RE: [ActiveDir] "Sticky" group membership - Solved

2005-05-22 Thread Rick Kingslan
Yes, I am strange - thank you very much.  And, Bob's your Uncle, I now have
the information that I needed.

Thanks, Dean!

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Sunday, May 22, 2005 9:25 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] "Sticky" group membership - Solved

How strange, you're the 2nd person that's asked me that in as many days :-/

No particular ordering -

1. Caching Global Groups
- causes additional admin. requirements
- ridiculous, why cache what the DC already has
explicit knowledge of?
- answer, unable to sufficiently differentiate group types
at the time the cache is populated.  I've suggested approaches ... I guess
we'll see.

2. Cache is NOT replicated within the site (bad thing) or out of the site
(good thing), as such, each DC within a caching site independently updates
its own cache at a controllable interval 
- if the site contains more than 1 DC, they all update their cache
independently instead of 'bridgeheading' the operation and locally
replicating

3. If site contains more than 500 users (or sub-class derivatives)
containing a non-stale cached membership
- the DC(s) will only update the first 500 objects (which can be
increased).  During the next pass, the DCs will NOT iterate through the list
thereby covering all relevant objects.  Instead, the DCs update the objects
based on (IIRC) their natural ordering within the DIT (which may differ from
DC to DC).

4. No automated failover capability (not critical may prove useful) 
- place a GC in the site = GC used and cache is populated locally
from it
- GC in site not found, cache is used

5. No interface to view, manage, update or pre-populate the cache
- under-the-hood mechanisms do exist but weren't exposed
- Eric wrote a CLI tool to view it some time ago
- Scripts are available for manual update and can be bolted into the
interface

6. DsCrackNames API requires a GC when instructed to resolve locally-unknown
SPNs used when computers apply policy (may have long-since been resolved ...
haven't checked)

That's all I can think of ... hope it proves useful!

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, May 21, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "Sticky" group membership - Solved

Dean,

Would you be as kind as to elaborate on the other issues with Group
Membership Crashing?  

I know you're not into the 'joe' model of writing novels, but I'm interested
in what you've noted and why it occurs.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, May 21, 2005 1:10 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] "Sticky" group membership - Solved

May I ask why it was on in the first place?  The caching of global groups is
but one of many inadequacies!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
Sent: Sunday, May 15, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "Sticky" group membership - Solved

I think I found a solution, at least I cannot provoke the error anymore.

Tests showed that the error was connected to one DC, every time the false
membership was active it was the latest installed DC that processed the
logon.

Investigating event logs on the DC gave sporadic warnings of "group
membership cache refresh".

I turned off Universal Group Membership Caching, and now all seems to be
well :-)

What I don't understand is why this setting was influencing a global group,
but maybe someone here can enlighten me?

Thanks,
Ole Thomsen


> -Original Message-
> From: Ole Thomsen
> Sent: Saturday, May 14, 2005 10:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] "Sticky" group membership
> 
> I am well aware of the fact that group membership is only updated 
> during a new logon.
> 
> But this "false" membership can stick for several days, and we reboot 
> the terminal servers every night. My test user was removed from the 
> group two days ago, and still gets the GPO applied on some of the 
> servers.
> 
> As far as I can see the membership is recognized correctly on the 
> network and file servers - just not during logon.
> 
> Thanks,
> Ole Thomsen
> 
> 
> 
> 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, May 14, 2005 8:42 PM
> &g

RE: [ActiveDir] "Sticky" group membership - Solved

2005-05-22 Thread Rick Kingslan
I think that you just like when Dean posts answers - period.

;o)

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 22, 2005 12:06 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] "Sticky" group membership - Solved

I like it when Dean posts longer answers.  




RE: [ActiveDir] Need AD Query Suggestion Please

2005-05-24 Thread Rick Kingslan
Oh, Jorge! Please stop!  We can barely get joe's head through most doors as
it is now.  He REALLY doesn't need another cheerleader!

;op

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, May 24, 2005 9:40 AM
To: 'Jerry Welch '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

don't thank me.. thank the guy who created the tool!. His name is Joe and he
can type more in a message than you can say in one day.. ;-)

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 4:32 PM
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

Cool filter !!
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida
Pinto
Sent: Tuesday, May 24, 2005 9:56 AM
To: 'Krenceski, William '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

To get all departments (incl DUPs)
try the following:
ADFIND -h  -nodn -nolabel -s subtree -b "" -f
"(&(objectCategory=person)(department=*))" department > OUTPUT.TXT

Load OUTPUT.TXT into excel, sort by name and list only unique values
using a filter (pull down -menu data->filter->advanced filter)

Cheers
#JORGE#

PS.: you can get ADFIND from www.joeware.net
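
The Excel step above can be replaced by a few lines of post-processing. The following is an added example written for this thread, not code from ADFIND or its author: it checks an LDAP filter for the easy-to-miss unbalanced parenthesis before you run it, then reads an ADFIND-style `-nodn -nolabel` dump (one `department` value per line, blanks between objects) and produces the unique department list with a per-department count. The sample output is constructed.

```python
"""Added example (not from the thread or from ADFIND): sanity-check an LDAP
filter's parentheses and reduce an ADFIND-style department dump to unique
values.  SAMPLE_OUTPUT is constructed, not real directory data."""
import re
from collections import Counter

# Constructed stand-in for what `adfind -nodn -nolabel ... department` prints:
# one value per line, blank separators between objects, and the inconsistent
# case / trailing whitespace that real directory data tends to carry.
SAMPLE_OUTPUT = """\
Payroll

Radiology
payroll 

Emergency Dept

Radiology
Emergency Dept
"""


def check_ldap_filter(flt: str) -> bool:
    """Return True if the filter starts with '(' and its parentheses balance.
    Catches the common copy/paste defect of a missing trailing ')'; it does not
    validate attribute names or value escaping (RFC 4515 covers far more)."""
    if not flt.startswith("("):
        return False
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:          # a ')' with no matching '('
                return False
    return depth == 0


def normalize(value: str) -> str:
    """Collapse case and whitespace so 'payroll ' and 'Payroll' count as one."""
    return re.sub(r"\s+", " ", value.strip()).casefold()


def unique_departments(text: str):
    """Return (sorted unique departments, Counter of objects per department).
    The display form is the first spelling seen for each normalized key."""
    first_seen = {}
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue                # blank separator between objects
        key = normalize(line)
        first_seen.setdefault(key, line.strip())
        counts[key] += 1
    return sorted(first_seen.values(), key=str.casefold), counts


if __name__ == "__main__":
    good = "(&(objectCategory=person)(department=*))"
    bad = "(&(objectCategory=person)(department=*)"   # missing final ')'
    print("good filter:", check_ldap_filter(good), " bad filter:", check_ldap_filter(bad))
    depts, counts = unique_departments(SAMPLE_OUTPUT)
    for d in depts:
        print(f"{d}: {counts[normalize(d)]}")
```

Pipe the real ADFIND output into `unique_departments` (or read `OUTPUT.TXT`) and the counts double as a quick data-quality check: a department that appears once is usually a typo in someone's `department` attribute rather than a real department.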

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Sent: 5/24/2005 3:33 PM
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

Every AD user and contact has a department assigned. Querying by OU would
not work because some departments do not fit perfectly with their OU
(Departments are payroll based, not necessarily function based). I was
hoping to run something like (&(objectCategory=user)(department=*)) and
only display department AND suppress duplicates.

-Original Message-
From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 24, 2005 8:53 AM
To: Krenceski, William; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Need AD Query Suggestion Please

How are the departments represented in AD? -> OUs, groups, something
else?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/24/2005 2:39 PM
Subject: [ActiveDir] Need AD Query Suggestion Please

Hello,
 
I am looking for a query or script that will go out and query all
departments in active directory (the easy part) AND I want to suppress
duplicates as to get a list of unique departments. Not caring about
displaying the users or anything else with the query.
 
 

William Krenceski
Network Administrator
Olean General Hospital
515 Main Street
Olean, NY 14760
Tel: 716-375-6475
Email: [EMAIL PROTECTED]   


 
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] lastlogontimestamp-

2005-05-29 Thread Rick Kingslan

You just made joe's head bigger...


Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 

I'll yield on this and stand corrected. Although I did not exactly remember
reading about (or observing) this behavior, current materials I just
consulted say that Joe and Diane are correct - as always.
 

Got to read more.

 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/27/2005 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp- 



Yes, I agree with you, it is incorrect.

BDC's weren't entirely read only, non-replicating attributes such as last
logon, bad password count, etc were written locally and yes you had to query
all DCs to get an accurate accounting of what happened.

If this were the architecture of NT4, the PDC would have burned to the
ground in any decent sized enterprise.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, May 27, 2005 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

> In NT4, all updates go up to the PDC. This is why you will get a true last
> login report

Not that my small wattage can hold a candle to the brain power for the
others on the list but isn't this incorrect?  IIRC, under NT 4.0 the last
logon went to the authenticating DC.  That is why you had to query all the
DCs in a domain to get an accurate lastlogon value for an account.

Updates to an account such as pwd changes, etc went to the DC. 

Not that it really matters since NT 4.0 is no longer relevant.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 27, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

In NT4, all updates go up to the PDC. This is why you will get a true last
login report.

Post NT4, most updates take place on any DC, and lastlogon is one such
update. Because it is possible that a user can be authenticated by different
DCs at different times, AND because lastlogon is NOT replicated between DCs,
you will get a different lastlogon report, depending on which DC you are
querying for it. The reason you are getting a consistent report today is
likely because you are querying the DC that logged you in today. If you
query ANOTHER DC now, you will get a different result IF that DC had not
authenticated you today.

Lastlogontimestamp was introduced in 2K3 to address this lack of correlation
in a multi-DC environment. Lastlogontimestamp is "eventually" replicated and
adjusted, so you will get more consistent results if you query multiple DCs
for lastlogontimestamp. Before lastlogontimestamp, you would have to query
ALL your DCs for lastlogon, then you would have to compare the results they
give you and find the most current in order to get a semblance of accurate
last logon.

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon
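
The "query ALL your DCs and take the most current" procedure above, as an added example written for this thread (not code from any of the posters): it converts the FILETIME integers AD stores in `lastLogon` and `lastLogonTimestamp`, picks the newest `lastLogon` across every DC, and only calls an account idle when the replicated `lastLogonTimestamp`, widened by its replication slack, agrees. The DC names, account names and values are constructed; the 14-day slack is the default `msDS-LogonTimeSyncInterval`, which is why `lastLogonTimestamp` is only "eventually" accurate.

```python
"""Added example, written for this thread rather than taken from it: combine the
non-replicated lastLogon values read from every DC into one "newest logon" per
account and weigh it against the replicated lastLogonTimestamp.  All DC names,
account names and values below are constructed."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lastLogonTimestamp is rewritten only when the stored value is older than
# msDS-LogonTimeSyncInterval (default 14 days, minus a random 0-5 day offset),
# so the replicated value can lag the real last logon by up to two weeks.
LOGON_TIMESTAMP_SLACK = timedelta(days=14)


def filetime_to_datetime(ft: int):
    """AD stores lastLogon/lastLogonTimestamp as 100-ns ticks since 1601-01-01 UTC;
    0 means no logon has ever been recorded on that DC."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, in integer arithmetic so it stays exact."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def effective_last_logon(per_dc: dict):
    """per_dc maps DC name -> raw lastLogon as read from that DC.
    Returns (newest datetime, DC that held it), or (None, None) if no DC has one."""
    seen = [(filetime_to_datetime(raw), dc) for dc, raw in per_dc.items()]
    seen = [(ts, dc) for ts, dc in seen if ts is not None]
    return max(seen) if seen else (None, None)


def is_inactive(per_dc: dict, last_logon_timestamp_raw: int, now: datetime,
                max_age: timedelta = timedelta(days=90)) -> bool:
    """True only when both views agree the account is idle: the newest lastLogon
    across all DCs is older than max_age AND lastLogonTimestamp, widened by its
    replication slack, is too.  Reading a single DC's lastLogon would flag
    accounts that simply authenticated against a different DC."""
    cutoff = now - max_age
    newest, _ = effective_last_logon(per_dc)
    replicated = filetime_to_datetime(last_logon_timestamp_raw)
    recent_by_dcs = newest is not None and newest >= cutoff
    recent_by_ts = replicated is not None and replicated + LOGON_TIMESTAMP_SLACK >= cutoff
    return not (recent_by_dcs or recent_by_ts)


# Constructed sample: three DCs, values expressed relative to a fixed "now".
NOW = datetime(2005, 5, 27, 22, 0, tzinfo=timezone.utc)


def days_ago(n: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=n))


SAMPLE = {
    # logged on today via DC1; DC2 last saw them a month ago; DC3 never did
    "jmedeiros": {"per_dc": {"DC1": days_ago(0), "DC2": days_ago(30), "DC3": 0},
                  "llts": days_ago(12)},
    # lastLogonTimestamp alone looks 100 days old, but with 14 days of slack it
    # cannot prove the account crossed a 90-day threshold
    "laggy":     {"per_dc": {"DC1": days_ago(120), "DC2": 0, "DC3": 0},
                  "llts": days_ago(100)},
    # every view agrees: nothing for half a year
    "oldsvc":    {"per_dc": {"DC1": days_ago(200), "DC2": 0, "DC3": days_ago(180)},
                  "llts": days_ago(180)},
}

if __name__ == "__main__":
    for name, rec in SAMPLE.items():
        newest, dc = effective_last_logon(rec["per_dc"])
        idle = is_inactive(rec["per_dc"], rec["llts"], NOW)
        print(f"{name:10} newest={newest} via {dc} inactive={idle}")
```

Feed `per_dc` from a real LDAP read of `lastLogon` against each DC in turn (it will differ per DC by design) and `llts` from any one DC. The example deliberately errs toward "active": an account that fails both tests is the only one worth disabling, and even then the caveat later in this thread applies, since NTLM pass-through and simple binds do not stamp either attribute at all.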



From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Fri 5/27/2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-



Hi Al,

Thank you for taking the time to reply, and I very much appreciate your
effort on researching this. You know that I recall using USRSTAT on a NT4
Domain and it would show the Domain Controller that actually authenticated
the user account, however it does not seem to display this output in an
Active Directory Forest. Go figure..

BTW: My last logon is the correct time and I have logged in several times
today.

Have a happy Memorial day weekend!

Peace!

Jose :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Al Mulnick
Sent: Friday, May 27, 2005 1:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-


Part of the problem I see with your output below is that it doesn't show
which domain controller you last logged on to.  While that's not a problem
if you have only one DC in your forest, it can be if you have more than
that.  LastLogon is not replicated.  LastLogonTimeStamp is and as such you
have to query each possible DC to find out the last logon.
To make matters worse, there is a fix out there somewhere that causes ntlm
auth to actually update this field (or am I just dreaming it? :)

In the end, you'll wa

RE: [ActiveDir] _msdcs question

2005-05-31 Thread Rick Kingslan
But, my experiments have shown that though you might be able to get rid of
WINS for Exchange purposes, the Office team hasn't quite grown past its use.

Outlook (including 2003) has a bit of a hard time finding its mailbox if
WINS is not active (or, at least an LMHosts file in place).

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 31, 2005 8:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] _msdcs question

Exchange also relies on WINS name resolution.  You cannot install
Exchange without WINS name resolution.
 
If you mean in a multi-domain environment, yes but...
 
You don't need WINS per se. With appropriate DNS suffixes, you can overcome
the NetBIOS resolution limitations that necessitate the WINS requirement. I
am not saying don't use WINS or that you can get rid of WINS easily. I am
just saying that for purposes like these (Exchange install in a multi-domain
environ, or trust establishment, etc), it is not a necessity IF you do the
necessary home-work.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Santhosh Sivarajan
Sent: Tue 5/31/2005 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] _msdcs question



Deji,

I completely understand your point but from my experience, if you
don't have NetBIOS name resolution you cannot establish a trust.
Also, you need to make sure all the required ports are open between
two Domains.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;179442)

Exchange also relies on WINS name resolution.  You cannot install
Exchange without WINS name resolution.

HTH
Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX


On 5/31/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Santhosh, I don't understand the significance of WINS here, as opposed to
> getting DNS resolution properly working. Since he's on W2K3, wouldn't it be
> better that he uses a stub of each domain on the other side of the trust (or
> even cond fwding for that matter)? Just curious.
>
> On a similar note, I've noticed that the trust process (and other processes,
> like Exchange Server Migration in ADMT) uses NetBIOS lookup instead of doing
> an FQDN lookup. One way I do this is to simply create an A record in MY zone
> for the DC on the other side. By creating the A record, the query will simply
> get handed the record for that DC. This works IF the name of the DC on the
> other side is not the same as the name of any of the DC in MY domain. Let me
> explain with an example.
>
> MYDomain wants to trust YOURDomain. YourDomain has a DC called YourDC. During
> the trust establishment process, I see a query for YourDC, which of course
> does not exist in MyDomain, and because YourDomain is also not on my suffix,
> no record is located.
>
> So, I create an A record for YourDC and give it the true IP of YourDC. So,
> now the process goes and queries for YourDC (instead of YourDC.YourDomain), it
> gets resolved to the YourDC that is located in MyDomain, which happens to be
> the same as YourDC.YourDomain.
>
>
> Deji
>
>
> 
>
> From: [EMAIL PROTECTED] on behalf of Santhosh Sivarajan
> Sent: Tue 5/31/2005 2:07 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] _msdcs question
>
>
>
> I don't think you have to do anything with your _msdcs zone.  You have
> to have WINS name resolution in-order to configure the trust.  What is
> your WINS configuration? Can you ping both Domain DCs using NetBIOS
> and FQDN?
>
> HTH
> Santhosh
>
> Santhosh Sivarajan
> MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
> Houston, TX
>
>
> On 5/31/05, Rimmerman, Russ <[EMAIL PROTECTED]> wrote:
> >
> > We upgraded our Win2k AD domain to Win2k3 a few months ago.  Now I'm
> > attempting to set up a two-way trust with an outside Win2k3 domain, and
> > I found out that _msdcs.company.com in the Win2k3 domain is at the same
> > level as the company.com zone.  So I found out this means that they
> > build this as a Win2k3 domain rather than upgrading from Win2k.
> >
> > I found http://support.microsoft.com/?id=817470 on how to reconfigure an
> > _msdcs subdomain to a forest-wide DNS application directory partition
> > when you upgrade from Win2k to Win2k3, but we haven't done that (didn't
> > know about it until just now).
> >
> > Question is - I want to set up a two-way trust with this win2k3 domain,
> > but when I set them up as a secondary zone in our empty root domain, we
> > didn't get the _msdcs data since it's just a grey reference folder
> > rather than actual data.
> >
> > How do I get the two-way trust working?  Do I have to set up two
> > secondary zones in my empty root 

RE: [ActiveDir] lastlogontimestamp-

2005-06-03 Thread Rick Kingslan
" For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used."

joe, I'm not sure that I know the reason for this.  Can you help?  (Book
versions appreciated!  :o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 02, 2005 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

A remote NTLM Auth would be a remote authentication of a user for a resource
that uses NTLM authentication because kerberos for some reason or another
can't be used.

For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used. In this case neither lastLogon
NOR lastLogonTimeStamp will be updated. 

These attributes also aren't updated for successful simple LDAP binds as
well. Well there is an exception here. If you send bad creds, then follow
them up with good creds, you will get the attribute stamped. This is
something that seems to bite people doing AD Cleanups, they will have IDs
that are only used for simple AD Auths and the lastlogon never gets updated
which makes it seem like the accounts aren't being used even though they
could be authenticating hundreds of times a minute.

   joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

As I understand it, remote NTLM authentication is when someone doesn't log
on by doing CTRL ALT DEL and putting in a username/password but accesses
some resource which either prompts for username/password (perhaps a web page
or email program) or uses the stored token. This doesn't update the
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for
access to this then you know who's accessing the email and (effectively)
who's not accessing the email - if you have a policy that you must access
the email at least once per month then you just check the logs each month,
build a list of those who have accessed; match this against your total list
of users and the "misses" are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses
and take and pass exams so our student records people are quite good at
keeping accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop
out, leave or get kicked out at any time of the year. If the leaving is
planned (eg they move away from London) then they are removed cleanly from
the system; if they just don't turn up for classes for a certain number of
weeks (it varies but I think it's about 4-6) then they get withdrawn.
There's no point for us leaving a student on the system if they're not
showing for classes - we don't get the funding for them (and if we leave
them on the system but they don't take the exam then that looks even worse -
we taught a student for a whole year and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to
"yesterday" and move them to an "expired" OU. If it turns out that (eg) they
were sick but didn't get round to calling then it's easy to just re-instate
the account.


Steve

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Garello, 
> Kenneth
> Sent: 02 June 2005 13:45
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] lastlogontimestamp-
> 
> Steve,
> 
> Thanks for the alternate view.  Unfortunately, our business policy is 
> not that simple.  We basically allow for lifetime email as long as the 
> account is active.
> Do you simply delete the account when a student becomes inactive?  
> What determines enrollment at your school? (This is a problem in many 
> other areas of the business - did a student leave or is he just not 
> taking classes)
> 
> I would still like to understand what a "remote NTLM Authentication" 
> is.
> 
> 
> Ken
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
> Rochford
> Sent: Thursday, June 02, 2005 8:17 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] lastlogontimestamp-
> 
> Is it possible to approach this from another way? Do you have any 
> access to enrolled student data? If so, then it might be easier to 
> delete students who are no longer enrolled rather than try and work 
> out those who haven't logged on.
> 
> I have a script that runs at regular intervals and pulls a listing of 
> all student accounts in the AD (and before someone starts worrying, 
> yes, I do use paging :-)) For each account I then run the function 
> below which returns true if the student is still enrolled and false if 
> not. The 

RE: [ActiveDir] lastlogontimestamp-

2005-06-03 Thread Rick Kingslan
Thanks to the both of you.  Much appreciated and the answer was more
interesting than I initially thought it might be.  Explains a few things
that I've seen in Sec Logs and wasn't quite certain what they were.

Now, I know.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 03, 2005 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

Bingo.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, June 03, 2005 8:28 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] lastlogontimestamp-

Kerberos requires that a principal name (SPN) be specified in order to
locate keying material (computer accounts in AD speak) necessary to secure
(encrypt) the ticket content (primarily the PAC) both in transit and within
the ticket cache of the requesting user.  Since IP addresses are not
registered as SPNs (far too chatty), the use of an IP address prohibits the
ability to identify the target computer's computer object thereby preventing
the KDC's ability to locate any shared keying material which in turn
prohibits the construction of the ticket.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
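
Dean's explanation, turned into a check you can run over the resource references your users and scripts actually use: an added example written for this thread, not code from any poster. It extracts the host from a UNC path, URL or bare name, and reports whether a service principal name of the form `service/host` can be requested at all. An IP literal yields no SPN, so the client never asks the KDC for a ticket and falls back to NTLM, which is also why such accesses leave `lastLogon` untouched (joe's point earlier in the thread). The targets and the service-class names (`cifs`, `HTTP`) are assumptions for the example.

```python
"""Added example, not from the thread: decide from the target a client typed
whether an SPN can be formed (Kerberos attempted) or the target is an IP literal
(no SPN, NTLM fallback).  Target strings below are constructed."""
import ipaddress
from urllib.parse import urlsplit


def extract_host(target: str) -> str:
    """Pull the host part out of a UNC path (\\\\host\\share), a URL, or a bare host."""
    if target.startswith("\\\\"):
        return target[2:].split("\\", 1)[0]
    if "://" in target:
        return urlsplit(target).hostname or ""   # hostname strips IPv6 brackets
    return target.split("/", 1)[0]


def is_ip_literal(host: str) -> bool:
    """True for IPv4 or IPv6 literals; anything the ipaddress module rejects is a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def expected_auth(target: str, service: str = "cifs"):
    """Return (package, spn).  'Kerberos' with the SPN the client would request
    when the target is a name; 'NTLM' with no SPN when it is an IP literal, since
    IP addresses are not registered as SPNs and the KDC cannot find the target's
    computer object (and therefore its key) to build a ticket."""
    host = extract_host(target)
    if not host or is_ip_literal(host):
        return "NTLM", None
    return "Kerberos", f"{service}/{host}"


def review_targets(targets):
    """Map each constructed resource reference to the package it will end up using;
    handy when explaining NTLM entries in a security log, or a lastLogon that
    never moves for an account that is clearly busy."""
    return {t: expected_auth(t)[0] for t in targets}


if __name__ == "__main__":
    sample = [
        "\\\\fs01.corp.example\\share",   # FQDN: SPN cifs/fs01.corp.example exists
        "\\\\fs01\\share",                # short name: still an SPN
        "\\\\10.0.0.5\\share",            # IPv4 literal: no SPN, NTLM
        "http://[fd00::5]/",             # IPv6 literal in a URL: no SPN, NTLM
    ]
    for target, package in review_targets(sample).items():
        print(f"{target:32} -> {package}")
```

One caveat for readers on much newer Windows than this 2005 thread: Windows 10 and Server 2016 onward can try Kerberos for IP addresses when the `TryIPSPN` Kerberos parameter is enabled and the address has been registered as an SPN; with the default configuration the behaviour Dean describes still holds.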


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 03, 2005 8:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

" For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used."

joe, I'm not sure that I know the reason for this.  Can you help?  (Book
versions appreciated!  :o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 02, 2005 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

A remote NTLM Auth would be a remote authentication of a user for a resource
that uses NTLM authentication because kerberos for some reason or another
can't be used.

For instance... If you connect to a resource via IP, kerberos will not be
used, instead passthrough NTLM will be used. In this case neither lastLogon
NOR lastLogonTimeStamp will be updated. 

These attributes also aren't updated for successful simple LDAP binds. Well,
there is an exception here. If you send bad creds, then follow them up with
good creds, you will get the attribute stamped. This is something that seems
to bite people doing AD cleanups: they will have IDs that are only used for
simple AD auths, and the lastlogon never gets updated, which makes it seem
like the accounts aren't being used even though they could be authenticating
hundreds of times a minute.

   joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, June 02, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] lastlogontimestamp-

As I understand it, remote NTLM authentication is when someone doesn't log
on by doing CTRL ALT DEL and putting in a username/password but accesses
some resource which either prompts for username/password (perhaps a web page
or email program) or uses the stored token. This doesn't update the
lastlogontimestamp.

I think you need a plan C for checking the email stuff. How will students
access the email? Web? POP3? IMAP? Whichever it is, if you have logs for
access to this then you know who's accessing the email and (effectively)
who's not accessing the email - if you have a policy that you must access
the email at least once per month then you just check the logs each month,
build a list of those who have accessed; match this against your total list
of users and the "misses" are the ones who are now inactive.

Most of our funding depends on proving that students enrol, attend courses
and take and pass exams so our student records people are quite good at
keeping accurate lists - auditors pick up on things if they get it wrong!

Students can enrol to many courses at any time of the year and also drop
out, leave or get kicked out at any time of the year. If the leaving is
planned (eg they move away from London) then they are removed cleanly from
the system; if they just don't turn up for classes for a certain number of
weeks (it varies but I think it's about 4-6) then they get withdrawn.
There's no point for us leaving a student on the system if they're not
showing for classes - we don't get the funding for them (and if we leave
them on the system but they don't take the exam then that looks even worse -
we taught a student for a whole year and they failed at the end.)

What we actually do with the student accounts is to set the expiry date to
"yesterday" and move them to an "expired" O

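The lastLogonTimestamp trap joe describes (pass-through NTLM when a resource is reached by IP address, which Dean explains above as the KDC being unable to find an SPN, plus successful simple LDAP binds) and Steve's "plan C" of reconciling the service's own access logs against the full user list, worked as an added Python example that is not code from the list or from any poster. The user list, the logon records, their one-line format and the 90-day window are all constructed for illustration.

```python
"""Reconcile lastLogonTimestamp against service logon logs.

Added example for the thread above; not code from the list or its posters.
Constructed sample data throughout: the user list, the logon records and the
90-day inactivity window are illustrative, not taken from any real domain.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# lastLogonTimestamp is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a raw lastLogonTimestamp value to UTC; 0 means never stamped."""
    if ft <= 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (used here to build the sample data)."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_logon_line(line: str) -> Dict[str, str]:
    """Parse one simplified, constructed logon record of the form
    '<ISO-8601 UTC time> user=<sAMAccountName> package=<NTLM|Kerberos|LDAP-simple> src=<ip>'."""
    when, rest = line.strip().split(" ", 1)
    record = dict(field.split("=", 1) for field in rest.split())
    record["time"] = when
    return record


def reconcile(users: Dict[str, int], log_lines: List[str], now: datetime,
              stale_after: timedelta = timedelta(days=90)) -> Dict[str, Dict[str, List[str]]]:
    """Bucket accounts as:
      stamped_recent - lastLogonTimestamp is inside the window (the attribute did get updated)
      log_only       - stamp stale or absent, yet the service logs show the account
                       authenticating (pass-through NTLM or simple LDAP binds: joe's trap)
      inactive       - stale or absent stamp AND nothing in the logs inside the window
    Each entry maps the account to the sorted auth packages seen for it."""
    cutoff = now - stale_after
    seen: Dict[str, set] = {}
    for line in log_lines:
        rec = parse_logon_line(line)
        when = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        if when >= cutoff:
            seen.setdefault(rec["user"], set()).add(rec["package"])

    buckets: Dict[str, Dict[str, List[str]]] = {"stamped_recent": {}, "log_only": {}, "inactive": {}}
    for user, ft in users.items():
        stamp = filetime_to_datetime(ft)
        packages = sorted(seen.get(user, ()))
        if stamp is not None and stamp >= cutoff:
            buckets["stamped_recent"][user] = packages
        elif packages:
            buckets["log_only"][user] = packages
        else:
            buckets["inactive"][user] = packages
    return buckets


# --- constructed sample input -------------------------------------------------
NOW = datetime(2005, 6, 3, 12, 0, tzinfo=timezone.utc)


def _ft(*ymdhm: int) -> int:
    return datetime_to_filetime(datetime(*ymdhm, tzinfo=timezone.utc))


SAMPLE_USERS: Dict[str, int] = {          # sAMAccountName -> lastLogonTimestamp
    "jsmith":  _ft(2005, 6, 1, 8, 30),    # interactive (Kerberos) logon: stamped
    "svc_web": 0,                         # only ever does simple LDAP binds: never stamped
    "rkumar":  _ft(2004, 11, 20, 9, 0),   # reaches shares by IP address: NTLM, not stamped
    "olduser": _ft(2004, 9, 1, 17, 0),    # really gone
}

SAMPLE_LOG: List[str] = [
    "2005-06-02T20:15:00Z user=rkumar package=NTLM src=10.0.0.5",
    "2005-06-02T20:16:10Z user=svc_web package=LDAP-simple src=10.0.0.9",
    "2005-06-02T21:00:00Z user=jsmith package=Kerberos src=10.0.0.7",
    "2005-01-15T10:00:00Z user=olduser package=NTLM src=10.0.0.8",  # outside the window
]

if __name__ == "__main__":
    for bucket, members in reconcile(SAMPLE_USERS, SAMPLE_LOG, NOW).items():
        print(f"{bucket:15s} {members}")
```

Accounts landing in log_only are exactly the ones a cleanup driven by lastLogonTimestamp alone would wrongly disable.
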
RE: [ActiveDir] Seeking AD monitoring software recomendations

2005-06-05 Thread Rick Kingslan
Mark,

Tall order – specifically the ‘ramp up and install’ time.  But, there is one
suite that meets what you’re looking for – and scales well to Enterprise
size, which summarizes your environment pretty well.

The NetPro Active Directory suite ( www.netpro.com ) is THE tool, IMHO, that
does all of this well – and integrates the pieces to provide a complete
end-to-end solution.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
Sent: Sunday, June 05, 2005 6:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seeking AD monitoring software recomendations

I work for a large enterprise company running w2k3 in 2003 mode with the
expectation the main user domain will hold 150K users. Currently has about
80 DCs.

We finally have funding to buy some AD specific monitoring tools.

- I am looking for an application(s) that will tell us when AD is not
  functioning as it should in a simple screen and email us.
- Would like to be able to bench mark systems.
- Will tell us when someone changed a piece of the infrastructure (Auditing)
- Would like to have the install done in about a week and be proficient in
  about a month.

I need a system I do not have to spend a lot of time with, and will tell me
when something wrong/changed.

anyone have any good suggestions ?

Thanks, You guys are great!

M. Lunsford

RE: [ActiveDir] Seeking AD monitoring software recomendations

2005-06-05 Thread Rick Kingslan
"you think you have enough DC's"

Probably would depend on the remote vs. local campus environment, I suppose!
:o)

Company that I was just with had over 100, but we had high demand for
redundancy in over 50 remote sites supporting anywhere from 200 to ~1200
production users at each site.  Given that we maintained two domains (one
for support staff and one for the production workers) it's easy to get there
in a highly distributed, international environment.

But, that's just me  ;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Sunday, June 05, 2005 7:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seeking AD monitoring software recomendations

MOM 2005, and do you think you have enough DC's? ;-)

Mark
-Original Message-
From: "Mark" <[EMAIL PROTECTED]>
Date: Sun, 5 Jun 2005 16:46:44 
To:
Subject: [ActiveDir] Seeking AD monitoring software recomendations

I work for a large enterprise company running w2k3 in 2003 mode with the
expectation the main user domain will hold 150K users. Currently has about
80 DCs. 
 
We finally have funding to buy some AD specific monitoring tools. 
- I am looking for an application(s) that will tell us when AD is not
  functioning as it should in a simple screen and email us.
- Would like to be able to bench mark systems.
- Will tell us when someone changed a piece of the infrastructure (Auditing)
- Would like to have the install done in about a week and be proficient in
  about a month.
I need a system I do not have to spend a lot of time with, and will tell me
when something wrong/changed. 
 
anyone have any good suggestions ? 
 
Thanks, You guys are great! 
M. Lunsford
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Seeking AD monitoring software recomendations

2005-06-05 Thread Rick Kingslan
NetPro is focused on Directory Services - and in this case, AD.  It's the
primary thing that it does.  MOM, on the other hand can be configured to be
focused on AD, but the depth and breadth, IMHO, is not as good as NetPro.

MOM is great for an overall view of lots of Microsoft (and non-MS if you want
to grab SNMP data and compile MIBs) server and client pieces.  But, it is a
breadth piece and is tougher to get depth than something that is keenly
focused on AD.

That being said, there is a MOM management pack (per se) that NetPro sells
that will re-focus and deepen the understanding, alerting and functionality
that MOM has on AD.

We are a MOM 2005 shop - and I like it fine for specific things.  However, I
don't think it has enough depth out of the box to do a great job with AD.
Plus, MOM out of the box is NOT a fast install / learn, either.  Plus, it's
highly suggested that you bone up on VBScript and T-SQL, plus Reporting
Services are paramount.

I'd still opt for NetPro for an AD solution - but it can be pricey.  You do
pay for what you get.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark
Sent: Sunday, June 05, 2005 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seeking AD monitoring software recomendations

What is the biggest difference between MOM 2005 and Netpro ?


- Original Message - 
From: "Mark Parris" <[EMAIL PROTECTED]>
To: 
Sent: Sunday, June 05, 2005 5:00 PM
Subject: Re: [ActiveDir] Seeking AD monitoring software recomendations


MOM 2005, and do you think you have enough DC's? ;-)

Mark
-Original Message-
From: "Mark" <[EMAIL PROTECTED]>
Date: Sun, 5 Jun 2005 16:46:44
To:
Subject: [ActiveDir] Seeking AD monitoring software recomendations

I work for a large enterprise company running w2k3 in 2003 mode with the 
expectation the main user domain will hold 150K users. Currently has about 
80 DCs.

We finally have funding to buy some AD specific monitoring tools.
- I am looking for an application(s) that will tell us when AD is not
  functioning as it should in a simple screen and email us.
- Would like to be able to bench mark systems.
- Will tell us when someone changed a piece of the infrastructure (Auditing)
- Would like to have the install done in about a week and be proficient in
  about a month.
I need a system I do not have to spend a lot of time with, and will tell me 
when something wrong/changed.

anyone have any good suggestions ?

Thanks, You guys are great!
M. Lunsford


RE: [ActiveDir] DNS Error

2005-06-05 Thread Rick Kingslan
I've seen exactly the same when an Infrastructure Master was missing.  Check
all FSMO owners to be sure that they really DO exist.  To do this, it's best
to run 

 

DCDIAG /v /test:KnowsOfRoleHolders

 

You will need to run this in each domain for the domain FSMO roles, but it
will query the domain controllers directly for who they know of and can they
be contacted ("have you heard from this DC lately").

 

This is superior to "NETDOM QUERY FSMO" which seems to just blindly return
the information without any verification.

 

Rick

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Sunday, June 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

 

When I had a similar error it was because the "domain naming master" was not
available (server had failed and been rebuilt but the FSMO role had not been
seized)

 

Steve

 

  _  

From: [EMAIL PROTECTED] on behalf of Za
Sent: Sat 04/06/2005 05:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Error

Good evening all. A W2K DC was upgraded to W3K and it is also a DNS server.
No problem at all with prepping and upgrading from W2K->W3K. I am getting
the error below every few minutes. Anyone have a solution?


 
Event Type: Error   
Event Source:   DNS 
Event Category: None 
Event ID:   4015   
Date:   5/15/2004 
Time:   8:49:51 AM 
User:   N/A   
Computer:   PC Name 
Description:  
The DNS server has encountered a critical error from the   
Active Directory. Check that the Active Directory is   
functioning properly. The extended error debug   
information (which may be empty) is "". The event data   
contains the error.   




RE: [ActiveDir] DNS Error

2005-06-05 Thread Rick Kingslan
Good point, David.  Thanks for enhancing the suggestion.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, June 05, 2005 7:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

The /e switch for dcdiag will run the test against every DC in the Forest.
Might be good to make sure every DC is seeing the same thing as all others. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Sunday, June 05, 2005 19:24
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS Error
> 
> I've seen exactly the same when an Infrastructure Master was 
> missing.  Check all FSMO owners to be sure that they really 
> DO exist.  To do this, it's best to run 
> 
>  
> 
> DCDIAG /v /test:KnowsOfRoleHolders
> 
>  
> 
> You will need to run this in each domain for the domain FSMO 
> roles, but it will query the domain controllers directly for 
> who they know of and can they be contacted ("have you heard 
> from this DC lately").
> 
>  
> 
> This is superior to "NETDOM QUERY FSMO" which seems to just 
> blindly return the information without any verification.
> 
>  
> 
> Rick
> 
> 
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Steve Rochford
> Sent: Sunday, June 05, 2005 4:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS Error
> 
>  
> 
> When I had a similar error it was because the "domain naming 
> master" was not available (server had failed and been rebuilt 
> but the FSMO role had not been seized)
> 
>  
> 
> Steve
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Za
> Sent: Sat 04/06/2005 05:13
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DNS Error
> 
> Good evening all. A W2K DC was upgraded to W3K and it is also 
> a DNS server.
> No problem at all with prepping and upgrading from W2K->W3K. 
> I am getting the error below every few minutes. Anyone have a 
> solution?
> 
> 
>  
> Event Type: Error   
> Event Source:   DNS 
> Event Category: None 
> Event ID:   4015   
> Date:   5/15/2004 
> Time:   8:49:51 AM 
> User:   N/A   
> Computer:   PC Name 
> Description:  
> The DNS server has encountered a critical error from the   
> Active Directory. Check that the Active Directory is   
> functioning properly. The extended error debug   
> information (which may be empty) is "". The event data   
> contains the error.   
> 
> 
> 


RE: [ActiveDir] LDAP SSL and Ipsec.

2005-06-06 Thread Rick Kingslan
There is no dependency between IPSec and the LDAP/S function.  That being
said, is there any reason that you NEED to disable IPSec?  I'd leave it
running - but that's just me.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 06, 2005 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP SSL and Ipsec.

Hello,

I am implementing LDAPs (SSL) on my Windows 2003 DC. Do I need to enable the
ipsec service for LDAPs to function? Is there any dependency between LDAPs and
Ipsec, or could I safely disable the Ipsec service?

Thank U.

Cheers,

Yann




RE: [ActiveDir] Alternate install Directory for W2K3 load

2005-06-06 Thread Rick Kingslan
No, sorry to say that there isn't.  The installer is designed to take this
type of input from an answer file, and stipulated by the /u:
parameter.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V
Contr NASIC/SCNA
Sent: Monday, June 06, 2005 7:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Alternate install Directory for W2K3 load

Ok, but I am trying to do it from an install that I am doing interactively.
Isn't there some kind of command line switch or something like that for
WINNT.EXE?  I looked through the switches again, but none of them say they
are to change the install directory.

Nate 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, June 06, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Alternate install Directory for W2K3 load

I believe you can do this using an answer /transform file for the unattended
install process. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V
Contr NASIC/SCNA
Sent: 06 June 2005 12:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Alternate install Directory for W2K3 load

Hey all,

I am trying to create an image for Windows 2003 member servers for our
domain and the SMS/Tivoli folks want to keep the default directory for the
OS load at C:\WINNT.  I have gone through the setup many times booting from
the CD and walking through the menus, but there is no option for where I
want to install the OS besides selecting the drive and partition.  It
defaults to C:\WINDOWS.  I can specify which directory I want if I am
upgrading from a previous OS in the GUI setup mode, but this is to be made
for a fresh install, not an upgrade.  Any ideas on how to load W2K3 into
c:\winnt from the start?  

Thanks,
Nate 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, June 05, 2005 10:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

Good point, David.  Thanks for enhancing the suggestion.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, June 05, 2005 7:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

The /e switch for dcdiag will run the test against every DC in the Forest.
Might be good to make sure every DC is seeing the same thing as all others. 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Sunday, June 05, 2005 19:24
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS Error
> 
> I've seen exactly the same when an Infrastructure Master was missing.

> Check all FSMO owners to be sure that they really DO exist.  To do 
> this, it's best to run
> 
>  
> 
> DCDIAG /v /test:KnowsOfRoleHolders
> 
>  
> 
> You will need to run this in each domain for the domain FSMO roles, 
> but it will query the domain controllers directly for who they know of

> and can they be contacted ("have you heard from this DC lately").
> 
>  
> 
> This is superior to "NETDOM QUERY FSMO" which seems to just blindly 
> return the information without any verification.
> 
>  
> 
> Rick
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
> Rochford
> Sent: Sunday, June 05, 2005 4:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS Error
> 
>  
> 
> When I had a similar error it was because the "domain naming master" 
> was not available (server had failed and been rebuilt but the FSMO 
> role had not been seized)
> 
>  
> 
> Steve
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Za
> Sent: Sat 04/06/2005 05:13
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DNS Error
> 
> Good evening all. A W2K DC was upgraded to W3K and it is also a DNS 
> server.
> No problem at all with prepping and upgrading from W2K->W3K. 
> I am getting the error below every few minutes. Anyone have a 
> solution?
> 
> 
>  
> Event Type: Error   
> Event Source:   DNS 
> Event Category: None 
> Event ID:   4015   
> Date:   5/15/2004 
> Time:   8:49:51 AM 
> User:   N/A   
> Computer:   PC Name 
> Description:  
> The DNS server has encountered a critical error from the   
> Active Directory. Check that the Active Directory is   
> functioning properly. The extended error debug   
> information (which may be empty) is "". The event data   
> contains the error.   
> 
&

RE: [ActiveDir] LDAP SSL and Ipsec.

2005-06-06 Thread Rick Kingslan
Trust me on this  You're going to WANT IPSec in the near future.  Check
out "Domain Isolation with IPSec" white papers on the Microsoft site.  I
don't have the links available at the moment.

This is important now, and will become even more important when and if you
decide that you have a need for Network Access Protection (NAP).

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 06, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP SSL and Ipsec.

Thanks for your input.

Yes, I'd like to disable services that do not need to run on a DC in order to
reduce open ports :-), and I do not need the Ipsec service for my DC, BUT only
LDAPs.

Regards,

Yann

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, June 6, 2005 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP SSL and Ipsec.

There is no dependency between IPSec and the LDAP/S function.  That being
said, is there any reason that you NEED to disable IPSec?  I'd leave it
running - but that's just me.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 06, 2005 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP SSL and Ipsec.

Hello,

I am implementing LDAPs (SSL) on my Windows 2003 DC. Do I need to enable the
ipsec service for LDAPs to function? Is there any dependency between LDAPs and
Ipsec, or could I safely disable the Ipsec service?

Thank U.

Cheers,

Yann




RE: [ActiveDir] DFS and Bandwidth

2005-06-06 Thread Rick Kingslan
Ravi,

Though your thought process is likely correct for your environment, I think
that the math is off just a magnitude:

55GB * 5% = 275MB

So, rather than being ~1MB per hour over a 24 hr. period, it's closer to
12MB per hour over the same 24 hr. period.

You know your infrastructure - the magnitude in difference might now be too
much.

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Monday, June 06, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DFS and Bandwidth

Thanks

This means DFS should work fine for me. I need not think much, as I have no
big requirements for shares on my network; the data is hardly 55GB, and an
assumption is that my shared data is updated by around 5% every day (approx
25mb).



On 6/7/05, Joe Pochedley <[EMAIL PROTECTED]> wrote:
> 50 shares means nothing...  How much data do you have to replicate and
> how much data do you expect to change for each replication cycle?  How
> many DFS partners and what size pipe(s) do you have between them?  What
> type of data do you wish to replicate and how often?
> 
> There's a big difference, say if you have 100GB and 50% changes on a
> daily basis or if you have 1,000GB where .1% changes on a daily basis.
> 
> 
> 
> Joe Pochedley
> A computer terminal is not some clunky old television
> with a typewriter in front of it. It is an interface
> where the mind and body can connect with the universe
> and move bits of it about. -Douglas Adams
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
> Sent: Monday, June 06, 2005 3:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DFS and Bandwidth
> 
> Hi All.
> 
> I have a question about DFS.
> 
> Will DFS use the maximum of my bandwidth? If so, then how can I take
> benefit of DFS without compromising bandwidth utilization? (Also, what can
> I do about DFS Replication for best network performance?)
> 
> I have over 50 shares. Kindly Suggest.
> 
> --
> Ravi Dogra
> 


-- 
Ravi Dogra
9899647200
This e-mail, together with any attachments, is confidential. It may be
read, copied and used only by the intended recipient. If you have
received it in error, please notify the sender immediately by e-mail
or telephone. Please then delete it from your computer without making
any copies or disclosing it to any other person.


RE: [ActiveDir] LDAP SSL and Ipsec.

2005-06-06 Thread Rick Kingslan
I see where you're coming from on all points here.  The IPSec isolation
stuff *IS* hard.  And, I really struggled with what to tell Yann on this
one.

OK, OK - I give.  I submit to the wisdom of the 'joe'.

;o>

Rick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 06, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP SSL and Ipsec.

I actually kind of agree with Yann on this one. 

If you aren't using a service, shut it off. This is good for security,
stability, and resource use. The future use of a service doesn't mean you
should leave it on unless you already have it planned and ready to implement
(i.e. if it were off, you would be in the process of turning it back on at
that point in time). Implementing any ipsec structure is not going to be an
"oh ok, just flip the switch"; it will be, or should be, a seriously
designed/planned project with a good implementation time line. If they
haven't started yet, it isn't going to be done in near future at least in my
definition of that time frame in terms of whether or not a service should be
on or off - if it will be months before I need a service, it is going to be
off. Anyway, it is pretty easy to turn this stuff back on again. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, June 06, 2005 12:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP SSL and Ipsec.

Trust me on this  You're going to WANT IPSec in the near future.  Check
out "Domain Isolation with IPSec" white papers on the Microsoft site.  I
don't have the links available at the moment.

This is important now, and will become even more important when and if you
decide that you have a need for Network Access Protection (NAP).

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 06, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP SSL and Ipsec.

Thanks for your input.

Yes, I'd like to disable services that do not need to run on a DC in order to
reduce open ports :-), and I do not need the Ipsec service for my DC, BUT only
LDAPs.

Regards,

Yann

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, June 6, 2005 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP SSL and Ipsec.

There is no dependency between IPSec and the LDAP/S function.  That being
said, is there any reason that you NEED to disable IPSec?  I'd leave it
running - but that's just me.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 06, 2005 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP SSL and Ipsec.

Hello,

I am implementing LDAPs (SSL) on my Windows 2003 DC. Do I need to enable the
ipsec service for LDAPs to function? Is there any dependency between LDAPs and
Ipsec, or could I safely disable the Ipsec service?

Thank U.

Cheers,

Yann




RE: [ActiveDir] Q about Site Link Bridging

2005-06-06 Thread Rick Kingslan
joe,

Toss a command line out there for this.  Some might be interested in how you
collected this - now that we know what flags we're looking for!

Thx!

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 06, 2005 11:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Q about Site Link Bridging

When you right click IP and select Properties and UNCHECK "Bridge all site
links", the attribute options gets bit 1 (value=2^1=2) set on the object
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,.

If you CHECK that checkbox, bit 1 gets cleared.

Basically Bit 1 is for bridge all site links. Default is cleared bit 1
meaning Bridge all. Set bit 1 means don't bridge. 


Bit 0 (2^0=1) is for Ignore schedules. Default is cleared bit 0 meaning
don't ignore. Set bit 0 to ignore.



Clearing checkbox
==

Updates between Tue Jun  7 00:45:00 2005 - Tue Jun  7 00:45:02 2005
Retrieving CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=joe,DC=com...OK...

UPDATE: CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=joe,DC=com

   UPD options: (0) -> (2)
   UPD uSNChanged: (2501219) -> (2501221)
   UPD whenChanged: (20050607044358.0Z) -> (20050607044501.0Z)

-



Setting checkbox


Searching for Updates: 2501222/2501222...OK...
Pushing DN () into list to retrieve
updates...
Retrieving 1 updated DN(s)...
-
Updates between Tue Jun  7 00:45:08 2005 - Tue Jun  7 00:45:09 2005
Retrieving CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=joe,DC=com...OK...

UPDATE: CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=joe,DC=com

   UPD options: (2) -> (0)
   UPD uSNChanged: (2501221) -> (2501222)
   UPD whenChanged: (20050607044501.0Z) -> (20050607044509.0Z)

-
Get highestCommittedUSN...OK...(2501222)...Sleeping 1..(Tue Jun  7 00:45:12
2005)..


   joe




Copyright 2005 joe :o)



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, June 07, 2005 12:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Q about Site Link Bridging

Hi guys,

When, in AD Sites and Services MMC Snapin, one unchecks the "bridge all site
links" checkbox, what gets updated in the directory?

From what I can tell, this is stored in the Options attribute of:
cn=NTDS Settings,cn=,cn=sites,cn=configuration,dc=
and we do an:  OR &H10 to disable automatic generation of
inter-site links. We'd need to do this for each site. Is this correct? Or is
there some global attribute that gets set instead that I'm missing in my
research?

TIA!

Cheers
Ken

--
IIS Stuff: www.adOpenStatic.com/cs/blogs/ken/ 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Alternate install Directory for W2K3 load

2005-06-07 Thread Rick Kingslan
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, June 05, 2005 10:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

Good point, David.  Thanks for enhancing the suggestion.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, June 05, 2005 7:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Error

The /e switch for dcdiag will run the test against every DC in the Forest.
Might be good to make sure every DC is seeing the same thing as all others. 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Sunday, June 05, 2005 19:24
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS Error
> 
> I've seen exactly the same when an Infrastructure Master was missing.
> Check all FSMO owners to be sure that they really DO exist.  To do
> this, it's best to run
> 
> DCDIAG /v /test:KnowsOfRoleHolders
> 
> You will need to run this in each domain for the domain FSMO roles,
> but it will query the domain controllers directly for who they know of
> and can they be contacted ("have you heard from this DC lately").
> 
> This is superior to "NETDOM QUERY FSMO" which seems to just blindly
> return the information without any verification.
> 
> Rick
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
> Rochford
> Sent: Sunday, June 05, 2005 4:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS Error
> 
>  
> 
> When I had a similar error it was because the "domain naming master" 
> was not available (server had failed and been rebuilt but the FSMO 
> role had not been seized)
> 
>  
> 
> Steve
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Za
> Sent: Sat 04/06/2005 05:13
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DNS Error
> 
> Good evening all. A W2K DC was upgraded to W3K and it is also a DNS 
> server.
> No problem at all with prepping and upgrading from W2K->W3K. 
> I am getting the error below every few minutes. Anyone have a 
> solution?
> 
> 
>  
> Event Type: Error   
> Event Source:   DNS 
> Event Category: None 
> Event ID:   4015   
> Date:   5/15/2004 
> Time:   8:49:51 AM 
> User:   N/A   
> Computer:   PC Name 
> Description:  
> The DNS server has encountered a critical error from the   
> Active Directory. Check that the Active Directory is   
> functioning properly. The extended error debug   
> information (which may be empty) is "". The event data   
> contains the error.   
> 
> 
> 
> 
> 


RE: [ActiveDir] Q about Site Link Bridging

2005-06-07 Thread Rick Kingslan
Sorry I wasn't more clear, joe.  Yep, I meant the tool.  I knew what you
were changing - that wasn't a real mystery.  But the tool that showed the
cause and effect is really quite cool.

Nice little bit of a 'before and after'.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 07, 2005 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Q about Site Link Bridging

Err for what in particular?

If you mean the little process below that watched the changes to the
directory and dumped them to the screen, that version of the tool I can't
share; I actually wrote that specific version on the corporate dime. It is a
nicely cleaned up version of something else I wrote to do this stuff
previously though. I will think about writing up another tool on my dime to
do it that can be publicly available. I won't release the original tool as
it is a train wreck for usability; I found myself looking at the source more
often than not trying to remember how to do things with it and I don't need
those email headache questions for a tool that isn't designed to be user
friendly. :o)

Overall though, it is extremely useful functionality and I have used that
functionality multiple times the last 5 years to find issues and bugs with
AD based programs. :o) Basically it simply implements
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/polli
ng_for_changes_using_usnchanged.asp

For those that work for the same company that I work for that are
interested, there will be a KB available shortly concerning this tool.


If you mean, how do you set that value from the command line, you can use
admod with a simple update command but the tricky part is the fact that it
isn't an absolute value, it is a bit flag and you should be aware of what is
already set before overwriting it. I have a change I am working on for a
future version of admod that will help with that, but it is a ways out
still.

  joe
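The polling pattern joe describes, as an added example that is not joe's tool and not Microsoft code: a constructed in-memory stand-in for a DC, a poller that remembers highestCommittedUSN and diffs each returned object against its own snapshot (the DC only ever returns current values), and a read-modify-write helper for the options bit flags so that the other bits survive the update. FakeDC, ChangePoller, set_option and the sample object are this example's own.

```python
"""Simulated uSNChanged change-poller with attribute-level diff.

Added example, not joe's tool. It models the MSDN "polling for changes
using usnChanged" pattern: remember the DC's highestCommittedUSN, ask for
objects whose uSNChanged is above the last value seen, and diff them
against a locally kept snapshot. Output lines copy the style of the tool
output quoted in the thread. The "DC" is a constructed in-memory object.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Bits of the options attribute on CN=IP,CN=Inter-Site Transports,
# as described in the thread (set bit 1 = do NOT bridge all site links).
IGNORE_SCHEDULES = 1 << 0
BRIDGE_ALL_SITE_LINKS_OFF = 1 << 1
OPTION_NAMES = {IGNORE_SCHEDULES: "IGNORE_SCHEDULES",
                BRIDGE_ALL_SITE_LINKS_OFF: "BRIDGE_ALL_SITE_LINKS_OFF"}


def decode_options(value: int) -> list[str]:
    """Name every bit set in an options value; unknown bits are listed raw."""
    return [OPTION_NAMES.get(1 << b, f"bit{b}")
            for b in range(value.bit_length()) if value & (1 << b)]


def set_option(current: int, mask: int, enable: bool) -> int:
    """Read-modify-write of one flag so no other bit is clobbered."""
    return current | mask if enable else current & ~mask


@dataclass
class FakeDC:
    """Constructed stand-in for a DC: objects by DN, plus the USN counter."""
    objects: dict[str, dict] = field(default_factory=dict)
    highest_committed_usn: int = 0

    def modify(self, dn: str, attr: str, value) -> None:
        """Apply a write and stamp uSNChanged like an originating write does."""
        self.highest_committed_usn += 1
        self.objects[dn][attr] = value
        self.objects[dn]["uSNChanged"] = self.highest_committed_usn

    def search_changed_since(self, usn: int) -> dict[str, dict]:
        """Equivalent of the filter (uSNChanged>=usn+1): current values only."""
        return {dn: dict(o) for dn, o in self.objects.items()
                if o["uSNChanged"] > usn}


class ChangePoller:
    """Keeps the last-seen USN and a snapshot so each poll can show before/after."""

    def __init__(self, dc: FakeDC):
        self.dc = dc
        self.last_usn = dc.highest_committed_usn
        self.snapshot = dc.search_changed_since(-1)  # baseline: every object

    def poll(self) -> list[tuple[str, str, object, object]]:
        """Return (dn, attribute, old, new) for every attribute that changed."""
        updates = []
        for dn, new in self.dc.search_changed_since(self.last_usn).items():
            old = self.snapshot.get(dn, {})
            for attr in sorted(set(old) | set(new)):
                if old.get(attr) != new.get(attr):
                    updates.append((dn, attr, old.get(attr), new.get(attr)))
            self.snapshot[dn] = new
        self.last_usn = self.dc.highest_committed_usn
        return updates


def format_update(dn: str, attr: str, old, new) -> str:
    """Render one change in the '   UPD attr: (old) -> (new)' style of the thread."""
    return f"   UPD {attr}: ({old}) -> ({new})"


if __name__ == "__main__":
    # Constructed sample: the IP transport object before the checkbox is touched.
    ip_dn = "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=joe,DC=com"
    dc = FakeDC({ip_dn: {"options": 0, "uSNChanged": 2501219}}, 2501219)
    poller = ChangePoller(dc)
    # Unchecking "Bridge all site links" sets bit 1 without touching bit 0.
    current = dc.objects[ip_dn]["options"]
    dc.modify(ip_dn, "options", set_option(current, BRIDGE_ALL_SITE_LINKS_OFF, True))
    for dn, attr, old, new in poller.poll():
        print(f"UPDATE: {dn}\n{format_update(dn, attr, old, new)}")
    print("options now means:", decode_options(dc.objects[ip_dn]["options"]))
```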


 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, June 07, 2005 2:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Q about Site Link Bridging

joe,

Toss a command line out there for this.  Some might be interested in how you
collected this - now that we know what flags we're looking for!

Thx!

Rick


RE: [ActiveDir] Event viewer Log files

2005-06-07 Thread Rick Kingslan
My first guess is that all auditing is shut off.  Something has to be turned
on to audit - otherwise nothing will be posted to the Sec Log.

If this is on the DCs, check the Default Domain Controller Policy.  If this
is Member Servers, look Default Domain Policy, OU GPO where Member exists,
or the local Security settings for the server itself.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 07, 2005 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event viewer Log files

I'm missing security logs for the past year.  Can anyone tell me why the
event viewer would stop creating security log files?

Antonio



RE: [ActiveDir] Q about Site Link Bridging

2005-06-07 Thread Rick Kingslan
So... The real question is when are you going to have the
functionality available as a joeware tool?

Remember - I've offered money before for your utils - offer still stands
[1].  But, I'm not quite equipped to be the sole benefactor of your first
7-digit accumulation, old buddy.  ;o)

Rick

[1] In other words - Get Crackin'!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 07, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Q about Site Link Bridging

Yep, I like it myself. Started writing the first version of it about 2
weeks after I loaded my first domain controller back in like 1999/2000. I
got sick of doing windiff of two manual dumps right quick. 

 


RE: [ActiveDir] Longhorn Beta

2005-06-08 Thread Rick Kingslan
Thanks, Mark.  I, too, would believe that AD will be in the initial betas,
but that all remains to be seen.

Glad to see that things are moving along with the next iteration.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 08, 2005 2:32 PM
To: ActiveDir.org
Subject: [ActiveDir] Longhorn Beta

Not sure if this is common knowledge but in a session on NAP at TechED they
just stated that there will be  Longhorn Server beta's available as of next
month (July). 

I assume AD will be part of the base beta.

Regards

Mark


RE: [ActiveDir] Active directory migration and security standards issues

2005-06-08 Thread Rick Kingslan
When you say 'Disk Encryption', are you referring to EFS (Encrypted file
system)?

If so - which disk is encrypted, and is your account a recovery agent?
Finally, which OS?

Honestly - I don't know of anything that would prevent a system configured
with the basic information that you provide (EFS or not) that would allow you
to join a domain, but not allow you to see a Realm.  However, I am making a
huge leap that you are, in fact JOINing a W2k or W2k3 domain.  Is this a bad
assumption?

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Lee
Sent: Wednesday, June 08, 2005 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active directory migration and security standards issues

I have several laptops that are encrypted per the new campus security
standards in my shop that are being used as desktop computers.  I am now
trying to bring them into our AD domain.  When joining the domain all
seems fine, reboot, then notice that the domain list does not include Berkeley.edu
(Kerberos REALM).  How does disk encryption affect Kerberos
authentication?  So far, this has happened only on machines that are
encrypted.  

Any ideas?

David D. Lee
Computer Resource Specialist II
Office of Undergraduate Admissions
[EMAIL PROTECTED]
2-6417

RE: [ActiveDir] Renaming user and group object CNs

2005-06-08 Thread Rick Kingslan
As Phil states, this can be done.  However, some of these characters are in
there for good reason (such as the '/' as an escape character for the ',')
and I would seriously suggest setting up a complete test environment to test
out your proposed changes before you run a script against your production
AD.

Even then, I'd take a system state backup before you run the script so that
you can restore in the event of 'bad things'.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, June 08, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Renaming user and group object CNs

You can script this using a tool like dsmod if you can come up with a
list of the CNs that you want to change to. There are other scripting
options too, and if you want to change the CN to something like
Lastname, Firstname you could even use ADModify.

Phil

On 6/8/05, Frost, David: #CIO-BPI <[EMAIL PROTECTED]> wrote:
> I have been researching the implication of modifying object CNs for users
> and groups in order to provide a) a more consistent cn format for objects
> in our directory, b) remove "special" characters such as /, #, and : that
> make dealing with objects via scripting difficult.
> 
> Courtesy of the Active Directory Connector for Exchange, our AD user and
> Group Objects have CN attributes that are copies of the Exchange 5.5
> directory Display Name attribute.  Our initial testing did not seem to
> indicate that this would be a problem, but very shortly after we started
> to migrate users in production we noticed some issues and modified the ADC
> to stop this behaviour.  Problem was that all the distribution groups had
> already been migrated along with 200-300 user objects (hence the cn= ex5.5
> display name).
> 
> Now that migration of users and groups from NT4 and Ex5.5 is complete (and
> has been for a number of months) the full impact (annoyance) of having
> these / , :, and # in the CN is becoming visible. Command line tools such
> as dsquery etc, LDIFDE, CSVDE etc hiccup and generally add a number of
> flaming hoops to jump through to the point that I would like to rename the
> CNs on these objects (users and Universal distribution groups).
> 
> Is this possible to do on a large scale (200-300 users and 2700 + groups)?
> If so how, what are the gotchas etc
> 
> Thanks in advance.


RE: [ActiveDir] Security permissions on user object

2005-06-08 Thread Rick Kingslan
In fact, yes it will, Russ.

Looking back at the thread, I don't see any discussion about HOW these users
came to have the admincount attribute set to 1.  Do you have a root cause?

The reason that I ask is because I've dealt with this before when someone
(who I never caught) added a group to a Protected group.  This effectively
set the admincount attribute on about 200 techs, and it took a while to
clean up and straighten out.  If you don't know why it happened, you might
be reliving this pretty soon.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 9:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object


Can I just use ADSIEDIT and go to individual users and set the admincount to
0?  Will that stick?  If that works, I could write a winbatch that will
prompt for a username, and set their admincount to 0 automatically.

From: Robert Williams (RRE) [mailto:[EMAIL PROTECTED]
Sent: Wed 6/8/2005 8:34 PM
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Well...I guess you can reset it for all of them and count on the
AdminSDHolder thread to reset them to 1 in about an hour or so...other than
that, the logic needed in a script to differentiate between users who are /
are not currently in one of the 'protected groups' would be astounding.  You
shouldn't have a problem trusting the fact that it will happen to the
accounts still in the "protected groups" since that's what got you there in
the first place :-)

Hopefully that was helpful...have a great night!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 08, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

OK looks like y'all are on the right track.  I found the script in the KB
article to reset all the admincounts to 0, but that sounds scary.  Can't I
selectively set admincounts to 0 on a user-by-user basis somehow?  Or is it
safe to reset all users' admincounts to 0?  I see "Administrator" in there,
so that vbscript in
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares me.

From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Sent: Wed 6/8/2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Also keep in mind that if you were ever a member of one of these 'protected
groups' that your inheritance will not be "turned on" again, nor will the
admincount attribute be reset to 0...so you can change those back when you
know the user isn't a member of one of the 'protected groups' (changing
those values before ensuring this will result in the values being reset...as
you are well aware by this point).  AdminCount is just a 'book keeping'
method to know that the ACL has been stamped by AdminSDHolder.

I hope that helps.

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 08, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

It sounds like it's the adminSDHolder behavior that's getting you. Are the
users members of any of the other protected groups? It varies across
versions, IIRC 2003 added more groups. The articles below should help point
in the right direction.

http://support.microsoft.com/default.aspx?scid=kb;en-us;318180
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security permissions on user object

We migrated all our users from an NT4 domain to our AD domain.  Anyone who
was in "Domain Admins" on our NT4 domain got migrated into "Domain Admins"
on our AD domain.  We took them out of Domain Admins on our AD domain, but
their accounts are inheriting the permissions like a normal user inherits.

Whenever someone who is NOT a domain admin tries to reset a password or
modify any properties of these migrated "Domain Admins" who are no longer
Domain Admins, they are denied access.

If I open up one of these users, they are not inheriting the permissions on
their user object like every other normal user does.  If I open their
account and go to the object security the "Inherit from

RE: [ActiveDir] Server Image Pushing Using Ghost Cast Server and DHCP

2005-06-08 Thread Rick Kingslan
The type of server is going to be of great importance.  If you are planning
to do this with a Domain Controller - just don't.  It's not worth the
trouble, and is technically not a sound practice.

If you are talking about a member server, are you thinking of imaging just
the base build and then applying a restore over that for the data?

As to some of the specifics you ask for Ghost  I dunno.  I don't use it,
so I can't answer the questions about DHCP for Ghost, or a 'cast server'.
Maybe others can help on some of the other specifics.

However, I think there is more info needed on what TYPE of systems and types
of images you want to capture, etc.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Wednesday, June 08, 2005 7:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server Image Pushing Using Ghost Cast Server and DHCP

Hi All,

I have a question: can I have a ghost image for my server and, in a
situation of server crash, rebuild it using the ghost image?

But this all is to be done remotely, so I don't have any physical
access to the server. Can I have another server configured as DHCP so
that I can run this image through PXE boot, and then somehow
run Ghost Cast Server to push the image to this machine?

I am a little confused. But I am sure if it works then recovering a
server will be a less time consuming job for me.

I have this as a backup option which i have to plan for our new site.

--
DR


RE: [ActiveDir] Security permissions on user object

2005-06-09 Thread Rick Kingslan
What group(s) is that principal currently a member of?  I suspect it's still
a member of a protected group.

Rick
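An added example, not part of the thread and not the KB scripts, of the nested-membership check Robert says a script would need: it walks a constructed memberOf graph and reports which adminCount=1 accounts are still (directly or through nesting) in a protected group, so only the truly orphaned ones get reset. PROTECTED_GROUPS is a sample subset, and the names russ, alice, bob, Helpdesk and the DNs are constructed.

```python
"""Separate orphaned adminCount=1 accounts from still-protected ones.

Added example, not from the thread. AdminSDHolder re-stamps protected
accounts (adminCount=1, inheritance off) about once an hour, and nested
membership counts, so a reset on an account still in a protected group is
undone an hour later. This walks a constructed memberOf graph and keeps
the nesting path that makes each account protected, which is exactly the
root-cause information Rick asks for.
"""
from __future__ import annotations
from collections import deque

# Sample subset only: the real list depends on the Windows version
# (see the KB articles cited in the thread).
PROTECTED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                    "Account Operators", "Server Operators"}

# Constructed sample directory: principal -> groups it is a direct member of.
# "Helpdesk" nested into "Account Operators" is the mistake Rick describes.
MEMBER_OF = {
    "russ": ["Helpdesk"],
    "Helpdesk": ["Account Operators"],
    "alice": ["Domain Admins"],
    "bob": ["Staff"],
    "Staff": ["Staff Archive"],
    "Staff Archive": ["Staff"],          # circular nesting, must not loop
}
ACCOUNTS = {
    "russ": {"adminCount": 1},
    "alice": {"adminCount": 1},
    "bob": {"adminCount": 1},            # left over from old membership
    "carol": {"adminCount": 0},
}


def transitive_member_of(principal: str,
                         member_of: dict[str, list[str]]) -> dict[str, list[str]]:
    """Breadth-first walk of memberOf: group -> path of groups leading to it.

    The reached-set doubles as cycle protection for circular group nesting.
    """
    reached: dict[str, list[str]] = {}
    queue = deque([(principal, [])])
    while queue:
        current, path = queue.popleft()
        for group in member_of.get(current, ()):
            if group not in reached:
                reached[group] = path + [group]
                queue.append((group, path + [group]))
    return reached


def classify_admincount(accounts: dict[str, dict],
                        member_of: dict[str, list[str]],
                        protected: set[str] = PROTECTED_GROUPS):
    """Return (still_protected, safe_to_reset) for adminCount=1 accounts.

    still_protected maps account -> {protected group: nesting path};
    safe_to_reset lists accounts with no direct or nested protected membership.
    """
    still_protected: dict[str, dict[str, list[str]]] = {}
    safe_to_reset: list[str] = []
    for name, attrs in accounts.items():
        if attrs.get("adminCount") != 1:
            continue
        groups = transitive_member_of(name, member_of)
        hits = {g: path for g, path in groups.items() if g in protected}
        if hits:
            still_protected[name] = hits
        else:
            safe_to_reset.append(name)
    return still_protected, sorted(safe_to_reset)


def ldif_reset_admincount(account_dn: str) -> str:
    """LDIF modify that sets adminCount back to 0 for one orphaned account.

    Re-enabling ACL inheritance on the object is a separate step, as Robert
    notes; this only clears the bookkeeping attribute.
    """
    return (f"dn: {account_dn}\nchangetype: modify\n"
            f"replace: adminCount\nadminCount: 0\n-\n")


if __name__ == "__main__":
    protected, safe = classify_admincount(ACCOUNTS, MEMBER_OF)
    for name, hits in protected.items():
        for group, path in hits.items():
            print(f"{name}: still protected via {' -> '.join(path)}")
    for name in safe:
        print(ldif_reset_admincount(f"CN={name},OU=Users,DC=example,DC=com"))
```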

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, June 09, 2005 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object


OK this is odd, I changed admincount to 0 and an hour later it was
changed back to 1.  How frustrating.  What gives?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 08, 2005 10:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

In fact, yes it will, Russ.

Looking back at the thread, I don't see any discussion about HOW these
users came to have the admincount attribute set to 1.  Do you have a
root cause?

The reason that I ask is because I've dealt with this before when
someone (who I never caught) added a group to a Protected group.  This
effectively set the admincount attribute on about 200 techs, and it took
a while to clean up and straighten out.  If you don't know why it
happened, you might be reliving this pretty soon.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 9:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object


Can I just use ADSIEDIT and go to individual users and set the
admincount to 0?  Will that stick?  If that works, I could write a
winbatch that will prompt for a username, and set their admincount to 0
automatically.



From: Robert Williams (RRE) [mailto:[EMAIL PROTECTED]
Sent: Wed 6/8/2005 8:34 PM
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object



Well...I guess you can reset it for all of them and count on the
AdminSDHolder thread to reset them to 1 in about an hour or so...other
than that, the logic needed in a script to differentiate between users
who are / are not currently in one of the 'protected groups' would be
astounding.  You shouldn't have a problem trusting the fact that it will
happen to the accounts still in the "protected groups" since that's what
got you there in the first place :-)




Hopefully that was helpful...have a great night!




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]

Sent: Wednesday, June 08, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




OK looks like ya'll are on the right track.  I found the script in the
KB article to reset all the admincounts to 0, but that sounds scary.
Can't I selectively set admincounts to 0 on a user-by-user basis
somehow?  Or is it safe to reset all users' admincounts to 0?  I see
"Administrator" in there, so that vbscript in
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares
me.






From: [EMAIL PROTECTED] on behalf of Robert Williams
(RRE)
Sent: Wed 6/8/2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Also keep in mind that if you were ever a member of one of these
'protected groups' that your inheritance will not be "turned on" again,
nor will the admincount attribute be reset to 0... so you can change
those back when you know the user isn't a member of one of the
'protected groups' (changing those values before ensuring this will
result in the values being reset...as you are well aware by this point).
AdminCount is just a 'book keeping' method to know that the ACL has been
stamped by AdminSDHolder.




I hope that helps.




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 08, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




It sounds like it's the adminSDHolder behavior that's getting you. Are
the users members of any of the other protected groups? It varies across
versions, IIRC 2003 added more groups. The articles below should help
point in the right direction.




http://support.microsoft.com/default.aspx?scid=kb;en-us;318180

http://support.microsoft.com/default.aspx?scid=kb;en-us;817433






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] O

RE: [ActiveDir] Exchange Mailbox Limits

2005-06-09 Thread Rick Kingslan
Outlook .pst files have a problem with corruption at >2GB.  Mailbox size -
how big is the store? :0)

We had one lady who saved every report, every e-mail, I mean EVERYTHING,
since the day she started.  Her e-mail box on the Exchange server was (might
still be - not my problem anymore) approx. 30GB.  THAT was impressive!

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
Sent: Thursday, June 09, 2005 10:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits

Really? I read somewhere that there is a 1.5 gig limit on mailbox size and
after that it can be corrupted with support from MS. Has anyone heard this?

David A. Marquis
Computer Systems Administrator
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, June 09, 2005 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits

Hi Joe, 

What version of Exchange are you using, is it 2003? One of my user group
members just mentioned that he was limited to 2GB, however he had enforced
"prohibit send and receive" and tried setting the limit to 2.5GB when he
received the error I have attached.

Sincerely, 

Jose Medeiros
Former Vice President and Postmaster NTEA
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Joe Pochedley
Sent: Thursday, June 09, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits


Yes it is... I have one user with a 13Gb mailbox.  (Yes, that's gigabytes.) 


Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Thursday, June 09, 2005 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits

In my current position they were in the process of migrating from Exchange
5.5 to 2000 and had to turn off the limitation policy for the migration (I
cannot remember why).  I have users with 800 - 1000 MB mailboxes.  My
information stores are growing somewhat out of control.  We are turning back
on our email deletion policy and are going to enforce 500MB limitations for
most users and probably 750MB for our "commanders".  It is amazing what
users will do when given the space.

Jeremy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, June 09, 2005 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits

Dèjì,

I'd tend to agree with you there...  25Mb is nothing when you can go out and
get a free email account with a gig of space from many providers.  I do
believe I'd be drawn and quartered if I recommended a 25mb, or even a 250 mb
limit here...

That being said, every organization is different.  If they have a business
justification for such a small mailbox size that's up to them...  Hopefully
when being so restrictive, they're properly controlling the usage of PST's
(for various reasons) and controlling business use of external email
accounts (in part to control garbage, and in part to comply with any
retention regulations as applicable).


Joe Pochedley
A computer terminal is not some clunky old television with a typewriter in
front of it. It is an interface where the mind and body can connect with the
universe and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 09, 2005 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits

This is NOT personal, but let me say that your limits are overly restrictive
and counter-productive as far as fostering good relationship with your
end-users is concerned. In this day and age (html email and all), 25MB is
nothing, especially when you consider the fact that hard drive costs are
exponentially less than what they used to be 2-3 years ago.
 
That is all my opinion and, again, it's not meant to knock you in a personal
way.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Robin Smith
Sent: Thu 6/9/2005 5:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits


I'd be interested to hear what others have to say, too.  We are stingy with
our mailbox limits because the more we give o

RE: [ActiveDir] Exchange Mailbox Limits

2005-06-09 Thread Rick Kingslan
ROTLMAO!  I share your pain, Brian.

Yeah  Gotta love those 'Send to ALL' DLs - and the obvious misuse of
same.

"Black bronco in the north parking lot, second level - your lights are on"

Ummm, which city/site?  I only have 50 of them.  And, I'm guessing the
sender knows where he/she is.  So, why send to the ENTIRE COMPANY?  I could
almost understand using the ALL DL for that site.

And (I'm really kinda heartless, so excuse this, please) people who leave
their lights on need to be reminded that it's their problem - so who cares?

OK - apparently I'm cranky at 1AM  :oD

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, June 09, 2005 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits

And then I have this problem. We have CO All (2500 mailboxes) and CPS ALL
(60K mailboxes). Today the dumbasses with access to these DLs sent:

1x5K - CPS ALL
1x15K - CO ALL
1x270K - CO ALL (two fricken attachments)
1x9K - CO ALL


Now times all that out assuming SIS works perfectly by oh I think 260ish
mailstores.

Our quotas for teachers (like 50K of them): 60/70/80 and central office
employees - 250/400/450.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 09, 2005 11:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits

LOL, a major customer you and I have both worked with currently has mailbox
limits of 20MB for most of their 200k or so mailboxes and as a whole, it
works fine. I think execs get 50-80MB. I had heard a few people complain
that some HTML messages are several MB so it doesn't take but an hour or so
for 20MB to get filled up. The response from the folks doing the mailbox
quota support was... Stop using HTML for messages. Unless you knew someone
who could yell at someone, chances are slim you will get an increase from
20MB. Once Exchange quotas got stored in my AD my quota mysteriously went to
80MB, we could never figure out what the misfire was in the system... I told
them I would look into it and get back to them. 

Seriously though, if you think about it, 20MB for 200K users is a lot of
space, no matter how cheap the disk and you have to consider deleted items
retention and backup space to go back say 30,60,90 or even more days on top
of all of that. 

You can go quite a ways with 20MB of plain text messages. You don't really
often need graphics and pretty fonts to communicate with folks. I can see
companies making judgements along those lines. Especially as more and more
reports come out about how email and instant messaging is probably starting
to hurt productivity more than help. I have heard of a couple of companies
backing away from the email world and seeing tremendous productivity gains
and better customer service.

   joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 09, 2005 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits

This is NOT personal, but let me say that your limits are overly restrictive
and counter-productive as far as fostering good relationship with your
end-users is concerned. In this day and age (html email and all), 25MB is
nothing, especially when you consider the fact that hard drive costs are
exponentially less than what they used to be 2-3 years ago.
 
That is all my opinion and, again, it's not meant to knock you in a personal
way.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Robin Smith
Sent: Thu 6/9/2005 5:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange Mailbox Limits


I'd be interested to hear what others have to say, too.  We are stingy with
our mailbox limits because the more we give our users the more they abuse
it.
We limit most 'regular' users to 8MB with a warning at 7MB. When they reach
8MB they can't send. If a regular user's mailbox gets to 15MB then we
disable it. This forces the user to do something - either call the Help Desk
or clean out their mail. Directors and chiefs and commissioners and such are
generally given much higher limits. We start at 25MB and then increase by
10MB if necessary. We do have a handful of users who have no limits
whatsoever and their mailboxes are out of control. We are in the process of
migrating to
Exchange2003 and implementing mailbox manager.
 
Robin
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mischler Timothy J
Contractor NASIC/SCNA
Sent: Thursday, June 09, 2005 7:55 AM
To: ActiveDir@mail

RE: [ActiveDir] mstsc /console switch for non admins

2005-06-10 Thread Rick Kingslan

joe,

Yeah, you had to know it was coming – Rick’s $.02 worth.

Remember what we both were relieved of our positions for?  Oh, that’s right –
I didn’t tell you about me!  Suffice it to say I took one for my team because
upper management was trying to get things done that were wrong, technically,
tactically and strategically.  They, in fact, are on the verge of violating,
IMHO, Sox 40x controls.  I complained, I argued, I provided information that
they were on the precipice of something really bad.  Apparently, I finally hit
a nerve and my rubbing of folks the wrong way (from their viewpoint) caused my
layoff via ‘Elimination of my position’.

Whatever.  I got fired for saying what I believed was right.  You and I see
eye to eye as it is with DC permissions and access controls.  You and I see
eye to eye on security as a whole.

However, our view is not really a well accepted PRACTICE in Corporate
environments.  Our beliefs are actually radical when compared to the norm in
practice.

Does this mean that we’re wrong?  No.  It DOES mean that our Secure Conscious
viewpoint can still get one fired.  It’s not a popular stance to say “Of my 10
Systems Admins, only these two can log on to a DC.”  The common rebut is
“Everyone needs to be able to do these functions when on call” or “when the
help desk calls, we need everyone capable of dealing with the problem at
hand”.

I still believe that we are correct, but – most folks don’t live in “Rick and
joe-land”.  They live in the screwed up Corporate world where the only endgame
is money, and the generation of it [1].  With IT being a cost center, and
Security viewed as an even bigger inhibitor to Production, most companies need
to have a *Serious* computer security event to be convinced that they have
their priorities in the wrong places.

Money generated doesn’t matter if you can’t guarantee that you can SECURE your
customer’s money / data / private information.

Rick

[1] Case in point.  One of the guys that I used to work with was told that one
thing management was really pissed about was the time it would take me to lock
down a server.  For estimation purposes, I told folks to plan for (and
published a timeline for planning purposes) 2 days for initial lockdown, 2
days for final lockdown and application of IPSec filters, and 3 days for
InfoSec to certify the system (The time for InfoSec is THEIR guideline from
their VP – not my timeline at all).  Typically, I would have a server back to
the application team the same day to apply their apps, and would take one day
to do the final lockdown, apply IPSec, and scan it before sending to InfoSec
(yeah, I’m kind of funny that way – I like to KNOW what the scan looks like
before I send it for certification).  Typically, it would take the application
folks (who were the ones that complained about the time *I* took) about 2 – 3
weeks to get their applications on to the box.

Now for the funny part.  No one else has a clue how to do what I was doing.
Nada – nothing.  Nobody wanted to learn the boring, mundane, and highly
visible process of hardening servers for the perimeter and DMZ.  So, other
Supervisor gets this server that needs to be hardened.  He assigns it to my
friend and tells him, “I don’t care if you know how to do it or not – just do
it.”  He then proceeds to instruct him to just tell InfoSec you have a server
to scan.  When you get the vulnerability report back, just fix what shows up
as problems and send it back over to them for certification again.  “And, I
need it by Friday, end of business…”  How long did this ‘abbreviated, BS,
crap, end run, corner cutting hardening method for losers’ attempt take?

Three days.

Yeah.  They shaved a whole bunch of time off of my usual time to delivery.

R

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 10, 2005 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mstsc /console switch for non admins

I received some offline questions on this that can be collected into three
main questions

1. What are the things these non-admin but natively enhanced users do to
compromise the DC or enhance their permissions?

2. What would you do in this situation?

3. SBS seems to contradict everything you say, MS obviously doesn't have an
issue with these things all being together.

The first I will not respond to in any real detail. I do not want a response
from me becoming the guidebook for evil people on how to escalate privs on a
DC and compromise a forest, I am not thinking any customers I help would be
appreciative of that because there really is no feasible way of locking this
stuff down. Suffice to say that someone in that position can run anything they
want to on the DC and can easily get a security context over and above what
they should have. If you want the simplest stupid thing that could be done is
they could put a trojan on the box that some silly domain admin runs. Alternative

RE: [ActiveDir] troubleshooting object permission inheritance

2005-06-11 Thread Rick Kingslan
Funny  I asked that about, oh, 4 days ago.  I didn't get an answer.
Maybe you carry enough weight, Jorge!  ;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Friday, June 10, 2005 3:38 PM
To: 'John Singler '; '[EMAIL PROTECTED] ';
''ActiveDir@mail.activedir.org ' '
Subject: RE: [ActiveDir] troubleshooting object permission inheritance

John,

OK, the users you are talking about are non-default-admin-users and are not
members of protected groups and never have been.

Maybe a strange question.. which groups is the domain users group a member
of?

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: 'ActiveDir@mail.activedir.org '
Sent: 6/10/2005 10:10 PM
Subject: Re: [ActiveDir] troubleshooting object permission inheritance

Jorge --

I was following those threads which unfortunately did not clue me in. 
The users that have AdminCount=1 but shouldn't have never been in a 
protected group nor are they in a non protected group that is nested in 
protected group.

I have even gone so far as to remove all group memberships (besides 
Domain Users) for a particular user, force replication, admod the 
attribute to 0 and still it resets to 1 after an hour.

Thanks for the reply - i'd appreciate any more feedback you may have.

john

Jorge de Almeida Pinto wrote:
> Hi,
> 
> This was a thread that was discussed a few days ago. See the following
post
> from Joe where he explains some things in addition to my own post.
> http://www.mail-archive.com/activedir@mail.activedir.org/msg29621.html
> 
> HINTS:
> * nested groups -> is that user a member of a
non-default-protected-group
> and where that non-default-protected-group IS a member of a protected
group.
> * were those users somehow members of protected groups in the past? If
they
> were and now are not the admincount will not be reset to 0
> 
> Is this an answer to your issue?
> 
> #JORGE#
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Sent: 6/10/2005 8:35 PM
> Subject: [ActiveDir] troubleshooting object permission inheritance
> 
> Greetings --
> 
> Using adfind to identify users who have the AdminCount attribute set
to
> 1.
> 
> Looking at the output there are users who are expected to have that
set 
> seeing that they are Domain Admins BUT i also see a handful of users
who
> 
> are not members of a protected group.
> 
> Using admod to set AdminCount=0 for those users temporarily sets it 
> until the PDC mechanism runs which compares the ACLs and resets it.
> 
> If the user isn't in a protected group then what is causing this 
> behavior?  And i guess once i know that i can set AdminCount=0 for
them,
> 
> permanently?
> 
> tia,
> 
> john
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 
> This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
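The question John and Jorge are working through above (which adminCount=1 accounts are still protected-group members, directly or through a nested group, and which are stale leftovers from a past membership) can be settled offline against the output of the adfind/admod queries mentioned in the thread. The script below is an added example; it is not code from the thread, from KB 817433 or from adfind. The group listing and the adminCount=1 result set it works on are constructed, the domain name is a placeholder, and the protected groups are a representative Windows Server 2003 set matched by name, whereas AdminSDHolder actually keys on the groups' well-known SIDs (consult KB 817433 for the authoritative list for your version).

```python
"""Classify accounts with adminCount=1 by (possibly nested) protected-group
membership. Added example; the directory data below is constructed and stands
in for two LDAP queries: one for "(adminCount=1)" and one dumping each group's
"member" attribute."""
from collections import deque

# Representative protected groups on Windows Server 2003 (see KB 817433 for
# the version-specific list). Matching by CN is a simplification; AdminSDHolder
# really identifies these groups by their well-known SIDs.
PROTECTED_GROUP_NAMES = {
    "Administrators", "Account Operators", "Server Operators",
    "Print Operators", "Backup Operators", "Domain Admins",
    "Schema Admins", "Enterprise Admins", "Cert Publishers",
}

DOM = "DC=example,DC=com"  # constructed placeholder domain

# Constructed sample: group DN -> member DNs (users and nested groups).
GROUP_MEMBERS = {
    f"CN=Domain Admins,CN=Users,{DOM}": {
        f"CN=alice,OU=Staff,{DOM}",
        f"CN=OpsTeam,OU=Groups,{DOM}",            # nested, non-default group
    },
    f"CN=OpsTeam,OU=Groups,{DOM}": {f"CN=bob,OU=Staff,{DOM}"},
    f"CN=Backup Operators,CN=Builtin,{DOM}": {f"CN=HelpdeskL2,OU=Groups,{DOM}"},
    f"CN=HelpdeskL2,OU=Groups,{DOM}": {
        f"CN=carol,OU=Staff,{DOM}",
        f"CN=HelpdeskL1,OU=Groups,{DOM}",
    },
    # HelpdeskL1 nests back into HelpdeskL2: a membership cycle the walk must survive
    f"CN=HelpdeskL1,OU=Groups,{DOM}": {f"CN=HelpdeskL2,OU=Groups,{DOM}"},
    # Builtin\Users contains Domain Users; neither is a protected group
    f"CN=Users,CN=Builtin,{DOM}": {f"CN=Domain Users,CN=Users,{DOM}"},
    f"CN=Domain Users,CN=Users,{DOM}": {
        f"CN=alice,OU=Staff,{DOM}", f"CN=bob,OU=Staff,{DOM}",
        f"CN=carol,OU=Staff,{DOM}", f"CN=dave,OU=Staff,{DOM}",
    },
}

# Constructed result of a query for (adminCount=1). dave was removed from a
# protected group long ago; the stamp stays because nothing clears it.
ADMIN_COUNT_ONE = [
    f"CN=alice,OU=Staff,{DOM}", f"CN=bob,OU=Staff,{DOM}",
    f"CN=carol,OU=Staff,{DOM}", f"CN=dave,OU=Staff,{DOM}",
]


def cn_of(dn):
    """First RDN value of a DN ("CN=Domain Admins,CN=Users,..." -> "Domain Admins").
    Escaped commas inside an RDN are not handled; use a real DN parser in production."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def invert_membership(group_members):
    """Turn group -> members into member -> groups (what memberOf would show)."""
    member_of = {}
    for group, members in group_members.items():
        for m in members:
            member_of.setdefault(m, set()).add(group)
    return member_of


def protected_path(dn, member_of, protected_names=PROTECTED_GROUP_NAMES):
    """Breadth-first walk up the membership graph starting at dn.

    Returns the chain of group CNs from dn to the first protected group
    reached, or None if no protected group is reachable. The visited set
    makes nested-group cycles harmless."""
    queue = deque([(dn, [])])
    visited = {dn}
    while queue:
        current, path = queue.popleft()
        for group in sorted(member_of.get(current, ())):
            chain = path + [cn_of(group)]
            if cn_of(group) in protected_names:
                return chain
            if group not in visited:
                visited.add(group)
                queue.append((group, chain))
    return None


def classify(admin_count_one, group_members):
    """Map each adminCount=1 DN to its protected chain, or None when stale."""
    member_of = invert_membership(group_members)
    return {dn: protected_path(dn, member_of) for dn in admin_count_one}


def stale_accounts(admin_count_one, group_members):
    """DNs stamped adminCount=1 that reach no protected group: the candidates
    for resetting adminCount and re-enabling inheritance per KB 817433."""
    return sorted(dn for dn, path in classify(admin_count_one, group_members).items()
                  if path is None)


if __name__ == "__main__":
    for dn, path in classify(ADMIN_COUNT_ONE, GROUP_MEMBERS).items():
        status = " -> ".join(path) if path else "STALE: no protected group reachable"
        print(f"{cn_of(dn):6s} {status}")
```

An account that classify() maps to None carries the stamp but reaches no protected group, so resetting adminCount and re-enabling inheritance per KB 817433 should stick; an account that resolves to a chain shows exactly which nested group keeps the AdminSDHolder task re-stamping it on its next pass. Run the same walk after adding Builtin Users and Domain Users to the sample and it still returns None, which is the check John describes making by hand.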


RE: [ActiveDir] troubleshooting object permission inheritance

2005-06-11 Thread Rick Kingslan
John,

You're still not asking the question that has been asked at least twice:

What groups are the problem accounts MEMBERS OF?

You might have answered this in a manner that doesn't register with me - are
you saying that this user is a member of Domain Users and nothing else?

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Friday, June 10, 2005 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] troubleshooting object permission inheritance

not a strange question ... i looked into that when i first started the 
troubleshooting process  Domain Users is a member of the Builtin 
Users group which is not a protected group in my environment.

Just so i have it straight:

If a user is a member of a protected group its AdminCount attribute
will be 1.  If said user is removed from that group its AdminCount
attribute will remain 1 until it is changed.  Once it is removed from
the protected group and the attribute changed to 0 it should remain at 0
- yes?

Back to my problem - user is not a member of a protected group and i 
can't change the AdminCount to 0 w/o it being reset to 1.

thanks so far,

john

Jorge de Almeida Pinto wrote:
> John,
> 
> OK, the users you are talking about are non-default-admin-users and are
not
> members of protected groups and never have been.
> 
> Maybe a strange question.. which groups is the domain users group a member
> of?
> 
> #JORGE#
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> To: 'ActiveDir@mail.activedir.org '
> Sent: 6/10/2005 10:10 PM
> Subject: Re: [ActiveDir] troubleshooting object permission inheritance
> 
> Jorge --
> 
> I was following those threads which unfortunately did not clue me in. 
> The users that have AdminCount=1 but shouldn't have never been in a 
> protected group nor are they in a non protected group that is nested in 
> protected group.
> 
> I have even gone so far as to remove all group memberships (besides 
> Domain Users) for a particular user, force replication, admod the 
> attribute to 0 and still it resets to 1 after an hour.
> 
> Thanks for the reply - i'd appreciate any more feedback you may have.
> 
> john
> 
> Jorge de Almeida Pinto wrote:
> 
>>Hi,
>>
>>This was a thread that was discussed a few days ago. See the following
> 
> post
> 
>>from Joe where he explains some things in addition to my own post.
>>http://www.mail-archive.com/activedir@mail.activedir.org/msg29621.html
>>
>>HINTS:
>>* nested groups -> is that user a member of a
> 
> non-default-protected-group
> 
>>and where that non-default-protected-group IS a member of a protected
> 
> group.
> 
>>* were those users somehow members of protected groups in the past? If
> 
> they
> 
>>were and now are not the admincount will not be reset to 0
>>
>>Is this an answer to your issue?
>>
>>#JORGE#
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>To: ActiveDir@mail.activedir.org
>>Sent: 6/10/2005 8:35 PM
>>Subject: [ActiveDir] troubleshooting object permission inheritance
>>
>>Greetings --
>>
>>Using adfind to identify users who have the AdminCount attribute set
> 
> to
> 
>>1.
>>
>>Looking at the output there are users who are expected to have that
> 
> set 
> 
>>seeing that they are Domain Admins BUT i also see a handful of users
> 
> who
> 
>>are not members of a protected group.
>>
>>Using admod to set AdminCount=0 for those users temporarily sets it 
>>until the PDC mechanism runs which compares the ACLs and resets it.
>>
>>If the user isn't in a protected group then what is causing this 
>>behavior?  And i guess once i know that i can set AdminCount=0 for
> 
> them,
> 
>>permanently?
>>
>>tia,
>>
>>john

RE: [ActiveDir] Bionet trojan,

2005-06-11 Thread Rick Kingslan
Hmmm.  let me think about that.

NO!

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Saturday, June 11, 2005 4:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bionet trojan,

Hi guys,
Can anyone send me the BioNet trojan, I am conducting a training
session and I want to demonstrate for the staff how this works.
thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] mstsc /console switch for non admins

2005-06-11 Thread Rick Kingslan

Nah, don’t be sorry.  I’m not!  You’re right – I was frustrated in that upper
management was making the strategic, as well as the technical decisions – with
no clear goals in mind.

I have no problem with management setting directions and 3 – 5 year goals, but
stay out of my decision process for technical strategic / tactical direction.
I don’t get paid the money I get to say ‘Yes sir – whatever you say’ and just
sit around and implement misinformed, Gartner newsletter, IDC Conference crap.

Their decision to implement CA products across the board rather than MIIS,
SMS, or other products that we had faith in was unsettling.  What was even
more unsettling is that there was no inclusion of the Technical staff.  I
believe that management has some idea of how our environment works, but not
to the level that they can sort out truth from BS when CA is involved.  Does
it seem that I have no trust for CA?  I’ve had more than a few run-ins with
their implementations – and none have been good.

Security – yep, you and I see eye to eye on this.  There is no room to
compromise.

Thanks for the well wishes.  I’ll keep you and all informed as I continue
through the process.  I’ll know what I’m doing after the 21st of June.  ;o)

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 10, 2005 11:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mstsc /console switch for non admins



 

Sorry to hear about that Rick. Hopefully
you have lined something else up. Shouldn't take long if you don't.

 

I will argue security to death with anyone
doing it poorly. Quite frankly, I would rather be fired for being too security
conscious than having someone compromise a system and me standing there saying,
yeah, I knew it was insecure but I didn't want to make waves and upset anyone.
If I am on the hook for the functioning or security of something, I take that
extremely seriously. My goals will be to have no compromises and not be called
at 2AM in the morning. I am a very firm believer in if you are going to do it,
do it right or else you will spend a hell of a lot more time later fixing it. 

 

It takes annoying people like us being
very vocal to keep other less diligent or less informed folks moving
forward in correcting this stuff. Remember, without deviation from norm, there
can be no progress. Any company that thinks that the proper functioning and
security of their computing infrastructure is not critically important
better be a very small organization where a paper airplane has a good chance in
sailing from one end of the building to the other in a single weak throw.
Otherwise they are almost certainly dead wrong. Companies that do that stuff
poorly will slowly find themselves eeked out of their markets by competitors
doing it better and faster due to a better computing setup. Look at Toyota, they are blowing
the shit out of the big three and that has a great deal to do with their
computing infrastructure and how efficient it makes them. Though having first
hand experience with several of the large auto manufacturers, I can say that it
doesn't take a whole lot to get more efficient and secure. 

 

Anyway, it is the job of good technical
people to correct not as good technical people and their managers when they are
making bad choices or ill informed decisions. It may not make you popular but
it hasn't hurt me in the end. Just helped me move along in my career choices.
Every move has been tremendously good for me and I wouldn't change a single one
of the decisions in my career that either I made or was made for me.  If I
was happy with status quo, I would be washing dishes at Our Place Cafe' in Michigan still like I
did when I was 13. Even then I wasn't happy with inefficiency, I completely
changed how the bus boys and dishwashers did things which resulted in faster
more efficient operation[1]. I then reorganized how the breakfast
cooks handled their tasks as well. I went from $3.35 an
hour to $7 an hour in that job in the course of 2 years and pissed off nearly
every bus boy, dishwasher, and cook. The waitresses all liked me though. ;o)

 

Take it easy Rick. You seemed frustrated
in that position anyway, this will end up being good.

 

  joe



 





 





[1] It was actually more secure too if you
can believe it. It was more secure in that one of the dishwashers who will
remain nameless who liked to sample leftovers that came back from the dining
room was kicked out of the "group" that gave access to the food on
the dishes and from that point on only saw dishes that had been scraped.





 





 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 10, 2005 11:30
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mstsc
/console switch for non admins



joe,

Yeah, you
had to know it was coming – Rick’s  $.02 worth.

Rememb

RE: [ActiveDir] mstsc /console switch for non admins

2005-06-12 Thread Rick Kingslan

Douglas,

Thanks for the kind words.  I basically feel that my ethics are worth more
than any job.  Simply, you play fair – no one gets hurt.  However, it’s what
they don’t tell the people who have to ANSWER for these poorly thought out
decisions that are actually in harm’s way.  In my case, it was the Cxx’s that
were going to get hurt as they were signing (or will be signing) false
documents of assurance from Auditors that have been duped in one way or
another into believing that ‘Due Diligence’ has been done.

However, I suspect by the end of the month – I’ll have work.  It’s just a
funny feeling…..  ;o)

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Sunday, June 12, 2005 6:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mstsc /console switch for non admins



 

Hopefully this will change now that it seems there is a company a day releasing that customer information has been compromised. Here in Ohio, the state actually decided to sue DSW for such a thing (which is the first legal action in the states, I think). I know how politics works, so who knows, nothing may come of it, but let’s hope. Management seems to worry about making everyone happy on the surface. “We will increase productivity, ease of use, and your overall experience.” But let’s not tell them that is at the risk of security by implementing it to allow such ease of use. Oh well, good luck on your job search. I may some day get canned for the exact same sort of thing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 10, 2005 11:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mstsc /console switch for non admins

joe,

Yeah, you had to know it was coming – Rick’s $.02 worth.

Remember what we both were relieved of our positions for?  Oh, that’s right – I didn’t tell you about me!  Suffice it to say I took one for my team because upper management was trying to get things done that were wrong, technically, tactically and strategically.  They, in fact, are on the verge of violating, IMHO, Sox 40x controls.  I complained, I argued, I provided information that they were on the precipice of something really bad.  Apparently, I finally hit a nerve and my rubbing of folks the wrong way (from their viewpoint) caused my layoff via ‘Elimination of my position’.

Whatever.  I got fired for saying what I believed was right.  You and I see eye to eye as it is with DC permissions and access controls.  You and I see eye to eye on security as a whole.

However, our view is not really a well accepted PRACTICE in Corporate environments.  Our beliefs are actually radical when compared to the norm in practice.

Does this mean that we’re wrong?  No.  It DOES mean that our Security Conscious viewpoint can still get one fired.  It’s not a popular stance to say “Of my 10 Systems Admins, only these two can log on to a DC.”   The common rebuttal is “Everyone needs to be able to do these functions when on call” or “when the help desk calls, we need everyone capable of dealing with the problem at hand”.

I still believe that we are correct, but – most folks don’t live in “Rick and joe-land”.  They live in the screwed up Corporate world where the only endgame is money, and the generation of it [1].  With IT being a cost center, and Security viewed as an even bigger inhibitor to Production, most companies need to have a *Serious* computer security event to be convinced that they have their priorities in the wrong places.

Money generated doesn’t matter if you can’t guarantee that you can SECURE your customer’s money / data / private information.

Rick

[1] Case in point.  One of the guys that I used to work with was told that one thing management was really pissed about was the time it would take me to lock down a server.  For estimation purposes, I told folks to plan for (and published a timeline for planning purposes) 2 days for initial lockdown, 2 days for final lockdown and application of IPSec filters, and 3 days for InfoSec to certify the system (The time for InfoSec is THEIR guideline from their VP – not my timeline at all).  Typically, I would have a server back to the application team the same day to apply their apps, and would take one day to do the final lockdown, apply IPSec, and scan it before sending to InfoSec (yeah, I’m kind of funny that way – I like to KNOW what the scan looks like before I send it for certification).  Typically, it would take the application folks (who were the ones that complained about the time *I* took) about 2 – 3 weeks to get their applications on to the box.

Now for the funny part.  No one else has a clue how to do what I was doing.  Nada – nothing.  Nobody wanted to learn the boring, mundane, and highly visible process of hardening servers for the perimeter and DMZ.  So, other Supervisor gets this server that needs to be hardened.  He assigns it to my friend and tells him

RE: [ActiveDir] mstsc /console switch for non admins

2005-06-12 Thread Rick Kingslan
“other members of their particular market segment get hit, or their customers start worrying “

In my case, the other folks that were being lied to (outside of the Cxx’s signing false documents and the Auditors collecting bad information) ARE the customers.  They are being told that the correct practices (Such as CISP, etc.) *are* being followed and adhered to.

Bull-Hockery…

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Sunday, June 12, 2005 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mstsc /console switch for non admins

>>Hopefully this will change now that it seems there is a company a day releasing that customer information has been compromised.

Ha.   Everyone thinks that OTHER companies make mistakes, but not them.

Plus, most Senior Managers aren't going to see it as a problem unless the other members of their particular market segment get hit, or their customers start worrying

-ASB

RE: [ActiveDir] Bionet trojan,

2005-06-13 Thread Rick Kingslan
I understand the reason for your request.  And, it's admirable that you want
to insightfully inform your user base.

However, looking for live virus or Trojans is not the way to do it.  If one
wants to show how things can go horribly wrong, controlled environment or
not, this is likely a good start.

What I'd suggest is to make use of the EICAR test string.  All AV programs
that I know of will respond to it, and will respond as if a real virus had
been detected.

IMHO, this is the safe and proper way to do virus and Trojan awareness
training for user and response team staffs.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, June 13, 2005 3:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bionet trojan,

Ok my apology, didn't realize it would be taken this way.

I am a network administrator, and we are planning a security awareness
campaign; this demonstration will be a part of training for the
staff to see the security risks they can be in when opening an
attachment that they don't know about or executing a file. (I have
it now).

I had a noble cause so I asked a noble list, that's all; no offense to the
list.

r.c.


On 6/12/05, Tony Murray <[EMAIL PROTECTED]> wrote:
> Jorge's right.  Please contact me off-list before posting something like
> that.  There's off topic and there's off topic, if you know what I mean.
> 
> Tony [List owner]
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
> Pinto
> Sent: Saturday, 11 June 2005 11:15 p.m.
> To: 'rubix cube '; '[EMAIL PROTECTED] ';
> 'ActiveDir@mail.activedir.org '
> Subject: RE: [ActiveDir] Bionet trojan,
> 
> In my opinion this list is not the place to ask for stuff like that.
> But hey... that's me
> #JORGE#
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Sent: 6/11/2005 11:42 AM
> Subject: [ActiveDir] Bionet trojan,
> 
> Hi guys,
> Can anyone send me the BioNet trojan, I am conducting a training session
> and I want to demonstrate for the staff how this works.
> thanks
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT:BigIP LB, --- Was Load balancing LDAP request among my DCs

2005-06-13 Thread Rick Kingslan
Yep.  Have used it for application and web services load balancing.  Also
have used the Cisco CSS.

As long as your Engineer knows the traffic to look for, the destinations,
and if it is to be stateful or stateless - then it will work.

Obviously, the LDAP on 389 is not the only thing to take into account.  Be
aware of anything on 3268 as well as anything that is "/S" oriented as well.

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Monday, June 13, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Not to hijack the thread but has anyone used a hardware based load
balancer such as a BigIP appliance to load balance and/or fail over
LDAP?  We have some apps that have to be configured to a specific host
and this was one idea floated up.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, June 13, 2005 7:20 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS?

Check out this article
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx
- it may relate to the PDC but applies to DCs in general too.

neil



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs


Hello,
I have a site with 4 2003 DCs.
It seems that one of my DCs can not deal with a large number of LDAP
queries, GC Responses and NTLM/Kerberos Auth.  I misunderstand
something, but is my DC 2003 able to check that it cannot serve
these queries and forward these queries automatically to another DC that
is less busy?  In other words, can AD 2003 natively load-balance queries
to another less busy DC?  Regards, Yann

RE: [ActiveDir] Bionet trojan,

2005-06-13 Thread Rick Kingslan
Joe,

After going back and looking at the justification for the request, I now see
that this apparently is for the other systems admins - not just the average
end user.

Given that Fire Fighters in training are expected to go into a controlled
burn and learn with a mentor how to put out a fire, rescue people from a
burning building, etc., I'm very aware of what the need is, plus I'm all for
research and I'm all for learning.  In this case, to me - trust is
paramount.  I don't know Rubik's Cube.  If joe or Dean had asked - I could
have explored.  Them I know personally.

I'm sure that we can both agree that giving Anthrax to any nation that just
asks nice is not in the best interest of any nation - and why I refrain from
tossing around live code of that ilk  :o)

I'm not so worried about one person's network who decides to mess with these
types of bugs.  I'm a bit more altruistic - I'm worried about all of the
innocents and their networks who didn't have a say.

Cheers!  And, thank you for the comments.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Monday, June 13, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bionet trojan,

Rick,

While I agree with you that using the EICAR test file to demonstrate how
A/V software will react when it finds a virus... The EICAR test file
doesn't demonstrate to end users just how nefarious a trojan can be...

Bionet is a common script kiddie trojan builder...  The included
capabilities allow a controller to upload and download files, record
keystrokes, activate the microphone, or even activate an attached web
cam if there's one available.  Plus you can run script files either on
demand or at scheduled times...  With Bionet, a person can literally do
anything they want to your PC...

Now, it's one thing to tell a user...  "A script kiddie could do
anything they want with your PC and data"  and it's an entirely
different thing to show them just how easy it is  Really, it puts
the fear of God in the end user when you can demonstrate to them that it
really can work, much more so than just telling them...

OTOH, it's also good for administrators and security professionals to
learn how these tools work.  It may not be 100% necessary to understand
the tools to protect your computers and networks, but it certainly does
help.

Of course, all due caution should be used when playing with this stuff.
Keep it off any network or machine that you care about losing.  Use at
your own risk...  Your mileage may vary...  Wash your hands in warm,
soapy water for at least 60 seconds when finished...  Etc.


Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 


RE: [ActiveDir] mstsc /console switch for non admins

2005-06-13 Thread Rick Kingslan
Guido,

Thanks for the kind words.  Very much appreciated.

As to qualifying the customer - ~50k staff and production, multi-national company.  And, as many companies tend to be – they value the opinion of Consultants and outsiders rather than their own employees to some degree.  Many times, I think, management has a tendency to believe that someone from the outside has a more “worldly” opinion or viewpoint, while the employee is too narrowly focused and too close to the problem.

It has been my observation as a Consultant that I had a much easier time conveying ideas to Management than when I was the employee conveying the ideas in a quite similar manner.  In fact, I’ve garnered the respect and trust of many of the folks that I worked with on projects as the outside consultant by gathering some of their ideas and getting those implemented along with the project – even though they had been trying to simply get an ear for 6 mos. or more.

It’s politics – and the bigger the company, the bigger the disconnect from the worker to the decision makers.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, June 13, 2005 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mstsc /console switch for non admins

Hey Rick - sorry to hear - but from how I know you, this has simply made it easier for you to move on to a new company, something you'll have wanted to do for a while now and never did due to the complications involved.  I am very positive that you won't need to worry about finding anything.

As to this discussion, I find too often that mid-size companies are not willing to take that last step which would ensure a better security model - and many have good reasons to do so and accept the risks involved. But then again, they've never had a real issue and if they would, that thought would likely be different.  It's different with large corporations - I can usually convince them to do the right thing.  So I guess we must differentiate the type of customer when discussing these sorts of things.  This would make the discussion more "real world" like.

/Guido

RE: [ActiveDir] Using AD Sizer

2005-06-13 Thread Rick Kingslan
See inline below…..

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, June 13, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using AD Sizer

I’m trying to run through the Microsoft-provided free Active Directory Sizer tool to approximate what new hardware should look like so we can replace some older DCs. I haven’t used this thing before, and a couple of things are unclear to me:

1. It asks “How many additional attributes will you have per user?” – Are they talking about schema changes we may have made for user accounts?

[RTK] Yep, that’s exactly what they are after.  5 added attributes per user times, say, 10,000 – that’s a fair bit of an added replication need.

2. It asks for Avg logon rate per second in Interactive, Batch, and Network logons. How can I approximate something like that?

[RTK] We’re talking about DCs here, yes?  So, you can assume that your Interactive and Batch logon rate is going to be pretty low. These simply mean how many times per second someone/something will log on at the console or log on as a batch process.  If these are either negligible or not happening, then ignore them.

Network logons are likely quite different.  This is likely to be the biggest impact item.  Now, you can either input a median of the logon traffic over a period of time or the peak of the traffic.  How are you going to get that figure?  Me, I’d use the Performance Monitor and gather the data over a 24 hr. period as a baseline of traffic.  Once you have this (granularity is up to you….  I’ve collected as frequently as every second), export to a CSV and import into Access, Excel, SQL, whatever your choice to analyze.

Then, input your peak or average network logons to get the sizing for your DCs.  My opinion – the ADSizer works just as well as almost anything else you’ll find.

Alternatively, has anyone seen a better tool to get this information? We are still Windows 2000 AD – no 2003 DCs yet.

Thanks

Mark Creamer

Systems Engineer




RE: [ActiveDir] Windows 2000 DC Hardening

2005-06-14 Thread Rick Kingslan
Though I know that there will be as many opinions as people on this list as
to the subject, my preference is from Microsoft themselves.  They have
developed a very comprehensive Security Configuration guide which includes
templates that mimic the best practices from the guide, as well as other job
aids to help you get the job done.

Find the guides here:

http://www.microsoft.com/technet/security/prodtech/windowsserver2003.mspx
http://www.microsoft.com/technet/security/prodtech/windows2000.mspx

Or, for the whole set, look here under "Security Products and Technologies"

http://www.microsoft.com/technet/Security/default.mspx

Make no mistake - I won't take away from the NSA guides, SANS, or any of the
other very reputable sources for guidance in this subject.  However, I've
had complete success with the above referenced guides.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Monday, June 13, 2005 8:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Windows 2000 DC Hardening

Hi List,

I have been doing my part of the job without hardening my servers till now
(I know that's very bad). But I realise that server hardening is a must
and will definitely enhance my profile.

I just need a quick help on it, if someone can guide me on the same. I
have some documentation also but I need expert comments on this
topic.
 
-- 
DR


RE: [ActiveDir] Lost and found

2005-06-15 Thread Rick Kingslan
OK.  We now have the Dean and joe version of what is happening.  I'm good
with it.

So, why is Tom's LastKnownParent blank?  Now I'm interested.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 14, 2005 9:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lost and found

Dean is correct, just tested it out on K3. When an object gets tossed into
lost and found the lastKnownParent gets populated as well as when an object
is deleted it gets populated. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, June 14, 2005 9:52 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Lost and found

Joe's -

lastKnownParent populated only during (group) object's-parent-deletion
coinciding with (group) object's-move into deleted (& same) parent ...
operations originated against individual DCs.

Dean's -

lastKnownParent also populated during 2K3 DC's decision (when resolving
conflict) to move (group) object into LostAndFound container due to absent
parent ... lastKnownParent was populated as a result of
conflict-resolution's 'move to LostAndFound' operation.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Tuesday, June 14, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lost and found

H, this last bit just piqued my interest:

[joe]
I think lastKnownParent is only available on objects deleted on a K3 DC.
I.E. If an object hasn't been deleted and if that deletion didn't occur on a
K3 DC, it wouldn't be populated.

[Dean]
Not quite, your statement is true ... but only to a point. Assuming the
origin of the move operation was a 2K3 DC, the lastKnownParent will indeed
be populated ... the attribute serves a greater purpose than most
documentation will allude to.
 
*stares*

Okay, what's the difference between what the two of you just said?  It would
appear that there's a subtlety I'm missing, since it reads the same to me.

- Laura





RE: [ActiveDir] LDAP performance

2005-06-15 Thread Rick Kingslan
Nice machine name…..  descriptive, to be sure.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 14, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

From port 42217? What was the
client OS again? That doesn't sound like Windows. Windows client I would
expect port down in the range specified by the KB article. That modification
they specify is for the client machine.

For instance, I fired up several queries
to one of my DCs and let them complete, now I do a NETSTAT -A on my client and
I see

  TCP    fastmofo:2497    2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2526    2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2535    2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2552    2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2575    2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2597    2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2602    2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2609    2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2665    2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2675    2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2686    2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2697    2k3dc10.child1.joe.com:ldap  TIME_WAIT

These connections are all closed, but
waiting on final cleanup. You can do a google on time_wait and get a better
explanation than I can give. According to that article, if I get enough of
these to eat up the pre-specified range on the client, the client will not be
able to make any more connections to the DC. The KB tells you how to open up
more ports for use on the client.

The trace should obviously go 

Client:x -> Server:389   SYN
Server:389 -> Client:x   SYN ACK
Client:x -> Server:389   ACK

and then go into an LDAP conversation
starting most likely with a rootdse search or a bind. 

and then at the end you should see

Client:x -> Server:389   FIN ACK
Server:389 -> Client:x   ACK
Server:389 -> Client:x   FIN ACK
Client:x -> Server:389   ACK

assuming they are closing the connections
down properly. 

The trace below doesn't show this
occurring. The trace is already filtered though with hundreds of packets
missing so who knows what got screened, it could be a misrepresentation of
what is going on if someone didn't do the trace or the filter quite right. If
you get MS involved, you will almost certainly need to send them the whole
trace so they can see everything going on. Especially some queries working and
some not. I understand why you may not want to post a full trace to a group
like this. If you want, I would be willing to look at a full trace as well,
just zip and send to me offline and I will look at it in the evening when I get
a chance. Please send a format that can be opened in Ethereal. Digging through
text traces is a pain in the butt. It doesn't allow us to use the computer
tools that do this work so much better than we do.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, June 14, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

The application owner says that they are not seeing any extended error
info.  The connections are simply being disconnected.  Here is part of the
network trace the network guys sent me.  This basically shows the same
connection attempting to connect to 389 from port 42217.  As you can see it
tries a SYN, waits a couple minutes, then tries again.  It never gets ACKed.

I have the LDAP calls as well; however (CISSPs close your ears), they are
simple binds so I'll need to do some cleaning before sending them out ;-)

In a nutshell here is the sequence that
the application goes through every time it auths a user:

1.  Use a service account to bind to the directory
2.  Search for the user account using filter "(samaccountname=x)" and retrieve the DN.
3.  Now that it has the DN, bind as the user.

It does this for every single user
auth.  Terribly inefficient I know.  The newer version of the product
does not bind with the service account every single time and actually we do
have the newer version implemented in one location.  The newer version has
not seen this problem to date.

I'll go ahead and check out these
articles,  Thanks

***

No.   Time        Source        Destination   Protocol  Info
6827  32.129301   **.**.**.**   **.**.**.**   TCP       42217 > ldap [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460 WS=0 TSV=5999338 TSER=0

Frame 6827 (78 bytes on wire, 78 bytes captured)
Ethernet 
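The ephemeral-port problem joe describes can be measured from the same kind of `netstat` output he pasted. What follows is an added example written for this page, not code from joe, Joseph or anyone else on the thread: it parses `netstat -a` / `netstat -an` style lines, counts TIME_WAIT sockets per LDAP peer and estimates how much of the client's dynamic port range is tied up. The listing embedded in it is constructed (modelled on joe's), and the 1025-5000 range is the Windows 2000/2003 default dynamic range (the MaxUserPort setting the KB article raises), an assumption to adjust if that change has been applied on the client.

```python
"""Spot ephemeral-port pressure from TIME_WAIT LDAP sockets in netstat output.

Added example, not code from the thread. The parser accepts Windows
`netstat -a` / `netstat -an` style lines (proto, local, foreign, state); a
service name such as "ldap" is mapped to its port so both forms parse.
The 1025-5000 dynamic range is the Windows 2000/2003 default (MaxUserPort)
and is an assumption; pass your own bounds if it has been raised.
"""
import re
from collections import Counter

SERVICE_PORTS = {"ldap": 389, "ldaps": 636}      # names `netstat -a` may print for these ports

# Constructed sample modelled on joe's listing; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address              State
  TCP    fastmofo:2497          2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2526          2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2535          2k3dc10.child1.joe.com:ldap  TIME_WAIT
  TCP    fastmofo:2552          2k3dc11.child1.joe.com:389   TIME_WAIT
  TCP    fastmofo:2575          2k3dc10.child1.joe.com:ldap  ESTABLISHED
  TCP    fastmofo:2597          10.0.0.5:445                 ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0                    LISTENING
  UDP    fastmofo:500           *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def split_endpoint(endpoint):
    """'host:port' -> (host, port as int); unknown service names become -1."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port.lower(), -1)


def parse_netstat(text):
    """Return one dict per TCP line; header, blank and UDP lines are ignored."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1).upper() != "TCP" or not m.group(4):
            continue
        _, lport = split_endpoint(m.group(2))
        rhost, rport = split_endpoint(m.group(3))
        sockets.append({"lport": lport, "rhost": rhost, "rport": rport,
                        "state": m.group(4).upper()})
    return sockets


def time_wait_by_peer(sockets, port=389):
    """TIME_WAIT socket count per peer on the given remote port."""
    counts = Counter(s["rhost"] for s in sockets
                     if s["state"] == "TIME_WAIT" and s["rport"] == port)
    return dict(counts)


def ephemeral_usage(sockets, lo=1025, hi=5000):
    """Fraction of the dynamic range held by non-listening sockets (TIME_WAIT included)."""
    used = {s["lport"] for s in sockets
            if s["state"] != "LISTENING" and lo <= s["lport"] <= hi}
    return len(used) / (hi - lo + 1)


def report(text, port=389, warn_at=0.8, lo=1025, hi=5000):
    """Summarise one netstat capture; exhaustion_risk flips when usage reaches warn_at."""
    sockets = parse_netstat(text)
    usage = ephemeral_usage(sockets, lo, hi)
    return {
        "time_wait": time_wait_by_peer(sockets, port),
        "ephemeral_usage": usage,
        "exhaustion_risk": usage >= warn_at,
    }


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

Run it against a `netstat -an` capture taken while the application is under load. Each closed LDAP connection sits in TIME_WAIT for TcpTimedWaitDelay (240 seconds by default on Windows 2000/2003), so the bind, search, bind-as-user sequence Joseph describes above, repeated for every logon, can hold a few thousand client ports for four minutes after a burst of logons; reusing the service-account connection, as the newer version of the product apparently does, is the client-side fix. Those binds are also simple binds on port 389, which is exactly why the LDAP side of the trace needs scrubbing before it is shared: the passwords are in the capture in the clear.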

RE: [ActiveDir] My LDAP Query

2005-06-15 Thread Rick Kingslan
joe said:

“I am a bit tired and a little high from sniffing tile adhesive”

And, then later emoted:

“state how to make it performant without listing by name every other
mailbox server by full”

Looking at the first statement, and the
LACK OF COMPLETENESS to the second, I think the fumes overtook joe at some
point during the response…..

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 14, 2005 9:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] My LDAP Query

I am a bit tired and a little high from
sniffing tile adhesive but a couple of things. First, I don't think you are
using the correct attribute, I think you want msExchHomeServerName. Second, I
would think you want NOT CO-XMB11 AND NOT CO-XMB12. 

I would write it more like

(&
    (objectcategory=person)
    (objectclass=user)
    (mail=*)
    (!(msExchHomeServerName=*CO-XMB11))
    (!(msExchHomeServerName=*CO-XMB12))
)

And yeah, I can't say that would probably
be very performant, but I am not sure in my present state how to make it
performant without listing by name every other mailbox server by full 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, June 14, 2005 9:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] My LDAP Query

I can’t get it to work and I’m tired. Anyone see my problem?
I want all the users in the current domain whose mailbox server is not CO-XMB11
or CO-XMB12. I really don’t care about perf, I’ll run it once and
forget about it.

(&(objectCategory=person)(objectClass=user)(mail=*)(!(|(msExchHomeServer=*CO-XMB11)(msExchHomeServer=*CO-XMB12

(&
    (objectCategory=person)(objectClass=user)(mail=*)
    (!
        (|
            (msExchHomeServer=*CO-XMB11)(msExchHomeServer=*CO-XMB12)
        )
    )
)

Thanks,
Brian Desmond
[EMAIL PROTECTED]

 

c - 312.731.3132

RE: [ActiveDir] Passwords from SQL

2005-06-15 Thread Rick Kingslan
Maybe they need an 8-way, or more than 2GB of RAM for the database that runs
on it.

Honestly, though - this has gotten way off the point.  He's running MySQL,
and doesn't look like he's going to change just because we thought MSSQL is
a better fit.  Or not

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Why do you need the Enterprise version, are you running SQL Clusters for
failover? 

Jose



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL


Well we purchased the enterprise MSSQL version.  Also we have already
purchased exchange here 


--
Jake

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Hi Jake, 

I know that Exchange is dirt cheap for Educational use, I am sure that SQL
is also much less. Let me check with an educational specialist at Microsoft
in San Francisco and see what it actually may be.  Just doing a search on
the web for the retail copy comes up with:

  Microsoft SQL Server 2000 Standard (5-Client) Full Version Retail Box
  RETAIL Microsoft Part #: 228-00683  Save 18% off RETAIL  $1,225.00 (Retail $1,489.00)
  
Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL


Educational price for MSSQL 2000 or whatever newest version is over $2000 


--
Jake

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Wednesday, June 15, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes...  However, if you spend enough time in implementing,
creating, and supporting some functionality that you would otherwise gain in
the paid solution (password syncing?), have you really "saved" any money?

It's not a knock against "free" software...  I use MySQL here and have used
it for other personal applications as well...  Sometimes "free"
isn't always the best solution...  Of course there's always the oft-repeated
quote "Acquisition costs are only a fraction of TCO"


Joe Pochedley
A computer terminal is not some clunky old television with a typewriter in
front of it. It is an interface where the mind and body can connect with the
universe and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 15, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when
you can get it for free. :o)

Of course free is a question-begging term but for any uses I have put MySQL
to it has performed admirably.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions
for next to nothing.

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III
Sent: Wednesday, June 15, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL


He's probably using MY SQL instead of MS SQL for monetary reasons.
Money is always an issue in education

fred


> Hi Jacob,
>
> I have a better ID. If you use Microsoft SQL instead of MY SQL then 
> you'll have the option of using Integrated Authentication  and use the
> usernames and passwords that your user's log into AD with.
>
> Jose
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
> Sent: Wednesday, June 15, 2005 8:56 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Passwords from SQL
>
>
>
> I am running a MySQL server that holds data for a grading program here
> in the district.  Well teachers have the ability to change passwords 
> through that software and I was curious if AD could import passwords 
> for people on a scheduled increment from that SQL database.  Can 
> active directory connect to a SQL database to pull other information 
> or possibly import users directly from that database??
>
> --
> Jacob Stabl
> Network Engineer
> Plain Local School District
>   http://www.plainlocal.org
> Office:  330.492.3500
> Cell :330.704.1278
> IP Phone: 44

RE: [ActiveDir] Passwords from SQL

2005-06-15 Thread Rick Kingslan
The reason that it's off the point is because:

1)  MySQL is the database in which the application is deployed.
2)  Moving it to MSSQL might exceed the realistic 'cost' of the database
3)  It might be just as easy to use OpenLDAP (I'm assuming MySQL on Linux)
and communicate with AD that way

Make no mistake - I'm no bigot when it comes to using MS software.  Quite
the contrary.  But, there are times when the simple economics of a solution
scream out that Microsoft is not the right solution.

Most schools that I work with are this way.  Most of them would have to save
a huge chunk of non-salary related expenditures to afford a Standard version
of SQL.  Hence, Access is a really popular option, even though getting it to
work in some of the multi-user scenarios sucks - plainly and simply.

In one school that I work with, the majority of the desktop OSs that they
run are ones that I've donated.  One of the servers OSs is as well.

I'm not saying that you're wrong.  Far from it, in fact.  But, sometimes the
solution can't meet the available economic resources.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 7:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Hi Rick , 

Actually how is this off the point? He is looking for a solution that will
allow him to use the same user accounts in AD and authenticate against
MYSQL, right? He wants to save the time and labor of having to manually
update user accounts and passwords since they are maintained by two separate
systems and since there are no built in utilities in AD that allow him to
easily do so with an Open Source Database such as MYSQL.  I strongly believe
that by changing to a Microsoft SQL database this allows him to then use
integrated authentication and it would solve his problem ( He may not have
been aware that Microsoft SQL has had this feature since as far back as
version 6.5 ).

If the school can't even afford 2000.00 for an SQL database, I seriously
doubt that they would have an 8 way server that would easily cost 20,000 or
more.

But enough said, as far as I am concerned he has two choices and routes he
can take and it is up to him to educate his management at the school
district office that he has such a need and that the solution has a small
cost. I am sure that any educator with common sense would concur that just
because some thing is free it does not always mean it is the best solution
and easiest to maintain for every environment.

Warmest regards, 

Jose Medeiros
Former CIS instructor 
San Jose City College


---

RE: [ActiveDir] Event log settings in GPO

2005-06-16 Thread Rick Kingslan
Yes – you’re correct in that you can set this on a per OU basis with GPO.
As Jorge points out, make sure that you are complying with the processing
rules of the GPO list so that your settings are not reverted by another GPO
inherited to that OU.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, June 16, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event log settings in GPO


Just want to check to ensure.  But I could say have a policy that is
configured to set the maxsize of eventlogs to 128M and have that apply to a
specific group so that the machines in that group are set to that size.  And
as long as this policy was set at the top of the list in GP management then
that policy would take precedence over any policies under it.  Correct?

RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-16 Thread Rick Kingslan
Guy,

Though it might seem trivial, it's not really easy in any way.  If you're
not in mixed-mode, or have child domains - forget it (IIRC).  You've passed
the last bastion of 'easy' in a hard process.

The way to do this, and not have tons of lingering issues is to demote all
other DCs back to members, stand up a NT 4.0 machine as a BDC in your
domain.  Demote the last Win2k DC.  Change the Win NT 4.0 to be the PDC.
Rename the domain.

Now you can upgrade the NT 4.0 PDC to the first DC in your new Win2k forest
- but it now has the right NetBios domain name.  DCPromo all of the other DC
'members' in the domain.

It's a royal PITA.  I've had to do this a few times in the early days of
Win2k as some of my rollouts had last minute (or better - last minute +5
minutes) changes from upper Management in naming.

Rick

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, June 16, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

 

Guido,

 

How about:

1) rename the NetBios name of the target AD

2) perform the migration

3) rename the NetBios name of the AD back to the original

 

Because you are changing only NetBios name and not the DNS name, the fixups
at the AD side are rather minor...

 

Or are we talking about target AD being already production and/or W2K ?

 

Guy

 

  _  

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migration between domains with same NetBios name

Here is a nice one - I've done quite a few migrations with all kinds of
scenarios, so I hardly ask questions around this topic. 

 

But when migrating from one NT4 domain to an AD domain which both have the
same NetBios names, various issues and potential conflicts come to mind and
I wonder if others had to do this in the past, who could share their
experience.

 

Think about an existing NT4 domain called CORP and another existing AD
domain called CORP (with DNS=copr.company.com). And now you need to migrate
all users and resources from the NT4 CORP to the AD CORP and place AD DCs
into the same sites as the existing NT4 DCs... 

 

I can imagine various challenges, besides not being able to set up a trust
and thus losing various options for doing a "normal" migration. At least I
have no need to register the AD domain in WINS; all clients are XP, but I
know for sure that I'm going to run into various other issues (the worst one
being that the account activation and the resource migration have to happen
instantaneously, since resource access won't be possible across the
domains). But I'm also thinking of networking issues with an NT4 DC of the
one and an AD DC of the other domain in the same ip-subnet...

 

I wonder how others have tackled this challenge and what issues you ran
into. 

 

/Guido


RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-16 Thread Rick Kingslan
It's a concern that needs to be taken into account.  However, the reason
that I stand up a Windows NT BDC is to synch with the AD and be sure that
I've collected all of the domain security principals. [1] 

Mixed-mode is the trick, as it ensures that we are still in a mode in which
a NT 4.0 BDC will communicate with our Win2k DCs.  It'll get most things -
not absolutely everything, but it's better than having to recreate all of
the security principals.

Rick

[1]  In fact - one step that I missed was to actually stand up two BDCs,
taking number two offline and locking it away in a safe - just in case
something goes horribly wrong - then I have a backout

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, June 16, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Hi Rick, 

The only problem I can see with using your method is if he has new accounts
and groups that have been created in his existing AD domain, if that is the
case then the method that you're proposing will not work as it will delete
those AD objects. What Guido fails to mention so that we can best determine
which migration path he should take is how many users, groups and machine
accounts he is migrating from the NT4 Domain to the AD domain and how large
the AD domain is.

If the NT4 domain has only several member servers then I concur with Jorge's
number 2 suggestion as it sounds like the best choice. Either way this
migration is going to have to be done after business hours. I would start
the migration on a Friday late afternoon and plan on being up all night. If
all goes well you'll have Saturday and Sunday to relax. If not I hope his
manager will give him time off to recuperate ( I'd rather have the time off
than a small bonus any day ).

Peace, 

Jose :-)


RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-16 Thread Rick Kingslan
Yep - you're right.  I did overlook the fact that the ultimate goal was to
have the two domains (source, target) with the same domain name.

Never mind.

:o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 9:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Rick, you are overlooking one important factor - clients usually do not have
the tolerance for the method you are describing, especially not on an
existing, production domain. They don't want to disrupt the existing
infrastructure, they don't want to change what the users are used to, they
don't want to re-write all the apps they have been using for so long, and in
which they've hard-coded the existing netbios name.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

RE: [ActiveDir] RRAS pptp issue

2005-06-17 Thread Rick Kingslan
Tom,

 

I think what Ravi is saying is that this is a client side issue, and given
the information on this event, he’s likely as right as anyone else is going
to be, given the information.  The problem with the 20159 event is that
anytime anyone disconnects, a 20159 can be generated.  So, it’s a bit
difficult to pin this event down as substantive evidence of a problem.

I’d be interested in seeing complementary entries in the event logs or
device logs for the PPTP on the client.  I suspect we are going to learn
more from the one client that isn’t working rather than the RRAS that
appears to be working just fine.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, June 17, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RRAS pptp issue

all the other users are fine.

i have 5 users sharing this router and
only one has an issue...

thanks

-Original Message-
From: Ravi Dogra [mailto:[EMAIL PROTECTED]
Sent: Friday, June 17, 2005 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] RRAS pptp issue

Hi
Please check your ADSL equipment. There may be some issue with this equipment.
You can check it by using this equipment with some other user or you can swap
this equipment with any other working equipment.

--
DR

RE: [ActiveDir] FW: Batch Script Fun

2005-06-19 Thread Rick Kingslan
Heh….  I see that Dean has
already answered this, so I’m most interested to see what the “Wizard
of the Shell Script” has come up with….

 
Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, June 18, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FW: Batch Script Fun



 

Maybe this didn’t go through this morning?



 

 











From: Brian Desmond
[mailto:[EMAIL PROTECTED] 
Sent: Saturday, June 18, 2005 2:34
PM
To: 'ActiveDir@mail.activedir.org'
Subject: Batch Script Fun



 

Ok, her’s what I need to do from within a .cmd file (this is the
only hook I have into a process that runs on every workstation once an hour
– no I can’t use a _vbscript_ or any of that):

 

Check device’s domain

If Domain <> MyDomain

    Run
netdom and remove

    Reboot

Otherwise

    Quit

 

Now I figured out a way to use wmic to get the domain, but it returns
multiple lines of text, and I don’t have a clue how I would parse that in
a batch file.

 

The output of “wmic computersystem get domain” looks like
this:

 

Z:\Files\PsTools>wmic computersystem get domain

Domain

WORKGROUP

 

 

Z:\Files\PsTools>

 

I just need that “WORKGROUP”.

 

Ideally my script needs to work on NT and newer. I’ll settle for
2000 & newer and the field guys can do the NT ones by hand if need be. The
NT inventory purportedly has WMI installed, which I presume means wmic would
work. I’m all up for a different way of doing this – I don’t
know of an environment variable or similar holding the machine’s domain. 

 

Anyone got a way I can make this work?

 

--brian
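An added example of the .cmd Brian describes, not code from the thread: it reads the domain with wmic, strips the stray carriage return wmic leaves on each output line, and only calls netdom when the machine is joined to some other domain. MYDOMAIN, the log path, and the assumption that wmic.exe is present (it ships with XP and 2003, not with NT4 or 2000, even when WMI is installed) are mine; netdom's switches are those documented in the Support Tools help.

```batch
@echo off
setlocal
rem Added example, not Brian's script. Assumes wmic.exe is present (XP/2003;
rem it is not on NT4 or 2000 even when WMI is installed) and that the hourly
rem process runs with local admin rights so netdom can disjoin the machine.
set "MYDOMAIN=CORP"
set "LOGFILE=%SystemRoot%\domaincheck.log"

rem /value prints "Domain=NAME". wmic ends lines with CR CR LF, so a single
rem for /f leaves a stray CR on the value; re-parsing the line with a second
rem for /f over the string strips it. The find drops wmic's blank lines.
set "DOMAIN="
for /f "delims=" %%A in ('wmic computersystem get domain /value ^| find "="') do (
    for /f "tokens=2 delims==" %%B in ("%%A") do set "DOMAIN=%%B"
)

if not defined DOMAIN (
    >>"%LOGFILE%" echo %DATE% %TIME% could not read domain, leaving machine alone
    exit /b 1
)

rem /i: NetBIOS domain names are not case sensitive.
if /i "%DOMAIN%"=="%MYDOMAIN%" exit /b 0

rem WORKGROUP means the box is not joined anywhere; netdom remove would fail.
if /i "%DOMAIN%"=="WORKGROUP" (
    >>"%LOGFILE%" echo %DATE% %TIME% not domain-joined, leaving machine alone
    exit /b 0
)

>>"%LOGFILE%" echo %DATE% %TIME% joined to %DOMAIN%, expected %MYDOMAIN%, removing
rem netdom is a Support Tools utility; /Reboot restarts once the disjoin
rem succeeds. No /UserD:/PasswordD: are embedded on purpose: anyone who can
rem read this file would get them, and the local disjoin does not need them.
rem Add /Force if the old domain is unreachable (its computer account is then
rem left behind there).
netdom remove %COMPUTERNAME% /Domain:%DOMAIN% /Reboot
if errorlevel 1 >>"%LOGFILE%" echo %DATE% %TIME% netdom failed with errorlevel %ERRORLEVEL%
endlocal
```

Put an echo in front of the netdom line for the first rollout: an hourly job that disjoins and reboots on a misread value is exactly the kind of thing you want to see dry-run log output from before it runs on every workstation.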

 








RE: [ActiveDir] FW: Batch Script Fun

2005-06-19 Thread Rick Kingslan

Hmmm….  Let me think…..

YES!  ;o)

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Sunday, June 19, 2005 12:57 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] FW: Batch Script Fun

I appreciate the compliment Rick ... nothing interesting this time I'm afraid ...

Anybody interested in a script that resets every DC's DSRM password to the same value?  ;-)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
 









RE: [ActiveDir] Scripts

2005-06-20 Thread Rick Kingslan
Fully agreeing with what ~Eric and Nazim state, another way to do this and
lessen the security risk SLIGHTLY is to feed the password in as a parameter
OF the startup script, rather than as part of the script in the first place.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nazim Akperov
Sent: Sunday, June 19, 2005 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripts

Agree with "net user administrator thepassword" 
But 
1. This should be computer startup script
2. Set Visibility to disable otherwise "smart" users will note a new
password in a black window appeared for a couple of seconds.

Regards

Nazim

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Monday, June 20, 2005 02:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripts

Does anyone know of a script I can include in the login scripts to change
the local admin passwords on the computers in my environment?
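Whether the password sits in the script body or in the script's parameter field, it ends up under \\<domain>\SYSVOL, which every authenticated user can read by design (clients have to fetch policy from it); the GPO editor writes the parameters to scripts.ini next to the script. This added audit, not part of the thread, lists both places so you can see what a non-admin user would see. The paths are the standard SYSVOL layout; USERDNSDOMAIN is assumed to be the domain being audited.

```batch
@echo off
setlocal
rem Added audit, not from the thread. Assumes the current user's domain is the
rem one to audit and that SYSVOL has the standard Policies layout.
set "POLICIES=\\%USERDNSDOMAIN%\SYSVOL\%USERDNSDOMAIN%\Policies"

echo == script bodies that set a password with "net user" ==
for %%E in (bat cmd) do (
    for /f "delims=" %%F in ('dir /s /b /a "%POLICIES%\*.%%E" 2^>nul') do (
        findstr /i /n /c:"net user" "%%F" && echo    in %%F
    )
)

echo == script parameters, which the GPO editor stores in scripts.ini ==
rem scripts.ini is a hidden file, so enumerate it with dir /a and show the
rem Parameters= lines that carry whatever was typed into the parameter field.
for /f "delims=" %%F in ('dir /s /b /a "%POLICIES%\scripts.ini" 2^>nul') do (
    findstr /i /n /c:"Parameters=" "%%F" && echo    in %%F
)

echo == who can read the policy tree (expect Authenticated Users: Read) ==
cacls "%POLICIES%"
endlocal
```

If either search prints a line, the local admin password is recoverable by any domain user who can open the share, regardless of which of the two places it was put in.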


RE: [ActiveDir] Scripts

2005-06-20 Thread Rick Kingslan
Could we get some more detail on that?  I've used Hyena, but I'm not sure
how to use that in a scripted fashion.

Thanks!

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Haaker, Chris
Sent: Monday, June 20, 2005 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripts

I know of a piece of software that will; Hyena.

 
Chris Haaker
ITS Infrastructure
x7841
 
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Sunday, June 19, 2005 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripts

Does anyone know of a script I can include in the login scripts to change
the local admin passwords on the computers in my environment?


RE: [ActiveDir] GPO configuration

2005-06-22 Thread Rick Kingslan
However, this solves part of the problem, yes?  Seems that this won't
prevent the closing of Windows Explorer windows...  But, I could be wrong -
I haven't tried it.  :-)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, June 21, 2005 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO configuration

that's what I call a surprise ;-) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III
Sent: Tuesday, 21 June 2005 16:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO configuration

Took me a while, but here it is:

User Configuration/Administrative Templates/Browser menus/"File menu: 
Disable closing the browser and Explorer windows"


> You could prevent users from logging on in the first place - this will
> ensure they can't close any window.  The only issue is that they can't
> open any either ;-))
>
> Just curious - why would you want to achieve this in the first place?
>
> /Guido
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
> Sent: Thursday, 16 June 2005 00:07
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] GPO configuration
>
> I've not seen one. I think that would be pretty hard to pull off unless
> you can remove the hot keys and window buttons.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III
> Sent: Wednesday, June 15, 2005 1:47 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] GPO configuration
>
>
> Isn't there a GPO setting that can prevent users from closing any window
> they open?




RE: [ActiveDir][OT] File copy with security intact

2005-06-22 Thread Rick Kingslan
Yep - what assist do you need, or what information related to it?

Happy to help

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, June 21, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Has anyone had any experience using the Microsoft File Server Migration
Toolkit?
http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx

Jose 

-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Medeiros, Jose
Sent: Tuesday, June 21, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact


I don't want to seem like I am knocking Robocopy, however from my experience
Robocopy also does the same thing. It will stop when a file is locked or in
use. It does not copy at the block level like rsync. It is a very useful
tool but beware of its limitations. (Although the version I used was from
the 2000 resource kit, so if there have been improvements I may be mistaken).

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, June 21, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact


Robocopy is my FRS engine for Dfs.  :)

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Webster
Sent: Tuesday, June 21, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Jorge de Almeida Pinto
> Subject: RE: [ActiveDir][OT] File copy with security intact
> 
> My experience with XCOPY is that with large amounts of data 
> it suddenly quits.

Jorge,

Try XXCopy.  Works great.


Webster
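For the locked-file behaviour Jose describes, an added robocopy invocation, not from the thread, that carries the NTFS security across and bounds the retries so an open file is reported instead of retried for hours. Paths are assumptions; the options are those of the Windows Server 2003 Resource Kit build. The point is the /R and /W pair: robocopy's default is 1,000,000 retries at 30-second intervals, which with those defaults can look like the copy has stopped on a file in use.

```batch
@echo off
setlocal
rem Added example, not from the thread; paths are made up. Assumes the 2003
rem Resource Kit robocopy and an account with backup/restore rights.
set "SRC=\\oldfs\share"
set "DST=D:\share"
set "LOG=%TEMP%\copy-%COMPUTERNAME%.log"

rem /E        include empty subdirectories
rem /COPYALL  data, attributes, timestamps, NTFS ACLs, owner and audit info
rem           (owner and SACL copying needs the backup/restore and security
rem           privileges, so run it as an administrator)
rem /B        backup mode, so an ACL that denies the copying account cannot
rem           block the read
rem /R:2 /W:5 fail fast on open files instead of the default 1,000,000 retries
rem           30 s apart, and list them at the end
rem /XJ       do not follow junction points (avoids loops)
rem /NP /TEE  no per-file percentages; mirror the log to the console
robocopy "%SRC%" "%DST%" /E /COPYALL /B /R:2 /W:5 /XJ /NP /TEE /LOG+:"%LOG%"

rem The exit code is a bitmask: 0 nothing to do, 1 files copied, 2 extras
rem in the destination, 4 mismatches; 8 or more means some files failed,
rem which is where the locked ones end up.
set "RC=%ERRORLEVEL%"
if %RC% geq 8 (
    echo exit code %RC%: some files failed, re-run after the handles are closed; see:
    findstr /i /c:"ERROR" "%LOG%"
) else (
    echo exit code %RC%: completed with no failures
)

rem Spot-check that the ACL came across on the destination root.
cacls "%DST%"
endlocal
```

Because /R and /W are per file, a second pass after users log off picks up only what the first pass skipped; robocopy does not rewrite files whose size and timestamp already match.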



RE: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in the same dns hierarchy

2005-06-22 Thread Rick Kingslan
Andrew,

Really interesting problem that you're experiencing here.  I can't say that
I have seen this, but I would say in my experience I've worked with a few
multi-tree and multi-forest scenarios.  Both the multi-tree and forest would
naturally use a different DNS namespace for each tree or forest.

I don't see this behavior, so it is concerning.  You note that this is
Windows Server 2003.  Is there anything that you can detail about the DNS
configuration?  Being a Realm 'root', is the DNS on BIND?  (Not that it's a
bad thing...)

How do the clients find the DNS that is authoritative for a given domain,
(standard forwarding, conditional, stub zones) and where are the glue
records for the specific cross-domain resolution (stub zones or
secondaries)?

If this was Windows 2000, I'd be more apt to be asking questions about the
configuration of the trusts - are they set as transitive for the Realm
Trusts? On and on and so forth...  2K3 seems to have resolved much of that
issue.



Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrew Riley
Sent: Wednesday, June 22, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in the
same dns hierarchy

A few months ago I started a project to allow a Windows domain to trust 
another windows domain that trusts an MIT Kerberos Realm for user logons.

An example of this setup would be

SCHOOL.EDU <- our MIT Realm
AD.SCHOOL.EDU <- the Windows domain that trusts the MIT Realm
OTHER.AD.SCHOOL.EDU <- a trusting windows domain

All of the Windows servers are Windows Server 2003.

We have established a forest trust between the two Windows domains/forests, 
entered a new Domain Suffix in AD.SCHOOL.EDU for SCHOOL.EDU, established a 
REALM Trust between AD.SCHOOL.EDU and SCHOOL.EDU, used KSETUP or registry 
entries to add the references to the KDCs for SCHOOL.EDU on the 
workstations in OTHER.AD.UPENN.EDU. Additionally users in AD.SCHOOL.EDU 
have a name mapping to their MIT kerberos principal.

In this setup, someone with a user account in AD.SCHOOL.EDU can walk up to 
a workstation in OTHER.AD.SCHOOL.EDU, and enter their MIT kerberos 
principal and password, and select SCHOOL.EDU(Kerberos Realm) from the "Log 
on to:" box and be authenticated as their user account in AD.SCHOOL.EDU.

The preceding solution works great, but I've found that if we establish a 
trust to a domain such as DOMAIN.SCHOOL.EDU (not in the same DNS hierarchy 
as AD.SCHOOL.EDU) then user logons fail.

I've gone as far as setting up 2 other domains in a different DNS hierarchy 
and then swapping the trust around between the 4 and it's definitely 
something to do with how the domains are arranged DNS-wise.  None of them 
are in the same forests, so It seems like some parent DNS suffix fallback 
that's being applied, but I have no idea where to look.

Any ideas?

thanks
andrew



RE: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in the same dns hierarchy

2005-06-23 Thread Rick Kingslan

True, the forest/domain reference does assume different zones.  So, at least
at this point my first path of inquiry is along the lines of DNS.

You've determined that all authenticating elements in non-authenticating
domains can be resolved by name from a client that is experiencing problems?

I'm to some degree very interested in the DNS for the Windows domains.  Are
those, too, on BIND?  If so, do they have their own zones for AD.SCHOOL.EDU,
etc?  I'm concerned about the SRV records that the clients need.  It appears
to me that the clients are finding them, but I'm not clear where they are
and how they are being found.

Clearly, we need to have a KDC in each Kerberos authenticating domain or
realm to be responsible for the authentication in that 'area'.  Do the
clients know who the authenticating mechanism is?  For Win2k3, the SRV
records are going to handle this through the _kerberos record, which is
really a CNAME (with a few extra, but important elements) to each DC.

Of course, the problem could certainly be with the actual Kerberos elements
themselves.  They may not understand who is communicating to them, the key
material being passed may not be correct, or any multitude of other small
problems.

Look at this, if you haven't.  Even though it's for Windows 2000, it still
applies.  I'd also be interested in seeing logging or programmatic output
from the Windows as well as the Realm side.

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp


Rick
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrew Riley
Sent: Wednesday, June 22, 2005 11:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in
the same dns hierarchy

The DNS is BIND.  And the there is only one DNS zone for this scenario in 
BIND, SCHOOL.EDU. All individual domains manually register the appropriate 
records from netlogon.dns.  I guess that the different forests/domains 
might assume that they are not in the same zone but I've never really run a 
full fledged MS DNS service before.

The problem seems to be solely that if the disparate domains are not 
arranged with the trusting domains at least one level further from the root 
of the DNS than the trusted domain, authentication fails.So it has to 
be DOMAIN.AD.SCHOOL.EDU trusts AD.SCHOOL.EDU not DOMAIN.SCHOOL.EDU trusts 
AD.SCHOOL.EDU.

The only thing I can figure is that somehow the authentication path for a 
user principal such as [EMAIL PROTECTED] tries to walk a path that 
hierarchically takes it closer to SCHOOL.EDU from whatever domain it's in. 
I thought it might be similar to how the default for unqualified hostname 
resolution in windows is to "Append parent suffixes of the primary DNS 
suffix".  So if the trusted domain doesn't happen to be in parent suffix it 
never looks there.  But that's just a guess.

andrew
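An added check for the scenario above, not from the thread: run on a workstation in the domain where the logon fails, it asks the BIND server for the locator SRV records each Windows domain should have registered by hand from netlogon.dns, plus a _kerberos._tcp record for the MIT realm, then dumps what ksetup holds for realm-to-KDC mappings and what the DC locator returns for each domain. The domain and realm names are the ones used in the thread; the DNS server name is an assumption. An ok for every record under AD.SCHOOL.EDU but a MISSING for DOMAIN.SCHOOL.EDU, or a realm with no KDC entry in the ksetup output, points at KDC discovery rather than the trust objects themselves.

```batch
@echo off
setlocal
rem Added example for the cross-realm scenario; domain/realm names are those
rem from the thread, the DNS server (the BIND box holding SCHOOL.EDU) is an
rem assumption. ksetup, nltest and nslookup are Support Tools / built-ins.
set "DNSSERVER=ns1.school.edu"
set "MITREALM=SCHOOL.EDU"
set "WINDOMAINS=AD.SCHOOL.EDU OTHER.AD.SCHOOL.EDU DOMAIN.SCHOOL.EDU"

rem 1. Each Windows domain must publish the locator records netlogon.dns
rem    lists; the ones Kerberos and LDAP depend on are checked here.
for %%D in (%WINDOMAINS%) do (
    for %%R in (_ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs _kerberos._tcp _kpasswd._tcp) do (
        call :srv %%R.%%D
    )
)

rem 2. The MIT realm has no netlogon to register anything for it, so the
rem    workstation finds its KDC either from ksetup/registry or from a
rem    _kerberos._tcp SRV record that was added to BIND by hand.
call :srv _kerberos._tcp.%MITREALM%

rem 3. What this workstation actually has configured for realm-to-KDC
rem    mapping (ksetup with no arguments dumps the current settings).
ksetup

rem 4. What the DC locator returns for each Windows domain; the flags in the
rem    output show whether the answer came via DNS.
for %%D in (%WINDOMAINS%) do nltest /dsgetdc:%%D
endlocal
exit /b 0

:srv
rem nslookup's exit code is not reliable, so test for a returned target host.
nslookup -type=SRV %1 %DNSSERVER% 2>nul | find /i "svr hostname" >nul
if errorlevel 1 (echo MISSING  %1) else (echo ok       %1)
exit /b
```

Run it once from a working OTHER.AD.SCHOOL.EDU workstation and once from a failing DOMAIN.SCHOOL.EDU one and diff the two outputs; the record or mapping that is present in one and not the other is the place to start.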


RE: [ActiveDir] Site IP Change

2005-06-23 Thread Rick Kingslan
Nathan,

Typically, the change of IP address, subnet, default gateway and associated
DNS entries will take care of most of what you need.

However, there is one more thing that needs to be done.  Pull up a command
prompt on the DC that you've re-IPed, and type this at the prompt (in its
entirety):

Net stop netlogon && net start netlogon

This will stop the netlogon service, then turn around and restart it
automatically.  As you might know, the NetLogon service is responsible for
maintaining the DNS entries (SRV records, et al.) and updating those as
necessary.  The stop/start of the service forces the update to happen 'right
now', and will be updated with the new data you've entered.

Hope this helps you along in your process.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Henderson
Sent: Thursday, June 23, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site IP Change 

We are currently updating our network infrastructure and a part of this
is having to change IPs on our internal network. Most devices are pretty
simple, but the main point I'm concerned about is changing our DCs. They
will all still be in the same subnet just using a different IP range. Is
there anything I would need to take care of specially in this situation
besides updating DNS information during/after the change to ensure
replication between DCs will function?

I'm trying to think through possible scenarios or issues that could
arise. If anyone has any insight it would be much appreciated.


Nate
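An added example of the re-IP follow-through, not from the thread: it re-registers the DC's own A record, bounces netlogon as Rick describes, then verifies the records a client needs by asking a partner DC's DNS rather than the local server, and finishes with repadmin so you can see that replication still works on the new address. Domain, site, addresses and the partner are assumptions; repadmin is from the Support Tools.

```batch
@echo off
setlocal
rem Added example; run on the DC that was just re-IPed. Domain, site, the new
rem address and the partner DC's DNS address are assumptions.
set "DOMAIN=example.com"
set "NEWIP=10.20.30.5"
set "PARTNERDNS=10.20.30.6"
set "SITE=Default-First-Site-Name"

rem 1. Re-register this host's A record, then make netlogon rewrite the SRV
rem    and CNAME records it owns (the full list is in
rem    %SystemRoot%\system32\config\netlogon.dns).
ipconfig /registerdns
net stop netlogon && net start netlogon

rem 2. Ask the partner's DNS, not this box: nslookup prints the server's own
rem    "Address:" line, which could otherwise be mistaken for the answer, and
rem    querying the partner checks the zone after replication, not the local
rem    copy.
nslookup -type=A %COMPUTERNAME%.%DOMAIN% %PARTNERDNS% 2>nul | find "%NEWIP%" >nul
if errorlevel 1 (echo STALE   A record for %COMPUTERNAME% on %PARTNERDNS%) else (echo ok      A record)

rem 3. The generic and site-specific locator records must name this DC.
for %%R in (_ldap._tcp.dc._msdcs.%DOMAIN% _kerberos._tcp.dc._msdcs.%DOMAIN% _ldap._tcp.%SITE%._sites.dc._msdcs.%DOMAIN%) do (
    nslookup -type=SRV %%R %PARTNERDNS% 2>nul | find /i "%COMPUTERNAME%.%DOMAIN%" >nul
    if errorlevel 1 (echo MISSING %%R) else (echo ok      %%R)
)

rem 4. Confirm the replication partners still reach this DC; a failure here
rem    after a clean DNS check usually means a partner cached the old address.
repadmin /showreps
endlocal
```

Give the zone one replication interval before trusting a STALE result, and check the DC's own TCP/IP DNS client settings too: a DC that still points at its old address for DNS will register fine and then fail to resolve anything.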


RE: [ActiveDir] Cannot Contact Domain over External Trust

2005-06-23 Thread Rick Kingslan
Justin,

My experience with this is simple:  Sometimes, trusts fail.  And, then the
existing elements no longer work.  It sucks, but it's true.  You can reset
and verify, you can NETDOM it to death - it's physically there, but no trust
is home.

As long as your WINS entries, DNS and/or LMHOSTS files are as you had them
before the trust failed, you can do this.

1)  Break trust(s)
2)  Re-establish the trust(s)

If it doesn't work, you should then have some event entries in the System
Event log to post back here for us to get a much keener idea of what the
problem is.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, June 23, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cannot Contact Domain over External Trust

I have a trust that has been working and all of a sudden with zero
errors it has stopped.

I have a NT 4 and a 2000 Domain with an external trust setup so that I
can grant permissions to groups from the 2000 domain to resources on the
NT 4 domain.  When I go to the 2000 domain from the NT 4 domain I am not
able to see a listing of groups or users.  It cannot find the domain.  

DNS, WINS and the trust are all working and validated.

What could be the problem?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] Cannot Contact Domain over External Trust

2005-06-23 Thread Rick Kingslan
Were there any changes - i.e. did the FSMO roles (specifically the PDC-E
role) move?

Also, are you CERTAIN that the WINS records are complete and accurate?
Have you tried creating a LMHOSTS file to ensure that the naming is correct,
with the #PRE and #DOM directives specifying the elements on each side of
the trust?

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, June 23, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

Recreated the trust and still no good.  No errors in the event logs to
post, I get the following message when I try to choose a name or group
from the domain

The specified domain either does not exist or cannot be contacted.
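An added example of the LMHOSTS fallback Rick mentions, not from the thread: it writes a #PRE #DOM entry for the other side's PDC together with the padded <1B> domain master browser entry, reloads the NetBIOS cache, and then asks the remote PDC directly which names it has registered, so you can see the 1B/1C state independently of WINS. Names and addresses are made up; run the equivalent on a DC on each side of the trust, pointing at the other side's PDC (the PDC emulator on the 2000 side).

```batch
@echo off
setlocal
rem Added example for an NT4 <-> Windows 2000 external trust. Names and
rem addresses are made up. Assumes "Enable LMHOSTS lookup" is on in the
rem TCP/IP WINS settings (the default).
set "LMHOSTS=%SystemRoot%\system32\drivers\etc\lmhosts"
set "REMOTEPDC_IP=10.0.1.10"
set "REMOTEPDC=NT4PDC"
set "REMOTEDOMAIN=OLDNT"

rem #PRE preloads the entry into the NetBIOS name cache when nbtstat -R runs.
rem #DOM:domain adds the PDC to the domain<1C> group, so trust and logon
rem traffic can find a DC of that domain without WINS. The quoted second
rem line registers domain<1B> (domain master browser): the name must be
rem padded to exactly 15 characters before \0x1B, so it is written literally
rem rather than built from the variable.
findstr /i /c:"#DOM:%REMOTEDOMAIN%" "%LMHOSTS%" >nul 2>&1 || (
    >>"%LMHOSTS%" echo %REMOTEPDC_IP%   %REMOTEPDC%   #PRE   #DOM:%REMOTEDOMAIN%
    >>"%LMHOSTS%" echo %REMOTEPDC_IP%   "OLDNT          \0x1B"   #PRE
)

rem Purge and reload the cache from LMHOSTS, then show it: both names should
rem be listed with a life of -1 (preloaded).
nbtstat -R
nbtstat -c

rem Ask the remote PDC which names it holds: expect OLDNT <1B> (domain master
rem browser) and OLDNT <1C> (domain controllers) in the table, plus <20>
rem for the server service. If <1C> is not there, the PDC itself has the
rem problem and no amount of WINS or LMHOSTS work on this side will fix it.
nbtstat -A %REMOTEPDC_IP%
endlocal
```

The same LMHOSTS entries work on the NT4 side pointing at the Windows 2000 PDC emulator; once both sides resolve each other's <1C> from the preloaded cache, a trust that still reports "cannot be contacted" is not a name resolution problem, and the port and restrictanonymous checks suggested later in the thread are the next stop.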



RE: [ActiveDir][OT] File copy with security intact

2005-06-23 Thread Rick Kingslan
It's a solid tool that MCS uses for consolidation of multiple systems to one
(think a bunch of file servers NT 4, Win2k, whatever), or for hardware to
hardware copy after the OS is installed.  Nice thing is it brings over the
security and is a bit easier for the command-line challenged, or when there
are a number of pick this, don't copy this, type decisions that need to be
made.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, June 23, 2005 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Hi Rick,


I have not had any need to try yet and I was just wondering if any one liked
it, had any problems with it and how it compares to RoboCopy. It seems to be
a take off of Fastlane's server consolidator that was written for Microsoft
several years back.


Jose 



RE: [ActiveDir] Cannot Contact Domain over External Trust

2005-06-23 Thread Rick Kingslan
Yeah  Those are fun, huh Mark?  ;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, June 23, 2005 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

I had an issue like this a few weeks ago and it involved trouble shooting
the domain master browser.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 23 June 2005 23:05
To: 'Salandra, Justin A. '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '; 'David Cliffe '
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

 check the documents anyway just to be sure the settings mentioned are not
the problem

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org; David Cliffe ;
[EMAIL PROTECTED]
Sent: 6/23/2005 11:40 PM
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

No, I would and am the only one able to do so and I know that I have not
changed it.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Thursday, June 23, 2005 5:38 PM
To: 'David Cliffe '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

First I also thought it was the 1Ch record (the one that contains all
DCs from a domain). If he can create the trust, that means the record is
available.

Has someone been changing security things on W2K, like
restrictanonymous, etc.?

See
MS-KBQ889030 (Trust between a Windows NT domain and an Active Directory
domain cannot be established or it does not work as expected)
AND
MS-KBQ823659 (Client, service, and program incompatibilities that may
occur when you modify security settings and user rights assignments)

Cheers,
#JORGE#
-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/23/2005 11:15 PM
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

This smells like WINS to me.  Sorry I can't offer much more, but I would
check and double check 1B/1C name registrations and any applicable
NetBIOS configs. (IP stack, LMHOSTS, etc...)

-DaveC
Reuters

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Thursday, June 23, 2005 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

Nope, this trust worked for weeks if not months and just poof stopped.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, June 23, 2005 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

Justin,
   Are any of the ports required by trusts
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/108124dd-31b1-4c2c-9421-6adbc1ebceca.mspx)
blocked?

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Thursday, June 23, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

No error, just that it says the domain cannot be contacted, but I am able
to ping the servers and domain controllers in that domain via DNS, WINS
and IP.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Thursday, June 23, 2005 3:35 PM
To: Salandra, Justin A.; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

what error do you get?

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/23/2005 8:56 PM
Subject: [ActiveDir] Cannot Contact Domain over External Trust

I have a trust that has been working and all of a sudden with zero
errors it has stopped.

I have an NT 4 and a 2000 Domain with an external trust setup so that I
can grant permissions to groups from the 2000 domain to resources on the
NT 4 domain.  When I go to the 2000 domain from the NT 4 domain I am not
able to see a listing of groups or users.  It cannot find the domain.

DNS, WINS and the trust are all working and validated.

What could be the problem?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]



RE: [ActiveDir] Group policy question

2005-06-23 Thread Rick Kingslan
Charlie,

Can you post the rest of the USERENV log?  There should be some more lines
after the:

USERENV(e8.8338) 17:04:15:113 GetDeletedGPOList: Finished.

For all intents and purposes, the call CheckForGPOsToRemove does exactly
what it says.  The next line enumerates the GPOs that need to be removed
for the profile/principal that is logging on.

However, I can't determine (because of the missing lines) what happened at
this point.

You should see an enumeration of the GPOs that are candidates to remove, and
then the next lines should indicate more enumeration and removal, or that
there are no more old GPOs.

Plus, there should be some flags or the report of clearing the 'dirty bit'.

Shoot those out to us, and let's see what's what.  I'd restart it - if you
can do it without affecting production to a great degree.

Rick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, June 23, 2005 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group policy question

I have an application mode W2K terminal server that people use to access
an application. As an administrator, I need to access more stuff on it
than the application, so we use either a direct console login or a
DameWare session. I have recently created some new admin accounts as I
work to reduce the rights on all domain administrators' normal
accounts.
I found that when I log in to the console as a newly created account, I
get a locked down desktop, even as an admin on that server and/or a
domain admin. If I use an old account even if it's a user-level account,
I get a normal desktop.

We have two GPs that affect the OU the server is in (aside from the
default domain policy). One is a TermSrv lockdown which prohibits pretty
much anything except the LOB app that needs to run. The other is an
administrator access policy that allows full access for users in the
domain admins group.

I've determined that the TermSrv lockdown policy is being applied to the
new accounts, even if I disable it, thus causing my problem. In my
troubleshooting efforts, I've cranked up userenv logging, and get the
following in my log:
USERENV(e8.8338) 17:04:15:113 ProcessGPOs: Processing extension Registry
USERENV(e8.8338) 17:04:15:113 CheckForGPOsToRemove: GPO  needs to be removed
USERENV(e8.8338) 17:04:15:113 GetDeletedGPOList: Finished.

I can't find anything that references the "CheckForGPOsToRemove" line,
so I don't know what it's trying to do or if it's failing. I've run
secedit/refreshpolicy machine/user_policy /enforce with no effect. I am
considering a reboot to see if it will fix the issue.

Anyone know what the "CheckForGPOsToRemove" section means?
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
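An added example, not code from the thread: a small Python parser for USERENV.LOG lines in the format Charlie quoted. It pulls out the process/thread id, timestamp, function and message, lists the GPOs that CheckForGPOsToRemove flagged (recording a missing name, as in the archived post, rather than dropping the line), and checks whether the removal pass reached "GetDeletedGPOList: Finished", which is the point Rick asks about. The sample lines and the GPO name in them are constructed (the real name did not survive the archive), and the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the USERENV.LOG format quoted in the thread.
# The GPO name in the second line is a constructed placeholder; the third
# line reproduces the archived form where the name was stripped entirely.
SAMPLE_LOG = """\
USERENV(e8.8338) 17:04:15:113 ProcessGPOs: Processing extension Registry
USERENV(e8.8338) 17:04:15:113 CheckForGPOsToRemove: GPO <Example Lockdown GPO> needs to be removed
USERENV(e8.8338) 17:04:15:113 CheckForGPOsToRemove: GPO  needs to be removed
USERENV(e8.8338) 17:04:15:113 GetDeletedGPOList: Finished.
"""

# USERENV(<pid>.<tid>) <hh:mm:ss:ms> <Function>: <message>
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<func>\w+):\s*(?P<msg>.*)$"
)
REMOVE_RE = re.compile(r"GPO <(?P<gpo>[^>]*)> needs to be removed")


@dataclass
class UserenvEntry:
    pid: str
    tid: str
    time: str
    func: str
    msg: str


def parse_userenv(text: str) -> List[UserenvEntry]:
    """Parse USERENV.LOG text into structured entries; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(UserenvEntry(**m.groupdict()))
    return entries


def gpos_marked_for_removal(entries: List[UserenvEntry]) -> List[Optional[str]]:
    """Names of GPOs CheckForGPOsToRemove flagged; None where the name is missing."""
    names: List[Optional[str]] = []
    for e in entries:
        if e.func != "CheckForGPOsToRemove" or "needs to be removed" not in e.msg:
            continue
        m = REMOVE_RE.search(e.msg)
        names.append(m.group("gpo") if m else None)
    return names


def removal_pass_complete(entries: List[UserenvEntry]) -> bool:
    """True if a CheckForGPOsToRemove entry is later followed by GetDeletedGPOList: Finished."""
    seen_check = False
    for e in entries:
        if e.func == "CheckForGPOsToRemove":
            seen_check = True
        elif seen_check and e.func == "GetDeletedGPOList" and e.msg.startswith("Finished"):
            return True
    return False


if __name__ == "__main__":
    parsed = parse_userenv(SAMPLE_LOG)
    for entry in parsed:
        print(f"{entry.time} [{entry.pid}.{entry.tid}] {entry.func}: {entry.msg}")
    print("flagged for removal:", gpos_marked_for_removal(parsed))
    print("removal pass complete:", removal_pass_complete(parsed))
```

The same parser runs over a full USERENV.LOG; filtering on `tid` separates the machine and user policy threads that interleave in one file.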


RE: [ActiveDir] Group policy question

2005-06-23 Thread Rick Kingslan
I wish I had a nickel for every time I solved a problem by explaining it to
someone else.  Verbalizing it or putting it on paper (or virtually so...)
has such a tendency to make you walk the steps.

That's why I wanted to see the USERENV log.  I suspected that you might be
dealing with a Profile problem, and not a GPO after all.  But, it's all a
process of elimination, and I thought we'd get the GPO either in or out.

Glad it's all resolved

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, June 23, 2005 9:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group policy question

Rick; I sent you the file offlist. I just rebooted the machine and still
have the same problem. Back to the drawing board...
I wanted to run gpresult, but since I can't get to anything on the
machine... :-)
I did run it using PSExec from another machine while I was logged in as
the new user. I don't see the lockdown policy mentioned, but it's still
in effect. In my GPMC, the policy is shown as "all settings disabled".

Wait; wait; wait...

OK. I figured it out.

When I did the initial lockdown, I logged in as a test user and verified
that I couldn't get to anything. Once that was complete, I copied that
user's profile to the default user profile. I just tried copying one of
the old administrator-level profiles to the new account profile and it
works fine. It's not the GPO that's doing the lockdown; it's the
profile.
I wonder how I would have figured THAT out without knowing what I tend
to do with user profiles...

Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Thursday, June 23, 2005 6:17 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Group policy question
> 
> Charlie,
> 
> Can you post the rest of the USERENV log?  There should be 
> some more lines
> after the:
> 
> USERENV(e8.8338) 17:04:15:113 GetDeletedGPOList: Finished.
> 
> For all intents and purposes, the call CheckForGPOsToRemove 
> does exactly
> what it says.  The next line enumerates the GPOs that need 
> to be removed
> for the profile/principal that is logging on.
> 
> However, I can't determine (because of the missing lines) 
> what happened at
> this point.
> 
> You should see an enumeration of the GPOs that are candidates 
> to remove, and
> then the next lines should indicate more enumeration and 
> removal, or that
> there are no more old GPOs.
> 
> Plus, there should be some flags or the report of clearing 
> the 'dirty bit'.
> 
> Shoot those out to us, and let's see what's what.  I'd 
> restart it - if you
> can do it without affecting production to a great degree.
> 
> Rick
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Charlie Kaiser
> Sent: Thursday, June 23, 2005 7:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Group policy question
> 
> I have an application mode W2K terminal server that people use 
> to access
> an application. As an administrator, I need to access more stuff on it
> than the application, so we use either a direct console login or a
> DameWare session. I have recently created some new admin accounts as I
> work to reduce the rights on all domain administrators' normal
> accounts.
> I found that when I log in to the console as a newly created 
> account, I
> get a locked down desktop, even as an admin on that server and/or a
> domain admin. If I use an old account even if it's a 
> user-level account,
> I get a normal desktop.
> 
> We have two GPs that affect the OU the server is in (aside from the
> default domain policy). One is a TermSrv lockdown which 
> prohibits pretty
> much anything except the LOB app that needs to run. The other is an
> administrator access policy that allows full access for users in the
> domain admins group.
> 
> I've determined that the TermSrv lockdown policy is being 
> applied to the
> new accounts, even if I disable it, thus causing my problem. In my
> troubleshooting efforts, I've cranked up userenv logging, and get the
> following in my log:
> USERENV(e8.8338) 17:04:15:113 ProcessGPOs: Processing 
> extension Registry
> USERENV(e8.8338) 17:04:15:113 CheckForGPOsToRemove: GPO  Lockdown> needs to be removed
> USERENV(e8.8338) 17:04:15:113 GetDeletedGPOList: Finished.
> 
> I can't find anything that references the "CheckForGPOsToRemove

RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

2005-06-24 Thread Rick Kingslan
I initially started looking at this from one viewpoint, and then I began to
think about slow link detection.  

You've taken traces to determine the size...  What is the return message
from ICMP when this large packet is detected by the PIX?  Or, does the PIX
just discard it?

If the PIX is discarding it, I suspect it might be possible that the link is
being interpreted as very slow.

What if you disable slow link detection at the GPOs?

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, June 24, 2005 5:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

Hi,

I have a problem with remote sites in active directory not applying group
policies.  I've discovered that when the PC starts or logs on it will send
an oversize ICMP packet to the DC to establish that the connection is
available and good.  As my sites are connected through a VPN via a PIX I've
discovered that the ICMP gets blocked by the PIX.

App., by default, the PIX does not allow ICMP packets greater than 2k and the
packet from the PC to the DC is bigger than this, therefore the PC doesn't
get a reply so assumes that the connection is not that great, thus the
USERENV does not download and apply the GPOs.

I've found that there are two work-arounds to this problem.  One is to
modify the registry on every PC to not bother sending the packet and just
download GPOs anyway by adding these keys:

Windows Registry Editor Version 5.00 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] 
"GroupPolicyMinTransferRate"=dword: 


Windows Registry Editor Version 5.00 
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System] 
"GroupPolicyMinTransferRate"=dword:

...and the other is to increase the allowed size of the ICMP packet on the
PIX from 2k to something higher like 3k.

I can't really justify changing thousands of PCs' registry settings when I
believe there is a quicker solution by modifying the PIX.

So the question is (finally!), does anyone know how to increase the ICMP
packet size on the PIX?

TIA

Adam




RE: [ActiveDir] Advertising RPC services - best practices

2005-06-24 Thread Rick Kingslan
Neil,

What are you trying to restrict?  Access to the App, access via RPC, or access via AD?
I can help, but the scope is pretty big at this point.

Rick


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, June 24, 2005 9:40 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Advertising RPC services - best practices

Does anyone have any suggestions, comments or experiences with applications that
advertise themselves via the RPCservices container in AD?

Specifically, the subject of security is of interest to me, i.e. how can the
application be restricted so that it has a minimum set of privileges without
'breaking' the app?

I have read various MS papers on the subject and am happy with the general
principles involved. I'm more interested in "real world" examples :)

TIA,

neil



RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

2005-06-24 Thread Rick Kingslan
LOL!  Yeah, quite true - if I can't get the policy out, how do you disable
it?

I did the same in regards to the PIX docs.  I can't find any setting
anywhere that allows a define on the size of the ICMP packet.  As to the
actual size of the ICMP for slow link...  Huh.  Don't know.  I did the same
as you, Darren.  Looked through some code and didn't find anything that
screamed 'here is where the max ICMP size is set'.

I like your registry.pol scheme, and it might be really the only option
available in this circumstance.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, June 24, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

This is one of those chicken and egg problems. When ICMP slow link
detection fails (i.e. no response is received to the ping request), no
GP processing occurs at all, so you can't disable slow detection through
GP. So you can't deliver the reg changes to disable slow link detection
through GP. Fun. One novel approach I've seen is to make the change on
the local GPO and then copy the relevant registry.pol files from the
local GPO to all machines in the environment. Not elegant, but it gets
the job done.

I've seen it documented that slow link detection uses max. packet sizes
of 2048 bytes. However, in looking at the code around slow link
detection, I found nothing in there that limited it to that, so I kinda
wonder. In sniffer traces that I've done, however, I've not seen it
above that, and often see smaller sizes. You say below that you are
allowing 2K packets--is it exactly 2000 bytes or is it 2048? Frankly,
rather than having to lose the benefits of slow link detection by
disabling it completely, I would definitely take the approach of opening
up the firewall a bit to allow it to happen naturally. Unfortunately, my
Cisco skills have evaporated over the years so I am no help in directing
you to actually make the change. A quick look at a Cisco Pix config.
guide didn't show it where I would have expected it, either in the
access list commands or in the icmp command. 

Darren



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 24, 2005 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO
related

I initially started looking at this from one viewpoint, and then I began
to think about slow link detection.  

You've taken traces to determine the size...  What is the return message
from ICMP when this large packet is detected by the PIX?  Or, does the
PIX just discard it?

If the PIX is discarding it, I suspect it might be possible that the
link is being interpreted as very slow.

What if you disable slow link detection at the GPOs?

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, June 24, 2005 5:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

Hi,

I have a problem with remote sites in active directory not applying
group policies.  I've discovered that when the PC starts or logs on it
will send an oversize ICMP packet to the DC to establish that the
connection is available and good.  As my sites are connected through a
VPN via a PIX I've discovered that the ICMP gets blocked by the PIX.

App., by default, the PIX does not allow ICMP packets greater than 2k and
the packet from the PC to the DC is bigger than this, therefore the PC
doesn't get a reply so assumes that the connection is not that great,
thus the USERENV does not download and apply the GPOs.

I've found that there are two work-arounds to this problem.  One is to
modify the registry on every PC to not bother sending the packet and
just download GPOs anyway by adding these keys:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword: 


Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:

...and the other is to increase the allowed size of the ICMP packet on
the PIX from 2k to something higher like 3k.

I can't really justify changing thousands of PCs' registry settings when I
believe there is a quicker solution by modifying the PIX.

So the question is (finally!), does anyone know how to increase the ICMP
packet size on the PIX?

TIA

Adam


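An added example, not from the thread: a Python model of the slow link test the posts above describe, with the 2048-byte probe the thread mentions, a firewall that drops echoes above a configured payload size, and the GroupPolicyMinTransferRate threshold. The 500 kbps default threshold and the 10 ms "fast" cutoff are the documented Windows 2000/XP defaults as I recall them and are assumptions here, as is the simplified bandwidth formula (the real client averages several probes); all function names are mine. It shows why a dropped probe yields no estimate at all, which is the chicken-and-egg case Darren describes, and why setting the threshold to 0 sidesteps the test rather than fixing the path.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed constants (documented defaults as recalled; the thread gives only the 2048 figure).
PROBE_BYTES = 2048       # payload of the large ICMP echo used by slow link detection
DEFAULT_MIN_KBPS = 500   # GroupPolicyMinTransferRate default, in kbps
FAST_DELTA_MS = 10       # below this extra delay the link is simply treated as fast


@dataclass
class ProbeResult:
    small_rtt_ms: Optional[float]   # RTT of the zero-payload echo, None if no reply
    large_rtt_ms: Optional[float]   # RTT of the PROBE_BYTES echo, None if no reply


def firewall_passes(payload_bytes: int, max_icmp_payload: int) -> bool:
    """Model of a firewall rule that drops ICMP echoes above a payload size."""
    return payload_bytes <= max_icmp_payload


def probe_link(small_rtt_ms: float, large_rtt_ms: float, max_icmp_payload: int) -> ProbeResult:
    """Constructed probe: the client sends both echoes; whichever the firewall drops
    never gets a reply, so the client records None for it."""
    small = small_rtt_ms if firewall_passes(0, max_icmp_payload) else None
    large = large_rtt_ms if firewall_passes(PROBE_BYTES, max_icmp_payload) else None
    return ProbeResult(small, large)


def estimate_kbps(result: ProbeResult) -> Optional[float]:
    """Bandwidth estimate from the extra time the large echo cost; None if either echo was lost."""
    if result.small_rtt_ms is None or result.large_rtt_ms is None:
        return None
    delta_ms = result.large_rtt_ms - result.small_rtt_ms
    if delta_ms < FAST_DELTA_MS:
        return float("inf")
    # bits carried by the extra payload, divided by the time that payload cost, in kbps
    return PROBE_BYTES * 8 / (delta_ms / 1000.0) / 1000.0


def gp_decision(result: ProbeResult, min_transfer_rate_kbps: int = DEFAULT_MIN_KBPS) -> str:
    """'fast', 'slow', or 'no-processing'.

    A threshold of 0 is the registry workaround from the post: the test is skipped.
    No reply to the probe gives 'no-processing', which is the behaviour Darren
    describes (no GP processing at all, so a GPO cannot deliver the fix)."""
    if min_transfer_rate_kbps == 0:
        return "fast"
    kbps = estimate_kbps(result)
    if kbps is None:
        return "no-processing"
    return "fast" if kbps >= min_transfer_rate_kbps else "slow"


if __name__ == "__main__":
    # Firewall allows 4096-byte echoes: the probe completes and a rate is estimated.
    ok = probe_link(small_rtt_ms=5.0, large_rtt_ms=45.0, max_icmp_payload=4096)
    print("open firewall:", estimate_kbps(ok), gp_decision(ok))
    # Firewall caps echoes at 2000 bytes: the 2048-byte probe is dropped.
    capped = probe_link(small_rtt_ms=5.0, large_rtt_ms=45.0, max_icmp_payload=2000)
    print("capped firewall:", estimate_kbps(capped), gp_decision(capped))
    print("capped firewall, threshold 0:", gp_decision(capped, min_transfer_rate_kbps=0))
```

Note that a 2000-byte cap and a 2048-byte cap behave differently here, which is exactly the "is it 2000 or 2048" question Darren raises; checking the firewall's actual limit against the probe size is cheaper than disabling the test fleet-wide.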

RE: [ActiveDir] Cannot Contact Domain over External Trust

2005-06-24 Thread Rick Kingslan
Tool from Sysinternals at Winternals

http://www.sysinternals.com/Utilities/TcpView.html

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, June 24, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

What is tcpview?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, June 24, 2005 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

In my company a separate organization maintains the firewalls & routers
and sometimes they go through and change port/protocol settings with no
warning.  Looking at this thread, I'm leaning toward a connectivity
issue.  tcpview is a great tool.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Salandra, Justin
A.
Sent: Thursday, June 23, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust


Nope, this trust worked for weeks if not months and just poof stopped.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, June 23, 2005 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

Justin,
   Are any of the ports required by trusts
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/108124dd-31b1-4c2c-9421-6adbc1ebceca.mspx)
blocked?

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Thursday, June 23, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

No error, just that it says the domain cannot be contacted, but I am able
to ping the servers and domain controllers in that domain via DNS, WINS
and IP.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Thursday, June 23, 2005 3:35 PM
To: Salandra, Justin A.; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

what error do you get?

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/23/2005 8:56 PM
Subject: [ActiveDir] Cannot Contact Domain over External Trust

I have a trust that has been working and all of a sudden with zero
errors it has stopped.

I have an NT 4 and a 2000 Domain with an external trust setup so that I
can grant permissions to groups from the 2000 domain to resources on the
NT 4 domain.  When I go to the 2000 domain from the NT 4 domain I am not
able to see a listing of groups or users.  It cannot find the domain.

DNS, WINS and the trust are all working and validated.

What could be the problem?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]



RE: [ActiveDir] Cannot Contact Domain over External Trust

2005-06-24 Thread Rick Kingslan
Wow!  They do that at your company, too?  And here I thought *I* was the
ONLY one with a non-communicative, dysfunctional network engineering group.

Huh.  Well, that ruins all of my 'these are the worst EVER network folks'
excuses.  You've just matched me!

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, June 24, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

In my company a separate organization maintains the firewalls & routers and
sometimes they go through and change port/protocol settings with no warning.
Looking at this thread, I'm leaning toward a connectivity issue.  tcpview is
a great tool.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Salandra, Justin
A.
Sent: Thursday, June 23, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust


Nope, this trust worked for weeks if not months and just poof stopped.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, June 23, 2005 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

Justin,
   Are any of the ports required by trusts
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/108124dd-31b1-4c2c-9421-6adbc1ebceca.mspx)
blocked?

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Thursday, June 23, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

No error, just that it says the domain cannot be contacted, but I am able
to ping the servers and domain controllers in that domain via DNS, WINS
and IP.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Thursday, June 23, 2005 3:35 PM
To: Salandra, Justin A.; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Cannot Contact Domain over External Trust

what error do you get?

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/23/2005 8:56 PM
Subject: [ActiveDir] Cannot Contact Domain over External Trust

I have a trust that has been working and all of a sudden with zero
errors it has stopped.

I have an NT 4 and a 2000 Domain with an external trust setup so that I
can grant permissions to groups from the 2000 domain to resources on the
NT 4 domain.  When I go to the 2000 domain from the NT 4 domain I am not
able to see a listing of groups or users.  It cannot find the domain.

DNS, WINS and the trust are all working and validated.

What could be the problem?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]



RE: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in the same dns hierarchy

2005-06-24 Thread Rick Kingslan
IIRC, the trusts are defined and stored as GUIDs.  So, determining the GUIDs
is going to make it much easier to determine where the information is
stored.  Let me poke around a bit.

As I mentioned yesterday - things are a bit frantic right now, so I might
not get to it today.  But, soon the rush is going to be over and I'll be
able to get back to normal (well, some semblance of normal).

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrew Riley
Sent: Friday, June 24, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in
the same dns hierarchy

I've gotten some new info on this topic.  Apparently the default in MIT 
Kerberos is the trust path will go from a 4th level domain (in our CASE 
OTHER.AD.SCHOOL.EDU) to its 3rd level parent (AD.SCHOOL.EDU) to its 2nd 
level parent and so on.  If the trust is established, but the 
REALMS/domains are not laid out in such an order, you have to manually 
specify how to follow the trust path.

I'm curious if anyone knows where the trust information is stored in AD. 
I've been using ADSIEdit.exe to look through the domain info, but I can't 
seem to find any LDAP records of the trusts I've established.

andrew

--On Thursday, June 23, 2005 12:04 PM -0400 Andrew Riley 
<[EMAIL PROTECTED]> wrote:

> Sorry if I made this confusing, I tried to condense the problem as best I
> could but it's a bit hard to wrap up in a neat little package.
>
> The entire campus has a central BIND DNS, there is no use of individual
> MS or BIND DNS for the individual domains.  All domains manually register
> their records.
>
> All the hostnames, cnames, srv records etc. are resolvable by all of the
> hosts involved.
>
> When a client successfully authenticates their workstation gets a TGT
> from the MIT KDC and then that gets passed along to AD.SCHOOL.EDU.
> I'd assume that it must pass through their local domain controller on the
> way. Once it is mapped to an account in AD.SCHOOL.EDU it also gets a TGT
> from its local DC as well and any other tickets it is supposed to have.
>
> Here are some events that are logged when I try a valid user/pass from
> the MIT realm, that has not been mapped to a user account in
> AD.SCHOOL.EDU.
>
> When OTHER.AD.SCHOOL.EDU trusts AD.SCHOOL.EDU and I try to log on these
> errors are logged
>
> ON THE AD.SCHOOL.EDU domain controller
>
> --
> Event Type:   Failure Audit
> Event Source: Security
> Event Category:   Account Logon
> Event ID: 678
> Date: 6/23/2005
> Time: 11:47:44 AM
> User: NT AUTHORITY\SYSTEM
> Computer: EINS
> Description:
> Account Mapped for Logon.
>  Mapping Attempted By:
>   kdc
>  Client Name:
>   [EMAIL PROTECTED]
>   Mapped Name:
>   
>
> ---
>
>
> AND ALSO ON THE OTHER.AD.SCHOOL.EDU domain controller
>
> 
> Event Type:   Failure Audit
> Event Source: Security
> Event Category:   Account Logon
> Event ID: 678
> Date: 6/23/2005
> Time: 11:47:45 AM
> User: NT AUTHORITY\SYSTEM
> Computer: DREI
> Description:
> Account Mapped for Logon.
>  Mapping Attempted By:
>   kdc
>  Client Name:
>   [EMAIL PROTECTED]
>   Mapped Name:
>   
>
> -
>
> This is fine.  Since the user isn't mapped it tries to find the mapping
> in AD.SCHOOL.EDU because that's the one that trusts the SCHOOL.EDU realm,
> then it tries to find the mapping in OTHER.AD.SCHOOL.EDU.  Since it
> doesn't exist in either place, logon fails.
>
>
> When a user is mapped properly and successfully authenticated an entry
> like this is logged on the AD.SCHOOl.EDU domain controller
>
> -
> Event Type:   Success Audit
> Event Source: Security
> Event Category:   Account Logon
> Event ID: 678
> Date: 6/23/2005
> Time: 11:26:25 AM
> User: AD\myuser
> Computer: EINS
> Description:
> Account Mapped for Logon.
>  Mapping Attempted By:
>   kdc
>  Client Name:
>   [EMAIL PROTECTED]
>   Mapped Name:
>   myuser
>
> -
>
> So when set up as OTHER.SCHOOL.EDU trusts AD.SCHOOL.EDU an event as shown
> below is logged only on the workstation itself.
>
> --
> Event Type:   Failure Audit
> Event Source: Security
> Event Category:   Account Logon
> Event ID: 529
> Date: 6/23/2005
> Time: 11:26:25 AM
> User: NT AUTHORITY\SYSTEM
> Computer: myWorkstation
> Description:
> Logon Failure:
>   Reason: Unknown user name or bad password
>   User name:  myuser
>   Domain: SCHOOL.EDU
>   Logon Type: 2
>   Logon Process:  User32
>   Authentication Package:  Negotiate
>   Workstation Name:   myWorkstation
>
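
As an added example (not code from Andrew's message or from MIT Kerberos itself), the Python below computes the hierarchical default path Andrew describes and applies a [capaths]-style override for the layout in which the trust does not follow the realm names. Treating two realms with no common name suffix as having no default path, and the dict shape used for the override table, are assumptions of the example.

```python
"""Added example (not code from the thread): how the MIT Kerberos default
trust path follows the realm name hierarchy, and how a [capaths]-style
override replaces it when the actual trusts do not follow the names.

Assumptions not stated on the page: two realms with no common name suffix
get no default path (an override is then required), and the override table
is modelled as {client_realm: {server_realm: [hops]}} with "." standing for
a direct trust, mirroring krb5.conf [capaths] syntax.
"""


def _ancestors(realm):
    """'OTHER.AD.SCHOOL.EDU' -> the realm and each parent, most specific first."""
    labels = realm.upper().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def hierarchical_path(client_realm, server_realm):
    """Default path: walk up from the client realm to the nearest name it
    shares with the server realm, then down to the server realm.
    Returns the full realm list (client first, server last), or None when
    the two realms share no suffix at all (assumption of this example)."""
    up, down = _ancestors(client_realm), _ancestors(server_realm)
    common = next((r for r in up if r in down), None)
    if common is None:
        return None
    climb = up[: up.index(common) + 1]        # client ... common
    descend = down[: down.index(common)]      # server ... child of common
    return climb + list(reversed(descend))


def trust_path(client_realm, server_realm, capaths=None):
    """Resolve the path a client in client_realm takes to reach a service in
    server_realm, honouring a capaths override when one exists."""
    capaths = capaths or {}
    hops = capaths.get(client_realm.upper(), {}).get(server_realm.upper())
    if hops is None:
        return hierarchical_path(client_realm, server_realm)
    via = [hop.upper() for hop in hops if hop != "."]
    return [client_realm.upper()] + via + [server_realm.upper()]


def render_capaths(capaths):
    """Write the override table in krb5.conf [capaths] syntax."""
    lines = ["[capaths]"]
    for client, targets in capaths.items():
        lines.append(f"    {client} = {{")
        for server, hops in targets.items():
            lines.extend(f"        {server} = {hop}" for hop in hops)
        lines.append("    }")
    return "\n".join(lines)


# The layout from the thread: MIT realm SCHOOL.EDU, trusted by AD.SCHOOL.EDU,
# whose child domain is OTHER.AD.SCHOOL.EDU. The names follow the hierarchy,
# so the default path already runs through AD.SCHOOL.EDU.
HIERARCHICAL = trust_path("SCHOOL.EDU", "OTHER.AD.SCHOOL.EDU")

# The non-hierarchical variant: a domain named OTHER.SCHOOL.EDU that in fact
# trusts AD.SCHOOL.EDU. By name alone it looks like a direct child of the MIT
# realm, so the default path skips the realm that actually holds the trust.
OVERRIDE = {"SCHOOL.EDU": {"OTHER.SCHOOL.EDU": ["AD.SCHOOL.EDU"]}}
DEFAULT_WRONG = trust_path("SCHOOL.EDU", "OTHER.SCHOOL.EDU")
WITH_CAPATHS = trust_path("SCHOOL.EDU", "OTHER.SCHOOL.EDU", OVERRIDE)

if __name__ == "__main__":
    print("default, hierarchical names :", " -> ".join(HIERARCHICAL))
    print("default, mismatched names   :", " -> ".join(DEFAULT_WRONG))
    print("with capaths override       :", " -> ".join(WITH_CAPATHS))
    print(render_capaths(OVERRIDE))
```
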

RE: [ActiveDir] Exchange SSL Certificate "Client Authentication"

2005-06-25 Thread Rick Kingslan
Noah,

I suspect that you’re missing a root certificate.  Review your process of
creating and importing the certificate into the certificate store to ensure
that you, in fact, did have and use the proper Root CA, and that it’s in the
correct store.

Ironically, (and I know that this is hard to believe) sometimes Microsoft’s
automatic process for getting a cert into the right store doesn’t work.  ;o)

Rick

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Saturday, June 25, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange SSL Certificate "Client Authentication"

Hi –

I have OWA running on Exchange 2003. I have purchased an SSL certificate from
GoDaddy.com and installed it. Now, when clients connect using
https://webmail.mycompany.com/exchange, they get a prompt (after supplying
credentials):

Client Authentication: “The Web site you want to view requests identification.
Select the certificate to use when connecting.” There are no certificates
supplied in the dialog box. Depending on the version of IE, the text is
slightly different. If the user simply clicks OK, they get in and the
transactions appear to be going over SSL (the little lock is present and
closed).

Finally, this only seems to happen with clients accessing from the outside;
internal machines can see it fine.

Any ideas how to prevent this from happening?

Thanks.

--
nme

RE: [ActiveDir] Exchange SSL Certificate "Client Authentication"

2005-06-26 Thread Rick Kingslan
Or, the Intermediate CA cert…..  ;-)

Rick

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Sunday, June 26, 2005 2:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange SSL Certificate "Client Authentication"

Thanks, Rick. I created the certreq.txt, pasted it into the form at Godaddy,
they sent me a public key which I then processed through the IIS Certificate
Wizard. One thing was that Godaddy also sent an “Intermediate Certificate”
which they had me install in the Certificate snap-in. Could this be the source
of the problem?

This is what they said about it:

ABOUT THE INTERMEDIATE CERTIFICATE

Before you install your Web Server Certificate you must install our
intermediate certificate -- the sf_issuing.crt -- on your Web server. An
intermediate certificate is a subordinate certificate issued by the trusted
root specifically to issue end-entity server certificates. The result is a
chain that begins at the trusted root CA, through the intermediate
certificate, and ending with the Web Server SSL certificate issued to you.
Such a certificate is called "chained root certificate." The usage of an
intermediate certificate thus provides an added level of security as the
Certification Authority (CA) does not need to issue certificates directly from
its CA root certificate.

RE: [ActiveDir] Domain Admins Group Membership

2005-06-28 Thread Rick Kingslan
Yes, I do.  But, his question had nothing to do with "Is it right or not?"
I count on joe to totally over-react to such things!

:op

But, just for the record, I don't condone in any way the overuse or the
mismanagement of advanced privileges and rights for convenience in any way,
shape or form.

I, personally, prefer to see a 'role based' administration model in which
the defined NEEDS (as compared to the whacked out wants of most technical
people) are developed in conjunction with the Technical people doing the
work and the Technical staff in one's Information Security dept.

These roles would align with what technical staff do.  I only NEED one or
two Domain Admins.  On the other hand, I need a bunch of people that can
manage, add, modify users, groups and computers, but they still have to earn
the privilege.  Same goes with GPO, etc, etc, etc.  Just because you can
spell GPO doesn't mean I trust you to work on them.

And, I am also a strong believer that if you can review event logs to
determine health of machines from your desktop, then why do you RDP to
servers?  I'm also not going to give you the right to shut down systems just
because you think you're making MY life easier. Wake me up...  If it needs
to be shut down, I'll do it.

I also am a strong believer in change control and following procedure.  But,
if you've done none of the above - then why bother with Change Control or
procedures?  Both assume that there is a sequence of control built into your
systems - which if you're not doing the above - isn't the case.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Now that we're beyond the technical specs... does anyone else cringe at
the idea of granting domain admin privileges to satisfy local
administrative rights privileges to machines?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Group Membership

Juan,

You won't be able to add users from another domain to the Domain Admins
group.  The Domain Admins group is a global group, and the rule for Global
Groups is that they can contain users from the domain in which the
global group was created.

By that rule, only users of Domain A may be members of the Domain Admins
group of Domain A.

However, IIRC, the Administrators group is a special group or a Domain
Local group, and will allow the add of users from Domain B.

Rick

> 
> From: "Ibarra, Juan" <[EMAIL PROTECTED]>
> Date: 2005/06/27 Mon AM 11:24:58 EDT
> To: 
> Subject: [ActiveDir] Domain Admins Group Membership
> 
> Hi,
> 
>  
> 
> I need to add certain users from domain B, Win 2000 Domain, to the
> Domain Admins group of Domain A, Windows 2003 Domain.  There is a two
> way trust between the two domains; however, I don't seem to find the
> way to do this.  I am able to add users to shares but not the group.
> 
> 
> How could I accomplish this?
> 
>  
> 
> Thanks,
> 
> Juan 
> 
>  
> 
>  
> 
> 
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT - just a bit OT. Visio and AD

2005-07-01 Thread Rick Kingslan
Yep - it *IS* very cool.  Guido showed us this during a Pre-Conference
session at this year's Directory Expert's conference.

However, I should note that even though there were many requests, Guido
flatly REFUSED to give away free copies to all attendees.

Guido is not very generous[1]  ;o)

Rick

[1] Guido, I certainly HOPE you know I'm just kidding.  You are, in fact
EXTREMELY generous. [2]  

[2] However, I still want a free copy...  :oP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, July 01, 2005 12:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD

FWIW, in the latest revision the HP OVOw tool is now called the HP
OpenView Topology Viewer or OVTV.  The tool now accompanies both the AD
SPI and the Exchange SPI since it features the capability to visually
lay out both the Active Directory and the Exchange Organization.  Also
the tool can now save the views into an XML format for easy reuse and
possible data accessibility by another application or script.

I could not find any documentation on the HP web site showing updated
screen shots from the latest revision (although I did not look too hard)
so I have temporarily posted some basic screen shots of a test
environment at the following URL if anyone wants to take a peek.

http://www.sacnet.us/ovtv

Regards,

Aric Bernard 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 30, 2005 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD

I think I could have called that one. ;o)

Thanks for doing that, my version was pretty old. Last time I ran it at

it generated a map that was like 14 pages wide or something like that.
Rather large but still useful.


Also since Guido hasn't mentioned it, folks may want to peek at the HP OVO/W
ADSPI package. The old Age of Directories piece is in there and named Active
Directory Topology Viewer (ADTV). The view you get with that is very cool.
Heck it was very cool when I got it from Mickey back like 5-6 years ago.


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, June 30, 2005 7:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD

Ok I received many "me too" posts and since most of you are likely blocking
attachments I have simply set up a download workspace that will be available
for a day or so.  As I stated below this tool comes with no official support
from Microsoft.  If you want to download it please use the following
workspace to do so:

https://sftus.one.microsoft.com/choosetransfer.aspx?key=d47fed07-f9fd-48cf-9410-b597605c104a

Select Receive Files from Microsoft and use the following password:
L#oHvsiu[d

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, June 30, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD

However there is a tool that is often used by support engineers at Microsoft
called ADMap that can produce maps of your AD including OUs.
It is however not fully supported and simply a tool that allows for easy
documentation of an environment.  It will query the data from AD and make
nice Visio diagrams of your AD and Exchange environment.  I will send it to
you offline but it comes with no support. :-)

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, June 30, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD

Doh so now I have to manually create the layout.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, June 30, 2005 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - just a bit OT. Visio and AD

Microsoft removed this functionality; it is on the Vision website.

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: 30 June 2005 22:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT - just a bit OT. Visio and AD

Has anyone used Visio 2003 to connect to AD and get the OU structure?  I
have done it using an older version of Visio but seem to be having problems
getting 2003 to do it.

Jeff


RE: [ActiveDir] Corrupted NTDS.dit

2005-07-01 Thread Rick Kingslan
In all honesty, just because it's in a KB does not make it less confusing or
misleading.  There are many procedures and policies that make no sense at
all - they just haven't been changed, clarified or deleted.

I'd suggest that everyone just take a deep breath.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike (OFT)
Sent: Friday, July 01, 2005 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Corrupted NTDS.dit

http://support.microsoft.com/?kbid=216498

Maybe now you won't feel so confused or misled.


Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, July 01, 2005 1:09 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Corrupted NTDS.dit

When you say 'from Microsoft', may I ask where?  

IMHO, much of the statement is inaccurate at worst and misleading or
confusing at best.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike (OFT)
Sent: Friday, July 01, 2005 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Corrupted NTDS.dit

This is from Microsoft:


Remove the cname record in the _msdcs.root domain of forest zone in DNS.
Assuming that DC is going to be reinstalled and re-promoted, a new NTDS
Settings object is created with a new GUID and a matching cname record
in DNS. You do not want the DC's that exist to use the old cname record.


This is what I was trying to convey to you. Sorry if there was any
confusion.

Mike-

Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, July 01, 2005 11:41 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Corrupted NTDS.dit

I don't follow you, ALL remaining DCs will still have the retired DC's
metadata until such time as it is 'cleaned up'.  Joe is not suggesting
anything to the contrary, he is stating that since the DC GUID will
be reseeded during the promotion, CNAME resolution alone will not
cause replication to fail.  The replication relationship between two DCs
is expressed by a connection object, the connection object's fromServer
property refers to the DN of a DC's NTDS Settings object (its metadata),
the objectGUID property of the DC's NTDS Settings object is used to seed
each DC's DC GUID which is, in turn, registered in DNS by each DC's
respective NETLOGON service (along with a number of SRV records and A
records).

Joe's point is simply this; once the source DC used during the promotion
of the newly reborn DC has pushed the new metadata out, a replication
topology will be built by the existing DCs inclusive of the new DC.
Connection objects will then be created pointing to the new DC's NTDS
Settings object which will in turn provide the existing DCs with a means
of resolving it (replication latency and/or DNS cache TTLs accepted).

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike (OFT)
Sent: Friday, July 01, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Corrupted NTDS.dit

That is correct for a new Domain Controller. However, if a Domain
Controller is re-promoted before the old CNAME records are cleaned up,
there may be other Domain Controllers in the Domain that still have the
OLD CNAME record with the old GUID and if there are different GUIDs for
the same host name, replication problems can happen.

This is why they recommend running a metadata cleanup and removing any
old records before promoting the DC again. It is also recommended that
you remove the old FRS entries using ADSI Edit.


Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 01, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Corrupted NTDS.dit

That really still shouldn't be an issue unless I am missing something here.
Please bear with me.

The mapping in DNS isn't hostname to GUID, it is GUID to hostname. When
a DC wants to replicate with this new DC, it will use the new GUID and
that shouldn't exist in DNS until the re-promoted DC registers it.

Prior to registration the GUID would be unresolvable and no replication
would be allowed[1]. I used to use that for stopping DC's from pulling
replication from a specific DC - usually when the troublesome DC was on
the end of a misbehaving WAN connection and I was experiencing rough RPC
and excessive timeouts. 

Once registered, the GUID would be found and translated to a hostname
which can in turn be resolved to an IP. This would in turn allo
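
An added example, not code from the thread or from any Microsoft tool: it walks the fromServer -> NTDS Settings objectGUID -> _msdcs CNAME chain Dean describes over constructed data, and sorts findings into the order joe and Dean argue for (stale metadata first, leftover CNAMEs last). All DNs, GUIDs and host names are constructed placeholders, not values from any real forest.

```python
"""Added example (not code from the thread, Microsoft, or any tool named in
it): a consistency check over the three things Dean's message links together:
connection objects (fromServer -> a DC's NTDS Settings DN), the objectGUID of
each NTDS Settings object (the DC GUID), and the <guid>._msdcs CNAME that
NETLOGON registers for it.  Everything below is constructed: a small forest
in which DC2 was demoted and re-promoted, and DC3 was retired without
metadata cleanup."""

SITE_DN = "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test"


def ntds_dn(server):
    """DN of a DC's NTDS Settings object (constructed naming, single site)."""
    return f"CN=NTDS Settings,CN={server},CN=Servers,{SITE_DN}"


# NTDS Settings DN -> objectGUID for the DCs that currently exist (constructed).
NTDS_SETTINGS = {
    ntds_dn("DC1"): "11111111-1111-1111-1111-111111111111",
    ntds_dn("DC2"): "33333333-3333-3333-3333-333333333333",  # reseeded on re-promotion
}

# (owning DC, fromServer DN) for each inbound connection object (constructed).
CONNECTION_OBJECTS = [
    ("DC1", ntds_dn("DC2")),
    ("DC2", ntds_dn("DC1")),
    ("DC1", ntds_dn("DC3")),  # DC3 is gone; its metadata was never cleaned up
]

# <guid>._msdcs.<forest> CNAME records: DC GUID -> host name (constructed).
MSDCS_CNAMES = {
    "11111111-1111-1111-1111-111111111111": "dc1.example.test",
    "22222222-2222-2222-2222-222222222222": "dc2.example.test",  # DC2's old GUID
    "33333333-3333-3333-3333-333333333333": "dc2.example.test",  # DC2's new GUID
}


def resolve_source(from_server_dn, ntds_settings, cnames):
    """Follow the chain for one connection object:
    fromServer DN -> objectGUID -> <guid>._msdcs CNAME -> host name.
    Returns the host name, or None at the first link that is missing."""
    guid = ntds_settings.get(from_server_dn)
    if guid is None:
        return None          # stale metadata: no such NTDS Settings object
    return cnames.get(guid)  # None until NETLOGON has registered the CNAME


def audit(ntds_settings, connections, cnames):
    """Classify findings by impact on replication, most serious first."""
    live_guids = set(ntds_settings.values())
    return {
        # 1. connection objects whose source DC no longer exists: clean up metadata
        "stale_metadata": sorted({dn for _, dn in connections if dn not in ntds_settings}),
        # 2. live DCs whose GUID has no CNAME: partners cannot resolve them
        "unresolvable_dcs": sorted(g for g in live_guids if g not in cnames),
        # 3. CNAMEs for GUIDs no live DC owns: do not break replication, tidy later
        "stale_cnames": sorted(g for g in cnames if g not in live_guids),
    }


if __name__ == "__main__":
    for owner, dn in CONNECTION_OBJECTS:
        print(f"{owner} pulls from: {resolve_source(dn, NTDS_SETTINGS, MSDCS_CNAMES)}")
    for kind, items in audit(NTDS_SETTINGS, CONNECTION_OBJECTS, MSDCS_CNAMES).items():
        print(f"{kind}: {items}")
```
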

[ActiveDir] Change of status - Job-wise, at least.

2005-07-01 Thread Rick Kingslan
All,

Many of you have become good friends through the years on this list, so it's
only right that you be among the first to know.

On June 3rd, I was laid off from my job as a Sr. Systems
Engineer/Architect/Administrator/Security guy/Supervisor.  It was a
completely political move, as it seems I had (through my function as a
Supervisor and THE Security guy for Windows systems) pissed off one too many
VeePs, Sr. VeePs, and above.  (Apparently

Thanks for those who knew about this and responded with very gracious offers
to help me find a new position within their companies or one's that they
knew of.  Some were even willing to vouch for me, which still is a shock to
me.  :o)

However, ~4 Mos. ago I started on a journey that I was not so certain where
it was going to end.  Well, this week, it ended.  I was offered and accepted
a position with Microsoft Consulting Services on Infrastructure related
projects.  I will be working with Customers on Windows Server 2003, Exchange
2003, ISA Server 2004, and eventually SMS 2003 and MOM 2005.

So, to all of you that I've learned from here - and there are too many to
name - thank you.  I hope that I'll be a much more frequent visitor to the
list with this change of job.

Also - please don't post replies to the list.  Send them to me directly.

Rick


RE: [ActiveDir] Corrupted NTDS.dit

2005-07-01 Thread Rick Kingslan
Mike,

I agree with what you are saying, that from a best practices standpoint, one
SHOULD eventually remove the old CNAMEs.

However, the point of this discussion seems to be centered around what will
or will not cause problems with replication.  Old CNAMEs pointing to
deprecated DC GUIDs is not going to have the same profound effect on
replication as old metadata will.

My suggestion:

Get rid of the old metadata and get replication functioning once again.
THEN you are free to worry about DNS records of absolutely no consequence at
all.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike (OFT)
Sent: Friday, July 01, 2005 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Corrupted NTDS.dit

That is correct. This is the practice I have always followed and it has
never done me wrong, which is why I was trying to offer this advice to
the person who originally posted the message.  


Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300





-Original Message-

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, July 01, 2005 1:32 PM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Corrupted NTDS.dit

Unless my Google-fu is failing me (and I don't think it is), it looks
like Mike is quoting KB 216498, step 15. 

http://support.microsoft.com/?kbid=216498

- Laura


RE: [ActiveDir] Ds commands

2005-07-01 Thread Rick Kingslan
Tom,

Minimal mode would be Mixed.  Operations that you might attempt that aren't
supported in your current mode will fail.  e.g. Trying to use DSADD to
create a Universal Group in a mixed mode domain.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, July 01, 2005 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ds commands

What domain functional level do I have to be in to use the DS commands?
Thanks
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)



RE: [ActiveDir] Corrupted NTDS.dit

2005-07-02 Thread Rick Kingslan
Steve,

I'm glad that you do find the humor here.  It does exist - and many times,
it's just more obvious than others.

Heck, if there wasn't the gigging each other and the occasional off color
comments, this would be just like work!

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, July 01, 2005 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Corrupted NTDS.dit

I don't post real often, but besides slashdot postings being a bit humorous,
this list ranks right up there in making me laugh.  Some of these posts are
even funnier when I've had a few beers.. Don't figure.  Happy 4th weekend...

Steve

- Original Message - 
From: "Rocky Habeeb" <[EMAIL PROTECTED]>
To: 
Sent: Friday, July 01, 2005 4:00 PM
Subject: RE: [ActiveDir] Corrupted NTDS.dit


> joe (dog),
>
> Please send me a >complete< list of MS docs that are ... "confusing",
> "wrong" and "dangerous".  OK ... forget the confusing, just the "wrong"
> and "dangerous."
>
> "YMYMYM"
>
> Rocky
>
> ___
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of joe
> Sent: Friday, July 01, 2005 3:01 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Corrupted NTDS.dit
>
>
> Now this is a fun note chain. ;o)
>
> To further clarify what Dean has so eloquently said. MS sometimes makes
> mistakes in documentation. As a general rule I look at MS documentation
> more as propaganda until otherwise proven correct, it tends to be safer
> that way. Most of it is great, a lot of it is confusing, some of it is
> wrong, some of it is outright dangerous. This is why there are many folks
> who submit changes to MS to get implemented into the documentation. I
> myself probably submit 5-10 KB changes a month, probably double that to
> MSDN per month.
>
> The comment "You do not want the DC's that exist to use the old cname
> record." is incorrect. The existence of it in DNS will not force the DC to
> use it. However, cleaning up after a demotion, failed or otherwise, is
> generally a good idea to do. I was simply trying to illustrate, as Dean
> indicated, that it won't actually cause a failure.
>
> I also want to point out the part Dean indicated about the value of this
> list. This is an incredible list, there can be a lot of side chatter but
> you can learn things here that you won't find anywhere else. We have a
> ton of well known authors, Microsoft employees from
> PSS(ROSS/CPR/Other)/MCS/Dev(AD/JET)/Enterprise Computing, some of the top
> consultants in the industry, programmers, admins (from the smallest to the
> largest deployments), and we even have Rick Kingslan and sometimes let him
> post. The list isn't really just about posting a KB and sending someone on
> their way, you will often get a lot of opinion on the KB and/or the poster
> as well as substantial background information on how things work and how
> they REALLY work.
>
> No one should really take anything personally or as an attack, it is just
> a bunch of geeks trying to help each other out with varying levels of
> social and writing skills. As I once told a Microsoft Manager, I don't
> care if your consultant kicks me every day when he sees me, as long as he
> knows what he is talking about I want him around. Oh there is one time
> there are personal attacks, it is every time Guido tries to confront me on
> Domain Local Groups versus Universal groups. That is entirely personal. He
> even brought it up in a DEC Conference to really dig me. Of course it
> doesn't bother too badly because I know I'm right. ;o)
>
> Ok, now where is my g/f. She snuck out to get her hair done when we were
> supposed to be getting ready to go up north for the weekend and I have
> been waiting for 3 hours for her to get back!
>
> Reh!
>
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> Sent: Friday, July 01, 2005 2:27 PM
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] Corrupted NTDS.dit
>
> Hehehe ... I'm feeling neither confused nor misled, though your last
> comment did evoke one response; mild annoyance, but it was fleeting ;o)
>
> I've no doubt that the article's instructions will work as (like many KB
> articles) they serve as an all encompassing solution.  Referencing the KB
> article's URL is also likely to be of use to Kevin who originally asked
> the question but thi

RE: [ActiveDir] Ds commands

2005-07-02 Thread Rick Kingslan
Tom - you do not have to have Win2k3 DCs to use the DS commands.

However, I think there are a lot more reasons to run Win2k3 than just being
able to use the DS commands.

I trust that wasn't your only decision criterion.  I would hope that the
security improvements, the reliability, the performance enhancements, not
to mention the Win2k3 Domain and Forest level improvements, are what make
Win2k3 the operating system of choice.

If you're not moving TO it for these improvements, don't bother.  You'll be
moving for the wrong reasons.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Saturday, July 02, 2005 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ds commands

Then why do I need any Win2k3 DCs to run it?
Or do I?
Can I just get the commands off the Win2k3 CD and run them against a Win2k
only domain?
Thanks
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)



RE: [ActiveDir] Ds commands

2005-07-02 Thread Rick Kingslan
Or a Windows XP against Win2k.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 02, 2005 2:48 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ds commands

Executing the DS commands on a w2k3 box against a w2k AD domain will work.

Cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Sat 7/2/2005 9:16 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ds commands



I'm sorry. I wasn't being clear.
I just wanted to know if you could use those commands on a pure Win2k
domain.
It wasn't a reason to move to Win2k3.

We'll be moving there soon.
I'm pretty aware of all the improvements to AD and Windows.
They speak for themselves.

As to OS of choice, I haven't seen one of those yet.
Maybe a combo of Monad and not having the GDI built into the kernel (more
like X Windows) and some of the improvements of Novell (I know they've been
in the LDAP dir game longer so it's not totally fair) directory would make an
OS of choice.

Depending on what you're doing, of course.
But right now, Windows 2k3 is pretty sweet.

Thanks
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)



RE: [ActiveDir] OT: Windows 2003 Shadow Copy

2005-07-04 Thread Rick Kingslan
Jenn,

New to me, I have to admit.  I haven't seen that behavior - nor have I
specifically tested for it, either.  I might be able to look into it a bit
further, if I can find a suitable external.

Now, when you say EMC, are you saying like a SAN or a NAS head?  Or,
something not mentioned?

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Sunday, July 03, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Windows 2003 Shadow Copy

Is anyone aware of a problem where if shadow copy is configured on an
external device (such as EMC Disk) and it does not come up before the
shadow copy service it clears the shadow copies? If so, how can I fix
this? Thanks in advance!

Thanks
Jenn 




RE: [ActiveDir] LegacyExchangeDN

2005-07-04 Thread Rick Kingslan
Steve,

As someone who knows quite a bit about AD and LDAP, but am just now getting
my arms around the Exchange juggernaut (there is so much more to know
than I even imagined ... I am awed by Exchange Gurus much like I'm
sure that they are awed by us) I'd wonder if this could be written as such:

Second line, with the Comma:

/O=THE COLLEGE OF NORTH WEST LONDON/OU=MAIN/CN=RECIPIENTS/CN=KENT\, VANESSA

Which is specified in RFC 2253 - Lightweight Directory Access Protocol (v3):
UTF-8 String Representation of Distinguished Names

(http://www.faqs.org/rfcs/rfc2253.html)

And which presents an example of such:

CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB

Dunno - I'm not messing with the Exchange systems today, else I'd try it
out.  Let me know if you make progress.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Monday, July 04, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LegacyExchangeDN

I'm trying to use Exmerge to back up the Exchange store (this is an extra
to a "proper" store level backup so that we can retrieve odd messages
for people who manage to delete them; I do know that it's not the best
way to do the backup!).

It all works well except for users with a comma in the LegacyExchangeDN
- the mailboxes.txt file created by ExMerge has lines like:

/O=THE COLLEGE OF NORTH WEST LONDON/OU=MAIN/CN=RECIPIENTS/CN=1794
/O=THE COLLEGE OF NORTH WEST LONDON/OU=MAIN/CN=RECIPIENTS/CN=KENT, VANESSA

The first of these backs up OK; the second doesn't. I'm guessing that
it's because of the comma. I could probably find some way of creating
the file so that there were quotes round the whole line but I'd rather
lose the comma.

Is there anything which depends on the value of LegacyExchangeDN which
might fall over if I change the values for some accounts (running
Exchange 2003 on Windows 2003 but these accounts started life on
Exchange 5.5/NT4)?

Steve
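Rick's proposal above is RFC 2253 backslash escaping. The Python below is an added example, not code from the thread and not ExMerge's own parser: it implements that escaping plus an escape-aware split, parses the RFC 2253 sample DN Rick quotes, and applies the same escaping to the slash-delimited legacyExchangeDN line Steve posted. It assumes nothing about whether ExMerge itself accepts the escaped form, which is the thread's open question.

```python
"""RFC 2253 value escaping and escape-aware DN splitting (added example)."""
import string

# RFC 2253 section 2.4: characters that must be backslash-escaped in a value.
_SPECIAL = set(',+"\\<>;')


def escape_rfc2253(value: str) -> str:
    """Escape one (unescaped) attribute value for embedding in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                 # leading '#' would mean hex
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing space
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def unescape_rfc2253(value: str) -> str:
    """Reverse escape_rfc2253, also accepting the \\XX hex-pair form."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == '\\' and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
            out.append(value[i + 1])
            i += 2
            continue
        out.append(ch)
        i += 1
    return ''.join(out)


def split_unescaped(s: str, sep: str) -> list:
    """Split s on sep, skipping separators that are backslash-escaped.

    sep=',' yields RFC 2253 RDNs; sep='/' handles the slash-delimited
    X.500-style strings used for legacyExchangeDN.
    """
    parts, buf, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == '\\' and i + 1 < len(s):
            buf.append(s[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def parse_dn(dn: str) -> list:
    """Parse an RFC 2253 DN (single-valued RDNs only) into (type, value) pairs."""
    rdns = []
    for rdn in split_unescaped(dn, ','):
        attr, _, raw = rdn.partition('=')
        rdns.append((attr.strip(), unescape_rfc2253(raw)))
    return rdns


def escape_legacy_dn(line: str) -> str:
    """Apply RFC 2253 escaping to every value of a slash-delimited DN line."""
    out = []
    for part in split_unescaped(line, '/'):
        attr, eq, val = part.partition('=')
        out.append(attr + eq + escape_rfc2253(val) if eq else part)
    return '/'.join(out)


if __name__ == '__main__':
    # The RFC 2253 example quoted in the thread: three RDNs, one with a comma.
    dn = 'CN=L. Eagle,O=Sue\\, Grabbit and Runn,C=GB'
    print(parse_dn(dn))        # three RDNs, comma preserved inside the O value
    print(dn.split(','))       # naive split: four pieces, the O value torn apart
    # The mailboxes.txt line that fails, in the escaped form proposed above.
    line = ('/O=THE COLLEGE OF NORTH WEST LONDON/OU=MAIN/CN=RECIPIENTS'
            '/CN=KENT, VANESSA')
    print(escape_legacy_dn(line))
```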


RE: [ActiveDir] LegacyExchangeDN

2005-07-04 Thread Rick Kingslan
However, seeing joe's reply - go with his suggestion.  He's got a better
instinct for this stuff than I do.  But, strangely he's not an Exchange whiz
kid either ... funny, that.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, July 04, 2005 3:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LegacyExchangeDN



RE: [ActiveDir] ADSizer

2005-07-05 Thread Rick Kingslan
The ADSizer is still the 'first shot, best guess' tool for the newer
technologist working with AD.  Given 3 - 6 mos. of experience with AD, one
should be able to determine for themselves what 'Best Practices' for their
given environment should be.

The basic problem with the ADSizer, as I see it, is that if you have done
the due diligence that is required for the input into the tool, you've
already done most of the work that would qualify someone to determine the
requirements by experience.

That being said, as a tool for Management to justify upgrades with input
from the Tech Staff, it's hard to refute a tool from Microsoft that says,
"Your systems need to be this big to handle the load that you indicate as
likely".

Also, I have to stress the need for baselining.  If you're not doing
baselines of systems, you'll find it difficult in the future to determine
what impact a given change has / will have, or when it's time to start
'stumping' for the next hardware upgrade.  Also, a good baseline makes
troubleshooting significantly easier, as the changes are readily apparent in
traffic, memory, LDAP usage, etc.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Jones
Sent: Tuesday, July 05, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADSizer

Is ADSizer still the best tool to do capacity planning for AD?  Or
does anyone have an nice Excel spreadsheet that would also be
applicable to Windows 2003?

TIA

-Eric


RE: [ActiveDir] Patching Strategy on DC's

2005-07-05 Thread Rick Kingslan
How about: (and maybe not in this order)

1) Install a test environment - test patches before implementation
2) Patch half after compatibility and performance, then patch the others
within 48 hrs. (less, if you're feeling comfortable or the patch is of a
very critical and high risk category)
3) Get a complete system state backup of all DCs before applying any
patches.

A couple thoughts - and to expand upon my earlier comment.

Security IS Risk Management - plain and simple.  Don't patch quickly just
for the sake of patching because Microsoft releases a fix.  Look closely at
the details of the patch - specifically the Technical sections.  Determine
what RISK this vulnerability poses to your environment.  If it has to do
with Alerter on your DCs, but you have the Alerter service off and Disabled,
then it poses less of a risk than, say - RPC which will allow remote
execution if exploited.

However, at the time you need to take into account that there is a real
potential that the application of any un-tested patch WILL cause disruption
of normal operations.  Thereby, you need to approach any patching with the
give and take of applying a patch because it is necessary and critical, with
that of the possibility of disruption.  Analyze the risk of either action,
and act accordingly.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall
Sent: Tuesday, July 05, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Patching Strategy on DC's

I have a question about a patching strategy for Domain controllers.  We
have a single forest, single domain, 4 DCs.  When patching for security
patches, should we do all the DCs at once, or do half of them, or should
we introduce a test lab, or lastly a latent replicated production site
with a DC in it?  Thoughts and approaches appreciated!


RE: [ActiveDir] Patching Strategy on DC's

2005-07-05 Thread Rick Kingslan
Good point, and one that I should mention.  One strategy that many smaller
shops do take is that they are not really in a position to do all of the
levels of testing usually required to detect and mitigate any regression
issues that might come up in specific systems.

Therefore, what I've done in the past is let the big guys take the lead -
let them do some of your testing for you.  Hang back just a couple, three
days to let some of the bigger issues surface.  The big issues are publicly
noted, the smaller ones are discussed on BugTraq or some of the other
Security related newsgroups.

Also, the Security related newsgroups should be your first stop to find out
what's really big (does this patch - the Important, not the Critical -
really impact me?).  (Criticals impact everyone - make NO mistake on that)

There is nothing wrong with watching to see what issues are being detected
by first responders.  Most of these folks are at the top of the game when it
comes to Security, and they had to get there much the same way - watching
what others did.

Where do best practices come from?  Someone learning that maybe this wasn't
such a great idea, and I should have done THAT instead  ;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Taylor, Michael
Sent: Tuesday, July 05, 2005 2:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Patching Strategy on DC's

I've been wondering about this same thing.  I was just recently promoted
to server administrator of about 30 servers.  What would be the easiest
way to make sure a patch doesn't interfere with Exchange, SQL, IIS, etc?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, July 05, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Patching Strategy on DC's



RE: [ActiveDir] Another patching question

2005-07-05 Thread Rick Kingslan
No, not really. Up to the close date for inclusion INTO a SP (and there are
LOTS of factors that affect what does and doesn't make the SP) will be in
the SP.

If we assume that the close date for a given SP is D\M\, and the SP is
SPx, then any patch released after the date is either post SPx, or pre-SPy.

However, complicate this with the Rollups. Yes, those rollups are integral
SPs, as the contents are patches that have been released up to some point.

Add to this the Rollups that are product (say, IIS) specific.

Sound confusing?  Yes - to some degree, you need a scorecard to keep up with
it.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, July 05, 2005 3:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Another patching question

Ladies and Gentlemen,

Is it true that we can assume that [for the most part] >all< patches and
>all< hotfixes released prior to the date of a major Service Pack >are<
included in the Service Pack?

Thanks.

RH
_

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456  Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
_




RE: [ActiveDir] OT: Windows 2003 Shadow Copy

2005-07-05 Thread Rick Kingslan
Jenn,

Quick check shows that the unit is designed to serve (at least in the
Windows world) as a file and print storage system for Windows 2000 and
Server 2003, as well as Exchange 2003.

Simply by that, I'd come to the conclusion that if there is a problem with
Shadow Copy functionality, there should be a big enough outcry that it
wouldn't remain private for long.

And, it's not like the AX100 is a unique device in the EMC arsenal.  I'd
contact EMC Field Support and tell them what you're experiencing.  It could
be a driver issue as well, however I doubt it.

Hopefully, ~Eric will chime in on this one as he has some (snicker... a
little :o) EMC equipment over in his "little Frankenstein" lab.  He might
have some insight or someone he can ping.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Tuesday, July 05, 2005 6:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows 2003 Shadow Copy

We are using an AX100 EMC external device.   



Thanks
Jenn 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, July 04, 2005 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows 2003 Shadow Copy



RE: [ActiveDir] DMZ talking to your domain

2005-07-07 Thread Rick Kingslan
I would strongly advise against doing this.  If there is nothing available
that can proxy the incoming requests, then the solution needs to be
re-engineered with Security in mind.

Given your industry, HIPAA is very, very clear on matters of accidental
disclosure when reasonable measures could have been taken.

IMHO, this would be a very clear violation of 'due diligence' in relation to
HIPAA.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, July 06, 2005 1:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DMZ talking to your domain


I have a request to join a server in our DMZ to the domain. The reason
appears to be for an application to leverage (SQL Reporting Server) and
in order for this to work it needs to be in the domain.

Sorry to be vague.. I am trying to get more info. Are there best
practices for when you need to have a DMZ server join your domain?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195 Fax (602) 495-4406
 


RE: [ActiveDir] Can a 2003 server be a domain controller in a 2000 domain?

2005-07-08 Thread Rick Kingslan
Antonio,

At the time that you decide to introduce Windows Server 2003 DCs into an
existing Windows 2000 domain/forest, there is the initial requirement to
upgrade the schema.

You must run adprep /forestprep and domainprep to be able to support the
inclusion of a 2003 DC.

However, running forestprep and domainprep is not going to PREVENT any
Windows 2000 functionality - until you begin to change Domain and Forest
functional levels.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Friday, July 08, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can a 2003 server be a domain controller in a 2000
domain?



I have a 2000 domain with a mix of 2000 and 2003 member machines.  There is
an offsite where all the member machines are 2003.  And I wanted to set up an
alternative Domain controller at this site with what is already there.  I am
in the process of planning and testing the upgrade to a 2003 domain but
until then I need a domain controller at this site.  So would a 2003 domain
controller work in a 2000 domain, at least temporarily?

Antonio



RE: [ActiveDir] Sysprep Win2k3 Servers...maybe a DC?

2005-07-09 Thread Rick Kingslan
Dean,

My process (and I highly suspect that Brian’s will be the same) is that I
have a base MEMBER SERVER image of Standard and Enterprise under our VLK
(well, this would all be past tense now, I guess…).  I deploy the base
image of the selected version out to a system, then add features from
there.  Add IIS for Web or Exchange, create added volumes as needed.

One step on an imaged system would be to DCPromo that system to DC status.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, July 09, 2005 9:25 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Sysprep Win2k3 Servers...maybe a DC?

To ensure I understand, are you saying you
build a DC, sysprep it, image it and deploy the cloned DC or merely that you build
a server, sysprep it, image it, deploy that and later run DCpromo?



--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com



 



 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, July 09, 2005 1:28
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sysprep
Win2k3 Servers...maybe a DC?

You can sysprep base images for servers and machines all day long. I
deploy hundreds of servers (inc DCs), believe me, I don’t use the CD in
every one of them. :)

 



Thanks,
Brian
Desmond

[EMAIL PROTECTED]

 

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, July 08, 2005 11:37
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sysprep
Win2k3 Servers...maybe a DC?



 

I know “imaging” and “ghosting” has
been talked about before, especially in regards to backing up DCs and the
conclusion is don’t.  I totally understand this and agree, but what
about a base image of a win2k3 server, non-domain member, that has had sysprep
run for all servers, including maybe a future domain controller?  If
anyone has done this any things to look out for?

 

-Alex








RE: [ActiveDir] Sysprep Win2k3 Servers...maybe a DC?

2005-07-09 Thread Rick Kingslan

If that’s what he’s thinking – beat him senseless for both of us, please.  ;o)

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, July 09, 2005 10:04 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Sysprep Win2k3 Servers...maybe a DC?

Understood ... I was primarily after clarification from Brian to ensure he
wasn't recommending the deployment of cloned DCs.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

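The point Dean is checking for is the one that makes "sysprep a member server, then dcpromo" acceptable and "image a promoted DC" not: a DC deployed from a disk image of another DC carries that DC's database and USN history, so its replication partners see a USN sequence that has gone backwards. Since Windows Server 2003 SP1 the affected DC detects this itself, logs event 2095 (and 2103 when it takes itself read-only) in the Directory Service log, and writes "Dsa Not Writable" = 4 under the NTDS Parameters key. The script below is an added example, not code from the thread; it enumerates the DCs from the configuration partition and checks each one for those markers over remote registry and the event log, which requires admin rights on the DCs and the Remote Registry service running there.

```powershell
# Added example (not from the thread): detect a DC that was deployed or restored
# from a disk image of an already-promoted DC. NTDS logs event 2095 (USN rollback
# detected) and 2103 (replication stopped) and sets "Dsa Not Writable" = 4 under
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on the affected DC.

function Get-DomainControllerHostNames {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.configurationNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://CN=Sites,$configNC")
    # Every DC has an nTDSDSA object named "NTDS Settings" under its server object
    $searcher.Filter   = '(objectClass=nTDSDSA)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $searcher.FindAll()) {
        $ntdsDn   = [string]$r.Properties['distinguishedname'][0]
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        [string]([ADSI]("LDAP://$serverDn")).dNSHostName.Value
    }
}

function Test-DcUsnRollback {
    param([Parameter(Mandatory)][string]$ComputerName)
    $out = [ordered]@{ DC = $ComputerName; DsaNotWritable = $null; RollbackEvents = 0; Error = $null }
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        $out.DsaNotWritable = $key.GetValue('Dsa Not Writable')   # $null if never set
        $key.Close(); $hive.Close()
        # Get-WinEvent reports "no events" as an error; we only want the count
        $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 }
        $out.RollbackEvents = @($events).Count
    } catch {
        $out.Error = $_.Exception.Message
    }
    $out.Suspect = ($out.DsaNotWritable -eq 4 -or $out.RollbackEvents -gt 0)
    [pscustomobject]$out
}

Get-DomainControllerHostNames | ForEach-Object { Test-DcUsnRollback -ComputerName $_ } |
    Format-Table DC, DsaNotWritable, RollbackEvents, Suspect, Error -AutoSize
```

A DC flagged Suspect should be demoted (forcibly if necessary), its metadata cleaned up, and re-promoted from a sysprepped member server image, which is exactly the process Rick and Brian describe. Windows Server 2012 later added a supported path for cloning virtualized DCs (VM-Generation ID plus a DCCloneConfig.xml on the source); a disk image taken outside that mechanism is still the unsupported case this thread warns about.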

RE: [ActiveDir] OT: File properties

2005-07-14 Thread Rick Kingslan
At the level in which you WANT to CHANGE the permissions, is the check box to
inherit checked or not?  If it is – uncheck it, copy or remove – then add or
modify ACL / ACE as needed.

However, Dan brings up a good point – are you trying to do this THROUGH a
share, or are you interactively logged in?  If via console, or TS – share
permissions won’t have an effect.  If you are simply accessing the share and
trying to mod permissions, the share permissions will most certainly have an
impact on your ability to do what you are wanting to do.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, July 14, 2005 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: File properties

I take that back. The files in the share are inherited. Nothing above that
level in the tree is inheriting permissions though.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, July 14, 2005 12:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: File properties

It only seems like inheritance. Nothing is actually set to inherit permissions.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 14, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: File properties

You have to go up the tree and set the perms on the source of the inheritance
or uncheck inheritance.

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: File properties

I feel pretty stupid asking this question because I know it is something very
simple that I am overlooking.

I have full control to a file or folder, am the owner, but still can’t edit
permissions. The buttons are all greyed out. It seems like this just happened,
although I could have overlooked it in the past. It seems like everything is
explicitly inheriting permissions. Any ideas?
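Rick's two steps (uncheck inheritance with "copy" or "remove", then add the explicit ACE) and his share-versus-NTFS point can both be shown from PowerShell, which also makes clear why the buttons grey out: through a share, the effective rights are the intersection of share permissions and NTFS permissions, so a Read share denies WRITE_DAC even to the owner. The script below is an added example, not from the thread; the folder path, share name and group name are placeholders, and Get-Acl, Set-Acl, SetAccessRuleProtection and Get-SmbShareAccess are standard PowerShell/.NET on Windows 8/2012 and later.

```powershell
# Added example (not from the thread): break inheritance and add an explicit ACE
# the way the Security tab's "Inherit" checkbox and Copy/Remove prompt do, then
# show the share permissions that cap NTFS rights for anyone coming in over SMB.

$Path  = 'D:\Shares\Projects\Alpha'       # placeholder folder for this example
$Share = 'Projects'                       # placeholder share exposing that folder
$Group = 'CORP\Project-Alpha-Editors'     # placeholder group to grant

function Show-Inheritance {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # AreAccessRulesProtected = $true means "inherit from parent" is unchecked
    [pscustomobject]@{
        Path          = $Path
        Owner         = $acl.Owner
        InheritsAcl   = -not $acl.AreAccessRulesProtected
        InheritedAces = @($acl.Access | Where-Object { $_.IsInherited }).Count
        ExplicitAces  = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

function Disable-InheritanceAndGrant {
    param([string]$Path, [string]$Identity, [switch]$RemoveInherited)
    $acl = Get-Acl -Path $Path
    # First argument $true = stop inheriting. Second argument is the Copy/Remove
    # choice: $true keeps the inherited ACEs as explicit ones, $false drops them.
    $acl.SetAccessRuleProtection($true, -not $RemoveInherited)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    # Set-Acl needs WRITE_DAC on the object (owners always have it locally)
    Set-Acl -Path $Path -AclObject $acl
}

Show-Inheritance -Path $Path
Disable-InheritanceAndGrant -Path $Path -Identity $Group
Show-Inheritance -Path $Path

# Run on the file server: a share granting only Read leaves every Security-tab
# button greyed for remote users regardless of their NTFS rights.
Get-SmbShareAccess -Name $Share | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

Run the ACL part on the server console or in a Terminal Services session, as Rick suggests; run over the share only if the share grants Change or Full Control. Use -RemoveInherited when you want a clean slate, but check Show-Inheritance afterwards, because removing inherited ACEs can leave the folder with no Allow entries at all for anyone but the owner.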












RE: [ActiveDir] Remote Desktop vs. Remote assistance

2005-07-14 Thread Rick Kingslan
With Remote Desktop, you are going to take over the machine (in the case of
XP) kicking off any logged on person in the act of taking over the machine.
Your access is the same as the credentials with which you log in.

With Remote Access, you need to receive an invitation and the user is not
kicked off.  Both of you will see what is on the screen, and initially you
have view only access.  The user has to GIVE you control, and can take it
back, in the event that you go nuts and attempt to format the drive, delete
files, etc.  Not that it would ever happen to you, Tom...  ;-)

Does that help?

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 14, 2005 12:30 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote Desktop vs. Remote assistance

What is the actual diff between RD and RA?

If I RD to a WinXP desktop, that allows 1 connection. Can someone shadow it
or no?

Is there any reason to use one over the other for support? Or is RA just
easier/better because you can share the session and you can see what a user
is doing and interact?



Also, is there a GPO or reg hack that allows me as a Domain Admin to RA to a
user w/o her asking for RA via an email or IM or file transfer or
"allowing" me to log on?

Thanks
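The policy Tom is asking about is "Offer Remote Assistance" (Computer Configuration, Administrative Templates, System, Remote Assistance). It lets the accounts in its Helpers list connect without an invitation, but it does not remove the consent step: the user at the console is still prompted to accept the session, and again before the helper gets control. The script below is an added example, not from the thread; it audits what that policy and "Solicited Remote Assistance" have written to the registry on a host so you can see who has been granted the ability to offer and whether they get control or view only. The registry locations are the documented policy keys; nothing else is assumed.

```powershell
# Added example (not from the thread): audit Remote Assistance policy state on a
# Windows host. "Offer Remote Assistance" and "Solicited Remote Assistance" write
# to HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; the local
# "Allow Remote Assistance" checkbox lives under Control\Terminal Server.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RaValue {
    param([string]$Key, [string]$Name)
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name
}

function Get-RemoteAssistancePolicy {
    # Unsolicited ("Offer") RA: fAllowUnsolicited enables it,
    # fAllowUnsolicitedFullControl = 1 lets helpers take control, 0 = view only
    $offer     = Get-RaValue $PolicyKey 'fAllowUnsolicited'
    $offerCtrl = Get-RaValue $PolicyKey 'fAllowUnsolicitedFullControl'

    # Solicited (invitation-based) RA: policy value overrides the local checkbox
    $solicited = Get-RaValue $PolicyKey 'fAllowToGetHelp'
    $source    = 'policy'
    if ($null -eq $solicited) {
        $solicited = Get-RaValue $LocalKey 'fAllowToGetHelp'
        $source    = 'local setting'
    }

    # Helpers allowed to offer are stored as values under RAUnsolicit,
    # e.g. "1" = "CORP\HelpDesk"; the policy also adds them to the local group
    # "Offer Remote Assistance Helpers".
    $helpers   = @()
    $helperKey = Join-Path $PolicyKey 'RAUnsolicit'
    if (Test-Path $helperKey) {
        $item    = Get-Item $helperKey
        $helpers = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }

    [pscustomobject]@{
        SolicitedEnabled   = ($solicited -eq 1)
        SolicitedSource    = $source
        OfferEnabled       = ($offer -eq 1)
        OfferAllowsControl = ($offerCtrl -eq 1)
        Helpers            = $helpers
    }
}

Get-RemoteAssistancePolicy | Format-List
```

Treat a non-empty Helpers list with OfferAllowsControl set as a standing grant of interactive control over every machine the GPO reaches; keep it to a dedicated help desk group rather than Domain Admins, and remember that Remote Desktop, not Remote Assistance, is the tool for getting onto a box when nobody is there to click Accept.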







RE: [ActiveDir] Remote Desktop vs. Remote assistance

2005-07-14 Thread Rick Kingslan
I believe that Dan is correct - it CAN be controlled via policy.  But, again,
with all the policies that get added, I have a hard time keeping up with
those functions, as I really don't spend much time on the 'user end', if you
will.

As to shadowing an Administrative TS session: I seem to remember that you
can.  The only REAL difference between an Admin TS session and the
Application mode is the license method.  Two licenses are included for Admin
purposes only, while the Application mode needs a license server to manage the
licenses for sessions.

However, (and as Dan eloquently stated) I am "pulling one out" here; I think
that you can shadow or Remote Control these sessions as well.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 14, 2005 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance

Thanks a lot, Rick and Dan.

Can you "shadow" a TS connection to XP like on server?


As to the user giving me control, I thought that was just a policy that
could be configured, NOT hardwired into the OS somehow.
I thought if I was a DA and by default then a local admin on the box, when I
RA in, I could overrule that setting somehow since I am in actuality an
admin of the box.
I only ask because we use VNC here for some help desk stuff and I wanted to
replace it with RA since we are mostly XP on the client, but I'm afraid with
this "asking" for help stuff and "allowing" access, my users would get
confused awfully quick.
They don't adapt well to change.

Usually, someone here calls them and then says "ok, I'm gonna connect to
your machine" or they might be away and a help desk admin connects to their
box.
RA doesn't seem to make this as simple as VNC does, I guess.

I still wonder how as an admin you can be denied RA access to a box or need
permission. Is it a local system thing?

Thanks for all your help and sorry to bore you with my issues.


