RE: [ActiveDir] Changing Logon server authentication !!

2007-01-28 Thread Ken Schaefer
Sorry - that should be AD Sites and Subnets...

 

Cheers

Ken

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Sunday, 28 January 2007 10:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Logon server authentication !!

 

Have you configured your AD Sites properly in AD Sites and Services MMC?

 

Cheers

Ken

 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Sun 28/01/2007 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Logon server authentication !!

Hi,

 

 

We have a server A in the US. We have servers B & C in India.

 

Global catalog servers are Server A & B.

 

FSMO Roles are with the server B.

 

Right now we have a Citrix member server D in the US. When users are logging
on to the Citrix server, it takes logon authentication from Server B. When we
use the set command it shows the logon server name as Server B. Is there any
way I can make it take authentication only from server A when it is
available?

 

Regards,

 

Senthil



RE: [ActiveDir] Changing Logon server authentication !!

2007-01-28 Thread Ken Schaefer
Have you configured your AD Sites properly in AD Sites and Services MMC?
 
Cheers
Ken



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Sun 28/01/2007 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Logon server authentication !!



Hi,

 

 

We have a server A in the US. We have servers B & C in India.

 

Global catalog servers are Server A & B.

 

FSMO Roles are with the server B.

 

Right now we have a Citrix member server D in the US. When users are logging
on to the Citrix server, it takes logon authentication from Server B. When we
use the set command it shows the logon server name as Server B. Is there any
way I can make it take authentication only from server A when it is
available?

 

Regards,

 

Senthil
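Ken's question above is about how the domain controller locator picks a DC: the client's IP address is matched against the subnet objects defined in AD Sites and Services, the matching subnet names a site, and DCs in that site are preferred. The Python below is an added example written for this archive page, not code from the thread or from Microsoft. The subnet, site and DC tables are constructed (server names follow the thread, the address ranges are invented); the code reproduces the longest-prefix match over that table so you can see which DCs a given client is steered to and which clients have no subnet object at all.

```python
import ipaddress

# Constructed subnet -> site table, the kind of thing defined under
# AD Sites and Services > Subnets.  The 10.0.0.0/8 catch-all is deliberately
# over-broad: any 10.x client without a narrower subnet is sent to India.
SUBNETS = {
    "10.0.0.0/8": "India",
    "10.10.0.0/16": "US",
}

# Constructed site -> domain controller table (names follow the thread).
SITE_DCS = {
    "US": ["ServerA"],
    "India": ["ServerB", "ServerC"],
}


def site_for_ip(client_ip, subnets=SUBNETS):
    """Longest-prefix match of client_ip against the subnet objects.

    Returns the site name, or None when no subnet covers the address
    (a client in that state has no site affinity at all)."""
    addr = ipaddress.ip_address(client_ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def preferred_dcs(client_ip, subnets=SUBNETS, site_dcs=SITE_DCS):
    """DCs the locator prefers for this client.

    A client whose address maps to no site may be answered by any DC in the
    domain, which is the kind of gap Ken's question is pointing at."""
    site = site_for_ip(client_ip, subnets)
    if site is None:
        return sorted({dc for dcs in site_dcs.values() for dc in dcs})
    return list(site_dcs[site])


def unmapped_clients(client_ips, subnets=SUBNETS):
    """Addresses with no covering subnet object, for an admin to fix first."""
    return [ip for ip in client_ips if site_for_ip(ip, subnets) is None]


if __name__ == "__main__":
    for ip in ("10.10.50.7", "10.20.1.5", "192.168.1.9"):
        print(ip, site_for_ip(ip), preferred_dcs(ip))
```

Two failure modes show up in the sample table: a client with no covering subnet (192.168.1.9) gets no site preference, and a 10.x client with no subnet narrower than the /8 catch-all (10.20.1.5) is silently assigned to the India site. Either one explains a server in one country authenticating against a DC in another.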



RE: [ActiveDir] OT DNS forwarders..

2007-01-23 Thread Ken Schaefer
DNS only maps names to IP addresses. It doesn't do anything with respect to
paths.
 
You could point the hostname "webi" to the same IP address as the host
"nzine33svr" and configure your web server software to accept requests for
either HTTP host header.
 
Then, to redirect the user to the correct path, you are best off configuring
this in your web server software (just about all web server software supports
redirection). Just redirect requests for "/" (the root) to
"/businessobj/enterprise/infoview"
 
Cheers
Ken



From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Wed 24/01/2007 12:19 AM
To: Active
Subject: [ActiveDir] OT DNS forwarders..


I have a web application which currently has a url of 
http://nzine33svr/businessobj/enterprise/infoview
I would like to have some kind of redirector for this web link so that a user
only needs to type in http://webi   and it will forward the
request to the correct url.
How can I accomplish this in AD DNS? Or what would be the correct method?
thanks
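Ken's answer splits the job in two: DNS makes "webi" resolve to the same address as "nzine33svr", and the web server does the redirect from "/" to the application path. The handler below is an added example written for this page, not code from the thread or from any product named in it; the hostnames and path are the ones Frank quoted, and the server itself is a minimal stand-in for whatever web server software is actually in front of the application.

```python
"""Host-header based redirect for a short DNS alias (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

SHORT_HOST = "webi"                                 # the alias users type
APP_PATH = "/businessobj/enterprise/infoview"       # the real application path


def redirect_target(host_header, path):
    """Return the Location to send, or None when no redirect applies.

    Only a request that arrives with Host: webi (any case, optional port)
    for the root path is redirected.  The target is a fixed, relative path,
    so nothing from the request is reflected into the Location header and
    the browser stays on the same host; that host must also be accepted by
    the application's own virtual host, as Ken notes."""
    if host_header is None:
        return None
    host = host_header.split(":", 1)[0].lower()
    if host == SHORT_HOST and path in ("", "/"):
        return APP_PATH
    return None


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        if target is not None:
            self.send_response(302)
            self.send_header("Location", target)
            self.end_headers()
            return
        # Everything else is served as-is (here: a placeholder body).
        body = b"served: " + self.path.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed local listener; point a hosts-file entry for "webi" at
    # 127.0.0.1 to try it without touching AD DNS.
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

Keeping the redirect target a constant rather than building it from the request is what keeps this from becoming an open redirect; the same rule applies when the equivalent rule is written in IIS or Apache.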


RE: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM

2007-01-10 Thread Ken Schaefer
A minidump is <100kb, whilst a kernel dump is 150MB+. I would prefer you to
email me an 80-100kb file in the first instance if that is enough to solve the
problem :-)
 
Cheers
Ken



From: [EMAIL PROTECTED] on behalf of Matheesha Weerasinghe
Sent: Thu 11/01/2007 12:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM



I didn't configure the memory dumps for this machine. I assume a kernel
dump is preferred over minidump? Either way I will check and let you
know. Thanks for the reply.

On 1/11/07, Ken Schaefer <[EMAIL PROTECTED]> wrote:
>
> Yes - I have a Dell Precision that has 4GB RAM, and which has had both
Vista
> x86 and x64 on it and it doesn't BSOD.
>
> The issue in the KB seems to be with devices that use DMA and you have more
> than 4GB of RAM. That used to cause issues on XP as well (which is why I
> believe SP2 for XP limited the amount of RAM that could be utilised to 4GB
> for 32bit editions).
>
> STOP 0xA is pretty common. If you want a detailed explanation of
> what's going on, then check out Part 1 here:
>
http://www.adopenstatic.com/cs/blogs/ken/archive/tags/Debugging/default.aspx
>
> Do you have minidump files handy? I'm happy to have a look if you want.
>
> Cheers
> Ken
>
> 
> From: [EMAIL PROTECTED] on behalf of
> Matheesha Weerasinghe
> Sent: Thu 11/01/2007 12:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM
>
>
>
> Sorry! I meant to ask is there anyone with a Vista RTM X86 PC with
> more than 2GB of RAM.
>
> Thanks
> M@
>
> On 1/11/07, Matheesha Weerasinghe <[EMAIL PROTECTED]> wrote:
> > All
> >
> > Sorry for the OT topic. I have a PC I use as my lab with VMs. It has
> > Vista Ultimate and only has 2GB of RAM and was working fine. However I
> > tried to upgrade the memory by using a 512MB module and the PC won't
> > boot now. It blue screens with a message similar to KB 929777.
> >
> > I tried getting the hotfix from technet+ with no luck. Its stage is
> > "private" and won't be released until the 30th Jan. My Premier
> > connection doesn't seem to allow download of the hotfix either.
> >
> > I would like to know before I try and escalate this whether there is
> > anyone out there with a Vista RTM PC with more than 4GB of RAM. I have
> > run memtest86 on my PC and it reports everything is working. However
> > I'd appreciate if I can get some confirmation that there are others
> > who either have the issue or don't.
> >
> > Cheers
> >
> > M@
> >




RE: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM

2007-01-10 Thread Ken Schaefer
Yes - I have a Dell Precision that has 4GB RAM, and which has had both Vista
x86 and x64 on it and it doesn't BSOD.
 
The issue in the KB seems to be with devices that use DMA and you have more
than 4GB of RAM. That used to cause issues on XP as well (which is why I
believe SP2 for XP limited the amount of RAM that could be utilised to 4GB
for 32bit editions).
 
STOP 0xA is pretty common. If you want a detailed explanation of
what's going on, then check out Part 1 here:
http://www.adopenstatic.com/cs/blogs/ken/archive/tags/Debugging/default.aspx
 
 
Do you have minidump files handy? I'm happy to have a look if you want.
 
Cheers
Ken



From: [EMAIL PROTECTED] on behalf of Matheesha Weerasinghe
Sent: Thu 11/01/2007 12:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM



Sorry! I meant to ask is there anyone with a Vista RTM X86 PC with
more than 2GB of RAM.

Thanks
M@

On 1/11/07, Matheesha Weerasinghe <[EMAIL PROTECTED]> wrote:
> All
>
> Sorry for the OT topic. I have a PC I use as my lab with VMs. It has
> Vista Ultimate and only has 2GB of RAM and was working fine. However I
> tried to upgrade the memory by using a 512MB module and the PC won't
> boot now. It blue screens with a message similar to KB 929777.
>
> I tried getting the hotfix from technet+ with no luck. Its stage is
> "private" and won't be released until the 30th Jan. My Premier
> connection doesn't seem to allow download of the hotfix either.
>
> I would like to know before I try and escalate this whether there is
> anyone out there with a Vista RTM PC with more than 4GB of RAM. I have
> run memtest86 on my PC and it reports everything is working. However
> I'd appreciate if I can get some confirmation that there are others
> who either have the issue or don't.
>
> Cheers
>
> M@
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx




RE: [ActiveDir] Risks of exposure of machine account passwords

2007-01-09 Thread Ken Schaefer
Hi Michael,
 
I'm not sure what we are gaining here. You're talking about "When the client
sends the password hashes you
send them to the target server. So the web client doesn't authenticate with
the web server it authenticates directly with the target server by proxying
the NTLMSSP tokens"
 
Are you talking about transitioning the protocol as well? e.g. 
Client -- HTTP --> Your Website/PC -- RPC --> Domain Controller
 
Cheers
Ken



From: Michael B Allen [mailto:[EMAIL PROTECTED]
Sent: Tue 9/01/2007 5:24 PM
To: ActiveDir@mail.activedir.org
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Risks of exposure of machine account passwords



On Tue, 9 Jan 2007 14:13:33 +1100
"Ken Schaefer" <[EMAIL PROTECTED]> wrote:

> I'm not sure what NTLM SSO Pass-Through is, but NTLM is not natively
> delegatable, so you can't (in the normal course of events) use this to
create
> an account anywhere except on the local machine. There may be easier ways
to
> create accounts on local machines.

Perhaps "proxy" would be a better term. When the web client requests the
challenge you request it from the target server (e.g. the DC) and send
it back to the client. When the client sends the password hashes you
send them to the target server. So the web client doesn't authenticate
with the web server it authenticates directly with the target server by
proxying the NTLMSSP tokens.

This is effectively a man-in-the-middle attack. Digital signatures are
used to thwart an MITM, so if you require SMB signing you can prevent such
an attack (although if you can authenticate LDAP with NTLM you might be
able to get around that).

Actually now that I think about it I think W2K3 requires SMB signing so
maybe this permutation wouldn't work. But workstations do not require
SMB signing. One could authenticate back to the client and create an
account, or simply place an executable in their Startup.

But again, if you're already trusted on the network it's game over.

Mike

>
> On Mon, 8 Jan 2007 15:33:01 -0500
> "joe" <[EMAIL PROTECTED]> wrote:
>
>
> But I can add an improved permutation to your dirty trick. Send out an
> email with a link to your site but use NTLM SSO pass-through to create a
> bogus account with a predefined password. If someone with domain admin
> privs so much as stumbles across your site they will create the said
> account and not even know they did it. No credentials necessary and no
> SSO account necessary. Just a website with an FQDN.
>
> There is one simple security setting that will thwart this attack
> though. For bonus points, does anyone know what it is? :->
>
> Mike


--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
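Mike's reply names SMB signing as the control that defeats the proxied NTLM exchange he describes, and points out that workstations do not require it. The audit below is an added example written for this page, not code from the thread or from Microsoft; it interprets the two SMB1 signing DWORDs (`RequireSecuritySignature`, `EnableSecuritySignature`) that live under `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters` and `...\LanmanWorkstation\Parameters`, reads them from a snapshot passed in as a dict so it runs offline, and reports which hosts would still complete an unsigned session. The host snapshot is constructed; the distinction it draws between "enabled" and "required" is the one that matters for Mike's point.

```python
# Real value names under the LanmanServer / LanmanWorkstation Parameters keys.
REQUIRE = "RequireSecuritySignature"
ENABLE = "EnableSecuritySignature"
ROLES = ("LanmanServer", "LanmanWorkstation")


def signing_posture(host_params):
    """Interpret the SMB signing DWORDs for each role on one host.

    host_params maps role -> {value name: DWORD}; a missing value counts as 0.
    'required'   unsigned sessions are refused
    'negotiated' the host signs only when the peer also does
    'off'        the host never signs"""
    posture = {}
    for role in ROLES:
        values = host_params.get(role, {})
        if values.get(REQUIRE, 0) == 1:
            posture[role] = "required"
        elif values.get(ENABLE, 0) == 1:
            posture[role] = "negotiated"
        else:
            posture[role] = "off"
    return posture


def accepts_unsigned_sessions(host_params):
    """True when this host's SMB *server* side completes an unsigned session,
    i.e. when credentials proxied to it would be accepted here.  'Enabled'
    alone is not enough: a peer that does not sign still gets an unsigned
    session.  The LanmanWorkstation values only govern the host's own
    outbound connections, so they do not change this answer."""
    return signing_posture(host_params)["LanmanServer"] != "required"


def relay_exposed_hosts(hosts):
    """Names of hosts in a fleet snapshot that accept unsigned SMB sessions."""
    return sorted(name for name, params in hosts.items()
                  if accepts_unsigned_sessions(params))


# Constructed snapshot: a DC that requires signing, a member server that only
# enables it, and a workstation with neither value set.
SAMPLE_HOSTS = {
    "dc1": {"LanmanServer": {REQUIRE: 1, ENABLE: 1},
            "LanmanWorkstation": {REQUIRE: 1, ENABLE: 1}},
    "member1": {"LanmanServer": {ENABLE: 1},
                "LanmanWorkstation": {ENABLE: 1}},
    "ws1": {},
}

if __name__ == "__main__":
    for name, params in SAMPLE_HOSTS.items():
        print(name, signing_posture(params))
    print("accept unsigned sessions:", relay_exposed_hosts(SAMPLE_HOSTS))
```

On a real estate the dict would be filled from a registry export or a GPO result report; the point of the check is that "member1", with signing enabled but not required, lands in the same list as the workstation that has nothing configured at all.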




RE: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Ken Schaefer
I'm not sure what NTLM SSO Pass-Through is, but NTLM is not natively
delegatable, so you can't (in the normal course of events) use this to create
an account anywhere except on the local machine. There may be easier ways to
create accounts on local machines.
 
Cheers
Ken



From: [EMAIL PROTECTED] on behalf of Michael B Allen
Sent: Tue 9/01/2007 9:34 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Risks of exposure of machine account passwords



On Mon, 8 Jan 2007 15:33:01 -0500
"joe" <[EMAIL PROTECTED]> wrote:


But I can add an improved permutation to your dirty trick. Send out an
email with a link to your site but use NTLM SSO pass-through to create a
bogus account with a predefined password. If someone with domain admin
privs so much as stumbles across your site they will create the said
account and not even know they did it. No credentials necessary and no
SSO account necessary. Just a website with an FQDN.

There is one simple security setting that will thwart this attack
though. For bonus points, does anyone know what it is? :->

Mike



RE: [ActiveDir] Cross-Forest Kerberos Delegation

2007-01-01 Thread Ken Schaefer
Hi Steve,

Are you sure about this?

I have the ISA Server, IIS Server and App Server in Forest1

If I logon to the client machine using a user from Forest1, then everything
works fine (I can see all the Kerberos stuff happening in Ethereal captures)

If I logon to the client machine using a user from Forest2, then I get a 403
that appears to come from ISA Server (nothing gets to the IIS server at all).

The above two happen regardless of whether the client machine is in Forest1
or Forest2.

The only thing I can think of is that User2 belongs to a different forest,
and because ISA Server supports constrained delegation only, this is stopping
things from working.

Cheers
Ken
 
--
www.adopenstatic.com/cs/blogs/ken/

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of steve patrick
: Sent: Saturday, 30 December 2006 11:11 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
: 
: Wow that turned out ugly, didn't it?
: 
: Basically it should have shown that all machines are in one domain in
: Forest1 and the user account is in Forest 2 and F1 trusts F2.
: 
: Sorry for the long delay  in reply also - I was on vacation ...
: 
: Happy New Years!
: 
: steve
: 
: - Original Message -
: From: "steve patrick" <[EMAIL PROTECTED]>
: To: 
: Sent: Friday, December 29, 2006 4:07 PM
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
: 
: 
: > Hi Ken
: >
: > Based on your mail you seem to have the following setup:
: >
: >
: > F1> F2
: > | |
: > M1---> ISA---> IIS--->AppServer UserA
: >
: >
: > UserA logs on to M1 and hits the IIS Server which needs to access
: > AppServer with a proper token for UserA
: >
: > In this scenario - constrained delegation will work ok.
: >
: > Perhaps Joe was thinking of the docs which state you have to have the
: IIS
: > Server and the AppServer in the same forest and domain?
: >
: > steve
: >
: >
: >
: > - Original Message -
: > From: "Ken Schaefer" <[EMAIL PROTECTED]>
: > To: 
: > Sent: Tuesday, December 19, 2006 4:58 PM
: > Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
: >
: >
: > Hi Joe,
: >
: > Thanks for your comments. Certainly using Basic is easier, and this is
: > mostly
: > what they are doing at the moment. I say mostly because I wasn't
: entirely
: > upfront about the "web server" component in my original diagram. That is
: > actually several dozen different web applications - some of which do not
: > have
: > an option to use Basic (either technical limitation -or- a security
: > standard). The aim of the project is to (a) see if transparent logons
: can
: > be
: > made available to users (i.e. via IWA challenges) and (b) see if SSO can
: > be
: > enabled (so users do not need to authenticate to different applications
: > behind the proxy) and (c) get away from Basic Auth. So I'm going to have
: > to
: > keep looking at Kerberos related solutions :-)
: >
: > Cheers
: > Ken
: >
: > --
: > My Blog: www.adOpenStatic.com/cs/blogs/ken
: >
: >
: > : -Original Message-
: > : From: [EMAIL PROTECTED] [mailto:ActiveDir-
: > : [EMAIL PROTECTED] On Behalf Of Joe Kaplan
: > : Sent: Wednesday, 20 December 2006 10:41 AM
: > : To: ActiveDir@mail.activedir.org
: > : Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
: > :
: > : My understanding is that you can get the actual protocol transition
: > : logon to
: > : work, but you cannot use delegation (which is what you really need)
: > : because
: > : PT is tied to constrained delegation and it only works in a single
: > : domain,
: > : not even in multiple domains in a forest.  Your understanding is
: > : basically
: > : correct.
: > :
: > : This is a documented limitation and not something I've played with
: > : personally, so I'm not sure if there is more to it than that.
: > :
: > : I honestly don't know if this can be made to work with unconstrained
: > : delegation/kerb auth in IIS, as I've never tried that either.
: However,
: > : giving out unconstrained delegation privileges is a bit icky.
: > :
: > : This may be one of those situations where it is easier to just pass
: the
: > : plaintext credentials around between the tiers using basic auth/SSL
: and
: > : such.
: > :
: > : Joe
: > :
: > : - Original Message -
: > : From: Ken Schaefer
: > : To: ActiveDir@mail.activedir.org
: > : Sent: Tuesday, December 19, 2006 5:29 PM
: > : Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
: > :
: > :
: > : Hi Steve,
: > :
: > : Can you elaborate 

RE: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread Ken Schaefer
Hi Joe,

Thanks for your comments. Certainly using Basic is easier, and this is mostly
what they are doing at the moment. I say mostly because I wasn't entirely
upfront about the "web server" component in my original diagram. That is
actually several dozen different web applications - some of which do not have
an option to use Basic (either technical limitation -or- a security
standard). The aim of the project is to (a) see if transparent logons can be
made available to users (i.e. via IWA challenges) and (b) see if SSO can be
enabled (so users do not need to authenticate to different applications
behind the proxy) and (c) get away from Basic Auth. So I'm going to have to
keep looking at Kerberos related solutions :-)

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken


: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Joe Kaplan
: Sent: Wednesday, 20 December 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
: 
: My understanding is that you can get the actual protocol transition
: logon to
: work, but you cannot use delegation (which is what you really need)
: because
: PT is tied to constrained delegation and it only works in a single
: domain,
: not even in multiple domains in a forest.  Your understanding is
: basically
: correct.
: 
: This is a documented limitation and not something I've played with
: personally, so I'm not sure if there is more to it than that.
: 
: I honestly don't know if this can be made to work with unconstrained
: delegation/kerb auth in IIS, as I've never tried that either.  However,
: giving out unconstrained delegation privileges is a bit icky.
: 
: This may be one of those situations where it is easier to just pass the
: plaintext credentials around between the tiers using basic auth/SSL and
: such.
: 
: Joe
: 
: - Original Message -
: From: Ken Schaefer
: To: ActiveDir@mail.activedir.org
: Sent: Tuesday, December 19, 2006 5:29 PM
: Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
: 
: 
: Hi Steve,
: 
: Can you elaborate on this? I'm familiar with what S4U2self is for, but
: not
: sure how to tell whether I would need it or not. Are you saying below
: that
: protocol transition can be used cross-forest? I thought protocol
: transition
: was tied to constrained delegation (in a user/computer account's
: properties,
: on the delegation tab there is an option that says "any protocol", but
: that's
: only available in the section for constrained delegation. If that's the
: case, then how can protocol transition work cross-forest?
: 
: Cheers
: Ken
: 
: --
: My Blog: www.adOpenStatic.com/cs/blogs/ken
: 
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
: Sent: Wednesday, 20 December 2006 12:37 AM
: To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
: Cc: Ken Schaefer
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
: 
: If I understand your scenario correctly 
: 
: In order for S4U2self (protocol transition) to work in this scenario
: you
: will need a 2-way forest trust.
: If you do not need S4U2self you can get by with the one-way trust.
: 
: steve
: -- Original message --
: From: "Ken Schaefer" <[EMAIL PROTECTED]>
: 
: > Hi all,
: >
: > I am looking at a slightly tricky situation, at least for me - I'm
: sure
: > you
: > guys would find this a "walk in the park" :-)
: >
: > I have a situation where there are two forests (2003 Forest
: Functional
: > Level). Each contains a single domain. One domain is a resource
: domain
: > (DomainB), and the other contains the user accounts (DomainA). There
: is a
: > one-way forest trust, such that the resource forest/ domain trust the
: user
: > forest (and domain).
: >
: > The situation I have is as follows:
: >
: > Client ---> ISA Server 2006 ---> Web Server ---> App Server
: >
: > The user that is logged on to the client is from DomainA. All the
: servers
: > belong to DomainB. The user's credentials need to be passed from the
: web
: > server back to the app server. So I could use Basic Authentication
: all the
: > way through. Or I can try to use Kerberos & delegation.
: >
: > Now, ISA Server can use protocol transition, so that Client ---> ISA
: > Server
: > can be something other than Kerberos (e.g. forms authentication),
: however
: > Protocol Transition then requires the use of constrained delegation.
: Am I
: > right in thinking that constrained delegation is limited to accounts
: in
: > the
: > same domain? If so, then the fact that the user is in a different
: domain
: > to
: > the ISA Server will cause this to fail.
: >
: > On the other hand, if I didn't use constrained delegation, just
: regular
: > dele

RE: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread Ken Schaefer
Hi Steve,

 

Can you elaborate on this? I'm familiar with what S4U2self is for, but not
sure how to tell whether I would need it or not. Are you saying below that
protocol transition can be used cross-forest? I thought protocol transition
was tied to constrained delegation (in a user/computer account's properties,
on the delegation tab there is an option that says "any protocol", but that's
only available in the section for constrained delegation. If that's the case,
then how can protocol transition work cross-forest?

 

Cheers

Ken

 

--

My Blog: www.adOpenStatic.com/cs/blogs/ken

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 20 December 2006 12:37 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation

 

If I understand your scenario correctly 

 

In order for S4U2self (protocol transition) to work in this scenario you
will need a 2-way forest trust.

If you do not need S4U2self you can get by with the one-way trust.

 

steve

-- Original message ------ 
From: "Ken Schaefer" <[EMAIL PROTECTED]> 

> Hi all, 
> 
> I am looking at a slightly tricky situation, at least for me - I'm
sure you 
> guys would find this a "walk in the park" :-) 
> 
> I have a situation where there are two forests (2003 Forest
Functional 
> Level). Each contains a single domain. One domain is a resource
domain 
> (DomainB), and the other contains the user accounts (DomainA).
There is a 
> one-way forest trust, such that the resource forest/ domain trust
the user 
> forest (and domain). 
> 
> The situation I have is as follows: 
> 
> Client ---> ISA Server 2006 ---> Web Server ---> App Server 
> 
> The user that is logged on to the client is from DomainA. All the
servers 
> belong to DomainB. The user's credentials need to be passed from
the web 
> server back to the app server. So I could use Basic Authentication
all the 
> way through. Or I can try to use Kerberos & delegation. 
> 
> Now, ISA Server can use protocol transition, so that Client --->
ISA Server 
> can be something other than Kerberos (e.g. forms authentication),
however 
> Protocol Transition then requires the use of constrained
delegation. Am I 
> right in thinking that constrained delegation is limited to
accounts in the 
> same domain? If so, then the fact that the user is in a different
domain to 
> the ISA Server will cause this to fail. 
> 
> On the other hand, if I didn't use constrained delegation, just
regular 
> delegation (and no protocol transition), does that work across
Forests 
> though? I have read conflicting reports on this. I'm having some
difficulty 
> getting it working, so either the answer is "no", or my skills
aren't up to 
> the task (probably the latter, in combination with the former). 
> 
> Cheers 
> Ken 
> 
> -- 
> My Blog: www.adOpenStatic.com/cs/blogs/ken 





[ActiveDir] Cross-Forest Kerberos Delegation

2006-12-18 Thread Ken Schaefer
Hi all,

I am looking at a slightly tricky situation, at least for me - I'm sure you
guys would find this a "walk in the park" :-)

I have a situation where there are two forests (2003 Forest Functional
Level). Each contains a single domain. One domain is a resource domain
(DomainB), and the other contains the user accounts (DomainA). There is a
one-way forest trust, such that the resource forest/ domain trust the user
forest (and domain).

The situation I have is as follows:

Client ---> ISA Server 2006 ---> Web Server ---> App Server

The user that is logged on to the client is from DomainA. All the servers
belong to DomainB. The user's credentials need to be passed from the web
server back to the app server. So I could use Basic Authentication all the
way through. Or I can try to use Kerberos & delegation.

Now, ISA Server can use protocol transition, so that Client ---> ISA Server
can be something other than Kerberos (e.g. forms authentication), however
Protocol Transition then requires the use of constrained delegation. Am I
right in thinking that constrained delegation is limited to accounts in the
same domain? If so, then the fact that the user is in a different domain to
the ISA Server will cause this to fail.

On the other hand, if I didn't use constrained delegation, just regular
delegation (and no protocol transition), does that work across Forests
though? I have read conflicting reports on this. I'm having some difficulty
getting it working, so either the answer is "no", or my skills aren't up to
the task (probably the latter, in combination with the former).

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken
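The whole thread turns on which delegation mode an account has been given (unconstrained, constrained, or constrained with protocol transition) and on Joe's point that constrained delegation and protocol transition only work within a single domain on the platforms discussed. Those modes are recorded on the account object itself, so they can be audited. The script below is an added example written for this page, not code from the thread or from Microsoft. The flag values are the documented userAccountControl bits TRUSTED_FOR_DELEGATION (0x80000) and TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000, the "any protocol" option on the delegation tab); the account records, their domain names and SPNs are constructed.

```python
"""Classify delegation settings from userAccountControl and
msDS-AllowedToDelegateTo (added example; account data is constructed)."""

TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("any protocol")


def delegation_mode(uac, allowed_to_delegate_to):
    """Classify one account from its userAccountControl value and its
    msDS-AllowedToDelegateTo list (empty when the attribute is absent)."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if allowed_to_delegate_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    return "none"


def spn_host_domain(spn):
    """'HTTP/iis.domainb.example:8080' -> 'domainb.example';
    None for a single-label host or a malformed SPN."""
    if "/" not in spn:
        return None
    host = spn.split("/", 1)[1].split(":", 1)[0].lower()
    _label, _dot, rest = host.partition(".")
    return rest or None


def audit(accounts):
    """Return (name, mode, note) for every account that can delegate.

    Unconstrained delegation is flagged outright (Joe's "a bit icky").
    For constrained delegation the targets are listed, and any target in a
    domain other than the account's own is called out, since the thread's
    conclusion is that constrained delegation / protocol transition is
    limited to a single domain on the platforms discussed."""
    findings = []
    for acct in accounts:
        targets = acct.get("allowedTo", [])
        mode = delegation_mode(acct["uac"], targets)
        if mode == "none":
            continue
        notes = []
        if mode == "unconstrained":
            notes.append("can impersonate any user to any service; review")
        else:
            notes.append("targets: " + ", ".join(targets))
            foreign = [t for t in targets
                       if spn_host_domain(t) not in (None, acct["domain"].lower())]
            if foreign:
                notes.append("cross-domain target(s): " + ", ".join(foreign))
        findings.append((acct["name"], mode, "; ".join(notes)))
    return findings


# Constructed accounts; 0x200 is NORMAL_ACCOUNT.
SAMPLE_ACCOUNTS = [
    {"name": "isa-svc", "domain": "domainb.example",
     "uac": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "allowedTo": ["HTTP/iis.domainb.example"]},
    {"name": "iis-svc", "domain": "domainb.example", "uac": 0x200,
     "allowedTo": ["MSSQLSvc/app.domainb.example:1433"]},
    {"name": "broker-svc", "domain": "domainb.example", "uac": 0x200,
     "allowedTo": ["HTTP/portal.domaina.example"]},
    {"name": "legacy-svc", "domain": "domainb.example",
     "uac": 0x200 | TRUSTED_FOR_DELEGATION, "allowedTo": []},
    {"name": "plain-user", "domain": "domainb.example", "uac": 0x200,
     "allowedTo": []},
]

if __name__ == "__main__":
    for name, mode, note in audit(SAMPLE_ACCOUNTS):
        print(f"{name:12} {mode:32} {note}")
```

The three attributes in play here are exactly the ones the delegation tab edits, so the same classification can be run over an LDAP export of service and computer accounts to find out, before any packet captures, which hop in the Client → ISA → IIS → App Server chain is set up for which mode.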



RE: [ActiveDir] OT: Issue with remote assistance offers

2006-10-25 Thread Ken Schaefer
Interesting that the client would be failing on that port.

In a normal RA session, where the novice asks an expert to provide assistance
(e.g. via Messenger or file etc), the novice's computer attempts to open a
connection to the expert's computer on a high-order port. If the expert's
computer doesn't detect an incoming connection attempt within 5 seconds, it
attempts to open a connection back to the novice's computer on port 3389. I
have Ethereal packet captures of this in action. 

Details can be seen here: http://support.microsoft.com/?id=306298

Why, in the case where you are offering assistance, this might occur, I'm not
sure.

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken


: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Mike Guest
: Sent: Wednesday, 25 October 2006 8:20 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] OT: Issue with remote assistance offers
: 
: Thanks for this.
: 
: I checked the settings.
: 
: DCOM is unrestricted (for administrators)
: Users are allowed to access computer from the network.
: I'm in the remote assistance users list, both as an admin and as my own
: id
: We're not using a local (xp or 3rd party) software firewall.
: 
: The only thing I did find is that an ethereal trace shows the client
: failing to make a connection on port 4213 - but I can find no docs on
: this port in Technet so I find this somewhat confusing - why that port?
: (also a LOT of TCP checksum errors - but I suspect this is ethereal
: rather than a real network issue)
: 
: I think I'm gonna just stick with the sms RC tool for now.
: 
: Thanks all.
: 
: Mike Guest
: IT Solutions
: HML
: Padiham DDI: +44 (0)1282 682550
: Internal Extension: (61) 2550
: 
: 
: -Original Message-
: From: Lucas, Bryan [mailto:[EMAIL PROTECTED]
: Sent: 24 October 2006 16:58
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] OT: Issue with remote assistance offers
: 
: I snagged this from my notes on when we deployed XP/GPO's and RA.  It
: was a beating to get this to work, maybe something in this will spark a
: thought on your part.
: 
:   Edit the new custom GPO to have the following settings
: 1.CompConfig, Windows Settings, Local Policies, Security Options:
: a.DCOM: Machine Access Restrictions
: b.DCOM: Machine Launch Restrictions
: Grant TCURAP-XYZ full control on all these rights when you define this
: setting.
: 
: 2.CompConfig, Windows Settings, Local Policies, User Rights
: Assignments:
: a.Access this computer from the network (add the TCURAP-XYZ group)
: 
: 3.CompConfig, Administrative Templates, System, Remote Assistance
: a.Offer Remote Assistance - Add the TCURAP-XYZ group (be sure to
: include the TCU\)
: 
: 4.Make sure the department has a TCU WinXP Firewall GPO with the
: following entries:
: 
: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\PCHEALTH\HelpCtr\Binaries\Helpctr.exe:*:enabled:Helpctr.exe
: 
: %systemroot%\PCHEALTH\HelpCtr\Binaries\Helpctr.exe:*:enabled:Helpctr.exe
: 
: 
: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\PCHEALTH\HelpCtr\Binaries\helpsvc.exe:*:enabled:helpsvc.exe
: 
: %systemroot%\PCHEALTH\HelpCtr\Binaries\helpsvc.exe:*:enabled:helpsvc.exe
: 
: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe
: 
: %systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe
: 
: 
: 
: 
: Bryan Lucas
: Server Administrator
: Texas Christian University
: >
: > PS: forgot to mention. XP box is a domain member, windows firewall
: > disabled
: >
: > Mike Guest
: > IT Solutions
: > *HML
: > *Padiham DDI: +44 (0)1282 682550
: > Internal Extension: (61) 2550
: >
: >
: > ----------------------------------------------------------------------
: >
: > *From:* Mike Guest
: > *Sent:* 24 October 2006 10:30
: > *To:* activedir@mail.activedir.org
: > *Subject:* [ActiveDir] OT: Issue with remote assistance offers
: >
: > Anyone seen this before?
: >
: > I have an xp box sitting behind an internal firewall (long story)
: that
: 
: > I want to be able to offer unsolicited remote assistance to. I can
: > already RDP to the box, but the session on that box I want to offer
: > assistance to is already an RDP session, so that solution's out.
: >
: > I have opened TCP135 and 3389. I can create an offer on the remote
: > system (as a file), move it to my machine and successfully initiate
: an
: 
: > RA session.
: >
: > However, when I try to initiate an RA session without an invite, the
: > help and support center window freezes for about 30 seconds then
: tells
: 
: > me "The remote machine does not exist or is unavailable" - I've tried
: > both by name and by IP
: >
: > I've double-checked with a port scanner and 135 is definitely open
: (as
: 
: > is 3

RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Ken Schaefer
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
: SBS Rocks [MVP]
: Sent: Wednesday, 18 October 2006 10:45 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] The remote computer has ended the connection.
: 
: There is no line item in there for feedback on existing products in the
: current Connect.microsoft.com feedback.

I didn't read the whole thread. I saw Brian's post about WSUS 3.0 and assumed
it was an issue with WSUS 3.0, for which you can report bugs via Connect.

: You have to pay the $245 to start the call process... they will not set
: up a support case to take you to the next level to begin the
: investigation until you pay the Server call.

Well that seems to vary between countries then. I have been asked to supply
credit card details, but not been charged.

Additionally, as someone else mentioned, security hotfix support should be
free shouldn't it?

Cheers
Ken


 
: I just paid it earlier today to get into the queue.
: 
: Ken Schaefer wrote:
: >
: > You can report bugs via the Feedback/Bugs form at
: > http://connect.microsoft.com (you need a Passport/Live account to
: > sign in, and if you haven't already, join the WSUS v3 open beta).
: >
: > PSS generally does not support products that are in beta - that is
: > handled by the product team. Different products have different
: > feedback mechanisms for reporting bugs. As the product moves closer
: > to release, support is transitioned across to PSS. If you have a
: > problem with a product that is PSS supported, and the problem is in
: > the Microsoft product, you do not have to pay $245.
: >
: > Cheers
: >
: > Ken
: >
: > --
: >
: > My Blog: www.adOpenStatic.com/cs/blogs/ken
: > <http://www.adopenstatic.com/cs/blogs/ken>
: >
: > *From:* [EMAIL PROTECTED]
: > [mailto:[EMAIL PROTECTED] *On Behalf Of *Vinnie Cardona
: > *Sent:* Wednesday, 18 October 2006 7:08 AM
: > *To:* ActiveDir@mail.activedir.org
: > *Subject:* RE: [ActiveDir] The remote computer has ended the connection.
: >
: > Don't have an account manager.
: >
: > WSUS3.0 beta is on our Dev side...UpdateExpert is on Prod.
: >
: > Thanks,
: >
: > ---
: >
: > *From:* [EMAIL PROTECTED]
: > [mailto:[EMAIL PROTECTED] *On Behalf Of *Brian Desmond
: > *Sent:* Tuesday, October 17, 2006 12:49 PM
: > *To:* ActiveDir@mail.activedir.org
: > *Subject:* RE: [ActiveDir] The remote computer has ended the connection.
: >
: > *Do you have an account manager at MS? That's another avenue you can
: > take. *
: >
: > * *
: >
: > *WSUS3.0 is beta SW so shouldn't be running it in production. *
: >
: > * *
: >
: > *Thanks,*
: >
: > *Brian Desmond*
: >
: > [EMAIL PROTECTED]
: >
: > * *
: >
: > *c - 312.731.3132*
: >
: > * *
: >
: > *From:* [EMAIL PROTECTED]
: > [mailto:[EMAIL PROTECTED] *On Behalf Of *Vinnie Cardona
: > *Sent:* Tuesday, October 17, 2006 12:58 PM
: > *To:* ActiveDir@mail.activedir.org
: > *Subject:* RE: [ActiveDir] The remote computer has ended the connection.
: >
: > Susan,
: >
: > We don't have a MS support contract. Unfortunately rebooting the
: > server was cheaper than paying MS $245.
: >
: > Never used WSUS until this month. I am currently running WSUS 3.0.
: >
: > Now for those of you who have experienced this bug and do not have a
: > support contract:
: >
: > Just contacted MS @ (800) 936-4900 (option 2) and asked if I can just
: > report a bug without having to pay and he informed me that I will have
: > to report the bug via mail to the development team. The address he
: > gave me was:
: >
: > Microsoft Corporation
: >
: > 1 Microsoft Way
: >
: > Redmond, WA 98052
: >
: > Attention would be to the Development Team. Include the product name
: > and bug.
: >
: > Susan...I think informing MS in some way or form of this potential bug
: > is a good idea...

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Ken Schaefer
You can report bugs via the Feedback/Bugs form at http://connect.microsoft.com
(you need a Passport/Live account to sign in, and if you haven’t already, join
the WSUS v3 open beta).

PSS generally does not support products that are in beta – that is
handled by the product team. Different products have different feedback
mechanisms for reporting bugs. As the product moves closer to release, support
is transitioned across to PSS. If you have a problem with a product that is PSS
supported, and the problem is in the Microsoft product, you do not have to pay
$245.

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Wednesday, 18 October 2006 7:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Don’t have an account manager.

WSUS3.0 beta is on our Dev side…UpdateExpert is on Prod.

Thanks,


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 17, 2006 12:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Do you have an account manager at MS? That’s another avenue you can take.

WSUS3.0 is beta SW so shouldn’t be running it in production.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Susan,

We don't have a MS support contract. Unfortunately rebooting the server was
cheaper than paying MS $245.

Never used WSUS until this month. I am currently running WSUS 3.0.

Now for those of you who have experienced this bug and do not have a support
contract:

Just contacted MS @ (800) 936-4900 (option 2) and asked if I can just report
a bug without having to pay and he informed me that I will have to report the
bug via mail to the development team. The address he gave me was:

Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052

Attention would be to the Development Team. Include the product name and bug.

Susan…I think informing MS in some way or form of this potential bug is a
good idea…

RE: [ActiveDir] OT: A short and sweet KB

2006-10-10 Thread Ken Schaefer
Best … KB Article … Ever

--
My Blog: www.adOpenStatic.com/cs/blogs/ken


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Wednesday, 11 October 2006 7:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: A short and sweet KB

Do you mind writing a KB with the following content:

Whatever you are trying to do is not supported.

It would be a great KB to refer folks to. I really need it quite
often. I would memorize the KB number. Hell, I would include it into my
signature.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 10, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: A short and sweet KB

LOL that is great...

I have thought about using my MVP Super Powers to write small KBs like
that in the past so I could point at it for people to read when I said
something simple that isn't specifically documented but they wanted to see
documents on Microsoft's site stating what I said... In the end I didn't do it
because, well it just doesn't seem right. ;)

  joe

RE: [ActiveDir] Domain Controller Bare Metal restore

2006-10-05 Thread Ken Schaefer
Why do you need one sysprep image of all your DCs? Can't you just make one
sysprep image in total (and just add all the necessary drivers for each
model?). Alternatively there is an ADS image mounting tool you can use if you
need to make slight modifications to a captured image to cater for different
devices.

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF
: NASIC/SCNA
: Sent: Thursday, 5 October 2006 10:11 PM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] Domain Controller Bare Metal restore
: 
: List,
: 
: I have been looking at several options to restore a failed DC from the
: ground up.  ADS seems to look promising, but it's hard to get one
: SYSPREP image for all of my DCs even though they are all flavors of
: Dell PowerEdge, it has proven difficult.  Does anyone know of a good
: solution to restore a DC from the ground up utilizing a network
: connection, without inserting disk and going through the steps.
: 
: Thanks,
: Nathaniel V Bahta
: Sr. Systems Administrator
: General Dynamics Information Technology
: (937)257-4757
: 
: 
: 
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Mark Parris
: Sent: Wednesday, October 04, 2006 3:24 AM
: To: ActiveDir.org
: Subject: Re: [ActiveDir] choose between SOAD and Netpro directory
: Troubleshooter.
: 
: SOAD has a lovely GUI and lots of flashing lights
: 
: 
: Mark Parris
: 
: Base IT Ltd
: Active Directory Consultancy
: Tel +44(0)7801 690596
: 
: 
: -Original Message-
: From: Yann <[EMAIL PROTECTED]>
: Date: Tue, 3 Oct 2006 20:11:12
: To:ActiveDir@mail.activedir.org
: Subject: [ActiveDir] choose between SOAD and Netpro directory
: Troubleshooter.
: 
: Hello all,
: 
: I don't know if it is the right place
: I'm about to test 2 AD Troubleshooters products and I have to choose
: one them to monitor,tshoot our AD infrastructure:
: Spotlight on Active Directory (SOAD) and Netpro Active Directory
: Troubleshooter.
: Does someone have any experiences with the 2 products and could tell me
: what are the pros and cons of each of them ?
: 
: Thank you,
: 
: Yann
: 
: 
: 
: 
: 


RE: [ActiveDir] Problem with Active Sync

2006-09-29 Thread Ken Schaefer
Seems to indicate that the FE Exchange server is returning HTTP 400 (Bad
Request) in response to whatever is being sent from the client PC. The
httperr.log file on the Exchange FE server may have some further details on
why the HTTP request is invalid.

What you can do is enable logging on both the WM device, and at the FE
Exchange server (via NextTags) to see what is leaving the device, and what is
being seen at the Exchange FE server. It may be that something is altering
what is being sent.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!


: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Ravi Dogra
: Sent: Saturday, 30 September 2006 7:19 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Problem with Active Sync
: 
: Hi,
: 
: Sync seems to be working with GPRS but using local LAN or DSL
: connection i am not able to sync my mailbox i am getting Error Code
: 0x85010001 and there is not much mentioned in
: http://www.pocketpcfaq.com/faqs/activesync/exchange_errors.php
: 
: Can anyone please suggest what can be done in this case?
: 
: Thanks
: Ravi Dogra
: 
: On 9/29/06, Ravi Dogra <[EMAIL PROTECTED]> wrote:
: > Yes it was working fine till 4 days ago. Suddenly it stopped
: > responding and gave some valid reasons which were rectified.
: >
: > Now i am not getting any errors. it keeps on looking for sync but
: > nothing happens. No error, nothing.
: >
: > Device is a windows Mobile device.
: >
: > Antivirus is Sophos. But i don't think this will be an issue. since it
: > was there when everything was good.
: >
: >
: > On 9/29/06, Molkentin, Steve
: <[EMAIL PROTECTED]> wrote:
: > > Ravi,
: > >
: > > Was it ever working? What version of ActiveSync are you using, and what
: > > of the devices (what OS)?
: > >
: > > The reason I ask is that we have an issue with ActiveSync v4.2 and Trend
: > > OfficeScan where they DO NOT play together with Windows Mobile 5.0
: > > devices. No fix from Trend until later next year!!! Same (or at least
: > > similar) error to what you report.
: > >
: > > My $0.02 inc GST.
: > >
: > > themolk.
: > >
: > >
: > > > -Original Message-
: > > > From: [EMAIL PROTECTED]
: > > > [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
: > > > Sent: Friday, 29 September 2006 7:15 AM
: > > > To: ActiveDir@mail.activedir.org
: > > > Subject: Re: [ActiveDir] Problem with Active Sync
: > > >
: > > > in this case how i can be sure if everything is good with my exchange
: > > > configuration and nothing is wrong with OMA/OWA/ Active Sync.
: > > >
: > > > Is it possible to verify if my server configuration is ok or not.
: > > >
: > > > A few days back when users reported me this problem i looked at the
: > > > error and that was authentication method problem. Which was later on
: > > > rectified.
: > > >
: > > > in addition to that after resolving auth problem i was able to see
: > > > items when i tried http://mail.domain.com/oma
: > > > Domain\Username
: > > > Password
: > > >
: > > > When this is fixed. do i need to check something else to make
: > > > active sync work.
: > > >
: > > > Thanks!!!
: > > > Ravi Dogra
: > > >
: > > > On 9/29/06, Bruyere, Michel <[EMAIL PROTECTED]> wrote:
: > > > > Hi,
: > > > >Last time i had this, I had to pin point the culprit
: > > > by removing
: > > > > all the items and then re add them 1 by 1 synching between
: > > > each item. It
: > > > > turned out to be a note that was "corrupted" I deleted it
: > > > and then re
: > > > > added the notes to the sync and all went well after that.
: > > > >
: > > > > My 0.02$
: > > > >
: > > > > (also, make sure your device is not connected to the pc
: > > > when you boot
: > > > > the pc. When windows detect the device before active sync
: > > > is started it
: > > > > screws things up a bit...)
: > > > >
: > > > >
: > > > >
: > > > > > -Original Message-
: > > > > > From: [EMAIL PROTECTED] [mailto:ActiveDir-
: > > > > > [EMAIL PROTECTED] On Behalf Of Ravi Dogra
: > > > > > Sent: September 28, 2006 3:17 PM
: > > > > > To: ActiveDir@mail.activedir.org
: > > > > > Subject: [ActiveDir] Problem with Active Sync
: > > > > >
: > > > > > Hi All,
: > > > > >
: > > > > > I am facing problems while trying to sync my PPC. I receive error
: > > > > > stating synchronization failed and support code is 80004004.
: > > > > >
: > > > > > I was facing some other problems with my active sync and oma which
: > > > > > were rectified by changing authentication methods to not allowing
: > > > > > anonymous and enabling Windows integrated and basic
: > > > > > authentication.
: > > > > >
: > > > > > However i am doubting on my Active Sync. I think there is something
: > > > > > wrong with it and i have no clue...
: > > > > >
: > > > > > This is really urgent


RE: [ActiveDir] OT: admin account in Vista

2006-09-11 Thread Ken Schaefer
--- Original Message ---
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
: Sent: Tuesday, 12 September 2006 12:47 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] OT: admin account in Vista
: 
: Yes Ken, I believe it is a departure to write down the admin password for
: every single workstation out there.

Certainly that is a departure.


: For many years the best practices have been to create passwords that were
: difficult but able to be remembered so they would not have to be written
: down. Writing it down, the thinking goes, increases the risk that it would
: be seen by somebody else.

Sure. But forcing people to memorize numerous passwords also has its own
risks. So we have tradeoffs here.

I think all that Jesper (et al) are saying is that blanket prohibitions on
writing down passwords tend to ignore the real reason why those prohibitions
came about in the first place. The password is the shared secret that enables
you to authenticate yourself. The shared secret must not be compromised, and
generally if you write down the password it can be compromised, because the
written down password tends to be easily accessible (e.g. taped to the user's
monitor). 

However *if* you are able to secure the written down password (e.g. by using
your own password manager application, or a physical safe, or your wallet, or
whatever), then the increased risk of compromise may be acceptable because it
allows you to maintain a more diverse, complex, set of passwords for systems
you need to connect to. If you can not secure the secret, then do not write
it down.

I don't think there's anything really radical in that argument. It's just
that the caveat (security around the secret) has been lost, and the
exhortation not to write down the password has remained.


: I strongly disagree with the assertion and reversal of thinking.

Fair enough. But the original blog post cited did say (emphasis added):

we recommend the follow tips for *home* users

As I mentioned before, for your home PC, if you write down the admin password
and store it under your keyboard are you really risking much (assuming you
live alone or can trust your housemates)? Anyone who has access to that piece
of paper has already probably already broken into your house. You probably
have other worries which are much more pressing than having your computer's
admin password compromised :-)

At the risk of repeating what we already know - security is about risk
management. We need to know what risks we're facing. Home users have more
physical security they can rely on than the average corporate cubicle.
Relying on that physical security may be an acceptable risk.

Cheers
Ken

RE: [ActiveDir] OT: admin account in Vista

2006-09-08 Thread Ken Schaefer
Is it a departure really?

I’m always pretty sure that the advice has been to avoid writing
down your username/password and storing it in an *insecure* location
(i.e. taped to your monitor at work)

On the other hand, if you write down the details and store it in
a safe place (e.g. place it into a safe) then surely you are relying on the
security of the physical device to protect you. That may be an acceptable risk.
I’m pretty sure if you wrote down your admin password at home, and stored the
piece of paper underneath your keyboard, you probably wouldn’t have that much
to worry about (unless you couldn’t trust whoever else was living in the
house/unit/apartment). Anyone breaking into your house has full physical
access anyway…

Cheers
Ken


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, 8 September 2006 1:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: admin account in Vista

"Write down your username and password and store it in a safe location."

That's an interesting departure from the usual recommendations. ;-)

On 9/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:

Windows Vista Security : Built-in Administrator Account Disabled:
http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx


RE: [ActiveDir] Windows 2003 R2 Issue

2006-08-12 Thread Ken Schaefer
In line with Brian’s question – how is the OP reading the secret, and what
are the differences between the two servers (and DCs if there are different
DCs involved)?

If you hook the functions that generate the passwords and convey them to the
DC, it would be possible to get this value (in a similar way that you could
get a user’s password via a custom passfilt.dll). However without knowing what
the OP is doing, and what the differences are between the two environments,
it’s impossible to state with any certainty what the “problem” is in the
second environment.

Cheers
Ken


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, 13 August 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 R2 Issue

OK in that case how is the OP reading the secret?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Sunday, August 13, 2006 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 R2 Issue

Read the last line of the original post.

Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, August 13, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 R2 Issue

He’s trying to read a secret – you’re not allowed to do that period.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Saturday, August 12, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Windows 2003 R2 Issue

What rev is that other 2003 OS and what type of code are you using? .Net?
Can you post a snippet? (note: I'm not a programmer, but I sometimes play one
on the internet. If it gets too deep, we'll ask somebody like Joe K to help
out; he does that stuff for a living).

Al

On 8/11/06, Manjeet Singh <[EMAIL PROTECTED]> wrote:

Hi,

I have one test setup with Windows 2003 R2 with SP1.
Single Domain Topology:

AD Server = Windows 2003 R2 + SP1
Exchange Server: - Windows 2003 R2 + Exchange 2003 Ent + SP2 + latest
Microsoft security patches.

Problem: I am unable to read the machine password of the Exchange Server. It
says Error if I try to access the machine password. I need the machine
password of exchange server for testing some code. Any idea what could be the
reason?

I am able to get the password successfully from another exchange server which
is running in Windows 2003 OS.


RE: [ActiveDir] ldp in ADAM-SP1

2006-07-30 Thread Ken Schaefer
Hi Al,

I’m going to have to disagree here. I’d wager that the average
programmer has a better understanding of writing code that has:

a) proper specifications and design
b) robust error handling
c) strong typing
d) etc

Of course, there are always deadlines that result in shoddy
code, and there are certainly some shoddy programmers. But the average scripter
(in my experience) seems to have far fewer clues on how to write robust,
reusable, defensive code than the average programmer. The average scripter
doesn’t know much about IDEs, debugging, source control, unit tests and all the
other goodies that make maintaining large bodies of code easy.

There’s nothing wrong with writing scripts – especially for
things that just require a few lines of code. Trying to maintain something that
has 1000+ lines of code is a nightmare when scripted using VBS/JScript

Cheers
Ken


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, 30 July 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

I have to say that's weak logic joe. Well, good logic, but weak assumptions.

Tool writers are no more likely to prevent unforeseen
mistakes than a script writer. On the plus side, if you write your own script,
you'll have plenty of time to test it and will have gained a great deal more
knowledge than you previously had. Mostly about how not to do it, but that's
better than figuring that out in production or worse, trusting the tool writer
to have done the work for you and to have guessed what you wanted done.

joeware tools excepted in most cases of course ;)

On 7/29/06, joe <[EMAIL PROTECTED]> wrote:

I am curious about this statement

While you can use the command line tools as much as
possible, as joe and Guido both pointed out, consider rolling your own scripts
if you absolutely cannot do what you *need* to do at the GUI.

In general, scripts are more dangerous than the command line tools
because there are a lot of screwups you can make in a script that a tool may
not make because hopefully a full blown tool writer understands the
permissioning model and the dev work behind it better than a script writer. It
is quite easy to use a script and to add 30 duplicate ACEs to an ACL. I can't
count the number of times I have seen things like that. There is no guarantee
that a commandline tool won't do the same but there are fewer and hopefully
more experienced people writing command line tools than scripts.

  joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


RE: [ActiveDir] Enumerating Group type and Mebership...

2006-07-25 Thread Ken Schaefer
Hi,

Try these (if you don’t get any better answers from the gurus):

For just groups and their membership (batch file):

rem dsquery returns at most 100 objects by default; -limit 0 lists every group.
rem In a batch file the for variable is written %%a (at an interactive prompt it is %a).
dsquery group -limit 0 > all-groups.txt
for /f "tokens=1* delims=}" %%a in (all-groups.txt) do @(echo GROUP:%%a & dsget group %%a -members) >> group-members.txt

For groups, type and membership (vbs file):

' To output to a text file use:
' cscript //nologo test.vbs > filename.txt

Option Explicit

' groupType flag bits (ADS_GROUP_TYPE_ENUM). ADSI returns groupType as a
' signed 32-bit Long, so security-enabled groups come back as negative values:
' the security bit is the sign bit.
Const ADS_GROUP_TYPE_BUILTIN_LOCAL    = &H00000001
Const ADS_GROUP_TYPE_GLOBAL           = &H00000002
Const ADS_GROUP_TYPE_DOMAIN_LOCAL     = &H00000004
Const ADS_GROUP_TYPE_UNIVERSAL        = &H00000008
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000

Dim objConn       ' ADODB.Connection
Dim objCommand    ' ADODB.Command
Dim objRS         ' ADODB.Recordset
Dim objRootDSE    ' RootDSE
Dim objGroup      ' AD Group
Dim strDNSDomain  ' String
Dim strQuery      ' String
Dim strDN         ' String

' Bind to the Root Container
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

' Create our Command Object
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConn

' Determine the DNS domain from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Search for all groups, return the Distinguished Name of each.
' ADO LDAP dialect: <search base>;filter;attributes;scope
strQuery = "<LDAP://" & strDNSDomain & ">;(objectClass=group);distinguishedName;subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False

Set objRS = objCommand.Execute
If objRS.EOF Then
  Wscript.Echo "No groups found"
  objConn.Close
  Set objRootDSE = Nothing
  Set objConn = Nothing
  Set objCommand = Nothing
  Set objRS = Nothing
  Wscript.Quit
End If

' Enumerate all groups, bind to each, and document group members.
Do Until objRS.EOF
  strDN = objRS.Fields("distinguishedName").Value
  Set objGroup = GetObject("LDAP://" & strDN)
  ' To restrict the output to particular scopes, test objGroup.groupType
  ' against the ADS_GROUP_TYPE_* constants here before echoing.
  Wscript.Echo objGroup.sAMAccountName & " (" & GetType(objGroup.groupType) & ")"
  Call GetMembers(objGroup)
  objRS.MoveNext
Loop

' Clean up.
objConn.Close
Set objRootDSE = Nothing
Set objGroup = Nothing
Set objConn = Nothing
Set objCommand = Nothing
Set objRS = Nothing

Function GetType(intType)
' Function to determine group type from the GroupType attribute.
  If (intType And ADS_GROUP_TYPE_BUILTIN_LOCAL) <> 0 Then
    GetType = "Built-in"
  ElseIf (intType And ADS_GROUP_TYPE_GLOBAL) <> 0 Then
    GetType = "Global"
  ElseIf (intType And ADS_GROUP_TYPE_DOMAIN_LOCAL) <> 0 Then
    GetType = "Local"
  ElseIf (intType And ADS_GROUP_TYPE_UNIVERSAL) <> 0 Then
    GetType = "Universal"
  End If
  ' Security-enabled is bit 31 (&H80000000), not &H8000.
  If (intType And ADS_GROUP_TYPE_SECURITY_ENABLED) <> 0 Then
    GetType = GetType & "/Security"
  Else
    GetType = GetType & "/Distribution"
  End If
End Function

Sub GetMembers(objADObject)
' Subroutine to document group membership.
' Members can be users or groups (nested groups are listed, not expanded).
  Dim objMember, strType
  For Each objMember In objADObject.Members
    If UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP" Then
      strType = "Group"
    Else
      strType = "User"
    End If
    Wscript.Echo "   Member: " & objMember.sAMAccountName & " (" & strType & ")"
  Next
  WScript.Echo ""
  Set objMember = Nothing
End Sub

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!
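The VBS script above decodes groupType flag by flag and prints each group's direct members, so a nested group appears as a member but is not expanded (the "follow the '+' if there is nesting" that Matt asks for further down the thread). As an added example that is not part of Ken's post, nor any Microsoft tool, the Python below does both over a constructed in-memory snapshot: it decodes groupType values exactly as ADSI hands them back (signed 32-bit, so a security group such as 0x80000002 shows up as -2147483646), and it flattens nested membership while guarding against membership cycles, which AD permits. The DNs, group names and groupType values are made up for the example; on a live domain they would come from an LDAP query like the ADO query in the script.

```python
"""Decode Active Directory groupType values and flatten nested membership.

Added example for the ActiveDir thread, not code from the post or from
Microsoft.  The directory snapshot below is constructed for illustration.
"""
from __future__ import annotations

# Flag bits of the AD groupType attribute (ADS_GROUP_TYPE_ENUM).
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def decode_group_type(group_type: int) -> str:
    """Return "<scope>/<Security|Distribution>" for a raw groupType value.

    ADSI and most LDAP clients return the attribute as a signed 32-bit
    integer, so security groups appear negative (-2147483646 is a global
    security group).  Masking to 32 bits makes the 0x80000000 test work for
    both the signed and the unsigned representation.
    """
    bits = group_type & 0xFFFFFFFF
    if bits & GROUP_TYPE_BUILTIN_LOCAL:
        scope = "Built-in"
    elif bits & GROUP_TYPE_GLOBAL:
        scope = "Global"
    elif bits & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "Domain Local"
    elif bits & GROUP_TYPE_UNIVERSAL:
        scope = "Universal"
    else:
        raise ValueError(f"no scope bit set in groupType {group_type:#x}")
    kind = "Security" if bits & GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    return f"{scope}/{kind}"


# Constructed snapshot (made-up DNs and values):
#   DN -> (objectCategory, groupType or None, list of member DNs)
DA = "CN=Domain Admins,CN=Users,DC=example,DC=test"
OPS = "CN=Enterprise Ops,OU=Groups,DC=example,DC=test"
STAFF = "CN=All Staff,OU=Groups,DC=example,DC=test"
ALICE = "CN=alice,CN=Users,DC=example,DC=test"
BOB = "CN=bob,CN=Users,DC=example,DC=test"
CAROL = "CN=carol,CN=Users,DC=example,DC=test"
# Placeholder DN for an object the query did not return (for instance a
# foreign security principal from a trusted domain).
UNRESOLVED = "CN=S-1-5-21-PLACEHOLDER,CN=ForeignSecurityPrincipals,DC=example,DC=test"

DIRECTORY = {
    DA: ("group", -2147483646, [OPS, ALICE]),            # 0x80000002: global security
    OPS: ("group", -2147483640, [BOB, DA, UNRESOLVED]),  # 0x80000008: universal security; nests DA back (a cycle)
    STAFF: ("group", 8, [ALICE, CAROL, OPS]),            # 0x8: universal distribution
    ALICE: ("person", None, []),
    BOB: ("person", None, []),
    CAROL: ("person", None, []),
}


def flatten_members(group_dn: str, directory: dict = DIRECTORY) -> dict[str, list[str]]:
    """Resolve the nested membership of one group.

    Returns {member DN: [chain of group DNs through which it was first reached]}.
    Only non-group objects count as effective members; nested groups are
    expanded.  A visited set stops membership cycles (A contains B, B contains
    A), which would otherwise recurse without end.  DNs missing from the
    snapshot are reported as members but not expanded.
    """
    effective: dict[str, list[str]] = {}
    visited: set[str] = set()

    def walk(dn: str, chain: list[str]) -> None:
        if dn in visited:
            return
        visited.add(dn)
        chain = chain + [dn]
        for member in directory[dn][2]:
            entry = directory.get(member)
            if entry is not None and entry[0] == "group":
                walk(member, chain)
            else:
                effective.setdefault(member, chain)

    walk(group_dn, [])
    return effective


def report(directory: dict = DIRECTORY) -> list[str]:
    """Produce the listing the VBS script prints, plus the nesting path."""
    lines: list[str] = []
    for dn, (category, group_type, _members) in sorted(directory.items()):
        if category != "group":
            continue
        lines.append(f"{dn} ({decode_group_type(group_type)})")
        for member, chain in sorted(flatten_members(dn, directory).items()):
            via = "" if len(chain) == 1 else " via " + " > ".join(chain[1:])
            lines.append(f"   Member: {member}{via}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The cycle guard matters in practice: AD allows a group to be a member of a group that contains it, and a naive recursive walk over such a pair never terminates. Reporting the chain alongside each effective member also shows where a user's access actually comes from, which a flat list of direct members hides.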



 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, 26 July 2006 7:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...

We’re medium size – and yes someone does want a current outdated list :) -
Just trying to make it happen….


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Mebership...

You either have a small environment or someone wants a document that will be
completely outdated 12 minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and
show their members and continue to follow the '+' if there is nesting.
That would be an awesome feature in the ADUC. Maybe I should submit that
feature request to Quest and Microsoft.

On 7/25/06, Mike Hogenauer <[EMAIL PROTECTED]> wrote:

I need all Security Groups and Distribution groups – and their members

Thanks Laura!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...

What is "everything [you] need", specifically?

Thanks,
Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 2

RE: [ActiveDir] OT: Interview Techniques

2006-07-24 Thread Ken Schaefer








I suppose there are several “roles”
that senior people could hold: some are managerial, some are architectural, and
some are deeply technical (i.e. high level support). Architects, in that taxonomy,
would do design work. Whereas a PSS engineer would probably spend more time
with a debugger than using Word and Visio to produce high-level designs.

 

Cheers

Ken

 

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Monday, 24 July 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Interview Techniques





 

A senior guy IMO should be more focused on "design"
aspects than "support" and thus should be able to answer questions
along the line of:

 

"How would
you design a schema change process, encompassing initial request through to
implementation." 

 

The answer to the above should help determine alot of info from
that person (see below) - even if they cannot answer the question fully.

 

 - Does this person think logically

 - Does this person explain ideas in a cohesive manner

 - Does this person answer questions with fluff and BS or are
they succinct

 - etc

 

To answer 'what do the FSMOs do?' one can simply state - "I'd
look it up in a book". I'd therefore always try to ask questions which can
only be answered through experience (where possible) and not just through
reading a book.

 

My 2 penneth,

neil







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: 24 July 2006 07:16
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

Brian,

That was a good story, very funny.  So what did the guy do? Did he just get up
and leave?  I know from reading your posts you are usually straight and to the
point. I would be sweating if I had to interview with you.

Going off course a bit.  What are some types of AD questions that you all
consider to be "senior level"?  For example what if you ask someone how to do
a metadata cleanup?  Would you all consider that to be a mid level question?
Just wondering because I always grapple trying to figure out questions for the
mid vs. senior level candidate.

On 7/23/06, Brian Desmond <[EMAIL PROTECTED]> wrote: 

I've got no second thoughts about being an asshole during a tech
interview. I ask the question, you either answer it or tell me you don't
know. If you choose not to tell me you don't know and demonstrate that
you don't know through what you tell me instead, I'm already pretty much
through. If you're arrogant like this candidate you describe, I'm likely
through as well.

My favorite exchange as of late goes like this:

Me - Tell me a little bit about your experience migrating Exchange 5.5
orgs to 2003
Them - blah blah blah
Me - Ok, can you name the three types of connection agreements in the 
ADC?
Them - well uh blah blah well uh excuse excuse
Me - other questions
Me - So would you be comfortable migrating a 10K user 5.5 org to 2003?
Them - Absolutely
Me - How can you be comfortable doing that when you can't even explain 
the first step of the migration to me?


In any case, others have put some really good advice here. What you want
in a technical lead is someone who can get their hands dirty without
getting scared or screwing up. They should also have no second thoughts
about delegating work and asking their subordinates for help. That
person needs to be able to deal with upper management, and they also
need to make sure their self esteem is in check - none of that "I did X"
when all they did is watch. Hiring your new manager can be a little
difficult on both sides from the point of view of why wasn't someone on
your team promoted to that position?


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Ken Schaefer
Can't your spyware just change/delete the host entries again? Or use an IP
address (or do you configure static routes for the subnets that the IP
addresses reside in that those host entries point to?)

Has this tactic ever helped anyone in a spyware-on-the-server situation?
(except possibly in a SOHO situation where the server's been treated like a
desktop?)

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!


: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Kevin Brunson
: Sent: Thursday, 13 July 2006 3:00 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Multihomed Domain Controllers
: 
: I have definitely found the hosts file to be useful on servers to keep
: them from EVER getting to spyware sites.  This guy has a great list :
: http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts
: 
: Just cut and paste into the hosts file and you are good to go.  I
: scripted it for all of the servers I deal with.  But I guess this is
: getting pretty far OT: :)
: Kevin
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
: CPA aka Ebitz - SBS Rocks [MVP]
: Sent: Wednesday, July 12, 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Multihomed Domain Controllers
: 
: In the year 2006.. I hope we are still not making host file entries on
: servers and workstations  :-)
: 
: Peter Johnson wrote:
: 
: > You might want to then create entries in the host file on the backup
: > server so that you guarantee that the backup server always uses the
: > right network connection.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] NTFS ( 16 Exabyte's )

2006-06-29 Thread Ken Schaefer
TRUNCATE TABLE 

will be faster, especially for big tables. But this is going OT :-)

Cheers
Ken



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, 29 June 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTFS ( 16 Exabyte's )

Jose-

Take a look at Veritas Storage Foundation for this. It works with MSCS and
gives you a lot more control in this type of situation.

Alternatively

DELETE FROM BigTable
GO
-- release the space the deleted rows occupied (shrink the data file to 10% free)
DBCC SHRINKFILE (BigDB, 10)
GO

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Thursday, June 29, 2006 12:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTFS ( 16 Exabyte's )

Hi Steve, 
 
Thank you for the reply. I was not aware of a GPT disk on X64. I realize that
a two terabyte volume is large, however the group that I am supporting has a
database that is close to 4 terabytes, and have asked for the largest volume
available.
 
Thank you for taking the time to reply, 
 
Jose :-)
- Original Message - 
From: Steve Linehan 
To: ActiveDir@mail.activedir.org 
Sent: Wednesday, June 28, 2006 7:54 PM
Subject: RE: [ActiveDir] NTFS ( 16 Exabyte's )

Jose,
  This is due to the fact that MBR disks are limited to 2 TB in size.  You
would need to go to GPT disks to see a larger disk,
http://www.microsoft.com/whdc/device/storage/GPT-on-x64.mspx .  Unfortunately
we do not support GPT disks on cluster servers at this time for the shared
disks.  As far as corruption we have customers running much larger volumes
and the biggest concern is disaster recovery times.

Thanks,

-Steve

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 28, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFS ( 16 Exabyte's )

Greetings, 

Quick question. I just finished building two new 2003 servers running
Microsoft Clustering services and presented two 2047 Gigabyte LUNS to each
cluster node. However, the OS is only seeing 1.99 Terabytes (Please see my
screen capture). I specifically recall from my Microsoft NT 3.51 server class
taught by Michael Van Dercreek at Technology Education Centers back in 1996
using official MOC, that NTFS is a 64 bit file system ( 2 to the 64th power
 = 16 Exabytes ). 16 Exabytes is the largest partition available on NT 3.51,
however I do not seem to recall if this has been changed in 2003, since I
have only taken a course on Active Directory 2003, Exchange 2003, SQL 2005
and ISA 2004. 

So why am I only seeing 1.99 TB on a 2.47 TB LUN? Is any one else running a
larger LUN size using NTFS? Any issues or corruption of the MFT that I should
know about?

My apologies in advance for the newbie question ( I really should know this
answer ).

Sincerely,
Jose Medeiros
Storage Area Network Systems Engineer
MCP+I, MCSE, NT4 MCT 408-765-0437  Direct, 408-449-6621 Cell
"Anyone who has never made a mistake has never tried anything new."  Albert
Einstein 
 



RE: [ActiveDir] Event ID 20 :: KDC Certificate Error ::

2006-06-20 Thread Ken Schaefer
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Ravi Dogra
: Subject: [ActiveDir] Event ID 20 :: KDC Certificate Error ::
: 
: I am getting Event ID 20 :: KDC Error :: The currently selected KDC
: certificate was once valid, but now is invalid and no suitable
: replacement was found.  Smartcard logon may not function correctly if
: this problem is not remedied.  Have the system administrator check on
: the state of the domain's public key infrastructure.  The chain status
: is in the error data.
: 
: I don't know how this is affecting or will affect as these are warning
: messages. What is the impact?
: 
: I can see my Certificate is still valid. What could be the possible
: reason. I have installed an Enterprise CA a long time back and since
: then I can see this error every approx. 10 hours. (I think I did
: something wrong)

Is the CA's certificate valid?

Some other suggestions here:
http://www.eventid.net/display.asp?eventid=20&eventno=3396&source=KDC&phase=1

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!


RE: [ActiveDir] IIS 6

2006-05-23 Thread Ken Schaefer
No, what you are stating below is incorrect.

You can add three entries to your host file.
On your IIS box, configure corresponding Host Header values for your three
sites.
Then you can access all three sites by name - no need to use alternate ports.

However you mentioned accessing sites by IP address:
" How can I access the individual URL using IP " 
Which to me means you want to use the IP address in the URL, rather than the
host name.

Can you clarify exactly what you are trying to achieve?

Cheers
Ken


:  -Original Message-
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of Za Vue
:  Sent: Wednesday, 24 May 2006 10:26 AM
:  To: ActiveDir@mail.activedir.org
:  Subject: Re: [ActiveDir] IIS 6
:  
:  Correct. Using a host file only works for one website, which solved part
:  of the problem. The other site will have to use another port.
:  The main site is registered with the external DNS(BIND), but the other
:  sites are registered with internal DNS(AD) server. No forwarding. When
:  in production all sites will use port 80 on the same server and register
:  with ext. DNS server.
:  
:  -Z.V.
:  
:  
:  Ken Schaefer wrote:
:  > :  -Original Message-
:  > :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  > :  [EMAIL PROTECTED] On Behalf Of James Eaton-Lee
:  > :  Subject: RE: [ActiveDir] IIS 6
:  > :
:  > :  On Tue, 2006-05-23 at 10:59 +1000, Ken Schaefer wrote:
:  > :  > :  -Original Message-
:  > :  > :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  > :  > :  [EMAIL PROTECTED] On Behalf Of Za Vue
:  > :  > :  Sent: Tuesday, 23 May 2006 10:54 AM
:  > :  > :  To: ActiveDir@mail.activedir.org
:  > :  > :  Subject: [ActiveDir] IIS 6
:  > :  > :
:  > :  > :  I have a web server running IIS6 hosting 3 websites-using
:  host
:  > :  > :  header.
:  > :  > :  How can I access the individual URL using IP?
:  > :  > :
:  > :  > :  -Z.V.
:  > :  >
:  > :  > http://10.10.10.10/yourURL.htm
:  > :  >
:  > :  > If you wish to be able to access all three websites, you will
:  either
:  > :  > need to have three IP addresses -or- run the websites on three
:  > :  > different ports (80, 81, 82 etc).
:  > :
:  > :  Or he could edit the hosts file, and then since the host will be
:  sent
:  > :  in the request to the webserver he'll be given content from the
:  > :  appropriate virtual host...
:  >
:  > From my reading of the question, OP wanted to know how to access the
:  > sites by IP address. Editing your hosts file doesn't help you with that.
:  >
:  > Cheers
:  > Ken
:  >
:  > --
:  > My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
:  > Tech.Ed Boston 2006 See you there: Everything the web administrator
:  needs to
:  > know about MOM 2005


RE: [ActiveDir] IIS 6

2006-05-23 Thread Ken Schaefer
:  -Original Message-
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of James Eaton-Lee
:  Subject: RE: [ActiveDir] IIS 6
:  
:  On Tue, 2006-05-23 at 10:59 +1000, Ken Schaefer wrote:
:  > :  -Original Message-
:  > :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  > :  [EMAIL PROTECTED] On Behalf Of Za Vue
:  > :  Sent: Tuesday, 23 May 2006 10:54 AM
:  > :  To: ActiveDir@mail.activedir.org
:  > :  Subject: [ActiveDir] IIS 6
:  > :
:  > :  I have a web server running IIS6 hosting 3 websites-using host
:  > :  header.
:  > :  How can I access the individual URL using IP?
:  > :
:  > :  -Z.V.
:  >
:  > http://10.10.10.10/yourURL.htm
:  >
:  > If you wish to be able to access all three websites, you will either
:  > need to have three IP addresses -or- run the websites on three 
:  > different ports (80, 81, 82 etc).
:  
:  Or he could edit the hosts file, and then since the host will be sent
:  in the request to the webserver he'll be given content from the
:  appropriate virtual host...

From my reading of the question, OP wanted to know how to access the sites by
IP address. Editing your hosts file doesn't help you with that.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to
know about MOM 2005


RE: [ActiveDir] IIS 6

2006-05-22 Thread Ken Schaefer
:  -Original Message-
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of Za Vue
:  Sent: Tuesday, 23 May 2006 10:54 AM
:  To: ActiveDir@mail.activedir.org
:  Subject: [ActiveDir] IIS 6
:  
:  I have a web server running IIS6 hosting 3 websites-using host header.
:  How can I access the individual URL using IP?
:  
:  -Z.V.

http://10.10.10.10/yourURL.htm

If you wish to be able to access all three websites, you will either need to
have three IP addresses -or- run the websites on three different ports (80,
81, 82 etc).

This is the reason we have HTTP Host Headers - to alleviate the need for lots
of IP addresses and ports.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to
know about MOM 2005
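The three options Ken lays out (three IP addresses, three ports, or one IP with host headers plus name resolution on the client) all come down to how the server matches an incoming request to a site binding. The following is an added example, not code from the thread or from IIS: it models that matching in Python with constructed site names, addresses and a constructed hosts file. The precedence order (exact IP plus host header, then exact IP with no host header, then wildcard IP) is a simplified model of IIS's binding rules, and a request that matches no binding returns None, the case in which IIS answers 400 Bad Request (Invalid Hostname) rather than serving some default site.

```python
"""Added example: how a server hosting several sites on one IP:port picks a site.

Names, addresses and bindings are constructed for the example; the precedence
order is a simplified model of IIS site-binding rules.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Binding:
    ip: str      # "*" means any address on the server
    port: int
    host: str    # "" means the site accepts requests with any (or no) Host header
    site: str


def resolve_name(hosts_text: str, name: str) -> Optional[str]:
    """Client-side step: look `name` up in hosts-file text and return its IP, or None.

    Lines are `ip name [alias ...]`; `#` starts a comment; matching is case-insensitive.
    """
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if name.lower() in (n.lower() for n in names):
            return ip
    return None


def select_site(bindings: Iterable[Binding], dest_ip: str, dest_port: int,
                host_header: str) -> Optional[str]:
    """Server-side step: choose the site from the destination address and the Host header.

    A ":port" suffix on the Host value is ignored for matching. Returns None when
    nothing matches (IIS returns 400 Bad Request (Invalid Hostname) in that case).
    """
    host = host_header.split(":", 1)[0].strip().lower()
    preference = (
        lambda b: b.ip == dest_ip and b.host.lower() == host,   # exact IP + host header
        lambda b: b.ip == dest_ip and b.host == "",              # exact IP, no host header
        lambda b: b.ip == "*" and b.host.lower() == host,        # any IP + host header
        lambda b: b.ip == "*" and b.host == "",                  # any IP, no host header
    )
    candidates = [b for b in bindings if b.port == dest_port]
    for rule in preference:
        for b in candidates:
            if rule(b):
                return b.site
    return None


def request_by_name(bindings, hosts_text, name, port=80):
    """Both steps together: resolve the name, then send Host: <name> to that IP."""
    ip = resolve_name(hosts_text, name)
    if ip is None:
        return None
    return select_site(bindings, ip, port, name)


# Constructed client hosts file: all three names point at the one web server.
HOSTS_FILE = """\
# constructed sample hosts file
10.10.10.10   www.alpha.example
10.10.10.10   www.beta.example   beta
10.10.10.10   www.gamma.example
"""

# Option from the thread: one IP, one port, three host-header bindings.
HOST_HEADER_SITES = [
    Binding("10.10.10.10", 80, "www.alpha.example", "Alpha"),
    Binding("10.10.10.10", 80, "www.beta.example", "Beta"),
    Binding("10.10.10.10", 80, "www.gamma.example", "Gamma"),
]

# Other option from the thread: one IP, no host headers, three ports.
PORT_SITES = [
    Binding("10.10.10.10", 80, "", "Alpha"),
    Binding("10.10.10.10", 81, "", "Beta"),
    Binding("10.10.10.10", 82, "", "Gamma"),
]


if __name__ == "__main__":
    for name in ("www.alpha.example", "www.beta.example", "www.gamma.example"):
        print(name, "->", request_by_name(HOST_HEADER_SITES, HOSTS_FILE, name))
    # Browsing to http://10.10.10.10/ sends "Host: 10.10.10.10", which no host-header binding accepts.
    print("by IP, host headers only:", select_site(HOST_HEADER_SITES, "10.10.10.10", 80, "10.10.10.10"))
    print("by IP, port 81:", select_site(PORT_SITES, "10.10.10.10", 81, "10.10.10.10:81"))
```

Adding a binding with an empty host header (`Binding("10.10.10.10", 80, "", "Alpha")`) is what makes one of the three sites answer when the URL carries the bare IP; without it the request by IP matches nothing, which is the behaviour the original poster ran into.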


RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM

2006-05-19 Thread Ken Schaefer
Wow - that would be frustrating. Glad you got it sorted.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to
know about MOM 2005

:  -Original Message-
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
:  Sent: Friday, 19 May 2006 9:57 PM
:  To: ActiveDir@mail.activedir.org
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  Ken,
:  
:  Thanks for the help. The problem was someone felt the need to audit
:  computer objects in my testlab and was walking behind me turning off
:  that specific computer for delegation.  Grr.
:  
:  -Brandon
:  
:  -Original Message-
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
:  Sent: Thursday, May 18, 2006 10:41 PM
:  To: ActiveDir@mail.activedir.org
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  Well, you need to ensure that referrals are happening properly (so that
:  the DC in your domain is referring you to the correct KDC in the foreign
:  domain in the foreign forest)
:  
:  Cheers
:  Ken
:  
:  
:  :  -Original Message-
:  :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  :  [EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
:  :  Sent: Thursday, 18 May 2006 11:10 PM
:  :  To: ActiveDir@mail.activedir.org
:  :  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  :
:  :  I forgot one detail. I am accessing this site from a computer that is
:  :  joined up to a different forest. That metabase key
:  :  NTAuthenticationProviders also didn't do what I was hoping for.
:  :
:  :  -Brandon
:  :
:  :  -Original Message-
:  :  From: Bernier, Brandon (.)
:  :  Sent: Thursday, May 18, 2006 8:56 AM
:  :  To: 'ActiveDir@mail.activedir.org'
:  :  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  :
:  :  I am running the application pool for this website as "Network
:  :  Service". It is not explicitly defined in my IE Intranet Security Zone,
:  :  but we have a proxy script that enables "bypass from proxy server" and
:  :  we have that condition in IE security zone enabled, so yes its there.
:  :  I know it is using Kerberos (unless .Net is wrong) because I do a catch
:  :  that poops out the user context
:  :
:  :  System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
:  :  System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;
:  :
:  :  and
:  :
:  :  HttpContext.Current.User.Identity.Name.ToString();
:  :
:  :  A.) Yes
:  :  B.) Yes
:  :  C.) Yes
:  :  D.) Until development is completed it is accessed under the server
:  :  FQDN, I registered an HTTP SPN as followings "setspn -a servername.com
:  :  servername".
:  :  E.) Yes
:  :  F.) I'm not getting any related failures on either the IIS server or
:  :  the DC it contacting.
:  :
:  :  My network traces show it trying to authing as NTLM...I thought if it
:  :  can use kerb it does that first then NTLM...I'm going to add
:  :  NTAuthenticationProviders=Negotiate in the metabase for this site so
:  :  it forces kerb or nothing. Thanks again!
:  :
:  :  -Brandon
:  :
:  :  
:  :
:  :  From: [EMAIL PROTECTED]
:  :  [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
:  :  Sent: Wednesday, May 17, 2006 7:45 PM
:  :  To: ActiveDir@mail.activedir.org
:  :  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  :
:  :
:  :
:  :  There's lots of information missing from your post.
:  :
:  :
:  :
:  :  If you are using a FQDN or IP address to access the site, then the
:  :  site must be in IE's Intranet Security zone (not Internet zone). IE
:  :  doesn't attempt Kerberos authentication for sites in the Internet zone.
:  :
:  :
:  :
:  :  You haven't mentioned what security contexts you are running your
:  :  website under. If your web application is running under a custom
:  :  account, all applications accessible at the same FQDN must also be
:  :  running under that account (even if they are in a different web app
:  :  pool). And you need to register the SPN under that custom account. If
:  :  you are using the default Network Service account, then you do not need
:  :  to register a HTTP SPN unless you are using a non-default port.
:  :
:  :
:  :
:  :  So, perhaps you can give us the following configuration details?
:  :
:  :  a)  Is website in Intranet security zone in IE?
:  :
:  :  b)  Is "Enable Integrated Windows AuthN" enabled in IE?
:  :
:  :  c)   Is IIS computer account trusted for delegation in AD?
:  :
:  :  d)  What is the URL you are using to access the site, what SPN did
:  :  you register and where?
:  :
:  :  e)  The other applications accessible at the FQDN/IP address - are
:  :  they al

RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM

2006-05-18 Thread Ken Schaefer
Well, you need to ensure that referrals are happening properly (so that the
DC in your domain is referring you to the correct KDC in the foreign domain
in the foreign forest)

Cheers
Ken


:  -Original Message-
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
:  Sent: Thursday, 18 May 2006 11:10 PM
:  To: ActiveDir@mail.activedir.org
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  I forgot one detail. I am accessing this site from a computer that is
:  joined up to a different forest. That metabase key
:  NTAuthenticationProviders also didn't do what I was hoping for.
:  
:  -Brandon
:  
:  -Original Message-
:  From: Bernier, Brandon (.)
:  Sent: Thursday, May 18, 2006 8:56 AM
:  To: 'ActiveDir@mail.activedir.org'
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  I am running the application pool for this website as "Network
:  Service". It is not explicitly defined in my IE Intranet Security Zone,
:  but we have a proxy script that enables "bypass from proxy server" and we
:  have that condition in IE security zone enabled, so yes its there.  I know
:  it is using Kerberos (unless .Net is wrong) because I do a catch that
:  poops out the user context
:  
:  System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
:  System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;
:  
:  and
:  
:  HttpContext.Current.User.Identity.Name.ToString();
:  
:  A.) Yes
:  B.) Yes
:  C.) Yes
:  D.) Until development is completed it is accessed under the server FQDN,
:  I registered an HTTP SPN as followings "setspn -a servername.com
:  servername".
:  E.) Yes
:  F.) I'm not getting any related failures on either the IIS server or
:  the DC it contacting.
:  
:  My network traces show it trying to authing as NTLM...I thought if it
:  can use kerb it does that first then NTLM...I'm going to add
:  NTAuthenticationProviders=Negotiate in the metabase for this site so
:  it forces kerb or nothing. Thanks again!
:  
:  -Brandon
:  
:  
:  
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
:  Sent: Wednesday, May 17, 2006 7:45 PM
:  To: ActiveDir@mail.activedir.org
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  
:  
:  There's lots of information missing from your post.
:  
:  
:  
:  If you are using a FQDN or IP address to access the site, then the site
:  must be in IE's Intranet Security zone (not Internet zone). IE doesn't
:  attempt Kerberos authentication for sites in the Internet zone.
:  
:  
:  
:  You haven't mentioned what security contexts you are running your
:  website under. If your web application is running under a custom
:  account, all applications accessible at the same FQDN must also be
:  running under that account (even if they are in a different web app
:  pool). And you need to register the SPN under that custom account. If
:  you are using the default Network Service account, then you do not need
:  to register a HTTP SPN unless you are using a non-default port.
:  
:  
:  
:  So, perhaps you can give us the following configuration details?
:  
:  a)  Is website in Intranet security zone in IE?
:  
:  b)  Is "Enable Integrated Windows AuthN" enabled in IE?
:  
:  c)   Is IIS computer account trusted for delegation in AD?
:  
:  d)  What is the URL you are using to access the site, what SPN did
:  you register and where?
:  
:  e)  The other applications accessible at the FQDN/IP address - are
:  they also running under the same user context?
:  
:  f)   In the Security event log, what logon failure events do you
:  see? Can you cut-n-paste them here please?
:  
:  
:  
:  Cheers
:  
:  Ken
:  
:  
:  
:  --
:  
:  My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
:  
:  Tech.Ed Boston 2006 See you there: Everything the web administrator
:  needs to know about MOM 2005
:  
:  
:  
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of Bernier,
:  Brandon (.)
:  Sent: Thursday, 18 May 2006 6:51 AM
:  To: ActiveDir@mail.activedir.org
:  Subject: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  
:  
:  
:  
:  OK...I've got a nice issue here and I've been bashing my head against my
:  desk to the point where I need help.
:  
:  I'm writing a very directory intensive application in C# with ASP.Net
:  2.0. If I authenticate to the webpage via NTLM my directory calls will
:  fail, this is because of the NTLM double hop (trying to pass it from the
:  client to IIS and do stuff to Active Directory). So I say I'll use
:  Kerberos instead, I figured if I enabled the computer object for the IIS
:  box to be trusted for delegation and give it an HTTP SPN it should work.
:  It will work l

RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM

2006-05-18 Thread Ken Schaefer
:  -Original Message-
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  I am running the application pool for this website as "Network
:  Service". It is not explicitly defined in my IE Intranet Security Zone,
:  but we have a proxy script that enables "bypass from proxy server" and we
:  have that condition in IE security zone enabled, so yes its there. 

I would recommend against making assumptions for reasons that are listed
below. Verify by looking at the icon in IE.

:  I know it is using Kerberos (unless .Net is wrong) because I do a 
:  catch that poops out the user context
:  
:  System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
:  System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;

How do you know this is Kerberos and not NTLM?!? I think you are making an
assumption here as well. As you say below, your packet capture is showing
NTLM. You could look in the Windows Security event log on the IIS box to
find out which package is being used to authenticate the user.

:  D.) Until development is completed it is accessed under the server FQDN,
:  I registered an HTTP SPN as followings "setspn -a servername.com
:  servername".

Remove this SPN, it is not necessary. If you are running as Network Service,
the HOST SPN will be fine.


:  My network traces show it trying to authing as NTLM...I thought if it
:  can use kerb it does that first then NTLM

This is an incorrect assumption. There is no fall back. If IE is using NTLM,
then Kerberos is not being attempted at all. This is why I want you to verify
that IE thinks the site is in the Intranet security zone.

: ...I'm going to add
:  NTAuthenticationProviders=Negotiate in the metabase for this site so
:  it forces kerb or nothing. Thanks again!

This is another assumption. The Negotiate HTTP header does not force
Kerberos. It is a fancy way of telling the client that Kerberos is available
(and so is NTLM, and the browser needs to choose which out of the two it
wants to use). If you already have the Negotiate header in there, then IE is
deliberately choosing to use NTLM, and editing this property will not help
you.

If Negotiate is not there at all (and only NTLM is there), then you will need
to add it, and that may fix your problem.

Cheers
Ken

:  
:  -Brandon
:  
:  
:  
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
:  Sent: Wednesday, May 17, 2006 7:45 PM
:  To: ActiveDir@mail.activedir.org
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  
:  
:  There's lots of information missing from your post.
:  
:  
:  
:  If you are using a FQDN or IP address to access the site, then the site
:  must be in IE's Intranet Security zone (not Internet zone). IE doesn't
:  attempt Kerberos authentication for sites in the Internet zone.
:  
:  
:  
:  You haven't mentioned what security contexts you are running your
:  website under. If your web application is running under a custom
:  account, all applications accessible at the same FQDN must also be
:  running under that account (even if they are in a different web app
:  pool). And you need to register the SPN under that custom account. If
:  you are using the default Network Service account, then you do not need
:  to register a HTTP SPN unless you are using a non-default port.
:  
:  
:  
:  So, perhaps you can give us the following configuration details?
:  
:  a)  Is website in Intranet security zone in IE?
:  
:  b)  Is "Enable Integrated Windows AuthN" enabled in IE?
:  
:  c)   Is IIS computer account trusted for delegation in AD?
:  
:  d)  What is the URL you are using to access the site, what SPN did
:  you register and where?
:  
:  e)  The other applications accessible at the FQDN/IP address - are
:  they also running under the same user context?
:  
:  f)   In the Security event log, what logon failure events do you
:  see? Can you cut-n-paste them here please?
:  
:  
:  
:  Cheers
:  
:  Ken
:  
:  
:  
:  --
:  
:  My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
:  
:  Tech.Ed Boston 2006 See you there: Everything the web administrator
:  needs to know about MOM 2005
:  
:  
:  
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of Bernier,
:  Brandon (.)
:  Sent: Thursday, 18 May 2006 6:51 AM
:  To: ActiveDir@mail.activedir.org
:  Subject: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  
:  
:  
:  
:  OK...I've got a nice issue here and I've been bashing my head against my
:  desk to the point where I need help.
:  
:  I'm writing a very directory intensive application in C# with ASP.Net
:  2.0. If I authenticate to the webpage via NTLM my directory calls will
:  fail, this is becau
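Ken's point above is that the presence of a Negotiate header proves nothing about which package was actually used; the capture or the Security event log does. The same determination can be made from the HTTP headers themselves. The following is an added example, not code from the thread or from Microsoft: it lists which schemes a 401 challenge advertises (if Negotiate is absent, Kerberos was never on offer) and classifies a client's Authorization token by its bytes, since an NTLM message carries the NTLMSSP signature whatever scheme name precedes it, while a Kerberos token is a DER-encoded GSS-API blob whose SPNEGO mechTypes list names Kerberos first. The sample challenge and tokens are constructed; the OIDs and the signature are the real values from the SPNEGO, Kerberos GSS-API and NTLMSSP specifications.

```python
"""Added example: tell from HTTP headers which authentication package is in play.

Not code from the thread or from Microsoft. Sample headers and tokens are
constructed; the OID values and the NTLMSSP signature are the real ones.
"""
import base64

# DER-encoded mechanism OIDs as they appear in an SPNEGO NegTokenInit mechTypes list.
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("060a2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "kerberos", OID_MS_KRB5: "kerberos", OID_NTLMSSP: "ntlm"}


def offered_schemes(www_authenticate_values):
    """Scheme names a 401 response advertises; IIS sends one WWW-Authenticate header per provider."""
    return [v.strip().split(None, 1)[0].lower() for v in www_authenticate_values if v.strip()]


def spnego_preferred_mech(token):
    """The first mechType listed in a NegTokenInit is the one the client's initial token uses."""
    found = [(token.find(oid), name) for oid, name in MECH_NAMES.items() if oid in token]
    return min(found)[1] if found else "unknown"


def classify_authorization(header_value):
    """Return (scheme, mechanism) for an Authorization header, judged by the token bytes.

    'Negotiate' followed by a raw NTLMSSP message (base64 beginning TlRMTVNT) is NTLM
    even though the scheme name says Negotiate. A Kerberos token is a DER GSS-API
    InitialContextToken wrapping SPNEGO (real-sized ones base64-encode beginning YII).
    """
    parts = header_value.split(None, 1)
    if not parts:
        return ("", "unknown")
    scheme = parts[0].lower()
    if scheme not in ("negotiate", "ntlm") or len(parts) < 2:
        return (scheme, "unknown")
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return (scheme, "unknown")
    if token.startswith(b"NTLMSSP\x00"):
        return (scheme, "ntlm")
    if token[:1] == b"\x60" and OID_SPNEGO in token[:16]:  # [APPLICATION 0] wrapper + SPNEGO OID
        return (scheme, spnego_preferred_mech(token))
    return (scheme, "unknown")


# --- constructed sample tokens, labelled as such ---------------------------------

def sample_ntlm_type1():
    """NTLM NEGOTIATE_MESSAGE: signature, MessageType 1, flags, empty domain/workstation fields."""
    return b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes.fromhex("078208a2") + b"\x00" * 16


def sample_spnego_init(first_mech):
    """Minimal NegTokenInit carrying only a mechTypes list (no mechToken), short-form DER lengths."""
    mechs = [OID_MS_KRB5, OID_KRB5, OID_NTLMSSP] if first_mech == "kerberos" else [OID_NTLMSSP, OID_KRB5]
    mech_list = b"".join(mechs)
    mech_types = b"\x30" + bytes([len(mech_list)]) + mech_list   # SEQUENCE OF OID
    ctx0 = b"\xa0" + bytes([len(mech_types)]) + mech_types       # [0] mechTypes
    neg_init = b"\x30" + bytes([len(ctx0)]) + ctx0               # NegTokenInit SEQUENCE
    neg_token = b"\xa0" + bytes([len(neg_init)]) + neg_init      # NegotiationToken CHOICE [0]
    inner = OID_SPNEGO + neg_token
    return b"\x60" + bytes([len(inner)]) + inner                 # GSS-API [APPLICATION 0] wrapper


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


SAMPLE_CHALLENGE = ["Negotiate", "NTLM"]  # constructed: what IIS sends with both providers enabled
SAMPLE_REQUESTS = {  # constructed client replies as they would appear in a capture
    "kerberos_via_negotiate": "Negotiate " + _b64(sample_spnego_init("kerberos")),
    "ntlm_via_negotiate": "Negotiate " + _b64(sample_ntlm_type1()),
    "ntlm_first_negotiate": "Negotiate " + _b64(sample_spnego_init("ntlm")),
    "ntlm_scheme": "NTLM " + _b64(sample_ntlm_type1()),
}


if __name__ == "__main__":
    print("server offers:", offered_schemes(SAMPLE_CHALLENGE))
    for label, header in SAMPLE_REQUESTS.items():
        print(f"{label:24} {header[:30]}...  ->  {classify_authorization(header)}")
```

In a trace the quick visual check is the start of the base64 text after the scheme name: `TlRMTVNT` is the NTLMSSP signature and means NTLM regardless of whether the scheme says NTLM or Negotiate, which is exactly the situation Ken describes where IE has chosen NTLM under a Negotiate header and editing NTAuthenticationProviders changes nothing.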

RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM

2006-05-17 Thread Ken Schaefer
There’s lots of information missing from your post.

If you are using a FQDN or IP address to access the site, then the site must
be in IE’s Intranet Security zone (not Internet zone). IE doesn’t attempt
Kerberos authentication for sites in the Internet zone.

You haven’t mentioned what security contexts you are running your website
under. If your web application is running under a custom account, all
applications accessible at the same FQDN must also be running under that
account (even if they are in a different web app pool). And you need to
register the SPN under that custom account. If you are using the default
Network Service account, then you do not need to register a HTTP SPN unless
you are using a non-default port.

So, perhaps you can give us the following configuration details?

a) Is website in Intranet security zone in IE?
b) Is “Enable Integrated Windows AuthN” enabled in IE?
c) Is IIS computer account trusted for delegation in AD?
d) What is the URL you are using to access the site, what SPN did you register and where?
e) The other applications accessible at the FQDN/IP address – are they also running under the same user context?
f) In the Security event log, what logon failure events do you see? Can you cut-n-paste them here please?

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to know about MOM 2005

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Thursday, 18 May 2006 6:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] IIS6 - Kerb/NTLM

OK…I've got a nice issue here and I've been bashing my head against my desk to
the point where I need help. 

I'm writing a very directory intensive application in C# with ASP.Net 2.0. If I
authenticate to the webpage via NTLM my directory calls will fail, this is
because of the NTLM double hop (trying to pass it from the client to IIS and do
stuff to Active Directory). So I say I'll use Kerberos instead, I figured if I
enabled the computer object for the IIS box to be trusted for delegation and
give it an HTTP SPN it should work. It will work locally from the webserver, but
not from any client. My guess is it wants the client computers to be trusted as
well to support the mutual auth (I hope I'm wrong). Any suggestions?

-Brandon 


RE: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Ken Schaefer








Tom,

 

I don’t want to seem rude, but this is something that
would take you <5 minutes to test yourself (e.g. in a VM). You could even
report your results back to the list.

 

Cheers

Ken

 

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to know about MOM 2005

 











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, 17 May 2006 6:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)



 



I don't want to seem rude, but in my post I was primarily concerned with
overwriting the existing scopes on the target server.

I never asked about "how to migrate dhcp" but rather "how to migrate a source
dhcp to a target dhcp server which has existing scopes on it".

I read those articles before posting. They never answered my concern.

I may deserve a heap of sarcasm for various other posts I made but not this
one :)

Thanks

On 5/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: 

Tom,

next time, try something like "move dhcp" or "move dhcp site: microsoft.com"
on google. See http://www.google.com/intl/en/help/cheatsheet.html
for
Google-Fu basics.

See KB325473 for the solution to your question. 


Sincerely,

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


 

From: [EMAIL PROTECTED]
on behalf of Tom Kern
Sent: Tue 5/16/2006 6:35 AM
To: ActiveDir@mail.activedir.org 
Subject: Re: [ActiveDir] DHCP migration(OT)


Will netsh overwrite the scopes already existing on the target?

Also, does netsh migrate leases or just the scope and scope options?

Thanks


On 5/16/06, Matheesha Weerasinghe <[EMAIL PROTECTED]>
wrote:

   look into netsh. might be of use.

   On 5/12/06, Tom Kern < [EMAIL PROTECTED] > wrote:
   >
   > I want to migrate DHCP(scopes,scope options,leases) from one win2k box to
   > another.
   >
   > My issue is, the target server is running DHCP with scopes,etc already
   > configured.
   >
   > Is there any way to migrate the source DHCP server to the target without
   > overwriting the target's settings?
   >
   > I just want to merge the 2- move the source info over while keeping the
   > target DHCP info intact as well.
   >
   > Is this possible?
   >
   > Thanks





 










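Tom's actual question is whether a netsh-based move will overwrite scopes already on the target. One way to answer that before touching the target is to diff the two servers' scope lists, which the added Python example below does (my code, not from the thread or from KB325473). It parses constructed text in the shape I recall `netsh dhcp server dump` producing (add scope, add iprange and set optionvalue commands; check the format against a real dump before relying on it), classifies each source scope as new, identical to the target's copy, or conflicting, and emits a netsh script containing only the safe scopes. Server names and scopes are invented; lease state is outside what this handles.

```python
import ipaddress
import re

# Constructed sample dumps (not from the list post) in the shape of
# "netsh dhcp server dump" output as I recall it; verify against a real dump.
SOURCE_DUMP = r"""
# Source server (the win2k box being migrated) - constructed sample
Dhcp Server \\srv-old add scope 10.1.0.0 255.255.255.0 "Sales" "2nd floor"
Dhcp Server \\srv-old Scope 10.1.0.0 set state 1
Dhcp Server \\srv-old Scope 10.1.0.0 add iprange 10.1.0.20 10.1.0.250
Dhcp Server \\srv-old Scope 10.1.0.0 set optionvalue 003 IPADDRESS 10.1.0.1
Dhcp Server \\srv-old add scope 10.2.0.0 255.255.255.0 "Lab" ""
Dhcp Server \\srv-old Scope 10.2.0.0 add iprange 10.2.0.10 10.2.0.100
Dhcp Server \\srv-old Scope 10.2.0.0 set optionvalue 006 IPADDRESS 10.1.0.5
Dhcp Server \\srv-old add scope 10.3.0.0 255.255.255.0 "Printers" ""
Dhcp Server \\srv-old Scope 10.3.0.0 add iprange 10.3.0.10 10.3.0.50
Dhcp Server \\srv-old add scope 10.4.0.0 255.255.254.0 "Wireless" ""
Dhcp Server \\srv-old Scope 10.4.0.0 add iprange 10.4.0.10 10.4.1.250
"""

TARGET_DUMP = r"""
# Target server (already serving scopes of its own) - constructed sample
Dhcp Server \\srv-new add scope 10.1.0.0 255.255.255.0 "Sales" ""
Dhcp Server \\srv-new Scope 10.1.0.0 add iprange 10.1.0.50 10.1.0.200
Dhcp Server \\srv-new Scope 10.1.0.0 set optionvalue 003 IPADDRESS 10.1.0.1
Dhcp Server \\srv-new add scope 10.3.0.0 255.255.255.0 "Printers" ""
Dhcp Server \\srv-new Scope 10.3.0.0 add iprange 10.3.0.10 10.3.0.50
Dhcp Server \\srv-new add scope 10.4.1.0 255.255.255.0 "Guests" ""
Dhcp Server \\srv-new Scope 10.4.1.0 add iprange 10.4.1.10 10.4.1.100
"""

ADD_SCOPE = re.compile(r'^Dhcp Server \S+ add scope (\S+) (\S+) "([^"]*)"', re.I)
SCOPE_CMD = re.compile(r'^Dhcp Server \S+ Scope (\S+) (.+)$', re.I)


def parse_dump(text):
    """scope id -> {mask, name, ranges, options, lines} from a dump script."""
    scopes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ADD_SCOPE.match(line)
        if m:
            sid, mask, name = m.groups()
            scopes[sid] = {"mask": mask, "name": name, "ranges": [], "options": {}, "lines": [line]}
            continue
        m = SCOPE_CMD.match(line)
        if not m:
            continue
        sid, rest = m.groups()
        scope = scopes.setdefault(sid, {"mask": None, "name": "", "ranges": [], "options": {}, "lines": []})
        scope["lines"].append(line)
        parts = rest.split()
        if parts[:2] == ["add", "iprange"]:
            scope["ranges"].append((parts[2], parts[3]))
        elif parts[:2] == ["set", "optionvalue"]:
            scope["options"][parts[2]] = " ".join(parts[4:])   # option code -> value
    return scopes


def merge_plan(source, target):
    """Classify every source scope as new, identical to the target's copy, or in conflict."""
    plan = {"new": [], "identical": [], "conflict": []}
    target_nets = {sid: ipaddress.ip_network(f"{sid}/{s['mask']}", strict=False)
                   for sid, s in target.items() if s["mask"]}
    for sid, s in source.items():
        if sid in target:
            same = s["ranges"] == target[sid]["ranges"] and s["options"] == target[sid]["options"]
            plan["identical" if same else "conflict"].append(sid)
            continue
        if s["mask"] is None:                 # no "add scope" line: dump is incomplete
            plan["conflict"].append(sid)
            continue
        net = ipaddress.ip_network(f"{sid}/{s['mask']}", strict=False)
        if any(net.overlaps(tn) for tn in target_nets.values()):
            plan["conflict"].append(sid)      # different scope id, same address space
        else:
            plan["new"].append(sid)
    return plan


def import_script(source, plan, target_server):
    """Only the 'new' scopes, rewritten for the target server name, as a netsh script."""
    out = []
    for sid in plan["new"]:
        for line in source[sid]["lines"]:
            out.append(re.sub(r"^Dhcp Server \S+", lambda _: f"Dhcp Server {target_server}", line))
    return "\n".join(out)
```

The conflicting scopes are the ones that need a human decision (which range wins, whether the option values agree); everything in the "new" list can be replayed on the target with `netsh -f` against the generated script without touching what is already there.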
RE: [ActiveDir] OT: Blank messages to lists???

2006-05-05 Thread Ken Schaefer
I've seen this happen occasionally on other lists, but I don't know if it's
the same underlying cause.

The original post is encoded in some way, and then the addition of the list
footer means that the post isn't properly encoded anymore. Some email clients
then display this as a blank post. If you are able to get to the message
source in your client, you will see the message contents.

HTH

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of joe
: Sent: Saturday, 6 May 2006 6:57 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] OT: Blank messages to lists???
: 
: Nope, don't have that one installed.
: 
: The blanks I have been seeing are limited to this list of all of the lists
: I am on.
: 
: 
: --
: O'Reilly Active Directory Third Edition -
: http://www.joeware.net/win/ad3e.htm
: 
: 
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS
: Rocks [MVP]
: Sent: Friday, May 05, 2006 4:41 PM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] OT: Blank messages to lists???
: 
: Okay dumb questions to folks..
: 
: E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : OWA fix on
: Microsoft Update:
: http://msmvps.com/blogs/bradley/archive/2006/04/28/92884.aspx
: 
: Are the folks that are sending blank emails .. have you deployed 911829?
: 
: Kevin Gent wrote:
: 
: > i'm seeing lots of blanks over the past week
: >
: >
: > - Original Message - From: "Douglas M. Long"
: > <[EMAIL PROTECTED]>
: > To: 
: > Sent: Friday, May 05, 2006 4:05 PM
: > Subject: [ActiveDir] OT: Blank messages to lists???
: >
: >
: > Anyone else receiving blank emails? The reply from Al (below Susans
: > email) and a couple of others I have got over the past couple of days
: > have had empty bodies.
: >
: >
: >
: >
: > -Original Message-
: > From: [EMAIL PROTECTED]
: > [mailto:[EMAIL PROTECTED] On Behalf Of Susan
: > Bradley, CPA aka Ebitz - SBS Rocks [MVP]
: > Sent: Friday, May 05, 2006 2:53 PM
: > To: ActiveDir@mail.activedir.org
: > Subject: Re: [ActiveDir] Optimize Exchange Pagefile
: >
: > Word  of advice --  put "SBS" in the subject line and you'll get
: > SBSlady from the get go  :-)
: >
: > "By design" SBS is maxed at 75 users/devices.
: >
: > As you have already stated... do not do a /3GB  (let me repeat that
: > again) DO NOT do a /3GB on a SBS box.  It's not necessary and doesn't
: > impact a thing.
: >
: > Remember with SP2 we now have 75 gigs to play with so plan accordingly
: > (and no snickers from the terrabyte people)
: >
: > SBS is pretty tuned as it is.. set your page files to be 1.5 and I
: > have mine spread on two drives.  What is more important is the layout
: > of those partitions..and boy... did a recent blog post bring out a lot
: > of comments
: > http://msmvps.com/blogs/bradley/archive/2006/05/02/93249.aspx
: >
: > Set the crash dump to minidump or even full dump... when that sucker
: > blows (and it's not that often and kinda fun when it does as you can
: > use the debugger tool) you want that dumpfile to be there and juicy.
: >
: > Exchange 'by design' will suck down the memory and release when needed.
: > Honestly Exchange ..while being a hog.. isn't the annoyance on my
: > boxes.. it's MSDE that is the troublesome child.
: >
: > After applications of SP1 (if it is not integrated that is) you need
: > to rerun the SBS monitoring wizard to get rid of a bogus STORE memory
: alert.
: >
: > Now then.. about that MSDE.
: >
: > The SBS health monitor function is set to warn you with an allocated
: > memory alert when the use is above 2 gigs..when you have a 4 gig
: > box..that 2 gig limit is a bit stupid.  So step one is to monitor your
: > box.. see where it hovers at.   I bumped mine up a bit.
: >
: > Next... the problem children.  ISA running on MSDE 'by design' will be
: > like Exchange and suck up all RAM and release when needed... sorry ISA
: > .. you don't need to do that (and before Joe has the inevitable heart
: > attack of a firewall on my DC.. it's in all honesty my 'second'
: > firewall as I have a hardware one in front..but I like the monitoring
: > and with Dana Epp's Scorpion Software Firewall dashboard tool, the GUI
: > pie charts of the firewall hits that 'do' hit my domain controller are
: > way cool... I know, I know... it's the GUI..just shake your head and
: > walk away).
: >
: > SBSMonitoring 'can' and 'has' on my box and others in the community
: > gotten too 'hot' on my box as well.  So for both ISA and SBSmonitoring
: > there's a command (yes Joe, I did command line) to stomp on those msde
: > instances and make them behave
: >
: > http://msmvps.com/blogs/bradley/search.aspx?q=allocated+memory&p=1
: >
: > This is the ISA
: > http://msmvps.com/blogs/bradley/archive/2005/05/22/48500.aspx
: >
: > This is SBS monitoring
: > http://msmvps.com/blogs/bradley/archive/2005/02/04/34984.aspx
: >
: > So for me

RE: [ActiveDir] Software to handle access requests

2006-03-16 Thread Ken Schaefer








Hi Bonnie,

 

You could have a look at the Activate
product that these guys have:

http://www.innovation.co.nz/public/home.aspx

 

It’s a workflow solution based on
Biztalk, SQL Server and .NET. It ships with a bunch of included .NET assemblies
that handle common admin tasks (like share permissions, creating mailboxes,
deprovisioning users etc), but you can extend it using plain custom .NET code.
I believe it also integrates into SMS Server if you want to use the same
workflow for application and OS deployment.

 

It’s a pretty slick product from
what I can tell

 

Cheers

Ken

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den Wyngaert
Sent: Thursday, 16 March 2006 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Software to handle access requests



 



Hi Bonnie,

Not that I know about. Most companies I know have created their own custom
forms or flows (ex. in Notes) to request accesses. I suggest you google for it.

Either way a developer can make it customized for you of course...

Bart

 





On 3/14/06, [EMAIL PROTECTED]
<
[EMAIL PROTECTED]> wrote: 





The scenario: We currently have a wide array of forms that are used to request
access to our different resources (both network and phone related). Some of our
less technical end users are getting confused on which form does what and whom
to send each form to.

We would like to implement some sort of app, available via our Intranet site,
that users can access to fill out the paperwork. We would like to set up some
sort of guided site that asks them questions, fills out the forms based on
their responses, and then prints the form to their default printer OR emails
the completed form to the supervisor for a signature. At this point, business
requirements require that a physical form with the original department
supervisor signature be submitted for every request.

The example: It would be nice to have a site that starts like so: Are you a new
employee? Yes or No? If yes, do you need a telephone extension? Yes or No? Do
you need a computer login? Yes or No? If yes, ask for first name, last name,
etc...

We would also like to be able to set fields as "required" so that the end user
would not be able to proceed without inputting information. Lastly, it would be
even better if we had some sort of workflow process set up that would notify
the supervisor, or even forward the completed form to the supervisor for
signature so it doesn't have to be physically walked around to each desk.

The question: Does anyone know of an app that can be downloaded or purchased
that could handle this type of setup?

BONNIE POHLSCHNEIDER
COPELAND HELP DESK





 







 










RE: [ActiveDir] internet explorer is frozen

2006-03-15 Thread Ken Schaefer
As mentioned before, please get a packet capture using Ethereal or Netmon.
Then we can see what's actually happening on the network.

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Sharif Naser
: Sent: Wednesday, 15 March 2006 6:03 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] internet explorer is frozen
: 
: 
: If I try to access the web server by ip address or the hostname it
: works.
: I mean IE just hung with connecting to site message down and does not
: display anything.
: 
: Regards,
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
: Sent: Wednesday, March 15, 2006 9:55 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] internet explorer is frozen
: 
: --- Original Message ---
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Sharif Naser
: Subject: [ActiveDir] internet explorer is frozen
: 
: > Internet Explorer is frozen, I'm trying to access
: > an internal site but it shows connecting to site
: > and frozen.
: >
: > DNS is working fine, what could be the reason for IE
: > not being able to resolve names.
: 
: How do you know that the problem is IE resolving names? There doesn't
: seem to
: be any evidence that this is the problem. Maybe the problem is simply
: that
: the webserver is not responding.
: 
: Get a packet capture using Ethereal to see what's actually being placed
: onto
: the network.
: 
: Cheers
: Ken

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] internet explorer is frozen

2006-03-14 Thread Ken Schaefer
--- Original Message ---
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sharif Naser
Subject: [ActiveDir] internet explorer is frozen

> Internet Explorer is frozen, I'm trying to access
> an internal site but it shows connecting to site
> and frozen.
>
> DNS is working fine, what could be the reason for IE
> not being able to resolve names.

How do you know that the problem is IE resolving names? There doesn't seem to
be any evidence that this is the problem. Maybe the problem is simply that
the webserver is not responding.

Get a packet capture using Ethereal to see what's actually being placed onto
the network.

Cheers
Ken


RE: [ActiveDir] Folder redirection exceptions?

2006-03-14 Thread Ken Schaefer
Hi,

For My Documents redirection, if you look at the second tab, there is an
option to not redirect the "My Pictures" folder

I know that doesn't help with "My Music"

Cheers
Ken


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Arnold Arce
Sent: Wednesday, 15 March 2006 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder redirection exceptions?

Hi everyone.   Long time reader, first time poster ☺

I have a simple question which I’m hoping has a simple answer.  I’ve set up a
group policy that redirects everyone’s ‘My Documents’ directory to their home
directory on the server.  Works great, except people’s Music and Pictures are
being stored on the server too.  Is there a way to exclude the My Music and
My Pictures directories from being redirected and left on the local
workstation?

Arnold
[EMAIL PROTECTED]

RE: [ActiveDir] OT: Netlogon Service

2006-03-09 Thread Ken Schaefer






For all we know, someone 
did exactly what you did (connect remotely using administrative credentials) and 
disabled the services.
 
Do you have logon auditing enabled? If so, 
have you checked to see who's logged onto the machine?
 
Cheers
Ken


From: [EMAIL PROTECTED] on behalf of Aaron Visser
Sent: Fri 3/10/2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Netlogon Service

Well I know this is a little off topic but I cannot find any answers so I have
decided that I need to tap into this huge fountain of knowledge.

Computer - Win XP Pro SP2 latest Updates

Problem - Computer was working fine and all of a sudden after a reboot today I
can no longer login to it via the Domain (it says that the NetLogon Service is
not started). So I logged onto another computer and remotely connected to the
computer thru the Computer Management MMC Snap-In and checked the Netlogon
Service and sure enough it was disabled, so I set it to Auto and then proceeded
to start the Service. But it will not start because it says that the RPC
Locator Service (to the best of my recollection) needs to be started, so I
check that and sure enough it is disabled also. So I try to start that service
but it gives me some error that I cannot recall at this time. Anyways trying to
make this story short I am pretty sure that the computer in question was
targeted from within the LAN remotely. So the big question or questions are is
it possible to attack a computer in this manner? If it is possible does anyone
have any info on how to accomplish this so that I can try and figure out how or
what was used and maybe even nail the person (student) who did this.

Thanks,
Aaron




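Ken's reply above is the right instinct: before assuming an attack, find out who changed the service start type, and that needs logon auditing to already be on. The added Python example below (my code, not from the post) shows the correlation over constructed log lines: a System log event 7040 from the Service Control Manager records a start-type change, and a Security log event 540 records a successful network logon with the account and source address. Every timestamp, account name and address here is invented; the line format is a simple pipe-separated export I constructed, not a real Event Viewer export.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, not from the post. One event per line:
# log|timestamp|event id|source|message. Names, times and addresses are invented.
SAMPLE_EVENTS = """\
Security|2006-03-10 15:58:41|540|Security|Successful Network Logon: User Name: jdoe Domain: SCHOOL Logon Type: 3 Source Network Address: 10.20.30.40
Security|2006-03-10 16:02:05|540|Security|Successful Network Logon: User Name: WS17$ Domain: SCHOOL Logon Type: 3 Source Network Address: 10.20.30.17
System|2006-03-10 16:03:12|7040|Service Control Manager|The start type of the Remote Procedure Call (RPC) Locator service was changed from demand start to disabled.
System|2006-03-10 16:03:15|7040|Service Control Manager|The start type of the Net Logon service was changed from auto start to disabled.
Security|2006-03-10 16:40:00|540|Security|Successful Network Logon: User Name: admin Domain: SCHOOL Logon Type: 3 Source Network Address: 10.20.30.5
System|2006-03-10 16:41:10|7040|Service Control Manager|The start type of the Net Logon service was changed from disabled to auto start.
"""

WATCHED_SERVICES = {"Net Logon", "Remote Procedure Call (RPC) Locator"}
START_TYPE_RE = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.$")
LOGON_RE = re.compile(
    r"User Name: (?P<user>\S+) Domain: (?P<domain>\S+) Logon Type: (?P<type>\d+) "
    r"Source Network Address: (?P<addr>\S+)")


def parse_events(text):
    """Split the export into dicts with a real datetime and an integer event id."""
    events = []
    for line in text.splitlines():
        log, ts, eid, source, msg = line.split("|", 4)
        events.append({"log": log, "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "source": source, "message": msg})
    return events


def service_tampering(events):
    """7040 events that set a watched service to disabled: (time, service, old start type)."""
    hits = []
    for e in events:
        if e["id"] != 7040:
            continue
        m = START_TYPE_RE.search(e["message"])
        if m and m.group("svc") in WATCHED_SERVICES and m.group("new") == "disabled":
            hits.append((e["time"], m.group("svc"), m.group("old")))
    return hits


def correlate(events, window=timedelta(minutes=10)):
    """For each disabling change, list the network logons (540) in the preceding window.
    Machine accounts (trailing $) are dropped; they are routine computer-to-computer traffic."""
    logons = []
    for e in events:
        if e["id"] != 540:
            continue
        m = LOGON_RE.search(e["message"])
        if m and not m.group("user").endswith("$"):
            logons.append((e["time"], f'{m.group("domain")}\\{m.group("user")}', m.group("addr")))
    result = []
    for when, svc, old in service_tampering(events):
        suspects = [(acct, addr) for t, acct, addr in logons if when - window <= t <= when]
        result.append({"time": when, "service": svc, "previous": old, "suspects": suspects})
    return result
```

The output is a shortlist, not proof: a network logon shortly before the change tells you which account and source address to look at next (that machine's own logs, who had the password), and the later re-enable by the administrator correctly attracts no suspect because it is not a disabling change.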
RE: [ActiveDir] Exchange ActiveSync (OT)

2006-02-16 Thread Ken Schaefer
If this was working at some stage, then it's unlikely to be a certificate
issue.

I'm not familiar with this particular device, but since it's a Pocket PC
Phone device, there should be an option to turn on verbose ActiveSync logging
(via the ActiveSync applet). Turn that on, and look in
[device]\Windows\ActiveSync for a Server Exchange Log text file that should
contain the communication (what there is) between device and server.

Lastly, you sure you have your network connections set up correctly? A lot of
people get the "work" and "internet" connections messed up. Ed has a good
explanation here:
http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, 17 February 2006 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange ActiveSync (OT)

Petergal's SBS Blog : 85010001 Error Trying to Sync with WM5.0 
Device/ActiveSync4.1/ISA2004:
http://blogs.technet.com/petergal/archive/2006/02/02/418663.aspx

Got a 85010001 error resolution  ;-)

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> My understanding over SSL, yes.
> Is this a pocket PC style device or a smart phone?
>
> If PPC you can manually move the cert (in SBSland we have two) to the 
> device and 'install' them by merely drilling down the file explorer 
> and clicking on it...this will 'install' it on the device.
>
> Smartphone mobile 5 you need a cert installer from the company.
>
> Nick Whittome - "The Naked MVP" : Windows Mobile 5.0 Devices and Self 
> Signed Certs:
> http://msmvps.com/blogs/thenakedmvp/archive/2005/11/15/75687.aspx
>
> We need to gather up all the resolutions and stick them in one blog post.
>
>
>
> Liz Vaibar wrote:
>
>> I tried that and couldn't get my cert to install. Do I absolutely need
>> the cert?
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>> CPA aka Ebitz - SBS Rocks [MVP]
>> Sent: Thursday, February 16, 2006 11:52 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] Exchange ActiveSync (OT)
>>
>> http://blogs.technet.com/sbs their latest podcast is all about mobility.
>>
>> http://blogs.technet.com/sbs/archive/2006/02/12/419364.aspx
>>
>> You've added the cert to the device?
>>
>> Liz Vaibar wrote:
>>
>>  
>>
>>> Has anybody had the joyous experience of trying to make the new Palm 
>>> Treo 700w sync with their Exchange environment?
>>>
>>> I am running Exchange 2003 SP2 on clustered servers. I have OWA 
>>> running on a front-end server. I have checked configurations as the 
>>> OMA stuff is setup by default and verified that I can log into OMA. 
>>> I have added my mobile carrier, I can see messages in my logs saying 
>>> that things are working but the Palm never synchronizes. Instead, I 
>>> get an error on the Palm that says The server could not be reached.
>>> This can be caused by temporary network conditions. Support code: 
>>> 0x80072EFD. I have had this thing miraculously begin working and
>>> then suddenly stop. I cannot duplicate success. There is no rhyme or 
>>> reason to it. I have spent countless hours on this searching the web 
>>> and see there are a lot of other folks out there who are frustrated 
>>> but not a whole lot of support information on it. Does anyone have any
>>> suggestions?
>>>
>>> Thanks,
>>> Liz Vaibar
>>> Shape Corp.
>>> Systems Administrator



RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Ken Schaefer






I was under the impression it 
was 802.1x. Your certificate is stored on the smartcard.
 
Cheers
Ken


From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sat 2/4/2006 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Actually I don't think it was as there's a security issue with 802.1x wired
connections.. (wireless no, wired there's an issue that Slav and Steve Riley
have discussed)

Let me get a post

Dean Wells wrote:
>
> Microsoft uses 802.1x auth. I believe ... as do many.
>
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Friday, February 03, 2006 8:42 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Getting better control over DHCP
>
> Can't this be done with ...what is MS using? Is it Ipsec and smartcard
> authentication?
>
> You go to Redmond, stick in a rj45 and unless you have a lovely plastic
> thingy with a chip you don't get access on corpnet.
>
> joe wrote:
>
>> There is nothing you can do around a DHCP server that will really help
>> you as you point out. You simply need to plug into a port, enter any
>> IP address or let one of the 169 addresses kick in and turn on a
>> sniffer and you start seeing enough traffic to figure out where to
>> come up with a random IP address at. All the DHCP server is is a
>> helper, it doesn't give you network access, it helps you find it. This
>> type of thing needs to be controlled either at the network level where
>> the switches say, sorry you can't route packets anywhere but this
>> private secured network or you need to make all proper network traffic
>> secure with some kind of tunneling/vpn type tech. The latter is quite
>> popular for companies with wireless, you get on the wireless network
>> and then have to VPN into the corporate network. That way anyone who
>> compromises the WAPs still doesn't get anything but a network and all
>> traffic from everyone properly on the network is encrypted. At best
>> the company may allow you to surf out to the internet, this is
>> especially good for companies who have visitors from other companies
>> dropping by their facilities or are in close vicinity to other
>> companies who may pick up their WAPs.
>>
>> You really want to start looking into Network Quarantine/Network
>> Access Protection/etc. It is not a simple whip out in an hour
>> solution, it will take forethought and possibly upgrades of network
>> infrastructure and your machines to do it correctly. But with it you
>> can set specific policy on who gets to get on the real network and who
>> doesn't, this includes things like domain membership as well as what
>> software is installed on machines and virus definition levels or OS
>> fix levels, etc. You write the policy that the clients have to meet or
>> else they don't get anything but a dead network.
>>
>> I would recommend going to google, typing in network quarantine and
>> hit enter. You will almost certainly see several hits on MS because
>> they have been spending a lot of time and energy the last 4 or so
>> years working on this stuff and getting all of the right hardware
>> people together to make a good solution. They had some preliminary
>> stuff done a couple of years ago that people were really interested in
>> but started redesigning some of it to make it more flexible/capable. I
>> expect most of what happens in this space will most likely fall out of
>> Cisco and Microsoft.
>>
>> joe
>>
>> --
>> O'Reilly Active Directory Third Edition -
>> http://www.joeware.net/win/ad3e.htm




RE: [ActiveDir] IIS 6 Urgent Help

2006-01-31 Thread Ken Schaefer
You have entered the command incorrectly. From the screenshot you have
entered ISSuba (there is a missing I). 

The actual command you need to run is:
rundll %windir%\system32\iissuba.dll, RegisterIISSUBA

Cheers
Ken


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, 1 February 2006 12:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IIS 6 Urgent Help

I am trying to enable subauthentication in IIS 6. There are some copyright
contents that usernames and passwords are required to view. Digest
Authentication is through AD accounts.

When I run..rundll32 systemroot\system32\issuba,RegisterIISSUBA   I get
the attached error.

Environment: W2K3 AD
Server: W2K3 Web Edt.

Hopefully someone can help.

Thanks..
Z.V.


RE: [ActiveDir] OT: WMF issue - patch on the 10th

2006-01-04 Thread Ken Schaefer
Microsoft's stated that out-of-band releases will occur if a patch is ready
enough, and there's reason to release the patch (e.g. an exploit circulating
in the wild). From what I heard today, regression testing is still being
performed on the patch they are intending to release.

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hank Arnold
Sent: Wednesday, 4 January 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th

As one who lived through the days of patches generated at random (and often
re-issued with corrections) I really appreciate the "Patch Tuesday"
approach. It used to be a given that you applied *NO* update until you
waited a decent interval to see what problems the user community
reported... Now, the risk is minimal and automatic patching (except for
servers) is the norm... Add to that the fact that existing tools and
practicing "safe computing" protect you from virtually all attacks and I
think we are *way* better off than we used to be...

I think, though, that it might be useful for MS to be a bit more aggressive
in getting out security updates, especially critical ones like the WMF
exposure. How about a "Critical Patch Tuesday" (say the 4th Tuesday) used
only when a fix can't wait until "Patch Tuesday"?


Regards,
Hank Arnold

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Tuesday, January 03, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: WMF issue - patch on the 10th

What's Microsoft's response to the availability of third party patches for
the WMF vulnerability?
Microsoft recommends that customers download and deploy the security update
for the WMF vulnerability that we are targeting for release on January 10,
2006.

As a general rule, it is a best practice to utilize security updates for
software vulnerabilities from the original vendor of the software. With
Microsoft software, Microsoft carefully reviews and tests security updates
to ensure that they are of high quality and have been evaluated thoroughly
for application compatibility. In addition, Microsoft's security updates are
offered in 23 languages for all affected versions of the software
simultaneously.

Microsoft cannot provide similar assurance for independent third party
security updates.

Why is it taking Microsoft so long to issue a security update?
Creating security updates that effectively fix vulnerabilities is an
extensive process. There are many factors that impact the length of time
between the discovery of a vulnerability and the release of a security
update. When a potential vulnerability is reported, designated product
specific security experts investigate the scope and impact of a threat on
the affected product. Once the MSRC knows the extent and the severity of the
vulnerability, they work to develop an update for every supported version
affected. Once the update is built, it must be tested with the different
operating systems and applications it affects, then localized for many
markets and languages across the globe.


RE: [ActiveDir] Enable Windows Integrated Authentication through GPO

2006-01-03 Thread Ken Schaefer
--- Original Message ---
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Subject: [ActiveDir] Enable Windows Integrated Authentication through GPO

: How does someone enable Windows Integrated Authentication 
: through a Group Policy.  You will find this on the 
: Advanced tab of Internet Options.


Justin,

AFAIK there is nothing in the supplied ADM templates that allows you to
toggle this setting. A quick google turned up the following (3rd hit) as a
custom ADM that you could try (I haven't tested it):

http://www.pragmaticutopia.com/index.php?option=com_content&task=view&id=90&I
temid=2

The only thing I would note is that it is set up as "supported in IE6 or newer",
but I'm pretty sure that setting is there from IE5 and above (dunno if IE5 is
still used where you are. If so, edit the ADM as appropriate)

Cheers
Ken


RE: [ActiveDir] VBScript help(OT)

2005-12-08 Thread Ken Schaefer








Call Randomize() to initialize the random number generation algorithm somewhere in
your script, prior to the first call to Rnd()

Could I suggest you get the Windows Script Host 5.6 documentation:

http://www.microsoft.com/downloads/details.aspx?FamilyId=01592C48-207D-4BE1-8A76-1C4099D7BBB9&displaylang=en

Some of the things you are running into are dealt with more quickly by just
looking up the relevant topics…

 

Cheers

Ken

 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, 9 December 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] _vbscript_ help(OT)

 



Thanks a lot!!

Unfortunately it only seems to work when I ran it the first time.

If I kill it and run it again and it encounters a duplicate file in the source
dir it throws an error - "file already exists".

Will it only work in one shot?

thanks
 





On 12/8/05, Rich Milburn <[EMAIL PROTECTED]>
wrote: 



Replace your last sub:

sub filelist(grp)
  for each file in grp.files
    ' stop once the target folder holds 999 files
    if targ.files.count>=999 then full=true:exit for
    if lcase(fso.getextensionname(file)) = "eml" then
      set objFile = fso.getfile(file)
      arrFileName = Split(objfile.Name,".")
      oldname = arrFileName(0)
      ext = arrFileName(1)
      ' a name clash at the target gets a random numeric suffix
      ' (Rnd is not seeded here, so the sequence repeats on every run)
      if fso.FileExists(target & objFile.Name) then
        newfile=oldname & cstr(int(Rnd * 1000)) & "." & ext
      Else
        newfile=objFile.Name
      end if
      wscript.echo newfile
      fso.MoveFile file,target & newfile
    end if
  next
End sub

 



---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--

"I love the smell of red herrings in the morning" - anonymous







 








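Two things go wrong in the posted routine on a second run: Rnd is never seeded, so each run draws the same suffix sequence (Ken's Randomize point), and the collision is checked only once, so a suffix that is already taken still fails the move. The added Python example below (my code, not Rich's or Tom's VBScript) shows the single-check version beside a loop that keeps drawing until the name is free, plus a demo() that reproduces the "run it again" case in a temporary directory. The directory layout and file names are constructed for the example.

```python
import random
import shutil
import tempfile
from pathlib import Path


def single_check_name(target_dir, name, rng):
    """The posted approach: one existence check, one random suffix, no retry."""
    p = Path(name)
    if (target_dir / name).exists():
        return f"{p.stem}{rng.randrange(1000)}{p.suffix}"
    return name


def unique_name(target_dir, name, rng):
    """Keep drawing suffixes until the candidate does not exist in target_dir."""
    p = Path(name)
    candidate = name
    while (target_dir / candidate).exists():
        candidate = f"{p.stem}{rng.randrange(1000)}{p.suffix}"
    return candidate


def move_eml(source, target, rng=None, cap=999):
    """Move *.eml files under source into target, stopping when target holds cap files.
    Returns the names used in target. rng=None means a freshly seeded generator,
    which is what calling Randomize() buys you in VBScript."""
    rng = rng if rng is not None else random.Random()
    source, target = Path(source), Path(target)
    moved = []
    for path in sorted(source.rglob("*.eml")):
        if sum(1 for _ in target.iterdir()) >= cap:
            break
        new_name = unique_name(target, path.name, rng)
        shutil.move(str(path), str(target / new_name))
        moved.append(new_name)
    return moved


def demo():
    """Throw-away tree with duplicate names, moved in two runs that reuse one seed
    (the unseeded-Rnd situation). Returns what happened so it can be checked."""
    root = Path(tempfile.mkdtemp(prefix="eml-demo-"))
    try:
        src, drop = root / "src", root / "drop"
        drop.mkdir()
        for sub in ("a", "b", "c"):               # constructed: three subdirs, same file name
            (src / sub).mkdir(parents=True)
            (src / sub / "msg.eml").write_text(f"first batch from {sub}")
        (drop / "msg.eml").write_text("already in the drop folder")

        first = move_eml(src, drop, random.Random(7))
        # A fresh generator with the same seed repeats the suffix sequence, so the
        # single-check rename proposes a name the first run already used:
        naive = single_check_name(drop, "msg.eml", random.Random(7))
        naive_collides = (drop / naive).exists()
        for sub in ("a", "b"):
            (src / sub / "msg.eml").write_text(f"second batch from {sub}")
        second = move_eml(src, drop, random.Random(7))   # same seed, loop still succeeds
        return {"first": first, "second": second,
                "naive_collides": naive_collides,
                "in_drop": sorted(p.name for p in drop.iterdir())}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

The loop is the part that matters: seeding only makes repeats unlikely, while checking the candidate each time makes a clash impossible regardless of what the generator returns.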
RE: [ActiveDir] VBScript help(OT)

2005-12-08 Thread Ken Schaefer








getExtensionName() requires you to pass it a filespec (a filename, or path to a file)

If FSO.getExtensionName("c:\windows\clock.avi") = "avi" Then
    ' do foo
Else
    ' do bar
End If

 

Cheers
Ken

 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, 8 December 2005 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] _vbscript_ help(OT)

 



Oops, I guess I didn't check my code.

Before I made any changes, I get "Wrong number of arguments or invalid property
assignment: 'fso.getextensionname'".

sorry.

I wonder why that is?

 





On 12/7/05, Ken Schaefer <[EMAIL PROTECTED]> wrote: 

At the moment you have this line which does the copy:

if lcase(fso.getextensionname) = "eml" then file.move target

So, instead of doing the copy, check to see if the file exists at the target,
and if not do the copy. If it does exist, rename the file at the source, then
do the copy.

If LCase(FSO.getExtensionName) = "eml" Then
   If objTarg.FileExists(strSourceFileName) Then
      ' Rename Source File
   End If
   ' Now do the copy
End If

Cheers
Ken



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, 8 December 2005 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] VBScript help(OT)

Thanks.

My real problem is, I'm not sure where to put that in my existing script
without screwing things up

Should that be a separate sub?

Thanks again


On 12/7/05, Brian Desmond <[EMAIL PROTECTED]> wrote:
I don't see the need for a select case, but File.Exists would help.

What I would do is something like this

Dim moveName
moveName = CurrentNameOfFile

' keep appending a random number until the name is free in the target
While TargetFolder.FileExists(moveName)
    moveName = moveName + CStr(Int(Rnd * 1000))
Wend

'moveTheFile()

Rnd*1000 will get you some random # 0 - 1000 int makes it an integer and cstr
makes it a string. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, December 07, 2005 7:01 PM
To: activedirectory
Subject: [ActiveDir] VBScript help(OT)

I have this VBScript i wrote/stole to move all files with an .eml extension
from many subdirs into a folder only if the folder is empty and only to move
999 at a time.

it works great except when it sees files with duplicate names it bombs out
while moving them.
i'd like it to rename the dup (maybe add some random #'s or characters to the
end) and continue moving all the files.

I think I have to use the "FileExists" method and "Select...Case" but I'm not
sure how.

Was wondering if anyone could help me with this.

Here is the code-


source="H:\tempxtender"
target="c:\inetpub\mailroot\drop\"
Set fso = CreateObject("Scripting.FileSystemObject")
set root=fso.getFolder(source)
set targ=fso.getFolder(target)
dim full
do
 if targ.files.count=0 then full=false
 if full=false then call folderlist(root)
 wscript.sleep 1000
loop
sub folderlist(grp)
 call filelist(grp)
 if full then exit sub
 for each fldr in grp.subFolders
  set nf=fso.GetFolder(fldr.path)
  call folderlist(nf)
  set nf=nothing
 next
end sub
sub filelist(grp)
 for each file in grp.files
  if targ.files.count>=999 then full=true:exit for
  if lcase(fso.getextensionname) = "eml" then file.move target
 next
end sub


My apologies for bugging you guys with this OT.

Thanks


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
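The duplicate-name handling this thread converges on (check the drop folder, pick a random suffix, stop at 999 files), as an added Python example rather than any of the posters' VBScript. It assumes Tom's layout (a source tree, one flat target folder) and replaces the FileExists-then-MoveFile pair with an exclusive-create reservation so the existence check cannot race the move; the sample tree it builds is constructed.

```python
"""Collision-safe .eml mover: an added Python example, not any poster's script."""
import os
import secrets
import shutil
import tempfile
from pathlib import Path

BATCH_LIMIT = 999  # the thread's cap: stop once the drop folder holds this many files


def reserve_unique_name(target_dir: Path, name: str) -> Path:
    """Claim a free filename in target_dir atomically and return its path.

    The VBScript in the thread checks FileExists and then calls MoveFile as
    two separate steps, so a second mover, or the pickup service draining
    the drop folder, can slip in between.  O_CREAT|O_EXCL makes the
    existence check and the claim a single operation: it fails if anything
    else created the name first, and we simply try the next suffix.
    """
    # splitext keeps "report.final.eml" as ("report.final", ".eml"), where
    # Split(name, ".") in the thread would have made "final" the extension.
    base, ext = os.path.splitext(name)
    candidate = name
    for _ in range(100):
        path = target_dir / candidate
        try:
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        except FileExistsError:
            # Duplicate: put a random suffix before the extension.  secrets
            # rather than Rnd, which repeats the same sequence on every run
            # unless Randomize is called.
            candidate = f"{base}-{secrets.token_hex(4)}{ext}"
            continue
        os.close(fd)
        return path
    raise RuntimeError(f"no free name found for {name!r} in {target_dir}")


def count_files(folder: Path) -> int:
    """Equivalent of targ.files.count: regular files directly in the folder."""
    return sum(1 for p in folder.iterdir() if p.is_file())


def move_eml_files(source: Path, target: Path, limit: int = BATCH_LIMIT) -> list:
    """Move every *.eml below source (recursively) into the flat target folder.

    Returns the (old_path, new_path) pairs moved.  Stops as soon as target
    holds `limit` files, mirroring `targ.files.count>=999`; the caller
    re-runs it once the drop folder has drained.
    """
    moved = []
    for src in sorted(source.rglob("*")):
        if not src.is_file() or src.suffix.lower() != ".eml":
            continue  # lcase(getextensionname) = "eml"
        if count_files(target) >= limit:
            break
        dst = reserve_unique_name(target, src.name)
        # shutil.move overwrites the zero-byte placeholder we reserved and
        # falls back to copy+delete when source and target sit on different
        # volumes (H: to C: in the thread), where a bare rename would fail.
        shutil.move(str(src), str(dst))
        moved.append((src, dst))
    return moved


def demo() -> dict:
    """Run the mover over a constructed sample tree and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("a", "b"):  # the same filename in two subfolders
            (root / "in" / sub).mkdir(parents=True)
            (root / "in" / sub / "invoice.eml").write_text(f"from {sub}")
        (root / "in" / "a" / "Notes.EML").write_text("upper-case extension")
        (root / "in" / "a" / "readme.txt").write_text("not mail, stays put")
        (root / "out").mkdir()
        moved = move_eml_files(root / "in", root / "out")
        return {
            "moved": [(old.name, new.name) for old, new in moved],
            "out": sorted(p.name for p in (root / "out").iterdir()),
            "left": sorted(p.name for p in (root / "in").rglob("*") if p.is_file()),
        }


if __name__ == "__main__":
    for old, new in demo()["moved"]:
        print(f"{old} -> {new}")
```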




 








RE: [ActiveDir] VBScript help(OT)

2005-12-07 Thread Ken Schaefer
At the moment you have this line which does the copy:

if lcase(fso.getextensionname) = "eml" then file.move target

So, instead of doing the copy, check to see if the file exists at the target,
and if not do the copy. If it does exist, rename the file at the source, then
do the copy.

If LCase(FSO.getExtensionName) = "eml" Then
   If objTarg.FileExists(strSourceFileName) Then
      ' Rename Source File
   End If
   ' Now do the copy
End If

Cheers
Ken



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, 8 December 2005 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] VBScript help(OT)

Thanks.
 
My real problem is, I'm not sure where to put that in my existing script
without screwing things up
 
Should that be a separate sub?
 
Thanks again

 
On 12/7/05, Brian Desmond <[EMAIL PROTECTED]> wrote: 
I don't see the need for a select case, but File.Exists would help.
 
What I would do is something like this
 
Dim moveName
moveName = CurrentNameOfFile
 
' keep appending a random number until the name is free in the target
While TargetFolder.FileExists(moveName)
    moveName = moveName + CStr(Int(Rnd * 1000))
Wend
 
'moveTheFile()
 
Rnd*1000 will get you some random # 0 - 1000 int makes it an integer and cstr
makes it a string. 
 
Thanks, 
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, December 07, 2005 7:01 PM
To: activedirectory
Subject: [ActiveDir] VBScript help(OT)
 
I have this VBScript i wrote/stole to move all files with an .eml extension
from many subdirs  into a folder only if the folder is empty and only to move
999 at a time. 
 
it works great except when it sees files with duplicate names it bombs out
while moving them.
i'd like it to rename the dup (maybe add some random #'s or characters to the
end) and continue moving all the files.
 
I think I have to use "FileExists" method and "Select...Case" but I'm not
sure how.
 
Was wondering if anyone could help me with this.
 
Here is the code-
 
 
source="H:\tempxtender"
target="c:\inetpub\mailroot\drop\"
Set fso = CreateObject("Scripting.FileSystemObject")
set root=fso.getFolder(source)
set targ=fso.getFolder(target)
dim full
do
 if targ.files.count=0 then full=false
 if full=false then call folderlist(root)
 wscript.sleep 1000
loop
sub folderlist(grp)
 call filelist(grp)
 if full then exit sub
 for each fldr in grp.subFolders
  set nf=fso.GetFolder(fldr.path)
  call folderlist(nf) 
  set nf=nothing
 next
end sub
sub filelist(grp)
 for each file in grp.files
  if targ.files.count>=999 then full=true:exit for
  if lcase(fso.getextensionname) = "eml" then file.move target
 next
end sub
 
 
My apologies for bugging you guys with this OT.
 
Thanks
 



RE: [ActiveDir] Help with VB script to map printers

2005-12-07 Thread Ken Schaefer
--- Original Message ---
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, 8 December 2005 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Help with VB script to map printers

: my WSH doesn't seem to like the double quotes I see some people 
: use sometimes (i.e. MsgBox "I said, ""Hello."" would always give me an
error.

You'd get an "unterminated string constant" error if you ran that code
snippet :-)

MsgBox "I said, ""Hello.""" would work

Cheers
Ken


RE: [ActiveDir] LDAP Traffic Replay

2005-12-06 Thread Ken Schaefer
10.13 has an expression builder for building your filters. 
And ip.src==10.10.10.1 isn't that complex a syntax :-)

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, 7 December 2005 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Traffic Replay

I can't figure out the filtering thing in ethereal. Netmon works great for
me, and the installer is on at least one server in every wan site I have. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 06, 2005 11:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Traffic Replay

Yeah I have the full netmon available to me but Ethereal kind of punks
netmon out. I stopped using netmon a couple of years ago now.  ;o)

Either way, both are simple monitors and that is a very small piece of what
I need. The hard parts are the breaking out into a replayable format and
replaying.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Tuesday, December 06, 2005 10:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Traffic Replay

Etherpeek is a network based tool.  I think that is what the wildpackets
reference is but not sure.  I have NO idea but if you have SMS 2003 in your
environment they have a full-fledged network scanner.  It's free and if you
have it might be worth checking out.  Good luck.

Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP

http://www.orcsweb.com/
Managed Complex Hosting
#1 in Service and Support

- Original Message -
From: "joe" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, December 06, 2005 12:31 PM
Subject: [ActiveDir] LDAP Traffic Replay


> Is anyone aware of a tool that will sit and watch LDAP traffic and track
> the threads/clients/etc and then be able to replay that traffic?
>
> Basically I am looking for a way to better judge DC perf in relation to
> Exchange LDAP queries. Setting up a whole Exchange environment to test the
> DCs is testing both Exchange and the DC and I am looking to try and narrow
> that to just AD so I can answer some of the questions of GC/DC capacity
> better than the 4:1 ratio business which everyone says isn't that great
> but doesn't seem to have anything easy to do that is better. I would like to
> track traffic to production GC/DCs and then be able to replay that LDAP
> load as desired over and over again against various pieces of hardware with
> different configs.


RE: [ActiveDir] authentication problem

2005-11-29 Thread Ken Schaefer
Hi,

A) IIS logfiles must have something. The browser pops-up the credentials
dialogue when it receives a 401 HTTP status (Access Denied) back from the
server. Can you look in your IIS logfiles please, and post the corresponding
logfile entries please? If there is nothing in the IIS logfiles, then the
requests are not making it to IIS. Either there is a proxy device between the
client and server, or the connection is being dropped - have a look in the
httperr.log file on your server.

B) Have you got auditing for logon failure events enabled?

C) SPNs would be needed when using Kerberos Auth, but you indicated that
previous logons were using NTLM. That's a bit odd.

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
Sent: Wednesday, 30 November 2005 12:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] authentication problem

Hi Ken,

Thanks heaps for your response.

Currently I can give the following answers:

A) the IIS log files say nothing in particular; they all look the same as
before the incident
B) I get no log entry in the security log that authentication is failing -
it seems to not get through at all, so it keeps asking; not sure what is
normally used to authenticate, I think it's NTLM as the log files prior to
this were using it
C) the situation was that we had a new admin who was / is quite annoyed
with errors in log files (me too, but we have just about enough staff to
run the system and do some urgent projects, so if it doesn't cause an
error I just don't touch it). He told me that we got KDC errors (11)
stating the ds_service_principal_name is registered to multiple accounts
- and around 1 week ago he deleted some SPN entrances by using ADSIEDIT
after checking in LDP which accounts have the service registered. I
first had my CRM down and then after a needed shutdown (we had work on
site with power turned off and prior to this I shut down the servers) and
reboot nothing was working at all. I tried a few things and told my
colleague to reverse what he was doing but this didn't really fix it.
The only way I could get the intranet going again (with basically no
restrictions) was to register the cifs and http for this server
manually. Interestingly, if I am logged on the server, CRM and
intranet are working perfectly. So it must be the actual authentication
on the server.
D) thanks for the auditing information - I turned it on instantly.

Thanks for the help.

Cheers,
Kat

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, 29 November 2005 10:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] authentication problem

Hi,

Do not change any more values without an understanding of the root cause
of the issue. Do not uncheck that checkbox, and do not change the
security zone that the site is in.

a) What do your IIS logfiles say for the requests in question?

b) What do your event logs say as far as failed logon attempts? What
authentication package is being used (NTLM or Kerberos) and why is the
logon failing?

c) Why did you add those alternate SPN values? The HOST SPN is
registered, by default, under the computer account. Why were you adding
it under user accounts?

d) In Win2k3 SP1 there's something called IIS Metabase Auditing that you
can enable, which will help you in the "I didn't change anything, I swear"
scenario:
http://www.adopenstatic.com/faq/iismetabaseauditing.aspx

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, 29 November 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] authentication problem

Should be error messages in your IIS log files though and if you have a
system state backup from before the changes that would have those [or
should have those] old AD values?

When it fails to log in what's the resulting error code?  401.1?
Something like that?

Also I've seen permission changes to web sites, .NET framework will
screw things up and start asking for passwords.  Did he mess with any of
the accounts that the aspnet and CRM services are running in?  So
exactly what was he doing again?

Google Groups : microsoft.public.crm:
http://groups.google.com/group/microsoft.public.crm/tree/browse_frm/thread/e780a75e03330399/21602ba7ff5148b1?rnum=1&q=prompted+by+username+crm&_done=%2Fgroup%2Fmicrosoft.public.crm%2Fbrowse_frm%2Fthread%2Fe780a75e03330399%2Ff4c11fb795df5768%3Flnk%3Dst%26q%3Dprompted+by+username+crm%26rnum%3D1%26#doc_f4c11fb795df5768

I'd look at some of these threads.

And on the off chance... try this too and see if this value is
checked
In IE, go to Tools menu >> Internet Options >> Advanced and scroll down
through the list until you see the Enable Integrated Windows
Authentication option near the bottom 

RE: [ActiveDir] authentication problem

2005-11-29 Thread Ken Schaefer
Hi,

Do not change any more values without an understanding of the root cause of
the issue. Do not uncheck that checkbox, and do not change the security zone
that the site is in.

a) What do your IIS logfiles say for the requests in question?

b) What do your event logs say as far as failed logon attempts? What
authentication package is being used (NTLM or Kerberos) and why is the logon
failing?

c) Why did you add those alternate SPN values? The HOST SPN is registered, by
default, under the computer account. Why were you adding it under user
accounts?

d) In Win2k3 SP1 there's something called IIS Metabase Auditing that you can
enable, which will help you in the "I didn't change anything, I swear" scenario:
http://www.adopenstatic.com/faq/iismetabaseauditing.aspx

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, 29 November 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] authentication problem

Should be error messages in your IIS log files though and if you have a 
system state backup from before the changes that would have those [or 
should have those] old AD values?

When it fails to log in what's the resulting error code?  401.1?
Something like that?

Also I've seen permission changes to web sites, .NET framework will
screw things up and start asking for passwords.  Did he mess with any of 
the accounts that the aspnet and CRM services are running in?  So 
exactly what was he doing again?

Google Groups : microsoft.public.crm:
http://groups.google.com/group/microsoft.public.crm/tree/browse_frm/thread/e780a75e03330399/21602ba7ff5148b1?rnum=1&q=prompted+by+username+crm&_done=%2Fgroup%2Fmicrosoft.public.crm%2Fbrowse_frm%2Fthread%2Fe780a75e03330399%2Ff4c11fb795df5768%3Flnk%3Dst%26q%3Dprompted+by+username+crm%26rnum%3D1%26#doc_f4c11fb795df5768

I'd look at some of these threads.

And on the off chance... try this too and see if this value is checked
In IE, go to Tools menu >> Internet Options >> Advanced and
scroll down through the list until you see the Enable Integrated Windows
Authentication option near the bottom of the list.  Uncheck this value.

And check the security level for IE...put the web sites in the trusted zone.



Remember you can always call Microsoft product support.  Try the 
appropriate group or community, but if you need something working and in 
a hurry, and newsgroups are not cutting it, I grab the credit card and 
I'll call product support if I need things working.

Katrin Wilhelm wrote:
> It's CRM 1.2 as far I know he didn't change anything in IIS and I do not
> get any error messages in regards to this. My feeling tells me that it
> must be the Service principal names with which he was working on are the
> reasons for the problem. As I never done any work with it I have no idea
> where to start looking. So far used setspn -R to reset the host SPN and
> added with setspn -A the HOST SPN to the user accounts which earlier
> created an event ID 11 (KDC) on DC's. Not sure where to go from here.
>
> Regards,
>
> Katrin Wilhelm (MCSA)
> CVGT Employment & Training Specialists
> Australia
> E-mail: [EMAIL PROTECTED]
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, 29 November 2005 2:02 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] authentication problem
>
> What are the errors you are getting in the error logs? IIS access logs?
>
> CRM 1.2 or 3.0? {I'm assuming 1.2 since 3.0 is just out}
>
> CRM uses integrated authentication on that web app if memory serves me 
> right...given that its both your CRM and your intranet what IIS changes 
> did he/she make? I think it's supposed to be set for basic and 
> integrated security enabled, but I know enough about CRM to be 
> dangerous there are CRM yahoogroups and newsgroups that I'd head off
>
> to if you don't hear from here.
>
> Katrin Wilhelm wrote:
>> Hello,
>>
>> I got a weird problem on a member server (2003) running MS CRM, SQL
>> and our intranet.
>>
>> Every time you are accessing the intranet or the CRM site you get a
>> pop up window for identification. It then does not accept any user
>> name and password. Everything worked fine until last week and I am not
>> sure what has changed. I believe the other admin used adsiedit to
>> change SPN for 'host as it was registered to several user accounts. I
>> found a work around that way that I allowed anonymous access and granted
>> the everyone group read access but do not want to leave it like this.
>> Does anybody know how I can fix this? I have no idea about SPN and had
>> a look around but I am stuck and my CRM is not working as the access is
>> not granted. Any suggestions?
>>
>> Thanks for this.
>>
>> Katrin Wilhelm (MCSA)


RE: [ActiveDir] Server Disappeared

2005-11-24 Thread Ken Schaefer
Did you say that you can ping the internal NIC by IP address or name from a
workstation?

If so, it would appear that you have TCP/IP running just fine, and you have
some other issue.

What you mean by "Internally, using normal network protocols, I see nothing
of the server, AD, or anything." I'm not sure. TCP/IP is a "normal" protocol,
and you can reach the server using TCP/IP.

So, something else is up. What exactly are you attempting to do? And what's
happening as a result? Please list any error messages you are seeing.

Additionally, if you look in your Windows Event Logs, do you see anything
that might help shed light on the situation?

Thanks

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harald
Sent: Friday, 25 November 2005 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Server Disappeared

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] burped the following on 
24/11/2005 4:14 PM:

> After a meal of Ham my brain is a bit fuzzy [just ran home 'cause 
> Dad's on dial up and his a/v expired and I'm getting a new version 
> ...remind me to buy him DSL for Christmas]
>
> All I know is we can't just 'move' the nics... we have to tie the 
> services/what not to a loopback, then remove the nic, then put in a 
> new nic and transfer to the new nics.
>
>
> do an ipconfig/all and see what it says..on the WINS tab is Netbios 
> over tcp/ip bound to that internal nic?

What WINS tab? The only WINS tab I know of is under the TCP/IP protocol 
properties for the NIC, and all it has is a box for WINS server addresses.

>
> The home SBS/dual nic server [okay so no comments from the peanut 
> gallery regarding server/domain names]
>
> Microsoft Windows [Version 5.2.3790]
> (C) Copyright 1985-2003 Microsoft Corp.
>
> C:\Documents and Settings\Administrator>ipconfig /all
>
> Windows IP Configuration
>
>   Host Name . . . . . . . . . . . . : kikibitzfinal
>   Primary Dns Suffix  . . . . . . . : Kikibitzrtm.local
>   Node Type . . . . . . . . . . . . : Unknown
>   IP Routing Enabled. . . . . . . . : Yes
>   WINS Proxy Enabled. . . . . . . . : Yes
>   DNS Suffix Search List. . . . . . : Kikibitzrtm.local
>
> Ethernet adapter Local Area Connection:
>
>   Connection-specific DNS Suffix  . :
>   Description . . . . . . . . . . . : Kingston EtherRx KNE111TX PCI Fast Ethernet Adapter
>   Physical Address. . . . . . . . . : 00-C0-F0-6C-6C-D4
>   DHCP Enabled. . . . . . . . . . . : No
>   IP Address. . . . . . . . . . . . : 192.168.1.2
>   Subnet Mask . . . . . . . . . . . : 255.255.255.0
>   Default Gateway . . . . . . . . . : 192.168.1.1
>   DNS Servers . . . . . . . . . . . : 192.168.16.2
>   NetBIOS over Tcpip. . . . . . . . : Disabled
>
> Ethernet adapter Server Local Area Connection:
>
>   Connection-specific DNS Suffix  . :
>   Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
>   Physical Address. . . . . . . . . : 00-03-47-68-F5-E4
>   DHCP Enabled. . . . . . . . . . . : No
>   IP Address. . . . . . . . . . . . : 192.168.16.2
>   Subnet Mask . . . . . . . . . . . : 255.255.255.0
>   Default Gateway . . . . . . . . . :
>   DNS Servers . . . . . . . . . . . : 192.168.16.2
>   Primary WINS Server . . . . . . . : 192.168.16.2
>
>
Ok, here is the result of ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : starfleetcmd
Primary DNS Suffix  . . . . . . . : starfleet3.ca
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : starfleet3.ca
bc.hsia.telus.net

Ethernet adapter World:
Connection-specific DNS Suffix  . : bc.hsia.telus.net
Description . . . . . . . . . . . : Linksys LNE100TX(v5) Fast
Ethernet Adapter
Physical Address. . . . . . . . . : 00-03-6D-13-18-15
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 142.179.115.117
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 142.179.112.254
DHCP Server . . . . . . . . . . . : 64.114.195.133
DNS Servers . . . . . . . . . . . : 154.11.128.187
154.11.128.59
64.114.195.135
64.114.195.136
Lease Obtained. . . . . . . . . . : November 23, 2005 2:33:03 PM
Lease Expires . . . . . . . . . . : November 30, 2005 2:33:03 PM

Ethernet adapter Internal

Connection-specific DNS Suffix  . : starfleet3.ca
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast
Ethernet Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . : 00-B0-D0-24-67-63
DHCP Enabled. . . . . . . . . . . : No
 

RE: [ActiveDir] OT:[DenyUrlSequences] Outlook Web Access.

2005-11-17 Thread Ken Schaefer
I'm confused here.

First you say that allowing .. and % is a risk. But you also say to tell the
client to remove URLScan.

Which do you recommend?

Personally the actual code in URLScan that protects you against
canonicalization attacks is built into IIS6 now - it's pretty much the same
code base. If there's a problem with the canonicalization code in IIS6, it's
probably there in URLScan as well...

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, 18 November 2005 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:[DenyUrlSequences] Outlook Web Access.

The risk is NOT minimal. I don't know why you think it is, but I still go
through my logs every now and then and see significant Nimda-like attack
attempts. This specific feature (called Allowdotinpath in pre-IIS6 URL-speak)
is now handled by http.sys itself, so the only way to defeat it is for you to
hack http.sys. Good luck.
 
In E2K era, I used to send email to the user letting them know about this
behavior and telling them that only management can override. Then I show
management that Code Red and Blue, Nimda and every imaginable disaster WILL
happen to their entire infrastructure IF they listen to their users and
override this. Then I show the tech people how to override it in case the
management people don't know what I meant by "directory traversal".
 
Since E2K3, I just tell everyone that it's a feature of Exchange (actually
it's a feature of IIS, but let's not split hairs) and that evil things will
happen IF they try to cripple it. Bad things will happen indeed. If you don't
have a firewall that filters out that double-encoded garbage (like ISA
does), then your Exchange server won't last. Just look at your urlscan log on
a pre-IIS6 server or your firewall log and you will see what requests are
hitting your server. If after doing that, you feel comfortable with what you
see, then you can start hacking around http.sys
 
IF your client installed URLScan on their E2K3 box, you can tell them to
remove it. You don't really need it in IIS6 since, like I said, most of the
features have been rolled into http.sys when MS re-wrote it. You will know if
you need it. In the meantime, tell your client that blocking "... & %" and
the likes is now a part of life and they should learn to love it.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 11/17/2005 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:[DenyUrlSequences] Outlook Web Access.



On a client's Exchange 2003 server, the Urlscan.ini has been configured to
utilise the default DenyUrlSequences configuration which means that any mail
with the following criteria in the subject line cannot be opened whilst using
OWA.

 

   ..  ./ \ : % & 

 

Has anyone configured their OWA to not utilise this feature and suffered any
ill effects?

 

I assume the risk is minimal but it must be there for a reason, but how real
is the issue?

 

"Microsoft KB 325965 The URLScan tool may cause problems in Outlook Web
Access"

 

Many thanks

 

Mark
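A DenyUrlSequences-style check as an added Python example, not URLScan's or http.sys's code: it applies the sequence list Mark quoted to constructed OWA-style request paths and shows why dropping "%" from the list (so ordinary encoded characters work) is only safe if the path is decoded to a fixed point first, which is the double-encoding point Dèjì makes.

```python
"""DenyUrlSequences-style request filter: an added Python example, not URLScan's
or http.sys's code."""
from urllib.parse import unquote

# Constructed stand-in for the default [DenyUrlSequences] list Mark quoted;
# URLScan reads the real one from Urlscan.ini.
DENY_URL_SEQUENCES = ["..", "./", "\\", ":", "%", "&"]

MAX_DECODE_ROUNDS = 4  # bounds the loop; decoding an unencoded string is a no-op


def canonicalize(url_path: str) -> str:
    """Percent-decode until the result stops changing.

    One unquote() turns "%252e%252e" into "%2e%2e", which still contains no
    "..": only the second round does.  Matching against the fixed point is
    what makes it safe to drop "%" from the deny list (so legitimately
    encoded characters in OWA URLs work) without re-opening the
    double-encoding hole Dèjì describes.
    """
    current = url_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def _first_match(views, sequences):
    """First sequence that occurs in any of the given views of the path."""
    for seq in sequences:
        if any(seq in view for view in views):
            return seq
    return None


def single_pass_denied(url_path: str, sequences=DENY_URL_SEQUENCES):
    """Naive filter: the raw path plus one round of decoding."""
    return _first_match((url_path, unquote(url_path)), sequences)


def denied_sequence(url_path: str, sequences=DENY_URL_SEQUENCES):
    """Return the first denied sequence in the raw or fully decoded path,
    or None when the request would be allowed through."""
    return _first_match((url_path, canonicalize(url_path)), sequences)


if __name__ == "__main__":
    # Constructed OWA-style request paths: the subject line ends up in the URL,
    # which is why mail titled "Q&A" or "Re: hello" cannot be opened.
    relaxed = [s for s in DENY_URL_SEQUENCES if s != "%"]
    for path in ("/exchange/tom/Inbox/Budget.EML",
                 "/exchange/tom/Inbox/Q&A.EML",
                 "/exchange/tom/Inbox/Re%3A%20hello.EML",
                 "/exchange/tom/%252e%252e/other"):
        print(f"{path:45} default={denied_sequence(path)!r:6} "
              f"relaxed={denied_sequence(path, relaxed)!r:6} "
              f"single-pass/relaxed={single_pass_denied(path, relaxed)!r}")
```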


RE: [ActiveDir] Microsofts Exchange Server 12 64 bit announcement

2005-11-15 Thread Ken Schaefer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Subject: RE: [ActiveDir] Microsofts Exchange Server 12 64 bit announcement

> One thing I find interesting is, who are these MANY of 
> companies that are currently running 64 bit and getting 
> great benefits out of it? 

Well, I don't think many companies are running x64 yet. But many are buying
64bit capable hardware. Just about everything that's shipping now (at least
on the Intel side, especially in the server space) is EMT64. So, in 2-3 years
time, you could put a 64bit OS, and 64bit apps on it.

Cheers
Ken


RE: [ActiveDir] OT: In Servers how much tweaking are you doing?

2005-11-10 Thread Ken Schaefer
There are any number of additional "tweaks" that may be implemented depending
on the environment.

This may involve revoking rights from specific groups or users. Setting
startup parameters for services etc. Sometimes one of the pre-existing MS
templates fits the bill. Other times you need a custom one.

It really depends on the requirements of the firm you are at...

Cheers
Ken

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS
> Rocks [MVP]
> Sent: Thursday, 10 November 2005 7:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: In Servers how much tweaking are you doing?
> 
> I'm looking specifically for Security templates and such.
> 
> What does Windows 2003 not do that you are adjusting for?
> 
> [EMAIL PROTECTED] wrote:
> 
> >If tweaking means changing or adding settings via GPO, then "yes".
> >
> >Some tweaks are performance related and some are simply environmental or
> >filling gaps in GPO with custom crafted adm files.
> >
> >hth,
> >neil
> >
> >
> >
> >___
> >Neil Ruston
> >Global Technology Infrastructure
> >Nomura International plc
> >
> >
> >
> >-Original Message-
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> >CPA aka Ebitz - SBS Rocks [MVP]
> >Sent: 09 November 2005 21:02
> >To: ActiveDir@mail.activedir.org
> >Subject: [ActiveDir] OT: In Servers how much tweaking are you doing?
> >
> >Steve Riley's WebLog : When security breaks things:
> >http://blogs.technet.com/steriley/archive/2005/11/08/414002.aspx
> >
> >I know that Joe and Exchange still don't see eye to eye...but on your
> >DCs are you doing much tweaking these days?


RE: [ActiveDir] Certificate Services & AD

2005-11-06 Thread Ken Schaefer
Not a web resource, but I've found this MS Press book to be a reasonably
good primer. It covers hardware (to some extent), multiple levels of
hierarchy, developing your certificate policies etc.

http://www.amazon.com/exec/obidos/tg/detail/-/0735620210/
Microsoft Windows Server(TM) 2003 PKI and Certificate Security

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Monday, 7 November 2005 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Certificate Services & AD

Can anyone please recommend a good web resource for deploying certificate 
services in an Active Directory environment.

I was interested in best practices for CA hierarchy, stand-alone or 
enterprise, hardware config. etc.


RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

2005-11-05 Thread Ken Schaefer
Frankly my expectation from a file system that's marked as being robust and
enterprise ready is that you should lose nothing if the drive is "almost
full", and the file system should shut down gracefully if the drive is full,
especially in normal situations.

Sysadmins should not have to worry that they'll lose data to corruption if
the drive is "almost full" in the normal course of events. If you're doing
something like the extreme use cases noted in the KB article, then that's
possibly a different situation, but in that type of situation you're probably
monitoring your disks with an eagle eye anyway. Additionally, Microsoft is
correct to warn that a potential issue does exist.

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, 6 November 2005 3:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

Is it me or is that a dumb KB?

"A volume is full or almost full."

Yeah data will start getting screwed up when you have that situation.  
In SBSland we lose our CAL licenses and other such fun things on a too 
tight drive.



Almeida Pinto, Jorge de wrote:

>FYI
>
>Potential file corruption problem on NTFS volumes during extensive stress tests in Windows Server 2003 Service Pack 1
>
>http://support.microsoft.com/default.aspx?scid=kb;en-us;909360
>
>Cheers,
>Jorge



RE: [ActiveDir] OT: Web Servers

2005-11-04 Thread Ken Schaefer
Um, doesn’t work that way (or I’m not understanding what you are saying to do).

DNS does name -> ip address resolution only. Nothing about ports. If you want wsus.domain.com to just work (no ports included in the URL) then in IIS you need to configure a website to listen on port 80 and respond to requests including that host header.

Now, the original question was about SUS – you can definitely have SUS working on a website other than the default website (I’ve done that before). Not sure about WSUS, but I’m sure that’s not impossible either. It’s just a matter of duplicating the correct settings across to another site. The Sharepoint config stuff mentioned by others is probably what’s stopping your current config from working though. Sharepoint (whether it’s SPS or WSS) installs an ISAPI filter that intercepts incoming requests and reroutes them through to Sharepoint’s internal document system. If the site’s been extended as a Sharepoint site, you need to use the Sharepoint Admin website to set parts that other products use as “managed” paths, and have them excluded from being managed by Sharepoint.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan A. Conrad
Sent: Saturday, 5 November 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Web Servers

Use host headers in IIS for WSUS as a DNS alias, then you can also advertise it on any port you wish.

Servername.domain.com:8159
Alias: wsus.domain.com

You should be able to put both in your GPO.

-Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, November 03, 2005 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Web Servers

I could install WSUS and elearning on the same box though and not have to worry about it? If I change the port for WSUS or SUS will that have a negative effect on my clients?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, November 03, 2005 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Web Servers

It’s likely Sharepoint that’s messing things up for you.

You can do a couple of things:

De-extend the default website in the sharepoint site settings

Exclude all of the WSUS and elearning paths from the managed paths setting in the WSS site (likely what’s happening is WSS is trapping the requests).

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, November 03, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Web Servers

Has anyone been able to figure out how to install multiple products to a single web server? I have noticed that if I want to have MS SUS, SharePoint Services and Microsoft eLearning Library all on the same server, they all want to install to the Default Web Site and I can’t get them to work. Besides buying a separate server for each program, how can I get them all on the same webserver?

Justin A. Salandra
MCSE Windows 2000 & 2003
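
Ken's point above is that DNS only carries the address: the port comes from the URL (80 when none is given) and the name the client typed travels in the HTTP Host header, which is what lets several sites share one address and port. The following is an added example written for this thread, not IIS code and not anything posted on the list; it models how a server selects a site from the connection port and the Host header using the names and port from Ryan's reply. The IP address and the site list are constructed, and the binding precedence (most specific match wins) follows the IIS rule as I understand it.

```python
"""Host-header site selection, modelled on how IIS picks a website.

DNS maps a name to an address and nothing more. The port comes from the
URL (80 if absent) and the name the client typed travels in the Host
header; the web server matches (address, port, host header) against its
site bindings. Added illustration for this thread, not code from IIS or
from anyone on the list. Address and site list are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed DNS zone: the alias and the real name resolve to the same
# host. Neither record carries a port.
DNS: Dict[str, str] = {
    "servername.domain.com": "10.0.0.5",
    "wsus.domain.com": "10.0.0.5",
}


@dataclass(frozen=True)
class Binding:
    ip: str     # "*" means "all unassigned" addresses
    port: int
    host: str   # "" means "any host header"


@dataclass(frozen=True)
class Site:
    name: str
    bindings: Tuple[Binding, ...]


# Constructed site list: WSUS answers on its own port for any name, and on
# port 80 only when the request carries the wsus.domain.com host header.
SITES: List[Site] = [
    Site("Default Web Site", (Binding("*", 80, ""),)),
    Site("WSUS", (Binding("*", 8159, ""), Binding("*", 80, "wsus.domain.com"))),
]


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into method, target and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def split_host(host_header: str, default_port: int = 80) -> Tuple[str, int]:
    """'wsus.domain.com' -> ('wsus.domain.com', 80); 'x:8159' -> ('x', 8159)."""
    name, _, port = host_header.partition(":")
    return name.lower(), int(port) if port else default_port


def select_site(ip: str, port: int, host: str) -> Optional[Site]:
    """Most specific binding wins: IP+host, then IP, then *+host, then *."""
    best, best_score = None, -1
    for site in SITES:
        for b in site.bindings:
            if b.port != port or b.ip not in ("*", ip):
                continue
            if b.host and b.host != host:
                continue
            score = (2 if b.ip != "*" else 0) + (1 if b.host else 0)
            if score > best_score:
                best, best_score = site, score
    return best


def route(raw_request: bytes, listening_port: int) -> Optional[str]:
    """Name of the site that would serve the request, or None if nothing fits."""
    _method, _target, headers = parse_request_head(raw_request)
    if "host" not in headers:      # HTTP/1.1 requires Host; nothing to match on
        return None
    name, _port_in_host = split_host(headers["host"], listening_port)
    ip = DNS.get(name)             # what the client resolved before connecting
    if ip is None:
        return None
    site = select_site(ip, listening_port, name)
    return site.name if site else None


def _req(host: str) -> bytes:
    """Constructed GET request carrying the given Host header."""
    return f"GET /selfupdate/ HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


if __name__ == "__main__":
    print(route(_req("wsus.domain.com"), 80))               # WSUS
    print(route(_req("servername.domain.com"), 80))         # Default Web Site
    print(route(_req("servername.domain.com:8159"), 8159))  # WSUS
```

The alias only works without a port because a binding exists on port 80 for that exact host header; a request for the real server name on port 80 still lands on the Default Web Site, which is the situation the thread is trying to get out of.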


RE: [ActiveDir] Exchange now supported on virtual hardware [okay so now we're getting a bit OT]

2005-10-31 Thread Ken Schaefer
I think what Susan's trying to say is that:

The POP3 connector is just a "transition tool" that allows your SBS box to
collect mail for your employees up until you start hosting your own SMTP
server and receive mail directly (rather than collecting it via the POP3
connector from your ISP's mailboxes, or wherever).

That said, I believe this is rapidly drifting more and more off-topic.

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, 1 November 2005 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange now supported on virtual hardware [okay so
now we're getting a bit OT]

Susan, SMTP isn't a client retrieval protocol (like POP), it's a mail
delivery protocol.  IMAP, POP, and MAPI are your client retrieval
protocols.  SMTP and (IIRC) MAPI are mail delivery protocols.  MAPI doing
double duty.  SMTP, IMAP, and POP are the open (i.e. standardized)
protocols.  IMAP is generally considered superior to POP (makes me wonder
does Exchange support IMAP?).

I must caveat and say I'm like 57% sure of all of the above, these things
are happening at least 2 or 3 layers above where I work.

Cheers,
-BrettSh [msft]
ESE Dev

Posting as is ...


On Mon, 31 Oct 2005, Susan Bradley wrote:

> You do realize that that is officially a "transition tool" that you should use to transition 'to' SMTP
> 
> [and yes, even with a dynamic IP and all that you can still host your own email]
> 
> Ed Crowley [MVP] wrote:
> 
> >I have no problem with SBS except that stupid POP mail connector.
> >
> >Ed Crowley MCSE+Internet MVP
> >Freelance E-Mail Philosopher
> >Protecting the world from PSTs and Bricked Backups!(tm)
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> >Sent: Monday, October 31, 2005 5:29 PM
> >To: ActiveDir@mail.activedir.org
> >Subject: Re: [ActiveDir] Exchange now supported on virtual hardware
> >
> >I would just like to point out that the person who has SBS Rocks as part of her email address did not post that
> >
> >I was thinking that though. :-)
> >
> >Ed Crowley [MVP] wrote:
> >
> >>Less than 50 means SBS, doesn't it?  Who needs virtualization? 
> >>
> >>Ed Crowley MCSE+Internet MVP
> >>Freelance E-Mail Philosopher
> >>Protecting the world from PSTs and Bricked Backups!(tm)
> >>
> >>-Original Message-
> >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
> >>Sent: Monday, October 31, 2005 1:45 PM
> >>To: ActiveDir@mail.activedir.org
> >>Subject: RE: [ActiveDir] Exchange now supported on virtual hardware
> >>
> >>From a book proposal I wrote:
> >>
> >>According to the United States Small Business Administration (the US SBA, at http://www.sba.gov/advo/stats/arsbfaq.txt), small firms:
> >>
> >>* Total approximately 23 million in the United States.
> >>* Represent 99.7 percent of all employer firms.
> >>* Employ half of all private sector employees.
> >>* Pay 44.3 percent of the total U.S. private payroll.
> >>* Generate 60 to 80 percent of net new jobs annually.
> >>* Create more than 50 percent of non-farm, private gross domestic product (GDP).
> >>* Are employers of 39 percent of high tech workers (such as scientists, engineers, and computer workers).
> >>
> >>Now, the SBA defines a "small firm" as having less than 500 employees. For the purpose of our discussion, we'll define a small company as having less than 50 employees. According to http://www.sba.gov/advo/stats/us_01ss.pdf, this makes up approximately 50% of all employer firms.
> >>
> >>M
> >>
> >>-Original Message-
> >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> >>Sent: Monday, October 31, 2005 4:39 PM
> >>To: ActiveDir@mail.activedir.org
> >>Subject: Re: [ActiveDir] Exchange now supported on virtual hardware
> >>
> >>Of course it's always best, but I have to wonder what the benefit of running smaller exchange servers in a virtual environment would be?  Is that to deal with shrinking datacenter floor space?  I was thinking this might be interesting in an environment where I had lots of branch office deployments.  Might be easier to deploy a "solution in a box" to those sites.  Faster recovery scenarios come to mind as well.
> >>
> >>I have to say, I'm with Deji on this.  If you want to deploy a mailbox server, I don't see a problem with it up front as long as you treat it like clustering: respect the tool and its idiosyncratic behavior patterns.  Otherwise, how many people are really deploying >2500 user density (and have heavy user populations) for Exchange?  Not nearly as many as those deploying less if the majority of companies out there are ~99 employees in the first place. [1]
> >>
> >>[1] just some stat I picked up in a ma

RE: [ActiveDir] NTP response for peer ERROR

2005-10-30 Thread Ken Schaefer
Susan - this looks like the NTP server (the DC) is rejecting the time request
from a client. I don't think anything needs to be configured on the server.

Ravi - the IP address in your original message (that you blanked out). Does
it belong to a Windows 2000/XP client in your domain? Or something else (e.g.
non-domain machine, networking equipment)?

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Subject: Re: [ActiveDir] NTP response for peer ERROR

NTP?  Oh no... just make the workstations sync to the server.

[and don't trim the emails quite so much :-)

How do I set up the server as a time server:
http://www.smallbizserver.net/SBS2000/Serverissues/HowdoIsetuptheserverasatimeserver/tabid/107/Default.aspx

Run those commands at the workstation at the server have it time 
sync with an external time source.

Ravi Dogra wrote:

>But for now how could i resolve the issue should i disjoin the
>machines and rejoin them to my domain.


RE: [ActiveDir] Group Policy Object for Windows Firewall

2005-10-28 Thread Ken Schaefer
It’ll be just like any other group policy setting. If they conflict, group policy settings override local settings. But you can either allow something to be “not configured”, or you can enable those settings like “allow local exceptions”, which allows users on the machine to make further modifications to the firewall settings.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Hofert
Sent: Friday, 28 October 2005 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Policy Object for Windows Firewall

Peter,

Thanks for the reply. Next quick question. Will these settings override the settings that are currently configured via the local Group Policy?

Thanks In Advance

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Friday, October 28, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Policy Object for Windows Firewall

The difference between the two profiles is that the domain profile is applied when the OS detects that the machine is in one of your domain’s networks. When it detects that it is outside of your network the standard profile is applied. I would recommend that you use both profiles and make standard profile the tighter of the two since it’s what would be applied in the wild so to speak.

Regards

Peter Johnson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Hofert
Sent: 28 October 2005 14:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Policy Object for Windows Firewall

I am implementing Windows Firewall settings via an Active Directory Group Policy. I see there are two sets of settings; Domain Profile and Standard Profile with no explanation of how these settings differ. Can anyone explain which circumstances dictate which profile to use? I am assuming it relates to roaming profiles vs. local profiles but I am not certain. I also do not want to create both profile settings if it is not necessary.

Thanks

Todd Hofert

This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal.


RE: [ActiveDir] Group Policy Object for Windows Firewall

2005-10-28 Thread Ken Schaefer
If the machine detects domain controllers on the network, it'll use the
domain profile. Otherwise it uses the standard profile. You could have a more
relaxed policy when the machine is "on the local LAN", and a tighter policy
when the machine (presumably a laptop) is roaming on non-managed networks.

This setting is detailed in "theBookofsp1.doc"
http://www.microsoft.com/downloads/details.aspx?FamilyID=c3c26254-8ce3-46e2-b1b6-3659b92b2cde&DisplayLang=en
but you need to look at the section on Unattended setup support for the
Windows firewall to get a decent description.

Cheers
Ken


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd Hofert
Subject: [ActiveDir] Group Policy Object for Windows Firewall

I am implementing Windows Firewall settings via an Active Directory Group
Policy. I see there are two sets of settings; Domain Profile and Standard
Profile with no explanation of how these settings differ. Can anyone explain
which circumstances dictate which profile to use? I am assuming it relates to
roaming profiles vs. local profiles but I am not certain. I also do not want
to create both profile settings if it is not necessary. 
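
The two replies above describe two separate rules: which profile is in force (Domain when the machine detects a domain controller, Standard otherwise), and how a Group Policy value relates to the local setting (a configured policy value wins, "Not Configured" leaves the local value in force, and local exceptions survive only when the policy allows them). The following is an added example written for this thread, not Microsoft's implementation and not code from anyone on the list; it models those rules so the effect of a relaxed Domain profile and a tight Standard profile on the same laptop can be checked. The setting names, paths and sample policies are constructed.

```python
"""Windows Firewall profile selection and Group Policy vs local precedence.

Added illustration for this thread: a model of the rules the replies
describe, not Microsoft's implementation. Setting names and the sample
policies are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet


class State(Enum):
    NOT_CONFIGURED = "not configured"   # policy silent: the local value stands
    ENABLED = "enabled"
    DISABLED = "disabled"


@dataclass(frozen=True)
class ProfilePolicy:
    """One Group Policy profile (Domain or Standard)."""
    protect_all_connections: State = State.NOT_CONFIGURED
    allow_local_exceptions: State = State.NOT_CONFIGURED
    program_exceptions: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class LocalSettings:
    """What an administrator configured on the machine itself."""
    firewall_on: bool = True
    program_exceptions: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Effective:
    profile: str
    firewall_on: bool
    program_exceptions: FrozenSet[str]


def choose_profile(dc_reachable: bool) -> str:
    """Domain profile when a DC for the machine's domain is detected, else Standard."""
    return "domain" if dc_reachable else "standard"


def resolve(policies: Dict[str, ProfilePolicy], local: LocalSettings,
            dc_reachable: bool) -> Effective:
    """Apply policy over local settings; Not Configured values fall through."""
    profile = choose_profile(dc_reachable)
    gpo = policies[profile]

    if gpo.protect_all_connections is State.NOT_CONFIGURED:
        firewall_on = local.firewall_on
    else:
        firewall_on = gpo.protect_all_connections is State.ENABLED

    exceptions = set(gpo.program_exceptions)
    # Local exceptions survive only if the policy permits them (Enabled) or
    # says nothing about them (Not Configured); Disabled drops them entirely.
    if gpo.allow_local_exceptions is not State.DISABLED:
        exceptions |= local.program_exceptions

    return Effective(profile, firewall_on, frozenset(exceptions))


# Constructed sample: a relaxed Domain profile, a tight Standard profile,
# and a machine whose local admin turned the firewall off and added a tool.
SAMPLE_POLICIES: Dict[str, ProfilePolicy] = {
    "domain": ProfilePolicy(
        protect_all_connections=State.ENABLED,
        allow_local_exceptions=State.ENABLED,
        program_exceptions=frozenset({r"C:\Program Files\Inventory\agent.exe"}),
    ),
    "standard": ProfilePolicy(
        protect_all_connections=State.ENABLED,
        allow_local_exceptions=State.DISABLED,
        program_exceptions=frozenset(),
    ),
}
SAMPLE_LOCAL = LocalSettings(
    firewall_on=False,
    program_exceptions=frozenset({r"C:\Tools\remote.exe"}),
)


if __name__ == "__main__":
    print(resolve(SAMPLE_POLICIES, SAMPLE_LOCAL, dc_reachable=True))   # on the LAN
    print(resolve(SAMPLE_POLICIES, SAMPLE_LOCAL, dc_reachable=False))  # roaming
```

With these samples the locally disabled firewall is switched back on in both profiles, the locally added exception is honoured only while a domain controller is in sight, and a profile left entirely Not Configured would have let the local "off" stand, which is the case Ken's first sentence warns about.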


RE: [ActiveDir] Geographic Domain Setup

2005-10-24 Thread Ken Schaefer
You have multiple DCs for redundancy. If one goes down, the others are still
available. And your domain (usually) keeps functioning without you having to
do a restore.

I'm not sure having FE/BE Exchange servers accomplishes the same goal. Most
FE Exchange servers do not have a copy of the store in my experience.

In terms of splitting AV/WSUS - that's something that can only be decided on
a case-by-case basis. What hardware exists? Does the administration of the
two need to be split between different people? Are they going to be located
in physically disparate sites?

Cheers
Ken

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, 25 October 2005 11:11 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Geographic Domain Setup
> 
> Oh don't mind me... I'm SBS... if you are going to spend the bucks on two domain controllers...why not get duplicates on Exchange/ Front end/Back end OWA and all that jazz while you are at it.  I'm just as concerned about email these days as I am the domain itself that's all.  ;-)
> 
> Well.. I'd be implementing a domain even without the spam/spyware/viruses... I have a domain at home  :-)
> 
> Edwin wrote:
> > Hardware specifications were never mentioned.  I agree.  Beefy hardware is not needed for WSUS or for a centralized Anti-Virus Server.  The hardware was available and this did not add too much if any administrative overhead.  Ideally, if the option is available, you will want to isolate points of failure; i.e. I would rather have a WSUS or Anti-Virus server go down individually rather than have both of them go down because they were on the same box.
> >
> > Correct.  Workstations were operated by end users without administrative privileges.  It is because of massive amounts of spam, spyware and viruses that a domain was implemented.  I basically took away Administrative rights from every one except those that needed it (SysAdmins).  In those cases, those individuals had their own workstations that were not on the domain but the user still had access to MS Exchange.  That way if something happened to their machine it would not affect the entire network.
> >
> > The file servers' main purpose was not for file sharing.  It was for storage of roaming profiles and storage of personal files on a networked drive.  This was needed so that anyone could sit anywhere and still have access to their files.  SharePoint was available as an option but that was not a domain controlled server and a separate project.
> >
> > I don't understand what you mean by having a front/back end Exchange server because of the number of boxes built for the structure of the domain.  Could you explain how this relates?
> >
> >
> > Thanks,
> > Edwin
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> > Sent: Monday, October 24, 2005 8:35 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Geographic Domain Setup
> >
> > You guys really do a separate server for a/v 'and' WSUS? WSUS doesn't take that much juice, does need IIS and msde..but still... most folks on the WSUS patch management listserve at least aren't putting it on that beefy of hardware anyway. Also these days unless you are running without local admin rights on those workstations...where's your anti spyware server since you are separating things out like that.
> >
> > Don't you guys want a front end/back end Exchange if you are going to start building that many boxes?
> >
> > TS box?
> > SQL?
> > Sharepoint? [plain old file and printer sharing is s last year]
> >
> > And lets see...three locations in Hurricane target zones, one in Earthquake zones, not quite sure about the risk factors for Atlanta and Vancouver. That should be fun :-)
> >



RE: [ActiveDir] Anti-virus protection in domain enviroment

2005-10-05 Thread Ken Schaefer
But see the response. What if I can exploit something on your webserver to
upload a virus to your server, and use your server to distribute it to
others? Download.Ject etc? So, it's not doing anything bad to your server,
but your server is being used to deliver the badness to others. That's where
AV on your server is going to clean these things up.

And, someone, somehow, needs to get the content onto your webserver in the
first place, unless you let developers sit at the console typing in webpages
by hand using notepad. So that's another infection vector.

Nothing is simple. AV is one more line of defense. Whether it's worth
implementing depends on your situation.

For the record (in reference to an earlier post) I like Symantec's corporate
offering, and Trend's stuff as well.

Cheers
Ken

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Thursday, 6 October 2005 5:19 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment
> 
> Read the thread and see this blog post that Harlan did on the topic.  I don't think it's as cut and dried as this.  The idea is that the webserver in this instance would have no connection to your domain.
> 
> http://windowsir.blogspot.com/2005/07/av-software-on-web-servers-revisited.html
> 
> We want to do it because it's cheap and it's there.  But in reality it is a bandaid and is reactive.
> [EMAIL PROTECTED] wrote:
> 
> if you set up a server for a select job, lock it down only serve up
> 
> >static pages.. why 'does' it need to be covered by A/V was the topic
> >
> >Maybe because if your server can "serve" anything, it can be "served" in return. Where I come from, we call it the "scratch my back, I scratch your back" factor :)
> >
> >With the prevalence of network-burrowing, SMB-crawling worms and trojans, the fact that you are serving static files is no protection at all.
> >
> >
> >Sincerely,
> >
> >Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> >Microsoft MVP - Directory Services
> >www.readymaids.com - we know IT
> >www.akomolafe.com
> >Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon
> >
> >
> >From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> >Sent: Wed 10/5/2005 10:28 AM
> >To: ActiveDir@mail.activedir.org
> >Subject: Re: [ActiveDir] Anti-virus protection in domain enviroment
> >
> >I came <> to ripping out Trend in my office due to the BSOD, false positives and the infamous Friday incident.  They are on probation right now.
> >
> >The ones bantered around in our A/V wars discussions:
> >
> >Symantec [not yellow box but corp]
> >Sophos
> >CA
> >
> >I have a fellow SBSer in AU who LOVES Nod32.
> >
> >Pick one... they are in reality ALL reactionary.
> >
> >Real geeks don't use A/V anyway.  [you should have seen the thread on whether to stick a/v on a web server on the focus on ms listserve... if you set up a server for a select job, lock it down only serve up static pages.. why 'does' it need to be covered by A/V was the topic]
> >
> >
> >Tim Vander Kooi wrote:
> >
> >>I've only been on the list a short time, but I must have missed the mandatory Trend Micro brainwashing. :-)
> >>So far from what I have noticed there seems to be a set answer to all AV questions.
> >>Question: I'm curious about the capabilities of NOD32.
> >>Answers (en mass): You should use Trend Micro.
> >>Question: Is anyone using Symantec?
> >>Answer (again en mass): You should buy Trend Micro.
> >>
> >>Not that there is anything wrong with Trend Micro's product, it's great in my opinion, but these responses don't seem to be very helpful with regard to the questions being asked.
> >>
> >>My apologies to the list "gods" if TM is the list sponsor. :-)
> >>Tim
> >>
> >>-Original Message-
> >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glen Miller
> >>Sent: Wednesday, October 05, 2005 11:55 AM
> >>To: 'ActiveDir@mail.activedir.org'
> >>Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment
> >>
> >>Look into a product called Office Scan, by a company called Trend Micro.  I have been using this product happily since 1998.  It saved me from the "I love you" bug and a few rather nasty ones since.
> >>
> >>"I want my two dollars!"
> >>
> >>
> >>And Joe!  Petitioning Webster's to include Joe-isms as an actual word.
> >>
> >>
> >>-Original Message-
> >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ahmed Al Awah
> >>Sent: Tuesday, October 04, 2005 12:35 PM
> >>To: 'ActiveDir@mail.activedir.org'
> >>Subject: RE: [ActiveDir] Anti-virus protection in domain enviroment
> >>
> >>Since we're on topic..is anyone using Symantec AntiVirus 10 corp edition for

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Ken Schaefer
But isn’t the whole point of this thread to get Delegation working? In that case, the Sharepoint/IIS server should be connecting to ISA Server as the end user. Or am I missing something here?

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, 22 September 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

By default, the IIS app pool and (I believe) sharepoint both run under Network Service. Therefore, when Sharepoint makes the request outbound, it will be making it within the context of the NetworkService account, which means it's going to present the server's domain credentials.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, September 21, 2005 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Could I ask why he’d need to do that?

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, 22 September 2005 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

So have you granted domain\IISServer$ access through ISA?

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Well I have some screen shots for you of AuthDiag and of wfetch, if you don’t mind I can send it to you offline.

This is the weird part, if I use wfetch to connect using Anonymous as authentication I get the web page requested.

If I specify any other auth type i.e. NTLM or Kerberos I get an ISA server page telling me I am not authorized to view this page.

With anonymous connection I get:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

With a specified auth type I don’t get any of that (The screen shots explain)

AuthDiag still only reports Test Authentication NTLM NO Kerberos.

I still have a copy of the old Metabase.xml to prove that it was storing the incorrect settings when IIS MMC was showing something else…..

Let me know if I can ping the screen shots to you.

Thanks Ken, am I going to get to see you at Redmond?

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Odd.

If you use WFetch (it’s in the IIS6 Res Kit) or just plain telnet, and request a page, what WWW-Authenticate headers are coming back? You should see:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

(basically the webserver sends back a list of the auth mechanisms it supports, and the browser picks the first one in the list that it supports). If you are only seeing the NTLM option, then something’s up with IIS or Sharepoint. If you are seeing both, then AuthDiag is lying to you.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Yeah I'm not sure about that either at the moment IIS is REALLY ACTING WEIRD, KEN where are you :P - .

I had the Share Point website in the IIS MMC specify SPSAppPool (which was an App pool I created) when I checked the MetaBase.XML file ( you know I love looking at the guts of systems :-) ) it was still specifying DefaultAppPool (and I mean I had rebooted the server a few times) also DO NOT RUN:

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders “Negotiate,NTLM”
Iisreset

I know it seems logical but I KEPT the quotations in there and what it ended up doing was: ““Negotiate,NTLM”” ***Note the double quotes

And all auth was being defaulted to Anonymous (thank heavens for a network sniffer :-) )

Even though I fixed these issues and I have made sure my Metabase.xml file is correct with “Negotiate,NTLM” and with the correct App Pool with the correct user etc, when I run AuthDiag the only “Test Authentication” option I get is NTLM, the Server Settings Node though specifies “Negotiate,NTLM” for that Site.

When I check my ISA server I STILL see User – Anonymous so I am a bit stumped at the moment !!!

YEAH it's going to be so cool to meet up with you guys in Redmond next week :-)

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything I say with a large pinch of salt.  :-)

Anyway, here's 

RE: [ActiveDir] Kerberos Delegation

2005-09-21 Thread Ken Schaefer








Could I ask why he’d need to do
that?

 

Cheers

Ken

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, 22 September 2005
4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation



 

So have you granted domain\IISServer$
access through ISA?



 




Roger Seielstad
E-mail Geek 



 



 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21,
2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation

Well I have some screen shots for you of
AuthDiag and of wfetch, if you don’t mind I can send it to you offline.

 

This is the weird part, if I use wfetch to
connect using Anonymous as authentication I get the web page requested. 

 

If I specify any other auth type i.e. NTLM
or Kerberos I get a ISA server page telling me I am not authorized to view this
page.

 

With anonymous connection I get:

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

 

With a specified auth type I don’t
get any of that (The screen shots explain)

 

AuthDiag still only reports Test
Authentication NTLM NO Kerberos.

 

I still have a copy of the old
Metabase.xml to prove that it was storing the incorrect settings when IIS MMC
was showing something else…..

 

Let me know if I can ping the screen shots
to you.

 

Thanks Ken, am I going to get to see you
at Redmond?


C

 

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation



 

Odd.

 

If you use WFetch (it’s in the IIS6
Res Kit) or just plain telnet, and request a page, what WWW-Authenticate
headers are coming back? You should see:

 

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

 

(basically the webserver sends back a list
of the auth mechanisms it supports, and the browser picks the first one in the
list that it supports). If you are only seeing the NTLM option, then
something’s up with IIS or Sharepoint. If you are seeing both, then
AuthDiag is lying to you.

 

Cheers

Ken

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005
10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation



 

Yeah Im not sure about that either at the
moment IIS is REALLY ACTING WEIRD, KEN where are you :P - .

 

I had the Share Point website in the IIS MMC specify SPSAppPool (which was an
App pool I created); when I checked the MetaBase.XML file (you know I love
looking at the guts of systems :) ) it was still specifying DefaultAppPool
(and I mean I had rebooted the server a few times). Also, DO NOT RUN:

 

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"

Iisreset

 

I know it seems logical but I KEPT the quotations in there and what it ended
up doing was: ““Negotiate,NTLM”” ***Note the double quotes

 

And all auth was being defaulted to Anonymous (thank heavens for a network
sniffer :) )

 

Even though I fixed these issues and I have made sure my Metabase.xml file is
correct with “Negotiate,NTLM” and with the correct App Pool with the correct
user etc., when I run AuthDiag the only “Test Authentication” option I get is
NTLM; the Server Settings Node though specifies “Negotiate,NTLM” for that
Site.

 

When I check my ISA server I STILL see User – Anonymous so I am a bit stumped
at the moment!!!

 

YEAH, it's going to be so cool to meet up with you guys in Redmond next
week :)

 

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

 

As I said, I'm just starting to look at Kerberos delegation, so take
everything I say with a large pinch of salt. :-)

 

Anyway, here's the logic I was following.

 

If I've understood it correctly, you want the server hosting SharePoint to
authenticate to the ISA server as the end user. Assuming you want to use
constrained delegation (which is normal) then you need to specify the ISA
Server somewhere in the configuration, because you are limiting
(constraining) the scope of the delegation to the ISA Server. If you look at
the Delegation tab of an object in ADUC, you will see the section labeled
"Services to which this account can present delegated credentials:" It would
seem logical to me to have to specify the ISA here. Now whether you need to
configure this setting in ADUC on the account being used for the identity of
the application pool, or the SharePoint server itself, I don't know.

Cheers

Tony

PS. See you next week :-)

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 Septembe

RE: [ActiveDir] disabling users

2005-09-21 Thread Ken Schaefer

Good point…

 

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, 22 September 2005 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

If that’s the case you can just pipe the list of DNs into dsmod or admod.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, September 21, 2005 9:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

Just checked back to your original post.
You want to disable a bunch of users? If you have a list of DNs in a text file
(not sure why you’d want a CSV file), then you could just use a batch
file:

 

Just ripped this out of an existing set of batch files, so excuse extraneous
stuff. The following comes out of a file called “runme.bat” :)

 

REM Read each DN as one whole line: DNs contain commas, so no delims
FOR /F "eol=; delims=" %%i in (users.txt) do call disableUsers.bat "%%i"

 

And then in disableUsers.bat:

 

REM Redirect first, so a DN ending in a digit is not read as a handle number
>> log.txt ECHO Disabling User: %1

dsmod user %1 -disabled yes

 

You’d need to have your users in a text file called users.txt, and you should
get your output in a file called log.txt

 

In terms of the COM stuff – you don’t need to know anything about COM. All
you need is the necessary reference material. So, to use ADO, you’d go to
MSDN, look up data access, and check the reference section. You’ll see here
all the methods/properties for all the various ADO objects. You use those
from within _vbscript_, _javascript_, Perl, whatever. No matter what language
you use, the COM objects you are instantiating are the same, and they have
the same methods/properties etc.

 

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, 22 September 2005 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users



Look, I have to confess, I've only been in IT for 4 years and have only been
around PCs for about 5.

I never took a class. Just read books and screwed around.

The fact that right now, my second IT gig is for a big financial firm in NYC
running their AD/Exchange and participating in their migration to a new
forest, is more of a testament to my dumb luck and the general ignorance in
IT than anything else.

I'm the low quality admin Joe is talking about.

So taking that into account, learning more than 1 lang is not possible now
(just had a second kid too) and Perl seems the most ideal to me. It's cross
platform and seems somehow more "real" as a programming lang than _vbscript_
to this uneducated admin, at least in learning program constructs and such...

However, I have been studying Perl and outside of Linux/Unix, there is little
bang for my buck from the books I've been reading.

On Windows, there doesn't seem to be much to do with Perl when you're first
trying to learn it as opposed to on Linux (at least not from most of the
O'Reilly books I've read).

That's probably for me, because while I know about COM/ADSI/WMI/ActiveX, I
don't know how to use them in any way and I need a good primer that I can
then use within Perl in some way while I learn that.

I don't want to be the shoddy admin anymore...

Thanks. That's my story and I'm sticking to it :)

On 9/2/05, Ken Schaefer <[EMAIL PROTECTED]> wrote:

I would also add that _vbscript_ itself is (a) quite simple and (b) quite
limited. There's not much to learn, and what there is to learn is quite
simple. The power comes from being able to use COM objects. But using COM
objects (their methods and properties) is exactly the same from within perl
as from within _vbscript_ (or JScript or any other language for that matter).
So why use _vbscript_? There's an enormous array of pre-built scripts and
tutorials out there. That's why people use _vbscript_ even though Windows
Script Host supports JScript out-of-the-box as well (and JScript has extra
functionality like Try…Catch error handling and short-circuited condition
checking etc).

 

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Thursday, 22 September 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

No.

 

I happen to
know _vbscript_, VB.Net, C#, some Java, little bit of C & C++, little bit of _javascript_,
some PHP, T-SQL. I actually see a need to learn to write perl. I can read it
well enough just knowing how to read various other programming languages. I
could stand to learn to do C++ better too. I'm not a programmer, I just run a
big AD deployment. 

 

You'll find that _vbscript_ works on most any Windows box whereas perl you
need the activestate stuff which you can't alway

RE: [ActiveDir] disabling users

2005-09-21 Thread Ken Schaefer

Just checked back to your original post.
You want to disable a bunch of users? If you have a list of DNs in a text file
(not sure why you’d want a CSV file), then you could just use a batch file:

 

Just ripped this out of an existing set of batch files, so excuse extraneous
stuff. The following comes out of a file called “runme.bat” :)

 

REM Read each DN as one whole line: DNs contain commas, so no delims
FOR /F "eol=; delims=" %%i in (users.txt) do call disableUsers.bat "%%i"

 

And then in disableUsers.bat:

 

REM Redirect first, so a DN ending in a digit is not read as a handle number
>> log.txt ECHO Disabling User: %1

dsmod user %1 -disabled yes

 

You’d need to have your users in a text file
called users.txt, and you should get your output in a file called log.txt

 

In terms of the COM stuff – you don’t need to know anything about COM. All
you need is the necessary reference material. So, to use ADO, you’d go to
MSDN, look up data access, and check the reference section. You’ll see here
all the methods/properties for all the various ADO objects. You use those
from within _vbscript_, _javascript_, Perl, whatever. No matter what language
you use, the COM objects you are instantiating are the same, and they have
the same methods/properties etc.

 

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, 22 September 2005 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users



Look, I have to confess, I've only been in IT for 4 years and have only been
around PCs for about 5.

I never took a class. Just read books and screwed around.

The fact that right now, my second IT gig is for a big financial firm in NYC
running their AD/Exchange and participating in their migration to a new
forest, is more of a testament to my dumb luck and the general ignorance in
IT than anything else.

I'm the low quality admin Joe is talking about.

So taking that into account, learning more than 1 lang is not possible now
(just had a second kid too) and Perl seems the most ideal to me. It's cross
platform and seems somehow more "real" as a programming lang than _vbscript_
to this uneducated admin, at least in learning program constructs and such...

However, I have been studying Perl and outside of Linux/Unix, there is little
bang for my buck from the books I've been reading.

On Windows, there doesn't seem to be much to do with Perl when you're first
trying to learn it as opposed to on Linux (at least not from most of the
O'Reilly books I've read).

That's probably for me, because while I know about COM/ADSI/WMI/ActiveX, I
don't know how to use them in any way and I need a good primer that I can
then use within Perl in some way while I learn that.

I don't want to be the shoddy admin anymore...

Thanks. That's my story and I'm sticking to it :)

On 9/2/05, Ken Schaefer <[EMAIL PROTECTED]> wrote:

I would also add that _vbscript_ itself is (a) quite simple and (b) quite
limited. There's not much to learn, and what there is to learn is quite
simple. The power comes from being able to use COM objects. But using COM
objects (their methods and properties) is exactly the same from within perl
as from within _vbscript_ (or JScript or any other language for that matter).
So why use _vbscript_? There's an enormous array of pre-built scripts and
tutorials out there. That's why people use _vbscript_ even though Windows
Script Host supports JScript out-of-the-box as well (and JScript has extra
functionality like Try…Catch error handling and short-circuited condition
checking etc).

 

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Thursday, 22 September 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

No.

 

I happen to
know _vbscript_, VB.Net, C#, some Java, little bit of C & C++, little bit of
_javascript_, some PHP, T-SQL. I actually see a need to learn to write perl. I
can read it well enough just knowing how to read various other programming
languages. I could stand to learn to do C++ better too. I'm not a programmer, I
just run a big AD deployment. 

 

You'll find that _vbscript_ works on most any Windows box whereas perl you
need the activestate stuff which you can't always install on the box.

 



Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 21, 2005 6:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users

You don't think one can get by in IT with just one lang?

Can't you do everything in Perl that you can do in _vbscript_ and then some?

I'm sure you can get by on Windows with just Perl.

I'm in a multi platform environment and frankly I just don't have the
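
Added example, not code from the thread: the same "list of DNs in a text
file, one dsmod per line" job Ken's runme.bat does, written so that the
commas inside a DN cannot break it. A batch FOR /F with delims=, hands dsmod
only the CN= part of each DN; this splits RDNs on unescaped commas only and
quotes each DN. The users.txt content is constructed for the example.

```python
"""Build dsmod commands and log lines from a users.txt of DNs.
Added example; the DNs below are constructed."""
from typing import List, Tuple

# Constructed users.txt: a comment line (batch "eol=;" style), two DNs,
# one of them with an escaped comma inside the CN, and one bad line.
USERS_TXT = """\
; one DN per line, lines starting with ; are comments
CN=Jane Doe,OU=Leavers,DC=corp,DC=example
CN=Smith\\, John,OU=Leavers,DC=corp,DC=example
not-a-dn
"""


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas; a backslash-escaped comma stays
    inside its value (this is exactly what "delims=," gets wrong)."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def is_valid_dn(dn: str) -> bool:
    """Every RDN must look like attr=value with both halves non-empty."""
    if not dn:
        return False
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value:
            return False
    return True


def build_commands(users_txt: str) -> Tuple[List[str], List[str]]:
    """Return (dsmod commands, log lines). Comment and blank lines are
    skipped; lines that are not DNs are logged instead of run."""
    commands: List[str] = []
    log: List[str] = []
    for lineno, raw in enumerate(users_txt.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if not is_valid_dn(line):
            log.append(f"Skipping line {lineno}: not a DN: {line}")
            continue
        # Quote the whole DN so spaces and commas reach dsmod as one argument.
        commands.append(f'dsmod user "{line}" -disabled yes')
        log.append(f"Disabling User: {line}")
    return commands, log


if __name__ == "__main__":
    cmds, log_lines = build_commands(USERS_TXT)
    print("\n".join(cmds))
    print("\n".join(log_lines))
```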

RE: [ActiveDir] disabling users

2005-09-21 Thread Ken Schaefer

I would also add that _vbscript_ itself is (a) quite simple and (b) quite
limited. There’s not much to learn, and what there is to learn is quite
simple. The power comes from being able to use COM objects. But using COM
objects (their methods and properties) is exactly the same from within perl
as from within _vbscript_ (or JScript or any other language for that matter).
So why use _vbscript_? There’s an enormous array of pre-built scripts and
tutorials out there. That’s why people use _vbscript_ even though Windows
Script Host supports JScript out-of-the-box as well (and JScript has extra
functionality like Try…Catch error handling and short-circuited condition
checking etc).

 

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, 22 September 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

No.

 

I happen to know _vbscript_, VB.Net, C#, some Java, little bit of C &
C++, little bit of _javascript_, some PHP, T-SQL. I actually see a need to learn
to write perl. I can read it well enough just knowing how to read various other
programming languages. I could stand to learn to do C++ better too. I’m
not a programmer, I just run a big AD deployment. 

 

You’ll find that _vbscript_ works on most any Windows box whereas perl you
need the activestate stuff which you can’t always install on the box.

 



Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 21, 2005 6:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users

You don't think one can get by in IT with just one lang?

Can't you do everything in Perl that you can do in _vbscript_ and then some?

I'm sure you can get by on Windows with just Perl.

I'm in a multi platform environment and frankly I just don't have the time
to learn both _vbscript_ and Perl.

I would end up just knowing both a little and badly.

My brain can't keep jumping from one to the other and in scripting, if you
don't use one lang for a while, you forget it.

In which case I'd just end up bugging you guys on this list again for
examples.

I'd like to get to the point where I can do it myself and trying to learn
both will never work for me.

I have a hard enough time keeping as much as I can about Windows and AD and
Exchange and some Linux stuff in my head.

2 scripting langs will make my head explode. I'll never remember them at all.

I just need to learn one and devote myself to learning it well instead of
being a scripting jack of all trades and master of none.

As to Perl books, then where can one learn COM on Perl?

Thanks a lot guys!

On 9/21/05, Brian Desmond <[EMAIL PROTECTED]> wrote:

Joe Richards might know some Win32 Perl resources.

_vbscript_ isn't that hard, really. If you know the COM & ADSI stuff for Perl
as far as methods, names, etc, it's just a different syntax for using it.
_vbscript_ you have the advantage of the technet scriptcenter which has
examples complete enough to copy and paste together and run.


I'm not a CS major either, I don't even have any formal training in this
field. The only things I've been taught in a classroom are how to read,
write, and do some math. Everything I know I learnt going to work everyday 
and doing new things, asking questions here and there around this list and
other places. I realized I needed to learn _vbscript_ and so I started
tackling projects with _vbscript_s, and with a bit of work I got to be pretty 
good at it. I still need a copy of the platform sdk on my other monitor to
remember methods, parameters, etc, but I know the syntax. That said, if I'm
feeling lazy I still go and piece things together with scriptcenter 
snippets.

My point here is that it would probably be long term beneficial to you to at
least be able to do simple things in _vbscript_ like read a file, run an
external command, etc. As I said in my first message, if you post what you
have, I'll try and edit it as an example for you.


Thanks,
Brian Desmond

RE: [ActiveDir] Kerberos Delegation

2005-09-21 Thread Ken Schaefer

Odd.

 

If you use WFetch (it’s in the IIS6 Res Kit) or just plain telnet, and request
a page, what WWW-Authenticate headers are coming back? You should see:

 

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

 

(basically the webserver sends back a list of the auth mechanisms it
supports, and the browser picks the first one in the list that it supports).
If you are only seeing the NTLM option, then something’s up with IIS or
Sharepoint. If you are seeing both, then AuthDiag is lying to you.

 

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Yeah, I'm not sure about that either; at the moment IIS is REALLY ACTING
WEIRD. KEN, where are you :P

 

I had the Share Point website in the IIS MMC specify SPSAppPool (which was an
App pool I created); when I checked the MetaBase.XML file (you know I love
looking at the guts of systems :) ) it was still specifying DefaultAppPool
(and I mean I had rebooted the server a few times). Also, DO NOT RUN:

 

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"

Iisreset

 

I know it seems logical but I KEPT the quotations in there and what it ended
up doing was: ““Negotiate,NTLM”” ***Note the double quotes

 

And all auth was being defaulted to Anonymous (thank heavens for a network
sniffer :) )

 

Even though I fixed these issues and I have made sure my Metabase.xml file is
correct with “Negotiate,NTLM” and with the correct App Pool with the correct
user etc., when I run AuthDiag the only “Test Authentication” option I get is
NTLM; the Server Settings Node though specifies “Negotiate,NTLM” for that
Site.

 

When I check my ISA server I STILL see User – Anonymous so I am a bit stumped
at the moment!!!

 

YEAH, it's going to be so cool to meet up with you guys in Redmond next
week :)

 

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

 

As I said, I'm just starting to look at Kerberos delegation, so take
everything I say with a large pinch of salt. :-)

 

Anyway, here's the logic I was following.

 

If I've understood it correctly, you want the server hosting SharePoint to
authenticate to the ISA server as the end user. Assuming you want to use
constrained delegation (which is normal) then you need to specify the ISA
Server somewhere in the configuration, because you are limiting
(constraining) the scope of the delegation to the ISA Server. If you look at
the Delegation tab of an object in ADUC, you will see the section labeled
"Services to which this account can present delegated credentials:" It would
seem logical to me to have to specify the ISA here. Now whether you need to
configure this setting in ADUC on the account being used for the identity of
the application pool, or the SharePoint server itself, I don't know.

Cheers

Tony

PS. See you next week :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 1:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hey Tony,

 

Well, can you explain “but wouldn't you also need an SPN for the web service
on the ISA Server?” I don’t understand why; the ISA server is the server
that is needing the authentication to allow the web server to browse the
internet.


So to elaborate:

 

I have a Share Point site; it has an RSS feed web part. This web part is
requesting an RSS feed, for example
http://www.dirteam.com/blogs/carlos/default.aspx. Now I monitor on the ISA
2004 server and I see the web server trying to access the internet, the user
specified = Anonymous. The delegation is so that the user viewing the Share
Point site (hence calling the RSS web part) will be the user credentials
passed to the ISA server to be able to browse the internet.

 

That’s why I don’t see why we need to register an SPN for the ISA server?

 

Thanks
C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 01:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

 

I'm just starting to look at Kerberos delegation for something myself, but
wouldn't you also need an SPN for the web service on the ISA Server? And
then specify that service in the delegation tab on the user object?

 

Cheers

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Tuesday, 20 September 2005 9:31 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

Hey all,

 

Ok late at night here and I’ve hit a mental block
(don’t laugh Dean). I have set this up like a gazillion time
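
Added example, not code from the thread: the two checks Ken and Carlos do by
hand above, automated. parse_auth_schemes() reads the WWW-Authenticate
headers out of a raw 401 response as captured with WFetch or telnet, and
check_providers() inspects an NTAuthenticationProviders value the way Carlos
had to after adsutil.vbs stored the quotes as part of the value. The
responses and values below are constructed for the example.

```python
"""Check what auth schemes an IIS site offers and whether its
NTAuthenticationProviders value can ever yield Kerberos.
Added example; all sample data is constructed."""
from typing import Dict, List

# Constructed 401 responses: a correctly configured site, and a site whose
# providers key only contains NTLM (the SharePoint default in the thread).
GOOD_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n\r\n"
)
NTLM_ONLY_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# The two provider names IIS 6 understands in NTAuthenticationProviders.
VALID_PROVIDERS = {"negotiate", "ntlm"}
# Straight quotes plus the Word-style curly quotes Outlook substitutes.
QUOTE_CHARS = '"\u201c\u201d'


def parse_auth_schemes(raw_response: bytes) -> List[str]:
    """Return the scheme names in WWW-Authenticate headers, in server
    order; the browser picks the first one it supports."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    schemes: List[str] = []
    for line in lines[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        tokens = value.split()  # "<scheme>" or "<scheme> <params>"
        if tokens:
            schemes.append(tokens[0])
    return schemes


def kerberos_possible(raw_response: bytes) -> bool:
    """Kerberos is only reachable through the Negotiate (SPNEGO) scheme."""
    return "Negotiate" in parse_auth_schemes(raw_response)


def check_providers(stored_value: str) -> Dict[str, object]:
    """Validate an NTAuthenticationProviders value as stored in Metabase.xml.
    Stray quote characters make the whole value unrecognised, which is
    why all requests fell back to Anonymous in the thread."""
    problems: List[str] = []
    cleaned = stored_value.strip()
    if cleaned and (cleaned[0] in QUOTE_CHARS or cleaned[-1] in QUOTE_CHARS):
        problems.append("value contains stray quote characters")
        cleaned = cleaned.strip(QUOTE_CHARS)
    providers = [p.strip() for p in cleaned.split(",") if p.strip()]
    unknown = [p for p in providers if p.lower() not in VALID_PROVIDERS]
    if unknown:
        problems.append("unknown provider(s): " + ", ".join(unknown))
    if not any(p.lower() == "negotiate" for p in providers):
        problems.append("Negotiate missing: Kerberos will never be offered")
    return {"providers": providers, "problems": problems, "ok": not problems}


if __name__ == "__main__":
    print("good site offers:", parse_auth_schemes(GOOD_RESPONSE))
    print("NTLM-only site offers:", parse_auth_schemes(NTLM_ONLY_RESPONSE))
    print(check_providers('"Negotiate,NTLM"'))
```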

RE: [ActiveDir] Kerberos Delegation

2005-09-19 Thread Ken Schaefer

One addition: IE will not attempt to negotiate Kerberos Auth if the site is
in the Internet Security Zone (which sites accessed by FQDN are by default).
Add the site to the Local Intranet zone.

 

Some other thoughts: If NTLM is not desired (i.e. Kerberos only), then you
can set the Auth Providers key to “Negotiate” only, rather than
“Negotiate,NTLM”. That will stop IE from using NTLM.

KB299838 only applies to IE5 upgraded to IE6 AFAIK, so if you have, say,
Windows XP that comes OOB with IE6, then the checkbox mentioned is already
checked (by default).

 

Lastly, if Kerberos isn’t an option
(e.g. users out on the Internet), then if you have a Windows 2003 Domain,
Protocol Transition may be a possibility (but I’ve never set that up on a
Sharepoint box, so I can’t say with 100% certainty that it’ll work):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx

 

But in OP’s case, I think the first thing to check is the Auth Providers key,
since Sharepoint does set that to NTLM by default (as mentioned below).

 

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 20 September 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Carlos,

 

If I understand the situation correctly
you are going client -> Sharepoint IIS server -> ISA server. It sounds
like you need to pass the client's kerberos credentials all the way to the ISA
box. If that is correct, here is what I would try...

 

Client Browser: IE6SP1 will not negotiate
kerberos by default. You need to set the integrated authentication value as
detailed in KB299838.

 

Sharepoint IIS Server: The default
Sharepoint install disables kerberos by default (see KB823265 - this is an
exchange article but it documents the default sharepoint install behavior). See
KB832769 for directions on how to enable kerberos for sharepoint. We did the
following to allow the default website to use kerberos:

 

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"

Iisreset

 

Next, setup the application pool service
account to permit delegation (ADU&C) "account is trusted for
delegation"

 

After this, you need to add an SPN to the
service account that you setup to run the application pool:

 

Setspn -A HTTP/fqdnofyourserver yourdomain\youraccount

At this point your client should negotiate kerberos when it connects to the
SPS server. You can verify this with kerbtray from the resource kit. You
should see a ticket for the application pool service account.

If you connect to the SPS site by any other URLs other than the FQDN (i.e.
the netbios name of the server or some other internal namespace URL -
sps.app.local, etc) you will need to add additional SPNs to the application
pool service account:

Setspn -A HTTP/netbiosservername yourdomain\youraccount

Setspn -A HTTP/sps.app.local yourdomain\youraccount

Again, after you do this you should be able to access the site by any of the
three URLs (server FQDN, server netbios, other namespace URL) and see the
ticket for the application pool service account in kerbtray.

In my case the sharepoint server was the endpoint of the connection trail but
once you get to the SPS server with kerberos you should be able to hop again
to the ISA box.

Hope this helps - it may be a repeat of what you have already done. This is
an extract of the doc that I wrote for myself when I had to figure this out.
You may also want to take a peek at the ISA box to see if the ISA install
also turned off Kerberos. I don't know about this one because I have never
had to look at that one...

Frank

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, September 19, 2005 5:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

Hey all,

 

Ok late at night here and I’ve hit a mental block
(don’t laugh Dean). I have set this up like a gazillion times but this
time cant get it to work.

 

Environment: 

 

Windows 2003 Native Forest Mode – All clients Windows
XP SP2 and above

 

Single forest single domain setup

 

Web Server – Windows Server 2003 Web Edition

Share Point Team Services installed.

 

That site has a web part that requires Kerb delegation for access to an ISA
firewall in order to stream RSS feeds. I can see on the ISA server that
whenever any user hits the site the HTTP request is sent as ANONYMOUS.

 

So what I have done:

 


 - I have set the webserver for delegation (Kerb Only)
 - I have created a username in AD and set it for Delegation (Kerb Only)
 - I have set the Share Point Portal Application Pools (IIS 6.0) to use the
   AD user mentioned above for the Identity of the App Pool (rebooted IIS
   server)
   a. Purged all tickets as well.
 - I have registered an SPN fo
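
Added example, not code from the thread: Frank's procedure registers one
HTTP/ SPN per name users type (FQDN, NetBIOS name, extra namespace) with
setspn -A. This works out which of those SPNs the application pool account
still lacks, and reports any that already sit on another account, since an
SPN held by two accounts breaks Kerberos for the site instead of enabling
it. The account names, registered SPNs and URLs are constructed.

```python
"""Compute missing and duplicated HTTP/ SPNs for a SharePoint app pool
account. Added example; all directory data is constructed."""
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed snapshot of servicePrincipalName values, as "setspn -L"
# would list them for each account.
REGISTERED_SPNS: Dict[str, Set[str]] = {
    "CORP\\svc_spsapppool": {"HTTP/sps01.corp.example"},
    "CORP\\SPS01$": {"HOST/SPS01", "HOST/sps01.corp.example",
                     "HTTP/sps.app.local"},
}

# Every way users reach the site: FQDN, NetBIOS name, extra namespace.
SITE_URLS = [
    "http://sps01.corp.example/default.aspx",
    "http://sps01/",
    "http://sps.app.local/",
]


def required_spns(urls: List[str]) -> Set[str]:
    """One HTTP/<host> SPN per distinct host name in the URLs. Hosts are
    lower-cased because AD compares SPNs case-insensitively."""
    spns: Set[str] = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            spns.add("HTTP/" + host.lower())
    return spns


def spn_report(account: str, urls: List[str],
               registered: Dict[str, Set[str]]) -> Dict[str, object]:
    """Compare the SPNs the site needs with those on the account and on
    every other account. Returns the missing SPNs, the ones another
    account already holds, and the setspn commands that are safe to run."""
    needed = required_spns(urls)
    mine = {s.lower() for s in registered.get(account, set())}
    missing = sorted(s for s in needed if s.lower() not in mine)

    duplicates: Dict[str, List[str]] = {}
    for other, spns in registered.items():
        if other == account:
            continue
        held = {s.lower() for s in spns}
        for spn in sorted(needed):
            if spn.lower() in held:
                duplicates.setdefault(spn, []).append(other)

    # Never emit setspn -A for an SPN another account holds: that would
    # create the duplicate-SPN condition rather than fix anything.
    commands = [f"setspn -A {spn} {account}"
                for spn in missing if spn not in duplicates]
    return {"missing": missing, "duplicates": duplicates, "commands": commands}


if __name__ == "__main__":
    report = spn_report("CORP\\svc_spsapppool", SITE_URLS, REGISTERED_SPNS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Duplicates have to be resolved by removing the SPN from the other account (setspn -D) before it is added to the service account.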

RE: [ActiveDir] Connecting to IIS

2005-09-10 Thread Ken Schaefer
Hi there,

The tool (IIS Manager) uses RPC/DCOM to connect from client -> server.  It's
a bit odd that Computer Management works, but IIS Manager does not. I would
check any firewall configuration you do have (just in case), and check Event
Logs on the server as well for anything that might indicate why the
connection is failing.

Cheers
Ken
 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Saturday, 10 September 2005 8:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Connecting to IIS

I see. I am already using this. It does not work.

-Z.V.

Crawford, Scott wrote: 
The link just worked for me.  It has some wrapping though.  Try this

<http://www.microsoft.com/downloads/details.aspx?familyid=f9c1fb79-c903-4842-9f6c-9db93643fdb7&displaylang=en>

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Friday, September 09, 2005 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Connecting to IIS

Link is dead.

Ken Schaefer wrote:

  
Hi,

Are you using the IIS6 Manager from the Win2003 AdminPak MSI? If so,
then try downloading and using this instead:
http://www.microsoft.com/downloads/details.aspx?familyid=f9c1fb79-c903-4842-9f6c-9db93643fdb7&displaylang=en

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Za Vue
: Sent: Friday, 9 September 2005 2:43 AM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] Connecting to IIS
: 
: I have a Win2003(sp1) web server in a W23k AD. Web server is member
: server.
: I cannot connect to administer IIS  from Windows XP using IIS6
: snap-in Manager . Getting "Unable to connect to this computer."
: Yes, logged in as domain admin to XP workstation. I can connect to
: the server from "Computer Management", but still can't view IIS 
: in Computer
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Connecting to IIS

2005-09-08 Thread Ken Schaefer
Hi,

Are you using the IIS6 Manager from the Win2003 AdminPak MSI? If so, then try
downloading and using this instead:
http://www.microsoft.com/downloads/details.aspx?familyid=f9c1fb79-c903-4842-9f6c-9db93643fdb7&displaylang=en

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Za Vue
: Sent: Friday, 9 September 2005 2:43 AM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] Connecting to IIS
: 
: I have a Win2003(sp1) web server in a W23k AD. Web server is member
: server.
: I cannot connect to administer IIS  from Windows XP using IIS6 snap-in
: Manager . Getting "Unable to connect to this computer."
: Yes, logged in as domain admin to XP workstation. I can connect to the
: server from "Computer Management", but still can't view IIS in Computer
: Management.
: 
: Help!



RE: [Fwd: RE: [ActiveDir] Password policy change]

2005-08-27 Thread Ken Schaefer
The original Password Change functionality used HTRs, and there was a buffer
overflow vulnerability in the ISAPI Extension that handled HTRs (ism.dll).
There's a download on the MS Downloads page that substitutes ASP pages:

http://support.microsoft.com/?id=331834
Change password functionality replaced with Active Server Pages

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of joe
: Sent: Saturday, 27 August 2005 5:08 PM
: To: ActiveDir@mail.activedir.org
: Subject: FW: [Fwd: RE: [ActiveDir] Password policy change]
: 
: From a "shy" lurker MVP
: 
: It appears it is something you can enable. It isn't strictly part of OWA
: but
: the old IIS Password change tool. I recall there being issues with that
: tool
: and that is why they stopped enabling it by default but can't recall what
: they were this late at night or this early in the morning whatever it may
: be. ;o)
: 
: Thanks for the assist Mom. :)
: 
: 
: 
: -Original Message-
: Sent: Saturday, August 27, 2005 2:24 AM
: To: [EMAIL PROTECTED]
: Subject: [Fwd: RE: [ActiveDir] Password policy change]
: 
: http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm
: 
: 
:  Original Message 
: Subject:  RE: [ActiveDir] Password policy change
: Date: Sat, 27 Aug 2005 02:16:14 -0400
: From: joe <[EMAIL PROTECTED]>
: Reply-To: ActiveDir@mail.activedir.org
: To:   
: 
: 
: 
: Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
: Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if
: your
: password is expired (forced or otherwise) you aren't getting into OWA. I
: also don't believe it has a password change function if you just want to
: go
: and change it, but that could be something that could be enabled.
: Alternatively you set up another web page to do it.
: 
: As for the OP's original issue. It all comes down to implementation. You told
: the system to not allow people to change the password if the password age
: was less than one day and then were confused when it did exactly that. The
: reason for it is that there is one attribute for password age, pwdLastSet,
: and it doesn't distinguish between a helpdesk set operation or a normal
: password change, they are both password changes and you only want one day
: between every change. The proper way to handle that case is to force the
: users to change their password on next logon (which sets the pwdLastSet to
: 0), but as you know, that will kill OWA users. So you either need another
: process to follow for OWA only users, install some third party or custom
: inhouse tool, or drop the minimum password aging.
: 
:joe
: 
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
: Sent: Saturday, August 27, 2005 12:09 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Password policy change
: 
: You're right Aaron, I didn't know what it meant!
: 
: I am not an outlook sort of person (we use Notes...), but the inferred
: statement surprises me. It suggests that if the "must change password" is
: set, you can't logon to Outlook Web Access.
: 
: This would suggest that forcing users to change password after (say) 28 days
: is also a no-no.
: 
: And, it would also suggest that Outlook Web Access won't let you change your
: password. If it did, it would surely allow you to logon, then require you to
: change the password before you do anything..
: 
: This all seems unlikely, given Microsoft's recommended use of forcing
: password changes on a regular basis and forcing users to change a password
: when a new user is created.
: 
: If it is all true, maybe you have to provide some way that the users can go
: to a Citrix portal and change their password there, then go back and use
: Outlook Web Access.
: 
:  Alan Cuthbertson
: 
: 
:   Policy Management Software:-
:  http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
:  ADM Template Editor:-
:  http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
:  Policy Log Reporter(Free)
:  http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
: 
: 
: 
: 
: - Original Message -
: From: "Aaron Visser" <[EMAIL PROTECTED]>
: To: 
: Sent: Saturday, August 27, 2005 8:59 AM
: Subject: Re: [ActiveDir] Password policy change
: 
: 
: Nevermind OWA = Outlook Web Access
: 
: 
: On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]>
: wrote:
: 
: >
: > I mean, if I use the check box to "user must change password at next logon"
: > our users whose only way into the domain is OWA will not prompt them to
: > change their password... Unless I am missing something.
: >
: > Thanks
: >
: > -Original Message-
: > From: [EMAIL PROTECTED]
: > [mailto:[EMAIL PROTECTED] On Behalf Of SysPro
: > Support
: > Sent: Friday, August 26, 2005 3:19 PM
: > To: ActiveD

RE: [ActiveDir] Kinda OT: Advice welcomed

2005-08-20 Thread Ken Schaefer
Additionally, document the business costs/issues that arise later down the
track (if any). This will allow you to be prepared in case:
a) you need to push back against a similar suggestion down the track
b) this decision ever comes up for discussion again

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
: Sent: Saturday, 20 August 2005 9:13 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kinda OT: Advice welcomed
: 
: What Deji said.
: 
: Document the risks of what is being done, document what you think would be
: a better and more secure solution, and document what you will need to do
: on the remainder of your network to compensate for this insecurity (if
: that's even possible).  Then hand it to this person in two forms - email
: and on paper - that are dated and acknowledged by the recipient.  Save all
: documentation for a later date, as you're probably going to need it.
: 
: When you're good at your job and take pride in that fact, it's very easy
: to take things like this personally...to jump up and down yelling
: "AAAGHH THE STUPID! IT BURNS LIKE FIRE!!!" because you
: know you're right.  But it's not personal and you can't treat it as such.
: Cover yourself and your network by making all concerned parties aware of
: the risks of the situation; there's not much else you can do...nothing
: that's professionally acceptable, anyway.
: 
: And remember: this is only IT, nobody dies.  (Unless you're in a
: medical/military/whatever line of work in which someone actually -might-,
: in which case use that as a barometer of how loudly you need to make your
: objections known.)
: 
: - Laura
: 
: 
: > -Original Message-
: > From: [EMAIL PROTECTED]
: > [mailto:[EMAIL PROTECTED] On Behalf Of
: > [EMAIL PROTECTED]
: > Sent: Saturday, August 20, 2005 12:41 AM
: > To: ActiveDir@mail.activedir.org
: > Subject: RE: [ActiveDir] Kinda OT: Advice welcomed
: >
: > You make your disagreement known to the CIO in a
: > corporately-acceptable way -
: > and move on. Chalk it down as one of the things numerous IT personnel
: > encounter on a very regular basis everyday.
: >
: > Don't take it personal, is what I tell myself.
: >
: >
: > Sincerely,
: >
: > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
: > Microsoft MVP - Directory Services
: > www.readymaids.com - we know IT
: > www.akomolafe.com
: > Do you now realize that Today is the Tomorrow you were worried about
: > Yesterday?  -anon
: >
: > 
: >
: > From: [EMAIL PROTECTED] on behalf of Douglas M. Long
: > Sent: Fri 8/19/2005 8:38 PM
: > To: ActiveDir@mail.activedir.org
: > Subject: [ActiveDir] Kinda OT: Advice welcomed
: >
: >
: >
: > Here's a question for everyone:
: >
: >
: >
: > Your CIO decides it is cheaper to host an application remotely at a site
: > that you know nothing about (and for that reason do not trust). He then
: > decides on his own that he will just tell the network guy to open port 389
: > to one of your production DCs without consulting, or even mentioning it to
: > you or anyone else that may have something to say about the security
: > risks. Then he asks you to create a test user account for a junior admin
: > to test with, and gives the remote site the username and password.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Ken Schaefer
You may want to have Kerberos authentication all the way through, rather than
using Protocol Transition. At least in the IIS world, protocol transition
involves running your worker processes as LocalSystem rather than any other
account, which is yet another security issue you need to manage.

Cheers
Ken

www.adOpenStatic.com/cs/blogs/ken/ 

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Wednesday, 10 August 2005 7:33 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
: 
:  >Assuming that you are aware of what constrained delegation is, how it
: operates, and what it should be used for...
: 
: That's the point of my query, I certainly don't understand all I know
: about it and we have never allowed it, at this point I have just begun
: to scratch the surface. I was totally uncomfortable when it was first
: proposed and threw up the stop sign. I'm getting less comfortable by the
: minute as I read more about it.
: 
: I'm reading the Kerberos Protocol Transition and Constrained Delegation
: article and the Troubleshooting Kerberos Delegation white paper and like
: I said, trying to understand all I know about it ;-(
: 
: Everyone's comments so far are immensely appreciated.
: 
: Thanks
: 
: Bob
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
: Sent: Tuesday, August 09, 2005 1:38 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
: 
: Assuming that you are aware of what constrained delegation is, how it
: operates, and what it should be used for...
: 
: Anytime you allow someone or something to impersonate, err, act on
: behalf of another security principal, there is always cause for concern.
: Constrained delegation certainly provides some flexibility in achieving
: this goal and fulfilling the applications need, but like any Domain
: Admin in your forest the developer and the application must be trusted.
: 
: I would recommend clear documentation as to the architecture of the
: application, how and with what other systems it interoperates, and if
: you have the wherewithal (or can bring in someone who does) a code
: review to ensure that what is defined is accurate.
: 
: I know this seems a little over-the-top, but we are talking about you
: accepting someone else walking around with my ID and saying "he told me
: it was OK that I access  on his behalf."
: 
: Regards,
: 
: Aric Bernard
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Tuesday, August 09, 2005 1:07 PM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] Kerberos Delegation
: 
: We have a developer who wants us to allow delegation for a couple of SQL
: servers and their service accounts so he can do distributed queries
: across linked servers. This is new ground for us from an AD perspective
: that I have just started researching and I'd like to hear others'
: thoughts, policies etc.
: 
: We are at 2003 functional level so from what I read, we can allow
: constrained delegation which is much better than un-constrained but most
: of the comments I come across indicate this isn't something to be taken
: lightly, has serious security ramifications, policies should be in place
: etc etc..
: 
: I can find a reasonable amount of information from the developers
: point-of-view, and I can see how to implement it technically (I think)
: but not a whole lot from the AD admin's perspective, especially as it
: pertains to the desirability of allowing it and how best to manage it if
: it is allowed.
: 
: Any info greatly appreciated.
: 
: Bob
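A way to turn Aric's "document the architecture" advice and Ken's Kerberos-only point into a repeatable check: an added Python audit script, not from the thread, that classifies accounts by the delegation bits in userAccountControl and the SPN list in msDS-AllowedToDelegateTo. The account records, SPNs and approved-target list are constructed sample input.

```python
"""Audit of Kerberos delegation settings from exported AD account attributes.

Relevant userAccountControl bits (ADS_USER_FLAG values):
  TRUSTED_FOR_DELEGATION         0x00080000  unconstrained: may impersonate any
                                             user to any service
  NOT_DELEGATED                  0x00100000  "Account is sensitive and cannot
                                             be delegated"
  TRUSTED_TO_AUTH_FOR_DELEGATION 0x01000000  protocol transition ("use any
                                             authentication protocol")
Constrained delegation itself lives in msDS-AllowedToDelegateTo: the list of
target SPNs the account may present a user's identity to.
Account records below are constructed sample input, not real directory data.
"""
TRUSTED_FOR_DELEGATION = 0x00080000
NOT_DELEGATED = 0x00100000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000


def classify_delegation(uac, allowed_to_delegate_to):
    """Summarise how an account is allowed to delegate."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # Protocol transition: the service can obtain a ticket for a user who
        # never authenticated to it with Kerberos, so the service's own word is
        # all that stands behind the delegated identity.
        return "constrained-protocol-transition"
    if allowed_to_delegate_to:
        return "constrained-kerberos-only"
    return "none"


def audit_delegation(accounts, privileged, approved_targets):
    """Return (sAMAccountName, classification, [findings]) for every account.

    accounts: dicts with sAMAccountName, userAccountControl and, optionally,
              msDS-AllowedToDelegateTo.
    privileged: names (e.g. Domain Admins members) that must never be delegated.
    approved_targets: SPNs for which delegation has been signed off.
    """
    results = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        targets = acct.get("msDS-AllowedToDelegateTo", [])
        kind = classify_delegation(uac, targets)
        findings = []
        if kind == "unconstrained":
            findings.append("unconstrained delegation: use constrained with explicit SPNs")
        if kind == "constrained-protocol-transition":
            findings.append("protocol transition enabled: Kerberos-only is preferable")
        for spn in targets:
            if spn not in approved_targets:
                findings.append(f"delegation target not on approved list: {spn}")
        if acct["sAMAccountName"] in privileged and not (uac & NOT_DELEGATED):
            findings.append("privileged account not marked 'sensitive, cannot be delegated'")
        results.append((acct["sAMAccountName"], kind, findings))
    return results


# Constructed sample: two SQL service accounts (the linked-server scenario),
# a web server with unconstrained delegation and two privileged users.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-sql01", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql02.example.test:1433"]},
    {"sAMAccountName": "svc-sql02",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.example.test:1433"]},
    {"sAMAccountName": "WEB01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "da-bob", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "da-alice", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED},
]
PRIVILEGED = {"da-bob", "da-alice"}
APPROVED_TARGETS = {"MSSQLSvc/sql02.example.test:1433"}

if __name__ == "__main__":
    for name, kind, findings in audit_delegation(SAMPLE_ACCOUNTS, PRIVILEGED, APPROVED_TARGETS):
        print(f"{name:<12} {kind:<32} {'; '.join(findings) or 'ok'}")
```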



RE: [ActiveDir] Integrating IIS and AD

2005-08-09 Thread Ken Schaefer

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of MeWe
Subject: [ActiveDir] Integrating IIS and AD

: I have 4 servers..
: And 2 of them are running the domain, and the last 2 
: are meant for IIS. So here is my question: how do I 
: integrate the 4 servers into each other? And is 
: it possible to integrate AD and IIS if they are 
: running on different servers? 


What do you mean by "integrate IIS and AD"?

You can certainly add the IIS servers as member servers of an AD domain.

Cheers
Ken

--
IIS Stuff: www.adOpenStatic.com/cs/blogs/ken/ 


RE: [ActiveDir] 2003 sp1 security agent

2005-07-27 Thread Ken Schaefer
SCW does more than just configure the Windows firewall. It can change service
startup settings, configure registry keys around what auth types are used,
configure your local security policy settings (SMB signing, auditing etc),
and do an IIS lockdown. And it supports roll-back, so it's worth checking
out.

Also supports:
a) analysis mode (compare server's actual configuration -vs- a proposed
configuration)
b) remote application mode (so you can apply policies to remote servers)
c) command line support (so you can do this all via batch files)
d) centralised storage of your policy files, so you can just update a single
location with new XML files that all your SCWs should use.

Cheers
Ken


: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Matt Brown
: Sent: Thursday, 28 July 2005 7:56 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] 2003 sp1 security agent
: 
: Ya, I mean the security config wizard.  I've normally never had any firewall
: stuff on my domain controllers... But was thinking it might be possible with
: 2003 SP1.
: 
: Anybody have any recommendations?
: 
: 
: Thanks,
: --
: Matt Brown [EMAIL PROTECTED]
: Consultant for Student Technology Fee
: website: http://techfee.ewu.edu/
: +--+
: | 509.359.6972 ph. - 509.359.7087 fx
: | 307 MONROE HALL | Cheney, WA 99004
: +--+
: 
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
: Sent: Wednesday, July 27, 2005 9:26 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] 2003 sp1 security agent
: 
: Security Config Agent  Not sure on that.  Do you mean the Security
: Config Wizard?  If so - nope - none at all.
: 
: Rick
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
: Sent: Wednesday, July 27, 2005 10:42 AM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] 2003 sp1 security agent
: 
: Anybody used the security config agent and had any issues with it on
: Domain
: Controllers... Or any recommendations?
: 
: Thanks,



RE: [ActiveDir] Win2k3 server issue

2005-07-12 Thread Ken Schaefer
Anything being logged in the SUALB-EXCH2 event logs?

Cheers
Ken

www.adOpenStatic.com/cs/blogs/ken/ 

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Kern, Tom
: Sent: Tuesday, 12 July 2005 12:09 PM
: To: ActiveDir (E-mail)
: Subject: [ActiveDir] Win2k3 server issue
: 
: Ok, I'm going through this one more time because it's driving me nuts-
: 
: A win2k3 sp1 server was made a domain member by an admin.
: I then was called to install exchange 2k3 on it. I term serviced to the
: server and ran domainprep (forestprep was run ages ago) and I got an
: "exchange2k3 is not compatible with this software" error, which I googled
: and was told was benign as long as I installed sp1 for exchange after
: install.
: Ok, I ran setup and I got an error that the win2k3 server was not a member
: of the exchange domain servers group and I would have to manually add it.
: That was weird because I could've sworn setup does it for you.
: So, I navigate to the group via aduc and when I try to add the server,
: the object picker can't find it.
: You can see it in aduc in the computers container but the picker can't
: find it. Also, the server does not show up in Term Services manager.
: The server also registered its a and ptr records in dns and is pointing to
: the correct dns servers.
: 
: on my gc, i get this error-
: 
: 
: Event Type:   Error
: Event Source: NETLOGON
: Event Category:   None
: Event ID: 5790
: Date: 7/11/2005
: Time: 1:29:02 PM
: User: N/A
: Computer: SUALB-USR1
: Description:
: No suitable Domain Controller is available for domain SUALB-EXCH2. An NT4
: or older domain controller is available but it cannot be used for
: authentication purposes in the Windows 2000 or newer domain that this
: computer is a member of. The following error occurred:
: Access is denied.
: 
: For more information, see Help and Support Center at
: http://go.microsoft.com/fwlink/events.asp.
: Data:
: : 22 00 00 c0   "..À
: 
: 
: 
: Now what's really weird about this is that SUALB-EXCH2 is NOT a domain but
: the name of the member server in question (no, it's not running exchange
: yet).
: 
: And now, when I term service to it, I can't logon. "Domain cannot be
: found". Also I get "access denied" when trying to connect via comp
: management or event viewer,
: though I can browse to the admin$ share.



RE: [ActiveDir] OT: Command line to create a local account

2005-06-27 Thread Ken Schaefer

: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
: Subject: [ActiveDir] OT: Command line to create a local account
: 
: 
: What would be the syntax in a batch file that I could use to create a local
: account, assign it a password and disable the account.  Also the account
: needs to be part of the guest group and a password must be required for it.


Would:

net user
-and-
net localgroup

do everything you need?

Cheers
Ken

--
IIS Stuff: www.adOpenStatic.com/cs/blogs/ken/ 


RE: [ActiveDir] Last Logon attempts

2005-06-14 Thread Ken Schaefer
What do you mean by a "consolidated report"? Just a listing of users and last
logon times?

This is untested (written straight into Outlook) so probably has a few bugs.
You could use something like this to get the DNs of all users in the
directory, and then (within a loop) use the code on the MSDN page linked to
previously. Maybe one of the gurus could supply something that's a little
more efficient.

Set objRootDSE = GetObject("LDAP://RootDSE")
strDefaultNC = objRootDSE.Get("defaultNamingContext")

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConn
' ADO/LDAP dialect: <search base>;<filter>;<attributes>;<scope>
' objectCategory=person is needed as well, because computer accounts
' are also objectClass=user and would otherwise be included.
strQuery = _
"<LDAP://" & strDefaultNC & ">;" & _
"(&(objectCategory=person)(objectClass=user));" & _
"distinguishedName;" & _
"subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100   ' paged results: needed past 1000 users
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False

Set objRS = objCommand.Execute

If Not objRS.EOF Then
Do While Not objRS.EOF
' MSDN code here
' Use objRS.Fields("distinguishedName").Value
objRS.MoveNext
Loop
End If

objRS.Close
objConn.Close
Set objRS = Nothing
Set objCommand = Nothing
Set objConn = Nothing
Set objRootDSE = Nothing

Cheers
Ken

--
IIS Stuff: www.adOpenStatic.com/cs/blogs/ken/ 

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Ravi Dogra
: Sent: Wednesday, 15 June 2005 10:09 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Last Logon attempts
: 
: Hi Tony,
: 
: What i need is a consolidated report for all users, not a single user.
: If there is a third party solution then let it be.
: 
: --
: DR
: 
: On 6/15/05, Tony Murray <[EMAIL PROTECTED]> wrote:
: > Hi Ravi
: >
: > There's a good explanation and script (using lastLogonTimeStamp) shown
: here:
: >
: >
: http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx
: >
: > Tony
: >
: > -Original Message-
: > From: [EMAIL PROTECTED]
: > [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
: > Sent: Wednesday, 15 June 2005 11:39 a.m.
: > To: ActiveDir@mail.activedir.org
: > Subject: [ActiveDir] Last Logon attempts
: >
: > Hi,
: >
: > Can we have a last logon consolidated report for all my users. I need
: > collective information about last logons of all my users.
: >
: > Can anyone suggest any easy way.



RE: [ActiveDir] Change password web interface

2005-06-14 Thread Ken Schaefer
You may wish to read this KB article:

http://support.microsoft.com/kb/331834/
Change password functionality replaced with Active Server Pages

which provides a set of ASP pages (even though they still have the .htr
extension) that implement the change password functionality, rather than
relying on the ism.dll ISAPI extension. The use of ASP may help mitigate some
of the concerns you have re the security of the IISAdmPwd vdir.

Cheers
Ken

--
IIS Stuff: www.adOpenStatic.com/cs/blogs/ken/ 

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
: Sent: Tuesday, 14 June 2005 6:20 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Change password web interface
: 
: iisadmpwd VD is one of the VDs that is ALWAYS neutered on any IIS server I
: touch - as part of my "server hardening" procedure. htr is one of the
: extensions that gets unmapped in any IIS installation I do. I have been doing
: this before IISLOCKDOWN and, luckily, before CodeRed I and II.
: 
: Your experience may be different. I am just pointing out that this is not a
: secure way to do what you are doing. Roll your own solution. IISADMPWD and
: htr have been proven to be, shall we say, full of issues.
: 
: 
: Sincerely,
: 
: Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
: Microsoft MVP - Directory Services
: www.readymaids.com - we know IT
: www.akomolafe.com
: Do you now realize that Today is the Tomorrow you were worried about
: Yesterday?  -anon
: 
: 
: 
: From: [EMAIL PROTECTED] on behalf of Douglas M. Long
: Sent: Mon 6/13/2005 12:37 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Change password web interface
: 
: 
: 
: http://support.microsoft.com/default.aspx?scid=kb;en-us;297121
: 
: 
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
: Sent: Monday, June 13, 2005 3:35 PM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] Change password web interface
: 
: 
: 
: I am looking for a way for employees to change their password at any time
: over a web interface.  Any scripts or free programs out there anyone could
: suggest?
: 
: --
: Jacob Stabl


[ActiveDir] Q about Site Link Bridging

2005-06-06 Thread Ken Schaefer
Hi guys,

When, in AD Sites and Services MMC Snapin, one unchecks the "bridge all site
links" checkbox, what gets updated in the directory?

From what I can tell, this is stored in the Options attribute of:
cn=NTDS Settings,cn=,cn=sites,cn=configuration,dc=
and we do an:  OR &H10 to disable automatic generation of
inter-site links. We'd need to do this for each site. Is this correct? Or is
there some global attribute that gets set instead that I'm missing in my
research?

TIA!

Cheers
Ken

--
IIS Stuff: www.adOpenStatic.com/cs/blogs/ken/ 


RE: [ActiveDir] Question on IIS management via AD...

2005-05-31 Thread Ken Schaefer

: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Steven L Dunn
: Subject: [ActiveDir] Question on IIS management via AD...
: 
: I want to allow one of our users to manage our 
: website services (IIS, Indexing Service) without 
: giving them full administrative access to everything 
: else.
: 
: What's the best method to do this? Is there a primer 
: or some examples somewhere that point the way? Google 
: doesn't seem to be giving me what I
: need. Maybe it's just me!


What version of IIS? For IIS6, there's no supported delegation, however you
could have a look at this post on Bernard Cheah's (IIS MVP) blog:
http://msmvps.com/bernard/archive/2005/05/08/46074.aspx

Cheers
Ken

--
www.adOpenStatic.com/cs/blogs/ken/ 


RE: [ActiveDir] All - OT (and drifting further away)

2005-05-09 Thread Ken Schaefer

: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Al Mulnick
: Subject: RE: [ActiveDir] All - OT (and drifting further away)
: 
: I will ask though: if Avanade might exist so that more complicated
: systems can be implemented without Microsoft having to do the work
: themselves, does that mean they're different than other partners?


Well, I suppose Microsoft doesn't own much, if anything, of the other
partners. When Avanade was founded, Microsoft owned 50% of the company. I
believe the split is about 20/80 now.

I suppose one reason for Microsoft agreeing to setup Avanade would be to have
a consulting firm that would have some ties back to the company, and
focus/specialise on Microsoft technology, but without having to be in the
consulting business itself. 


: If so, why and how Ken?  I have to admit I've met some really 
: bright folks from MCS, Avanade, Accenture, IBM, Compucom, 
: CSC, HP and so on.  The individual was far more important to 
: the conversation than the company.


Absolutely. Don't disagree with you one bit.


: My guess is that they aren't any different than other partners,


Maybe, maybe not. I'm not really a disinterested party, so I won't try to
argue one way or the other. I haven't been working for Avanade long enough to
know enough to argue the point either :-)

Avanade does have some ties back to Microsoft - our solutions delivery
practice developed (with PAG) the current .NET Enterprise Library that you
can download. I'm sure all the large consulting companies have similar ties
though.


: I'm curious now: were you just pointing out that 
: one was missed or that Avanade can do the complicated 
: systems that MCS doesn't have staff to handle?


I'm sure there isn't much that MCS can't handle. We'll probably have more
people (eventually). I think we're up around the 3000 mark ATM.

Cheers
Ken

 
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of joe
: Sent: Monday, May 09, 2005 9:37 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] All - OT (and drifting further away)
: 
: Oh wow, I never heard of them and they are the "leading global
: technology integrator"...
: 
: 
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
: Sent: Monday, May 09, 2005 8:54 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] All - OT (and drifting further away)
: 
: 
: : From: [EMAIL PROTECTED] [mailto:ActiveDir-
: : [EMAIL PROTECTED] On Behalf Of joe
: : Subject: RE: [ActiveDir] All - OT (and drifting further away)
: :
: : I think as MS gets more and more complicated products
: : deeper in the field (SMS, MIIS, MOM, Active Directory,
: : ADFS, SUA, etc) they will have not much choice but to offer
: : more and better consulting to get it all configured
: : and running properly together. Not doing so means that
: : people will set it up and often it will be set up poorly
: : or outright wrong which makes MS look bad.
: 
: 
: Perhaps this is one of the reasons Avanade [1] exists...
: 
: Cheers
: Ken
: 
: [1] www.avanade.com
: 
: --
: www.adOpenStatic.com/cs/blogs/ken/
: 
: 
: 
: : Services is a great way to make money if you do a good job. If you do
: a
: : poor
: : job, it is a great way to piss customers off and lose money and people
: due
: : to issues and stress.
: :
: :
: :
: : -Original Message-
: : From: [EMAIL PROTECTED]
: : [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
: : Sent: Monday, May 09, 2005 4:08 PM
: : To: ActiveDir@mail.activedir.org
: : Subject: RE: [ActiveDir] All - OT (and drifting further away)
: :
: : ProServices at Microsoft is all about radical turns.  Trust me :)
: :
: : Your concept of partners having more/less in-depth experience than
: : Microsoft is intriguing.  I suppose that indicates that the Microsoft
: : consultants have a corporate sanctioned line back to the development
: team
: : (as opposed to making those relationships as best they can).
: Interesting
: : concept; I hope you're right.
: :
: :
: : SteveB absolutely has been consistent in saying that services (not
: just
: : MCS
: : anymore) is there as a value add.  They're a software company first
: and
: : foremost.  One of the great things about working there as a
: consultant,
: : I'm
: : sure.
: :
: : Getting partners to step up has more than the value of not having to
: : maintain headcount if you think about it.  It has benefit

RE: [ActiveDir] All - OT (and drifting further away)

2005-05-09 Thread Ken Schaefer

: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of joe
: Subject: RE: [ActiveDir] All - OT (and drifting further away)
: 
: I think as MS gets more and more complicated products 
: deeper in the field (SMS, MIIS, MOM, Active Directory, 
: ADFS, SUA, etc) they will have not much choice but to offer 
: more and better consulting to get it all configured
: and running properly together. Not doing so means that 
: people will set it up and often it will be set up poorly 
: or outright wrong which makes MS look bad.


Perhaps this is one of the reasons Avanade [1] exists...

Cheers
Ken

[1] www.avanade.com

--
www.adOpenStatic.com/cs/blogs/ken/



: Services is a great way to make money if you do a good job. If you do a
: poor
: job, it is a great way to piss customers off and lose money and people due
: to issues and stress.
: 
: 
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
: Sent: Monday, May 09, 2005 4:08 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] All - OT (and drifting further away)
: 
: ProServices at Microsoft is all about radical turns.  Trust me :)
: 
: Your concept of partners having more/less in-depth experience than
: Microsoft is intriguing.  I suppose that indicates that the Microsoft
: consultants have a corporate sanctioned line back to the development team
: (as opposed to making those relationships as best they can).  Interesting
: concept; I hope you're right.
: 
: 
: SteveB absolutely has been consistent in saying that services (not just
: MCS
: anymore) is there as a value add.  They're a software company first and
: foremost.  One of the great things about working there as a consultant,
: I'm
: sure.
: 
: Getting partners to step up has more than the value of not having to
: maintain headcount if you think about it.  It has benefits that reach much
: deeper than that. (I'm just pointing out the obvious).
: 
: "If they are ramping up it's because they see a rise in the need of talent
: in MCS at present, and demand from customers for more flesh in the game."
: Hmmm
: 
: 
: 
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
: Sent: Monday, May 09, 2005 3:36 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] All - OT (and drifting further away)
: 
: All (not just Al),
: 
: Microsoft has never really intended to be a true player in the Services
: market - unless they are taking a radical turn in the past few months.
: 
: They see services as a necessary tool for customers who require Microsoft
: to
: be involved in installs and the like.  If it wasn't for some very major
: players (Boeing, Ford, GE, etc...  I suspect) Microsoft would not have
: provided consulting at all.
: 
: Ballmer sees this end of the market as an 'at-best' break even game.  He
: would much prefer to see the Partners step up to the plate, but there are
: a
: whole other set of problems with that, only a couple being depth of
: experience and real commitment to the Microsoft Corporate vision, rather
: than their own interests.
: 
: Funny how that works.
: 
: If they are ramping up it's because they see a rise in the need of talent
: in
: MCS at present, and demand from customers for more flesh in the game.
: 
: joe, you might be talking to other folks than I am (I suspect that I have
: more recent contact with what's going on in recruiting with MCS than you
: do
: right now   ;o) but I don't get the impression that it's quite in the
: upper thousands, but there is a big push on to hire a bunch by fiscal
: year-end (June 30).
: 
: -rtk
: 
: > -Original Message-
: > From: [EMAIL PROTECTED] [mailto:ActiveDir-
: > [EMAIL PROTECTED] On Behalf Of Al Mulnick
: > Sent: Monday, May 09, 2005 1:44 PM
: > To: ActiveDir@mail.activedir.org
: > Subject: RE: [ActiveDir] All - OT (and drifting further away)
: >
: > I, more than many, would really appreciate Microsoft building up its
: > consulting ranks/headcount ;)
: >
: > Until then, I don't think they can be considered as a serious player
: > in the consulting arena.  I think they will never (by virtue of their
: > culture) be able to be a consulting organization that deals with end
: > to end consulting; they can't deal with hardware without really making
: > other vendors/partners irate for example.  Same goes for software that
: > Microsoft doesn't make, networking equipment/OS, etc.
: >
: > Compuware?  I suppose they could since they claim to deal with 90% of
: > the fortunate 100.
: >
: > Question to ask is how they get on the top 5 list.  Is it by revenue?
: > Profits?  Headcount? Did they make the list themselves?  ??
: >
: >
: >
: >
: >
: >
: > -Original Message-
: > From: [EMAIL PROTECTED] [mailto:ActiveDir-
: > [EMAIL PROTECTED] On Behalf Of joe
: > Sent: Monday, May 09, 2005 1:44 PM

RE: [ActiveDir] 2003 SP1 RTM

2005-03-31 Thread Ken Schaefer
~~
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Dave A. Marquis
: Subject: RE: [ActiveDir] 2003 SP1 RTM
: 
: Also the Network Access Quarantine Control components 
: are new... Sounds like a mess if for some reason it 
: ever gets turned on mysteriously as some times happens in 
: AD...
~~

They are not "new" per se. They were included in the Windows 2003 Resource
Kit Tools IIRC. I'm not entirely sure how they would just "turn on"
mysteriously either. 

Computers aren't governed by "black magic" you know. :-) Things happen for a
reason. Whether that reason is fathomable by a particular user or
administrator is another question. But that just reflects most of life -
there are lots of things (most of nature comes to mind) that are not
explainable (beyond the very rudimentary) by a layman (as compared to an
expert in the field).

~~
: I am of the opinion to wait it out a bit and see how the fall 
: out goes on Win SP1...
~~

Sure - waiting to see others experience is always a way of getting additional
information on a product. But I think you really should be reading the
documentation (and testing the product) as well.

~~
: Also I think the firewall that is included is the bane 
: to all corporate admins as it is a headache to use in 
: this inviroment. I can explain further if anyone is interested...
~~

The firewall is not "on" by default - you will need to explicitly enable it.
Hopefully that addresses some of your concerns in that area.

Cheers
Ken

: David A. Marquis
: Computer Systems Administrator
: 
: 
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
: Sent: Thursday, March 31, 2005 4:08 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] 2003 SP1 RTM
: 
: I'd add these as important ones to the list:
: 
: 15) ability to set certain attributes to be "confidential" - i.e. they
: can't be read with normal "Read" permissions on an object
: 
: 16) ability to configure Drag & Drop in ADUC
: 
: 17) ability to configure visibility of foreign Universal Group memberships
: in ADUC
: 
: /Guido
: 
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Nathan Muggli
: Sent: Donnerstag, 31. März 2005 21:38
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] 2003 SP1 RTM
: 
: We'll be releasing documentation soon.
: 
: For now, here's a quick list of new features (note this is a not a
: comprehensive list for AD).
: 
: 1) Support for DCs in Virtual Servers. Replication is halted and the
: system stops advertising if an improper restoration has occurred (USN
: rollback).
: 
: 2) Replication resolves additional forms of DNS names in order to be more
: robust and work sooner after install. Also improved event log text when
: there is a failure.
: 
: 3) Improve group membership consistency on authoritative restore
: 
: 4) Report if a directory partition has not been backed up recently
: 
: 5) Report if a FSMO role holder is set incorrectly or is not responding
: 
: 6) DNS diagnostic test for dcdiag.exe
: 
: 7) Authentication diagnostic test for dcdiag.exe
: 
: 8) Improved event log text with common repair steps included. There are
: existing w2k3 messages that are updated, and there are entirely new
: messages.
: 
: 9) Improved metadata cleanup for FRS objects
: 
: 10) Retain application partitions on IFM
: 
: 11) New default tombstone lifetime for new forests created using sp1
: 
: 12) Faster FSMO validation when FSMO holder has partners in other sites
: 
: 13) During forced removal, warn administrator if important roles will be
: orphaned
: 
: 14) Ability of Dirsync api to return "partial tombstones" in order to
: allow directory synchronizing applications to learn of object deletions
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
: Sent: Thursday, March 31, 2005 10:50 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] 2003 SP1 RTM
: 
: Hi Eric,
: 
: Sorry David for hijacking your thread :)
: 
: Other than the tombstone life on clean installs of AD on SP1 what are the
: major impacts of SP1 on an AD deployment? Is there a public document that
: outlines the changes?
: 
: Thanks,
: Francis
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] .org] On Behalf Of Eric Fleischman
: Sent: 31 mars 2005 13:27
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] 2003 SP1 RTM
: 
: Dave can you quantify this statement please? I ask out of curiosity, not
: disagreement.
: 
: Specifically:
: 1) You referred to SP1 having "too many changes." How d

RE: [ActiveDir] Very OT: Please Settle a Bet

2005-02-13 Thread Ken Schaefer
What’s the definition of a 32 bit OS? I only ask because Mark Russinovich’s book says that Win95 contained oodles of 16 bit code. So the absence of 16bit code isn’t a requirement for having a 32bit OS.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Sunday, 13 February 2005 3:41 PM
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

I've always described Win95 as a 24 bit operating system myself...

Actually, the OS (i.e. the kernel) is (was) definitely 32-bit code. Rick backed into the correct answer with that damn logic thing again.

However, explorer.exe (i.e. the GUI) was most definitely a 16-bit app, because at the time they hadn't figured out all the 32 bit optimizations for graphics - they had done all the 3.x work in 16 bit. IMO - this is one of the reasons 9x has always been relatively unstable - the mixture of 16 and 32 bit code.

Roger

Roger Seielstad
E-mail Geek & MS-MVP


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, February 12, 2005 12:18 PM
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

Charles,

I follow your line of thinking and would tend to agree except for my first foray into Networked OS’s – Netware.  Netware is CLEARLY an OS – is CLEARLY 32-bit, but requires DOS to boot the kernel, which then continues to load the required pieces of Netware on the Netware kernel.

So, in that – Netware is not a frontend for DOS – it simply uses the load routines of DOS to get going, then switches the processor to privileged mode to operate with all of the features of the processor in 32-bit mode.

The question that should be asked is this, which should solve the current puzzle and bet:

Can Windows 95 be run on a 80286 processor?  If not – and must be run on a 80386 and greater – it’s 32-bit and using privileged mode and the features that it affords.

The answer to the above question is no – it must be run on a 386 or greater processor because it requires 32-bit addressing.  It emulates 16-bit for those legacy apps that needed it.  DOS was used, as in Netware, as a launching platform for the ‘kernel’ (though not in any way as complex).  The downside to Win95 was the obvious leverage on some DOS functions, and complete lack of any security and a very lackluster separation of program to program corruption.

If you want more info – see here.  http://www.webdevelopersjournal.com/archive/win95.html

I remember Greg from the ‘Chicago’ (code name for Win95) beta days, and thought he wrote an article or two.

Hope this helps.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, February 11, 2005 4:18 PM
To: 'ActiveDir@mail.activedir.org'; Send - AD mailing list
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

My vote is that Win 95 required DOS and therefore was a frontend DOS application and not a true OS.  A good example, watch a Win 95 box boot, it always starts out with DOS and then DOS runs the interface, WIN 95.

Gnome isn't an OS, it's simply a shell, DOS is the same thing.

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Friday, February 11, 2005 4:01 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Very OT: Please Settle a Bet

32 bit cooperatively multitasked if memory serves ...but it might not ;)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Friday, February 11, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Very OT: Please Settle a Bet

Could anyone settle a bet for me? I would like to know if Windows 95 was a 16 or 32-bit OS. One of us is saying that it was natively 32-bit, but ran 16-bit apps in a VM, while the other one is saying the reverse: it was a 16-bit OS that was capable of running 32-bit apps in a VM.

Also, one person is saying that W95 required DOS (like Win3.1.1) and the other is saying that, while built on DOS, DOS was not required and the OS went above and beyond its DOS roots.

If anyone can settle these issues and offer proof like links to Web pages and such, we would be grateful.

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on 

RE: [ActiveDir] OT: SUS & WXPSP2

2004-12-15 Thread Ken Schaefer
Are the users local admins? That is the most common cause of these types of
questions. The SUS deployment whitepaper should have answers to your
questions.

http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx
SUS Deployment Whitepaper

Other info:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/xpsp2sus.mspx

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Devan Pala
: Sent: Thursday, 16 December 2004 8:26 AM
: To: [EMAIL PROTECTED]
: Subject: [ActiveDir] OT: SUS & WXPSP2
: 
: Hi,
: 
: Has anyone used SUS to deploy Windows XP Service Pack 2 to their client
: computers?
: I am doing some testing and basically how can one schedule an installation
: and effectively have it deployed automatically after the 2nd missed
: (scheduled) installation.
: 
: E.g.
: 
: 1. Set SUS through GPO to download and auto install SP set to the default
: time of 3:00am
: 2. User logs in the morning and gets a prompt (balloon text) saying there
: is
: a download and what would they like to do.
: 3. User clicks no
: 4. Next morning the user still gets the option to install rather than the
: installation starting automatically.
: 
: How can I set it to deploy automatically even if it's on the first scheduled
: time? Most computers that are logged in at 3:00am have no problems: the SP is
: installed and the machine rebooted.
: 
: Thank You in advance,
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Accessing resources when a domain controller is unavailable (slightly OT)

2004-12-01 Thread Ken Schaefer
Can't the user connect using NTLM authentication (unless that's been turned
off)?

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
: Sent: Wednesday, 1 December 2004 8:31 PM
: To: [EMAIL PROTECTED]
: Subject: RE: [ActiveDir] Accessing resources when a domain controller is
: unavailable (slightly OT)
: 
: * When logging on with cached credentials when no DC is available you won't
: get any kerberos tickets either and you most likely won't have access to
: resources.
: * When logging on while a DC is available you can get kerberos tickets to
: access resources. If after a while no DC is available because the WAN link
: or all DCs died you can still access those resources you have a ticket for
: and for the remaining time the ticket is valid (max 10 hours)
: 
: Correct me if I'm wrong
: Regards,
: Jorge
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Steve
: Sent: dinsdag 30 november 2004 17:59
: To: [EMAIL PROTECTED]
: Subject: [ActiveDir] Accessing resources when a domain controller is
: unavailable (slightly OT)
: 
: A question for planning placement of Domain Controllers.
: 
: Windows 2003 Native mode domain in a mixed level forest
: 
: Let's assume that all DCs are centralized in a central site and that there
: are robust high speed/high capacity lines connecting all sites.
: 
: Let's further assume that each remote site has Windows 2000/XP clients and a
: local file server.
: 
: Normally when a resource has to be contacted locally the workstation
: authenticates with the DC and gets granted access (too simple but for this
: example good enough).
: 
: Now what happens when a DC is not available?  Will the local file server
: accept Cached credentials?  If so for how long?  Will the workstation
: maintain access until the next time their kerberos ticket needs to be
: renewed?  Is there some magic time period until the DC must be contacted
: again?
: 
: I've tested/seen how this works in practice; what I'm looking for are the
: actual reasons why access is granted/denied in this scenario.
: 
: A link to a reference explaining this would also be great.
: 
: Thanks
: 
: Steve
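
The cases Jorge describes in the quoted reply above (no tickets after a cached-credentials logon; tickets obtained while a DC was reachable stay usable until they expire) can be checked against a ticket cache rather than reasoned about. The script below is an added example, not code from the thread or from Windows. It parses a constructed, klist-style listing (the layout only approximates Windows klist output; the user, realm and server names are made up) and decides, for a given time and DC reachability, whether a client could still authenticate to a service and for how long.

```python
"""Work out which resources stay reachable from a Kerberos ticket cache once no
domain controller can be contacted.

Added example; this is not code from the thread or from Windows. It follows
Jorge's two cases: a cached-credentials logon hands out no Kerberos tickets at
all, while tickets obtained when a DC was reachable stay usable until they
expire (a ticket's lifetime is bounded by domain policy, 10 hours by default).
KLIST_OUTPUT is a constructed listing that only approximates the layout of
Windows klist output; the user, realm and server names are made up.
"""
import re
from datetime import datetime

TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed ticket cache (klist-style, not a real capture): a TGT plus one
# service ticket for the remote site's file server.
KLIST_OUTPUT = """\
#0>     Client: steve @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Start Time: 11/30/2004 8:00:00 (local)
        End Time:   11/30/2004 18:00:00 (local)
        Renew Time: 12/7/2004 8:00:00 (local)

#1>     Client: steve @ CORP.EXAMPLE
        Server: cifs/fs01.corp.example @ CORP.EXAMPLE
        Start Time: 11/30/2004 8:05:00 (local)
        End Time:   11/30/2004 18:05:00 (local)
        Renew Time: 12/7/2004 8:05:00 (local)
"""

TICKET_RE = re.compile(
    r"Server:\s+(?P<spn>\S+) @ (?P<realm>\S+).*?"
    r"Start Time:\s+(?P<start>[\d/]+ [\d:]+).*?"
    r"End Time:\s+(?P<end>[\d/]+ [\d:]+)",
    re.S,
)


def parse_klist(text):
    """Return {service principal: (start, end)} for every ticket in the listing.
    An empty listing (what a cached-credentials logon leaves you with) gives {}."""
    tickets = {}
    for m in TICKET_RE.finditer(text):
        tickets[m["spn"]] = (datetime.strptime(m["start"], TIME_FMT),
                             datetime.strptime(m["end"], TIME_FMT))
    return tickets


def _valid(ticket, now):
    start, end = ticket
    return start <= now < end


def access_check(tickets, spn, now, dc_reachable):
    """Decide whether a client can authenticate to `spn` at time `now`.

    Returns (allowed, reason, seconds_left): seconds_left is how long the
    existing service ticket remains valid, or None when a new ticket would be
    issued instead. The order mirrors the client: reuse a valid service
    ticket; otherwise ask a DC (with the TGT if it is still valid, else by
    re-authenticating); with no DC there is nothing left to present.
    """
    now_dt = datetime.strptime(now, TIME_FMT)
    ticket = tickets.get(spn)
    if ticket and _valid(ticket, now_dt):
        return True, "existing service ticket", int((ticket[1] - now_dt).total_seconds())
    if dc_reachable:
        tgt = next((t for n, t in tickets.items() if n.startswith("krbtgt/")), None)
        if tgt and _valid(tgt, now_dt):
            return True, "new service ticket via TGT", None
        return True, "new TGT then service ticket (re-authentication)", None
    return False, "no valid ticket for this service and no DC to issue one", None


def remaining_by_service(tickets, now):
    """Seconds of validity left per service ticket (TGT excluded), floored at 0."""
    now_dt = datetime.strptime(now, TIME_FMT)
    return {spn: max(0, int((end - now_dt).total_seconds()))
            for spn, (_start, end) in tickets.items() if not spn.startswith("krbtgt/")}


if __name__ == "__main__":
    cache = parse_klist(KLIST_OUTPUT)
    for when in ("11/30/2004 17:00:00", "11/30/2004 19:00:00"):
        print(when, "no DC:", access_check(cache, "cifs/fs01.corp.example", when, False))
    print("cached-credentials logon, no DC:",
          access_check(parse_klist(""), "cifs/fs01.corp.example", "11/30/2004 17:00:00", False))
```

With the constructed cache, the file server is still reachable at 17:00 without a DC (the service ticket has 65 minutes left) and not at 19:00; an empty cache is refused outright. One caveat on the NTLM question: NTLM validation of a domain account is passed through by the file server to a DC over its secure channel, so it also depends on a DC being reachable.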


RE: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome

2004-11-07 Thread Ken Schaefer
The same thing is in the Windows 2003 Deployment Kit:

http://tinyurl.com/6qlkh
Establishing Group Policy Operational Guidelines


Do not modify the default domain policy or default domain controller policy
unless necessary. Instead, create a new GPO at the domain level and set it to
override the default settings in the default policies.


Whether or not it's worth following is another issue that I'd rather not buy
into :-) however there was a question in the 294 exam that asked about this,
so the official MCP way is as written

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
: Sent: Monday, 8 November 2004 3:44 AM
: To: [EMAIL PROTECTED]
: Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
: Logon Welcome
: 
: Hmm... That is the recommended best practice for modifying the default
: Software Restriction Policy.
: 
: 
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of ASB
: Sent: Sunday, November 07, 2004 11:31 AM
: To: [EMAIL PROTECTED]
: Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows
: Logon Welcome
: 
: Recommended Best Practices from Microsoft:
: 
: http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us/srp_bp.asp
: 
: --
: Do not modify the default domain policy.
: 
: If you do not edit the default domain policy, you always have
: the option of reapplying the default domain policy if something goes
: wrong with your customized domain policy.
: -
: 
: 
: 
: -ASB


Re: [ActiveDir] IIS 6.0 AGAIN...

2004-10-21 Thread Ken Schaefer
Is anything else listening on port 80?

(you can use this app from sysinternals to check:
http://www.sysinternals.com/ntw2k/source/tcpview.shtml)

Cheers
Ken

- Original Message - 
From: "Za Vue" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 21, 2004 10:46 PM
Subject: RE: [ActiveDir] IIS 6.0 AGAIN...


: NO I forgot to mention in my previous posts that I am only running FTP, port
: 21 and the main web site on port 80.
:
: Thanks,
: -Z.V
:
:
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
: Sent: Wednesday, October 20, 2004 11:39 PM
: To: [EMAIL PROTECTED]
: Subject: Re: [ActiveDir] IIS 6.0 AGAIN...
:
: a) Are you running multiple applications listening on port 80 (eg if you
: have multiple IP addresses, and are running multiple webservers)
:
: b) Check your web site identities - you could have a conflicting set of web
: site identities (each active website must have its own, unique, web site
: identity. A website identity consists of an IP address, TCP port and
: optional host-header name)
:
: Cheers
: Ken
:
: - Original Message - 
: From: "Za Vue" <[EMAIL PROTECTED]>
: Subject: [ActiveDir] IIS 6.0 AGAIN...
:
:
:: Hi all. Has anyone seen the error below? I am running IIS 6.0 on a Windows
:: 2003 server. Every time this error comes up, my website asks for a username
:: and password. I restart IIS services and things are fine afterward.
::
:: Event Type: Error
:: Event Source: W3SVC
:: Event Category: None
:: Event ID: 1007
:: Date: 10/19/2004
:: Time: 3:59:49 PM
:: User: N/A
:: Computer: WebServer
:: Description:
:: Cannot register the URL prefix 'http://*:80/' for site '1'. The necessary
:: network binding may already be in use. The site has been deactivated.



Re: [ActiveDir] IIS 6.0 AGAIN...

2004-10-20 Thread Ken Schaefer
a) Are you running multiple applications listening on port 80 (eg if you 
have multiple IP addresses, and are running multiple webservers)

b) Check your web site identities - you could have a conflicting set of web 
site identities (each active website must have its own, unique, web site 
identity. A website identity consists of an IP address, TCP port and 
optional host-header name)

Cheers
Ken

- Original Message - 
From: "Za Vue" <[EMAIL PROTECTED]>
Subject: [ActiveDir] IIS 6.0 AGAIN...


: Hi all. Has anyone seen the error below? I am running IIS 6.0 on a Windows
: 2003 server. Every time this error comes up, my website asks for a username
: and password. I restart IIS services and things are fine afterward.
:
: Event Type: Error
: Event Source: W3SVC
: Event Category: None
: Event ID: 1007
: Date: 10/19/2004
: Time: 3:59:49 PM
: User: N/A
: Computer: WebServer
: Description:
: Cannot register the URL prefix 'http://*:80/' for site '1'. The necessary
: network binding may already be in use. The site has been deactivated.

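
Ken's two checks above (another process on port 80, and two sites sharing one web site identity) are easy to get wrong by eye on a server with many sites, so here is an added example that does them over a site list. It is not code from the thread or from IIS; SITES and LISTENERS are constructed for the example (on a real server they would come from IIS Manager and from netstat or TcpView), and the site and process names are made up. The rule that only an identical IP/port/host-header triple is a duplicate reflects how IIS routes sites sharing an ip:port by host header; the overlap rule for external listeners is a deliberately conservative assumption of this script.

```python
"""Check IIS web site identities for the two overlaps behind W3SVC event 1007.

Added example, not code from the ActiveDir thread or from IIS. It models the
two checks Ken suggests: (a) another application already listening on the
site's port, and (b) two active sites sharing one web site identity (IP
address, TCP port, optional host header). SITES and LISTENERS are constructed
for the example; site and process names are made up.
"""
from collections import defaultdict

# Constructed site identities: (site name, ip, port, host header).
# ip "*" is IIS's "All Unassigned"; an empty host header means none.
SITES = [
    ("Default Web Site", "*", 80, ""),
    ("Intranet", "*", 80, "intranet.example.local"),
    ("Extranet", "10.0.0.5", 80, ""),
    ("Marketing", "*", 80, ""),  # same identity as Default Web Site
    ("Default FTP Site", "*", 21, ""),
]

# Constructed non-IIS listeners: (process, local ip, port); "0.0.0.0" = all addresses.
LISTENERS = [
    ("apache.exe", "0.0.0.0", 80),
    ("lsass.exe", "0.0.0.0", 389),
]


def duplicate_identities(sites):
    """Return {(ip, port, host): [site names]} for identities used by more than one site.

    IIS routes requests arriving on one ip:port between sites by host header,
    so two sites clash only when all three parts match (host header compared
    case-insensitively). The loser of the clash is the site IIS deactivates
    with event 1007.
    """
    by_identity = defaultdict(list)
    for name, ip, port, host in sites:
        by_identity[(ip, port, host.lower())].append(name)
    return {k: v for k, v in by_identity.items() if len(v) > 1}


def port_clashes(sites, listeners):
    """Return [(site name, process)] for sites whose endpoint another process holds.

    Modelling assumption: a listener on 0.0.0.0 covers every address, and a
    site on All Unassigned ("*") wants every address, so either overlaps the
    other; otherwise the addresses must match exactly. This is deliberately
    conservative: it flags what to look at in TcpView, not certain failure.
    """
    clashes = []
    for name, ip, port, _host in sites:
        for proc, l_ip, l_port in listeners:
            if l_port == port and (l_ip == "0.0.0.0" or ip == "*" or l_ip == ip):
                clashes.append((name, proc))
    return clashes


def report(sites, listeners):
    """Human-readable findings, one per line."""
    lines = []
    for (ip, port, host), names in duplicate_identities(sites).items():
        ident = f"{ip}:{port}" + (f" host={host}" if host else "")
        lines.append(f"duplicate identity {ident}: {', '.join(names)}")
    for name, proc in port_clashes(sites, listeners):
        lines.append(f"site '{name}' port already used by {proc}")
    return lines


if __name__ == "__main__":
    for line in report(SITES, LISTENERS) or ["no conflicts found"]:
        print(line)
```

On the constructed input the report names "Marketing" as a duplicate of the Default Web Site and flags every port-80 site against apache.exe; the Intranet site is not a duplicate because its host header distinguishes it, which is exactly the case an identity-by-identity comparison in IIS Manager tends to miss.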


RE: [ActiveDir] IIS and Scripting Question

2004-09-01 Thread Ken Schaefer
Can I get a quick clarification here:
a) Provisioning application runs on ServerA (which is part of a domain)
b) Webserver (serverB) is standalone (not in the domain)
c) Provisioning app (on ServerA) needs to create folders and/or files on ServerB

Question: Is the Provisioning App itself running on IIS? (ie IIS is also running on 
ServerA, and the provisioning app is web based). If so, then you could make use of 
IIS' pass-through UNC authentication system. 

Create two accounts with the same name: one on serverA, and one on serverB. In IIS 
Manager on ServerA, add a virtual directory that points to a share on ServerB. When 
asked what credentials to use, enter ServerB\AccountYouJustCreated and corresponding 
password. IIS will use this account when connecting to the remote share.

Whether you want to do this or not is another question :-)

HTH

Cheers
Ken


  Original Message 
> From: "Michael B. Smith" <[EMAIL PROTECTED]>
> Sent: Wednesday, September 01, 2004 3:37 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] IIS and Scripting Question
> 
> That would work if the web server were a member server, but not as a
> standalone server. You can't add accounts from another server to the
> ACLs on a standalone server.
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J
> Contr InDyne/Enterprise IT
> Sent: Wednesday, September 01, 2004 4:30 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] IIS and Scripting Question
> 
>  
> 
> I don't know if this would work, but...
> 
> Add the share on your data server to the website as a virtual directory.
> Then, add your web server's computer account or the IIS account with the
> access that the app needs to your data servers share.  I'm not sure
> which would be needed to work.
> 
> You could then use whatever your accounting mechanism is on the web
> server to control access to the share.
> 
>  
> 
> Dave
> 
>  
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
> Smith
> Sent: Wednesday, September 01, 2004 11:03 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] IIS and Scripting Question
> 
> No, the provisioning application needs to be able to create a folder and
> a file within that folder and assign rights.
> 
>  
> 
> It can't be a part of the domain (our policy is that shared hosting
> servers (excepting our Exchange hosting servers, which have their own
> domain) are standalone).
> 
>  
> 
> Thanks for the thought.
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Wednesday, September 01, 2004 1:53 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] IIS and Scripting Question
> 
> So really the rights you need are the ability to open a file on a file
> share you have rights to?  Is it possible to make it part of the domain?
> You could use the machine account or the IIS account then.  If not, then
> the trick here is to allow file system access to the application (the
> user-context of the application really). 
> 
>  
> 
> Would that work?
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
> Smith
> Sent: Wednesday, September 01, 2004 1:48 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] IIS and Scripting Question
> 
> I have a provisioning application that runs on a domain member that
> needs administrative access to a standalone server.
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Wednesday, September 01, 2004 1:27 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] IIS and Scripting Question
> 
> Credentials other than the ones that IIS is running under?
> 
>  
> 
> Personally, I haven't seen a way to do that and wonder why you would
> want to do it that way?
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
> Smith
> Sent: Wednesday, September 01, 2004 9:33 AM
> Subject: [ActiveDir] IIS and Scripting Question
> 
> Is there any way to create a FileSystemObject with alternate
> credentials, similar to what I can do with OpenDSObject for an ASP web
> page?
> 
>  
> 
> Thanks,
> 
> M 





RE: [ActiveDir] OT: IISadmpwd security vulnerability???

2004-08-17 Thread Ken Schaefer
Hi,

IIRC the ISAPI extension that was used to provide this functionality originally had 
various buffer overflow issues.

I would check this out:
http://support.microsoft.com/?id=331834
Change password functionality replaced with Active Server Pages

Also this:
http://support.microsoft.com/?id=833734
FIX: You experience various problems when you use the Password Change pages in IIS 6.0

HTH

Cheers
Ken


Original Message:
>From: "Mulnick, Al" <[EMAIL PROTECTED]>
>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: RE: [ActiveDir] OT: IISadmpwd security vulnerability???
>Date: Tue, 17 Aug 2004 13:20:49 -0400

>What vulnerabilities were they specifically worried about?  There were many
>changes made in IIS6.0 that were meant to address security concerns but
>without knowing what they're concerned about specifically it can be tough to
>help out.
> 
>Al
>
>
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
>Sent: Tuesday, August 17, 2004 11:29 AM
>To: [EMAIL PROTECTED]
>Subject: [ActiveDir] OT: IISadmpwd security vulnerability???
>
>
>I know this is off topic, but this does pertain to AD authentication. I know
>there were serious vulnerabilities in IIS4/5 for IISadmpwd, but was
>wondering if the same is true for IIS 6.0? There are some folks over here
>that are worried about doing anything with IIS. 





Re: [ActiveDir] Any way out of this mess?

2004-07-27 Thread Ken Schaefer
Hmmm, my MCSE study guide says to login using Safe Mode to get around GPOs
that stop interactive logons (I only remember this because it's not
something I've heard/seen mentioned before). I assume that's not a goer
then?

Cheers
Ken

- Original Message - 
From: "Aaron Visser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 27, 2004 8:34 AM
Subject: Re: [ActiveDir] Any way out of this mess?


: On 7/26/04 1:40 PM, "Brian Desmond" <[EMAIL PROTECTED]> wrote:
:
: > If you can log onto one of the machines as a domain admin (using cached
: > credentials), you may be able to remotely reconfigure each machine. That's a
: > long shot.
: >
: > Otherwise you'll need to restore a DC from your old domain from backup and
: > make the policy change, and so on and so forth. Might want to check out the
: > ADMT tool next go-around. :)
: >
: > --Brian Desmond
: > [EMAIL PROTECTED]
: > Payton on the Web! Http://www.wpcp.org
: >
: > v: 773.534.0034 x135
: > f: 773.534.0035
: >
: >
: >
: > -Original Message-
: > From: Aaron Visser [mailto:[EMAIL PROTECTED]
: > Sent: Monday, July 26, 2004 3:29 PM
: > To: [EMAIL PROTECTED]
: > Subject: [ActiveDir] Any way out of this mess?
: >
: > I have just rebuilt our Servers with Server 2003 (a fresh install). All the
: > new users are created, all the new groups done, new GPOs etc etc etc. The big
: > mistake I made was not removing the clients from the old Domain before I
: > blew it away (I thought I could just login as local admin and leave the old
: > Domain and reboot and join the new one). Well that would have worked real
: > well if only I had known that the old Domain had a GPO that disallowed even
: > the Local Admin to logon interactively to the computers. So now when I try
: > to login to the Local admin account on the workstations that no longer have
: > a valid domain membership I get 'the local policy of this system does not
: > permit you to logon interactively' message and I cannot logon.
: >
: > Anything I can do to allow me to logon or remove the account from the old
: > domain? All I can think of right now is reinstalling the OS on the
: > workstations but then I would have to reconfigure all the programs etc for
: > every station (not liking that option)  :(
: >
: > Thanks,
: > Aaron
: >
: Well this seems to be working (Cached Credentials) (Thanks Brian) :) The
: only problem I face now is I have not been to every workstation and logged
: in as admin since I have been here and I have no idea what the old admin
: passwords are; let's just hope I don't run into too many of those computers.
: Also I do have access to the Admin share on these computers via the local
: network so I will be trying out Alex's idea for those ones that I am unable
: to access the cached info. :)
:
: Thanks to all, wish it was Friday,
:
: Aaron



Re: [ActiveDir] OT: Exchange 2003 SP1

2004-05-25 Thread Ken Schaefer
Also continuing the OT note, it seems that the long-awaited server-side spam
filtering system (IMF) is available too:
http://www.microsoft.com/exchange/downloads/2003/imf/default.asp

Apologies if this has already been posted.

Cheers
Ken

~~
From: "Tony Murray" <[EMAIL PROTECTED]>
Subject: [ActiveDir] OT: Exchange 2003 SP1


: Is now out.
:
: http://tinyurl.com/35ddy
:
: Tony

~~



Re: [ActiveDir] SUS 2.0 Beta

2004-04-14 Thread Ken Schaefer
It is a closed beta at this stage. I spoke to some of the WUS people, and
they said that until they had finalised and filed some patent applications,
there were legal reasons they couldn't take on more than "x" people.

Cheers
Ken

~~
From: "Robbie Foust" <[EMAIL PROTECTED]>
Subject: Re: [ActiveDir] SUS 2.0 Beta


: Looks like you can sign up for the open evaluation version here:
:
: http://www.microsoft.com/windowsserversystem/sus/wusbeta.mspx
:
: But I haven't been able to locate the beta version yet.  Haven't found a
: Guest ID yet either.
:
: - Robbie
:
: Robbie Foust, IT Analyst
: Systems and Core Services
: Duke University
:
:
:
:
: England, Christopher M wrote:
:
: > Greetings,
: >
: > I guess SUS 2.0 Beta has been released:
: > _http://www.nwc.com/showitem.jhtml?articleID=18400592_ Does anyone
: > have a Guest ID to get in on the Beta? Or is there just a download
: > somewhere?



Re: [ActiveDir] One computer is fine, one has "can't find domain controller" errors

2003-10-19 Thread Ken Schaefer
I agree with Joe.

Bill - you've posted no data that you managed to collect from attempting to
troubleshoot this problem, so on what basis can you conclude (or expect us
to believe) that "it's definitely a bug in WinXP"?

We've got plenty of WinXP machines that we've either Ghosted or Sysprepped,
and then added to a domain. On some occasions it doesn't take, but removing
the machine, deleting the machine account in AD, and re-adding the machine
usually fixes things.

Cheers
Ken

- Original Message - 
From: "Joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, October 19, 2003 11:55 PM
Subject: RE: [ActiveDir] One computer is fine, one has "can't find domain
controller" errors


Just for an alternate viewpoint, we have tens of thousands of XP machines
that are staged in workgroup mode and added to the domain after the fact via
script. We don't see these issues.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Sunday, October 19, 2003 9:39 AM
To: [EMAIL PROTECTED]

roseta wrote:

This actually seems very similar, since the machine that has the errors was
originally part of a workgroup, then joined to the domain, whereas the one
that doesn't produce errors was never part of a workgroup.

This definitely appears to be a bug in Windows XP.  We have all available
Windows updates installed, so it's apparently still a bug.

Thanks for the input.  I'm going to try to find time/resources to do an
actual test on this and prove/disprove this theory.


