RE: [ActiveDir] Automatically generated replication links
You might want to look into using Active Directory Load Balancing tool (adlb.exe); I've never used the tool but it might help you control replication and the connection objects. Personally, I would trust the KCC and let it do its job :)

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 08, 2006 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automatically generated replication links

Russ,

Perhaps you should consider disabling the KCC within one or more sites, or forest-wide if this is a big issue. Otherwise, I'd treat all DCs as equals and let the KCC 'do its thing' :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 08 March 2006 15:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automatically generated replication links

All our remote sites automatically pick the same DC at DHQ, but this site picked a DC that is our primary DNS server at DHQ for some reason. We've never had that DC be selected by the KCC before, and I'm not sure why it picked that one instead.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, March 08, 2006 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automatically generated replication links

Hi Russ,

The KCC runs 5 mins after the DC boots and after that each 15 min. The KCC creates CO as it sees fit (and that depends on the site and replication topology, partitions to replicate and replicas hosting partitions). If you remove the CO manually, it will recreate them during the next KCC cycle. The creation of auto COs also depends on what manual COs have been created. Manual created COs will never be touched by the KCC.

So, why do you think it is wrong or what do you mean with "If you promote a new domain controller and it doesn't automatically generate the right replication links"?

jorge

From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Wed 2006-03-08 15:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automatically generated replication links

If you promote a new domain controller and it doesn't automatically generate the right replication links, is it safe or recommended to delete the link it generated and manually create the replication link? Or if you delete it will it try to automatically generate it again?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it.
Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A
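
Jorge's reply in this thread says the KCC recreates the connection objects it generated and never touches manually created ones, so it helps to know which is which before deleting anything. The following is an added example, not part of the original thread: it parses an LDIF export of nTDSConnection objects and reports which ones are KCC-generated, using bit 0x1 (NTDSCONN_OPT_IS_GENERATED) of the `options` attribute. The DC names, site names and LDIF text are constructed sample data, and the function names are hypothetical.

```python
import base64
import re

# Bit 0 of the nTDSConnection "options" attribute: set when the KCC created
# the connection object, clear when an administrator created it by hand.
NTDSCONN_OPT_IS_GENERATED = 0x1

# Constructed sample in LDIF form (long lines are folded with a leading space).
SAMPLE_LDIF = """\
dn: CN=0f6c2b1e-7d3a-4c55-9a10-2b8e4d1c9f77,CN=NTDS Settings,CN=BRANCHDC1,CN=Ser
 vers,CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: nTDSConnection
fromServer: CN=NTDS Settings,CN=HQDC2,CN=Servers,CN=HQ,CN=Sites,CN=Configurati
 on,DC=example,DC=com
options: 1

dn: CN=To-HQDC1,CN=NTDS Settings,CN=BRANCHDC1,CN=Servers,CN=Branch,CN=Sites,CN
 =Configuration,DC=example,DC=com
objectClass: top
objectClass: nTDSConnection
fromServer: CN=NTDS Settings,CN=HQDC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration
 ,DC=example,DC=com
options: 0
"""

_NTDS_PARENT = re.compile(r"CN=NTDS Settings,CN=([^,]+)", re.IGNORECASE)


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF record."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded and unfolded[-1]:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last record
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):              # LDIF comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.lower(), []).append(value.strip())
    return records


def dc_name(dn):
    """Name of the server object that owns an NTDS Settings DN.

    Assumes server names contain no escaped commas.
    """
    match = _NTDS_PARENT.search(dn)
    return match.group(1) if match else dn


def connection_report(ldif_text):
    """One dict per connection object: who pulls from whom, and who made it."""
    report = []
    for rec in parse_ldif(ldif_text):
        classes = [c.lower() for c in rec.get("objectclass", [])]
        if "ntdsconnection" not in classes or "fromserver" not in rec:
            continue
        dn = rec["dn"][0]
        options = int(rec.get("options", ["0"])[0])
        report.append({
            "name": dn.split(",", 1)[0][3:],          # strip the leading "CN="
            "to_dc": dc_name(dn),                     # DC that holds the object
            "from_dc": dc_name(rec["fromserver"][0]), # inbound replication source
            "kcc_generated": bool(options & NTDSCONN_OPT_IS_GENERATED),
        })
    return report


def manual_connections(report):
    """Connection objects that were created by hand (IS_GENERATED bit clear)."""
    return [c for c in report if not c["kcc_generated"]]


if __name__ == "__main__":
    for conn in connection_report(SAMPLE_LDIF):
        origin = "KCC-generated" if conn["kcc_generated"] else "manual"
        print(f'{conn["to_dc"]} <- {conn["from_dc"]}: {origin} ({conn["name"]})')
```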
RE: [ActiveDir] external trust between NT4 domain and windows 2003 fails
It's been a while, but I created a bunch of these a while back. First off, remove the trusts from both sides. Then reboot both the NT PDC and the 2003 PDCE. When they come back up try to establish the trust again. If it still fails then look at the tips below.

Make sure that the RestrictAnonymous is set to 0 on both the NT PDC and the 2003 PDCE. Key should be located under the following path, create it if it's not there:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Also, make sure that the LMCompatibilityLevel key is set to a level that will work on both the PDC/PDCE, i.e. NT PDC = 4 and 2003 PDCE = 5. Key is also located under the same path.

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Friday, March 03, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] external trust between NT4 domain and windows 2003 fails

You might get more information if you run a network trace (e.g. using NetMon).

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, 4 March 2006 8:21 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] external trust between NT4 domain and windows 2003 fails

Hi,

Need help desperately to setup trust between NT4 and win2k3. I've error 'domain controller not found'. I'm pretty sure the name resolution for each other is fine (by lmhosts), the trust was working before, however after it's broke, I can't re-establish again. Seen someone has the same error, http://www.experts-exchange.com/Operating_Systems/WinNT/Q_21631912.html, has tried the MSKB Article 325874 troubleshooting, but couldn't help much.

Best Regards,
Raynus Ky CHOO
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
Hotline: 215-8485 (24x5)
Telnet: 215-7290
E-mail: [EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Limiting a computer account to specific workstations?
What you could do is put the specific systems in an OU and set the Allow log on locally in a GPO to the Administrators group and the user\users that only need to access those PCs.

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Medeiros, Jose [mailto:[EMAIL PROTECTED]
Sent: Monday, February 27, 2006 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Limiting a computer account to specific workstations?

Greetings,

I have a quick question. I have a requirement to limit a single account to logon to only specific systems (About 120). Although I have not tried this, one of our Systems Administrators stated that he was limited to adding only about 30. Does anyone know if there is a work around? Has this number been increased in Active Directory 2003?

Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell
RE: [ActiveDir] Limiting a computer account to specific workstations?
Forgot to add: You would also need to add the user\users to the Deny log on locally setting on the OU where all other systems reside. Hope you understand me, I think I made it sound kind of confusing.

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Olivarez, Sergio J Mr ANOSC/FCBS [mailto:[EMAIL PROTECTED]
Sent: Monday, February 27, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Limiting a computer account to specific workstations?

What you could do is put the specific systems in an OU and set the Allow log on locally in a GPO to the Administrators group and the user\users that only need to access those PCs.

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Medeiros, Jose [mailto:[EMAIL PROTECTED]
Sent: Monday, February 27, 2006 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Limiting a computer account to specific workstations?

Greetings,

I have a quick question. I have a requirement to limit a single account to logon to only specific systems (About 120). Although I have not tried this, one of our Systems Administrators stated that he was limited to adding only about 30. Does anyone know if there is a work around? Has this number been increased in Active Directory 2003?

Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell
RE: [ActiveDir] Smartcard Question
Marc,

Brian is right about interactive logon. You're right about the password becoming long and complex. What you will have to do is have every user change their password back to something that meets your password policy. This means having every user visit an admin or someone with enough permission to change a user password. They will have to pull up the user account through ADUC and have the user set a new password. This will allow them to view OWA or whatever web application that they used to be able to with the newly set password, at the same time only allowing them interactive logon by smartcard.

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

-----Original Message-----
From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Friday, February 24, 2006 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Smartcard Question

No, not true. Interactive logon is when you sit at a computer and press control alt delete and interactively log yourself into the computer. Accessing OWA, for example, is not an interactive logon.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Friday, February 24, 2006 4:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Smartcard Question

I am looking at hardening security by requiring smartcards for interactive logons VIA the GPO. However, users also use OWA from home, as well as access a few web applications remotely while in the field, these are just using Integrated Authentication through our ISA server. My question however, relates back to the GPO setting. I was always under the impression that when you enable Require smartcard for interactive logon that it effectively disabled the password on the account (excessively long and complex password is set). Is this true, and if so, does anybody have a trick to get around this?

- Marc
RE: [ActiveDir] The system administrator has set policies to prevent this installation
If you are trying to install Symantec NAV 2001 check out this link - http://support.microsoft.com/default.aspx?scid=kb;en-us;322963

Have you done an RSOP on the box to make sure that there is no software restriction policy?

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Antonio Aranda [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 22, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] The system administrator has set policies to prevent this installation

On some workstations I've been getting this message "The system administrator has set policies to prevent this installation." The problem is that I'm the system administrator and there are no such policies. I get this message even when I'm logged on as local administrator. Does anyone know what is going on here?

Antonio
RE: [ActiveDir] The system administrator has set policies to prevent this installation
Verify that the registry value DisableMSI under the key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer is NOT set to 1 or 2 (if it doesn't exist, it will default to 0 for WinXP or earlier). If it is set to 1 or 2, change it to 0.

Machine Policies: DisableMSI http://msdn.microsoft.com/library/default.asp?url=

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Antonio Aranda [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 22, 2006 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The system administrator has set policies to prevent this installation

We don't use Norton, we use McAfee. The only GP in use is the default GP; these workstations that are getting this message are in an OU that does not have a GP linked to it. Other than being joined to the domain there is nothing different from a stand alone machine. And like I said, we get this message even when logged on as local administrator which the AD GP should not apply.

Antonio

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivarez, Sergio J Mr ANOSC/FCBS
Sent: Wednesday, February 22, 2006 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The system administrator has set policies to prevent this installation

If you are trying to install Symantec NAV 2001 check out this link - http://support.microsoft.com/default.aspx?scid=kb;en-us;322963

Have you done an RSOP on the box to make sure that there is no software restriction policy?

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Antonio Aranda [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 22, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] The system administrator has set policies to prevent this installation

On some workstations I've been getting this message "The system administrator has set policies to prevent this installation." The problem is that I'm the system administrator and there are no such policies. I get this message even when I'm logged on as local administrator. Does anyone know what is going on here?

Antonio
RE: [ActiveDir] Service Pack Level
systeminfo /s <DC Name> | find "Build"

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Harding, Devon [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 22, 2006 3:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Service Pack Level

Is there a way to find out the service pack level for all domain controllers in my forest? Single command? Trying to update schema for R2

Devon Harding
Windows Systems Engineer
Southern Wine Spirits - BSG
954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] ability to create container objects not in ADUC
http://www.microsoft.com/WINDOWS2000/techinfo/howitworks/activedirectory/glossary.asp

container -- a special type of Active Directory object. A container is like other directory objects in that it has attributes and is part of the Active Directory namespace. However, unlike other objects, it does not usually represent something concrete. It is the container for a group of objects and other containers.

organizational unit (OU) -- a container object that is an Active Directory administrative partition. OUs can contain users, groups, resources, and other OUs. Organizational Units enable the delegation of administration to distinct subtrees of the directory.

Thanks... ... ... ...
Sergio J. Olivarez - Contractor
Phone # (520) 538-2909 DSN: 879-2909
[EMAIL PROTECTED]
GD-NS

-----Original Message-----
From: Mark Parris [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 16, 2006 4:23 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] ability to create container objects not in ADUC

A container is not an OU.

-----Original Message-----
From: Olivarez, Sergio J Mr ANOSC/FCBS [EMAIL PROTECTED]
Date: Thu, 16 Feb 2006 15:26:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ability to create container objects not in ADUC

What kind of container? An OU is a container.

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 16, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ability to create container objects not in ADUC

Is there a technical reason why the ability to create a new container is not available in the Active Directory Users and Computers (ADUC) mmc? (Sorry if this is a dumb question.)

Mike Thommes
RE: [ActiveDir] Deleted OU issue
If the other DC has not replicated the deletion of the OU, you can put that DC into Directory Service Restore mode and perform an authoritative restore on the OU. This will set the USN at a higher # and it will not be deleted when the information is replicated. It will then replicate the OU back to the DC you deleted it on. If it has already replicated then you will need to perform an authoritative restore from the system state backup.

Thanks... ... ... ...
Sergio J. Olivarez - Contractor
Phone # (520) 538-2909 DSN: 879-2909
[EMAIL PROTECTED]
GD-NS

-----Original Message-----
From: Lev Zdenek [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 16, 2006 8:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Deleted OU issue

Hello evr.

I have two DC on AD 2003 native mode in WAN. Repl. interval is set to 8 hour. I deleted (my mistake) OU with users in active directory users and computers MMC snap-in. Is it possible prevent replication this changes to second DC and bring my AD to state previous unwanted deletion? I have backup AD state before my mistake

thx
Zdenek Lev
RE: [ActiveDir] ability to create container objects not in ADUC
What kind of container? An OU is a container.

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 16, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ability to create container objects not in ADUC

Is there a technical reason why the ability to create a new container is not available in the Active Directory Users and Computers (ADUC) mmc? (Sorry if this is a dumb question.)

Mike Thommes
RE: [ActiveDir] Ntfrs Errors
If you are on a Windows 2000 be careful of copy and paste, better off using ntbackup!:

Junctions graft the namespace (any bounded area in which a specific name can be resolved) of the destination file system location to an NTFS volume. An underlying reparse point permits NTFS to transparently remap an operation to the destination object. As a result, if you modify the data in the Sysvol structure, changes occur directly on these physical files. Additionally, if you perform a cut-and-paste operation or a copy-and-paste operation with these folders in the Sysvol structure that contains junction points, the cut-and-paste operation or the copy-and-paste operation occur in the junction point information.

Microsoft recommends that you avoid performing a cut-and-paste operation or a copy-and-paste operation on the Sysvol structure, especially when you perform the paste operation on the same server. If you perform a cut-and-paste operation or a copy-and-paste operation on the Sysvol structure, a copy of the junction point information is created. This does not result in a copy of the actual data. Instead, a copy of the junction point information only is created. If you modify any of the files that appear in that folder, you modify the source files directly.

http://support.microsoft.com/?kbid=324175

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Umer Y [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 15, 2006 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntfrs Errors

Justin, you wouldn't lose your AD data by deleting NTFRS Jet database. AD data is stored in ntds.dit file under Systemroot\Ntds\ folder. What you would want to do is to copy everything from SYSTEMROOT\SYSVOL\SYSVOL\DOMAIN.com\ to another folder for backup measures, before you perform that action. If you read the event 13555, it explains how to delete jet database as well. Also, restart your NTFRS NETLOGON services. Stop NTFRS, and NETLOGON, and then start NETLOGON and then NTFRS. Hope that helps.

On 2/15/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

Guys, I found this article yesterday: http://www.jsifaq.com/SUBH/tip3600/rh3605.htm

What do you think? When you perform these actions, the idea is that you delete the FRS database and logs, and when you restart the services these will be recreated using replicated information from other DCs in the domain? I think that's the part I'm unclear about: Does this process end with me losing all of my AD data for the problematic domain?

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

--
Ambition is a dream with a V8 engine. ~ Elvis Presley
RE: [ActiveDir] Local admin priviledges
Here are a couple articles that compare rights.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_default_settings.mspx
http://uis.georgetown.edu/software/documentation/win2000/win2000.account.group.permissions.html

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 14, 2006 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Local admin priviledges

Well someone just realized that since all our users are local admins on their PCs that they can map to another user's C$ share and see all their data. They asked mgmt if they knew about that, and now of course, they're concerned about it. It's been this way for years, but I digress.

SO, what is the general consensus on giving users full ability to install/remove software at will, but not allowing them to map to other PCs' c$ drives? Make everyone Power Users instead? Is there anything that they might lose from going from local admins to power users on their PCs besides this c$ mapping functionality?
RE: [ActiveDir] NtFrs Errors
Did you delete the DC in AD Sites and Services?

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Clay, Justin (ITS) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 14, 2006 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NtFrs Errors

I'm seeing errors 13555 and 13552 in the event log ever since one of our DCs died and had to be pulled out of AD. When the DC died, I did the following:

1. Seized its PDC role
2. Removed all entries for this DC using Metadata cleanup in ntdsutil
3. Followed the rest of the steps outlined for Windows 2003 pre-SP1 here: http://support.microsoft.com/default.aspx?kbid=216498

I've removed all entries I can find for this dead DC (SBASVISDC03 is the dead DC's name) using ADSIEdit, Metadata cleanup, and the DNS console. I ran FRSDiag this morning and found that one of the other DCs (SBASVISDC01) still shows SBASVISDC03 as an INBOUND NEIGHBOR. Now I've looked and looked and cannot find where this INBOUND NEIGHBOR information is being stored. What am I doing wrong? There must be some place I'm overlooking.

Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
RE: [ActiveDir] NtFrs Errors
If you're seeing 13505 13506 check out the links below:

http://support.microsoft.com/kb/823230/EN-US/
http://mcpmag.com/Features/article.asp?EditorialsID=403
http://www.experts-exchange.com/Operating_Systems/Q_21579612.html

Thanks... ... ... ...
Sergio J. Olivarez - Contractor
Phone # (520) 538-2909 DSN: 879-2909
[EMAIL PROTECTED]
GD-NS

From: Clay, Justin (ITS) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 14, 2006 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NtFrs Errors

Yes I did.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivarez, Sergio J Mr ANOSC/FCBS
Sent: Tuesday, February 14, 2006 1:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NtFrs Errors

Did you delete the DC in AD Sites and Services?

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Clay, Justin (ITS) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 14, 2006 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NtFrs Errors

I'm seeing errors 13555 and 13552 in the event log ever since one of our DCs died and had to be pulled out of AD. When the DC died, I did the following:

1. Seized its PDC role
2. Removed all entries for this DC using Metadata cleanup in ntdsutil
3. Followed the rest of the steps outlined for Windows 2003 pre-SP1 here: http://support.microsoft.com/default.aspx?kbid=216498

I've removed all entries I can find for this dead DC (SBASVISDC03 is the dead DC's name) using ADSIEdit, Metadata cleanup, and the DNS console. I ran FRSDiag this morning and found that one of the other DCs (SBASVISDC01) still shows SBASVISDC03 as an INBOUND NEIGHBOR. Now I've looked and looked and cannot find where this INBOUND NEIGHBOR information is being stored. What am I doing wrong? There must be some place I'm overlooking.

Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
RE: [ActiveDir] permon access
How about utilizing the Performance Monitor Users built-in security group!

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Tom Kern [mailto:[EMAIL PROTECTED]
Sent: Monday, February 13, 2006 8:14 AM
To: activedirectory
Subject: [ActiveDir] permon access

In windows 2000 Forest, what are the bare minimum rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k.

Thanks
RE: [ActiveDir] permon access
Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help!

http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;164018

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Tom Kern [mailto:[EMAIL PROTECTED]
Sent: Monday, February 13, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] permon access

That's why I stated I was on a windows 2000 Forest. That group is only available on Win2k3 dc's.

Thanks

On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS [EMAIL PROTECTED] wrote:

How about utilizing the Performance Monitor Users built-in security group!

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Tom Kern [mailto: [EMAIL PROTECTED]]
Sent: Monday, February 13, 2006 8:14 AM
To: activedirectory
Subject: [ActiveDir] permon access

In windows 2000 Forest, what are the bare minimum rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k.

Thanks
RE: [ActiveDir] ldifde download
Have you tried copying the ldifde.exe over to your XP workstation from a Server?

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Harding, Devon [mailto:[EMAIL PROTECTED]
Sent: Monday, February 13, 2006 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldifde download

Where can I download this to run on XP

Devon Harding
Windows Systems Engineer
Southern Wine Spirits - BSG
954-602-2469
RE: [ActiveDir] Hash-based Software Restriction Policy
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

Thanks... ... ... ...
Sergio J. Olivarez - Contractor GD-NS

From: Clay, Justin (ITS) [mailto:[EMAIL PROTECTED]
Sent: Monday, February 13, 2006 12:27 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Hash-based Software Restriction Policy

Hey All,

I was curious if any of you have set up hash-based software restriction policies. I'd like to set up a policy to only allow the executables that I've hashed to run, and I'm hoping that someone has a list of all of the base executables I'll need to hash just for WinXP to boot and log in successfully. Hopefully someone else has already done the work, so that I don't have to use trial and error to figure out all the exes I need to hash.

Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
RE: [ActiveDir] DSQUERY filter for space character only
Have you tried * *

Thanks... ... ... ...
Sergio J. Olivarez

From: Sitton Glen E [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 07, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax.

When ADUC builds the ldap query itself, it fails:

((objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: ' ' %20 + and escaping it with a \ or a ^

Any ideas?

Thanks in advance,
- Glen
RE: [ActiveDir] DSQUERY filter for space character only
Been using the archive for a while, but I just subscribed yesterday!

Thanks... ... ... ...
Sergio J. Olivarez

From: Gilbert, Daniel L Mr ANOSC/FCBS [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 07, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only

You follow this list?

From: Olivarez, Sergio J Mr ANOSC/FCBS [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 07, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only

Have you tried * *

Thanks... ... ... ...
Sergio J. Olivarez

From: Sitton Glen E [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 07, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax.

When ADUC builds the ldap query itself, it fails:

((objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: ' ' %20 + and escaping it with a \ or a ^

Any ideas?

Thanks in advance,
- Glen
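An added example, not part of any message in this thread: RFC 4515 lets any byte in an LDAP filter value be written as a backslash followed by two hex digits, so a single space can be expressed as \20, and the same escaping keeps untrusted input from changing a filter's structure. The function names and sample values are hypothetical, and whether a given tool passes the escaped form through unchanged is an assumption to verify.

```python
import re

# Characters RFC 4515 requires to be escaped inside a filter value.
_SPECIAL = {"\\", "*", "(", ")"}
# Attribute description: a short name such as displayName, or a dotted OID.
_ATTR_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)")


def escape_filter_value(value: str) -> str:
    """Escape a string for the value side of an LDAP search filter.

    Special, control and non-ASCII characters become \\XX per UTF-8 byte.
    Leading and trailing spaces are hex-escaped as well (permitted, not
    required, by the RFC) so front ends that trim whitespace keep them.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, last)
        code = ord(ch)
        if ch in _SPECIAL or edge_space or code < 0x20 or code > 0x7E:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def equality_filter(attr: str, value: str, object_category: str = "user") -> str:
    """Build (&(objectCategory=...)(attr=value)) with both values escaped."""
    if not _ATTR_RE.fullmatch(attr):
        raise ValueError("not a valid attribute name: %r" % attr)
    return "(&(objectCategory=%s)(%s=%s))" % (
        escape_filter_value(object_category), attr, escape_filter_value(value))


if __name__ == "__main__":
    # Constructed sample values: a lone space, a normal name, an injection attempt.
    for sample in (" ", "Test User", "*)(cn=*"):
        print(repr(sample), "->", equality_filter("displayName", sample))
```
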