RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Kevin Brunson
I don't know how AD would handle it.  However, if someone else chimes in
with "That will blow everything up!" then it seems like maybe you could
go with /19 or /20 networks at the primary site in AD and then manually
add any of the other ones that don't fit nicely.  Maybe that could save
you some work??

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

 

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary
site, and another subnet as 10.10.41.0/24 and assign it to a secondary
site. Will AD treat a client address of, say, 10.10.41.104 as a client
on the secondary site, or will it default to the more general primary
subnet? The reason I ask is we now have a need for a second AD site (I
can see all the enterprise folks grinning now) and we have quite a
number of other subnets that I'd have to manually enter if this is not
the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
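Added example, not part of the original thread: Active Directory matches a client address against subnet objects by the most specific (longest) prefix, so 10.10.41.104 resolves to the /24's site rather than the /16 catch-all. The sketch below models that lookup offline with Python's ipaddress module and lists which narrow subnets override a broader one; the site names Primary and Secondary and all function names are assumptions.

```python
import ipaddress

# Constructed subnet objects from the question; the site names are hypothetical.
SUBNET_SITES = {
    "10.10.0.0/16": "Primary",     # broad catch-all for the main site
    "10.10.41.0/24": "Secondary",  # narrower range carved out for the new site
}


def build_table(subnet_sites):
    """Parse CIDR strings into network objects, rejecting malformed entries."""
    table = {}
    for cidr, site in subnet_sites.items():
        # strict=True raises ValueError when host bits are set (e.g. 10.10.41.5/24)
        net = ipaddress.ip_network(cidr, strict=True)
        if net in table and table[net] != site:
            raise ValueError(f"{net} is assigned to both {table[net]} and {site}")
        table[net] = site
    return table


def site_for(address, table):
    """Return (site, matched_subnet) by longest-prefix match, or (None, None)."""
    ip = ipaddress.ip_address(address)
    matches = [net for net in table if net.version == ip.version and ip in net]
    if not matches:
        # No subnet object covers this client at all.
        return None, None
    best = max(matches, key=lambda net: net.prefixlen)
    return table[best], str(best)


def overrides(table):
    """List narrower subnets that pull addresses away from a broader subnet's site."""
    found = []
    for narrow in table:
        for broad in table:
            if (narrow.version == broad.version
                    and narrow.prefixlen > broad.prefixlen
                    and narrow.subnet_of(broad)
                    and table[narrow] != table[broad]):
                found.append((str(narrow), table[narrow], str(broad), table[broad]))
    return sorted(found)


if __name__ == "__main__":
    table = build_table(SUBNET_SITES)
    for client in ("10.10.41.104", "10.10.40.7", "192.168.1.20"):
        site, subnet = site_for(client, table)
        print(f"{client:15} -> site={site} via {subnet}")
    for narrow, nsite, broad, bsite in overrides(table):
        print(f"{narrow} ({nsite}) overrides {broad} ({bsite})")
```

Running the override report before adding a catch-all subnet shows exactly which ranges will keep mapping to another site.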



RE: [ActiveDir] OT: Network latency on VBScript-mapped drive letters.

2007-01-23 Thread Kevin Brunson
I saw something similar using kixtart-mapped drive letters a few months
ago.  The only thing affected seemed to be Office products and IE.  The
knowledge base described it as unable to browse the network, but I
certainly saw it as ranging from severe latency to complete inability to
browse the network or file shares.

Cut and paste from an email I sent at the time:
"MS06-015 along with certain HP products can cause some conflicts.
Side-effects include program freezes, an inability to follow a link you
type into Internet Explorer, inability to open or save files in Office
applications, inability to click the + sign while browsing My Documents
or My Pictures." 

Also see http://support.microsoft.com/?kbid=918165

Of course this may or may not be the problem, but it is the only thing I
have ever seen like what you are describing.

Hope it helps
Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Tuesday, January 23, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Network latency on VBScript-mapped drive
letters.

So I have a VBScript that I use to map a network drive to a DFS share,
as follows:

strDriveLetter  = "S:"
strBaseDrivePath = "\"
Set objNetwork  = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive strDriveLetter, strBaseDrivePath
set objNetwork  = nothing

When I map the DFS root using a drive letter using this code in a
login script, I get isolated-but-consistent client reports of network
latency when opening or saving a file; Word/Excel/whatever will choke
up for a good 5 or 6 seconds at a time.

If I disconnect the script-mapped drive and access this resource from
the same machine using any other method:

* map the drive using the GUI,
* map the drive from the CLI using 'net use', or
* manually enter the UNC path from the Run line

...all latency goes away.  It's not OS-specific as far as I can tell;
the machines currently reporting the latency are a handful of XPSP2
and 2KSP4 machines that don't have much else unique in common.

I've determined that it's not specifically DFS-related, as I've tested
mapping directly to the physical servername instead of the DFS
sharename and produced identical results.

Neither is it relevant that the script is being run as part of a login
script/GPO, as running the script manually from an affected desktop
also produces the same behaviour.

So it's either a VBScript thing, or it's something client-specific
that I haven't isolated on the half-dozen desktops that are
experiencing the issue.

Google has thus far yielded no joy, has anyone run into this before?

-- 
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Cookbook, Second Edition_
(http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] Unsubing

2007-01-19 Thread Kevin Brunson
OS X?  You've been cheating on us with that %&#(! ?

I don't know what's so special about her  I mean, after all the
plastic surgery she's nothing but UNIX.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, January 19, 2007 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: Unsubing

 

Sorry to send this to the list, but I can't find the address to
unsubscribe. Can anyone help me out?

 

As much as I love you all, my recent affair with Apple OS X has left me
realising that  our love is just a sham and that other delights await
me.

Big up'.

Olly

www.g2support.com/backups



RE: [ActiveDir] Who needs that much ram anyway?

2007-01-16 Thread Kevin Brunson
Sorry, that was supposed to say NOT required

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, January 16, 2007 4:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Who needs that much ram anyway?

Judging by the Exchange 2007 Microsoft Across America Launch Event that
I attended this morning, Exchange 2007 has no limits period.  If you
want it to block spam, it blocks spam.  If you want it to run with a
2000TB store on Standard, it will do it.  If you want it to cook you
breakfast, that might require the /baconandeggs switch, but it should be
able to do that as well.  The /baconandeggs switch might be
undocumented...

Seriously though, I know PAE is not supported on 64-bit, and I think I
remember reading that /3GB is required on 64-bit OS

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Tuesday, January 16, 2007 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who needs that much ram anyway?

What about the 3Gb switch in the boot.ini that is required to take
advantage of the additional memory.
Also depending on the age of the server and CPU, you may also need a
PAE / AWE switch.
http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and
require a 64 bit version of Windows 2003 or Longhorn, I am not sure if
the switch will be required, anyone else know?

Jose


- Original Message - 
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" 
<[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?


> Personally I was surprised that a Windows 2003 server and Exchange 2007
> would need a patch to run more than 4 gigs because
> "This problem occurs because of a problem in the Windows kernel"
>
> Seems to me in the x64 era, we're all going to be running more than 4 gigs
> so they should bundle this up in the Exchange 2007 installer from the get
> go rather than having everyone stumble across a KB article.
>
> I'm assuming it's discussed in the readme that no one reads?
>
>
> Brian Desmond wrote:
>> The more you can get in memory, the better. 32GB is the threshold for
>> Exchange before it stops making sense.
>>
>> I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
>> ram before...
>>
>> Thanks,
>> Brian Desmond
>> [EMAIL PROTECTED]
>>
>> c - 312.731.3132
>>
>>
>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:ActiveDir-
>>> [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
>>> SBS Rocks [MVP]
>>> Sent: Tuesday, January 16, 2007 4:01 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: [ActiveDir] OT: Who needs that much ram anyway?
>>>
>>>
>>>   The Microsoft Exchange Information Store service stops responding on a
>>>   computer that is running Windows Server 2003 and Exchange Server 2007
>>>
>>> http://support.microsoft.com/?kbid=928368
>>>
>>> This problem occurs if Exchange Server 2007 is installed on a computer
>>> that has more than 4 gigabytes (GB) of RAM.
>>>
>>
>>
>
> -- 
> Letting your vendors set your risk analysis these days? 
> http://www.threatcode.com
>
> If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
> will hunt you down...
> http://blogs.technet.com/sbs
>


RE: [ActiveDir] Who needs that much ram anyway?

2007-01-16 Thread Kevin Brunson
Judging by the Exchange 2007 Microsoft Across America Launch Event that
I attended this morning, Exchange 2007 has no limits period.  If you
want it to block spam, it blocks spam.  If you want it to run with a
2000TB store on Standard, it will do it.  If you want it to cook you
breakfast, that might require the /baconandeggs switch, but it should be
able to do that as well.  The /baconandeggs switch might be
undocumented...

Seriously though, I know PAE is not supported on 64-bit, and I think I
remember reading that /3GB is required on 64-bit OS

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Tuesday, January 16, 2007 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who needs that much ram anyway?

What about the 3Gb switch in the boot.ini that is required to take
advantage of the additional memory.
Also depending on the age of the server and CPU, you may also need a
PAE / AWE switch.
http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and
require a 64 bit version of Windows 2003 or Longhorn, I am not sure if
the switch will be required, anyone else know?

Jose


- Original Message - 
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" 
<[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?


> Personally I was surprised that a Windows 2003 server and Exchange 2007
> would need a patch to run more than 4 gigs because
> "This problem occurs because of a problem in the Windows kernel"
>
> Seems to me in the x64 era, we're all going to be running more than 4 gigs
> so they should bundle this up in the Exchange 2007 installer from the get
> go rather than having everyone stumble across a KB article.
>
> I'm assuming it's discussed in the readme that no one reads?
>
>
> Brian Desmond wrote:
>> The more you can get in memory, the better. 32GB is the threshold for
>> Exchange before it stops making sense.
>>
>> I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
>> ram before...
>>
>> Thanks,
>> Brian Desmond
>> [EMAIL PROTECTED]
>>
>> c - 312.731.3132
>>
>>
>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:ActiveDir-
>>> [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
>>> SBS Rocks [MVP]
>>> Sent: Tuesday, January 16, 2007 4:01 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: [ActiveDir] OT: Who needs that much ram anyway?
>>>
>>>
>>>   The Microsoft Exchange Information Store service stops responding on a
>>>   computer that is running Windows Server 2003 and Exchange Server 2007
>>>
>>> http://support.microsoft.com/?kbid=928368
>>>
>>> This problem occurs if Exchange Server 2007 is installed on a computer
>>> that has more than 4 gigabytes (GB) of RAM.
>>>
>>
>>
>
> -- 
> Letting your vendors set your risk analysis these days? 
> http://www.threatcode.com
>
> If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
> will hunt you down...
> http://blogs.technet.com/sbs
>


RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-15 Thread Kevin Brunson
The problem with Broadcom NICs is not typically the hardware.  The
Broadcom drivers are absolutely horrible.  In particular the "Windows
Certified" drivers that shipped with 2003.  I have seen large file
copies using the native Windows driver move faster across 100BT than
gigabit Broadcom.  In fact, sometimes file copies on Broadcoms just
never end.  After a few minutes of copying, the ETA starts rising.
After a few minutes it has gone from 3 minutes to 812578990 minutes, at
which point the server bogs down.  I won't tell you not to use
Broadcoms, although I will tell you not to rely on the HP drivers.  Get
the most current driver directly from Broadcom's website, and test it
thoroughly before rolling it into production.  

I have also seen some Broadcom drivers that take too long to initialize
during the boot process.  Because the NIC is not up during the boot
process, the policies don't get applied.  By the time you get a logon
box, the NIC is finished.  That problem was resolved by replacing the
NIC or updating the Broadcom driver, depending on whether the individual
client wanted a long-term solution or a quick fix with the understanding
that other problems could pop up.

Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 2:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

After some investigating I am apparently running the latest drivers for
my NICs.  The only updated files since 2.8.13.0 are for things like
iSCSI which I do not use.  I wish driver numbers would correspond
though.  So now that I know I'm running the latest version I'm stumped.
Disabling slow link detection fixes the userenv errors but I still need
the fix for that to carry over to my TS users on that server.  And of
course this doesn't fix the root cause which forces me to disable the
slow link detection either.

Donavon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

I'm not about to give up on the Broadcom NICs as this is a brand new
server that cost as much as a Honda Accord.  I'm not sure I can believe
that HP would put a defective card in such a machine.  You'd think
others would have the same issues in mass quantity if that were the
case.  I'm also using Broadcoms in other HP servers here (including the
two DCs) and they have not had any issues.  It is all too easy to chalk
up a problem like this to network cards, but I don't think it explains
why the GPO is applied successfully without issues within the first 15
minutes or so after a reboot.  There are no other problems cropping up
from these Broadcoms either.

Now for a question, how do I disable slow link detection for all
terminal service users on this problem server since that seems to have
fixed the issue?  I need to make the change in the registry on the
problem server apparently as making the switch in the GPO itself seems
to not have any effect.

Donavon 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Dump the broadcoms and get Intel.
http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network-cards-are-evil.aspx

We've had no end of weirdness with those suckers.
Even the latest drivers don't work.
Donavon Yelton wrote:
> Yes, these are Broadcom NICs.  I want to go back to the last question
> that was asked (if my network card drivers were up to date) and change
> my answer.  I had run the HP update package for the NC series cards in
> the server and it showed as updated (even if I run it at the moment it
> tells me that the drivers are up to date) with version 2.8.22.0.  The
> problem is that when I look at the actual driver version by going to
> the device manager and viewing properties it shows a version of
> 2.8.13.0.
>
> On that note, in looking back at HP's revision history for their
> driver for this card it has no mention of version 2.8.13.0 so is it
> possible that this is the driver that came with Windows?  If so, how
> can I go about getting rid of that driver and installing this new
> driver from HP?
> Updating the driver and choosing the new driver explicitly doesn't
> work and running HP's update package for the driver obviously fails to
> really update the driver.
>
> I can't say that this driver version is the root cause of the issue
> but I do need the drivers updated to have a place to start from.
>
> Susan, is there a known issue with Broadcoms that could possibly
> affect the problem I'm having?  Thanks for the assistance!

RE: [ActiveDir] R2 Schema

2007-01-12 Thread Kevin Brunson
There shouldn't be a problem with running the R2 schema in an SP1
network.  As to what that buys you, maybe someone else can address
that??  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, January 12, 2007 4:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in
our W2K3 SP1 environment.  The plan is to take advantage of the new DFS
extensions.

We don't have any plans to upgrade to R2 in the foreseeable future so
we'd basically be running W2K3 with the R2 schema for several months or
years.  Does anyone see any potential issues with that?


RE: [ActiveDir] Strange Lock Out Issue

2006-12-18 Thread Kevin Brunson
What client OS?

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, December 18, 2006 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange Lock Out Issue

 

I have a user, who is not logged in anywhere else, and while surfing the
web or accessing a program is getting locked out of her account for no
reason.  I have checked the logs on all three domain controllers and
nothing is showing a failed logon attempt or bad password.  It doesn't
even show when the account got locked.  Any ideas on how to rectify
this?

 

Justin A. Salandra

MCSE Windows 2000 & 2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED]  

 



RE: [ActiveDir] OT: Replicating Print Queues To Multiple (40+) Servers via Script of Software?

2006-12-14 Thread Kevin Brunson
What about using the built-in Citrix printer tools?  Are you talking
about copying the printer drivers, or actually publishing printers?  
If you are talking about printer drivers so that remote printing works,
then the Citrix Console can do all that.  Put the driver on one, and
tell it that the rest of the servers need the driver too.

If you are saying you want to set up 40 network printers on 40 servers,
then I would say you need some servers specifically set up as print
servers, and then you can set users to connect to the shared printers
automatically.

Can you give us some more info on what exactly you are trying to do?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, December 14, 2006 3:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Replicating Print Queues To Multiple (40+)
Servers via Script of Software?

Does anyone know of any software or script that you would like to share
that performs this?

I have between 20 and 60 citrix servers per client, each printer is
published on each server.  When a change or addition is made to one
server, all of the others have to change as well.  Print Migrator is a
way, but very much a pain to use.  

Thanks in advance,

Andrew
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Pagefile not being seen?

2006-12-06 Thread Kevin Brunson
Check out this article for the Exchange memory settings.  There are a
few other tweaks in the registry.
http://support.microsoft.com/kb/815372

Do you have any third-party apps running on your Exchange servers?  I
have seen memory leaks in third-party apps cause this kind of virtual
memory issue.  
2K3 Standard does allow 4GB on a drive.  The way you have it set up with
2048 on two separate drives will give you a performance boost if they
are actually separate physical disks or RAID sets.  

I have typically heard 1.5 times physical for virtual, but I don't think
that is as much a best practice as a general rule of thumb.  Depending
on circumstances I have certainly set it lower or higher.  4 GB virtual
should certainly be enough.

Sorry for the random order of my answers.  I also have trouble following
directions and don't play well with others.

Hope this helps
Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Wednesday, December 06, 2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Pagefile not being seen?

Colleagues,

On two different Windows 2003 servers in as many weeks I have seen a
popup when I logged in that says "Your system is low on virtual memory.
Windows is increasing the size of your virtual memory paging file.
During this process, memory requests for some applications may be
denied."

On one server, I had 2048 pagefile on C. On the other, I had 4096
pagefile on C, but the note at the bottom of the screen showed only
2050. Both servers have 2Gb physical RAM, and both are Exchange 2003
servers. I have now put 2048 on C: and another 2048 on F: on both
servers.

So, I wonder if I have things set up right, so I have a few questions:

1. Isn't the pagefile limit in 2K3 Standard 4Gb per drive as I have
read? Or is it actually 2Gb per drive? 
2. With 2Gb physical RAM, isn't 4Gb pagefile the standard?
3. With the /3GB and /USERVA=3030 switches set, which is what I learned
to do in class, why do I still get the Event Log error message that says
"The memory settings for this server are not optimal for Exchange."?

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


RE: [ActiveDir] OT: Possessed PCs

2006-12-05 Thread Kevin Brunson
But I bet when you sit down in front of a computer, it knows it had
better behave :)

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Monday, December 04, 2006 8:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

 

The watch thing happened to me until the East Coast blackout of 2003. I
used to have baskets of dead watches. Since the blackout, I've been able
to wear watches. They still die a lot faster than they do on other
people if they're battery-powered, but at least I can wear 'em now. I
also beta tested a watch for Timex (I kid you not; who knew they beta
test watches, anyway?) that had a battery that was supposed to be
guaranteed to last three years. It made it nine months on me, which is a
personal record. 

 

I also have street light, um, issues. However, I have never been
kidnapped by aliens. Born of them, perhaps, but not kidnapped by any.
:-)

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Guest
Sent: Monday, December 04, 2006 5:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

Your father is probably mild

 

http://amasci.com/weird/unusual/zap.html these guys (if you
believe them) have real problems.

 

Mike Guest
IT Solutions
HML
Padiham DDI: +44 (0)1282 682550 
Internal Extension: (61) 2550





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: 01 December 2006 23:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

 


Happens with my father and watches as well. The man cannot wear
a watch without it dying within weeks. But that's another story. If you
can isolate the symptoms to time of day or even the remote chance it's a
bad ballast (fluorescent lighting used to cause occasional problems with
old CRTs), etc. At least you can start to whittle things down a bit. But
in this case it sounds like RF overlap. Perhaps there is one mouse that
is emitting too strong a signal. 

I was a bit thrown this morning though when I thought I read
that this was happening with corded devices as well. 



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275






RE: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?

2006-12-05 Thread Kevin Brunson
I know there are a bunch of "exchange clones" out there, but I have yet
to come across one I would recommend.  That doesn't mean there is not
one out there.  If all you want to use it for is a shared calendar, you
may want to check out a company called softalk.
http://www.softalkltd.com 
They have several programs that do this kind of thing.  Honestly I
wouldn't use them as an email server, but if you want to use it for
Outlook synchronization and shared calendars, it does a pretty good job.
I think it only runs on Windows.  It uses an Outlook plugin, so no
messy webapps, and if you don't use it for processing email you wouldn't
have to mess with your current email setup at all (which again I highly
recommend if you use this product).  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: Tuesday, December 05, 2006 4:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange?
Tips/Suggestions/Recommedations?

Hi!

Sorry if this question is a bit off-topic to the list, but I've seen
some Exchange-related questions here, so I know there is Exchange
expertise hanging around ;) and I didn't know where to ask; please
feel free to point me to the proper forums (forii?) to ask in.

I am looking for a way to implement shared calendars "a la exchange"
(ie, they have to be "visible" and used from within Outlook 2003), but
without actually using/hosting an Exchange Server ourselves. The idea
is that people should be able to see/manage the calendar of the people
they manage, so free/busy info is not enough. And the "outlook"
requisite is a must (as my CEO put it yesterday: "I live within
Outlook; I don't want to meddle with web apps or the like")

I know that it's a bit odd of a requisite, but we are a small co. (~
40 employees) and the president feels that having to babysit a server
in-house is a bit of a needless burden.

At present we host our email / web presence / customer ticketing
system in a pair of VPS from Verio, so if the proposed solution could
run on top of FreeBSD it'd be a big plus ;)

Of course (now going for the "and ask about the KitchenSink" part ;)
if we could put it into place without having to tweak our email setup
that'd be wonderful!!.

We understand that we'd probably have to install some Outlook plugin,
so that's OK...

If there is no way to have the "Shared Calendar" feature as a
stand-alone service/server, I guess the next step would be to ask
those of you who know Exchange for an "exchange clone" that runs on
FreeBSD / Unix. Or last but not least, I guess that there must be
"hosted Exchange" providers out there that you can recommend. That'd
mean re-doing our mail system, but I guess that we could live with it,
if need be.

Thanks a lot for those of you who have read this far.

  Best Regards

  Javier Jarava
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] OT: Geeks on Thanksgiving

2006-12-01 Thread Kevin Brunson
I haven't gotten the nap thing down, but games and food are definitely
multi-threaded apps.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Friday, December 01, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Geeks on Thanksgiving

Well, yeah, but not when there's nummy food to be eaten, naps to be taken
and games to watch!

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Friday, December 01, 2006 10:03 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: RE: RE: [ActiveDir] Split pagefile
> 
> Hey, I thought you loved it when people got all geeky :)
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
> Robinson
> Sent: Thursday, November 30, 2006 6:39 PM
> To: ActiveDir@mail.activedir.org
> Subject: OT: RE: RE: [ActiveDir] Split pagefile
> 
> I was out eating turkey. You people were reading the list? 
> Dang, that's dedication! 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> Kevin Brunson
> > Sent: Thursday, November 30, 2006 5:22 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: RE: [ActiveDir] Split pagefile
> > 
> > I think Susan brought this up last week or so.  Here's the link she 
> > gave.  I can't find the original post
> > http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
> > Robinson
> > Sent: Thursday, November 30, 2006 2:21 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: OT: RE: [ActiveDir] Split pagefile
> > 
> > You know, you can actually do your own crashdump analysis. We even 
> > used to teach people how to do it back in the NT4 days.
> > I loved that class. :-D
> > 
> > Laura
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Don Hoehn
> > > Sent: Thursday, November 30, 2006 2:15 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Split pagefile
> > > 
> > > Hi,
> > >   Best practice used to be to put the pagefile on a
> > different BUS than
> > > the OS. The idea is that you can read/write to both the OS
> > and the PF
> > > at the same time. We always put the entire PF on a separate
> > bus/drive
> > > in it's own partition. That way you have the added speed of a bus 
> > > apart from the OS bus and a contiguous PF. We never 
> bothered with a
> > > C: swapfile because we could never afford to send the dump
> > to M$ for
> > > decryption. :-}
> > > 
> > > Don
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of 
> Ramon Linan
> > > Sent: Thursday, November 30, 2006 11:07 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Split pagefile
> > > 
> > > Hi,
> > > 
> > > I have an answer and a question about the same.
> > > 
> > > Most of my servers have 2 partition, one for the OS and the
> > other for
> > > data, I always put the pagefile in the data partition, so
> > yes, you can
> > > have the have the whole thing in a different partition or
> > hard drive.
> > > 
> > > Actually, Linux system always create a swap partition 
> just for that 
> > > purpose, so I wonder if it would be more efficient to
> > always create a
> > > partition just for the pagefile... Anyone knows?
> > > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Larry Wahlers
> > > Sent: Thursday, November 30, 2006 12:09 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Split pagefile
> > > 
> > > Sorry for the reply to my own post, but this article:
> > > 
> > > http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
> > > 
> > > says I can move the whole thing to a different partition. 
> > > I'll leave a meg on the C drive just for the dumpfile,
> > which we limit
> > > t

RE: [ActiveDir] Split pagefile

2006-12-01 Thread Kevin Brunson
If you can get to Computer Management, you could start the Telnet
service.  At that point, telnet to the server and do a shutdown /r.  And
I mean a standard telnet connection, not telnet to some fancy port.

I suspect you are having the dreaded "rdp doesn't work for some reason"
problem, which somehow clears itself up after a reboot most of the time.
I know this has been discussed on this board several times, but no one
has really come up with a solution from what I've seen, other than
reboot and see if it works. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Friday, December 01, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Laura,

Thanks ever so much for all your help. I will be trying some of these
things soon, but for now, I'm one of the over 400,000 people in St.
Louis without power. My workplace is closed, too, so I might end up
waiting it out 

One question, if you don't mind and have a minute: How do I reboot the
server if I can't log on?

Many thanks again.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Laura A. Robinson
> Sent: Thursday, November 30, 2006 8:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Split pagefile
> 
> Inline... 
> 
> 
> > 
> > Thanks for replying, Laura!
> 
> Sure thing. 
> 
> > 
> > You wrote:
> > > Are you able to connect to the server via Computer Management?
> > 
> > Yes.
> 
> Then you can use that to reconfigure the pagefile, making 
> very, very sure
> you click "Set". :-) After you've connected to it in CM, 
> right click the
> computer, choose "Properties", go to the Advanced tab, yada yada yada.
> > 
> > >If so, can you see the service statuses and event logs on 
> > the  server?
> > 
> > Yes. I looked all through the event logs, and didn't see 
> > anything relating to terminal services failures. And the 
> > terminal services service is started.
> 
> How about the security log? Are you seeing logon failures?
> > 
> > > Can you
> > > telnet to the RDP port? 
> > 
> > If you mean, can I telnet to the server by name or by its IP 
> > address, no. But yes, I can telnet to port 3389 on the 
> > server, and the cursor sits there and blinks at me, but as 
> > soon as I hit any key, I get back to my command prompt.
> 
> Okay, port's open.
> 
> > > Can you map a drive to a share on the server?
> > 
> > Yes. And, in fact, I have the same 2Gb pagefile on C: that I 
> > had before, and no pagefile on E: So, I'm thinking that A. I 
> > forgot to hit the set button, or B. The server got confused.
> 
> The snow might have made it sluggish. (That's a joke, folks.) 
> See above for
> remedy (hopefully).
> 
> > 
> > > When
> > > you say you can't log on, do you get the logon dialog box and a 
> > > failure to let you log on, or do you get no remote desktop 
> > UI at all?
> > 
> > No remote desktop UI at all. I immediately get the 
> > "disconnected from server" message.
> 
> Okay. Try logging on with a different account that has TS connection
> permissions. Check the security logs. If you're not auditing 
> logon events,
> you'll need to do that. Check the terminal services 
> permissions, etc. Maybe
> do a preemptive reboot (or just do it as part of that 
> pagefile adjustment)
> and see if anything changes. If none of that works, there's 
> still more stuff
> to check, but I'm tired of typing right now and hopefully one 
> of the above
> things will determine the issue.
> > 
> > > Laura (probably a bit overcaffeinated now; can you tell?)
> > 
> > No problem. I'm snowed in, but the server is running. 
> > 
> > I guess what I'd like to do is see if I can reset the 
> > pagefile and reboot the server, all remotely, and still 
> > manage to terminal service to it and log in.
> > 
> > Thanks for your help, Laura. You deserve many pats on the 
> > back, attagirls, and stuff.
> > 
> No problem, and no pats necessary.
> 
> Laura
> 
> -- 
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.5.430 / Virus Database: 268.15.2/559 - Release 
> Date: 11/30/2006
> 5:07 AM
>  
> 


RE: RE: RE: [ActiveDir] Split pagefile

2006-12-01 Thread Kevin Brunson
Hey, I thought you loved it when people got all geeky :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: OT: RE: RE: [ActiveDir] Split pagefile

I was out eating turkey. You people were reading the list? Dang, that's
dedication! 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, November 30, 2006 5:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: RE: [ActiveDir] Split pagefile
> 
> I think Susan brought this up last week or so.  Here's the 
> link she gave.  I can't find the original post
> http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
> Robinson
> Sent: Thursday, November 30, 2006 2:21 PM
> To: ActiveDir@mail.activedir.org
> Subject: OT: RE: [ActiveDir] Split pagefile
> 
> You know, you can actually do your own crashdump analysis. We 
> even used to teach people how to do it back in the NT4 days. 
> I loved that class. :-D 
> 
> Laura
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Don Hoehn
> > Sent: Thursday, November 30, 2006 2:15 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Split pagefile
> > 
> > Hi,
> > Best practice used to be to put the pagefile on a 
> different BUS than 
> > the OS. The idea is that you can read/write to both the OS 
> and the PF 
> > at the same time. We always put the entire PF on a separate 
> bus/drive 
> > in it's own partition. That way you have the added speed of a bus 
> > apart from the OS bus and a contiguous PF. We never bothered with a
> > C: swapfile because we could never afford to send the dump 
> to M$ for 
> > decryption. :-}
> > 
> > Don
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
> > Sent: Thursday, November 30, 2006 11:07 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Split pagefile
> > 
> > Hi,
> > 
> > I have an answer and a question about the same.
> > 
> > Most of my servers have 2 partition, one for the OS and the 
> other for 
> > data, I always put the pagefile in the data partition, so 
> yes, you can 
> > have the have the whole thing in a different partition or 
> hard drive.
> > 
> > Actually, Linux system always create a swap partition just for that 
> > purpose, so I wonder if it would be more efficient to 
> always create a 
> > partition just for the pagefile... Anyone knows?
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> Larry Wahlers
> > Sent: Thursday, November 30, 2006 12:09 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Split pagefile
> > 
> > Sorry for the reply to my own post, but this article:
> > 
> > http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
> > 
> > says I can move the whole thing to a different partition. 
> > I'll leave a meg on the C drive just for the dumpfile, 
> which we limit 
> > to 64K, in case the system crashes and I can actually 
> figure out how 
> > to read the dumpfile.
> > 
> > But, really, is it OK to leave absolutely NO pagefile on C:/? 
> > We normally leave at least 200Mb on the C: partition when 
> we move the 
> > rest to a different drive.
> > 
> > 
> > --
> > Larry Wahlers
> > Concordia Technologies
> > The Lutheran Church - Missouri Synod
> > mailto:[EMAIL PROTECTED]
> > direct office line: (314) 996-1876
> > 
> > 
> > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On
> > Behalf Of
> > > > Larry Wahlers
> > > > Sent: Thursday, November 30, 2006 9:55 AM
> > > > To: Exchange Discussions
> > > > Subject: Split pagefile
> > > > 
> > > > Colleagues,
> > > > 
> > > > Is there a best practice for splitting the pagefile on
> > Exchange 2003
> > > > across multiple drives? My C drive is up to nearly 9GB
> > used out of
> 

RE: RE: [ActiveDir] Split pagefile

2006-11-30 Thread Kevin Brunson
I think Susan brought this up last week or so.  Here's the link she
gave.  I can't find the original post
http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: OT: RE: [ActiveDir] Split pagefile

You know, you can actually do your own crashdump analysis. We even used
to teach people how to do it back in the NT4 days. I loved that class. :-D

Laura

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Don Hoehn
> Sent: Thursday, November 30, 2006 2:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Split pagefile
> 
> Hi,
>   Best practice used to be to put the pagefile on a 
> different BUS than the OS. The idea is that you can 
> read/write to both the OS and the PF at the same time. We 
> always put the entire PF on a separate bus/drive in it's own 
> partition. That way you have the added speed of a bus apart 
> from the OS bus and a contiguous PF. We never bothered with a 
> C: swapfile because we could never afford to send the dump to 
> M$ for decryption. :-}
> 
> Don
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
> Sent: Thursday, November 30, 2006 11:07 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Split pagefile
> 
> Hi, 
> 
> I have an answer and a question about the same.
> 
> Most of my servers have 2 partition, one for the OS and the 
> other for data, I always put the pagefile in the data 
> partition, so yes, you can have the have the whole thing in a 
> different partition or hard drive.
> 
> Actually, Linux system always create a swap partition just 
> for that purpose, so I wonder if it would be more efficient 
> to always create a partition just for the pagefile... Anyone knows?
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
> Sent: Thursday, November 30, 2006 12:09 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Split pagefile
> 
> Sorry for the reply to my own post, but this article:
> 
> http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
> 
> says I can move the whole thing to a different partition. 
> I'll leave a meg on the C drive just for the dumpfile, which 
> we limit to 64K, in case the system crashes and I can 
> actually figure out how to read the dumpfile.
> 
> But, really, is it OK to leave absolutely NO pagefile on C:/? 
> We normally leave at least 200Mb on the C: partition when we 
> move the rest to a different drive.
> 
> 
> --
> Larry Wahlers
> Concordia Technologies
> The Lutheran Church - Missouri Synod
> mailto:[EMAIL PROTECTED]
> direct office line: (314) 996-1876
> 
> 
> 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On 
> Behalf Of 
> > > Larry Wahlers
> > > Sent: Thursday, November 30, 2006 9:55 AM
> > > To: Exchange Discussions
> > > Subject: Split pagefile
> > > 
> > > Colleagues,
> > > 
> > > Is there a best practice for splitting the pagefile on 
> Exchange 2003 
> > > across multiple drives? My C drive is up to nearly 9GB 
> used out of 
> > > 10GB, and I'd like to move off most of the 3GB pagefile 
> to maybe the 
> > > database drive. We have only 500 users on that system, so
> > performance shouldn't
> > > be too much of an issue.
> > > 
> > > Thanks in advance, folks.
> > > 
> > > --
> > > Larry Wahlers
> > > Concordia Technologies
> > > The Lutheran Church - Missouri Synod 
> > > mailto:[EMAIL PROTECTED]
> > > direct office line: (314) 996-1876
> > > 
> > > _
> > > List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> > > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
> > > To subscribe: 
> > http://e-newsletters.internet.com/discussionlists.html/
> > > To unsubscribe send a blank email to 
> > > [EMAIL PROTECTED]
> > > Exchange List admin:[EMAIL PROTECTED]
> > > To unsubscribe via postal mail, please contact us at:
> > > Jupitermedia Corp.
> > > Attn: Discussion List Management
> > > 475 Park Avenue South
> > > New York, NY 10016
> > > 
> > > Please include the email address which you have been 
> contacted with.
> > > 
> > > 

RE: [ActiveDir] Split pagefile

2006-11-30 Thread Kevin Brunson
Good call.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

That's only if you select the "custom size" radio button and try to set
it to less than 16MB. If you select the "no paging file" option, it works
fine.

Laura 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, November 30, 2006 12:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Split pagefile
> 
> I think 2k3r2 requires at least 16MB on C:.  At least that is 
> the error message I have gotten before when I tried to make 
> it smaller than that.
> In 2000 I could make it 10MB without it complaining.  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
> Sent: Thursday, November 30, 2006 11:09 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Split pagefile
> 
> Sorry for the reply to my own post, but this article:
> 
> http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
> 
> says I can move the whole thing to a different partition. 
> I'll leave a meg on the C drive just for the dumpfile, which 
> we limit to 64K, in case the system crashes and I can 
> actually figure out how to read the dumpfile.
> 
> But, really, is it OK to leave absolutely NO pagefile on C:/? 
> We normally leave at least 200Mb on the C: partition when we 
> move the rest to a different drive.
> 
> 
> --
> Larry Wahlers
> Concordia Technologies
> The Lutheran Church - Missouri Synod
> mailto:[EMAIL PROTECTED]
> direct office line: (314) 996-1876
> 
> 
> 
> > > -Original Message-
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] On 
> > > Behalf Of Larry Wahlers
> > > Sent: Thursday, November 30, 2006 9:55 AM
> > > To: Exchange Discussions
> > > Subject: Split pagefile
> > > 
> > > Colleagues,
> > > 
> > > Is there a best practice for splitting the pagefile on 
> Exchange 2003
> > > across multiple drives? My C drive is up to nearly 9GB used 
> > > out of 10GB,
> > > and I'd like to move off most of the 3GB pagefile to maybe 
> > > the database
> > > drive. We have only 500 users on that system, so 
> > performance shouldn't
> > > be too much of an issue.
> > > 
> > > Thanks in advance, folks.
> > > 
> > > -- 
> > > Larry Wahlers
> > > Concordia Technologies
> > > The Lutheran Church - Missouri Synod
> > > mailto:[EMAIL PROTECTED]
> > > direct office line: (314) 996-1876
> > > 


RE: [ActiveDir] Split pagefile

2006-11-30 Thread Kevin Brunson
I think 2k3r2 requires at least 16MB on C:.  At least that is the error
message I have gotten before when I tried to make it smaller than that.
In 2000 I could make it 10MB without it complaining.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, November 30, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Sorry for the reply to my own post, but this article:

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html

says I can move the whole thing to a different partition. I'll leave a
meg on the C drive just for the dumpfile, which we limit to 64K, in case
the system crashes and I can actually figure out how to read the
dumpfile.

But, really, is it OK to leave absolutely NO pagefile on C:/? We
normally leave at least 200Mb on the C: partition when we move the rest
to a different drive.


-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876



> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On 
> > Behalf Of Larry Wahlers
> > Sent: Thursday, November 30, 2006 9:55 AM
> > To: Exchange Discussions
> > Subject: Split pagefile
> > 
> > Colleagues,
> > 
> > Is there a best practice for splitting the pagefile on Exchange 2003
> > across multiple drives? My C drive is up to nearly 9GB used 
> > out of 10GB,
> > and I'd like to move off most of the 3GB pagefile to maybe 
> > the database
> > drive. We have only 500 users on that system, so 
> performance shouldn't
> > be too much of an issue.
> > 
> > Thanks in advance, folks.
> > 
> > -- 
> > Larry Wahlers
> > Concordia Technologies
> > The Lutheran Church - Missouri Synod
> > mailto:[EMAIL PROTECTED]
> > direct office line: (314) 996-1876
> > 


RE: [ActiveDir] OT: M$

2006-11-09 Thread Kevin Brunson
I would think that M$ would really fit Morgan Stanley, the financial
services company, very well.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
Smith
Sent: Thursday, November 09, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

I use it fairly commonly.

Only several of the lists I frequent, if you use MS, then the
Morgan-Stanley people get all up in arms. And typing MSFT is just too
long. :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, November 09, 2006 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

I never use that moniker but how about a positive spin...people use it
because the co-founders are always on the short list of top U.S.
philanthropists ? :-)



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 09, 2006 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$


Just out of curiosity, what makes people think it's appropriate to refer
to Microsoft as "M$" on an MS-focused mailing list whose participants
include Microsoft employees, Microsoft contractors, Microsoft MVPs and
various other people who may have a relatively positive view of
Microsoft?
 
Laura




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jitendra
Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or
VBScript?


This is the link to M$ to start with...very good info
 

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/scriptinga.asp
 

-- 
Sincerely,
J

 
On 11/9/06, Stu Packett <[EMAIL PROTECTED]> wrote: 

Hello everyone.  After reading through a lot of the
posts on this mailing list, I realize I could make my job easier if I
knew how to script.  I have no experience in scripting, but would like
to know what books do you recommend as a beginner's book on scripting?
Also, I don't really know the difference between WSH and VBScript, so if
anyone could explain that, I'd appreciate that.  After browsing through
Amazon, I saw several books on WSH and VBScript, but don't know where I
should focus on.  I'm also open to computer based training (CBT) videos
if any exist.  Thanks in advance. 






RE: [ActiveDir] OT: M$

2006-11-09 Thread Kevin Brunson








Wow, “the man” is busier than I thought.  Who would know he would have
time to make trillions on software, crush all competition, plot the
destruction of Europe (stupid anti-trust), and still answer email.
There must be more than one “the man”. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, November 09, 2006 2:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Not that I really care if people say M$ or not, but I thought I’d
comment on one thing, in the name of full disclosure….

My participation on this list has __nothing__ to do with money. I don’t
get compensated on any level for this. Heck, I don’t even work on AD
anymore, so this is like 2 degrees of separation away from anything that
MS compensates me for.

So, is MS out to make $? Sure.

Is AD part of that money-making strategy? Sure.

Does that have anything to do with MS employee participation on this
list? I don’t think so. Others (at least those that I can recall posting
here as I type this mail) on this list fall in to the same boat. A
couple of them don’t work on AD anymore either.

Why do I hang out here? I do it because I care about customers and about
AD/ADAM. It has nothing to do with my salary.

It’s also why I still blog about AD, answer newsgroup questions, answer
internal questions (DLs, PSS, MCS, other PGs, etc.), handle direct
emails from a myriad of non-MS people (some I know, some are totally out
of the blue), fix code for people that ask for help, etc. I don’t get
paid for any of this.

~Eric

Borg #145719302

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Thursday, November 09, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

I believe we all know that your statement is correct “like any other big
company they are out to make $”, what I inferred from what she was
implying (did I get that right? :)) is that although we all know that
Microsoft is not perfect (…anyone want to cast the first stone?)…a
grey-toned comment made on this mailing list is probably not
appreciated…especially when this mailing list is used to help others.
I’m sure there are a myriad of other forums to take your personal
opinions to.

--vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Thursday, November 09, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

I have a mostly positive view of M$ and like their products. Heck, I’m
certified in their products. But that doesn’t make them inexpensive and
like any other big company they are out to make $. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 09, 2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$

Just out of curiosity, what makes people think it's appropriate to refer
to Microsoft as "M$" on an MS-focused mailing list whose participants
include Microsoft employees, Microsoft contractors, Microsoft MVPs and
various other people who may have a relatively positive view of
Microsoft?

Laura

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, November 09, 2006
10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]
Beginner's Book on Scripting - WSH or _vbscript_?



This is the link to M$ to start with...very good info

http://msdn.microsoft.com/library/default.asp?url=

-- 
Sincerely,
J

On 11/9/06, Stu Packett <[EMAIL PROTECTED]> wrote:

Hello everyone.  After reading through a lot of the posts on this mailing list, I realize I could make my job easier if I knew how to script.  I have no experience in scripting, but would like to know what books do you recommend as a beginner's book on scripting?  Also, I don't really know the difference between WSH and VBScript, so if anyone could explain that, I'd appreciate that.  After browsing through Amazon, I saw several books on WSH and VBScript, but don't know where I should focus on.  I'm also open to computer based training (CBT) videos if any exist.  Thanks in advance.
















RE: [ActiveDir] Migration from Exchange Server to an SMTP Server?

2006-11-08 Thread Kevin Brunson








All of this is done with the assumption that by plain ol’ smtp server, you mean you are going to be using POP3 on the client side.

Option 1

Enable POP3, set up POP accounts in Outlook, right before you POP for the first time on a client get rid of the Exchange connection.  POP the server, downloading all of the email to the client.  Be prepared to wait a while.

Option 2

Redirect email to the new smtp/pop3 server.  Once you have confirmed that email is flowing to the new server, Exmerge everyone’s email out to pst.  Copy that pst over to wherever you want it, configure Outlook to talk to the pst.  Set up their Outlook for the new server, and pop the new server, dumping new mail in amongst their old mail.  You could also take a variant of this and just bring their old pst in as an archive and let new mail flow to a new pst.

Either way, running an exmerge before you do anything else is probably a very good idea, just to make sure you keep with the mandate of not losing email.

Kevin

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Corbett, Tony
Sent: Wednesday, November 08, 2006 4:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migration from Exchange Server to an SMTP Server?



 

Hi all,

Has anyone migrated OFF MS-Exchange to an SMTP email server?

Any tips on how to move the mail so the users don’t
lose all their historical email?

 

I’m trying to write up a detailed project plan to move
the users’ email from our Exchange server to a regular ol’ SMTP
server.   The only requirement is: “Don’t lose my
emails”.

 

I appreciate any help you have to offer.

 

TIA

 

Tony Corbett

[EMAIL PROTECTED]

770-870-2820 (desk)

 







RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

2006-11-07 Thread Kevin Brunson








Citrix should be able to move between domains without much problem.  You might have to recreate the farm connection if you are using an SQL database, chfarm should do the trick.  It might carry over fine though.

Most of the Citrix apps run with local credentials unless you change them, so it shouldn’t cause any great grief.

 

Kevin

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 07, 2006 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

I’d use ADMT … at a minimum you’ll want to run the security translation wizard if you don’t use the move computer wizard. MSSQL will require some manual work. I have no idea about Citrix.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Tuesday, November 07, 2006 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next





 

Thanks to advice from the ActiveDir community (this mailing list) and
Microsoft's ADMT and ExMerge, we have successfully completed an interforest
migration - of users, computers, and mailboxes. Next up: the servers, 12 of
them. Two DC's, the rest are made up of file, print, Exchange, MS SQL
(integrated auth), Citrix, and backup. The source forest will no longer be
necessary in a few weeks. Would you recommend using ADMT for the servers as
well? I know that the DC's and Exchange server will be done manually.. 

Thanks,
...D










RE: [ActiveDir] Problem driving me crazy

2006-10-31 Thread Kevin Brunson








Check the Group Policies assigned to the terminal server.  Under Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignments, look for “Allow Logon through Terminal Services”.  This user was probably added here.

If you add a username to any of the Windows Settings policies in a GPO, and the username changes, then you have to go back and change it manually.  It is not automatically updated like most of the rest of AD.  I would recommend using security groups instead of users here for this reason.  The group name is less likely to change.

 

Kevin

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, October 31, 2006 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem driving me crazy



 



Hi,

I have a user who got married (changed her last name) so I had to change her login username, email, etc.

Since I did that, she has not been able to log on to a server (DC) using remote desktop connection, I checked and she has the right permissions to use terminal services, etc.

What is the best way to troubleshoot this?

I am getting this log in the event log

Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: 
Domain: 
Logon Type: 10
Logon Process: User32 
Authentication Package: Negotiate
Workstation Name: 
For more information, see Help and Support Center at 

 

Thanks all
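An added example, not part of the thread: a small audit for the situation described in the reply above, where a user right in a GPO lists an account by name and the account is later renamed. It assumes the `[Privilege Rights]` section format of a GPO security template (GptTmpl.inf), in which SIDs are written with a leading `*` and anything else is a literal account name; the domain, account names and SIDs are constructed sample data.

```python
import re

# Constructed sample of a GPO security template (GptTmpl.inf). The domain
# EXAMPLE, the account names and the SIDs are made up for illustration.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\jsmith,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = EXAMPLE\\svc_backup
SeBackupPrivilege = *S-1-5-32-551
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
"""

# Constructed list of account names that exist today: jsmith was renamed to jdoe.
CURRENT_ACCOUNTS = {"EXAMPLE\\jdoe", "EXAMPLE\\svc_backup"}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        header = SECTION_RE.match(line)
        if header:
            in_section = header.group("name").lower() == "privilege rights"
            continue
        if in_section and "=" in line:
            right, _, value = line.partition("=")
            rights[right.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def name_based_entries(rights):
    """(right, principal) pairs stored as account names rather than SIDs.

    A SID entry starts with '*'. A name entry is matched as text, so it
    stops matching when the account is renamed.
    """
    return [(right, principal)
            for right, principals in sorted(rights.items())
            for principal in principals
            if not principal.startswith("*")]


def stale_name_entries(rights, current_accounts):
    """Name-based entries whose account name no longer exists."""
    known = {name.lower() for name in current_accounts}
    return [(right, principal)
            for right, principal in name_based_entries(rights)
            if principal.lower() not in known]


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_GPTTMPL)
    for right, principal in name_based_entries(parsed):
        print("name-based:", right, principal)
    for right, principal in stale_name_entries(parsed, CURRENT_ACCOUNTS):
        print("STALE     :", right, principal)
```

`SeRemoteInteractiveLogonRight` is the right behind logon type 10 in the event above; a stale name there is a candidate cause for that failure, and replacing it with a group avoids the problem on the next rename.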










RE: [ActiveDir] Exchange Log files --Disk Full--

2006-10-26 Thread Kevin Brunson








Ntbackup considers the option to Flush Log Files so obvious that it doesn’t even ask.  Are you seeing any errors in the backup logs?  I have seen ntbackup fail after the data was backed up but before it flushed logs, if some of the permissions were changed.  Of course this was 3 years ago, so I don’t remember which permissions those were.  Were backups flushing logs before 4 months ago?

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Thursday, October 26, 2006 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Log files --Disk Full--



 





Yes, I have been doing full backup but unfortunately logs aren't flushed. What could be the possible reason for that. I have to look for it.

I am using NTBackup. There is no option for Truncate Log Files in this backup utility. I am running Info Store backup.

Any suggestions.

Thanks!!!

Ravi







 







From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Thu 10/26/2006 11:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Log files --Disk Full--

If you do a full (normal) backup using a real backup tool (ntbackup, Veritas with the Exchange Backup Agent, etc) – the logs will be flushed. Period.

For some reason – you aren’t getting a clean backup. That’s what you need to be checking into.

Temporarily, you can compress (using NTFS compression – not WinZIP or PowerArc or anything like that) the logfiles until you can make that backup.

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Thursday, October 26, 2006 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange Log files --Disk Full--

Hi All,

Kindly suggest, what I can do about my Exchange Log files?

I have about 120 GB Log files for past 4 months. I have a few doubts:-

Do I really need all those log files?

If yes, Then how is it possible to manage with this as I have a very limited space left.

Can I delete these log files?

Backup doesn't remove these log files?

I am really running out of space on my Exchange log storage drive.

Thanks!!!

Ravi












RE: [ActiveDir] Exchange Log files --Disk Full--

2006-10-26 Thread Kevin Brunson








Backup should truncate the log files.  However, depending on which software you are using, sometimes “truncate log files” is an option that you have to select.  What backup software are you running?  Are you running an “exchange backup” or just a file backup of the Exchange server?  If you are only backing up files, and not the actual Info Store, then you are not getting a good (or even usable) backup.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Thursday, October 26, 2006 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange Log files --Disk Full--

Hi All,

Kindly suggest, what I can do about my Exchange Log files?

I have about 120 GB Log files for past 4 months. I have a few doubts:-

Do I really need all those log files?

If yes, Then how is it possible to manage with this as I have a very limited space left.

Can I delete these log files?

Backup doesn't remove these log files?

I am really running out of space on my Exchange log storage drive.

Thanks!!!

Ravi










RE: [ActiveDir] Blocking IE7

2006-10-19 Thread Kevin Brunson
Are your users local admins?  Only admins can approve IE7 for install.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

I must be missing something, I read:

* "The Blocker Toolkit will not prevent users from manually installing Internet 
Explorer 7 as a Recommended update from the Windows Update or Microsoft Update 
sites, from the Microsoft Download Center, or from external media. 

So it seems to me a hash rule combined with a filename rule should work unless 
they change both on me.

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 19, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

You might want to re-read the page that you linked to below, since it answers 
all of your questions.
 
1. That toolkit is *not* designed to block WSUS deployments. With WSUS, you 
would simply not approve the update.
2. That toolkit *is* designed to block both the executable and automatic update 
installations.
 
Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Blocking IE7
I see how to block IE7 from deploying through WSUS, but what I don't see is a 
way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP.  What about building a 
restricted software GPO that has a hash of iesetup7.exe (if that even exists)?

I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Blocking IE7

2006-10-19 Thread Kevin Brunson








http://www.microsoft.com/downloads/details.aspx?FamilyId=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en

If they are local admins, this will not block them from manually installing it, but if they are local admins, there aren’t a whole lot of options.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Blocking IE7

I see how to block IE7 from deploying through WSUS, but what I don’t see is a way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP.  What about building a restricted software GPO that has a hash of iesetup7.exe (if that even exists)?

I want to restrict them from getting it through microsoftupdate.com as well.

 

Bryan Lucas

Server Administrator

Texas Christian University

 








RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Kevin Brunson








Are there any error messages in the event log?  There are several problems I have seen where some kind of message will show up in the logs that tell you where to start looking.

The most common one I have seen lately, if you see an error in the system event log that says

The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.

http://support.microsoft.com/default.aspx?scid=kb;en-us;323497

Also, is the server running in Remote Desktop mode or Terminal Services mode?  If Terminal Services is checked in the Windows Components Wizard, then it is in Terminal Services mode.  Otherwise, it is just a Remote Desktop.  If it is in Terminal Services mode, then you need to make sure it is talking to a Terminal Services Licensing server.  You would see errors in the event log for this too.

 

Kevin









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 11:01 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Yes it doesn't happen with any other servers but I have rebooted it more than twice. But no good luck.

What do you guys suggest in this case? Did only rebooting second time resolve the issue for you?

It worked for me when I have disjoined from my domain. But I am sure this has nothing to do with any GPO. Also same thing happened for me when I joined this to any other domain, other than the previous one.

Thanks!!!

Ravi







 







From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 10/17/2006 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have also seen where a second reboot is necessary for RDP to work.  I have not determined the cause of this yet.  It does not happen on all servers.

 

Mike Thommes

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have noticed that after updating to the latest security patches and rebooting that some (not all) of my servers had issues with RDP.  It cleared after rebooting a second time.  Root cause?  Unknown at this time.

 

-vC









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am using mstsc but it's not connecting me to the server. Error "The remote computer has ended the connection". However if I am using mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only admin id when connected like this. I want my engineers (who don't have administrator privileges) to access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi












RE: [ActiveDir] RealVNC removal

2006-10-02 Thread Kevin Brunson








Certainly disabling the service will be easier than removing it.  That can be done network-wide via Group Policy.  I have seen a kixtart script that removed VNC, but I think that was a version from about 6 years ago, so I don’t know if that would do you any good, especially if your users are not local admins.  Setting the service to disabled is probably the best way to go for automation.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Monday, October 02, 2006 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] RealVNC removal

I was hoping to automate it, as it is on hundreds of laptops - which may or may not be currently connected to the domain.

- Original Message -
From: SMREKAR, JACK
To: ActiveDir@mail.activedir.org
Sent: Monday, October 02, 2006 11:13 AM
Subject: RE: [ActiveDir] RealVNC removal





 



You could use a piece of software called Dameware, another remote control program. There are options that will uninstall the software when you disconnect from the session. I would install that software on your computer then use it to remote control to the laptops in question and remove VNC. After that is done, use the Dameware to logout and then when you click on the disconnect button it will remove the Dameware service also.  That should leave you with no remote control program.

http://www.dameware.com/downloads/

Jack Smrekar
Appleton Area School District
920-993-7062 Ext. 2123

A+  N+  Server +

 





 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Monday, October 02, 2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RealVNC removal

I'd like to uninstall RealVNC from a number of machines remotely.  These were part of a system image that was rolled out quite some time ago.  Unfortunately, re-imaging the machines (they are laptops) after simply removing the program from the image, is not an option.  Luckily, it's an AD environment - all Windows XP in a Windows 2003 single domain environment.  It appears that the RealVNC app was installed in service mode, and each machine runs the service upon boot.  SMS 2003 is on the network as well, and all of these laptops are SMS clients, but the app was not rolled out using an SMS package or MSI file.

What's the best way to uninstall such an application from all these laptops at this point?  Startup script?  Something else using SMS perhaps (I'm not TOO familiar with SMS)?  I have some ideas, but would welcome any additional input from others, as I am sure that there are better ideas and methods out there that I haven't thought of yet.  If uninstallation is going to prove difficult, I can live with just disabling the service if that can be done easier than a complete removal of the app.





 












RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Kevin Brunson
"Elevating privileges from DA to EA (or from physical DC access to EA)
is simple"

Is this physical access to a DC in the root domain or physical access to
a DC with a forest trust to the root domain?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, September 15, 2006 12:15 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Hi All

I wanted to weigh in with two comments.
1) Elevating privileges from DA to EA (or from physical DC access to EA)
is simple - it takes about 45 minutes and unless you have some very good
active monitoring is difficult to detect.  There are automated tools out
there for doing this.  I have been known to use the term lazy EAs to
refer to domain admins.

2) Replication boundaries is another reason for separate domains.  A
million objects can lead to huge DITs and very slow replication -
especially in a build a new DC case.  Separating that into multiple
domains - to put smaller load on locations where bandwidth is an issue
is worth considering.  For example.
  90,000 users.  200 of those are in Alaska
  The rest of the world has good bandwidth, Alaska locations all have
  the equivalent of 56K modem speed.
  DIT and Sysvol size is about 7G, but for Alaska users there are only
  3 GPOs that affect them
  Rather than doing 1 domain I can put the 200 Alaska users in their
  own domain.  Security wise, there is no advantage.  Replication wise,
  the Global Catalogue is a fraction the size of the full database, the
  Sysvol never replicates anywhere in Alaska, and replication for that
  domain will cause less strain on their bandwidth - 200 users will
  create a much lower amount of changes than 90,000 users.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]


 

"Al Mulnick" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Elevating privileges from DA to EA
09/15/2006 11:34 AM AST
Please respond to [EMAIL PROTECTED]

 

 





I agree and add to that some additional thoughts:
Not long ago there was some conversation around a suggestion that
[EMAIL PROTECTED] put out regarding the idea of using multiple forests
vs. domains in such a model.  Personally, I disagree with that
recommendation as given.  I think A LOT more additional information is
required before saying that, but I digress.

If you decide to use the multi-domain model, I have to assume that you
either have different password policies or a strong layer-8 contingent
driving things. If the latter, I hate it for you.

If you have a requirement to separate the domains from the forest, your
workload just went through the roof, and with that your costs.

Was it me I'd want to learn from my past mistakes ;0) and approach this
by reversing the conversation.  By that I mean I'd want each potential
domain owner to absolutely and in a detailed manner specify the
functions they need to execute.  From there, we'll encompass the rights
needed for each of those functions. I think what you'll find is that you
can do almost all of it with a single domain if different password
policies are not needed (mostly, but you know all of that anyway). From
there, I'd be sure to spell all of that out the project sponsor because
the costs (both ongoing and up front) can be significant.  The amount of
complexity and issues with other directory based applications alone can
be enough to put them off and actually follow a recommendation such as
this. The push obviously is to get as few actual DA's as possible.

Is the threat real? Yes.  If you feel you should have multiple domains,
chances are good you really need OU's and a better admin model that
includes less complexity and fewer moving parts.

Oh, one other thing that might be of interest to your planning group: ask
them about their restoration requirements.  In that model, restoration
can be a bloody nightmare especially if the layer-8 issues are not
resolved up front.

Al



On 9/15/06, Paul Williams <[EMAIL PROTECTED]> wrote:
  Neil,

  Try a re-read of the first couple of chapters of the first part of the
  deployment guide book designing and deploying directory and security
  services.  Obviously it doesn't spell out how to do this -it doesn't
  even allude to how this is done- but does emphasise when and when not
  to go with the regional domain model.

  I'm not disputing what anyone is saying here -I agree.  I just happen
  to think the regional model can be a good one, and that if done
  properly works.  Eve

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Kevin Brunson








http://www.microsoft.com/technet/security/Bulletin/MS02-001.mspx discusses some elevation of privilege attacks.  It also links to another article that is supposed to have more details on SID filtering, which doesn’t seem to exist anymore.  All references I have found point only at NT4 and 2000 as susceptible to this kind of attack, and they have a patch to fix it.  So I guess 2003 is secure at least when it comes to the SIDHistory method.  There must be other ways of doing it, though.  I don’t know that they could possibly be “simple” if MS put out a patch to fix this particular hole way back in 02.  The referenced article (for those who don’t read it) calls for “a binary edit of the data structures that hold the SIDHistory information”.  Not exactly “candy from a baby” level, unless you happen to be a 3rd level black-belt in babies-canditsu.  But I’m sure someone with extreme skills could take on an unpatched 2000 domain without much trouble.  Either way, it looks like sidfiltering mitigates most of the risk.









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, September 15, 2006 2:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

>>>Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap!

Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!

>>>I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above

When you know HOW, it is as easy as taking candy from a baby

jorge





 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above.

 

Make sense?

 

neil

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword?  I'm not sure I clearly understand the question.

FWIW, going from DA to EA is a matter of adding one's id to the EA group.  DA's have that right in the root domain of the forest (DA's of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc.  If physical access is available, there are plenty of ways to get the access you require to a domain but I suspect you're asking how can a DA from a child domain gain EA access; is that the question you're looking to answer?

Just for curiosity, what brings up that question?

Al



On 9/14/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'.

I have suggested that whilst it's possible it is not simple at all.

Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [[EMAIL PROTECTED]]

I can think of the following basic methods:
 - Remove DC disks and edit offline
 - Introduce key logger on admin workstation / DC
 - Inject code into lsass

As you can see, I don't want specific steps to 'hack' the DC, just basic ideas / methods.

Thanks,

neil
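An added example, not from any poster in this thread or from Microsoft: a defensive audit for the SIDHistory abuse discussed above, which decodes binary sIDHistory values and flags any that carry a privileged or other well-known RID. The domain SIDs, distinguished names and the RID watch-list are constructed sample data and an assumed audit heuristic.

```python
import struct

# Assumed watch-list: well-known RIDs that an ordinary account migration
# has no reason to leave behind in sIDHistory.
PRIVILEGED_RIDS = {500: "Administrator", 502: "krbtgt", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

# Constructed domain SIDs for the forest being audited.
FOREST_DOMAINS = {"S-1-5-21-1000-2000-3000": "root.example",
                  "S-1-5-21-4000-5000-6000": "emea.root.example"}


def pack_sid(sid):
    """Encode an 'S-1-5-21-...' string as a binary SID (used to build the sample)."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def unpack_sid(blob):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    authority, then 32-bit little-endian sub-authorities."""
    if len(blob) < 8 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("truncated or malformed SID (%d bytes)" % len(blob))
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % blob[1], blob[8:])
    return "S-%d-%d%s" % (blob[0], authority, "".join("-%d" % s for s in subs))


# Constructed directory export: (distinguished name, [binary sIDHistory values]).
SAMPLE_ENTRIES = [
    # Ordinary migrated user: old-domain SID with a normal account RID.
    ("CN=Migrated User,OU=Staff,DC=emea,DC=root,DC=example",
     [pack_sid("S-1-5-21-7000-8000-9000-1337")]),
    # Child-domain account whose history carries the root domain's RID 519.
    ("CN=Helpdesk Temp,OU=Staff,DC=emea,DC=root,DC=example",
     [pack_sid("S-1-5-21-1000-2000-3000-519")]),
    # Damaged value: two bytes missing from the end.
    ("CN=Old Service,OU=Svc,DC=emea,DC=root,DC=example",
     [pack_sid("S-1-5-32-544")[:-2]]),
]


def audit_sid_history(entries, forest_domains):
    """Return (dn, sid_or_None, reason) for every sIDHistory value worth review."""
    findings = []
    for dn, blobs in entries:
        for blob in blobs:
            try:
                sid = unpack_sid(blob)
            except ValueError as exc:
                findings.append((dn, None, str(exc)))
                continue
            domain_sid, _, rid_text = sid.rpartition("-")
            rid = int(rid_text)
            if rid in PRIVILEGED_RIDS:
                reason = "carries %s (RID %d)" % (PRIVILEGED_RIDS[rid], rid)
            elif rid < 1000:
                reason = "carries well-known RID %d" % rid
            else:
                continue  # ordinary account RID, what a migration normally leaves
            if domain_sid in forest_domains:
                reason += " of forest domain %s" % forest_domains[domain_sid]
            findings.append((dn, sid, reason))
    return findings


if __name__ == "__main__":
    for dn, sid, reason in audit_sid_history(SAMPLE_ENTRIES, FOREST_DOMAINS):
        print("%s\n    %s: %s" % (dn, sid or "<undecodable>", reason))
```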








RE: [ActiveDir] adm file management

2006-09-06 Thread Kevin Brunson
This is basically true.  If you are supporting older clients or
unpatched servers, make sure you only edit the GPO's from a machine
running XP SP2 or 2003 SP1.  Otherwise, you need to install a patch from
MS
http://support.microsoft.com/default.aspx?kbid=842933

2000, XP SP1, and 2003 RTM cannot view the newest ADM files without
popping up about 1000 error messages.  The patch resolves this
issue, but it requires a reboot on 2000.

The new features included in an updated ADM will either work with older
clients, or they will only take effect on the clients that can support
it.  You will usually see a message that goes something like "Requires
Windows XP or 2003".

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, September 06, 2006 9:41 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] adm file management

quick question (hopefully not too daft) ref ADM file management

it seems different OS's ship with different versions of the 'standard'
ADM files
that include conf.adm / interes.adm / system.adm ...

say if you are maintaining policies that link to containers holding say
XP , 2000,
2003 computers it would not be unreasonable to manage them all from a
single host on
which you edit policies.

am i correct to say that in maintaining the settings in these files are
always
cumulative - if that's the right word

if so then it is correct working practice to always use the MOST RECENT
version of
an ADM file with no fear of breaking previously functional GPO's ???

GT





List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Steps to clean up after Etrust

2006-09-01 Thread Kevin Brunson
You might very well find that it broke the HTTP SSL service.  Since
HTTPFilters runs as lsass.exe, it kinda screws things up.  This is the
only problem I am still dealing with.  WWW pub won't run without it.  So
no OWA.  Still trying to figure that one out.  Other than that, we've
fixed 30 servers at 20 sites.  Only a few of us lost our sanity.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, September 01, 2006 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Steps to clean up after Etrust

The Official SBS Blog : SBS 2003 fails to boot (Gray screen after 
Windows splash screen):
http://blogs.technet.com/sbs/archive/2006/09/01/453504.aspx

...I'm just having a hard time understanding how flagging lsass could be
missed in testing...but hey...that's just me...

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] OT: Servers rebooting, etrust antivirus

2006-09-01 Thread Kevin Brunson
We have found varying degrees of destruction, but so far none that could
not be recovered.  For some reason MS KB323497 seems to resolve just
about everything we have come across.

We have found a few servers that get blank screens in safe mode.  They
never get to a logon prompt.  Anyone gotten past this?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, September 01, 2006 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Servers rebooting, etrust antivirus


CA eTrust Antivirus flagging lsass.e x e
http://isc.sans.org/diary.php?n&storyid=1665
Unsubscribe: http://isc.sans.org/notify.php


Yup

Kevin Brunson wrote:
>
> Anyone else out there dealing with the Computer Associates eTrust 
> Antivirus signature thing this morning?
>
> Symptoms: "The system process "C:\Windows\System32\lsass.exe" 
> terminated unexpectedly with status code 0. The system will now shut 
> down and restart."
>
> After the reboot, it once again gives the same message, over and over.
>
> Resolution: Update to the latest eTrust Antivirus signatures. The 
> version ending in .3056 is known stable.
>
> Details: Apparently the signatures are detecting lsass.exe as a virus 
> and trying to rename or delete it. Windows File Protection kicks in 
> and says no. They then argue for a bit and neither wins so the server 
> gives up and reboots.
>
> Hopefully no one else has experienced this, but if you are running ca,
> this should solve your problem. Almost all of my customers are running
> eTrust Antivirus, so it has been a very long morning.
>
> Kevin
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] OT: Servers rebooting, etrust antivirus

2006-09-01 Thread Kevin Brunson
Anyone else out there dealing with the Computer Associates eTrust
Antivirus signature thing this morning?

Symptoms:  “The system process “C:\Windows\System32\lsass.exe”
terminated unexpectedly with status code 0.  The system will now shut down
and restart.”

After the reboot, it once again gives the same message, over and over.

Resolution:  Update to the latest eTrust Antivirus signatures.  The
version ending in .3056 is known stable.

Details:  Apparently the signatures are detecting lsass.exe as a virus
and trying to rename or delete it.  Windows File Protection kicks in and
says no.  They then argue for a bit and neither wins so the server gives
up and reboots.

Hopefully no one else has experienced this, but if you are running ca,
this should solve your problem.  Almost all of my customers are running
eTrust Antivirus, so it has been a very long morning.

Kevin

 

 








RE: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Kevin Brunson
I think the key to this question is a very simple troubleshooting step.
Go into DNS and look at the (same as parent folder) records.  Delete the
ones that aren’t currently DNS servers.  If you are using AD integrated
DNS, then this should be any domain controllers that you want clients to
get DNS from.  Give it a day or two and see if the bad ones come back.
If they don’t then you can assume this was an obsolete entry.  If they
do then you can start looking for why.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, August 29, 2006 4:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] nslookup. AD beginer question

If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the
DNS servers for that domain.  For example, if you are using
AD-Integrated DNS, you will get a list of any DCs that are also DNS
servers.  Basically, that command returns the (Same as parent) records
for the domain.

If you want to pull all DCs in the domain, you need to run something
like this:

nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com

If you run the above command and get computer accounts back, see
kb825675 as referenced by Steve.  I wasn't aware that that bug also
registered A records for the domain name, but it might...

If you're new to NSLOOKUP, consider what information you want.  There's
a bunch of different types of DNS record that might be of interest (A,
CNAME, PTR, SRV, MX).  When troubleshooting AD, the main ones to look
for are A and SRV (there's also an instance where you need to check the
CNAME record too).  Remember that simply pinging a DC doesn't mean that
the necessary SRV records are in place.  I personally always advise
people to use a combination of NSLOOKUP and NLTEST to troubleshoot DNS
and the locator process.  Use NSLOOKUP to see if the records that you
expect are there, and NLTEST to make the DsGetDC and DsGetSite calls.

--Paul

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Monday, August 28, 2006 7:14 PM
Subject: [ActiveDir] nslookup. AD beginer question

Hi Everyone,

When I do a nslookup domain.com, being domain.com my AD domain, what
should I see? A list of the dns server in my domain? A list of the DC?

The fact is that I am doing nslookup and I am getting, domain
controllers but also a user’s computer

Thanks
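
The check this thread describes, as an added example that is not part of any poster's message: it parses the output of the two nslookup commands Paul gives and lists the "(same as parent folder)" addresses that do not belong to a DC registered under _ldap._tcp.dc._msdcs. The sample output is constructed, the function names are hypothetical, and the parser assumes the Windows nslookup text layout with IPv4 addresses.

```python
import re

# Constructed sample of `nslookup domain-name.com` output (Windows layout).
APEX_OUTPUT = """\
Server:  dc1.domain-name.com
Address:  10.0.0.10

Name:    domain-name.com
Addresses:  10.0.0.10
          10.0.0.11
          10.0.0.57
"""

# Constructed sample of
# `nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com` output.
SRV_OUTPUT = """\
Server:  dc1.domain-name.com
Address:  10.0.0.10

_ldap._tcp.dc._msdcs.domain-name.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.domain-name.com
_ldap._tcp.dc._msdcs.domain-name.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = DC2.domain-name.com
dc1.domain-name.com     internet address = 10.0.0.10
dc2.domain-name.com     internet address = 10.0.0.11
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def answer_section(output):
    """Drop the leading 'Server:/Address:' block that names the resolver used."""
    head, sep, rest = output.partition("\n\n")
    return rest if sep and head.lstrip().startswith("Server:") else output


def parse_apex_addresses(output):
    """Return the A-record addresses nslookup lists for the domain name itself."""
    addresses, in_list = [], False
    for line in answer_section(output).splitlines():
        if line.startswith(("Address:", "Addresses:")):
            in_list = True
        elif line.strip() and not line[0].isspace():
            in_list = False  # a new left-aligned field ends the address list
        if in_list:
            addresses.extend(IPV4.findall(line))
    return addresses


def parse_srv_records(output):
    """Return {dc_hostname: [ip, ...]} from the SRV answers and their A records."""
    body = answer_section(output)
    hosts = re.findall(r"svr hostname\s*=\s*(\S+)", body)
    glue = re.findall(r"^(\S+)\s+internet address\s*=\s*(\S+)", body, re.M)
    dcs = {h.lower().rstrip("."): [] for h in hosts}
    for name, ip in glue:
        key = name.lower().rstrip(".")
        if key in dcs:
            dcs[key].append(ip)
    return dcs


def reconcile(apex_output, srv_output):
    """Split the apex A records into those owned by a registered DC and the rest."""
    dc_ips = {ip: host
              for host, ips in parse_srv_records(srv_output).items()
              for ip in ips}
    report = {"matches_dc": {}, "unexplained": []}
    for ip in parse_apex_addresses(apex_output):
        if ip in dc_ips:
            report["matches_dc"][ip] = dc_ips[ip]
        else:
            report["unexplained"].append(ip)  # candidate stale or stray record
    return report


if __name__ == "__main__":
    result = reconcile(APEX_OUTPUT, SRV_OUTPUT)
    for ip, host in result["matches_dc"].items():
        print(f"{ip:<15} registered DC {host}")
    for ip in result["unexplained"]:
        print(f"{ip:<15} no DC SRV record points here; check who owns it")
```

An address in the "unexplained" list is only a lead: it is the kind of record Kevin suggests reviewing in the DNS console, and the kind Paul points to kb825675 for.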










RE: [ActiveDir] nslookup. AD beginer question

2006-08-28 Thread Kevin Brunson
When you do an nslookup for the domain, you are going to get whatever
records are listed in DNS for “(same as parent folder)”.  If there is an
IP address listed in there that is old and obsolete, it will still show
until you go in and delete it.  It is possible it was there from a time
when that IP was in fact a DNS server, or possibly it was a mistake.  But
it was put in there intentionally or unintentionally at some time.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, August 28, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

Thanks, but after reading all that I still was not able to find out what
kind of information do you get when you do lookup domain.com, being
domain.com your AD domain, and why am I getting a user’s computer.

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, August 28, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

http://www.cni.org/pub/inetroom/nslookup.html

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup.mspx?mfr=true

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup__subcommands.mspx?mfr=true

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

From: Ramon Linan
Sent: Mon 8/28/2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] nslookup. AD beginer question

Hi Everyone,

When I do a nslookup domain.com, being domain.com my AD domain, what
should I see? A list of the dns server in my domain? A list of the DC?

The fact is that I am doing nslookup and I am getting, domain
controllers but also a user’s computer

Thanks










RE: [ActiveDir] DC to DC communication

2006-08-25 Thread Kevin Brunson
In Active Directory Sites and Services, ensure that each WAN site you
want segregated is configured as an AD site.  Then you can specify which
servers communicate to other AD sites, as well as the schedule for
replication.

Create a new site.  Configure the subnets for that site.  Add domain
controllers to that site.  Then configure one server at each site as a
bridgehead server.  Unless a WAN link is unreliable, you will probably
want to use IP instead of SMTP.  Then only that server will attempt to
replicate with the other sites.  If you need to tune it more, change the
replication schedule for the different site links.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, August 25, 2006 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC to DC communication

What are the various ways we can control the amount of replication
between a specific DC to other DCs?  We have one site that's wan
bandwidth is over utilized and we see that the DC at that site is making
connections to many other DCs (assumably for replication).  How can we
control this or reduce this traffic?






~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] OU tareq

2006-08-24 Thread Kevin Brunson
Create a GPO for the computer OU.  Edit that GPO, and expand to Computer
Configuration>Windows Settings>Security Settings>Restricted Groups.
Right-click Restricted Groups and hit Add Group.  Add Administrators.
Configure membership for this group>Members of this Group> Add domain
users, administrators, and domain admins.  This literally replaces
everything in that group with the ones you specify for the target
computers.  Set the ACL properties for that GPO to Domain
Computers>Apply Policy.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of tareq ttt
Sent: Thursday, August 24, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU tareq

dears,

How i can build a group policy that permit normal account in the active
directory to login  as Local Admin for any computer in one OU.

tareq
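
One way to review what such a GPO enforces, as an added example that is not from the posts above: Restricted Groups settings are stored in the [Group Membership] section of the GPO's security template (Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf under the GPO's SYSVOL folder), and this Python code reads that section and reports the member list that replaces local Administrators, any broad principals in it, and groups added through the additive "Member Of" form instead. The sample file content and its domain SID are constructed placeholders, the function names are hypothetical, and which principals count as broad is this example's assumption.

```python
import re

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of local Administrators
# Which principals count as "broad" is this example's assumption, not a Windows setting.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "515": "Domain Computers"}

# Constructed GptTmpl.inf content; 1111111111-2222222222-3333333333 is a placeholder domain SID.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-21-1111111111-2222222222-3333333333-512,Administrator
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
"""


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}}; a key is absent if not set."""
    groups, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        entry = groups.setdefault(name.lstrip("*"), {})
        entry[kind.lower()] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return groups


def is_local_admins(name):
    """True for the Administrators group, whether stored as a SID or by name."""
    return name == BUILTIN_ADMINISTRATORS or name.lower() == "administrators"


def broad_principal(principal):
    """Name the broad group a SID stands for, or None if it is not one we flag."""
    if principal in BROAD_SIDS:
        return BROAD_SIDS[principal]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", principal)
    return BROAD_DOMAIN_RIDS.get(m.group(1)) if m else None


def audit_local_admins(inf_text):
    """Summarise how the template changes local Administrators on target computers."""
    groups = parse_group_membership(inf_text)
    entry = next((g for name, g in groups.items() if is_local_admins(name)), {})
    members = entry.get("members")  # None: no "Members of this group" list is enforced
    return {
        "replaces_membership": members is not None,
        "members": members or [],
        "broad": [(p, broad_principal(p)) for p in (members or []) if broad_principal(p)],
        # "This group is a member of" entries add a group without replacing the list.
        "added_via_memberof": sorted(
            name for name, g in groups.items()
            if any(is_local_admins(t) for t in g.get("memberof", []))),
    }


if __name__ == "__main__":
    report = audit_local_admins(SAMPLE_INF)
    print("replaces local Administrators:", report["replaces_membership"])
    for principal in report["members"]:
        print("  member:", principal)
    for principal, label in report["broad"]:
        print(f"  broad principal: {label} ({principal})")
    for group in report["added_via_memberof"]:
        print("  added via Member Of:", group)
```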



  















RE: [ActiveDir] Exchange question

2006-08-22 Thread Kevin Brunson
I don’t guess I ever thought about moving mailroot, but that is a really
good idea.  Here’s an article that tells how to do it just so no one has
to go looking..

http://support.microsoft.com/?kbid=822933

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 22, 2006 3:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

Just to add my $0.04 worth:

By the time you ask what's the minimum, it's usually too late and not
enough. The SMTP queue drive should, as a general rule, not get below
10% free space.  The way the product works, every smtp message is
accepted then acted upon. What that means to you is that SMTP messages
are going to hit the disk hard. This indicates that you want to separate
that I/O from the rest of the server where possible.  That would mean
that you'd typically place this directory on a dedicated set of spindles
and the smallest drive size you'll likely find these days is a 72GB
drive.  If your average message is ~100KB, then you have approximately
72GB/(100KB-10%) of space before you would even want to consider that
your drive should stop.  That's a lot of messages for most corporate
implementations and could easily translate into several days worth of
mail at those numbers.

Wouldn't you want your mail system to stop sending at some point like
that? So that you go find the issue and resolve it?

Honestly, I think the better questions to ask are going to be along the
lines of what is the typical formula for figuring out drive performance
and sizing of Exchange server drives for the various i/o types? That
will give you the better idea of what you can and should not get away
with on those disks if you need to make changes.  If you don't make
changes, at least you'll know the areas to be aware of.

My thoughts anyway.

al

On 8/22/06, Akomolafe, Deji <[EMAIL PROTECTED]> wrote:

>>>minimum amount of HD space needed for the smtp to work?

It depends mostly on how busy is the server.

>>>Also, if the hard drive gets full will that stop the queue from
delivering the emails?

Of course.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

From: Ramon Linan
Sent: Tue 8/22/2006 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange question

Hi,

I have 2 emails server in 2 different locations.

All the sudden emails are not coming from one server to the other, I
found out that smtp queue folder was in  a hard drive that was running
out of space.

Do you guys know what is the minimum amount of HD space needed for the
smtp to work?

Also, if the hard drive gets full will that stop the queue from
delivering the emails?

Thanks

Rezuma











 








RE: [ActiveDir] joe - please say it isn't so!

2006-08-14 Thread Kevin Brunson
Anyway, I think if he was gonna go out like that, he would’ve ended it
with something like:

“We Apologize for the Inconvenience”

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Monday, August 14, 2006 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] joe - please say it isn't so!

Double check the date of the entry.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, August 14, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] joe - please say it isn't so!

So here I went to take a look at Dean’s article, and I find this:
http://blog.joeware.net/cat/recipes/ , expecting to find more of joe’s
great adfind codes.  At first, I thought it got misfiled and should have
been filed under “humor” but I suspect this is hardly funny.  Joe, are
you pulling our collective legs?  Please tell me this blog is a poor
Michigander’s joke!  If not, please take me with you to New Zealand – I
need to see first hand that the Brown Trout there are bigger than they
are in Michigan!  ;-)

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

joe said "pretty decent" http://blog.joeware.net/2006/06/08/400/

I think that's an understatement ;-)

However, my profuse thanks to joe too. I wasn't aware of the article
until he blogged it.

M@

On 8/14/06, Dean Wells <[EMAIL PROTECTED]> wrote:

Why thank you … but who said otherwise?  ;0)

--
Dean Wells
MSE technology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463&ad=554811USCA&ad=554808

I don't care what anyone says. That's a damn fine article.

I couldn't possibly thank Dean enough for that info.

M@

On 8/14/06, Graham Turner <[EMAIL PROTECTED]> wrote:

Alter ego !

my thanks are due

worked out a treat - so the GC's are not so ***'d as i thought

any info on the concept of the phantoms though ??

GT

> Hey Robert,
>
> In the article you posted, the registry key is incorrect in the KB
> content.  It lists the registry key as:
> HKCU\Software\Policies\Microsoft\Windows\Directory
>
> However, the correct registry key is:
> HKCU\Software\Policies\Microsoft\Windows\Directory UI
>
> I've sent a comment to my former employer to ask for them to fix the
> article...next time, test it *before* you post!
>
> Your Alter Ego,
> Robert Williams
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Williams, Robert
> Sent: Monday, August 14, 2006 9:28 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir]
>
> Hey Graham,
>
> This may not be what you're experiencing, but it could be worth it to
> check to see how many members you have in the group(s) in question.  By
> default, if the group has over 500 members in it, the user icons inside
> the group will turn grey.  Check out this article for more information:
> http://support.microsoft.com/kb/q281923/
>
> Let us know if that turned out to be the cause.
>
> Have a great day!
>
> Robert Williams
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
> Sent: Monday, August 14, 2006 9:01 AM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir]
>
> Dear all, am experiencing issues that i think attributable to the
> concept of Active Directory phantoms
>
> the symptom is that when we open certain global groups the membership
> list comes out with grey icons
>
> this is not all groups - affected ones being - Domain Users / Domain
> computers
>
> must confess to not a full understanding of the issue here -but it seems
> this relates in some way to GC lookup ??
>
> i can for sure confirm that the GC port 3268 is open on the GC's
>
> not sure why as the group / user members are in the same domain ?
>
> after the understanding of what is going on here is, of course 'HOW DO
> WE FIX' ??
>
> technet seems to reference a concept of 'phantom clean up task' - a
> process that runs on the server running 'INFRASTRUCTURE MASTER' fsmo
> role on a scheduled basis to resolve the directory issue.
>
> would seem not in this case ?
>
> as a point to note, neither netdiag or dcdiag are coming up with nothing
> conclusive in this respect.
>
> help as always gladly received
>
> GT
>
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> Li

RE: [ActiveDir] Replication Topology Explanation..

2006-08-10 Thread Kevin Brunson
As long as they have the bridgehead server in their site they won’t even
try to talk to the other domain controller unless it is a FSMO.  So you
might want to leave that off of there.  I would probably make it a GC
though.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Thursday, August 10, 2006 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Replication Topology Explanation..

thanks.

so if the DR domain controller is only set to replicate to 1 domain
controller  in HQ -- this should be fine ? should it hold any FSMO roles,
be a DC.

i would still imagine if the other DC's can't talk to this DC - dcdiag and
repadmin would fail or generate errors.

On 8/10/06, Kevin Brunson <[EMAIL PROTECTED]> wrote:

If you set the servers to want to communicate between sites as
bridgehead servers, then it will autogenerate site links that fit this
topology.  Otherwise all of the domain controllers will want to talk to
each other.  Being a member of the root domain, it will have everything
needed to get the root domain back up and running.  You might want to
consider having a DC for the subdomain as well, as the root domain
controller will not contain all information about the subdomain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Thursday, August 10, 2006 10:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Topology Explanation..

Hey all -

I have an HQ hosting the forest root domain company.com. I have a child
domain off-site connected via T1 and it's site.company.com

The HQ is running windows 2003 R2 std. The site is currently running windows
2000 sp4 but will be upgraded soon.

I have a DR site connected via P-T-P T1. The DR box was recently upgraded to R2
and it was DCPROMO'd into my HQ's domain, company.com.

The DR site DC is only set to replicate with one DC in the HQ. there is an ACL
on the DR network that prevents communication from any other host except the
one DC at HQ. so the other DC at HQ and the DC at the site can't talk to this
DR DC.

is this a healthy replication topology ? i was told that since the HQ DC can
replicate to the other HQ DC and the site DC it has all the information needed
and only one replication connection from this "main" DC to the DR DC
is needed.

could use some feedback on how to handle replication for  DR location.

we are using Double-Take but was told it really isn't necessary for an AD box,
but i would think communication needs to be open for all servers to communicate
to the DR boxes ?

Thanks,

--
HBooGz:\>

--
HBooGz:\>








RE: [ActiveDir] Replication Topology Explanation..

2006-08-10 Thread Kevin Brunson
If you set the servers to want to communicate between sites as
bridgehead servers, then it will autogenerate site links that fit this
topology.  Otherwise all of the domain controllers will want to talk to
each other.  Being a member of the root domain, it will have everything
needed to get the root domain back up and running.  You might want to
consider having a DC for the subdomain as well, as the root domain
controller will not contain all information about the subdomain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Thursday, August 10, 2006 10:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Topology Explanation..

Hey all -

I have an HQ hosting the forest root domain company.com.
I have a child domain off-site connected via T1 and it's site.company.com

The HQ is running windows 2003 R2 std. The site is currently running windows
2000 sp4 but will be upgraded soon.

I have a DR site connected via P-T-P T1. The DR box was recently upgraded to R2
and it was DCPROMO'd into my HQ's domain, company.com.

The DR site DC is only set to replicate with one DC in the HQ. there is an ACL
on the DR network that prevents communication from any other host except the
one DC at HQ. so the other DC at HQ and the DC at the site can't talk to this
DR DC.

is this a healthy replication topology ? i was told that since the HQ DC can
replicate to the other HQ DC and the site DC it has all the information needed
and only one replication connection from this "main" DC to the DR DC
is needed.

could use some feedback on how to handle replication for  DR location.

we are using Double-Take but was told it really isn't necessary for an AD box,
but i would think communication needs to be open for all servers to communicate
to the DR boxes ?

Thanks,

--
HBooGz:\>








RE: [ActiveDir] Computer bootup speeds

2006-08-09 Thread Kevin Brunson
First thing I would check is the DNS settings on the client.  Are they
pointing at a valid DNS server, and is it responding?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer bootup speeds

No, just local.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 09, 2006 1:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer bootup speeds

Do you have roaming profiles?

Andrew Fidel

"Rimmerman, Russ" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/09/2006 02:29 PM
Please respond to ActiveDir@mail.activedir.org
To
cc
Subject: [ActiveDir] Computer bootup speeds

Is there any easy way to determine why it's taking so long for PCs in
our AD to boot up?  It sits at applying settings for quite awhile, so
I'm thinking it may have something to do with GPOs, but most computers
only have 2 or 3 GPOs applied to them.  I wouldn't think the GPOs would
take that long to apply though.  Sometimes it literally sits at applying
settings for 4 or 5 minutes!
I guess I could move a computer to an OU with no GPOs and see, but is
there any other ways?

Thanks

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx








RE: [ActiveDir] Replication from ASP

2006-08-04 Thread Kevin Brunson
See, I knew someone could do something with that….

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Buford
Sent: Friday, August 04, 2006 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

And you could take a vbscript and roll it into a .hta file and then you
could access it from a webpage.

Ed Buford
Network Administrator
Granger Community Church
630 E. University Drive
Granger, IN 46530
574.243.3506, x386 • [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

I have seen a script to do it in vbscript, but not ASP.  Here’s a link
to the vbscript, maybe it’ll trigger something.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Friday, August 04, 2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

Anyone have any thoughts on this?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP

Does anyone know how I force replication through ASP 2.0?

My DC’s are all local (no WANs) and 2003 SP1.

I have a web page that does account creation and then points the user to
a portal which attempts to authenticate against AD.  The portal software
(Peoplesoft) can only attempt against a single DC, so if that user
didn’t create his account there it doesn’t work right away.

Bryan Lucas
Server Administrator
Texas Christian University

 








RE: [ActiveDir] Replication from ASP

2006-08-04 Thread Kevin Brunson
I have seen a script to do it in vbscript, but not ASP.  Here’s a link
to the vbscript, maybe it’ll trigger something.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Friday, August 04, 2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication from ASP

Anyone have any thoughts on this?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 31, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication from ASP

Does anyone know how I force replication through ASP 2.0?

My DC’s are all local (no WANs) and 2003 SP1.

I have a web page that does account creation and then points the user to
a portal which attempts to authenticate against AD.  The portal software
(Peoplesoft) can only attempt against a single DC, so if that user
didn’t create his account there it doesn’t work right away.

Bryan Lucas
Server Administrator
Texas Christian University

 








RE: [ActiveDir] 2003 domain & 2000,

2006-08-04 Thread Kevin Brunson








Sorry I wasn’t trying to be snappy. 
I was just afraid I was missing the connection.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Friday, August 04, 2006
11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003
domain & 2000,



 

We didn’t…I was just
mentioning that with regard to having 2000 DC’s co-existing with 2003
DC’s…I didn’t know that it would matter to you that much I
replied to your message instead of someone else’s reply.

 



Have a great day!

Rob











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
 Brunson
Sent: Friday, August 04, 2006
11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003
domain & 2000,



 

Sorry…., how did we get to the
topology generator from adprep?

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams,
 Robert
Sent: Friday, August 04, 2006
11:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003
domain & 2000,



 

Hey Kevin, I dunno if you’re already
aware of this or if it even applies in your environment…but if you have
more than one site then the new DC will automatically become the ISTG of the
site you put it into.  Whenever a 2003 DC is added to a site, it will
assume ISTG ownership if there are no other 2003 DC’s in that site. 
Might not even matter for your situation, but the following is a really good
read anyway to understand all the cool replication stuff.

 

Here’s a snippet from the following
URL:

http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx?mfr=true





ISTG Role Ownership and Viability

The owner of the ISTG role is communicated through normal
Active Directory replication. Initially, the first domain controller in the
site is the ISTG role owner. It communicates its role ownership to other domain
controllers in the site by writing the distinguished name of its child NTDS
Settings object to the interSiteTopologyGenerator attribute of the NTDS Site
Settings object for the site. As a change to the configuration directory
partition, this value is replicated to all domain controllers in the forest. 

The ISTG role owner is selected automatically. The role
ownership does not change unless:

• The current ISTG role owner becomes unavailable.

• All domain controllers in the site are running
Windows 2000 and one of them is upgraded to Windows Server 2003.

If at least one domain controller in a site is running
Windows Server 2003, the ISTG role is assumed by a domain controller that is
running Windows Server 2003.


Have a great day!

Robert Williams 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 domain & 2000,



 

They will be able to coexist with no
problems, assuming you take all of the appropriate steps before you
upgrade.  You will need to run adprep to prepare the forest and domain for
the 2003 schema.  Run adprep /forestprep on the schema master, and adprep
/domainprep on the infrastructure master.  If you haven’t moved
these roles, they will be installed on the first domain controller that was put
into place.  

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Friday, August 04, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 domain & 2000,



 



We have 5 domain controllers all 2000, one forest, now we want to add
one more domain controller, and the server is 2003, if we add 2003 domain
controller is there going to be any issues with the 2000? compatibility issues,
replication issues, errors that will show? anything I should be worried about
when the 2 domain controllers (2000 and 2003) coexist? 





thank you










RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released

2006-08-04 Thread Kevin Brunson








The only thing I have ever seen is the
Exchange Best Practices Analyzer.  I can’t think of a time that ever
helped me troubleshoot a problem, although PSS always insists on running it. 
If it is the same thing, then what was described below looks like it would be a
significant improvement.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Friday, August 04, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released



 

I thought they had already released a tool
which did similar things a while back. I remember using it once or twice.

Maybe they re-named or improved it?!

 

Thanks for posting this though!

 



Alex











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, August 04, 2006 1:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:Microsoft Exchange Troubleshooting Assistant released



 

Microsoft Exchange Troubleshooting Assistant released - get it here

Yesterday we released some new tools to help make your life as an email admin
easier.  It’s called the Microsoft Exchange Troubleshooting Assistant v1.0.
Here’s the description:



The Exchange Troubleshooting Assistant programmatically
executes a set of troubleshooting steps to identify the root cause of
performance, mail flow, and database mounting issues. The tool automatically
determines what set of data is required to troubleshoot the identified symptoms
and collects configuration data, performance counters, event logs and live
tracing information from an Exchange server and other appropriate sources. The
tool analyzes each subsystem to determine individual bottlenecks and component
failures, then aggregates the information to provide root cause analysis.



As you can see, there’s some good stuff in the new assistant.  Get it at
http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9A&displaylang=en

We’ll be demoing this tool and a host of others starting next week as we launch
the Q1FY07 Microsoft TechNet Seminars.  We start the morning off with a Windows
Vista Technical Overview then later do a bunch of fun stuff with Exchange
Server 2003 and Exchange Server 2007 Beta 2.  See the description of the events
at http://www.technetevents.com.




Published Thursday, August 03, 2006 11:30 PM by Keith Combs 

http://blogs.technet.com/keithcombs/archive/2006/08/03/444904.aspx









RE: [ActiveDir] 2003 domain & 2000,

2006-08-04 Thread Kevin Brunson








Sorry…., how did we get to the
topology generator from adprep?

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Friday, August 04, 2006 11:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 domain & 2000,



 

Hey Kevin, I dunno if you’re already
aware of this or if it even applies in your environment…but if you have
more than one site then the new DC will automatically become the ISTG of the
site you put it into.  Whenever a 2003 DC is added to a site, it will
assume ISTG ownership if there are no other 2003 DC’s in that site. 
Might not even matter for your situation, but the following is a really good
read anyway to understand all the cool replication stuff.

 

Here’s a snippet from the following
URL:

http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx?mfr=true





ISTG Role Ownership and Viability

The owner of the ISTG role is communicated through normal
Active Directory replication. Initially, the first domain controller in the
site is the ISTG role owner. It communicates its role ownership to other domain
controllers in the site by writing the distinguished name of its child NTDS
Settings object to the interSiteTopologyGenerator attribute of the NTDS Site
Settings object for the site. As a change to the configuration directory
partition, this value is replicated to all domain controllers in the forest. 

The ISTG role owner is selected automatically. The role
ownership does not change unless:

• The current ISTG role owner becomes unavailable.

• All domain controllers in the site are running
Windows 2000 and one of them is upgraded to Windows Server 2003.

If at least one domain controller in a site is running
Windows Server 2003, the ISTG role is assumed by a domain controller that is
running Windows Server 2003.


Have a great day!

Robert Williams 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, August 04, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 domain & 2000,



 

They will be able to coexist with no
problems, assuming you take all of the appropriate steps before you
upgrade.  You will need to run adprep to prepare the forest and domain for
the 2003 schema.  Run adprep /forestprep on the schema master, and adprep
/domainprep on the infrastructure master.  If you haven’t moved
these roles, they will be installed on the first domain controller that was put
into place.  

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Friday, August 04, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 domain & 2000,



 



We have 5 domain controllers all 2000, one forest, now we want to add
one more domain controller, and the server is 2003, if we add 2003 domain
controller is there going to be any issues with the 2000? compatibility issues,
replication issues, errors that will show? anything I should be worried about
when the 2 domain controllers (2000 and 2003) coexist? 





thank you










RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD

2006-08-04 Thread Kevin Brunson








If you promote that Exchange box to a
domain controller, it really will break a lot of stuff.  You will be able
to recover from most of it, but it will be a pain.  Then in the future, if
you ever want to make it NOT a DC again, it will break that same stuff, and
then you will probably NOT be able to recover it.  You WILL break
OWA.  Guaranteed.  You might very well kill some other Exchange
functionality as well.  It is possible you could get OWA back after a
tremendous amount of effort, but you really don’t want to promote that
Exchange box.

Kevin Brunson

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Friday, August 04, 2006 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD



 

Hi Mike,

 

Our intention is to have the Exchange 2003
Box and the file server to be our new DC’s. We want both of these boxes
to be running WINS, DNS, DHCP. This is what our current DC’s are running
and we just want to move everything to newer hardware and move to AD 2003.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, August 03, 2006 11:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrating From Windows 2000 AD to Win2k3 AD



 



Chris,





 





Here is a link to your last question and you can see the follow-ups
there too.





 





http://www.activedir.org/ml/msg11411.aspx





 





 





When you say you want to move all services that run on the old DCs to
the exchange 2003 box and your file server does that mean that you
want the file server to become the new DC?  





 





What other services would you like to run on the exchange box? 
Check out the link below on exchange servers and domain controllers.





 





http://blogs.brnets.com/michael/archive/2005/01/24/319.aspx





 





Thanks





Mike





 





 







 





On 8/3/06, Chris Pohlschneider <[EMAIL PROTECTED]> wrote:







Hello,

 

I have some questions about doing a migration from Windows 2000 AD to Win2k3 AD.
Our current environment entails two Windows 2000 AD domain controllers running
DNS, WINS, DHCP. We also have Exchange 2003 installed on a separate Windows 2003
Server. We want to keep the same domain name and move all of the services that
run on the old Windows 2000 Domain controllers onto the Exchange server and
also our main file server which is Windows 2003 Server. I am a bit of a newbie
and would like some guidance on how to perform this upgrade. I appreciate any
help. Sorry for asking this question again, but I have misplaced the e-mails
from this last discussion. 

 

Chris Pohlschneider

Holloway Sportswear IT

937-494-2559

937-497-7300 (Fax)

[EMAIL PROTECTED]

 

 









 








RE: [ActiveDir] 2003 domain & 2000,

2006-08-04 Thread Kevin Brunson








They will be able to coexist with no
problems, assuming you take all of the appropriate steps before you upgrade. 
You will need to run adprep to prepare the forest and domain for the 2003
schema.  Run adprep /forestprep on the schema master, and adprep /domainprep on
the infrastructure master.  If you haven’t moved these roles, they will
be installed on the first domain controller that was put into place.  

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Friday, August 04, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 domain & 2000,



 



We have 5 domain controllers all 2000, one forest, now we want to add
one more domain controller, and the server is 2003, if we add 2003 domain
controller is there going to be any issues with the 2000? compatibility issues,
replication issues, errors that will show? anything I should be worried about
when the 2 domain controllers (2000 and 2003) coexist? 





thank you
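The adprep advice in this thread and the ISTG excerpt quoted in its longer copies can both be checked from the directory itself. The script below is an added example, not code from any list member; it assumes the ActiveDirectory PowerShell module (which postdates these posts) and a single-domain forest, and it only reads data.

```powershell
# Added example (not from the thread): read-only checks before and after
# adding a Windows Server 2003 DC to a Windows 2000 forest.
# Assumes the ActiveDirectory module (RSAT) and a single-domain forest.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# 1. Where adprep runs: /forestprep on the schema master,
#    /domainprep on the infrastructure master.
[pscustomobject]@{
    SchemaMaster         = (Get-ADForest).SchemaMaster
    InfrastructureMaster = (Get-ADDomain).InfrastructureMaster
} | Format-List

# 2. Has /forestprep been applied? objectVersion on the schema head records it.
$knownVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2' }
$version = [int](Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
$label = if ($knownVersions.ContainsKey($version)) { $knownVersions[$version] } else { 'not in this table' }
"Schema objectVersion: $version ($label)"

# 3. Who owns the ISTG role in each site? The owner is published in the
#    interSiteTopologyGenerator attribute of the site's NTDS Site Settings object.
$siteSettings = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties interSiteTopologyGenerator

$istgRows = foreach ($s in $siteSettings) {
    # DN shape: CN=NTDS Site Settings,CN=<site>,CN=Sites,CN=Configuration,...
    $siteName = ($s.DistinguishedName -split '(?<!\\),')[1] -replace '^CN=', ''
    $row = [ordered]@{ Site = $siteName; IstgOwner = $null; OperatingSystem = $null; Note = $null }

    $istgDn = $s.interSiteTopologyGenerator
    if (-not $istgDn) {
        $row.Note = 'attribute not set'
    } else {
        try {
            # The value is the DN of the owner's NTDS Settings object;
            # its parent is the server object under the site.
            $serverDn = $istgDn -replace '^CN=NTDS Settings,', ''
            $server = Get-ADObject -Identity $serverDn `
                -Properties dNSHostName, serverReference -ErrorAction Stop
            $row.IstgOwner = $server.dNSHostName
            if ($server.serverReference) {
                $row.OperatingSystem = (Get-ADComputer -Identity $server.serverReference `
                    -Properties OperatingSystem -ErrorAction Stop).OperatingSystem
            }
        } catch {
            # A demoted or deleted owner leaves a DN that no longer resolves.
            $row.Note = "owner could not be resolved: $istgDn"
        }
    }
    [pscustomobject]$row
}
$istgRows | Format-Table -AutoSize
```

Running it before and after the promotion shows whether the schema version moved and whether ISTG ownership in the new DC's site changed as the excerpt describes.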










RE: [ActiveDir] Exchange attributes..

2006-08-03 Thread Kevin Brunson








Do you have the Exchange System Management
Tools installed on the other domain controllers?  

From the Exchange cd, choose “Install
System Management Tools Only”.  Basically you will choose Custom from the Setup
and tell it to only install the Tools, not the Exchange services.  

I would be careful doing this on a
workstation with Outlook installed though, there have been some problems with
this in the past, depending on which version and all that. It can very easily
break Outlook.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Thursday, August 03, 2006 10:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange attributes..



 

Hey Guys -

I don't get the Exchange tabs (Exchange General, Exchange Tasks, etc.) when I
right-click a user account and select properties when I'm accessing this
account from ADUC on a domain controller and on my Windows XP machine running
adminpack. 

The only place, obviously, is on the ADUC located on the Exchange box. The
Exchange box is running Windows 2000 SP4 and Exchange 2003.

Do I have to re-run forestprep and domainprep from the Exchange 2003
setup again? 

-- 
HBooGz:\> 








RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Kevin Brunson








Don’t you love online translators

Am hwyl, dwi am ymateb drwy beidio a dweud dim byd mwy
nag adlewyrchu dy bwynt! = 

About sail , I am being about answer
through cease I go say anything world more nor reflect he covers point!

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 03, 2006 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest



 



Am hwyl, dwi am ymateb drwy beidio a dweud dim byd mwy
nag adlewyrchu dy bwynt!





 







----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 2:10 PM
Subject: OT: [ActiveDir] Setting FFL=2 automatically when building first DC in forest





 





LOL.  Yep. 
I'm adverse to such things as I'm fed up of the damned English, Scottish,
Irish, South African and Australian (and there's a damned cheek) meet'g and
bleh'g at me...  ;-)





 





O dear - we'll be seeing posts in Welsh
next :)



 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 03 August 2006 13:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest



Ah nice, you got there before me with a better
answer!  :P





 





I'm poking around in there now, as I'm in a similar
position to Neil at the mo'.





 





Question: Can I provide schema.ini as an argument to the
promotion or unattended or do I need to mod the default file prior to running
the unattended script?





 





 





> mint-sauce-fearing friend 





 





LOL.  Yep.  I'm adverse to such things as I'm
fed up of the damned English, Scottish, Irish, South African and Australian
(and there's a damned cheek) meet'g and bleh'g at me...  ;-)





 





 







----- Original Message -----
From: Dean Wells
To: Send - AD mailing list
Sent: Thursday, August 03, 2006 1:30 PM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest





 



That’s v. close my mint-sauce-fearing friend but it’s likely that that will set
only the dom. func. level to K3 native (though to be honest I’ve not
tried).  So, since forests tend to drag domains with them, functional
level wise, (i.e. when a new domain is created within an existing forest), we
simply need to tell the forest func. level to seed itself with a value of 2
… see my previous post for instructions on how to do that.













--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com













 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 03, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest





 



It might be worth looking at the
%systemroot%\system32\schema.ini file again.  I just had a poke around in
there after reading Dean's answer to your question yesterday and the first
section, the [DEFAULTROOTDOMAIN] section is setting nTMixedMode.  You can
change that to 0 (for native) and try adding mSDS-Behavior-Version and
setting it to 2.





 





I don't know if that will work, but you're probably in a
position to test this...





 





 





--Paul





 







----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest





 



According to http://support.microsoft.com/kb/223757/en-us the
SetForestVersion entry in the dcpromo answer file can only be used to set
FFL to 1 or 0 when building a new forest.

Is this correct? I'd like to automate the transition to FFL=2 when building the
first DC in a forest (without a script).

Perhaps another change request for Longhorn? :) 

neil





RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

2006-07-27 Thread Kevin Brunson








How many domains, how many users, is it
650 meg on a GC or non-GC?  Is this 650meg after an offline defrag?  If not
when was the last time it was defragged?  I am not sure it is answerable even
with that info, but it certainly doesn’t seem answerable without….

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of RM
Sent: Thursday, July 27, 2006 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?



 

NTDS.DIT is currently 650megs.  Once Exchange has been fully deployed, any guesses
as to how much larger it will become?  Just looking for a ballpark
figure...

thx,

RM








RE: [ActiveDir] Adding the first Win2003 R2 DC

2006-07-27 Thread Kevin Brunson








There is an adprep folder on the R2 cd.  Run
it just like you would for 2000 to 2003 upgrade.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, July 27, 2006 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding the first Win2003 R2 DC



 

I have 4 DC’s that are Win2003 SP1 and 1 DC that is
still Win2000 SP4.  I’d like to add a new DC that is Win2003
R2.  Is there anything special I need to do (i.e. forestprep/domainprep)
or can I join it just like another Win2003 SP1 DC?

 

Thanks,

 

Bryan Lucas

Server Administrator

Texas Christian University

 








RE: [ActiveDir] OT: HP disk array expansion

2006-07-26 Thread Kevin Brunson








If you do it that way, I would make sure
you’ve got the network cable unplugged when you boot it after
imaging.  Depending on what you are using the server for it could cause
problems.  

I had a customer follow this path with a
domain controller.  He booted the server from the old drives after copying
the image to the new drive set, and then booted it from the new drives. 
Active Directory considered this an abnormal USN rollback, and gave him all
kinds of fits.  It took me at least an hour getting replication working
again.  Don’t plug the network cable back in until you are sure you
have the server ready to go.

 

Kevin

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Wednesday, July 26, 2006 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion



 

James,

 

Have been in a similar
situation on numerous occasions with HP ML350 G3/G4’s. In our case we
installed a firewire card and a Lacie drive or utilised the native USB to
portable HD and Acronis True Image. We imaged the disks and then pulled them
out and put the new ones in and imaged it back, works nicely…This
solution even worked for an Exchange server and if it all fails you can simply
put the old disks back in and be back where you started…

 

James 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, 27 July 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: HP disk array expansion



 



Hi,





 





I have a HP ML370 Proliant Server. It currently has 4
x 36GB in a RAID 5 set.





 





I want to upgrade the disk capacity of this server. I
have bought 4 x 300gb disks as replacements.





 





At present I have 4 x 36GB disks in the server. I was
told I could replace one disk in the RAID with a 300GB, let the raid
rebuild and do the next disk. Repeat until all of the disks are 300GB and
then I can look in the ACU and create a second logical drive that sees all that
new space.





 





Can this be done? Anyone know how long it would take
to rebuild? currently there is 90gb used in the current volume.





 





My other alternative is to buy a Tape Drive, backup,
break array, create new array and then restore but this department don't want
any downtime.





 





Anyway shed some light as to which is the best method
to take?





 





thanks James



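The USN rollback described in the reply at the top of this thread leaves markers on the affected domain controller that can be checked before the network cable goes back in. The function below is an added example, not code from the thread; Event ID 2095, the "Dsa Not Writable" registry value and the paused Net Logon service are the quarantine markers used by Windows Server 2003 SP1 and later, none of which the posters mention, and the function name is made up for this example.

```powershell
# Added example (not from the thread): look for the markers a domain
# controller sets when it detects that it was rolled back to an older
# database image. Run locally on the restored DC, ideally while it is
# still disconnected from the network.
function Test-UsnRollbackIndicators {
    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # 1. Event 2095 in the Directory Service log reports a detected rollback.
    #    Get-WinEvent raises an error when nothing matches, so silence that case.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                    -MaxEvents 5 -ErrorAction SilentlyContinue)

    # 2. The directory service marks itself non-writable through this value.
    $regValue = $null
    $props = Get-ItemProperty -Path $paramKey -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue
    if ($props) { $regValue = $props.'Dsa Not Writable' }

    # 3. Net Logon is paused so clients stop using the DC.
    $netlogon = Get-Service -Name Netlogon -ErrorAction SilentlyContinue
    $netlogonPaused = ($null -ne $netlogon -and $netlogon.Status -eq 'Paused')

    [pscustomobject]@{
        Event2095Count      = $events.Count
        LatestEvent2095     = if ($events.Count) { $events[0].TimeCreated } else { $null }
        DsaNotWritableValue = $regValue
        NetlogonPaused      = $netlogonPaused
        RollbackSuspected   = ($events.Count -gt 0) -or ($null -ne $regValue) -or $netlogonPaused
    }
}

Test-UsnRollbackIndicators | Format-List
```

A clean result does not prove the image is safe, since a rollback is only flagged once replication partners are contacted; it confirms that no quarantine has been triggered so far.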








RE: [ActiveDir] Securing DFS

2006-07-25 Thread Kevin Brunson








Good call, if not using replication then
2000 does a dfs root just fine

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 25, 2006 1:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing DFS



 

changing the permissions to read only on
the DFS roots is no issue at all (doesn't matter what type of server the root
is hosted on - DC or member). I'd actually replace everyone with Auth. Users at
the same time.

 

as for Kevin's other comment on using
Win2000 for DFS vs. Win2003 or R2 - totally agree that especially R2 has
extensive improvements in the DFS service itself and especially in the
file-replication engine (DFS-R). But if Bryan
is not using file-replication in this Win2000 environment and "only"
needs to build a hierarchy of shares, he can already get quite far with Win2000
DFS roots.  Of course there have been advancements such as multiple DFS
roots per server in 2003 and further cool stuff for the basic DFS service in
R2, such as sub-folder hierarchy for the DFS links, but Bryan may not need
them.

 

Fully agree though, if file replication
is involved, DFS-R in R2 is much preferred over FRS in Win2000 and Win2003
(RTM). Really depends on your situation if you need it.

 

/Guido

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Monday, July 24, 2006 11:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing DFS

I have never had any problems caused by
changing permissions on a DFS root.  One thing to consider before you move
too far down the road of configuration though is if you really want to invest
in a 2000 DFS structure when the 2003 R2 DFS structure is so much more robust
and reliable.  I have had and heard of countless problems with 2000
DFS.  I have not had any problems with 2003 R2 DFS at all.  If you
decide to move forward with 2000 DFS, be aware that they will probably stop
replicating occasionally.  You will then spend hours
troubleshooting.  Seriously it is worth building this on 2003 R2 servers
even if you don’t currently have any, if you are doing anything with
DFS.  I know that is not what you are asking, sorry.  

Anyone disagree?

Kevin Brunson

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 24, 2006 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS



 

We built a DFS Root on a windows 2000 domain controller and
the root of the share has “Everyone” Full Control.  E.g. if I
go to \\domain.com, right click on the dfs
root’s properties, the security tab.

 

Can I simply take FC away?  I’m a bit hesitant
because it lives on the DC and came this way by default.

 

Bryan Lucas

Server Administrator

Texas Christian University

 








RE: [ActiveDir] Securing DFS

2006-07-24 Thread Kevin Brunson








I have never had any problems caused by
changing permissions on a DFS root.  One thing to consider before you move too
far down the road of configuration though is if you really want to invest in a
2000 DFS structure when the 2003 R2 DFS structure is so much more robust and
reliable.  I have had and heard of countless problems with 2000 DFS.  I have
not had any problems with 2003 R2 DFS at all.  If you decide to move forward
with 2000 DFS, be aware that they will probably stop replicating occasionally. 
You will then spend hours troubleshooting.  Seriously it is worth building this
on 2003 R2 servers even if you don’t currently have any, if you are doing
anything with DFS.  I know that is not what you are asking, sorry.  

Anyone disagree?

Kevin Brunson

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 24, 2006 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS



 

We built a DFS Root on a windows 2000 domain controller and
the root of the share has “Everyone” Full Control.  E.g. if I
go to \\domain.com, right click on the dfs
root’s properties, the security tab.

 

Can I simply take FC away?  I’m a bit hesitant
because it lives on the DC and came this way by default.

 

Bryan Lucas

Server Administrator

Texas Christian University

 








RE: [ActiveDir] Domain Trusts.

2006-07-21 Thread Kevin Brunson








I guess the thing to remember about the
DIT file is that it will be different on every domain controller.  If it is a
global catalog it might very well be bigger than the DIT file on another domain
controller that is not a GC.  It will also depend on whether or not the
ntds.dit has been defragged offline.  

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Friday, July 21, 2006 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Trusts.



 

I've done some looking around on Microsoft's site, but can't find the
information that I need.

What can be done with/to the automatic trusts that are created when a new tree
is created in a forest and/or a new subdomain is created? 

I understand that 2-way transitive trusts are created, but can I break that or
alter it in any way and if so, what way can those trusts be changed?

One other quick question, as long as I'm asking what is the impact to a
parent domain's DIT database when you create a subdomain, if any? 








RE: [ActiveDir] Disabling the file open security warning for certain VBS scripts

2006-07-21 Thread Kevin Brunson








I don’t think it matters if they are
in the Local Intranet or not.  It is the unsigned code that XP SP2 and
Win2k3 SP1 don’t like.  It is going to block unsigned code from any
network source.  I dealt with this for a customer who was running a custom
app during login.  It was calling a VBScript from a domain controller in
the same subnet, and every time it ran it gave the security warning.  The
only way to fix it was to sign it or turn off the warning in IE for the entire
domain.  I think it is the “Check for Signatures on Downloaded
Programs” checkbox in Internet Options > Advanced.  

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, July 21, 2006 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling the file open security warning for certain VBS scripts



 

You could add all of the possible source
servers to your IE "Local Intranet" zone via group policy.

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 21, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling the file open security warning for certain VBS scripts

Thanks Kevin. I thought as much.

 

The option to store the files locally is
not viable - there are ~15,000 machines :)

 

Code signing may be viable altho I'm not
sure there is a single, trusted PKI within the org...

 

 

Thank again,

neil







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: 21 July 2006 15:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling the file open security warning for certain VBS scripts

You can’t turn it off for specific
files, or even file types.  You can set it via Internet Explorer GPO to
turn off the warning altogether, but I don’t think you really want that.

There are two options that I know
of.  You can either use a trusted source for code-signing, or you can
store the files locally on every machine in the environment.  If it is
stored locally Windows doesn’t consider it to be a threat.  
You would have to change the path to the vbs scripts to something that resolves
locally on the machines (c:\scripts\..., for example).  Of course the
admin overhead on that becomes insane.  If every user connects to your
network from a Citrix server or something like that, it is a little more
doable.  Otherwise code-signing is really the only viable option.  

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 21, 2006 3:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabling the file open security warning for certain VBS scripts



 

 

I have a bunch of vbs scripts which are stored in SYSVOL.


They are called when a user right clicks an object in AD and
chooses one of the extra functions added to the context menu (via a
displaySpecifiers change) .

By default, these scripts generate a file open security
dialog - which I'd like to suppress. 

Any ideas as to how this might be done for just a select few
VBS scripts, without allowing all VBS scripts to run without a warning? The
scripts could be executed from any machine in the forest.

Software restriction policy? 
Code signing? 
IE zone changes? 
??? 

Thx, 
neil 



PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete
your copy from your system. You must not copy, distribute or take any
further action in reliance on it. Email is not a secure method of
communication and Nomura International plc ('NIplc') will not, to the
extent permitted by law, accept responsibility or liability for (a) the
accuracy or completeness of, or (b) the presence of any virus, worm or
similar malicious or disabling code in, this message or any
attachment(s) to it. If verification of this email is sought then please
request a hard copy. Unless otherwise stated this email: (1) is not, and
should not be treated or relied upon as, investment research; (2)
contains views or opinions that are solely those of the author and do
not necessarily represent those of NIplc; (3) is intended for
informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised
and regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of
companies.






RE: [ActiveDir] Disabling the file open security warning for certain VBS scripts

2006-07-21 Thread Kevin Brunson
You can’t turn it off for specific
files, or even file types.  You can set it via Internet Explorer GPO to turn
off the warning altogether, but I don’t think you really want that.

There are two options that I know of.  You
can either use a trusted source for code-signing, or you can store the files
locally on every machine in the environment.  If it is stored locally Windows
doesn’t consider it to be a threat.   You would have to change the path
to the vbs scripts to something that resolves locally on the machines
(c:\scripts\..., for example).  Of course the admin overhead on that becomes
insane.  If every user connects to your network from a Citrix server or
something like that, it is a little more doable.  Otherwise code-signing is
really the only viable option.  

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 21, 2006 3:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabling the file open security warning for certain VBS scripts

I have a bunch of vbs scripts which are stored in SYSVOL.


They are called when a user right clicks an object in AD and
chooses one of the extra functions added to the context menu (via a
displaySpecifiers change) .

By default, these scripts generate a file open security
dialog - which I'd like to suppress. 

Any ideas as to how this might be done for just a select few
VBS scripts, without allowing all VBS scripts to run without a warning? The
scripts could be executed from any machine in the forest.

Software restriction policy? 
Code signing? 
IE zone changes? 
??? 

Thx, 
neil 
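
An added example, not part of the thread: if code signing is the route taken, an inventory of which .vbs files in the share are signed, and by which certificate, is a useful first check given the PKI doubt raised above. The function name, verdict labels and the temporary demo file are constructed for illustration; pass your own share path and signing-certificate thumbprints.

```powershell
# Added example (not the posters' code): report the Authenticode state of
# every .vbs file under a folder and flag anything not signed by an
# expected certificate.
function Get-ScriptSignatureReport {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$TrustedThumbprints = @()   # thumbprints you expect (assumption: supplied by caller)
    )
    Get-ChildItem -Path $Path -Filter *.vbs -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $sig.SignerCertificate
            $thumb  = $null
            $subject = $null
            if ($signer) { $thumb = $signer.Thumbprint; $subject = $signer.Subject }

            if ($sig.Status -eq 'NotSigned') {
                $verdict = 'Unsigned'
            } elseif ($sig.Status -ne 'Valid') {
                # HashMismatch (file edited after signing), NotTrusted (chain
                # does not end in a trusted root on this machine), and so on.
                $verdict = 'Invalid'
            } elseif ($TrustedThumbprints -contains $thumb) {
                $verdict = 'TrustedSigner'
            } else {
                $verdict = 'UnexpectedSigner'
            }

            [pscustomobject]@{
                File       = $_.FullName
                Verdict    = $verdict
                Status     = $sig.Status
                Signer     = $subject
                Thumbprint = $thumb
            }
        }
}

# Constructed demo input: one unsigned script in a temporary folder.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'vbs-signature-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'unsigned.vbs') -Value 'WScript.Echo "constructed sample"'

Get-ScriptSignatureReport -Path $demo |
    Where-Object { $_.Verdict -ne 'TrustedSigner' } |
    Format-Table File, Verdict, Status -AutoSize
```

Run it on a client rather than only on the signing machine: a status of NotTrusted there means that client does not trust the issuing chain.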




RE: [ActiveDir] Vendor Domain

2006-07-20 Thread Kevin Brunson

So they’re blowin a lot of smoke to
disguise their actual thought process:

 

“You” are a
liability we do not want to expose our servers to.  We do not believe you
to be capable of managing an Active Directory environment, and therefore we put
in our own stuff without giving you the passwords.  That way you can’t
screw something up.

Personally I would be offended.  Professionally I would
question whether they are any more qualified to manage my AD than I am.  

Kevin

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Thursday, July 20, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

Thank you all. 

 

The vendor in question is bringing in a
medical solution. Here is the response from the vendor so far. Mind you that we
have lots of medical device solutions that exist in our domain, the FDA card is
played as a blanket so you stop asking questions... we ran into the same
issue with security patches. "why can't I patch that device?". When
we've looked at these FDA regulations in the past it turned out that there was
more liability by not patching. 

 

From the vendor:

 

"Let me start by
thanking you for considering our support model and continuing to pursue
supporting it in your organization.  Our designers have architected the
system to comply with Microsoft’s best practices. We have implemented our
own .local domain in an effort to provide solid system integrity founded on
Kerberos authentication and a single sign-on experience for your clinicians. 

 

Our system relies heavily on the integrity of the Active
Directory structure. We have integrated the launching of services and control
of processes using this Microsoft recommended model. 

 

It has been our experience that relying on a hospital’s
Active Directory structure is a dependency that has opened our customers
up to liabilities for the integrity of our regulated medical device.
I liken the servers to a respirator. Having an outside person, no matter how
qualified, work on a respirator would be a concern from a clinical
standpoint.  We have witnessed Group Policies applied to servers in a more
open environment. This is a liability we do not want to expose our business
partners to. Any change, no matter how minute to our system, would endanger our
validation and designation as a XXX regulated medical device and would
open you to failing FDA auditing."

Thanks







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 20, 2006 12:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

I would tend to agree except in the case of
Exchange, I am ALL FOR Exchange being run in a separate single domain forest,
it solves an incredible number of problems such as the GC/NSPI problems as well
as administrative isolation, etc. The exception there is if Exchange is
deployed in a decentralized fashion out to all of the sites you already
have DCs at, at that point, you probably want to fight with the issues with it
in the main forest.

 

The biggest complaint I have seen for running a separate Single Domain
Forest for Exchange is around provisioning and quite frankly, that
really isn't all that involved and doesn't necessarily need a full blown
MIIS/IIFP solution. It depends on what data is needed where. If you need
all of the GAL info in the main NOS forest as well as the Exchange
forest then you are looking more into metadata sync tools unless your
provisioning is all being handled through a centralized mechanism and
then that can be used to send the info in both directions and actual tie
between the domains for syncing isn't necessarily required.

 

But if this isn't Exchange, I would be
curious to hear the details of the app and why they want a separate forest.
Most vendors if they told me they did it in a stupid way that had that
requirement I would beat and tell them to fix it. With MSFT and Exchange, that
only works a little bit. :)



 



--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, July 20, 2006 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vendor Domain

I think everyone would be conceptually
opposed - would be good to hear the vendor's reasoning for this. 

What does the app do? 

What benefit do you have from running their app in a separate (single
domain) forest?

I can think of many downsides, but if the app is supposed to protect
really sensitive data (isolation scenario), this may potentially be the
reason for them to demand a separate forest. Certainly not, if the same
folks manage both forests though...  So pls. ask them for more details -
doesn't hurt to understand their thinking.

 

/Guido

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, July 

RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

2006-07-17 Thread Kevin Brunson

Al

I wish I had that luxury.  I do
consulting.  Most of the time I am looking at an AD environment because
the customer realizes it is a complete mess, and my job is to clean it up and
walk away.  If they were willing to do it as you described, I would
probably not need to be involved in their network.  

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, July 17, 2006 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Clean install VS Upgrade of Windows 2003

Kevin, as someone who is currently living a similar situation, I
personally decided that there should be no solution out there that I am
responsible for that cannot be restored in a repeatable way.  It's a lot of
extra work, but one by one I go through each application (in order of stated
importance) and restore them to the lab environment until working as declared
by the business application owner. I document each step.  I make sure I
know where each piece of software is.  I make sure I have what's needed to
put it back together.  I try to catch some sleep in between at some
point.  I laugh at the weekends... wait, that's off-topic. Anyway, if you
have any other apps like that, and it's likely that you do, I think it's in the
best interest if you ensure that restoration procedures and documentation are
up to date and tested. I realize what a tremendous amount of extra work that is
with seemingly little tangible return. Similar to accident insurance,
you really don't see the benefit until you need it.

It's worth the time to go through each of the apps.  Besides, you
might be surprised at what you find and at how much easier each day after that
becomes.

Again, my $0.04 worth (all money values stated are USD unless otherwise
mentioned)

On 7/17/06, Kevin Brunson <[EMAIL PROTECTED]> wrote:

Certainly the biggest problem I have come across upgrading
from 2k to 2003 was because of one of these legacy settings.  I don't know
who at MS decided to go from "WINNT"  to "Windows",
but it can cause some pretty serious recovery issues if you are not using some
sort of bare metal restore.  Here's the scenario: 

 

You've got a server with some critical piece of
software.  Because you don't know anything about the software and it was
the last admin that installed it you decide to upgrade instead of clean
install.  This leaves Win2k3 running out of the WINNT folder instead of
the Windows folder.  After a few months, the server loses a RAID card,
corrupting the disk set, and it needs to be back up immediately.  You
begin a fresh load of 2003 on the server, and then notice that it is installing
to Windows, not WINNT.  After the fresh load finishes, you try to restore
the last backup.  BSOD.  Hmm, how do you make Win2k3 install to
WINNT, oh yeah that's right, you don't.  Now instead of restoring the last
backup and system state and moving on with life you are installing the apps
from scratch and hoping they work right.  Perhaps after a long weekend it
is back up again, but it shouldn't have been that hard.   Too bad the
last admin who worked here didn't leave any sort of documentation on how this
thing works.  

 

Sure, you're running all of your servers virtual so this
doesn't apply to you.  Bare-metal restore, no big deal.  Restore from
tape or file, good luck.  













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Sunday, July 16, 2006 6:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

I agree with Jorge on this. Every new OS MSFT comes out with
they tell you that it is much better at handling upgrades than the last and how
bad the last one actually did it. So if someone tells me K3 does it great I
tell them to say that when say LongHorn comes out. :) 

 

Anyway, you will have legacy settings that stay around when
you do an upgrade say like the replication holdback reg settings, etc when you
do an upgrade and it could be confusing later when troubleshooting something. 

 

Unless there is absolutely no way possible to do a fresh
install then I would recommend going that way. 

 

 

Going slightly OT, I even reinstall my personal home clients
on a regular basis (normally every 6 months but occasionally that slides
depending on how busy I am) to get away from Windows rot and clean off
crap that I don't currently use. I am also getting big into using virtual
machines for most desktop functions now so that makes things even easier as I
can roll back to a predetermined point or just pull the backup image off of a
DVD that I made when I first made the image. Of course make sure you update the
image with new patches first thing. :)  In fact right now, I am
writing this email on a virtual XP instance running with about 15 other
vir

RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

2006-07-17 Thread Kevin Brunson

Certainly the biggest problem I have come
across upgrading from 2k to 2003 was because of one of these legacy
settings.  I don’t know who at MS decided to go from “WINNT” 
to “Windows”, but it can cause some pretty serious recovery issues
if you are not using some sort of bare metal restore.  Here’s the
scenario:

 

You’ve got a server with some
critical piece of software.  Because you don’t know anything about
the software and it was the last admin that installed it you decide to upgrade
instead of clean install.  This leaves Win2k3 running out of the WINNT
folder instead of the Windows folder.  After a few months, the server loses
a RAID card, corrupting the disk set, and it needs to be back up immediately. 
You begin a fresh load of 2003 on the server, and then notice that it is
installing to Windows, not WINNT.  After the fresh load finishes, you try
to restore the last backup.  BSOD.  Hmm, how do you make Win2k3
install to WINNT, oh yeah that’s right, you don’t.  Now
instead of restoring the last backup and system state and moving on with life
you are installing the apps from scratch and hoping they work right.  Perhaps
after a long weekend it is back up again, but it shouldn’t have been that
hard.   Too bad the last admin who worked here didn’t leave any
sort of documentation on how this thing works.  

 

Sure, you’re running all of your
servers virtual so this doesn’t apply to you.  Bare-metal restore,
no big deal.  Restore from tape or file, good luck.  









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, July 16, 2006 6:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

I agree with Jorge on this. Every new OS
MSFT comes out with they tell you that it is much better at handling upgrades
than the last and how bad the last one actually did it. So if someone tells me
K3 does it great I tell them to say that when say LongHorn comes out. :)

 

Anyway, you will have legacy settings that
stay around when you do an upgrade say like the replication holdback reg
settings, etc when you do an upgrade and it could be confusing later when
troubleshooting something.

 

Unless there is absolutely no way possible
to do a fresh install then I would recommend going that way. 

 

 

Going slightly OT, I even reinstall my
personal home clients on a regular basis (normally every 6 months but
occasionally that slides depending on how busy I am) to get away from
Windows rot and clean off crap that I don't currently use. I am also getting
big into using virtual machines for most desktop functions now so that makes
things even easier as I can roll back to a predetermined point or just pull the
backup image off of a DVD that I made when I first made the image. Of course
make sure you update the image with new patches first thing. :)  In
fact right now, I am writing this email on a virtual XP instance running
with about 15 other virtuals on a machine that is on the other side of
my house.  Also all web surfing to untrusted sites is done
through a virtual I have with undo disks, after I finish surfing I tell it to
undo and it is ready for the next time. 



 



--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Sunday, July 16, 2006 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Clean install VS Upgrade of Windows 2003

Personally I hate OS upgrades and try hard to avoid them and prefer to
choose a fresh clean install...

Although supported when upgrading an OS old stuff from the
previous OS is kept and besides that you might run into issues because of
incompatibilities with software, drivers, etc. A clean install in combination
with the migration of the stuff hosted on the old server to the new server gives you
a phased approach. Upgrading directly impacts the server and if the upgrade
fails you might end up with a trouble server.

IMHO:

* avoid OS upgrades when possible and only use it when
really necessary (like for example NT4 PDC -> W2K3 DC, which is mandatory)

Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :









 







From: [EMAIL PROTECTED] on behalf of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Sun 2006-07-16 20:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Clean install VS Upgrade of Windows 2003

Hey all,

Does anyone have any comments/articles,
etc on the benefits or concerns of a clean install of Windows 2003 Server VS an
Upgrade?  My opinion is that doing a clean install keeps system root

RE: [ActiveDir] Group Policy won't rerun

2006-07-14 Thread Kevin Brunson
By the way, the errors would be in the
Application log on the client, not the server.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, July 14, 2006 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Policy won't rerun

I'm new to group policy and this is my first group policy with software
installation.  I have successfully created 2 msi files and placed them in
a group policy.  Earlier in the week, I was able to install the msi files
via group policy on a test laptop.  I then uninstalled the application as I
was testing a few things.  I've been trying to have GP reinstall the
application, but it's just not happening.  I move the machine out of the
OU and back in, but no luck.

I've even gone as far as ghosting the laptop, but it still won't install.
I've done a gpupdate /force several times, but it just won't reinstall
after reboot.  Could someone please lead this newbie to fixing this
issue?  I ask because I know this will come up several times when we do
go into production.  Thanks in advance.








RE: [ActiveDir] Group Policy won't rerun

2006-07-14 Thread Kevin Brunson
Are you seeing any errors in the event
log?  If you right-click on the Software Package, there is an option to
Redeploy the application.  You may want to try that.  

 

Kevin

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, July 14, 2006 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Policy won't rerun

I'm new to group policy and this is my first group policy with software
installation.  I have successfully created 2 msi files and placed them in
a group policy.  Earlier in the week, I was able to install the msi files
via group policy on a test laptop.  I then uninstalled the application as I
was testing a few things.  I've been trying to have GP reinstall the
application, but it's just not happening.  I move the machine out of the
OU and back in, but no luck.

I've even gone as far as ghosting the laptop, but it still won't install.
I've done a gpupdate /force several times, but it just won't reinstall
after reboot.  Could someone please lead this newbie to fixing this
issue?  I ask because I know this will come up several times when we do
go into production.  Thanks in advance.








RE: [ActiveDir] Loopback Processing Problem

2006-07-13 Thread Kevin Brunson

Make sure that the permissions are set to
Apply Group Policy for both the computers AND the student accounts.  Otherwise
it will not apply the User Settings.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Piper, Pat
Sent: Thursday, July 13, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Loopback Processing Problem

I am hoping someone can help us out
with a loopback processing issue we are having.

   

We are trying to add our lab
computers to our Active Directory and are going to have our students login
using their child domain credentials.   All the computers are added
as objects to the child domain that the students belong to.   
We want to manage group policy by applying it to the computers and not to the
users, this enables us to do things like locking down the background image for
all computers regardless of the logged on user.   

 

No matter what we try our policies
are not being applied and we can't get we want user policies to apply to
computer objects.  When local security policies are applied they work,
when user policies are applied they work, which means that the computer is
communicating with the domain properly.

 

We’ve read through the
following article from Microsoft but are not having any luck finding good
troubleshooting steps for this.   Does anyone know of any
“gotchas” for loopback processing or of a good troubleshooting
guide?

 

Loopback processing of Group Policy

http://support.microsoft.com/?id=231287

 

Pat

-

Desktop & Server Services

Keene State College

Keene, NH 03435-2615

603 358-2172

 

"Beware
the lollipop of mediocrity; lick it once and you'll suck forever." - Brian
Wilson.

 








RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Kevin Brunson
Don't domain controllers register their SRV records with both primary
and secondary DNS?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, July 13, 2006 10:02 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself
as the preferred DNS server...always?

Hi Al

I did want to throw in a personal experience I had with W2K3 that
validates the "Point your DNS server to a replication partner theory".
I did see in one environment where every DC had DNS and the msdcs
partition was a forest partition.  An unfortunate DNS scavenge was done
deleting some of the GUID records in the MSDCS partition.  Replication
started to fail shortly after that and the missing GUIDs were
discovered.  The netlogon service was restarted to make the DCs
re-register but of course they re-registered the GUID on themselves.
They could find themselves but not their replication partners.  The
replication partners could find them but not themselves.  When the DCs
were set to point to a hub replication partner for primary and
themselves as secondary the problem went away - the netlogon service was
restarted, the GUIDs registered on the central DNS server, the spokes
did the lookup for replication partners on the hub site DC and
eventually things started working again.

This was pre - SP1 so this may not be a problem anymore, but after that
experience I have seen value in doing the DNS configuration so that the
DCs all point to the hub first and themselves second.  I have not seen
any problems for the DC itself when the WAN link dropped for a length of
time and the primary DNS server was not reachable.

Of course, if there are never any changes to DC IPs or names and the
MSDCS is never scavenged (or the interval is long enough not to recreate
the above problem) then the above argument is moot.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]

From: "Al Mulnick" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 07/12/2006 09:58 PM AST
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself
as the preferred DNS server...always?
Please respond to ActiveDir

You don't work at the post office do you? ;)

There are many many many ways to properly configure DNS.  One thing that
helps is to think of the terms client and server vs. preferred and
alternate only. You are configuring a preferred server and an alternate
server that you want this DC to be a client of.

DNS is a standard.  Windows 2003 DNS follows those standards (comments
really, but let's not pick right?)  Microsoft has done some enhancements
above and beyond that make DNS play very well in the Microsoft
sphere[1].  You can however have DNS that is a third party DNS system,
such as BIND.  Active Directory plays very well with such third party
DNS systems.  You could have your domain controllers not have any DNS
hosted on them at all.  You could have it hosted, but as a secondary
zone.  You could also have it AD integrated meaning that you have a
listener for DNS but the data(base) is stored in the active directory.

Something to clarify: what you're talking about is making the DC a
*client* to another DNS server that hosts the zones.  You're also
talking about making dc1 a client of dc2 and vice versa.  That's silly,
but I'll get to that.

If you have your dns hosted on a third party system such as BIND, you'll
have one server as the primary (not best practice, but you get the idea;
in practice you'd have multiple for failure tolerance wan traffic
optimization) and your DC would be a client of that system.

If you have a traditional DNS hierarchy that has primary and secondary
transfers, you would be mimicking BIND topology and again could
configure your DC's to be clients of the BIND or Microsoft DNS servers.

If you have the DNS AD-Integrated, then after initial replication you
should have the client configured to use itself as the DNS server.
That'd be the best practice.  Before 2003 you could have an "island
effect" where because you didn't have a full picture of the directory,
you might not have all the records needed to fully *see* the entire DNS
names list effectively creating an island of a DC.  In 2003 some
additional code was put in to make sure that doesn't happen.  You need
to be a client of a working DNS to join the domain and to find the other
DC's when you get promoted.  After replication completes, you have a

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Kevin Brunson
Really the advantage is that the server can not easily get to the
spyware to begin with.  The list is basically a list of spyware and
adware servers on the internet, but the addresses are all pointed at
127.0.0.1.

Here's a few lines : 
127.0.0.1 007arcadegames.com
127.0.0.1 101com.com
127.0.0.1 101order.com
127.0.0.1 123banners.com
127.0.0.1 123found.com

If you hit a site that wants to go to one of these servers (with a
pop-up for example) the server tries to talk back to itself.  If it
is running on a web server, it is especially funny.  I had a client once
who thought his web site had been hacked.  He was surfing the web from
one of his web servers, and every time he went to cnn.com it popped up a
copy of HIS site on the screen.  It took me a while to explain to him
through the laughter what was happening.  I think I finally convinced
him to stop surfing from his server farm.  

Once the spyware is on the server, it is way too late for this kind of
defense.  At that point you are going to have to go to some active
process to get rid of it.  

Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Thursday, July 13, 2006 1:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Can't your spyware just change/delete the host entries again? Or use an
IP address (or do you configure static routes for the subnets that the
IP addresses reside in that those host entries point to?)

Has this tactic ever helped anyone in a spyware-on-the-server situation?
(except possibly in a SOHO situation where the server's been treated
like a desktop?)

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!


: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Kevin Brunson
: Sent: Thursday, 13 July 2006 3:00 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Multihomed Domain Controllers
: 
: I have definitely found the hosts file to be useful on servers to keep
: them from EVER getting to spyware sites.  This guy has a great list :
: http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts
: 
: Just cut and paste into the hosts file and you are good to go.  I
: scripted it for all of the servers I deal with.  But I guess this is
: getting pretty far OT: :)
: Kevin
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
: CPA aka Ebitz - SBS Rocks [MVP]
: Sent: Wednesday, July 12, 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Multihomed Domain Controllers
: 
: In the year 2006.. I hope we are still not making host file entries on
: servers and workstations  :-)
: 
: Peter Johnson wrote:
: 
: > You might want to then create entries in the host file on the backup
: > server so that you guarantee that the backup server always uses the
: > right network connection.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
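
The hosts-file approach discussed in this thread, as an added Python example that is not from any poster: it vets a downloaded hosts-format list so that only sink entries are merged, leaves hand-made entries (such as the backup-network entries suggested earlier in the thread) untouched, and reports drift from a stored baseline, which is the check that the question about entries being changed or deleted calls for. The marker comments, function names and sample data are assumptions constructed for illustration.

```python
import re

SINKS = {"127.0.0.1", "0.0.0.0"}        # the only targets a blocklist may use
PROTECTED = {"localhost", "localhost.localdomain"}
BEGIN, END = "# BEGIN blocklist", "# END blocklist"   # assumed marker comments
FQDN = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)+$")

# Constructed sample of a downloaded list in hosts format.
SAMPLE_LIST = """\
127.0.0.1 ads.example.net
127.0.0.1 tracker.example.org
203.0.113.9 update.example.com
127.0.0.1 localhost
127.0.0.1 dc01.corp.example
"""
# Constructed sample of a server's existing hosts file.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
10.0.1.20 backup01   # hand-made entry for the backup network
"""


def parse_hosts(text):
    """Yield (ip, [names]) for every non-comment, non-empty line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields[0], [n.lower() for n in fields[1:]]


def vet_blocklist(text, internal_suffixes=()):
    """Split a downloaded list into names safe to sink and rejected entries."""
    accepted, rejected = set(), []
    for ip, names in parse_hosts(text):
        for name in names:
            if ip not in SINKS:
                rejected.append((ip, name, "target is not a sink address"))
            elif name in PROTECTED or not FQDN.match(name):
                rejected.append((ip, name, "protected or malformed name"))
            elif any(name == s or name.endswith("." + s) for s in internal_suffixes):
                rejected.append((ip, name, "would black-hole an internal name"))
            else:
                accepted.add(name)
    return sorted(accepted), rejected


def merge(hosts_text, names, sink="127.0.0.1"):
    """Rewrite only the marked section; entries outside it are left alone."""
    kept, in_section = [], False
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN:
            in_section = True
        elif line.strip() == END:
            in_section = False
        elif not in_section:
            kept.append(line)
    section = [BEGIN] + [f"{sink} {n}" for n in names] + [END]
    return "\n".join(kept + section) + "\n"


def drift(baseline_text, current_text):
    """Return (removed, added) entries relative to a baseline kept off the server."""
    base = {(ip, n) for ip, names in parse_hosts(baseline_text) for n in names}
    cur = {(ip, n) for ip, names in parse_hosts(current_text) for n in names}
    return sorted(base - cur), sorted(cur - base)


if __name__ == "__main__":
    names, rejected = vet_blocklist(SAMPLE_LIST, internal_suffixes=("corp.example",))
    merged = merge(SAMPLE_HOSTS, names)
    print(merged)
    for ip, name, reason in rejected:
        print(f"rejected {ip} {name}: {reason}")
    tampered = merged.replace("127.0.0.1 ads", "198.51.100.7 ads")
    print(drift(merged, tampered))
```

Running the merge twice produces the same file, so it can be scheduled; the drift check is only meaningful when the baseline copy is stored somewhere the server itself cannot write.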


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kevin Brunson
Hijack this thread?  I didn't know it could be hijacked any more than I
already had.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Wednesday, July 12, 2006 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Don't mean to hijack this thread but on a similar note - what's the
downside for installing DCs with Adapter Teaming?

All I know is that when adapter teaming is enabled, setting up WINS
service will pop an error message (which can be ignored)...but
anything else? I've always been a firm believer of one nic and no
teaming...

Any comments? 


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on
servers and workstations  :-)

Peter Johnson wrote:

> You might want to then create entries in the host file on the backup 
> server so that you guarantee that the backup server always uses the 
> right network connection.
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert Rutherford
> *Sent:* 12 July 2006 12:57
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Multihomed Domain Controllers
>
> No issues, if you...
>
> Go to the TCP/IP settings of the backup network card, click advanced,
> goto the DNS tab and untick register the connection in DNS.
>
> Cheers,
>
> Rob
>
> *Robert Rutherford*
> *QuoStar Solutions Limited*
>
> The Enterprise Pavilion
> Fern Barrow
> Wallisdown
> Poole
> Dorset
> BH12 5HH
>
> *T:* +44 (0) 8456 440 331
> *F:* +44 (0) 8456 440 332
> *M:* +44 (0) 7974 249 494
> *E:* [EMAIL PROTECTED]
> *W:* www.quostar.com
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green
> *Sent:* 12 July 2006 11:43
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Multihomed Domain Controllers
>
> Hi,
>
> First posting to this list but I've lurked quite a while and I've
> been very impressed by the quality of replies by the gurus.
>
> My question is regarding the advisability of having multihomed DCs.
> Basically I want to run backups over a separate GbE and as my servers
> have dual inbuilt NICs this seems an obvious route to take. I know
> there are some issues with DNS (I have a DNS integrated AD).
>
> Would this cause replication problems, etc ?
>
> Any other "gotchas" ?
>
>  
>
> Many Thanks,
>
> ---
> Jeff Green
> Network Support Manager
> SAPIENS (UK) Ltd
> t: +44 (0)1895 464228 f: +44 (0)1895 463098
>
> "I dream of hover cars and old transistor radios ... She dreams of 
> flowers in a field of sunny bungalows"
>
>
> Confidentiality Note: The information contained in this email and
> document(s) attached are for the exclusive use of the addressee and
> may contain confidential, privileged and non-disclosable information.
> If the recipient of this email is not the addressee, such recipient is
> strictly prohibited from reading, photocopying, distribution or
> otherwise using this email or its contents in any way.
>
> Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail
> immediately at [EMAIL PROTECTED], if you have received this
> email in error.
>
> Disclaimer: The views, opinions and guidelines contained in this
> confidential e-mail are those of the originating author and may not be
> representative of Sapiens (UK) Ltd.
>

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kevin Brunson
Sorry, forgive me for my lack of clarity.  I was on the phone with
Microsoft when I wrote that, so my head was shrinking….  But don’t worry,
they refunded my case.

I agree with you 100%.

My rant was purely referring to the desktop published app, not a physical
workstation.  I was ranting about admins who can’t seem to understand
that citrix costs more than rdp, but that is about the only difference if
every user is connecting to the citrix desktop instead of published apps.
Especially since they don’t want to lock the users down on the citrix
servers.

Wow, it’s a long way from multihomed domain controllers to Citrix and
desktops vs. thin clients.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, July 12, 2006 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Not so sure I agree with that.  Thin clients work just fine, require less
maintenance and can be replaced in 5 minutes, vs. the 3 hour argument
that you'll get if you try replacing someone's desktop because they saved
19 items that have nothing to do with their job on the local hard drive.

Then again, desktops are about as expensive nowadays as thin clients, so
the justification for thin clients isn't what it used to be.

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kevin Brunson
I only surf on the big ones.  The small ones just don't catch the waves
right.  

I don't even let them go to Windows Update.  WSUS connections configured
through Group Policy are about as far as I want them to go to the
internet.  The problem is users, and in many cases admins.  I get a
server just right, go back to my office, and by the time I get back
they've already installed 15 programs ending in "zilla".

And of course no self-respecting admin can get a $15 Citrix
infrastructure without immediately giving every STINKING user a desktop.
Forget published apps.  Forget everything that made it worth investing
any money whatsoever, let's just give them a STINKING desktop.  Sorry, I
guess I must have let all of my thinking about Defending Security
Infrastructure get to my head.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

You surf on your servers?

My servers go to WU/MU...and maybe to Joe's blog for information on
Defending Security Infrastructure..in fact they regularly hang out on
Joe's blog for all the information I need to know on Defending
Security Infrastructure.. in fact
http://blog.joeware.net/2006/07/11/445/ that link is the home page so
that I'm constantly reminded about Defending Security Infrastructure
..but other than that... they don't have antispyware because they don't
go anywhere to get spyware and the Enhanced IE is still on there.



Kevin Brunson wrote:

>I have definitely found the hosts file to be useful on servers to keep
>them from EVER getting to spyware sites.  This guy has a great list :
>http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts
>
>Just cut and paste into the hosts file and you are good to go.  I
>scripted it for all of the servers I deal with.  But I guess this is
>getting pretty far OT: :)
>Kevin
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Wednesday, July 12, 2006 10:41 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Multihomed Domain Controllers
>
>In the year 2006.. I hope we are still not making host file entries on 
>servers and workstations  :-)
>
>Peter Johnson wrote:
>
>  
>
>>You might want to then create entries in the host file on the backup 
>>server so that you guarantee that the backup server always uses the 
>>right network connection.
>>
>>*From:* [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] *On Behalf Of *Robert Rutherford
>>*Sent:* 12 July 2006 12:57
>>*To:* ActiveDir@mail.activedir.org
>>*Subject:* RE: [ActiveDir] Multihomed Domain Controllers
>>
>>No issues, if you...
>>
>>Go to the TCP/IP settings of the backup network card, click advanced,
>>goto the DNS tab and untick register the connection in DNS.
>>
>>Cheers,
>>
>>Rob
>>
>>*Robert Rutherford*
>>*QuoStar Solutions Limited*
>>
>>The Enterprise Pavilion
>>Fern Barrow
>>Wallisdown
>>Poole
>>Dorset
>>BH12 5HH
>>
>>*T:* +44 (0) 8456 440 331
>>*F:* +44 (0) 8456 440 332
>>*M:* +44 (0) 7974 249 494
>>*E:* [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>>*W:* www.quostar.com <http://www.quostar.com>
>>
>>*From:* [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green
>>*Sent:* 12 July 2006 11:43
>>*To:* ActiveDir@mail.activedir.org
>>*Subject:* [ActiveDir] Multihomed Domain Controllers
>>
>>Hi,
>>

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kevin Brunson
I have definitely found the hosts file to be useful on servers to keep
them from EVER getting to spyware sites.  This guy has a great list :
http://pgl.yoyo.org/adservers/serverlist.php?showintro=0&hostformat=hosts

Just cut and paste into the hosts file and you are good to go.  I
scripted it for all of the servers I deal with.  But I guess this is
getting pretty far OT: :)
Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006.. I hope we are still not making host file entries on 
servers and workstations  :-)

Peter Johnson wrote:

> You might want to then create entries in the host file on the backup 
> server so that you guarantee that the backup server always uses the 
> right network connection.
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Robert Rutherford
> *Sent:* 12 July 2006 12:57
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Multihomed Domain Controllers
>
> No issues, if you...
>
> Go to the TCP/IP settings of the backup network card, click advanced,
> goto the DNS tab and untick register the connection in DNS.
>
> Cheers,
>
> Rob
>
> *Robert Rutherford*
> *QuoStar Solutions Limited*
>
> The Enterprise Pavilion
> Fern Barrow
> Wallisdown
> Poole
> Dorset
> BH12 5HH
>
> *T:* +44 (0) 8456 440 331
> *F:* +44 (0) 8456 440 332
> *M:* +44 (0) 7974 249 494
> *E:* [EMAIL PROTECTED]
> *W:* www.quostar.com
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Green
> *Sent:* 12 July 2006 11:43
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Multihomed Domain Controllers
>
> Hi,
>
> First posting to this list but I've lurked quite a while and I've
> been very impressed by the quality of replies by the gurus.
>
> My question is regarding the advisability of having multihomed DCs.
> Basically I want to run backups over a separate GbE and as my servers
> have dual inbuilt NICs this seems an obvious route to take. I know
> there are some issues with DNS (I have a DNS integrated AD).
>
> Would this cause replication problems, etc ?
>
> Any other "gotchas" ?
>
>  
>
> Many Thanks,
>
> ---
> Jeff Green
> Network Support Manager
> SAPIENS (UK) Ltd
> t: +44 (0)1895 464228 f: +44 (0)1895 463098
>
> "I dream of hover cars and old transistor radios ... She dreams of 
> flowers in a field of sunny bungalows"
>
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Kevin Brunson
The one gotcha I have seen (only once though), was that somehow
multihoming a 2000 DC corrupted a couple of registry keys.  I think KB
888048 appeared a few days after the 8 hour phone call with MS.
Basically the dc no longer had a DNS name.  Needless to say that caused
problems.  But as long as you know which registry keys to change if it
goes bad, you should be fine.  I have seen a multitude of multihomed
domain controllers since with no issues.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: Wednesday, July 12, 2006 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been
very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs.
Basically I want to run backups over a separate GbE and as my servers
have dual inbuilt NICs this seems an obvious route to take. I know there
are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc ?

Any other "gotchas" ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

"I dream of hover cars and old transistor radios ... She dreams of
flowers in a field of sunny bungalows"












RE: [ActiveDir] Moving a Certificate Authority

2006-07-11 Thread Kevin Brunson
The other advantage to doing it this way, now that I think about it, is a
little clearer recovery path if everything blows up.  A system state
restore on your old ca and an authoritative restore on AD should (please
everyone check me on this) get you back where you were without having to
reload the original un-upgraded OS on your original CA.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 8:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

Have you thought about putting a new server (or an older one with good
hardware) in the mix as 2000, moving the CA to it, and then upgrading it
to 2k3?  That way you don’t have to worry about the hardware not
supporting 2003 or something terrible like that.  Then if you want you
could move it from that 2003 server to another 2003 server, or you could
just leave it where it is.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed.  After continuing to do
some reading and researching, it does appear that my only option is to…

1) Upgrade the old DC to 2k3

2) Backup the CA and the registry key as stated in the KB298138 article.

3) Remove the CA services, demote server and rename it.

4) Promote a 2k3 server with the same name as the old DC and install the
   CA services.

5) Restore the CA data and registry key

6) Cross my fingers and hope that I have a CA once again

I’ll give this a shot tomorrow.  I just wonder what would be my backup
plan should the CA restoration fail on the new server?  The old server
will have been demoted and removed from Active Directory along with the
CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

You cannot move from 2000 to 2003 as the database has changed. You could
upgrade to 2k3 ( this would be temporary ) and then move to another 2k3
server. I know that you said that the HW was old - but perhaps a
temporary sloow 2k3 machine?

You should keep the hostname the same - if you took the defaults for
install ( 90% of CA's out there ) then you have paths in all of your
issued certs which hardcode to this server, not to mention the name is
also in AD as well as the CA web pages. Unless you have a very good
reason - it'd be best to keep it the same. I think that the article
doesn't mention moving to a new name, because it would vary from customer
to customer and cause more trouble than it's worth.

my .02

steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority

As part of my on-going journey into upgrading a 2000 domain to 2003, I’ve
run into the issue of moving the Certificate Authority on one of the
original domain controllers to a new Windows 2003 domain controller.

I have found a couple KB articles that seem to put me down a good path,
but then don’t pan out.  Here is the situation…

I am at the point in the domain upgrade process where I need to eliminate
the Windows 2000 Servers from the domain so I can raise the functional
level to 2003 native.  However, the CA is currently on such old hardware
that an OS upgrade to Windows 2003 from Windows 2000 is simply not
possible so it will need to be demoted.  It was originally a Windows NT
4.0 domain controller back in the day.  So I am in a situation where I
need to take a Certificate Authority from a Windows 2000 Server, and
transfer that over to a Windows 2003 Server.

As stated before, one KB article seemed to be the most promising
KB298138.  However the instructions seem to be focused on moving a CA
from a 2000 server to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of moving a CA from a 2000 DC to a
2003 DC?  Also, is there a possibility of moving the CA to a server with
a different hostname than the original CA?

Thanks,

~Ben










RE: [ActiveDir] Moving a Certificate Authority

2006-07-11 Thread Kevin Brunson
Have you thought about putting a new server (or an older one with good
hardware) in the mix as 2000, moving the CA to it, and then upgrading it
to 2k3?  That way you don’t have to worry about the hardware not
supporting 2003 or something terrible like that.  Then if you want you
could move it from that 2003 server to another 2003 server, or you could
just leave it where it is.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a Certificate Authority

And will it ever be a slooow 2k3 machine indeed.  After continuing to do
some reading and researching, it does appear that my only option is to…

1) Upgrade the old DC to 2k3

2) Backup the CA and the registry key as stated in the KB298138 article.

3) Remove the CA services, demote server and rename it.

4) Promote a 2k3 server with the same name as the old DC and install the
   CA services.

5) Restore the CA data and registry key

6) Cross my fingers and hope that I have a CA once again

I’ll give this a shot tomorrow.  I just wonder what would be my backup
plan should the CA restoration fail on the new server?  The old server
will have been demoted and removed from Active Directory along with the
CA services removed, not to mention a new server now has its name.

Thanks for your .02 Steve, it seems to be spot on.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a Certificate Authority

You cannot move from 2000 to 2003 as the database has changed. You could
upgrade to 2k3 ( this would be temporary ) and then move to another 2k3
server. I know that you said that the HW was old - but perhaps a
temporary sloow 2k3 machine?

You should keep the hostname the same - if you took the defaults for
install ( 90% of CA's out there ) then you have paths in all of your
issued certs which hardcode to this server, not to mention the name is
also in AD as well as the CA web pages. Unless you have a very good
reason - it'd be best to keep it the same. I think that the article
doesn't mention moving to a new name, because it would vary from customer
to customer and cause more trouble than it's worth.

my .02

steve

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 3:08 PM
Subject: [ActiveDir] Moving a Certificate Authority

As part of my on-going journey into upgrading a 2000 domain to 2003, I’ve
run into the issue of moving the Certificate Authority on one of the
original domain controllers to a new Windows 2003 domain controller.

I have found a couple KB articles that seem to put me down a good path,
but then don’t pan out.  Here is the situation…

I am at the point in the domain upgrade process where I need to eliminate
the Windows 2000 Servers from the domain so I can raise the functional
level to 2003 native.  However, the CA is currently on such old hardware
that an OS upgrade to Windows 2003 from Windows 2000 is simply not
possible so it will need to be demoted.  It was originally a Windows NT
4.0 domain controller back in the day.  So I am in a situation where I
need to take a Certificate Authority from a Windows 2000 Server, and
transfer that over to a Windows 2003 Server.

As stated before, one KB article seemed to be the most promising
KB298138.  However the instructions seem to be focused on moving a CA
from a 2000 server to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of moving a CA from a 2000 DC to a
2003 DC?  Also, is there a possibility of moving the CA to a server with
a different hostname than the original CA?

Thanks,

~Ben