RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-22 Thread Ken Cornetet
After reading this thread, I have to kick my 2 cents in. I use ESX and
VS day in and day out, and I think I can give fair comparison. I use
only ESX - none of the rest of the suite of related products (virtual
center, vmotion, etc), so this should be a pretty good apples-to-apples
comparison.
 
First, I can't see how anyone can say installing ESX is difficult or
complicated. You pick a time zone, configure your disks, and configure
your network. Not exactly rocket science. Once you are up and running,
you point your web browser at the box's IP address and download the
management client. 
 
Building virtuals is about the same in ESX as it is in VS. 
 
ESX is clearly superior in capabilities:
 
Virtuals can have 1 cpu in VS, 4 in ESX
Virtuals can have 3.5GB of RAM in VS, 16GB in ESX
ESX can present raw LUNs to virtuals - this lets you do
physical-to-virtual clustering among other things
ESX has VLAN capability in its virtual switches. You can extend VLAN
trunks into your ESX server via one NIC
ESX virtual disk files can be grown.
ESX knows how to combine identical memory pages to conserve memory.
This is a big win if you run many small virtuals on one box.
 
The strong points for VS are that it runs on any hardware that Windows
runs on, it supports iSCSI, and it is free.
 
Both are solid and perform reasonably well (although the general
consensus around here is that virtuals running under ESX seem snappier
than VS).
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, January 21, 2007 12:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server



Read all of this sort of. I have a fairly simple opinion:

 

If you want to screw around, or do small scale virtualization, VS or
VMWare server - whatever makes you happy, they're about the same in a
datacenter.

 

If you want to go do all that money saving stuff, large scale lets buy
some gigantic servers on a SAN, drink the kool aid off the cover of
eweek, etc - go buy an esx license or two. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Sunday, January 21, 2007 12:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

 

All indications to the contrary are likely due to insufficient
operational experience with the product - not an attack on anyone just a
statement based on my personal experience and interactions with others

Not at all, Ben. I can speak from both side of the aisle as far as
VMWare and VS are concerned, although my bias, to which I have already
confessed, plays a role in my dislike of VMWare. My dislike, though, is
driven largely based on the original (apples and oranges) statement to
which I responded. I have not disputed that VMWare is ahead of VS at
this present time. I have simply stipulated that the perceived gap is so
considerably narrowed now that dismissing VS as a non-starter is no
longer a technically sound or tenable position.

 

However, MS stated virtual machine support is the same regardless of
virtual environment provider.
This is just wrong. Please see
http://www.support.microsoft.com/kb/897615

 

You will also notice that my observation and opinion were based mostly
on where we are today on VS 2005 SP1 Beta 2. I do not dispute that
VMWare is superior, but at what cost? I disagree with your assertion
that ESX is easier to deploy and manage than VS - that just defies logic
(no offense). Not with the availability of System Center.  When you need
to provision a lab of, say, 20 servers running various OSes, and you are
under the gun to get it done, like 4 hours ago, on a piece of recycled
(Ebayed) hardware, ESX is not your friend.

 

I was afraid that this thread will go down the undesirable path of Us
vs Them, and I apologize for making it so. The point I'm trying to make
is that, if you are looking for a Virtualization solution, VS does NOT
stink one bit. Factor in the cost overlay, the deployment and
maintenance efforts, divide that by what EXACTLY you are looking for in
virtualization, then give VS a fair shake and not just go with the
popular VMWare Rules opinion. ESX may have been sexy a while back when
VS was truly ugly, but that is not the case today. VS is evolving, and
you may just be pleasantly surprised that it adequately meets your need
without breaking your bank and back.

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 


RE: [ActiveDir] [OT] Partitioning

2007-01-19 Thread Ken Cornetet
If you are extending the last partition (and it is not the system or
boot drive) on the disk into free space, diskpart will do the trick.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 19, 2007 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Partitioning



Hi folks, we've got a few partitions we need to enlarge on about 3 of
our servers - the space is there and available, but the partition just
needs to be expanded. Seeing as how PartitionMagic Pro has been
discontinued, can anyone recommend a good product for this?

 

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax



RE: [ActiveDir] NTP Client Software

2007-01-03 Thread Ken Cornetet
http://ntp.isc.org/bin/view/Main/ExternalTimeRelatedLinks



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Smith
Sent: Wednesday, January 03, 2007 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTP Client Software



Hello

 

Wonder if anyone out there has any NTP client software recommendations? We need 
to keep some clients within 1-2 sec’s of our stratum 1 timeserver and Windows 
Time simply does not cut it.

 

Any suggestions would be much appreciated.

 

Dan

 




RE: [ActiveDir] Updating cached credentials

2006-12-22 Thread Ken Cornetet
We proved it by running GPRESULT and seeing the group listed as one of
the groups the user was a member of.
 
The dialup connection option requires that the Nortel VPN client be
installed in what Nortel calls service mode. Our network folk don't
allow that (long story).
 
It isn't an SSL VPN, it is ipsec.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, December 21, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials


how'd you prove that the user creds were resynched and that the group
memberships were appropriate? 

Saying that, I'm sure that a gina would have solved that issue if you
logon via the dial up connection.  Have you already tried that method?
(that's where you create the vpn as connection you can choose and prior
to logon use the dial up connection check box for the logon.  That
implies that you have the alternate GINA installed from Nortel. 

For your method you specified here, does that work with the ssl vpn?
That would greatly interest me if it did. 

Al


On 12/21/06, Ken Cornetet [EMAIL PROTECTED] wrote: 

I have found a solution to the problem of updating group
information in cached credentials. Here's how a user would do it
(assumes user has admin rights, sorry)
 

Log on with a LOCAL user id.
Establish a VPN connection.
Use ALT+CTRL+DEL to lock the workstation.
Unlock the workstation using your DOMAIN user ID, not the local
user ID (This will cause the local user id to be logged off).
Log in with your domain user ID.
Run GPUPDATE /FORCE
 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 29, 2006 2:16 PM 

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials



My suggestion on that is to check with Nortel without mentioning
the psynch control and see what they recommend. 

SSL vpns are by nature a user-mode application but I'm not
familiar with how Nortel recommends to use it. 

As for the gpresult, I'm sorry to say I do not know where it
gets its information. Might be worth filing a DCR for it to get the
information from the same place that the group policy engine does,
though. 

Al


On 11/29/06, Ken Cornetet [EMAIL PROTECTED] wrote: 

The three finger salute did NOT result in the GPO being
applied. The only thing that made the GPO get applied was the Psynch
ActiveX control.
 
We have a recent version of the Nortel VPN client (May
2006). I do not know if it is the latest.
 
Most, if not all security fixes applied to XP clients.
 
On your last question, I believe you are referring to
what Nortel calls service mode where the VPN client installs itself as
a service and the user supplies their VPN credentials (we use SecurID)
on the NT logon screen. Our networking people (they own the VPN and
client) will not allow it to be used in that manner without testing, and
they won't test because they are replacing the Nortel IPSec VPN with an
SSL VPN (which I presume will have the same issue).



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 29, 2006 12:42 PM 

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials



You said the gpresult didn't give you the group
membership regardless, right? Just that the gpo was applied properly
after the three finger salute.  I do know that the three finger salute
method, with Nortel's client will cache the user's credentials ( i.e.
the user's password) but was not sure if it would for the group
membership. 

That's interesting.  

Did you check to be sure you have the latest Nortel
client and fixes for your XP clients? 

One other thing: I suppose it's semantics that we're
discussing, but have you considered having the user logon using the
dial-up connection ( i.e. the Nortel client via the GINA method) instead
of having the user logon first, then establish the vpn? What were the
results of that method? 




On 11/29/06, Ken Cornetet [EMAIL PROTECTED]
wrote: 

We had the user reboot, login using cached
credentials, start the VPN, then run GPRESULT.



From: [EMAIL PROTECTED]
[mailto: [EMAIL
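
A diagnostic for the behaviour discussed in this thread, added here as an example and not code from any message in it. GPO security filtering is evaluated against the group SIDs carried in the user's logon token; with a cached logon that token is built from the cached entry rather than from a DC, so a group added in AD does not appear until a logon that actually reaches a DC (which is what the lock/unlock-with-the-VPN-up sequence produces). Run as the affected user while the VPN is up, the script compares the token's domain group SIDs with the account's tokenGroups as the directory computes them. It assumes plain .NET and ADSI (no RSAT module); the function name Get-TokenGroupDrift is this example's own.

```powershell
# Added example (not from the ActiveDir thread). Compares the domain group
# SIDs in the current logon token with the account's current tokenGroups in
# Active Directory. Assumes: run as the domain user in question, a DC is
# reachable (VPN up), and only .NET / ADSI (no RSAT ActiveDirectory module).
# The function name Get-TokenGroupDrift is this example's own.

function Get-TokenGroupDrift {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $domainSid = $identity.User.AccountDomainSid.Value
    if (-not $domainSid) { throw "Current user $($identity.Name) has no domain SID." }

    # Groups this session's access token carries. For a cached logon they were
    # copied from the cached credential entry at logon time, not fetched from a
    # DC, so they lag the directory until the next DC-backed logon. Only groups
    # from the user's own domain are kept so machine-local and well-known SIDs
    # (BUILTIN\Users, Authenticated Users, the logon SID) do not show as drift.
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value } |
        Where-Object { $_ -like "$domainSid-*" } | Sort-Object -Unique)

    # The directory's view: tokenGroups is a constructed attribute holding the
    # fully expanded (nested) membership as a DC would compute it for a logon.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectSid=$($identity.User.Value)))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account $($identity.Name) not found in AD (is the VPN up?)" }

    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))
    $dirSids = @($(foreach ($bytes in $entry.Properties['tokenGroups']) {
            (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }) | Where-Object { $_ -like "$domainSid-*" } | Sort-Object -Unique)

    # Resolve a SID to DOMAIN\Name where possible; keep the raw SID otherwise.
    $toName = {
        param($sid)
        try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                  [System.Security.Principal.NTAccount]).Value }
        catch { $sid }
    }

    [pscustomobject]@{
        User             = $identity.Name
        # In AD but not in the token: added since the last DC-backed logon.
        # GPOs filtered on these groups will not apply until the token is rebuilt.
        MissingFromToken = @($dirSids | Where-Object { $tokenSids -notcontains $_ } |
                             ForEach-Object { & $toName $_ })
        # In the token but no longer in AD: access that lingers the same way.
        StaleInToken     = @($tokenSids | Where-Object { $dirSids -notcontains $_ } |
                             ForEach-Object { & $toName $_ })
    }
}

Get-TokenGroupDrift | Format-List
```

A non-empty MissingFromToken list after the VPN is up is exactly the state Ken describes: the directory has already moved on, but the session's token has not, and nothing short of a new DC-backed logon will rebuild it. Running the same function again after the lock/unlock sequence (or after a logon from the corporate network) should return two empty lists.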

RE: [ActiveDir] Updating cached credentials

2006-12-21 Thread Ken Cornetet
I have found a solution to the problem of updating group information in
cached credentials. Here's how a user would do it (assumes user has
admin rights, sorry)
 
Log on with a LOCAL user id.
Establish a VPN connection.
Use ALT+CTRL+DEL to lock the workstation.
Unlock the workstation using your DOMAIN user ID, not the local user ID
(This will cause the local user id to be logged off).
Log in with your domain user ID.
Run GPUPDATE /FORCE
 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 29, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials


My suggestion on that is to check with Nortel without mentioning the
psynch control and see what they recommend. 

SSL vpns are by nature a user-mode application but I'm not familiar with
how Nortel recommends to use it. 

As for the gpresult, I'm sorry to say I do not know where it gets its
information. Might be worth filing a DCR for it to get the information
from the same place that the group policy engine does, though. 

Al


On 11/29/06, Ken Cornetet [EMAIL PROTECTED] wrote: 

The three finger salute did NOT result in the GPO being applied.
The only thing that made the GPO get applied was the Psynch ActiveX
control.
 
We have a recent version of the Nortel VPN client (May 2006). I
do not know if it is the latest.
 
Most, if not all security fixes applied to XP clients.
 
On your last question, I believe you are referring to what
Nortel calls service mode where the VPN client installs itself as a
service and the user supplies their VPN credentials (we use SecurID) on
the NT logon screen. Our networking people (they own the VPN and client)
will not allow it to be used in that manner without testing, and they
won't test because they are replacing the Nortel IPSec VPN with an SSL
VPN (which I presume will have the same issue).



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 29, 2006 12:42 PM 

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials



You said the gpresult didn't give you the group membership
regardless, right? Just that the gpo was applied properly after the
three finger salute.  I do know that the three finger salute method,
with Nortel's client will cache the user's credentials ( i.e. the user's
password) but was not sure if it would for the group membership. 

That's interesting.  

Did you check to be sure you have the latest Nortel client and
fixes for your XP clients? 

One other thing: I suppose it's semantics that we're discussing,
but have you considered having the user logon using the dial-up
connection ( i.e. the Nortel client via the GINA method) instead of
having the user logon first, then establish the vpn? What were the
results of that method? 




On 11/29/06, Ken Cornetet [EMAIL PROTECTED] wrote: 

We had the user reboot, login using cached credentials,
start the VPN, then run GPRESULT.



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 29, 2006 11:56 AM
To: ActiveDir@mail.activedir.org 
Subject: Re: [ActiveDir] Updating cached credentials



Curious.  After trying those, how did you validate that
the user's group membership wasn't affected? 




On 11/29/06, Ken Cornetet  [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]  wrote: 

Ok, this is really strange...

I tried Al Mulnick's suggestion of having the
user change their password 
via a three-finger salute. That did not update
cached group membership.

I tried Guy Teverovsky's suggestion to do a
runas while VPN connected.
It did not update cached group membership.

James Aurther Wells suggested that the group
membership would be updated 
by a workstation process discussed in KB824302.
We connected via VPN and
let things sit for 4 hours - no cached group
membership update.

Since I mentioned that we used Psynch, Idan
Shoham of M-Tech pointed me 
to an ActiveX control that forces an update of
cached credentials on the
workstation when the Psynch web app is used to
change

RE: [ActiveDir] Updating cached credentials

2006-11-29 Thread Ken Cornetet
Ok, this is really strange...

I tried Al Mulnick's suggestion of having the user change their password
via a three-finger salute. That did not update cached group membership.

I tried Guy Teverovsky's suggestion to do a runas while VPN connected.
It did not update cached group membership.

James Aurther Wells suggested that the group membership would be updated
by a workstation process discussed in KB824302. We connected via VPN and
let things sit for 4 hours - no cached group membership update.

Since I mentioned that we used Psynch, Idan Shoham of M-Tech pointed me
to an ActiveX control that forces an update of cached credentials on the
workstation when the Psynch web app is used to change passwords. After
configuring Psynch to run the ActiveX control, the user gets the group
policy that was controlled by group membership.

Now this is where things get weird: GPRESULT shows that the policy IS
applied, but does NOT show the user as being a member of the group that
gets the policy! Huh?

Now my question is where does GPRESULT look for group membership
information? It does not appear to be looking the same place that the
group policy processing engine looks!

-Original Message-
From: Ken Cornetet 
Sent: Wednesday, November 22, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: Updating cached credentials

Is there a way to force updating of cached credentials on an XP
workstation? We have several users that seldom (if ever) connect to the
corporate network directly. Instead, they log in (XP sp2) using cached
credentials and connect via a Nortel VPN. 

We have several group policies that are filtered by group membership.
The problem is that the group membership seems to be cached on the
workstation, and is never updated to reflect the new membership, and
group policy is never applied.

Is there any mechanism for forcing this update?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Updating cached credentials

2006-11-29 Thread Ken Cornetet
We had the user reboot, login using cached credentials, start the VPN,
then run GPRESULT.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 29, 2006 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials


Curious.  After trying those, how did you validate that the user's group
membership wasn't affected? 




On 11/29/06, Ken Cornetet  [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]  wrote: 

Ok, this is really strange...

I tried Al Mulnick's suggestion of having the user change their
password 
via a three-finger salute. That did not update cached group
membership.

I tried Guy Teverovsky's suggestion to do a runas while VPN
connected.
It did not update cached group membership.

James Aurther Wells suggested that the group membership would be
updated 
by a workstation process discussed in KB824302. We connected via
VPN and
let things sit for 4 hours - no cached group membership update.

Since I mentioned that we used Psynch, Idan Shoham of M-Tech
pointed me 
to an ActiveX control that forces an update of cached
credentials on the
workstation when the Psynch web app is used to change passwords.
After
configuring Psynch to run the ActiveX control, the user gets the
group 
policy that was controlled by group membership.

Now this is where things get weird: GPRESULT shows that the
policy IS
applied, but does NOT show the user as being a member of the
group that
gets the policy! Huh? 

Now my question is where does GPRESULT look for group membership
information? It does not appear to be looking the same place
that the
group policy processing engine looks!

-Original Message-
From: Ken Cornetet
Sent: Wednesday, November 22, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: Updating cached credentials

Is there a way to force updating of cached credentials on an XP 
workstation? We have several users that seldom (if ever) connect
to the
corporate network directly. Instead, they log in (XP sp2) using
cached
credentials and connect via a Nortel VPN.

We have several group policies that are filtered by group
membership. 
The problem is that the group membership seems to be cached on
the
workstation, and is never updated to reflect the new membership,
and
group policy is never applied.

Is there any mechanism for forcing this update? 





RE: [ActiveDir] Updating cached credentials

2006-11-29 Thread Ken Cornetet
The three finger salute did NOT result in the GPO being applied. The
only thing that made the GPO get applied was the Psynch ActiveX control.
 
We have a recent version of the Nortel VPN client (May 2006). I do not
know if it is the latest.
 
Most, if not all security fixes applied to XP clients.
 
On your last question, I believe you are referring to what Nortel calls
service mode where the VPN client installs itself as a service and the
user supplies their VPN credentials (we use SecurID) on the NT logon
screen. Our networking people (they own the VPN and client) will not
allow it to be used in that manner without testing, and they won't test
because they are replacing the Nortel IPSec VPN with an SSL VPN (which I
presume will have the same issue).



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 29, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials


You said the gpresult didn't give you the group membership regardless,
right? Just that the gpo was applied properly after the three finger
salute.  I do know that the three finger salute method, with Nortel's
client will cache the user's credentials ( i.e. the user's password) but
was not sure if it would for the group membership. 

That's interesting.  

Did you check to be sure you have the latest Nortel client and fixes for
your XP clients? 

One other thing: I suppose it's semantics that we're discussing, but
have you considered having the user logon using the dial-up connection (
i.e. the Nortel client via the GINA method) instead of having the user
logon first, then establish the vpn? What were the results of that
method? 




On 11/29/06, Ken Cornetet [EMAIL PROTECTED] wrote: 

We had the user reboot, login using cached credentials, start
the VPN, then run GPRESULT.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 29, 2006 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials



Curious.  After trying those, how did you validate that the
user's group membership wasn't affected? 




On 11/29/06, Ken Cornetet  [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]  wrote: 

Ok, this is really strange...

I tried Al Mulnick's suggestion of having the user change
their password 
via a three-finger salute. That did not update cached
group membership.

I tried Guy Teverovsky's suggestion to do a runas
while VPN connected.
It did not update cached group membership.

James Aurther Wells suggested that the group membership
would be updated 
by a workstation process discussed in KB824302. We
connected via VPN and
let things sit for 4 hours - no cached group membership
update.

Since I mentioned that we used Psynch, Idan Shoham of
M-Tech pointed me 
to an ActiveX control that forces an update of cached
credentials on the
workstation when the Psynch web app is used to change
passwords. After
configuring Psynch to run the ActiveX control, the user
gets the group 
policy that was controlled by group membership.

Now this is where things get weird: GPRESULT shows that
the policy IS
applied, but does NOT show the user as being a member of
the group that
gets the policy! Huh? 

Now my question is where does GPRESULT look for group
membership
information? It does not appear to be looking the same
place that the
group policy processing engine looks!

-Original Message-
From: Ken Cornetet
Sent: Wednesday, November 22, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: Updating cached credentials

Is there a way to force updating of cached credentials
on an XP 
workstation? We have several users that seldom (if ever)
connect to the
corporate network directly. Instead, they log in (XP
sp2) using cached
credentials and connect via a Nortel VPN.

We have several group policies that are filtered by
group membership. 
The problem is that the group membership seems to be
cached on the
workstation, and is never updated to reflect the new
membership, and
group policy is never applied.

Is there any mechanism for forcing this update

[ActiveDir] Updating cached credentials

2006-11-22 Thread Ken Cornetet
Is there a way to force updating of cached credentials on an XP
workstation? We have several users that seldom (if ever) connect to the
corporate network directly. Instead, they log in (XP sp2) using cached
credentials and connect via a Nortel VPN. 

We have several group policies that are filtered by group membership.
The problem is that the group membership seems to be cached on the
workstation, and is never updated to reflect the new membership, and
group policy is never applied.

Is there any mechanism for forcing this update?


RE: [ActiveDir] Updating cached credentials

2006-11-22 Thread Ken Cornetet
Thanks Al. We typically change passwords via a web app (Psynch) rather
than at the workstation. One of our desktop techs thought that changing
your password via the three-finger salute would cause the credentials to
be updated, but in this case it didn't seem to work. We'll try the
workstation lock and see if that works.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 22, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials


As I understand it, The nortel vpn client is a shim that works at layer
3 and does not take effect until after the user session has begun.  This
prevents much of the normal node processing you'd like to see happen
such as control of the windows firewall, caching of group membership and
so on.  

Since most companies require a password change on a regular basis for
user accounts, I'm kind of surprised that you see this behavior. The way
to change the user credentials on a nortel client is to have the user
use the three finger salute (ctrl+alt+del sequence) to lock the
workstation after the vpn is established.  When the user logs back on
this *is expected* to re-cache the credentials.  This should be a
familiar sequence of events for the users every password change. 

Has this not addressed the problem for you to date? 


On 11/22/06, Ken Cornetet [EMAIL PROTECTED]  wrote: 

Is there a way to force updating of cached credentials on an XP
workstation? We have several users that seldom (if ever) connect
to the 
corporate network directly. Instead, they log in (XP sp2) using
cached
credentials and connect via a Nortel VPN.

We have several group policies that are filtered by group
membership.
The problem is that the group membership seems to be cached on
the 
workstation, and is never updated to reflect the new membership,
and
group policy is never applied.

Is there any mechanism for forcing this update?





RE: [ActiveDir] OT: wikis

2006-10-09 Thread Ken Cornetet
They like it because it shows that division by zero can bite you without
being obvious. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, October 08, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

I've seen that stunt a few times. I'm not sure the point of showing it
but math teachers love to demonstrate it for some reason. 


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, October 05, 2006 2:22 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis
 
 Careful, I recall a math professor in my differential equations class
 or maybe it was higher throwing a proof up on the board showing that
 1 + 1 != 2 and it wasn't a numerical base trick
 
 I didn't follow through it, I just closed my eyes and shook my head and
 thought forward to my communications class as the sights were easier on
 the eyes...
 
 I still wonder why I went into a field with such a high ratio of men to
 women... :)
 
 
 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
 Robinson
 Sent: Thursday, October 05, 2006 12:55 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: wikis
 
 999,998 + 2 = 1,000,000, not 100,000. ;-)
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
  Sent: Thursday, October 05, 2006 11:49 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: wikis
 
 
   It's funny how we quote wikis as definitive sources of
information,
   when they can be edited by anyone and everyone :)
  
   Who vets the edits and how much does that person know about the 
   subject matter??
 
  Anyone can edit, which is why they are generally correct.
  When 100,000 people view a record, and 2 people want to change it to

  be incorrect,
  999,998 will want to correct it.
 
  I wouldn't use a wiki as a great historical or technical source.  
  But for encyclopedia entries, which give a good summation of a 
  subject, they are great.
 
 
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: http://www.activedir.org/ml/threads.aspx
 


RE: [ActiveDir] Disabling the file open security warning for certain VBS scripts

2006-07-21 Thread Ken Cornetet



You could add all of the possible source servers to your IE 
"Local Intranet" zone via group policy.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 21, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling the file open security warning for
certain VBS scripts

Thanks Kevin. I thought as much.

The option to store the files locally is not viable - there 
are ~15,000 machines :)

Code signing may be viable altho I'm not sure there is a 
single, trusted PKI within the org...


Thank again,
neil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: 21 July 2006 15:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling the file open security warning for
certain VBS scripts


You can't turn it off for specific files, or even file types. You can
set it via Internet Explorer GPO to turn off the warning altogether, but
I don't think you really want that.

There are two options that I know of. You can either use a trusted
source for code-signing, or you can store the files locally on every
machine in the environment. If it is stored locally Windows doesn't
consider it to be a threat. You would have to change the path to the vbs
scripts to something that resolves locally on the machines
(c:\scripts\..., for example). Of course the admin overhead on that
becomes insane. If every user connects to your network from a Citrix
server or something like that, it is a little more doable. Otherwise
code-signing is really the only viable option. 






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 21, 2006 3:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabling the file open security warning for
certain VBS scripts


I have a bunch of vbs scripts which are stored in SYSVOL.

They are called when a user right clicks an object in AD and chooses one
of the extra functions added to the context menu (via a displaySpecifiers
change).

By default, these scripts generate a file open security dialog - which
I'd like to suppress.

Any ideas as to how this might be done for just a select few VBS
scripts, without allowing all VBS scripts to run without a warning? The
scripts could be executed from any machine in the forest.

Software restriction policy? Code signing? IE zone changes? ???

Thx, 
neil 


PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
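Added example, not code from this thread: the dialog comes from the zone IE assigns to the script's path. A plain host name (\\dc01\sysvol) is Local Intranet by IE's dotted-name rule, while the domain DFS root (\\corp.example\sysvol) is a dotted name and falls into the Internet zone unless it is listed. The PowerShell below writes the same registry entries the Site to Zone Assignment List policy delivers, scoped to the file: scheme and to the hosts that actually serve SYSVOL, then reads them back. The host names, the domain and the use of HKCU are assumptions; deliver it by GPO for real, and note that once that policy is enabled users can no longer edit the zone lists themselves. Listing a whole DNS suffix instead of named hosts would trust every file share under it.

```powershell
# Added example, not from the thread. Writes the registry entries that the
# "Site to Zone Assignment List" policy (Internet Explorer > Internet Control
# Panel > Security Page) produces, so the SYSVOL sources land in Local Intranet
# (zone 1) for file: URLs only. Try it in a test profile; deliver it by GPO for real.

$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Use the real DC list when the AD module is available, otherwise an assumed sample.
$sources = @()
if (Get-Command Get-ADDomainController -ErrorAction SilentlyContinue) {
    $sources = @((Get-ADDomainController -Filter *).HostName)
}
if ($sources.Count -eq 0) {
    $sources = @('dc01.corp.example', 'dc02.corp.example')   # assumed host names
}
# The domain DFS root (\\corp.example\sysvol) is a dotted name too, so IE treats it
# as Internet unless listed. Listing it trusts only that exact name, not *.corp.example.
$sources += 'corp.example'   # assumed domain name

New-Item -Path $policyKey -Force | Out-Null
foreach ($source in $sources) {
    # Value name is the URL pattern, data is the zone number as a string.
    # Zones: 0 Local Machine, 1 Local Intranet, 2 Trusted, 3 Internet, 4 Restricted.
    New-ItemProperty -Path $policyKey -Name "file://$source" -Value '1' -PropertyType String -Force | Out-Null
}

# Read back what IE will see, and flag anything mapped more broadly than a single host.
$key = Get-Item -Path $policyKey
foreach ($name in $key.GetValueNames()) {
    $zone = $key.GetValue($name)
    $note = if ($name -match '\*') { '  <- wildcard, trusts every host it matches' } else { '' }
    '{0,-40} zone {1}{2}' -f $name, $zone, $note
}
```

Signing the scripts (the other option in the thread) removes the warning for a different reason: the publisher is trusted rather than the location, which is the better control when the scripts can be launched from any machine in the forest.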

[ActiveDir] 2003 mode - what happens?

2006-07-19 Thread Ken Cornetet



We are planning on upgrading our two domain forest to 2003 mode (now at 2000 native). What happens during this change? The only thing that I'm aware of is changes in the way AD replicates (linked value stuff...). However, the SAP folks here tell me that 2003 mode changes the way Kerberos works according to their SAP notes.

So, what exactly happens?


RE: Re: [ActiveDir] DNS on a DC or NOT

2006-05-17 Thread Ken Cornetet
Since we are talking about DNS and DCs, I'll post my usual request: AD 
integrated secondaries would be a REAL handy thing!





RE: [ActiveDir] OT: Exchange patch this month

2006-05-11 Thread Ken Cornetet
Also, please note that KB916803 referenced in MS06-019 is wrong. E2k3
SP2 and E2K SP3 do *not* get the new version of STORE.EXE that changes
the Send As security. Only E2k3 SP1 gets the new STORE.EXE. At least
so says MS06-019 (Security Update Information section).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, May 10, 2006 7:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange patch this month

Since there are a lot of Exchange questions on this list.. just a fyi
there's a lovely patch for Exchange this month that not only changes
permissions affecting Blackberries...but has 'from remote attack'
impact.

You Had Me At EHLO... : BlackBerry and GoodLink users may be unable to
send messages after applying latest Exchange 2003 store hotfixes:
http://msexchangeteam.com/archive/2006/01/13/417440.aspx

On a SBS box it so far.. is requiring reboot.

Microsoft Security Bulletin MS06-019: Vulnerability in Microsoft
Exchange Could Allow Remote Code Execution (916803):
http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx

And the EHLO blog has a new landing place http://msexchangeteam.com/



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] OT: KVM switches

2006-05-05 Thread Ken Cornetet
Does anyone have any suggestions for cheap KVM switches? We are
currently using Belkin 16 port switches. They are cheap enough, but we
seem to experience issues with them.

I don't need anything fancy. No KVM over IP, no KVM over cat 5, etc.


RE: [ActiveDir] R2 Upgrade or install?

2006-04-28 Thread Ken Cornetet
Your scenario 2 works, and our TAM says there is no problem doing it. I
have upgraded a couple of servers this way. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta,
Nathaniel V CTR USAF NASIC/SCNA
Sent: Friday, April 28, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Upgrade or install?

Hey all,

I am having a debate and wondering if the following is true:

1)You must upgrade your 2003 servers to SP1 before going to R2.

2)You can upgrade an existing 2003 server to SP1 and then load the
components from R2 onto it from R2 disk 2.

Or

3)Must you load the R2 disk 1 2003 Operating System disk with SP1
embedded and then load R2 disk 2 onto it.

Just trying to figure out if we need to upgrade to SP1 and then we can
load the components of R2 onto our existing 2003 servers, or if we need
to load the R2 disk 1 operating system, which contains SP1 already, and
then R2 disk 2.

Does anyone have any ideas?

Thanks,
Nate Bahta


RE: [ActiveDir] Disaster Recovery

2006-03-21 Thread Ken Cornetet



I do a backup of the C: drive and system state using NTBACKUP to a file on an alternate DC, then I back up the whole DC (files and system state) using Legato Networker. Why the NTBACKUP? Just in case...

I've done a couple of hotsite test recoveries of our DCs (HP DL380G2) to various other HP server models, and even to Dells. I've never had a major problem doing this with server 2003 (windows 2000, on the other hand, seemed to always give me grief).

I have toyed with the idea of having a couple of DCs running on virtual servers. I'd create a perl script to nightly shut down the DCs, copy the virtual disk files, then bring the DCs back up. I want to do this not so much for the hardware independence, but rather for the speed of recovery.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Tuesday, March 21, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disaster Recovery

Hello there,

I have a question regarding Active Directory disaster recovery. I was just curious as to what steps you all take to protect your forest.

An example is I back up my System State nightly and these tapes go off to an offsite location. If my building and computer suite was to burn down, I would need to rebuild my forest.

In this scenario I am assuming it would be easier to have identical hardware to carry out a restore, I know you can restore to alternate hardware but I hear bad things about this.

The other thought is to have a DC built using virtual server and start this DC once per month to replicate the latest copy of AD, then shutting it down, saving a copy of the VHD and sending to an offsite location.

That way it's not hardware dependent and just need to do a metadata cleanup.

What do you all do?

amy



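Two caveats a practitioner would add to the copied-VHD idea in this thread, with an added check that is not code from the thread. First, a DC's disk image or system-state set is the whole ntds.dit, every password hash in the domain, so an offsite copy needs the same protection as the DC itself. Second, a DC backup is only restorable within the forest's tombstone lifetime (60 days on forests created before Windows Server 2003 SP1, 180 days after), and booting an older image, or booting a restored one without a non-authoritative restore, risks lingering objects and USN rollback. The PowerShell below reads tombstoneLifetime from the configuration partition and compares it with the last-backup stamp repadmin reports for each naming context. It assumes RSAT or a DC to run on, and the parsing of repadmin's output is a best-effort assumption about its format.

```powershell
# Added example, not from the thread. Answers "is this backup still restorable?":
# a system-state or VHD copy older than the tombstone lifetime must not be restored.
# The dSASignature that a supported backup stamps is what repadmin /showbackup reports.
# Parsing of the repadmin output ("time YYYY-MM-DD HH:MM:SS") is an assumption.

Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsObj   = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" -Properties tombstoneLifetime
# Attribute absent means the original default of 60 days; newer forests carry 180.
$tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

$lines   = & repadmin.exe /showbackup 2>&1
$nc      = $null
$found   = 0
foreach ($line in $lines) {
    # Naming-context lines are unindented DNs; the signature line below them carries the time.
    if ($line -match '^(DC=|CN=)') { $nc = "$line".Trim(); continue }
    if ($line -match 'time (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
        $found++
        $last  = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
        $age   = (Get-Date) - $last
        $state = if ($age.TotalDays -ge $tsl)     { 'EXPIRED - do not restore' }
                 elseif ($age.TotalDays -ge $tsl / 2) { 'aging - refresh the offsite copy' }
                 else                               { 'ok' }
        '{0,-45} last backup {1:yyyy-MM-dd} ({2,4:N0} days, TSL {3}) {4}' -f $nc, $last, $age.TotalDays, $tsl, $state
    }
}
if ($found -eq 0) { "No backup stamp found; either nothing has backed up this DC or the output format differs from the assumed one." }
```

The same check applies to the monthly virtual DC: a VHD saved and then not started again for longer than the tombstone lifetime is no longer a usable recovery source, and the metadata cleanup the thread mentions is needed for the DCs that did burn down, not for the one you restore.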




RE: [ActiveDir] OT: Hacking up QB to run under user rights (the official Intuit answer)

2006-03-17 Thread Ken Cornetet
You keep using that word. I do not think it means what you think it
means.  Obligatory Princess Bride quote. Oh wait... This isn't the
Exchange list. Never mind.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phillip
Partipilo
Sent: Friday, March 17, 2006 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Hacking up QB to run under user rights (the
official Intuit answer)

Oh. Wow. They've finally responded to that problem?  Inconceivable!


 
Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, March 16, 2006 7:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Hacking up QB to run under user rights (the
official Intuit answer)

Message: User Access Rights Problem: Windows XP and Windows 2000 users
must have Power Users or Administrator group rights...:
http://www.quickbooks.com/support/faqs/qb2006/a4edfd81.html

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] Communication across a trust...with firewalls

2006-03-14 Thread Ken Cornetet



I've just been troubleshooting the same scenario. I think 
you are correct - the member servers want to talk directly to a DC in the domain 
containing the user in question. They do not ask their own DC to do the 
authentication.

I know this is the case when you add a user from the 
trusted domain to a local group on the member server. The member server looks in 
DNS to find all the domain controllers for the user's domain, does what I guess 
would be called an "LDAP ping", then starts talking to the first DC that answers 
back.

Ethereal is your friend!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 10:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Communication across a trust...with firewalls


Within a domain, when a user's credentials are presented to a member server, that member server communicates with the domain controller to validate the creds.

We have a cross-forest (cross-company; a divestiture) trust set up that we are testing. A member server in the other forest/domain and across the firewall is having trouble authenticating credentials from our domain. Their DC works fine. Ports on the firewall are only opened for the two domain controllers (one on each side).

Here's the question: in order to validate the foreign credentials, should the member server be looking first to its own DC, or is it trying to cross the firewall to find our DC? Based on the preliminary traffic sampling so far, I think that's what is happening. Is that normal/expected behavior?

TIA,
AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
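An added example, not from the thread, that does what the member server does when a user from the trusted domain turns up: resolve that domain's DC SRV records, then probe from the member server the TCP ports the authentication path needs (Kerberos 88, LDAP 389, SMB 445, RPC endpoint mapper 135). The domain name and port list are assumptions. The practical point is that firewall rules opened only between the two DCs are not enough; every member server that authenticates foreign users needs the same reachability.

```powershell
# Added example, not from the thread. Finds the trusted domain's DCs the way the
# DC locator does (SRV lookup) and checks from this host that the ports a member
# server needs are reachable. Domain name and port list are assumptions.

param([string]$TrustedDomain = 'corp.example')   # assumed trusted-domain name

# TCP ports a member server needs on a DC of the trusted domain. RPC also uses the
# dynamic range (49152-65535 on Windows Server 2008 and later), which a static probe cannot cover.
$ports = @{ 88 = 'Kerberos'; 389 = 'LDAP'; 445 = 'SMB (Netlogon / NTLM pass-through)'; 135 = 'RPC endpoint mapper' }

# DsGetDcName starts with this SRV query; the _msdcs records list every DC in the domain.
$records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop
$dcs = $records | Where-Object { $_.QueryType -eq 'SRV' } |
       Sort-Object Priority, Weight | Select-Object -ExpandProperty NameTarget -Unique

if (-not $dcs) {
    throw "No DC SRV records for $TrustedDomain; DNS (UDP/TCP 53) is the first hole to check in the firewall."
}

foreach ($dc in $dcs) {
    foreach ($port in $ports.Keys) {
        $result = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $state  = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-32} {1,5} {2,-38} {3}' -f $dc, $port, $ports[$port], $state
    }
}

# The "LDAP ping" that picks the first responder is CLDAP over UDP 389, which a TCP
# probe cannot exercise; confirm it with a capture (Wireshark, the successor to Ethereal)
# or with: nltest /dsgetdc:$TrustedDomain /force
```

If every DC shows BLOCKED on 88 and 389 from the member server while the DC-to-DC pair works, the capture will show the member server's own locator traffic being dropped, which matches the behaviour described in the thread.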




RE: [ActiveDir] OT: DEC 2006

2006-01-13 Thread Ken Cornetet
I remember those. That was my last year at U of L and they announced
that the next year all engineering students would be required to buy a
rainbow. The cost was to be spread over 4 years of tuition. Fortunately,
the rainbow proved itself an instant flop and U of L dropped that plan.

If memory serves, they did run MSDOS, but they didn't have a pc
compatible BIOS so that while they gave the impression that they were PC
compatible, in reality they wouldn't run anything that required BIOS
calls (which was 99% of the software out there). We used a lot of HP 150
touch screens, and they were the same way.

Also, you had to buy pre-formatted floppies from DEC - you couldn't
format your own. At least until someone leaked the formatting utilities.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
Sent: Wednesday, January 11, 2006 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006

Anyone remember the Rainbow?  It was DEC's attempt at a Personal
computer.  Launched in early '83, if I remember...  ran its own
proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It
died a year or two later, but the marketing stickers held up for about
10 years!!  I had one stuck to my daughter's mirror and damned if I
could get it off!!

And the DECwriter and the Gold key. a - sweet memories!!

On 1/11/06, joe [EMAIL PROTECTED] wrote:
 Ah but people using DEC and attending DECUS were smarter than the average bear. To this day the people I meet who grew up on DEC are more well rounded and knowledgeable in the field than the norm.

 The good ol days... Anyone remember Mike Mayfield and the RSTS/E Monitor Internals books he wrote? Only place to get the real scoop on the internals so you could really wreak havoc. I think he also wrote the original Trek too so if your system was still up after poking around in the internals you could play a video game on your DecWriter or VT52.

 I got my first official corporate support position supporting OS/2 and Win31 on Token Ring back in the mid 90's because I knew DEC. The 8 or so people in the panel interview started asking me questions about the equipment the job was for (OS/2 Win31 tcp/ip Token Ring) and I couldn't answer any of the questions so they saw DEC on my resume and started asking DEC questions and a couple of hours later we were all laughing and I had my choice of the three open positions they had even though I knew nothing about any of them.
 :)



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John 
 McGlinchey
 Sent: Tuesday, January 10, 2006 4:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: DEC 2006

 My experience is just the opposite. I attended DECUS (The other DEC, Digital Equipment Computer Users Society Symposia) a few times back in the 90's and the casinos complained that the attendees were not losing enough money. This was attributed to 1) most of the attendees knew the odds were against them so they kept their money in their pockets where it belonged and 2) the ones that did play were pretty good at it and were winning too much.

 I'll not be attending but I'm sending someone that works for me instead.
 Have a good conference.

 John McGlinchey

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
  Michael M.
  Sent: Tuesday, January 10, 2006 3:38 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006
 
  I think you are going to find the same at Green Valley - 
  http://www.greenvalleyranchresort.com/gaming/index.html
 
  Leave your car and house titles at home!




--
Kat Collins - The Email of the species is more powerful than the Mail!

The human voice is the organ of the soul. Henry Wadsworth Longfellow


RE: [ActiveDir] OT: Prob not relevant here ...but -implement system policies in non AD

2006-01-13 Thread Ken Cornetet
Outlook 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 10:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Prob not relevant here ...but -implement
system policies in non AD

Don't forget SQL, Sharepoint, MSDE, ISA. I'm sure I've forgotten
something around here...

Laura E. Hunter wrote:

...a single Domain Controller WITH EXCHANGE RUNNING ON IT, you mean?

:-)

On 1/11/06, joe [EMAIL PROTECTED] wrote:
  

BLASPHEMY!

Non-AD Environments! That's almost as bad as having a single Domain 
Controller!!!

 :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Prob not relevant here ...but -implement 
system policies in non AD

How to implement system policies for Windows XP-based, Windows 
2000-based, and Windows Server 2003-based client computers in 
non-Active Directory
environments:
http://support.microsoft.com/?kbid=910203






--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)

  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] AD or is this Exchange task?

2005-12-21 Thread Ken Cornetet



As much as I like to whip up perl code, I usually use AutoIt (http://www.autoitscript.com/autoit3/) for one-shot things like this.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, December 21, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD or is this Exchange task?

I've been asked to write a script to mail-DISable a bunch of public folders. Is that accomplished by manipulating something in AD, or Exchange or both? I haven't been able to uncover much documentation on this topic, except for one guy's horror story. I'll tell our Exchange dude to do it manually if this is an unusually risky undertaking, but there are about 1000 or so to do.
Thanks,
Mark

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.


RE: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?

2005-11-16 Thread Ken Cornetet
Go to the HP drivers page for your server and download the MS-DOS SCSI
drivers. Copy the appropriate driver(s) to your boot disk, and add the
driver(s) to the config.sys file. You should be good to go!


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, November 15, 2005 9:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?

Greetings, 

I am trying to use Symantecs Gdisk with a /DODWIPE option to do a
security wipe of  a Compaq 7000's Raid Array, however using a dos boot
disk will not allow me to access the disk array. My work around on this
was that I created a 32 bit bootable CD-Rom using Bart's PE and I added
the server's 32bit Raid controller driver which now allows me to access
the disk array. However since it is running a 32bit OS, gdisk will not
work as it is only a 16bit program. When I try and use Symantec's
Gdisk32 which will run, the /DODWIPE option is not available. 

Does anyone know if Symantec has an updated version of GDISK32 that
supports a DODWIPE? Does any one have any prefered tools other then
GDISK that they can recommend that will work with my Raid Array?

Since there are some HP employees on this list, does HP have a
recommended tool they provide there customers to use on Proliant servers
before decommisioning them?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org






RE: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?

2005-11-16 Thread Ken Cornetet
This looks like what you want:

http://h18023.www1.hp.com/support/files/server/us/download/7599.html 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, November 16, 2005 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?

Hi Ken, 

Hmm.. Dos drivers may be available for ATA controllers but are they
available for high end RAID SCSI Raid Controllers?
http://h18007.www1.hp.com/support/files/storage/us/family/model/1237.html?lang=en&cc=us




Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL






RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD

2005-11-04 Thread Ken Cornetet



I've used a simpler (IMHO) version: rename logon.scr to 
logon.sav, then copy cmd.exe to logon.scr. Reboot. Presto! In a few minutes you 
have a command shell running under system.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, November 04, 2005 12:28 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD

Has anyone ever tried this?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL



  
  
Forgot the Administrator's Password? - Reset Domain Admin Password in Windows Server 2003 AD.


  
Note: In order to successfully use this trick you must first use one of the password resetting tools available on the "Forgot the Administrator's Password?" page. The reason for that is that you need to have the local administrator's password in order to perform the following tip, and if you don't have it, then the only method of resetting it is by using the above tool. Read more about that on the "Forgot the Administrator's Password?" page.

Update: You can also discuss these topics on the dedicated "Forgot Admin Password - Related Discussions" forum.

Lamer note: This procedure is NOT designed for Windows XP since Windows XP is NOT a domain controller. Also, for a Windows 2000 version of this article you should read the "Forgot the Administrator's Password? - Change Domain Admin Password in Windows 2000 AD" page.

Reader Sebastien Francois added his own personal note regarding the changing of Domain Admin passwords on Windows Server 2003 Active Directory domains (HERE). I will quote parts of it (thanks Seb!):

Requirements

- Local access to the Domain Controller (DC).
- The Local Administrator password.
- Two tools provided by Microsoft in their Resource Kit: SRVANY and INSTSRV. Download them from HERE (24kb).

Step 1

Restart Windows 2003 in Directory Service Restore Mode.

Note: At startup, press F8 and choose Directory Service Restore Mode. It disables Active Directory. When the login screen appears, log on as Local Administrator. You now have full access to the computer resources, but you cannot make any changes to Active Directory.

Step 2

You are now going to install SRVANY. This utility can virtually run any program as a service. The interesting point is that the program will have SYSTEM privileges (LSA) (as it inherits the SRVANY security descriptor), i.e. it will have full access on the system. That is more than enough to reset a Domain Admin password. You will configure SRVANY to start the command prompt (which will run the 'net user' command).

Copy SRVANY and INSTSRV to a temporary folder, mine is called D:\temp. Copy cmd.exe to this folder too (cmd.exe is the command prompt, usually located at %WINDIR%\System32).

Start a command prompt, point to d:\temp (or whatever you call it), and type:

instsrv PassRecovery "d:\temp\srvany.exe"

(change the path to suit your own).

It is now time to configure SRVANY.

Start Regedit, and navigate to

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PassRecovery

Create a new subkey called Parameters and add two new values:

name: Application
type: REG_SZ (string)
value: d:\temp\cmd.exe

name: AppParameters
type: REG_SZ (string)
value: /k net user administrator 123456 /domain

Replace 123456 with the password you want. Keep in mind that the default domain policy requires complex passwords (including digits, respecting a minimal length etc) so unless you've changed the default domain policy use a complex password such as [EMAIL PROTECTED]

Now open the Services applet (Control Panel\Administrative Tools\Services) and open the PassRecovery property tab. Check the starting mode is set to Automatic.

Go to the Log On tab and enable the option Allow service to interact with the desktop.

Restart Windows normally, SRVANY will run the NET USER command and reset the domain admin password.

Step 3

Log on with the Administrator's account and the password you've set in step #2.

Use
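Both tricks in this message (the SRVANY service and the logon.scr swap) need console or boot access to the DC, which is the lesson a practitioner takes from them: whoever controls a DC's disk and console controls the domain, so DC volumes belong under full-disk encryption, the DSRM password must be unique per DC and rotated, and the traces these tricks leave are worth monitoring. Below is an added read-only check, not code from this thread, that looks for those traces: a service with SRVANY's Parameters\Application value, any service image that is cmd.exe or srvany.exe, the interactive-service flag (0x100 in the service's Type value), and a .scr in System32 whose hash or version resource is cmd.exe. It compares hashes rather than trusting Authenticode status, because a renamed cmd.exe still validates through the Microsoft catalog.

```powershell
# Added example, not from the thread: read-only detection for the two tricks above.
# (a) SRVANY-style services (Parameters\Application), any service image that is
#     cmd.exe or srvany.exe, and the interactive flag (0x100) in the service Type;
# (b) a .scr in System32 that is really cmd.exe (same hash or version resource).
# Run elevated so every service key is readable. Nothing here changes the box.

$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = New-Object System.Collections.Generic.List[string]

foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $p -or -not $p.ImagePath) { continue }

    # 0x100 = SERVICE_INTERACTIVE_PROCESS, the "Allow service to interact with desktop" box.
    if ($p.Type -band 0x100) {
        $findings.Add("$($svc.PSChildName): SERVICE_INTERACTIVE_PROCESS set, image $($p.ImagePath)")
    }
    if ($p.ImagePath -match '(?i)\\(cmd|srvany)\.exe') {
        $findings.Add("$($svc.PSChildName): service image is $($p.ImagePath)")
    }
    # SRVANY reads the program to launch from Parameters\Application (+ AppParameters).
    $params = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.Application) {
        $findings.Add("$($svc.PSChildName): srvany Application='$($params.Application)' AppParameters='$($params.AppParameters)'")
    }
}

# Screensaver swap. A renamed cmd.exe still validates through the Microsoft catalog,
# so compare hashes and the version resource instead of trusting the signature status.
$cmdHash = (Get-FileHash -Path "$env:SystemRoot\System32\cmd.exe" -Algorithm SHA256).Hash
foreach ($scr in Get-ChildItem -Path "$env:SystemRoot\System32\*.scr" -ErrorAction SilentlyContinue) {
    $hash = (Get-FileHash -Path $scr.FullName -Algorithm SHA256).Hash
    $orig = $scr.VersionInfo.OriginalFilename
    if ($hash -eq $cmdHash -or $orig -match '(?i)cmd\.exe') {
        $findings.Add("$($scr.FullName): is cmd.exe (OriginalFilename='$orig')")
    }
}

if ($findings.Count -gt 0) { $findings } else { 'No SRVANY, interactive-service or screensaver-swap indicators found.' }
```

Run it from a scheduled task on every DC and ship the output to your log collector; a clean DC produces the single closing line, so anything else is worth a ticket.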

RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

2005-10-14 Thread Ken Cornetet



I've been looking at HP DL385s for some SAP stuff. SAP's benchmarking page (http://www50.sap.com/benchmarkdata/sd2tier.asp) shows that a dual dual-core AMD box gives the same performance as a 4-way Intel box.

I've built a few 385s so far, and they rock! And, as a bonus, you could run your DCs on 64 bit windows. Four CPUs, 16GB of RAM, and 64 bit windows - that's one honkin' DC!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mauricio F. Funes
Sent: Thursday, October 13, 2005 11:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

Gentlemen, does anyone have any information regarding Domain Controller consolidation utilizing Dual Core CPUs? I have not seen any reports from Microsoft indicating the performance boost gained by utilizing Dual Core technology on DCs. It is presumed to be much better than the 20% to 30% gain from Hyper Threading CPUs.
Thanks for your input,
Mauricio Funes [EMAIL PROTECTED] Pasadena, CA


RE: [ActiveDir] Different Versions of Internet Explorer

2005-10-12 Thread Ken Cornetet
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q164539ID=KB;EN-US;Q164539

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Anthony
Crawford
Sent: Tuesday, October 11, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Different Versions of Internet Explorer

We have a web based application that is behaving slightly differently
depending on the user's version/patches of Internet Explorer.  I was
wondering if someone would shed some light as to what the numbers mean
under Version.  I understand it is Version 6.0 but what do the
subsequent numbers mean?  I also understand under Update Version those
are probably patches that have been applied.

For example, Computer One works fine and this is what is listed under
Help - About

Version:  6.0.2800.1106 xpsp2.503001-1526 Cipher Strength:  128 bit
Update Version:  SP1; Q818529; Q330994; Q828750; Q832894; Q837009;
Q823353; Q867801; Q903235


Computer Two is having the issue and this is what is listed under Help -
About

Version:  6.0.2900.2180 xpsp_sp2_gdr.050301-1519 Cipher Strength:
128-bit Update Version: SP2

The main difference between the two is Computer One has been on the
network for some time and thus has quite a few security patches whereas
Computer Two is new and only needed a few patches.  The problem seems to
be on the new workstations.  

Thanks.

Tony
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] disabling users

2005-09-21 Thread Ken Cornetet



I think the reason you don't see new Perl/win32 books is that they more or less aren't needed. Once you learn how to do COM with Perl, you can use the myriads of VBScript resources that are out there. Once you know what object you need, and how it works, translating to Perl is usually trivial.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 21, 2005 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

I only have time to learn one scripting lang.
i figured perl is the better way to go as i have to work with linux and solaris as well.

know of any good docs,books,sites on perl and COM+ or adsi?
something that will teach you both like the VBScript resources do?

i really think there is a market for perl and AD/win32 out there that is untapped.
O'reilly has let most of their win32 perl books become outdated and stop at Win NT as has Dave Roth.

I'm not a programmer and i don't have time to learn multiple scripting langs, so i always thought perl would be the best way to go.
I find it as approachable as VBScript but unlike VBScript, I don't find many resources for using it on win32 systems.
I'm afraid learning perl and working with windows might be an uphill battle.
are there resources for teaching you how to use perl with cdo,wmi,adsi,ado,etc?
i'm not a total newbie to perl, i've used it on linux but i've never really done much on windows with activestate.
and as i've said, i'm not a programmer and i didn't major in comp sci, so a lot of this stuff is not second nature to me and hasn't been pounded in for years.
so jumping from lang to lang for me is not really an option.

thanks


-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Wed 9/21/2005 2:46 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] disabling users
  


RE: [ActiveDir] Synchronizing AD

2005-09-14 Thread Ken Cornetet



I have some perl code that reads user information from some Oracle tables, and updates the corresponding user objects in AD (phone numbers, address, etc). It does not create new users (although I do have some other code for that), nor does it sync changes made in AD back to the Oracle tables.

It's yours if you want it.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 13, 2005 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Synchronizing AD

Does anyone have any recommendations on products or information on synchronizing data from a SQL database to AD? For example, we want to synch data from the HR database to the users' accounts.
Thanks in advance
Travis Abrams
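
As an added illustration of the one-way HR-to-AD sync Travis asks about and Ken describes (example code written for this page, not Ken's Perl and not any product's code): the planner below takes rows from an HR table and computes LDAP modify operations for users that already exist in the directory, using a fixed attribute allowlist so the feed can never touch group membership or account control flags. The HR rows, the directory snapshot, the DNs and the column names are all constructed sample data.

```python
# Added example (not Ken's Perl, not any product): plan one-way updates from an
# HR table into existing AD user objects.  All data below is constructed.

# Allowlist: which HR columns may flow into which directory attributes.  Nothing
# outside this map (group membership, userAccountControl, passwords) can be
# written by the feed, whatever extra columns the HR rows carry.
ATTRIBUTE_MAP = {
    "phone": "telephoneNumber",
    "title": "title",
    "department": "department",
    "street": "streetAddress",
}

# Constructed HR rows; "login" is matched to sAMAccountName.  A missing column
# means "no information" (leave the attribute alone); an empty string means
# "HR cleared this" (delete the attribute).
HR_ROWS = [
    {"login": "jdoe", "phone": "555-0100", "title": "Engineer",
     "department": "IT", "street": "1 Main St"},
    {"login": "asmith", "phone": "555-0101", "title": "Analyst",
     "department": "Finance", "street": ""},
    {"login": "ghost", "phone": "555-0199", "title": "Contractor"},
    {"login": "mallory", "phone": "555-0666", "title": "Intern",
     "memberOf": "CN=Domain Admins,CN=Users,DC=example,DC=com"},
]

# Constructed directory snapshot: sAMAccountName -> current attribute values.
DIRECTORY = {
    "jdoe": {"dn": "CN=John Doe,OU=Users,DC=example,DC=com",
             "telephoneNumber": "555-0100", "title": "Developer", "department": "IT"},
    "asmith": {"dn": "CN=Ann Smith,OU=Users,DC=example,DC=com",
               "telephoneNumber": "555-0101", "title": "Analyst",
               "department": "Finance", "streetAddress": "Old Rd"},
    "mallory": {"dn": "CN=Mal Lory,OU=Users,DC=example,DC=com", "title": "Intern"},
}


def plan_updates(hr_rows, directory):
    """Return (changes, skipped).

    changes: list of (sam, attribute, op, value) with op 'replace' or 'delete',
    emitted only where the directory value differs from HR.  skipped: logins
    with no existing user; the sync never creates accounts.
    """
    changes, skipped = [], []
    for row in hr_rows:
        sam = (row.get("login") or "").strip().lower()
        current = directory.get(sam)
        if current is None:
            skipped.append(sam)
            continue
        for column, attr in ATTRIBUTE_MAP.items():
            if column not in row:
                continue                       # HR has no opinion on this field
            new = (row[column] or "").strip()
            old = current.get(attr, "")
            if new == old:
                continue
            if new:
                changes.append((sam, attr, "replace", new))
            else:
                changes.append((sam, attr, "delete", None))
    return changes, skipped


def to_ldif(changes, directory):
    """Render planned changes as LDIF 'changetype: modify' records, one per user,
    so the plan can be reviewed as a file before anything is written."""
    by_user = {}
    for sam, attr, op, value in changes:
        by_user.setdefault(sam, []).append((attr, op, value))
    records = []
    for sam, mods in by_user.items():
        lines = ["dn: " + directory[sam]["dn"], "changetype: modify"]
        for attr, op, value in mods:
            lines.append("%s: %s" % (op, attr))
            if op == "replace":
                lines.append("%s: %s" % (attr, value))
            lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    changes, skipped = plan_updates(HR_ROWS, DIRECTORY)
    print(to_ldif(changes, DIRECTORY))
    print("skipped (no such user):", skipped)
```

The "mallory" row carries a memberOf column; because it is not in the allowlist the planner ignores it, which is the property to check first when an HR feed is given write access to the directory. Separating "column absent" from "column empty" matters in practice: a half-populated extract should not wipe attributes the feed simply did not mention.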


RE: [ActiveDir] GPO on XP 2000 Pro

2005-08-24 Thread Ken Cornetet
WMI filters don't work for windows 2000 (server or professional). Create
separate OUs for your servers and for your workstations. Link your GP
to the workstation OU.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO on XP  2000 Pro

How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain?  WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine  Spirits - BSG
954-602-2469




RE: [ActiveDir] Virtual Domain Controllers

2005-08-23 Thread Ken Cornetet
A couple of notes: 

VS 2005 will not install on an X64 version of windows. If you use a
server with an AMD CPU, install 32 bit windows.

Do not install server 2003 SP1 on the virtuals (the host is ok). It will
slow your virtuals into what seems like 66MHz 486 machines. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, August 22, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

My understanding is that Windows Server 2003 provides full support for
dual core processors and abstracts them, so to speak, from VS2005
insomuch as the application sees two physical processors - so yes; this
is currently not true of ESX until the next point release.

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

Thanks Aric, great link! I'd seen the older BOG (2004) but this latest one I've missed.
The VS Server is an interesting angle, running the DC on the physical machine and the FP element within VS2005 is an option provided the user requirements aren't too onerous. The 50-60% I referred to was probably on the generous side... and my experience of this has been limited to fairly low yield boxes (web servers, app servers) mostly for PoC or cloning production environments for testing/troubleshooting and development.
Incidentally, you mentioned the DL385... does VS2005SP1 include support for dual core?

Thanks again,
Mylo



Bernard, Aric wrote:

For your first question, you can find Microsoft's Branch Office Infrastructure Solution (BOIS) here:
http://www.microsoft.com/technet/itsolutions/branch/default.mspx

In short, and more direct for your question, some organizations are deploying a single server solution to a branch office/remote site which, as an example, is a domain controller running VS2005 with VMs representing other local servers/services that might be required (i.e. File and Print, web caching, etc.). Using this approach, your Domain Admins continue to be responsible for the physical machine and the Domain Controller itself, however your local admin can fully administer the other servers living within VMs (via RDP or remote tools) without compromising the security of the DC.  This of course assumes that VS2005 does not contain a flaw that allows a guest to host breach. :)

As for performance, I do not have any concrete numbers, but you will most certainly take a performance hit on both your host and your guests when using virtualization.  I think your statement of 50-60% is quite high based on my experience, but then again YMMV depending on what the environment is hosting and what the end-user demands are and what the host hardware configuration looks like.  (I prefer an x64 system with a small array of disks - like the HP Proliant DL385 for ~$3500US.) Regardless, in small remote sites performance is typically not critical and nearly any server class system will perform adequately as a DC and a VS2005 host. Keep in mind the small remote office solutions often have two common single points of failure - the server (in a single server solution) and the network.  The failure of either can have a significant impact on the end-users...

Regards,

Aric Bernard




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

It'd be interesting to hear what solutions are in place in larger enterprise environments (for small remote sites). IMO, the hybrid DC/File and Print in one box, for remote sites, sounds nasty because:

1. There's no local SAM so a 'local' administrator needs to be built-in administrator in AD.. I guess that's fine if your domain admin=FP Admin but if not
2. If your file and print server contains loads of local groups etc... that becomes part of AD database I know that this is less of an issue under Win2K3 versus Win2k/NT4, but if you're in a largish organisation dealing with 100+ sites, each with a hybrid FAP/DC with lots of groups and users that meet this criteria...I guess you wouldn't want to add the bloat to your AD if you can avoid it.

Any other reasons?

On the other side, what sort of performance hit do you get virtualising... GSX, I get around 50-60% of real life, subject to the number of Guests running and server role, and can't afford ESX so can't comment :-)

Regards,
Mylo

Seely Jonathan J wrote:

Thanks, Brad.  That is very good to hear.  I also appreciate the tips.

JJ

----

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Smith, Brad
*Sent:* Tuesday, August 09, 2005 3:09 AM
*To:*

RE: [ActiveDir] SIDs variable for batch file?

2005-08-15 Thread Ken Cornetet
You can use dsquery and dsget (not sure if they are from the support
tools, or adminpak.msi) thusly:

dsquery user -samid %USERNAME% | dsget user -sid > temp.txt

You would then use FOR (hint: try for /?) to read the temp.txt file and
put the SID into an environment variable. As the textbooks say, the
details are left as an exercise for the reader.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ernesto Nieto
Sent: Monday, August 15, 2005 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SIDs variable for batch file?

I need to create a batch file that calls upon the SID of the current
user.
Is there a variable that will give me the info if called upon?
Thanks





RE: [ActiveDir] OT: MIIS, ADAM, AD

2005-08-08 Thread Ken Cornetet



The application (SAP enterprise portal) does an LDAP bind to authenticate the user. I do not know at this point what (if any) encryption options are available.

Proxy objects only work for the domain the ADAM server is in, or other domains with a 2-way trust.

Here's the scenario:

We have one domain (let's call it INTRANET) that contains our company employees. We have another domain (let's call it EXTRANET) that contains users for our existing business partner web-based Internet applications. The two domains do not currently, and will never in the foreseeable future, trust each other.

We will be deploying one SAP EP to service both internal and external (Internet) users. The SAP EP can only authenticate against one directory. We don't (for obvious reasons) want to put our external users in our internal AD. I think that ADAM would be a perfect fit for this. The question is how to sync passwords.

I could use the MS solution and use the free* MIIS which looks like it will do exactly what I want, but with a considerable bit of added complexity. Also, we use Psynch to let internal (INTRANET domain) users manage their passwords, and I'm afraid the password hook it requires on the domain controllers will not play nice with the MIIS password hook.

I can easily code up my own code to do the simple user object syncing required, but passwords would be tricky. Fortunately, I don't need to do the password sync. The external users (EXTRANET domain) use an internally developed web based app to manage passwords, so I can hook into it easily enough to change the passwords in ADAM. As for our internal users (INTRANET domain), I'm pretty sure Psynch can change passwords in ADAM for me, or at least provide hooks for me to code it up myself.

After reading about the proxy user object, I thought it seemed a natural fit for our internal users. That would eliminate one half of the password syncing issues. However, I'm rather concerned about the warning on not using them.

BTW, I've been playing with trying to programmatically create proxy user objects without much luck. You have to supply the target SID when creating the object. I've tried using the binary SID as returned from a Get("objectSID") call to the INTRANET domain user object, and I've tried the "human readable" version "S-..." (which is what LDP expects when creating a proxy user). Neither seem to work. Anyone know the proper incantation for this bit of magic?






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, July 31, 2005 11:33 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: MIIS, ADAM, AD


I'll be a lot more interested in MIIS when "free" doesn't mean I have to "buy" SQL licenses to run it. I can understand the server license for Windows, but it should run on any version of the latest Windows server (enterprise, standard, etc) or a desktop OS. Not sure why that is not possible, unless maybe there's a wait for the new SQL 2005 products.

Anyway, I'm with Joe on this. I think the simpler you can keep it the better. Writing it in-house with a series of scripts may be enough to do what you want and it's not too terribly difficult.

As for proxy objects, if I recall correctly you typically don't want to use them because of the security issues and because it's really designed for legacy apps. If you can use AD, use AD. If you have to use simple bind, then proxy objects may fit the requirement as long as you remember to use some sort of transport security.

You may have a problem with multiple forests as well. Haven't tried that, but since it's a proxy bind, I imagine it may get a little confused. I'd be interested to hear if that's not the case though.

Al 


From: [EMAIL PROTECTED] on behalf of Robert Bobel
Sent: Sun 7/31/2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: MIIS, ADAM, AD


Nice side benefit is 
that the license to use MIIS with the Feature Integration pack to sync AD to 
ADAM is free. 

http://www.microsoft.com/downloads/details.aspx?familyid=D9143610-C04D-41C4-B7EA-6F56819769D5displaylang=en


Bob





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, July 30, 2005 7:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: MIIS, ADAM, AD

Where is this going to be located? Extranet or Intranet?

If you are going to be doing some very simple syncing, I would look at writing something myself or maybe implementing one of the lighter syncing tools like SimpleSync or HP's LDSU. If you need to do a lot of transforms or complex translations or connect to lots of different data sources such as SAP, etc, MIIS might be where you want to go. If you spin up MIIS, it is possible you may need to have a body sitting there maintaining and troubleshooting it due to its complexity plus it is really in flux right now in my opinion in terms of how many
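
Ken's proxy-object question turns on the two forms a SID can take: the binary value held in objectSid and the "S-1-5-..." string. The following is an added Python example, not code from the thread and not ADAM's API: it converts between the two forms with field validation, and builds the RFC 4515 hex-escaped filter used to look an object up by SID. Which form ADAM wants when creating a proxy user is not settled in the thread and is not answered here. S-1-5-32-544 is the well-known Builtin Administrators SID; the domain SID in the main block is a constructed value.

```python
# Added example (not from the thread, not ADAM's API): the two forms of a SID.
import struct

MAX_SUB_AUTHORITIES = 15          # Windows SID_MAX_SUB_AUTHORITIES


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID (what objectSid holds) into S-R-A-S1-...-Sn form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count sub-authorities of 4 bytes
    each, little-endian.  Malformed input raises ValueError rather than
    yielding a plausible-looking but wrong SID.
    """
    if len(raw) < 8:
        raise ValueError("SID too short: %d bytes" % len(raw))
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > MAX_SUB_AUTHORITIES or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count %d does not fit %d bytes" % (count, len(raw)))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode an S-1-5-... string into the binary form, checking every field."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48:
        raise ValueError("bad revision or authority in %r" % sid)
    if len(subs) > MAX_SUB_AUTHORITIES or any(s >= 1 << 32 for s in subs):
        raise ValueError("bad sub-authorities in %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def is_valid_sid_bytes(raw: bytes) -> bool:
    """True if raw round-trips cleanly; check this before trusting a value from a feed."""
    try:
        return sid_string_to_bytes(sid_bytes_to_string(raw)) == raw
    except ValueError:
        return False


def sid_filter(sid: str) -> str:
    """LDAP filter that finds the object holding this SID.  objectSid is a
    binary attribute, so every byte is hex-escaped as RFC 4515 requires."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in sid_string_to_bytes(sid))


if __name__ == "__main__":
    builtin_admins = bytes.fromhex("01020000000000052000000020020000")  # S-1-5-32-544
    print(sid_bytes_to_string(builtin_admins))
    # Constructed domain SID (not a real domain), Domain Admins RID 512.
    print(sid_filter("S-1-5-21-1004336348-1177238915-682003330-512"))
```

The strict length check is the part worth keeping when adapting this: a trailing or missing sub-authority silently changes which principal a SID names, which is exactly the kind of error a proxy object or an ACL entry should never carry.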

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Ken Cornetet
What is difficult about restoring a DC to different hardware? We just
did our yearly DR testing (at Sungard as a matter of fact!), and I
didn't have any problems. Just follow the little procedure they give you
(basically, remove all the network cards and video card in device
manager before you reboot after the recovery). Then, follow the other
procedure they give you if you end up with phantom NICs. It's the same
procedure for DCs as it is for member servers. 

It isn't hardware dependent, but if you are talking about the hours-long
waltz you do with ntdsutil to remove all of the DCs you aren't bringing
back, I've found a neat trick. Run through the process for one site once
manually recording all of the text you type, then using a text editor
create a command file duplicating the tons of commands required to
remove every server from every site. Run ntdsutil yourfile.txt. The
trick is that ntdsutil prompts before removing each server - just answer
no to the server you recover.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Tuesday, August 02, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Everyone is making a number of suggestions/comments that hit home to me,
so rather than chiming in with AOLMe too!/AOL, I'll bring up the one
that makes me crazy that no-one has mentioned yet:

Restoring a domain controller to alternate hardware (think Disaster
Recovery drill at a company like Sungard) should Not. Be. So. Friggin'.
Hard.  It's better in K3 than it was in 2K, but it's still way too much
of a hothouse-flower-y delicate operation.  (Maybe Longhorn's AD as a
service will make this better.  I can hope, at least, because right now
it still sucks canal water.)

- Laura

 -Original Message-
 From: Almeida Pinto, Jorge de
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 02, 2005 6:30 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 DFS-R is only supported for custom DFS namespaces. MS at the moment 
 does not support DFS-R for SYSVOL replication. MS states that in the 
 DFS-R overview document page 16
  
 See: 
 http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en
  
 QUOTE:
 
 DFS Replication is not supported for SYSVOL replication in Windows 
 Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL 
 by disabling FRS and setting up a replication group for SYSVOL. 
 Continue to use FRS for SYSVOL replication on domain controllers 
 running Windows Server 2003 R2. FRS and DFS Replication can co-exist 
 on the same member server or domain controller.
 
  
 A shame, but true! DFS-R really rocks!!! It is way better than NTFRS!
  
 Cheers
 #JORGE#
 
 
 
 From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes
 Sent: Tue 8/2/2005 11:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 
 
 * Using the new DFS-Replication mechanism in R2 for the SYSVOL
 
 This is available AFAIK if all your servers are running R2 :P
 
 Carlos Magalhaes
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: 02 August 2005 09:59 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 http://www.novell.com  :o)
 
 Bloody NetWare bigot ... 
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
 Pinto, Jorge de
 Sent: Tuesday, August 02, 2005 2:06 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 A while ago I put some AD feature thoughts in a textfile not knowing 
 what to do with them at that moment
 
 Here goes: 
 
 * Active Directory thoughts:
 * OU = security principal
 * Possibility to merge Forests
 * Cut and paste a domain from one forest to another
 * Domain concept:
   * Domain controller - directory server (not specific to a certain domain, but hosting naming contexts)
   * Password policies not only per domain but also per OU
   * Keep domain as a replication boundary but remove the flat structure (prevent context login like NDS - Aliases?)
   * Multiple replication boundaries (naming contexts) per directory server
   * Remove domain as an entity. Forest is only entity needed
 * Integrate file system and possible other resources into the directory (e.g. search where security principals are used)
 * Permissioning TOP-DOWN and BOTTOM-UP (file system)
 * Delegation of Control: ability to dictate MEMBERS attribute AND the MEMBEROF attribute (so the possibility exists to dictate which users can be added to what groups)

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Ken Cornetet
Recovery programs are supposed to be smart enough to not recover the
parts of the registry that describe the hardware. I know Ntbackup does
this since windows 2000 (it even does it correctly since 2k SP3 or
so...)

I'm really curious as to what problems people are having recovering to
different hardware. I've done recoveries galore using Legato and
ntbackup to different hardware (Compaq/HP to Dell, etc), and I've never
run into problems that couldn't easily be fixed (like phantom NICs).

One thing that will bite you if you aren't careful is that BOOT.INI *is*
recovered as part of the system state. That means if your partition
layout isn't the same between original server and recovery server, it
won't reboot after the recover. It's easy to fix before you reboot after
the recovery, but correcting it after the fact is a bit more difficult.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Help me understand where I'm missing this (I've been in a con-call for
3.5 hours this AM...).

Isn't the registry backed up as part of the System State?  And, doesn't
the registry pretty much make something 'hardware dependent' to some
great degree, just by its very nature?

I'm sure that there's something very simple that I'm missing.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, August 08, 2005 1:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

What is difficult about restoring a DC to different hardware? We just
did our yearly DR testing (at Sungard as a matter of fact!), and I
didn't have any problems. Just follow the little procedure they give you
(basically, remove all the network cards and video card in device
manager before you reboot after the recovery). Then, follow the other
procedure they give you if you end up with phantom NICs. It's the same
procedure for DCs as it is for member servers. 

It isn't hardware dependent, but if you are talking about the hours-long
waltz you do with ntdsutil to remove all of the DCs you aren't bringing
back, I've found a neat trick. Run through the process for one site once
manually recording all of the text you type, then using a text editor
create a command file duplicating the tons of commands required to
remove every server from every site. Run ntdsutil yourfile.txt. The
trick is that ntdsutil prompts before removing each server - just answer
no to the server you recover.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Tuesday, August 02, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Everyone is making a number of suggestions/comments that hit home to me,
so rather than chiming in with AOLMe too!/AOL, I'll bring up the one
that makes me crazy that no-one has mentioned yet:

Restoring a domain controller to alternate hardware (think Disaster
Recovery drill at a company like Sungard) should Not. Be. So. Friggin'.
Hard.  It's better in K3 than it was in 2K, but it's still way too much
of a hothouse-flower-y delicate operation.  (Maybe Longhorn's AD as a
service will make this better.  I can hope, at least, because right now
it still sucks canal water.)

- Laura

 -Original Message-
 From: Almeida Pinto, Jorge de
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 02, 2005 6:30 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 DFS-R is only supported for custom DFS namespaces. MS at the moment 
 does not support DFS-R for SYSVOL replication. MS states that in the 
 DFS-R overview document page 16
  
 See: 
 http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en
  
 QUOTE:
 
 DFS Replication is not supported for SYSVOL replication in Windows 
 Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL 
 by disabling FRS and setting up a replication group for SYSVOL.
 Continue to use FRS for SYSVOL replication on domain controllers 
 running Windows Server 2003 R2. FRS and DFS Replication can co-exist 
 on the same member server or domain controller.
 
  
 A shame, but true! DFS-R really rocks!!! It is way better than NTFRS!
  
 Cheers
 #JORGE#
 
 
 
 From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes
 Sent: Tue 8/2/2005 11:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 
 
 * Using the new DFS-Replication mechanism in R2 for the SYSVOL
 
 This is available AFAIK if all your servers are running R2 :P
 
 Carlos Magalhaes
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: 02 August 2005 09:59 PM
 To: Send - AD mailing list
 Subject

RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-08 Thread Ken Cornetet



I seem to recall that "(" and ")" have to be escaped in LDAP.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred


The meta directory is on a different domain, and is on HP-UX. The exchange server is on one machine, and the AD is on a different one. Both the AD and the exchange machines have the same admin login (the domain admin). The meta uses this login to connect to the AD and exchange. If I don't pass the attribute homeMDB, a simple AD user is created just fine. Just when I try to create the user with the homeMDB attribute does it give the problem. Found out this on the net:

# for hex 0x2020 / decimal 8224 :
ERROR_DS_OPERATIONS_ERROR

Also the homeMDB value 
is correct. I created a sample mailbox user from the exchange interface (users 
and computers) and verified the homeMDB attribute.

What conditions can 
then lead to this problem?

Thanks,
Mayuresh.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to 
create the entry. so it creates the entry in AD and the agent is responsible for 
creating mailbox. Are the attributes seen for the entry correct? Also what all 
is required if I am creating a mailbox user from a meta or a script, etc. 
also can you suggest if I can find some useful information from the 
exchange server? Any diagnostics, etc?

Thanks.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That error log isn't 
very good. You can't even tell if it is an error being floated back from a DC. 
Could be something in the meta directory tool.

As for the specific 
data below for the attributes to be set on the user, I don't see anything bad 
though I wouldn't recommend the mailnickname to have that format, I would 
recommend it be the same as the sAMAccountName value. I tend to put the "nice" 
full version of the name in the displayName and that is the only place it 
is.

What info specifically 
is the product trying to set and how is it setting it? You may have to do a 
network trace or something like it.








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Hi 

I am trying to use a metadirectory 
to add an exchange user. An agent sitting on the Exchange server machine, which 
will add the mail box for the user.

But when I try to add the user, I am 
getting the following error An operations error 
occurred

10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials:
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object
10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:03.502: [1412.724] DataAccess: EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...
10:38:03.502: [1412.724] DataAccess: UP_AddRecord EXCH2K Failure = EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...
10:38:03.502: [1412.724] RUPS: Muws2UPAdapter::write(EXCH2K:0:01BE0064): Call of UP_Add/Modify/Delete/RenameRecord(cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net) failed , error='UP_E_ADD_FAILED' (EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...)

Pasted just that part of the trace, in an attempt to give more information.
The entry I am 

[ActiveDir] OT: MIIS, ADAM, AD

2005-07-29 Thread Ken Cornetet



We have an upcoming 
project which will require an LDAP directory containing both our internal users, 
and our extranet users. Currently, our internal users are in one AD domain, the 
extranet users are in another. The domains are in separate forests, and there 
are no trusts.

My plan is to use 
ADAM for the central LDAP directory. However, I'm on the horns of an enema, um, 
I mean dilemma on how to sync ADAM to the two domains. A first glance would 
suggest MIIS. However, MIIS looks pretty complicated, and difficult to 
configure. 

I'm considering 
writing my own sync code since the task at hand is relatively straight-forward. 
Passwords will be a bit of a problem, but not unworkable. We use Psynch to 
maintain our internal passwords, so I can have it change the ADAM passwords at 
the same time it changes the internal AD passwords. The extranet users change 
their password via an existing web app, so having it change the ADAM passwords 
won't be an issue.

Reading about ADAM 
"proxy users" leads me to believe they'd be a perfect fit as the object type to 
use for our internal users (authentication is relayed to AD thus negating the 
need to sync passwords). However, the ADAM tech ref says proxy users should only 
be used as a last resort, and to refer to the next section as to why. 
Unfortunately, the next section doesn't explain why not to use them. Anybody 
know why proxy user objects are evil?

Are there any good 
"MIIS for dummies" type documentation around? Any good ADAM and/or MIIS mailing 
lists?


RE: [ActiveDir] UDP vs TCP

2005-07-29 Thread Ken Cornetet
We just push this registry setting out to all of our workstations: 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001

This forces all kerberos traffic to use TCP.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, July 29, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] UDP vs TCP

Hi,

Does anyone know if it's possible to tweak a domain controller so that
authentication requests from a client that exceed 2000 bytes (not sure
if that's the default for Windows 2000 domains & XP) may be authenticated
by the DC.

I know it's possible with a registry hack on the client by either bumping
that value or telling the client to just use TCP.

We have a SOHO situation that utilizes Nortel VPN appliances and hence
the authentication issue. This is a temporary location but in our
business this is a frequent request.

Thanks,


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
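An added example, not Ken's own deployment script: a PowerShell audit/enforce script for that client-side value, so a workstation can be checked for the Kerberos-over-TCP setting before and after the push. The function and parameter names are mine; it assumes an elevated PowerShell session on the workstation being checked.

```powershell
<#
  Added example, not Ken's deployment script: audit and optionally enforce the
  client-side Kerberos MaxPacketSize value from his message.  Assumes an
  elevated PowerShell session on the workstation being checked; the function
  and parameter names are my own.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without -Enforce the script only reports.
    [switch]$Enforce,
    # 1 byte: every Kerberos message is "too large" for UDP, so the client always
    # uses TCP (instead of the 2000-byte UDP limit mentioned in the thread).
    [uint32]$DesiredMaxPacketSize = 1
)

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosUdpPolicy {
    # Reads the value (if any) and reports whether it matches the desired one.
    $current = $null
    if (Test-Path $KerbParams) {
        $current = (Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
    }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        MaxPacketSize = $current                       # $null: value not set, OS default applies
        Compliant     = ($current -eq $DesiredMaxPacketSize)
    }
}

$before = Get-KerberosUdpPolicy
$before | Format-List

if ($Enforce -and -not $before.Compliant) {
    if ($PSCmdlet.ShouldProcess($KerbParams, "Set MaxPacketSize = $DesiredMaxPacketSize (DWORD)")) {
        if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
        New-ItemProperty -Path $KerbParams -Name MaxPacketSize -PropertyType DWord `
            -Value $DesiredMaxPacketSize -Force | Out-Null
        # Older Windows versions read this value when the Kerberos client starts, so a
        # reboot is the safe way to be sure the change is in effect.
        Write-Warning 'MaxPacketSize updated; reboot the workstation to be certain it is applied.'
        Get-KerberosUdpPolicy | Format-List
    }
}
```

Run it with `-Enforce -WhatIf` first to see what would be written without touching the registry.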


RE: [ActiveDir] UDP vs TCP

2005-07-29 Thread Ken Cornetet
No latency. Like I said, we just push that registry setting out to all
users. I've never seen a difference when logging in. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, July 29, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UDP vs TCP

Hi Rick,

I absolutely agree but I was hoping there was a way to set this variable
on the server side.
Worst-case scenario, this may have to be tweaked client-side. By forcing these
clients to authenticate using TCP does it add latency to the
authentication process when they return to their home offices?

Hmm, perhaps when you start with MCS and have access to their knowledge
DB you could look this up for me, heheh...

Thanks,




Original Message Follows
From: Rick Kingslan [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UDP vs TCP
Date: Fri, 29 Jul 2005 11:06:22 -0500

Devan,

I'm still poking around for a more authoritative answer, but I don't
believe that there is a 'server side' setting for changing that
behavior.

To really understand why, think about who needs to authenticate with
who.
It's not the server starting the conversation ;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, July 29, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] UDP vs TCP

Hi,

Does anyone know if it's possible to tweak a domain controller so that
authentication requests from a client that exceed 2000 bytes (not sure
if that's the default for Windows 2000 domains & XP) may be authenticated
by the DC.

I know it's possible with a registry hack on the client by either bumping
that value or telling the client to just use TCP.

We have a SOHO situation that utilizes Nortel VPN appliances and hence
the authentication issue. This is a temporary location but in our
business this is a frequent request.

Thanks,




RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to be Smart array(OT)

2005-07-22 Thread Ken Cornetet
You say tomato... :-)

Seriously, I learned long ago to ignore any terminology from RAID card
vendors other than the terms RAID 0 through RAID 5 - only those are
standard across vendors. Anything else is basically marketing drivel. 

I suppose to get RAID 10 on an HP server, you could mirror pairs of
drives at the controller level, then stripe those logical drives at the
OS level. Not pretty, but it should work fine.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, July 22, 2005 2:57 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)

Not strange to define RAID 1+0 in a different way to the rest of the world?
Hmm... That meets my definition of strange :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: 21 July 2005 18:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)


Not strange at all when you consider that HP defines 1+0 to mean a
mirror (RAID1) with striped reads (RAID0) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, July 21, 2005 11:56 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)

Indeed, the HP array software will happily allow a 2 disk array to be
configured as RAID 1+0. Strange, since we all know you need 4 disks to
do this :)


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: 21 July 2005 17:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)


I *think* HP uses 1+0 (or 0+1) to mean RAID 1 (mirrored), but striped
reads (alternating across mirror halves). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, July 20, 2005 6:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)

so is anyone gonna answer my question?

do i need at least 4 drives to support raid 0 +1? or can it be done with
2?

Does Smart Array 6i support raid 10(1 +0)?

Thanks

btw, i'm nobody but i always was told there is a difference between raid
10 and 0+1


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 20, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)


In looking at some further docs, there are a few things that are
certain:

1.  Standards aren't - when it comes to Hybrid RAID.
2.  The only way to know if your controller has what *I* consider RAID 10
(RAID 1+0) - 'Read the Frakking Docs'!  One vendor's RAID 0+1 is another
vendor's RAID 1+0.
3.  Hybrid RAID is good - but expensive.  Know what you want, why you
want it, and be ready to justify the cost.
4.  Apologies to Jose - it's a terminology thing.  I wonder how many
people order servers with RAID 1+0, get 0+1, and have a meltdown with
the vendor who says, "But, Sir - that's what you asked for, and what you
explain is what we sent!"

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, July 20, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)

Hi Rick, 

It's okay to disagree and if you do a lookup on RAID with Google it
comes up with several sites with conflicting info (which means do not
believe everything you read unless you trust the source). The
authority on RAID is the hardware vendors, and each has their own
interpretation or variance; however, the true authority is IBM who
invented it in the first place. Now companies like Network Appliance
(NETAPP) have enhanced versions of a RAID 4 controller with patented
write-anywhere technology that makes them extremely fast and much
faster than a vendor that uses RAID 4.

So with that said I am including a link to Adaptec's site which explains
their implementation of Raid 0+1 (Raid 10).
http://www.adaptec.com/worldwide/product/markeditorial.html?sess=no&language=English+US&cat=%2fTechnology%2fRAID+Controllers&prodkey=talk_about_raid

Well that's my two cents, 

Jose Medeiros
An old timer that worked at IBM
supporting the engineers that invented the stuff.
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Wednesday, July 20, 2005 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)


Jose, I respectfully disagree.  RAID 0+1 is a mirrored array

[ActiveDir] OT: Virtual Server mailing lists?

2005-07-22 Thread Ken Cornetet



Anyone know any good 
virtual server 2005 mailing lists?


RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to be Smart array(OT)

2005-07-21 Thread Ken Cornetet
I *think* HP uses 1+0 (or 0+1) to mean RAID 1 (mirrored), but striped
reads (alternating across mirror halves). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, July 20, 2005 6:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)

so is anyone gonna answer my question?

do i need at least 4 drives to support raid 0 +1? or can it be done with
2?

Does Smart Array 6i support raid 10(1 +0)?

Thanks

btw, i'm nobody but i always was told there is a difference between raid
10 and 0+1


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 20, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)


In looking at some further docs, there are a few things that are
certain:

1.  Standards aren't - when it comes to Hybrid RAID.
2.  The only way to know if your controller has what *I* consider RAID 10
(RAID 1+0) - 'Read the Frakking Docs'!  One vendor's RAID 0+1 is another
vendor's RAID 1+0.
3.  Hybrid RAID is good - but expensive.  Know what you want, why you
want it, and be ready to justify the cost.
4.  Apologies to Jose - it's a terminology thing.  I wonder how many
people order servers with RAID 1+0, get 0+1, and have a meltdown with
the vendor who says, "But, Sir - that's what you asked for, and what you
explain is what we sent!"

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, July 20, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)

Hi Rick, 

It's okay to disagree and if you do a lookup on RAID with Google it
comes up with several sites with conflicting info (which means do not
believe everything you read unless you trust the source). The
authority on RAID is the hardware vendors, and each has their own
interpretation or variance; however, the true authority is IBM who
invented it in the first place. Now companies like Network Appliance
(NETAPP) have enhanced versions of a RAID 4 controller with patented
write-anywhere technology that makes them extremely fast and much
faster than a vendor that uses RAID 4.

So with that said I am including a link to Adaptec's site which explains
their implementation of Raid 0+1 (Raid 10).
http://www.adaptec.com/worldwide/product/markeditorial.html?sess=no&language=English+US&cat=%2fTechnology%2fRAID+Controllers&prodkey=talk_about_raid

Well that's my two cents, 

Jose Medeiros
An old timer that worked at IBM
supporting the engineers that invented the stuff.
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Wednesday, July 20, 2005 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)


Jose, I respectfully disagree.  RAID 0+1 is a mirrored array with
segments that are RAID 0 arrays.  RAID 0+1 has the same level of fault
tolerance as RAID 5.  If a single drive fails, the array becomes
effectively a RAID 0 array.

RAID 10, on the other hand, is an available standard on many Enterprise
controllers.  It is implemented as a striped array whose segments are
always RAID 1 arrays.  RAID 10 has the same fault tolerance as RAID 1,
and carries the same overhead as mirroring alone.  It has a huge I/O
gain in that all segments are RAID 1 stripes.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, July 20, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)

Hi Tom, 

Raid 0+1 is raid 10.  If I recall, Adaptec and Dell coined the Raid
10 term back in 1999. I always use the bios utility to create my drive
raid arrays, what does that say?

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
Sent: Wednesday, July 20, 2005 11:42 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Smart array(OT)


I'm using Smart Array 6i to create a raid 0+1 array with 4 drives. I'm
using the web array config utility from HP to do this. It offers to
create a raid 0+1 array but when I do, it turns out to be just raid 1
(that's what it says in the BIOS boot-up screen).

Also, I have another array with 2 drives which the utility offers to
make raid 0+1, which is impossible with 2 drives. But if you say OK, it
happily goes on to do this (of course, it only turns out to be raid 1 as
well). Has anyone else had this issue or am I doing something wrong?
Also, it never seems to have an option for raid 10. Does Smart Array
support this?

thanks

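To make the fault-tolerance argument in Rick's message concrete, here is an added PowerShell example (not from the thread) that enumerates which single-disk and two-disk failures a four-disk RAID 0+1 and a four-disk RAID 1+0 survive. The disk numbering and function names are my own.

```powershell
<#
  Added example, not from the ActiveDir thread: enumerate the disk failures
  a four-disk RAID 0+1 and a four-disk RAID 1+0 survive, to make the
  fault-tolerance argument in Rick's message concrete.  Disk numbering
  and function names are my own.
#>

# Both layouts group the same four disks as (0,1) and (2,3); only the role of a
# group differs.  RAID 0+1: each group is a RAID 0 stripe set and the two sets are
# mirrored, so the array lives while at least one group has no failed disk.
# RAID 1+0: each group is a RAID 1 mirror pair and the pairs are striped, so the
# array lives while every group still has at least one working disk.
function Test-ArraySurvives {
    param(
        [ValidateSet('0+1', '1+0')] [string]$Layout,
        [int[]]$FailedDisks
    )
    $groups = @( @(0, 1), @(2, 3) )
    $groupsIntact    = 0   # groups with no failed disk
    $groupsFullyLost = 0   # groups with every disk failed
    foreach ($group in $groups) {
        $lost = @($group | Where-Object { $FailedDisks -contains $_ }).Count
        if ($lost -eq 0)            { $groupsIntact++ }
        if ($lost -eq $group.Count) { $groupsFullyLost++ }
    }
    if ($Layout -eq '0+1') { return ($groupsIntact -ge 1) }    # one intact stripe set is enough
    return ($groupsFullyLost -eq 0)                             # no mirror pair may lose both disks
}

function Get-FailureReport {
    # One object per failure set (every single-disk and two-disk failure) with the verdict.
    param([ValidateSet('0+1', '1+0')] [string]$Layout)
    $sets = @()
    foreach ($d in 0..3) { $sets += , @($d) }
    for ($a = 0; $a -lt 4; $a++) {
        for ($b = $a + 1; $b -lt 4; $b++) { $sets += , @($a, $b) }
    }
    foreach ($set in $sets) {
        [pscustomobject]@{
            Layout      = $Layout
            FailedDisks = ($set -join ',')
            DiskCount   = $set.Count
            Survives    = Test-ArraySurvives -Layout $Layout -FailedDisks $set
        }
    }
}

foreach ($layout in '0+1', '1+0') {
    $report    = Get-FailureReport -Layout $layout
    $singlesOk = @($report | Where-Object { $_.DiskCount -eq 1 -and $_.Survives }).Count
    $doublesOk = @($report | Where-Object { $_.DiskCount -eq 2 -and $_.Survives }).Count
    "RAID $layout survives $singlesOk of 4 single-disk failures and $doublesOk of 6 two-disk failures"
    $report | Where-Object { $_.DiskCount -eq 2 } | Format-Table FailedDisks, Survives -AutoSize | Out-Host
}
```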

RE: [ActiveDir] Does a domain require a GC?

2005-07-21 Thread Ken Cornetet



I can define a site using a 32 bit subnet mask? That's a 
possibility I hadn't considered! I'd have been afraid that would confuse the 
heck out of the kcc!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 20, 2005 7:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Does a domain require a GC?

Dean killed the first question pretty well I think. The second question or
implied question that I got was "don't I have to set up a special IP subnet
to do this?" and the answer is no. You do not need a physical network breakup
to define a logical site in AD and assign subnets. I did this in data centers
quite often. A single data center with tons of subnets would have different
pieces carved out and added to various sites depending on what DCs they
needed to be with. This was sometimes a pain but network didn't always want
to work with us in terms of giving us whole ranges of physical subnets to
work with. There were more than one single IP subnets (32 bit mask) defined
in that directory.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, July 19, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Does a domain require a GC?

I don't understand your comment about converting universal 
groups to local groups. Can you explain what you mean here?

Your suggestion about moving the root DCs to a separate 
site would work, but it would require me to set up a dedicated IP subnet at the 
two different locations where the DCs are located. The networking folks would 
not want to do that.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 6:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Does a domain require a GC?

Hi Ken,

There is (at least) one requirement for a GC in every 
domain. If you don't have a GC in a domain, you cannot convert universal groups 
in that domain to local groups. However, this is probably not a big concern for 
your empty root domain...

Also a couple of suggestions:

- Why not have all the DCs of the child domain as GCs? This 
wouldn't add practically any replication, or the size of the NTDS.DIT on those 
new GCs.

- Instead of removing GCs from the root domain (because of 
the Outlook issue), how about putting the root domain DCs (which would be GCs) 
on a site with no clients, and with such a replication topology, that a child 
domain GC is always closer to any client than a root domain 
GC?

Yours, Sakari



  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
  Sent: Monday, July 18, 2005 7:19 PM
  To: ActiveDir@mail.activedir.org; Exchange Discussions
  Subject: [ActiveDir] Does a domain require a GC?
  
  We have two domains in our forest. The "empty" root domain, and a resource
  domain where everything else lives. The root domain has two DCs - one each
  in two different sites.
  
  Our main domain has several DCs, and most of those are GCs as well. The
  sites containing the root DCs each also have at least one resource domain
  DC, and at least one of these DCs is a GC. In other words, all sites have
  at least one resource domain DC and at least one of those is a GC as well.
  
  My question is: can I remove GC function from the two root DCs? I seem to
  recall reading that at least one DC in a domain had to be a GC, but I
  can't find that requirement now.
  
  All DCs are server 2003. The forest is 2000 native mode.
  
  Why do I want to do this? We configure Outlook to use the "closest" GC. We
  want to ensure that Outlook can manage distribution lists (universal
  groups), and Outlook can only do that if the GC is in the same domain as
  the group. We are currently using a home-grown application to manage DL
  membership, but we'd like to switch back to Outlook.
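As an added example (not from the thread), the isolated-site approach joe describes, done with the RSAT ActiveDirectory module: a dedicated site with no client subnets, a /32 subnet per root DC, and each DC moved into that site. Site, link, subnet and DC names are placeholders, and the cmdlets assume a modern RSAT module, an ADWS-capable DC and WinRM to the root DCs, none of which the 2005 forest in the thread would have had.

```powershell
<#
  Added example, not from the thread: the isolated-site approach joe describes,
  done with the RSAT ActiveDirectory module.  Site, link, subnet and DC names are
  placeholders; it assumes Enterprise Admin rights, an ADWS-capable DC for the
  AD cmdlets and WinRM to the root DCs.
#>
Import-Module ActiveDirectory

$SiteName = 'RootGC-Isolated'           # hypothetical site with no client subnets
$HubSite  = 'Default-First-Site-Name'   # existing site the new one replicates with
$RootDCs  = @{                          # hypothetical root-domain DC -> its IP address
    'ROOTDC1' = '10.1.10.5'
    'ROOTDC2' = '10.2.10.5'
}

# 1. A site that no client subnet maps to, so no client is ever "in" it.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}

# 2. A site link, so the KCC builds inter-site replication to and from the new site.
$linkName = "$HubSite-$SiteName"
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $HubSite, $SiteName `
        -Cost 100 -ReplicationFrequencyInMinutes 15
}

foreach ($dc in $RootDCs.GetEnumerator()) {
    # 3. A /32 subnet per DC: only that one address maps to the isolated site, so
    #    the physical subnet the DC sits on stays assigned to the real site.
    $subnet = "$($dc.Value)/32"
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $SiteName -Description "Isolated root GC $($dc.Key)"
    }
    # 4. Move the DC's server object into the new site and re-register its SRV records.
    Move-ADDirectoryServer -Identity $dc.Key -Site $SiteName
    Invoke-Command -ComputerName $dc.Key -ScriptBlock { Restart-Service -Name Netlogon }
}

# 5. Verify.  Note for Ken's follow-up question: a DC still registers the
#    non-site-specific SRV records, so a client whose subnet maps to no site at all
#    can still be handed this DC.
Get-ADDomainController -Filter * | Select-Object Name, Domain, Site, IsGlobalCatalog | Sort-Object Site
```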
  
  


RE: [ActiveDir] Does a domain require a GC?

2005-07-21 Thread Ken Cornetet



But won't I still have the problem that clients in sites 
without a local DC/GC will randomly connect to this "isolated" root 
GC?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, July 21, 2005 11:54 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Does a domain require a GC?

Why not create a new site and [logically] move the DC to that site. Restart
netlogon to update DNS records and voila, the DC is now a member of the new
site. I have seen this done for the PDCe so it receives less load than other
DCs in the same location.

neil

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
  Sent: 21 July 2005 17:36
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Does a domain require a GC?
  No it works just fine and is often used to isolate 
  GC/DCs.
  
  Thanks,
  
  -Steve
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
  Sent: Thursday, July 21, 2005 11:21 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Does a domain require a GC?
  
  I can define a site using a 32 bit subnet mask? That's a 
  possibility I hadn't considered! I'd have been afraid that would confuse the 
  heck out of the kcc!
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Wednesday, July 20, 2005 7:53 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Does a domain require a GC?
  
  Dean killed the first question pretty well I think. The second question or
  implied question that I got was "don't I have to set up a special IP subnet
  to do this?" and the answer is no. You do not need a physical network
  breakup to define a logical site in AD and assign subnets. I did this in
  data centers quite often. A single data center with tons of subnets would
  have different pieces carved out and added to various sites depending on
  what DCs they needed to be with. This was sometimes a pain but network
  didn't always want to work with us in terms of giving us whole ranges of
  physical subnets to work with. There were more than one single IP subnets
  (32 bit mask) defined in that directory.
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
  Sent: Tuesday, July 19, 2005 12:31 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Does a domain require a GC?
  
  I don't understand your comment about converting 
  universal groups to local groups. Can you explain what you mean 
  here?
  
  Your suggestion about moving the root DCs to a separate 
  site would work, but it would require me to set up a dedicated IP subnet at 
  the two different locations where the DCs are located. The networking folks 
  would not want to do that.
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
  Sent: Monday, July 18, 2005 6:09 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Does a domain require a GC?
  
  Hi Ken,
  
  There is (at least) one requirement for a GC in every 
  domain. If you don't have a GC in a domain, you cannot convert universal 
  groups in that domain to local groups. However, this is probably not a big 
  concern for your empty root domain...
  
  Also a couple of suggestions:
  
  - Why not have all the DCs of the child domain as GCs? 
  This wouldn't add practically any replication, or the size of the NTDS.DIT on 
  those new GCs.
  
  - Instead of removing GCs from the root domain (because 
  of the Outlook issue), how about putting the root domain DCs (which would be 
  GCs) on a site with no clients, and with such a replication topology, that a 
  child domain GC is always closer to any client than a root domain 
  GC?
  
  Yours, Sakari
  
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 18, 2005 7:19 PM
To: ActiveDir@mail.activedir.org; Exchange Discussions
Subject: [ActiveDir] Does a domain require a GC?

We have two domains in our forest. The "empty" root domain, and a resource
domain where everything else lives. The root domain has two DCs - one each
in two different sites.

Our main domain has several DCs, and most of those are GCs as well. The
sites containing the root DCs each also have at least one resource domain
DC, and at least one of these DCs is a GC. In other words, all sites have
at least one resource domain DC and at least one of those is a GC as well.

My question is: can I remove GC function from the two root DCs? I seem to
recall reading that at least one DC in a domain had to be a GC, but I
can't find that requirement now.

All DCs are server 2003. The forest is 2000 native mode.

Why do I want to do this? We configure Outlook to use the "closest" GC. We
want 
 

RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to be Smart array(OT)

2005-07-21 Thread Ken Cornetet
Not strange at all when you consider that HP defines 1+0 to mean a
mirror (RAID1) with striped reads (RAID0) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, July 21, 2005 11:56 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)

Indeed, the HP array software will happily allow a 2 disk array to be
configured as RAID 1+0. Strange, since we all know you need 4 disks to
do this :)


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: 21 July 2005 17:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)


I *think* HP uses 1+0 (or 0+1) to mean RAID 1 (mirrored), but striped
reads (alternating across mirror halves). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, July 20, 2005 6:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)

so is anyone gonna answer my question?

do i need at least 4 drives to support raid 0 +1? or can it be done with
2?

Does Smart Array 6i support raid 10(1 +0)?

Thanks

btw, i'm nobody but i always was told there is a difference between raid
10 and 0+1


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 20, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WAY OT: Conflicting RAID terminiology (used to
be Smart array(OT)


In looking at some further docs, there are a few things that are
certain:

1.  Standards aren't - when it comes to Hybrid RAID.
2.  The only way to know if your controller has what *I* consider RAID 10
(RAID 1+0) - 'Read the Frakking Docs'!  One vendor's RAID 0+1 is another
vendor's RAID 1+0.
3.  Hybrid RAID is good - but expensive.  Know what you want, why you
want it, and be ready to justify the cost.
4.  Apologies to Jose - it's a terminology thing.  I wonder how many
people order servers with RAID 1+0, get 0+1, and have a meltdown with
the vendor who says, "But, Sir - that's what you asked for, and what you
explain is what we sent!"

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, July 20, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)

Hi Rick, 

It's okay to disagree and if you do a lookup on RAID with Google it
comes up with several sites with conflicting info (which means do not
believe everything you read unless you trust the source). The
authority on RAID is the hardware vendors, and each has their own
interpretation or variance; however, the true authority is IBM who
invented it in the first place. Now companies like Network Appliance
(NETAPP) have enhanced versions of a RAID 4 controller with patented
write-anywhere technology that makes them extremely fast and much
faster than a vendor that uses RAID 4.

So with that said I am including a link to Adaptec's site which explains
their implementation of Raid 0+1 (Raid 10).
http://www.adaptec.com/worldwide/product/markeditorial.html?sess=no&language=English+US&cat=%2fTechnology%2fRAID+Controllers&prodkey=talk_about_raid

Well that's my two cents, 

Jose Medeiros
An old timer that worked at IBM
supporting the engineers that invented the stuff.
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Wednesday, July 20, 2005 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)


Jose, I respectfully disagree.  RAID 0+1 is a mirrored array with
segments that are RAID 0 arrays.  RAID 0+1 has the same level of fault
tolerance as RAID 5.  If a single drive fails, the array becomes
effectively a RAID 0 array.

RAID 10, on the other hand, is an available standard on many Enterprise
controllers.  It is implemented as a striped array whose segments are
always RAID 1 arrays.  RAID 10 has the same fault tolerance as RAID 1,
and carries the same overhead as mirroring alone.  It has a huge I/O
gain in that all segments are RAID 1 stripes.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, July 20, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smart array(OT)

Hi Tom, 

Raid 0+1 is raid 10.  If I recall, Adaptec and Dell coined the Raid
10 term back in 1999. I always use the bios utility to create my drive
raid arrays, what does that say?

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
Sent: Wednesday, July 20, 2005 11:42 AM

RE: [ActiveDir] Does a domain require a GC?

2005-07-19 Thread Ken Cornetet



I don't understand your comment about converting universal 
groups to local groups. Can you explain what you mean here?

Your suggestion about moving the root DCs to a separate 
site would work, but it would require me to set up a dedicated IP subnet at the 
two different locations where the DCs are located. The networking folks would 
not want to do that.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 6:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Does a domain require a GC?

Hi Ken,

There is (at least) one requirement for a GC in every 
domain. If you don't have a GC in a domain, you cannot convert universal groups 
in that domain to local groups. However, this is probably not a big concern for 
your empty root domain...

Also a couple of suggestions:

- Why not have all the DCs of the child domain as GCs? This 
wouldn't add practically any replication, or the size of the NTDS.DIT on those 
new GCs.

- Instead of removing GCs from the root domain (because of 
the Outlook issue), how about putting the root domain DCs (which would be GCs) 
on a site with no clients, and with such a replication topology, that a child 
domain GC is always closer to any client than a root domain 
GC?

Yours, Sakari



  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
  Sent: Monday, July 18, 2005 7:19 PM
  To: ActiveDir@mail.activedir.org; Exchange Discussions
  Subject: [ActiveDir] Does a domain require a GC?
  
  We have two 
  domains in our forest. The "empty" root domain, and a resource domain where 
  everything else lives. The root domain has two DCs - one each in two different 
  sites.
  
  Our main domain 
  has several DCs, and most of those are GCs as well. The sites containing the 
  root DCs each also have at least one resource domain DC, and at least one 
  of these DCs is a GC. In other words, all sites have at least one resource 
  domain DC and at least one of those is a GC as well.
  
  My question is: 
  can I remove GC function from the two root DCs? I seem to recall reading 
  that at least one DC in a domain had to be a GC, but I can't find that 
  requirement now.
  
  All DCs are server 
  2003. The forest is 2000 native mode.
  
  Why do I want to 
  do this? We configure Outlook to use the "closest" GC. We want to insure 
  that Outlook can manage distribution lists (universal groups), and 
  Outlook can only do that if the GC is in the same domain as the group. We 
  are currently using a home-grown application to manage DL membership, but we'd 
  like to switch back to outlook.
  
  


[ActiveDir] Does a domain require a GC?

2005-07-18 Thread Ken Cornetet



We have two domains 
in our forest. The "empty" root domain, and a resource domain where everything 
else lives. The root domain has two DCs - one each in two different 
sites.

Our main domain has 
several DCs, and most of those are GCs as well. The sites containing the root 
DCs each also have at least one resource domain DC, and at least one of 
these DCs is a GC. In other words, all sites have at least one resource domain 
DC and at least one of those is a GC as well.

My question is: can 
I remove GC function from the two root DCs? I seem to recall reading that 
at least one DC in a domain had to be a GC, but I can't find that requirement 
now.

All DCs are server 
2003. The forest is 2000 native mode.

Why do I want to do 
this? We configure Outlook to use the "closest" GC. We want to insure that 
Outlook can manage distribution lists (universal groups), and Outlook can 
only do that if the GC is in the same domain as the group. We are currently 
using a home-grown application to manage DL membership, but we'd like to switch 
back to outlook.




RE: [ActiveDir] Group Management

2005-06-29 Thread Ken Cornetet



We have a centralized security department, and we used to 
do group management this way. As you found, it gets to be a chore, and the 
security people really don't know what the groups are for 
anyway.

What we ended up doing was creating an OU structure that 
mimics our business unit divisions[1]. Each unit's groups are stored under their 
OU. We have one person at each business called a "security administrator". Each 
security administrator has rights to manage all the groups in their OU. Their 
job is to accept security related requests from their users and either handle 
them themselves (in the case of group management), or forward to corp security 
(new user setup, etc).

[1]. We use alias names for each business unit (ie bu01, 
bu02, etc) because business units have a nasty habit of changing 
names.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 10:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Management

Hi all, sorry up front for the long post. I'm curious how larger 
organizations manage groups in AD, with respect to authorizing users to be added 
to/removed from a group. I don't mean the security around the 
administration, but the supporting business processes and workflows. 

We've just centralized security administration, and this has created a 
problem with group administration on quite a large scale. Our security admins 
will get a request to add UserA to GroupA. Since they have inherited the job, 
there isn't a clear 'owner' of GroupA, be it an IT owner like the SQL group, or a 
business owner like the Radiology dept. If it's a group that ultimately gets you 
admin rights on all SQL servers or access to patient data...you can see the 
problem developing here. The problem is really two-fold, the security aspects, 
as well as the time it takes to complete the request. (multiply it by 1500 
requests a day and the admins are really backed up) 

I'm wondering if anyone has had success with a self-service web-based request 
system, or something similar, and what made it successful? Ideally, the goal 
here is to get a detailed request into the admin group with all the info and 
approvals already in it. 

Thanks in advance, rb 


RE: [ActiveDir] Group Management

2005-06-29 Thread Ken Cornetet



Brian, I have a perl CGI script that allows the owner of a 
group to manage its members. We use it for distribution lists, but it would 
work for any groups.

It might take a few mods to work in your environment, but 
you are welcome to it if you like.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, June 28, 2005 10:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Management


I wish we had a system to do that here. I won't create any group without the 
managed by attribute being populated. This way I can then pass off the 
membership management to whomever. I haven't really identified yet the magnitude 
of the problem here, but, we're going to figure out a way to get that attribute 
populated on as many groups as possible and then it will tie into a web portal 
for AD mgmt that we're developing in house. IMHO that's the way to 
go.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 10:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Management

Hi all, sorry up front for the long post. I'm curious how 
larger organizations manage groups in AD, with respect to authorizing users to 
be added to/removed from a group. I don't mean the security around the 
administration, but the supporting business processes and workflows. 

We've just centralized security administration, and this has created a problem 
with group administration on quite a large scale. Our security admins will get 
a request to add UserA to GroupA. Since they have inherited the job, there 
isn't a clear 'owner' of GroupA, be it an IT owner like the SQL group, or a 
business owner like the Radiology dept. If it's a group that ultimately gets 
you admin rights on all SQL servers or access to patient data...you can see the 
problem developing here. The problem is really two-fold, the security aspects, 
as well as the time it takes to complete the request. (multiply it by 1500 
requests a day and the admins are really backed up) 

I'm wondering if anyone has had success with a self-service web-based request 
system, or something similar, and what made it successful? Ideally, the goal 
here is to get a detailed request into the admin group with all the info and 
approvals already in it. 

Thanks in advance, rb 



RE: [ActiveDir] Joining pc to domain over vpn

2005-05-19 Thread Ken Cornetet
I've run into something similar. I've forgotten the details, but best I
remember it involved joining a member server to a domain where NETBIOS
name resolution was not available.

Anyway, try creating an LMHOSTS file on the client with the following
 
# DC
nnn.nnn.nnn.nnn  YOURDC  #PRE #DOM:DOMAIN
# the padded domain name is quoted so the trailing spaces survive parsing
nnn.nnn.nnn.nnn  "DOMAIN         \0x1b"  #PRE

Where nnn.nnn.nnn.nnn is the IP address of the domain controller
DOMAIN is the NETBIOS name of the domain

IMPORTANT! The name in the second line MUST end up containing exactly 16
characters. Put your domain name in and pad with spaces out to 15
characters before the \0x1b character. The \0x1b counts as one
character.





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 18, 2005 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Joining pc to domain over vpn


That didn't work.
I added a WINS server anyway and I can ping both the WINS and DNS
servers in the domain over the VPN.
I can also do an nslookup and get the SRV RRs.
 
Still get the same "the network location could not be reached" error.
I must be connecting to a DC because I am being prompted for a username
and password to join the domain.
Does Windows XP still use NetBIOS to join a domain, btw?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Joining pc to domain over vpn



I've had to do this in the past; I used the LMHOSTS file
with the #DOM qualifier for the PDCE for the domain. 

Something like: 

10.10.10.1    servername    #PRE #DOM:domainname 

This has worked using Secure Remote and Nortel VPN client
software. 








From: Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 05/18/2005 03:47 PM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir (E-mail) ActiveDir@mail.activedir.org
Subject: [ActiveDir] Joining pc to domain over vpn

Can you join a pc to a domain over a win xp pptp vpn connection
with changing the dns settings on the network adapter or does windows
use only those settings and NOT the one's on the vpn adapter?

If i don't change the dns settings on the nic adapter(the vpn
adapter has the correct settings), i can't contact the domain.
if i change the nic adapter dns settings, i get up to the part
where i'm prompted for a password, but then it fails with domain.tld
could not be contacted


I'm using windows xp sp1 client with the default pptp vpn to a
win2k RRAS server

Any ideas?
thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/






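The LMHOSTS entries discussed in this thread, as an added example that is not part of any post: a small Python script that builds the DC line and the padded-domain line and checks the 16-character rule before the file is dropped on a client. The quoting convention (a name carrying padding or a \0xHH byte goes in double quotes) is taken from Microsoft's lmhosts.sam; the sample IP address, DC name and domain are constructed.

```python
"""Build and check LMHOSTS entries for joining a machine where NetBIOS name
resolution (WINS or broadcast) is unavailable, for example over a VPN.

Constructed example, not the poster's file. Assumes the LMHOSTS syntax from
Microsoft's lmhosts.sam: a name containing spaces or a \\0xHH byte must be
quoted, and each \\0xHH escape stands for one byte of the 16-byte name.
"""

from __future__ import annotations

import ipaddress
import re

NETBIOS_NAME_LEN = 15        # printable part of a NetBIOS name
DOMAIN_SUFFIX = "\\0x1b"     # 16th byte: domain master browser (the PDC emulator)
ESCAPE = re.compile(r"\\0x[0-9A-Fa-f]{2}")


def netbios_length(name: str) -> int:
    """Length as the LMHOSTS parser sees it: every \\0xHH escape is one byte."""
    return len(ESCAPE.sub("\x00", name))


def padded_domain_name(domain: str) -> str:
    """Domain name padded with spaces to 15 characters, then \\0x1b, so the
    whole name is exactly 16 bytes as the post requires."""
    if not domain or len(domain) > NETBIOS_NAME_LEN:
        raise ValueError(f"NetBIOS domain name must be 1-15 characters: {domain!r}")
    if any(ch.isspace() for ch in domain):
        raise ValueError(f"NetBIOS domain name must not contain spaces: {domain!r}")
    return domain.upper().ljust(NETBIOS_NAME_LEN) + DOMAIN_SUFFIX


def build_lmhosts(dc_ip: str, dc_name: str, domain: str) -> list[str]:
    """Return the LMHOSTS lines: comment, DC entry (#PRE #DOM) and the quoted,
    padded domain entry (#PRE). The quotes keep the padding intact."""
    ipaddress.IPv4Address(dc_ip)          # raises ValueError on a non-IPv4 literal
    if not dc_name or len(dc_name) > NETBIOS_NAME_LEN:
        raise ValueError(f"DC NetBIOS name must be 1-15 characters: {dc_name!r}")
    return [
        "# DC",
        f"{dc_ip}  {dc_name.upper()}  #PRE #DOM:{domain.upper()}",
        f'{dc_ip}  "{padded_domain_name(domain)}"  #PRE',
    ]


def check_lmhosts(lines: list[str]) -> list[str]:
    """Lint an LMHOSTS fragment: every quoted name must be exactly 16 bytes,
    and a \\0x1b entry must be quoted at all. Returns the problems found."""
    problems = []
    for lineno, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue                       # comment line
        quoted = re.search(r'"([^"]*)"', line)
        if quoted:
            n = netbios_length(quoted.group(1))
            if n != 16:
                problems.append(f"line {lineno}: quoted name is {n} bytes, must be 16")
        elif DOMAIN_SUFFIX in line:
            problems.append(f"line {lineno}: \\0x1b name must be quoted to keep its padding")
    return problems


if __name__ == "__main__":
    # Constructed sample values; substitute your own DC address, name and domain.
    sample = build_lmhosts("10.0.0.5", "dc1", "corp")
    print("\n".join(sample))
    print("problems:", check_lmhosts(sample))
```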

RE: [ActiveDir] Least Privilege User Account Provisioning for AD AND Exchange

2005-05-18 Thread Ken Cornetet



My first thought would be to have the support people use a 
simple app that loads all of the required information into a database (or even 
flat files). A regularly scheduled batch job (running as an admin ID) 
would read these pending new users and do the actual AD account and mailbox 
creation.

I have some perl code that I started for provisioning 
users, but I never finished it. It does include code for creating an Exchange 
mailbox. It's yours if you want it.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frost, David: #CIO-BPI
Sent: Wednesday, May 18, 2005 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Least Privilege User Account Provisioning for AD AND Exchange

I have a scenario I 
need to explore where the ability to create and modify the AD user account and 
associated Exchange (2003) mailbox creation is delegated out to 1st and 2nd 
line service desk personnel. It is not desirable to have 1 and 2 LS staff 
using native tools such as ADUC or Exchange System 
Manager. I have been able to successfully lock down the AD 
account creation permissions and script the process in such a way to reduce the 
possibility of data entry errors and provide consistent data. 


The sticky issue 
comes with the requirement to have the exchange mailbox assigned. It 
appears from most of the reading I have done, the users who create the mailbox 
enabled user account must be a member of Exchange View-only 
Administrators. This is even less desirable than allowing them to use ADUC 
or ESM. Then there is the issue of assigning the new user to the correct 
Exchange server/storage group/mailbox store to ensure proper 
loading.

So my questions:

Is there a way to 
script the creation of a mailbox enabled user account in such a way as to not 
use ADUC and/or ESM AND not be a member of Exchange View-only admins? How 
to handle the Server/Storage Group/Mailbox Store selection?

Is there a COTS tool 
for (simple) account provisioning that a) is "cheap and cheerful", b) 
does not require either a full blown meta-directory or connection to an HR 
system be implemented (see point a); that will allow for service desk 
operators to create and manage user accounts?

David Frost
Directory Engineering - Messaging Directories and PKI 
Industry Canada
(613) 957-8442
email [EMAIL PROTECTED]



RE: [ActiveDir] Scripting DC cleanup?

2005-05-02 Thread Ken Cornetet
 installing SP1 you don't need 
 to select the site, domain, etc. Just select the server and kill it!
 
 QUOTE
 
 The Ntdsutil.exe command-line tool for managing the Active Directory 
 database has new commands that make it easier to remove domain 
 controller metadata. Preliminary steps, such as connecting to a 
 server, domain, and site, are no longer required. You simply specify 
 the server to remove. You can also specify the server on which to make 
 the deletion.
 
  
 
 Cheers
 
 Jorge
 
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, March 18, 2005 18:00
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Scripting DC cleanup?
 
 I would recommend watching your AD to see exactly what NTDSUTIL is 
 doing, you can actually just get away from using it and deleting the 
 appropriate objects directly (hint look at the objects under the 
 server containers of sites...) . In fact you can make a solution that 
 is better than ntdsutil because last I looked, it didn't get rid of 
 FRS references, etc. I recall a tool written by a friend of mine at 
 the widget factory I used to work at that would do this quite well and 
 quite fast and was called Whack-A-DC. It was used to clean up the test 
 environment sucked off of the real environment after it was isolated 
 from the real network.
 
  
 
 I have been slow to duplicate anything like this as a joeware tool 
 because quite frankly, it is pretty dangerous stuff and would prefer 
 to not have my tools used in script kiddies attack tool boxes. oldcmp 
 specifically and very purposely avoids DCs.
 
  
 
   joe
 
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
 Sent: Friday, March 18, 2005 10:32 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Scripting DC cleanup?
 
 I guess I should have elaborated. NTDSUtil references domains, sites, 
 and servers by sequential numbers. In order to write a simple command 
 file for DC cleanup, I'd have to know what these numbers would be 
 beforehand, and I'm not at all sure they won't change.
 
  
 
 What I'd like to do is write a perl script that will figure out what 
 these numbers will be and write a script that I can feed into ntdsutil 
 to do the dirty work.
 
  
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian 
 Desmond
   Sent: Friday, March 18, 2005 9:40 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Scripting DC cleanup?
 
   You can make ntdsutil work in a script. Just make a batch file. The 
 syntax is to put a space between each command and put them in
 quotes:
 

 
   ntdsutil "connect to domain 1" "do something cool" "build an arc"
 
   ntdsutil "connect to domain 2" "do something cool" "build an arc"
 

 
   etc etc
 

 
   --Brian Desmond
   [EMAIL PROTECTED]
   Payton on the web! www.wpcp.org

   v - 773.534.0034 x135
   f - 773.534.8101
 
   c - 312.731.3132
 

 
   
 
 
 
   From: [EMAIL PROTECTED] on behalf of Ken Cornetet
   Sent: Fri 3/18/2005 7:33 AM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Scripting DC cleanup?
 
   It's getting close to time for our annual off-site disaster recovery 
 test, and I'd like to automate a dreaded chore that this testing 
 entails. Our main domain has about two dozen DCs. We only recover one 
 of those during the test. This means I have to perform the ntdsutil 
 dance outlined in KB216498 23 times to remove the phantom DCs.
 

 
   Is there any way I can script this, or at least script creation of a 
 text file that would be piped into ntdsutil?
 

 
   I stumbled across a script called metacleaner.vbs written by a 
 gentleman at microsoft, but it did not appear to work.
 
 
 
 



RE: [ActiveDir] 2003 SP1 RTM

2005-03-31 Thread Ken Cornetet
I have Virtual Server running on w2k3 enterprise.

I have installed SP1 on 4 of the virtual machines (which are domain controllers 
for a test forest). The virtual machines are using very little CPU (as shown by 
the VS status web page). The host is not using anywhere near 100% of its CPU 
either.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
Sent: Thursday, March 31, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM


BTW, just to note to Aric's issues on Virtual Server 2005 (which I'm also 
interested to hear if others have the same issue): I don't have these issues on 
VMware - SP1 runs just fine on my VMs (for quite a while now). 

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Donnerstag, 31. März 2005 21:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I have a specific problem related in some way to SP1.

I have several test environments.  In each I use Virtual Server 2005. Each 
environment is 100% Windows Server 2003.  After upgrading any of the VMs with 
SP1, the upgraded VM runs at nearly 100% CPU consistently. 

Removing and reinstalling the VM Additions has no effect.

Removing SP1 also removes the visible problem.

You might understand that I have an apprehension towards installing SP1 in 
production, especially on those systems running as VMs.

Any ideas?

Regards,

Aric Bernard 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, March 31, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

Dave can you quantify this statement please? I ask out of curiosity, not 
disagreement.

Specifically:
1) You referred to SP1 having too many changes. How did you make this 
determination? What is the threshold where we cross in to too many?
2) What steps will you be going through between now and when you do install it? 
What will you do between now and deployment to give you the confidence level 
you need to fire it up on a box and see how it goes?

Interested, so we can perhaps think through ways to make that less painful 
going forward. ~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
Sent: Thursday, March 31, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

I am certainly going to be waiting to install this one for a while, too 
many changes to jump right into it.

David A. Marquis
Computer Systems Administrator

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 31, 2005 6:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1 RTM

FYI. Windows Server 2003 SP1 went RTM yesterday

http://www.microsoft.com/downloads/details.aspx?familyid=22CFC239-337C-4D81-8354-72593B1C1F43&displaylang=en





RE: [ActiveDir] Scripting DC cleanup?

2005-03-22 Thread Ken Cornetet



Have you ever actually had to clean up dozens of DCs using ntdsutil???

Maybe Microsoft should implement an environment variable called 
"ADMIN_BACKGROUND".

If ADMIN_BACKGROUND is set to "unix", all tools default to "advanced" mode, and all 
safety checking is turned off. 

If ADMIN_BACKGROUND is set to "mac", all tools go to training wheels mode where the 
user is prompted "Are you sure?", "Are you REALLY sure?"

If ADMIN_BACKGROUND is set to "windows", all command line utilities are 
disabled.

If ADMIN_BACKGROUND is set to "mainframe", all windows switch to green-on-black 
text.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, March 21, 2005 8:44 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?
  I wasn't aware of that. That is kind of scary. People 
  should have to go through those steps in a lot of cases as they may be doing 
  the wrong thing...
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
  Sent: Monday, March 21, 2005 7:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?
  
  If you're talking about W2K3 
  then after installing SP1 you don't need to select the site, domain, etc. Just 
  select the server and kill it!
  QUOTE
  The Ntdsutil.exe command-line 
  tool for managing the Active Directory database has new commands that make it 
  easier to remove domain controller metadata. Preliminary steps, such as 
  connecting to a server, domain, and site, are no longer required. You simply 
  specify the server to remove. You can also specify the server on which to make 
  the deletion.
  
  Cheers
  Jorge
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, March 18, 2005 18:00
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?
  
  I would recommend watching your AD to see exactly what 
  NTDSUTIL is doing, you can actually just get away from using it and deleting 
  the appropriate objects directly (hint look at the objects under the server 
  containers of sites...). In fact you can make a solution that is better 
  than ntdsutil because last I looked, it didn't get rid of FRS references, etc. 
  I recall a tool written by a friend of mine at the widget factory I 
  used to work at that would do this quite well and quite fast and was called 
  Whack-A-DC. It was used to clean up the test environment sucked off of 
  the real environment after it was isolated from the "real" 
  network.
  
  I have been slow to duplicate anything like this as a 
  joeware tool because quite frankly, it is pretty dangerous stuff and would 
  prefer to not have my tools used in script kiddies attack tool boxes. oldcmp 
  specifically and very purposely avoids DCs.
  
   joe
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
  Sent: Friday, March 18, 2005 10:32 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?
  
  I guess I should have elaborated. NTDSUtil references domains, sites, and 
  servers by sequential numbers. In order to write a simple command file for DC 
  cleanup, I'd have to know what these numbers would be beforehand, and I'm not 
  at all sure they won't change.
  
  What I'd like to do is write a perl script that will figure out what these numbers 
  will be and write a script that I can feed into ntdsutil to do the dirty 
  work.
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, March 18, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

You can make 
ntdsutil work in a script. Just make a batch file. The syntax is to put a 
space between each command and put them in quotes:

ntdsutil "connect to domain 1" "do something cool" "build an arc"

ntdsutil "connect to domain 2" "do something cool" "build an arc"

etc etc


--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132


From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 3/18/2005 7:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting DC cleanup?

It's getting 
close to time for our annual off-site disaster recovery test, and I'd like 
to automate a dreaded chore that this testing entails. Our main domain has 
about two dozen DCs. We only recover one of those during the test. This 
means I have to perform the ntdsutil dance outlined in KB216498 23 
times to remove the phantom DCs.

Is there any way 
I can script this, or at least script creation of a text file that would be 
piped into 

[ActiveDir] Scripting DC cleanup?

2005-03-18 Thread Ken Cornetet



It's getting close 
to time for our annual off-site disaster recovery test, and I'd like to automate 
a dreaded chore that this testing entails. Our main domain has about two dozen 
DCs. We only recover one of those during the test. This means I have 
to perform the ntdsutil dance outlined in KB216498 23 times to remove the 
phantom DCs.

Is there any way I 
can script this, or at least script creation of a text file that would be piped 
into ntdsutil?

I stumbled across a 
script called "metacleaner.vbs" written by a gentleman at microsoft, but it did 
not appear to work. 


RE: [ActiveDir] Scripting DC cleanup?

2005-03-18 Thread Ken Cornetet



I guess I should have elaborated. NTDSUtil references domains, sites, and servers 
by sequential numbers. In order to write a simple command file for DC cleanup, 
I'd have to know what these numbers would be beforehand, and I'm not at all sure 
they won't change.

What I'd like to do is write a perl script that will figure out what these numbers 
will be and write a script that I can feed into ntdsutil to do the dirty 
work.


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Friday, March 18, 2005 9:40 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?
  
  You can make 
  ntdsutil work in a script. Just make a batch file. The syntax is to put a 
  space between each command and put them in quotes:
  
  ntdsutil "connect to domain 1" "do something cool" "build an arc"
  
  ntdsutil "connect to domain 2" "do something cool" "build an arc"
  
  etc etc
  
  
  --Brian Desmond
  [EMAIL PROTECTED]
  Payton on the web! www.wpcp.org
  v - 773.534.0034 x135
  f - 773.534.8101
  c - 312.731.3132
  
  
  From: [EMAIL PROTECTED] on behalf of Ken Cornetet
  Sent: Fri 3/18/2005 7:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Scripting DC cleanup?
  
  It's getting close 
  to time for our annual off-site disaster recovery test, and I'd like to 
  automate a dreaded chore that this testing entails. Our main domain has about 
  two dozen DCs. We only recover one of those during the test. This means I have 
  to perform the ntdsutil dance outlined in KB216498 23 times to remove the 
  phantom DCs.
  
  Is there any way I 
  can script this, or at least script creation of a text file that would be 
  piped into ntdsutil?
  
  I stumbled across 
  a script called "metacleaner.vbs" written by a gentleman at microsoft, but it 
  did not appear to work. 
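The perl script Ken describes, as an added Python example that is not the poster's code: it parses the numbered lists ntdsutil prints, resolves the numbers for the domain, the site and each phantom server by name, and emits the quoted-argument command lines from Brian's post in the KB216498 step order. The "N - <DN>" listing format and every sample name are assumptions or constructed values, so compare the parsed numbers with your own ntdsutil output before feeding the result back in.

```python
"""Generate ntdsutil metadata-cleanup command lines from the sequential
numbers ntdsutil assigns in its "list ..." output.

Constructed example, not the poster's perl script. The listing format
("N - <distinguished name>" per line) and the command sequence follow the
KB216498 procedure the thread references; treat both as assumptions.
"""

from __future__ import annotations

import re

LISTING_LINE = re.compile(r"^\s*(\d+)\s+-\s+(.+?)\s*$")


def parse_listing(text: str) -> dict[int, str]:
    """Map each sequential number in a 'list domains' / 'list sites' /
    'list servers in site' output to its distinguished name."""
    entries = {}
    for line in text.splitlines():
        m = LISTING_LINE.match(line)
        if m:
            entries[int(m.group(1))] = m.group(2)
    return entries


def index_of(listing: dict[int, str], name: str) -> int:
    """Return the number ntdsutil assigned to the object whose first RDN is
    CN=<name> or DC=<name>. Fails loudly if absent or ambiguous, because a
    wrong number here removes the wrong DC."""
    wanted = name.lower()
    hits = [
        n for n, dn in listing.items()
        if dn.split(",", 1)[0].lower() in (f"cn={wanted}", f"dc={wanted}")
    ]
    if len(hits) != 1:
        raise LookupError(f"{name!r} matched {len(hits)} entries, expected exactly 1")
    return hits[0]


def cleanup_steps(connect_to: str, domain_n: int, site_n: int, server_n: int) -> list[str]:
    """The interactive ntdsutil dialogue for one phantom DC, one step per element."""
    return [
        "metadata cleanup",
        "connections",
        f"connect to server {connect_to}",
        "quit",
        "select operation target",
        "list domains",
        f"select domain {domain_n}",
        "list sites",
        f"select site {site_n}",
        "list servers in site",
        f"select server {server_n}",
        "quit",
        "remove selected server",
        "quit",
        "quit",
    ]


def command_line(steps: list[str]) -> str:
    """Render the steps in the quoted-argument form shown in the thread."""
    return "ntdsutil " + " ".join(f'"{s}"' for s in steps)


def plan_cleanup(connect_to: str, domain: str, site: str, stale_servers: list[str],
                 domains_out: str, sites_out: str, servers_out: str) -> list[str]:
    """One command line per phantom DC. Refuses to target the DC we connect
    to (the recovered survivor), which is the one DC that must stay."""
    domain_n = index_of(parse_listing(domains_out), domain)
    site_n = index_of(parse_listing(sites_out), site)
    servers = parse_listing(servers_out)
    lines = []
    for server in stale_servers:
        if server.lower() == connect_to.lower():
            raise ValueError(f"refusing to remove the surviving DC {connect_to}")
        steps = cleanup_steps(connect_to, domain_n, site_n, index_of(servers, server))
        lines.append(command_line(steps))
    return lines


# Constructed sample output, as if captured from "list domains", "list sites"
# and "list servers in site" on the recovered DC (names are made up).
DOMAINS_OUT = """Found 1 domain(s)
0 - DC=corp,DC=example,DC=com
"""
SITES_OUT = """Found 2 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
1 - CN=Boston,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
"""
SERVERS_OUT = """Found 3 server(s)
0 - CN=DC01,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
1 - CN=DC07,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
2 - CN=DC12,CN=Servers,CN=Boston,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
"""

if __name__ == "__main__":
    for cmd in plan_cleanup("DC01", "corp", "Boston", ["DC07", "DC12"],
                            DOMAINS_OUT, SITES_OUT, SERVERS_OUT):
        print(cmd)
```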


RE: [ActiveDir] DEC questions

2005-03-01 Thread Ken Cornetet



Pardon my ignorance, but what is DEC?

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Sullivan
  Sent: Monday, February 28, 2005 3:35 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DEC questions
  
  Hi Dave,
  
  This will be my 
  fourth DEC and every one has been worth it. I think I have learned more at this 
  conference than any other I have attended. It is very focused, intimate and 
  full of some incredibly interesting people who are out there doing 
  it.
  
  The content ranges 
  in complexity but almost all is going to be accessible if you have been 
  working with AD for years. What helps at this show is after the talk you are 
  having conversations with attendees who can clarify topics based on their own 
  experiences as well as provide tips on how it may be applicable to your 
  situation.
  
  Like Joe mentioned 
  the ability to have candid conversations with people from Microsoft is also 
  incredibly valuable. There are a slew of Microsoft people there and they are 
  all focused on Directories and surrounding technologies. 
  
  
  The networking 
  outside of the Microsoft people is also a great 
  value.
  
  Oh yeah, 
  occasionally watching hung over people try to pay attention to deep DNS 
  discussions is sort of fun as well G. Being a hung over person trying 
  to pay attention to deep DNS discussions, well, that is not quite as 
  fun!
  
  I hope to see you 
  there.
  
  Kevin
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Thursday, February 24, 2005 12:38 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] DEC questions
  
  
  Hi all,
  
  
  
   Hope you don't mind 
  these...
  
  
  
  My company has 
  considered the idea of sending a couple of us to the conference, but are 
  wondering if they should use our vouchers to have us attend 
  some AD troubleshooting workshops [by Microsoft] instead. 
  While I don't know any specific details as to what that entails, we've also 
  never been to one of these DECs! Our managers have asked us 
  to justify in writing what we think we'll get out of this conference, and 
  if it will prove more worthwhile than the MS offering (again - sorry that I 
  don't know exactly *what* that is).
  
  
  
  Myself? I 
  have 4+ years in a live AD environment, and can honestly say that 
  some of what I've seen written on this list zooms high overhead (!), while 
  other stuff falls right in line, so am hoping that I would be a good candidate 
  to attend.
  
  
  
   I see many 
  testimonials, etc...on the conf. website, so just hoping to get any brief 
  thoughts from anyone - with many thanks in 
  advance!
  
  
  -DaveC
  Reuters AITS 
  Infrastructure
  
  
  -Visit 
  our Internet site at http://www.reuters.comGet closer to the financial 
  markets with Reuters Messaging - for moreinformation and to register, 
  visit http://www.reuters.com/messagingAny views expressed in this 
  message are those of the individualsender, except where the sender 
  specifically states them to bethe views of Reuters 
  Ltd.


RE: [ActiveDir] HP LH3000 W2K3 Upgrade?

2005-02-23 Thread Ken Cornetet
We are running w2k3 on a couple of 3000s (a 3000 and a 6000 actually).
It seems to work OK, but as you know, it isn't supported by either HP or
Microsoft.

Horsepower-wise, you'll be fine. But - do you *really* want your DCs
running on an unsupported configuration?

A new DL360 G4 or DL380 G4 with a pair or 36GB drives can be had for
cheap:
http://www.cdw.com/shop/products/rebates.aspx?EDC=674965

Even one of the HP cheapo servers - (DL110?) would be OK for a DC, and
it would be supported by MS and HP. 

If you don't need to keep the same server names and IP addresses, I'd
shut down the 3000 w2k DC, pull the disks out, put a new disk in,
install w2k3 from the w2k3 CD, dcpromo to DC. If it looks good, shut it
down, put the old disks in, boot up, and dcpromo down. Shutdown,
re-install the w2k3 disk and use one of the old disks to mirror the new
disk. Adjust your FSMO roles to taste.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Wednesday, February 23, 2005 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] HP LH3000 W2K3 Upgrade?


I have two HP LH3000 servers, one is the PDC and the other a BDC.  HP
does not support an upgrade to W2K3 but I've read where it is possible
to upgrade these servers from W2K to W2K3.  The current domain is in
native mode, no NT4 servers but I do have a mix of Win2k3 and Win2k
computers.  The LH3000's are P3 733MHz machines but we only have ~60
users, I'm wondering if it's even worth the upgrade or if I should put
efforts in getting a couple new machines in here to replace the current
DC's.  If I upgrade the current LH3000's what is the safest process for
doing so in case the upgrade doesn't take?

Donavon Yelton
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] OT: Internet Explorer group policy

2005-02-21 Thread Ken Cornetet
I'm a bit confused by IE group policy. There are two branches of the
User Configuration that contain IE related policy. There is Windows
Settings, Internet Explorer Maintenance where you edit policy by
exporting your current IE policy. There is also Administrative
Templates, Internet Explorer where you define values directly.

There appears to be a great deal of overlap between the two areas.
However, making a change in one area does not show up in the other.

Does anyone know where I can find some decent documentation on IE group
policy? I asked our TAM this question, and his answer was "does not seem
to exist".
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] W32Time and *nix

2005-02-19 Thread Ken Cornetet
Marvin the Martian's dog?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, February 18, 2005 11:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] W32Time and *nix

You could also grab a copy of K9 and sync time with it


Roger Seielstad
E-mail Geek  MS-MVP  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Charlie Kaiser
 Sent: Thursday, February 17, 2005 11:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] W32Time and *nix
 
 Maybe try what we did; set the AD time source to be a router 
 or switch that can act as a time server. That router or 
 switch then connects to an external time source. Different 
 flavors of time synch can then connect to that router or 
 switch and get time... That way, you also don't have to have 
 a connection open on the time ports into your DC...
 
 **
 Charlie Kaiser
 MCSE, CCNA
 Systems Engineer
 Essex Credit / Brickwalk
 510 595 5083
 **
  
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 Creamer, Mark
  Sent: Thursday, February 17, 2005 10:51 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] W32Time and *nix
  
  Folks, I'd like to throw this back out for comments if I can. A while back I asked about using our current W32Time server, the forest root AD box, as the authoritative time server for the non-Windows clients on our network. I haven't had any luck getting this to work. If I remember correctly, W32Time is a derivation of the NTP protocol, (is it SNTP maybe??). Anyway, nothing I've tried enables the Linux and Unix boxes to sync with this server. One article I read said it will not work, but you obviously can't rely on everything posted on the net :-)
  
  Am I missing something, or do I need to maybe look at a 3rd party solution to handle all of the time services? What are some of you using for this situation? Thanks!
  
  Mark Creamer
  
  This e-mail transmission contains information that is 
 intended to be 
  confidential and privileged.  If you receive this e-mail 
 and you are 
  not a named addressee you are hereby notified that you are not 
  authorized to read, print, retain, copy or disseminate this 
  communication without the consent of the sender and that 
 doing so is 
  prohibited and may be unlawful.  Please reply to the message 
  immediately by informing the sender that the message was 
 misdirected.  
  After replying, please delete and otherwise erase it and any 
  attachments from your computer system.  Your assistance in 
 correcting 
  this error is appreciated.  Thank you.  Cintas Corporation.
  
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: 
  http://www.mail-archive.com/activedir%40mail.activedir.org/
  


RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-18 Thread Ken Cornetet
There is a windows port of the standard NTP code available at
http://www.five-ten-sg.com/
And http://norloff.org/ntp/

I used the former on many servers back in the nt4 days with no problems.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, February 17, 2005 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time sync on non-domain W2K server?


Ah. There we go. The w32tm -once showed a sync. Now the next question
is: will the standalone server automatically sync with the listed time
source or will I have to perform manual/scripted syncs? I know it's
automatic within an AD structure, but what I've been reading doesn't
address non-domain scenarios... Thanks much!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bob Free
 Sent: Thursday, February 17, 2005 12:26 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Time sync on non-domain W2K server?
 
 When you run Net Time \\somemachine /set you are using the old LanMan 
 NetTOD api to locate an authoritative time source which doesn't work 
 because you aren't in the domain and you have already told the box to 
 use SNTP with the /setsntp arg.
 
 You want to use w32tm to test the SNTP function. Stop W32Time service and try w32tm -once and observe the console output. The arguments have changed in 2003 and XP and I don't have a W2K box handy but w32tm /? will give you all the args.
 
 It is confusing because you can use Net Time with the /setsntp or 
 /querysntp but all you are doing there is making the registry setting 
 or reading it.
 
 
 
 On Thu, 17 Feb 2005 11:45:42 -0800, Charlie Kaiser 
 [EMAIL PROTECTED] wrote:
  Doesn't work. System error 5 has occurred. Access is denied. The Cisco servers are not in the domain, and the DCs won't allow communications from outside. If I do a runas with domain credentials, I can make it work, but I was hoping for a more elegant solution. I don't like doing runas with domain pwds in a file somewhere. It's my biggest beef with runas... If I try to do the same to the IP address of our switch, it says network path not found. You'd think there would be a way to allow a stand-alone server to synch with an external time source...
  
  **
  Charlie Kaiser
  MCSE, CCNA
  Systems Engineer
  Essex Credit / Brickwalk
  510 595 5083
  **
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
 Al Garrett
   Sent: Thursday, February 17, 2005 11:08 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Time sync on non-domain W2K server?
  
   Seems to me, if the Cisco servers can talk to the DC's via TCP/IP,

   then you should be able to do a simple
  
   NET TIME \\DCname /SET /YES
  
   NET TIME \\DCipaddress .
  
   Make a batch file or run an AT job, anything that syncs them 
   periodically.
  
  
  
   -Original Message-
   From: Creamer, Mark [mailto:[EMAIL PROTECTED]
   Sent: Thursday, February 17, 2005 10:53 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Time sync on non-domain W2K server?
  
  
   Interesting...Charlie's message just popped up in my inbox as well. Looks like time sync is a current hot topic. Eagerly awaiting thoughts from the group.
  
   mc
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
   Kaiser
   Sent: Thursday, February 17, 2005 1:23 PM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Time sync on non-domain W2K server?
  
   I have a W2K3 AD domain. Gets its time synch from our Cisco switch, which gets time from outside. Usually works OK; hiccups once in a while; no big deal. I've run into an interesting problem, though. We have Cisco VoIP phones, which display the time on the screen. A user complained because the time was about 6 minutes different between the phone and her PC. I started looking into it, took care of a few things, but came across something I can't resolve. Our Cisco Call Managers (W2K servers running Cisco call-handling apps) are not members of the domain. Cisco documentation says they should be stand-alone servers. I try and use net time /setsntp:switchIPaddress or net time /setsntp:PDCEname. Either one works, but when I do a net time /set, it fails with "Could not locate a time-server". Q243574 explains that only the PDCe can do an external synch. So how do we get a stand-alone machine to set the time? It's kind of important, because the phones get their time display from the Call Managers' OS time. Any ideas? Thanks!
  
   **
   Charlie Kaiser
   MCSE, CCNA
   Systems Engineer
   Essex 
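Both time threads above (W32Time and *nix, and this one about a standalone W2K server) come down to the same point: the Windows time service answers SNTP on UDP 123, so any client that can form an RFC 4330 request and read the reply can sync to it, and w32tm -once or net time /setsntp are just front ends for that exchange. The block below is an added example, not code from any poster on the list: a minimal SNTP client in Python that builds the request, validates the reply (server mode, stratum, leap indicator, and that the Originate Timestamp echoes our own request) and computes the clock offset and round-trip delay from the four timestamps. The exchange in demo_offline() is constructed (a server six minutes ahead, like the phone-versus-PC gap in the thread); query() runs the same code against a host you name.

```python
"""Minimal SNTP client (RFC 4330): build the request, validate the reply and compute
the clock offset. Everything network-facing is in query(); demo_offline() runs the
same code path over a constructed exchange so it can be checked without a server."""
import socket
import struct
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MODE_CLIENT, MODE_SERVER = 3, 4
# LI|VN|Mode, stratum, poll, precision, root delay, root dispersion, reference id,
# then four 64-bit timestamps: reference, originate, receive, transmit.
_PACKET = struct.Struct("!BBBbII4sIIIIIIII")     # 48 bytes


def to_ntp(unix_ts):
    """Unix seconds (float) -> (seconds, fraction) in NTP 64-bit fixed point."""
    whole = int(unix_ts)
    frac = int((unix_ts - whole) * (1 << 32))
    return (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF


def from_ntp(secs, frac):
    """NTP (seconds, fraction) -> Unix seconds (float)."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def _first_byte(li, version, mode):
    return ((li & 3) << 6) | ((version & 7) << 3) | (mode & 7)


def build_request(transmit_unix, version=4):
    """Client request: mode 3, everything zero except the Transmit Timestamp."""
    tx_s, tx_f = to_ntp(transmit_unix)
    return _PACKET.pack(_first_byte(0, version, MODE_CLIENT), 0, 0, 0, 0, 0,
                        b"\0\0\0\0", 0, 0, 0, 0, 0, 0, tx_s, tx_f)


def build_server_reply(request, receive_unix, transmit_unix, stratum=2, ref_id=b"LOCL"):
    """Server side of the exchange, used here only to construct a reply: the client's
    Transmit Timestamp comes back as Originate, Receive/Transmit carry the server clock."""
    req = _PACKET.unpack(request)
    version = (req[0] >> 3) & 7
    ref_s, ref_f = to_ntp(transmit_unix)           # reference: treat as just synchronised
    rx_s, rx_f = to_ntp(receive_unix)
    tx_s, tx_f = to_ntp(transmit_unix)
    return _PACKET.pack(_first_byte(0, version, MODE_SERVER), stratum, req[2], -20, 0, 0,
                        ref_id, ref_s, ref_f, req[13], req[14], rx_s, rx_f, tx_s, tx_f)


def parse_response(data):
    """Decode a reply; raise ValueError for anything a client must not trust."""
    if len(data) < _PACKET.size:
        raise ValueError("short packet: %d bytes" % len(data))
    f = _PACKET.unpack(data[:_PACKET.size])
    li, version, mode = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7
    if mode != MODE_SERVER:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3:
        raise ValueError("server clock unsynchronised (LI=3)")
    if f[1] == 0:
        # Stratum 0 is a kiss-o'-death: the reference id carries an ASCII reason code.
        raise ValueError("kiss-o'-death from server: %r" % f[6])
    if f[13] == 0 and f[14] == 0:
        raise ValueError("zero Transmit Timestamp")
    return {"leap": li, "version": version, "stratum": f[1], "ref_id": f[6],
            "originate": from_ntp(f[9], f[10]),
            "receive": from_ntp(f[11], f[12]),
            "transmit": from_ntp(f[13], f[14])}


def clock_offset(reply, t1, t4):
    """RFC 4330 offset and delay. t1/t4 are the client's send/receive times; the reply's
    Originate Timestamp must echo t1, otherwise it is stale or not addressed to us."""
    if abs(reply["originate"] - t1) > 1e-6:
        raise ValueError("Originate Timestamp does not match our request")
    t2, t3 = reply["receive"], reply["transmit"]
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def query(host, timeout=2.0):
    """One real exchange with an SNTP/NTP server; returns (offset, delay) in seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:   # ephemeral source port
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, NTP_PORT))
        data, _ = sock.recvfrom(_PACKET.size)
        t4 = time.time()
    return clock_offset(parse_response(data), t1, t4)


def demo_offline():
    """Constructed exchange: server six minutes ahead, 50 ms each way, 1 ms turnaround."""
    t1 = 1_000_000.0
    server_ahead, one_way, turnaround = 360.0, 0.05, 0.001
    request = build_request(t1)
    t2 = t1 + one_way + server_ahead                 # server receives, on its own clock
    t3 = t2 + turnaround                             # server transmits
    t4 = t1 + 2 * one_way + turnaround               # client receives, on its clock
    return clock_offset(parse_response(build_server_reply(request, t2, t3)), t1, t4)


if __name__ == "__main__":
    import sys
    print("constructed exchange -> offset %.3fs, delay %.3fs" % demo_offline())
    if len(sys.argv) > 1:
        print("%s -> offset %.3fs, delay %.3fs" % ((sys.argv[1],) + query(sys.argv[1])))
```

The client sends from an ephemeral port, so it does not compete for UDP 123 with a time service running on the same host. The Originate check is the part worth keeping in any client: it ties a reply to the request that was actually sent, which is how stray or replayed datagrams get discarded.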

RE: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)

2005-02-08 Thread Ken Cornetet
Explicit deny would be my choice.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
  Sent: Tuesday, February 08, 2005 11:45 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)
  Right, BUT in this case, it would be much easier 
  to simply exclude the one user since removing "Authenticated Users" from the 
  filter in the Default GPO and trying to add enough groups to include ALL our 
  users minus him, would be tedious, at best. I suppose I could make a new 
  group that includes everyone but him, but I would think that that wouldn't be 
  the recommended method. I also didn't want to make a new GPO 
  specifically for this setting, as that would be rather 
  inefficient.
  
  Isn't WMI Filtering the *suggested* method for 
  doing something like excluding a specific user or group?
  
- Original Message -
From: Steve Patrick
To: ActiveDir@mail.activedir.org
Sent: Tuesday, February 08, 2005 8:56 AM
Subject: Re: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)

For users\groups you can use a security filter 
as opposed to a WMI filter.

see http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url="">

steve patrick


  - Original Message -
  From: Jason B
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, February 08, 2005 7:51 AM
  Subject: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)
  
  In this example, I want to exclude our CEO 
  from having a forced IE start page through GPO, while the remainder of our 
  domain keeps a forced homepage. Is the best way to go about this, to 
  write a WMI filter to exclude that specific user, or is there some better 
  way to do it, as we have this set in our Default Domain Policy?
  
  If so, can anyone point me to a good tutorial 
  for writing such a WMI script?
  
  Thanks.


RE: [ActiveDir] Netlogon Polocies in W2K3 AD GP

2005-02-01 Thread Ken Cornetet
Can't you use groups to realize your dream world?

Have groups for fastlink, hub, slow dc, etc, and use security filtering
on the GPOs

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, February 01, 2005 8:34 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Netlogon Polocies in W2K3 AD GP


Hi Chandra

We played with it a little bit in our test lab.  Definitely an
improvement over making registry changes to force DCs to change SRV
records (we did that in one domain with 15 DCs to make the main office
the secondary site in case the onsite DC was down and it was a fair bit
of work to change and keep track of).  We did conclude that in order to
make the GPO work you need to put separate OUs inside your Domain
Controller OU - and only apply the settings on each OU.  For instance,
one of the settings is Priority setting - with the lowest priority being
the first one that DNS will provide in the authentication lookup.
Changing that for all DCs does not change anything.  Raising that value
for all DCs except the one at your hub site will force your hub site to
the second choice for authentication after the DC within the site.

We never checked to see how long it would take the changes to propagate
out
- we forced things by updating the GPO on the server, removing all the
SRV records and forcing record reregistration to make the changes.

One other thing we found that adds to the hassle a little bit - not only
do universal changes require that you use OUs to separate your Domain
Controllers, the settings can only be applied either via registry or
via GPO.  There is a setting to let the DC ignore the GPO but it
ignores all settings in the GPO.

That being said, we are looking to use parts of the GPO in our live
forest shortly to control authentication in the other regions.  In a
perfect world, I would love it if you could find a way to set these
settings on a less global basis.  Perhaps WMI filtering allows that, I
have not played with that much.  In my dream world, I would be able to
say any DC that is designated a hub gets these settings, any DC that is
designated a fast link gets these settings, any DC that is designated a
slow link gets these settings, and any DC that starts with M gets these
settings - and not have these be mutually exclusive (in essence a DC
could get the hub, fast link, slow DC and starts with M settings all at
the same time).

I gripe less when the coffee supply is greater.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


 

From: Chandra Burra [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 02/01/2005 07:49 AM EST
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Netlogon Polocies in W2K3 AD GP
Please respond to ActiveDir

All,

Just wondering if some one has worked on the Netlogon policies in the
W2K3 GP (system.adm)

This has options to specify the site - DC srv records and so on


just was going through them...Can someone highlight what was specifically
tested and used.


Thanks,
Chandra
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Netlogon Polocies in W2K3 AD GP

2005-02-01 Thread Ken Cornetet
Works for us. That's how we test new computer policy. We have an OU for
workstations with GPO links that look like this:

1. Lab computer policy (apply security granted to global group
C-LABCOMPUTERS)
2. Pilot computer policy (apply security granted to global group
C-PILOTCOMPUTERS)
3. Production computer policy (applies to domain computers)

The lab group contains a couple of dozen guinea pigs - mostly in IT. 
The pilot group contains a couple of hundred business users.

We try new settings in the lab policy first. If those settings don't
break anything there, we back up the lab policy, and import it into the
pilot policy. Once it's proofed there, the pilot policy gets backed up
and imported into the production policy.

I do have to admit I've not tried it on servers, just workstations.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, February 01, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Netlogon Polocies in W2K3 AD GP


Hi Ken

I do not think group based security filtering works on computers - we
never got it to work anyways, although we only tried it once.  Anybody
have a definitive answer on this that goes beyond I think?

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


 

From: Ken Cornetet [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 02/01/2005 09:04 AM EST
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Netlogon Polocies in W2K3 AD GP
Please respond to ActiveDir

Can't you use groups to realize your dream world?

Have groups for fastlink, hub, slow dc, etc, and use security filtering
on the GPOs

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, February 01, 2005 8:34 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Netlogon Polocies in W2K3 AD GP


Hi Chandra

We played with it a little bit in our test lab.  Definitely an
improvement over making registry changes to force DCs to change SRV
records (we did that in one domain with 15 DCs to make the main office
the secondary site in case the onsite DC was down and it was a fair bit
of work to change and keep track of).  We did conclude that in order to
make the GPO work you need to put separate OUs inside your Domain
Controller OU - and only apply the settings on each OU.  For instance,
one of the settings is Priority setting - with the lowest priority being
the first one that DNS will provide in the authentication lookup.
Changing that for all DCs does not change anything.  Raising that value
for all DCs except the one at your hub site will force your hub site to
the second choice for authentication after the DC within the site.

We never checked to see how long it would take the changes to propagate
out
- we forced things by updating the GPO on the server, removing all the
SRV records and forcing record reregistration to make the changes.

One other thing we found that adds to the hassle a little bit - not only
do universal changes require that you use OUs to separate your Domain
Controllers, the settings can only be applied either via registry or
via GPO.  There is a setting to let the DC ignore the GPO but it
ignores all settings in the GPO.

That being said, we are looking to use parts of the GPO in our live
forest shortly to control authentication in the other regions.  In a
perfect world, I would love it if you could find a way to set these
settings on a less global basis.  Perhaps WMI filtering allows that, I
have not played with that much.  In my dream world, I would be able to
say any DC that is designated a hub gets these settings, any DC that is
designated a fast link gets these settings, any DC that is designated a
slow link gets these settings, and any DC that starts with M gets these
settings - and not have these be mutually exclusive (in essence a DC
could get the hub, fast link, slow DC and starts with M settings all at
the same time).

I gripe less when the coffee supply is greater.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]




From: Chandra Burra [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc: (bcc: James
RE: [ActiveDir] Outlook/Exchange Issue

2005-02-01 Thread Ken Cornetet
We have lots of kerberos authentication problems over VPN connections. The solution is to force kerberos to use TCP.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:0001

Not sure if that is your problem, but it's worth a shot.

BTW, does anyone know why kerberos was designed to use UDP in the first place? Seems pretty silly to me.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
  Sent: Tuesday, February 01, 2005 1:59 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Outlook/Exchange Issue
  
  I have a frustrating problem:

  We have a W2k AD domain with 3 sites and 5 subnets: 3 bound to our HQ site and one each bound to our other two sites. These sites are connected by persistent VPN connections using our Nokia Checkpoint firewalls; two of our sites have dedicated T3 connections and the other site has a dedicated T1. Each site has a GC.

  I recently configured a laptop here in our main site for a user in our LA site. The laptop has a wired and wireless connection; however, our only site with wireless access is our main site, but since the user travels between sites periodically I configured the wireless connection as well. I installed Office 2000 from an administrative installation point at this site and configured Outlook to connect to our sole Exchange server here at our main site. I also set up the user's Outlook profile from this site, connected to our Exchange server, synchronized the user's mailbox (I set up Outlook in cached mode) and all worked well.

  After shipping the laptop to the user at the remote site, I got a call from the user. Outlook hangs after opening and gives me the "Not Responding" even after leaving it alone for 10+ minutes.

  One of the other techs here is working on the problem and he tried repairing the Office installation, disabling the wireless connection, reinstalling Outlook, tried creating a new user profile, but nothing has been successful so far.

  Has anyone experienced this before? If I have left out any info, please let me know and I will provide it.

  Dan DeStefano
  
  


RE: [ActiveDir] OT:exchange frontend

2005-01-28 Thread Ken Cornetet
You can't even *install* e2k3 in a forest if there are e2k front-end
servers.

The topic of allowing OWA via the internet has been debated many times
on the exchange mailing list. There has never been consensus, however
the following suggestions have been made:

1. Use an ISA server in a DMZ (This is (or at least was) the MS
preferred solution).
2. Use squid as a reverse proxy (never heard of anyone actually doing
this, though)
3. Use apache in proxy mode (there was one guy doing this).

Beware that OWA has a quirk that can complicate things somewhat: it uses
absolute URLs to reference pages within frames. This means that if you
use a proxy to do the SSL decryption, OWA sees the connection as http:
and sends out URLs prefixed with http://...;. These URLs then don't
make it through the proxy because it is expecting https. There is a KB
article on this providing a DLL that you have to hook into IIS.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, January 28, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:exchange frontend


I agree with Al that the same risk is taken, however the impact of a
hack is not necessarily the same. I'd much rather lose a frontend
OWA/SMTP box than a mailbox server; at least I'd keep internal messaging
functional.

Either way, having a proxy server between Exchange and the internet is a
good idea if you can swing it.

As far as I know, you can't run E2K frontend to E2K3 backend.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 28, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:exchange frontend

IMHO, same risk is taken in regards to being hacked.  

As for operational availability risk, a FE server serves two purposes in
my
opinion: it allows you to hide the mail store for the user thereby
allowing higher scalability and it also buffers the mail flow if
deployed for the SMTP as well.  That allows you some room to work if the
mail gets backed up for some reason yet the mailboxes are still
functional internally.

Outside of that, it wouldn't be much of a difference in most cases. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, January 28, 2005 10:17 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:exchange frontend

I remember this being spoken of before but I can't seem to find the
thread, so my apologies in advance.


my question is- are there any security issues with allowing outlook web
access directly to your exchange server as opposed to using a front end
server?

we currently use a exchange2k front end with ssl cert, however we are
migrating to exchange 2k3 and my dept doesn't want to spend the $$ on 2
copies of exchange2k3 and new hardware for the front-end server(our
current frontend cannot support win2k3/exchange2k3).

also, can my existing exchange2k frontend server perform this same role
for a exchange2k3 server running on win2k3?

thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
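Ken's point about OWA emitting absolute http:// URLs behind an SSL-terminating proxy is a general reverse-proxy problem: the back end builds links from the scheme and host it was reached on, not the ones the browser used. He points at a KB article and DLL for the OWA-side fix; the block below is an added Python example, not the KB solution and not any poster's code, showing the proxy-side alternative: rewrite the internal origin to the external one in URL-bearing headers and in textual bodies, recompute Content-Length, and match the origin only where it ends at a delimiter so an unrelated host that merely shares the prefix is left alone. The host names and the sample response are constructed.

```python
"""Origin rewriting for an SSL-terminating reverse proxy. The back end believes it
is reached as http://<internal host>; browsers use https://<external host>, so
absolute URLs in outgoing headers and bodies are rewritten. Names are constructed."""
import re

INTERNAL_ORIGIN = "http://owa.corp.example"    # origin the back end puts in absolute URLs
EXTERNAL_ORIGIN = "https://mail.example.com"   # origin the browser actually connects to
URL_HEADERS = {"location", "content-location", "uri"}
TEXT_TYPES = {"text/html", "text/css", "text/javascript",
              "application/javascript", "application/x-javascript"}


def _origin_pattern(origin):
    # Case-insensitive on scheme/host, and the origin must end at a URL delimiter so
    # that a different host sharing the prefix (owa.corp.example.partner.test) is untouched.
    return re.compile(re.escape(origin.encode("ascii")) + rb'(?=[/?#\s"\']|$)', re.IGNORECASE)


def rewrite_url(value, internal=INTERNAL_ORIGIN, external=EXTERNAL_ORIGIN):
    """Rewrite one header value if it is an absolute URL on the internal origin."""
    head, rest = value[:len(internal)], value[len(internal):]
    if head.lower() == internal.lower() and (rest == "" or rest[0] in "/?#"):
        return external + rest
    return value


def rewrite_body(body, internal=INTERNAL_ORIGIN, external=EXTERNAL_ORIGIN):
    """Rewrite every absolute URL on the internal origin inside a textual body (bytes)."""
    return _origin_pattern(internal).sub(external.encode("ascii"), body)


def rewrite_response(headers, body, internal=INTERNAL_ORIGIN, external=EXTERNAL_ORIGIN):
    """headers: list of (name, value) str pairs; body: bytes. Only textual bodies are
    touched, and Content-Length is recomputed whenever the body may have changed."""
    ctype = next((v for n, v in headers if n.lower() == "content-type"), "")
    textual = ctype.split(";")[0].strip().lower() in TEXT_TYPES
    new_body = rewrite_body(body, internal, external) if textual else body
    new_headers = []
    for name, value in headers:
        lname = name.lower()
        if lname in URL_HEADERS:
            value = rewrite_url(value, internal, external)
        elif lname == "content-length" and textual:
            value = str(len(new_body))
        new_headers.append((name, value))
    return new_headers, new_body


# Constructed response as a back end would emit it behind an SSL-terminating proxy.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Length", "999"),      # deliberately stale: the proxy must recompute it
    ("Location", "http://owa.corp.example/exchange/jdoe/Inbox"),
]
SAMPLE_BODY = (
    b'<frameset><frame src="http://owa.corp.example/exchange/jdoe/Inbox/?Cmd=contents">'
    b'<frame src="HTTP://OWA.CORP.EXAMPLE/exchweb/img/logo.gif">'
    b'<a href="http://owa.corp.example.partner.test/docs">partner</a></frameset>'
)


def demo():
    return rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    hdrs, out = demo()
    for name, value in hdrs:
        print("%s: %s" % (name, value))
    print()
    print(out.decode("ascii"))
```

Header rewriting of this kind is what Apache's ProxyPassReverse does for Location, Content-Location and URI; body rewriting needs a separate substitution filter and is brittle for URLs assembled by script at run time, which is why fixing the application, as the KB approach Ken mentions does, is preferable where it is available.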


RE: [ActiveDir] Firewalls and VPN questions

2005-01-25 Thread Ken Cornetet
We are having exactly the same issue. We have an open call with PSS on
this.

For the short term, we make our standard settings the same as the domain
settings. Not real wonderful, but what can we do?

One of the PSS guys mentioned a trick involving unhiding the ipsecshm
connectiod via a registry setting. He is supposed to be providing more
information.

Please let me know if you get any resolution on this. I'll do likewise.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, January 25, 2005 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Firewalls and VPN questions


Is anybody really familiar with the GPO settings that control the XP2
firewall on/off network configurations? 

What I'm trying to do:
I'm trying to setup and test IPSEC vpn connectivity back to the corp
network and use the XP2 firewall as the firewall of choice.

Expected results:
When I am off the network, I should have full shields up.  When on the
corp network, it should be the settings defined via GPO, permissions,
exceptions, etc.

What I've done:
The on-network settings are fine.  The results are exactly what was
expected. 
The off-network settings are also fine.  The results are exactly what
was expected and GPO's were set to control this.  Firewall is up and
can't be modified etc.  Perfect.

Problem: 
What is supposed to happen, is that when you make a change to the
network you're on, it's checked to see if it is on the same network that
the last GPO applied was from. The key that's checked is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\Network Name
If that value matches the connection-specific setting of any of your
connections (that are not slip or ppp) then it should assume it's on the
corporate network that it last got its GPO from (i.e. its native
network). The problem I'm having is that the connection specific entry
is getting set on the VPN interface, but it's not triggering the change
in networks as far as the firewall is concerned. 

Questions:
First off, is this what is expected?  I realize that the doc also says
that vpn's aren't considered in the algorithm if they're slip or ppp.
Fair enough, but I can't tell which I'm using. It's blasted contivity
crud that really doesn't give much information at all. In fact, it shows
up as an Ethernet connection, similar to the nic.  It does not however,
show up in the network settings, which is odd.  It's a mini-port driver
on the nic. 

Second, if this is expected, should I expect that the firewall is up for
the phys NIC and not engaged for the VPN interface?  In other words, is
the VPN interface unable to be firewalled? 

If anybody has any links or information or other newsgroups where
somebody would know this I would appreciate hearing about it. 

Thanks,

Al
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Upgrade resources

2005-01-18 Thread Ken Cornetet
See KB article 325379. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, January 18, 2005 9:30 AM
Subject: [ActiveDir] Upgrade resources


We are planning on 'upgrading' our AD boxes from Windows 2000 to Windows
2003.  I was wondering if anyone knows of any caveats or gotchas that
may bite us in the rear.  'Upgrade' for us is defined as moving FSMOs,
removing AD, slicking the boxes, loading W2K3, DCPromo and moving FSMOs
back.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] time server

2005-01-10 Thread Ken Cornetet



510 software has a windows port of NTP that works very well (all of my
servers were running it back in the NT4 days).

I suppose a person could use w32time to sync to the forest, and run ntp
acting as a local time master to provide sync to the phone switch. You'd
have to alternate them somehow (scheduled batch file?) because they'd
both be trying to grab port 123. Messy, to say the least. Also,
configuring NTP is a PITA.

Can't you point the phone switch to some public NTP server?

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

As Al pointed out, some MS docs need to be reviewed...

The one Al specifically pointed out
"http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/06wsdsu.mspx"
says straight out that the Time Server is SNTP based.

Windows Server 2003 time services are based upon the Simple Network Time
Protocol (SNTP); this is a simplified version of the UNIX Network Time
Protocol (NTP). The packet formats of both protocols are identical, and
the servers and clients for each can be used interchangeably.

The interchangeable part seems to be more of a theory or hope than
strictly the real world. From chats I have had previously with people
who played with the time stuff a lot it seems that it is more likely a
SNTP client will be able to use a NTP source than an NTP client using a
SNTP source.

 joe
  
  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Nathan 
  MuggliSent: Monday, January 10, 2005 3:02 PMTo: 
  ActiveDir@mail.activedir.org; Send - AD mailing listSubject: RE: 
  [ActiveDir] time server
  
  
  I own the time 
  service for Windows, so I can field the OS question. The NTP server in Windows 
  2003 is NTP V3 RFC compliant and third party NTP clients can (well *should*) be able to sync with it. When 
  you say doesnt seem to recognize, is there an error message? How does it 
  find a valid NTP server? 
  
  -Nathan
  
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, January 10, 2005 11:07 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] time server

Uncertain as to the OS in question here but Windows 2003 supports both
NTP and SNTP -

http://www.microsoft.com/technet/security/guidance/secmod118.mspx

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
  
  
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs
support, not NTP.

 joe
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member
machines (I think that happens by default.) Do I have to take any
additional steps to allow that same server to be the NTP server for a
non-Windows device? The device is a phone switch on our network, and it
doesn't seem to recognize that server as being a valid NTP server.
Thanks!

Mark Creamer
  This e-mail transmission contains 
  information that is intended to be confidential and privileged. If you receive 
  this e-mail and you are not a named addressee you are hereby notified that you 
  are not authorized to read, print, retain, copy or disseminate this 
  communication without the consent of the sender and that doing so is 
  prohibited and may be unlawful. Please reply to the message immediately by 
  informing the sender that the message was misdirected. After replying, please 
  delete and otherwise erase it and any attachments from your computer system. 
  Your assistance in correcting this error is appreciated. Thank you. Cintas 
  Corporation.
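As an added example (not code from this thread, from Microsoft, or from any vendor named in it), the 48-byte packet the quoted doc says SNTP and NTP share, built from the client side, answered from the server side, and sanity-checked before the clock offset is computed. The timestamps are constructed values and nothing is sent on the network; a real client would send the request over UDP/123 and feed the reply to parse_packet.

```python
"""NTP v3 / SNTP packet layout, one constructed exchange, and the checks
an SNTP client should apply to a reply before trusting it (RFC 2030)."""
import struct

NTP_EPOCH_OFFSET = 2208988800            # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
PACKET_FORMAT = "!BBBbII4sQQQQ"          # LI/VN/Mode, stratum, poll, precision, root delay,
                                         # root dispersion, ref id, 4 x 64-bit timestamps
PACKET_LEN = struct.calcsize(PACKET_FORMAT)  # 48 bytes, identical for NTP and SNTP
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_seconds):
    """Unix time (float) -> 64-bit NTP fixed-point (32.32) timestamp."""
    return int(round((unix_seconds + NTP_EPOCH_OFFSET) * 2**32))


def from_ntp(ntp_ts):
    """64-bit NTP timestamp -> Unix time (float); zero means 'not set'."""
    return 0.0 if ntp_ts == 0 else ntp_ts / 2**32 - NTP_EPOCH_OFFSET


def build_client_request(transmit_unix, version=3):
    """What an SNTP (or NTP) client sends: LI=0, VN, mode=3 and only the
    transmit timestamp filled in; every other field is left zero."""
    first = (0 << 6) | (version << 3) | MODE_CLIENT
    return struct.pack(PACKET_FORMAT, first, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, to_ntp(transmit_unix))


def build_server_reply(request, receive_unix, transmit_unix, stratum=2, ref_id=b"GPS\0"):
    """What a server answers: same layout, mode=4, version copied from the
    request, and the client's transmit timestamp echoed back as 'originate'."""
    req = struct.unpack(PACKET_FORMAT, request)
    version = (req[0] >> 3) & 0x7
    first = (0 << 6) | (version << 3) | MODE_SERVER
    reference_ts = to_ntp(transmit_unix - 60)   # constructed: last synced a minute ago
    return struct.pack(PACKET_FORMAT, first, stratum, 6, -20, 0, 0, ref_id,
                       reference_ts, req[10], to_ntp(receive_unix), to_ntp(transmit_unix))


def parse_packet(data):
    """Decode the common header; an NTP authenticator after byte 48 is ignored."""
    if len(data) < PACKET_LEN:
        raise ValueError("short packet: %d bytes" % len(data))
    f = struct.unpack(PACKET_FORMAT, data[:PACKET_LEN])
    return {
        "li": f[0] >> 6, "version": (f[0] >> 3) & 0x7, "mode": f[0] & 0x7,
        "stratum": f[1], "poll": f[2], "precision": f[3], "ref_id": f[6],
        "reference": from_ntp(f[7]), "originate": from_ntp(f[8]),
        "receive": from_ntp(f[9]), "transmit": from_ntp(f[10]),
        "_raw_originate": f[8], "_raw_transmit": f[10],
    }


def validate_reply(reply, request):
    """Checks from RFC 2030 section 5: server mode, clock synchronised (LI != 3),
    stratum 0 is a kiss-o'-death / unsynchronised source, transmit timestamp set,
    and the originate field must echo our own transmit timestamp, which rejects
    stale replies and unsolicited packets that do not match a request we sent."""
    req = parse_packet(request)
    if reply["mode"] != MODE_SERVER:
        raise ValueError("unexpected mode %d" % reply["mode"])
    if reply["li"] == 3:
        raise ValueError("server clock not synchronised (LI=3)")
    if reply["stratum"] == 0:
        raise ValueError("stratum 0, kiss-o'-death code %r" % reply["ref_id"])
    if reply["_raw_transmit"] == 0:
        raise ValueError("zero transmit timestamp")
    if reply["_raw_originate"] != req["_raw_transmit"]:
        raise ValueError("originate timestamp does not match our request")
    return True


def offset_and_delay(t1, t2, t3, t4):
    """RFC 2030 clock math: t1 client send, t2 server receive, t3 server send,
    t4 client receive. Returns (local clock offset, round-trip delay)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def sntp_exchange(t1, t2, t3, t4, version=3):
    """One complete client/server exchange on constructed timestamps."""
    request = build_client_request(t1, version)
    reply = parse_packet(build_server_reply(request, t2, t3))
    validate_reply(reply, request)
    return offset_and_delay(t1, reply["receive"], reply["transmit"], t4)


if __name__ == "__main__":
    offset, delay = sntp_exchange(1000.0, 1000.5, 1000.75, 1001.0)
    print("offset %.3fs, delay %.3fs" % (offset, delay))   # 0.125s, 0.750s
```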


RE: [ActiveDir] Slightly OT: File Copy of Death - additional question in the same vein

2004-12-01 Thread Ken Cornetet
Would a Perl Rsync implementation be better? 
http://search.cpan.org/~cbarratt/File-RsyncP-0.52/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Wednesday, December 01, 2004 3:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Slightly OT: File Copy of Death - additional
question in the same vein


All,

Sorry to hijack this thread, however in the same vein, is anyone aware
of a
(preferably) freeware application that does a similar function to rsync
on Linux ? We are looking at synchronising large amounts of data each
night, including some 200+gb databases.  Rsync seems to handle this
situation a lot nicer than robocopy (which we use now), as it only
copies block level changes to the file (robocopy does the whole thing
again).

I have looked at installing rsync using the Cygwin method, but it seems
a bit clunky for my liking.

TIA

Glenn
 



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Monitoring Replication

2004-12-01 Thread Ken Cornetet
That's pretty cool, but what does the information mean? What is largest
delta?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, December 01, 2004 8:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Monitoring Replication


repadmin /replsum * /bysrc /bydst

Requires WinXP or later running Win2k3 repadmin or later.

Caveat: It's not actual monitoring, it's more like a quick and dirty checkup.

-B
Insert all the msft jazz about AS IS, caveat emptor, etc



On Wed, 1 Dec 2004, Myrick, Todd (NIH/CIT) wrote:

 Depends on the size of your forest and how many domains; I am partial
 to Directory Analyzer for monitoring and alerting for forests with
 multiple domains.  They have a stand alone monitor that is web
 enabled, or they can integrate with MOM and HP Openview.
 
 HP Openview has a set of AD tools.
 
 You might be able to get by with just MOM for a single domain/forest
 solution.
 
 For troubleshooting I use Directory Troubleshooter 4.0 but I have also
 been reviewing Quest's new AD tool as well.  Both are excellent and DT
 is pretty cheap.
 
 You might want to get into the habit of running the following tools
 after you promote a DC.
 
 NETDIAG (Network Config)
 DCDIAG (DC Config and health)
 Repadmin /showreps (Shows you the current AD replication connections
 on a DC)
 Portqry (check 53,88,123,135,139,445,389,1025,1026,3268) (Firewalls?)
 DNSlint (Good DNS check)
 NLTEST (Good at checking secure channels, DNS registration)
 
 Todd
 
 
  
 
 -Original Message-
 From: Dennis Depp [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 01, 2004 7:34 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Monitoring Replication
 
 What is everyone using to monitor replication between domain
 controllers?
 
 I ran into a problem yesterday with replication.  We are running a
 Bind DNS with the underscore domains delegated to Active Directory
 integrated DNS.  I rebuilt a domain controller last Wednesday and
 everything did not get updated properly.  As a result, replication was
 not working properly.  I won't go into the pain this caused.  I am
 interested in what others are doing to monitor the health of Active
 Directory.  I monitor the event logs, but there were only a few
 warnings and nothing that particularly alarmed me.
 
 Thanks in advance for your input.
 
 Dennis
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] OT: Why no AD integrated DNS secondary zones?

2004-11-19 Thread Ken Cornetet
OK, integrated stub zones are cool, but I'm curious - why did MS stop
there? Why no integrated secondaries?
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

2004-11-19 Thread Ken Cornetet
Because I have a couple of dozen remote DCs that serve DNS for their locations. 
Our unix boxes are in a DNS zone that is handled by bind/unix server. All of my 
DCs carry this zone as a secondary.

This works fine, but it is a bit of a pain to maintain. I have to remember to 
configure the zone on any new DCs, and I have to have the unix guys add a 
notify line on the bind server for the new DCs (OK, I don't HAVE to do the 
notify part...). Plus, replication of the zone is handled by DNS instead of the 
much more efficient AD replication.

Ever since laying eyes on w2k3 DNS server, I've always wondered why the 
developers didn't allow for integrated secondaries. Don't get me wrong, 
integrated stubs are great, but between the two, I'd have thought integrated 
secondaries would have been the more desirable. I just assumed I was missing 
some technical reason that made it unfeasible.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?


Because when it's integrated, there is no concept of secondaries as we 
understood it to be in pre-2Kx world. It's there in AD, and any DC can see and 
write to it. Now, if you are secondarying the zones on another server located 
in another forest/network, why would you want to store that info in your own 
AD. You will not be modifying that zone locally on the secondary anyway. Or, 
are you intending to?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 11/19/2004 6:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Why no AD integrated DNS secondary zones?



OK, integrated stub zones are cool, but I'm curious - why did MS stop there? 
Why no integrated secondaries?
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?

2004-11-19 Thread Ken Cornetet
I don't want to forward because the remotes are on already overburdened WAN 
links.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?


How many new DCs are you adding per day/week/month? :)  If I were doing this, 
Stub or Secondaries would take a back-seat. I would be investing in Conditional 
Forwarding. I would have all my other DNS servers forward unresolved queries to 
one or (ideally) 2 of MY DNS servers. On those 2 designated DNS servers, I will 
configure Conditional Forwarders for all the foreign zones hosted on the Unix 
boxen and specify the Unix boxes as the DNS servers to forward the queries to. 
QED. No messing with secondaries or notify or such any more from then on.
 
When I introduce a new DC/DNS server into my environment, all I will need to do 
is configure it to forward to MY designated DNS servers. When I want to add 
more designated servers, I don't have to recreate the conditionally-forwarded 
zones. They are stored in the registry of the existing designated servers, so I 
will just go export and import the hive as necessary.
 
Of course, all my rants above are predicated on your designated DNS servers 
being W2K3 servers.
 
I don't think the problem of AD-intg secondaries is simply technical 
feasibility. I think (shut up, Al :)) it is more of practicality. Post-NT, you 
typically create secondaries for foreign zones [1]. Since the zones you are 
secondarying are foreign, I think storing that foreign information in your 
AD is not a good idea.
 
[1]
I disagree with Minasi's recommendation of creating secondaries of every zones 
on every DNS server in a parent-child environment, but that's out of the scope 
of this discussion. 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 11/19/2004 8:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?



Because I have a couple of dozen remote DCs that serve DNS for their locations. 
Our unix boxes are in a DNS zone that is handled by bind/unix server. All of my 
DCs carry this zone as a secondary.

This works fine, but it is a bit of a pain to maintain. I have to remember to 
configure the zone on any new DCs, and I have to have the unix guys add a 
notify line on the bind server for the new DCs (OK, I don't HAVE to do the 
notify part...). Plus, replication of the zone is handled by DNS instead of the 
much more efficient AD replication.

Ever since laying eyes on w2k3 DNS server, I've always wondered why the 
developers didn't allow for integrated secondaries. Don't get me wrong, 
integrated stubs are great, but between the two, I'd have thought integrated 
secondaries would have been the more desirable. I just assumed I was missing 
some technical reason that made it unfeasible.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Why no AD integrated DNS secondary zones?


Because when it's integrated, there is no concept of secondaries as we 
understood it to be in pre-2Kx world. It's there in AD, and any DC can see and 
write to it. Now, if you are secondarying the zones on another server located 
in another forest/network, why would you want to store that info in your own 
AD. You will not be modifying that zone locally on the secondary anyway. Or, 
are you intending to?


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 11/19/2004 6:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Why no AD integrated DNS secondary zones?



OK, integrated stub zones are cool, but I'm curious - why did MS stop there? 
Why no integrated secondaries?
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] RDP

2004-11-16 Thread Ken Cornetet
You also need enterprise for autoenrollment.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, November 15, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RDP


There are a number of PKI things that can't be done without Enterprise
Edition. I believe the most important being extra certificate templates
that can be used (although my terminology may be wrong).

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Monday, November 15, 2004 3:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] RDP


Ellis, Debbie wrote:

 I recently upgraded one of our Windows 2003 Domain Controllers to
 Enterprise Edition. (Needed for Certificates, auto enrollment).

You don't need enterprise edition for that.  I'm doing it with standard
edition and it works fine.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] RDP

2004-11-16 Thread Ken Cornetet
Ok, maybe this clears it up (from windows server 2003 help)

Windows Server 2003, Enterprise Edition, or Windows Server 2003,
Datacenter Edition, is required to configure version 2 certificate
templates for autoenrollment requests. However, autoenrollment manages
certificates or pending certificate requests based on any version of
certificate template. 

So it sounds like you need enterprise to autoenroll from version 2
templates.

Again, from windows help:

Version 2 certificate templates

Windows Server 2003, Enterprise Edition, and Windows Server 2003,
Datacenter Edition, certification authorities support two types of
certificate templates: version 1 and version 2. Version 2 templates are
new to the Windows Server 2003 family. They allow customization of most
settings in the template. Several preconfigured version 2 templates are
supplied in the default configuration, and more can be added as
necessary. This allows complete configuration flexibility for
administrators. 

Version 2 templates are only available as part of a certification
authority that is installed as an enterprise certification authority.
For that reason, they require Active Directory. Although Version 2
templates can be created and duplicated in the Windows Server 2003
family, certificates that are based on Version 2 templates can only be
issued by a certification authority that is running Windows Server 2003,
Enterprise Edition, or Windows Server 2003, Datacenter Edition. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Tuesday, November 16, 2004 10:41 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] RDP


I'm sure that is the case.  I'll take a look at my setup and see if I 
can figure out what I did to make it work. (or maybe discover that I'm 
completely going insane) :-)

- Robbie


Ellis, Debbie wrote:

My company was using Standard and auto enrollment would not work. We 
consulted our TAM and he said we had to have Enterprise for Auto 
Enrollment.

Debbie Ellis
Systems Administrator
Viasat, Inc.
4356 Communications Drive
Norcross, GA   30093
678-924-2591
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Tuesday, November 16, 2004 10:28 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] RDP


Ken Cornetet wrote:

  

You also need enterprise for autoenrollment.
 




Weird, I wonder why autoenrollment works for me then?  I'm only running
standard, not enterprise.  Autoenrollment is definitely working.

- Robbie


  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, November 15, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RDP


There are a number of PKI things that can't be done without Enterprise

Edition. I believe the most important being extra certificate 
templates that can be used (although my terminology may be wrong).

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Monday, November 15, 2004 3:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] RDP


Ellis, Debbie wrote:

 



I recently upgraded one of our Windows 2003 Domain Controllers to 
Enterprise Edition. (Needed for Certificates, auto enrollment).

   

  

You don't need enterprise edition for that.  I'm doing it with 
standard edition and it works fine.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/
 




  


-- 
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] OT: Anyone using EAP-TLS for wireless?

2004-11-10 Thread Ken Cornetet
If anyone is using EAP-TLS, are you using computer certificates or user
certificates? Why?
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Scripting question - Net Send command

2004-11-03 Thread Ken Cornetet
As a security feature on w2k3, the IUSR_ user id has no permissions to
any files (including net.exe).

Either give the IUSR_ account permissions to net.exe, or configure the
web site to run under a user id that has permission.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting question - Net Send command


We're porting our old intranet (NT4/IIS4) to a new server (W2K3/IIS6)
and have run into an authentication issue that I need some help with.
There's a legacy code chunk that does a net send command to create a
popup on a user's PC to tell them a new request has come in that they
need to deal with. I'd prefer that they used email for this, but
apparently checking email regularly is too much trouble for them. They
want a pop-up. :-) The problem is that we can't get Net Send to launch
properly. Here's the distilled code:
<%
  Dim oWSH
  Set oWSH = CreateObject("WScript.Shell")
  oWSH.Run "NET SEND test4 testing."
%>
That is embedded into an ASP file, which is run by a user connecting to
a webpage stored on the new IIS server. The rest of the script includes
some authentication procedures that identify the logged on user and
allow or deny page access based on AD Group membership.

If I run it from my workstation, with my admin credentials, it runs
fine. If I run it from a PC logged in as a standard user, we get 
Microsoft VBScript runtime error '800a0046' Permission denied
/CNK/ww2.asp, line 4.

Is there a way to:
1. Force the net send command to securely run as a different user
without exposing elevated credentials?
2. Use a different method to create the popup window?

Thanks for any help...



**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Scripting question - Net Send command

2004-11-03 Thread Ken Cornetet
Create a virtual directory for the web page, and configure it to run as the local or 
domain user of your choice.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, November 03, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting question - Net Send command


That was my thought; I'd prefer not to have IUSR running that type of executable. Any 
pointers towards how we could run it in another account context? I thought about 
RunAs, but didn't want to pass pwds in an asp script... Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Wednesday, November 03, 2004 12:25 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Scripting question - Net Send command
 
 It's an ugly hole. My option would be to have the tool run in
 the context of
 another account (like a service account).
  
  
 Sincerely,
 
 Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about 
 Yesterday?  -anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
 Sent: Wed 11/3/2004 11:42 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Scripting question - Net Send command
 
 
 
 Yeah; that's kinda what I ran into. Two things...
 One, if we provide access to net.exe to the IUSR account, how ugly is 
 that hole? If they can run net send, they can run net anything, right? 
 Not sure I like that, but I'm not sure how ugly it really is. Two, how 
 do we provide the perms on net.exe? I tried copying it to another 
 directory and applying read and execute perms to that directory, but 
 it didn't change anything. Is there a how-to anywhere for us
 non-IIS gurus?
 Thanks!
 
 **
 Charlie Kaiser
 MCSE, CCNA
 Systems Engineer
 Essex Credit / Brickwalk
 510 595 5083
 **
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
 Ken Cornetet
  Sent: Wednesday, November 03, 2004 11:12 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Scripting question - Net Send command
 
  As a security feature on w2k3, the IUSR_ user id has no
 permissions to
  any files (including net.exe).
 
  Either give the IUSR_ account permissions to net.exe, or
 configure the
  web site to run under a user id that has permission.
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
  Kaiser
  Sent: Wednesday, November 03, 2004 12:42 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Scripting question - Net Send command
 
 
  We're porting our old intranet (NT4/IIS4) to a new server
 (W2K3/IIS6)
  and have run into an authentication issue that I need some
 help with.
  There's a legacy code chunk that does a net send command to create a 
  popup on a user's PC to tell them a new request has come in
 that they
  need to deal with. I'd prefer that they used email for this, but 
  apparently checking email regularly is too much trouble for
 them. They
  want a pop-up. :-) The problem is that we can't get Net
 Send to launch
  properly. Here's the distilled code:
  <%
    Dim oWSH
    Set oWSH = CreateObject("WScript.Shell")
    oWSH.Run "NET SEND test4 testing."
  %>
  That is embedded into an ASP file, which is run by a user connecting 
  to a webpage stored on the new IIS server. The rest of the
  script includes
  some authentication procedures that identify the logged on user and
  allow or deny page access based on AD Group membership.
 
  If I run it from my workstation, with my admin credentials, it runs 
  fine. If I run it from a PC logged in as a standard user, we get 
  Microsoft VBScript runtime error '800a0046' Permission denied 
  /CNK/ww2.asp, line 4.
 
  Is there a way to:
  1. Force the net send command to securely run as a different user
  without exposing elevated credentials?
  2. Use a different method to create the popup window?
 
  Thanks for any help...
 
 
 
  **
  Charlie Kaiser
  MCSE, CCNA
  Systems Engineer
  Essex Credit / Brickwalk
  510 595 5083
  **
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive: 
  http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-29 Thread Ken Cornetet



But, MS has promised us their products are secure... :-)

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 5:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Ack, you said SBS... as joe scurries back to the light...

I await the day that someone writes a bad virus that targets Domain
Controllers. I figure that the SBS machines will be the first to get hit
with something like that since there are so many vectors to the security
bastion on that product.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, October 28, 2004 5:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Um, SBS users don't have a choice...
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Don't install Exchange on a Domain Controller, even you 
Michael B. Smith


  
  
Article ID: 994678345
Last Review: October 28, 2004
Revision: 1.0
This article was previously published under Q994678345

SYMPTOMS

In a Windows 2000 domain some people like to install Exchange on a Domain
Controller. They also like to use them for file and print as well or for
other not authentication/authorization services. They sometimes find they
run into security and/or stability issues.

CAUSE

This behavior typically occurs because they installed products on a domain
controller which is supposed to be the bastion of your enterprise security,
not handling menial services such as exchange and file sharing et alii.

RESOLUTION

To resolve this problem, remove the non authentication/authorization related
services from the domain controller.

STATUS

Microsoft has confirmed that this is a problem in the real world. This
problem was first corrected when people started treating the DCs like a KDC
and not a regular server.

APPLIES TO

All versions of Windows that run as Domain Controllers



 :o)

 joe






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, October 20, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Exchange 2003 on DC

I've run across a couple of KB articles regarding the issues of
promoting/demoting a DC under Exchange 2003 (on the same box). Shame on me,
I didn't bookmark them.

Does anyone have those handy? My google-fu is not up-to-par today
apparently...the ones I've found (plus summary) are:

822179 - don't change DC status after Exchange is installed
305504 - impact of making DC a GC with Exchange installed
305065 - impact of removing a GC from a DC with Exchange installed
829361 - long shut down time on a DC when Exchange is installed
822575 - DS2MB stops running when DC status is removed and Exchange is installed

The only one I've found that directly affects the search I'm on is the last
(822575).

Thanks,
M



RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-29 Thread Ken Cornetet
You've been reading too much SBS marketing material. SBS is just plain
old windows server, exchange (and possibly SQL and ISA) with a few
wizards and a POP3 connector thrown in. It is not specifically
designed for anything. The only difference is that it is artificially
hobbled to limit the number of users, and prevent domain trusts.

It is not limited in functionality (other than the user and trust
limits). 

Running DHCP on a 2K domain controller is a security risk. The same
vulnerability exists in SBS2000. 





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, October 29, 2004 8:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] FW: Exchange 2003 on DC


SBS is specifically designed to support this configuration, for a
specific number of users, and it is limited in functionality re: normal
domain controller options.



- ASB
  Cheap, Fast, Secure -- Pick Any TWO.
  http://www.ultratech-llc.com/KB/


On Thu, 28 Oct 2004 16:24:27 -0500, Ken Cornetet
[EMAIL PROTECTED] wrote:
 
 Um, SBS users don't have a choice...
 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, October 28, 2004 3:44 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] FW: Exchange 2003 on DC
 
 
 
 Don't install Exchange on a Domain Controller, even you Michael B. 
 Smith
 
 Article ID:994678345
 Last Review:October 28, 2004
 Revision:1.0
 This article was previously published under Q994678345
 
 SYMPTOMS
 
 In a Windows 2000 domain some people like to install Exchange on a 
 Domain Controller. They also like to use them for file and print as 
 well or for other not authentication/authorization services. They 
 sometimes find they run into security and/or stability issues.
  
 CAUSE
 This behavior typically occurs because they installed products on a 
 domain controller which is supposed to be the bastion of your 
 enterprise security, not handling menial services such as exchange 
 and file sharing et alii.
 RESOLUTION
 To resolve this problem, remove the non authentication/authorization 
 related services from the domain controller.
 
 STATUS
 Microsoft has confirmed that this is a problem in the real world. This 
 problem was first corrected when people started treating the DCs like 
 a KDC and not a regular server.
  
  
 
 
 APPLIES TO
 All versions of Windows that run as Domain Controllers
  
  
  
   :o)
  
  joe
  
  
 
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. 
 Smith
 Sent: Wednesday, October 20, 2004 7:53 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] FW: Exchange 2003 on DC
 
 
 
 I've run across a couple of KB articles regarding the issues of 
 promoting/demoting a DC under Exchange 2003 (on the same box). Shame 
 on me, I didn't bookmark them.
  
 Does anyone have those handy? My google-fu is not up-to-par today 
 apparently...the ones I've found (plus summary) are:
  
 822179 - don't change DC status after Exchange is installed
 305504 - impact of making DC a GC with Exchange installed
 305065 - impact of removing a GC from a DC with Exchange installed
 829361 - long shut down time on a DC when Exchange is installed
 822575 - DS2MB stops running when DC status is removed and Exchange is installed
  
 The only one I've found that directly affects the search I'm on is the 
 last (822575).
  
 Thanks,
 M


RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Ken Cornetet



Um, SBS users don't have a choice...

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Thursday, October 28, 2004 3:44 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] FW: Exchange 2003 on DC
  
  Don't install Exchange on a Domain Controller, even you Michael B. Smith
  
  


  Article ID: 994678345
  Last Review: October 28, 2004
  Revision: 1.0
  This article was previously published under Q994678345
  
  SYMPTOMS

  In a Windows 2000 domain some people like to install Exchange on a Domain
  Controller. They also like to use them for file and print as well or for
  other not authentication/authorization services. They sometimes find they
  run into security and/or stability issues.

  CAUSE

  This behavior typically occurs because they installed products on a domain
  controller which is supposed to be the bastion of your enterprise security,
  not handling menial services such as exchange and file sharing et alii.

  RESOLUTION

  To resolve this problem, remove the non authentication/authorization
  related services from the domain controller.

  STATUS

  Microsoft has confirmed that this is a problem in the real world. This
  problem was first corrected when people started treating the DCs like a
  KDC and not a regular server.

  APPLIES TO

  All versions of Windows that run as Domain Controllers
  
  
  
   :o)
  
   joe
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
  Sent: Wednesday, October 20, 2004 7:53 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] FW: Exchange 2003 on DC
  
  I've run across a couple of KB articles regarding the issues of
  promoting/demoting a DC under Exchange 2003 (on the same box). Shame on
  me, I didn't bookmark them.

  Does anyone have those handy? My google-fu is not up-to-par today
  apparently...the ones I've found (plus summary) are:

  822179 - don't change DC status after Exchange is installed
  305504 - impact of making DC a GC with Exchange installed
  305065 - impact of removing a GC from a DC with Exchange installed
  829361 - long shut down time on a DC when Exchange is installed
  822575 - DS2MB stops running when DC status is removed and Exchange is installed

  The only one I've found that directly affects the search I'm on is the
  last (822575).

  Thanks,
  M
  


RE: [ActiveDir] AD LDAP Data Conversion Question

2004-10-27 Thread Ken Cornetet



It's in a format called VT_FILETIME. If memory serves, it is the number of 
milliseconds since some date long ago (1600 comes to mind).

VB has a variant type to convert it for you.



  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Menten, Jeff
  Sent: Wednesday, October 27, 2004 10:23 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] AD LDAP Data Conversion Question
  All,

  I would like to extract the "lastLogon" value from AD to check for orphan
  workstations, etc. This attribute has an INTEGER8 format - which, as far
  as I can tell, is an eight-byte data structure. Does anyone know of an
  easy way to convert this value via VBscript to a readable format that
  will actually print?

  Thanks,
  - Jeff M.

  CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
  is for the sole use of the intended recipient(s) and may contain
  confidential and privileged information. Any unauthorized review, use,
  disclosure or distribution is prohibited. If you are not the intended
  recipient, please contact the sender by reply e-mail and destroy all
  copies of the original message.
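Added example, not from the thread or either poster: the same conversion in Python, using the FILETIME definition (100-nanosecond ticks since 1 January 1601 UTC) and the HighPart/LowPart split that ADSI's IADsLargeInteger presents to VBScript, where LowPart arrives as a signed 32-bit value and has to be masked. The account names and logon times are constructed; the stale-account sweep is the use Jeff describes, with 0 treated as "never logged on here".

```python
from datetime import datetime, timedelta, timezone

# FILETIME / Integer8: count of 100-nanosecond ticks since 1 Jan 1601 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER = 0x7FFF_FFFF_FFFF_FFFF  # sentinel AD uses in date attributes meaning "never"


def large_integer_to_int(high_part: int, low_part: int) -> int:
    """Rebuild the 64-bit value from the IADsLargeInteger HighPart/LowPart pair
    that ADSI hands to VBScript. LowPart arrives as a *signed* 32-bit number,
    so it is masked before being combined."""
    return (high_part << 32) | (low_part & 0xFFFF_FFFF)


def split_large_integer(value: int):
    """Inverse of the above: present a value the way ADSI would (signed LowPart).
    Used here only to build the constructed sample records."""
    hi, lo = divmod(value, 1 << 32)
    if lo >= 1 << 31:
        lo -= 1 << 32
    return hi, lo


def filetime_to_datetime(filetime: int):
    """Convert a FILETIME to an aware UTC datetime.
    Returns None for 0 (never logged on at this DC) and for the 'never' sentinel."""
    if filetime <= 0 or filetime >= NEVER:
        return None
    seconds, ticks = divmod(filetime, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion, e.g. to build an LDAP filter such as (lastLogon<=<value>).
    Integer arithmetic on days/seconds avoids float rounding at 1e17 ticks."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    whole_seconds = delta.days * 86_400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def stale_accounts(records, now: datetime, max_age_days: int = 90):
    """Return [(name, last_logon_or_None), ...] for accounts that never logged
    on or whose lastLogon is older than max_age_days.
    `records` yields (sAMAccountName, HighPart, LowPart) tuples."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for name, hi, lo in records:
        last = filetime_to_datetime(large_integer_to_int(hi, lo))
        if last is None or last < cutoff:
            stale.append((name, last))
    return stale


# Constructed sample: what an ADSI query over three accounts might hand back.
SAMPLE_NOW = datetime(2004, 10, 27, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ("alice", *split_large_integer(datetime_to_filetime(datetime(2004, 10, 20, 8, 15, tzinfo=timezone.utc)))),
    ("bob", *split_large_integer(datetime_to_filetime(datetime(2004, 6, 1, 17, 0, tzinfo=timezone.utc)))),
    ("printsvr$", 0, 0),  # machine account that never authenticated against this DC
]

if __name__ == "__main__":
    for name, last in stale_accounts(SAMPLE_RECORDS, SAMPLE_NOW):
        print(f"{name:12s} last logon: {last.isoformat() if last else 'never'}")
```

One caveat for the orphan-workstation sweep: lastLogon is not replicated, so each DC holds only the logons it serviced; query every DC and keep the newest value per account before deciding anything is stale.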


RE: [ActiveDir] Macs, LDAP Source

2004-10-15 Thread Ken Cornetet




Just use the DNS name of your domain as the LDAP server. If you are using 
Microsoft DNS servers, they will sort the response so that DCs in the same 
subnet as the mac will be first in response.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Thursday, October 14, 2004 9:18 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Macs, LDAP Source
  
  My asst managed to get OS X 10.2.SomeInt to authenticate to the AD here. I
  typed in my username and password and it was just as fast as logging in
  from an NT class box. Aside from the various implementation issues on the
  mac side, I have this dilemma:

  The Macs are not actually AD aware; they just need an LDAP source. I could
  buy this cool program called ADmitMac which creates domain accounts for
  the Macs and emulates an NT box as far as user mgmt goes on the Mac. Cool,
  but, the quote was nearly as much as I paid for the OS X licenses. So,
  anyway, the mac needs an explicit DNS hostname for LDAP. I could give it
  one DC, but, if that DC goes down, all my macs are Fed. So, what I did is
  setup a round-robin with all the DCs in the site the macs are located in.

  I'm not totally satisfied with this workaround. It just seems sort of
  half-ass to me. It requires a certain degree of management, and if one of
  the DCs is down, a portion of the macs will need to be rebooted until they
  receive a referral from the DNS server in an order which includes a
  working DC first. Whilst I am not totally happy 100% with this solution, I
  don't have a better idea; anybody? I remember hearing about NLB for LDAP,
  which I think might do the trick. I've never used MS NLB; does it apply to
  this situation?

  Thanks.

  --Brian Desmond
  [EMAIL PROTECTED]
  Payton on the web! www.wpcp.org

  v - 773.534.0034 x135
  f - 773.534.8101
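Added example, not from the thread or its posters, showing what "just use the DNS name of the domain" gives the two kinds of client. A DC-aware client resolves the SRV records under _msdcs (the site-specific name first, then the domain-wide one) and orders the answers by RFC 2782 priority and weight. A plain LDAP client like the Mac only sees the domain's A records, which a DNS server doing netmask ordering moves onto the querying client's subnet first; the /24 used for that comparison is an assumption here. The forest name corp.example, the site, the hosts and the addresses are constructed.

```python
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data for the hypothetical forest "corp.example".
# A DC-aware client looks under _msdcs; the domain's own A records are what
# a plain LDAP client gets when it is pointed at "corp.example".
ZONE = {
    "_ldap._tcp.Chicago._sites.dc._msdcs.corp.example": [
        Srv(0, 100, 389, "dc1.corp.example"),
        Srv(0, 100, 389, "dc2.corp.example"),
    ],
    "_ldap._tcp.dc._msdcs.corp.example": [
        Srv(0, 100, 389, "dc1.corp.example"),
        Srv(0, 100, 389, "dc2.corp.example"),
        Srv(10, 100, 389, "dc3.corp.example"),  # lower preference, e.g. a hub DC
        Srv(0, 0, 389, "dc4.corp.example"),     # weight 0: used only when nothing else is left
    ],
    "corp.example": ["10.1.1.10", "10.1.1.11", "10.2.1.10", "10.3.1.10"],
}


def srv_order(records, rng=None):
    """Order SRV records the way an RFC 2782 client should try them:
    lowest priority first; within a priority, weighted random selection,
    with zero-weight records picked only once no positive-weight ones remain."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                point = rng.randint(0, total - 1)
                acc = 0
                for r in pool:
                    acc += r.weight
                    if point < acc:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def locate_dc(domain, site, zone=ZONE, rng=None):
    """DC locator lookup: site-specific SRV name first, domain-wide name as fallback."""
    for name in (f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
                 f"_ldap._tcp.dc._msdcs.{domain}"):
        if zone.get(name):
            return [r.target for r in srv_order(zone[name], rng)]
    return []


def netmask_order(addresses, client_ip, prefix_len=24):
    """Netmask ordering for a plain A lookup: answers on the client's subnet are
    moved to the front; everything else keeps its round-robin order."""
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    local = [a for a in addresses if ipaddress.ip_address(a) in client_net]
    remote = [a for a in addresses if ipaddress.ip_address(a) not in client_net]
    return local + remote


def ldap_servers_for_plain_client(domain, client_ip, zone=ZONE):
    """What a non-AD-aware LDAP client gets when handed the bare domain name."""
    return netmask_order(zone[domain], client_ip)


if __name__ == "__main__":
    print("SRV-aware client in Chicago:", locate_dc("corp.example", "Chicago"))
    print("SRV-aware client, unknown site:", locate_dc("corp.example", "Warehouse"))
    print("plain LDAP client at 10.2.1.55:", ldap_servers_for_plain_client("corp.example", "10.2.1.55"))
```

The difference the code makes visible: the SRV path lets the client skip a dead DC and prefer its own site, while the plain client depends entirely on the order the server hands back and will keep retrying the first address until the DNS answer rotates, which is the behaviour Brian describes.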
  


[ActiveDir] OT: Wireless EAP-TLS, IAS, and certificates

2004-10-08 Thread Ken Cornetet



Is there any way to force EAP-TLS wireless authentication to use machine 
certificates exclusively (instead of user certs) for client side 
authentication? Or better yet, require BOTH user and machine certs?

Here's the setup:

IBM Thinkpads with either integrated cisco 802.11b or Cisco cards. Running XP.
Cisco access points
MS Internet Authentication Server running on a non DC 2k3 box.




RE: [ActiveDir] Quick ldap question

2004-10-06 Thread Ken Cornetet
Yes, but searches are not.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, October 06, 2004 1:52 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Quick ldap question


We have a windows 2000 AD. By default are anonymous ldap queries
allowed?

Thanks,jb


RE: [ActiveDir] WAN outage caused issues...

2004-10-05 Thread Ken Cornetet
Is the domain in question a child of another domain? Do your remote DCs
have secondary zones for the root domain's DNS? 

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DC's have a secondary for
acme.com (or at least the _ subdomains of acme.com)?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
don't think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's what's in the eventlogs of the workstations
during the time they were broken:

10/4/2004 1:53:42 PM  LSASRV  Warning  SPNEGO (Negotiator)  40961  N/A
CAE12350828  The Security System could not establish a secured connection
with the server cifs/cae123fs01.ourdomain.com.  No authentication protocol
was available.

10/4/2004 1:53:42 PM  LSASRV  Warning  SPNEGO (Negotiator)  40960  N/A
CAE12350828  The Security System detected an attempted downgrade attack for
server cifs/cae123fs01.ourdomain.com.  The failure code from authentication
protocol Kerberos was There are currently no logon servers available to
service the logon request.  (0xc05e).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on and resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local DC.  All users at the remote site had issues.  They're using their
DC for DNS, and going back to HeadQuarters for WINS.  Could the WINS be
the issue? They couldn't contact WINS because the WAN link outage,
that's for sure.

-Original Message-
From: [EMAIL PROTECTED
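Added example, not from the thread or its posters: a triage script for the two LSASRV events Russ pasted, run over constructed log lines laid out in the same column order (date, time, source, type, category, event ID, user, computer, message) and tab-separated. The archived message cuts the failure code down to "0xc05e"; the sample assumes the full NTSTATUS value 0xC000005E (STATUS_NO_LOGON_SERVERS), and the third line with a different code is invented to show the contrast. The point of the correlation is that a 40960 citing "no logon servers" paired with a 40961 for the same SPN within seconds is the fingerprint of a client that could not reach a KDC and then failed to negotiate, not of someone forcing a downgrade; a 40960 with any other Kerberos error deserves a look.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the column order shown in the thread, separated
# by tabs. The NTSTATUS in line 2 is an assumption: the archived message shows
# only "0xc05e". Line 3 is invented to show a code that is NOT explained by a
# WAN outage.
SAMPLE_LOG = """\
10/4/2004\t1:53:42 PM\tLSASRV\tWarning\tSPNEGO (Negotiator)\t40961\tN/A\tCAE12350828\tThe Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com.  No authentication protocol was available.
10/4/2004\t1:53:42 PM\tLSASRV\tWarning\tSPNEGO (Negotiator)\t40960\tN/A\tCAE12350828\tThe Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure code from authentication protocol Kerberos was There are currently no logon servers available to service the logon request.  (0xc000005e).
10/4/2004\t2:10:07 PM\tLSASRV\tWarning\tSPNEGO (Negotiator)\t40960\tN/A\tCAE12350828\tThe Security System detected an attempted downgrade attack for server cifs/fs02.ourdomain.com.  The failure code from authentication protocol Kerberos was The user's account has expired.  (0xc0000193).
"""

STATUS_NO_LOGON_SERVERS = 0xC000005E  # assumed full value of the quoted "0xc05e"
SPN_RE = re.compile(r"server (\S+)\.\s")        # "... server cifs/host.domain.  The ..."
CODE_RE = re.compile(r"\((0x[0-9a-fA-F]+)\)")   # trailing "(0x........)"


def parse_event(line):
    """Split one exported event line into typed fields plus the SPN and NTSTATUS."""
    date, time_, source, etype, category, event_id, user, computer, message = line.split("\t", 8)
    when = datetime.strptime(f"{date} {time_}", "%m/%d/%Y %I:%M:%S %p")
    spn = SPN_RE.search(message)
    code = CODE_RE.search(message)
    return {
        "when": when,
        "source": source,
        "event_id": int(event_id),
        "computer": computer,
        "spn": spn.group(1) if spn else None,
        "code": int(code.group(1), 16) if code else None,
        "message": message,
    }


def classify(ev):
    """Label the event by what the SPNEGO layer is actually telling us."""
    if ev["source"] != "LSASRV":
        return "ignore"
    if ev["event_id"] == 40961:
        return "negotiate_failed"          # no protocol could be agreed at all
    if ev["event_id"] == 40960:
        if ev["code"] == STATUS_NO_LOGON_SERVERS:
            return "kdc_unreachable"       # Kerberos never got to a DC
        return "kerberos_error"            # Kerberos reached a DC and was refused
    return "ignore"


def triage(log_text, window=timedelta(seconds=5)):
    """Group events per (computer, SPN) and return a verdict string for each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        ev["kind"] = classify(ev)
        if ev["kind"] != "ignore":
            groups[(ev["computer"], ev["spn"])].append(ev)

    verdicts = {}
    for key, evs in groups.items():
        kinds = {e["kind"] for e in evs}
        span = max(e["when"] for e in evs) - min(e["when"] for e in evs)
        if "kdc_unreachable" in kinds and "negotiate_failed" in kinds and span <= window:
            verdicts[key] = "no KDC reachable: check DNS/site DC locator, not an attack"
        elif "kdc_unreachable" in kinds:
            verdicts[key] = "no KDC reachable"
        elif "kerberos_error" in kinds:
            codes = sorted({hex(e["code"]) for e in evs if e["code"] is not None})
            verdicts[key] = "Kerberos failed for another reason, investigate: " + ", ".join(codes)
        else:
            verdicts[key] = "negotiation failed without Kerberos detail"
    return verdicts


if __name__ == "__main__":
    for (computer, spn), verdict in triage(SAMPLE_LOG).items():
        print(f"{computer} -> {spn}: {verdict}")
```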

RE: [ActiveDir] WAN outage caused issues...

2004-10-05 Thread Ken Cornetet
2000 DCs should point to another DC as their primary DNS server. They
should point to themselves as secondary.

A 2000 DC pointing to himself for primary DNS is subject to islanding.
If his IP address changes, he'll update himself, then cease replicating
with the rest of the world (because AD replication is pull and the
other DCs will never see the new IP address).

I think 2003 has logic to avoid this problem so that a DC can be his own
DNS server.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 3:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Wouldn't it make more sense to have the server use itself for DNS
resolution?  I mean, if the wan link goes down, it wouldn't be able to
resolve names right? <g>

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 4:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the sites DC is using HQ as its primary and secondary DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali
Sent: Tuesday, October 05, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Do you have the site DC/DNS box using itself as the alternate DNS server
and the HQ as primary?  just a thought.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
don't think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's what's in the eventlogs of the workstations
during the time they were broken:

10/4/2004 1:53:42 PM  LSASRV  Warning  SPNEGO (Negotiator)  40961  N/A
CAE12350828  The Security System could not establish a secured connection
with the server cifs/cae123fs01.ourdomain.com.  No authentication protocol
was available.

10/4/2004 1:53:42 PM  LSASRV  Warning  SPNEGO (Negotiator)  40960  N/A
CAE12350828  The Security System detected an attempted downgrade attack for
server cifs/cae123fs01.ourdomain.com.  The failure code from authentication
protocol Kerberos was There are currently no logon servers available to
service the logon request.  (0xc05e).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE

RE: [ActiveDir] WAN outage caused issues...

2004-10-05 Thread Ken Cornetet
Well, there ya go!

I'm assuming that there are no root domain DCs in the remote sites.
Clients need to be able to do DNS lookups on various things in the _
subdomains of the root. If your child domain's DCs are set to forward to
the root DCs, and the WAN is down, they can't find things.

For 2000, my advice is to simply add the root domain as secondaries on
the remote DCs DNS. 

If you are running 2003 on your DCs, you can configure your zones to
show up on all DCs in the forest.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 3:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



The domain in question is a child of a root domain yes.  Our child
domain DNS servers don't point to our root domain for DNS resolution at
all.  They just forward requests up to the root domain DNS servers if
they don't have an answer.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Is the domain in question a child of another domain? Do your remote DCs
have secondary zones for the root domain's DNS? 

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DC's have a secondary for
acme.com (or at least the _ subdomains of acme.com)?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
don't think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's what's in the eventlogs of the workstations
during the time they were broken:

10/4/2004 1:53:42 PM  LSASRV  Warning  SPNEGO (Negotiator)  40961  N/A
CAE12350828  The Security System could not establish a secured connection
with the server cifs/cae123fs01.ourdomain.com.  No authentication protocol
was available.

10/4/2004 1:53:42 PM  LSASRV  Warning  SPNEGO (Negotiator)  40960  N/A
CAE12350828  The Security System detected an attempted downgrade attack for
server cifs/cae123fs01.ourdomain.com.  The failure code from authentication
protocol Kerberos was There are currently no logon servers available to
service the logon request.  (0xc05e).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I

RE: [ActiveDir] WAN outage caused issues...

2004-10-05 Thread Ken Cornetet
Yes, effectively. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Correct, no root domain DCs at the remote sites, but if the WAN link is
down, what good are the root domain as secondaries on the remote DCs DNS
going to do?  Will it be cached or something?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Well, there ya go!

I'm assuming that there are no root domain DCs in the remote sites.
Clients need to be able to do DNS lookups on various things in the _
subdomains of the root. If your child domain's DCs are set to forward to
the root DCs, and the WAN is down, they can't find things.

For 2000, my advice is to simply add the root domain as secondaries on
the remote DCs DNS. 

If you are running 2003 on your DCs, you can configure your zones to
show up on all DCs in the forest.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 3:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



The domain in question is a child of a root domain yes.  Our child
domain DNS servers don't point to our root domain for DNS resolution at
all.  They just forward requests up to the root domain DNS servers if
they don't have an answer.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Is the domain in question a child of another domain? Do your remote DCs
have secondary zones for the root domain's DNS? 

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DC's have a secondary for
acme.com (or at least the _ subdomains of acme.com)?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
don't think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's what's in the eventlogs of the workstations
during the time they were broken:

10/4/2004 1:53:42 PM  LSASRV  Warning  SPNEGO (Negotiator)  40961  N/A
CAE12350828  The Security System could not establish a secured connection
with the server cifs/cae123fs01.ourdomain.com.  No authentication protocol
was available.

10/4/2004 1:53:42 PM  LSASRV  Warning  SPNEGO (Negotiator)  40960  N/A
CAE12350828  The Security System detected an attempted downgrade attack for
server cifs/cae123fs01.ourdomain.com.  The failure code from authentication
protocol Kerberos was There are currently no logon servers available to
service the logon request.  (0xc05e).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use

RE: [ActiveDir] WAN outage caused issues...

2004-10-05 Thread Ken Cornetet

No, they don't have all they need.

Clients should be able to resolve at least the "_" subdomains of the root
domain. That's all covered in the AD design books.

GC location (among other things) is done via DNS lookups into the "_msdcs"
subdomain of the root domain.

  
-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Rutherford
Sent: Tuesday, October 05, 2004 3:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

They are AD integrated, though; they should have all they need to log on to
the local DC.

I can't remember if you said you had a single forest, Russ?


From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Tue 05/10/2004 21:40
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

Well, there ya go!

I'm assuming that there are no root domain DCs in the remote sites. Clients
need to be able to do DNS lookups on various things in the "_" subdomains of
the root. If your child domain's DCs are set to forward to the root DCs, and
the WAN is down, they can't find things.

For 2000, my advice is to simply add the root domain as secondaries on the
remote DCs' DNS.

If you are running 2003 on your DCs, you can configure your zones to show up
on all DCs in the forest.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 3:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

The domain in question is a child of a root domain, yes. Our child domain DNS
servers don't point to our root domain for DNS resolution at all. They just
forward requests up to the root domain DNS servers if they don't have an
answer.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

Is the domain in question a child of another domain? Do your remote DCs have
secondary zones for the root domain's DNS?

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DCs have a secondary for acme.com (or
at least the "_" subdomains of acme.com)?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there. DNS is Active Directory integrated. The DC itself is
pointed at HQ for DNS lookups on its TCP/IP properties (although I don't think
that matters?)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution? And is there a
reverse DNS zone set up there?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

OK I got more info. Here's what's in the event logs of the workstations during
the time they were broken:

10/4/2004 1:53:42 PM  LSASRV  Warning  SPNEGO (Negotiator)  40961  N/A  CAE12350828
The Security System could not establish a secured connection with the server
cifs/cae123fs01.ourdomain.com. No authentication protocol was available.

10/4/2004 1:53:42 PM  LSASRV  Warning  SPNEGO (Negotiator)  40960  N/A  CAE12350828
The Security System detected an attempted downgrade attack for server
cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol
Kerberos was "There are currently no logon servers available to service the
logon request. (0xc05e)".

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Burkes, Jeremy [Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name suffix
to search for the host in DNS. For example if you give hostname and the
workstation's domain name is domain.com it will try hostname.domain.com to see
if it can resolve it in DNS. The search order for Windows 2000 and XP clients
I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL
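The check Ken's advice points to, as an added example that is not part of the thread and not Ken's code: run from the remote site, it asks the local DC's DNS server for the root domain's _msdcs and _gc SRV records and then asks the server itself whether it hosts a copy of the root zone, so the WAN dependency is found before the WAN goes down. It assumes Resolve-DnsName (the DnsClient module, Windows 8 / Server 2012 and later) and dnscmd.exe from the DNS server tools; acme.com is the placeholder root domain from the thread and 10.20.30.4 an invented address for the remote site's DC.

```powershell
<#
  Added example, not from the thread.  Verifies that a remote-site DNS server
  can answer the root-domain lookups a child-domain client needs at logon, and
  whether it answers from a zone it hosts or only by forwarding to HQ.
  Assumptions: Resolve-DnsName (Windows 8 / Server 2012+), dnscmd.exe present,
  'acme.com' is the placeholder root from the thread, '10.20.30.4' is invented.
#>
param(
    [string]$RootDomain = 'acme.com',
    [string]$DnsServer  = '10.20.30.4'
)

# SRV records a member of a child domain resolves when it needs a root-domain DC
# or a global catalog.  _msdcs is the subdomain Ken calls out; the rest live in
# the same "_" tree under the root.
$names = @(
    "_ldap._tcp.dc._msdcs.$RootDomain",
    "_kerberos._tcp.dc._msdcs.$RootDomain",
    "_ldap._tcp.gc._msdcs.$RootDomain",
    "_gc._tcp.$RootDomain"
)

function Test-RootSrvRecords {
    param([string[]]$Names, [string]$Server)
    foreach ($name in $Names) {
        try {
            # -DnsOnly and -NoHostsFile: only the named server may answer; no
            # client cache, no hosts file, no LLMNR/NetBIOS fallback.
            $srv = @(Resolve-DnsName -Name $name -Type SRV -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
            [pscustomobject]@{ Name = $name; Resolved = ($srv.Count -gt 0); Targets = ($srv.NameTarget -join ', ') }
        } catch {
            [pscustomobject]@{ Name = $name; Resolved = $false; Targets = $_.Exception.Message }
        }
    }
}

function Get-HostedZones {
    param([string]$Server)
    # dnscmd <server> /EnumZones lists every zone the server holds (primary,
    # secondary, stub, AD-integrated).  A root zone that is not in this list
    # means every answer above came through a forwarder and goes away with the WAN.
    $out = & dnscmd.exe $Server /EnumZones 2>&1
    foreach ($line in $out) {
        if ($line -match '^\s*(\S+)\s+(Primary|Secondary|Stub|Forwarder)') { $Matches[1] }
    }
}

$results = Test-RootSrvRecords -Names $names -Server $DnsServer
$results | Format-Table -AutoSize

$zones = @(Get-HostedZones -Server $DnsServer)
$hostsRoot = ($zones -contains $RootDomain) -or ($zones -contains "_msdcs.$RootDomain")
if ($hostsRoot) {
    "OK: $DnsServer hosts a copy of $RootDomain (or _msdcs.$RootDomain); root lookups survive a WAN outage."
} else {
    "WARNING: $DnsServer does not host $RootDomain. Add it as a secondary zone (Windows 2000) or make the zone forest-wide (Windows 2003) so clients can still find root DCs and GCs when the WAN is down."
}
```

Run it from a workstation in the remote site with the WAN up; a server that resolves every name but does not host the zone is exactly the configuration Russ describes, and it will fail the same way his did the next time the link drops. The event 40960/40961 pair Russ posted is what the client logs when the GC/DC lookup into _msdcs fails and Kerberos has no KDC to talk to.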

RE: [ActiveDir] How to take away the password never expirers check box right?

2004-09-28 Thread Ken Cornetet
I think the easiest approach would be to write a script that walks
through all your user accounts and clears the never expire bit if it is
set. Schedule it to run every night.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Tuesday, September 28, 2004 10:37 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to take away the password never expirers
check box right?


On Tue, 28 Sep 2004 10:17:27 -0500, Centenni, Jason wrote
> Ok, first time poster long time lurker.
Welcome - almost the same I am :)
> 
> How do I make it so an OU admin (each OU has a group ACL'd to full 
> control of user objects/computer objects etc. inside that OU) so that 
> they can't check the Password never expires check box?
> 
> I would like if possible to JUST take away the right for them to use 
> that check box in the MMC.

This can be tough: this property is stored in the userAccountControl
attribute of the user, and to achieve your goal you should place proper
ACLs on this attribute. But userAccountControl is responsible for a few
more items: http://www.jsiinc.com/SUBL/tip5500/rh5504.htm

and you can't set the ACLs for only one of them.

To get rid of only the GUI element in the ADUC MMC you would have to make
your own version of the DLL in which this dialog is defined.


-- 
Tomasz Onyszko - [EMAIL PROTECTED]
http://www.w2k.pl

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

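The nightly sweep Ken suggests, as an added example that is not part of the thread and not Ken's code: it finds every user in the delegated OUs with the DONT_EXPIRE_PASSWD bit (0x10000) set in userAccountControl and clears it, which is the practical answer to Tomasz's point that the bit cannot be ACLed on its own. It is written for the ActiveDirectory PowerShell module (RSAT on Server 2008 R2 and later), which postdates the thread; the OU, the exempt group name and the log path are placeholders.

```powershell
<#
  Added example, not from the thread.  Nightly sweep that clears the
  "Password never expires" flag on users under a delegated OU, skipping
  members of an exempt group (service accounts that legitimately need it).
  Assumptions: ActiveDirectory module (RSAT), rights to write
  userAccountControl in the scoped OU, placeholder names below.
#>
param(
    [string]$SearchBase  = 'OU=Delegated,DC=acme,DC=com',     # OUs owned by the OU admins (placeholder)
    [string]$ExemptGroup = 'PasswordNeverExpires-Exempt',     # accounts allowed to keep the flag (placeholder)
    [string]$LogPath     = "$env:ProgramData\Clear-NeverExpires.log",
    [switch]$WhatIf
)
Import-Module ActiveDirectory

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the DC itself
# returns only objects whose userAccountControl has bit 0x10000 (65536) set.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'

function Get-NeverExpiresUsers {
    param([string]$Base)
    Get-ADUser -LDAPFilter $ldapFilter -SearchBase $Base -SearchScope Subtree `
               -Properties userAccountControl, PasswordLastSet
}

function Get-ExemptDNs {
    param([string]$Group)
    $dns = @{}
    if ($Group) {
        $members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in @($members)) { $dns[$m.distinguishedName] = $true }
    }
    $dns
}

function Clear-NeverExpiresFlag {
    param($Users, [hashtable]$Exempt, [switch]$WhatIf)
    foreach ($u in @($Users)) {
        if ($Exempt.ContainsKey($u.DistinguishedName)) {
            "{0:s} SKIP (exempt) {1}" -f (Get-Date), $u.DistinguishedName
            continue
        }
        # Set-ADUser flips only this bit; the other userAccountControl flags
        # (disabled, smartcard required, etc.) are left as they were.
        Set-ADUser -Identity $u -PasswordNeverExpires $false -WhatIf:$WhatIf
        "{0:s} CLEARED DONT_EXPIRE_PASSWD on {1} (uac was 0x{2:x}, pwd last set {3})" -f `
            (Get-Date), $u.DistinguishedName, $u.userAccountControl, $u.PasswordLastSet
    }
}

$exempt = Get-ExemptDNs -Group $ExemptGroup
$hits   = Get-NeverExpiresUsers -Base $SearchBase
Clear-NeverExpiresFlag -Users $hits -Exempt $exempt -WhatIf:$WhatIf | Tee-Object -FilePath $LogPath -Append
```

Run it once with -WhatIf to see which accounts it would touch. Clearing the flag on an account whose password is already older than the domain's maximum password age forces a password change at the next logon, so service accounts that genuinely need the flag belong in the exempt group, not in the sweep. Schedule it with Task Scheduler under an account that has write access to userAccountControl in the scoped OUs and nothing more.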


[ActiveDir] OT: DHCP Export

2004-09-22 Thread Ken Cornetet
Does anyone know of a way to export information (specifically
reservations) from either 2k or 2k3 DHCP server?

I tried opening the MDB file from the backups directory with Access - no
joy.

I tried doing a netsh export from a 2k3 server. The example docs for the
netsh DHCP export show a tantalizing output file name of dhcp.txt, but
the output file is not text. Viewed in a hex editor, the export file
looks sort of like unicode, but notepad won't open it.

Any ideas? WMI?

Why do I ask? We are considering putting our network printers in DHCP
using reservations. I want to make sure I can get the data back out
later if needed.


[ActiveDir] Move group across domains

2004-09-20 Thread Ken Cornetet
I need to move several groups from one domain to another inside a forest
(2000 level now, soon to be 2003). These groups are used as security
principals for Exchange 2000 mailboxes. Are there any tools available to
do this?


RE: [ActiveDir] Move group across domains

2004-09-20 Thread Ken Cornetet
Thanks all!

I guess I was too stuck thinking that the Exchange objects would have to
be re-ACL'ed and I didn't even think about SID history.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, September 20, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Move group across domains


ADMT 2.0 would be a good bet.

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Montag, 20. September 2004 21:07
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Move group across domains

I need to move several groups from one domain to another inside a forest
(2000 level now, soon to be 2003). These groups are used as security
principals for Exchange 2000 mailboxes. Are there any tools available to
do this?


RE: [ActiveDir] Unauthorized DHCP Requests

2004-09-13 Thread Ken Cornetet

Resistance is futile - you will be assimilated.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
  Sent: Monday, September 13, 2004 9:31 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Unauthorized DHCP Requests

  It's part of our plan to force a pure MS environment :-).
  
  I asked our network group about this last week, and was 
  told that the non-MS devices would need a "placeholder" account in AD. I 
  haven't had a chance to check through the documentation to verify this. I'll 
  post back whatever I can dig up.
  
  
  From: Ayers, Diane [mailto:[EMAIL PROTECTED]
  Sent: Monday, September 13, 2004 8:19 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Unauthorized DHCP Requests
  
  Hunter:
  
  With Cisco ACS, how are you going to 
  deal with non-MS based devices that get DHCP addresses? That's always 
  been the hang-up for us to shift to a setup like you 
  describe.
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
  Sent: Monday, September 13, 2004 6:41 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Unauthorized DHCP Requests
  
  Our network folks are starting to roll out Cisco's Access 
  Control Server. They plan to tie it into our AD, and eventually configure all 
  of the network devices so that machines won't get on the network unless 
  they're joined to the AD and have successfully authenticated. I'm not sure who 
  else besides Cisco has this kind of thing, but I suspect they're not the only 
  one.
  
  Hunter
  
  
  From: Joe L. Casale [mailto:[EMAIL PROTECTED]
  Sent: Sunday, September 12, 2004 4:33 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Unauthorized DHCP Requests
  
  
  Yea, it's ugly as heck to manage though. MAC reservations for all, but anyone
  can spoof that if they have a wit. Your problem is a common one, but not a
  simple one.

  If you hear of a slicker solution than that, pray tell!
  
  jlc
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
  Sent: Thursday, September 09, 2004 4:21 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Unauthorized DHCP Requests
  
  Our domain is using a Win2K3 
  server which is also a domain controller as its DHCP solution. Often I 
  look at the DHCP tables and notice that there are unauthorized machines that 
  connect to our network. This seems to occur from employees who bring in 
  their laptop during the weekend when the workload is light and management does 
  not have as much a presence.
  
  The workstations within the domain 
  all follow a naming scheme. For example, ORL-RM3-204-2 which means, the 
  server is located in Orlando, physically located in Room3, desk 
  number 204 and the number of times that that particular workstation has been 
  replaced.
  
  So if I see a workstation in the 
  DHCP tables that does not follow that naming scheme, then I know that 
  something else has managed to get an IP Address from the 
  network.
  
  Is there a way to prevent 
  unauthorized machines from retrieving an IP address? If so, is there 
  also a way to make an exception to the rule should a non-standard naming 
  convention machine require authorized access to the 
  network?
  
  Thank you all for your 
  replies.
  
  Edwin


RE: [ActiveDir] OT:logon script

2004-09-07 Thread Ken Cornetet
Have you tried pskill from sysinternals?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, September 07, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:logon script


The key keeps getting recreated as soon as I delete it, and the process
won't let me kill it.

Any suggestions on how to automate the cleaning of such a worm without
going to each PC? What do you guys usually do when a bunch of PCs get
infected? Do you send your staff to each individual PC? Is there a way to
kill a process remotely and subvert the access denied message? Can I
run some utility that I can script which can kill a process no matter
what?

thanks

-Original Message-
From: Dale, Rick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 07, 2004 10:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:logon script


Tom,

I haven't tried this but it should work. Run this script then kill the
process that is running then delete the file. 

~~SCRIPT START~~

Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Dim strComputer, strKeyPath, strValueName, oReg

strComputer = "."   ' name of the remote computer, or "." for the local machine

' WMI registry provider on the target machine
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

' Autorun entries are *values* under the Run key, not subkeys, so the entry
' has to be removed with DeleteValue rather than DeleteKey on the Run path.
strKeyPath   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "NAME OF REGVALUE"   ' the worm's entry as shown in regedit

oReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName

~~SCRIPT END~~

HTH

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, September 07, 2004 8:53 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:logon script

Hi, I went on vacation and upon returning my network seems to have been
infected with WORM_SPYBOT.DN (Trend Micro's name). I have about 50
PCs (Win2k/XP) infected and even though my Symantec Corp defs are up to
date, it can't clean the worm because it's already running in memory. I know
it creates a reg entry in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

My question is, rather than go to 50 PCs and reboot in safe mode and do
a scan, can someone point me to a good VBScript that I can run as a
logon script to delete the reg entries? Unless someone out there has a
better solution. Thanks a lot.
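The remote cleanup Tom is asking for, along the lines of Ken's pskill suggestion, as an added example that is not part of the thread and not either poster's code: it terminates the process through WMI, removes the Run value through the remote registry, and deletes the binary over the admin share, from an admin workstation rather than from a logon script (a logon script runs as the logged-on user, who is normally denied the right to kill the worm, which is the access-denied Tom sees). The order matters: kill first, then the Run value, then the file, otherwise the running worm re-creates the value as fast as it is deleted. It assumes Windows PowerShell (Get-WmiObject), local admin on the targets, RPC/DCOM and the Remote Registry service reachable, and the C$ share enabled; wormbinary.exe and WormRunValue are placeholders, to be replaced with the names from the AV vendor's write-up.

```powershell
<#
  Added example, not from the thread.  Remote worm remediation for a list of
  PCs: terminate the process, delete its Run value, delete the binary, in that
  order.  Assumptions: Windows PowerShell, admin rights on targets, DCOM and
  Remote Registry reachable, C$ share available.  Process/value names are
  placeholders; use the ones from your AV vendor's description.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string[]]$ComputerName,
    [string]$ProcessName  = 'wormbinary.exe',          # placeholder
    [string]$RunValueName = 'WormRunValue',             # placeholder
    [string]$RunKey       = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Stop-RemoteProcess {
    param([string]$Computer, [string]$Name)
    # Win32_Process.Terminate runs under the caller's (admin) token on the
    # target, so it succeeds where the user's own kill gets "access denied".
    $procs = @(Get-WmiObject -Class Win32_Process -ComputerName $Computer -Filter "Name='$Name'")
    $paths = @()
    foreach ($p in $procs) {
        $rc = $p.Terminate()
        Write-Verbose ("{0}: Terminate PID {1} returned {2}" -f $Computer, $p.ProcessId, $rc.ReturnValue)
        if ($p.ExecutablePath) { $paths += $p.ExecutablePath }
    }
    $paths
}

function Remove-RemoteRunValue {
    param([string]$Computer, [string]$Key, [string]$ValueName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $run  = $null
    try {
        $run = $hklm.OpenSubKey($Key, $true)             # $true = writable
        if ($run -and $null -ne $run.GetValue($ValueName)) {
            $data = $run.GetValue($ValueName)            # the command line the worm launches
            $run.DeleteValue($ValueName)
            return $data
        }
    } finally {
        if ($run) { $run.Close() }
        $hklm.Close()
    }
}

function Remove-RemoteFile {
    param([string]$Computer, [string]$LocalPath)
    # C:\dir\file.exe on the target is \\target\C$\dir\file.exe from here.
    if ($LocalPath -match '^([A-Za-z]):\\(.+)$') {
        $unc = "\\$Computer\$($Matches[1])`$\$($Matches[2])"
        if (Test-Path -LiteralPath $unc) {
            Remove-Item -LiteralPath $unc -Force
            return $unc
        }
    }
}

foreach ($c in $ComputerName) {
    try {
        $killedPaths = @(Stop-RemoteProcess -Computer $c -Name $ProcessName)
        $data        = Remove-RemoteRunValue -Computer $c -Key $RunKey -ValueName $RunValueName
        $paths       = $killedPaths
        # The Run value's data is a path, possibly quoted, possibly with arguments.
        if ($data -match '^"?([^"]+?\.exe)') { $paths += $Matches[1] }
        $removed = @($paths | Select-Object -Unique | ForEach-Object { Remove-RemoteFile -Computer $c -LocalPath $_ })
        [pscustomobject]@{ Computer = $c; Killed = $killedPaths.Count; RunValueRemoved = ($null -ne $data); FilesDeleted = $removed.Count; Error = '' }
    } catch {
        [pscustomobject]@{ Computer = $c; Killed = 0; RunValueRemoved = $false; FilesDeleted = 0; Error = $_.Exception.Message }
    }
}
```

Feed it the infected hosts (for example -ComputerName (Get-Content .\infected.txt) -Verbose) and keep the output table as the cleanup record. Treat it as containment, not as proof of a clean machine: a worm that also installs a service, a second autorun location or a driver will survive this, so follow up with a full AV scan once the definitions can see the file at rest.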


RE: [ActiveDir] NTP

2004-09-01 Thread Ken Cornetet

SNTP is a subset of NTP. Windows will get time from a NTP server.


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
  Sent: Wednesday, September 01, 2004 10:49 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] NTP
  Will Windows 2000 
  server respond to devices (cisco etc) who ask for NTP sync over the 
  network? I know how to enable SNTP on a Win2k server, but our Cisco 
  devices only talk NTP, not SNTP. Is there any way to enable both or do I 
  have to buy some 3rd party time server for our network?
  


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged. This e-mail should be read, copied,
disseminated and/or used only by the addressee. If you have received
this message in error please delete it, together with any
attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


RE: [ActiveDir] NTP

2004-09-01 Thread Ken Cornetet

You might be able to use ntpdate to query time from an SNTP server, but you
won't be able to sync to an SNTP server. Unless the Cisco devices have an
option to periodically poll via SNTP, I think you are out of luck.

Why in the world would you want your DCs to be the master time source anyway?
Why not point one of your Cisco routers to a public level 2 time server, then
point the PDC emulator of your root domain to that router?

Are you doing Y10K testing or something :-)

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Travis Riddle
  Sent: Wednesday, September 01, 2004 12:25 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] NTP

  I know my Unix servers (which use NTP only) can use ntpdate to update their
  clock from my root DC and then maintain that with the DC specified as the
  primary NTP time server. I imagine Cisco would work the same way.
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
  Sent: Wednesday, September 01, 2004 11:16 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] NTP
  
  I want it to work the other way around. I want my 
  Cisco devices to get their time from my Win2k AD root 
  controller.
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
  Sent: Wednesday, September 01, 2004 12:13 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] NTP

  SNTP is a subset of NTP. Windows will get time from a NTP server.
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, September 01, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NTP
Will Windows 
2000 server respond to devices (cisco etc) who ask for NTP sync over the 
network? I know how to enable SNTP on a Win2k server, but our Cisco 
devices only talk NTP, not SNTP. Is there any way to enable both or do 
I have to buy some 3rd party time server for our 
network?

  
  
  



