RE: [ActiveDir] lastlogontimestamp-

2005-06-02 Thread Garello, Kenneth
Steve,

I have just verified that OWA is updating the lastlogontimestamp (Win2003 AD, 
exchange2003 sp1) which is what I was most concerned with. The other issues 
(stored token) should be few and far between so the six month lag should be 
good enough to catch it.

I think we are going to remove the mailbox and then move the Active directory 
account to a special OU pretty much as you are doing. We seem to have a lot of 
account re-enables 2 months after we delete them.

Thanks for your time,

Ken

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

As I understand it, remote NTLM authentication is when someone doesn't log on 
by doing CTRL ALT DEL and putting in a username/password but accesses some 
resource which either prompts for username/password (perhaps a web page or 
email program) or uses the stored token. This doesn't update the 
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students 
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for access 
to this then you know who's accessing the email and (effectively) who's not 
accessing the email - if you have a policy that you must access the email at 
least once per month then you just check the logs each month, build a list of 
those who have accessed; match this against your total list of users and the 
"misses" are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses and 
take and pass exams so our student records people are quite good at keeping 
accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop out, 
leave or get kicked out at any time of the year. If the leaving is planned (eg 
they move away from London) then they are removed cleanly from the system; if 
they just don't turn up for classes for a certain number of weeks (it varies 
but I think it's about 4-6) then they get withdrawn. There's no point for us 
leaving a student on the system if they're not showing for classes - we don't 
get the funding for them (and if we leave them on the system but they don't 
take the exam then that looks even worse - we taught a student for a whole year 
and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to 
"yesterday" and move them to an "expired" OU. If it turns out that (eg) they 
were sick but didn't get round to calling then it's easy to just re-instate the 
account.


Steve

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Garello, Kenneth
> Sent: 02 June 2005 13:45
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] lastlogontimestamp-
> 
> Steve,
> 
> Thanks for the alternate view.  Unfortunately, our business 
> policy is not that simple.  We basically allow for lifetime 
> email as long as the account is active. 
> Do you simply delete the account when a student becomes 
> inactive?  What determines enrollment at your school? (This 
> is a problem in many other areas of the business - did a 
> student leave or is he just not taking classes)
> 
> I would still like to understand what a "remote NTLM 
> Authentication" is.
> 
> 
> Ken
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Steve Rochford
> Sent: Thursday, June 02, 2005 8:17 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] lastlogontimestamp-
> 
> Is it possible to approach this from another way? Do you have 
> any access to enrolled student data? If so, then it might be 
> easier to delete students who are no longer enrolled rather 
> than try and work out those who haven't logged on.
> 
> I have a script that runs at regular intervals and pulls a 
> listing of all student accounts in the AD (and before someone 
> starts worrying, yes, I do use paging :-)) For each account I 
> then run the function below which returns true if the student 
> is still enrolled and false if not. The web page it calls is 
> on a "public" server and it provides very basic info about 
> the student or "N/A" if they're not enrolled. 
> 
> You obviously need someone in your student records section to 
> provide you with such a web page but it shouldn't be a big 
> job for them to do and it then means you can clear accounts 
> for students who are regularly using the system but shouldn't 
> be! (We have an occasional problem with students who try to 
> use the college a
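
The two checks discussed in this thread, as an added example that is not code from the list or any of its posters: it converts lastLogonTimestamp and accountExpires between AD's Integer8 (FILETIME) form and dates, applies the six-month idle rule with the attribute's 14-day update granularity taken into account (lastLogonTimestamp is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval, 14 days by default), and then applies the "plan C" from the thread by dropping from the candidate list anyone who appears in the OWA access log, since remote NTLM logons (OWA, POP3, IMAP) may not refresh the attribute. The account values and log lines are constructed sample data, and the W3C/IIS log layout with a cs-username column is an assumption.

```python
"""Stale-account review: lastLogonTimestamp plus mail-access log cross-check.

Added example, not from the ActiveDir list or any poster. Assumes AD Integer8
values (FILETIME: 100-nanosecond ticks since 1601-01-01 UTC) as exported by an
LDAP query, and an IIS W3C log with a cs-username column. All sample values
and log lines below are constructed.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# lastLogonTimestamp lags a real logon by up to msDS-LogonTimeSyncInterval
# (14 days by default), so add that slack to any "idle for N days" rule.
LOGON_SYNC_SLACK = timedelta(days=14)


def filetime_to_datetime(value):
    """AD Integer8 / FILETIME -> aware UTC datetime; 0 or negative = 'never'."""
    if value <= 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> AD Integer8 / FILETIME (microsecond resolution)."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)


def expire_yesterday_value(now):
    """accountExpires value that expires the account as of 'yesterday', the
    expire-and-move approach from the thread: reinstating is one attribute."""
    return datetime_to_filetime(now - timedelta(days=1))


def users_seen_in_mail_log(lines):
    """Usernames from W3C (IIS) log lines; '-' means anonymous and is skipped."""
    fields, seen = None, set()
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        record = dict(zip(fields, line.split()))
        user = record.get("cs-username", "-")
        if user != "-":
            seen.add(user.lower())
    return seen


def stale_candidates(accounts, mail_users, now, max_idle_days=180):
    """Names with no AD logon for max_idle_days (plus sync slack) and no mail
    access in the log window; sorted for a stable review list."""
    cutoff = now - timedelta(days=max_idle_days) - LOGON_SYNC_SLACK
    stale = []
    for name, ts in accounts.items():
        last = filetime_to_datetime(ts)
        if (last is None or last < cutoff) and name.lower() not in mail_users:
            stale.append(name)
    return sorted(stale)


NOW = datetime(2005, 6, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample accounts: name -> lastLogonTimestamp (Integer8).
SAMPLE_ACCOUNTS = {
    "alice": datetime_to_filetime(datetime(2005, 5, 28, tzinfo=timezone.utc)),
    "bob":   datetime_to_filetime(datetime(2004, 10, 1, tzinfo=timezone.utc)),
    "carol": datetime_to_filetime(datetime(2004, 9, 15, tzinfo=timezone.utc)),
    "dave":  0,   # never logged on via Kerberos / interactive NTLM
}

# Constructed OWA access log (W3C format); bob only ever reads mail via OWA.
SAMPLE_OWA_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2005-05-20 08:15:02 GET /exchange/bob/Inbox/ bob 10.0.0.5 200
2005-05-20 08:15:03 GET /exchweb/img/logo.gif - 10.0.0.5 200
2005-05-21 17:40:11 GET /exchange/alice/Inbox/ alice 10.0.0.9 200
""".splitlines()


def review(now=NOW):
    """Accounts to expire and move to the 'expired' OU on this review run."""
    seen = users_seen_in_mail_log(SAMPLE_OWA_LOG)
    return stale_candidates(SAMPLE_ACCOUNTS, seen, now)


if __name__ == "__main__":
    for name in review():
        print("%s: no AD logon in 180 days and no OWA access; set accountExpires=%d"
              % (name, expire_yesterday_value(NOW)))
```

Run directly, it prints the review list: bob is kept because the log shows OWA use even though AD considers him idle, while carol and dave are absent from both sources and get the accountExpires value written and moved, which leaves reinstatement a one-attribute change rather than a restore.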

RE: [ActiveDir] lastlogontimestamp-

2005-06-02 Thread Garello, Kenneth
Steve,

Thanks for the alternate view.  Unfortunately, our business policy is not that 
simple.  We basically allow for lifetime email as long as the account is 
active. 
Do you simply delete the account when a student becomes inactive?  What 
determines enrollment at your school? (This is a problem in many other areas of 
the business - did a student leave or is he just not taking classes)

I would still like to understand what a "remote NTLM Authentication" is.


Ken


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 8:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Is it possible to approach this from another way? Do you have any access to 
enrolled student data? If so, then it might be easier to delete students who 
are no longer enrolled rather than try and work out those who haven't logged on.

I have a script that runs at regular intervals and pulls a listing of all 
student accounts in the AD (and before someone starts worrying, yes, I do use 
paging :-)) For each account I then run the function below which returns true 
if the student is still enrolled and false if not. The web page it calls is on 
a "public" server and it provides very basic info about the student or "N/A" if 
they're not enrolled. 

You obviously need someone in your student records section to provide you with 
such a web page but it shouldn't be a big job for them to do and it then means 
you can clear accounts for students who are regularly using the system but 
shouldn't be! (We have an occasional problem with students who try to use the 
college as a free "internet café"!)

Steve

function CheckStudent(id)
 ' Ask the student-records web page whether this id is still enrolled.
 Set oXML = CreateObject("Msxml2.ServerXMLHTTP")
 oXML.Open "GET", "http://server.cnwl.ac.uk/checkstatus.asp?id=" & id, False
 oXML.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
 oXML.Send
 ' The page answers "N/A" for a student who is not enrolled and basic
 ' student info otherwise; only an exact "N/A" marks the account for
 ' clearing, so an error page from the server leaves the account alone.
 if oXML.responseText="N/A" then
  CheckStudent=false
 else
  CheckStudent=true
 end if
 Set oXML = nothing
end function 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Garello, Kenneth
> Sent: 01 June 2005 14:05
> To: ActiveDir@mail.activedir.org
> Cc: Toro, Pedro; Poueriet, Jorge
> Subject: RE: [ActiveDir] lastlogontimestamp-
> 
> David,
> 
> After researching, I was unable to decipher what a "remote 
> NTLM Authentication" is.  Can you give me an example of this?
> I am trying to come up with an effective account deletion 
> policy in a school with high turnover.
> 
> 
> Thanks,
> 
> Ken
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] lastlogontimestamp-

2005-06-01 Thread Garello, Kenneth
David,

After researching, I was unable to decipher what a "remote NTLM
Authentication" is.  Can you give me an example of this?
I am trying to come up with an effective account deletion policy in a
school with high turnover.


Thanks,

Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, May 27, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

In 2003 RTM lastLogonTimeStamp gets updated during Kerberos authentications
and interactive NTLM authentications.  Remote NTLM auths do not cause it to
be updated.  There was talk to get this changed in SP1.

> -Original Message-
> To make matters worse, there is a fix out there somewhere 
> that causes ntlm auth to actually update this field (or am I 
> just dreaming it? :)

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Backups...

2005-02-21 Thread Garello, Kenneth
Found this on the web

http://www.dlttape.com/DLTtape/Backup+Basics/Media+Calculator.htm

Ken

From: Jason B [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 17, 2005 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Backups...

Slightly OT for an AD forum, but since I've seen so much great advice flow
through this list, and we're populated with Sys Admins (who are frequently in
charge of backups) I figured I'd throw it out there.

We have two Dell Tape autoloaders that have 8 slots (7 DLT IV + 1 cleaning
tape).  One of the autoloaders exclusively handles Exchange backups, the other
is for backup of our NAS and Samba file shares.  Each DAT tape can hold
70-80GB compressed and we have ~280GB of data to be backed up on multiple file
servers (NAS, Samba shares and others).  We use CA's Brightstor ArcServe for
backups (yuck - I MUCH prefer BackupExec, and almost prefer NTBackup to
ArcServe, but I'm deviating).  Right now, all that's done is load 7 tapes in
there and perform a full backup on Friday and incremental M-Th, and then
overwrite that each week - not desirable.  I just acquired ~30 additional new
tapes (DLT IV) and want to see a few common backup rotations (like GFS) that
would work for us.  Does anyone know of any "Backup calculators" where you
can put in the amount of data you have to back up, the time you want to have
backups for (like, say 3 months), etc...  and have it make some
recommendations?  I've seen some web-based tools like this, and IIRC,
BackupExec had one built in, but I can't seem to find any.

Does anyone know of any?

Thanks.

RE: [ActiveDir] OT: Exchange Mail Forwarding

2005-01-19 Thread Garello, Kenneth
I provide all services.  I provide OWA as a student email client against
exchange 2000.
Alumni are considered the same as regular students.  The accounts are
essentially perpetual.


Ken
-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 18, 2005 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Mail Forwarding

Are you providing any mail services for the students, or just a
forwarding service? Or do you provide one level of service for the
current students, and a lesser level for alumni?

Hunter 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Garello,
Kenneth
Sent: Tuesday, January 18, 2005 6:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange Mail Forwarding

I'm looking to provide students in my college a way to set up mail
forwarding using a web interface. I don't want to provide outlook to the
students.
I am utilizing exchange 2000 (soon upgrading to 2003).

I have investigated creating an asp.net application via
adsi/directoryentry, but it is proving to be too complex for my
experience.

Does anyone have any ideas?

Thanks,

Ken

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] OT: Exchange Mail Forwarding

2005-01-18 Thread Garello, Kenneth
I'm looking to provide students in my college a way to set up mail
forwarding using a web interface. I don't want to provide outlook to the
students.
I am utilizing exchange 2000 (soon upgrading to 2003).

I have investigated creating an asp.net application via
adsi/directoryentry, but it is proving to be too complex for my
experience.

Does anyone have any ideas?

Thanks,

Ken

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Windows XP automatic profile deletion suggestions

2004-10-27 Thread Garello, Kenneth
Local profiles are deleted automatically for anyone belonging to the local
guest group.

Ken

From: Stockbrugger, Brian L. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 26, 2004 4:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Windows XP automatic profile deletion suggestions

We have many labs that many students use and in this one particular lab we do
not have any desktop controls (DeepFreeze, Fortress or even strict GPO’s) set
for a number of reasons.  Most of the students do not have a home folder to
redirect roaming profiles to and we would rather not set that up.  We want to
get away from having them log in using a generic user account.  So I am
looking for an easy way to automatically delete the user profile upon logout
so the machine does not accumulate many profiles over time.  I have done this
using Terminal Services and Citrix.  For those students that have home folders
we are implementing roaming profiles to fix this but we really do not want to
add the rest of these students into that category.  My goal is to have them
login with their unique userid and then once they logout the profile is
deleted either with a script or some other unknown mechanism that escapes me
right now.

Any suggestions?

Thanks -- Brian

RE: [ActiveDir] OT Received Packets

2003-10-08 Thread Garello, Kenneth
I think someone mentioned previously that it is possible that the wrong
adapter might be chosen.

Justin,
 Make sure that you are not choosing the dial up adapter that always appears
in the list.  That should be apparent though, because you would receive at
most two packets.  Other than that you should still see the occasional
broadcasts regardless of promiscuous mode.

Ken

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 08, 2003 8:01 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT Received Packets

Let's leave NIC's private life out of this, ok?

The NIC shouldn't need to go promiscuous for the simple fact that he's
trying to find packets that are hitting that box - so its only got to see
traffic that's destined for it. The flip side of that is that I don't
remember the last NIC I bought which couldn't go promiscuous, so I doubt
that's the issue, unless its an OLD POS model.

I'm thinking it might actually be a filter in NetMon that's causing the
issue - but I don't know exactly why.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 07, 2003 9:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT Received Packets
> 
> 
> Total and complete speculation as I can't imagine in my 
> wildest dreams as to
> why NetMon isn't picking up all of these 1000's of packets 
> that Justin is
> seeing.  The shim isn't able to read?  
> 
> Yeah, I've seen some pretty messed up stuff in NetMon as 
> well.  In fact, the
> reverse is true - I've seen stuff in NetMon that Ethereal 
> wasn't able to
> correctly read.
> 
> I suspect that the biggest issue is that the NIC is not promiscuous. 
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Tuesday, October 07, 2003 8:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT Received Packets
> 
> Yes. :o)
> 
> I have not heard of ethereal being able to pick up packets that netmon
> can't. Have you positive experience of this or is it theory? 
> I have seen
> some pretty hokey packets in netmon. 
> 
>   joe
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Tuesday, October 07, 2003 8:50 PM
> To: [EMAIL PROTECTED]
> 
> Joe,
> 
> If the NIC can't get into promiscuous mode, won't it ignore 
> packets that are
> *not* addressed to it?  IOW, a packet comes in for another 
> machine.  It
> notes that the packet came in (via the stats at the In - Out [which, I
> question to some degree anyway]) but it's not for me.  
> Because I'm not in
> promiscuous mode, I don't (can't) copy it, so I drop it.  
> Because it wasn't
> copied, it's not passed to the NetMon shim.  However, a 
> packet the *IS*
> addressed to me shows up and is passed up the stack and is 
> read as well by
> the NetMon shim.  This one shows up in the trace buffer.
> 
> Also, isn't it possible that the packets that are showing up 
> at Justin's
> system are corrupted?  NetMon may or may not deal with it 
> properly (can't answer
> that one, honestly). Ethereal does, however, present even the corrupt
> packets with some ability to determine what might be the 
> problem.  The Pcap
> module does seem to be a bit ahead of the shim that NetMon uses.
> 
> Yes, I know - but if the packets show up in the in-out 
> counter on Justin's
> system, but no one else's - they must be destined for his 
> system.  Heck, I
> dunno.  Me, I'm just one of the team here, and I'm counting 
> on my supporting
> cast.  Rick can't do everything (to paraphrase the football
> commercial.)
> 
> ;p
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Tuesday, October 07, 2003 6:55 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT Received Packets
> 
> Shouldn't need to NETMON will see everything Ethereal will. 
> If the traffic
> is hitting that NIC, it should be visible in NETMON unless 
> the NIC can't go
> into promiscuous mode. Even still, anything addressed to that 
> machine should
> be visible. 
> 
>   joe
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
> Sent: Tuesday, October 07, 2003 4:55 PM
> To: [EMAIL PROTECTED]
> 
> Salandra, Justin A. wrote:
> > I am watching my interface in netmon and there is nothing 
> coming up.  
> > I see other traffic on the network.
> 
> You could install Ethereal (http://www.ethereal.com) which 
>
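
What a non-promiscuous NIC hands to a capture tool, as an added example that is not from the list thread or any poster: it classifies constructed Ethernet frames the way a card's receive filter does. Without promiscuous mode only frames addressed to the card's own MAC, to the broadcast MAC, or to a multicast group (simplified here to "any multicast") reach the stack and the capture driver (the NetMon shim in the thread); unicast frames for other hosts are dropped first even though the adapter's packet counters still count them. It also labels the visible frames by type (ARP, IPv4/ICMP, IPv4/TCP), which is the first triage step for an unexplained inbound packet count. The MAC addresses, IPs and frames are constructed, not from a real capture.

```python
"""Receive-filter model: which frames a capture sees in each NIC mode.

Added example, not from the ActiveDir list or any poster. All addresses and
frames below are constructed sample data.
"""
import struct
from collections import Counter

BROADCAST = b"\xff\xff\xff\xff\xff\xff"
ETHERTYPE = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_header(proto, src_ip, dst_ip):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src_ip, dst_ip)


def build_frame(dst_mac, src_mac, ethertype, payload=b""):
    """Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def classify(frame):
    """Short label such as 'ARP' or 'IPv4/ICMP' for triage of what is arriving."""
    (etype,) = struct.unpack("!H", frame[12:14])
    label = ETHERTYPE.get(etype, "0x%04x" % etype)
    if etype == 0x0800 and len(frame) >= 14 + 20:
        proto = frame[14 + 9]          # IPv4 'protocol' field sits at offset 9
        label += "/" + IP_PROTO.get(proto, "proto%d" % proto)
    return label


def nic_would_deliver(frame, own_mac, promiscuous=False):
    """Receive-filter decision: does this frame reach the host's stack/capture?"""
    dst = frame[:6]
    if promiscuous or dst == own_mac or dst == BROADCAST:
        return True
    return bool(dst[0] & 0x01)   # I/G bit set: multicast (joined groups assumed)


def summarize(frames, own_mac, promiscuous=False):
    """Counts of visible frames by label, plus how many the filter dropped."""
    visible, dropped = Counter(), 0
    for frame in frames:
        if nic_would_deliver(frame, own_mac, promiscuous):
            visible[classify(frame)] += 1
        else:
            dropped += 1
    return {"visible": visible, "dropped": dropped}


def ip(dotted):
    """Dotted-quad text -> 4 packed bytes."""
    return bytes(int(o) for o in dotted.split("."))


# Constructed sample: our laptop plus two other hosts on the same segment.
OWN_MAC = bytes.fromhex("001122334455")
HOST_A = bytes.fromhex("00aabbccddee")
HOST_B = bytes.fromhex("00a1b2c3d4e5")
IPV6_MCAST = bytes.fromhex("333300000001")

SAMPLE_FRAMES = [
    build_frame(BROADCAST, HOST_A, 0x0806),                                            # ARP request
    build_frame(OWN_MAC, HOST_A, 0x0800, ipv4_header(1, ip("10.0.0.7"), ip("10.0.0.5"))),  # ICMP to us
    build_frame(HOST_B, HOST_A, 0x0800, ipv4_header(6, ip("10.0.0.7"), ip("10.0.0.9"))),   # TCP A->B
    build_frame(HOST_B, HOST_A, 0x0800, ipv4_header(1, ip("10.0.0.7"), ip("10.0.0.9"))),   # ICMP A->B
    build_frame(IPV6_MCAST, HOST_B, 0x86DD),                                           # IPv6 multicast
]

if __name__ == "__main__":
    for mode in (False, True):
        r = summarize(SAMPLE_FRAMES, OWN_MAC, promiscuous=mode)
        print("promiscuous=%s visible=%s dropped=%d"
              % (mode, dict(r["visible"]), r["dropped"]))
```

Run as-is, the non-promiscuous pass shows three visible frames and two dropped, the promiscuous pass shows all five; the difference is exactly the gap between an adapter's "received" counter and what a capture on that host can show when the card cannot go promiscuous.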

RE: [ActiveDir] OT Received Packets

2003-10-06 Thread Garello, Kenneth
Are they arps?  Blaster or Nachi?

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 06, 2003 2:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT Received Packets

No no peer to peer software running.

 -Original Message-
From:   Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent:   Monday, October 06, 2003 2:35 PM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] OT Received Packets

My first thought was that it might be machine policy, but it sounds like the traffic
is fairly continuous, as opposed to just after boot.

Are you running any p2p software?

-g


-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 06, 2003 10:47 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT Received Packets


Netmon is gathering traffic but not showing all the packets that I am
receiving.

I am finding these numbers by going into Network and clicking on the status
of my network connection.  Right now I have 29,000 packets received and
5,000 sent and my laptop has been on for an hour.

 -Original Message-
From:   Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent:   Monday, October 06, 2003 1:26 PM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] OT Received Packets

"I have run network monitor and  can not find what the traffic is that I am
receiving."

Meaning that NETMON is not showing any traffic? Or that NETMON can't
identify the traffic?

How are you determining that you are actually receiving this traffic?
PERFMON?

-gil


-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 06, 2003 5:39 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT Received Packets


This a little off topic, but I have to ask.  My Laptop within minutes of
being turned on receives over 7,000 packets and sends only 300 or so.  In 15
minutes I will have over 30,000 received packets.  My computer is the only
one this is happening to.

I have run network monitor and  can not find what the traffic is that I am
receiving.  I have run an antivirus scan on my computer with updated DAT
files and found nothing.  I have looked at my services and did not find
anything different.

This only happens on my work network, not at home.  Does anyone have any
ideas?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]  

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Incredibly slow log on

2003-09-25 Thread Garello, Kenneth
Do the same users log on to both NT systems and windows 2000 systems?
If so I have seen the following problem create very long logons due to
profile problems -> Q271518


Ken


-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 25, 2003 1:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Incredibly slow log on

Mark-
When these strange slowdowns happen, I usually find it helpful to enable
userenv logging on the workstation. The problems could be a combination
of GPO processing and profile downloading. The fact that NT clients
don't have a problem points towards a possible hangup in GPO processing,
since NT doesn't process GPOs. Check out
http://support.microsoft.com/default.aspx?scid=kb;en-us;221833 to enable
verbose userenv logging and then take a look at the resulting log file.
The events in there are time-stamped, with the tail of the file being
the most recent events. Look for long lag times in between events. If
you need help interpreting the file, go ahead and send me an email off
line.

Good luck,

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Thursday, September 25, 2003 1:37 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Incredibly slow log on


Just wondering if anyone else has encountered this problem.

We have just installed a small external office with some new clients.
They authenticate with the AD across a 512Mb fixed line. There are the
"usual" encryption/firewall devices between the two sites.

When logging on in the office with an administrative account which has no
associated scripts, the logon process is quick and painless. The admin
accounts also have no roaming profiles to worry about. However, when
logging on with a user account, which does have a script and roaming
profile (max size 8MB) associated with it, the logon process can take 25
minutes and generally the roaming profile is not successfully retrieved.

A couple of old NT clients left in the office that authenticate with an
NT domain controller across the same line through the same
encryption/firewall devices have no such problems at all.

What I would like to ask is what part of the W2K environment could be
causing such slow responses across this line? The clients are XP. Is
there some tweak that could speed up the data exchange? I have been
discussing it internally and mention has been made of whether the
communication is UDP or TCP. I have to admit complete ignorance of what
this means. But it seems communication can be defaulted to one or the
other, which has an impact. I really am clueless though.

I probably won't get any replies to this but am just curious as to what
could possibly be contributing to the problem.

Many thanks for any pointers.

Mark
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
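
The log reading Darren describes, as an added example that is not from the list thread or any poster: it parses verbose userenv.log lines, assumed to be laid out as `USERENV(pid.tid) HH:MM:SS:mmm message` with hex process and thread ids, and reports the largest gaps between consecutive events. Gaps are measured per thread because the Group Policy and profile code paths interleave in the file, and a wrap past midnight is handled. The message texts and timings are constructed sample lines, not a real log.

```python
"""Find the slow step in a verbose userenv.log by timing gaps per thread.

Added example, not from the ActiveDir list or any poster. Assumes the
line layout 'USERENV(pid.tid) HH:MM:SS:mmm message'; sample lines below
are constructed.
"""
import re

LINE_RE = re.compile(
    r"^USERENV\((?P<thread>[0-9a-fA-F]+\.[0-9a-fA-F]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+(?P<msg>.*)$"
)
DAY_MS = 24 * 3600 * 1000


def parse_userenv(lines):
    """Return [(thread, ms_since_midnight, message)], skipping malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        t_ms = ((int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])) * 1000
                + int(m["ms"]))
        events.append((m["thread"], t_ms, m["msg"]))
    return events


def find_gaps(events, min_gap_ms=5000):
    """Consecutive same-thread events at least min_gap_ms apart, largest first.
    Each entry is (gap_ms, thread, message_before, message_after)."""
    last_seen = {}
    gaps = []
    for thread, t_ms, msg in events:
        if thread in last_seen:
            prev_t, prev_msg = last_seen[thread]
            delta = t_ms - prev_t
            if delta < 0:                 # timestamps wrapped past midnight
                delta += DAY_MS
            if delta >= min_gap_ms:
                gaps.append((delta, thread, prev_msg, msg))
        last_seen[thread] = (t_ms, msg)
    return sorted(gaps, reverse=True)


# Constructed sample: a GPO search that stalls and a profile copy that crawls.
SAMPLE_USERENV_LOG = """\
USERENV(3b0.3b4) 09:45:17:781 ProcessGPOs: Starting user Group Policy (Background) processing
USERENV(3b0.3b4) 09:45:17:796 GetGPOInfo: Entering
USERENV(3b0.5c8) 09:45:18:000 RestoreUserProfile: Entering
USERENV(3b0.3b4) 09:45:17:812 SearchDSObject: Searching <OU=Students,DC=example,DC=test>
USERENV(3b0.3b4) 09:46:02:140 SearchDSObject: Found GPO: <Student Lab Policy>
USERENV(3b0.3b4) 09:46:02:156 ProcessGPOs: Processing extension Scripts
USERENV(3b0.3b4) 09:46:02:171 ProcessGPOs: User Group Policy has been applied
USERENV(3b0.5c8) 10:08:41:500 RestoreUserProfile: Leaving with a value of 1
""".splitlines()

if __name__ == "__main__":
    for gap_ms, thread, before, after in find_gaps(parse_userenv(SAMPLE_USERENV_LOG)):
        print("%8.1f s  thread %s\n    after : %s\n    before: %s"
              % (gap_ms / 1000.0, thread, before, after))
```

On the sample the profile thread's 23-minute gap tops the list, followed by the 44-second directory search, which is the kind of ordering that separates a profile-download problem from a GPO-processing one before anyone starts changing transport settings.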


RE: [ActiveDir] slow guid resolution

2003-07-23 Thread Garello, Kenneth
Joe,

Thanks for the correction.  That was indeed why the article mentioned in
another post was not found.

The particular directories that I am referring to are primarily user's
personal directories.  Each directory has 1 group (domain administrators)
and 1 user assigned in the ACL.  It is the user resolution that takes >15
seconds.

This issue and quota management are the only places that the problem is
evident.  It makes the quota management interface virtually useless.

I will investigate the DNS possibility further.

Thanks again all,

Ken

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2003 9:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] slow guid resolution

First off, it is a SID translation not a GUID translation, retry your
searches based on that as I'm sure that confused the matter.

How many security principals do you have in the ACL chain? If it is
greater than 6 or 7 you probably need to start looking at a better
security structure utilizing groups instead of userids being directly
added to ACL's. 

Also when you list group memberships on a member machine that has
members from the other domains do you see a delay or errors?

Finally as with almost all issues around AD that are based symptoms of
going slow, are you sure your DNS system is all working properly? Have
you done a network trace to see if DNS queries are being made that are
being responded to with unknown name or possibly not being responded to?
While you have the network sniffer out I would also look at the trace to
see if there are any obvious delays between requests and responses
between the client and the server(s). 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Garello,
Kenneth
Sent: Tuesday, July 22, 2003 10:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] slow guid resolution


I'm just wondering if anyone experiences this same issue.  I never got
any feedback.

Ken

-Original Message-
From: Garello, Kenneth [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 02, 2003 3:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] slow guid resolution

I have an active directory forest with 1 parent domain and two child
domains which I upgraded from Winnt 4.0.

The parent and one of the child domains are running in native mode. All
of my servers belong to the parent domain. When I view or modify
permissions on a server directory, guid->name resolution for id's that
are on the child domain take > 15 seconds. This also happens when I
view quotas.

Is this expected behavior?  If not, what should I look at?

I have done extensive research on ms support.

TIA

Ken
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
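
The SID side of Joe's correction, as an added example that is not from the list thread or any poster: the permissions dialog stores each principal as a SID and translates it back to a name, and the SID's domain identifier (everything before the last sub-authority, the RID) says which domain issued it. The example decodes binary SIDs to their S-1-5-... text form and back, splits off the RID, and maps each entry of a constructed ACL to the domain that has to answer for it, which is the first thing to know before blaming DNS, GC placement or ACL depth for a 15-second translation. The domain SIDs and ACL entries are constructed sample values.

```python
"""Decode ACL SIDs and attribute each one to the domain that issued it.

Added example, not from the ActiveDir list or any poster. Domain SIDs and
ACL entries below are constructed sample values, not from a real forest.
"""
import struct


def sid_bytes_to_string(data):
    """Binary SID (as stored in a security descriptor) -> 'S-1-5-21-...' text."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")                  # 48-bit big-endian
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])   # little-endian DWORDs
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(sid):
    """'S-1-5-21-...' text -> binary SID; inverse of sid_bytes_to_string."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(sid):
    """Split 'S-1-5-21-a-b-c-1105' into ('S-1-5-21-a-b-c', 1105)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


# Constructed domain SIDs for a forest shaped like the one in the thread.
KNOWN_DOMAINS = {
    "S-1-5-21-1111-2222-3333": "parent (resource domain, servers live here)",
    "S-1-5-21-4444-5555-6666": "child account domain 1",
    "S-1-5-21-7777-8888-9999": "child account domain 2",
    "S-1-5-32": "BUILTIN (resolved on the local machine)",
}

# Constructed ACL of a personal directory: one group, one user, one local group.
SAMPLE_ACL_SIDS = [
    "S-1-5-21-1111-2222-3333-512",   # Domain Admins (RID 512) of the parent
    "S-1-5-21-4444-5555-6666-1105",  # the directory owner's user account
    "S-1-5-32-544",                  # BUILTIN\Administrators
]


def domains_to_consult(acl_sids, known_domains=KNOWN_DOMAINS):
    """Map each ACL SID to the domain that issued it (or 'unknown'), so a slow
    name translation can be tied to one domain's DCs instead of guessed at."""
    result = {}
    for sid in acl_sids:
        domain_sid, _ = split_domain_rid(sid)
        result[sid] = known_domains.get(domain_sid, "unknown")
    return result


if __name__ == "__main__":
    for sid, issuer in domains_to_consult(SAMPLE_ACL_SIDS).items():
        print("%-32s -> %s" % (sid, issuer))
```

The ACL entry that resolves slowly in the thread is the user from a child domain, and the decoder shows why that entry differs from the group: its domain identifier belongs to a domain other than the one the file server sits in, so its translation depends on reaching a domain controller that holds that account, while the BUILTIN entry never leaves the server.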


RE: [ActiveDir] slow guid resolution

2003-07-22 Thread Garello, Kenneth
Thank you for your responses.

My account domains each have 2 DCs and each is GC
In my resource domain (DNS parent), I just have one GC

If I am performing a task on a resource computer (file server/non DC) such
as viewing directory ACLs, does the GC of the domain that the computer
exists in get queried, or does the GC of the domain that the user account
exists in get queried?

All computers are connected by a high speed network ~100MB

Ken

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2003 10:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] slow guid resolution

I'd suspect the delay is caused by the system trying to convert the SID's
back to the account name, which is normal.

I'd expect that the delay is caused by too few Global Catalog servers, but
that's not necessarily the case. How are your GC's laid out?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Garello, Kenneth [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, July 22, 2003 10:21 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] slow guid resolution
> 
> 
> I'm just wondering if anyone experiences this same issue.  I 
> never got any
> feedback.
> 
> Ken
> 
> -Original Message-
> From: Garello, Kenneth [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, July 02, 2003 3:57 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] slow guid resolution
> 
> I have an active directory forest with 1 parent domain and 
> two child domains
> which I upgraded from Winnt 4.0.
> 
> The parent and one of the child domains are running in native 
> mode. All of
> my servers belong to the parent domain.
> When I view or modify permissions on a server directory, guid->name
> resolution for id's that are on the child domain take > 15 seconds.
> This also happens when I view quotas.
> 
> Is this expected behavior?  If not, what should I look at?
> 
> I have done extensive research on ms support.
> 
> TIA
> 
> Ken
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 

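As an added example that is not part of the thread, the following Python decodes the SIDs that sit in an ACL (the "guid" in Ken's subject is the SID in each ACE, as Roger points out) and sorts them by who has to answer the name lookup: the resource domain's own DC, a Global Catalog for SIDs from the other domains in the forest, or nothing in the forest at all. The domain SIDs and the ACL entries are constructed sample values.

```python
"""SID triage for the cross-domain lookup question in this thread.

Added example, not code from the list. A SID-to-name lookup made from a
member server is sent to a DC of the server's own domain; that DC answers
for its own domain from its local database, while SIDs from the other
domains in the forest are resolved against a Global Catalog. Sorting the
SIDs of an ACL into those buckets shows which entries depend on the GC.
All SIDs below are constructed sample values.
"""
import struct
from typing import Dict, List, Tuple


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID (objectSid / security-descriptor form) to S-1-... text."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("not a valid revision-1 SID header")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit identifier authority
    subs = struct.unpack("<%dI" % count, raw[8:])    # little-endian sub-authorities
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Encode S-1-... text back to the binary layout (inverse of sid_from_bytes)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID string %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID fields out of range in %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(sid: str) -> Tuple[str, int]:
    """For a domain account SID S-1-5-21-a-b-c-RID return (domain SID, RID);
    anything else (well-known SIDs, a bare domain SID) returns (sid, -1)."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return sid, -1


def classify(sid: str, local_domain: str, forest_domains: List[str]) -> str:
    """Where the lookup for this SID has to go:
       'well-known'      resolved on the member server itself (S-1-1-0, BUILTIN, ...)
       'local-domain'    the resource domain's own DC answers from its own database
       'forest-gc'       another domain in the forest: the DC has to ask a Global Catalog
       'outside-forest'  not in the forest (external trust or orphaned SID); nothing
                         in the forest's own data can resolve it"""
    domain, rid = split_domain_rid(sid)
    if rid < 0:
        return "well-known"
    if domain == local_domain:
        return "local-domain"
    if domain in forest_domains:
        return "forest-gc"
    return "outside-forest"


def triage_acl(sids: List[str], local_domain: str, forest_domains: List[str]) -> Dict[str, List[str]]:
    """Group the SIDs of an ACL by where they resolve; the 'forest-gc' bucket is
    the set of entries whose display time depends on GC placement and reachability."""
    buckets: Dict[str, List[str]] = {}
    for sid in sids:
        buckets.setdefault(classify(sid, local_domain, forest_domains), []).append(sid)
    return buckets


# Constructed sample forest: parent (resource) domain plus two child domains.
PARENT = "S-1-5-21-1000-2000-3000"
CHILD_A = "S-1-5-21-4000-5000-6000"
CHILD_B = "S-1-5-21-7000-8000-9000"
FOREST = [PARENT, CHILD_A, CHILD_B]

# Constructed ACL as it might be read off a file server in the parent domain.
SAMPLE_ACL = [
    "S-1-1-0",                  # Everyone
    "S-1-5-32-544",             # BUILTIN\Administrators
    PARENT + "-512",            # Domain Admins of the resource domain
    PARENT + "-1104",           # a user in the resource domain
    CHILD_A + "-1105",          # a user in child domain A
    CHILD_B + "-1201",          # a group in child domain B
    "S-1-5-21-11-22-33-1001",   # SID from a domain outside the forest
]

if __name__ == "__main__":
    for bucket, members in sorted(triage_acl(SAMPLE_ACL, PARENT, FOREST).items()):
        print("%-15s %s" % (bucket, ", ".join(members)))
    # Round-trip one entry through the binary form stored in objectSid / the ACE.
    raw = sid_to_bytes(CHILD_A + "-1105")
    print(raw.hex(), "->", sid_from_bytes(raw))
```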

RE: [ActiveDir] slow guid resolution

2003-07-22 Thread Garello, Kenneth
I'm just wondering if anyone experiences this same issue.  I never got any
feedback.

Ken

-Original Message-
From: Garello, Kenneth [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 02, 2003 3:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] slow guid resolution

I have an active directory forest with 1 parent domain and two child domains
which I upgraded from Winnt 4.0.

The parent and one of the child domains are running in native mode. All of
my servers belong to the parent domain.
When I view or modify permissions on a server directory, guid->name
resolution for id's that are on the child domain take > 15 seconds.
This also happens when I view quotas.

Is this expected behavior?  If not, what should I look at?

I have done extensive research on ms support.

TIA

Ken


[ActiveDir] slow guid resolution

2003-07-02 Thread Garello, Kenneth
I have an active directory forest with 1 parent domain and two child domains
which I upgraded from Winnt 4.0.

The parent and one of the child domains are running in native mode. All of
my servers belong to the parent domain.
When I view or modify permissions on a server directory, guid->name
resolution for id's that are on the child domain take > 15 seconds.
This also happens when I view quotas.

Is this expected behavior?  If not, what should I look at?

I have done extensive research on ms support.

TIA

Ken


RE: [ActiveDir] AD upgrade

2003-07-02 Thread Garello, Kenneth
The issue I had was the problem of win2000 clients only contacting the
win2000 DC after upgrading - I didn't realize it so when I brought the
win2000 DC down, w2k clients could not authenticate to NT DC's.
I've heard that this may have been fixed with recent service packs.

Ken

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 02, 2003 9:02 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD upgrade 

Brenda,
Thank you. I had no specific issues of concern. I was just looking for
feedback from someone who had gone through the process, something to give me
a little heads up on what the users may experience during the upgrade.

-Original Message-
From: Brenda Frazier [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 19:35
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD upgrade 


Cindy,

We were in a similar situation.  We did our upgrade on a Saturday morning
advising our users there would be periodic, but short outages as we were
upgrading the domain.  As long as one NT4 domain controller and DNS/WINS
server was available, all were happy.  Unless your PDC and DNS servers have
resources the users need access to, the users probably won't notice anything
until they see the Directory icon show up under My Network Places\Entire
Network, providing you aren't immediately using and applying GPOs.

Monday morning the users came in and logged on using their usual
(Pre-Windows 2000) logon with no problems.  We stayed in mixed mode for a
few months until we were able to retire the NT4 DCs.  Only the very
observant noticed security policies were being applied to the workstations
as they started finding the AD domain controllers.  The other thing that
cropped up was we had to remind the users not to change their password while
logged on to multiple machines.

Do you have a particular issue you are concerned with?

Brenda Frazier
Systems Engineer

Belkin Corporation
Information Services
310 604-2030
310 604-2022 fax
www.belkin.com


-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 6:38 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD upgrade 


I finally have a date set for my AD upgrade. It will be an in-place upgrade
of our NT domain. I've done this procedure 3 times in my test lab and I'm
95% confident. What I don't know is what impact the upgrade process will
have on our end users accessing network resources during the upgrade
process. DHCP and WINS are on member servers, but our DNS server will be
promoted to a DC immediately after the PDC upgrade is complete. Are there
any specific issues I should be aware of? I have a 7x24 network (don't we
all), so taking the network down is not a viable option.
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602





RE: [ActiveDir] OT:(maybe) Distribution list problems

2003-06-13 Thread Garello, Kenneth
Well…

I experimented with the KB article 323749.

I bound directly to one of the distribution lists that I was having problems
with and set the security descriptor as the knowledge base instructed – I was
then able to modify the message restrictions list. But I was then also able
to modify my other dist lists. The way the bind to the object intimates that
it is object specific.

I am still also confused about why an Enterprise Administrator cannot modify
without setting that parameter.

If anyone has any insight I'd appreciate hearing it.

Ken

-Original Message-
From: Garello, Kenneth [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 12, 2003 8:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:(maybe) Distribution list problems

Bill,

Thanks for the knowledge base number - I would never have posted a question
on this list if I had not felt that I had researched it to the best of my
ability. I must have filtered my search poorly.

That being said, I am not sure that this applies to me as I am attempting to
modify the distribution group as an Enterprise admin as well as an exchange
administrator, but I will research this and hopefully it will apply.

Ken

-Original Message- 
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED] 
Sent: Thu 6/12/2003 4:27 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] OT:(maybe) Distribution list problems

Ken, 

Took about 30 seconds to find knowledge base article 323749 on TechNet - did
you look? 

R/Bill 

-Original Message- 
From: Garello, Kenneth [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 12, 2003 2:32 PM 
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:(maybe) Distribution list problems 

I have an active directory forest with 1 parent domain and two child domains
which I upgraded from Winnt 4.0.

The parent and one of the child domains are running in native mode.
I have an exchange2000/exchange5.5 mixed mode environment in which some 5.5
distribution lists were upgraded into the parent domain (native AD) as
universal distribution lists.

I have had no issues with maintenance of the distribution lists until
recently. If I try to add a name from any of the domains to the "Accept
Message Only from" list and click "apply", I receive a "constraint
violation" 8007202F. The box is titled "Active Directory - Exchange
extension". 

Does anyone have any idea how to troubleshoot this error? 

There are no event messages that give me any insight.

Thanks, 

Ken 


[ActiveDir] OT:(maybe) Distribution list problems

2003-06-12 Thread Garello, Kenneth
I have an active directory forest with 1 parent domain and two child domains
which I upgraded from Winnt 4.0.

The parent and one of the child domains are running in native mode.
I have an exchange2000/exchange5.5 mixed mode environment in which some 5.5
distribution lists were upgraded into the parent domain (native AD) as
universal distribution lists.

I have had no issues with maintenance of the distribution lists until
recently.  If I try to add a name from any of the domains to the "Accept
Message Only from" list and click "apply", I receive a "constraint
violation" 8007202F. The box is titled "Active Directory - Exchange
extension".

Does anyone have any idea how to troubleshoot this error?

There are no event messages that give me any insight.

Thanks,

Ken


RE: [ActiveDir] Exchange 5.5 and active directory connector errors

2003-06-06 Thread Garello, Kenneth
That message comes up if the install account does not have the proper
privileges.

I used the exchange 5.5 service account which is a domain administrator to
install.

Ken

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 05, 2003 2:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange 5.5 and active directory connector errors

Have you set up all your connection agreements correctly to replicate two way
from exchange 5.5 to AD?

Have you set up a Public Folder Connection Agreement?

-Original Message-
From: Rick Reynolds [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 2:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange 5.5 and active directory connector errors

While trying to install Exchange 2000 where the active directory is installed,
I keep getting the following error. 

Setup has detected that the Exchange 5.5 site your server belongs to has not
replicated to the Active Directory yet. You can either wait for replication to
complete and try the upgrade again or upgrade a server from a site that has
already been replicated to the AD.

I have tried all that I can find on the microsoft knowledge base, and am
trying here before I spend the money to call Microsoft. 


RE: [ActiveDir] Mixed to Native and Exchange 2000

2003-04-01 Thread Garello, Kenneth
My apologies - I could have sworn I read otherwise.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2003 10:08 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Mixed to Native and Exchange 2000

That's incorrect. Using the move mailbox command preserves SIS.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Garello, Kenneth [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 01, 2003 9:16 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Mixed to Native and Exchange 2000
> 
> 
> The only problem is that single instance storage benefits are 
> lost. So you may experience a large increase in disk requirements.
> 
> -Original Message-
> From: Craig Cerino [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 01, 2003 7:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Mixed to Native and Exchange 2000
> 
> We went along the lines of Option 1 as well - worked like a 
> charm for us. It's also a good way for you to be sure that 
> the new email server is built to specs (yours or industry 
> standards) if the previous machine was built before you were 
> with your organization. This was the case with me and our old 
> box was a PIG. 
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 01, 2003 7:30 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Mixed to Native and Exchange 2000
> 
> I agree.  Option 1 worked for me.  I think they called it 
> leap frogging or something like that :-)
> 
> >  from:Missy Koslosky <[EMAIL PROTECTED]>
> >  date:Tue, 01 Apr 2003 05:13:06
> >  to:  [EMAIL PROTECTED]
> >  subject: Re: [ActiveDir] Mixed to Native and Exchange 2000
> > 
> > I'd go with option 1 - the moving train (or whatever it's called these
> > days).  Tony Redmond wrote an article about this a few years ago that
> > should be available in the archives of www.winnetmag.com somewhere.
> > 
> > I do a lot of migrations, and this is the method we choose most of the
> > time.
> > Missy Koslosky
> > - Original Message -
> > From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, March 31, 2003 2:55 PM
> > Subject: [ActiveDir] Mixed to Native and Exchange 2000
> > 
> > 
> > I had a beef fillet marinated in Guinness this weekend, it was actually
> > kind of sweet tasting.  So I recommend that or a nice piece of buffalo
> > filet marinated in Guinness for your AD Native Mode celebration.
> > 
> > We converted to Native Mode last year on many of our AD Domains.  Now
> > is the pain of ADCing and In-place upgrading to Exchange 2000.
> > 
> > Just for the record, how many of you all in-place upgraded your
> > Exchange 5.5 Servers and org to Exchange 2000.  I am really concerned
> > about us doing this because we have Exchange 5.5 Servers with IS's in
> > the 60 to 100 Gig range, and I feel if we have a problem doing an
> > in-place upgrade on a server, we would have to do a disaster recovery
> > of the server in a limited time window.  In addition it will take us
> > some time to get all the servers upgraded to 2000, and we will have
> > some server consolidations to contend with.  What has everyone else's
> > experience been doing this?  Has in-place upgrading Exchange 5.5
> > servers with large IS been pretty non-eventful?
> > 
> > I have heard that some people are doing the following when moving from
> > Exchange 5.5 to 2000.
> > 
> > 1.  Setting up the RUS first, then standing up pure Windows 2000
> > Exchange 2000 servers in the site, and moving the mailboxes from the
> > Exchange 5.5 servers to the Exchange 2000 servers.  Tedious, but it is
> > easier to roll back a failed move.  Takes forever to get to a pure
> > front-end/back-end solution.
> > 
> > 2.  Doing Inter-org migrations by creating a New Exchange 2000 org, and
> > migrating the accounts out of the Exchange 5.5 org into the new 2000
> > ORG.  Allows the New Org to start out in Native Mode, and allows for
> > refresh of Exchange Hardware.  Problem seems to be third-party add-ins
> > for Exchange like FAX Services, Blackberry, and Secure E-mail.  There
> > are workarounds for this though.
> > 
> > Todd Myrick
> > 
> >

RE: [ActiveDir] Mixed to Native and Exchange 2000

2003-04-01 Thread Garello, Kenneth
The only problem is that single instance storage benefits are lost. So you
may experience a large increase in disk requirements.

-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2003 7:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mixed to Native and Exchange 2000

We went along the lines of Option 1 as well - worked like a charm for
us.
It's also a good way for you to be sure that the new email server is
built to specs (yours or industry standards) if the previous machine was
built before you were with your organization. This was the case with me
and our old box was a PIG. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2003 7:30 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Mixed to Native and Exchange 2000

I agree.  Option 1 worked for me.  I think they called it leap frogging
or something like that :-)

>  from:Missy Koslosky <[EMAIL PROTECTED]>
>  date:Tue, 01 Apr 2003 05:13:06
>  to:  [EMAIL PROTECTED]
>  subject: Re: [ActiveDir] Mixed to Native and Exchange 2000
> 
> I'd go with option 1 - the moving train (or whatever it's called these
> days).  Tony Redmond wrote an article about this a few years ago that
> should be available in the archives of www.winnetmag.com somewhere.
> 
> I do a lot of migrations, and this is the method we choose most of the
> time.
> Missy Koslosky
> - Original Message -
> From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, March 31, 2003 2:55 PM
> Subject: [ActiveDir] Mixed to Native and Exchange 2000
> 
> 
> I had a beef fillet marinated in Guinness this weekend, it was actually
> kind of sweet tasting.  So I recommend that or a nice piece of buffalo
> filet marinated in Guinness for your AD Native Mode celebration.
> 
> We converted to Native Mode last year on many of our AD Domains.  Now
> is the pain of ADCing and In-place upgrading to Exchange 2000.
> 
> Just for the record, how many of you all in-place upgraded your
> Exchange 5.5 Servers and org to Exchange 2000.  I am really concerned
> about us doing this because we have Exchange 5.5 Servers with IS's in
> the 60 to 100 Gig range, and I feel if we have a problem doing an
> in-place upgrade on a server, we would have to do a disaster recovery
> of the server in a limited time window.  In addition it will take us
> some time to get all the servers upgraded to 2000, and we will have
> some server consolidations to contend with.  What has everyone else's
> experience been doing this?  Has in-place upgrading Exchange 5.5
> servers with large IS been pretty non-eventful?
> 
> I have heard that some people are doing the following when moving from
> Exchange 5.5 to 2000.
> 
> 1.  Setting up the RUS first, then standing up pure Windows 2000
> Exchange 2000 servers in the site, and moving the mailboxes from the
> Exchange 5.5 servers to the Exchange 2000 servers.  Tedious, but it is
> easier to roll back a failed move.  Takes forever to get to a pure
> front-end/back-end solution.
> 
> 2.  Doing Inter-org migrations by creating a New Exchange 2000 org, and
> migrating the accounts out of the Exchange 5.5 org into the new 2000
> ORG.  Allows the New Org to start out in Native Mode, and allows for
> refresh of Exchange Hardware.  Problem seems to be third-party add-ins
> for Exchange like FAX Services, Blackberry, and Secure E-mail.  There
> are workarounds for this though.
> 
> Todd Myrick
> 
> 
> -Original Message-
> From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 27, 2003 7:26 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Mixed to Native
> 
> 
> Always a good Guinness! 
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 27, 2003 7:06 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Mixed to Native
> 
> The worst part of the mixed to native mode conversion is picking which
> refreshing beverage you're going to enjoy when it's done.
> 
> --
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, March 27, 2003 5:49 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Mixed to Native
> >
> >
> >
> > Hi All,
> >
> > I've finally migrated my last remote office into my 2000
> > domain. All of my NT BDCs are gone and I'm 100% 2000 on the
> > DCs. I still have a couple offices on NT workstations.
> > It's been some time since I've focussed on 2000 and can't
> > remember if there are any gotchas with the move from mixed to
> > native?
> >
> > I've read back through all my documentation/notes, but that's
> > no substitute for real world experience... Can anyone offer
> > some guidance?
> >
> > Thanks and BR,
> >
> > Rob
> >
> >
> > Robert Rutherford
> > MIS Department - DEK
> > +44 (0)1305 20823

RE: [ActiveDir] .net RC2

2003-02-19 Thread Garello, Kenneth
Thanks for the info.  It is useful.

Ken

-Original Message-
From: Michael Bennett [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, February 19, 2003 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] .net RC2

Hi Ken,
I have no experience with this to answer you but did attend a MS Windows
Server 2003 web seminar yesterday:

Microsoft Windows Server 2003: Upgrading Windows 2000 Domains to Windows
Server 2003:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.
com/servicedesks/webcasts/wc021803/wcblurb021803.asp

You can view this webcast by clicking its link (2hrs, 25min). Don't just
download the PPT slides. Listen to the engineers in the webcast link.
You can jump from slide to slide and the audio follows.

I don't know if the addition of a member server requires a schema
update. The addition of a 2003 domain controller certainly does.

The seminar also discussed the problem of adding a 2003 DC to a W2K
forest that has Exchange 2000 (slide 14 in the presentation). The
original install of Exchange 2000 into a W2K environment added two
"corrupted" LDAP objects: LabeledURI and Secretary. This must be fixed
before adding 2003 DCs.
You must: 
1. Run a script that corrects these two objects to avoid LDAP "name
mangling".
2. Run ADPREP /FORESTPREP.
3. Run ADPREP /DOMAINPREP. These 3 steps clean up that problem.

As an aside, slide 35 describes a known client-side bug.
Problem: After a user changes his or her password, the client continues
to send the old password 3x causing an acct lockout on many systems.
Happens with 9x and W2K. Fixes are available. As a result, Microsoft
recommends setting the low threshold of incorrect passwords to 10,
rather than something reasonable like 3.

Sorry I didn't specifically answer your question but it is definitely
worth your while to view and listen to the webcast.
Regards, Michael
 
Michael Bennett
Sr. Network Engineer
Onward Technologies
222 N. LaSalle Street
Suite 1150
Chicago, IL. 60601
312-795-9500
[EMAIL PROTECTED]


-Original Message-
From: Garello, Kenneth [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, February 19, 2003 10:31 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] .net RC2


Are there any known issues installing a Windows .net rc2 member server
into a windows 2000 sp3 domain?

I know it's a vague question, but I would like to experiment with TS
features in a complex environment.


Thanks,

Ken



[ActiveDir] .net RC2

2003-02-19 Thread Garello, Kenneth
Are there any known issues installing a Windows .net rc2 member server into
a windows 2000 sp3 domain?

I know it's a vague question, but I would like to experiment with TS
features in a complex environment.


Thanks,

Ken



RE: [ActiveDir] Active Directory Authentication via ras

2003-01-29 Thread Garello, Kenneth
Has anyone done this in a production environment?  I am concerned with
schema issues.  Should I be?

Ken

-Original Message-
From: Weston Rogers [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 28, 2003 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Authentication via ras

Yup.. Red Hat.. Thanks!!


-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 28, 2003 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Authentication via ras


Easiest if you're using Red Hat. Which distro are you using? Anyways
here's the info: http://online.securityfocus.com/infocus/1563

-Chris

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Weston Rogers
Sent: Tuesday, January 28, 2003 8:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Authentication via ras


Is it possible, or anyone know of any tips on how to get a linux box
with an 8 port modem card (dialin server) to auth via an AD DC  to get
permissions, etc?  I wanted to try to mess around with this..

Thanks.



RE: [ActiveDir] AD Lab

2003-01-06 Thread Garello, Kenneth
Have you set that server as a GC?

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 06, 2003 3:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Lab

Has anyone set up an AD Lab and had Global Catalog problems?

I installed a BDC on the production network, disconnected it from the
production and connected it to the lab network.

Seized the FSMO roles.

I'm able to join the domain but, I'm receiving "Unable to establish connection
with a GC."

Any suggestion would be great.


RE: [ActiveDir] A little OT:: Mac on the Net

2002-11-26 Thread Garello, Kenneth
What's a Mac?

-Original Message-
From: Canzoneri, Kurt [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 26, 2002 9:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] A little OT:: Mac on the Net

Try trashing the ApplesharePrep preference and the TCP/IP preference. Reboot
and zap the PRAM 3-5 times. You will have to set up Appleshare and TCP/IP
settings after this.

Kurt Canzoneri, MCSE
Network / System Engineer
EIG
Valassis / POD
47585 Galleon Drive Plymouth, MI  48170
Tel  734.354.2496  Fax  734.354.2694
[EMAIL PROTECTED]
www.valassis.com



-Original Message-
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 26, 2002 9:12 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] A little OT:: Mac on the Net


I recently changed our internal DHCP and WINS to be Windows 2000 from
Windows NT 4.0. After I did this some/most of the Macintoshes on the network
have been presenting this error:

"Another device on your TCP/IP internet, which has the physical address 00
02 B3 2A FA EF, is currently using the same IP address (10.80.102.236). Your
TCP/IP network interface has been shut down."

Now what bothers me is there is no computer assigned (10.80.102.236). And
no assigned machine has the physical address 00 02 B3 2A FA EF.

I have gone to a few of the Macintoshes and tried static IPs, but I get the
same error above with the static IP that I gave it in place of
(10.80.102.236). 

Any Ideas?


TIA,
Joshua





Joshua Morgan
Network Engineer
South Carolina School for the Deaf and Blind
Phone: (864) 577-7548




RE: [ActiveDir] IIS behind firewall

2002-11-07 Thread Garello, Kenneth
Thanks for everyone's input.  I've got a lot of planning to do!

Ken

-Original Message-
From: Roger Seielstad [mailto:roger.seielstad@;inovis.com] 
Sent: Thursday, November 07, 2002 7:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall

Actually, there are a lot of secure ways to do this - none of them, however,
involve putting IIS outside your firewall. There's no reason that it can't
be behind the firewall, with just ports 443 and 80 open from the outside
world. The flip side to that is putting it outside your firewall, you need
all the NT or AD authentication ports open, plus you have to do a lot of
hacking your Exchange servers to set static ports for the services (by
default they are dynamically assigned ports).

We happen to use a proxy server in our DMZ that functions as both a reverse
proxy (many clients to one server) and an SSL accelerator, with the OWA
server inside the firewall, and limited to just the proxy box for
connections.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -Original Message-
> From: Garello, Kenneth [mailto:KGarello@;worcester.edu] 
> Sent: Wednesday, November 06, 2002 2:19 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] IIS behind firewall
> 
> 
> Rick,
> 
> Thank you very much for your thoughts.
> 
> My task at hand is to provide Outlook Web Access to our internal mail
> system.  From your discussion, I take it that there really is 
> no secure way
> to do this.  Are there options that I am not aware of?
> 
> Ken
>  
> -Original Message-
> From: Rick Kingslan [mailto:rkingsla@;cox.net] 
> Sent: Wednesday, November 06, 2002 11:11 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] IIS behind firewall
> 
> Documents of interest:
> 
> http://www.nsa.gov/snac/win2k/index.html  (look for the guide on IIS,
> but IIS hardening is worthless unless the base OS is hardened as well)
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/default.asp
> (get the templates!)
> http://www.sans.org (their guides are not free, but are quite 
> worth the
> money)
> 
> I'd also look at various places like @Stake, Church of the Swimming
> Elephant (COTSE), NTBugTraq for some EXCELLENT information from folks
> that do this daily.
> 
> Now, that the documents are cleared up, let's discuss IIS -> AD
> authentication across the DMZ.
> 
> First - your IIS servers should be on the outside.  At the very least,
> they should be in a hard DMZ (behind a bastion or the first firewall,
> but in front of a soft DMZ)  This is an untrusted zone.  It's 
> considered
> untrusted because the Internet data is not 'clean' or secure.  Putting
> things out here is, in effect, putting systems that must be 
> accessed by
> the public in harm's way.  There really is no other way.  We need to
> allow users to access them - but we can't lock them down as 
> much as we'd
> like.
> 
> The separation that is intrinsic with trusted and untrusted (your IIS
> Server in the hard DMZ is in the Internet zone) allows for the IIS
> server to access data in the untrusted DMZ.  In no way should the IIS
> server in the Internet zone be allowed to access anything in 
> the trusted
> zone.  What this means is that it is not really considered a 'safe
> practice' to allow IIS (or, any system directly) to authenticate to
> internal DCs.  This is the reason for RADIUS - the authentication
> request comes from a trusted third party system (at least as 
> far as your
> network is concerned - the RADIUS server is still on your network, but
> the number of ports open and the compromise risk are both low).
> 
> Microsoft authentication requires a slew of ports to be open.  Steve
> Riley of Microsoft has a good article:
> http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp
> on how to do replication and authentication over and across firewalls,
> but it is still considered a risky practice.  It is typically not
> considered a 'good thing' to allow outside entities or 
> untrusted systems
> to access trusted systems.  In this case, the IIS server is untrusted
> because it is designed for direct access by outside entities that you
> have no control over.  In many ways, you EXPECT it to be compromised -
> hence you cannot trust it.  On the other hand, you need to be able to
> trust that a DC is not compromised and that it is who it says 
> it is and
> that the network is secure.  This would be a trusted system - 
> you trust
>

RE: [ActiveDir] IIS behind firewall

2002-11-06 Thread Garello, Kenneth
Rick,

Thank you very much for your thoughts.

My task at hand is to provide Outlook Web Access to our internal mail
system.  From your discussion, I take it that there really is no secure way
to do this.  Are there options that I am not aware of?

Ken
 
-Original Message-
From: Rick Kingslan [mailto:rkingsla@;cox.net] 
Sent: Wednesday, November 06, 2002 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall

Documents of interest:

http://www.nsa.gov/snac/win2k/index.html  (look for the guide on IIS,
but IIS hardening is worthless unless the base OS is hardened as well)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/default.asp
(get the templates!)
http://www.sans.org (their guides are not free, but are quite worth the
money)

I'd also look at various places like @Stake, Church of the Swimming
Elephant (COTSE), NTBugTraq for some EXCELLENT information from folks
that do this daily.

Now, that the documents are cleared up, let's discuss IIS -> AD
authentication across the DMZ.

First - your IIS servers should be on the outside.  At the very least,
they should be in a hard DMZ (behind a bastion or the first firewall,
but in front of a soft DMZ)  This is an untrusted zone.  It's considered
untrusted because the Internet data is not 'clean' or secure.  Putting
things out here is, in effect, putting systems that must be accessed by
the public in harm's way.  There really is no other way.  We need to
allow users to access them - but we can't lock them down as much as we'd
like.

The separation that is intrinsic with trusted and untrusted (your IIS
Server in the hard DMZ is in the Internet zone) allows for the IIS
server to access data in the untrusted DMZ.  In no way should the IIS
server in the Internet zone be allowed to access anything in the trusted
zone.  What this means is that it is not really considered a 'safe
practice' to allow IIS (or, any system directly) to authenticate to
internal DCs.  This is the reason for RADIUS - the authentication
request comes from a trusted third party system (at least as far as your
network is concerned - the RADIUS server is still on your network, but
the number of ports open and the compromise risk are both low).

Microsoft authentication requires a slew of ports to be open.  Steve
Riley of Microsoft has a good article:
http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp
on how to do replication and authentication over and across firewalls,
but it is still considered a risky practice.  It is typically not
considered a 'good thing' to allow outside entities or untrusted systems
to access trusted systems.  In this case, the IIS server is untrusted
because it is designed for direct access by outside entities that you
have no control over.  In many ways, you EXPECT it to be compromised -
hence you cannot trust it.  On the other hand, you need to be able to
trust that a DC is not compromised and that it is who it says it is and
that the network is secure.  This would be a trusted system - you trust
the data, the authentication, the server.

The only way that I would do any type of authentication across a DMZ is
to have a forest or an AD authentication mechanism (an AD proxy, if you
will) in the DMZ (not trusted) with IPSec channels to a trusted DC or set
of DCs that would actually validate the request.

Right now, it's a bit messy.  But, be looking for a couple of things
from MS and third parties (Aelita, Cisco) to pony up, too.  I know that
Cisco has ACS, but I'm not quite as up on that as I should be to know if
it would help in this scenario.

Hope this helps.  Any questions, please ask!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED]
[mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of Garello,
Kenneth
Sent: Tuesday, November 05, 2002 9:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall


Can you point to specific documents that you consider helpful?  I'm
especially interested in the last sentence (trusted to untrusted zones
and AD).  How can I provide IIS -> AD authentication across the DMZ and
feel that I have followed best security practices for that situation.
 
Any info pointers would be appreciated.
 
Ken
 
-Original Message-
From: Rick Kingslan [mailto:rkingsla@;cox.net] 
Sent: Tuesday, November 05, 2002 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall
 
By implementing one or more firewalls with either a screened subnet from
one firewall or a DMZ implemented between two firewalls using stateful
inspection, packet filtering and web/server publishing.  Anything less
is asking for a major intrusion and compromise.  NAT is not even close
to 'goo
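
Roger's "just ports 443 and 80 open from the outside world" with the internal OWA server limited to the proxy box, and Rick's rule that a DMZ host must never authenticate straight to the trusted zone, can be written down as a policy and checked mechanically. The following is an added example, not code from either poster: a Python check over a small firewall rule table. Zone names, host names and the rule layout are constructed for illustration; the port set for Windows authentication and directory traffic (88, 135, 389, 445, 636, 3268, 3269) is the standard one and is not taken from the thread.

```python
"""Check a firewall rule table against the DMZ zone policy discussed in the thread.

Added example; zone names, hosts and the rule format are constructed for
illustration and are not from any poster's environment.
"""
from dataclasses import dataclass

# Ports used by Windows NT/AD authentication and directory traffic.  Rick's
# point is that none of these should be reachable from an untrusted zone.
AD_AUTH_PORTS = {88, 135, 389, 445, 636, 3268, 3269}

# Only these ports may be published from the Internet to the DMZ front end.
PUBLISHED_PORTS = {80, 443}


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "internet", "dmz" or "internal"
    src_host: str   # hostname or "any"
    dst_zone: str
    dst_host: str
    port: int


def check_rules(rules, proxy_host, owa_host):
    """Return (rule, reason) pairs that violate the zone policy.

    Policy, as stated in the thread:
      1. internet -> dmz: only 80/443, and only to the published front end.
      2. internet -> internal: never.
      3. dmz -> internal: no AD/NT authentication ports (the DMZ host is
         expected to be compromised, so it must not authenticate to DCs).
      4. The internal OWA server accepts DMZ connections only from the proxy.
    """
    violations = []
    for r in rules:
        if r.src_zone == "internet":
            if r.dst_zone != "dmz":
                violations.append((r, "Internet must not reach past the DMZ"))
            elif r.port not in PUBLISHED_PORTS:
                violations.append((r, f"port {r.port} is not a published web port"))
            elif r.dst_host != proxy_host:
                violations.append((r, "Internet may only reach the published front end"))
        elif r.src_zone == "dmz" and r.dst_zone == "internal":
            if r.port in AD_AUTH_PORTS:
                violations.append((r, f"AD/NT authentication port {r.port} open from DMZ"))
            elif r.dst_host == owa_host and r.src_host != proxy_host:
                violations.append((r, "OWA server must only accept the proxy box"))
    return violations


# Constructed sample rule tables (hosts "owa-proxy", "owa-fe", "dc1" are made up).
GOOD_RULES = [
    Rule("internet", "any", "dmz", "owa-proxy", 443),
    Rule("internet", "any", "dmz", "owa-proxy", 80),
    Rule("dmz", "owa-proxy", "internal", "owa-fe", 443),
]

BAD_RULES = GOOD_RULES + [
    Rule("internet", "any", "internal", "owa-fe", 443),   # bypasses the DMZ
    Rule("dmz", "owa-proxy", "internal", "dc1", 389),      # LDAP from the DMZ
    Rule("dmz", "other-box", "internal", "owa-fe", 443),   # not the proxy box
]

if __name__ == "__main__":
    for rule, why in check_rules(BAD_RULES, "owa-proxy", "owa-fe"):
        print(f"{rule.src_zone}/{rule.src_host} -> "
              f"{rule.dst_zone}/{rule.dst_host}:{rule.port}: {why}")
```

Run as-is it reports the three added rules in BAD_RULES and nothing for GOOD_RULES; the useful habit is to export the real rule base into the same table shape and run the check whenever a rule is added.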

RE: [ActiveDir] IIS behind firewall

2002-11-05 Thread Garello, Kenneth
Can you point to specific documents that you consider helpful?  I'm
especially interested in the last sentence (trusted to untrusted zones
and AD).  How can I provide IIS -> AD authentication across the DMZ and
feel that I have followed best security practices for that situation.

Any info pointers would be appreciated.

Ken

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 05, 2002 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall

By implementing one or more firewalls with either a screened subnet from
one firewall or a DMZ implemented between two firewalls using stateful
inspection, packet filtering and web/server publishing.  Anything less is
asking for a major intrusion and compromise.  NAT is not even close to
'good enough' in this type of scenario.

Also - the IIS server(s) MUST be on the screened subnet or the DMZ - never
on the internal network if they are going to be accessed by untrusted
systems.  It would also be highly suggested to review Microsoft/SANS/NSA
guidelines for secure operations in this type of environment.  All three
put out substantial and important documents detailing the lockdown
procedures for Windows systems and secure communications from trusted to
untrusted zones.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mr Teo
Sent: Tuesday, November 05, 2002 3:26 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] IIS behind firewall

Hi all,

I am setting up a network under Active Directory; my company is using a
class C private address.  However, the company also has a NAT which hides
the network from the public.  So how do I allow, e.g., all my staff to host
their IIS by using the firewall?

RE: [ActiveDir] SP3 on

2002-11-01 Thread Garello, Kenneth
Took me a while but...

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q279537

It plagued me for weeks.

I don't know if it is his problem since the problem went away with the
Windows sp removal and not the exchange sp removal.

Ken

-Original Message-
From: Roger Seielstad [mailto:roger.seielstad@;inovis.com] 
Sent: Friday, November 01, 2002 7:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SP3 on

I'd love to see the documentation on that, because that has not been my
experience at all.

Roger
--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -Original Message-
> From: Garello, Kenneth [mailto:KGarello@;worcester.edu] 
> Sent: Thursday, October 31, 2002 10:44 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] SP3 on
> 
> 
> I think it would be more likely that the issue is Exchange 
> 5.5 service pack 4.  In one service pack, exchange RPC 
> communication behavior was changed so that it was necessary 
> to communicate between exchange services utilizing FQDN.  I 
> had to add records to the hosts files because my internal 
> machines did not have DNS names.
>  
> Ken
>  
> -Original Message-
> From: Salandra, Justin A. [mailto:jasalandra@;chcsnet.org] 
> Sent: Wednesday, October 30, 2002 9:30 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] SP3 on
>  
> That is strange because I have a E55SP4 on a W2K SP3 box with 
> no problems at all
>   -Original Message-
>   From: Dave Kinnamon [mailto:dkinnamon@;etcconnect.com]
>   Sent: Wednesday, October 30, 2002 2:35 PM
>   To: '[EMAIL PROTECTED]'
>   Subject: RE: [ActiveDir] SP3 on
>   My mistake ---  Exchange 5.5 SP4.  --  And I 
> verified with my Exchange Admin ... we never put W2K SP3 back on.
>
>
>
>
>   -Original Message-
>   From: Salandra, Justin A. 
> [mailto:jasalandra@;chcsnet.org]
>   Sent: Wednesday, October 30, 2002 1:30 PM
>   To: '[EMAIL PROTECTED]'
>   Subject: RE: [ActiveDir] SP3 on
>   What SP was your Exchange 5.5 Server?
>
>   -Original Message-
>   From: Dave Kinnamon [mailto:dkinnamon@;etcconnect.com]
>   Sent: Wednesday, October 30, 2002 2:24 PM
>   To: '[EMAIL PROTECTED]'
>   Subject: RE: [ActiveDir] SP3 on
>
>   I had problems with SP3 on an Exch 5.5 server.  
> I installed W2K server, Exch 5.5, then SP3.  Exchange was not 
> able to join our existing organization due to an RPC 
> communications error - sorry can't remember the specifics.
>
>   We uninstalled SP3, (good thing we backed-up 
> the files) and Exch 5.5 worked fine.  We then reinstalled SP3 
> again and all was good.
>
>   Apparently Exch5.5 didn't like something that 
> was "fixed" in SP3.
>
>
>
>   Dave
>
>
>
>
>
>   -Original Message-
>   From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
>   Sent: Wednesday, October 30, 2002 9:07 AM
>   To: '[EMAIL PROTECTED]'
>   Subject: RE: [ActiveDir] SP3 on
>   It's on all 30 of ours with no problems.. 
> actually it fixed quite a bit of replication problems
>   -Original Message-
>   From: Craig Cerino [mailto:Craig_Cerino@;Tiel.com] 
>   Sent: Wednesday, October 30, 2002 9:00 AM
>   To: [EMAIL PROTECTED]
>   Subject: RE: [ActiveDir] SP3 on
>   I have heard of people having certain issues - 
> -I can say I am one of the lucky ones - - -- - -I have had no 
> issues and I have it running on all (5) our DCs
>
>   Craig 
>
>
>   Craig P. Cerino
>   MCSE, MCP+I
>   Systems Administrator
>   TIE SOLUTIONS, Inc
>   * (617) 928-5000 ext 236
>   F: (617) 928-5025
*[EMAIL PRO

RE: [ActiveDir] Remove DC from Domain

2002-11-01 Thread Garello, Kenneth
Thanks for everyone's suggestions.  The problem was that they were old NT 4.0
BDC's that were defunct.  I used srvmgr to remove them.

Thanks again.

Ken

-Original Message-
From: Ayers, Diane [mailto:DAyers@;pacbell.net] 
Sent: Thursday, October 31, 2002 9:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove DC from Domain

Use DCpromo to demote the server.  That should remove the DC from AD.  If
that fails, follow the links that the others posted.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:ActiveDir-owner@;mail.activedir.org]On Behalf Of Garello, Kenneth
Sent: Thursday, October 31, 2002 10:21 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Remove DC from Domain


Is there a proper way of removing a DC from a domain?

Since I have done it improperly, I have computers left in the Domain
controller group that do not exist anymore.


Thanks,

Ken

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] SP3 on

2002-10-31 Thread Garello, Kenneth
I think it would be more likely that the issue is Exchange 5.5 service pack 4.
In one service pack, Exchange RPC communication behavior was changed so
that it was necessary to communicate between Exchange services utilizing
FQDN.  I had to add records to the hosts files because my internal machines
did not have DNS names.

Ken

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 30, 2002 9:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SP3 on

That is strange because I have a E55SP4 on a W2K SP3 box with no problems
at all

-Original Message-
From: Dave Kinnamon [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 30, 2002 2:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SP3 on

My mistake --- Exchange 5.5 SP4.  --  And I verified with my Exchange Admin
... we never put W2K SP3 back on.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 30, 2002 1:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SP3 on

What SP was your Exchange 5.5 Server?

-Original Message-
From: Dave Kinnamon [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 30, 2002 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SP3 on

I had problems with SP3 on an Exch 5.5 server.  I installed W2K server, Exch
5.5, then SP3.  Exchange was not able to join our existing organization due
to an RPC communications error - sorry can't remember the specifics.

We uninstalled SP3 (good thing we backed up the files) and Exch 5.5 worked
fine.  We then reinstalled SP3 again and all was good.

Apparently Exch 5.5 didn't like something that was "fixed" in SP3.

Dave

-Original Message-
From: MHR(Michael Ross) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 30, 2002 9:07 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SP3 on

It's on all 30 of ours with no problems.. actually it fixed quite a bit of
replication problems

-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 30, 2002 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP3 on

I have heard of people having certain issues - -I can say I am one of the
lucky ones - - -- - -I have had no issues and I have it running on all (5)
our DCs

Craig

Craig P. Cerino
MCSE, MCP+I
Systems Administrator
TIE SOLUTIONS, Inc
(617) 928-5000 ext 236
F: (617) 928-5025
[EMAIL PROTECTED]
www.tiesolutions.com

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 30, 2002 9:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SP3 on 

Has anyone had any problems with SP3 on Domain Controllers?

Don L Murawski
Sr. Network Administrator - MCSE 4.0, 2000
WorldTravel BTI
1055 Lenox Park Blvd
Suite 420
Atlanta, GA 30319
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264


RE: [ActiveDir] Sites with no DC

2002-10-23 Thread Garello, Kenneth
How much overhead does leaving it up to the locator incur?

Ken

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 23, 2002 4:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Sites with no DC

Hey Don,

Is this your first post to the list? If so, welcome.

To answer your question, no you don't have to create a site for each subnet.
You can associate multiple subnets with a single site. Or you can leave the
subnets unassigned, and the DC locator will do its best to find a DC "close"
to the authenticating PC.

-gil

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 23, 2002 1:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Sites with no DC

We have subnets without dc's, do you need to create a site and subnet in
Sites and Services anyway for those sites?

Don L Murawski


RE: [ActiveDir] Add computer to domain delegation

2002-10-03 Thread Garello, Kenneth

Diane,

Thanks for the info - it has been a help.

Ken

-Original Message-
From: Ayers, Diane [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 02, 2002 4:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add computer to domain delegation

Kenneth:

For the easiest approach, you can use the "delegation of control Wizard" if
you don't want to try and dig into the details of the AD ACLs.  Simply right
click on the OU you want to delegate and run the wizard.

There are some issues there.  The "roles" that are defined in the wizard are
based on the roles in the .inf file "delegwiz.inf".  There is a typo in the
file that you may need to correct.  If you run the delegation wizard and
don't see the role "Join a computer to the domain" then the inf file has a
typo.  You'll need to fix this.

The files that I have seen are as follows:

;--
[template6]
AppliesToClasses = domainDNS

Description = "Join a computer to the domain"

ObjectTypes = SCOPE

[template6.SCOPE]
computer=CC
;--

I've tweaked the file a bit to give the delete and reset rights to the
delegated admin.  Here's what I changed it to:

;--
[template6]
AppliesToClasses=domainDns,organizationalUnit

Description = "Manage computer accounts in the domain or OU"

ObjectTypes = SCOPE, computer

[template6.SCOPE]
computer=CC,DC
[template6.computer]
CONTROLRIGHT= "Reset Password"

;--

There is a KB article on the templates if you want more info (although it's
pretty skimpy).

HTH

Diane Ayers 
Pacific Gas & Electric Co. 
Sacramento/San Francisco 




-Original Message-
From: Garello, Kenneth [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 02, 2002 11:50 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add computer to domain delegation


Tony,

Thank you very much for your response.  

I found the privileges that you outlined below at the computer level, but
not at the OU level.  This means that I would have to explicitly apply the
four permissions required for each computer created.  Is there something I
am missing or is that the way it's gotta be?



Ken

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 02, 2002 11:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Add computer to domain delegation


Justin

Sorry if I wasn't clear on this.

If someone has the appropriate permissions it is possible to simultaneously
create the computer object while joining the computer to the domain.  The
limitation of this approach is that it creates the computer object in the
Computers built-in container.  If you had a dedicated OU for workstations,
for example, you would need to subsequently move the computer object from
the Computers container to your Workstations (or whatever) OU.

A way to avoid this is to pre-create the computer objects in your OU of
choice.  This can be done with ADUC, ADSI script, etc.  Then when the
computer is joined to the domain, the computer you are working with is
automatically matched (by name) to the pre-created computer object.  I have
not come across any problems with SIDs.

Another reason why I like this approach is that it allows for a separation of
roles.  In many organisations you don't necessarily want the same people who
do the joining to be able to summarily create computer objects.

To separate the 2 roles, the permissions required on the OU are as follows.

To allow the creation of Computer objects:
Create Computer objects

To allow computers to be joined to the domain:
Allow  Read/Write Account Restrictions
Allow  Reset Password
Allow  Validated write to DNS host name
Allow  Validated write to service principal name
Note: apply these onto Computer objects

If you get strange results then have a look at the "Add workstation to
domain" group policy settings.  This is located in:

Computer Configuration -> Windows Settings -> Security Settings -> Local
Policies -> Local Rights Assignment

This group policy exists for backward compatibility with the old NT 4.0 user
right.  Under the GPO, users who have been granted this right can join a
workstation to a domain even if they do not have create child access on the
computer's container.  I would recommend that you disable this setting and
work exclusively with ACLs.

Tony
-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 01, 2002 18:06
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add computer to domain delegation


I thought that if you pre-created all computer accounts the SIDs for the
computer accounts wouldn't match when you went to actually go and join t
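
Diane's walkthrough above describes delegwiz.inf as a set of [templateN] sections carrying AppliesToClasses, Description and ObjectTypes keys, with a [templateN.<type>] section for each listed object type, and says that if the wizard does not offer "Join a computer to the domain" the file is broken. The following is an added example, not Diane's file or anything from Microsoft: a small parser that reads templates in that layout and reports structural problems (an object type listed without its section, a missing required key, and a template that is not registered in the file's Templates list). The sample text reuses Diane's two template6 variants (the stock one renumbered to template8 so both can coexist) plus a constructed broken template7; the [DelegationTemplates] registration section mirrors the stock file's layout and its role in what the wizard shows is an assumption here, not something the thread states.

```python
"""Parse delegwiz.inf-style delegation templates and report structural problems.

Added example, not from the list or from Microsoft.  Template text below is
Diane's two template6 variants (stock one renumbered to template8) plus a
constructed, deliberately broken template7.
"""
import configparser
import re

SAMPLE_INF = """\
[DelegationTemplates]
Templates = template6, template7

;-- Diane's customised template, as posted
[template6]
AppliesToClasses=domainDns,organizationalUnit
Description = "Manage computer accounts in the domain or OU"
ObjectTypes = SCOPE, computer

[template6.SCOPE]
computer=CC,DC
[template6.computer]
CONTROLRIGHT= "Reset Password"

;-- Constructed: ObjectTypes names "user" but there is no [template7.user]
[template7]
AppliesToClasses = organizationalUnit
Description = "Constructed broken template"
ObjectTypes = SCOPE, user

[template7.SCOPE]
user=RP

;-- Diane's stock template, renumbered here; deliberately left out of the
;-- Templates list above
[template8]
AppliesToClasses = domainDNS
Description = "Join a computer to the domain"
ObjectTypes = SCOPE

[template8.SCOPE]
computer=CC
"""

REQUIRED_KEYS = ("AppliesToClasses", "Description", "ObjectTypes")
TEMPLATE_RE = re.compile(r"^template\d+$")


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_templates(text):
    """Return ({template_name: fields}, set of names registered under Templates)."""
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.optionxform = str            # keep key case (CONTROLRIGHT, AppliesToClasses)
    cp.read_string(text)
    templates = {}
    for section in cp.sections():
        if not TEMPLATE_RE.match(section):
            continue
        t = {k: v.strip('"') for k, v in cp.items(section)}
        t["AppliesToClasses"] = _split(t.get("AppliesToClasses", ""))
        t["ObjectTypes"] = _split(t.get("ObjectTypes", ""))
        # One [templateN.<type>] section per object type; None when absent.
        t["rights"] = {}
        for otype in t["ObjectTypes"]:
            sub = f"{section}.{otype}"
            t["rights"][otype] = ({k: v.strip('"') for k, v in cp.items(sub)}
                                  if cp.has_section(sub) else None)
        templates[section] = t
    listed = cp.get("DelegationTemplates", "Templates", fallback="")
    return templates, set(_split(listed))


def check_templates(templates, listed):
    """Return human-readable problems found in the parsed templates."""
    problems = []
    for name, t in templates.items():
        for key in REQUIRED_KEYS:
            if not t.get(key):
                problems.append(f"{name}: missing {key}")
        for otype, rights in t["rights"].items():
            if rights is None:
                problems.append(f"{name}: ObjectTypes lists {otype} but [{name}.{otype}] is absent")
        if listed and name not in listed:
            problems.append(f"{name}: not listed under [DelegationTemplates] Templates")
    return problems


def find_role(templates, description):
    """Name of the template offering this wizard role, or None (Diane's test)."""
    for name, t in templates.items():
        if t.get("Description", "").lower() == description.lower():
            return name
    return None


if __name__ == "__main__":
    templates, listed = parse_templates(SAMPLE_INF)
    print("join role:", find_role(templates, "Join a computer to the domain"))
    for problem in check_templates(templates, listed):
        print("problem:", problem)
```

Point it at a copy of the real file with `parse_templates(open(path).read())` before editing it and again afterwards; a role that vanishes from the wizard should show up here as a missing key, a missing sub-section or an unregistered template.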

RE: [ActiveDir] Add computer to domain delegation

2002-10-02 Thread Garello, Kenneth

Tony,

Thank you very much for your response.  

I found the privileges that you outlined below at the computer level, but
not at the OU level.  This means that I would have to explicitly apply the
four permissions required for each computer created.  Is there something I
am missing or is that the way it's gotta be?



Ken

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 02, 2002 11:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Add computer to domain delegation


Justin

Sorry if I wasn't clear on this.

If someone has the appropriate permissions it is possible to simultaneously
create the computer object while joining the computer to the domain.  The
limitation of this approach is that it creates the computer object in the
Computers built-in container.  If you had a dedicated OU for workstations,
for example, you would need to subsequently move the computer object from
the Computers container to your Workstations (or whatever) OU.

A way to avoid this is to pre-create the computer objects in your OU of
choice.  This can be done with ADUC, ADSI script, etc.  Then when the
computer is joined to the domain, the computer you are working with is
automatically matched (by name) to the pre-created computer object.  I have
not come across any problems with SIDs.

Another reason why I like this approach is that it allows for a separation of
roles.  In many organisations you don't necessarily want the same people who
do the joining to be able to summarily create computer objects.

To separate the 2 roles, the permissions required on the OU are as follows.

To allow the creation of Computer objects:
Create Computer objects

To allow computers to be joined to the domain:
Allow  Read/Write Account Restrictions
Allow  Reset Password
Allow  Validated write to DNS host name
Allow  Validated write to service principal name
Note: apply these onto Computer objects

If you get strange results then have a look at the "Add workstation to
domain" group policy settings.  This is located in:

Computer Configuration -> Windows Settings -> Security Settings -> Local
Policies -> Local Rights Assignment

This group policy exists for backward compatibility with the old NT 4.0 user
right.  Under the GPO, users who have been granted this right can join a
workstation to a domain even if they do not have create child access on the
computer's container.  I would recommend that you disable this setting and
work exclusively with ACLs.

Tony
-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 01, 2002 18:06
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add computer to domain delegation


I thought that if you pre-created all computer accounts the SIDs for the
computer accounts wouldn't match when you went to actually go and join the
computer to the domain.  Am I mistaken on this?  Can you send along some Q
Articles that explain what you want Ken to do?  

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]


 -Original Message-
From:   Tony Murray [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, October 01, 2002 11:04 AM
To: [EMAIL PROTECTED]
Subject:Re: [ActiveDir] Add computer to domain delegation

Ken

A good way to do this is to pre-create the computer objects in your OU of
choice (using ADUC, script, etc.).  Once the object has been created, you
can then join the computer to the domain.  The join process will
automatically "find" the computer object in the correct OU.  The advantage
of this approach is that you can modify the OU ACL so that you have 2 roles:
one for creating the computer objects, and one for joining the computers to
the domain.  Of course both sets of permissions can be assigned to the same
group if that's what you want to do.

Have a browse through the archives for a thread with a subject of "Join
Computers to Domain".  It contains a lot of the detail on the permissions
required.

Tony

------ Original Message --
From: "Garello, Kenneth" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 1 Oct 2002 10:54:24 -0400 

Forgive me if this is a simple question - I have been trying to research
this for about a week and cannot get a complete picture.
 
I have a 3 domain forest that was upgraded from a classic style multi-master
nt 4.0 domain structure.  All my resources exist in the "resource domain"
(workstation accounts, and member servers) .  The resource domain is the
root domain.
My user accounts exist in one of two account domains, which are subdomains
of the root.
 
I have a lab technician whose account obviously exists in one of the domain
accounts, but needs to add computers to a particular OU within the resource
domains consisting of the computers he is responsible f
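
Tony's split between a role that may create computer objects in the OU and a role that holds the four join rights "onto Computer objects", together with his warning that the legacy "Add workstations to domain" user right bypasses the ACL altogether, is the kind of thing worth checking rather than trusting. The following is an added example, not from the thread: a deliberately simplified model of an OU's ACL in which an ACE applies either to the OU itself or is inherited by child objects of one class (real DACL evaluation works through inherited-object-type GUIDs and is more involved). Group names, the OU path and the sample ACL are constructed for illustration.

```python
"""Model Tony's two-role delegation (create computer objects vs. join them) and
check that the roles stay separate.

Added example, not from the thread.  It simplifies AD's DACL: an ACE on the OU
either applies to the OU itself or is inherited by child objects of one class
(the "apply onto" choice Tony refers to).  Group names, the OU path and the
sample ACL are constructed for illustration.
"""
from dataclasses import dataclass, field

# Right granted on the OU itself so a role can create computer objects there.
CREATE_COMPUTER = "Create Computer objects"

# Tony's four rights, which must be applied onto Computer objects.
JOIN_RIGHTS = frozenset({
    "Read/Write Account Restrictions",
    "Reset Password",
    "Validated write to DNS host name",
    "Validated write to service principal name",
})


@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: frozenset
    # "this object": applies to the OU; a class name: inherited only by child
    # objects of that class.
    applies_to: str = "this object"


@dataclass
class DelegatedOu:
    dn: str
    aces: list = field(default_factory=list)
    # Holders of the "Add workstations to domain" user right, which Tony notes
    # lets a user join machines without any create-child access on the OU.
    add_workstations_right: set = field(default_factory=set)

    def effective_rights(self, trustee, child_class=None):
        """Rights trustee holds on the OU (child_class=None) or on a child
        object of child_class beneath it (inherited ACEs only)."""
        target = "this object" if child_class is None else child_class
        granted = set()
        for ace in self.aces:
            if ace.trustee == trustee and ace.applies_to == target:
                granted |= ace.rights
        return granted

    def can_create_computers(self, trustee):
        return CREATE_COMPUTER in self.effective_rights(trustee)

    def missing_join_rights(self, trustee):
        return sorted(JOIN_RIGHTS - self.effective_rights(trustee, "computer"))

    def can_join_computers(self, trustee):
        # The legacy user right bypasses the ACL entirely, which is why Tony
        # recommends disabling it and working with ACLs alone.
        if trustee in self.add_workstations_right:
            return True
        return not self.missing_join_rights(trustee)


def roles_are_separate(ou, creators, joiners):
    """True when creators can create but not join, and joiners the reverse."""
    return (ou.can_create_computers(creators) and not ou.can_join_computers(creators)
            and ou.can_join_computers(joiners) and not ou.can_create_computers(joiners))


def build_workstations_ou():
    """Constructed OU delegated the way Tony describes, plus one mistake."""
    ou = DelegatedOu("OU=Workstations,DC=example,DC=invalid")
    ou.aces.append(Ace("EXAMPLE\\Computer-Creators", frozenset({CREATE_COMPUTER})))
    ou.aces.append(Ace("EXAMPLE\\Computer-Joiners", JOIN_RIGHTS, applies_to="computer"))
    # Mistake: the four join rights applied to the OU itself instead of onto
    # Computer objects, so they never reach the computer account.
    ou.aces.append(Ace("EXAMPLE\\Lab-Tech", JOIN_RIGHTS))
    return ou


if __name__ == "__main__":
    ou = build_workstations_ou()
    print("roles separate:", roles_are_separate(ou, "EXAMPLE\\Computer-Creators",
                                                "EXAMPLE\\Computer-Joiners"))
    print("Lab-Tech missing:", ou.missing_join_rights("EXAMPLE\\Lab-Tech"))
```

The Lab-Tech entry shows the failure mode Ken ran into in the thread: the right names are correct but the "apply onto" scope is the OU rather than Computer objects, so `missing_join_rights` reports all four. Granting the legacy user right would mask that, which is exactly why Tony says to disable it.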

RE: [ActiveDir] Active Directory Operations Guide

2002-10-02 Thread Garello, Kenneth

Underneath the links for Appendix A and Appendix B there is a link to
download the file as zip.

-Original Message-
From: Andy David [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 02, 2002 1:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Operations Guide

Its on the Sept 2002 Technet Service Packs CD 6 in two parts. Both .docs


-Original Message-
From: Joe.Baird [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 02, 2002 1:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Operations Guide


Has anyone seen this document in a word format?  Is it only viewable via
html?

Thx, Joe


- Original Message -
From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 01, 2002 2:21 PM
Subject: [ActiveDir] Active Directory Operations Guide


> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/maintain/opsguide/default.asp
>
> I have been searching for a document like this to go along with my
> Architecture Document, and Implementation Document.  Figured I would share
> my find with you fine folks.  It serves as a good framework document.
>
> Todd


