RE: [ActiveDir] Problem: Limit Domain Admins and Administrators
I think a good approach to this without going down the slippery slope of trying to redefine the rights of a Domain Admin (which has been discussed here before I believe) is to use something like MOM to monitor the Domain Admins and Administrators group for membership changes. That way anytime someone is added to those groups everyone is alerted to it and it is logged for eternity (or until your data retention policy overwrites it ;)

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 08, 2005 7:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem: Limit Domain Admins and Administrators

Problem: Need to lock down Domain Admins and Administrators so that they can not add additional users to the Domain Admins and Administrators group.

Possible Solution: Remove the permissions from the Domain Admins and Administrators so that only Enterprise Admins can change their membership.

Anyone got a better idea or know if the solution will not work?

Thank You! And have a nice day!

Mark Lunsford
KAISER PERMANENTE
Directory Services Identity Management (DSIM/NOS)
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-0047
Remedy Group: NOPS SCRTY DSIM NOS

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
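One way to get the membership-change alerting Phil describes without a MOM deployment, as an added example that is not from this thread: a PowerShell script that snapshots the privileged groups on each run and reports any member added or removed since the previous run. It assumes the RSAT ActiveDirectory module is installed and that the baseline path (a placeholder) is writable by the scheduled account.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the list thread. Assumes the RSAT ActiveDirectory
# module, an account that can read group membership, and a writable
# $BaselinePath (placeholder location; adjust for your environment).
param(
    [string[]] $Groups = @('Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins'),
    [string]   $BaselinePath = "$env:ProgramData\PrivGroupBaseline.json"
)

function Get-PrivilegedMembership {
    param([string[]] $GroupNames)
    $snapshot = @{}
    foreach ($g in $GroupNames) {
        # -Recursive expands nested groups, so a user added to a group that is
        # itself a member of Domain Admins is still counted.
        $members = Get-ADGroupMember -Identity $g -Recursive |
            ForEach-Object { $_.DistinguishedName } | Sort-Object -Unique
        # Where-Object drops $null so an empty group yields an empty array.
        $snapshot[$g] = @($members | Where-Object { $_ })
    }
    return $snapshot
}

function Compare-Membership {
    param([hashtable] $Baseline, [hashtable] $Current)
    $changes = @()
    foreach ($g in $Current.Keys) {
        $old = if ($Baseline.ContainsKey($g)) { @($Baseline[$g]) } else { @() }
        $new = @($Current[$g])
        foreach ($dn in $new) {
            if ($old -notcontains $dn) {
                $changes += [pscustomobject]@{ Group = $g; Change = 'Added'; Member = $dn }
            }
        }
        foreach ($dn in $old) {
            if ($new -notcontains $dn) {
                $changes += [pscustomobject]@{ Group = $g; Change = 'Removed'; Member = $dn }
            }
        }
    }
    return $changes
}

$current = Get-PrivilegedMembership -GroupNames $Groups

if (Test-Path -Path $BaselinePath) {
    # ConvertFrom-Json yields a PSCustomObject; rebuild a hashtable keyed by group.
    $baseline = @{}
    $saved = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($p in $saved.PSObject.Properties) {
        $baseline[$p.Name] = @($p.Value | Where-Object { $_ })
    }

    $changes = @(Compare-Membership -Baseline $baseline -Current $current)
    if ($changes.Count -eq 0) {
        Write-Host "No privileged group membership changes since the last run."
    } else {
        # Surface every change where an operator or log collector will see it;
        # a monitoring agent can alert on these warning lines.
        foreach ($c in $changes) {
            Write-Warning ("{0}: {1} {2}" -f $c.Group, $c.Change, $c.Member)
        }
    }
} else {
    Write-Host "No baseline found; recording the current membership as the baseline."
}

# Persist the current snapshot so the next run compares against it.
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
```

Run it from a scheduled task; the first run only records the baseline, and each later run reports the delta, so the record of who was added survives in the task's log even if the membership is later reverted.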
RE: [ActiveDir] deny internet
The issue with that approach is that anyone can log in to those PCs and access the internet, so if the point is to try and restrict internet access to specific people this won't really cover that. You could put workstation restrictions on the users, but once you get past a certain number of people (and it's not a very large number) this begins to be a pain in the ass. A proxy server is your best bet since it will also allow you to set up caching, which will likely improve your web performance. I'm interested in seeing the IPSec setup too though.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan (OFT)
Sent: Wednesday, March 09, 2005 8:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] deny internet

You could use Cisco's ACL with DHCP reservations. That way the PC always gets the same IP until you change the network card. You could also go into the configuration of the network card and give the special people a specific MAC and do the DHCP reservations that way.

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 3/9/2005 12:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] deny internet

Get a Proxy Server and use it to control outbound internet access.

Deji

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, March 08, 2005 7:22 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] deny internet

Hi all. If I want to deny a user internet access but allow everything else, is this possible via GPO? On win2k and winXP? Also to include other browsers besides IE. A firewall solution is not possible right now and the clients are DHCP so Cisco ACLs won't always work. Can I GPO this or is it easier to give the client a static IP and ACL it on the router?

Thanks
RE: [ActiveDir] LDAP dir syncproduct to AD
I am a much bigger fan of either cleaning up the NT domains prior to migration, or getting a list of current active users from the mainframe and only migrating those users from the NT domains. In both those situations you end up with only the active users in AD, which I prefer to do since I don't want to migrate junk from old domains into my newly created and clean AD environment. Not much help on your dirsync issues, but I haven't worked with either so I won't bother to comment on that part.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Tuesday, March 08, 2005 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP dir syncproduct to AD

Good question. At this stage this is what I've been made aware of:

No RACF (phew)
LDAP Connector to mainframe - I haven't been told what version yet
User and Attribute sync to AD from the mainframe is the primary goal.

The business centres around mainframe existence. If you don't exist on the mainframe, you don't exist. This means that user provisioning AND identity currently happens there as a start. At this point there's a TON of NT4 domains (around 600) that will be switched off. Users used to be created automagically via a process from mainframe to NT 4 domains; however, users were never killed off the NT domains when they died on the mainframe.

Going forward, this means that users will be synced from the mainframe via LDAP, ergo the sync tool requirement to AD to a dump container. Users from the NT domains will be merge migrated to a separate container, and whatever is left behind will be investigated and killed. Migration tools are in place to do this; that's the easy bit. The unknown entity is talking to a mainframe via LDAP with no knowledge at this point of what flavour of LDAP it's talking.

The Imanami product looks really fine on paper (generic LDAP connectivity, attribute transformation, supports schema extensions, etc.); however, I've never met anyone who's used it in anger. I'm trying to stay away from a scripted solution, since object collision resolution, attribute transformation, object matching, delta syncing, etc. are pretty standard in the tool world, without having to re-script the wheel.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 08 March 2005 04:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP dir syncproduct to AD

I think Murray brings up some good points. What are your requirements exactly? To differentiate between the products (or others) you'll need to understand what the ultimate goal is and what you have to work with. For example, is this a RACF sync? Or LDAP or ?? What exactly needs to sync? Passwords? Accounts? Questions like that should help to differentiate.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall
Sent: Tuesday, March 08, 2005 6:45 AM
To: ActiveDir@mail.activedir.org; Nicolas Blank
Subject: RE: [ActiveDir] LDAP dir syncproduct to AD

Nic, we have implemented Simple Sync for roughly about 12 connectors and are pleased with the tool. It is syncing roughly 3 LDAP entries between Exchange 5.5, 2000 and 2003 organizations, with the Exchange 5.5 organization being the root forest. In my mind, it would depend on your needs, and if you require a more advanced 'meta' directory. Simple Sync is a FIFO sync utility, not a download-all-the-updates-to-a-meta-dir, process them, then resync out (sounds like a description for MS Mail T1, T2 sync processes!). We are very pleased with the product and the support we get from them. I have no experience with the Imanami product. If you are looking for LDAP in, LDAP out with transposing, or what have you, I would definitely recommend Simple Sync.

Murray Wall
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Tuesday, March 08, 2005 1:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP dir syncproduct to AD

Hi all

Anyone ever have to choose between Simple Sync and Imanami Directory Transformation Manager? I'm talking to a mainframe via LDAP going to AD and on paper Imanami looks the better choice. Anyone have any recommendations either way? I've seen Simple Sync mentioned at least once on this list and also know it's maybe not the best product out there, even though it does the job, and am keen to get any feedback on anything else?

Thanks in advance for any feedback

Nic
RE: [ActiveDir] LDAP and related Exchange question
One of the companies that I worked at in the not too distant past keyed all of that off the Employee number. When they created accounts in AD the EmployeeID was included somewhere in the user setup so that it was viewable in the ADUC GUI and was queryable using management tools. It didn't matter what the user changed their name to; everything went back to the HR database which held the employee number. This also let them update the information in various repositories based on the UserID (including AD), but it meant that the provisioning process required a valid EmployeeID in order for an account to be set up. That also meant that an EmployeeID scheme for Contractors and other non-permanent employees was devised. Not a bad approach; it worked fairly well, and like Joe's company this was a fairly large employee base (60k) so it should work ok in other companies.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 04, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

How did they handle people changing their names? I see the ID, but does that ID make sense when the user changes their name from Joe to 'They' or something along those lines? That goes back to the idea of coming up with a unique identifier that expands the horizon beyond the AD forest(s) and into the rest of the realm. I maintain that at some point in just about every country and every company, there is a unique identifier that ensures that person gets their proper compensation. Not that it couldn't be messed up, but you'd know quickly if your paycheck were lower than expected or paid to you in Yuan vs. Rubles if that's what you expected. This needs to stretch beyond AD from what I can tell. Is that an incorrect assumption Marcus?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

I would tend to agree. I think objectGUID would be fine, though it is a pain to deal with since it is binary. Another thing to consider is to stop the random wanton creation of samaccountnames. When someone gets hired, they get assigned from one source their ID for use within the company. That ID is used everywhere and forever identifies that person and is never reused anywhere else in that company. Some other company gets merged in, everyone gets new SAM IDs from the same source. One company I worked for, I am the only and will always be the only jricha34 to ever be there. If I somehow for some reason go work on that network again I will get spun up a jricha34 ID for use. This is a company with hundreds of thousands of users and huge turnover every year and they still maintain all of those unique identifiers even if the actual NT or mainframe IDs are deleted, so I know it is feasible for smaller companies. There was another single source for UIDs if you needed them, and if you lost and got access to UNIX again, it would be with the same UID.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, March 04, 2005 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Why wouldn't objectGuid be appropriate? AD generates the objectGuid attribute using UuidCreate() (or some variation) that is guaranteed with reasonable certainty to generate values that are unique across all machines, not just DCs in the forest. If you need a globally unique, immutable identifier, the objectGuid attribute should do the trick.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 04, 2005 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

GUID is likely NOT an option in a multiple forest scenario or multiple identity stores. But the concept can be applied to the sphere of identity stores you have responsibility for. It's just that the system won't do it for you out of the box. So one thought that comes to mind is to inject a Cox-specific GUID into each identity store from the authoritative source(s) and then use that to find what you need programmatically. That's a bigger undertaking than you may be able to go after, but it ultimately solves the issues that are so troublesome. Somewhere, you have to have a unique identifier that identifies consumers of your systems. Even if it's pay codes and PO numbers (non-employees), something will need to exist at some point in the lifecycle to identify the objects uniquely. That make sense or am I way off base in understanding your problem?

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 04,
RE: [ActiveDir] User moves in a large environment
In that case then I think Al is on the right track: go with an automated workflow approach so that there doesn't need to be any admin intervention. A typical approach I think would be a good idea is to queue those changes up and process them all once a night. Follow whatever workflow makes sense for your group, but a web based utility with some approvals required (as Al mentioned) is probably the right way to deal with this. That takes the workload off the Admins and places it on the users.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Friday, March 04, 2005 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User moves in a large environment

15000 users moving at any one time was a conservative estimate. Most users are Military and Government.

Original Message
Subject: RE: [ActiveDir] User moves in a large environment
From: Mulnick, Al [EMAIL PROTECTED]
Date: Fri, March 04, 2005 1:10 pm
To: ActiveDir@mail.activedir.org

15000 users on the move at any given time?

Anyway, for the move between OU's, have you considered a self-serve app or something that's (semi)automated inside of the move process? I haven't been in that large an environment in a while, but it seems that might make sense for between-OU movement at the least. That would take the process rights from the OU owners up to another level for workflow etc. I would guess that something that had an approval process would work (i.e. Request to move user1 from OU1 to OU2 - ask OU2 owners for approval first) and so on. Might be controlled by your move coordinators or however that fits in your process.

Domain moves: I could see using an automated or semi-automated process vs. the current hand-off process if your structure is stable enough to do so. It might be that it removes the account object and moves it to the staging OU in the target domain and sends a task, email or whatever if that's what you need. Workflow checks and balances for this as well. You will want to capture mail data and attributes I would guess, but that depends on the move criteria and depth I would imagine. Automating it would make much more sense and you could orchestrate a series of events that are automated and checked to gather the appropriate information (files, attributes you intend to keep, etc) and move it where it belongs. Some of this would depend on the current provisioning processes you keep as to how you integrate it.

These are the fun types of problems to solve :)

My $0.04 anyway,

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Friday, March 04, 2005 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User moves in a large environment

To All: (Sorry for the long post)

I was wondering what everyone uses to facilitate user moves in a large environment?

Scenario: Root domain with six (6) child domains. Each child domain has between thirty (30) to sixty (60) OUs. These OUs are geographic locations spread around a region. Each OU is managed by an IT Team that only has rights to their OU; IT Teams do not cross manage to other OUs.

I need to develop or discover a way to facilitate user moves from one (1) OU to another in the same domain and to another domain. Our environment should have about 300,000 users and about five (5) percent is on the move from one (1) OU to another or from one (1) domain to another. In the old days, pre-2000, the process was to delete the user when they departed and recreate the user when they arrived. We do not yet have Exchange 2003 deployed but I can see it happening very very soon.

Using a whiteboard (allows lots of erasing) I devised an OU structure that allowed the departing IT Team to place the user into an OutProcessing OU once the departing user fully outprocessed their current home. (I figure the departing user is removed from every domain security group except the Domain Users group). ATAMO the user is moved from the OutProcessing OU in one domain to the InProcessing OU of another domain. The user arrives at their new location, the local IT Team retrieves the user from the Inprocessing OU and places them in their new Home OU.

Now, my PHBs have freaked out because we are not staffed for this kind of mission, but the customers are screaming at us to provide this service. I know I can permission the OUs to allow SOMEONE the rights to move users from one OU to another, even if the OU resides in a different domain. But the PHBs are screaming they do not want to take on this kind of mission; their thought is to continue to do things like we did in the past.

I guess my main question is this: is anyone else required to move users around in a large environment and if so, how are they doing it?

TIA

Daniel
RE: [ActiveDir] DEC questions
Go figure that after a couple of years of trying to convince someone to send me to DEC I was about to be sent there this year...but I just got a new job that is starting on the 14th so I'll miss it again. Go figure! ;) Have fun at Whistler if you all make it!

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, March 01, 2005 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DEC questions

To answer Ken's question directly, DEC is the Directory Experts Conference that NetPro sponsors along with Microsoft and others. It is a technology conference focused entirely on AD and intimately related technologies like DNS, ADFS, etc. The presenters are about a third/a third/a third Microsoft Program Managers, industry consultants (e.g. HP, EDS), and enterprise Active Directory customers. The topics are targeted toward technically savvy engineers, architects, and administrators who have been running AD for a while, i.e., there are no introductory "This is what an OU is" type sessions. There are also no product-pitch sessions... the sessions are all focused on understanding and using AD technology successfully. DEC is also a great place for networking with the Microsoft product team as well as other AD technicians.

We've expanded DEC this year to include an MIIS track, which reflects Microsoft's direction of integrating their various IdM technologies. Stuart Kwan (Directory of Program Management for Identity and Access at Microsoft) will be discussing the future of AD, AD/AM, MIIS, ADFS, ID Card, etc. during the keynote. Find out more and register at www.netpro.com/events/dec2005.

As far as the ski trip is concerned, they are just rumors. I haven't had a chance to even think about it. But I know some people are planning to head off to Whistler after the conference. I'm not sure I'm ready to give up the Chicken though... :)

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 01, 2005 8:00 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DEC questions

I heard a rumor that Gil was organizing a post DEC ski trip to Whistler and there would be a Chinese Downhill to determine who goes home with the rubber chicken.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: Jorge de Almeida Pinto [EMAIL PROTECTED] icacmg.com
Sent by: [EMAIL PROTECTED] dir.org
03/01/2005 03:22 PM CET
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] DEC questions

is there some way to win that rubber chicken? ;-))

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Tuesday, March 01, 2005 14:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DEC questions

It is a big meeting of AD experts with a guy holding a rubber chicken leading the discussions.

Todd

From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 01, 2005 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DEC questions

Pardon my ignorance, but what is DEC?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Sullivan
Sent: Monday, February 28, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DEC questions

Hi Dave,

This will be my fourth DEC and every one has been worth it. I think I have learned more at this conference than any other I have attended. It is very focused, intimate and full of some incredibly interesting people who are out there doing it. The content ranges in complexity but almost all is going to be accessible if you have been working with AD for years. What helps at this show is after the talk you are having conversations with attendees who can clarify topics based on their own experiences as well as provide tips on how it may be
RE: [ActiveDir] DEC questions
I doubt my old company would still be willing to foot my bill now that I'm moving on. I'll have to make it a priority for next year though.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, March 02, 2005 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DEC questions

Come on Phil, why not start on the 17th?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Wednesday, March 02, 2005 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DEC questions

Go figure that after a couple of years of trying to convince someone to send me to DEC I was about to be sent there this year...but I just got a new job that is starting on the 14th so I'll miss it again. Go figure! ;) Have fun at Whistler if you all make it!

Phil
RE: [ActiveDir] Some thoughts on securing sensitive accounts....
What do you do when you have an AD support group that need access to Enterprise Admin privs if you only have one Enterprise Admin? I know I wouldn't want to be the only guy with those privs in the middle of the night on a weekend when I'm not on call ;)

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

"Then you have your actual Enterprise Admins and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and supervisor for a 250,000 user deployment)."

So I'm assuming that you have more than 1 Enterprise admin in your root domain? Isn't that against all the white papers out there stating that you shouldn't have more than one ent. admin. in your forest and all other admins should be domain admins in their own respective domain? Or did you use enterprise admin as a generic term?

Thanks,

Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Some thoughts on securing sensitive accounts

Hi folks,

I was thinking the other day of the best way to secure schema and enterprise admin accounts. What would you do if you had carte blanche to secure sensitive accounts in an enterprise directory? First things that came to mind were using mandatory smart cards for SA and EA accounts kept in a safe where only designated employees knew the PINs. Any other thoughts?

Thanks!

Francis Ouellet
RE: [ActiveDir] Some thoughts on securing sensitive accounts....
Totally agree, but in very large environments that group of trusted admins is going to have to be more than just one guy. I think 2 or 3 guys (depending on the size of the environment) is a pretty reasonable number provided that they are admins you can trust with that level of access. And to answer Francis' next comment, I would never create a generic account with EA privs. I want to be able to track who did what if I have to comb through the logs after something happened, and when you have a generic account how do you know for sure that Bob Smith was the one that logged in if 3 or 4 people all have access to the same username/password? If you are going to have more than one person with that level of access then create an ID for each of them (separate from their general AD login).

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, February 25, 2005 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

I wouldn't give those rights to a group... Just one or two people in the group, and only after proper vetting. Vetting would include the usual background checks and good corporate citizen-type evaluations, as well as AD technical knowledge. Would you want them fixing an AD disaster in the middle of the night while you're asleep? Will they do the right thing, even when you're not looking? It really comes down to a matter of trust.

-gil
I know I wouldn't want to be the only guy with those privs in the middle of the night on a weekend when I'm not on call ;) Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Friday, February 25, 2005 3:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts Then you have your actual Enterprise Admins and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and supervisor for a 250,000 user deployment). So I'm assuming that you have more than 1 Enterprise admin in your root domain? Isn't that agains't all the white papers out there stating that you shouldn't have more than one ent. admin. in your forest and all other admins should be domain admins in their own respective domain? Or did you use enterprise admin as a generic term? Thanks, Francis From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Friday, February 25, 2005 1:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Some thoughts on securing sensitive accounts Hi folks, I'm was thinking the other day of the best way to secure schema and enterprise admin accounts. What would you do if you had carte blanche to secure sensitive accounts in an enterprise directory? First things that came to mind were using mandatory smart cards for SA and EA accounts kept in a safe where only designated employes knew the pinsAny other thoughts? Thanks! 
Francis Ouellet

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
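The thread above agrees on a few controls for Enterprise Admins and Schema Admins: a small set of vetted people, one personal admin ID per person rather than a shared account, and smart cards for those IDs. The script below is an added example, not from the thread or any of its authors, that turns those controls into a check you can run on a schedule. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the account running it can read group membership in the forest root, and that your per-person admin IDs follow a naming convention; the `admin-` prefix used here is a placeholder for whatever convention you actually use.

```powershell
# Added example (not from the thread): audit the forest's high-privilege
# groups against the controls discussed above: a small, known set of named
# people, one personal admin ID each, no shared/generic accounts, and smart
# card required. Assumptions: the ActiveDirectory module is available, the
# script runs with read access to the forest root, and "admin-<person>" is a
# placeholder naming convention for per-person admin IDs.
Import-Module ActiveDirectory

$rootDomain       = (Get-ADForest).RootDomain
$privilegedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'
$adminNamePattern = '^admin-'   # assumption: per-person admin IDs look like admin-jsmith

function Get-PrivilegedAccountReport {
    foreach ($group in $privilegedGroups) {
        # -Recursive expands nested groups so indirect members are not missed
        $members = Get-ADGroupMember -Identity $group -Server $rootDomain -Recursive
        foreach ($member in $members) {
            $issues = @()
            if ($member.objectClass -ne 'user') {
                # Computers or foreign security principals nested in EA/SA are a red flag
                $issues += "non-user principal ($($member.objectClass))"
                [pscustomobject]@{ Group = $group; Member = $member.SamAccountName; LastLogon = $null; Issues = ($issues -join '; ') }
                continue
            }
            $user = Get-ADUser -Identity $member.DistinguishedName -Server $rootDomain `
                -Properties SmartcardLogonRequired, Enabled, LastLogonDate, PasswordNeverExpires
            if (-not $user.SmartcardLogonRequired) { $issues += 'smart card not required' }
            if (-not $user.Enabled)                { $issues += 'disabled account still a member' }
            if ($user.PasswordNeverExpires)        { $issues += 'password never expires' }
            if ($user.SamAccountName -notmatch $adminNamePattern) {
                # Cannot prove an account is shared from AD alone; flag it for a human to check
                $issues += 'not a per-person admin ID (check for shared/generic use)'
            }
            [pscustomobject]@{
                Group     = $group
                Member    = $user.SamAccountName
                LastLogon = $user.LastLogonDate
                Issues    = if ($issues) { $issues -join '; ' } else { 'ok' }
            }
        }
    }
}

Get-PrivilegedAccountReport | Sort-Object Group, Member | Format-Table -AutoSize
```

Two caveats. `Get-ADGroupMember -Recursive` only tells you who is in the group today; Phil's point about tracing who did what needs the security log on the DCs as well, so keep auditing of account management and logon events enabled there. And the `Administrators` and `Domain Admins` rows are for the forest root only; run the same report against each child domain, since a Domain Admin in a child can still reach the root through the usual trust and SID-history paths.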
RE: [ActiveDir] Command Line AD Question
To move a computer from one OU to another I would recommend using dsmove. Run:

dsmove /?

to get the syntax etc. Generally it would look like:

dsmove "CN=computerName,OU=oldou,DC=domain,DC=com" -newparent "OU=newou,DC=domain,DC=com"

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Stuart, Cory G.
Sent: Friday, February 11, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Command Line AD Question

Hi Everyone,

I'm going to be migrating a large number of machines from a workgroup into a domain. I'm probably going to have some people help me and I want to make it as easy for them as I can. I'm planning on giving them a CD with batch files to do all of the work for them. I'm familiar with using netdom to join systems to the domain, but I'm looking for the command line tool to move the system around within AD OUs. For example, before putting the machine into its permanent OU, I may want to put it into a software OU so that certain packages will be installed first. So what command line tool(s) would you recommend for this. I really appreciate your help!!!

Thanks,
Cory
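Cory's helpers will be running this from a CD against a lot of machines, so the part worth scripting is not the single dsmove but the verification around it. The script below is an added example, not from the thread, that wraps the same dsquery/dsmove tools Phil names: it looks up each computer's DN, moves it into a staging OU, and re-queries to confirm the move rather than trusting the exit code. Note that dsmove takes the object DN directly; it has no `computer` subcommand the way dsquery and dsget do. It assumes a `computers.txt` with one name per line, placeholder OU distinguished names, and that the account used has Delete Child on the source OU and Create Child (computer objects) on the target OU, which is all a move needs; it does not need Domain Admin.

```powershell
# Added example (not from the thread): move a list of computer accounts into
# a staging OU with dsquery/dsmove and verify every move, producing a
# pass/fail table for the people running it. Assumptions: computers.txt
# holds one computer name per line, the OU DNs are placeholders, and the
# account has Delete Child on the source OU and Create Child on the target.
param(
    [string]$ListFile = '.\computers.txt',
    [string]$TargetOU = 'OU=Software-Staging,OU=Workstations,DC=domain,DC=com'
)

function Get-ComputerDN {
    param([string]$Name)
    # dsquery prints the DN wrapped in double quotes; strip them
    $out = & dsquery computer -name $Name -limit 1 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $out) { return $null }
    return ([string]($out | Select-Object -First 1)).Trim('"')
}

function Get-ParentDN {
    param([string]$DN)
    # Everything after the first unescaped comma is the parent container.
    # (A CN containing an escaped "\," would need a real DN parser.)
    return $DN.Substring($DN.IndexOf(',') + 1)
}

function Move-ComputerToOU {
    param([string]$Name, [string]$Target)
    $dn = Get-ComputerDN -Name $Name
    if (-not $dn) {
        return [pscustomobject]@{ Computer = $Name; Result = 'NotFound'; DN = $null }
    }
    if ((Get-ParentDN $dn) -eq $Target) {
        return [pscustomobject]@{ Computer = $Name; Result = 'AlreadyInTarget'; DN = $dn }
    }
    # dsmove takes the object DN directly; there is no "dsmove computer" form.
    # -q suppresses the "dsmove succeeded" chatter so only errors reach the log.
    & dsmove $dn -newparent $Target -q 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{ Computer = $Name; Result = 'MoveFailed'; DN = $dn }
    }
    # Re-query rather than trusting the exit code alone
    $newDn  = Get-ComputerDN -Name $Name
    $result = if ($newDn -and (Get-ParentDN $newDn) -eq $Target) { 'Moved' } else { 'VerifyFailed' }
    return [pscustomobject]@{ Computer = $Name; Result = $result; DN = $newDn }
}

Get-Content $ListFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    ForEach-Object { Move-ComputerToOU -Name $_ -Target $TargetOU } |
    Format-Table -AutoSize
```

If the helpers' account is delegated only those two rights on the two OUs, a mistyped target OU fails at dsmove with an access-denied rather than landing the machine somewhere unexpected, which is the behaviour you want from a script handed out on a CD.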
RE: [ActiveDir] PDC emulator in Native mode
The PDCe is still required in Native mode as it performs a number of functions that don't have anything to do with downlevel clients. Check out this KB article for a good explanation of the functions the PDCe provides: http://support.microsoft.com/default.aspx/kb/197132

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Wednesday, February 09, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PDC emulator in Native mode

Hi,

What happens to the PDC Emulator role if we move from mixed mode to native mode? Is the PDC Emulator required in native mode? And if required, then what will it do and what changes in its functional behaviour?

Best,
Manjeet
RE: [ActiveDir] PDC emulator in Native mode
The time sync thing is incorrect according to information provided to us by PSS the last time we had a time issue. We thought the same thing but were told that the process is actually:

1. A client will use any DC in its domain for synchronization, but will tend to use the DC that authenticated it.
2. A DC will use the PDCe of its domain, or any DC of the parent domain.
3. The PDCe of a child domain will use the PDCe, or any DC of its parent domain.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, February 09, 2005 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PDC emulator in Native mode

Hi,

The PDC Emulator FSMO is required in both modes! In mixed mode the replication model is different (LAN Manager) when replicating with older DCs (BDCs).

In both mixed and native mode:
* Time sync for the domain/forest
* Primary source for GPO edits
* Pwd change for legacy clients without the directory services client
* Central repository for passwords when another DC needs to check the password when a user provided a wrong password against that DC
* Participates in immediate replication for certain events through an RPC call
* Acts as the master DC for BDCs (only in mixed mode) for replication
* Provides directory updates to DFS root servers when Root Scalability is disabled

At the moment I can't think of anything else, but I'm sure if there's more the other guys will add comments.

Cheers,
jorge

From: [EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Wednesday, 9 February 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PDC emulator in Native mode

Hi,

What happens to the PDC Emulator role if we move from mixed mode to native mode? Is the PDC Emulator required in native mode? And if required, then what will it do and what changes in its functional behaviour?

Best,
Manjeet

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] PDC emulator in Native mode
Yeah, that's why I noted that it tends to use the DC that authenticated the client. It doesn't _have_ to, but in common practice that is where a client gets its time sync.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, February 09, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PDC emulator in Native mode

Regarding 2, a DC will occasionally peer up with another DC in its own domain. I see it all the time. 1 also seems a little off since client time is supposed to synchronize over the secure channel with its authenticating DC. I have not observed otherwise.
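Phil and Bob are arguing from what PSS said and from what each has observed; the quick way to settle it for your own forest is to ask every DC what it is actually syncing from. The script below is an added example, not from the thread, that does that for the two passages above: it lists each DC's current time source, flags a forest-root PDC emulator that is still on its local clock (the case where the whole hierarchy inherits drift), and with `-Apply` configures the PDCe with the standard manual peer list. It assumes the ActiveDirectory module, DCs running Windows Server 2008 or later (the `w32tm /query /computer:` form does not exist on 2003), and placeholder NTP pool names.

```powershell
# Added example (not from the thread): show where every DC in the domain is
# taking time from, flag a forest-root PDC emulator with no external source,
# and (with -Apply, run on the PDCe itself) configure it the standard way.
# Assumptions: ActiveDirectory module available, DCs are 2008 or later so
# w32tm /query works remotely, and the NTP peer names are placeholders.
param(
    [switch]$Apply,
    [string[]]$NtpPeers = @('0.pool.ntp.org', '1.pool.ntp.org')   # placeholder peers
)
Import-Module ActiveDirectory

function Get-DcTimeSourceReport {
    $domain     = Get-ADDomain
    $forestRoot = (Get-ADForest).RootDomain
    foreach ($dc in (Get-ADDomainController -Filter * -Server $domain.DNSRoot)) {
        # /query /source reports the peer the time service is currently syncing from
        $source = (& w32tm /query /computer:$($dc.HostName) /source 2>&1) -join ' '
        $isPdce = $dc.HostName -ieq $domain.PDCEmulator
        $issue  = ''
        if ($isPdce -and ($domain.DNSRoot -ieq $forestRoot) -and
            ($source -match 'Local CMOS Clock|Free-running System Clock')) {
            # Root PDCe on its own clock: every DC and client below it inherits the drift
            $issue = 'forest-root PDCe has no authoritative time source'
        }
        [pscustomobject]@{
            DC     = $dc.HostName
            Site   = $dc.Site
            IsPDCe = $isPdce
            Source = $source
            Issue  = $issue
        }
    }
}

function Set-RootPdceTimeSource {
    param([string[]]$Peers)
    # ",0x8" = client mode: poll the peer, never accept symmetric-active packets from it
    $peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    & w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
    & w32tm /resync /rediscover
}

Get-DcTimeSourceReport | Format-Table -AutoSize

if ($Apply) {
    # Refuse to reconfigure anything that is not the PDC emulator
    $pdce = (Get-ADDomain).PDCEmulator
    if ($pdce.Split('.')[0] -ine $env:COMPUTERNAME) {
        throw "Run -Apply on the PDC emulator only ($pdce)"
    }
    Set-RootPdceTimeSource -Peers $NtpPeers
}
```

A DC in the report whose source is another DC in its own domain is Bob's observation; a client you want to check is `w32tm /query /source` on the client itself, which shows the authenticating DC in the usual case Phil describes. Kerberos tolerates five minutes of skew by default, so the thing to watch in the Source column is the root PDCe: if it is on its local clock, nothing below it is anchored to anything.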
RE: [ActiveDir] SBS 2003
You can't have two SBS servers in the same forest so that won't be possible. What you could do is get rid of the SBS2000 server and install Windows Server 2003 and set it up as another DC in the same domain as the new SBS 2003. I believe there is a way to connect two SBS boxes together long enough to migrate off the old one to the new one, so that should make the transition easier.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Wednesday, February 02, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SBS 2003

Hi all,

Have a question about the following: I have a SBS 2000 running which is a domain controller and has Exchange installed for email facilities. I would like to set down an extra server with SBS 2003 and migrate the Exchange database to that new server. But I would like to leave the old server intact as a primary DC, so that authentication is done through the old server but Exchange is handled through the new server. Since I heard there can't be a trust between SBS servers I was wondering if this is possible at all. Some suggestions would be appreciated.

Thx
Jorre
RE: [ActiveDir] Sites and Folder Redirection
It is possible to implement this policy on computer accounts as well. You set User GPO settings on a GPO that is on a Computers OU, then when a user logs into that PC it will apply the User GPO settings. We do this with folder redirection, but we redirect to the user's home drive (which is set in the user profile). That helps us since then it doesn't matter what computer they log into.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, January 31, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites and Folder Redirection

Noah,

The policy that you want to implement (folder redirection) is a user-based policy, so implementing it against the file servers (or an OU that contains one or more of the file servers, to be more accurate) will not have the effect you want. If you want a policy to be implemented based on where the user is (currently), ensure that your site topology is up-to-date, and implement your GPOs based on sites.

For users that roam from one site to another, this becomes a little more complex. If they move from Site A to Site B, the policies (if implemented against sites) will redirect them to a different server. This new location would of course not contain any data - which may (I suspect) or may not be a bad thing. This potential problem can be overcome by replicating the home directory data between locations. Of course this process is not without its own issues:

1. Is there any organization issue (i.e. security, policy, etc.) with having this data replicated?
2. How will the data be replicated? (i.e. underlying storage infrastructure, third party data replication product, home grown process, etc.)
3. How much data is there? Have quotas been implemented?
4. Is there capacity for all data at each location?
5. How often should data be replicated between sites? How often do users roam between locations?
6. Is there enough available bandwidth to support replication at the scheduled times?
7. How will conflicts be resolved during the replication process?

You could throw something like DFS on top of this to provide a common namespace and reduce the number of policies implemented. If you want your notebook users to be able to access their redirected folders when they have no access to the file server then offline files will be required.

Some food for thought I suppose.

Aric

From: [EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, January 31, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sites and Folder Redirection

Hello:

Say I have three sites: Site1, Site2, Site3 (all properly defined in Sites and Services). Each site has a file server with a home directory share: \\server1\home$, \\server2\home$, and \\server3\home$, respectively. I want to redirect My Documents to these home directories using a GPO that creates the subfolders and assigns tight permissions (as per MSKB 274443). Where is the best place to create these GPOs (a separate one for each server)? Obviously, it needs to apply to the users only at that site. So, I could place it at the Site level. However, then when a user from Site 1 logs in at Site 2 will they get a new home directory created on server2? I could create separate OUs that parallel the site structure and place users in those OUs and then apply the GPO there. However, that becomes a bit of an administrative hassle when users move around. Finally, how do either of these configurations affect laptop users that move from site to site?

Slight aside: XP automatically sets these redirected folders to be available offline. Do people generally leave this enabled?

Thanks.
-- nme
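What Phil describes, user settings in a GPO linked to a computers OU applying at logon, is what Windows calls loopback processing, and the failure mode Aric warns about (a roaming user redirected to a server at the wrong site) is easiest to see from the client that just logged on. The function below is an added example, not from the thread, that reports the loopback mode in effect on the machine, where My Documents currently points, and whether that target is reachable. It reads only well-known registry paths and has no placeholders; run it in the affected user's own session.

```powershell
# Added example (not from the thread): on a client, report whether
# computer-side loopback processing is in effect, where My Documents is
# redirected, and whether that target is reachable from here.
# Assumptions: run in the logged-on user's session; registry paths are the
# standard policy and shell-folder locations, not placeholders.
function Get-FolderRedirectionState {
    # UserPolicyMode is written by "User Group Policy loopback processing mode":
    # 1 = Merge (computer-side user settings win on conflict), 2 = Replace (only they apply)
    $loopKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $mode     = (Get-ItemProperty -Path $loopKey -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    $loopback = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }

    # Folder redirection rewrites the per-user shell folder path; "Personal" is My Documents
    $shellKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $personal = [Environment]::ExpandEnvironmentVariables(
        (Get-ItemProperty -Path $shellKey -Name Personal).Personal)
    $isUnc     = $personal -like '\\*'
    $reachable = if ($isUnc) { Test-Path -Path $personal } else { $null }

    # A site-linked policy that caught a roaming user shows up here as a UNC
    # path on a server at the site they logged on from, not their home site.
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        User            = "$env:USERDOMAIN\$env:USERNAME"
        LoopbackMode    = $loopback
        MyDocumentsPath = $personal
        Redirected      = $isUnc
        TargetReachable = $reachable
    }
}

Get-FolderRedirectionState
```

`gpresult /r /scope:user` on the same machine lists which GPOs actually applied and from which site or OU link, which is the cross-check when `MyDocumentsPath` is not the server you expected.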
RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada
Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art Museum. I'm sure anyone who's lived in BC longer than I did will be able to tell you more stuff.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,

I hope you don't mind me asking this... I'm visiting DEC (AD track) in March and hope to meet some of you guys that are also visiting DEC. Besides visiting DEC I'm staying a few days longer, hopefully to see very nice things in the region. Does any of you know what's worth visiting/seeing in the region of Vancouver?

Regards,
Jorge

Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
Infrastructure Consultant
LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (IDT)
Kennedyplein 248, 5611 ZT, Eindhoven * Postbus 7089 5605 JB Eindhoven
Tel : +31-(0)40-29.57.777 * Fax : +31-(0)40-29.57.709 * Mobile : +31-(0)6-26.26.62.80
E-mail : [EMAIL PROTECTED]
http://www.logicacmg.com/ - Solutions that matter -
RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada
Sorry for turning the list into a ski slope Joe :) Whistler is hands down one of the best ski areas in North America. I've spent a lot of time skiing and Whistler is the best place that I have ever skied. Even if you aren't a skier it's worth going and checking out, even if it is just for the views. A sunny day at the top of Whistler is pretty incredible. Did I hear someone mention geeks skiing? That sounds like fun ;)

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 31, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

If you are a skier then Whistler/Blackcomb is not to be missed. IMHO it is simply the best, extraordinary, largest, most varied terrain, (insert your own gushing adjective here)... ski area in North America. Maybe Gil needs to organize a NetPro ski trip...

-Stuart Fuller
RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada
So you're saying you like to wear pants? I know what you're saying about winter... it is highly over-rated. If I had my choice I would be sitting by the beach except when I wanted to go skiing. If I can't be skiing then I don't see much point in the snow. Snowboarding is where I hurt myself. Once I did that I switched right back to skiing :)

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 31, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

I broke my leg one year, a wrist another year, and sprained an ankle really bad yet another year when skiing when I was young and more dumb and thought I was invincible. I have since learned that the best part of skiing is sitting about 5 feet from the fire with some nice smooth alcoholic beverage and talking to the snow bunnies. My overall preference though is to be somewhere where snow is not. Growing up in Northern Lower Michigan I had seen far more than enough snow by the time I was 10. If going down a hill at high speed I'd rather it be on a mountain bike with shorts on. If fishing I'd rather it be on a nice big boat with shorts on. If snowmobiling, I'd rather do it in a videogame while sitting on a beach with shorts on. A perfect day for me is 76-80 degrees, sunny blue sky, top off the Wrangler putzing around the boonies with shorts on.

joe

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, January 31, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Didn't all geeks grow up on skateboards, and then graduate to snowboards in a desperate attempt to fit in? Snowboards on the X-Box I mean of course.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
RE: [ActiveDir] LDAP export pros/cons
I'd be more concerned about malicious users inside your network being able to sniff that traffic and obtain usernames/passwords pretty easily.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, January 21, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

In our case, it's a PeopleSoft portal that is using AD as the authentication provider via the LDAP bind. My logon IDs match in PeopleSoft and AD, so that's how PS correlates a successful AD bind to a PS user. No argument that using LDAP as an authentication method isn't nearly as secure as Kerberos, but we sufficiently trust our in-house PeopleSoft folks to not get ulcers over the setup, along with some other technical and policy measures to reduce our risk exposure. There are other groups in our organization with whom we would not do something like this. Those groups probably don't trust us either :-)

Hunter
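Phil's concern is specific: an LDAP simple bind on port 389 carries the account's password in cleartext, so anyone who can see the traffic between the PeopleSoft portal and the DC gets usernames and passwords for free. The script below is an added example, not from the thread, that shows the three ways the same bind can be made (simple over cleartext, simple over LDAPS on 636, and a Negotiate bind with signing and sealing) and the two DC-side settings that tell you whether cleartext binds are still accepted and who is still sending them. It uses .NET's `System.DirectoryServices.Protocols`; the DC name `dc01.domain.com` and the test credential are placeholders, and the credential should be a throwaway test account, not an admin one.

```powershell
# Added example (not from the thread): compare a cleartext simple bind, a
# simple bind over LDAPS, and a Negotiate bind with signing/sealing, then
# read the DC's LDAP signing policy and diagnostic level.
# Assumptions: System.DirectoryServices.Protocols is available,
# dc01.domain.com is a placeholder, and the credential is a test account.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [string]$Server,
        [pscredential]$Credential,
        [ValidateSet('SimpleClear', 'SimpleLdaps', 'NegotiateSigned')][string]$Mode
    )
    $port = if ($Mode -eq 'SimpleLdaps') { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    switch ($Mode) {
        'SimpleClear' {
            # AuthType.Basic = LDAP simple bind: name and password cross the wire in cleartext
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        }
        'SimpleLdaps' {
            # Same simple bind, but inside TLS on 636; the DC needs a server certificate
            $conn.SessionOptions.SecureSocketLayer = $true
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        }
        'NegotiateSigned' {
            # Kerberos/NTLM via SASL; no password on the wire, and every later message is signed+sealed
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $conn.SessionOptions.Signing = $true
            $conn.SessionOptions.Sealing = $true
        }
    }
    try {
        $conn.Bind($Credential.GetNetworkCredential())
        [pscustomobject]@{ Mode = $Mode; Port = $port; Result = 'bound' }
    } catch {
        # PowerShell wraps the LdapException; "strong authentication required" means the
        # DC enforces signing and refused the cleartext simple bind
        $inner = $_.Exception.InnerException
        if (-not $inner) { $inner = $_.Exception }
        [pscustomobject]@{ Mode = $Mode; Port = $port; Result = "failed: $($inner.Message)" }
    } finally {
        $conn.Dispose()
    }
}

function Get-DcLdapSigningPolicy {
    param([string]$DomainController)
    # LDAPServerIntegrity: 1 = signing not required, 2 = require signing (rejects
    # unsigned SASL binds and cleartext simple binds; LDAPS simple binds still work).
    # "16 LDAP Interface Events" = 2 makes the DC log event 2889 naming each client
    # that still binds unsigned or in cleartext, so you can find them before enforcing.
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
        [pscustomobject]@{
            DC                  = $env:COMPUTERNAME
            LDAPServerIntegrity = (Get-ItemProperty -Path $params).LDAPServerIntegrity
            LdapInterfaceEvents = (Get-ItemProperty -Path $diag).'16 LDAP Interface Events'
        }
    }
}

$cred = Get-Credential -Message 'Test account to bind with (not a privileged one)'
foreach ($mode in 'SimpleClear', 'SimpleLdaps', 'NegotiateSigned') {
    Test-LdapBind -Server 'dc01.domain.com' -Credential $cred -Mode $mode
}
Get-DcLdapSigningPolicy -DomainController 'dc01.domain.com'
```

The order of operations matters for Hunter's setup: turning on the 2889 diagnostics first tells you which applications (the PeopleSoft portal among them) still bind in cleartext; moving them to LDAPS or Negotiate comes next; only then is it safe to set `LDAPServerIntegrity` to 2, at which point the `SimpleClear` row above should flip to failed while the other two still bind.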
RE: [ActiveDir] Name to SID
dsget computer <computer DN> -sid

Or:

dsquery computer -name computername | dsget computer -sid

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, January 19, 2005 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Name to SID

Hi all

If I have a computer's account name how do I go about deciphering its SID?

Thanks
Peter Johnson
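The dsget route reads the SID off the directory object and needs the DS tools on the box. The functions below are an added example, not from the thread, that do the same lookup through the LSA name translation that any domain-joined machine already has (`NTAccount` to `SecurityIdentifier` and back), and split the result into domain SID and RID so a well-known RID such as 512 or 519 stands out. The one thing that trips people up with computer accounts is that the SAM name carries a trailing `$`; the helper adds it. `DOMAIN` and `WKS0042` are placeholders.

```powershell
# Added example (not from the thread): resolve an account name to its SID
# and back with .NET's NTAccount/SecurityIdentifier translation, which goes
# through LSA on any domain-joined machine without the DS command-line tools.
# Assumptions: DOMAIN and WKS0042 are placeholders for your own names.
function ConvertTo-AccountSid {
    param([string]$Domain, [string]$Name, [switch]$Computer)
    # Computer accounts are looked up by SAM account name, which ends in '$'
    $sam  = if ($Computer -and -not $Name.EndsWith('$')) { "$Name`$" } else { $Name }
    $acct = New-Object System.Security.Principal.NTAccount($Domain, $sam)
    try   { $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # IdentityNotMappedException: no such account in this or any trusted domain
}

function ConvertFrom-AccountSid {
    param([string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try   { $s.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $null }   # unresolvable: deleted object, untrusted domain, or an orphaned ACE
}

function Get-SidParts {
    param([string]$Sid)
    # Domain SID + RID. RIDs below 1000 are well-known: 500 Administrator,
    # 512 Domain Admins, 519 Enterprise Admins, 518 Schema Admins.
    $s   = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $rid = [int]($Sid.Split('-')[-1])
    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }
        Rid       = $rid
        WellKnown = ($rid -lt 1000)
    }
}

# Placeholder names; substitute your own domain and computer
$sid = ConvertTo-AccountSid -Domain 'DOMAIN' -Name 'WKS0042' -Computer
if ($sid) {
    Get-SidParts -Sid $sid
    ConvertFrom-AccountSid -Sid $sid     # round-trips to DOMAIN\WKS0042$
} else {
    'account not found'
}
```

Two caveats: the SID returned is the computer's domain account SID, which is not the machine's local SID (the one Sysprep regenerates), and `ConvertFrom-AccountSid` returning `$null` for a SID you found in an ACL is exactly how orphaned entries from deleted accounts or dead trusts look, which is worth knowing when you are cleaning up permissions.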
RE: [ActiveDir] email disappearing
Could it be Automatic Archiving settings?

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Yes it's delivering to the inbox. They come in, but soon disappear. No rules defined. hmmm
RE: [ActiveDir] DNS Setup
If you don't install an Active Directory integrated DNS server then you will need to create those extra DNS entries by hand.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 18, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Setup

Does DNS need to be set up with Active Directory? My DNS isn't showing any of the LDAP ports or standard stuff that shows when you have an AD Integrated DNS. I tried deleting all the Zones and re-creating them... but it doesn't seem to help.

Thanks,
-- Matt Brown [ SELECT * FROM users WHERE clue > 0 ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, January 18, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies that affect secure websites

Putting the web sites into the security zones did not work. Still unable to browse to the sites on the XP workstations.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, January 13, 2005 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies that affect secure websites

The firewall is disabled on the machines. I will try the security zones.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 13, 2005 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies that affect secure websites

Are you sure it's the firewall and not some other setting? For example, some of the other security settings will prevent you from loading ActiveX controls and won't even prompt you for that. Firewall has nothing to do with that. Once you have connected to a web page via SSL, the conversation is encrypted and the firewall either allows the TCP 443 connection or it doesn't. Not partially, etc. Troubleshooting the firewall usually starts with logging. Have you tried logging the firewall to see what it's doing? Do you see it dropping connections to that page? You may also want to turn on script debugging to see if something is failing before the page loads. Finally, you may also want to put the web page into a different security zone for testing purposes to see if some of the security zone settings are too restrictive.

Al

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, January 13, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Policies that affect secure websites

I am having an issue on a Windows XP SP2 machine where some of the secure web sites will not come up. I have SSL and TLS selected and we are able to connect to our OWA server, but unable to connect to a banking page for example. Now I checked on a Windows 2000 machine and we are able to get to the page. I don't have anything in the policies that I see that tells IE how to handle secure sites but then I could be missing something. Any ideas where to look?

Jeff
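The "LDAP ports or standard stuff" Matt is missing are the SRV records under `_msdcs` and the domain name that the DC locator uses. Whether the zone is AD-integrated or a plain primary, the DC's Netlogon service registers them by dynamic DNS update, so the two things to check are whether those records resolve from the DNS server the clients use and whether the zone accepts dynamic updates at all. The script below is an added example, not from the thread, that does both. It assumes `Resolve-DnsName` and the `DnsServer` module (Windows 8 / Server 2012 or later), and `domain.com` and `dns01.domain.com` are placeholders.

```powershell
# Added example (not from the thread): check that the SRV records clients
# need to find a DC resolve on the DNS server they use, and whether the
# zone accepts the dynamic updates Netlogon registers them with.
# Assumptions: Resolve-DnsName and the DnsServer module are available;
# domain.com and dns01.domain.com are placeholders.
function Test-DcSrvRecords {
    param([string]$Domain, [string]$DnsServer)
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",      # any DC; the record the DC locator starts from
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain",
        "_kpasswd._tcp.$Domain",
        "_gc._tcp.$Domain"                   # global catalog; registered under the forest root name only
    )
    foreach ($n in $names) {
        try {
            $srv = Resolve-DnsName -Name $n -Type SRV -Server $DnsServer -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{
                Record  = $n
                Found   = [bool]$srv
                Targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            }
        } catch {
            [pscustomobject]@{ Record = $n; Found = $false; Targets = '' }
        }
    }
}

function Get-ZoneDynamicUpdateMode {
    param([string]$Zone, [string]$DnsServer)
    # DynamicUpdate is None, NonsecureAndSecure or Secure. "None" means Netlogon's
    # registrations are refused and the SRV records would have to be created by hand;
    # "Secure" requires the zone to be AD-integrated.
    $z = Get-DnsServerZone -Name $Zone -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $z) { return [pscustomobject]@{ Zone = $Zone; Hosted = $false } }
    [pscustomobject]@{
        Zone          = $z.ZoneName
        Hosted        = $true
        Type          = $z.ZoneType
        ADIntegrated  = $z.IsDsIntegrated
        DynamicUpdate = $z.DynamicUpdate
    }
}

$domain = 'domain.com'            # placeholder
$dns    = 'dns01.domain.com'      # placeholder: the DNS server the clients point at
Test-DcSrvRecords -Domain $domain -DnsServer $dns | Format-Table -AutoSize
Get-ZoneDynamicUpdateMode -Zone $domain -DnsServer $dns
Get-ZoneDynamicUpdateMode -Zone "_msdcs.$domain" -DnsServer $dns   # a separate zone in 2003-and-later forests

# If records are missing but the zone allows updates, force re-registration on the DC:
#   nltest /dsregdns
# and compare against the list Netlogon is trying to register:
#   Get-Content "$env:SystemRoot\System32\config\netlogon.dns"
```

If every record is missing and `DynamicUpdate` is `None`, that is Matt's situation and Phil's answer applies: either allow dynamic updates on the zone (secure updates, which means making it AD-integrated) or load `netlogon.dns` into the zone by hand. If updates are allowed and the records are still absent, the DC itself is not registering, and `nltest /dsregdns` followed by the Netlogon events on the DC is where to look next.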
RE: [ActiveDir] Migrating to Win2k3
If you are going with a 3rd party migration tool, take a serious look at both Quest and NetIQ. There are pros and cons to each and if you got 10 AD migration consultants in a room you'd never get a consensus on which one is the best ;)

Phil

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Saturday, January 15, 2005 4:45 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrating to Win2k3

I agree with Jordan... don't rely on ADMT if you want to go ahead with the parallel upgrade. I had several issues with the ADMT and MS was not able to resolve the problems and ended up migrating the PCs manually and then doing the security translation. I suggest you better get NetIQ tools for migration... Do not suggest a parallel upgrade for w2k to w2k3 unless your old domain is an upgrade from NT to w2k3...

Chandra

On Fri, 14 Jan 2005 13:54:55 -0600, Jordan Arendt [EMAIL PROTECTED] wrote:

For 5000 users I would definitely recommend getting 3rd party tools. I've done a migration using ADMTv2. You get what you pay for. I would revisit the business case for renaming your domain. Why are you doing it? If it's just because you don't like the current name, it would well be worth your while to suck it up and just upgrade in place. Having done both a migration and an upgrade in place I would choose upgrade in place every time, if I could.

On Thu, 13 Jan 2005 11:06:38 +0100, Fush Grubber [EMAIL PROTECTED] wrote:

Hello All,

I am currently carrying out an upgrade from Windows 2000 to Windows 2003, and I want to change my domain name. Instead of upgrading all my domain controllers from Windows 2000 to Windows 2003, I want to build an entirely new win2k3 machine as a new domain controller with the new domain name I want to move to; set up a trust relationship between the 2 domains; use the ADMT tool to migrate all accounts from the old to the new domain; use the migration wizard to move mailboxes from my old Exchange 2000 server to a new Exchange 2003 server I want to set up in the new domain.

One of the top questions lingering in my mind is that since I have about 5000 clients running Windows XP, how will I automate the process of clients joining the new domain, since they are presently members of the old domain? Secondly, I want to find out if anyone has used this method to carry out an upgrade and advise me if I am doing anything wrong and the best steps I would need to take to ensure the upgrade is successful.

Fush
RE: [ActiveDir] Exchange Backup
BackupExec (and most any Exchange-aware backup program, I suspect) can do brick level backups. They can be useful, but I think that with Exchange 2003 you can achieve better results with recovery storage groups. If you still want to use brick level backups, don't rely on them for disaster recovery: make sure you still run your full and incremental/differential backups in addition to the brick level backups.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Friday, January 14, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange Backup

I have not worked on Backup Exec for Exchange... however I have worked on ARCserve, which has one more type called brick level backup, which does the backup mailbox by mailbox and gives the admin an option to restore single mailboxes... but takes forever..

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT:scsi controller errors
I know a long time ago an event ID 9 on a SCSI controller or disk could also indicate a hardware issue. You might have a faulty/dying controller. Not saying that is the answer, but I've seen that event caused by it.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, January 14, 2005 2:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:scsi controller errors

I checked eventid.net before posting (always do). Those comments refer to tape drives and other devices sharing the SCSI bus OR hardware issues. The storage box is on its own bus and I checked cables, termination, flashed ROM, etc.

Thanks

-----Original Message-----
From: Lou Vega [mailto:[EMAIL PROTECTED]
Sent: Friday, January 14, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:scsi controller errors

EventID.NET my friend
http://www.eventid.net/display.asp?eventid=9&eventno=2059&source=adpu160m&phase=1

They almost always have the answer to my event log questions! :)

Regards,
Lou

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, January 14, 2005 2:32 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:scsi controller errors

I'm running an active/passive Exchange2k cluster on Win2k Adv SP4. Lately I've been getting a lot of event ID 9 in the system log:

Event Type: Error
Event Source: cpqcissm
Event Category: None
Event ID: 9
Date: 1/14/2005
Time: 9:12:04 AM
User: N/A
Computer: CLUSNODE2A
Description: The device, \Device\Scsi\cpqcissm1, did not respond within the timeout period.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Migrating to Win2k3
To deal with the 5000 workstations you migrate the computer accounts of the workstations and servers. I am pretty sure that ADMTv2 will deal with this OK, but the 3rd party migration tools from Quest and NetIQ will do this a little cleaner and offer you better logging/reporting. If you want to migrate your servers then you need to take a look at what servers you have; if any of them are complex they may need special attention. If you are using SQL servers that use both Windows Authentication and SQL Authentication then using the Quest tool is really your only option for migrating the server, since NetIQ and ADMT don't deal with that situation. Of course you could also do it manually without a migration tool, it'll just take a bit more work.

The method that you've proposed is a fairly commonly used method and you are definitely on the right track. The domain rename option is also there, but the migration method is also a very viable and well used method of achieving what you're trying to do.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fush Grubber
Sent: Thursday, January 13, 2005 5:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating to Win2k3

(Snip)

One of the top questions lingering in my mind is that since I have about 5000 clients running Windows XP, how will I automate the process of clients joining the new domain, since they are presently members of the old domain? Secondly, I want to find out if anyone has used this method to carry out an upgrade and advise me if I am doing anything wrong and the best steps I would need to take to ensure the upgrade is successful.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Crazy question
You can't.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, January 13, 2005 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Crazy question

Also?? How do you add a W3K Domain Controller to an existing NT4 domain?

Thanks,
Z.V.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Crazy question
The way to mitigate that risk is to install a BDC into the NT4 domain, let it replicate, then shut it off. If anything goes wrong with the migration then you can scrap the upgraded PDC and bring this BDC back online, promote it to PDC and be back where you were before the attempted upgrade. I think Jorge also mentioned this in his very comprehensive message on upgrading an NT4 domain.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, January 13, 2005 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Crazy question

I personally do not like to mess with a system that is in production already. You will be just hoping that nothing will go wrong with the upgrade. I have had my share of staying up to 3:00 AM.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 13, 2005 12:47 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Crazy question

You could install NT 4 on it, make it a BDC and then upgrade it to W2K3. That will upgrade your domain and bring over all the good things in it now, with users etc. It will also bring over all the problems (groups, users, security issues, etc.) but nobody ever talks about that side of it.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

I have been asked this from a friend of mine and wasn't sure of the outcome even though I have told him not to go ahead. I was just interested in the implications and whether it can be done. He has a customer with an existing NT4 domain, one PDC, that's it. He has bought a brand new box and installed W2K3, dcpromo'd the thing and set up users, thinking he could just add the box to the existing domain and everything would be okay to migrate the users and data over. I know this sounds pretty crazy, but it got me thinking what the implications of doing this would be and what is the best procedure for him at this stage. If any.

Gary

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Assistant attribute and Outlook.
I believe it is msExchAssistantName.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, January 11, 2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Assistant attribute and Outlook.

Trying to remember exactly, but I don't think that field is what is displayed in the GAL. Check your GAL settings and see if they don't use secretary vs. assistant when they build the GAL.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Tuesday, January 11, 2005 6:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Assistant attribute and Outlook.

Hello,

I have an issue where the Assistant field doesn't get populated for users when I look at their info with Outlook within the global address list -> user -> properties. All of the other fields on that properties page can be seen by Outlook. I'm running Windows 2003 server and Exchange 2003. Exchange server and users are in different domains, same forest. I can see the Assistant attribute is populated with the correct DN when I look at the user in ADSI:

CN=username,OU=orgunit,DC=domain,DC=COM

I know it sounds like a trivial issue but it's making me nuts why this won't work and there are some people here that need to see it. Any help is appreciated.

Thanks,
Mike.

Mike Newell
Information Systems Manager
OSI Systems

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Add users?
To answer your other question first: the reason that nothing shows up in the username field but does show up in the pre-Win2k field is that you also need to specify the UPN on your dsadd command (use the -upn switch). A user should be able to log in fine without it, but it is a very good idea to have it set properly.

Why didn't they include the option of using an input file in dsadd? No idea, but there are other tools that will let you use an input file (like csvde or ldifde); unfortunately they don't let you set a password, and so they add an extra step.

To set permissions on a command line use cacls.exe.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Tuesday, January 11, 2005 1:59 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add users?

Thank you Phil.

But how practical is this? Why did they change the old way? I mean apparently dsadd user has many if not all the input parameters, but the fact that you don't pass them through an input file is depressing :(

Anyway, now I have the dsadd user script ready (for one test user) and I have the exchmbx command ready to create the mailbox. The only thing I want to automate more is to create mailboxes for users whose names start with the letters A-F in a specific mailbox store, and I-O in another one, and so on and so forth. So is there a way to automate this too? Besides making a home directory for each username and setting the correct permission: mkdir will be fine, but setting the permission in a command line, how?

Thanks a lot

On Mon, 10 Jan 2005 10:30:49 -0500, Renouf, Phil [EMAIL PROTECTED] wrote:

The -uci switch you mention in dsadd isn't for input from a file, it is referencing input from pipe (ie: | ). You can use information from a tool like dsquery to pipe information to dsadd (you can pipe the DN for an account for example).

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, January 10, 2005 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add users?

OK, I could see it now, sorry, thanks, it's working great. I have only one question: what's the use of the -uci option if I can't pass the parameters in an input file, and I have to make the command each time I want to create a new user? Also, in the addusers.exe Windows 2000 tool, the username was used; now I have to use UserDN and samid and neither seems to be working as a username?

Thank you

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Slightly OT: Pix config for AD Replication
From a security standpoint only allowing communication via specific ports is always a better option, but in the case of Active Directory you need to open so many ports to enable full communication between the DCs that it's really pointless to lock it down by port. I would recommend setting up the VPN and making sure to restrict what IPs are able to use the tunnel.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Tuesday, January 11, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Slightly OT: Pix config for AD Replication

I'm working on setting up a site-to-site VPN using Cisco Pix 525's. I need to test Active Directory replication over the VPN as we will have domain controllers on each of the two sites connected via VPN. I've been reading various articles on either setting the Pixes up for wide open communication between the DCs or for manually allowing each port needed for AD/DNS replication. Has anyone got suggestions as to the best way to proceed?

Thanks in advance group!

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Add users?
The -uci switch you mention in dsadd isn't for input from a file, it is referencing input from pipe (ie: | ). You can use information from a tool like dsquery to pipe information to dsadd (you can pipe the DN for an account for example).

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, January 10, 2005 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add users?

OK, I could see it now, sorry, thanks, it's working great. I have only one question: what's the use of the -uci option if I can't pass the parameters in an input file, and I have to make the command each time I want to create a new user? Also, in the addusers.exe Windows 2000 tool, the username was used; now I have to use UserDN and samid and neither seems to be working as a username?

Thank you

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Add users?
To reply to myself, I made a dumb statement... you can't pipe the DN from dsquery to dsadd since the user wouldn't exist yet, but that is one thing that you can do with dsquery and some of the ds tools (dsget, dsmod etc.)

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, January 10, 2005 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add users?

OK, I could see it now, sorry, thanks, it's working great. I have only one question: what's the use of the -uci option if I can't pass the parameters in an input file, and I have to make the command each time I want to create a new user? Also, in the addusers.exe Windows 2000 tool, the username was used; now I have to use UserDN and samid and neither seems to be working as a username?

Thank you

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] time server
Is there anything on the network in between your AD domain and the phone switch? I know it's fairly common for phone switches to be behind some type of NATing firewall, although it doesn't happen everywhere.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 10, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Have you checked the DC in question to see what it's reporting? You may also want to grab a net trace to see the packets on the wire. Those two things might help to clarify the issue (permissions, incompat, etc) faster. If the phone switch has a log file or output, that also might be helpful in this situation.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

It's an AVAYA S8700 Media Server. The phone system admin showed me the web page where the Network Time Server should be configured on the AVAYA. It doesn't let me choose which protocol; it simply has a place for the IP address or DNS name of the Network Time Server. We entered the IP, and it says "Could not update Network Time Server" (as if it tries to query and fails). We can ping the AVAYA from the DC, and they are on the same subnet. I think (though unconfirmed) that the AVAYA runs on a proprietary Linux version. The only other option I thought might be a factor is Multicast client support, which is currently set to no. Our AD domains are Windows 2000.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Muggli
Sent: Monday, January 10, 2005 3:02 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] time server

I own the time service for Windows, so I can field the OS question. The NTP server in Windows 2003 is NTP V3 RFC compliant, and third party NTP clients can (well *should*) be able to sync with it. When you say "doesn't seem to recognize", is there an error message? How does it find a valid NTP server?

-Nathan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, January 10, 2005 11:07 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] time server

Uncertain as to the OS in question here, but Windows 2003 supports both NTP and SNTP - http://www.microsoft.com/technet/security/guidance/secmod118.mspx

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs support, not NTP.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server.

Thanks!

Mark Creamer

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated. Thank you. Cintas Corporation.
RE: [ActiveDir] Forest trusts vs trusts within forests
If both domains are single domain forests then a forest trust isn't as big a deal, since its major selling point is that the trust is transitive. I suppose that you also would be able to use Kerberos for cross-forest authentication, which is a nice feature that I don't believe is available in external trusts.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Thursday, January 06, 2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Hi David,

In addition to SID filtering, you can protect a trust between domains in two forests (either a forest trust or an external trust) by using selective authentication (SA). SA is sometimes called an authentication firewall, and the idea is that only listed users can access only listed servers across the trust (in addition to traditional share and NTFS permissions).

If the new domain creates a new forest, its domain admins are not subject to the Enterprise Admins of the existing forest. This may or may not be of relevance to you.

I'm not sure if I understand your last question, but a forest trust is only possible if both forests are on the WS2003 FFL.

Yours,
Sakari

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, January 06, 2005 10:32 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts within forests

Happy New Year!

I'm having a design discussion with myself about adding a forest vs adding a domain to an existing forest. I understand about the automatic transitive trust between domains in a forest, and how it's possible for a clever domain admin in a subdomain to compromise the entire forest. What I'm shaky on is this: If you had two single-domain forests, and established trusts in both directions between them, do you have the same issues? I would think not, because the configuration and schema NCs are not shared between them, but I'm looking for some confirmation on that.

Also, since we're talking about two single-domain forests, I'm guessing that the 'forest trusts' available in W2K3 FFL don't really come into play here, correct? In other words, getting the first domain to W2K3 FFL doesn't buy anything with respect to this trust?

Thanks,
Dave

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Add users?
The dsadd utility doesn't work with a CSV file; if you want to use dsadd to bulk create users you will need to work up a .cmd file with each line having a dsadd command. Here we do this with Excel. Since our format is always the same, we have predefined columns for the information that we need, then we concatenate them into one column which pieces together the dsadd command, so all you do is copy that column into a .cmd file and run it. Not too elegant, but it works.

If you want to use a CSV file specifically then take a look at CSVDE. Be aware though that this won't allow you to set a password during user creation; you'd need to do that afterwards with another tool.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Tuesday, January 04, 2005 6:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add users?

Thank you Sakari, interesting. So what are we going to do about it? How about if you post the instructions to modify the schema to show Employee ID in ADUC :) ?

When I try to use dsadd and pass an input file that has the users I want to create, it says wrong data format:

C:\>dsadd user -uci dsaddtest.csv
dsadd failed:Value for `Target object for this command' has incorrect format.
type dsadd /? for help.
C:\>

What should I do? Also, I get the same error if the file format is .txt.

Thanks
r.c.

On Tue, 4 Jan 2005 01:50:11 +0200, Sakari Kouti [EMAIL PROTECTED] wrote:

Hi,

Another source for ADUC-to-LDAP mappings is on our book's Web site at http://www.kouti.com/tables.htm

There is a direct HTML version, but the Excel version (included in a ZIP file) is much more convenient. It's a Windows 2000 version, but Windows Server 2003 didn't change the ADUC fields at all, so for this scope it's still current. Even though I made it, I dare to recommend it. Among other things, it also documents what's in each property set.

Who volunteers to write a control that adds a new tab to ADUC, including the EmployeeID? And better still, that control could enable you to modify any string or integer attribute that you define.

Yours,
Sakari

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
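An added example, not code from the thread, Microsoft or joeware: a generator for the dsadd .cmd file Phil describes building in Excel, which also covers the points from the earlier "Add users?" exchange (the -upn switch, mailbox stores chosen by initial letter, the home directory and cacls step). The OU, UPN suffix, NetBIOS name, home share, store names and the exchmbx "-cr server:storage group:store" argument form are assumptions, and the CSV is constructed.

```python
"""Generate the dsadd .cmd batch from a CSV sheet (added example; not code from
the list thread, Microsoft or joeware). Placeholders, none from the thread: the
CSV columns, OU, UPN suffix, NetBIOS name, home share and mailbox store names,
and exchmbx's "-cr server:storage group:store" argument form (assumed)."""
import csv
import io
import secrets
import string

DOMAIN_NETBIOS = "EXAMPLE"                 # placeholder
USERS_OU = "OU=Staff,DC=example,DC=com"    # placeholder
UPN_SUFFIX = "example.com"                 # placeholder
HOME_SHARE = r"\\FILESRV\home$"            # placeholder
# Mailbox store by first letter of the account name, as asked in the thread
# (A-F in one store, I-O in another); store triples are placeholders.
STORE_BY_INITIAL = [
    ("A", "F", "MBX1:First Storage Group:Store A-F"),
    ("G", "O", "MBX1:First Storage Group:Store G-O"),
    ("P", "Z", "MBX1:Second Storage Group:Store P-Z"),
]
# Constructed sample sheet, the kind Phil describes keeping in Excel.
SAMPLE_CSV = """\
first,last,samid,department
Alice,Anders,aanders,Finance
Karl,O'Brien,kobrien,IT
Zoe,Zhang,zzhang,Sales
"""
SAMID_BAD = set('"/\\[]:;|=,+*?<>')

def check_samid(samid):
    """sAMAccountName rules: 1-20 chars, no reserved punctuation or controls."""
    if not 1 <= len(samid) <= 20 or samid.endswith(".") or any(
            c in SAMID_BAD or ord(c) < 32 for c in samid):
        raise ValueError(f"invalid samid {samid!r}")
    return samid

def dn_escape(value):
    """Escape an RDN value per RFC 4514 so "Anders, Alice" stays one CN
    instead of splitting the DN at the comma."""
    last = len(value) - 1
    return "".join("\\" + ch if ch in ',+"\\<>;' or (ch == "#" and i == 0)
                   or (ch == " " and i in (0, last)) else ch
                   for i, ch in enumerate(value))

def cmd_quote(arg):
    """Quote one value for a cmd.exe batch line. A '"' or control character in
    a sheet field could close the quotes and let the rest of the field run as
    a command, so refuse those; double '%' so batch does not expand it."""
    if any(ch == '"' or ord(ch) < 32 for ch in arg):
        raise ValueError(f"unsafe character in field {arg!r}")
    return '"' + arg.replace("%", "%%") + '"'

def store_for(samid):
    """Mailbox store from the first letter; an unmapped initial fails loudly."""
    letter = samid[:1].upper()
    for lo, hi, store in STORE_BY_INITIAL:
        if lo <= letter <= hi:
            return store
    raise ValueError(f"no mailbox store range covers {samid!r}")

def initial_password(length=14):
    """Random initial password with all four classes; -mustchpwd forces a change."""
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits,
               "@#$*-_=+")
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - 4)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def build_commands(row, password):
    """dsadd (with the -upn switch), mailbox, home directory and cacls lines
    for one sheet row."""
    first, last = row["first"].strip(), row["last"].strip()
    samid = check_samid(row["samid"].strip())
    user_dn = f"CN={dn_escape(last + ', ' + first)},{USERS_OU}"
    home = f"{HOME_SHARE}\\{samid}"
    dsadd = " ".join([
        "dsadd user", cmd_quote(user_dn), "-samid", cmd_quote(samid),
        "-upn", cmd_quote(f"{samid}@{UPN_SUFFIX}"),
        "-fn", cmd_quote(first), "-ln", cmd_quote(last),
        "-display", cmd_quote(f"{first} {last}"),
        "-dept", cmd_quote(row["department"].strip()),
        "-hmdir", cmd_quote(home), "-hmdrv", "H:",
        "-pwd", cmd_quote(password), "-mustchpwd", "yes",
    ])
    mailbox = f"exchmbx -b {cmd_quote(user_dn)} -cr {cmd_quote(store_for(samid))}"
    # cacls /E edits the existing ACL instead of replacing it; /G grants Full.
    acl = f"cacls {cmd_quote(home)} /E /G {DOMAIN_NETBIOS}\\{samid}:F"
    return [dsadd, mailbox, f"mkdir {cmd_quote(home)}", acl]

def generate_batch(csv_text, password_for=None):
    """Whole sheet to a .cmd body; one bad row aborts the run instead of
    emitting a half-quoted line. The file holds cleartext initial passwords:
    write it somewhere restricted, run it, then delete it."""
    password_for = password_for or (lambda row: initial_password())
    lines = ["@echo off"]
    for row in csv.DictReader(io.StringIO(csv_text)):
        lines.extend(build_commands(row, password_for(row)))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(generate_batch(SAMPLE_CSV), end="")
```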
RE: [ActiveDir] XP pro sp2 and printers
The policy you are looking for is the Point and Print policy.
http://support.microsoft.com/Default.aspx?kbid=319939

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, December 20, 2004 9:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] XP pro sp2 and printers

Am testing implementation of XP SP2 machines, and as the user when you go to the network and attempt to add a printer you get this error:

Policy is in effect on your computer which prevents you from connecting to this print queue.

I cannot find a policy on the workstation, either through the local policy or domain policies, that would cause this to happen. I am not sure if I am missing a policy or if it could be somewhere else that I need to look. Any suggestions?

Jeff

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Citrix and AD migrations
NetIQ. They have a very solid migration tool as well, but personally I think the Quest tool is slightly better, almost solely because it handles SQL migrations much better than NetIQ. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Tuesday, December 21, 2004 11:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Citrix and AD migrations One other point to be made, a lot of the third-party tools for migration have this issue solved and automated. Not that this would help you now, but you might review their websites and review how they approach migrations to get an idea of what you might run into in the future. I am familiar with Quest /Aeltia's migration tools and Bindview's Migration Service. Both are really good. One thing to keep in mind though is the automation portions require RPC connectivity a lot of times to work from a remote console. Todd Myrick (I don't think I left anyone's migration tools out, but if I did, please just add them on.) -Original Message- From: Robinson, Chuck [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 21, 2004 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Citrix and AD migrations Charlie, Two things: 1: Your Citrix servers should now use the same DNS servers as AD. 2: TS Profiles don't get translated using ADMT only User Profiles. The file/directory part of the profile can be accessed after the migration using SID History (assuming your doing this). However the Registry portion of the profile(NTUser.dat) cannot use SID history. You can fake this out by specifying the TS Profile as the User Profile before the migration. ADMT with then translate the whole profile, at that point you should return the User Profile back to it's original state. Hope this helps. 
Chuck -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, December 21, 2004 9:37 AM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] Citrix and AD migrations I'm conducting an NT 4 to 2003 AD migration and I'm having a bit of an issue with my Citrix setup. Background: I have about 40 remote sites and a Citrix farm that is located with our central IT staff. We are about 20% through the migration which does not include any of the central servers (we do have servers at most of our remote sites) or the Citrix farm. We are using the ADMTv2 tool to migration the users, groups, workstations and servers. Problem: Our Citrix profiles path don't seem to be working very well after we conduct the migration. We were having an issue with a number of our applications and we discovered that if we copied our Terminal Services Profile Home Folder to our Profile Home Folder location most of the apps then work correctly. However, I don't think that the profile stuff is functioning correctly. I have deleted one users Citrix Profile and what usually happens is when the user logs into Citrix it automatically creates a new profile for them. This doesn't seem to be happening, however they are still able to use Citrix. If this user still has her old profile then she receives an error when she tries to run the application. Has anyone seen this type of issue when conducting the migration of Citrix users? 
Thanks, Charlie List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Domain Name and DNS Problems
I wouldn't worry about it too much. The situation you are in may not be the optimal design, but it is not an uncommon design either. There are a pretty large number of AD installs that use a split level DNS structure the same way you are. I think you've got a pretty good setup right now with a script that replicates external DNS names in your internal DNS structure, most places would just leave that as a manual synchronization. I know of some very large companies that have split level DNS that replicate them manually. I'd say live with it the way it is now and the next time you see an opportunity to restructure your AD environment, take the time to redesign the forest and DNS structure the way you want it. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Sent: Thursday, December 16, 2004 3:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Domain Name and DNS Problems It looks like I am just going to have to deal with the DNS problem as it is. I can perform the upgrade as easy as it sounds but I have never done one before. I don't mind jumping in and doing the work but I don't think my superiors will let me. I know that I can setup a test environment to at least get me familiar with the process for the first time but I am sure that it will be deemed too risky by those who will make the ultimate decision of moving on with this or not. Aside from that there are licensing issues with the latest version of Exchange. I don't think that the money will be invested in the upgrade. One lesson definitely learned is NEVER to use your already in use domain again for Active Directory. I guess next time management should have sent me to training instead of me having to come up with a solution on my own. Thank you all for your assistance. Edwin On Thu, 2004-12-16 at 14:58 +0100, Jorge de Almeida Pinto wrote: and be sure to have recovery procedure in place (up-to-date and tested) for your AD forest if something goes wrong! 
regards jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric Sent: Tuesday, December 14, 2004 20:01 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Domain Name and DNS Problems Edwin, You could theoretically upgrade your Exchange server to E2K3 followed by an upgrade of the OS to W2K3. At this point, even with the W2K Pro systems, you could perform a domain rename assuming your forest has a functional level of (2) Windows Server 2003 as a fix now exists for E2K3. Keep in mind that the domain rename process is not for the faint of heart and you should dedicate an entire weekend to it for your relatively small environment...just in case. Also be sure and read through the approx. 90 page white paper regarding the rename process. Aside from that, you are doing what many other organizations do when a split-brain DNS is implemented. Regards, Aric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Sent: Tuesday, December 14, 2004 10:01 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Domain Name and DNS Problems That is why I mentioned the Perl script that is used. That is exactly what it does. But this is not what I would like to see. I would like for our internal AD DNS to only host records for our internal systems and forward any other unresolved requests. On Tue, 2004-12-14 at 09:29 -0500, Salandra, Justin A. wrote: Why don't you just duplicate the records in the public DNS zone to the private zone. That is what I do since both my internal and external namespaces are the same. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Sent: Tuesday, December 14, 2004 9:04 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Domain Name and DNS Problems Hello Everyone. I have an ongoing problem and would like to get some assistance please. The domain that I am currently responsible for is the first domain that I have ever configured. 
As a result there was a lot of trial and error and most things were resolved but there remains this one problem that still lingers. I will try to explain as best as I can the scenario. I work for a company (mycompany.net) and we host many web servers out on the public Internet. Our servers follow a naming scheme that is dependent on the type of OS or special purpose for that server. i.e.
RE: [ActiveDir] OT: intrusion prevention
Unless Snort has added some features it is just an Intrusion Detection System and does not offer Intrusion Prevention. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sean Johnson Sent: Tuesday, December 14, 2004 1:30 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] OT: intrusion prevention Snort ( http://www.snort.org ) won't cost you anything other than the time to learn it, and really no matter what kind of IDS solution you use, there is a decent learning curve to overcome. On Mon, 13 Dec 2004 18:05:50 -0500, Kern, Tom [EMAIL PROTECTED] wrote: my company is looking at getting cisco security agent for intrusion prevention. Personally, at $60,000, I think it's a bit much. does anyone have any cheap intrusion prevention software they use out there? or can you lockdown your desktops enough via GPO's and good AV? we get a lot of bots lately on our network. these bots infect fully patched boxes and start making outbound requests on ports 445 and 6667 flooding our network to a crawl and sometimes even DOSing our firewall. as I've said, they even infect patched PCs with fully updated AV defs (Symantec corporate 9.0). the attraction to cisco is that (according to cisco marketing..), a client agent is installed which will stop the action of any unauthorized app or service from running and alert an admin. still, i think there's got to be a cheaper way to stop this stuff. any ideas (or personal experience with cisco agent)? 
thanks List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Online scan to determine OS
NMAP will run on a windows box no problem. There are instructions on the NMAP site for how to get it working on Windows. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Thursday, December 09, 2004 11:23 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Online scan to determine OS I haven't played with NMAP that much, but I'll try to get it running. After all, it is a great tool. The only problem is that I need to make sure I can get it to run on a windows box. Thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, December 09, 2004 9:22 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Online scan to determine OS Have you tried NMAP? FWIW, some might be *nix boxes if they're using some version of SAMBA. It's possible, although they don't always show up as 9x boxes. I think I have a machine reporting as a 9x server out there somewhere ;0) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Thursday, December 09, 2004 10:10 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: Online scan to determine OS Very OT. I'm looking for an inexpensive scanner that I can use to scan my organization to see if there are any Windows 9x machines out there that I don't know of. I would conduct the scanning by IP address but I can't seem to find a reliable app to do this. I have pulled the Lan Guard NSS however its results aren't that great. I have 9x boxes showing up like they are unix or Windows XP. 
Thanks, Charlie List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
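As an added worked example (not code posted in the thread), here is how one would process an nmap OS-detection scan to pick out Windows 9x candidates. It assumes the scan was run with OS detection and grepable output, e.g. `nmap -O -oG hosts.gnmap 10.1.5.0/24`, and parses that `-oG` format. The sample scan text is constructed for the example, not from Charlie's network, and the host names and addresses in it are invented. Besides the fingerprint string, it applies a second heuristic that catches boxes LANguard or nmap cannot fingerprint: a host that speaks SMB over NetBIOS (TCP 139) but not direct-host SMB (TCP 445) is pre-Windows 2000 if it is Windows at all, since 9x never listens on 445, while a Samba box that looks the same will usually carry a non-Windows OS guess and is not flagged.

```python
# Constructed sample of nmap grepable (-oG) output from a scan run with -O.
# Not real scan output; addresses and names are invented for this example.
SAMPLE_GNMAP = """\
# Nmap run (constructed sample)
Host: 10.1.5.20 (ws-acct-03)\tStatus: Up
Host: 10.1.5.20 (ws-acct-03)\tPorts: 139/open/tcp//netbios-ssn///\tOS: Microsoft Windows 98
Host: 10.1.5.21 (fs-01)\tStatus: Up
Host: 10.1.5.21 (fs-01)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows 2000 Server
Host: 10.1.5.22 ()\tStatus: Up
Host: 10.1.5.22 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tOS: Linux 2.4.X
Host: 10.1.5.23 ()\tStatus: Up
Host: 10.1.5.23 ()\tPorts: 139/open/tcp//netbios-ssn///
"""

WIN9X_MARKERS = ("windows 95", "windows 98", "windows me", "windows 9x")


def parse_gnmap(text):
    """Parse nmap -oG output into {addr: {"name", "ports" (open TCP), "os"}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Each tab-separated chunk is "Key: value"
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        addr, _, name = fields["Host"].partition(" ")
        entry = hosts.setdefault(addr, {"name": name.strip("()"), "ports": set(), "os": None})
        if "OS" in fields:
            entry["os"] = fields["OS"]
        # Ports field: "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///"
        for spec in fields.get("Ports", "").split(", "):
            if not spec:
                continue
            parts = spec.split("/")
            port, state, proto = int(parts[0]), parts[1], parts[2]
            if state == "open" and proto == "tcp":
                entry["ports"].add(port)
    return hosts


def suspect_win9x(hosts):
    """Return [(addr, reason)] for hosts that look like Windows 9x."""
    out = []
    for addr, h in sorted(hosts.items()):
        guess = (h["os"] or "").lower()
        if any(m in guess for m in WIN9X_MARKERS):
            out.append((addr, "fingerprint: " + h["os"]))
        elif 139 in h["ports"] and 445 not in h["ports"] and ("windows" in guess or not guess):
            # 9x has no direct-host SMB listener on 445; an unfingerprinted host
            # offering only 139 deserves a look.
            out.append((addr, "TCP 139 open without 445 and no non-Windows OS match"))
    return out


if __name__ == "__main__":
    for addr, reason in suspect_win9x(parse_gnmap(SAMPLE_GNMAP)):
        print(addr, "-", reason)
```

For a real run, read the `-oG` file into `parse_gnmap` instead of `SAMPLE_GNMAP`; the port heuristic is only a hint and the flagged hosts still need to be confirmed by hand.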
RE: [ActiveDir] Stress testing and performance analysis of domain controllers
You don't need the /3GB switch for a DC. Just having more than 2GB of ram does not require using the /3GB switch, systems like Exchange require it, but a DC shouldn't need it. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, December 06, 2004 11:57 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Stress testing and performance analysis of domain controllers As part of a more general AD design refresh, I am re-visiting the DC hardware and OS configuration. I am proposing several changes to the DC spec, including the adoption of the following: * Use 4Gb RAM * Use /3gb switch * Place AD logs and database on separate disk spindles In order to 'sell' this idea, I would like to demonstrate the effective increase in 'horse power' that the above offers. I am therefore looking for a tool which can help me to show that a DC with config A can handle load x whilst DC spec B can handle load y. Ideally, this tool will act much like loadsim and simulate a load on the DC so as to identify the maximum load that each config is capable of handling. Is there such a tool available on the market? Thanks in advance, Neil Neil Ruston - MVP Directory Services == This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure. == List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Stress testing and performance analysis of domain controllers
The /3GB switch isn't about the size of the database, it is used when an application uses the /LARGEADDRESSAWARE switch. I don't believe that anything running on a DC (not taking into account any 3rd party apps) is using that switch, therefore the /3GB switch shouldn't be needed. You can set the /3GB switch on any server, but the only applications that recognize (and use) that switch are ones marked with /LARGEADDRESSAWARE. Any other applications running on that server will be unaffected and will still only address 2GB of virtual address space. Note that the /3GB switch is referencing virtual address space only. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Monday, December 06, 2004 12:34 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Stress testing and performance analysis of domain controllers Really? Z:\ntds\dbdir ... 05/20/2004 07:47 AM 7,899,987,968 ntds.dit ... Cheers, -BrettSh On Mon, 6 Dec 2004, Renouf, Phil wrote: You don't need the /3GB switch for a DC. Just having more than 2GB of ram does not require using the /3GB switch, systems like Exchange require it, but a DC shouldn't need it. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, December 06, 2004 11:57 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Stress testing and performance analysis of domain controllers As part of a more general AD design refresh, I am re-visiting the DC hardware and OS configuration. I am proposing several changes to the DC spec, including the adoption of the following: * Use 4Gb RAM * Use /3gb switch * Place AD logs and database on separate disk spindles In order to 'sell' this idea, I would like to demonstrate the effective increase in 'horse power' that the above offers. I am therefore looking for a tool which can help me to show that a DC with config A can handle load x whilst DC spec B can handle load y. 
Ideally, this tool will act much like loadsim and simulate a load on the DC so as to identify the maximum load that each config is capable of handling. Is there such a tool available on the market? Thanks in advance, Neil Neil Ruston - MVP Directory Services List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Stress testing and performance analysis of domain controllers
Gotcha, then yeah the /3gb switch would help with performance. I've learned something new, thanks :) The extra memory that it gets from the /3gb switch is still just virtual memory though, it doesn't have any effect on the amount of physical memory that LSASS would have access to. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, December 06, 2004 1:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Stress testing and performance analysis of domain controllers LSASS.EXE is built with the /LARGEADDRESSAWARE switch, and is capable of using the additional memory to cache the DIT. excerpt from dumpbin /all of lsass.exe
FILE HEADER VALUES
             14C machine (x86)
               3 number of sections
        3E7FFFBA time date stamp Tue Mar 25 00:05:30 2003
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             12F characteristics
                   Relocations stripped
                   Executable
                   Line numbers stripped
                   Symbols stripped
               --- Application can handle large (>2GB) addresses
                   32 bit word machine
-gil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil Sent: Monday, December 06, 2004 11:00 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Stress testing and performance analysis of domain controllers The /3GB switch isn't about the size of the database, it is used when an application uses the /LARGEADDRESSAWARE switch. I don't believe that anything running on a DC (not taking into account any 3rd party apps) is using that switch, therefore the /3GB switch shouldn't be needed. You can set the /3GB switch on any server, but the only applications that recognize (and use) that switch are ones marked with /LARGEADDRESSAWARE. Any other applications running on that server will be unaffected and will still only address 2GB of virtual address space. Note that the /3GB switch is referencing virtual address space only. 
Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Monday, December 06, 2004 12:34 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Stress testing and performance analysis of domain controllers Really? Z:\ntds\dbdir ... 05/20/2004 07:47 AM 7,899,987,968 ntds.dit ... Cheers, -BrettSh On Mon, 6 Dec 2004, Renouf, Phil wrote: You don't need the /3GB switch for a DC. Just having more than 2GB of ram does not require using the /3GB switch, systems like Exchange require it, but a DC shouldn't need it. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, December 06, 2004 11:57 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Stress testing and performance analysis of domain controllers As part of a more general AD design refresh, I am re-visiting the DC hardware and OS configuration. I am proposing several changes to the DC spec, including the adoption of the following: * Use 4Gb RAM * Use /3gb switch * Place AD logs and database on separate disk spindles In order to 'sell' this idea, I would like to demonstrate the effective increase in 'horse power' that the above offers. I am therefore looking for a tool which can help me to show that a DC with config A can handle load x whilst DC spec B can handle load y. Ideally, this tool will act much like loadsim and simulate a load on the DC so as to identify the maximum load that each config is capable of handling. Is there such a tool available on the market? Thanks in advance, Neil Neil Ruston - MVP Directory Services List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Stress testing and performance analysis of domain controllers
Gotcha, then yeah the /3gb switch would help with performance. I've learned something new, thanks :) Maybe. It depends on the DIT size as well as what else needs memory. From what I understand based on old conversations, the DIT caching routines are sensitive to memory pressure and will not page DIT cache, it will release memory instead. Again if you have a DIT of 200MB, you can use /3gb and most likely wouldn't see a benefit. You might not see a benefit with a small DIT size, but then again why go with such a beefed up DC if your DIT size is that small (unless you are planning for it to grow substantially). Adding the /3GB switch shouldn't cause any issues even if the DIT is small enough to not get much benefit from it, unless the OS is affected by being reduced to 1GB of virtual address space. Hopefully ~Eric will pop along shortly with some info as I know he loves this stuff. In the meanwhile, you can be pretty sure BrettSh generally knows what he is talking about with AD. Not saying he can't be wrong, but all things being equal concerning a bet on AD internals, I would bet with Brett. Unless he was betting against Will, Dmitri, ~Eric, Dean or some of those guys and then I would simply put my wallet away, pull out some popcorn, and watch the show. I'm definitely interested to see what they have to say :) I certainly wasn't implying Brett didn't know what he was talking about, but showing me the size of a DIT really didn't tell me much without the information that LSASS is large address aware. Now it makes sense ;) Anyway, looking forward to some more information on this and its effect on performance. Phil List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
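The dumpbin excerpt Gil posted and Phil's point that /3GB only helps images linked with /LARGEADDRESSAWARE both come down to one bit in the PE/COFF file header. As an added example (not code from the thread), the Python below parses that header from any Windows executable and reports whether IMAGE_FILE_LARGE_ADDRESS_AWARE is set, so the same check can be run on any service before deciding whether a /3GB boot is worth its cost. The `build_sample_header()` helper fabricates a minimal header from the values in Gil's dump (machine 0x14C, three sections, timestamp 0x3E7FFFBA, optional header size 0xE0, characteristics 0x12F) so the block runs without a copy of lsass.exe; that helper, the function names and the flag table are this example's own, with the flag names and bit values taken from winnt.h.

```python
import struct

# COFF file-header Characteristics bits (winnt.h names). The LARGE_ADDRESS_AWARE
# bit is what the /LARGEADDRESSAWARE linker switch sets and what the kernel checks
# before giving a process the extra user-mode address space under /3GB.
CHARACTERISTIC_FLAGS = {
    0x0001: "IMAGE_FILE_RELOCS_STRIPPED",
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0004: "IMAGE_FILE_LINE_NUMS_STRIPPED",
    0x0008: "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
    0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x2000: "IMAGE_FILE_DLL",
}
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020


def coff_header(data):
    """Follow e_lfanew from the DOS header and unpack the 20-byte COFF file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    fields = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    names = ("machine", "number_of_sections", "time_date_stamp",
             "pointer_to_symbol_table", "number_of_symbols",
             "size_of_optional_header", "characteristics")
    return dict(zip(names, fields))


def is_large_address_aware(data):
    return bool(coff_header(data)["characteristics"] & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def describe_characteristics(value):
    """Expand a Characteristics word into the flag names dumpbin would print."""
    return [name for bit, name in sorted(CHARACTERISTIC_FLAGS.items()) if value & bit]


def check_file(path):
    """Report the LAA bit for an on-disk image, e.g. C:\\Windows\\System32\\lsass.exe."""
    with open(path, "rb") as f:
        return is_large_address_aware(f.read())


def build_sample_header(characteristics):
    """Constructed header using the values from Gil's dumpbin output (not a real binary)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x3E7FFFBA, 0, 0, 0xE0, characteristics)
    return dos_header + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_sample_header(0x12F)
    hdr = coff_header(sample)
    print("characteristics 0x%X:" % hdr["characteristics"],
          ", ".join(describe_characteristics(hdr["characteristics"])))
    print("large address aware:", is_large_address_aware(sample))
```

The flag only says the image tolerates pointers above 2 GB; the extra user-mode space exists only when the system is booted with /3GB, and the kernel is then squeezed into 1 GB of virtual address space, which is the trade-off Phil raises above. Run `check_file()` against the actual binaries on a DC rather than trusting vendor documentation.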
RE: [ActiveDir] Joining to different AD Domains
Also make sure to integrate your WINS environments. Establish a push pull replication between your two separate WINS environments to allow for full name resolution between both AD domains via DNS and WINS (assuming you are using WINS). Brian is on the right track I think. If sharing resources is your goal then a trust relationship between the two domains and the ability to do name resolution should enable you to do most of what you need to do in terms of resource sharing. Migrating 2 domains into one domain is not a trivial task, especially when it is required after a merger of two separate companies. There are so many things to take into account that a lot of planning, information gathering and testing really needs to be done before you go forward with a migration. Issues like network connectivity, bandwidth between the two companies, name resolution, security, administration etc. all need to be taken into consideration (along with other issues). Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Sunday, December 05, 2004 8:55 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Joining to different AD Domains Hi Mike, What you're looking for is a two way trust between the domains. You can set this up using AD Domains and Trusts. A trust will enable cross domain resource sharing. As far as DNS, I'd recommend creating a secondary zone for each organization on the other's DNS servers. Eventually you may want to collapse the two companies into a single domain using ADMT, but, this is not a quick 123 process. Thanks. --Brian Desmond [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Payton on the web! www.wpcp.org http://www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Sunday, December 05, 2004 7:50 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Joining to different AD Domains Our company recently merged with another company. 
Both companies are running windows 2000 AD domains. I need to join these 2 domains ASAP to share resources and user groups, etc. I've never had to join two different AD domains into one domain so any first steps or good links would be appreciated. Just looking good advice, especially with regards to the 2 different DNS zones and combining or just recreating a new Zone. Thanks in advance Mike List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Restore AD
I'm not sure of what might be coming from Microsoft, but if you are using a 3rd party administration tool from someone like Quest or NetIQ they will provide this sort of thing. NetIQ moves users to a RecycleBin OU before it gets actually deleted. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes Sent: Friday, December 03, 2004 2:02 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Restore AD Why is it that MS hasn't added a deleted Security Principal retention for AD much like Exchange Server's deleted mailbox retention? Wouldn't that greatly simplify recovering from small mishaps? I am not talking about the tombstone feature with Windows 2003 AD where you still have to manually recover Group Membership when recovering an account, but something actually intelligent and useful that would restore Group Membership when restoring accounts. Shit, recover a Group from Deleted Security Principal retention and have it add the back links to the memberof attribute of the users that were members of the Group before the Group was deleted. Recover an OU and it restores Security Principals and Members and Memberof attributes of all Security Principals within the OU. Anybody heard of something like this coming down the pike? Shawn Hayes MCSE (2003, 2000, NT) Messaging Systems Engineer City of Virginia Beach (757) 219-2057 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Service Recovery
How about stopping the service manually? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Thursday, December 02, 2004 11:28 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT: Service Recovery I am setting up a batch file that will do the following: - Send notification to IT admins - Attempt to restart the service I have completed my batch file and want to test it in our test environment. Anyone have any idea how to get Windows 2000 to actually fail a service to test my batch file? I can't seem to find a way to get Windows 2000 service to actually fail (maybe a good thing) to test the batch file any ideas? Jeremy - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 All that is necessary for the forces of evil to win in the world is for enough good men to do nothing. - Edmund Burke It is not how many times you get knocked down, it is how many times you get back up. - Vince Lombardi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Slightly OT: File Copy of Death - additional question in the same vein
Would Volume Shadow Copy be something you could look at to do this? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Wednesday, December 01, 2004 9:45 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Slightly OT: File Copy of Death - additional question in the same vein Would a Perl Rsync implementation be better? http://search.cpan.org/~cbarratt/File-RsyncP-0.52/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: Wednesday, December 01, 2004 3:20 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Slightly OT: File Copy of Death - additional question in the same vein All, Sorry to hijack this thread, however in the same vein, is anyone aware of a (preferably) freeware application that does a similar function to rsync on Linux ? We are looking at synchronising large amounts of data each night, including some 200+gb databases. Rsync seems to handle this situation a lot nicer than robocopy (which we use now), as it only copies block level changes to the file (robocopy does the whole thing again). I have looked at installing rsync using the Cygwin method, but it seems a bit clunky for my liking. TIA Glenn List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Accessing resources when a domain controller is unavailable (sightly OT)
Yes, the client will continue to use Cached Credentials to allow you to log onto your workstation. How long you can do that depends on some customizable settings that you can control with GPOs. Off the top of my head I am not sure what the defaults are, but I am sure someone less lazy than me can fill us both in. One of the main concerns in that type of centralized DC setup is name resolution. If the DCs are your DNS servers and you don't have any local name resolution methods (DNS or perhaps WINS) then you'll have issues connecting to the other local servers by name while the DCs are unavailable. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Sent: Tuesday, November 30, 2004 11:59 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Accessing resources when a domain controller is unavailable (sightly OT) A question for planning placement of Domain Controllers. Windows 2003 Native mode domain in a mixed level forest Lets assume that all DC's are centralized in a central site and that there are robust high speed/high capacity lines connecting all sites. Lets further assume that each remote site has Windows 2000/XP clients and a local file server. Normally when a resource has to be contacted locally the workstation authenticates with the DC and gets granted access (too simple but for this example good enough). Now what happens when a DC is not available? Will the local file server accept Cached credentials? If so for how long? Will the workstation maintain access until the next time their kerberos ticket needs to be renewed? Is there some magic time period until the DC must be contacted again? I tested/seen how this works in practice, what I'm looking for is the actual reasons why access is granted/denied in this scenario. A link to a reference explaining this would also be great. 
Thanks Steve List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Slightly OT: File Copy of Death
I did a migration of a large data warehouse box from one server to another with ROBOCOPY and it ran great. We copied about 3TB of data over a weekend and the only issue we ran into was that file copy operations chew up a lot of system resources and we found that after copying a couple of ~500GB files in a row that ROBOCOPY wouldn't work properly. A quick reboot solved this issue. With 150GB of total data I'd say you should be fine, but run the copy from the more powerful server. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. Sent: Tuesday, November 30, 2004 12:52 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Slightly OT: File Copy of Death So I just want some opinions to make sure I'm not missing out on anything: I need to copy off about 150GB of data, around 2 million files, from one server to another, and preferably not sit and babysit the process from start to finish since it'll be running over the Christmas holiday. Is ROBOCOPY still my best friend for this? Or is there a JoeWare special or something else I'm not aware of that people like a lot better these days? What are folks using to do a verify-after-copy, to be sure that what you copied is actually what you -think- you copied? Laura List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
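Laura's verify-after-copy question is not answered in the thread. As an added example (not code from the thread or from the ROBOCOPY tool), the Python below builds a manifest of relative path, size and SHA-256 for every regular file under the source and destination trees and reports what is missing, what is extra, and what copied with different content; a size-only comparison would miss a file that ROBOCOPY rewrote with the right length but wrong bytes, which is the failure mode worth catching after an unattended multi-day copy. The `demo()` function constructs a small source tree, copies it, then deliberately truncates one file, deletes another and drops a stray file on the target so the report has something to show; those files and names are invented for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_sha256(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-GB files do not need to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def tree_manifest(root):
    """Map relative POSIX-style path -> (size, sha256) for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, file_sha256(p))
    return manifest


def compare_trees(src, dst):
    """Verify-after-copy: which source files are absent, altered, or unexpected on dst."""
    a, b = tree_manifest(src), tree_manifest(dst)
    missing = sorted(set(a) - set(b))
    extra = sorted(set(b) - set(a))
    mismatched = sorted(k for k in a.keys() & b.keys() if a[k] != b[k])
    verified = len(a) - len(missing) - len(mismatched)
    return {"missing": missing, "extra": extra, "mismatched": mismatched, "verified": verified}


def demo():
    """Constructed scenario: a copy with one short file, one skipped file and one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "dst")
        (src / "reports").mkdir(parents=True)
        (src / "reports" / "q3.txt").write_bytes(b"quarterly numbers\n")
        (src / "db.bak").write_bytes(bytes(range(256)) * 64)
        (src / "never_copied.dat").write_bytes(b"left behind\n")
        shutil.copytree(src, dst)
        # Simulate the failures a size check alone would or would not catch
        data = (dst / "db.bak").read_bytes()
        (dst / "db.bak").write_bytes(data[:-1])      # short copy
        (dst / "never_copied.dat").unlink()          # file skipped by the copy job
        (dst / "stray.tmp").write_bytes(b"tmp")      # junk on the target
        return compare_trees(src, dst)


if __name__ == "__main__":
    report = demo()
    for key in ("verified", "missing", "mismatched", "extra"):
        print("%-10s %s" % (key, report[key]))
```

On the real job, run `compare_trees()` with the two share roots once ROBOCOPY finishes and re-copy only what appears under `missing` and `mismatched`; hashing 150 GB is a second full read of the data, so schedule it inside the same maintenance window as the copy.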
RE: [ActiveDir] What can you *do* with AD??
Various apps require Active Directory as well (or work better or have additional features if AD integrated):

SMS
ISA Server
Certificate Services (PKI)
Microsoft Mobile Information Server

AD also gives you better ability to easily manage your resources; gives you the ability to delegate administration; integrates better with Identity Management systems; lets you use AD Application Mode (which requires a whole email about what you can do with ADAM); better support for alternative authentication schemes (fingerprint readers, smart cards, SecurID, retina scanners etc.).

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Monday, November 29, 2004 2:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] What can you *do* with AD??

Group policy, software distribution, create custom apps for it.

-Christine

Christine N. Allen
Citrix/Windows 2000 Engineer
BMC Healthnet Plan
One Design Center Place
Boston, MA 02210
Work: 617-748-6034
Cell: 617-290-4407

-Original Message-
From: Michael Luevane [mailto:[EMAIL PROTECTED]
Sent: Monday, November 29, 2004 1:54 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] What can you *do* with AD??

Okay. We've got AD. Great for logins. But there's got to be *more* to it... I've got books on how to *maintain* AD, how to configure it. But I've not seen anything that tells me what I can *do* with it, though. Any help?

Michael Luevane
Systems Analyst
Quantec, LLC
6229 SE Milwaukie Ave
Portland, OR 97202
http://www.quantecllc.com
RE: [ActiveDir] migration of domains
Definitely true. If you are looking at migrating SQL or Exchange then using a 3rd party migration tool from Quest or NetIQ is probably a good idea. Specifically Quest's tool would be preferred as it handles SQL servers better than NetIQ. It is a good idea to figure out why you want to make this change (as Peter points out) because with Exchange and SQL this can be a pretty serious task requiring quite a bit of testing and preparation.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Friday, November 19, 2004 8:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] migration of domains

Migrating complete servers such as SQL/Exchange is not the easiest thing in the world. What do you wish to gain out of the exercise i.e. is it worth the effort/cost/time etc

Regards
Peter Johnson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Calders Stijn
Sent: 19 November 2004 13:48
To: [EMAIL PROTECTED]
Subject: [ActiveDir] migration of domains

Dear AD specialists,

At our university, we have three domains in the same forest: KDG.BE (forest root domain with only two domain controllers), ADMIN.KDG.BE (child of KDG.BE with a lot of servers (like SQL server, Exchange server, Terminal Servers, ...)) and TEST.KDG.BE (child of KDG.BE with a few servers (SQL server, file server, ... )). We want to migrate everything from ADMIN.KDG.BE to KDG.BE.

Three questions:
1) Is this possible? (And doesn't it cost too much effort?)
2) Is there a reason why this isn't a good idea?
3) And what's the best way to do this? How can we be sure everything is migrated right?

Many thanks in advance,
Stijn.
RE: [ActiveDir] Hot Spare Site
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Thursday, November 18, 2004 4:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hot Spare Site

Additionally, what do you define as restoration of service? Do you have to restore service and data to all users instantly or are some users more urgent than others? File/print restoration of service indicates that you want to have the data available seamlessly. That often looks like a replication and/or geographically dispersed clustering solution. Exchange is another animal altogether and requirements definition needs to be tight to easily solve that one.

al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Thursday, November 18, 2004 3:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hot Spare Site

It completely depends on the budget that you would (could) have for a project like this and the corporate definition of the services that would be required in a Hot Site DR situation. You mentioned Exchange and file sharing as the two most important so that answers one side, what do you/your company deem as cost-effective? Would 25k be the range, or is 250k or 2.5mil a reasonable number. How immediate does the transfer from production site to DR site need to be? Does it need to be instant or is a lag of a few hours or even a day acceptable?

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, November 18, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Hot Spare Site

I have been given the task of coming up with some strategies for creating a physical hot spare site for our headquarters for disaster recovery. Not having done this before, I am not sure where to begin. The two major resources that need to be replicated are our file shares and our Exchange server. All other company data, web applications, Web sites, etc are at colocation sites. Does anyone have any suggestions on the best and most cost-effective way(s) to accomplish this? A good bulk of our users can perform their jobs remotely via terminal services temporarily if need be. Could a terminal server farm work effectively using primarily what's built into windows (terminal services and load balancing), or would Citrix be the only solution. I would greatly appreciate any help.

Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.
RE: [ActiveDir] Hot Spare Site
It completely depends on the budget that you would (could) have for a project like this and the corporate definition of the services that would be required in a Hot Site DR situation. You mentioned Exchange and file sharing as the two most important so that answers one side, what do you/your company deem as cost-effective? Would 25k be the range, or is 250k or 2.5mil a reasonable number. How immediate does the transfer from production site to DR site need to be? Does it need to be instant or is a lag of a few hours or even a day acceptable?

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, November 18, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Hot Spare Site

I have been given the task of coming up with some strategies for creating a physical hot spare site for our headquarters for disaster recovery. Not having done this before, I am not sure where to begin. The two major resources that need to be replicated are our file shares and our Exchange server. All other company data, web applications, Web sites, etc are at colocation sites. Does anyone have any suggestions on the best and most cost-effective way(s) to accomplish this? A good bulk of our users can perform their jobs remotely via terminal services temporarily if need be. Could a terminal server farm work effectively using primarily what's built into windows (terminal services and load balancing), or would Citrix be the only solution. I would greatly appreciate any help.

Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television
RE: [ActiveDir] csvde
Dsmod works great for updates to users too. Won't read from a CSV file, but you can build a .cmd or .bat file that will work pretty well.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, November 18, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] csvde

Can't be done that way. The reason is that csvde is not for updates. You need to find an alternate method to do this such as script or ldifde. Feel free to contact me offline if you want to go the script route and want a starter that reads csv's etc.

al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, November 18, 2004 3:50 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] csvde

Hi. I want to import just one change from a csv file into AD. I just want to import the telephone # attribute of the user object. The csv file only contains the lastname, firstname, telephone ext., description fields. The accounts already exist in AD. I just want the telephone ext changed. Will this overwrite anything else in the account or just update that one attribute for the corresponding account? All I want is to update the one attribute and not affect any other attribute or any other accounts not in the csv but in AD.

Thanks
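The .cmd approach Phil describes, written out as an added example (not code from the thread): it reads the CSV layout Tom gave (lastname,firstname,telephone,description), looks each account up with dsquery and pipes the DN into dsmod user -tel, so only telephoneNumber is written and only for the rows in the file. The file name phones.csv, the header row and the assumption that dsquery user -name "firstname lastname" resolves to exactly one account are mine; the /dryrun switch lists the matched DNs first so an ambiguous name can be caught before anything is changed.

```batch
@echo off
rem update_phones.cmd -- added example, not from the original thread.
rem Input: phones.csv, constructed for this example, one header row, layout
rem   lastname,firstname,telephone,description
rem For each row dsquery resolves the user's DN by name and dsmod reads that
rem DN from stdin and rewrites only the telephoneNumber attribute via -tel.
rem Accounts that are not listed in the file are never touched.
rem Usage:  update_phones.cmd [phones.csv] [/dryrun]
setlocal enabledelayedexpansion

set "CSV=%~1"
if "%CSV%"=="" set "CSV=phones.csv"
if not exist "%CSV%" (
    echo Input file "%CSV%" not found.
    exit /b 1
)
set "DRYRUN="
if /i "%~2"=="/dryrun" set "DRYRUN=1"

set /a OK=0
set /a FAIL=0
for /f "usebackq skip=1 tokens=1-4 delims=," %%a in ("%CSV%") do (
    rem %%a=lastname  %%b=firstname  %%c=telephone  %%d=description, unused
    if defined DRYRUN (
        rem List the DN or DNs this row would change; more than one line
        rem means the name is ambiguous and the row needs a closer look.
        echo %%b %%a -^> %%c
        dsquery user -name "%%b %%a"
    ) else (
        rem Pipeline exit code is dsmod's; if dsquery finds no account,
        rem dsmod has no target and the row is counted as a failure.
        dsquery user -name "%%b %%a" | dsmod user -tel "%%c" -q
        if errorlevel 1 (
            echo FAILED: %%b %%a
            set /a FAIL+=1
        ) else (
            set /a OK+=1
        )
    )
)
echo Updated !OK! user(s), !FAIL! failure(s).
endlocal
```

Run it once with /dryrun and review the listed DNs before the real pass; a surname shared by two accounts would otherwise get both of them the same extension.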
RE: [ActiveDir] RDP
There are a number of PKI things that can't be done without Enterprise Edition. I believe the most important being extra certificate templates that can be used (although my terminology may be wrong).

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Monday, November 15, 2004 3:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] RDP

Ellis, Debbie wrote:
I recently upgraded one of our Windows 2003 Domain Controllers to Enterprise Edition. (Needed for Certificates, auto enrollment).

You don't need enterprise edition for that. I'm doing it with standard edition and it works fine.
RE: [ActiveDir] AD OpenLDAP
Yes, you can have the AD DNS server forward to your BIND system.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Romeyn Prescott
Sent: Thursday, November 04, 2004 11:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD OpenLDAP

While we do run BIND for everything else, we HAVE created a separate subnet for the labs and classrooms. I haven't started using it yet, but switching over would be trivial. So I could just let the AD server do the DNS for that subnet, I suppose. I'm assuming that AD's DNS server can be set up to take its cues from our other servers?

...ROMeyn
--
signat-url: http://www2.potsdam.edu/prescor/signat-url.htm
RE: [ActiveDir] AD OpenLDAP
No, it stands for Microsoft Identity Integration Server.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, November 04, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD OpenLDAP

Does MIIS stand for Microsoft Internet Information Services?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, November 04, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD OpenLDAP

AD is quick, painless and mostly maintenance free. That's easy. Think of it as an app that comes with its own directory just like so many others :)

Sounds like you want the account lifecycles to be authoritative in another system and just have them flow down to AD. If that's the case, then MIIS might be your ticket. It could also be that you want to have a look at the current metadirectory systems you have (for lack of a better name even if they're homegrown) to see if they can do what you want.

For more reading on the product and how to plan, deploy, and run it have a look at the website: http://www.microsoft.com/ad

Note that AD relies heavily on DNS which is the usual biggest fight for deployment. Best bet is to delegate a sub zone for AD usage and get the workstations to use an AD DNS and forwarders to other DNS systems if your environment is similar to ones I've seen before. That allows your AD infrastructure to be self-contained and mostly integrated with the other systems in the landscape. Over time somebody is bound to realize that the AD is the more important of the systems as it contains and controls the desktops which are the only access points of gates to the back room infrastructure. Helps to have it in place and working first though :)

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Romeyn Prescott
Sent: Thursday, November 04, 2004 10:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD OpenLDAP

I want the users of the PCs I manage to authenticate against AD so I can use Group Policies to manage (or micromanage) their permissions on the computer based either on A) who they are and/or B) which computer it is. Not having had a Windows server newer than NT4 to play/experiment with before now, I'm only going based on what I've read and seen others talk about on other lists.

We run SCT Banner on a VAX. That is where all student data gets initially entered. Changes to that data are frequently sent to another of our systems, and that userbase is mirrored to various of our other systems and services.

I sense I'm going to have a battle on my hands getting AD even turned ON in this environment. So if it can be quick, painless, and maintenance-free that'd be a huge selling point for me. :-)

...ROMeyn

At 9:22 AM -0500 11/4/04, Mulnick, Al scribbled:

Out of curiosity, why would you want Active Directory to not be the source of user accounts and then want to sync with openldap? Can you describe the goals a little more and why you're wanting to put Active Directory into your environment in the first place? What planning have you already done?

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Thursday, November 04, 2004 9:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD OpenLDAP

On Thu, 4 Nov 2004 09:11:57 -0500, Romeyn Prescott wrote

1) Does Active Directory come with Server 2003, or is it some sort of add-on which must be purchased separately. (Microsoft's web site seems, in at least one location, to indicate that it comes with it, but I just want to be sure.)

It is a built-in feature of Windows Server - You are establishing server as domain controller by running dcpromo.exe on the server

2) We have a relatively new OpenLDAP server (also running on Linux) which also mirrors our account base. Given that we do NOT want the Windows 2003 server to be the source for our user accounts, is it possible to tell it to synchronize with an OpenLDAP server? Is such a task trivial, complicated, or impossible?

Depending on the approach:
- You can write some scripts which will monitor OpenLDAP and will create users in AD
- You can use products like for example MIIS 2003 to synchronize OpenLDAP and AD database.

There can be more choices in this topic.

--
Tomasz Onyszko - [EMAIL PROTECTED]
http://www.w2k.pl

--
signat-url: http://www2.potsdam.edu/prescor/signat-url.htm
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
Yes, as I mentioned in another post: when Windows 2003 AD came out it included 2 new security mechanisms that are required for authentication. Downlevel clients (WfW, Win9x and WinNT) are not capable of communicating with those security mechanisms unless they are upgraded (WfW) or have the DS Client.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, November 03, 2004 9:48 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Just one last question before this string goes away: Has anyone joined a Windows 98 machine to a Native Windows 2003 AD Domain that was not upgraded from an NT domain before? All of the responses I have seen have only been for a Windows 2000 AD and I'm wondering if a new security enhancement in 2003 is what is preventing my 98 machines from seeing and connecting to the 2003 AD.

charle

-Original Message-
From: Carerros, Charles [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

I think there is more I have to do to get it work with AD though. Don't I have to make sure that the workstation is using NTLM2 authentication and SMB signing? (In which case I still might have to write off my Win95 boxes because I don't believe that they support either of those.) I really hope that I'm wrong, but then again if I'm right then they will all be forced to upgrade. I just need to make sure that I exhaust all resources before I go and tell someone the bad news about the 95 boxes. But I think that the script option might be the best approach.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Ok, it was worth a shot. I have not heard of or seen any tool that will help you with this. The only thing I can think of is in your logon script have it copy a script to the 9x machine, modify the registry to RunOnce that script you just copied and have that script on next logon change the domain membership. If that is at all possible.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 12:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Upgrading is not an option in this case. Politically it's not allowed and technically it's not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done).

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

You could potentially upgrade your NT Domain to a child domain of an AD forest. This would allow you to keep the netbios name at least for your network.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 11:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

We are doing a migration from an NT domain into a child domain of a new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names.

Thanks,
chuck

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 10:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

If you build your Windows 2003 domain with the same netbios domain name the Win 9x won't care one way or another.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 11:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain

Hey group,

I'm trying to find an easy way to do a massive migration of Windows 95\98 workstations from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exist, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful.

Thanks,
Charlie
RE: [ActiveDir] Notification containing new password
Many Canadian companies are affected by stuff like Sarbanes-Oxley, although granted a small shop here in Ontario probably isn't.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I noticed the Canadian domain though and figure he has other issues to contend with. EU and US rules and regs aren't likely high among them yet (ofa.on.ca is the sender's domain). But that would likely be true for that and many other regulations around the world.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Not to mention illegal, if you're under Sarbanes-Oxley controls, right?

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Yup, you brought it on Deji. :)

To add to the fodder: Keep in mind that passwords are stored in a way that prevents you from getting them back out without cracking them. That's not a foolproof way to gather the data you want. I agree it is a bad idea to do that. However, if you wanted to get them and let them change their own passwords, you would want a web based system that collects the data at the beginning of the cycle. You could then use the web interface to change passwords on other systems as well providing additional benefit. Something like IISADMPWD in a modified version might be useful for such a solution.

If you haven't heard it enough already, it's a bad idea to collect user passwords though. It defeats a ton of safeguards and puts you at risk for finger pointing etc. Better to just reset passwords and tell the user of their new password should you need to access the services as that user, as suggested by plenty of others on this thread.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, November 03, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

Omg, Deji...here we go

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Notification containing new password

I don't think there is such a tool natively. I imagine that you could put a web interface on a vbscript where you direct your users to go to when they need to change their passwords. In the code, you will then put in a routine that grabs the value they type in and email it to you.

Now, I will get away quickly before Joe shows up with another why-you-should-not-do-this clue stick (I mean, KB article) :p

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Matthew Crape
Sent: Wed 11/3/2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Notification containing new password

Hi Group,

I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance. Now, to my question:

We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. like synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log on to their computer (with their profile) we could do it. It saves the hassle of say, logging in with a domain account and then manually opening up a PST file or something like that.

I would like to have the users change their own passwords, but I would also like to be able to know their new passwords. We have had numerous issues in the past with people telling us their wrong passwords, so I would like to get it straight from AD if possible. Right now the only solution I can see is cracking all of the passwords, but that isn't the most feasible way.

Does anyone know of a solution? Maybe something like an email generated by some sort of script with the new password?

Sorry if this email dragged on for a bit. Any help is appreciated.

Thanks.
RE: [ActiveDir] Notification containing new password
You are correct. Canadian companies doing business in the US (and some doing business with US companies) will have to comply with Sarbanes-Oxley. A Canadian company only doing business in Canada won't. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, November 03, 2004 3:08 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Notification containing new password A small Canadian lobby organization likely won't have that issue unless they lobby in the US, right? Or is there something that says a Canadian org needs to comply with US regulations even if they don't do business with a US company? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil Sent: Wednesday, November 03, 2004 3:06 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Notification containing new password Many Canadian companies are affected by stuff like Sarbanes-Oxley, although granted a small shop here in Ontario probably isn't. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, November 03, 2004 2:55 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Notification containing new password I noticed the Canadian domain though and figure he has other issues to contend with. EU and US rules and regs aren't likely high among them yet (ofa.on.ca is the senders domain). But that would likely be true for that and many other regulations around the world. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Wednesday, November 03, 2004 2:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Notification containing new password Not to mention illegal, if you're under Sarbanes-Oxley controls, right? 
mc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, November 03, 2004 2:09 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Notification containing new password Yup, you brought it on Deji. :) To add to the fodder: Keep in mind that passwords are stored in a way that prevents you from getting them back out without cracking them. That's not a foolproof way to gather the data you want. I agree it is a bad idea to do that. However, if you wanted to get them and let them change their own passwords, you would want a web based system that collects the data at the beginning of the cycle. You could then use the web interface to change passwords on other systems as well providing additional benefit. Something like IISADMPWD in a modified version might be useful for such a solution. If you haven't heard it enough already, it's a bad idea to collect user passwords though. It defeats a ton of safeguards and puts you at risk for finger pointing etc. Better to just reset passwords and tell the user of their new password should you need to access the services as that user, as suggested by plenty of others on this thread. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Wednesday, November 03, 2004 2:03 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Notification containing new password Omg, Deji...here we go mc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 03, 2004 1:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Notification containing new password I don't think there is such tool natively. I imagine that you could put a web interface on a vbscript where you direct your users to go to when they need to change their passwords. In the code, you will then put in a routine that grabs the value they type in and email it to you. 
Now, I will get away quickly before Joe shows up with another why-you-should-not-do-this clue stick (I mean, KB article) :p

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Matthew Crape
Sent: Wed 11/3/2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Notification containing new password

Hi Group, I have already delved into the archives and I couldn't find quite what I was looking for. It is very possible that I looked over it, and if I did I apologize in advance. Now, to my question: We are a fairly small shop here (about 40 users) and the traditional way of doing a password change was to collect new passwords from everyone and then I change them in AD as well as in a couple of other places (i.e. synchronizing them with our non-Exchange mail server). We did this so that in case somebody was away on vacation and we needed to log
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
How many Win95/98 clients are you talking about? Another question is: Why do you have Win95/98 clients at all?

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 12:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Upgrading is not an option in this case. Politically it's not allowed and technically it's not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done).

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
Understandable, if it's not broke why fix it. Although you do need to live with the fact that it has less functionality within Active Directory (even with the DS Client) and is no longer supported by Microsoft. My rant ends here ;)

For 300 clients you might just want to send out a pre- and post-migration notice to all users (ie: have a piece of paper on their desk) that tells any Windows 95/98 users to type the new domain name in the domain box. It's as easy as that to get a 95/98 box to log into a different domain, so if it comes down to it I would say a well written communication to the users should do the trick. If you are using SMS you could create a script that would update the registry to change the domain that is listed in the domain box and push that out on the night of migration.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 12:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

We have them for the same reason that everyone else does, economics. If they still perform their function and can access the network resources why spend the money to upgrade what isn't broken. I have someone looking for the number right now, but it was indicated that it might be as many as 300 but that is just a guess number, it could be more or less. We won't know for sure until I get the audit report out of SMS. Oh, most of those are at sites not located near me (central administrative group). Which makes things even more fun.
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
Windows 2003 requires clients to support SMB signing and (quoting) signing of secure channel network traffic. To enable that on downlevel clients (Win9x or WinNT) you need to install the DS Client, although the recommended approach is to upgrade the OS.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, November 02, 2004 12:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Why would they need NTLM2 authentication and SMB Signing? Is this something that Windows 2003 requires?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 12:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

I think there is more I have to do to get it to work with AD though. Don't I have to make sure that the workstation is using NTLM2 authentication and SMB signing? (In which case I still might have to write off my Win95 boxes because I don't believe that they support either of those.) I really hope that I'm wrong, but then again if I'm right then they will all be forced to upgrade. I just need to make sure that I exhaust all resources before I go and tell someone the bad news about the 95 boxes. But I think that the script option might be the best approach.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

Ok, it was worth a shot. I have not heard of or seen any tool that will help you with this. The only thing I can think of is in your logon script have it copy a script to the 9x machine, modify the registry to RunOnce that script you just copied and have that script on next logon change the domain membership. If that is at all possible.
-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

You could potentially upgrade your NT domain to a child domain of an AD forest. This would allow you to keep the netbios name at least for your network.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 11:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

We are doing a migration from an NT domain into a child domain of a new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names.

Thanks,
chuck

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 02, 2004 10:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain

If you build your Windows 2003 domain with the same netbios domain name the Win 9x won't care one way or another.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, November 02, 2004 11:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain

Hey group, I'm trying to find an easy way to do a massive migration of Windows 95\98 workstations from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exist, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful.

Thanks,
Charlie
RE: [ActiveDir] Rename local and global groups
What is it exactly that you are looking for? You can rename groups through Active Directory Users & Computers.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Wohlgemuth
Sent: Tuesday, November 02, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Rename local and global groups

Hello, I am looking for a possibility to rename local and global groups in an AD. Can anybody help me?

THX
Thomas
RE: [ActiveDir] Rename local and global groups
You could create a script based on dsmove to change the names of groups:

dsmove "DN of group" -newname "New group name"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Wohlgemuth
Sent: Tuesday, November 02, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Rename local and global groups

Hello, I would create a little script for renaming a great amount of groups from time to time (changes in the structure of our company).

Thomas
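The bulk version of the dsmove one-liner that Thomas asked for, as an added example (not code from the thread or from either poster). It assumes a constructed input file, groups.txt, with one group per line and the DN and the new name separated by a semicolon, because distinguished names themselves contain commas; the script name renamegroups.cmd and the log file name are likewise assumptions.

```batch
@echo off
rem Added example (not from the thread): rename many AD groups in one pass with dsmove.
rem Input file format (constructed, hypothetical groups.txt), one group per line,
rem fields separated by ";" because distinguished names themselves contain commas:
rem   CN=Sales Users,OU=Groups,DC=example,DC=com;Sales-Users-EMEA
rem Usage:  renamegroups.cmd groups.txt         (dry run: only prints the commands)
rem         renamegroups.cmd groups.txt /apply  (actually renames the groups)
setlocal
if "%~1"=="" (
    echo usage: %~nx0 inputfile [/apply]
    exit /b 1
)
set "LOG=rename-errors.log"
set "MODE=echo"
if /i "%~2"=="/apply" set "MODE="

rem eol=# lets you comment out lines in the input file. Delayed expansion is
rem deliberately left off so that "!" characters in group names survive.
for /f "usebackq eol=# tokens=1,2 delims=;" %%a in ("%~1") do (
    if "%%~b"=="" (
        echo SKIPPED ^(no new name given^): "%%~a"
    ) else (
        rem dsmove takes the current DN and the new RDN value; quote both
        %MODE% dsmove "%%~a" -newname "%%~b" || echo FAILED: "%%~a" >> "%LOG%"
    )
)
endlocal
```

Note that dsmove -newname changes only the object's RDN (the CN); the pre-Windows 2000 logon name (sAMAccountName) is left as it was, so if that must follow the new name, change it separately (dsmod group with -samid, or in Active Directory Users & Computers).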
RE: [ActiveDir] Extranet's
Good points, although for giving external users access to internal resources I think Terminal Services is a bad idea if you are concerned enough about security to be looking into a separate forest for your Extranet. Citrix has much more flexibility for giving access to internal resources in a setup like this by using published applications and not a published desktop. This allows you to lock the user down much better and limit them to only being able to run the application and never getting to see a desktop. Still not as secure as not having them log in to your internal forest, but better than TS that gives a user a full desktop.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Monday, October 25, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Extranet's

Here are some sources to reference in your design process.
http://www.microsoft.com/technet/security/topics/identity/idmanage/P1Plat_4.mspx

A couple of points to raise:
1. To support this infrastructure you will require DNS and additional hardware. Make sure you provision accordingly.
2. You need to decide if there needs to be TRUST involved. Make sure you plan for IPSEC to make the trust more secure.
3. You should monitor the extranet for availability, and also audit it heavily and use restrictive security policies to enforce compliance.
4. If your goal is to give external users access to internal applications, you might investigate Terminal Services and user accounts with more restrictive settings.
5. If you only need an LDAP for authentication, look into using ADAM and third party SSOs. Less infrastructure requirements.
6. Remember to patch, patch, patch.

Good Luck
Todd

From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Monday, October 25, 2004 12:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Extranet's

yep, done it several times this way - at least for the users.
Depending on how your machines need to talk to the internal servers, you might not even need to set up a trust. But if you don't get around it, you could still limit its reach using selective authentication.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 25, 2004 2:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extranet's

We are looking at redesigning our extranet and are considering a separate forest for the extranet users and eventually most of the resources needed for the extranet will be put into that forest. My thinking is that since a domain isn't a true security boundary and it really won't cost us more to bring up a forest vs. domain why not go with a separate forest. The users in the extranet forest won't necessarily need access to the internal systems but some of the machines will need to talk to internal servers so I assume at some point we will need a trust relationship. My question is simply what am I missing and has anyone done similar setups?

Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP
RE: [ActiveDir] Backup Strategy
This is becoming a pretty common scenario for companies who have a shrinking backup window but still require the same or higher level of uptime. Backing up to disk then running your tape backup on that disk-based backup is a great way to keep your backup window small and still provide offsite storage of backup media and quicker restores from your disk-based backup. When you architect the backup environment I would try and provide for a backup network that is separate from your production LAN so that when you are running those tape backups during the day you don't impact the production network with that traffic. A SAN would also limit the network traffic and unless your environment is very large would probably negate the need for the backup network. I think you are referring to LTO when you say lso.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodriguez, Daniel [EPM/SRM]
Sent: Monday, October 25, 2004 12:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Backup Strategy

I am kinda in the same boat as you. I have talked to my management and they seem pleased with the recommendations that I have shown them. Now what I have: I have two DLT-IV Tape Libraries that are backing up a combined total of 200Gb a night. I am looking at the Compaq Itanium Disk Array with LSO Tape Backup. I am using Backup Exec 9.1 and will utilize their Disk-to-Disk Backup at night, and then during the day, backup to LSO Tape so I can monitor it. Also, the disk array will allow me to move the data off some of our servers for disaster recovery. The money that you invest in your scenario, you can purchase a good tape library, disk array. IMHO.

Daniel E. Rodriguez
Information Technology
Emerson Process Management
Fisher Controls Division
Sherman, Texas
(903)868-3357
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dan DeStefano
Sent: Monday, October 25, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Backup Strategy

I am sorry if this is off-topic, but I greatly respect the opinions/suggestions that come from this list. I am working on a backup strategy for my company. We have just over 300GB of data to back up. I have been asked to estimate storage capacity/cost required to keep data for 1 month and 3 months, so this means that we will need between 1 and 3 TB of storage. The current backups are stored on a SCSI array and the plan is to use USB drives for offsiting our data. This means that we will need 4-12 300GB USB drives to store our offsite data. I personally do not like this solution and am in favor of a disk/tape solution; using a disk array for onsite backups and using tape for offsite backups. The company prefers disk-based backup because of its speed. However, I think that disks are less reliable than tape and that using USB drives is not an enterprise-class solution (I have also heard that those 300GB USB drives are not too reliable). Not to mention the fact that these drives are bulky and our server room is already pretty cramped. Does anyone have any suggestions? Are my concerns valid? Is my suggestion of disk/tape the best solution?

Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262 F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television
RE: [ActiveDir] Backup Strategy
If the USB drive is just a typical hard drive inside of a USB enclosure then your risk of drive failure is about the same as the risk of losing a hard drive. The increase in likelihood is that typical hard drives are not meant to be transported around and that may increase the failure rate if the drives have not been designed for travel. You are also giving yourself a single point of failure because if you lose a drive and it is just a single drive (no RAID) then you have lost all the data on that drive. The same holds true to some extent for a tape: if the tape gets damaged then you lost the data on the tape. Where tape is better in this regard is that you have probably got multiple tapes with that data on it if you have architected your backup strategy properly and may even still have that data on the disk-based backup as well. Since you will be keeping weekly and monthly backups at a minimum you have given yourself a bit of redundancy in the event that one of your tapes is lost/damaged.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, October 25, 2004 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Backup Strategy

Thank you for your suggestions. What about the USB drives? Am I right to be concerned about their reliability? Would these concerns be mitigated by using an offsiting service such as Iron Mountain (which is also being considered)? I forgot to mention that we are using Backup Exec 9.

Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262 F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television
RE: [ActiveDir] Centralized vs. decentralized administration
There are a number of ways to keep track of and audit the changes in your environment without going to the extreme of moving back to a centralized administration model. Administration tools like Quest's ActiveRoles or NetIQ's DRA offer that sort of granular logging and auditing right out of the box. You can do alerting with MOM if you get into the nuts and bolts of auditing.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday, October 20, 2004 7:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Centralized vs. decentralized administration

I think the main reason which many companies are now facing is down to compliance. It is now becoming necessary for many companies to re-design AD to bring about a centralised model again. This is basically to ensure that head office knows about and has knowledge of details, such as who is added to the domain, removed, etc.

Rob

From: [EMAIL PROTECTED] on behalf of Nathan Casey
Sent: Wed 20/10/2004 23:40
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Centralized vs. decentralized administration

Anyone have a good argument against decentralized administration in a single domain, multi site AD environment? Currently all user, computer, group, etc. admin is handled by the IT dept. Now, we need to justify why we should NOT let users at the sites admin their own users, computers, groups, etc. For the most part the users at the sites that want to admin their own users have no AD admin experience. Any suggestions would be helpful.

Thanks
Nathan
RE: [ActiveDir] HOSTS file modification via GP?
True enough, you could use DNS forwarding as well, but I tend to prefer having a proxy server in place as it also lets you have some control over your users' internet traffic and allows you more flexibility with DNS if you don't use your ISP for your external DNS.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
Sent: Wednesday, October 13, 2004 12:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HOSTS file modification via GP?

You don't need a proxy to accomplish that - point your clients (typically via DHCP) to your internal DNS, and have your internal DNS forward to your ISP. Never point your clients directly to your ISP. Having said that, I thought the gist of the problem was specifically for laptop users when they are not on the internal network, but working remotely and directly connected to the net outside the protected LAN environment? Or am I missing something?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Wednesday, October 13, 2004 12:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HOSTS file modification via GP?

Are you using a proxy server? If not I'd put a proxy server in place and have your clients use it to browse the internet. This will allow you to place only internal DNS servers on your clients and let your proxy server have the external ISP DNS servers and do that resolution. This should stop the issue of the clients prompting for authentication when they browse the internet.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, October 13, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HOSTS file modification via GP?

No it's not. Does this seem like the only solution? To buy the domain?
-Devon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, October 13, 2004 9:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HOSTS file modification via GP?

Is the domain for sale?

-Za
RE: [ActiveDir] WAN outage caused issues...
If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on and resolve the DC?

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

No, the site and subnet are defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because of the WAN link outage, that's for sure.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

Yes, all our domain controllers are also DNS servers.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

Has the remote site got its own DNS server?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...

What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct?
We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in a Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] WAN outage caused issues...
Are they mapping their drives in a logon script? If so just check there. If not then you'd have to look on their desktop and see how they have manually mapped the drive. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 12:25 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on and resolve the DC? Phil List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] WAN outage caused issues...
If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on and resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because of the WAN link outage, that's for sure.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. 
List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
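The thread above turns on one question: are the drives mapped by a short NetBIOS-style name (\\hostname) or by a DNS name (\\hostname.domain.com), and which of those still work when WINS at headquarters is unreachable? The script below is an added example, not code from the thread or from any of the posters. It parses the two things an admin would actually look at, the `net use` output on a client and the `net use` lines in a logon script, and classifies each target by how the client will resolve it. It encodes the resolution order Ken and Phil describe: a Windows 2000/XP client tries DNS first by appending its DNS suffixes to a single-label name, and only falls back to NetBIOS (WINS, then broadcast) when that fails or when no suffix is configured. Host names, shares, addresses and the DNS suffix in the sample input are constructed.

```python
"""Audit mapped-drive targets for dependence on NetBIOS/WINS name resolution.

Added example, not code from the mailing-list thread. Parses `net use`
output and logon-script `net use` lines, then says how each UNC host will be
resolved. All sample input is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# \\host\share[\more]; host and share both stop at whitespace
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\(\S+)")
# a lone "X:" token (drive letter); ignores things like /persistent:no
DRIVE_RE = re.compile(r"(?<!\S)([A-Za-z]):(?!\S)")


@dataclass
class Mapping:
    drive: str
    host: str
    share: str
    kind: str  # "ip" | "fqdn" | "short-dns" | "short-netbios"


def classify_host(host: str, dns_suffixes: list[str]) -> str:
    """How a Win2k/XP client will resolve the host part of a UNC path."""
    try:
        ipaddress.ip_address(host)
        return "ip"                       # no name resolution at all
    except ValueError:
        pass
    if "." in host:
        return "fqdn"                     # DNS only; WINS is never consulted
    # Single-label name: DNS is tried with each suffix appended first. With
    # no suffix configured the client goes straight to NetBIOS (WINS/broadcast).
    return "short-dns" if dns_suffixes else "short-netbios"


def dns_candidates(host: str, dns_suffixes: list[str]) -> list[str]:
    """Names the client will query in DNS before falling back to NetBIOS."""
    if "." in host:
        return [host]
    return [f"{host}.{suffix}" for suffix in dns_suffixes]


def parse_mappings(text: str, dns_suffixes: list[str]) -> list[Mapping]:
    """Extract drive -> UNC mappings from `net use` output or a logon script."""
    found = []
    for line in text.splitlines():
        unc = UNC_RE.search(line)
        if not unc:
            continue
        drv = DRIVE_RE.search(line)
        drive = drv.group(1).upper() + ":" if drv else "?"
        host, share = unc.group(1), unc.group(2)
        found.append(Mapping(drive, host, share, classify_host(host, dns_suffixes)))
    return found


def wins_dependent(mappings: list[Mapping], include_short_dns: bool = False) -> list[Mapping]:
    """Mappings that break when WINS/broadcast resolution is unavailable.

    A short name with a DNS suffix still ends up at WINS if the server has no
    A record under that suffix, so include_short_dns=True flags those too.
    """
    risky = {"short-netbios"} | ({"short-dns"} if include_short_dns else set())
    return [m for m in mappings if m.kind in risky]


# --- constructed sample input -------------------------------------------------
SAMPLE_NET_USE = r"""
New connections will be remembered.

Status       Local     Remote                          Network
-------------------------------------------------------------------------------
OK           H:        \\fs01\home$                    Microsoft Windows Network
OK           S:        \\fs01.corp.example.com\shared  Microsoft Windows Network
Disconnected P:        \\10.1.5.20\public              Microsoft Windows Network
The command completed successfully.
"""

SAMPLE_LOGON_SCRIPT = r"""
@echo off
rem constructed logon script
net use G: \\hqfs02\groups /persistent:no
net use T: \\hqfs02.corp.example.com\tools /persistent:no
"""


def report(text: str, dns_suffixes: list[str]) -> list[str]:
    """One line per mapping; WINS-dependent entries are marked."""
    lines = []
    for m in parse_mappings(text, dns_suffixes):
        flag = "  <-- needs WINS/broadcast" if m.kind == "short-netbios" else ""
        lines.append(f"{m.drive} \\\\{m.host}\\{m.share}  [{m.kind}]{flag}")
    return lines


if __name__ == "__main__":
    print("client with primary DNS suffix corp.example.com:")
    print("\n".join(report(SAMPLE_NET_USE, ["corp.example.com"])))
    print("client with no DNS suffix, logon script:")
    print("\n".join(report(SAMPLE_LOGON_SCRIPT, [])))
```

On a real client, feed `parse_mappings` the output of `net use` (or the `HKCU\Network` registry keys) together with the suffixes from `ipconfig /all`; anything reported as `short-netbios` is what stops working when the WAN link to the WINS server goes down, and `dns_candidates` gives the exact names to check with `nslookup` against the local DC.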
RE: [ActiveDir] NetIQ or Quest Active Roles...
Active Roles is a better product in my experience and has had richer features for a longer time. With Quest's addition of Aelita they are starting to incorporate some great stuff into their products including into Active Roles. I use DRA as well and it is a very functional product and should do everything you need it to. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Allen [MSBU] Sent: Friday, October 01, 2004 9:56 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] NetIQ or Quest Active Roles... We use NetIQ's DRA. I find it to be a useful tool in our environment. They are starting to get the product to be fairly rich as far as content goes. All depends on what you need it to do. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: 01 October 2004 14:23 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] NetIQ or Quest Active Roles... Personally, I look for products that don't get hooked into the directory. My preference is to be able to later switch to a different product if the current one can no longer meet my needs. Outside of that, I think personal preference and unique company needs dictate which product to choose. My $0.02 anyway. Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCall, Iain Sent: Thursday, September 30, 2004 5:52 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] NetIQ or Quest Active Roles... I'm currently looking at Active Directory delegation tools and NetIQ Directory Resource Administrator and Quest Active Roles are the two products which I have looked over briefly. Does anyone have any experience or views of either of these to deploy in the enterprise? Any pros/cons to look out for or alternative products? Thanks... Iain ** This email contains information intended for the addressee only. It may be confidential and may be the subject of legal and/or professional privilege.
Any dissemination, distribution, copyright or use of this communication without prior permission of the sender is strictly prohibited. ** List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Account Lockout resets in large companies
That is one ugly way to deal with that small issue though. The additional administrative overhead involved in having that many subdomains (I am guessing it is a number of locations based on 90 DCs) would far outweigh the slight gain in time saved for the helpdesk staff. I'd much prefer to spend a little time educating the helpdesk and let them spend a few minutes tracking down the right location than have a higher paid admin have to deal with the extra overhead of that many subdomains. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Sent: Wednesday, September 22, 2004 10:28 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Account Lockout resets in large companies The first thing that comes to mind is using subdomains for the physical sites, that should fix that specific problem.. but of course that'd have to fit in with your network design. Regards, Paul. - Original Message - From: Snyder, Robert W. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, September 22, 2004 4:02 PM Subject: [ActiveDir] Account Lockout resets in large companies We are in the midst of rolling out our AD implementation world-wide with about 90 DC's globally. One of the issues we are wrestling with is how to ensure that Account unlocks happen on the users' local DC so that they aren't forced to wait on replication. We've looked at the Acctinfo.DLL but it doesn't seem to give the correct site info unless you know the machine name and most users probably don't know this nor can they find it if they are currently locked out. We also tried the Lockoutstatus.exe tool. Account unlocks seemed to work here, but the password changes aren't working. We'd like one method for doing both. Obviously, we can try to train our help desk to try to determine what the correct DC is and then point their ADUC to the right DC when making the change. We'd like to find a simpler solution though.
We were wondering how other large international companies with central help desks may have resolved this problem. Anyone have any suggestions? Thanks in advance for your help. Bob Snyder Sr. Technical Programmer/Analyst Global Software Support [EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
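Bob's problem is that the help desk does not know which of the 90 DCs the user sits behind, so the unlock or password reset lands on a random DC and the user waits for replication. The script below is an added example and is not code from the thread, from Lockoutstatus.exe or from Acctinfo.dll. It does the same thing Lockoutstatus.exe does by hand: asks every DC for the user's non-replicated bad-password counters, treats the DC with the most recent failed attempt as the one the user's workstation authenticates against, and then performs both the unlock and the password reset against that DC. It assumes the ActiveDirectory PowerShell module (RSAT) and an operator account delegated the unlock and reset-password rights; domain, DC and user names all come from the directory at run time and nothing is hard-coded.

```powershell
<#
Added example, not from the thread: find the DC a locked-out user is actually
authenticating against and do the unlock / password reset there.
Assumes the ActiveDirectory module (RSAT) and delegated unlock/reset rights.
#>
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [switch]$Unlock,
    [switch]$ResetPassword
)

Import-Module ActiveDirectory

$pdce  = (Get-ADDomain).PDCEmulator
$dcs   = Get-ADDomainController -Filter * | Sort-Object Site, HostName
$props = 'lockoutTime', 'badPwdCount', 'badPasswordTime', 'pwdLastSet'

function ToTime([Int64]$FileTime) {
    if ($FileTime -gt 0) { [DateTime]::FromFileTime($FileTime) } else { $null }
}

# badPwdCount and badPasswordTime are never replicated, so each DC only knows
# about the failures it handled itself; that is what tells us where the user is.
$status = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties $props -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            PDCe        = ($dc.HostName -eq $pdce)
            LockedOut   = ($u.lockoutTime -gt 0)
            LockoutTime = ToTime $u.lockoutTime
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = ToTime $u.badPasswordTime
            PwdLastSet  = ToTime $u.pwdLastSet
            Error       = $null
        }
    } catch {
        # unreachable DC (WAN down, firewall, decommissioned): record it, keep going
        [pscustomobject]@{
            DC = $dc.HostName; Site = $dc.Site; PDCe = ($dc.HostName -eq $pdce)
            LockedOut = $null; LockoutTime = $null; BadPwdCount = $null
            LastBadPwd = $null; PwdLastSet = $null; Error = $_.Exception.Message
        }
    }
}
$status | Format-Table DC, Site, PDCe, LockedOut, LockoutTime, BadPwdCount, LastBadPwd, PwdLastSet, Error -AutoSize

# The DC holding the most recent bad-password time is the one the user's
# workstation talks to. Fall back to the PDC emulator, which every DC reports
# failed logons to anyway.
$authDc = $status | Where-Object { $_.LastBadPwd } |
          Sort-Object LastBadPwd -Descending | Select-Object -First 1
if (-not $authDc) { $authDc = $status | Where-Object PDCe }
Write-Host "Authenticating DC for $SamAccountName looks like $($authDc.DC) (site: $($authDc.Site))"

if ($Unlock) {
    # Unlock where the user is, and on the PDCe so the copy that other DCs
    # chain failed logons to is clean as well (second call is a no-op if same DC).
    foreach ($target in @($authDc.DC, $pdce) | Select-Object -Unique) {
        Unlock-ADAccount -Identity $SamAccountName -Server $target
        Write-Host "Unlocked on $target"
    }
}

if ($ResetPassword) {
    $pw = Read-Host -AsSecureString "New password for $SamAccountName"
    # One reset, on the user's own DC. Password changes replicate urgently to the
    # PDC emulator, and a DC that does not yet have the new password retries the
    # logon against the PDCe before failing it, so no other DC needs touching.
    Set-ADAccountPassword -Identity $SamAccountName -Server $authDc.DC -Reset -NewPassword $pw
    Set-ADUser -Identity $SamAccountName -Server $authDc.DC -ChangePasswordAtLogon $true
    Write-Host "Password reset on $($authDc.DC)"
}
```

Run it as `.\Find-LockoutDC.ps1 -SamAccountName jdoe` first to see the per-DC table (the same view Lockoutstatus.exe gives), then add `-Unlock` and/or `-ResetPassword`. Querying 90 DCs serially takes a minute; if that matters, wrap the loop in `ForEach-Object -Parallel` on PowerShell 7 or restrict `$dcs` to the DCs in the user's region.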
RE: [ActiveDir] GPOs through trust?
The only GPOs that won't apply are machine account GPOs since those will be based on the DA GPOs since the workstation is a member of the DA domain. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, September 13, 2004 2:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPOs through trust? Idan- It makes part sense, but in general, yes, Group Policy does not have an issue with trusts. Your described scenario below is a bit confusing. If U1 is defined in domain DB, then I'm assuming that when you say that U1 signs into domain DA, you mean that U1 is sitting at a workstation whose machine account resides in DA? In that case, when the user U1 logs on, Windows will chase the GPLinks that apply to the user account in DB as normal, and, as long as the trusts are good and both AD and SYSVOL in DB are accessible to U1, then processing works as expected, though with some small performance overhead due to having to pass-through the domain trusts. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, September 13, 2004 9:13 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] GPOs through trust? Hi All, I have a question about whether GPOs get applied in a situation where domain trust is used.. Assume AD domain DA trusts DB. There is a user U1 defined in DB. U1 belongs to a group G1 on DB. A particular GPO applies to G1 in DB. Now when user U1 signs into domain DA, using trust, does the GPO get applied, despite the fact that it's actually defined on DB, for G1 which also does not exist on DA? (Hopefully that makes sense...) Thanks! 
-- Idan List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Logon types
You can't do that. If you type in user@ the domain dropdown box is grayed out and does not apply. The login process uses the information after the @ sign for where to authenticate you, so as long as you are typing in a valid UPN you will get authenticated to the domain just like you do if you type in username, password and choose a domain from the dropdown list. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Friday, September 10, 2004 12:10 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Logon types In example 2, you specify a domain user credential, [EMAIL PROTECTED] (where domain is the same domain used in example 1) You enter the same password, since to you it's the same account. But in the logon to drop down, you specify the local machine vs. the domain. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Logon types
There is no difference when logging on with a UPN vs. logging on with the old NT4 style: they both use Kerberos as their authentication method and both use DNS to find a domain controller. Why you are seeing issues when logging on with a UPN is definitely very odd, but when logging on with a UPN you are logging into the domain. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Friday, September 10, 2004 3:04 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Logon types Now I know that it isn't logging into the domain in the same context (as a few people have agreed) either way, because I have odd problems with applications when logging in with the UPN. I just wonder what the actual differences are... although for no other reason than to know, because I definitely do not recommend that people log in this way. How this user even figured out that they could use the UPN is beyond me (because they are lucky to know what logging on means). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega Sent: Friday, September 10, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Logon types Perhaps the confusion lies with the fact that even after the drop down is grayed-out when you use [EMAIL PROTECTED] to log in, it still says either Workstation or the domain depending on what was selected prior to typing in the [EMAIL PROTECTED] login info. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil Sent: Friday, September 10, 2004 12:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Logon types You can't do that. If you type in user@ the domain dropdown box is grayed out and does not apply.
The login process uses the information after the @ sign for where to authenticate you, so as long as you are typing in a valid UPN you will get authenticated to the domain just like you do if you type in username, password and choose a domain from the dropdown list. Phil List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/