RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-26 Thread Fuller, Stuart
Here is a cheesy VB script to list email addresses and kick them to a
CSV file***.  It's not horribly efficient, tight coding, or cleaned up
very much but it has worked for me. Remember to replace the LDAP Path
with yours and you may have to adjust the page size if you have more
than 2000 objects.  Also watch for line feeds in the code that may be
email caused.

Have fun..
_Stuart Fuller

(***Full disclaimer of liability - use at own risk)

---
'--
'ListUsers Email Script
'Stuart Fuller
'7/7/05
'--

'Leftover declarations from another script; unused here
Dim adsComputer
Dim adsOU
Dim operatingSystem
Dim osVersion
Dim servicePack
Dim fileSys
Dim fileTxt
Const ForReading = 1, ForWriting = 2, ForAppending = 8

wscript.echo "Start"

'Create the output file
Set fileSys = CreateObject("Scripting.FileSystemObject")
Set fileTxt = fileSys.OpenTextFile("QueryOutput.csv", ForWriting, True)
fileTxt.WriteLine("First Name, Last Name, ID, Primary Mail Address,,Additional Email Addresses")

'Create the connection to AD
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

'Set the SQL type query against AD
'REPLACE LDAP PATH with the OU or domain you want to query in the
'objCommand.CommandText line
'Example "LDAP://ou=users,dc=joeware,dc=com"
objCommand.CommandText = "Select givenName, sn, sAMaccountName, mail, ADsPath from 'LDAP PATH' " & _
    "where objectClass='user' AND objectCategory='Person'"
objCommand.Properties("Page Size") = 2000
objCommand.Properties("Timeout") = 60
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

'Loop through the returned records
Do Until objRecordSet.EOF
    strGName = objRecordSet.Fields("givenName").Value
    strSName = objRecordSet.Fields("sn").Value
    strMail = objRecordSet.Fields("mail").Value
    strSAM = objRecordSet.Fields("sAMaccountName").Value

    'In order to get the multi-valued attribute go get the user object
    'and then query the proxyAddresses attribute
    Set objUser = GetObject(objRecordSet.Fields("ADsPath").Value)
    On Error Resume Next
    For Each strProxyAddress In objUser.ProxyAddresses
        'Compare the type prefix case-sensitively: "SMTP:" marks the
        'primary address, "smtp:" a secondary one
        strAdd = Left(strProxyAddress, 4)
        If ((strAdd = "SMTP") OR (strAdd = "smtp")) Then
            'Drop the five-character "SMTP:" / "smtp:" prefix
            strAddress = Right(strProxyAddress, Len(strProxyAddress) - 5)
            strAddAll = strAddAll & strAddress & ","
        End If
    Next
    fileTxt.WriteLine(strGName & "," & strSName & "," & strSAM & "," & strMail & ",," & strAddAll)

    'Since we are using strAddAll as additive - clear the vars
    strAddress = ""
    strAddAll = ""

    'Go grab the next record and restart loop
    objRecordSet.MoveNext
Loop

wscript.echo "DONE"



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 25, 2007 11:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

 
Yeah JoeK is right on, nothing in LDAP will help you with this. The
proxyAddresses attribute is case insensitive so there is no way to query
to just get addresses that are secondary.

AdFind can help with this in a small perl script. You use the CSV
capability of AdFind combined with its ability to only display the
multivalue attributes that have a string match to smtp (AdFind isn't
case sensitive either for this query). That simply outputs just smtp
addresses so it is nice and clean. The perl script would look something
like


use strict;
use warnings;

# One CSV line per object; AdFind keeps only the proxyAddresses values
# that contain "smtp" (case-insensitive on AdFind's side).
my @out = `adfind -sc exchaddresses:smtp -csv -nocsvheader`;

foreach my $thisline (@out)
 {
  next unless $thisline =~ /smtp:.+/;  # Perl matching is case-sensitive: keep lines with a secondary
  $thisline =~ s/SMTP:[^;"]+//;        # strip out primary (upper-case SMTP:), leaving its separator
  $thisline =~ s/;{2,}/;/;             # cleanup multiple semicolons
  $thisline =~ s/;"/"/;                # cleanup semicolon/quote
  $thisline =~ s/";/"/;                # cleanup quote/semicolon when the primary came first
  print $thisline;
 }



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday, January 25, 2007 7:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to
query for users that have secondary addresses vs. only having a primary
and there isn't any practical way to just get the secondary addresses
out of the proxyAddresses attribute.  You essentially need to get all
the data and then check for the values that are prefixed with lower case
smtp.

Maybe Joe R. has a neat trick with ADFind to make this easier, 
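The client-side check all three replies describe (fetch the whole proxyAddresses attribute, then keep the values whose prefix is lower-case "smtp:"), as an added Python example that is not code from this thread. The user records are constructed, and the CSV layout follows the VB script above.

```python
import csv
import io

# Constructed sample of what a directory query for givenName, sn,
# sAMAccountName and proxyAddresses might return (not real data).
SAMPLE_USERS = [
    {
        "givenName": "Alice", "sn": "Smith", "sAMAccountName": "asmith",
        "proxyAddresses": [
            "SMTP:alice.smith@example.com",
            "smtp:asmith@example.com",
            "smtp:alice@oldname.example",
            "X400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=Alice;",
        ],
    },
    {
        "givenName": "Bob", "sn": "Jones", "sAMAccountName": "bjones",
        "proxyAddresses": ["SMTP:bob.jones@example.com"],
    },
    {
        # Not mail-enabled: no proxyAddresses at all.
        "givenName": "Carol", "sn": "Lee", "sAMAccountName": "clee",
        "proxyAddresses": [],
    },
]


def split_smtp_addresses(proxy_addresses):
    """Return (primary, secondaries) for one proxyAddresses value list.

    The prefix comparison is deliberately case-sensitive: Exchange marks
    the primary (reply) address with "SMTP:" and every secondary alias
    with "smtp:".  LDAP compares the attribute case-insensitively, so an
    LDAP filter cannot make this distinction; it has to happen here,
    after the whole attribute has been fetched.
    """
    primary = None
    secondaries = []
    for value in proxy_addresses:
        prefix, sep, address = value.partition(":")
        if not sep:
            continue  # malformed entry without a type prefix
        if prefix == "SMTP":
            if primary is not None:
                # Exchange allows exactly one primary; flag the
                # inconsistency instead of silently picking one.
                raise ValueError(
                    f"multiple primary SMTP addresses: {primary}, {address}")
            primary = address
        elif prefix == "smtp":
            secondaries.append(address)
        # Other types (X400, X500, SIP, ...) are ignored.
    return primary, secondaries


def users_with_secondaries(users):
    """sAMAccountNames of users carrying at least one secondary address."""
    return [u["sAMAccountName"] for u in users
            if split_smtp_addresses(u["proxyAddresses"])[1]]


def build_report(users):
    """Return CSV text in the same column layout as the VB script."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["First Name", "Last Name", "ID",
                     "Primary Mail Address", "Additional Email Addresses"])
    for u in users:
        primary, secondaries = split_smtp_addresses(u["proxyAddresses"])
        writer.writerow([u["givenName"], u["sn"], u["sAMAccountName"],
                         primary or "", ";".join(secondaries)])
    return buf.getvalue()


if __name__ == "__main__":
    print(build_report(SAMPLE_USERS))
```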

RE: [ActiveDir] OT: Time change support webcast

2007-01-09 Thread Fuller, Stuart
Susan,

 

Thanks!!!  I think a lot of us are going to be busy dealing with
unforeseen time issues in March especially with all those Windows 2000
servers that won't die.

 

_Stuart Fuller 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 09, 2007 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Time change support webcast

 

http://blogs.technet.com/beatrice/archive/2007/01/09/preparing-for-dst-changes-in-2007.aspx

In August of 2005 the United States Congress passed the Energy Policy
Act, which changes the dates of both the start and end of daylight
saving time (DST) from 2007. 

While the change in daylight saving time applies to U.S. and Canada, it
may have an impact also on customers who interact or integrate with
systems that are based in North America or rely on such date/time for
calculations. 
Windows Client, Windows Server, Windows Mobile, SharePoint Services,
Exchange Server and Office Outlook are some of the Microsoft Products
which will be affected by the DST changes. 

Updates to these products are being developed and tested. Depending on
the particular product or scenario, these updates will be released
through Microsoft Customer Support Services (CSS), Hotfixes incorporated
in Knowledge Base articles, Windows Update, Microsoft Update, Windows
Server Update Services (WSUS), and the Microsoft Download Center.

What you can do in the meanwhile to prepare your business for the
change:

1. Check the Microsoft site: Preparing for daylight saving time changes
in 2007 http://www.microsoft.com/windows/timezone/dst2007.mspx 

2. Participate on Microsoft Support WebCast: Deploying Microsoft Windows
2000 updates for daylight saving time changes for worldwide use
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032324210&EventCategory=2&culture=en-US&CountryCode=US ,
which is specifically focused on Microsoft Windows 2000. It talks about
the registry changes and the time zones that are being updated. This
WebCast also tells how to confirm that the updates have been applied,
and then provides information about testing and rollback procedure. 

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com
 
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx List FAQ :
http://www.activedir.org/ListFAQ.aspx List archive:
http://www.activedir.org/ma/default.aspx 



RE: [ActiveDir] OT: WSUS groupings match your AD groupings?

2006-05-11 Thread Fuller, Stuart
Similar here ... Except we set up separate WSUS VM's for workstations
and Servers. 

On the workstation VM we setup target groups based on our administrative
divisions.  For example all the HR workstations go into a HR
workstation group and all the Financial workstations go into a
Financials workstations group... Etc.  We don't divide workstations
out by type or OS in WSUS only by admin division.  We have about 800
workstations pointed at that WSUS server divided out to 12 computer
groups.

It would be a nice enhancement to WSUS that it would actually read AD
computer groups instead of yet again setting up a new group scheme.  One
would think that a MS patching system would know how to use Active
Directory.  Of course, when I talked to a WSUS dev person at TechED two
years ago and asked about why do they limit the install/reboot time
setting in WSUS/SUS to integer hours instead of allowing Admins to use
minutes (e.g. 7:30 or 7:15 or 5:15), he looked at me like I was from
Mars.  So if the WSUS devs can't figure out that time also comes in
minutes instead of just hours maybe they also don't know that Active
Directory computer groups exist. :-)

_Stuart Fuller


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 11, 2006 3:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: WSUS groupings match your AD groupings?

I tried the gp targeted thing and didn't like it. I just create groups
by purpose, color, whatever and move stuff around. Mostly just have
things sorted out by purpose. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of Scott Klassen
 Sent: Thursday, May 11, 2006 4:52 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: WSUS groupings match your AD groupings?
 
 I'm setup with 3 groups here.  Workstations, Servers, and Laptops.
 Mid-sized.
 
 Scott Klassen
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan
Bradley,
 CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Thursday, May 11, 2006 2:36 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: WSUS groupings match your AD groupings?
 
 I was just chatting with someone on what a typical firm sets up in 
 their Target groups in WSUS
 
 SBS 2003 r2 will ship with 2  servers and computers Some of us have 
 three.. servers, computer, laptops.
 
 For mid sized firms what's your average number of groups that is 
 reasonable for you to handle?
 
 For large firms.. what's your average number of groups?
 
 And does your WSUS groupings match your AD/OU groupings?
 
 Just wondering how you guys in big server land are setting up WSUS.
 (or are you using other patch products.. I use Shavlik here)
 
 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com
 




RE: [ActiveDir] Quiet? DEC? Related?

2006-03-30 Thread Fuller, Stuart
The DEC backpacks were very nice and my wife immediately appropriated
mine as soon as I got home last night.  Gil handed the conference slide
deck out on a USB stick which was a great idea. Dean-n-Joe sessions were
definitely the best of DEC and Gil *has* to convince them to present
next year.  I haven't been that entertained since the very first time I
watched Monty Python and the Holy Grail

_Stuart Fuller   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, March 30, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Dean and Joe ended up doing 2 sessions. I think they were on track to
get it all covered in 1 session until Guido's house burned down. At any
rate, both were excellent and probably the best of DEC. They're spinning
up a website and some or all of the session content will probably end up
there. They may be posting details about the site, but I didn't ask how
widely they intend to publicize it.

Hunter 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, March 30, 2006 1:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Sounds great.  Sorry I missed it.  How was the Dean 'n Joe show?  Did
the handbags come out or was it a peaceable affair? 

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, 30 March 2006 11:07 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Just wrapped up Day 3. 530 people. General consensus is that it was the
best DEC ever. More to follow when I can type on something bigger than a
credit card.

-gil


-Original Message-
From: Ayers, Diane [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 3/29/06 1:23 PM
Subject: RE: [ActiveDir] Quiet?  DEC?  Related?

Maybe we should ask a question on the merits of doubling down on an 11
when the dealer has a face card showing...  :-)
 
Diane



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, March 29, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?


Don't worry we're still here.. ;-)
 
Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Moon, Brendan
Sent: Wed 2006-03-29 19:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quiet? DEC? Related?


Hmm.. everyone must be having fun at DEC... this list has been very
quiet this week!
 
- Brendan Moon
 


RE: [ActiveDir] OT: speaking of AD books...

2006-01-23 Thread Fuller, Stuart
C)  Hunter and I were TRs and I would highly recommend it.  Joe & Robbie
have made significant changes and have cleared up a couple of my pet
peeves in the scripts and security bits from the 2E book.  It also still
has the best introduction and explanation of VB scripting for AD.

As to the BP guide... I too would like to see that. We have managed to
stay fairly centralized but we are now supporting a second remote data
center.  The one thing that has saved us is the new version of Dell's
RAC card.  It has a virtual CD/floppy drive feature where you can map
your local workstation drive to be the CD or floppy of the server.
Using that feature I was able to do bare metal installs across the wire.
Very cool and saved me a seven hour round trip drive to eastern Montana.

_Stuart Fuller
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, January 23, 2006 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: speaking of AD books...


Dear people,

I would appreciate it it you would prioritize the following for me;

[A] [  ] Work 60 hours a week managing (with only one other person) 250
PCs
in 4 states and 40 Servers.
[B] [  ] Live at the only bookmark in my browser when at home
www.microsoft.com looking for solutions, etc.
[C] [  ] Read joe's (et al) new book.
[D] [  ] Studying for my MCSA
[E] [  ] Studying for my MCP
[F] [  ] Studying for my MCSE
[G] [  ] Securing my network
[H] [  ] Reading the new book joe is going to write on BP's [Yes, please
tell me how to rebuild a DC remotely from bare metal!!]
[I] [  ] Reading Robbie's book(s)  (note: please sub-prioritize those
books)
[J] [  ] Balanicing my checkbook ( hey .. I have to do something else at
home, right?)
[K] [  ] Patching my network
[L] [  ] Learn to script
[M] [  ] Watch College basketball on TV
[N] [  ] Read all of Sakari's books
[O] [  ] Read the AD list archives completely

Hey, I'm almost serious here.

As Guido would say, That's enough for today.

RH




RE: [ActiveDir] OT: DEC 2006

2006-01-06 Thread Fuller, Stuart



Aimed at both. Hunter and I are "average" AD admins and
have found it very useful. The best part is sitting around at night
talking with Joe and Dean. :-)

_Stuart Fuller





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of mike kline
Sent: Friday, January 06, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006


Looks like DEC is a great event and a lot of the 
heavy hitters and MVP's from this list will be there. Just wondering 
about it, is this a good conference 
for the average AD admin/designer or is this aimed at the advanced 
experts. I think my company will send some of us so I'm trying to get a 
feel for the target audience. 

Thanks
Mike
On 1/6/06, Lee, Wook 
[EMAIL PROTECTED] wrote: 

  
  I'm doing my regular 
  lounge act at DEC. I don't know if I'll be able to make it to DEC 07 if I have 
  to pay to play (the DEC that will live in Infamy if they make us pay, haha). 
  Maybe they'll let me come if I volunteer to help set up or maybe do janitorial 
  work on the side. I know Stella and Christine are always looking for 
  "volunteers". :-P ;-) 
  
  Wook
  
  P.S. Haikus and 
  Jingles have been done. Do we dare do Limericks? "The 7 Limericks of Identity 
  Management" does have a certain ring to it. Higgledy-Piggledy? Sonnets would 
  be too high-brow for this crowd. 
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
  Sent: Friday, January 06, 2006 2:05 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006
  
  
  
  damn I knew 
  there was a catch! ;-))
  
  
  
  jorge
  
  
  
  
  
  From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
  Sent: Fri 2006-01-06 00:48
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006
  
  Jorge, you're speaking at DEC. You already get a free pass. We're not
  going to make speakers pay for their tickets, at least not until after
  2007. :)
  
  -g
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
  Sent: Thursday, January 05, 2006 3:51 PM
  To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006
  
  can I get a free pass?
  
  jorge
  
  From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
  Sent: Thu 2006-01-05 23:36
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006
  
  Well, I'm going. But I get a free pass... :)
  
  -gil
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
  Sent: Thursday, January 05, 2006 3:17 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: DEC 2006
  
  Of the list how many people are going to DEC this year?
  www.directoryexpertsconference.com http://www.directoryexpertsconference.com/
  
  Tomorrow is the last day for the early bird registrations if anyone
  wants to save some $£EUR's.
  
  Mark
  


RE: [ActiveDir] single login size in bytes?

2005-10-11 Thread Fuller, Stuart
We went through this exercise during our design and plan phase of our AD
deployment four years ago - including using the same whitepaper that Bob
mentioned.  We have multiple sites across Montana with 56K frame relay
lines that authenticate back to DCs in a centralized location.  We
thought that the 56K sites were going to be a big deal but they really
are not a problem.  The offices are generally less than 15 users and
login times are very reasonable - less than two minutes including a
Novell login.  The offices also access Exchange from the central
location and generally performance is only an issue for very large
documents (4MB+).  

The use of bandwidth for a 56K line is really not the issue, it is the
delay, latency, and user experience you want to worry about.  It is
quite easy to run a 56K circuit up to 100% with a single user doing
something like downloading a large file from the Internet.  However, if
the other users can still login and do their thing then it is okay.  The
user sitting out in Ekalaka, Montana knows that things across a 56K line
take longer and therefore don't expect to get the file down as quick as
someone with a T-1 line.   

_Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Thanks Bob... I actually used that article too, once upon a time, though
it's way more detail than I was looking for.  There's another one more
recent, it goes into server authentication details - way TMI.  You know,
we're not even talking multiple machines, just one. The serious thing is
that we can't impact cc transactions.  But even so... I tested it and
with a first-time user log on, it spiked the graph to just over 50 kbps.
Subsequent logons were in the 40 kbps range, and only briefly.  No one
here at the technical level is worried about it - note how I was asking
about how much bandwidth it uses, not how much of a noticeable delay
might there be :)

Rich

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Monday, October 10, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Rich- 

This paper isn't XP/2003 but essentially a lot of the same principals
apply. I found this paper very illuminating in it's day so maybe it will
be of some use to you. As far as the feasibility, I spent a lot of time
at the wrong end of an ISDN line and it wasn't that bad but I never had
more than 2 machines connected concurrently.

Windows 2000 Startup and Logon Traffic Analysis:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/conf
eat/w2kstart.mspx

HTH

Bob



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] single login size in bytes?



Does anyone happen to know a rough idea how many bytes are transmitted
when a single user logs on to an XP box to a W2K3 AD, assuming cached
credentials aside?  I've been goog searching and finding a lot of
detailed info about replication but not much about the size of the
authentication packets etc.  I am digging out net monitor as I type
(well almost as I type) to see for myself, but anyone who would like to
comment on the feasibility of having XP machines on the far end of a 56K
frame circuit actually being members of the domain, please feel free to
let me know.  We're talking simple logging in, including a single GPO or
maybe two - but no replication, etc.  They do already get their email
using Outlook to a pst.  

 

And please don't laugh.  This is a very serious issue. ;-)

 

Rich

 

 

 


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field
Platform Development Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
I am always doing that which I can not do, in order that I may learn
how to do it. - Pablo Picasso

RE: [ActiveDir] Server Roles

2005-10-07 Thread Fuller, Stuart
I'll put in a plug for more centralized deployment then the traditional
branch office deployment.  This is something that should go in your risk
assessment along with the security concerns that Gil mentioned. 

One of our agencies (2500 users) went from a 14 DC deployment with DC's
in the major branches to a 4 DC deployment with DC's in the main office
and one in an alternate location.  They were initially very reluctant to
do that because of logon requirements, printing, etc... but they now
love the ease of administration that a centralized deployment gives
them.  Two factors to keep in mind that made this a good thing for them
- bandwidth is cheaper than Admin and if we lose the link, what
breaks?.  For the agency involved and because of how they run their
main applications, if they lost the link back to HQ, the users couldn't
do their work anyway.  With the high dependency on the WAN for the LOB
applications any benefit a local DC gave the users was very small.

_Stuart Fuller
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 7:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server Roles


We had a pretty inefficient model for small site deployment, so we
recently revamped it to the one mentioned below.  So far, the DC-less
sites have been quite small, no more than 10 users.  However, I'd be
comfortable letting that go up as far as 100 or so users - but we do
have very good WAN connectivity.

As I mentioned though, a major factor in this is whether or not there's
going to be an Exchange server locally.  If our messaging team have
decided that they want a local Exchange server on that site, then we
have to put a GC there too.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: 07 October 2005 13:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Server Roles

Mark,

How many users to site are you talking about in the no local DC
scenario. 10, 20..50 ?

Cheers
Mylo

[EMAIL PROTECTED] wrote:

I've looked at using Virtual Server for small sites and it makes sense 
to me.  The only drawback is that all your eggs are in one basket - 
lose the host and you lose everything.  The same's true for patching as
you'll need downtime on all of the guest machines when the host is 
updated.

One nice advantage of using Virtual Server in this scenario is the 
ability to access the Virtual Server Administration Console and 
therefore have complete remote control over the virtual hardware and 
the console.  This is ideal for small sites with no local 
admin/technical staff.

I have to agree with Joe about whether you actually need a DC or not 
though.  At a number of sites we've chosen not to deploy a local DC at 
all.  In fact, we tend to tie the DC deployment decision into whether 
or not that site is going to have Exchange server locally.

Regards,
Mark.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 07 October 2005 01:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server Roles

Mylo,

I pretty much agree with Gil but I don't think most people or orgs have
the slightest idea how to evaluate their environments for risks. Plus 
too many people have the mindset that if they don't know of a way to 
hack something, no way exists. If this is the direction taken, bring 
someone else in to do it. Even if you do that it still may not work out
well though because of assumptions that are made during the analysis 
that don't end up being true in implementation. Oh yeah, of course we 
look at the logs.  Of course we patch right away and watch the 
security bulletins.  The fewer vectors available to compromise tends
to mean the less chance of being compromised.
I think max paranoia is the safer path. 

IIS on a DC makes me very queasy. Granted it is based on the history of
IIS and it is all fixed now, but consider... How many exploits do you
need against your DCs before it is considered too many? Is a single 
compromise acceptable? I don't mind losing most one off servers, it 
hurts but I can survive. If someone walked through a hole on a DC or a 
cert server your base security for the entire environment, all servers 
and clients, has been compromised and you can not easily have much 
faith in those pieces any longer. I can rebuild an IIS server in a 
couple of hours, how fast can you rebuild from scratch your domain 
structure? Your Cert structure?

Exchange... Well I have all sorts of love for Exchange but right off, 
if Exchange is running on a GC, you have no fault tolerance or load 
balancing for directory work, that is the one and only GC that will 
ever be used. The Exchange provider should be complaining about that 
all alone. Failover to another GC in another site may suck, but at 
least it is possible.

If someone insists that they can only have one server at a site, at 
this time 

RE: [ActiveDir] Biggest AD Gripes

2005-08-03 Thread Fuller, Stuart
Restore to dissimilar hardware is a HUGE pain point for us in reference
to AD restores for DR drills (1).  Take Joe's suggestion of removing the
OS dependency from AD version and go one further where the backup and
restore of AD is somewhat independent and not gloomed into system state.
Not sure how you would do this without a major redesign of AD but fixing
the dissimilar hardware restore problem would be a nice  Things that
may work would be to do something with an true export/import tool or
fixing the Virtual Server / Vmware / SAN disk copy problem.

_Stuart Fuller

(1)Sungard and other DR vendors have a mix of equipment and you may not
get your specific version of the special Dell 2U server to recover to.
Doing an actual restore from a Dell to a Compaq or IBM or vis-versa is a
PIA and sometimes almost impossible without a lot of manual steps and
fooling the OS to recognize the HAL or RAID driver.  We have gone to
VMWare ESX for some of our DC's so that we can get around the dissimilar
hardware restore problem BUT since MS doesn't officially support AD on
Vmware our pointy-haired boss types get nervous.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Tuesday, August 02, 2005 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Everyone is making a number of suggestions/comments that hit home to me,
so rather than chiming in with AOLMe too!/AOL, I'll bring up the one
that makes me crazy that no-one has mentioned yet:

Restoring a domain controller to alternate hardware (think Disaster
Recovery drill at a company like Sungard) should Not. Be. So. Friggin'.
Hard.  It's better in K3 than it was in 2K, but it's still way too much
of a hothouse-flower-y delicate operation.  (Maybe Longhorn's AD as a
service will make this better.  I can hope, at least, because right now
it still sucks canal water.)

- Laura

 -Original Message-
 From: Almeida Pinto, Jorge de
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 02, 2005 6:30 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 DFS-R is only supported for custom DFS namespaces. MS at the moment 
 does not support DFS-R for SYSVOL replication. MS states that in the 
 DFS-R overview document page 16
  
 See: 
 http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547c69-d224-4423-8eac-18d5883e7bc2&DisplayLang=en
  
 QUOTE:
 
 DFS Replication is not supported for SYSVOL replication in Windows 
 Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL 
 by disabling FRS and setting up a replication group for SYSVOL. 
 Continue to use FRS for SYSVOL replication on domain controllers 
 running Windows Server 2003 R2. FRS and DFS Replication can co-exist 
 on the same member server or domain controller.
 
  
 A shame, but true! DFS-R really rocks!!! It is way better than NTFRS!
  
 Cheers
 #JORGE#
 
 
 
 From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes
 Sent: Tue 8/2/2005 11:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 
 
 * Using the new DFS-Replication mechanism in R2 for the SYSVOL
 
 This is available AFAIK if all your servers are running R2 :P
 
 Carlos Magalhaes
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: 02 August 2005 09:59 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 http://www.novell.com  :o)
 
 Bloody NetWare bigot ... 
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
 Pinto, Jorge de
 Sent: Tuesday, August 02, 2005 2:06 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 A while ago I put some AD feature thoughts in a textfile not knowing 
 what to do with them at that moment
 
 Here goes: 
 
 * Active Directory thoughts: 
 * OU = security principal 
 * Possibility to merge Forests 
 * Cut and paste a domain from one forest to another 
 * Domain concept: 
 * Domain controller - directory server (not specific to a certain domain, but hosting naming contexts)
 * Password policies not only per domain but also per OU
 * Keep domain as a replication boundary but remove the flat structure (prevent context login like NDS - Aliases?)
 * Multiple replication boundaries (naming contexts) per directory server 
 * Remove domain as an entity. Forest is only entity needed
 * Integrate file system and possible other resources into the directory (e.g. search where security principals are used)
 * Permissioning TOP-DOWN and BOTTOM-UP (file system) 
 * Delegation of Control: ability to dictate 

RE: [ActiveDir] Biggest AD Gripes

2005-08-02 Thread Fuller, Stuart
-I dislike that there is no easy undelete (e.g. true undo
with all the attribs coming back and all the nasty cross domain group
stuff fixed). 

-I dislike that there is no official support of AD on VMware
ESX. (Come ON MS, let VMware certify their drivers...)

-I dislike the multiple different ways that values are
represented in attributes... Some attribs are relatively straightforward
and others are in some type of bitwise format. For example
lastlogonTime is represented with a high and low part bit value.  What
is wrong with using stuff that is easily recognized to the scripter like
say a normal date / time stamp??  (See P. 208 of Robbie Allen's AD
Cookbook for this example - four lines of code to display a date/time
plus you have to add the date of 1/1/1601 to it to have it come out
right).

-I dislike the fact that the forest not the domain is the true
security boundary. 

-I dislike the fact that the password policy rules are only
configurable on a per domain basis.

-I dislike the fact that a good chunk of the Terminal Services
user information is a big old binary blob in a single attribute and you
have to have a special .dll (built in on 2k3 servers) to write/read to
it. 

_Stuart Fuller
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 02, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Biggest AD Gripes

So what are everyone's biggest AD Gripes? I am not talking about gripes
about things that use AD like GPOs[1] or Exchange or NFS or anything
else like that. I mean actual AD really missed the boat because of this
that or the other thing.

Like 

o I dislike that when you defunct an attribute it doesn't purge the
information in the directory for that attribute.

o The fact that AD Security policy is managed through a technology
dependent on AD and replicates both within AD and the other technology.
 
o I dislike that there is no true schema delete.

o I dislike the fact that I can't specify which branches of the tree
replicate where.

o I dislike the fact that GUIDs are represented in multiple ways in the
directory.

o I dislike the implementation of property sets especially since they
could be so incredible awesomely cool. Specifically I dislike that an
attribute can only be in a single property set. 

o I dislike creator/owner on SDs.

o I dislike the lack of configurable business rules.

o I dislike the fact that I can't run multiple domains on a single
domain controller. 



Etc etc. I have more but lets see what others say. Everyone pipe up.
Let's pretend that MS will actually see this, let's further say let's
pretend MS AD Developers will see this. What would you tell them if you
were sitting in the room with them?



   joe





[1] I do not consider GPOs to be part of AD. They are a technology that
leverages AD.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


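Stuart Fuller's gripe above about lastLogon being handed to scripts as a high and low part is the AD Integer8 (Windows FILETIME) encoding: a 64-bit count of 100-nanosecond ticks since 1 January 1601 UTC, which ADSI exposes as two 32-bit halves. The block below is an added example, not code from the thread, that does the conversion in both directions in Python and uses it for the thing a security engineer most often needs it for: an LDAP filter for dormant accounts. The HighPart/LowPart pair, the cutoff and the attribute default are assumptions chosen for illustration. It also handles the 0 "never logged on" value and the 0x7FFFFFFFFFFFFFFF "never expires" sentinel that accountExpires uses, both of which naive converters turn into nonsense dates.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME / AD Integer8 epoch: 1601-01-01 00:00 UTC, counted in
# 100-nanosecond ticks. lastLogon, lastLogonTimestamp, pwdLastSet and
# accountExpires all use this encoding.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER = 0x7FFFFFFFFFFFFFFF  # accountExpires value meaning "never expires"


def large_integer_to_int(high_part: int, low_part: int) -> int:
    """Combine the HighPart/LowPart pair that ADSI's IADsLargeInteger hands
    to a script into one 64-bit integer.

    ADSI returns LowPart as a *signed* 32-bit value, so anything with the
    top bit set comes back negative and has to be rebased before shifting.
    Forgetting that is the classic off-by-2^32 bug in VBScript converters.
    """
    if low_part < 0:
        low_part += 1 << 32
    return (high_part << 32) | low_part


def filetime_to_datetime(value: int):
    """Integer8 ticks -> aware UTC datetime; None for 0 (never logged on)
    and for the 'never expires' sentinel."""
    if value <= 0 or value >= NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> Integer8 ticks (inverse of filetime_to_datetime)."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def stale_account_filter(now: datetime, max_idle_days: int,
                         attribute: str = "lastLogonTimestamp") -> str:
    """LDAP filter for enabled user accounts whose last logon is older than
    max_idle_days.

    Defaults to lastLogonTimestamp because lastLogon is not replicated, so
    querying it on one DC misses logons served by the others. The
    replicated attribute is only refreshed when the stored value is more
    than roughly 9-14 days old, so build that slack into max_idle_days.
    The userAccountControl clause (bitwise AND rule, bit 2) drops disabled
    accounts so the list is actionable.
    """
    cutoff = datetime_to_filetime(now - timedelta(days=max_idle_days))
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!userAccountControl:1.2.840.113556.1.4.803:=2)"
            f"({attribute}<={cutoff}))")


if __name__ == "__main__":
    # Constructed sample: the HighPart/LowPart pair for 1970-01-01 00:00 UTC
    # exactly as ADSI would return it (note the negative LowPart).
    value = large_integer_to_int(27111902, -717324288)
    print(value, filetime_to_datetime(value))
    print(stale_account_filter(datetime.now(timezone.utc), 90))
```

lastLogonTimestamp only exists once the forest is at Windows Server 2003 functional level; on a Windows 2000 forest you are back to querying lastLogon on every DC and taking the maximum.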


RE: [ActiveDir] Slightly OT: Windows 2003 SP1 hangs on Domain Controller

2005-07-13 Thread Fuller, Stuart



Have you updated the BIOS, RAID firmware, RAID drivers to the same level as the other machines??? 

Also there is an issue with Dell Open Manage and 2003 SP1 - 
see "user notes for supported windows operating systems" under http://support.dell.com/support/edocs/software/smsom/4.4/en/Readme/Readme_ins.txt?c=usl=encs=s=gen. 
That states you need to update Open Manage before applying 
SP1.

HTH,
_Stuart 
Fuller


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Wednesday, July 13, 2005 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Slightly OT: Windows 2003 SP1 hangs on Domain Controller


Yeah I forgot to mention disk space: the C drive has over 4GB free and the 
other volume has over 80GB free. Thanks for the input!






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, July 13, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Slightly OT: Windows 2003 SP1 hangs on Domain Controller

The first thing I would check is disk space 
availability. Also, every once in a great while I find the folder System 
Volume Information that is huge. I believe it is due to a stuck volume 
shadow copy operation. A reboot clears it 
out.

HTH,
Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Wednesday, July 13, 2005 7:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Slightly OT: Windows 2003 SP1 hangs on Domain Controller


Hi all,

I'm applying W2K3 SP1 on my domain controllers after a test in my lab. In the 
lab and on the first production domain controllers SP1 installed fine. I have 
one remaining DC where the SP1 setup hangs during the backing up registry 
portion of the install. The hardware is the same on this final DC as it is on 
the other DCs - a Dell 2650. The system remains responsive; however the setup 
just doesn't go any further (progress bar). I have left it overnight with no 
successful completion.

Here's what I've tried:

1) There was a system reboot before the SP1 process was started. I usually do 
this anyways before installing a SP
2) Machine was backed up during normal course of backups
3) When the machine came up I noticed the removable storage service did not 
start. Started it and it's now running
4) After the 1st install failure, rebooted and successfully applied other 
Windows updates to the server (some IE6 ones that I had held off on)
5) Searched Google using "Windows 2003 SP1 Install fails" and "Windows 2003 
SP1 Registry backup fails". Nothing immediately jumped to mind as relevant in 
those searches.
6) Searched Support.Microsoft.Com with the same query - again nothing that 
seems to match my circumstance
7) It has stalled 4 times now at the same point... any suggestions?

Thanks in advance!

Regards,
Lou



RE: [ActiveDir] Synching NDS and AD

2005-05-12 Thread Fuller, Stuart



Nsure Identity Manager = "Metadirectory" for all disparate NDS (Edir) and AD 
directories.

We are/have been looking at this question, and yes you can do a simple synch 
between Novell and AD with this product. *BUT* in our case the OU structures 
between the two directories are so disparate that a direct sync is relatively 
impossible. If we end up going with this solution, we will have to project both 
directories to a third directory that we will write the sync rules for. This 
ends up being a Metadirectory.

*If* your OU structure, account IDs, etc... are fairly or exactly the same, 
then you can do a direct sync and end up with something "...not the size of an 
Identity Management Tool like MIIS". If you want a full blown Metadirectory 
then Novell's Nsure Identity management is in the same category of directory 
products as MIIS.

_Stuart Fuller


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, May 11, 2005 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Synching NDS and AD

Hi Jorge, 

We run Netware NDS6.5 along with AD 2003 and we have a fulltime Netware 
Consultant on staff assigned by Novell. I spoke with him about your request 
and what he would recommend and he gave me this link 
http://www.novell.com/products/nsureidentitymanager/

Regards, 

Jose Medeiros

--

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
  Sent: Wednesday, May 11, 2005 11:07 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Synching NDS and AD
  Hi, 

  Does anyone know of a product that can achieve the following: 
  * Synching NDS and AD 
  * 2-way synching 
  * Automated synching 
  * Possibility to assign a directory for the first sync 
  * Synching of user accounts, groups and passwords (although I wonder if 
  the latter is possible because different mechanisms are used for storing pwds)
  * Not the size of an Identity Management tool like MIIS 

  Could MS Services for Netware play a role in this? 

  Cheers 
  #JORGE# 
  Met vriendelijke groet / Kind regards, 

  Jorge de Almeida Pinto 
  Infrastructure Consultant 

  LogicaCMG Nederland B.V. (BU SD/AT) 
  Division Industry, Distribution and Transport (IDT) 
  Kennedyplein 248, 5611 ZT, Eindhoven 
  Postbus 7089, 5605 JB Eindhoven 
  Tel : +31-(0)40-29.57.777 
  Fax : +31-(0)40-29.57.709 
  Mobile : +31-(0)6-26.26.62.80 
  E-mail : [EMAIL PROTECTED] 
  http://www.logicacmg.com/ - Solutions that matter 

  This e-mail and any attachment is for authorised use by the intended 
  recipient(s) only. It may contain proprietary material, confidential 
  information and/or be subject to legal privilege. It should not be copied, 
  disclosed to, retained or used by, any other party. If you are not an 
  intended recipient then please promptly delete this e-mail and any 
  attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] Synching NDS and AD

2005-05-12 Thread Fuller, Stuart



I won't argue with Mr. Culver about what Novell's fine Nsure Identity Manager 
(DirXML) product will or will not do, for obvious reasons... :-)

He is absolutely right that you can write any type of rules to do the various 
nasty one to many, many to one, and many to many joins when doing the 
synchronization. What I meant by "relatively impossible" was really "tedious 
and painful". 

However, the other concept that I was trying to get at (and obviously failed 
to do) is that it is easier to write two "simple" synchronization rule sets 
when synchronizing the directories to a "metadirectory" (or using MIIS's 
terms - "the metaverse") than to use a more complex single direct 
synchronization rule set.

As for the State of Montana's AD / NDS OU structures... Here is an example:

Medium size agency with geographic dispersion across all 56 counties in 
Montana and 700+ users (for sake of discussion call this "Agency A"). (For 
you people who actually work for a living translate "agency" to "division" or 
"subsidiary")

NDS:                              Active Directory:
agency OU                         agency OU
  -LocationA                        -Users
    -Users                          -Workstations
    -Workstations                   -GPO OU 1
      -Win2000XP                    -GPO OU 2
      -NT                           -Servers
  -LocationB
    -Users
    -Workstations
  -LocationC
    -Users
    -
  -Location ...

Now for Agency A, if they create a user in AD and want to synchronize to NDS, 
what OU does the user get created in??? They will have to come up with some 
rule that looks at another attribute of the user object to decide where to 
place the user such as "City". Okay, so you write a DirXML rule that says if 
user is created in Active Directory under "ou=User, ou=Agency A", create a new 
user in NDS, and place the user in "ou=users, ou=Location A, ou=Agency A" 
where Location = Location A if City = A.

Great, that works for the Metadirectory case and for the direct synch case 
*until* your agency administrator decides to change OU structure on the AD 
side or on the NDS side. Let's say the agency administrator is implementing 
some type of ZEN policy on the NDS side or otherwise goes crazy and splits up 
the Users OU underneath the Location OU. In the direct sync case you have to 
rewrite the entire synchronization rule to determine which OU the user will 
get placed in. In the Metadirectory case, you don't have to touch the AD 
import rule because nothing changed. All you would have to do is to modify the 
NDS export rule to take into account the new logic for determining where to 
place the user. 

So... the points I was trying to make were:

1. Novell's Nsure Identity (rebranded DirXML) truly is an industrial strength 
Metadirectory and exceeds Jorge's criteria of "Not the size of an Identity 
Management tool like MIIS". 

2. If you have *fairly* large and disparate OU structures between AD and NDS, 
you are much better off in the long run building a true Metadirectory than 
trying to build a direct synchronization link.

3. If you have 2 directories, then a Metadirectory becomes way more attractive 
and is easier to manage, more efficient, and much easier to maintain the 
synchronization logic and something like Nsure Identity Manager or MIIS become 
very attractive products.

4. I'm not saying "don't use Nsure (DirXML)"... what I am saying is realize 
what you are getting when you purchase Nsure.

_Stuart Fuller


P.S. Hunter *does* know that there is something wrong 
with me :-p





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, May 12, 2005 3:22 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Synching NDS and AD


In response to Stuart's posting, 

" NIM is actually bigger than just eDir and AD Sync, and it's certainly more 
than just a simple sync with the ability to control the flow of metadata and 
modify data on the fly through XSLT XML, it also includes the idea of 
authoritative sources at an attribute level - one of the most powerful and 
flexible metadirectory products on the market today and one which is 
reasonably mature/robust.

If you've setup your AD structure so differently to your eDirectory 
structure within the same company then there's either something wrong with one 
of the structures or there's something wrong with you - I have never ever seen a 
directory structure in AD that I can't apply rules through NIM to sync with 
eDirectory even in instances of poor design. " 

As per Matthew Culver
Sr Network Engineer
Novell Inc.

--

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
  Sent: Thursday, May 12, 2005 12:27 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Synching NDS and AD

  Nsure Identity Manager = "Metadirectory" for all disparate NDS (Edir) and 
  AD directories.
  
  We are/have been looking at this question, and yes you can do a simple 
  synch between Novell 
RE: [ActiveDir] Cross WINS Pollination

2005-05-02 Thread Fuller, Stuart



Looking back at your original question - Have you considered using a tiered 
WINS server set up??

This scenario divides up your WINS infrastructure into levels with the top 
tier pushing down to the lower tier. The top tier is where you have the DC's 
and "important Enterprise servers" registered while the lower tier(s) are 
where you register the clients and the "organizationally distinct" servers. 
The top tier servers do a push only replication to the lower tier servers 
instead of a push-pull.

It looks something like this:

Tier 1 -           Enterprise WINS
                     /         \
                    /           \
Tier 2 -  Company A WINS     Company B WINS


The advantage of using this setup is that Company A clients see all of the 
Enterprise WINS records and the Company A records but not any of the Company B 
records.

The disadvantage is that this is more complex, more servers/services, and you 
are relying on WINS replication to get the critical WINS DC records down to 
the Tier 2 servers.

_Stuart Fuller



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 02, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS Pollination


Consider the methodology of a large organization, a step 
which is manual in nature could be overlooked by a single support person which 
is what is to be avoided. But again, in the header of my mail, I did not 
want to go into all of the reasons but rather if it could be 
done.

-Jon



  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Al 
  MulnickSent: Monday, May 02, 2005 2:41 PMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Cross WINS 
  Pollination
  
  Certainly good feedback, but how often are you removing 
  and updating records? This amounts to a filtered sync in my mind. 
  I understand why you want to do it now, but I'm not sure I agree with the 
  approach to make it semi-automatic. At least, I don't think I understand 
  the amount of updates and number of possible records. I'm asking if it's 
  worth it to even automate it vs. just manually doing this due to infrequent 
  changes (this is just for dc and servers). 
  
  And the conversation is academic. I'm just trying 
  to figure out where to file this type of usage later.
  
  Al
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, May 02, 2005 12:43 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  If you have a large WINS architecture you are pushing the 
  records into I would prefer the dynamic insert than the static insert myself. 
  Static records can be a pain to remove from a large WINS architecture or at 
  least they were in the past the few times I tried to clean some up. 
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Monday, May 02, 2005 11:54 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  Hmm I see what you're after, but that's a funky place 
  to be to say the least. 
  
  I would *think* that your DC's and servers would be static enough that you 
  *could* manually enter those records into the WINS systems on the respective 
  sites. I would also *hope* that WINS is not required for that, but if it is, 
  you would have to either script that manual version as Joe described (you 
  could build a list of servers and DC's since it's not highly volatile right?) 
  and run this on a regular basis, or you could read the db in the target 
  domain and push that to others. There are permissions issues as Joe 
  mentioned, but shouldn't be too terribly difficult to workaround that. 
  
  Thanks for assuaging my curiosity and good luck with that :)
  
  Al
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, May 02, 2005 10:43 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  
  If you had two distinct organizations and did not want to 
  replicate each other's WINS database information that would be first 
  reason. However, what if both organizations wanted to use a 'shared 
  domain' model. You can accomplish this by having one set of DC's and 
  Servers register to one set of WINS via normal processes and then create a 
  static entry on the second set of WINS servers. The problem with this 
  model is it isn't autonomous to changes. So if I decided to add a new 
  server or DC, one side will automatically get the updates, but the other has 
  to manually be changed. What would be nice if I could run a command on 
  all servers to refresh entries at a timed interval against the disjointed 
  WINS server(s).
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS 

RE: [ActiveDir] VB Script and Group policy

2005-04-12 Thread Fuller, Stuart



Just looking at the code and not verifying if this is the correct way to do 
this... You have "strConnectString" in there twice so that the only value that 
gets passed to the action part of the script is "\\servername\Boston_IT"

Try:

strConnectString = "\\servername\Boston_IT2"
strResult = objWSHNetwork.AddWindowsPrinterConnection(strConnectString)
strConnectString = "\\servername\Boston_IT"
strResult = objWSHNetwork.AddWindowsPrinterConnection(strConnectString)

To lessen your variable confusion I would modify it further to:

strConnectString = "\\servername\Boston_IT2"
strResult = objWSHNetwork.AddWindowsPrinterConnection(strConnectString)
strConnectString2 = "\\servername\Boston_IT"
strResult = objWSHNetwork.AddWindowsPrinterConnection(strConnectString2)

More stuff on scripting printers is available from Microsoft's Script Center - 
http://www.microsoft.com/technet/scriptcenter/default.mspx

_Stuart Fuller




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Tuesday, April 12, 2005 2:19 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] VB Script and Group policy

Running Windows 2000 AD

I'm looking to automate the installation of printers using a vb script and 
group policy. I found the script referenced below which works great for adding 
the printer and works great with GP. However, I can only add one printer. Every 
time I modify it to add additional printers it only adds one.

Set objWSHNetwork = CreateObject("WScript.Network") 'create network object
strConnectString = "\\servername\Boston_IT2"
strConnectString = "\\servername\Boston_IT"
strResult = objWSHNetwork.AddWindowsPrinterConnection(strConnectString)

Does anyone out there know a way of adding multiple printers with this script? 
I should mention I am not a vb person.

Thanks


RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Fuller, Stuart
Maybe that should be a competition between the various methods of forest 
recovery.  Virtual versus Lag/Hot Site versus MS white paper full rebuild 
etc Although I think Dean's total VM scripted method would probably win 
 :-)

-Stuart Fuller 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida 
Pinto
Sent: Tuesday, March 22, 2005 11:13 AM
To: 'Lee, Wook '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Have fun at DEC

I was thinking that maybe next time for the AD UP-All-Nighter we could
disaster-recover a screwed up forest of two or three domains.

now that sounds interesting!!!


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 21, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have fun at DEC

 

Thanks for all the good words. I haven't ground up the session evals yet, but 
my informal polling indicates that overall, this DEC came off quite well. 

 

High points (not from me, but summarized from attendee comments I heard)

 

1) Most of the sessions were well done, with one or perhaps two exceptions. Of 
course joe, Jorge, Dean, Wook, Jesse, and Rick wanted gnarlier content, but for 
the vast unwashed the sessions were very well received. I've had half a dozen 
attendees claim that this DEC was the best tech conference they had ever 
attended.

2) The AD All Night event came off quite well... people had a great time and 
learned quite a bit as well.

3) The opportunities for networking with peers were outstanding. As was the 
food and the free beer.

4) The analyst panel was quite interesting and useful.

 

Lows:

1) Wireless access charges. There was nothing we could do about this in 
Vancouver, but we will make fixing this at the next DEC a high priority.

2) Information overload. There was a lot of information in a fairly compressed 
timeframe, and after a day and a half it was hard to absorb any more. More 
demos or hands-on sessions would help.

3) The analyst panel wasn't interesting because it wasn't technical. (It 
depended on who I talked to)

 

I had a great time and learned quite a bit. It was also great to get a bunch of 
the more prolific activedir.org posters together and swap stories. Jorge and 
joe/Dean have indicated that they are going to put together sessions for next 
year, so I'm looking forward to that.

 

I have to agree that Christine and Stella (and now Rita too) are the best. You 
can't even begin to guess at how much goes into putting on something like DEC, 
and they pull it off every year with style and grace. 

 

The .ppts will be posted up on our web site in a couple of days (the laptop 
with all the .ppts was delayed coming back from Vancouver apparently).

 

Thanks again to those who presented and attended. I look forward to working 
with you next year. Semper Pullus!

 

-gil

 

 

 


From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 3/21/2005 6:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have fun at DEC

I not only had fun at DEC, I learnt so many things. Aside from being around the 
usual suspects (Hi, Dean! Hi, Joe! Hi, Rick!), I got to meet Jorge, Hunter, 
Alain and a host of other people.

Then I came away with 2 of the most eye-opening lessons to-date in my 
professional life:

You can't cram a security discussion into a 75-minute presentation :) There 
is an inverse relationship between the number of admins and the security of 
your network - the higher the number of admins, the lower the security.

Gil and the rest of the DEC crews are some of the most gracious hosts I have 
ever had the pleasure of being associated with - and I am grateful for the 
opportunity.

And, Rick, thanks a bunch for your late-night assistance. I owe you one.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Mon 3/21/2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have fun at DEC



Hey now, Dean and I actually weren't on the admin teams. We were wandering 
consultants. We initially had been under the understanding that it was a 
hacking session and we are under constraints about showing off tricks like that 
so we excused ourselves from the competition. Gil asked us just to walk around 
and check out what was going on.

Once we realized it was a break-fix with users trying to take advantage of a 
poorly configured system Dean jumped in a little more but still didn't get to 
do what he wanted.

Had we been on the admin team, the first thing we would have done is make it so 
no one could connect remotely to the DCs and secured them, then opened them up. 
That would have made the whole 

RE: [ActiveDir] Continuity planning and AD

2005-03-18 Thread Fuller, Stuart
To duplicate ESX, you would have to develop a very stripped and
efficient kernel.  ESX is actually running a proprietary kernel running
underneath the hosts and it uses a Linux console OS to control the
kernel.  This is one of the main reasons why ESX is so much more
efficient than VPC or GSX where the underlying OS is normal Windows.
ESX also uses a specialized and very efficient disk format (VMFS) for
the actual host files. 

Here is the map:

VPC = VM workstation
Virtual Server = GSX
??? = ESX

Hardware virtualization idea is a HUGE thing and Microsoft needs to get
more on board and should have bought Vmware when they had the chance. 

As the to the DR scenario (e.g. SunGard), we are in the same boat and
ESX and Virtual Hosts solves all of the mucking about with dissimilar
hardware restores.  In fact, because ESX emulates common drivers on the
OS install CD you can actually do a physical to virtual restore with a
lot less trouble than one would think. In our specific case we are able
to use Ntbackup to restore directly a Windows 2000 Dell 2550 to a
virtual server on ESX with no special steps.

-Stuart Fuller


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 18, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

Wouldn't it just be easier to expect them to put that ESX functionality
in virtual server? ;) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

I am 150% behind this mechanism. Your up and functioning again time is
drastically reduced as you can recover to any machine that has your
virtualization software up and running. This is technology that I have
been recommending to the list for probably a couple of years now along
with many others. Basically you spin up a little site with virtuals of
all of your domains, you script their daily (or more often) shutdown and
backup. If you get really cute you have multiple DCs of each domain and
stagger their shutdown and backup times and maybe even their replication
schedules. This also helps with establishing lab forests or safe harbor
(aka Life Boat) forests to do real data tests for things like schema
updates and such. 

If MS would get off their butt and support VMWARE ESX officially as a
hardware platform this would open up even more possibilities such as
near immediate full forest recovery even with X domains where X is some
crazy number like 20+. In fact, now that I have heard of Server
Foundation Architecture at DEC[1] from Stuart Kwan, my battle with IE on
DCs is pretty much wrapped up (unless I hear the idea dying) and I
appear to have won so I am going to see if I can take on getting MS to
support ESX since they have no competing product. I believe the idea is
as solid and just as the idea to get IE/GUI off of servers if you want
to run that way. 

So anyway, if this is something you are interested in as well, getting
ESX server supported as a hardware platform, feel free to ping me
offline about it and let me know the kind of business you represent
(size, how much MS, etc.) so when I start my email campaign and start
making a nuisance of myself in the various forums and face to face times
with MS execs I have some numbers and company names behind me.
Virtualization is truly where we are going and MS and Virtual Server is
nowhere near the capability of ESX and I haven't heard anything that
would lead me to believe MS is anywhere near to announcing anything like
that. This seems to be good for everyone from what I can see: good for
the customer as their life will probably become easier and more secure,
good for MS because people will buy more product licenses because they
can fit more in the data center, good for hardware vendors because they
sell better higher end hardware instead of a bunch of the lower end
small margin stuff. 

Some very large orgs (no names please) I talked to at DEC are all moving
forward with ESX solutions even though MS doesn't officially support the
platform. They have looked at it and determined that the solution
justifies going outside the realm of guaranteed MS support. That doesn't
look good for MS; it is an inability to admit to reality. Sure, don't
support VMware Workstation or GSX, we understand, it competes with your
own product lines, but you don't have a product like ESX... period. And
larger customers are going to want to go ESX versus GSX or Virtual
Server. Heck, if you really look at it, you could come up with some
pretty good cookie cutter Small Business ESX solutions as well. 

  joe


[1] When Stuart announced having a DC up and running in the lab on this
platform with no GUI/IE there was big time applause from the audience
and a tear came to my eye. People were buzzing about it the whole rest
of the week. Rick tried to get 

RE: [ActiveDir] Custom MMC

2005-02-25 Thread Fuller, Stuart
And see the following - 

http://support.microsoft.com/default.aspx?scid=kb;en-us;247151
http://support.microsoft.com/default.aspx?scid=kb;en-us;214676

And also -
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ADadmin.asp
Or http://tinyurl.com/6r2hv

What I use in a batch file is:

start runas /user:DOMAIN\user "mmc c:\directory\Con.msc /server=server1.company.com"

Where Con.msc has the dsa snap-in loaded in it and can include others
like sites and services, DNS, etc...

_Stuart Fuller  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Friday, February 25, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Custom MMC

dsa.msc /domain=fqdn of domain

-DaveC
Reuters AITS Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 25, 2005 5:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Custom MMC

Your guess is as good as mine. It is why I don't like to guess and
actually try to see what is failing. 

Naming issues tend to be related to some problem with the resolution
process which tends to come down to DNS. However, without a trace, that
is, at best a guess. We could guess for some time and not guess right.

However, one other guess is that ADUC is trying to contact the NT4
domain, I seem to recall there being a switch you could use with DSA to
point at a specific domain but I don't recall what it is. 

Finally, if you can't trace from their side, try tracing from your side
on the DNS server and DCs. However that is going to be orders of
magnitude more difficult to figure out than doing it from the client. An
alternative would be to configure a client on your side like theirs and
see what happens when you do it.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, February 25, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Custom MMC

How can it be DNS when he can do a NSLOOKUP and find all the SRV Records
and is using my DNS Servers???  He can ping the domain name and can
resolve every record to IP.

Plus, I will not be able to do a Network Monitor since this is not a
facility that we can work with, they subscribe to e-mail from us and I
wanted to be able to provide them with reset password capabilities.

What else can I try?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 25, 2005 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Custom MMC

That sounds like DNS issues. Time to get the network monitor out and
watch the traffic and see where it fails.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, February 25, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Custom MMC

It did not work, still getting the "Naming Information cannot be located"
error.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 25, 2005 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Custom MMC

Assuming the ID has permission to read that location, it should work
fine.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, February 25, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Custom MMC

I will try this however the msc I want to run is located at
\\servername\consoles\filename.msc so should I do

Runas /netonly /user:DOMAIN\USER cmd
Password
Type \\servername\consoles\filename.msc



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 25, 2005 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Custom MMC

Try this

runas /netonly /user:domain\user cmd
Then enter password

At the command prompt that is opened type dsa.msc


FYI. This is how I do all of my admin work. I fire up various command
prompts in the various security contexts I need and color code them all.
The more power the specific ID has, the brighter and more obnoxious the
color of the window. I want there to be no clue when I am typing a
command, what security context it is running under.


Note that the DNS has to be right for this to work. If the machine that
isn't trusted can't resolve the AD domain, you aren't going to be able
to use MMC. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin 

RE: [ActiveDir] DC or not DC

2005-02-16 Thread Fuller, Stuart
I hate to drag this off subject slightly, and since no one has mentioned
it, but isn't the whole point of Microsoft Virtual Server and VMware
GSX/ESX so that you can run multiple servers on the same physical server
and not have the application/security/resource conflicts that you can
get by running everything on one server?  At the last MS TechEd several
of the MS people I talked to were pitching Virtual Server as *the*
solution to the "I only have one server" and branch office scenarios.

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

Yeah MS has always said best practice is not to put back office apps or
IIS on domain controllers for as long as I can recall. Ditto file and
print. There are possible resource and security issues. 

Then they have SBS. SBS bothers me because you take everything MS has
ever said and you say, hmmm, forget about it. At that point, what do you
and don't you listen to from MS? My thoughts? Listen to all of it but
don't trust any of it until you have proven it yourself. I generally
(there are exceptions to make the rule) consider anything from MS as
propaganda until I have proven it with my direct experience or it has
been stated to me by my very few trusted advisors. Like if Dean tells me
something, I tend to listen closely, I may argue, but I start from a
losing position because if I don't agree it is probably because I don't
understand, through no fault of Dean's explanation. Many conversations I
have with Dean start out with me thinking, oh shit, he expects I know
what I am talking about with this functionality... With Rick, well you
argue with Rick about everything because he is a hoot to argue with.
With Deji... Check it twice - all of it. ;oP  Tony... Never argue with
Tony's dinner wine choice, never. 

My thoughts are that if you have a company small enough that SBS works
for you, you probably won't have too many resource issues unless you
have some serious power users. However security concerns will *always*
be there simply because you are adding additional vectors. You can't add
more services to service users and NOT open up more possible security
holes. Additionally one of the methods for fixing replication hangs and
such in AD is a reboot because attempting to stop and start the AD
services is less than helpful. Tougher to do that when you have people
using fixed services such as FP, SQL, Exchange, etc. as they tend to get
cranky when the server side of the equation disappears. 

My personal reaction to anything but DHCP/DNS/WINS on a DC is sort of a
blanched look and I don't even really like DHCP/WINS/DNS on the DC
because I think that also raises the security vectors too much. Keep in
mind, AD is the bastion of your enterprise security. Why give people
holes to poke at to see if they can compromise the entire forest? 

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, February 16, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

If you have the resources on the box and can not afford to purchase a
new box for SQL or Exchange, then you are stuck with the only one
option. However, I am a big believer in keeping the server roles
separate.  I find that the overhead of SQL (and even Exchange) is rather
high during peak times.  And, if SQL runs on the DC, this may cause
latency issues with DNS lookups, group policy updates to clients and/or
login issues.  I believe that Microsoft's best practices said to keep
things separate.  (But, I may be dreaming...Like I often do...) However,
with everything that I have said, it is just my opinion and is dependent
on how many users you have and if your company can afford the cost.

*
Steve Shaff
Active Directory / Exchange Administrator Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alonzo Hess
Sent: Wednesday, February 16, 2005 7:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC or not DC


Last night I received the latest MCPMag email newsletter and always read
the questions that people ask. I was kind of surprised by the opening
sentence of the question. I know that the Microsoft gospel is never to
run Exchange, SQL Server, etc. on a domain controller. I've never seen
or heard this before. I realize having the server be a DC would add some
overhead, but what are the list's thoughts on this? Good or Bad?

Thanks,
Zo
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] DC - rebuld issues

2005-02-15 Thread Fuller, Stuart
Correct...

You will need to do metadata cleanup to remove DC2 and will need to
seize the appropriate FSMO roles.  Search the AD list archive at
http://www.mail-archive.com/activedir@mail.activedir.org/ for previous
threads on this topic and restores in general. 

Some papers to read are (watch for line feed in the url): 

How to remove data in Active Directory after an unsuccessful domain
controller demotion
(This is the situation you are in when you restore in a test bench
environment.  One server up and the other DC's still registered but not
playing any more)
http://support.microsoft.com/kb/216498

Active Directory Operations Guide - Active Directory Backup and Restore
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx

Best Practices: Active Directory Forest Recovery -
http://www.microsoft.com/downloads/details.aspx?FamilyID=3eda5a79-c99b-4df9-823c-933feba08cfe&DisplayLang=en

_Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Tuesday, February 15, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC - rebuld issues

Thanks Stuart...I got this resolved by running the restore again...

However I have another issue here...I wanted this to be a single DC
domain...but my domain owner is DC2 which we do not want to build... Can
someone help me with the proper commands...


I am checking on the ntdsutil -- roles and seize roles... am I going
correct...please help


Regards,
Chandra

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Fuller, Stuart
Sent: 14 February 2005 21:02
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC - rebuld issues


I have seen a similar thing while using Ntbackup during our DR drills.

The first restore goes along and doesn't really complete (no log file
pops up and no warning - ntbackup simply stops and exits somewhere in
the AD portion of the restore).  You reboot the server and you login
with local admin credentials instead of getting a choice to use AD.  This
second login can take a while because it has to fail on a bunch of
partially restored stuff. If you simply run the full restore again after
reboot then that works and the DC comes up just fine.  This occurs with
the target server set to AD Disaster Recovery safe mode or just booted
normally.  

-Stuart Fuller   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Monday, February 14, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC - rebuld issues
Importance: High


Hi,

I have a typical issue with re-building a DC.


I am currently in the stage of re-creating an AD domain for DR
documentation.
Have installed W2k server -- trying to restore from a backup tape from
the live system (whole C drive and the System state) -- make registry
changes for RPC and NTFRS

Issue here is that after completely restoring and re-starting --
prompted with the login of the local system and not the domain ...mostly
if I login with the local admin - nothing comes up... explorer.exe does
not start up.


Any ideas and suggestions please.


Regards,
Chandra

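As an added illustration of the ntdsutil work Stuart and Chandra refer to above (this session is not from any post in the thread), here is the Windows 2000/2003 ntdsutil sequence that removes the unrecoverable DC2 from the restored domain's metadata and then seizes the five FSMO roles onto the surviving DC. The surviving DC's name DC1 and the index numbers 0 and 1 are assumptions: take the real ones from the output of each `list` command before typing the matching `select`.

```cmd
C:\> ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server DC1
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
select operation target: select domain 0
select operation target: list sites
select operation target: select site 0
select operation target: list servers in site
select operation target: select server 1
select operation target: quit
metadata cleanup: remove selected server
metadata cleanup: quit
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server DC1
server connections: quit
fsmo maintenance: seize schema master
fsmo maintenance: seize domain naming master
fsmo maintenance: seize RID master
fsmo maintenance: seize PDC
fsmo maintenance: seize infrastructure master
fsmo maintenance: quit
ntdsutil: quit
```

Each `seize` first attempts a normal transfer and only seizes when the current holder (DC2) cannot be reached, which is exactly the test-bench case here; a DC whose metadata has been removed must never be reconnected to that domain, and KB 216498, linked above, also walks through deleting its server object in Sites and Services and its DNS records.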


RE: [ActiveDir] DC - rebuld issues

2005-02-14 Thread Fuller, Stuart
I have seen a similar thing while using Ntbackup during our DR drills.

The first restore goes along and doesn't really complete (no log file
pops up and no warning - ntbackup simply stops and exits somewhere in
the AD portion of the restore).  You reboot the server and you login
with local admin credentials instead of getting a choice to use AD.  This
second login can take a while because it has to fail on a bunch of
partially restored stuff. If you simply run the full restore again after
reboot then that works and the DC comes up just fine.  This occurs with
the target server set to AD Disaster Recovery safe mode or just booted
normally.  

-Stuart Fuller   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Monday, February 14, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC - rebuld issues
Importance: High


Hi,

I have a typical issue with re-building a DC.


I am currently in the stage of re-creating an AD domain for DR
documentation.
Have installed W2k server -- trying to restore from a backup tape from
the live system (whole C drive and the System state) -- make registry
changes for RPC and NTFRS

Issue here is that after completely restoring and re-starting --
prompted with the login of the local system and not the domain ...mostly
if I login with the local admin - nothing comes up... explorer.exe does
not start up.


Any ideas and suggestions please.


Regards,
Chandra



RE: [ActiveDir] [gptalk] Display Computer Name on Desktop

2005-02-11 Thread Fuller, Stuart
 
This is actually a common thing for the Citrix/TS world and is a
registry hack to the My Computer icon.

From http://thethin.net TS FAQ:

Question: 
How do I change the name of My Computer to display the server name or
username?

Response: 
 Using Regedt32 edit Registry for My Computer. The key is :
HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Delete  the following value in this key and recreate as follows :
Value Name  : (No Name)
Data Type   : REG_EXPAND_SZ
Data: %USERNAME% %COMPUTERNAME%

(To do this delete the current value and using `Edit` from the menu bar
select `String`. Do not enter a value name.)



-Stuart Fuller
P.S. All registry warnings apply - use at your own risk.
P.P.S. You can also use the BG info tool from Sysinternals - this is way
cool - http://www.sysinternals.com/ntw2k/freeware/bginfo.shtml


-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 11, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: [gptalk] Display Computer Name on Desktop

I have a question, is there a way to display the computer name on the
desktop either through a login script or via GPO?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] Display Computer Name on Desktop

2005-02-11 Thread Fuller, Stuart
Since I hadn't done this for a while I checked on my 2003 server and the
reg hack below does not work on Windows 2003 server.  Looks like MS
moved the effective CLSID for My Computer to underneath HKCU.

The previously posted VBS code seems the best way to do this instead of
all the mucking about with REG_SZ and REG_EXPAND_SZ keys.  There is also
the issue where the 2003 regedit doesn't want to delete the actual
(default) key so you can't change it to a REG_EXPAND_SZ type without
exporting the key, hacking the export, and re-importing.  

Of course you could just hit F2 and rename it manually...harder to
script but just as effective. :-)

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Friday, February 11, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [gptalk] Display Computer Name on Desktop

 
This is actually a common thing for the Citrix/TS world and is a
registry hack to the My Computer icon.

From http://thethin.net TS FAQ:

Question: 
How do I change the name of My Computer to display the server name or
username?

Response: 
 Using Regedt32 edit Registry for My Computer. The key is :
HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Delete  the following value in this key and recreate as follows :
Value Name  : (No Name)
Data Type   : REG_EXPAND_SZ
Data: %USERNAME% %COMPUTERNAME%

(To do this delete the current value and using `Edit` from the menu bar
select `String`. Do not enter a value name.)



-Stuart Fuller
P.S. All registry warnings apply - use at your own risk.
P.P.S. You can also use the BG info tool from Sysinternals - this is way
cool - http://www.sysinternals.com/ntw2k/freeware/bginfo.shtml


-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Friday, February 11, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: [gptalk] Display Computer Name on Desktop

I have a question, is there a way to display the computer name on the
desktop either through a login script or via GPO?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] AD PowerPoint presentation

2005-02-08 Thread Fuller, Stuart
Oldie but goodie:
http://www.microsoft.com/windows2000/techinfo/planning/incremental/netmigrate.asp
Not exactly a nice packaged PowerPoint but enough material to
put something together and it directly addresses Netware 5.1. 

Also you can find a remarkable amount of additional material simply by
using the search at Microsoft.com for Novell Active Directory.

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Tuesday, February 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD PowerPoint presentation

Anyone out there know where I can find a good PowerPoint presentation on
AD migration. (why, how, best practice, cost savings, delegation,
Novell, etc). Management wants to know why migrate from Netware 5.1.
Thanks
Nathan



RE: [ActiveDir] Active Directory Backup

2005-02-07 Thread Fuller, Stuart
Another thing I would like to point out is that not only do 
you have to have a good backup strategy but also you have to test your recovery 
of AD from your backup system. It is always a very useful exercise to take 
your tapes of AD and go to a test bench and see if you can 
recover.

Recovery testing will have you learn about such things 
as seizing FSMO roles, MetaData cleanup, and my personal favorite 
- restores to dissimilar hardware. I think I have 
learned more about how AD works and operates from the time 
spent trying to recover it than any 
other method.

I can recommend one other white paper besides the ones 
already mentioned:

Best Practices: Active Directory Forest Recovery - http://www.microsoft.com/downloads/details.aspx?FamilyID=3eda5a79-c99b-4df9-823c-933feba08cfe&DisplayLang=en
 
-Stuart Fuller



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, February 07, 2005 3:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Backup

Note that it's worth backing up Group Policies separately, 
as you don't want to restore your AD to fix a specific GPO. This can be 
achieved very well with the GPMC (http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx).

also check out this whitepaper: 
http://wm.quest.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf

/Guido



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, February 07, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Backup

Hi Sergio,

You can use whatever tool that's Windows 2000/2003 compliant to backup 
Active Directory. Windows 2000/2003 itself has NTBACKUP that gives you 
the possibility to backup to TAPE or FILE.
To backup Active Directory you must at a minimum backup the SYSTEM STATE 
(I always also backup the system drive - drive with the WINDOWS dir). 

See also the following resources for more info on this:
* http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx (Active Directory Operations Guide - Active Directory Backup and Restore)
* http://www.windowsitlibrary.com/ebooks/administeringad/Index.cfm (chapter 6)

Cheers
Jorge


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Sergio Sánchez Trujillo
Sent: Monday, February 07, 2005 10:50
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Active Directory Backup


Hello, 

Could I do a backup of the Active Directory? How? 

We have a tape library backup and ARCServer Software Backup... but it's 
not necessary to use this library.

Thanks

Sergio Sánchez

This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an 
intended recipient then please promptly delete this e-mail and any 
attachment and all copies and inform the sender. Thank you.


[ActiveDir] RouterIdentity object

2005-02-03 Thread Fuller, Stuart
Does anyone know how, why and/or what is the process that happens when a 
"RouterIdentity" object gets created under a normal workstation (2000 or XP) 
object in Active Directory?? 

Thanks,
Stuart Fuller






RE: [ActiveDir] RouterIdentity object

2005-02-03 Thread Fuller, Stuart
Thanks Bob,
I was trying to help an agency out who cloned a bunch 
of machines that all ended up with the router identity object and ran into the 
"I can't delete the workstation object" problem.

Do you know if you need both the Remote Access Connection 
Manager services and Routing and Remote Access service turned up to have this 
show up in AD or just RRAS???


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, February 03, 2005 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RouterIdentity object

Before I fat-fingered send I meant to say RRAS installation 
will create a rRASAdministrationConnectionPoint attached to that computer 
that shows up in ADUC as "RouterIdentity" and the dialog it throws freaks 
people out when they go to delete the computer account 
:-)


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, February 03, 2005 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RouterIdentity object

RRAS installation.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Thursday, February 03, 2005 1:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RouterIdentity object

Does anyone know how, why and/or what is the process that happens when a 
"RouterIdentity" object gets created under a normal workstation (2000 or XP) 
object in Active Directory?? 

Thanks,
Stuart Fuller






RE: [ActiveDir] RouterIdentity object

2005-02-03 Thread Fuller, Stuart
Flip your view in ADUC to "Users, Groups, and Computers as 
containers". Then expand your RRAS server.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, February 03, 2005 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RouterIdentity object

where do you see that?
i don't see it under my win2ksp4 RRAS server.
is that via adsiedit?
thanks

  -Original Message-
  From: Free, Bob [mailto:[EMAIL PROTECTED]
  Sent: Thursday, February 03, 2005 4:33 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] RouterIdentity object

  Before I fat-fingered send I meant to say RRAS 
  installation will create a rRASAdministrationConnectionPoint attached to 
  that computer that shows up in ADUC as "RouterIdentity" and the dialog it 
  throws freaks people out when they go to delete the computer account 
  :-)
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
  Sent: Thursday, February 03, 2005 1:29 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] RouterIdentity object
  
  RRAS installation.
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
  Sent: Thursday, February 03, 2005 1:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] RouterIdentity object
  
  Does anyone know how, why and/or what is the process that happens when a 
  "RouterIdentity" object gets created under a normal workstation (2000 or XP) 
  object in Active Directory?? 
  
  Thanks,
  Stuart Fuller
  
  
  
  


RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-01-31 Thread Fuller, Stuart
If you are a skier then Whistler/Blackcomb is not to be missed.  IMHO it
is simply the best, extraordinary, largest, most varied terrain, (insert
your own gushing adjective here)... ski area in North America.  Maybe
Gil needs to organize a NetPro ski trip... 

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, January 31, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art
Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell
you more stuff.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind asking this... 
I'm visiting DEC (AD track) in March and hope to meet some of you guys
that are also visiting DEC. Besides visiting DEC I'm staying a few days
longer, hopefully to see very nice things in the region. Do any of you
know what's worth visiting/seeing in the region of Vancouver?

Regards,
Jorge 

Met vriendelijke groet / Kind regards, 

Jorge de Almeida Pinto
Infrastructure Consultant
__ 


LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (IDT) Kennedyplein 248,
5611 ZT, Eindhoven 
*   Postbus 7089 
5605 JB Eindhoven 
*   Tel : +31-(0)40-29.57.777 
*   Fax : +31-(0)40-29.57.709 
*   Mobile  : +31-(0)6-26.26.62.80 
*   E-mail  : [EMAIL PROTECTED] 
*   Web : http://www.logicacmg.com/
- Solutions that matter -


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Fuller, Stuart
FWIW, White papers of relevance if you haven't seen them already.

The first one will probably answer your questions.  What's the
underlying motivation for two forests??  Reading between the lines, it
sounds like the trust issue may not be the real issue compared to some
other service autonomy or data isolation political issue.

Windows 2000/2003: Multiple Forests Considerations White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=b717bfcd-6c1c-4af6-8b2c-b604e60067ba&DisplayLang=en

Design Considerations for Delegation of Administration in Active
Directory
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx

Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, January 06, 2005 1:32 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts within forests

Happy New Year !
I'm having a design discussion with myself about adding a forest vs
adding a domain to an existing forest.  I understand about the automatic
transitive trust between domains in a forest, and how it's possible for
a clever domain admin in a subdomain to compromise the entire forest.
What I'm shaky on is this:  If you had two single-domain forests, and
established trusts in both directions between them, do you have the same
issues ?  I would think not, because the configuration and schema NCs
are not shared between them, but I'm looking for some confirmation on
that.  Also, since we're talking about two single-domain forests, I'm
guessing that the 'forest trusts' available in W2K3 FFL don't really
come into play here, correct ?  In other words, getting the first domain
to W2K3 FFL doesn't buy anything with respect to this trust ?

Thanks,
Dave

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] RRAS win2k

2004-11-23 Thread Fuller, Stuart
1. L2TP requires two nics.  We tried one nic and could not get it to
work.

2. Certificates are required to establish the encrypted channel.  A
pre-shared key is NOT secure and if you read the MS doc, this option
is only for testing.  If you do pre-shared key then you might as well
forgo L2TP and do PPTP.  For L2TP, you need a CA that the clients can
get a cert from that both the VPN server and the client have the root
cert in their trusted store.  

Frankly, L2TP is a pain in the butt to set up and administer.  There are
issues with NAT for older firewalls and clients that don't understand
how to pass L2TP.  The Microsoft clients also have to be updated with
the NAT-T patch
(http://support.microsoft.com/default.aspx?scid=kb;en-us;818043). 

Here are a couple of articles on issues with NAT-T and IPsec:
http://www.microsoft.com/technet/community/columns/cableguy/cg0802.mspx
http://www.microsoft.com/technet/community/columns/cableguy/cg1004.mspx

For L2TP using Microsoft start here (and believe me this is one thing
where you end up having to read the documents):

http://www.microsoft.com/windowsserver2003/techinfo/overview/vpnfaq.mspx

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPNtopnode.asp

http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp

Have fun :-)
-Stuart Fuller


-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 22, 2004 3:50 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] RRAS win2k

Hi. I'm trying to set up RRAS as an ipsec/l2tp vpn server.
I have a couple of questions. You can either point my sorry butt to a
good doc if i seem too lazy or answer them for me. I've been using Mark
Minasi's book on win2k server as a guide but he doesn't really go into
depth about RRAS and vpn.
So here goes-
1. Do i need 2 nics on my RRAS server or can i just have one public or
NAT'ed nic and have my router route the vpn tunnels?

2. Do i need to install a certificate for ipsec vpn's or can i use the
windows logon as a pre-shared key?

I have remote clients and i can't access them physically so I chose RRAS
as a solution so i wouldn't have to push out vpn clients since they are
all running XP. But if I need to push out a certificate, i think i'm
screwed.

The Minasi book doesn't mention anything about certificates for ipsec.
In fact I don't see anything in the RRAS manager for certificates.
Unless this is a gpo setting.

Thanks and I apologize if this seems basic but I can't find good RRAS
info.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Slightly OT: AD Scripting question - ADO query and description field

2004-11-22 Thread Fuller, Stuart



To the scripting gurus:

This one is kind of driving me nuts so any clarification on why this happens
would be greatly appreciated.

I recently created a script for one of our agency OU admins that queried the
AD for their workstations and returned name, distinguished name, description,
and some operating system details. The guts of the script are shown below.
What I found is that "description" is what I think is a multi-variate field
and the line "strDescrip = objRecordSet.Fields("description").Value" barks at
me. WSH returns a "Type mismatch code 800A000D" error.

I got around this by shimming in a call back to the original object and
adding in a return of ADSpath to the ADO query. I set the description string
via a GetObject call and I don't get any errors - "strDescrip =
GetObject(strADSPath).description".

My questions to the scripting gurus in the group are:

1. When doing an ADO query, how do you handle things that return arrays or
multi-variate attributes?
2. Is there something within the "objRecordSet.Fields..." bit that you can
turn on to force a single value or pick a value from a returned multi-variate
or array??
3. Why would a return from an ADO query be any different than a "GetObject"
return? Or in other words, why should description bark in an ADO query but be
fine in a normal GetObject?

Thanks,
Stuart Fuller
Sometimes cheesy scripting person
State of Montana


===ADO query script ==
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name, distinguishedName, description, operatingSystem, " & _
    "operatingSystemServicePack, operatingSystemVersion from " & _
    "'LDAP://ou=SomeOU,dc=ChildDomain,dc=RootDomain,dc=Root' " & _
    "where objectClass='computer'"
objCommand.Properties("Page Size") = 2000
objCommand.Properties("Timeout") = 60
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
'Output file (opened elsewhere in the full script; shown here so the fragment runs on its own)
Set fileTxt = CreateObject("Scripting.FileSystemObject").OpenTextFile("QueryOutput.csv", 2, True)
Do Until objRecordSet.EOF
    strName = objRecordSet.Fields("Name").Value
    'This is the line the post reports failing with "Type mismatch" (800A000D)
    'when description comes back multi-valued
    strDescrip = objRecordSet.Fields("description").Value
    strOS = objRecordSet.Fields("operatingSystem").Value
    strOSV = objRecordSet.Fields("operatingSystemVersion").Value
    strOSSP = objRecordSet.Fields("operatingSystemServicePack").Value
    strLocation = objRecordSet.Fields("distinguishedName").Value
    fileTxt.WriteLine(strName & "," & strDescrip & "," & strOS & "," & strOSV & "," & strOSSP & "," & strLocation)
    objRecordSet.MoveNext
Loop
wscript.echo "DONE"


==Bad fix to make it work=

'Requires ADsPath to be added to the Select list of the query above
Do Until objRecordSet.EOF
    strName = objRecordSet.Fields("Name").Value
    '== added: pull the ADsPath so the object itself can be bound ==
    strADSPath = objRecordSet.Fields("ADsPath").Value
    '== Go get multi-valued description attribute from object using ADsPath ==
    strDescrip = GetObject(strADSPath).description
    strOS = objRecordSet.Fields("operatingSystem").Value
    strOSV = objRecordSet.Fields("operatingSystemVersion").Value
    strOSSP = objRecordSet.Fields("operatingSystemServicePack").Value
    strLocation = objRecordSet.Fields("distinguishedName").Value
    fileTxt.WriteLine(strName & "," & strDescrip & "," & strOS & "," & strOSV & "," & strOSSP & "," & strLocation)
    objRecordSet.MoveNext
Loop



RE: [ActiveDir] Slightly OT: AD Scripting question - ADO query an d description field

2004-11-22 Thread Fuller, Stuart

wend

on error goto 0

 

 

Perl

use Win32::OLE;
use Win32::OLE::Enum;
use Win32::OLE 'in';

my $strBase   = "dc=joe,dc=com";
my $strFilter = "(&(objectcategory=person)(objectclass=user))";
my $strAttrs  = "distinguishedName,displayName,memberOf";
my $strScope  = "subtree";

my $objConn = Win32::OLE->CreateObject("ADODB.Connection");
$objConn->{Provider} = "ADsDSOObject";
$objConn->Open("Active Directory Provider");
my $objComm = Win32::OLE->CreateObject("ADODB.Command");
$objComm->{ActiveConnection} = $objConn;
$objComm->{Properties}{"Page Size"} = 1000;
# LDAP dialect: <base>;filter;attributes;scope
$objComm->{CommandText} = "<LDAP://$strBase>;$strFilter;$strAttrs;$strScope";

my $objRS = $objComm->Execute();
$objRS->MoveFirst;
while (!$objRS->EOF())
 {
  print "DN: ".$objRS->Fields(0)->Value."\n";
  print "Display Name: ".$objRS->Fields(1)->Value."\n";
  # memberOf is multi-valued, so Value is an array; walk it with 'in'
  foreach my $group (in $objRS->Fields(2)->Value)
   {
    print "$group\n";
   }
  print "\n";
  $objRS->MoveNext();
 }
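The question in the original post (how to deal with multi-valued attributes coming out of an ADO query, and why GetObject behaves differently) and the Perl reply's 'in' loop over memberOf come down to the same fact: the ADSI OLE DB provider hands a multi-valued attribute back as an array however many values it holds, while the ADSI object's property (what GetObject gives you) returns a plain scalar when exactly one value is present. There is no recordset switch that collapses the array; the script has to test for one and join it. The following is an added example, not code from this thread, written in Python so it runs offline against a constructed result set: the entries, attribute values and column list are all made up. It also quotes fields that contain commas, which the posted WriteLine concatenation does not, so a description such as "Finance desktop, room 12" no longer shifts the remaining columns.

```python
import csv
import io

# Constructed sample of what a directory search returns for three computer
# objects. Every attribute value arrives as a list, because AD defines
# attributes such as description as multi-valued even when ADUC shows one
# value. Attributes the object lacks are simply absent from the dict.
SAMPLE_ENTRIES = [
    {"name": ["WS01"],
     "distinguishedName": ["CN=WS01,OU=SomeOU,DC=example,DC=test"],
     "description": ["Finance desktop, room 12"],
     "operatingSystem": ["Windows XP Professional"],
     "operatingSystemVersion": ["5.1 (2600)"],
     "operatingSystemServicePack": ["Service Pack 2"]},
    {"name": ["WS02"],
     "distinguishedName": ["CN=WS02,OU=SomeOU,DC=example,DC=test"],
     "description": ["Loaner laptop", "Asset tag 4471"],   # two values
     "operatingSystem": ["Windows 2000 Professional"],
     "operatingSystemVersion": ["5.0 (2195)"],
     "operatingSystemServicePack": ["Service Pack 4"]},
    {"name": ["WS03"],                                      # no description, no SP
     "distinguishedName": ["CN=WS03,OU=SomeOU,DC=example,DC=test"],
     "operatingSystem": ["Windows XP Professional"],
     "operatingSystemVersion": ["5.1 (2600)"]},
]

COLUMNS = ["name", "description", "operatingSystem", "operatingSystemVersion",
           "operatingSystemServicePack", "distinguishedName"]


def flatten(value, sep="; "):
    """Collapse one attribute value to a string: missing -> "", a list
    (single- or multi-valued) -> its elements joined, anything else -> str()."""
    if value is None:
        return ""
    if isinstance(value, (list, tuple)):
        return sep.join(str(v) for v in value)
    return str(value)


def entries_to_csv(entries, columns=COLUMNS):
    """Render search results as CSV text. The csv module quotes any field
    that contains the delimiter, so commas inside a description survive."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(columns)
    for entry in entries:
        writer.writerow([flatten(entry.get(col)) for col in columns])
    return buf.getvalue()


def parse_csv(text):
    """Read the CSV back as a list of dicts (used to check the round trip)."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    print(entries_to_csv(SAMPLE_ENTRIES))
```

The VBScript equivalent of flatten() is an IsArray test followed by Join on the value from objRecordSet.Fields("description").Value; binding each object again with GetObject, as the "bad fix" does, costs one extra LDAP round trip per row and only works while the attribute happens to hold a single value.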

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, November 22, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Slightly OT: AD Scripting question - ADO query and
description field


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] virus/worm

2004-11-22 Thread Fuller, Stuart
Talk to the Cisco people about Cisco ACS, dynamic VLANs, and some of
their access control stuff in their switches.  In one of our sites, if
your MAC address isn't in the special list on the switch you get booted
to a VLAN that only has Internet access.  Network quarantine is a
relatively new concept but more products are coming out to handle just
the situation that you are experiencing.  

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 22, 2004 2:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] virus/worm

I suggested the vlan solution, but these guys move around a lot and the
sales managers sometimes want a meeting in their office, sometimes in
another office, etc. Since the sales guys generate all the profit, everyone
kinda kowtows to them.
No one wants to inconvenience them. so i'm looking for a solution that goes
around the roaming virii users without making them change.

sigh...

thanks

-Original Message-
From: Paul van Geldrop [mailto:[EMAIL PROTECTED]
Sent: Monday, November 22, 2004 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] virus/worm


Even though that first line might sound rather amusing, it might just be
the trick to get things done.. it's amazing how management can decide to
.. bend the rules, let us say, when it concerns their own daily
routines.

Consider placing the laptops in a restricted VLAN. This might require
that you get some procedures OKed regarding access and availability, but
it'll be worth it. If you're going to invite a load of foodhungry virii
into your network, at least make sure they only get to feed on
themselves.

Regards,

Paul.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Monday, November 22, 2004 9:34 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] virus/worm

Wait until your bosses machine gets infected.  Maybe that's what it will
take to get the policy changed.

And you should try using another AV product if the current one is not
keeping your systems cleaned from known viruses.

How are you cleaning them when you find them?   (read: are you sure
you're actually cleaning them?)

-ASB


On Mon, 22 Nov 2004 15:27:58 -0500, Kern, Tom [EMAIL PROTECTED] wrote:
 Hi all. I am having a serious issue with bot type worms that keep
infecting my machines over and over. It doesn't matter that I'm fully
patched and my virus defs are up to date.
 I use Symantec Corporate Edition 9.0 in a win2k mixed mode AD
environment. My machines all have the most up to date patches and hot
fixes.
 I have seen machines that are up to date in everything get reinfected
time and time again. The worm is a variant of what Symantec calls
Spybot.worm32. It usually creates an exe in system32 called Explorer.exe
or 386.exe or svchosting.exe and no matter the defs it slips by
Symantec.
 
 This is a posting perhaps better sent to a virus or Symantec list, but
you guys seem really knowledgeable and I'd like to pick your collective
brains about how to deal with this issue.
 I assume it's getting in via laptop users who take their pc's home at
nite or some of our traveling sales guys, but if my desktops are up to
date and patched, they shouldn't get infected.
 No?
 Am I being naive?
 
 Finally, we are a liquor distributor and a lot of times we have
suppliers from other companies come in with laptops that give powerpoint
presentations and access our internet connection. These guys are from
elsewhere so they don't have accounts in our domain and thus log in
locally.
 How can i protect myself against these guys? Management insists they be
allowed to do their thing with their laptops on our network when they
come in and since they don't log into our domain, I can't even push out a
GPO and I'm at the mercy of these guys and what their IT dept did or did
not do.
 Help!
 
 Thanks a lot. If I can get a solution to just one of these 2
questions, I'll be a happy man.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Modifying Terminal Services Settings En Masse

2004-10-27 Thread Fuller, Stuart



Here is a script that I have used many times. It uses the new scripting
objects for TS profiles that are available in Windows 2003.

-Stuart Fuller


'Set Terminal Server Profile paths
'Uses W2K3 api - runs only from a Windows 2003 server
'by Stuart Fuller 10/1/03

Option Explicit

'Dimension variables
DIM strTSprof, strTShomepath, strTShomedrive, strOU
DIM objUser, adoConnection, ADsPath, adoRecordset
DIM userADsPath
DIM strTEST

'Set Constants
Const adStateOpen = 1

'==Modify this part to what you want for TS profile, home, and home drive==
'Set TS path strings that you want
strTShomepath = "\\someserver\home\"
strTShomedrive = "Z:"
strTSprof = "\\someserver\profile\"

'==Modify this part to the target user OU===
'Set OU to modify
'example: "user,ou=finance,ou=corporate"
strOU = "users,ou=OU1"

'Establish adoConnection object
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADSDSOObject"
adoConnection.Open "", "", ""

'get users
'Modify this bit to connect with your Active Directory
'Example - dc=joewaredomain,dc=joeware,dc=net
'LDAP dialect query: <base>;filter;attributes;scope
Set adoRecordset = adoConnection.Execute _
    ("<LDAP://ou=" & strOU & ",dc=childdomain,dc=parentdomain,dc=com>;(&(objectClass=User)(objectCategory=Person));" & _
    "Name,ADsPath,samAccountname;subtree")

'start loop and loop through users
While Not adoRecordset.EOF
    userADsPath = adoRecordset.Fields.Item("ADsPath").Value
    Set objUser = GetObject(userADsPath)
    'IADsTSUserEx properties: only available when run from a Windows 2003 server
    objUser.TerminalServicesHomeDirectory = strTShomepath & objUser.samAccountname
    objUser.TerminalServicesHomeDrive = strTShomedrive
    objUser.TerminalServicesProfilePath = strTSprof & objUser.samAccountname
    objUser.SetInfo
    adoRecordset.MoveNext
Wend
'end loop

'Clear vars and write finish message
adoConnection.Close
Set adoRecordset = Nothing
wscript.echo "Script Finish"



From: Jordan, Jason [EPM/AUS] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 27, 2004 1:46 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Modifying Terminal Services Settings En Masse

Well, I have a few questions that I think this group should be able to answer
without breaking a sweat.

I need to write a script that can modify 2 particular settings for all users
in a particular OU. The settings I need to modify are the Terminal Services
User Profile and Terminal Services Home Folder. I am planning on using LDIFDE
or CSVDE to make the modification. I would like to set both of these settings
for all users to \\SERVER\SHARE\DIRECTORY\%USERNAME%. Once these are set by
the script, I will have to open each user and close them so that the Terminal
Services Home Folder gets created on the share with the right permissions.

So here are my questions:
1. What is the AD/LDAP name for the Terminal Services User Profile and
Terminal Services Home Folder setting?
2. Is there a better way than LDIFDE or CSVDE to make the modification?
3. Is there a better way than opening and closing each user to get the home
folder created and permissions updated?

Thanks in advance for all of your help.
jason jordan MCSE, MCP+I, MCP
Sr. SQL DBA/Windows Network Administrator
Emerson Process Management, LLLP, Austin Data Center
(512) 832-3191




RE: [ActiveDir] Backup Strategy

2004-10-25 Thread Fuller, Stuart



Personally I think USB drives are a bad idea. Not so much from the reliability
standpoint as from the index and catalog standpoint. USB drives will probably
have to be labeled individually and you end up having some admin/operator
manually keeping track of where all the drives are located (e.g. vault or
on-site).

Most, if not all, tape system / backup software do indexing and cataloging as
part of their software and will read bar-coded tapes. They will tell you what
tapes to pull and what to bring back from the vault. And if you have an ATL or
tape loader, the software will do the ejecting / requesting automagically. Our
ATL system does this and it makes what we call the "vault run" a snap.

I agree with the other posts... for the money you will spend on USB drives and
the possible potential tracking problems, go with the standard SAN and tape
loader solution.

-Stuart Fuller

P.S. The other part of this question you should be asking is what is my
recovery plan? If the USB drives are the way to go, then how does that plan
work when I need to recover something? Also if you are using a DR vendor like
Sungard or Iron Mountain, how will USB drives and your plan work with their
systems??




From: Dan DeStefano [mailto:[EMAIL PROTECTED]
Sent: Monday, October 25, 2004 9:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Backup Strategy


I am sorry if this is off-topic, but I greatly respect the
opinions/suggestions that come from this list.
I am working on a backup strategy for my company. We have just over 300GB of
data to back up. I have been asked to estimate storage capacity/cost required
to keep data for 1 month and 3 months, so this means that we will need
between 1 and 3 TB of storage. The current backups are stored on a SCSI array
and the plan is to use USB drives for offsiting our data. This means that we
will need 4-12 300GB USB drives to store our offsite data.

I personally do not like this solution and am in favor of a disk/tape
solution; using a disk array for onsite backups and using tape for offsite
backups. The company prefers disk-based backup because of its speed. However,
I think that disks are less reliable than tape and that using USB drives is
not an enterprise-class solution (I have also heard that those 300GB USB
drives are not too reliable). Not to mention the fact that these drives are
bulky and our server room is already pretty cramped.

Does anyone have any suggestions? Are my concerns valid? Is my suggestion of
disk/tape the best solution?
_

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, 
may be privileged and is intended for the exclusive use of the above named 
addressee(s). If you are not the intended recipient(s), you are expressly 
prohibited from copying, distributing, disseminating, or in any other way using 
any of the information contained within this communication. If you have received 
this communication in error, please contact the sender by telephone 212.871.5262 
or by response via e-mail.



RE: [ActiveDir] OT: Server backup

2004-08-31 Thread Fuller, Stuart
Yep,

This is what we do for multiple servers including our DC's.  We use Ntbackup
to send backups to a file server with a big honking disk and then use our
Mainframe tape system to scrape the .bkf's to tape.  Works like a charm... 

Problems you will run into is how you configure the scheduled jobs and
whether you overwrite the .bkf or append to it.  To emulate the tape
rotation schemes in something like Backup Exec, you will end up with
multiple jobs.  

We do this since both of our Mainframe backup products don't really
understand how to restore a DC.  I have had much better luck restoring a DC
via a Ntbackup .bkf file than anything else. 

Yes, I know I said Mainframe... I work for a State government and they do
still exist.  Linux on ZOS-OS/390... It Rocks!!  ;-)

-Stuart Fuller 

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 31, 2004 8:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Server backup

Is it acceptable to backup to local disk (using NTbackup) and then copy that
file to a machine with a tape drive, and back that backup file up to tape? 

Example:1. Backup an Exchange Server locally
2. Copy that backup file to a machine with a tape drive
3. Backup that file to tape

I would be doing this for both an Exchange Server, and my DCs. This is my
only option to get this stuff onto tape, so I hope it is acceptable.
What problems my I run into?

As always, THANKS
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Slightly OT: Cisco ACS and Active Directory

2004-08-31 Thread Fuller, Stuart



Has anyone gone down the path of using Cisco ACS for regular and wireless
network access control AND authenticating it with their Active Directory?

If so, can you share any of the good, the bad, or the indifferent information
on setup, use, etc...?? Specifically I am looking for information on use of AD
groups, AD authentication method & setup, use of a MS certificate authority,
and distribution of certs.

Thanks,

Stuart Fuller
State of Montana



RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Fuller, Stuart
Umm...

In the default install NTFS permissions are set up via GROUP ACE's instead
of the individual ACE for the local administrator account.  If you look at
the NTFS permissions on %systemroot%\system32 you will see permissions only
for GROUPS not individual accounts (e.g. Administrators, Creator Owner,
Power Users, System, Users).  

Also remember that the ACE is actually a stamp with the SID of the group or
user.  The GUI and OS actually do the translation of the SID to the friendly
display name. For example the well known SID of the local administrator
account is S-1-5-domain/workstation SID-500. (See
http://support.microsoft.com/?kbid=243330)  The actual display name of the
account is irrelevant except for us humans, the OS will translate that
display name or login name to the SID when checking permissions.  

When you rename the local administrator account nothing happens except for
changing the effective display name and the name that us humans use to log
in with.  The SID still stays the same and all of the permissions are the
same. 

So for your questions...

1. IF you have ACL'd things with the actual Admin account instead of groups,
what is displayed to the user in the GUI is the display name of the Admin
account.  If you have renamed the Admin account then the renamed display
name is what is shown (e.g. Administrator = Admin).

2. What are you asking here?? If as an admin you want to permission the
local Admin account to the folder then this is a bad idea.  Use groups
instead of individual accounts.  If you actually need to do this then what
you will pick in the GUI is the renamed admin account (e.g. Admin).

-Stuart Fuller
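The point made above, that an ACE carries the SID and the built-in Administrator is always S-1-5-<domain>-500 whatever it is currently called, as an added example that is not code from this thread: Python, chosen so it runs offline, decoding a binary objectSid the way AD stores it and then locating the RID-500 account by SID rather than by display name, which is how an audit or inventory script should do it. The domain SID, the account names and the RID table entries other than 500 are constructed or standard values, not taken from the page.

```python
import struct

# Well-known relative identifiers. 500 is the one the post cites; the rest
# are standard Windows RIDs included for illustration.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins",
    513: "Domain Users",
}


def sid_to_string(sid_bytes):
    """Convert a binary SID (objectSid as stored in AD) to S-R-I-S... text.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes big-endian), then count x 4-byte little-endian
    sub-authorities."""
    if len(sid_bytes) < 8:
        raise ValueError("SID too short")
    revision, count = sid_bytes[0], sid_bytes[1]
    if len(sid_bytes) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid_bytes[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid_bytes, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_sid(sid_text):
    """Split 'S-1-5-21-a-b-c-500' into (domain part, RID)."""
    parts = sid_text.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid_text)
    return "-".join(parts[:-1]), int(parts[-1])


def is_domain_account_sid(sid_text):
    # Accounts created in a domain or on a workstation live under S-1-5-21-...
    return sid_text.startswith("S-1-5-21-")


def well_known_name(sid_text):
    """Name of the principal if its RID is well known, else None. The display
    name is never consulted, which is the point: renaming does not change it."""
    if not is_domain_account_sid(sid_text):
        return None
    _, rid = split_sid(sid_text)
    return WELL_KNOWN_RIDS.get(rid)


def find_real_administrator(accounts):
    """accounts: {sAMAccountName: objectSid bytes}. Returns the account whose
    RID is 500 regardless of what it has been renamed to, or None."""
    for name, sid_bytes in accounts.items():
        text = sid_to_string(sid_bytes)
        if is_domain_account_sid(text) and split_sid(text)[1] == 500:
            return name
    return None


def _make_sid(*subauthorities):
    # Constructed helper: build a binary SID under identifier authority 5 (NT).
    return (bytes([1, len(subauthorities)]) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauthorities), *subauthorities))


# Constructed sample directory: the built-in account has been renamed to
# "Admin" (the post's own example), and an ordinary user (RID 1105) happens
# to carry the name "Administrator". Neither fact changes who holds RID 500.
DOMAIN = (21, 1004336348, 1177238915, 682003330)
SAMPLE_ACCOUNTS = {
    "Admin": _make_sid(*DOMAIN, 500),
    "Administrator": _make_sid(*DOMAIN, 1105),
    "jdoe": _make_sid(*DOMAIN, 1106),
}

if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS.items():
        print(name, sid_to_string(sid), well_known_name(sid_to_string(sid)))
    print("RID 500 is:", find_real_administrator(SAMPLE_ACCOUNTS))
```

Inventory and monitoring tools should key on the SID the same way; ACL entries, audit events and the objectSid attribute all carry it, so a rename changes nothing they see.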


-Original Message-
From: Rocky Habeeb [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 22, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming The Admin Account

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell
me the answer to these questions please.  Let's say you run NTFS permissions
on your local PCs.  Let's say your standards are (for EVERY FILE/FOLDER
OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).
[1]  What is displayed locally to the User (for Admin accounts) when they
look at NTFS permissions on their file/folder objects?
[2]  What do you as the Admin select in the ACL, when you set new
permissions for file/folder objects?

Thanks

RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

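Stuart's point above, that a rename changes the account's display name but not its SID or the ACL entries that reference it, can be checked directly on a workstation. The script below is an added example, not code from the thread or from any of its posters. It assumes a Windows 10 / Server 2016 or later machine with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser) and a sample folder path that you supply; `C:\Example` is a placeholder.

```powershell
# Added example (not from the thread): show that renaming the built-in
# Administrator changes only its name, not its SID or the ACEs pointing at it.
# Assumes Windows 10 / Server 2016+ (Get-LocalUser). $Path is a placeholder.
param(
    [string]$Path = 'C:\Example'
)

# The built-in Administrator always carries relative identifier (RID) 500 in the
# machine SID, whatever display name it has been given (e.g. "Admin").
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) { throw 'Built-in Administrator (RID 500) not found' }

"Built-in Administrator is currently named '{0}' with SID {1}" -f $builtinAdmin.Name, $builtinAdmin.SID.Value

# All local user SIDs, so ACEs granted to individual accounts (rather than groups,
# which the reply above recommends) can be flagged.
$localUserSids = @(Get-LocalUser | ForEach-Object { $_.SID.Value })

# ACEs are stored by SID; Explorer resolves the name when it draws the dialog, so a
# renamed account shows up under its new name without the ACL having changed.
$acl = Get-Acl -Path $Path
foreach ($ace in $acl.Access) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    $note = ''
    if ($sid -eq $builtinAdmin.SID) {
        $note = '<- built-in Administrator (RID 500), shown under its current name'
    } elseif ($localUserSids -contains $sid.Value) {
        $note = '<- individual local account; prefer a group here'
    }
    "{0,-28} {1,-6} {2,-32} {3}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights, $note
}
```

Run it before and after a rename: the SID printed for the RID-500 account and the ACEs tagged for it stay identical, only the name column changes. The second tag answers question 2 from a different angle, by listing every ACE that was granted to a person rather than a group.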

RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

2004-07-15 Thread Fuller, Stuart

We are fairly happy with the Espion Interceptor anti-spam
appliance and have discussed it previously on the list. See
http://www.securitypipeline.com/showArticle.jhtml?articleId=20300229&pgno=9
for a review and http://www.espionintl.com/ for the company home page.

I think a defense in depth strategy is the best path to
take. I would recommend not relying on just one solution but pick an
Exchange anti-virus solution that fits your reporting needs and then pick a
separate anti-spam solution. The all-in-one products seem to shine in one
area while falling down in the other. Also one of the key things you
can do is to institute content filters where people can't email .exe, .chm,
.vbs, etc. to each other. That has saved our butt more times than
the anti-virus or spam filtering.

-Stuart Fuller



From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 7:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

We are very happy with ModusGate by Vircom 
(www.vircom.com).


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]
Sent: Thursday, July 15, 2004 8:50 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2000 SPAM Filtering

Our organization is running Exchange 2000. We 
recently put up an SMTP Gateway between our firewall and Exchange 2000 Email 
Gateway to fend off SPAM and viruses giving us a good choke point for 
both. We are using Symantec Mail Security for SMTP which does not require 
Exchange 2000 to run on. It is a very good product by Symantec but we 
remain unimpressed as it gives no automated reporting or performance 
monitoring. Does anyone have a product that combats viruses and SPAM while 
providing automated reporting and performance monitoring, preferably one that 
does not require Exchange 2000 to run? We want to stay away from having to 
maintain another Exchange server if we can help it as we would not put any user 
mailboxes on it. Thanks in advance and sorry for the OT discussion if it 
offends anyone.
Jeremy 
-
Jeremy Burkes
SSP MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


RE: [ActiveDir] OT: Active Directory Browser History Files

2004-07-15 Thread Fuller, Stuart



You can look at the users "Local Settings\History" or 
"Local Settings\Temporary Internet Files". However these two folders may 
not be replicating with your roaming profiles from the local workstations. 
That depends on how you have the roaming profile settings 
configured.

Have you thought about something like SurfControl
(http://www.surfcontrol.com/)? This may be a better/easier/more flexible
solution than parsing through everyone's roaming or local profiles. It will
also catch those users that are smart enough to delete both the IE history
and the temp files.


-Stuart Fuller


From: Edwin [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 8:44 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Active Directory Browser History Files


In our domain we use roaming 
profiles. What I would like to know is if there is an easy way to monitor 
the web sites that end users are looking at while at their workstations. 
We have users that are going to site that may offend others and this needs to be 
addressed.

I am aware of reviewing the Firewall 
logs but I was hoping that there would be an easier way since all the machines 
are connected to the domain.

Thank you all for your 
replies.

Edwin 



RE: [ActiveDir] Slightly OT: Enterprise IP address management?

2004-07-07 Thread Fuller, Stuart
We used to use both MetaIP DNS and DHCP along with a plethora of Netware
servers.  When we migrated to Active Directory we dropped MetaIP DNS and
Netware DNS and went to Microsoft AD-integrated DNS exclusively.  We did
keep MetaIP DHCP because of the nice-to-have features such as automatic
failover to a backup DHCP server and IP address searches that Microsoft DHCP
lacks.  

We centralize our DNS and DHCP management to our network group who also
handles all of the routers and switches for the State network.  We might not
compare well for your global environment since we are limited to a single
state, however, our network is around 12,000 users and about 400 sites.  The
majority of sites are grabbing DNS and DHCP across the WAN.  A few sites are
getting DHCP from the local (shudder) old Netware server and a very few are
getting it from a local Windows file server.  As far as IP address
management goes, the network group also has sole responsibility for this
including assigning address ranges & subnets.

I would look at using MS for DNS since it is free and if you AD-integrate
your zones it is very easy to manage.  Reporting is a little harder but with
the dnscmd tool and some batch files with FOR statements in them, we
were able to get what we need out of the DNS.

I would look at MetaIP for the DHCP since the automagic failover feature is
the biggest gaping hole in MS's DHCP. Our network people also can't search,
report, or add MACs to Microsoft's DHCP like they can with MetaIP's.

HTH,
Stuart Fuller


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 07, 2004 12:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Slightly OT: Enterprise IP address management?

We currently have a mish-mash of Microsoft DNS and DHCP in use as well as
QIP (outdated and not supported) for these services.  Our network group is
strongly in favor of an overall IP address management tool such as QIP or
MetaIP for DNS and DHCP as these are just part of the capability of the
tools.  The real value to those tools lies outside of merely DHCP and DNS.
They need to know what device is on what address and/or whether the address is
available, regardless of whether it's part of a DHCP scope or not.  We also
have ping blocked throughout most of the environment in response to the
viruses/worms that came out some time ago.

We're 65,000 users across 600 offices across 6 countries.  We're currently
some Active Directory and some NT4.0.  We have a project to migrate to a
global AD design.  This effort is part of the project.

What I'm hoping for is that some of you, in large environments like ours,
would be kind enough to share how you're handling DNS/DHCP and IP address
management so we can get some perspective.  Or if you have a recommendation
for a methodology or a product, please share.  

Our network group's biggest gripe about Microsoft DNS and DHCP is no
centralized reporting or management as well as lack of support for IP
addresses that lie outside of the DHCP scopes.

Thanks,
Mike
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] SRV Record registration by Non-DC's

2004-06-03 Thread Fuller, Stuart



Yes... very occasionally... in the _msdcs\dc\_tcp 
zone.

Have not been able to trace them down to a common 
issue/application/problem. One possible culprit was the Citrix Management 
Console on a couple of Citrix admin workstations. We end up looking at the 
DNS records every week and deleting the ones that shouldn't be 
there.

We have even thought 
about scripting something to check for appropriate records. The idea of 
scripting some type of autocheck for proper SRV records was kicked around on the 
list recently.

-Stuart



From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SRV Record registration by Non-DC's


We have seen a number 
of SRV record registrations for hosts for LDAP that aren't DC's. Has 
anyone experienced this before?

Thanks,

Todd
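
The weekly manual check Stuart describes, looking through the _msdcs SRV records for targets that are not domain controllers, is the kind of thing the thread says was "kicked around" as a script. The following PowerShell is an added example written for this page, not a script from the list or from either poster. It assumes a domain-joined host with the RSAT ActiveDirectory module and the DnsClient module (Windows 8 / Server 2012 or later), so that Get-ADDomainController, Get-ADReplicationSite and Resolve-DnsName are available; it only reports, it never deletes.

```powershell
# Added example (not from the thread): report _msdcs SRV records whose target
# is not a known DC. Assumes RSAT ActiveDirectory + DnsClient modules.
param(
    [string]$Domain    = (Get-ADDomain).DNSRoot,
    [string]$DnsServer = ''          # optional: query a specific DNS server
)

# Authoritative list of DC FQDNs straight from AD, lower-cased for comparison.
$knownDcs = Get-ADDomainController -Filter * |
    ForEach-Object { $_.HostName.ToLowerInvariant() }

# Site-independent names under _msdcs (the zone the thread mentions is
# _msdcs\dc\_tcp), plus the per-site _ldap names for every AD site.
$names = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain"
)
$names += Get-ADReplicationSite -Filter * |
    ForEach-Object { "_ldap._tcp.$($_.Name)._sites.dc._msdcs.$Domain" }

$resolveArgs = @{ Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
if ($DnsServer) { $resolveArgs['Server'] = $DnsServer }

$stray = foreach ($name in $names) {
    # Resolve-DnsName may return additional A records; keep only the SRV rows.
    $records = Resolve-DnsName -Name $name @resolveArgs | Where-Object { $_.Type -eq 'SRV' }
    foreach ($r in $records) {
        $target = $r.NameTarget.TrimEnd('.').ToLowerInvariant()
        if ($knownDcs -notcontains $target) {
            [pscustomobject]@{
                Record   = $name
                Target   = $target
                Port     = $r.Port
                Priority = $r.Priority
                Weight   = $r.Weight
            }
        }
    }
}

if ($stray) {
    $stray | Sort-Object Record, Target | Format-Table -AutoSize
} else {
    "No _msdcs SRV records pointing at non-DC hosts were found in $Domain."
}
```

Scheduling this weekly and diffing its output against the previous run gives the same review Stuart's team did by hand, with a list of the offending targets to trace back to the host or application (the Citrix consoles he suspected, for instance) before anything is removed from DNS.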


RE: [ActiveDir] lsass.exe process causing high CPU on DCs

2004-05-26 Thread Fuller, Stuart
There is a reason to attend TechEd... Win303 - AD performance
troubleshooting.

From that talk, the two typical causes are non-indexed searches against AD
or a rapid retry of authentication from an application that is using a bad
or expired account.  As Joe says all the time... crank up NetMon and PerfMon
and look for odd LDAP search calls to the DC (e.g. ...).  PerfMon will also tell
you if you are having performance issues due to hardware limitations... look
at Network utilization, Disk I/O, Disk Queue, and Memory.

Also did you add/change/delete anything recently?? and do you have any
baseline to compare the current behavior with what is expected??

-Stuart


-Original Message-
From: Mulnick, Al
To: [EMAIL PROTECTED]
Sent: 5/26/2004 9:38 AM
Subject: RE: [ActiveDir] lsass.exe process causing high CPU on DCs

Searches, logging on, etc could cause this.  Have you checked to see that
there aren't any other issues going on?  What about a network trace to see
what the heck is going on at the wire after checking the logs?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Airhart, Cliff
Sent: Wednesday, May 26, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] lsass.exe process causing high CPU on DCs

Hello Everyone,

We have 2 Domain controllers running Windows2000 server with Active
Directory that is running a high and low CPU pattern. The CPU flatlines at
100% for about 60 seconds then drops to 5% for about 30 seconds. This high
and low cycle continues to repeat. When the CPU is high the lsass.exe
process is the cause of the high CPU. From what I understand that is the
Active Directory process.

What Active Directory activity would cause this type of behavior? 

Thanks in advance for your help!

Cliff Airhart
Network Engineer
Spectrolab
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

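Stuart's reply names two usual suspects for lsass CPU on a DC, unindexed LDAP searches and an application retrying authentication with a bad account, and tells you to reach for PerfMon. The script below is an added example for this page, not something from the thread; it samples lsass CPU alongside the NTDS LDAP and authentication counters so that a regular high/low cycle like the one Cliff describes can be matched against search rate or authentication rate. It assumes a Windows Server DC that exposes the NTDS performance object and PowerShell 3 or later for Get-Counter; the 80% threshold and 120-second window are assumed defaults.

```powershell
# Added example (not from the thread): correlate lsass CPU with NTDS LDAP and
# authentication counters over a sampling window. Assumes a Windows Server DC
# with the NTDS perf object and PowerShell 3+. Threshold/window are assumed.
param(
    [int]$Seconds = 120,         # long enough to cover a few 60s-high / 30s-low cycles
    [double]$CpuThreshold = 80   # % of one core used by lsass that counts as "busy"
)

$paths = @(
    '\Process(lsass)\% Processor Time',   # can exceed 100 on multi-core hosts
    '\NTDS\LDAP Searches/sec',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\Kerberos Authentications',     # rate counters (per second)
    '\NTDS\NTLM Authentications'
)

# One sample set per second; each set carries all counters under one timestamp.
$samples = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $Seconds

$rows = foreach ($set in $samples) {
    $v = @{}
    foreach ($cs in $set.CounterSamples) {
        # Key by the last path element; Get-Counter returns lower-cased paths,
        # e.g. '\\dc01\ntds\ldap searches/sec' -> 'ldap searches/sec'
        $v[(($cs.Path -split '\\')[-1]).ToLowerInvariant()] = [math]::Round($cs.CookedValue, 1)
    }
    [pscustomobject]@{
        Time     = $set.Timestamp.ToString('HH:mm:ss')
        LsassCpu = $v['% processor time']
        LdapPerS = $v['ldap searches/sec']
        Sessions = $v['ldap client sessions']
        KerbPerS = $v['kerberos authentications']
        NtlmPerS = $v['ntlm authentications']
    }
}

function Get-Avg([object[]]$Rows, [string]$Name) {
    if (-not $Rows) { return 0 }
    return ($Rows | Measure-Object -Property $Name -Average).Average
}

$busy = @($rows | Where-Object { $_.LsassCpu -ge $CpuThreshold })
$idle = @($rows | Where-Object { $_.LsassCpu -lt $CpuThreshold })

"{0} busy samples, {1} idle samples (threshold {2}% lsass CPU)" -f $busy.Count, $idle.Count, $CpuThreshold
foreach ($m in 'LdapPerS', 'KerbPerS', 'NtlmPerS', 'Sessions') {
    # Whichever metric jumps in the busy windows points at the load source:
    # LDAP searches -> hunt for unindexed queries; Kerberos/NTLM -> a client
    # looping on a bad or expired account.
    "{0,-9} busy avg {1,9:N1}   idle avg {2,9:N1}" -f $m, (Get-Avg $busy $m), (Get-Avg $idle $m)
}

# Raw timeline, to eyeball the high/low pattern against the counters.
$rows | Format-Table -AutoSize
```

If the busy windows line up with LDAP Searches/sec, the next step is to identify the queries themselves: on Windows Server 2003 and later, raising the NTDS diagnostics "Field Engineering" level makes the DC log expensive and inefficient searches as Directory Service event 1644, including the client address and filter, which is the "odd LDAP search calls" Stuart suggests looking for in NetMon. If the authentication counters move instead, the Security log on the DC will show which account and client are retrying.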

RE: [ActiveDir] Anyone attending TechEd?

2004-05-23 Thread Fuller, Stuart
I'll be there... in fact I am already here with a group of four IT types from
the State of Montana (...it is really only a state of mind instead of an
actual state).

I am currently sitting at one of the 1000 CommNet PCs at TechEd.  San Diego
convention center is very nice and right by the harbor.  The Cabanas are in
the same room as the 1000 PCs under a huge fabric tent-like structure
(Sails Pavilion).  All that is missing is Jimmy Buffett, a parrot, and
three shots of your favorite beverage.

If you want to meet use the RIO or send me an email off list.

Cheers,
Stuart Fuller
State of Montana - IT type/AD dweeb
[EMAIL PROTECTED]


-Original Message-
From: Marco Bombardi
To: [EMAIL PROTECTED]
Sent: 5/22/2004 4:31 PM
Subject: [ActiveDir] Anyone attending TechEd?

Hello everyone,
 
I know this is not something new to you but this is indeed a really
awesome list! Thank you Tony for putting it together and thank you to
this great list of contributors that put so much time into writing
detailed answers, suggestions and explanations.
 
I was just wondering who from the list will be attending TechEd next
week and would be interested in getting together for some AD and
Exchange chat.
 
Feel free to email / IM me directly if you're interested. Depending on
the number of answers we can plan a group dinner or something...
 
Thank you and see some of you there.
 
Marco Bombardi
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] VPN users and their AD passwords

2004-05-19 Thread Fuller, Stuart
Three more references from our friends at Cisco...  Look at the Netlogon
part of the client ini file.  IIRC, this is the bit you may have to adjust.


Client ini file config:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfdc.html

Rebranding the client: (see the bit about Start before Logon as an option)
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a00800eca5d.html

Managing the VPN client: (See the bit about Managing Windows NT Logon
Properties)
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a00800ecb3e.html

-Stuart

-Original Message-
From: Jeff Salisbury [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 18, 2004 11:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords

Stuart - Thanks for the info! Do you know if using either or both methods
actually update the cached credentials on the user's notebooks? If not we
would still be stuck with locked user account problems after the change.

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager 

Belkin Corporation
Information Services
310 604-2061
310 604-2022 fax
www.belkin.com 

-Original Message-
From: Fuller, Stuart [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 18, 2004 9:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


Check out the Cisco documentation on configuring the concentrator to support
the NT/AD password expiration feature.  We are doing this and it works like
a charm and nobody has to hit cancel.  Clients with expired password get
warned at VPN login and given an opportunity to change the password.  

See:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946b9.shtml

or search cisco.com for VPN concentrator password expiration and take the
first result.

MS IAS config for Cisco VPN is documented here -
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

-Stuart

-Original Message-
From: Ayers, Diane
To: [EMAIL PROTECTED]
Sent: 5/18/2004 5:56 PM
Subject: RE: [ActiveDir] VPN users and their AD passwords

Gee... you give them remote access to the company via the internet from
anywhere and they're complaining about having to hit cancel?  I would
tell them to get over it... :-)
 
Actually with my client, I can just type in my password in the ctrl-alt-del
login box and just ignore the VPN client if I am on the
company network.   It will authenticate via normal channels.
Externally, I can choose to authenticate via the VPN client.
 
Only if you don't let the VPN client initialize fully do you get the big
cancel button when you hit ctrl-alt-del.  Either hit cancel or wait for the
VPN client to initialize before they hit the keyboard.
 
Diane


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 18, 2004 4:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


The complaint here from users is that if they ARE on the network, they have
to hit cancel on the Cisco VPN client login so they can get to the
CTRL-ALT-DEL screen.  Is there any workaround for this, or just tell the
users to get over it?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ayers, Diane
Sent: Tuesday, May 18, 2004 4:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VPN users and their AD passwords


I'm running v 4.0.3(D) of Cisco VPN client and it is configured as Jeff
describes below (logon to VPN before laptop logon).  I had my domain
password expire and IIRC, I was able to change my password at my usual
ctrl-alt-del logon after I had done my VPN login.
 
This was after a few adult beverages so I may have been confused... :-)
 
Diane 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Tuesday, May 18, 2004 1:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


Russ - With the newer versions of the Cisco VPN client you can configure the
client to allow logon to the network via VPN before you logon to the
notebook. When you first start up the system and hit Ctrl-Alt-Del to get the
regular logon box, a Cisco VPN connection dialog comes up instead.
You use this dialog to connect by VPN first so that you are actually
authenticating your account with a domain controller, then you get a logon
box again for logging on to the machine. This keeps the cached account
information and the domain account information in synch.
 
If users change their password while connected by VPN, the cached
credentials on the notebook are not updated. If they restart the notebook,
they have to logon using their old password. When they next connect by VPN
they will have to provide their new password. As soon as their machine tries

RE: [ActiveDir] Dial-In Property Sheet and Windows XP SP1

2004-05-14 Thread Fuller, Stuart



This is one of my pet peeves for the ADUC in XP.
See http://support.microsoft.com/?id=304718 and
then search for "dial-in".

Quote: 

The Dial-in tab that configures Routing and Remote Access 
dial-in or VPN access and callback settings is removed 
when the Administration Tools package is installed on Windows XP 
clients.
To remotely 
manage the RAS dial-in tab in Active Directory 
Users or Computers or Internet Authentication Server (IAS) from a Windows 
XP-based computer, use Terminal Services or Remote Desktop to access a Windows 
2000-based or Windows Server 2003-based computer. Alternatively, log on to the 
console of a Windows 2000-based or Windows Server 2003-based computer to 
configure these settings directly. 

-Stuart



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, May 14, 2004 1:38 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Dial-In Property Sheet and Windows XP SP1
Sensitivity: Private

Have any problem to view the Dial-In Property Sheet with Windows XP SP1?

Thks.



RE: [ActiveDir] A root dc question

2004-05-13 Thread Fuller, Stuart
Tom,

For more information about the issue of non-trusted Domain Admins in a
forest see the AD Design Considerations for Delegation of Administration in
Active Directory white paper -
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx.
That lists some of the risks that Joe and others have mentioned without
going into specific methods.  It also has a great non-technical explanation
of the risks that can be shown to the pointy haired boss types.  Another
good source of information is the AD security white paper -
http://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx

The most basic answer to your original DR question is, yes, you have to have
the root DC admins involved with any DR.  Since your background is in
Novell, I would compare just restoring a child domain to trying to restore
only a child partition/replica in the NDS without restoring the root
partition/replica.  

I also totally agree with Joe on the limited enterprise admins and domain
admins.  This is the model we are using and it has been very successful for
a three domain forest with 11,000 users.  In fact if I had to do it over
again I would go with a single domain. 

I doubt that you are going to be able to convince the Enterprise Admins to
give you the same rights just for DR.  A better scenario is to push the
concept of Forest Recovery instead of Domain Recovery for the type of DR
you are talking about.  Your management then may be able to involve the
other bits of the company instead of having just one entity trying to do DR.

HTH,
-Stuart

 

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Understood, but I think we're not seeing the trees for the forest here :)

As I said earlier, I don't want a how-to for AD hacking.
Actually, I only wanted to know how dependent a child domain was on the root
DC, which you've more than answered and I thank you all.
Now I guess what I'm asking is just a good reference, not so I can figure
out how to compromise a forest, but to understand how the AD internals work
on a non-hand-holding level so I can know, among many other things, how such
a thing could happen.
Not how to do it.
And, joe, if the 2 books you mentioned are the best start, then that's great
and thanks.
I know how tricky it is to answer some questions where the answer might
prove dangerous or annoying at best, so I'm not asking for it. And I
apologize for making you guys talk in circles.
I guess the real answer is, "If you gotta ask, you don't know."
My apologies to Louis Armstrong.

Thanks again.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


There are multiple vectors which one could utilize. Discussing any of them
probably isn't good because we don't have methods to protect against them
except to limit who gets access to what in the first place and even that is
not a guarantee, just puts that much more burden on the person trying to do
damage. Ditto for various simple (and complex) D.O.S. techniques. I know of
some real doozies but you won't catch me uttering them anywhere near a
public forum and usually not even in private except with a very small closed
set of people who I am positive have my back and would treat the info the
same. The info isn't NDA but it actually isn't something I want people
knowing about simply from the point of safety of me, myself, and my butt.
This is one of the few things I am not all about being upfront and talkative
about. If I saw an easy way for MS to correct the shortcomings I would
probably spout until they did, I unfortunately do not so will remain mum
except that it is possible and people should be careful on who they make
domain admins or give a local logon DC access rights to. Once more...
Domains are not security boundaries.

If your enterprise admins do not feel they could be compromised, not many
words you can use to convince them otherwise, they would have to see it or
finally see the light. I doubt proving the fact to them will get you
enterprise admin, most likely it would get domain admin as well as any local
logon rights to a DC removed from you. You could possibly, depending on your
org, talk them into letting you have your own forest. That may even be
tough.

You can't fully protect a DC or a domain. However you should handle the easy
ones like being very tight on who can log on or control services on a DC and
who the admins are. The goal is to make it as difficult as possible to
someone trying to do you harm while still maintaining needed functionality.
There are some things that you have to make a very hard call on, be insecure
or not allow someone functionality they think they need. I've had lots of
people tell me they needed to be admins on domains, my security 

RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Fuller, Stuart

My $0.02

1. Salary

2. Environment - I live in semi-rural Montana and that is a 
bonus. I drive 10 miles to work and it takes 13 minutes. Also in 15 
minutes I can be fishing in a blue ribbon trout stream or skiing at our local 
area.

3. Management - The pointy hair boss factor and politics is 
high around here but my immediate sups shield me fairly well and are good to 
work for.

4. "Cool Toys" - In my position I get to play with a lot of new technology that
actually solves problems. (e.g. ESX Server, AD, Windows 2003, MOM,
etc...)

5. Coworkers

-Stuart



From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 1:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Hmm 

Salary (being paid is a way of being told job well 
done)
Coworkers (getting paid a lot doesn't help much if you have 
sucky co-workers)
Management (Bad management can make no amount of money 
enough after a while)
Influence (hard to state this one, basically having input 
into what is being done and knowing it will be considered)

 joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question


Yes, but having live 
data from people I 'know' (so to speak) makes this a much more personal 
assignment, and one that I am more likely to get a good grade on since I have a 
kindred feeling for the research data.
I am using ALL the 
answers I get, as each one adds a little more to the over all picture. Plus, 
this isn't the only list this got posted on. ;)

Mitch
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol. 


Mitch, you 
probably want to insert favorite search engine for surveys. Places 
like Monster.com, Yahoo.com, Dice.com, etc all keep that kind of information as 
well for marketing purposes. They may share. I'm sure the bureau of labor 
and statistics would keep such information as well. Not to mention 
psychological websites, those related to workplace issues (OSHA?) and industry 
magazines that also conduct such salary and well-being 
surveys.

Happy 
hunting.

Al




From: Zach Huseby [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question
the 2nd 
and the 18th of each month.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question
Hello,
I am doing research for a college 
project, and I would appreciate any feedback I can get on the following 
question:
As an IT 
professional, what factors in your 
employment make a difference 
to you? Why?
I really appreciate the time you 
take to give me some insight into your world.
Thank 
you,
Mitch
Noob college 
student


RE: [ActiveDir] TCP Port Blocking

2004-05-13 Thread Fuller, Stuart



This is something that is probably better handled by an 
Intrusion Detection system that can detect Sasser traffic and take action 
against the remote computer if found. If you had your VPN or remote user 
access point(s) behind a firewall, you could use the firewall to block the 
ports. That way you are not relying on the computers to be members of your 
domain AND to be able to get/read the GP across what may be a slow 
link.

VPN in Windows 2003 has the "ability" to force VPN users to 
run a custom script against the remote workstation before it is allowed on the 
inside network. See "Network Access Quarantine Control in Windows Server 
2003" - http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx

My take is that you are trying to protect your network from 
Sasser or "worm 'd jour" and I don't think port blocking by GP is the 
appropriate hammer. Look to an IDS, firewall, or other solutions instead 
of port blocking by GP. What happens if next time you need to block port 
135-9, 389, or 80??

-Stuart


From: Lee, Wook [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 4:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] TCP Port Blocking


The problem with trying to 
patch remote systems via GP is that simple things like ICMP blocking can prevent 
GP from applying. And it only works for W2K and XP clients that are members of 
the forest. It's not uncommon for remote users to be on systems that are just 
workgroup members.

Wook


From: Roger Seielstad
Sent: Thu 5/13/2004 1:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] TCP Port Blocking

I've not done it directly, but its possible to use IPSec 
policies to block specific ports, which would do exactly what you're trying to 
do.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.



  
  
  From: Mike Hogenauer [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 13, 2004 4:14 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] TCP Port Blocking
  
  
  Sorry for 
  the newbie sounding question. 
  
  How can I use Group Policy to block certain ports in all workstations in a
  certain OU? Ex: for the SASSER virus it's recommended to block TCP 5554 &
  9996. I have remote users that I wanted to apply a GP to that will block
  these ports.
  
  
  Thanks 
  
  
  Mike
  
  Mike Hogenauer
  Rendition Networks, Inc.
  10735 Willows Rd NE, Suite 150
  Redmond, WA 98052
  425.636.2115 | Fax: 425.497.1149
  


RE: [ActiveDir] OT: ntbackup bks file issue

2004-04-07 Thread Fuller, Stuart



Try putting the exclude after the full drive 
spec:

C:\
C:\dir1\ /exclude

This is how ntbackup on my 2003 server shows the bks
file when doing a similar thing.

-Stuart Fuller



From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: ntbackup bks file issue


I'm 
trying to get a scheduled ntbackup that does the system state and a few other 
directories to recognize the line in my bks file which excludes some 
directories. 

The 
lines in my targets.bks file look something like this:

C:\Dir1\ /exclude
C:\
D:\
SystemState

I have 
saved the file as Unicode, per instructions in KB 237310. But ntbackup is still 
backing up everything, i.e. ignoring my exclude. 

Anyone 
seen this before?

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] Kerberos event ID's 677

2004-04-05 Thread Fuller, Stuart



Thanks Todd!! That whitepaper is great.

Eric... Thanks for the information. I thought
it may be one of those "check engine" light warnings with no real world
meaning. However, I am reluctant to apply the hotfix without more detailed
information on what the issue is and how the HF fixes it. It would be nice
to get a copy of whatever documentation that goes with the HF. Generally it
is okay to put black electrical tape over the check engine light so it goes
out... but sometimes not... ;-)

-Stuart Fuller


From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Monday, April 05, 2004 8:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos event ID's 677


http://www.microsoft.com/downloads/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1DisplayLang=en

Microsoft just published a Kerberos Troubleshooting White Paper... It is pretty good.

Todd


From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 03, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos event ID's 677


I just saw this post. Sorry, I would have replied sooner if I had noticed it.

The good is that this is typically benign. If anything, I'd say we over-report this error. Typically this error is thrown because the client asked the server to talk a language that it could not. The client then said "ok how about this" and life is fine, but in the meantime the server tossed an event and scared the administrator. It's unfortunate that the error text isn't better.

So, you can ignore the event.

There is a QFE that should help suppress them. If you call the 800 support # and ask them to send you Q824905 that should suppress some of them. But again, this is benign, so I wouldn't sweat it.

~Eric


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Thursday, April 01, 2004 10:12 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Kerberos event ID's 677



Has anyone else been seeing a plethora of "service ticket request failed" event ID 677 logs in their Security logs on their Windows 2000 SP4 DC's?? The failure code is "0xE" and the sources seem to be Windows 2003 member servers.

I have queried our MS support and they told me to try a hot fix from KB 824905. Unfortunately, even though the hotfix is from November 2003, the KB article is not available on TechNet or on MS premier support web site. So in keeping with today's theme of missing documentation from Microsoft... anybody have more information on this article, hotfix, or this issue in general?? I would like to know what this hotfix is actually supposed to do before actually applying on my test bench DC's.

Thanks,

Stuart Fuller










[ActiveDir] Kerberos event ID's 677

2004-04-01 Thread Fuller, Stuart



Has anyone else been seeing a plethora of "service ticket request failed" event ID 677 logs in their Security logs on their Windows 2000 SP4 DC's?? The failure code is "0xE" and the sources seem to be Windows 2003 member servers.

I have queried our MS support and they told me to try a hot fix from KB 824905. Unfortunately, even though the hotfix is from November 2003, the KB article is not available on TechNet or on MS premier support web site. So in keeping with today's theme of missing documentation from Microsoft... anybody have more information on this article, hotfix, or this issue in general?? I would like to know what this hotfix is actually supposed to do before actually applying on my test bench DC's.

Thanks,
Stuart Fuller




RE: [ActiveDir] Restore

2004-03-31 Thread Fuller, Stuart
This is also why most backup software vendors offer the ability to password
protect the information on the tapes.  

-Stuart Fuller

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 31, 2004 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restore

Yup... That's the idea.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

 -Original Message-
 From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, March 31, 2004 4:40 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Restore
 
 I have a question for everyone,
 
 If I have a facility that is using the same back up and tape drive as 
 me, could I take their tapes and access the backed up data on those 
 tapes and restore that data to an alternate location?
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 212.752.7300 - office
 917.455.0110 - cell
 [EMAIL PROTECTED]
 
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 


[ActiveDir] OT: Web site for Windows Update Service now available (SUS v2)

2004-03-19 Thread Fuller, Stuart



FYI,

More detailed information on SUS v2 (WUS) is now available on MS web site - see http://www.microsoft.com/windowsserversystem/sus/wusbeta.mspx.

_Stuart




RE: [ActiveDir] Microsoft Operations Manager

2004-03-19 Thread Fuller, Stuart
Brent,

We have MOM 2000 monitoring our empty root domain with plans to include our
main user domain in the near future.  From what I have seen the AD health
checks are very robust and fairly useful. The real value that I have seen so
far with MOM is in performance monitoring and  reporting.  If you remember
the AD sizer tool, one of the questions it asks you is the number of logons
per second... Well with MOM that number is easily available and shows up in
a nice report that you don't have to dig for.  

I heard a talk last year at TechEd from the MOM program manager who
discussed the use of MOM on Microsoft's internal network and the work and
collaboration between the MOM team and the MS internal support team.  The
gist of the spiel was that with the AD management pack you are basically
getting a set of rules, health checks, and alerts that were proofed,
developed, and tweaked through use on MS's production network.  

The gotchas I found with MOM is the amount of planning, testing, and
learning you need to do before deploying it.  This is one of those products
where the more you put into it the more you will get out it.  MOM is really
easy to install but the okay what next part is much harder. If you have a
large distributed DC environment and/or plan to use MOM for other Windows
systems, then you really have to plan out things like configuration groups,
event forwarding, database archiving, and server sizing.  We have a fairly
simple AD environment and can accommodate it with a single MOM configuration
group and two dedicated MOM servers (one DCAM/reporting - one SQL).  

If AD health is all you are really after and don't need the event alerting,
performance monitoring, reporting that comes with MOM, then look at the
health check scripts from the Microsoft Branch Office Deployment Guide (see
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/adguide/default.mspx)

HTH
-Stuart 
 
-Original Message-
From: Brent Westmoreland [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 19, 2004 1:35 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Microsoft Operations Manager

I am busy researching the Microsoft Operations Manager software,
specifically for AD health.  Does anyone have any real world experience
messing with this?  I am specifically wondering how much value this could
add to an organization, any gotchas, etc.

Brent



RE: [ActiveDir] Microsoft Patch

2004-03-15 Thread Fuller, Stuart



Dan,

SUS is fine and works well in a large AD environment. We have 2000+ workstations spread across the State of Montana that are using SUS to receive Microsoft Patches. Network connections range from high-speed LAN to very poky 56Kbs lines. Major benefits of SUS are the ability to configure through Group Policies, ease of use, quick setup, and the small fact that it is free. Major detriments are lack of good reporting, lack of good troubleshooting tools, lack of installation flexibility, and that you can only install MS security patches with it.

If you are looking for a patch solution that is beyond what SUS can do, and you actually have a budget to spend money, then I would suggest SMS (Microsoft), PatchLink, or UpdateExpert. Also if you have any Netware then look at Zen. We have state agencies running both SMS, PatchLink, & Zen with various degrees of success. Several agencies have implemented SUS just for MS patches while pushing other updates and software installation through the other solutions. HTH

-Stuart




From: Cariglia, Daniel [mailto:[EMAIL PROTECTED]
Sent: Monday, March 15, 2004 2:43 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Microsoft Patch


I am in the process of looking at alternatives to distribute/manage Microsoft patches. We have SUS running in a lab setup and it seems alright. My question is are there superior products out there that someone has used and can recommend that work well with AD? Running AD with an empty root and 2 child domains where the users reside, users are either Windows 2000 Pro or XP Pro. Any suggestions would be appreciated.
 
Thank You,


Dan 




RE: [ActiveDir] Experiences with DFS.....

2004-03-11 Thread Fuller, Stuart



What exactly do you mean by "add redundancy to our NAS offerings"?

Are you worried about single point of failure and are thinking that having two replicated NAS's would allow you to get around that? Or are you trying to load balance because the NAS device isn't keeping up?

If you are worrying about single point of failure, then I would suggest increased physical redundancy (e.g. things like RAID-5 & RAID-10, multiple power sources, etc.). If you are worried about load balancing then your solution may be more down the path of a highly available SAN instead of NAS (multiple servers connected to the same file system).

With 1,000,000+ files and frequent changes any solution is going to have a difficult time replicating the data across the network. You will end up with some type of drift between the two file sets and that may create yet more problems.

-Stuart
"Oracle is a Tape Application"



From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 11, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Experiences with DFS.

We are thinking of using DFS in order to add redundancy to our NAS offerings. My main question is does anyone have experience using DFS to replicate/keep in sync large amounts of info, i.e. 200+GB, between two or more servers?

As always, thank you for the help.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477



RE: [ActiveDir] Experiences with DFS.....

2004-03-11 Thread Fuller, Stuart



I am probably using "drift" in the wrong way but to my fuzzy brain it is the replication latency. Two file systems being push/pulled replicated will have a point in time difference in content. "Drift" is what I am calling the amount of difference between the two instances at any point in time. This also assumes that you are writing to one file system only at a time and then push/pulling the changes to the other. If you write/modify both file systems at the same time then no need for replication and no "drift". Also, drift really only comes into play if you are trying to use both file systems. If one instance is only a fail-over or hot spare copy, then having slight differences may not be an issue.


From: Gayoso, Ray [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 11, 2004 11:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Experiences with DFS.

Stuart... What do you mean by drift?

  


RE: [ActiveDir] Terminal Services Profile

2004-02-17 Thread Fuller, Stuart
Devan,

Do you have access to a Windows 2003 server that is member of the domain in
question?  If so then this is fairly easy to script - see
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/user/scrug85.asp

If not then TSPROF.EXE from the resource kit may be the way to go.  

-Stuart 

-Original Message-
From: Devan Pala [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 17, 2004 1:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services Profile

Hi,

Does anyone have a script or reference to something that can modify the
Terminal Services Profile property tab under each user. I would like to
change this for hundreds of users.

Thanks,

_
Dream of owning a home? Find out how in the First-time Home Buying Guide. 
http://special.msn.com/home/firsthome.armx



RE: [ActiveDir] Suppress reboot of windows update???

2004-02-12 Thread Fuller, Stuart



Doug,

See www.susserver.com and www.microsoft.com/sus for a lot of information about this. However, the best description of the various GPO options is the SUS deployment guide available from MS - http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx (start on page 53)

For your specific question - set the "No auto-restart for scheduled Automatic Updates installations" to Enabled under "Computer Configuration \ Administrative Templates \ Windows Components \ Windows Updates".

Be forewarned that some of the AU settings do not always jive with the described behavior in the GPO help. Also some of the described behavior changes if the user has admin rights to the client PC. Read the doc & test first.

-Stuart
State of Montana

P.S. SUS rocks!!! We have about 1000+ workstations configured to use it and they just all got updated by simply checking a box. Of course there was some testing, etc. first :-) MS now has a very detailed Patch Management Strategy Guide for SUS that is available from the SUS web site.



From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 12, 2004 12:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Suppress reboot of windows update???

Is there an easy way to suppress the "automatic rebooting" of Windows Update, when automatically download and install is the selected method? It would really be nice if it automatically downloaded and installed, but required the user to click a button to reboot, instead of it just rebooting in 5 minutes. Seems there is a key that I could just add through GP to do this. Any help is highly appreciated.

2000 SP4 domain
XP SP1a clients


RE: [ActiveDir] Domain Naming Server FSOM

2004-02-11 Thread Fuller, Stuart
Is the Domain Naming Master FSMO on the same DC that is the PDC emulator??

-Stuart 

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 11, 2004 11:14 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Domain Naming Server FSOM

I have noticed that logons take an enourmous amount of time on non DC
Windows 2000 Servers if the Server running the Domain Naming Master is
rebooting.  Why is this?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 



RE: [ActiveDir] Contents of GC

2004-01-29 Thread Fuller, Stuart



THE FOLLOWING ENVIRONMENT IS AN EXAMPLE:
 * 1 forest with 3 domains (W2K Native Mode)
 * DOM_A is forest root
 * DOM_B is a child domain of DOM_A
 * DOM_C is a child domain of DOM_A
 * Each domain has 5 DCs
 * Each DC = GC
--

Question - you state all DC's are GC's??? Shouldn't one DC from each domain hold the IM role and not be a GC? I wonder if all DC's are GC's, then you are running into an IM versus GC conflict. Maybe not so much in the normal replication problem but in the garbage collection.

See http://support.microsoft.com/default.aspx?scid=kb;EN-US;248047

Any replication errors?? and have you let the domains run 
for more than 24 hours so that the normal garbage collection and database 
maintenance stuff has a chance to run?

Brings up another question - anybody have a good 
description of the normal garbage collection and database maintenance procedures 
in AD?

-Stuart Fuller
State of Montana



From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 29, 2004 9:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Contents of GC

I tested the situation I described earlier (see below) and the findings are as expected:
I restored DOM_B using the backup without the 1 objects.
Everything is in sync again.

When I do an AD search (in DOM_A or DOM_C) for the 1 objects (all begin with the name TEST) I get 1 results

When I do an AD search (in DOM_B) for the 1 objects (all begin with the name TEST) I get 0 results.

THUS: how to get those objects out of the GC data? ;-(

Regards,
JORGE
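
The Infrastructure Master versus Global Catalog question raised in the reply above has a precise rule in KB 248047: the IM must not sit on a GC unless every DC in that domain is also a GC, because a GC never holds stale cross-domain phantoms of its own and so never refreshes them for the non-GC DCs. The following PowerShell is an added example, not code from the thread or from Microsoft, that applies that rule to every domain in a forest. It assumes the ActiveDirectory module (RSAT) and read access to the forest; the forest defaults to the one the current machine belongs to.

```powershell
# Added example (not from the thread): check the KB 248047 placement rule for
# the Infrastructure Master in every domain of the forest. Requires the
# ActiveDirectory module; read-only.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$Forest = (Get-ADForest).Name)   # assumption: current forest

    foreach ($domainName in (Get-ADForest -Identity $Forest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

        # Conflict only when the IM is a GC *and* at least one DC in the domain
        # is not a GC. If every DC is a GC (the scenario in the thread) there is
        # nobody left holding stale phantoms, so the placement is harmless.
        $conflict = [bool]$im.IsGlobalCatalog -and ($nonGc.Count -gt 0)

        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $domain.InfrastructureMaster
            ImIsGlobalCatalog    = [bool]$im.IsGlobalCatalog
            DcCount              = $dcs.Count
            NonGcDcs             = ($nonGc.HostName -join ',')
            Conflict             = $conflict
        }
    }
}

Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

A row with Conflict = True is the case KB 248047 warns about; the fix is either to move the IM role to a non-GC DC or to make all DCs in that domain GCs. The stale-GC-content problem in Jorge's restore scenario is a different matter and this check will not find it.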



RE: [ActiveDir] Contents of GC

2004-01-29 Thread Fuller, Stuart



Found an article on the Garbage collection interval - see "The Active Directory Database Garbage Collection Process" http://support.microsoft.com/default.aspx?scid=kb;en-us;198793

You know it is a problem for Microsoft when the search engine on Google groups is way better than the search engine for Microsoft Premier support.

-Stuart





RE: [ActiveDir] Account Expired?

2004-01-27 Thread Fuller, Stuart
Jennifer,

Check out the Account lockout tools available from Microsoft.  The
AcctInfo.dll adds a new tab to the users property page that may have the
information your help desk is looking for.

See -
http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en

Or search Microsoft TechNet on acctinfo.dll

-Stuart

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 27, 2004 7:44 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Expired?

Hi,
I was wondering if there was an option toi view if an account has expired in
the AD console?  Right now, I can see this information using the net user
command but the helpdesk would like an to see this information in the
console.  

Does anyone know how to do this - if it can be done.?

Thank you
Jennifer 
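
For the help desk question above, the value "net user" reports as "Account expires" comes from the accountExpires attribute. The PowerShell below is an added example, not code from the thread, that reads that attribute directly and handles the detail a naive conversion gets wrong: accountExpires is a FILETIME, and both 0 and 0x7FFFFFFFFFFFFFFF occur in practice for "never expires", so a script must test for both before converting. It assumes the ActiveDirectory module; the two account names are placeholders.

```powershell
# Added example (not from the thread): report account expiry from the raw
# accountExpires attribute, distinguishing "expired" from "disabled" and
# "locked out", which "net user" shows as separate lines. Read-only.
Import-Module ActiveDirectory

function Get-AccountExpiryReport {
    param([string[]]$SamAccountName)

    $never = 0x7FFFFFFFFFFFFFFF   # the other "never" sentinel is 0
    foreach ($name in $SamAccountName) {
        $u   = Get-ADUser -Identity $name -Properties accountExpires, Enabled, LockedOut
        $raw = [int64]$u.accountExpires

        if ($raw -eq 0 -or $raw -eq $never) {
            $expires = $null
            $state   = 'Never expires'
        } else {
            # FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
            $expires = [DateTime]::FromFileTimeUtc($raw).ToLocalTime()
            $state   = if ($expires -le (Get-Date)) { 'EXPIRED' } else { 'Expires' }
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LockedOut      = $u.LockedOut
            AccountExpires = $expires
            Status         = $state
        }
    }
}

# Placeholder account names; replace with the accounts the help desk is asking about
Get-AccountExpiryReport -SamAccountName 'jdoe', 'contractor1' | Format-Table -AutoSize
```

An account that shows Status = EXPIRED but Enabled = True is the case the help desk usually cannot see in the console: the account is not disabled, yet logons fail until the expiry date is cleared or extended.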


RE: [ActiveDir] moving DC

2003-12-23 Thread Fuller, Stuart

Couple of thoughts on this...

1. MS recommends if possible to have your SUS server be a dedicated box.
May not be possible in your case but, if so, I would not run SUS and
therefore IIS on a DC.

2. I wouldn't recommend that you patch your DC's automatically without a lot
of planning/testing.  I get very paranoid about patching DC's and normally
manually do this.  Of course in a large environment with 100's of DC's an
automatic patch mechanism is probably a requirement.

3. If you are going to use SUS to patch your DC and workstations, I would
create a separate GP for the DC.  This will at least move the time of the
reboot to a different time than the workstations.  Bad things may happen
when you have your DC reboot right when all of your workstations are
rebooting.

-Stuart

P.S. SUS is way cool and we are now using it to patch 2000 workstations and
about 100 servers... Well worth the minimal time investment to get it
running.
 
-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 23, 2003 2:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] moving DC

I wouldn't recommend that you move the DC out of the Domain Controllers OU.
It would mean that the Default Domain Controllers Policy would no longer be
applied to that DC.  Not a good thing.  There may well be other problems
associated with such a move.

You can link GPOs to any number of different OUs.  If you really want the
DCs to get the new policy, why not link it to the Domain Controllers OU in
addition to your new OU?  I don't know what's in the policy, but I would
recommend that you test it thoroughly before applying it directly to the
Domain Controllers OU.

Tony
-- Original Message --
From: MBIPBARHDMNNSKVFVWRKJVZCMHVIBGDADRZFSQH
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 23 Dec 2003 09:24:52 +0400

Hi

I have created a new OU (name:sus clients) in my AD and moved all my
computers there to setup a grp policy which gets the updates from the SUS
server loaded in my DC.

Everything goes well. But, one computer that has been left is my DC computer
under ou DomainController.
Can I move this computer also to the other OU? Would that affect?

On the other hand, I could apply the same policy to the ou in question, but,
I wanted to maintain only one OU for this purpose.

Also, once I move the DC to this OU, my DC would also be applied of all
patches.

Thanks
Md ILyas


Conares Metal Supply Ltd
p.o.box 2854, dubai, uae
tel +9714 8835 111 - Extn.212
fax +9714 8836 611
mob +97150 6550 894
___
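
Two of the replies on this page turn on the Automatic Updates policy values that a SUS Group Policy writes to the client: the "No auto-restart for scheduled Automatic Updates installations" setting discussed in the "Suppress reboot of windows update" thread, and the separate DC policy with a staggered install time recommended in point 3 above. The PowerShell below is an added example, not code from the thread, that reads those values from the policy registry keys on the machine it runs on and reports what they mean. It assumes it is run locally on a client or DC that already received the policy; the value names are the documented WindowsUpdate\AU policy values, and nothing is changed.

```powershell
# Added example (not from the thread): audit the Automatic Updates policy the
# SUS GPO applied to this machine. Read-only; run on the client or DC itself.
function Get-AutomaticUpdatesPolicy {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    if (-not $au) { throw "No Automatic Updates policy present under $auKey" }

    # AUOptions values as documented for the AU policy
    $auOptionNames = @{
        2 = 'NotifyBeforeDownload'
        3 = 'AutoDownloadNotifyInstall'
        4 = 'AutoDownloadScheduledInstall'
        5 = 'LocalAdminChooses'
    }
    $days = @{ 0 = 'Every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday'
               4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday' }

    $scheduled = ($au.AUOptions -eq 4)
    $noReboot  = ($au.NoAutoRebootWithLoggedOnUsers -eq 1)

    [pscustomobject]@{
        UsesSusServer        = ($au.UseWUServer -eq 1)
        SusServer            = $wu.WUServer
        AUOptions            = $auOptionNames[[int]$au.AUOptions]
        ScheduledInstallDay  = if ($scheduled) { $days[[int]$au.ScheduledInstallDay] } else { 'n/a' }
        ScheduledInstallTime = if ($scheduled) { '{0:00}:00' -f [int]$au.ScheduledInstallTime } else { 'n/a' }
        # Only a scheduled install (AUOptions = 4) ever restarts on its own. The
        # no-auto-restart policy makes AU wait for a logged-on user to restart;
        # with nobody logged on the machine still restarts after install.
        AutoRestartSuppressed   = $noReboot
        RestartsWithUserLoggedOn = ($scheduled -and -not $noReboot)
    }
}

Get-AutomaticUpdatesPolicy | Format-List
```

Run on a DC and on a workstation that received the respective GPOs, the ScheduledInstallDay and ScheduledInstallTime fields show directly whether the two policies actually stagger the reboots; RestartsWithUserLoggedOn = True on a workstation is the behaviour the original question wanted to suppress.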

  



RE: [ActiveDir] attribute for remote access

2003-12-18 Thread Fuller, Stuart
Looking at this attrib via ADSI Edit shows that msNPAllowDialin set to
True is equiv. to allow. False is equiv to deny and not set is
Control access through Remote Access Policy.

-Stuart

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 11:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] attribute for remote access

Mark-

Here's a snippit of a script we use to check that:
 
  ' adoRecordset is the result of an ADO query against AD (see earlier scripts)
  userADsPath = adoRecordset.Fields.Item("ADsPath").Value
  Set objUser = GetObject(userADsPath)
  dialInEnabled = objUser.msNPAllowDialin

Hunter



From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] attribute for remote access



Anyone know what schema attribute controls the remote access policy (has 3
choices, Allow, Deny or Control by Policy)? I'd like to query for the users
with Allow enabled.

 

Thanks!

 

Mark Creamer

Systems Engineer

Cintas Corporation

Honesty and Integrity in Everything We Do
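
The three states Stuart lists above map to three LDAP filters, which is how to answer the original question (who has Allow) without touching every user object. The PowerShell below is an added example, not code from the thread, that queries each state server-side; the "not set" state needs the negated presence filter (!(msNPAllowDialin=*)). It assumes the ActiveDirectory module and defaults the search base to the current domain.

```powershell
# Added example (not from the thread): list users by dial-in setting.
# msNPAllowDialin: TRUE = Allow access, FALSE = Deny access,
# not set = Control access through Remote Access Policy. Read-only.
Import-Module ActiveDirectory

function Get-DialInSetting {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)   # assumption: current domain

    # One server-side LDAP query per state
    $filters = [ordered]@{
        Allow  = '(msNPAllowDialin=TRUE)'
        Deny   = '(msNPAllowDialin=FALSE)'
        Policy = '(!(msNPAllowDialin=*))'
    }

    foreach ($state in $filters.Keys) {
        $filter = "(&(objectCategory=person)(objectClass=user)$($filters[$state]))"
        Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties msNPAllowDialin |
            ForEach-Object {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    DialIn         = $state
                    RawValue       = $_.msNPAllowDialin
                }
            }
    }
}

$all = Get-DialInSetting
# The users Mark asked for: explicit Allow
$all | Where-Object { $_.DialIn -eq 'Allow' } | Format-Table SamAccountName, RawValue -AutoSize
# And a count per state as a sanity check that the three filters partition the users
$all | Group-Object DialIn | Select-Object Name, Count
```

The explicit Allow list is worth reviewing periodically: it bypasses whatever the Remote Access Policy says, so a stale Allow on a service or ex-contractor account is an easy thing to miss.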



RE: [ActiveDir] Windows 2003 Server, Firewalls, Terminal Services , and AD Trusts

2003-12-15 Thread Fuller, Stuart



HP/Microsoft support came through. Apparently, this problem is related to a known issue with TS and Winlogon.exe in Windows 2003.

To fix it one needs a hotfix version of Winlogon.exe (http://support.microsoft.com/?id=821929) and a reg hack to make the winlogon process ignore errors when attempting to read the user's AD TS configuration data (http://support.microsoft.com/?id=815266).

-Stuart


From: Fuller, Stuart [mailto:[EMAIL PROTECTED]
Sent: Friday, December 12, 2003 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 2003 Server, Firewalls, Terminal Services, and AD Trusts

Guido,

Thanks for reply and the link to the article - very useful.

However, the TS port really isn't the issue. I can TS to the member server with no problems. The problem is that when I log into the member server via TS with a trusted account I get rejected. With Windows 2000 TS, the trusted account logon request gets passed through the firewall via the member server DC's and the holes open between the member server DC's and the trusted DC's. With 2003 TS, it looks like the member server needs to contact the trusted DC's directly. I don't really want to open the ports on the firewall to allow traffic from the member server to the trusted DC. I would prefer that 2003 like 2000 is able to "proxy" the logon request via the member server DC's.

The odd thing about this is that the problem only occurs with a TS logon. If I use a trusted account and logon at the physical console I don't have any problems. Also, any shares and other security bits seem to work just fine. I am stumped on this so that's why the query to the list. I do have a ticket in with our Microsoft support provider HP but so far no solution or explanation.

-Stuart


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2003 Server, Firewalls, Terminal Services, and AD Trusts

Stuart - I haven't run into this myself and am not really aware of particular changes in 2003 that would make this happen as described. However, the new MS KB on port requirements for the various services used on the system may give some insight (http://support.microsoft.com/default.aspx?scid=kb;en-us;832017).


For Terminal Services the following port is required:

System service name: TermService

Application protocol | Protocol | Ports
---------------------|----------|------
Terminal Services    | TCP      | 3389

Not sure, if this is of any help to you, but I would simply check if the authentication works correctly after opening that port on your firewall configuration.

/Guido


From: Fuller, Stuart [mailto:[EMAIL PROTECTED]
Sent: Thursday, 11 December 2003 17:08
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2003 Server, Firewalls, Terminal Services, and AD Trusts


We are moving ahead with deploying Windows 2003 servers and I have run into an issue with Terminal Services logons, trusts, and firewalls. From what I can tell Windows 2003 needs to directly contact a trusted DC for authorization when processing a TS logon (remote admin mode). This bites when that trusted DC is behind a firewall and your logon attempt bounces. Let me explain the setup a bit more then I'll go into the problem. (Apologies in advance for the long email...)

Setup:

Domain A in Forest A has a one-way external trust with Domain B in Forest B where B trusts domain A. Domain B is separated from A by a stateful-aware firewall. The firewall is configured to allow all traffic to pass "out" from A to B and to generally deny all traffic from B to A. The exception to this rule is that the DC's in Domain B have port access to all of the DC's in Domain A. Domain B DNS is configured for forward lookup to Domain A DNS. Domain B DNS zone information is also configured as a secondary zone in Domain A DNS (e.g. domain A and B can lookup each others DNS information).

A member server in Domain B is Windows 2000 or Windows 2003. The administrators group for that server is configured to contain Domain Local groups from Domain B. Those domain local groups contain selected administrator user accounts from domain A. All Domain A and B DC's are Windows 2000 SP4 and both domains are in native mode.

Issue:

To administer the member server in Domain B, a domain A account is used. This works great with Windows 2000 member servers and an admin can successfully log in at the console or TS to the box.

The problem is that on the new Windows 2003 servers, the TS bit no longer works with Domain A admin accounts. The Domain A admin can logon via the console just fine, but when attempting a TS logon the admin will get a "The specified domain either does not exist or could not be contacted" error message. The TS logon attempt also generates an event log message on the 2003 server. The event that is recorded is event ID

RE: [ActiveDir] Windows 2003 Server, Firewalls, Terminal Services, and AD Trusts

2003-12-12 Thread Fuller, Stuart



Guido,

Thanks for the reply and the link to the article - very useful.

However, the TS port really isn't the issue. I can TS to the member server with no problems. The problem is that when I log into the member server via TS with a trusted account I get rejected. With Windows 2000 TS, the trusted account logon request gets passed through the firewall via the member server DC's and the holes open between the member server DC's and the trusted DC's. With 2003 TS, it looks like the member server needs to contact the trusted DC's directly. I don't really want to open the ports on the firewall to allow traffic from the member server to the trusted DC. I would prefer that 2003 like 2000 is able to "proxy" the logon request via the member server DC's.

The odd thing about this is that the problem only occurs with a TS logon. If I use a trusted account and logon at the physical console I don't have any problems. Also, any shares and other security bits seem to work just fine. I am stumped on this so that's why the query to the list. I do have a ticket in with our Microsoft support provider HP but so far no solution or explanation.

-Stuart


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2003 Server, Firewalls, Terminal Services, and AD Trusts

Stuart - I haven't run into this myself and am not really 
aware of particular changes in 2003 that would make this happen as 
described. However, the new MS KB on port requirements for the various 
services used on the system may give some insight (http://support.microsoft.com/default.aspx?scid=kb;en-us;832017). 


For Terminal Services the following port is required:
System service name: TermService

Application protocol: Terminal Services
Protocol: TCP
Ports: 3389

Not sure, if this is of any help to you, but I would simply 
check if the authentication works correctly after opening that port on your 
firewall configuration.

/Guido


From: Fuller, Stuart [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 11 December 2003 17:08
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2003 Server, Firewalls, Terminal Services, and AD Trusts


We are moving ahead with deploying Windows 2003 servers and I have run into an issue with Terminal Services logons, trusts, and firewalls. From what I can tell Windows 2003 needs to directly contact a trusted DC for authorization when processing a TS logon (remote admin mode). This bites when that trusted DC is behind a firewall and your logon attempt bounces. Let me explain the setup a bit more then I'll go into the problem. (Apologies in advance for the long email...)

Setup:

Domain A in Forest A has a one-way external trust with Domain B in Forest B where B trusts domain A. Domain B is separated from A by a stateful-aware firewall. The firewall is configured to allow all traffic to pass "out" from A to B and to generally deny all traffic from B to A. The exception to this rule is that the DC's in Domain B have port access to all of the DC's in Domain A. Domain B DNS is configured for forward lookup to Domain A DNS. Domain B DNS zone information is also configured as a secondary zone in Domain A DNS (e.g. domain A and B can lookup each other's DNS information).

A member server in Domain B is Windows 2000 or Windows 2003. The administrators group for that server is configured to contain Domain Local groups from Domain B. Those domain local groups contain selected administrator user accounts from domain A. All Domain A and B DC's are Windows 2000 SP4 and both domains are in native mode.

Issue:

To administer the member server in Domain B, a domain A account is used. This works great with Windows 2000 member servers and an admin can successfully log in at the console or TS to the box.

The problem is that on the new Windows 2003 servers, the TS bit no longer works with Domain A admin accounts. The Domain A admin can logon via the console just fine, but when attempting a TS logon the admin will get a "The specified domain either does not exist or could not be contacted" error message. The TS logon attempt also generates an event log message on the 2003 server. The event that is recorded is eventID 1219 with a message of "Logon rejected for domain\userID. Unable to obtain Terminal Server User Configuration. Error: the specified domain either does not exist or could not be contacted."

Attempts at resolution:

I have played around with the system policy setting to see if it was some odd 2003 signed security problem with no luck. I have also talked with HP/Microsoft support and so far they have had no enlightened response to the issue. I have also looked at KB822142 but that seems to only apply to 2000 and not 2003.

I have captured NetMon traces for the 2003

RE: [ActiveDir] Window 98 Desktops are being locked out

2003-11-14 Thread Fuller, Stuart
Samantha,

See the following articles - this may be related to the version of AD client
on the 98 workstations. If you aren't running the DS client then it may be
the lockout count.  Try increasing the number to something like 10.

One Unsuccessful Logon Attempt May Trigger the Default Windows NT Lockout
Policy (271496) http://support.microsoft.com/?kbid=271496.

Failed Logon Adds Two to Windows NT Account Lockout Counter.
http://support.microsoft.com/?kbid=317796

Service Packs and Hotfixes That Are Available to Resolve Account Lockout
Issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;817701

There was a thread very recently on this list about the various versions of
AD client for Windows 98 and problems.

-Stuart
 

-Original Message-
From: Bridges, Samantha [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 14, 2003 8:19 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Window 98 Desktops are being locked out

Since our AD upgrade, all of the Windows 98 machines have been having
problems with authentication.  Seems that if a Windows 98 machine hits an
Active Directory DC for authentication, it will lock out the machine.
If the Windows 98 machine gets a Windows NT 4.0 server it authenticates
with no problem.

Anyone ever heard of this and do you know of a possible fix?

Thanks

Samantha
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Bare metal restore on other hardware?

2003-11-07 Thread Fuller, Stuart
Orin,

Another DC would be the way to go if you can arrange good physical security
for your DC, figure out the secure network connectivity, and a good way to
remotely manage the DC.  Then you really have a hot site instead of a DR
site.

The key on DR for Active Directory is to test your DR method.  You can
restore AD from tape from the ground up although this should be your
absolutely last resort.  You will have better luck restoring AD onto exact
hardware but you can do it on dissimilar hardware if you can get past the
HAL and device driver issues.  Dissimilar hardware restores are an issue for
us since our servers are mostly Dell and the DR servers are Compaq.  

Some good KB articles on this subject (Some have been mentioned before in
this thread):

1. How to Perform a Disaster Recovery Restoration of Active Directory on
Dissimilar Hardware   -- http://support.microsoft.com/?kbid=263532 

2. Active Directory Disaster Recovery -
http://www.microsoft.com/technet/prodtechnol/ad/windows2000/support/adrecov.asp

3. Best Practice Recommendation for Recovering your Active Directory Forest -
http://download.microsoft.com/download/win2000srv/utility/1.001/nt5/en-us/forestrecovery.exe


Dissimilar hardware issues:

4. Network Adapters are missing or incorrect in Device Manager after you run
NTBackup to restore system state data -
http://support.microsoft.com/?kbid=810161  (This problem is fixed in 2000 SP4)

5. I was able to resolve a restore of a VM ESX Server DC to a Compaq DL380
by following the steps on in-place upgrade mentioned in KB 263532. That
process fixed the HAL and the various device driver issues I encountered.
An in-place upgrade retains AD and security while re-enumerating the HAL and
devices.

6. If you have trouble with your third-party vendor backup product for
restores onto dissimilar hardware, try using NTBackup.  I have found that
for whatever reason, NTBackup will work while some other products don't.

-Stuart 

P.S. Of course some of the issues with dissimilar hardware restores and bare
metal restores are much better handled in Windows Server 2003 with Automated
System Recovery (ASR).  Makes me tempted to move to 2K3 much sooner than
planned...



-Original Message-
From: Orin Rehorst [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 07, 2003 9:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Bare metal restore on other hardware?

Our hot site contract includes use of equipment only for test and actual
disasters...no permanent usage. I wanted to put an additional domain
controller at our remote operational facility that we will be supporting
should the data center here go down. Doesn't that sound like the way to go?

Regards,
Orin
Orin Rehorst
Port of Houston Authority
(Largest U.S. port in foreign tonnage)
e-mail:  [EMAIL PROTECTED]
Phone:  (713)670-2443 
Fax:  (713)670-2457 
TOPAS web site: www.homestead.com/topas/topas.html 


-Original Message-
From: marcus [mailto:[EMAIL PROTECTED]
Sent: Friday, November 07, 2003 10:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Bare metal restore on other hardware?

Is having a domain controller at that site out of the question?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Friday, November 07, 2003 11:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Bare metal restore on other hardware?

We managed to do a restore of AD to other Hardware. However, what we did is
re-install the OS, put the backup client on there, and do a restore.
Tivoli's TSM product worked pretty well in this regard.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of Orin Rehorst
 Sent: Friday, November 07, 2003 10:15 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Bare metal restore on other hardware?

 I'm charged with planning for disaster recovery. The goal is to 
 restore active directory to new hardware at a hot site.

 Can you do a bare metal active directory restore on other hardware?

 TIA

 Regards,
 Orin
 Orin Rehorst
 Port of Houston Authority
 (Largest U.S. port in foreign tonnage)
 e-mail:  [EMAIL PROTECTED]
 Phone:  (713)670-2443
 Fax:  (713)670-2457
 TOPAS web site: www.homestead.com/topas/topas.html



RE: [ActiveDir] Bindview and ADMT

2003-11-07 Thread Fuller, Stuart



Debbie,

I can speak to problem number 2. We found during 
our migration of about 4000 workstations with ADMT v2, that rebooting the 
workstation right before running the migration made that problem go away. 
Here is a list of reasons that we found "Why the user 
profile didn't migrate":

1. User logged in. This can/will lock the user profile. ADMT needs to change security on many files in the user's "docs & settings" including the "ntuser.dat" file. If those files are open or locked for exclusive access then ADMT will fail.

2. Workstation not rebooted right before ADMT runs. If you reboot then you guarantee that the user profile will not be locked. During a normal user day various badly behaved applications or print drivers will hold open various parts of the user profile and generally not release it even if the user logs off.

3. Workstation "sick". Sometimes we ran into occasional problems with workstations that were messed up for other reasons (e.g. bad Netware client, bad printer driver, bad workstation image, etc...). ADMT in general will find those workstations and point them out to you that they need other work.

-Stuart




From: Ellis, Debbie [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 07, 2003 10:19 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Bindview and ADMT


Have any of you guys used the Bindview Migration tool? We have been testing the newest ADMT but have run into several problems that are listed below. Have any of you had similar problems?


1. If a member of the domain admin or domain user group is migrated, there are problems with accessing the resources in the source domain. SIDhistory was migrated and instructions from ADMT were followed.

2. There are problems migrating the local profiles on the user's desktops. It shows they were migrated over and no error message in the log files, but they were not migrated. We have tried with the user logged off and logged on.


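As an added example (not from the thread), a PowerShell pre-flight check for the two profile-lock causes Stuart lists (user still logged on holding NTUSER.DAT, and a workstation that was not rebooted right before ADMT). The profile root, the uptime threshold and the exclusive-open test are assumptions, not part of ADMT.

```powershell
# Added example, not from the thread: pre-flight check before running an ADMT
# profile migration against a workstation. It tests the two causes Stuart lists
# for "profile didn't migrate": an NTUSER.DAT hive still held open (user logged
# on, or an application/print driver leaking a handle after logoff) and a
# machine that has not been rebooted recently. Profile root and the uptime
# threshold are assumptions; on Windows 2000/XP the root was
# "C:\Documents and Settings".
param(
    [string]$ProfileRoot    = 'C:\Users',
    [int]   $MaxUptimeHours = 24
)

function Test-HiveLocked {
    param([string]$HivePath)
    # Open the hive with FileShare.None. If anything else has it open, the call
    # fails with an IOException, which is the same condition that makes ADMT's
    # ACL rewrite of the profile fail. Returns $true (locked), $false (free) or
    # $null (access denied: not a lock, but ADMT has to change that ACL first).
    try {
        $fs = [System.IO.File]::Open($HivePath,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::None)
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $null
    }
}

function Get-UptimeHours {
    # Hours since the last boot; a long uptime means stale handles may still
    # hold parts of profiles even though nobody is logged on.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 1)
}

function Get-ProfileLockReport {
    param([string]$Root)
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $hive = Join-Path $dir.FullName 'NTUSER.DAT'
        if (-not (Test-Path -LiteralPath $hive)) { continue }   # not a user profile
        $locked = Test-HiveLocked -HivePath $hive
        if ($locked -eq $true) {
            $status = 'LOCKED: log the user off and reboot before running ADMT'
        } elseif ($locked -eq $false) {
            $status = 'ok'
        } else {
            $status = 'ACCESS DENIED: ACL must be adjusted before ADMT can touch it'
        }
        [pscustomobject]@{ Profile = $dir.Name; Hive = $hive; Status = $status }
    }
}

$uptime = Get-UptimeHours
if ($uptime -gt $MaxUptimeHours) {
    Write-Warning "Machine has been up $uptime h; reboot right before running ADMT."
}
Get-ProfileLockReport -Root $ProfileRoot | Format-Table -AutoSize
```

Run it elevated on the workstation; a LOCKED row is the case Stuart describes in items 1 and 2, and the warning covers the reboot advice.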

RE: [ActiveDir] OT: enterprise Spam blocking products

2003-10-28 Thread Fuller, Stuart
I was Hunter in a past life or was it yesterday... :)

Jason - to your specific question about an online review, I can't find one
on the net either. I asked our security guy about this and where he found
out about Espion.  He told me that he originally found a review on MSN and
other security sites that led him to the company, however, that review has
been lost to the gods of the Internet Ether.  Sorry... No soup for you... I
would suggest contacting Espion directly for references/reviews.

-Stuart (not Hunter)

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 28, 2003 12:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: enterprise Spam blocking products

This is probably drifting off-topic for the list, so if anyone would rather
that we take it offline that's ok. And I'm not Stuart, but enough people in
our office mix us up that it shouldn't make a difference for the list :-)

There are some things about the Interceptor that I've been very pleased
with, and others that have room for improvement. It runs some ungodly number
of tests against each inbound message, and each test gets assigned a point
value depending on the results. The total number of points gets calculated,
and if it exceeds a certain threshold then the message gets marked as spam.
You can configure the points assigned to many of the tests, and you can
adjust the threshold as well. So from that standpoint, we've found it very
effective in tuning to fit our environment. We expect that to improve over
time as we get better adjusting it and it builds a more comprehensive corpus
of our email. After a couple of weeks running it, we're finding about 48% of
our inbound mail qualifies as spam. No problems with reliability so far.

Their support folks have been great, which has been a double-edged sword
from my perspective. They're quick to answer questions and make
configuration changes; that's good. I've had a hard time getting
documentation, but that may be because our internal security department is
our contact point so I'm not working directly with the Espion folks. I still
get the sense that Espion prefers a more hands-on approach than what I'd
like...they're quick to remotely login to the box (after we open firewall
access) and work on it. I'd rather we have sufficient documentation to
configure and troubleshoot the device, and only contact them when we can't
resolve the issue. Hopefully that will improve over time. Some folks might
prefer to offload all of the support and troubleshooting to the vendor.

Let me know if you have other questions

Hunter

-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 8:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: enterprise Spam blocking products

Stuart,
Do you have experience with Espion's Interceptor appliance? It
sounds like a very nice device but I haven't been able to find any reviews
online.

Thanks,
jb



-Original Message-
From: Fuller, Stuart [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2003 2:05 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: enterprise Spam blocking products

Jason,

Two possible solutions to consider:

1. Cloudmark SpamNet - this runs locally on the client and automagically
moves spam from the inbox to a spam folder. See http://www.cloudmark.com/

2. Hardware based Spam appliance - this device sits in front of your mail
gateways and filters the mail before it even hits Exchange.  Users get a
daily email report so that they can see what has been blocked and have an
opportunity to request the blocked mail.  An example of this is Espion's
Interceptor appliance - see http://www.espionintl.com/interceptor.html

-Stuart

-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2003 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: enterprise Spam blocking products

I started testing different spam products for our company. I'm testing GFI
right now. I really like Ihatespam Gateway edition, but it has limitations
because of CDO.

What I'm looking for is software that will move spam into a user's folder
other than the inbox without the user having to setup a filter in Outlook. I
would also like for the user to have the ability to 'tell' the software when
it missed a spam message or incorrectly tags a message as spam. I would prefer
a product that does not run directly on the Exchange box.

We are currently running Exchange 5.5 in a cluster.

I know I'm asking a lot, but I thought with everyone's help I could find a
product that is close.

Thank you.
jb

RE: [ActiveDir] OT: enterprise Spam blocking products

2003-10-21 Thread Fuller, Stuart
Jason,

Two possible solutions to consider:

1. Cloudmark SpamNet - this runs locally on the client and automagically
moves spam from the inbox to a spam folder. See http://www.cloudmark.com/

2. Hardware based Spam appliance - this device sits in front of your mail
gateways and filters the mail before it even hits Exchange.  Users get a
daily email report so that they can see what has been blocked and have an
opportunity to request the blocked mail.  An example of this is Espion's
Interceptor appliance - see http://www.espionintl.com/interceptor.html

-Stuart

-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 21, 2003 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: enterprise Spam blocking products

I started testing different spam products for our company. I'm testing GFI
right now. I really like Ihatespam Gateway edition, but it has limitations
because of CDO.

What I'm looking for is software that will move spam into a user's folder
other than the inbox without the user having to setup a filter in Outlook. I
would also like for the user to have the ability to 'tell' the software when
it missed a spam message or incorrectly tags a message as spam. I would prefer
a product that does not run directly on the Exchange box.

We are currently running Exchange 5.5 in a cluster.

I know I'm asking a lot, but I thought with everyone's help I could find a
product that is close.

Thank you.
jb


RE: [ActiveDir] LDAP in Multi-domain environments

2003-10-16 Thread Fuller, Stuart



Mark,

I had a similar situation with the LDAP implementation in the PeopleSoft v8 Portal.

Solved it by configuring the PeopleSoft LDAP request to point at the Global Catalog port (3268) instead of the normal LDAP port (389). Also configured the LDAP target server to be the PDC FSMO role holder in the forest root domain.

As I understand it, an LDAP search to the AD LDAP port will only return the objects for the domain of the DC and not the forest. Since the Global Catalog literally knows about every object in the forest, an LDAP search on the GC will return any object even across domains.

The one caveat is that with the GC, you only get a subset of attributes for the object and not the full list. See MS articles 256938 and 229662 for information about what attributes are included in the GC and how to add to that list.

-Stuart Fuller
State of Montana




From: Creamer, Mark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 16, 2003 2:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP in Multi-domain environments


We have some apps that make LDAP 
queries to allow a user to log in. Picture an "empty" root with two sub-domains. 
If the app is to be used only in a single sub-domain, i.e. 
dc=domain1,dc=company,dc=com, it works fine. If it needs to cross over to the 
other domain we have, though, i.e. dc=domain2,dc=company,dc=com, we're out of 
luck. We can't make the root dc=company,dc=com LDAP query search BOTH 
sub-domains for the user. Is this a limitation of LDAP, or of the apps that are 
trying to use it? I suspect it's the apps, but maybe there's a global 
(middleware?) fix someone can suggest?

If any of you are using an app 
called Kintana and have conquered this problem, I'd especially like to hear from 
you.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com
Honesty and Integrity in Everything We Do

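As an added example (not from Stuart's or Mark's posts), a PowerShell script that shows the difference Stuart describes: the same user search against LDAP:// (port 389, one domain partition) and GC:// (port 3268, the whole forest), followed by a check of which requested attributes are actually in the GC partial attribute set. The empty root DN DC=company,DC=com is taken from Mark's post; the account name, the attribute list and the System.DirectoryServices approach are assumptions.

```powershell
# Added example, not from the thread: run the same user lookup against a domain
# LDAP endpoint (port 389) and against the Global Catalog (port 3268), then check
# which of the requested attributes are replicated to the GC at all. The empty
# forest root DN, the account name and the attribute list are assumptions; the
# machine running this must be joined to the forest.
param(
    [string]  $ForestRoot     = 'DC=company,DC=com',
    [string]  $SamAccountName = 'jdoe',
    [string[]]$Attributes     = @('sAMAccountName', 'mail', 'distinguishedName', 'employeeNumber')
)

function Find-User {
    param([string]$Provider, [string]$BaseDn, [string]$Sam, [string[]]$Attrs)
    # $Provider is "LDAP" (only the domain partition the DC hosts; with the empty
    # root as base a user in domain1 or domain2 is not found) or "GC" (every
    # domain in the forest, but only the read-only partial attribute set).
    $root     = [ADSI]"${Provider}://$BaseDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter          = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Sam))"
    $searcher.SearchScope     = 'Subtree'
    $searcher.PageSize        = 1000
    # Referral chasing off so the LDAP result shows exactly what that DC holds,
    # which is what an application bound to port 389 sees.
    $searcher.ReferralChasing = 'None'
    $searcher.PropertiesToLoad.AddRange($Attrs)
    foreach ($r in $searcher.FindAll()) {
        $row = [ordered]@{ Provider = $Provider; Path = $r.Path }
        foreach ($a in $Attrs) {
            # Attributes outside the partial attribute set come back absent from
            # the GC even though the object itself was found.
            if ($r.Properties.Contains($a) -and $r.Properties[$a].Count -gt 0) {
                $row[$a] = $r.Properties[$a][0]
            } else {
                $row[$a] = '<not returned>'
            }
        }
        [pscustomobject]$row
    }
}

function Get-GcAttributeMembership {
    param([string[]]$Attrs)
    # The GC only carries attributes whose attributeSchema object has
    # isMemberOfPartialAttributeSet = TRUE (KB 256938 / 229662 cover adding one).
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $s = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $s.PropertiesToLoad.AddRange(@('lDAPDisplayName', 'isMemberOfPartialAttributeSet'))
    foreach ($a in $Attrs) {
        $s.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$a))"
        $res  = $s.FindOne()
        $inGc = $false
        if ($res) {
            $vals = $res.Properties['ismemberofpartialattributeset']
            if ($vals.Count -gt 0) { $inGc = [bool]$vals[0] }
        }
        [pscustomobject]@{ Attribute = $a; InGlobalCatalog = $inGc }
    }
}

"--- port 389 (domain partition only) ---"
Find-User -Provider 'LDAP' -BaseDn $ForestRoot -Sam $SamAccountName -Attrs $Attributes | Format-List
"--- port 3268 (Global Catalog, whole forest) ---"
Find-User -Provider 'GC'   -BaseDn $ForestRoot -Sam $SamAccountName -Attrs $Attributes | Format-List
"--- which requested attributes the GC replicates ---"
Get-GcAttributeMembership -Attrs $Attributes | Format-Table -AutoSize
```

An attribute reported as InGlobalCatalog = False is the caveat Stuart mentions: the GC finds the user but the application gets no value for it until the attribute is added to the partial attribute set.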


RE: [ActiveDir] SP4 or not SP4? (hotfixes 824226 & 828297)

2003-09-22 Thread Fuller, Stuart



Richard,

Thank you very much for the information. We are going to take a pass on SP4 until seeing the documentation on 828297 and doing some more testing.

Side question - you mention specific stress tests when you are going to test 828297; what tools or programs are you using to do this?

Thanks again for the information. You have saved us a huge amount of grief.

-Stuart Fuller
State of Montana




From: Puckett, Richard [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 19, 2003 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4 or not SP4? (hotfixes 824226 & 828297)

Stuart,

We originally installed SP4 near the beginning of August on all of our production Domain Controllers after testing it in our (mirror of production) lab. Within two production workdays we began to see the same issues Vladimir mentioned in his BUGTRAQ e-mail and we opened a case with MS. Since the problem was readily identifiable, we were able to get a copy of KB824226, which we tested, then installed. Later on in the week we found that KB824226 had introduced an as-yet unknown LSASS problem associated with global heap allocations that were not being released (below are a few of the telltale signs of a post-KB824226 DC in resource distress) which resulted in resource deprivation that caused most of the directory service-related functions to fail (failed replication, logons, LDAP queries, etc.). At first we were concerned that the problems might have been related somehow to the RPC/DCOM vulnerability being exploited by potentially infected hosts on our network, but further analysis ruled this out.

We worked with MS for approximately two weeks to find a resolution for the problem, providing ADPerf, Event, UMDH and LSASS dump data. Eventually KB828297 came into existence from the analysis of data that we and other customers were providing. Though MS did work hard to locate and correct the error, KB828297 did not appear in a timely enough fashion for us to use, and with more and more DCs failing we made the decision to back out of SP4 to regain host stability, regressing to SP3. We're currently running SP4 in one of our lab configurations and are preparing to test KB828297 with some very specific stress tests to ensure we don't encounter any new issues before re-deploying SP4.

Hope this data helps,
Richard


Post-KB824226 Early (and Late) Resource Consumption Warning Signs

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 7
Date: 8/15/2003
Time: 3:44:00 PM
User: N/A
Computer: DOMAIN CONTROLLER NAME
Description:
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was host/workstation fqdn and lookup type 0x48.
Data: 17 00 00 c0 ...À

Event Type: Warning
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1519
Date: 8/15/2003
Time: 12:59:50 PM
User: Everyone
Computer: DOMAIN CONTROLLER NAME
Description:
A Directory Service operation failed because the database has run out of version storage. If this error repeats frequently it most likely indicates that an object that is too large for the Directory Service to handle is attempting to replicate in. This object must be deleted or shrunk on a Directory Server where it already exists.
The internal id is 2020743.

Event Type: Error
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1168
Date: 8/20/2003
Time: 11:52:44 PM
User: DOMAIN\userid
Computer: DOMAIN CONTROLLER NAME
Description:
Error 8(8) has occurred (Internal ID 302022c). Please contact Microsoft Product Support Services for assistance.




  
  
  From: Fuller, Stuart [mailto:[EMAIL PROTECTED]]
  Sent: Friday, September 19, 2003 2:24 PM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] SP4 or not SP4? (hotfixes 824226 & 828297)
  
  I *was* planning to go ahead and install SP4 on all of our production DC's this weekend. We have successfully tested it on our test bench and as a pilot in a small separate forest.

  However, I have been following the notes by Vladimir Markovic on the NTbugtraq mailing list about LSASS and LDAP and those are making me a bit nervous to say the least. (These notes deal with hotfixes 824226 and 828297.)

  I would like any comments from admins on the list with real-world experience with SP4 and AD. Specifically, those people running larger production environments (1,000+ users) and using applications that authenticate against AD via LDAP (e.g. PeopleSoft, Digite/Tufan, etc...). Has anyone else experienced the problems described in 824226?

  I have looked at the posts on Google from the Microsoft newsgroup and there does seem to be other admins that have been affected by this. I am trying to get a sense of whether this is a global problem or is limited to specific "unique" environments.

  Thanks,
  Stuart Fuller
  AD Dweeb
  State of Montana
  


[ActiveDir] SP4 or not SP4? (hotfixes 824226 & 828297)

2003-09-19 Thread Fuller, Stuart



I *was* planning to go ahead and install SP4 on all of our production DC's this weekend. We have successfully tested it on our test bench and as a pilot in a small separate forest.

However, I have been following the notes by Vladimir Markovic on the NTbugtraq mailing list about LSASS and LDAP and those are making me a bit nervous to say the least. (These notes deal with hotfixes 824226 and 828297.)

I would like any comments from admins on the list with real-world experience with SP4 and AD. Specifically, those people running larger production environments (1,000+ users) and using applications that authenticate against AD via LDAP (e.g. PeopleSoft, Digite/Tufan, etc...). Has anyone else experienced the problems described in 824226?

I have looked at the posts on Google from the Microsoft newsgroup and there does seem to be other admins that have been affected by this. I am trying to get a sense of whether this is a global problem or is limited to specific "unique" environments.

Thanks,
Stuart Fuller
AD Dweeb
State of Montana



RE: [ActiveDir] Possibly OT: Cisco VPN and AD

2003-09-04 Thread Fuller, Stuart



We run Cisco VPN and AD and have not seen this issue. However we did have to update the Cisco IOS to the correct version that likes RADIUS/IAS and understands MS-CHAPv2. (Can't remember the version - but if needed I can look it up.)

Questions:
1. What is the authentication mechanism set to on the concentrator? (e.g. RADIUS or NT domain)
2. Are you using Microsoft IAS with the concentrator?
3. How are you controlling the dial-in privileges on the user object? Is it by GPO, individually on the user object, and/or by the remote access policy in IAS?
4. If the concentrator is set to NT Domain, is the complexity type or password length different between the working and non-working accounts?
5. If the concentrator is using RADIUS and IAS, have you looked at the IAS logs? If so, do the authentication attempts show up?

-Stuart Fuller
State of Montana



From: Wright, T. MR [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 04, 2003 10:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Possibly OT: Cisco VPN and AD

We have an issue with our VPN concentrator. It seems that it allows some AD users to authenticate, while others can not. We can find no pattern to explain why the users that are able to authenticate are allowed to do so and why the users that can't authenticate can not. An example is that I have two domain admin acct's, one that is a Service acct. and one that belongs to me. I am able to authenticate using the service acct. but not my own acct. They are in the same OU, they have permissions to the same groups etc. The only thing I see in the event logs upon an authentication failure is a generic EventID 675 with Pre-authentication failed, with Failure Code 0x18, which translates to a bad password, but I know this is not the case since I use my admin account to logon to other resources etc.

Our network guys have been in contact with TAC and they don't seem to have a clear answer either. They feel it is something in our GPO. The thing is our GPO settings are not rocket science. Right now we are basically just enforcing complex passwords etc. and we're not doing much outside of that. I was hoping that someone might have had these issues before and could provide some insight.

Thanks,

-Tim


RE: [ActiveDir] Local Admin

2003-07-30 Thread Fuller, Stuart



What if you useMS's Script Encoder (see http://msdn.microsoft.com/library/default.asp?url="">) 
to hide the temporary admin password and use "runas"??

That way the user could have the script run at startup and 
it would not have to run in the context of the logged-in 
user.

The giant caveat is the hackability of the 
encoder. From MS web page "Note that this encoding only prevents 
casual viewing of your code; it will not prevent the determined hacker from 
seeing what you've done and how."

Not the best solution but may be "a" solution

-Stuart



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin


Making users admins on their "personal" computers is not at all appealing.
But beauty and appeals were not of great importance at the time. Remember,
it was a Management top-down mandate that had to be met as long as you want
the paychecks to keep coming :)

The idea of the startup script was exhaustively investigated and abandoned
due to the fact that the name of the Laptop owner is unknown, so you don't
know whom exactly you will be adding to the group. So, I could script a
query for the currently logged-on user and try to pass that as a parameter
to the main script, but of course that won't work because IF the user
already logs in, then the script won't be a startup script anymore, and the
script would then be executing in the context of the currently logged-on
user, who does not have the privilege to add him/herself to the admin group
- otherwise there would be no need for a script in the first place.



bragging rights
Finally found an interesting puzzle that will likely stump Joe 
:)
/bragging rights

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: [EMAIL PROTECTED] on behalf of Joe
Sent: Wed 7/30/2003 4:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Restricted groups can be great, say you want to keep schema admins empty
all of the time, you set the policy with no one in it and wham it is empty,
then someone has to know to add themselves to the policy and to the group,
not many hackers would think of that. Ditto but for setting specific members
for enterprise admins, domain admins, domain controller admins, etc or if
you want very specific admins for all machines on the network.

Your particular issue is an interesting one. Assuming only the user
him/herself would use the machine the first thing off the top of my head
would be to have a startup script for the machine that did a net localgroup
interactive /add

That doesn't really appeal to the security side of me and really relies on
physical security so no one else from the domain could log on to the machine
or no bad local regular user accounts existed. Really though I don't
recommend users being admins of their machines, usually your TCO goes way up
when you do that.

Other alternative would be some sort of perl script to do the job with a
mapping file... I.E. Who's PC, who gets admins... etc.


  
  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, July 30, 2003 2:25 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Local Admin
  
  While it is true that the Restricted Group will wipe out the existing
  members (I still don't understand the practical necessity of this group)
  and while it is true that you can indeed add a "KNOWN" user/group to any
  Local group on any domain member using startup/shutdown machine option in
  GPO, I have a slightly different take on this question:
  
  
  
  A while ago, I was faced with the unenviable task of making EVERY Laptop
  user a local admin on his/her Laptop. Yes, we now do this during initial
  installation of the Laptops. But at the time of this Management request,
  there were about 650 Laptops in production and they were mostly connected
  to the domain at least twice a week.
  
  Given the fact that I had no way of telling who owns which Laptop or when
  that person will be connecting to the Domain, I had to fess up to
  Management that I had no means of accomplishing this task. So, which brings
  me to the question - how would you guys have tackled this problem,
  NATIVELY?

  It's not a quiz, and, no, there's no beer reward in it ;)
  It's just for my own education, just in case.
  
  
  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday? -anon
  
  
  From: [EMAIL PROTECTED] on behalf of Ayers, Diane
  Sent: Tue 7/29/2003 9:17 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Local Admin
  
  Doink...You're right. I think my hard drive read/write head was stuck on
  restricted groups...
  Diane
  -Original

RE: [ActiveDir] Local Admin

2003-07-29 Thread Fuller, Stuart
For a vbs script sample to do this see
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ScriptCenter/user/ScrUG69.asp

Should work for both NT and 2000/XP. 

-Stuart

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 29, 2003 12:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Local Admin

How?  What about Windows NT 4 machines?

 -Original Message-
From:   Kevin Miller [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, July 29, 2003 1:21 PM
To: [EMAIL PROTECTED]
Subject:Re: [ActiveDir] Local Admin

you can do that with the GPO
- Original Message -
From: Bond, Simon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 29, 2003 9:30 AM
Subject: RE: [ActiveDir] Local Admin


 I'd be inclined to run a script on all workstations (perhaps via an SMS
job
 or suchlike) which simply included the following:

 net localgroup Administrators {domain\group here} /add

 Eg. To add a group such as ExchangeAdmins in the IT domain to the
local
 admins group:

 NET LOCALGROUP Administrators IT\ExchangeAdmins /add




 -Original Message-
 From: Kevin Gent [mailto:[EMAIL PROTECTED]
 Sent: 25 July 2003 19:49
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Local Admin


 How do I add a domain user to the Local station's Administrators Group
 across a large population of XP Pro/2000 Pro workstations ?


 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/








RE: [ActiveDir] Computer Management Snap in?

2003-07-22 Thread Fuller, Stuart
Other things to try:

1. Admin rights to workstation??
2. Is \\workstation\Admin$ share on workstation reachable?? - this is a
quick check to see if file sharing, name resolution, and security is
working.
3. Is my.network.net the actual machine name?? 

When I have seen this error it has usually been one of the following:
1. Machine off.  :P
2. File & Print sharing not turned up or corrupted.
3. No admin rights or not enough rights to remotely connect/read
workstation.
4. Name resolution failing (workstation not in DNS/WINS).
5. Remote registry service turned off.

-Stuart 
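The checks above as a small batch file, added here as an example (not from the original post): it runs the ping, Admin$ and Remote Registry checks from the MMC machine against one workstation. It assumes sc.exe is available (built into XP, Resource Kit on 2000) and that the workstation name is passed as the first argument.

```batch
@echo off
REM Added example, not from the original post: run the troubleshooting
REM checks from the list against one workstation, from the machine that
REM is running the Computer Management snap-in.
REM Usage: chkws.cmd WORKSTATION   (name or FQDN, exactly as typed in the MMC)
if "%~1"=="" (echo Usage: %~nx0 workstation & goto :EOF)
set ws=%~1

echo [1] Name resolution and reachability: ping %ws% by name
ping -n 1 %ws% >nul 2>&1 && (echo     OK) || (echo     FAILED - name not in DNS/WINS, or machine off)

echo [2] Admin$ share: file sharing, name resolution and admin rights in one shot
dir \\%ws%\Admin$ >nul 2>&1 && (echo     reachable) || (echo     NOT reachable - sharing off, or no admin rights on %ws%)

echo [3] Remote Registry service, which the Computer Management snap-in relies on
REM sc.exe is assumed to be present; "RUNNING" appears in its STATE line
sc \\%ws% query RemoteRegistry | find "RUNNING" >nul && (echo     running) || (echo     not running or not queryable)
```

If check 1 fails by name but the same machine answers by IP, the problem is DNS/WINS registration, which is the point made later in this thread.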

-Original Message-
From: Carr, Jonathan (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2003 5:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer Management Snap in?

dumb question but can you ping it by name ??   If not, does it resolve to
the correct IP ??

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2003 7:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer Management Snap in?


Hi Richard,
Try using the IP (eg, \\12.12.123.1234).  If that works, something might
be wrong with your DNS registration.
 
Mike Thommes

-Original Message- 
From: Richard Sumilang [mailto:[EMAIL PROTECTED] 
Sent: Tue 7/22/2003 1:54 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [ActiveDir] Computer Management Snap in?



I simply want to see the hardware specs on another computer on my
network but I get the following error...

Computer \\MY.NETWORK.NET cannot be managed. The remote network path
was not found.

Choose 'Connect to another computer' from the Action menu to manage a
different computer.

All computers are connected through active directory.



RE: [ActiveDir] Computer Management Snap in?

2003-07-22 Thread Fuller, Stuart
A... I think I may get it... ;) 

So what you are doing is loading up the MMC, choosing Computer management,
and then choosing connect to a computer.  And you fail when you use the FQDN
for the computer in the connect box??  And you work when you put in the IP
address or just the NetBIOS name??

Remembering your other posts about DNS, then this is probably a DNS issue.
FQDN (e.g. my.pretty.good.network.com) are resolved by DNS.  NetBIOS names
(e.g. my) are resolved by the WINS server or by local network segment
broadcast.  If your DNS servers don't allow dynamic registration then your
workstations will not be in the DNS and therefore not pingable/reachable by
FQDN.

Can you ping the workstation from the MMC computer by FQDN? If not, then DNS
registration is the issue.  You have to have a record in the DNS for the
workstation for FQDN name resolution to work.  Otherwise you need to fall
back to the other (e.g. WINS or network segment broadcast) forms of name
resolution to reach the computer.  I believe the dynamic DNS issue was the
gist of Jonathan Carr's message.  Are you running W2K DNS for your AD and
your client workstations??  If so, check the allow dynamic registration and
your W2K and XP workstation will automagically register and you can use the
FQDN instead of the NetBIOS name.  Although I am usually much too lazy to
type in the FQDN... :p

-Stuart Fuller
State of Montana 

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2003 6:24 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Computer Management Snap in?

This is DHCP, Windows 2000, and I used (my) and not the FQN. The FQN is
what doesn't seem to work :-\

Any suggestions?



On Tuesday, July 22, 2003, at 10:06  AM, Carr, Jonathan (OFT) wrote:

 How can this be..  In # 2 you say you can map a drive using UNC
 (\\workstation\admin$) but you have a name resolution issue.   Don't
 make sense???


 Is this DHCP


 Is it windows 2000 or above


 Try using just the name (my) and not the FQN (my.network.com)





 -Original Message-
 From: Richard Sumilang [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, July 22, 2003 12:30 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Computer Management Snap in?



 On Tuesday, July 22, 2003, at 08:29  AM, Fuller, Stuart wrote:

 Other things to try:

 1. Admin rights to workstation??

 My account is a duplicate of the Administrator account but I can't 
 seem to access it but the administrator account can?


 2. Is \\workstation\Admin$ share on workstation reachable?? - this is 
 a quick check to see if file sharing, name resolution, and security 
 is working.
 Yes


 3. Is my.network.net the actual machine name??
 I have my domain pointed to my network and my is an actual computer
 name (of course the above was just an example).



 When I have seen this error it has usually been one of the following:
 1. Machine off.  :P
 It's on


 2. File & Print sharing not turned up or corrupted.
 File and print sharing is on but I don't think it's sharing anything


 3. No admin rights or not enough rights to remotely connect/read 
 workstation.
 Refer to number 1 on first set of questions


 4. Name resolution failing (workstation not in DNS/WINS).
 I don't see the workstation in the DNS and don't know where to check 
 the WINS. There is a DNS server running that points my domain to my 
 network but it's on my web server. I don't have to add each
 workstation to that DNS do I?


 5. Remote registry service turned off.
 Don't know?



 -Stuart

 -Original Message-
 From: Carr, Jonathan (OFT) [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, July 22, 2003 5:58 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Computer Management Snap in?

 dumb question but can you ping it by name ??   If not, does it resolve
 to
 the correct IP ??

 -Original Message-
 From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, July 22, 2003 7:48 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Computer Management Snap in?


 Hi Richard,
 Try using the IP (eg, \\12.12.123.1234).  If that works, 
 something might be wrong with your DNS registration.

 Mike Thommes

  -Original Message-
  From: Richard Sumilang [mailto:[EMAIL PROTECTED]
  Sent: Tue 7/22/2003 1:54 AM
  To: [EMAIL PROTECTED]
  Cc:
  Subject: [ActiveDir] Computer Management Snap in?
  
  

  I simply want to see the hardware specs on another computer on my
  network but I get the following error...

  

  Computer \\MY.NETWORK.NET cannot be managed. The remote network path
  was not found.

  Choose 'Connect to another computer' from the Action menu to manage a
  different computer

RE: [ActiveDir] admt 2.0 - nt4 computer migration

2003-07-15 Thread Fuller, Stuart
GT, 

Mostly OT but is related if you are starting the workstation migration
journey...

Rick's comment about the task manager and checking machines reminded me of
something else we did during the workstation migrations.  Our operating
mantra during the process was clean reboot...clean reboot ohmm clean
rebooot.  :)

We used batch files with a FOR statement to drive shutdown.exe and
uptime.exe.  Shutdown allowed us to force the list of workstations to
reboot right before the migration.  The Uptime batch file (piped to a .csv
file) allowed us to monitor the reboot cycle and make sure all the machines
were ready to go.  This had the side benefit of weeding out the problem
child machines.  If shutdown didn't work then the ADMT agent would generally
bonk as well. Uptime was also useful in monitoring the reboot after the ADMT
agent was finished.  Machines that took a long time with the agent could be
found and then checked.

-Stuart

---
Example Shutdown batch file:

REM  Modify the line below for location of workstation list
set file=c:\temp\machineList.txt

REM  One machine name per line (first comma-separated field); the quotes
REM  around the FOR /F options are required by cmd.exe
FOR /F "tokens=1 delims=," %%i in (%file%) do shutdown \\%%i /R /c
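The uptime side of the same process, added here as an example (this is not the poster's own Uptime batch file): it walks the same machine list, runs uptime.exe against each machine and appends one CSV row per machine, so the reboot cycle can be watched and machines that never come back stand out. It assumes Microsoft's uptime.exe is on the path and prints its usual "\\MACHINE has been up for: ..." line.

```batch
@echo off
REM Added example, not the poster's file: poll every machine in the list
REM with uptime.exe and append one CSV row per machine (timestamp, machine,
REM uptime text). Machines that never come back after the forced reboot show
REM up as error rows, which is how the "problem child" machines are found.
REM Assumes uptime.exe (Microsoft's uptime tool) is on the path.
set file=c:\temp\machineList.txt
set out=c:\temp\uptime.csv

if not exist %out% (>>%out% echo Checked,Machine,Result)

FOR /F "tokens=1 delims=," %%i in (%file%) do (
    REM stderr is merged so an unreachable machine is logged, not skipped
    FOR /F "delims=" %%u in ('uptime.exe \\%%i 2^>^&1') do call :log %%i "%%u"
)
goto :EOF

:log
REM %date%/%time% are expanded here, once per call; inside the FOR block
REM they would be expanded only once for the whole loop
>>%out% echo %date% %time%,%1,%2
goto :EOF
```

The uptime text is written quoted because it contains commas; run the file again after the shutdown pass and compare rows to see which machines have rebooted.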



-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 14, 2003 2:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

Gentlemen, thanks to all for your contributions to this.

will be going to customer site later this week to do some exhaustive testing
on this issue

(assuming of course that the computers have not melted in the ridiculously
warm weather we are having here !)

any other things that you can add will be v gladly received.

GT


- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 11, 2003 11:16 PM
Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration


 Stuart, Graham -

 The Agent exec is ADMTAGNT.EXE.  Also, I don't remember it running under
 the Explorer process, as when we did our migrations (well, the on-going
 saga...) it was an easy matter to check how a machine was doing by bringing
 up task manager to determine status and load on the box.  Had to do this
 numerous times as workstations took too long and we needed to determine
 the real status of the process.

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone



RE: [ActiveDir] admt 2.0 - nt4 computer migration

2003-07-11 Thread Fuller, Stuart
G,

Let me clarify what I stated earlier...

ADMT needs to be able to resolve the name of the workstation (e.g. find it
on the network) and be able to get to the admin$ share on the workstation.
When you run ADMT workstation migration, you are running in the security
context of the user logged into the ADMT console (unless you use runas).
This user needs to have administrator privileges on the target workstation.
You can test this very simply by mapping a drive to the target workstation's
admin$ share.  If that works then you know that the ADMT user does have
admin rights and the share is working.  We have found that this
cheese-o-matic test is the best indication that the ADMT workstation
migration will run correctly. 

However from your other posts, I don't think normal ADMT security is your
issue.  It looks like the allowed list of applications from the NT Policy
is whacking you.

In any event, the whole point of the ADMT is to automate the workstation
migration.  If this is a problem for only a couple of machines, you could
just manually migrate them.  Join them directly to the new AD domain and
simply copy over the user profile.  You may have to work on fixing printers
and resetting some file rights but usually on a user workstation that is
pretty minimal.

When we were doing our migration, we ran into about one out every two
hundred workstations that had some type of underlying problem where ADMT
would bonk.  We took those as one-offs and figured it was easier to spend 10
minutes manually migrating the workstation then spending hours trying to
figure out why ADMT was failing.  On the ones that we did troubleshoot, it
was never ADMT fault, it something whacked with the workstation OS, IP
stack, NIC, or even shudder the Novell client.

Stuart Fuller
Active Directory
State of Montana


-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 11, 2003 8:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

Rick, thanks your time on this issue.

my view is that we failing at the installation of the agent - as i read it
this takes place using the credentials of the logged in user at the ADMT
console ??

GT


- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 11, 2003 2:05 PM
Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration


 Graham -

 I have no documentation of an 'allowedrunlist' policy or setting in NT
 4.0 (not saying that it doesn't exist - just in the limited time I have
 this AM I can't find anything).  But, given that it does exist, yes -
 that's what I'm saying.  If the policy does truly enforce WHO can run WHAT -
 then this could be an issue.

 With that being said - this agent (ADMT), in my experience, runs at 
 the LocalSystem context, and therefore should not be subject to the 
 rules of a ruleset applied by system policy, AFAIK.

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
 Sent: Friday, July 11, 2003 5:20 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

 Rick, thanks for post reply.

 is your inference then that it is conceivable that a restrictive 
 allowedrunlist tattooed into the registry is able to prevent 
 whatever application it is to run on the NT4 workstation. ???

 GT


 - Original Message -
 From: Rick Kingslan [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, July 10, 2003 1:13 AM
 Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration


  Graham,
 
  System Policy on NT 4.0 is truly tattooed to the system.  If you turn
  it off and back on, it's still there - unless manually removed or the
  policy is backed out via the de-application of said policy.
 
  And, sadly - I can't tell you right now what needs to run (yes the 
  Agent, damn it - but what IS the Agent?)
 
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Graham 
  Turner
  Sent: Wednesday, July 09, 2003 4:25 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration
 
  but then thinking about it no - when i failed on the first nt4 host
  thought it was down to that computer so tried another one straight away -
  same access denied result

  have spoken with the developers of the nt4 build  - there is a system
  policy with an allowedrunlist policy - that was that even while logged off
  this registry value is tattooed into the computer registry

  if this is possible which i must confess to not being sure on then
  need to work out what actually needs to be allowed to run for the
 

RE: [ActiveDir] admt 2.0 - nt4 computer migration

2003-07-11 Thread Fuller, Stuart
G,

Can't really speak to the specific technical upgrade process for ADMT.  If I
remember correctly, we simply installed the latest version over the top of
the new one and everything seemed to work out.  I think we did have to
reinstall the password export service again...

We ran the majority of our migrations from the ADMTv2 off of the .Net Server
(e.g. 2003) Beta 3 CD.  We wanted the v2 because of the password migration
bit.  We did update the ADMT from the Beta3 version to the RC1 version at
about 3/4 through our migration. We didn't really see any differences and
upgrading didn't solve a broke workstation migration issue we were having on
a dual-proc machine.  

If it is the NT policy, then on the NT workstation you are trying to
migrate, back out the allowed run policy and then try the migration again.
If changing the policy via poledit doesn't work you can try looking at the
reg keys.  JSI FAQ (http://www.jsiinc.com/SUBA/tip/rh0050.htm) lists the
two you need to look at
(HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun = 1
and entries under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun).
Test the workstation by running some unallowed application
first so that you know the policy has really been backed out and not
reapplied through whatever your distribution mechanism is. 

If backing off the NT policy doesn't work then re-verify the ADMT setup
(http://support.microsoft.com/?kbid=260871).  Can you migrate any other
NT/2000/XP workstations? If so then ADMT is probably set up correctly and
the trouble will be with the specific NT workstation build. 

According to JSI's note 0362, the RestrictRun policy only works on processes
run from the Explorer process. I have no clue if the agent process is being
remotely initiated on the workstation via the Explorer process but if
between workee and no-workee this is the only difference.

Additionally, I couldn't find in my brief surfing expedition what
specifically the agent .exe are.  Looking at our ADMT console the two
probable candidates are ADMTAgnt.exe and DCTAgentService.exe.  If the
only solution is to add the agent executables to the allowed list then
hopefully someone else on the mailing list knows what these really are.

Stuart Fuller
Active Directory
State of Montana

-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 11, 2003 12:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

Stuart, i share your views.

i have assumed this is going to be a problem general to NT4 workstation
migration - based on first two tested - both failed with identical message.

the number of NT4 workstations still in production means a manual migration
is not the most practical option.

in the course of resolving this i have observed that the contents of the
ADMT2 distribution are about 8 months more recent than the production ADMT2
programs that were in good faith !! from the .NET RC1 media,

i am assuming the upgrade to be a supported process and will just see if
this issue is not specific to ADMT version - i have also noted from
netiq.com that they had to patch migration software to resolve similar
issues of computer migration -

do you have any issues specific to versions of ADMT ??

if it does prove to be issues of the allowedrunlist whacking me then the
question remains as to what exe's need to be added to support the ADMT
operation

thanks for your support

GT
- Original Message -
From: Fuller, Stuart [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 11, 2003 6:30 PM
Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration


 G,

 Let me clarify what I stated earlier...

 ADMT needs to be able to resolve the name of the workstation (e.g. 
 find it on the network) and be able to get to the admin$ share on the
workstation.
 When you run ADMT workstation migration, you are running in the 
 security context of the user logged into the ADMT console (unless you use
runas).
 This user needs to have administrator privileges on the target
workstation.
 You can test this very simply by mapping a drive to the target
workstation's
 admin$ share.  If that works then you know that the ADMT user does 
 have admin rights and the share is working.  We have found that this 
 cheese-o-matic test is the best indication that the ADMT workstation 
 migration will run correctly.

 However from your other posts, I don't think normal ADMT security is 
 your issue.  It looks like the allowed list of applications from the 
 NT
Policy
 is whacking you.

 In any event, the whole point of the ADMT is to automate the 
 workstation migration.  If this is a problem for only a couple of 
 machines, you could just manually migrate them.  Join them directly to 
 the new AD domain and simply copy over the user profile.  You may have 
 to work on fixing
printers
 and resetting some file rights

RE: [ActiveDir] admt 2.0 - nt4 computer migration

2003-07-09 Thread Fuller, Stuart



ADMT needs \\targetcomputername\admin$

Good test to see if security is a problem, is to simply try
mapping a drive from the computer running ADMT to the admin$ share (e.g.
net use * \\targetcomputername\admin$).
Make sure that you are logged in on the ADMT computer with the credentials that
the ADMT is running under.

Stuart Fuller
Active Directory
State of Montana



From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 09, 2003 3:59 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

definitely the case of migration account 

have checked the driveletter$ shares - can't from memory
remember the other shares - which one in particular does admt need - admin$,
ipc$ ??



  - Original Message -
  From: John Witasick
  To: [EMAIL PROTECTED]
  Sent: Wednesday, July 09, 2003 10:09 PM
  Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration
  
  Graham,
  
  Some things to check:
  
  Do the Administrative Shares exist on the NT workstations?
  
  Is the administrator account that you are using to migrate 
  the workstations a member of the workstations' local admin group?
  
  John Witasick
  Project Manager - Windows Networking Services Group
  
- Original Message -
From: Graham Turner
To: [EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 4:23 PM
Subject: [ActiveDir] admt 2.0 - nt4 computer migration

Am attempting the migration of computer from NT4 source domain to
Windows2000 target domain.

The migration environment is working fine with windows 2000 professional
clients.

Have got issues with the migration of an NT4 workstation.

The extract from dispatch.log on the admt server is attached from which i am
hoping to get a few clues as to the "access denied".

Have checked the "obvious" issues such as sourcedom\domain admins being a
member of the local administrators group and the computer migration being
run while logged on as a member of that sourcedom\domain admins group.

Thanks
GT
  
  
  
  


RE: [ActiveDir] Acct about to expire?

2003-06-30 Thread Fuller, Stuart
Jenn,

Microsoft has a snap-in dll to ADUC called Additional Account Info.  This
dll gives an additional tab to ADUC that shows all sorts of cool things such
as password expiration, password last set, last logon, SID, GUID, etc..  

We found out about it through the February 27 support WebCast Microsoft
Windows 2000 Server and Windows Server 2003: Password and Account Lockout
Features -
http://support.microsoft.com/default.aspx?scid=kb;en-us;813500&gssnb=1
(Good one to read the transcript)

It is now available directly from Microsoft - see Account Lockout and
Management Tools -
http://microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

-Stuart Fuller
Active Directory
DOA/ITSD
State of Montana

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED] 
Sent: Sunday, June 29, 2003 1:00 PM
To: [EMAIL PROTECTED]

How can you tell with the active directories snap-in when a user's acct is
about to expire?  For example, with the users manager, the change password
option is selected.  Do I need a third party tool or script?
Thanks
Jenn