figueroa
 Enterprise Network Consultant/Integrator Network Services Banner 
 Health Voice (602)
 495-4195 Fax (602) 495-4406
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Password policy change

2005-08-26 Thread Figueroa, Johnny

I mean, if I use the "user must change password at next logon" check box, our
users whose only way into the domain is OWA will not be prompted to change
their password... Unless I am missing something.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Friday, August 26, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

Johnny,

We do exactly what you suggest: change the password and set "user must
change password at next logon", and they are able to change it, even within the
"password cannot be changed" period.

What do you mean by "that would effectively lock out the OWA only users"?


 Alan Cuthbertson


 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml



- Original Message -
From: Figueroa, Johnny [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 2:56 AM
Subject: RE: [ActiveDir] Password policy change



Help desk sets the password to something something, tells the user to
change their password to whatever they want it to be and the user cannot. I
thought about having the HD check the box that makes it so the user has to
change the password the next time they log in but I think that would
effectively lock out the OWA only users.

The point is that the HD gets the user going by setting the password to
something generic, then the user is supposed to change it to whatever they
want to keep.


Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 26, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Which part is not working and how is it not working?


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 8/26/2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password policy change




Good morning folks, yesterday I changed the domain password security to
retain password history for 5 passwords and the password cannot be changed
for one day.

Our help desk used to set passwords to a default value when they got a call
from a user and then tell the user to change it to something they want. It
looks like that is not working for them.

Is there any way around this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602)
495-4195 Fax (602) 495-4406

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
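Added example, not from the thread: the decision the whole thread turns on, in PowerShell. It assumes the ActiveDirectory RSAT module; the pure function takes the raw pwdLastSet value, the friendly PasswordLastSet time and the domain's MinPasswordAge, and the two calls at the end are constructed versions of the help-desk scenario.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module.
# Minimum password age counts from the last set time, whoever set it (a help-desk
# reset included). pwdLastSet = 0 is "user must change password at next logon",
# and that forced change is allowed regardless of minimum age.

function Get-PasswordChangeEligibility {
    param(
        [Parameter(Mandatory)][long]$PwdLastSet,           # raw AD attribute; 0 = must change
        [AllowNull()][nullable[datetime]]$PasswordLastSet, # friendly form; $null when PwdLastSet is 0
        [Parameter(Mandatory)][timespan]$MinPasswordAge,   # domain policy; 1 day in the thread
        [datetime]$Now = (Get-Date)
    )
    if ($PwdLastSet -eq 0) {
        return [pscustomobject]@{
            CanChange  = $true
            EligibleAt = $Now
            Reason     = 'Must change at next logon: minimum password age is not enforced'
        }
    }
    $eligibleAt = $PasswordLastSet + $MinPasswordAge
    $ok = $Now -ge $eligibleAt
    $reason = if ($ok) { 'Minimum password age has elapsed' }
              else { "Last set $PasswordLastSet; change blocked until $eligibleAt" }
    [pscustomobject]@{ CanChange = $ok; EligibleAt = $eligibleAt; Reason = $reason }
}

# Live check for one account against the default domain policy
function Test-UserCanChangePassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $policy = Get-ADDefaultDomainPasswordPolicy
    $user   = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordLastSet
    Get-PasswordChangeEligibility -PwdLastSet $user.pwdLastSet `
        -PasswordLastSet $user.PasswordLastSet -MinPasswordAge $policy.MinPasswordAge
}

# Constructed scenario: help desk reset 20 hours ago, 1-day minimum age
# (1 stands in for any non-zero pwdLastSet value)
Get-PasswordChangeEligibility -PwdLastSet 1 -PasswordLastSet (Get-Date).AddHours(-20) `
    -MinPasswordAge (New-TimeSpan -Days 1)
# Same user after the help desk ticks "must change at next logon"
Get-PasswordChangeEligibility -PwdLastSet 0 -PasswordLastSet $null `
    -MinPasswordAge (New-TimeSpan -Days 1)
```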


[ActiveDir] Remove invalid PTR records

2005-08-05 Thread Figueroa, Johnny

Does anyone have a script that will walk a DNS reverse lookup zone and
delete invalid records? In my mind, if you read a PTR record and ping
the fully qualified host name and it does not answer, it could be
considered invalid. Laptops and shut-down clients should be o.k. when they
boot up.

We have an application that uses PTR records to work and we are getting
a lot of invalid ones and in some cases duplicates, which causes a bit of
a DNS round robin.

I've addressed all the best practices for making sure that records are
scavenged, etc. with Microsoft, but it does not help me with the current
bad records that would take a while to age.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health Voice (602)
495-4195 Fax (602) 495-4406
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
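Added example, not a script anyone posted: a report-only PowerShell audit of a reverse zone built on the DnsServer module (Windows Server 2012 and later, so newer than the 2005 thread). It checks each PTR against a forward lookup, flags duplicate PTRs for one address, optionally pings as the post suggests, and keeps deletion as a separate -WhatIf-capable step; the server and zone names are placeholders.

```powershell
# Added example (not from the thread). Uses the DnsServer module (Windows
# Server 2012 and later); the server and zone names below are placeholders.

# PTR owner name plus zone -> the IPv4 address the record answers for,
# e.g. HostName '10' in '1.168.192.in-addr.arpa' -> 192.168.1.10
function ConvertTo-PtrAddress {
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][string]$ZoneName)
    $owner  = "$HostName.$ZoneName" -replace '\.in-addr\.arpa\.?$', ''
    $octets = $owner.Split('.')
    [array]::Reverse($octets)
    return ($octets -join '.')
}

# Report only: nothing here changes the zone
function Get-PtrAuditReport {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = 'dns01.example.com',   # placeholder
        [switch]$Ping
    )
    $records = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType Ptr)
    # Two PTRs under one owner name = two names for one IP, the round robin the post describes
    $perOwner = @{}
    foreach ($r in $records) { $perOwner[$r.HostName] = 1 + [int]$perOwner[$r.HostName] }

    foreach ($r in $records) {
        $ip      = ConvertTo-PtrAddress -HostName $r.HostName -ZoneName $ZoneName
        $ptrData = $r.RecordData.PtrDomainName          # as stored, usually with a trailing dot
        $target  = $ptrData.TrimEnd('.')
        $a = @(Resolve-DnsName -Name $target -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' })
        $status = if ($a.Count -eq 0) { 'NoForwardRecord' }
                  elseif (@($a.IPAddress) -contains $ip) { 'Consistent' }
                  else { 'ForwardMismatch' }
        $reach = $null
        if ($Ping) { $reach = Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            HostName  = $r.HostName
            IPAddress = $ip
            PtrData   = $ptrData
            Status    = $status
            Duplicate = ($perOwner[$r.HostName] -gt 1)
            Reachable = $reach
            Static    = ($null -eq $r.Timestamp)   # no aging timestamp: static, never scavenged
        }
    }
}

# Deletion is a separate, explicit step; run with -WhatIf first
function Remove-AuditedPtr {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Entry,    # an object from Get-PtrAuditReport
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = 'dns01.example.com'             # placeholder
    )
    process {
        # Leave consistent records and static entries (deliberately created) alone
        if ($Entry.Status -eq 'Consistent' -or $Entry.Static) { return }
        if ($PSCmdlet.ShouldProcess("$($Entry.IPAddress) -> $($Entry.PtrData)", 'Remove PTR')) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                -RRType Ptr -Name $Entry.HostName -RecordData $Entry.PtrData -Force
        }
    }
}

# Usage:
#   $audit = Get-PtrAuditReport -ZoneName '1.168.192.in-addr.arpa' -Ping
#   $audit | Where-Object { $_.Status -ne 'Consistent' -or $_.Duplicate } | Format-Table
#   $audit | Remove-AuditedPtr -ZoneName '1.168.192.in-addr.arpa' -WhatIf
```

A host that is merely powered off shows NoForwardRecord only if its A record is gone too, so treat Reachable as advisory and Status as the deciding column.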


RE: [ActiveDir] Changing a authoritative restore password on a DC

2005-08-05 Thread Figueroa, Johnny


Is this what you are looking for?

2000: http://support.microsoft.com/?kbid=239803  

2003: http://support.microsoft.com/Default.aspx?kbid=322672


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, August 05, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing a authoritative restore password on a DC

Greetings, 

Quick question, does anyone ever change their initial password used
when they installed Active Directory? If so, do you use a third party
tool to automate the password change across all the controllers, or is
this something that is easily scriptable?



Sincerely, 

Jose Medeiros
408-449-6621 Cell



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Attribute default

2005-08-01 Thread Figueroa, Johnny

We are trying to change an AD user Attribute so that new users created
get a default value. How would I start to try to do that?

Thanks


Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health Voice (602)
495-4195 Fax (602) 495-4406
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Attribute default

2005-08-01 Thread Figueroa, Johnny
 
Let me be more specific. If you look at the Exchange Features tab in
ADUC, there are 3 attributes for Mobile services:

Outlook mobile access, User initiated synch and up-to-date notifications,
which are all set to Enabled. I have a script to reset the existing
users to Disabled but also want that to be the default when an ID is
created.

Thanks... Sorry for the 2 part.

-Original Message-
From: Figueroa, Johnny 
Sent: Monday, August 01, 2005 1:59 PM
To: 'ActiveDir@mail.activedir.org'
Subject: Attribute default


We are trying to change an AD user Attribute so that new users created
get a default value. How would I start to try to do that?

Thanks


Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602)
495-4195 Fax (602) 495-4406
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Attribute default

2005-08-01 Thread Figueroa, Johnny



Thank you, the problem with the most recent suggestion is
that you have to have a template when creating the user IDs and I cannot
guarantee or dictate that. I think I am going to go with running my script once
a week to look for users with those attributes enabled and disable them.



Thank you all


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, August 01, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Attribute default


Hello,

If you want a fixed value of an attribute to be copied while duplicating an
account, you *must* extend the schema as a requirement.

By default when you duplicate an account, its memberOf attribute and others
I don't recall ;( are also duplicated, so that the new account inherits those
attributes from the "model" account.

In your example, you can predefine the Outlook mobile access to disabled for a
user account.

Go to the Schema MMC, search for the "msExchOmaAdminWirelessEnable" attribute,
right-click on it and check the box "the attribute is copied during duplication
of user account" - sorry but my MMC is in French, so my translation into English
is a bit horrible, but I hope comprehensible enough :-)

Next click OK, and right-click "Your schema NC [your_dc.domain.com]", and click
"reload the schema".

Then, the configuration will take effect.

Certain attributes, called system attributes, have the checkbox disabled so you
cannot activate the feature.

BUT, I share Joe's advice about rather using a provisioning/deprovisioning
system, which seems to be safer and more proper :)

Hope it helps,

Yann



From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Mon. 01/08/2005 23:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Attribute default

Let me be more specific. If you look at the "Exchange Features" tab in
ADUC, there are 3 attributes for "Mobile services":

Outlook mobile access, User initiated synch and up-to-date notifications,
which are all set to "Enabled". I have a script to reset the existing
users to "Disabled" but also want that to be the default when an ID is
created.

Thanks... Sorry for the 2 part.

-Original Message-
From: Figueroa, Johnny
Sent: Monday, August 01, 2005 1:59 PM
To: 'ActiveDir@mail.activedir.org'
Subject: Attribute default

We are trying to change an AD user Attribute so that new users created
get a default value. How would I start to try to do that?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602) 495-4195 Fax (602) 495-4406

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
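Added example, not from the thread: PowerShell, assuming the ActiveDirectory RSAT module, that (1) reads and sets the schema bit behind the "copied during duplication" checkbox Yann describes (bit 0x10 of searchFlags on the attributeSchema object) and (2) runs the weekly clean-up Johnny settles on. The thread names msExchOmaAdminWirelessEnable but not the value his script writes for "Disabled", so $DisabledValue is a placeholder.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module.
# Part 1: the Schema MMC checkbox "attribute is copied when duplicating a user"
# sets bit 0x10 in searchFlags on the attributeSchema object.

function Test-CopyOnDuplicateFlag {
    param([Parameter(Mandatory)][int]$SearchFlags)
    return (($SearchFlags -band 0x10) -ne 0)
}

function Get-SchemaCopyOnDuplicate {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags, systemOnly
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    [pscustomobject]@{
        Attribute         = $LdapDisplayName
        DistinguishedName = $attr.DistinguishedName
        SearchFlags       = [int]$attr.searchFlags
        CopiedOnDuplicate = Test-CopyOnDuplicateFlag -SearchFlags ([int]$attr.searchFlags)
        SystemOnly        = [bool]$attr.systemOnly   # the "system attributes" Yann mentions: not editable
    }
}

function Set-SchemaCopyOnDuplicate {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Schema writes need Schema Admins membership and go to the schema master
    $info = Get-SchemaCopyOnDuplicate -LdapDisplayName $LdapDisplayName
    if ($info.CopiedOnDuplicate) { return $info }
    if ($info.SystemOnly) { throw "$LdapDisplayName is system-only; the flag cannot be set" }
    $master = (Get-ADForest).SchemaMaster
    if ($PSCmdlet.ShouldProcess($info.DistinguishedName, 'Set copy-on-duplicate bit in searchFlags')) {
        Set-ADObject -Server $master -Identity $info.DistinguishedName `
            -Replace @{ searchFlags = ($info.SearchFlags -bor 0x10) }
        # Same effect as "reload the schema" in the MMC
        $rootDse = [ADSI]"LDAP://$master/RootDSE"
        $rootDse.Put('schemaUpdateNow', 1)
        $rootDse.SetInfo()
    }
    Get-SchemaCopyOnDuplicate -LdapDisplayName $LdapDisplayName
}

# Part 2: the weekly job. $DisabledValue is a placeholder for the value the
# existing "reset to Disabled" script writes; the thread does not give it.
function Reset-OmaAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]$DisabledValue,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # (!(attr=value)) also matches users where the attribute is absent, i.e. still at the default
    $filter = "(&(objectCategory=person)(objectClass=user)(!(msExchOmaAdminWirelessEnable=$DisabledValue)))"
    $users  = @(Get-ADUser -SearchBase $SearchBase -LDAPFilter $filter -Properties msExchOmaAdminWirelessEnable)
    foreach ($u in $users) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set msExchOmaAdminWirelessEnable to $DisabledValue")) {
            Set-ADUser -Identity $u -Replace @{ msExchOmaAdminWirelessEnable = $DisabledValue }
        }
    }
    return $users.Count   # number of accounts that needed the reset
}

# Usage:
#   Get-SchemaCopyOnDuplicate -LdapDisplayName msExchOmaAdminWirelessEnable
#   Set-SchemaCopyOnDuplicate -LdapDisplayName msExchOmaAdminWirelessEnable -WhatIf
#   Reset-OmaAttribute -DisabledValue '<value-from-your-script>' -WhatIf
```

The schema flag only helps accounts created by copying a template, which is the gap Johnny points out; the weekly job covers every other creation path.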


RE: [ActiveDir] Urgh... troubleshooting....

2005-07-29 Thread Figueroa, Johnny

What happens when you run DCDIAG from the broken DC ? 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, July 29, 2005 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgh... troubleshooting

Michel-

Care to elaborate? We have 8.0i in the lab and I haven't noticed any ill 
effects on the DC's but this certainly caught my eye as we are scheduled to 
move it over to production soon.

Thanks

Bob 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Friday, July 29, 2005 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgh... troubleshooting



May look strange but are you running McAfee 8.0i??

Got someone that had something similar and the TDI driver of VS8 was the 
culprit... 


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of vex
 Sent: Friday, July 29, 2005 4:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Urgh... troubleshooting
 
 Greetings,
   I've been a lurker here for quite some time and have had a 
 relatively quiet AD until recently.
 
 We have a small network with 2K servers and a mix of 2K and XP2 
 workstations.
 Until recently, everything was fine.
 
 Then Something Happened.
 
 I'm not sure what started the ball rolling, but it's certainly rolling 
 now.
 
 I have one server that is listed in the AD and DNS as a DC, but it 
 won't replicate AD either direction. I've spent a couple of hours 
 doing some web surfing and initial troubleshooting, but I've had less 
 than stellar success. (at one point in time it was working fine, since 
 I have a lot of older AD information on the problem server)
 
 I've run DnsLint and all the DNS entries look good.
 
 When I do a 'net view \\servername' from the DC that does not have up 
 to date AD information, I get a message back, access denied, and a 
 corresponding entry in the security log about a failure audit of the 
 server I'm attempting to view. But when I do the same thing and use an 
 IP address instead of a server name, the net view information 
 displays.
 
 Another symptom is printer connections and drive mapping. If I'm at 
 the server with the out of date AD information, I'm getting an 'access 
 denied'
 message when
 attempting to connect to a network printer or map a network drive.
 
 All of the steps outlined above work fine when initiated from any of 
 the other servers. It's almost like the server with the out of date AD 
 information is allowing access, but the rest of the servers in the 
 organization won't let
 *that* particular server have access to any domain related stuff, 
 such as printers and network shares.
 
 I can't even run dcpromo and remove AD from the affected server 
 because it asks for some sort of authorization from other DC's located 
 in the organization, but the other DC's won't allow it to access 
 information. I'm assuming it's trying to tell the other DC's to remove 
 any pertinent entries from the AD in regards to the server that's 
 attempting to have its AD removed.
 
 Does anyone have any links to places I can continue to search for 
 troubleshooting information?
 
 
 
   --Brett
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Urgh... troubleshooting....

2005-07-29 Thread Figueroa, Johnny



Found this, under Troubleshooting Active Directory : http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/d87e1c8f-2e6b-4ce3-b72b-7108acc6aecb.mspxMore 
to the point there are some special security checks in DCDIAG for 2003 SP1 that 
may be able to help. From the link above:
An "Access denied" or other security error has caused replication 
problems
Updated: March 2, 2005

Replication problems that have security causes can be tested and diagnosed by 
using the version of Dcdiag.exe that is included with Windows Support Tools in 
WindowsServer2003 Service Pack1 (SP1).
Cause
A replication destination domain controller cannot contact its source 
replication partner to get ActiveDirectory updates as a result of one or 
more security errors occurring on the connection between the two domain 
controllers.
Top 
of page
Solution
Run the replication security error diagnostic test that is available in the 
version of Dcdiag in Windows Support Tools that is included in 
WindowsServer2003SP1.
Test a Domain Controller for Replication Security Errors
You can test any or all domain controllers in your forest for security 
errors. 
Requirements


  
  
•

  Administrative credentials: To complete this procedure, you must be a 
  member of the Domain Admins group to test a domain controller in your 
  domain or a member of the Enterprise Admins group to test a domain 
  controller in another domain.
  
•

  Tool: Dcdiag.exe (Windows Support Tools) in 
  WindowsServer2003SP1
  
•

  Operating system: 
  


  •
  
Although you can run the enhanced version of Dcdiag on computers 
running WindowsXP Professional and 
WindowsServer2003 with no service pack installed, to run 
the new replication security test (/test:CheckSecurityError), 
you must run Dcdiag on a domain controller running 
WindowsServer2003 with SP1.

  •
  
You can run the new Dcdiag replication security tests against 
domain controllers that are running the following operating 
systems:
Windows2000Server with Service 
Pack3(SP3)
Windows2000Server with Service 
Pack4(SP4)
WindowsServer2003
WindowsServer2003 with 
  SP1
To test a domain controller for replication security errors


  
  

  1.

  At a command prompt, type the following command, and then press 
  ENTER:
  dcdiag /test:CheckSecurityError 
  /s:DomainControllerName
  
  DomainControllerName
  The Domain Name System (DNS) name, network basic input/output system 
  (NetBIOS) name, or distinguished name of the domain controller on which 
  you want to test
  
  If you do not use the /s: switch, the test is run against the 
  local domain controller. You can also test all domain controllers in the 
  forest by using /e: instead of /s:.
  

  2.

  Copy the report into Notepad or an equivalent text editor 
  

  3.

  Scroll to the Summary table near the bottom of the Dcdiag log file. 

  

  4.

  Note the names of all domain controllers that reported “Warn” or “Fail” 
  status in the Summary table. 
  

  5.

  Find the detailed breakout section for the problem domain controller by 
  searching on the string “DC: DomainControllerName”. 
  

  6.

  Make the required configuration changes on the domain controllers.
  Rerun Dcdiag /test:CheckSecurityError with the /e: or 
  /s: switch to validate the configuration 
changes.
Test the Connection Between Two Domain Controllers for Replication Security 
Errors
You can test the connection between two domain controllers in your forest for 
replication security errors. The domain controller that represents the source of 
the inbound connection does not have to be an existing source to run this test; 
that is, a connection object from that domain controller does not have to exist 
on the destination domain controller. The test is useful in the following 
scenarios:

  • A connection exists between a source and a destination, and you receive 
    a security error.

  • A connection should be created automatically by the Knowledge 
    Consistency Checker (KCC) and you want to test why the connection does not 
    exist.

  • You are trying to create a connection between two domain controllers 
    and you receive a security error.

  • You want to determine whether a connection could be created if you 
    wanted to add one on this destination from the specified source.

Requirements

  • Administrative credentials: To complete this procedure, you must be a 
    member of the Domain 
[ActiveDir] DNSAdmins security rights

2005-07-25 Thread Figueroa, Johnny

This looks to be different between 2000 and 2003 DNS servers. On 2000
DNSAdmins is granted full control to this object and all child
objects. On 2003 DNS it was granted access to this object only.  

Does anyone know about this change and would it be o.k. to change the
permissions to ...and all child object?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 
WARNING: This message, and any attachments, are intended only for the
use of the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited.  If
you receive this communication in error, please notify us immediately

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
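To see exactly what the two settings Johnny describes look like on the directory object, the following PowerShell (an added example, not from the thread) lists the DnsAdmins entries on a DNS container's ACL together with the inheritance scope of each. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later, so newer than the 2005 thread); the container DN is a parameter, and the domain DN and DC name in the usage line are placeholders.

```powershell
# Added example (not from the thread). Lists the DnsAdmins ACEs on a DNS container and shows
# the inheritance scope of each, which is what differs between the 2000 and 2003 defaults.
# Assumes the ActiveDirectory module; DN and DC names are placeholders.
Import-Module ActiveDirectory

function Get-DnsAdminsAce {
    [CmdletBinding()]
    param(
        # Container whose ACL to read. Candidates: CN=MicrosoftDNS,CN=System,<domain DN> (the
        # Windows 2000 location, still used for domain-replicated zones), and
        # CN=MicrosoftDNS,DC=DomainDnsZones,<domain DN> or DC=ForestDnsZones (2003 application partitions).
        [Parameter(Mandatory)] [string] $ContainerDN,
        [string] $Server,                  # DC to read from; the default AD: drive is used if omitted
        [string] $GroupName = 'DnsAdmins'
    )
    $drive = 'AD'
    if ($Server) {
        # Bind a separate drive to the requested DC so the ACL is read from that replica.
        $drive = 'ADACL'
        if (-not (Get-PSDrive -Name $drive -ErrorAction SilentlyContinue)) {
            New-PSDrive -Name $drive -PSProvider ActiveDirectory -Root '' -Server $Server | Out-Null
        }
    }
    $acl = Get-Acl -Path "${drive}:\$ContainerDN"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -notmatch "\\$GroupName$") { continue }
        # InheritanceType is what the DNS console renders in the "Apply onto" column.
        $appliesTo = switch ($ace.InheritanceType.ToString()) {
            'None'        { 'This object only' }
            'All'         { 'This object and all child objects' }
            'Descendents' { 'Child objects only' }
            default       { $_ }
        }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights    # GenericAll is what the console calls Full Control
            Type      = $ace.AccessControlType
            AppliesTo = $appliesTo
            Inherited = $ace.IsInherited               # true if the ACE came down from a parent
        }
    }
}

# Usage (placeholders): run against a 2000-era and a 2003-era container and compare AppliesTo.
# Get-DnsAdminsAce -ContainerDN 'CN=MicrosoftDNS,CN=System,DC=corp,DC=example,DC=com' -Server 'dc1.corp.example.com' | Format-Table -AutoSize
```

The zone objects (dnsZone) and their records (dnsNode) are children of the MicrosoftDNS container, so an ACE scoped to "This object only" does not by itself give DnsAdmins rights on the zones beneath it. Before widening the entry to all child objects, it is worth checking whether the zones already carry their own DnsAdmins ACE and granting on the specific zones that need it rather than the whole container.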


RE: [ActiveDir] DC Backups

2005-07-17 Thread Figueroa, Johnny

Sorry, I meant drives C and E on DC2, database on E and logs on C with
the OS. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Sunday, July 17, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Backups

You said the db was on the D: drive for DC2, so why would you see it on
E:?

Also, where are you running NTBackup from?

If from DC1 when you are trying to drill down DC2's drive, that might
not work since you can't remotely back up the system state with
NTBackup.
You would need a third party backup app like Veritas Backup Exec for
that.
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] RUS question

2005-07-14 Thread Figueroa, Johnny

I am replacing the domain controller that the Exchange 2003 RUS points
to from a 2000 DC to a 2003 DC. I know the step in ESM to change the DC.
My question is do I need to do anything else to make sure the RUS is
using the new DC?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] RUS question

2005-07-14 Thread Figueroa, Johnny

I hear you, I was hoping to verify that the new DC was being used before
downing the old one. Until then, I have no way to tell which DC stamped
the attributes, old or new.

Thanks 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 14, 2005 7:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RUS question

Fastest easiest way would be to mailbox enable a user and verify the
proper attributes got stamped.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Thursday, July 14, 2005 10:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RUS question


I am replacing the domain controller that the Exchange 2003 RUS points
to from a 2000 DC to a 2003 DC. I know the step in ESM to change the DC.
My question is do I need to do anything else to make sure the RUS is
using the new DC?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] RUS question

2005-07-14 Thread Figueroa, Johnny

Awesome, it looks like the showInAddressBook attribute seems to show the
DC who stamped it among other attributes. I dumped a new and old object
and found the new object stamped on the showInAddressBook attribute with
the new DC.

Thanks a bunch ! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, July 14, 2005 7:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RUS question

Sure you do.  Repadmin /showobjmeta (W2K3) or Repadmin /showmeta (W2K)
will tell you where the originating write came from.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Thursday, July 14, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RUS question


I hear you, I was hoping to verify that the new DC was being used before
downing the old one. Until then, I have no way to tell which DC stamped
the attributes, old or new.

Thanks 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 14, 2005 7:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RUS question

Fastest easiest way would be to mailbox enable a user and verify the
proper attributes got stamped.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Thursday, July 14, 2005 10:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RUS question


I am replacing the domain controller that the Exchange 2003 RUS points
to from a 2000 DC to a 2003 DC. I know the step in ESM to change the DC.
My question is do I need to do anything else to make sure the RUS is
using the new DC?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
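Steve's repadmin /showobjmeta check, and the confirmation Johnny did by dumping a freshly stamped object, can be put in one place. The PowerShell below is an added example, not from the thread: for a mailbox-enabled user it reports which DC originated the last write to each attribute the RUS stamps (showInAddressBook among them) and whether that is the DC the RUS was repointed to. It uses Get-ADReplicationAttributeMetadata from the ActiveDirectory module (Windows Server 2012 or later, so newer than the 2005 thread); the DC and user names are placeholders.

```powershell
# Added example (not from the thread). Which DC originated the last write to the RUS-stamped
# attributes of a user: the metadata repadmin /showobjmeta prints, read with the AD module.
# DC and user names are placeholders.
Import-Module ActiveDirectory

function Test-RusStampOrigin {
    param(
        [Parameter(Mandatory)] [string] $UserDN,
        [Parameter(Mandatory)] [string] $ExpectedDC,   # DC the RUS was repointed to in ESM
        [string] $QueryServer,                         # DC to read metadata from; defaults to $ExpectedDC
        # Attributes the Recipient Update Service writes when it processes a user.
        [string[]] $Attributes = @('showInAddressBook', 'legacyExchangeDN', 'mail', 'proxyAddresses')
    )
    if (-not $QueryServer) { $QueryServer = $ExpectedDC }
    $expectedHost = ($ExpectedDC -split '\.')[0]

    Get-ADReplicationAttributeMetadata -Object $UserDN -Server $QueryServer -Properties $Attributes |
        ForEach-Object {
            # The originating DSA is reported as its NTDS Settings DN, e.g.
            # CN=NTDS Settings,CN=DC2003,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,...
            # so the second RDN is the DC name. A DC that has since been demoted shows as a GUID.
            $dsa = [string] $_.LastOriginatingChangeDirectoryServerIdentity
            $originDc = if ($dsa -like 'CN=NTDS Settings,*') { ($dsa -split ',')[1] -replace '^CN=', '' } else { $dsa }
            [pscustomobject]@{
                Attribute   = $_.AttributeName
                Version     = $_.Version                 # increments on every originating write
                LastChanged = $_.LastOriginatingChangeTime
                OriginDC    = $originDc
                FromNewDC   = ($originDc -eq $expectedHost)
            }
        }
}

# Usage (placeholders): mailbox-enable a test user, let the RUS run, then
# Test-RusStampOrigin -UserDN 'CN=RUS Test,OU=Users,DC=corp,DC=example,DC=com' -ExpectedDC 'dc2003.corp.example.com' | Format-Table -AutoSize
# Manual equivalent on Windows Server 2003:
# repadmin /showobjmeta dc2003.corp.example.com "CN=RUS Test,OU=Users,DC=corp,DC=example,DC=com"
```

A FromNewDC of False on showInAddressBook for a user that was just mailbox-enabled means the RUS is still binding to the old DC; do not demote it until that turns True. Reading the metadata from the new DC (the default QueryServer) also proves the stamped values have replicated to it.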


RE: [ActiveDir] Attribute on AD users called employeeID

2005-07-11 Thread Figueroa, Johnny

We are adding employeeIDs in batch, connecting to a specific DC to make
the change. Then when I try to search in ADUC pointing to the same DC,
doing an advanced search on the presence of the attribute, the changes
seem to take a long time to show up in ADUC. The attribute is not in the
GC if that makes any difference. I expect my changes to be searchable
with ADUC immediately.

Not a problem, just curious if somebody already knows why.

Thanks

 

-Original Message-
From: Sakari Kouti [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 08, 2005 3:18 PM
To: ActiveDir@mail.activedir.org; Figueroa, Johnny
Subject: RE: [ActiveDir] Attribute on AD users called employeeID

Hi Johnny,

In addition to what Tony listed, you can add to the context menu (i.e.,
mouse right click) of a user object a feature to modify employeeID.

Instructions and the VBScript required are on the bottom of the page
http://www.kouti.com/scripts.htm

Yours, Sakari
  

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, 
 Johnny
 Sent: Friday, July 08, 2005 3:06 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Attribute on AD users called employeeID
 
 
 We are trying to write an interface between our payroll database and 
 Active Directory. We are planning on using an attribute in AD called 
 employeeID. However it appears that the attribute is not exposed in 
 ADUC so you have to use LDP or a script to view it.
 
 Any ideas?
 
 Thanks
 
 Johnny Figueroa
 Enterprise Network Consultant/Integrator
 Network Services, Banner Health
 Voice (602) 495-4195  Fax (602) 495-4406


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Attribute on AD users called employeeID

2005-07-07 Thread Figueroa, Johnny

We are trying to write an interface between our payroll database and
Active Directory. We are planning on using an attribute in AD called
employeeID. However it appears that the attribute is not exposed in ADUC
so you have to use LDP or a script to view it.

Any ideas?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Attribute on AD users called employeeID

2005-07-07 Thread Figueroa, Johnny

Very helpful. Thank you. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, July 07, 2005 5:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Attribute on AD users called employeeID

If it's important that you see the attribute in ADUC then you can look
at extending the UI by modifying the display specifiers.  It involves a
bit of development effort:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/extending_the_user_interface_for_directory_objects.asp

Of course once you've done that you are committed to maintaining the
changes you have made to the standard UI.

Depending on why you want to have the attribute shown in ADUC (i.e.
visibility or management, or both), you could look at some alternatives,
e.g.

- Develop a web (or other) interface for your admins to manage the
attribute.
- Use a different attribute that is visible in ADUC.
- Look for 3rd party apps that include the employeeID attribute in the
UI.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Friday, 8 July 2005 12:06 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Attribute on AD users called employeeID


We are trying to write an interface between our payroll database and
Active Directory. We are planning on using an attribute in AD called
employeeID. However it appears that the attribute is not exposed in ADUC
so you have to use LDP or a script to view it.

Any ideas?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
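Tony's first alternative, a script interface of your own rather than a modified ADUC, is small enough to show. The PowerShell below is an added example, not from the thread: it writes employeeID from a payroll export and reads it back with the same LDAP filter ADUC's Custom Search can run, pinning both the writes and the reads to one DC as Johnny does in his follow-up. It assumes the ActiveDirectory module (newer than the 2005 thread); the CSV is a constructed stand-in for the payroll export and the account and DC names are placeholders.

```powershell
# Added example (not from the thread). Batch-sets employeeID from a payroll export and verifies
# it against the same DC. Assumes the ActiveDirectory module; names are placeholders.
Import-Module ActiveDirectory

# Constructed stand-in for the payroll export, not real data.
$payrollCsv = @'
sAMAccountName,employeeID
jfigueroa,100245
asmith,100246
'@

function Set-EmployeeIdFromPayroll {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Csv,
        [Parameter(Mandatory)] [string] $Server   # one DC for every write, so reads against it are consistent
    )
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        # Payroll data is untrusted input to the directory: accept only the shape an ID should have.
        if ($row.employeeID -notmatch '^\d{1,16}$') {
            Write-Warning "Rejecting malformed employeeID '$($row.employeeID)' for $($row.sAMAccountName)"
            continue
        }
        try {
            $user = Get-ADUser -Identity $row.sAMAccountName -Server $Server -Properties employeeID -ErrorAction Stop
        } catch {
            Write-Warning "No account for $($row.sAMAccountName); skipping"
            continue
        }
        if ($user.employeeID -eq $row.employeeID) { continue }   # already correct, no write needed
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "set employeeID=$($row.employeeID)")) {
            Set-ADUser -Identity $user -Server $Server -Replace @{ employeeID = $row.employeeID }
        }
    }
}

function Get-UserByEmployeeId {
    param(
        [Parameter(Mandatory)] [string] $Server,
        # '*' is the presence search (employeeID=*); the pattern keeps LDAP filter metacharacters out.
        [ValidatePattern('^(\*|\d{1,16})$')] [string] $EmployeeId = '*'
    )
    Get-ADUser -Server $Server -LDAPFilter "(employeeID=$EmployeeId)" -Properties employeeID |
        Select-Object sAMAccountName, employeeID, DistinguishedName
}

# Usage (placeholder DC): preview, apply, then verify against the same DC.
# Set-EmployeeIdFromPayroll -Csv $payrollCsv -Server 'dc1.corp.example.com' -WhatIf
# Set-EmployeeIdFromPayroll -Csv $payrollCsv -Server 'dc1.corp.example.com'
# Get-UserByEmployeeId -Server 'dc1.corp.example.com' -EmployeeId 100245
```

The -LDAPFilter string is the same one you would paste into ADUC's Find, Custom Search, Advanced tab, which is the ADUC route to an attribute that has no property page; running it against the DC that took the write is the check Johnny describes.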


[ActiveDir] DMZ talking to your domain

2005-07-06 Thread Figueroa, Johnny

I have a request to join a server in our DMZ to the domain. The reason
appears to be for an application to leverage 
(SQL Reporting Server) and in order for this to work it needs to be in
the domain.

Sorry to be vague.. I am trying to get more info. Are there best
practices for when you need to have a DMZ server join your domain?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DMZ talking to your domain

2005-07-06 Thread Figueroa, Johnny

Thank you all for the information and the link sent earlier
http://redmondmag.com/columns/article.asp?EditorialsID=1010
Is quite good.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, July 06, 2005 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DMZ talking to your domain

My best practice is not to do it. If there is an absolute requirement
for a domain for DMZ servers (like for SQL clusters) then often I'll
suggest making a DMZ domain that is also isolated in the DMZ, or might
stretch to some back end servers that are a part of the DMZ domain and
nothing else. There are just too many ports to open to support a domain
member in the DMZ to make it worthwhile in my opinion.

Phil

On 7/6/05, Figueroa, Johnny [EMAIL PROTECTED] wrote:
 
 I have a request to join a server in our DMZ to the domain. The reason

 appears to be for an application to leverage (SQL Reporting Server) 
 and in order for this to work it needs to be in the domain.
 
 Sorry, to be vague.. I am trying to get more info. Are there best 
 practices for when you need to have a DMZ server join your domain?
 
 Thanks
 
 Johnny Figueroa
 Enterprise Network Consultant/Integrator
 Network Services, Banner Health
 Voice (602) 495-4195  Fax (602) 495-4406
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
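Phil's objection is the number of ports a domain member needs open to its DCs. The PowerShell below is an added example, not from the thread, that makes the list concrete by probing them from the DMZ host; it doubles as the pre-join check you would run if the request goes ahead anyway. Test-NetConnection needs Windows 8 / Server 2012 or later, the port list is the standard set a member uses against a DC, and the DC name is a placeholder.

```powershell
# Added example (not from the thread). Probes the TCP ports a domain member needs on a DC from
# the host that wants to join. DC name is a placeholder.

function Test-DomainMemberPorts {
    param([Parameter(Mandatory)] [string] $DomainController)

    # TCP only. DNS, Kerberos and LDAP are also used over UDP, and the dynamic RPC range
    # (1025-5000 on Windows 2000/2003, 49152-65535 on 2008 and later) must be open as well;
    # neither can be proven with a single probe, which is part of Phil's point.
    $required = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper'
        389  = 'LDAP'
        445  = 'SMB (SYSVOL, Group Policy)'
        464  = 'Kerberos password change'
        636  = 'LDAP over SSL'
        3268 = 'Global Catalog'
        3269 = 'Global Catalog over SSL'
    }
    foreach ($port in $required.Keys) {
        $open = Test-NetConnection -ComputerName $DomainController -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Service = $required[$port]; Open = $open }
    }
}

# Usage (placeholder DC): run on the DMZ host. Every row must be Open for the join to work,
# and the same holds for every other DC the host could locate through DNS SRV records.
# Test-DomainMemberPorts -DomainController 'dc1.corp.example.com' | Format-Table -AutoSize
```

Each Open row is a rule through the firewall from the DMZ into the internal network, to every DC the host might locate, which is why the separate DMZ domain Phil describes keeps the inside perimeter intact.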


RE: [ActiveDir] DNS problem - Urgent

2005-06-30 Thread Figueroa, Johnny

I have the backup also but the date seems to be from when the zones were
converted to AD integrated. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Thursday, June 30, 2005 8:44 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] DNS problem - Urgent

That is interesting.  My domain's AD integrated DNS zone (which is a
sub-domain to the one that is having issues) has a copy in this backup
folder.

-Original Message-
From: Almeida Pinto, Jorge de
[mailto:[EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem - Urgent


That only applies if the zones are DNS primary/secondary and thus not AD
integrated

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Thursday, June 30, 2005 17:31
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] DNS problem - Urgent

I have checked this and the zone I'm looking for isn't there.  I wonder if
it was removed from this location because it was deleted out of the AD.
But this does look like one directory that I should do a file level backup
of in case something like this happens again.

Charlie

-Original Message-
From: Tetrault, Mike (OFT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem - Urgent


If this is Windows 2003 there should be a copy of the zone in:
system32/dns/backup


Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300




-Original Message-

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Thursday, June 30, 2005 10:58 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] DNS problem - Urgent

The zone was deleted and the deletion was replicated to all sub-domains
across the globe.

We are testing that command now in our test lab, but our primary root AD
admin isn't too confident that this will work.

Thanks for the suggestion though and if this is our only option, then it
is what we will do.

Charlie

-Original Message-
From: Tomasz Onyszko [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS problem - Urgent


Carerros, Charles wrote:
 My organization has found the need to restore our root _msdcs AD 
 integrated zone on our forest.

if this was deleted in the DNS server and not in AD, try to re-create the DNS
zone in the DNS server; if the zone is still in AD it should show up with its content

If not, create a new zone and use netdiag /fix to re-register all records

--
Tomasz Onyszko
http://www.w2k.pl

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
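The thread ends with two facts a practitioner should act on: the copies in system32\dns\backup exist only for file-based zones, so an AD-integrated zone that is deleted from the directory has no file to fall back to, and Charlie's only option was to rebuild the zone and re-register. The PowerShell below is an added example, not from the thread, that creates the file-level backup Charlie wished he had: it exports every primary zone on a DNS server, AD-integrated ones included, to a dated zone file with dnscmd /zoneexport. Zone enumeration uses Get-DnsServerZone from the DnsServer module (Windows Server 2012 or later, so newer than the 2005 thread); dnscmd itself is the 2003-era tool, and the server name is a placeholder.

```powershell
# Added example (not from the thread). Exports every primary zone, AD-integrated or not, to a
# dated file with dnscmd /zoneexport. Assumes the DnsServer module; server name is a placeholder.

function Backup-DnsZoneFiles {
    param(
        [string] $Server = $env:COMPUTERNAME,
        [string] $Stamp  = (Get-Date -Format 'yyyyMMdd-HHmm')
    )
    $zones = Get-DnsServerZone -ComputerName $Server |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }   # skip 0./127./255.in-addr.arpa

    foreach ($zone in $zones) {
        # dnscmd writes the export under %systemroot%\system32\dns on the DNS server and
        # refuses to overwrite an existing file, so the timestamp keeps each run distinct.
        $file = "$($zone.ZoneName)_$Stamp.dns"
        $output = & dnscmd.exe $Server /ZoneExport $zone.ZoneName $file 2>&1
        [pscustomobject]@{
            Zone         = $zone.ZoneName
            AdIntegrated = $zone.IsDsIntegrated
            File         = $file
            Succeeded    = ($LASTEXITCODE -eq 0)
            Message      = (($output | Select-Object -Last 1) -as [string]).Trim()
        }
    }
}

# Usage (placeholder server): schedule daily and copy system32\dns\*.dns off the DC with the
# rest of the backup set, so a zone deleted from AD can be rebuilt from a dated file.
# Backup-DnsZoneFiles -Server 'dc1.corp.example.com' | Format-Table -AutoSize
```

Restoring from such a file is a matter of creating a file-backed primary zone from it (dnscmd /ZoneAdd <zone> /Primary /file <file> /load) and then converting it back to AD-integrated with dnscmd /ZoneResetType <zone> /DsPrimary, which gives you the static records back immediately; the dynamic ones are re-registered by the DCs as Tomasz describes.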