RE: [ActiveDir] FYI - Office 2003 went RTM today

2003-08-19 Thread Rick Kingslan
Heh - Roger's in rare form once again!  Actually, I was told that everyone
else is getting it free - however, Inovis is getting charged double.  

Hold on... Gads!  That's still nothing!  Damn! 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 19, 2003 8:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] FYI - Office 2003 went RTM today

So they're worth their free price? ;)

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rod Trent [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 19, 2003 8:39 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] FYI - Office 2003 went RTM today
 
 
 Agreed...Outlook 2k3 is probably the best product in the group.  Spam 
 features alone are worth the price of admission.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, August 19, 2003 7:56 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] FYI - Office 2003 went RTM today
 
 Just a heads up to those of you who want to be 'in the know'
 
 If you haven't had the chance to use the new Outlook - it's very nice!
 
 Visio, SharePoint Portal will lag a little bit - October timeframe, as 
 I recall.
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 


RE: [ActiveDir] authoritative GPO restore

2003-08-18 Thread Rick Kingslan
Graham,

Though I don't totally disagree, I'm not sure what part of the picture is
missing to cause you to make a statement such as:

Microsoft seem incapable of delivering finished products !

The GPMC *does* make it much easier - I have been a big champion of this
product, and it is by far the preferred method.  But, before GPMC (6 years
before, in fact) we have survived quite well with Auth Restore, System
State restore, and data backup restores.

What part of the picture am I missing that would indicate Microsoft missed
the boat on restoring GPOs in your case?

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Monday, August 18, 2003 3:05 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] authoritative GPO restore 

Darren, thanks for the very informative post reply.

You seem only to confirm my view that what should be a relatively simple task
is not so - although I am happy to see this complexity reduced with GPMC, it
does nothing to dispel my opinion that Microsoft seem incapable of delivering
finished products!

Thanks again

GT
- Original Message -
From: Darren Mar-Elia [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 9:30 PM
Subject: RE: [ActiveDir] authoritative GPO restore


Graham-
You're absolutely right about the dependencies between the AD and SYSVOL
portions of a GPO. As you probably have noticed, the AD portion is stored in
the Domain NC under SYSTEM\POLICIES\GUID OF GPO and the SYSVOL part is in
SYSVOL\POLICIES\GUID OF GPO. The AD portion, formerly called the Group
Policy Container (GPC) (until MS released the GPMC and decided they didn't
like any of the old names for stuff (!)), contains attributes that reference
the SYSVOL path, the version of the GPO and some other stuff. If for
example, you have used software installation policy to deploy applications
via GPO, then the GPC contains a set of AD objects known as the Class Store,
which contains packageRegistration objects for each app deployed. These
objects reference application advertisement script (.aas) files stored in
the SYSVOL portion of the GPO (aka the Group Policy Container or GPT).

In terms of disaster recovery of an individual GPO, you're correct that
authoritative restore isn't very flexible. Your steps below seem reasonable
although I haven't used that mechanism to restore a single GPO before.
Frankly, I think you're better off using Microsoft's free GPMC tool to do
backup/restore of individual GPOs. It's easy to use, scriptable and restores
individual GPOs with their original GUID intact.
This is a lot more flexible than authoritative restore or any other
mechanism that has to try and extract portions of a single GPO from backups
of system state.

Darren



-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] authoritative GPO restore


Was hoping to get a bit more detail on the procedure of restore of a GPO and
specifically the inter-dependencies of the sysvol folder data and AD data.

It would seem, say in the scenario of an inadvertently modified / deleted
GPO (and which has been replicated throughout the domain), that it is not
simply a matter of restore of the sysvol data, and that indeed it is
required to go through a sequence along the lines of:

boot into DS restore mode;
restore system state to its original location;
restore system state to an alternative location;

authoritatively restore the entire database (didn't understand this - I
would have thought at most the object with the GUID of the GPO using restore
subtree?);

restart the DC in normal mode and wait for the sysvol to mount;

then a copy of what looks to be like the folder of sysvol / policies with
the GUID of the GPO from the alternative location.

Have derived the above from the various papers on disaster recovery et al.

Hoping people can put any of the above right, especially with notes on the
various interdependencies of the directory objects / file system contents
relating to GPO.


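As an added offline check of the AD/SYSVOL interdependency that Darren and Graham discuss (example code written for this page, not from any of the posters): the GPC stores the GPO version in its versionNumber attribute and the gpt.ini file in the SYSVOL policy folder carries the same packed value, so comparing the two, together with the gPCFileSysPath reference, shows when only one half of a GPO has been restored or replicated. The GUID, path and version values below are constructed.

```python
"""Offline consistency check between the two halves of a Group Policy Object:
the Group Policy Container (GPC) in Active Directory and the Group Policy
Template (GPT) folder under SYSVOL\\Policies\\{GUID}."""
import configparser

# Constructed sample data, not taken from any real directory. The GUID, path
# and version values are made up for this example.
SAMPLE_GPC = {
    "cn": "{00000000-0000-0000-0000-00000000abcd}",
    "versionNumber": (3 << 16) | 2,   # user part 3, computer part 2
    "gPCFileSysPath": "\\\\example.test\\sysvol\\example.test\\Policies\\"
                      "{00000000-0000-0000-0000-00000000abcd}",
}

# gpt.ini as it sits in the live SYSVOL folder: same version as the GPC.
GPT_INI_CURRENT = """[General]
Version=196610
displayName=Example GPO
"""

# gpt.ini after only the SYSVOL folder was restored from an older backup:
# the template is one edit behind the AD object in both halves.
GPT_INI_RESTORED_FROM_BACKUP = """[General]
Version=131073
displayName=Example GPO
"""


def split_version(version):
    """Unpack the 32-bit GPO version: user settings in the high 16 bits,
    computer settings in the low 16 bits (used by both versionNumber and
    the Version= line of gpt.ini)."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini(text):
    """Return the integer Version value from the [General] section of gpt.ini."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg.getint("General", "Version")


def check_gpo(gpc, gpt_ini_text):
    """Compare a GPC record (dict with cn, versionNumber, gPCFileSysPath)
    against the gpt.ini text found in its SYSVOL folder.

    Returns the two unpacked versions, a status string and a list of
    findings. Any status other than 'consistent' means the AD and SYSVOL
    halves are out of step, which is what restoring only one half (or
    replication that has not caught up) produces."""
    findings = []
    folder = gpc["gPCFileSysPath"].rstrip("\\").rsplit("\\", 1)[-1]
    if folder.upper() != gpc["cn"].upper():
        findings.append("gPCFileSysPath points at %s, not at the GPO's own folder %s"
                        % (folder, gpc["cn"]))

    ad = split_version(gpc["versionNumber"])
    sysvol = split_version(parse_gpt_ini(gpt_ini_text))

    if ad == sysvol:
        status = "consistent"
    elif ad[0] >= sysvol[0] and ad[1] >= sysvol[1]:
        status = "sysvol_behind"   # AD is newer: GPT stale or restored alone
        findings.append("GPT version %s is behind GPC version %s" % (sysvol, ad))
    elif sysvol[0] >= ad[0] and sysvol[1] >= ad[1]:
        status = "ad_behind"       # SYSVOL is newer: GPC stale or restored alone
        findings.append("GPC version %s is behind GPT version %s" % (ad, sysvol))
    else:
        status = "mixed"           # each half is ahead in one of the two parts
        findings.append("GPC %s and GPT %s disagree in opposite directions" % (ad, sysvol))

    return {"gpo": gpc["cn"], "ad_version": ad, "sysvol_version": sysvol,
            "status": status, "findings": findings}


if __name__ == "__main__":
    for label, ini in (("live", GPT_INI_CURRENT),
                       ("sysvol-only restore", GPT_INI_RESTORED_FROM_BACKUP)):
        result = check_gpo(SAMPLE_GPC, ini)
        print(label, result["status"], result["ad_version"], result["sysvol_version"])
        for finding in result["findings"]:
            print("  -", finding)
```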


RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-17 Thread Rick Kingslan
Hmmm.  Well, I guess whatever works for you.  I just know that I have a heck
of a time with UPN resolution taking a long time with our IOCs - yes, some
are in their own forest with Trusts.  But, I just can't imagine all of the
explicit grants.  Maybe I'm just a bit backward but I haven't really found
it all that tough to track any one user's permission and membership trail to
the point where I wouldn't want a Global group managing the cross-domain
'collection' of users.
 
And, the only denies that I have are on IIS servers.  I don't know of
another deny in our entire structure.  But, then - you're dealing with
something that, as I remember - is about 7 times as large as mine.
 
But, then, I am the guy who forgot that DC Administrators group and a member
server local Administrators group weren't actually the same thing.  So, what
do I know  ;-)
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Sunday, August 17, 2003 12:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


We like to limit the security scope of the groups. Very difficult to chase
permissions across the world when someone asks, what does this group have
access to? At the worst, the permissions can only be applied within a
specific geographic region or at least the machines that are part of it.
Additionally, DLGs can take members from all domains and we don't have to
have two or more groups for every resource being tied down (i.e. no
user-global-local-permission nesting). People can do as much DLG nesting as
they feel they may want to do which is ok. Resolution of the groups is easy
as you don't have to have DCs chasing over to other domains' DCs for the
resolution. 
 
All of our permissions on the directory are grant perms with passive denies
and most of that delegation is within the default partitions so it all works
well. I HATE active denies, troubleshooting is a nightmare when you have to
chase through that. 
 
Exchange has been a bit of a challenge since the E2K Dev guys figured AD was
specifically built for them and so they just figured anything they thought
was good for Exchange was good for an entire company but I will let you know
how we fare with that in the end and they figured they should just put
everything important to them in the config container. Personally I think
that MS has to treat Exchange like a foreign app that they purchased and do
the whole rewrite from the ground up strategy but this time use people who
actually understand the directory they are trying to tie into. Also this
time make heavy use of AD/AM, no point in all of that data being sent over
an entire company when they use a centralized Exchange architecture. 
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 16, 2003 10:59 PM
To: AD mailing list (Send)
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


"Put down the beer Rick" - come now - Rick is far too sophisticated to be
drinking beer ... "Put down the Beaujolais" seems more apt (actually, with
all that crap said ... I know for a fact he drinks beer ... the phrase "like
a fish" actually springs to mind) - just teasing Rick!
 
Joe,
 
I was wondering why you choose to use mostly DLGs and if you've encountered
any behavioral oddities when using them to assign permission to the
directory itself.
 
Dean

-- 
Dean Wells 
MSEtechnology 
* Email: [EMAIL PROTECTED] 
http://msetechnology.com http://msetechnology.com/  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 10:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


Put down the beer Rick...
 
DCs have the local groups, especially administrators.  If you didn't block
it you would get the specialgroup in your Domain Controllers administrators
group. I have tens of thousands of local groups on my domains. We don't use
Global/Universal except builtin, everything else is DLG.
 
   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, August 16, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


Deji,
 
Good example - I like it, but I'm curious on one thing.  You state that you
block it at Domain Controllers.  I'm not sure why, as DCs have no local
groups.
 
If you're just being specifically cautious, great.  Me, I don't see the need
to block it at the DC OU as it won't affect anything.
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED

RE: [ActiveDir] Domain management and groups

2003-08-16 Thread Rick Kingslan
And Joe - just because I'm curious (this so often happens between us...) how
are you managing a multi-domain environment with no Global or Universals (I
can understand not using the Unis)?  How are users from other domains
getting access to resources?  I maybe assume too much, but all environments
that I've seen, users are accessing resources in other domains.
 
And, please - don't tell me that you're explicitly adding users from DomainA
to DLGs or resources in DomainB.  I've got that problem I'm dealing with as
a legacy, and UPN resolution is painful.
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, August 16, 2003 8:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


Put down the beer Rick...
 
DCs have the local groups, especially administrators.  If you didn't block
it you would get the specialgroup in your Domain Controllers administrators
group. I have tens of thousands of local groups on my domains. We don't use
Global/Universal except builtin, everything else is DLG.
 
   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, August 16, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


Deji,
 
Good example - I like it, but I'm curious on one thing.  You state that you
block it at Domain Controllers.  I'm not sure why, as DCs have no local
groups.
 
If you're just being specifically cautious, great.  Me, I don't see the need
to block it at the DC OU as it won't affect anything.
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 1:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


This is what I have in a batch file:
@echo off
REM Probe for the English group name; net sets a non-zero errorlevel if it does not exist
net localgroup administrators
if NOT %errorlevel%==0 GOTO :GERMAN
net localgroup administrators /add myDomain\specialGroup
GOTO :END
:GERMAN
REM On German Windows the local Administrators group is named Administratoren
net localgroup administratoren /add myDomain\specialGroup
:END
 
I then add the batch file to a Machine Startup GPO at the Domain Level,
blocking it at the Domain Controllers.
 
HTH
 

 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


From: [EMAIL PROTECTED] on behalf of Narkinsky, Brian
Sent: Fri 8/15/2003 7:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Add junior admin to Local workstations admin group




I need to add two users to the local administrators group of every machine
in an OU.

I've looked at restricted groups GPO but this doesn't really seem to do
what I want.  I don't need to restrict, just add.

I am also looking at writing a script to run at boot, but again not sure
there isn't an easier way.

Any Ideas?

Brian Narkinsky




RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-16 Thread Rick Kingslan
Dean,
 
Tease away - you know how I like my Guinness.  How does that old Rodney
Dangerfield go?  "Bring a pitcher every 5 minutes until someone passes out
- then bring two!"  Ahh, how I long for the English pub we found ourselves
in one night for dinner... The Dragon and George, was it?  Wonderful
Shepherd's Pie...
 
-rtk


RE: [ActiveDir] Pagefile sizes... Its that time of year again.

2003-08-15 Thread Rick Kingslan
Lucky you! :-)

I've become quite adept at reading dumps and determining what the problem(s)
are with specific instances - what driver faulted and why, what third party
to contact and get a patch from - and MS has requested dumps from us on 3
different occasions with a 'teal' screen condition that ended up being a
McAfee issue, etc.

I'm glad that you've never needed a dump, Roger.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, August 15, 2003 11:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Pagefile sizes... Its that time of year again.

Actually, I disable the dumps anyway - in 6+ years I've never once been
asked for or needed one.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Friday, August 15, 2003 10:15 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Pagefile sizes... Its that time of year 
 again.
 
 
 
 
 
 
 Maximum pagefile size is not 4GB.  The limit for a manually configured
 pagefile is 4GB.  When set to System Managed, the page file(s) will be
 whatever the server needs.  You 'must' use the setting of system managed
 to accommodate servers with more than this amount of memory.  Otherwise the
 respective server would never be able to dump properly.  And we all want
 good dumps... ;-)
 
 Windows 2003 seems to do a pretty good job at memory management (virtual
 and physical).  We run several large SQL2k ENT/W2k3 boxes and are very
 pleased with the performance despite not being able to set the pagefile
 size(s) statically.
 
 
 
 Eric Jones, Senior SE
 Intel Server Group
 (W) 336.424.3084
 (M) 336.457.2591
 www.vfc.com
 
 
 From: Michael B. Smith [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 Date: 08/15/2003 06:55 AM
 Please respond to: ActiveDir
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Pagefile sizes... Its that time of year again.
 
 Pagefile max is 4 GB. Regardless of how much memory you have.
 
 -Original Message-
 From: Roger Seielstad [mailto:[EMAIL PROTECTED]
 Sent: Friday, August 15, 2003 6:53 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Pagefile sizes... Its that time of 
 year again.
 
 
 But in reality, that rule of thumb was created when RAM was very expensive,
 and systems usually had a very small amount of it. By that token, I'd
 require a separate array for the pagefile on my new database boxes - since
 I'd need to find space for a 9GB pagefile.
 
 With modern systems, I shoot for about 1-2GB max, depending on function.
 Most large memory hog applications - specifically Exchange and SQL server -
 don't like to page, and there is no performance benefit for them to do so,
 since all that data is already on disk within their store.
 
 Roger
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Costanzo, Ray [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 14, 2003 4:24 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Pagefile sizes... Its that time of
  year again.
 
 
  The rule of thumb I've always heard is RAM×1.5, so 1.5 GB.
 
  Ray at work
 
   -Original Message-
   From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
 
  
   So you have a Gig of ram on a DC, what do you all set the pagefile size
   to?  Memory + 11 MB?
  
   Like to hear your feedback

RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-14 Thread Rick Kingslan
Well, let's think for just a minute about this.  If we're talking about a
WAN-based network, couldn't the end-point devices (routers, firewall,
bastion, etc.) be the terminus for the IPSec tunnel?  And, if so, who cares
what the clients speak?  Seems to me that this would resolve many of the
issues with the Windows-only concern.

As to the original question, if you're stuck with RPC, then you are going to
have a very tough time with a single port.  RPC is, for lack of a better
term, going to require a crap-load of ports to be open to operate at
anywhere near efficiency.  That's why the SMTP between sites has been so
highly touted by Roger and others.  It works, it's standard - and it has one
advantage that RPC really doesn't:  It's great for a network where
reliability might be a problem and you need a 'storable message' mechanism
that will communicate and stop on demand. 

Random thoughts here... Flail away!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Wednesday, August 06, 2003 7:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

This still requires a list of semi-trusted networks.  I am curious: would you
use the IPSEC to limit the port range to the DCs for replication, or both
the client level traffic and the DCs' traffic?  

One problem with client traffic being encrypted is that we support multiple
hosts connecting to our domains (Mac, UNIX, old NTLM clients).  I have to
be honest, I have spoken with several engineers who have tried to do IPSEC
on large scale deployments and they say it is more trouble than it is worth
when you are not standardized on Windows 2000 or XP.   

The problem I am having is that some of the organizations in my operation
want to view all traffic from outside their organization as totally
untrusted.  So basically their security experts want us to identify
specific ports and trusted inbound communication from specific hosts for
every domain in the forest.  We have about 24 domains, and about 75 DCs.
That's one big list to keep maintaining and coordinating for just the DC
traffic.  We also have 5 Class B address ranges of ports in our design
(remember we are the government) so planning for client exposure is
also somewhat of an issue.  

So far I came up with two solutions to this: use DMZs and limited/static
RPC replication, and allow inbound traffic from trusted networks to
community network services (DNS, AD, Exchange servers, intranet servers),
then separate mission critical servers and clients by connecting them
through a second firewall to the border DMZ.  Allow all outbound
communication to occur, and allow limited inbound from DMZ servers to occur.
What this basically will probably require is that AD replication and
operations will work as expected for hosts inside the firewall and traveling
users who work at other departments within the organization.  

If the organization chooses to limit basically all inbound communication
requests except from the direct replication partners, this potentially can
break authentication from outside sources to local resources, provisioning
via LDAP, and single sign-on using only Microsoft technology.  So if the
user ever visits another part of the organization that is behind a closed
firewall DMZ design, they will have to VPN into their portion of the network
to properly authenticate and access resources.

So the question I posed earlier has still gone unanswered.  Do you think
RPC NTDS and FRS replication is fine with just one port being open, or do you
think it would be better to open a range?

Thanks,

Todd Myrick

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 9:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Correct.

One option is to run IPSec tunnels without encryption - that allows for full
content inspection while still having reduced requirements for open ports.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, August 06, 2003 9:12 AM
 To: ActiveDir
 Subject: Re: [ActiveDir] WOT Unreadable code (was Connection String)
 
 
 I would like to see his thoughts on the matter.  MS's published
 recommendations for using IPsec tunnels to traverse firewalls are fine
 between trusted environments, but most trusted environments can create
 their own VPN tunnels using firewalls more efficiently.  And between
 untrusted environments it would be generally irresponsible (security-wise).
 
 --
 Sent from my BlackBerry Wireless Handheld

RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Rick Kingslan
:o)

My security logs are 180MB.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Wednesday, August 06, 2003 3:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

I would not have been surprised to see this on a web server, but the domain
controllers being audited do not have either www or ftp services running. I
was not prepared for the voluminous amount of system and anonymous entries
in the log. I've increased the log size to 5MB on each DC and have them
scheduled to backup to a remote server every day at 23:55. I'm looking into
purchasing a syslog server; it seems the only viable way to manage this
mess.

-Original Message-
From: rick reynolds [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 10:10
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous Logon


If web services or ftp are running on those, both those services allow anon
to access the main page.

- Original Message -
From: Rittenhouse, Cindy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 1:02 PM
Subject: RE: [ActiveDir] Anonymous Logon


 Rick,
 The security logs in question are on my Windows 2000 domain controllers,
 PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538
 NT Authority\Anonymous Logon:
   User Logoff:
     User Name: ANONYMOUS LOGON
     Domain: NT AUTHORITY
     Logon ID: (0x0,0xCB82F)
     Logon Type: 3

 and Event 540 NT Authority\System Logons:
   Successful Network Logon:
     User Name: PSDC1$
     Domain: LC_POLICE
     Logon ID: (0x0,0xCBE63)
     Logon Type: 3
     Logon Process: Kerberos
     Authentication Package: Kerberos
     Workstation Name:

 These don't appear to give me any specific information.

 I need to keep records for 3 years that show when a user logged onto the
 network and from which workstation. When I audit Account Logon, I get the
 information, but the user is always System, so there is no easy way to
 filter for a specific user name. When I use Audit Logon events, I can
 filter by user name, but I'm filling 75% of the log with Anonymous and
 System logons. I'm generating about 8MB of security log daily between the
 two DCs, so I'm not sure what is the most efficient way to configure the
 audit policy on my DCs. It seems that either way, the logs fill with quite
 a bit of basically useless information.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Monday, August 04, 2003 18:26
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous Logon


 Cindy,

 My initial thought on this, understanding the process, is that everyone is
 Anonymous when they first hit the server.  A record of this 'anonymous'
 access is made, and the process continues where you actually identify
 yourself.

 Clearly, this is going to be different if you are running a web server,
 where the access might be mostly anonymous, unless set to some manner of
 authentication (Windows, Basic, etc.)

 Now, for more detail, if you want to post some of the records that you're
 seeing (you should be able to follow the authentication trail via the IDs
 in the audit records) I can help you identify what is going on and what
 the anonymous access is all about.  It would help to know what type of
 server this is, as well.

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
 Sent: Monday, August 04, 2003 1:35 PM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Anonymous Logon

 I successfully upgraded my NT domain to AD yesterday. I now find my DC
 security log on the PDC emulator filling up twice a day. It is set to 2048
 KB, do not overwrite (I have to save them for 3 years). The majority of
 events are Anonymous logons. Is it normal to have this quantity of Anonymous
 logons?

 Cynthia Rittenhouse  MCSE,CCNA
 LAN Administrator
 County of Lancaster
 Lancaster, PA 17602
 Phone: (717)293-7274

 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OT: Packaging Software for Deployment

2003-08-14 Thread Rick Kingslan
Justin,

Being a part of your HIPAA requirement solution, it would be somewhat
imperative to get it right the first time and know that you're in compliance,
right?

Given that, and the specifics of compliance under HIPAA (generally
impossible, so why try) I'd suggest a mechanism that is going to log
proper installation and confirmation of delivery and execution.

This means, to me at least, that you're going to need much more than what GP
could provide.  Me - I'd be doing this manually with people eyeballing it.
If it absolutely, positively has got to be there tomorrow... Bad joke -
Never mind.

You get what I mean, right?  You don't have SMS, as I remember, so that's not
an option either.  You really don't have much else left to ensure
installation.  How's your weekend looking?  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, August 07, 2003 7:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Packaging Software for Deployment

It is a generic button plugin for outlook from the company certified
mail.com

www.certifiedmail.com

This is our HIPAA solution for secure e-mail.

 -Original Message-
From:   [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent:   Wednesday, August 06, 2003 6:15 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] OT: Packaging Software for Deployment


Justin,

What product is it? If it is Adobe Acrobat Reader, Winzip, DirectX, Windows
Media Player etc. there are alternate methods available.

James

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Thursday, 7 August 2003 7:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Packaging Software for Deployment

I believe that the last time I tried using a ZAP file, it didn't take UNCs,
only drive letters (e.g. z:\myapp\setup.exe). Probably worth testing
yourself though, since it's been a while. As Rod's webpage notes, ZAP files
don't provide privilege escalation like MSIs do. So, the user will need to
have proper permissions on the workstation for the installation to complete
successfully. Frankly, it's probably worth it to you to repackage the app in
MSI format. WinInstall LE usually works ok for basic snapshots and it's free
on the Win2K Server CD or, an updated version here:
http://www.ondemandsoftware.com/freele2003/wifam.asp 

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 1:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Packaging Software for Deployment


The setup command part, would that be the UNC path to the install?
Also, will the install run as administrator or as the user?  Will the
user be prompted to do anything during installation?

 -Original Message-
From:   Rod Trent [mailto:[EMAIL PROTECTED] 
Sent:   Wednesday, August 06, 2003 3:40 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] OT: Packaging Software for Deployment

You can use a .Zap file:

http://www.myitforum.com/articles/6/view.asp?id=648 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, August 06, 2003 3:05 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: Packaging Software for Deployment

Hello Everyone,

I have a install that I need to push out to all users and would like to
do it through GPO.  However there is no MSI file associated with this
install, it is just a EXE.  How can I push this out through a GPO?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
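
As an added example (not from the thread, and not the vendor's own file), here is the kind of .zap file the posts above describe. The share path, the file name and the /s switch are assumptions; a silent-install switch, if the vendor's setup.exe has one at all, is whatever their documentation says.

```ini
; certifiedmail.zap - placed next to setup.exe on a share that all users can
; read, e.g. \\fileserver\apps\CertifiedMail (hypothetical path).
[Application]
; FriendlyName and SetupCommand are the only required keys.  FriendlyName is
; what the user sees in Add/Remove Programs once the package is published.
FriendlyName = "CertifiedMail Outlook Button"
; Quote the path if it contains spaces.  The switch after it is whatever the
; vendor's installer takes for an unattended run; /s is assumed here.
SetupCommand = "\\fileserver\apps\CertifiedMail\setup.exe" /s
; Optional, informational only.
DisplayVersion = 1.0
Publisher = CertifiedMail.com
URL = http://www.certifiedmail.com
```

Two things to check before relying on it. A .zap package can only be published to users, never assigned or applied to computers, so nothing installs until the user picks it from Add/Remove Programs. And the setup runs in the user's own security context, with none of the elevation the Windows Installer service gives an MSI, so an installer that writes to Program Files or HKEY_LOCAL_MACHINE will fail for a non-administrator; that is the reason to repackage as an MSI when the audience is standard users.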

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http

RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-14 Thread Rick Kingslan
Heh... Telemarketing company that I worked for in the early 80's did their
coding in MUMPS.  Interesting use for a language that was developed to
target the medical industry, as I recall - Massachusetts General Hospital
Utility Multi Programming System. 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr
AFRL/VSIO
Sent: Tuesday, August 05, 2003 2:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Gil, 
I'm not THAT old! Man, next you'll be implying that I built the
DARPAnet! 
(and we all know it was Al Gore who's responsible for that!) *grin* Nah, I
just have a fondness for old, dead languages and remembered seeing that one
before. I actually had a book mark to a history of computing type doc that
had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times
and budgets being what they are. But I'll take the chicken... sounds like
cool geek-schwag :^)

 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane
mittam.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on
Unisys minis? Or did you just get lucky with Google? :)

I'm thinking that your answer deserves a world-famous Official DEC Screaming
Yellow Rubber Chicken, whose hideous screech is known to strike fear in the
hearts of dogs, cats, and small children.
 
Are you coming to DEC Ottawa? I can give it to you there, along with your
free beer. Otherwise, send me your shipping info offlist, and no beer for
you.

-gil

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


prints a table of primes, formatting it into columns. What's my prize :^)


 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephants rump, then the
approach needs to be reevaluated.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 9:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Have you ever coded in MUMPS? It doesn't matter who the programmer is; its
ALWAYS unreadable. I think MUMPS programmers invented the term write-only
programs.

Typical MUMPS program: f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q  s q=p#f" w:q
p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 6:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Connection String


Ha!  It is not the language that makes code unreadable, it is the PROGRAMMER
:-)

Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: Glenn Corbett [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 9:38 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Connection String
 
 
 HAHAHA... Perl
 
 I like to be able to read my code and understand it again in 6 months
 :)
 
 Glenn
 
 - Original Message -
 From: Robbie Allen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 11:14 PM
 Subject: RE: [ActiveDir] Connection String
 
 
   Come over to the 'Dark Side' with VB.NET... it's nice and warm
   here *looks at the fires of hell*.
 
  Come on guys, why go to VB.NET when you can get most of the
 benefits of a
  compiled language and a whole lot more in a lot fewer lines
 with Perl!
 
  muaahh...Muaahh...MUUAAAHH
 
  :-)
 
  Robbie Allen
  http://www.rallenhome.com/
 
 
   -Original Message-
   From: Glenn Corbett [mailto:[EMAIL PROTECTED]
   Sent: Tuesday, August 05, 2003 8:54 AM
   To: [EMAIL PROTECTED]
   Subject: Re: [ActiveDir] Connection String
  
  
   Roger,
  
   You should be able to convert the Primary Windows NT Account into a
   Domain\Username pair... I did do it some time ago (yeah, it was Ex 5.5
   timeframe too)... I'll have a dig around (from memory it was using
   LookupAccountSID *shudder*)
  
   If your UPN in 2k and Exchange email address use the same
 format (ie
   [EMAIL PROTECTED]), you could cheat a bit, and use the UPN
   conversion type code:
  
   ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9
   User principal name format. For example, [EMAIL PROTECTED]
  
   *shrug* might be worth a stab.
  
   not sure about mixing NT v4 and 2k servers

RE: [ActiveDir] os version

2003-08-14 Thread Rick Kingslan
Graham,

From the Script Center in Technet:

' Query WMI on the local machine ("." = localhost) for the OS name and version
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystems
    ' Prints caption and version, e.g. Microsoft Windows 2000 Server 5.0.2195
    Wscript.Echo objOperatingSystem.Caption & " " & objOperatingSystem.Version
Next

But that's one of the many ways to accomplish it.  And, as I remember, but
can't recall the name, I've used a CLI .exe in CMD type scripts to do a
determination of OS as well.  

Many other ways to do this, as you obviously need to have WMI
installed/activated for the above to work.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcen
ter/compmgmt/ScrCM26.asp

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Thursday, August 14, 2003 6:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] os version

I know this one has probably been done about 500 times already, but was
hoping to sound the mailing list out on techniques of differentiating
between Windows 2000 / NT4 from a login script, given that both Windows 2000
and NT4 return Windows NT from a query of the OS Version environment
variable

GT


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Disaster recovery scenario comments requested.

2003-08-14 Thread Rick Kingslan
Jan,

Do you know if they have published a paper or some detail on this process?
Naturally, I'm interested in what they are proposing.

Currently, their full-fledged technical document is slated for March 2004,
which, IMHO, is way too late.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
Sent: Sunday, August 10, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster recovery scenario comments requested.


Just as an aside here - MS of course displayed their VM server at tech ed -
one nice idea was DR for Exchange 2003 - you would basically generate a new
email server in minutes on a VM - users are then back online and you then
begin to backfill their email from tape.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Power Options with GPO

2003-08-14 Thread Rick Kingslan
Marc,

Forewarned is ... Well, you get the drift.  It would be irresponsible of me
to suggest adding your own entries to an .ADM without first mentioning the
issue.  So with that disclaimer out of the way...

I'd suggest that your solution would likely be the best.  Take a snapshot of
what it looks like in the unconfigured state, then configure and look for
the changes.  For me, that works most of the time.

Good luck!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of De Schepper Marc
Sent: Sunday, August 10, 2003 11:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Power Options with GPO

Rick,

I know the risks.
 
I even think I found the Reg key, but if I'm right the data is Binary, and
there is the problem...;-)

If I'm right then it should be the regkey HKEY_CURRENT_USER\Control
Panel\PowerCfg\GlobalPowerPolicy\Policies and the data looks like this :

"Policies"=hex:01,00,00,00,00,00,00,00,03,00,00,00,10,00,00,00,00,00,00,00,03,\
  00,00,00,10,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,03,00,\
  00,00,00,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,01,00,00,\
  00,00,00,00,00,01,00,00,00,03,00,00,00,03,00,00,00,04,00,00,c0,01,00,00,00,\
  05,00,00,00,01,00,00,00,0a,00,00,00,00,00,00,00,03,00,00,00,01,00,01,00,01,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,00,\
  00,17,00,00,00

I could still change ALL the settings and look for changes.

Marc

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: zondag 10 augustus 2003 18:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Power Options with GPO

Marc,

Maybe Darren or others will weigh in on this more authoritatively than I,
but I do have a fair amount of experience with GP and I don't know of a .ADM
file that is going to help directly solve your problem.

However, you can write your own that can be imported into your GP console
and managed almost as if it was one of the supplied policies.  But - there
is a 'gotcha' - the GP entries will not be automatically removable.  IOW,
they will tattoo the registry, much like NT policies applied to clients.
These policy entries are applied directly to the specific registry entry and
not to the /policies subkey section reserved for GP and flushed when the
user logs off or the machine is shut down.

As long as you're aware of these limitations, you should be able to do
anything as long as you can identify the reg key and the associated
necessary values.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of De Schepper Marc
Sent: Sunday, August 10, 2003 4:38 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Power Options with GPO

I try to enforce a standard Policy for the POWER options in the control
panel so that everybody uses the same power settings, for desktops as well as
for portables.
I can't seem to find any ADM file for this. Is there somebody who can help
me on this one?

Marc

*

Dit e-mail bericht inclusief eventuele ingesloten bestanden kan informatie
bevatten die vertrouwelijk is en/of beschermd door intellectuele
eigendomsrechten. Dit bericht is uitsluitend bestemd voor de
geadresseerde(n). Elk gebruik van de informatie vervat in dit bericht
(waaronder de volledige of gedeeltelijke reproductie of verspreiding onder
elke vorm) door andere personen dan de geadresseerde(n) is verboden. Indien
u dit bericht per vergissing heeft ontvangen, gelieve de afzender hiervan te
verwittigen en dit bericht te verwijderen. 

This e-mail and any attachment thereto may contain information which is
confidential and/or protected by intellectual property rights and are
intended for the sole use of the addressees. Any use of the information
contained herein (including but not limited to total or partial reproduction
or distribution in any form) by other persons than the addressees is
prohibited. If you have received this e-mail in error, please notify the
sender and delete its contents. 

*
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir

RE: [ActiveDir] Password change issue

2003-08-14 Thread Rick Kingslan
*Shaking head*... still hawking this old tired solution, eh?  ;o)

You've been busy tonight - you're weighing in on everything in one night.  I
just want to see the time when Joe answers questions 12 hours in advance.
Now THAT would be a time saver

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, August 07, 2003 10:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password change issue

Get Q812499 or SP4.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan
(OFT)
Sent: Thursday, August 07, 2003 7:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password change issue


OK here it is...


PDC emulator at a central site.
DC at a remote site connected to the central site via a WAN link; have a
bridgehead with scheduled replication to remote sites. Have a GP that has
strong passwords, max password life 90 days, min password life 1 day.

User contacts help desk because they forgot their password (password was
old123$) and locked their acct. Helpdesk at central site resets acct and
password (new password new123$) and checks the box to have the user change
password at next logon. User logs in with the password (new123$) from the
Help Desk.
The local DC does a pass-thru authentication to the PDC emulator,
which returns an authentication packet to the client PC. User gets the Must
change password dialog box.
In the dialog box the old password is automatically back-filled with
the password (new123$) he logged on with. User enters a new password
(newer123$) and confirms it.
When the user tries to finalize the change password he gets blown out by
"old password not correct".
The local DC is trying to commit the password change. If the
user enters his original password (old123$) (kind of tough 'cause he forgot it;
that is why he called the help desk in the first place) in the old password
box and enters a new one (newer123$), he is OK and allowed to go forward.


This is really strange. I know why it happens.

If you force replication throughout the domain before the user logs on this
does not happen, but that would be a no-no in this place.

If you change the password on the PDC emulator and the local DC it does not
happen.


Anyone got a valid reason why the client PC does this??
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Rick Kingslan
Cindy,

If you're going to have to keep all audit entries, you're going to have a
tough time.  I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs.  This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon). 

The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication.  You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.

Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on.  They are irrelevant and generally
service and process related to normal operation of the network.  Do,
however, take note of the user logon and logoffs.  The Logon ID field will
stay with the user from Logon through the logoff of this session.  You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same.  One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server.  This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.

Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.

Hope this helps!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server.  A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.  

Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymous, unless set to some manner of
authentication (Windows, Basic, etc.)

Now, for more detail, if you want to post some of the records that you're
seeing (you should be able to follow the authentication trail via the ID's
in the audit records) I can help you identify what is going on and what the
anonymous access is all about.  It would help to know what type of server
this is, as well.

Rick Kingslan  MCSE, MCSA
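
To make Rick's advice concrete, here is an added example (my code, not from the thread or from Microsoft) that runs over constructed records laid out like the ones Cindy pasted: it throws away the machine-account, ANONYMOUS LOGON and SYSTEM noise, joins each 540/528 logon to its 538 logoff by Logon ID, and also picks up the Account Logon event 672 (Kerberos authentication ticket granted). The 672 matters because on a DC the 540s are network logons to the DC itself, while the user's actual workstation logon shows up as a 672 whose description, not its User column, names the user and the client address. User names, times, Logon IDs and addresses in the sample are made up, and the script assumes the log has been exported as text in the shape shown; nothing here calls the Windows API.

```python
"""Sift Windows 2000 DC security-log records down to human logons.

Added example.  Records below are constructed; the field layout follows the
description text Cindy posted, with a "<date> <time> <event id>" header line.
"""
import re

NOISE_USERS = {"ANONYMOUS LOGON", "SYSTEM"}
LOGON_EVENTS = {528, 540}   # successful logon: 528 (interactive etc.), 540 (network)
LOGOFF_EVENT = 538          # user logoff; carries the Logon ID of the matching logon
TICKET_EVENT = 672          # Kerberos authentication ticket granted (Account Logon)

SAMPLE_LOG = """\
2003-08-05 08:01:10 672
User Name: jdoe
Supplied Realm Name: LC_POLICE
Client Address: 10.1.2.33
---
2003-08-05 08:01:12 540
User Name: jdoe
Domain: LC_POLICE
Logon ID: (0x0,0x1A2B3)
Logon Type: 3
Authentication Package: Kerberos
Workstation Name: WS033
---
2003-08-05 08:01:13 540
User Name: PSDC1$
Domain: LC_POLICE
Logon ID: (0x0,0xCBE63)
Logon Type: 3
Authentication Package: Kerberos
Workstation Name:
---
2003-08-05 08:01:14 538
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xCB82F)
Logon Type: 3
---
2003-08-05 08:02:40 538
User Name: jdoe
Domain: LC_POLICE
Logon ID: (0x0,0x1A2B3)
Logon Type: 3
---
2003-08-05 08:03:05 538
User Name: asmith
Domain: LC_POLICE
Logon ID: (0x0,0x0F00D)
Logon Type: 3
"""


def parse_records(text):
    """Yield one dict per record: 'time', 'id', plus each 'Field: value' line."""
    for block in text.strip().split("---"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        m = re.match(r"(\S+ \S+) (\d+)$", lines[0])
        rec = {"time": m.group(1), "id": int(m.group(2))}
        for ln in lines[1:]:
            key, _, val = ln.partition(":")
            rec[key.strip()] = val.strip()
        yield rec


def is_noise(rec):
    """Machine accounts ($), ANONYMOUS LOGON and SYSTEM: routine service traffic."""
    user = rec.get("User Name", "")
    return user.endswith("$") or user.upper() in NOISE_USERS


def correlate(text):
    """Return (sessions keyed by Logon ID, ticket grants, unmatched logoffs)."""
    sessions = {}           # Logon ID -> user, workstation, type, logon, logoff
    ticket_grants = []      # 672: who authenticated and from which client address
    unmatched_logoffs = []  # 538 with no logon in this window; Logon IDs are only
                            # unique since the DC last booted, so never join across one
    for rec in parse_records(text):
        if is_noise(rec):
            continue
        eid = rec["id"]
        if eid == TICKET_EVENT:
            ticket_grants.append({"time": rec["time"], "user": rec["User Name"],
                                  "client": rec.get("Client Address", "")})
        elif eid in LOGON_EVENTS:
            sessions[rec["Logon ID"]] = {
                "user": rec["Domain"] + "\\" + rec["User Name"],
                "workstation": rec.get("Workstation Name", ""),
                "type": int(rec["Logon Type"]), "logon": rec["time"], "logoff": None}
        elif eid == LOGOFF_EVENT:
            sess = sessions.get(rec["Logon ID"])
            if sess is None:
                unmatched_logoffs.append(rec)
            else:
                sess["logoff"] = rec["time"]
    return sessions, ticket_grants, unmatched_logoffs
```

Call correlate() on a real export in the same shape in place of SAMPLE_LOG. On the sample it keeps exactly one session (LC_POLICE\jdoe from WS033, 08:01:12 to 08:02:40), one ticket grant (jdoe from 10.1.2.33) and one orphan 538 for asmith. The orphan list is the part a 3-year retention job has to take seriously: a 538 whose logon fell in the previous log file must be joined there, and because Logon IDs restart at boot, a join across a DC restart would pair the wrong events.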

RE: [ActiveDir] Power Options with GPO

2003-08-11 Thread Rick Kingslan
Marc,

Maybe Darren or others will weigh in on this more authoritatively than I,
but I do have a fair amount of experience with GP and I don't know of a .ADM
file that is going to help directly solve your problem.

However, you can write your own that can be imported into your GP console
and managed almost as if it was one of the supplied policies.  But - there
is a 'gotcha' - the GP entries will not be automatically removable.  IOW,
they will tattoo the registry, much like NT policies applied to clients.
These policy entries are applied directly to the specific registry entry and
not to the /policies subkey section reserved for GP and flushed when the
user logs off or the machine is shut down.

As long as you're aware of these limitations, you should be able to do
anything as long as you can identify the reg key and the associated
necessary values.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of De Schepper Marc
Sent: Sunday, August 10, 2003 4:38 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Power Options with GPO

I try to enforce a standard Policy for the POWER options in the control
panel so that everybody uses the same power settings, for desktops as well as
for portables.
I can't seem to find any ADM file for this. Is there somebody who can help
me on this one?

Marc

*

Dit e-mail bericht inclusief eventuele ingesloten bestanden kan informatie
bevatten die vertrouwelijk is en/of beschermd door intellectuele
eigendomsrechten. Dit bericht is uitsluitend bestemd voor de
geadresseerde(n). Elk gebruik van de informatie vervat in dit bericht
(waaronder de volledige of gedeeltelijke reproductie of verspreiding onder
elke vorm) door andere personen dan de geadresseerde(n) is verboden. Indien
u dit bericht per vergissing heeft ontvangen, gelieve de afzender hiervan te
verwittigen en dit bericht te verwijderen. 

This e-mail and any attachment thereto may contain information which is
confidential and/or protected by intellectual property rights and are
intended for the sole use of the addressees. Any use of the information
contained herein (including but not limited to total or partial reproduction
or distribution in any form) by other persons than the addressees is
prohibited. If you have received this e-mail in error, please notify the
sender and delete its contents. 

*
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Disaster recovery scenario comments requested.

2003-08-10 Thread Rick Kingslan
Joe, David, all - 

Interestingly, we've been looking at exactly the same thing. Due to our
remote site environment and network infrastructure, we could use any remote
as a DR site.  Given this, there is some level of non-consistent hardware in
the remote sites and we needed a solution that would allow a majority of
core business resumption in the shortest time.

VMWare or some 'virtual server' technology clearly is at the forefront of
our thoughts.  It simply means that a quick install or startup of the
services associated with the VM and the 'import', if you will, of the image
created at a timely period CAN be the best possible recovery.  At the worst,
it will give you the needed time to recover systems that one might consider
more traditional and would be used for on-going long term business.  At the
best, it might provide a model that could transform some systems to a
different model, as the actual running of the systems for business
resumption provide a 'trial-by-fire' proof that VM servers are viable
alternatives for some functions.

However, our testing continues - and it's interesting to hear the opinions
and reactions of those who are confused by the fact that it is possible to
run multiple servers on one physical machine.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Friday, August 08, 2003 10:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

Actually VMWare or more likely Virtual Server are what we are *starting* to
look at for a DR system. Basically the idea is to have a couple of nice
sized Physical Servers running multiple virtual servers that are domain
controllers for all Domains in the Forest. Every night one of the P-Servers
shuts down all of the Virtuals and copies off the disk images to some other
location for backup to tape. The next night the other P-Server does it. 

The beauty of this solution is that physical hardware becomes a lot less
important for your DR site or your test lab (yes you could bring these
images back up in a *segregated* test lab for testing of your production AD
and data...). You simply load up your server and then install your
virtualization software and then fire up your images and you are off to the
races... 

We actually just got the hardware in for this, which we will use to develop
the solution against the test environment and then once comfortable with it
will go prod with it. 

Personally I think this is about the most flexible and safe DR solution you
can have. I am not one for restoring AD from system state dumps. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chianese, David P.
Sent: Friday, August 08, 2003 7:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.


That would obviously kill the ghost image idea. I do however like the laptop
and more graceful way of transferring roles at the DR site.  I think I
hear the chimes of VMWare ESX Server calling.  Thanks for the feedback Don.
I see another idea in my head now too.  Alas, it's Friday and I'm late for
Happy Hour

-Dave

-Original Message-
From: Don Guyer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.


David,

We use similar methodology for our DR tests, by keeping a laptop
running as a DC on our live network, then transferring FSMO roles at the DR
site. This has worked flawlessly for us. We are now looking to be able to
restore our AD environment to a totally different server. Problem is, when we
do DR testing we usually get Compaq hardware, whereas we are a Dell shop
here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]


-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.


All, 

I want to run this DR situation by the group and see if anyone else can
identify any gotcha's in the process.  We are currently testing out a DR
scenario that involves off-site Domain controllers at a recovery center.
During normal operations the DR DC's are linked to our network via  VPN and
fractional T1 line in order for replication to occur.  When we declare a DR
test or go into a live DR situation where one of our sites becomes
unavailable for an extended period of time due to an outage, network issue
or terrorist incident (remember 9/11?) we bring the DR site up, seize the
PDC emulator role (to add workstations, accounts and perform other urgent
replication) and let our clients continue operations in all of our remote
locations with little interruption

RE: [ActiveDir] Turn off account lockout feature on a account.

2003-08-09 Thread Rick Kingslan
'system account' what? Not following you here, Rick.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
Sent: Friday, August 08, 2003 12:03 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Turn off account lockout feature on a account.

system account

  - Original Message -
  From: Myrick, Todd (NIH/CIT)
  To: '[EMAIL PROTECTED]'
  Sent: Thursday, August 07, 2003 9:54 PM
  Subject: RE: [ActiveDir] Turn off account lockout feature on a account.

  Thanks Joe,

  Just wanted to know if there might be someone who figured it out.

  Damn Exchange 5.5!

  Toddler

  -Original Message-
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 07, 2003 11:36 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Turn off account lockout feature on a account.

  Unfortunately this is not possible from anything I have ever seen.

  Be tricky and try to figure out how to make the service *safely* use the
  machine account (but not on a DC)... I don't think those can be locked out
  (though that is me guessing).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, August 07, 2003 10:14 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Turn off account lockout feature on a account.

  Does anyone know how to disable account lockout restrictions on a account,
  like a service account, but leave the rest of the accounts with the ability
  to be locked out?

  Thanks,

  Toddler


RE: [ActiveDir] Anonymous Logon

2003-08-07 Thread Rick Kingslan
Cindy,

I've evaluated and have recommended MonitorWare to our Security Director for
the needs of our environment which is combined Enterprise with Cisco,
Windows, Unix (all flavors) ACDs, and Tandem systems.

Clearly, our ability to send syslog formatted logs makes sense, as we're not
the only players, just a bit more adaptable.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Wednesday, August 06, 2003 3:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Does anyone have any experience with MonitorWare. Since I'll need a syslog
server, I'd like one that will also work with the logs on our Cisco devices?

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 23:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

If you're going to have to keep all audit entries, you're going to have a
tough time.  I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs.  This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon). 

The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication.  You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.

Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on.  They are irrelevant and generally
service and process related to normal operation of the network.  Do,
however, take note of the user logon and logoffs.  The Logon ID field will
stay with the user from Logon through the logoff of this session.  You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same.  One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server.  This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.

Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.

Hope this helps!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems
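The correlation Rick describes (pair each 540 with the 538 carrying the same Logon ID, ignore SYSTEM, machine-account and ANONYMOUS LOGON noise, then forward only the user sessions to a syslog server) as an added example in Python. It is not code from this thread or from any product named in it. The event records are constructed in the shape Cindy quoted: the field names are Microsoft's, the "Event ID:" line is my own framing, and every value (the user jsmith, workstation WS042, the Logon IDs) is made up.

```python
"""Correlate Windows 2000 security events 540 (successful network logon) and
538 (user logoff) by Logon ID and drop the SYSTEM / machine-account /
ANONYMOUS LOGON noise.  Added example, not code from the list thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Logon Type codes as Microsoft documents them for events 528/540.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials"}

# Constructed sample: one blank-line-separated "Key: Value" block per event.
SAMPLE_EVENTS = """\
Event ID:   540
User Name:  PSDC1$
Domain:     LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:

Event ID:   540
User Name:  jsmith
Domain:     LC_POLICE
Logon ID:   (0x0,0xD1A20)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   WS042

Event ID:   538
User Name:  ANONYMOUS LOGON
Domain:     NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

Event ID:   538
User Name:  jsmith
Domain:     LC_POLICE
Logon ID:   (0x0,0xD1A20)
Logon Type: 3
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the text into events and each event into its Key/Value fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def is_noise(ev: Dict[str, str]) -> bool:
    """The events Rick says to ignore: machine accounts ($), SYSTEM, anonymous."""
    user = ev.get("User Name", "").upper()
    return (user.endswith("$") or user in ("SYSTEM", "ANONYMOUS LOGON")
            or ev.get("Domain", "").upper() == "NT AUTHORITY")


@dataclass
class Session:
    logon_id: str
    user: str
    workstation: str
    logon_type: str
    logged_off: bool = False


def correlate_sessions(events: List[Dict[str, str]]) -> Tuple[List[Session], List[str]]:
    """Open a session on each 540 and close it on the 538 with the same Logon ID.

    Returns (sessions, orphans); orphans are 538s whose 540 is not in the
    input, e.g. because the logon happened before the log was collected.
    """
    sessions: Dict[str, Session] = {}
    orphans: List[str] = []
    for ev in events:
        if is_noise(ev):
            continue
        lid = ev["Logon ID"]
        if ev["Event ID"] == "540":
            sessions[lid] = Session(
                lid, f'{ev["Domain"]}\\{ev["User Name"]}',
                ev.get("Workstation Name", "") or "(none)",
                LOGON_TYPES.get(int(ev["Logon Type"]), "Unknown"))
        elif ev["Event ID"] == "538":
            if lid in sessions:
                sessions[lid].logged_off = True
            else:
                orphans.append(lid)
    return list(sessions.values()), orphans


def to_syslog_lines(sessions: List[Session]) -> List[str]:
    """One compact line per user session: the records worth keeping for 3 years."""
    return [f"{s.user} type={s.logon_type} ws={s.workstation} "
            f"logon_id={s.logon_id} state={'closed' if s.logged_off else 'open'}"
            for s in sessions]


if __name__ == "__main__":
    kept, _orphans = correlate_sessions(parse_events(SAMPLE_EVENTS))
    print("\n".join(to_syslog_lines(kept)))
```

Run against the constructed sample, the DC's own 540 and the anonymous 538 are dropped as noise and the single remaining line records who logged on, from where, and that the session closed; an orphan 538 (one whose Logon ID never appeared in a 540) is reported separately rather than silently dropped, since that is exactly the case where the retention gap is worth knowing about.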

RE: [ActiveDir] WOT Unreadable code (was Connection String)

2003-08-05 Thread Rick Kingslan
Todd,

If you're working with Microsoft, have them contact or engage Steve Riley.
He's a 'softie that has specific experience in large environments
(previously telecoms) and I seem to remember the last time we talked he was
with some area of the Security practices - though I can't specifically state
where.  He is in Redmond now (last I knew), and has published some very
interesting and promising work on AD over/through/around firewalls using
IPSec and other advanced technologies.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Tuesday, August 05, 2003 3:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Well we are currently redesigning our Site Topology due to several
organizations setting up firewalls and thinking they are guarding against
Neo and the Matrix Gang.  One thing we are working with Microsoft on is
optimized Hub and Spoke topology by creating sites for networks that are
behind firewalls.  We want to address a couple of things here in the design
as well.  Failover DDNS service, Deployment of an Enterprise Level Directory
Tripwire tool, and Enterprise Directory Monitoring.  What would be cool is
if there was a directory optimization tool as well.  One that would set DNS
SRV record Priorities.  I haven't had a chance to look at the latest version
of DT to see if it is in there yet.

Part of the Firewall configuration is to set a static port.  The question is:
is one port enough?  I was reading some Backup Exec documents and they
recommended that their application have at least 20 ports open for their
DCOM object.  Anyone have experience here and want to help a brother out?

Toddler



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 3:58 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


What's up Todd? You have a hankerin' for some chicken?

And I probably should stop wasting everyone's inbox capacity with this
silliness... Doesn't someone have some AD problems that need fixing?

-gil


-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Gil, you should give one out for every Enterprise purchase of Netpro
Products.

Todd Myrick

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 3:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


John,

Stella has put the world-famous Official DEC Screaming Yellow Rubber Chicken
in the mail, so you should get it by the end of the week or so. When you do
get it, be sure to give it a good squeeze.

When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name)
told me that someone in his office had received one and the noise was
driving him crazy. Scratch the chicken off the list of how to win friends
and influence people.

-gil


-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Gil, 
I'm not THAT old! Man, next you'll be implying that I built the
DARPAnet! 
(and we all know it was Al Gore who's responsible for that!) *grin* Nah, I
just have a fondness for old, dead languages and remembered seeing that one
before. I actually had a book mark to a history of computing type doc that
had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times
and budgets being what they are. But I'll take the chicken... sounds like
cool geek-schwag :^)

 John A. Bjelke 
  Unisys
 505.853.6774
  [EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane
mittam.



-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)


Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on
Unisys minis? Or did you just get lucky with Google? :)

I'm thinking that your answer deserves a world-famous Official DEC Screaming
Yellow Rubber Chicken, whose hideous screech is known to strike fear in the
hearts of dogs, cats, and small children.
 
Are you coming to DEC Ottawa? I can give it to you there, along with your
free beer. Otherwise, send me your shipping info offlist, and no beer for
you.

-gil

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 10:39 AM
To: '[EMAIL

[ActiveDir] E2k3 Planning guides

2003-08-01 Thread Rick Kingslan
Just found out over night that the Exchange 2003 Planning and Deployment
guides have been released, for those that are interested.  RSS is such a
cool thing

Enjoy!  (Watch for URL wrap.)

http://www.microsoft.com/downloads/details.aspx?familyid=9fc3260f-787c-4567-bb71-908b8f2b980d&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=77b6d819-c7b3-42d1-8fbb-fe6339ffa1ed&displaylang=en

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GP overridden

2003-07-31 Thread Rick Kingslan
Charles,

I'd suggest strongly not to conclude that there's a problem simply because
of this output.  If you aren't seeing errors, there are no problems on the
system (i.e. incorrect behavior, crashing, improper application of GPO or
missing / incorrect settings) and the Application and System Event logs are
not showing anything other than the successful SceCli messages - I'd not get
too worried.

Now, Tony mentioned that it's not a good idea to mess with the Default
policies in Windows 2000.  He's right, but I'm going to contradict my good
friend Mr. Murray.  I don't know of anything that READS the NAME of the
policy.  Much like a user, group or computer being identified by SID rather
than display name, the Default policies are identified by GUID.  You cannot
delete the Default policies and recreate them by simply creating a new
policy and naming them Default Domain Policy or Default Domain Controller
Policy and expect them to work.  The GUID must be exact.

So, IMHO, if you want to rename it - you can.  However, I'd leave it alone
lest you forget what it really is and delete it - which, sadly, would be
much worse than the report of duplicate objects in GPRESULT

===

Wait - I just thought of a situation where I have seen duplicate GPO names
in GPRESULT.  This was caused by a conflict resolved object that was visible
via GPRESULT.  I found it by using ADSIEdit and drilling into the Domain
NC/System/Policies node.  Here I found an object prefixed with a CNF: that
needed to be removed.

Caveat - this is NOT an operation to be taken lightly!  AND!  In my case it
was NOT the Default Domain Policy.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charles Campbell
Sent: Thursday, July 31, 2003 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP overridden

Well, I must have a serious problem...
I changed the name back to Default Domain Policy. Rebooted the server.
Waited approximately 30 minutes, then ran GPResult from the Server. Below is
the result: (More info after results)

User Group Policy results for:

  CN=Administrator,CN=Users,DC= X,DC=com

  Domain Name:  X
  Domain Type:  Windows 2000
  Site Name:Default-First-Site-Name

  Roaming profile:  (None)
  Local profile:C:\Documents and Settings\Administrator

  The user is a member of the following security groups:

X\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
X \Group Policy Creator Owners
X \Domain Admins
X \Schema Admins
X \Enterprise Admins
X \OWS_4001231503_admin
X \OLAP Administrators


###

Last time Group Policy was applied: Thursday, July 31, 2003 at 2:09:33 PM
Group Policy was applied from: mainserver.mainserver.com


===


The user received Registry settings from these GPOs:

LAN Policy
LAN Policy


===
The user received Internet Explorer Branding settings from these GPOs:

Default Domain Policy
Default Domain Policy



###

  Computer Group Policy results for:

  CN=MAINSERVER,OU=Domain Controllers,DC=X,DC=com

  Domain Name:  X
  Domain Type:  Windows 2000
  Site Name:Default-First-Site-Name


  The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
X\MAINSERVER$
X \Domain Controllers
X \Domain Admins
X \Schema Admins
X \Enterprise Admins
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
X \DnsAdmins

###

Last time Group Policy was applied: Thursday, July 31, 2003 at 2:05:14 PM
Group Policy was applied from: X.X.com


===


The computer received Registry settings from these GPOs:

Local Group Policy
LAN Policy
LAN Policy


===
The computer received Security settings from these GPOs:

Local Group Policy
Default Domain Policy
Default Domain Policy


===
The computer received EFS recovery settings from these GPOs:

Local

RE: [ActiveDir] how to re-establish a w2k trust after offline for more than 60 days?

2003-07-31 Thread Rick Kingslan
What - you have a problem with the walking dead?  ;P

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, July 31, 2003 9:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to re-establish a w2k trust after offline for
more than 60 days?

Don't do it. Wipe the machine and manually remove from AD. You run the
chance of resurrecting dead objects because the tombstones have been
cleared. Rebuild the DC from the ground up. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, July 30, 2003 9:13 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] how to re-establish a w2k trust after offline for more
than 60 days?


Hi all,
We have a Windows 2000 test network where one of the child domain DCs
(the only one in that domain) was shutdown.  That was back in April (more
than 60 days).  Is there a tool (nltest?) I can use to reestablish the
trust?  Just trying to hit the road running tomorrow when I get back to the
testbed.  Thanks!
 
Mike Thommes
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Planning the migration from NT4 to AD

2003-07-31 Thread Rick Kingslan
See comments inline

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sharma, Shshank
Sent: Thursday, July 31, 2003 4:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Planning the migration from NT4 to AD

 This works well for a single domain.  

Dave, Any caveats for the multiple NT 4.0 domains ?
We do have another, smaller, not-so-AD-hungry-as-yet NT 4.0 domain that we
might consider merging into AD realm in the future. 
Would that be a problem ?

No, don't foresee this being a problem at all.  Process is pretty straight
forward, but you would have a few choices to make.  Should this be a child
of the existing domain(s), a new tree in the forest, a new forest, or a
migration of users, groups and computer objects into an existing domain.
Each obviously has its benefits and drawbacks, but would suffice for the
goal that you're seeking.

 Some things to watch:
 - make sure you know how you're going to handle DNS - whether you're 
 going to use existing DNS servers, which servers will use Microsoft's 
 DNS, whether you want AD-integrated DNS or not (you do!), etc.

I was thinking of having one DC at each site run a DNS server locally. So,
the root domain DC DNS server doesn't get overwhelmed. 
Sounds good ?

You could do this.  However, I have 2 AD DNS servers and 4 BIND servers
(forwarding and stub) with 16 remote sites.  We have about 6000 seats in our
metro campus and about 9000 in the 16 remotes.  Granted, we're fairly fat on
pipe because of our business (ATM at 45M burstable and some DS-3 in other
areas, a couple T-1's tossed in for nostalgia) but the load seen by our
network engineers is fairly small and our DNS servers are rarely taxed.
Peaks are when you'd expect - 8AM and 5PM.

Plus, we really like the fact that the DNS is centrally located and under
our control - exclusively.


 - if you'll have NT4 BDCs for awhile, have a plan on how to keep the 
 Netlogon replication in sync between the W2K DC environment (which 
 uses FRS), and the NT4 BDC environment (which uses LMRepl)

Yes,
http://download.microsoft.com/download/5/2/f/52f23d76-7d56-44d6-ad25-a95bf0be5516/11_CHAPTER_8_Upgrading_Windows_NT_4.0_Domains_to_Windows_Server_2003_Active_Directory.doc
{link may wrap} has a nicely documented procedure on this. I plan to follow
it.

Excellent guide.

Shshank

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

 
 -Original Message-
 From: Sharma, Shshank [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, July 30, 2003 11:37 AM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Planning the migration from NT4 to AD
 
 
 Am planning the migration from NT 4.0 domain to AD domain. We have a 
 single NT domain presently.
 Wondering if the the following is a possible migration path, and 
 solicit feedback on it
 
 1. Phase A: Do an in-place upgrade for the NT domain controllers to AD 
 Domain Controllers. No restructuring and no reorganization involved.
 Objective is to keep disruption as minimal as possible.
 2. Phase B: Introduce restructuring, by moving users into respective 
 Ous, delegations etc.
 
 Is there something obviously wrong that I am doing here ?
 
 Shshank Sharma
 QTC
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Local Admin

2003-07-31 Thread Rick Kingslan
By default, the Domain Administrator is a recovery agent, not the local
admin. However, even the Domain Administrator can be removed as a recovery
agent.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, July 31, 2003 9:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Not up on EFS as I use PGP but can't the local admin recover the data if
he/she/it wants to? And if so, it isn't really very safe.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On Behalf Of Rick Kingslan
  Sent: Wednesday, July 30, 2003 7:41 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Local Admin

   Means anyone who gets their hands on the machine is pretty much golden.

  Yeah, I think I'd subscribe a HEAVY dose of EFS for that company critical
  data because it's a minute away from being 'not yours anymore'.

  :-/

  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone

  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: Wednesday, July 30, 2003 3:19 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Local Admin

  Means anyone who gets their hands on the machine is pretty much golden.

  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

-Original Message-
From: Malcolm Reitz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

What about adding the NT Authority\Interactive account to the local
Administrators group? That should give the currently logged-on user
administrator privileges without having to explicitly name the user in the
Administrators group.

Malcolm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Making users admins on their "personal" computers is not at all appealing.
But beauty and appeals were not of great importance at the time. Remember,
it was a Management top-down mandate that had to be met as long as you want
the paychecks to keep coming :)

The idea of the startup script was exhaustively investigated and abandoned
due to the fact that the name of the Laptop owner is unknown, so you don't
know whom exactly you will be adding to the group. So, I could script a
query for the currently logged-on user and try to pass that as a parameter
to the main script, but of course that won't work because IF the user
already logs in, then the script won't be a startup script anymore, and the
script would then be executing in the context of the currently logged-on
user, who does not have the privilege to add him/herself to the admin group
- otherwise there would be no need for a script in the first place.

<bragging rights>

Finally found an interesting puzzle that will likely stump Joe :)

</bragging rights>

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Joe
Sent: Wed 7/30/2003 4:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Restricted groups can be great, say you want to keep schema admins empty all
of the time, you set the policy with no one in it and wham it is empty, then
someone has to know to add themselves to the policy and to the group, not
many hackers would think of that. Ditto but for setting specific members for
enterprise admins, domain admins, domain controller admins, etc or if you
want very specific admins for all machines on the network.

Your particular issue is an interesting one. Assuming only the user
him/herself would use the machine the first thing off the top of my head
would be to have a startup script for the machine that did a net localgroup
interactive /add

That doesn't really appeal to the security side of me and really relies on
physical security so no one else from the domain could log on to the machine
or no bad local regular user accounts existed. Really though I don't
recommend users being admins of their machines, usually your TCO goes way up
w
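Two points in this thread lend themselves to one check: Malcolm's suggestion of putting NT AUTHORITY\Interactive into the local Administrators group (which, as Roger notes, makes whoever is at the keyboard an administrator) and Joe's Restricted Groups idea of pinning a group's membership to a policy-defined list. The added Python below, which is not code from the thread or from any Microsoft tool, parses the text that NET LOCALGROUP prints, flags the broad well-known principals, and diffs the actual membership against an intended list the way a Restricted Groups policy would. The command output, the domain CORP and all member names are constructed.

```python
"""Audit a local Administrators group: flag principals that admit a whole
class of logon rather than named accounts, and diff the membership against
the list a Restricted Groups policy would enforce.  Added example, not code
from the list thread; the NET LOCALGROUP output and names are constructed.
"""
from typing import Dict, List, Tuple

# Constructed `net localgroup Administrators` output from a machine where
# Malcolm's suggestion has been applied.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
NT AUTHORITY\\INTERACTIVE
The command completed successfully.
"""

# Well-known principals whose membership is "everyone of a kind", not a list
# of named accounts.  Keys are upper-cased for case-insensitive comparison.
BROAD_PRINCIPALS: Dict[str, str] = {
    "NT AUTHORITY\\INTERACTIVE": "every user who logs on at the console",
    "NT AUTHORITY\\AUTHENTICATED USERS": "every domain and local account",
    "EVERYONE": "every account, including anonymous",
    "BUILTIN\\USERS": "every local user",
}


def parse_net_localgroup(output: str) -> List[str]:
    """Return the member lines between the dashed rule and the trailer."""
    members, in_list = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_list = True
            continue
        if line.startswith("The command completed"):
            break
        if in_list and line.strip():
            members.append(line.strip())
    return members


def flag_broad_members(members: List[str]) -> List[Tuple[str, str]]:
    """Pair each broad principal found in the group with the class it admits."""
    flagged = []
    for m in members:
        key = m.upper()
        # "Domain Users" is broad whichever domain it belongs to.
        if key.endswith("\\DOMAIN USERS"):
            flagged.append((m, "every account in the domain"))
        elif key in BROAD_PRINCIPALS:
            flagged.append((m, BROAD_PRINCIPALS[key]))
    return flagged


def diff_against_policy(members: List[str],
                        intended: List[str]) -> Tuple[List[str], List[str]]:
    """Restricted Groups semantics: members absent from the policy are to be
    removed, policy members absent from the group are to be added.
    Returns (extra, missing)."""
    have = {m.upper() for m in members}
    want = {m.upper() for m in intended}
    extra = sorted(m for m in members if m.upper() not in want)
    missing = sorted(m for m in intended if m.upper() not in have)
    return extra, missing


if __name__ == "__main__":
    current = parse_net_localgroup(SAMPLE_OUTPUT)
    for member, reason in flag_broad_members(current):
        print(f"BROAD: {member} admits {reason}")
    extra, missing = diff_against_policy(
        current, ["Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"])
    print("remove:", extra, "add:", missing)
```

Run on the constructed output the audit reports NT AUTHORITY\INTERACTIVE both as a broad principal and as a member the policy would strip, and CORP\Workstation Admins as the member the policy would add; comparisons are case-insensitive because NET LOCALGROUP and the policy UI do not agree on letter case.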

RE: [ActiveDir] Local Admin

2003-07-30 Thread Rick Kingslan
Title: Message



 Means anyone who gets their hands on the machine is pretty 
much golden.

Yeah, I think I'd 
subscribe a HEAVY dose of EFS for that company critical data because it's a 
minute away from being 'not yours anymore'.

:-/


Rick Kingslan MCSE, MCSA, MCTMicrosoft MVP - Active 
DirectoryAssociate ExpertExpert Zone - 
www.microsoft.com/windowsxp/expertzone 



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Roger 
SeielstadSent: Wednesday, July 30, 2003 3:19 PMTo: 
'[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Local 
Admin

Means 
anyone who gets their hands on the machine is pretty much 
golden.


-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 

  
  -Original Message-From: Malcolm Reitz 
  [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 30, 
  2003 3:44 PMTo: [EMAIL PROTECTED]Subject: RE: 
  [ActiveDir] Local Admin
  
  What about adding the 
  NT 
  Authority\Interactive account 
  to the local Administrators group? That should give the currently logged-on 
  user administrator privileges without having to explicitly name the user in 
  the Administrators group.
  
  Malcolm 
  
  -Original 
  Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 30, 2003 12:59 
  PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] Local 
  Admin
  
  
  
  Making users admins on their "personal" computers is not at all appealing. But beauty and appeals were not of great importance at the time. Remember, it was a Management top-down mandate that had to be met as long as you want the paychecks to keep coming :)

  The idea of the startup script was exhaustively investigated and abandoned due to the fact that the name of the Laptop owner is unknown, so you don't know whom exactly you will be adding to the group. So, I could script a query for the currently logged-on user and try to pass that as a parameter to the main script, but of course that won't work because IF the user already logs in, then the script won't be a startup script anymore, and the script would then be executing in the context of the currently logged-on user, who does not have the privilege to add him/herself to the admin group - otherwise there would be no need for a script in the first place.
  
  
  
  
  
  <bragging rights>

  Finally found an interesting puzzle that will likely stump Joe :)

  </bragging rights>

  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
  
  
  
  
  
  From: [EMAIL PROTECTED] on behalf of Joe
  Sent: Wed 7/30/2003 4:47 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Local Admin
  
  
  Restricted groups can be great. Say you want to keep schema admins empty all of the time: you set the policy with no one in it and wham, it is empty; then someone has to know to add themselves to the policy and to the group, and not many hackers would think of that. Ditto for setting specific members for enterprise admins, domain admins, domain controller admins, etc., or if you want very specific admins for all machines on the network.

  Your particular issue is an interesting one. Assuming only the user him/herself would use the machine, the first thing off the top of my head would be to have a startup script for the machine that did a net localgroup interactive /add

  That doesn't really appeal to the security side of me and really relies on physical security so no one else from the domain could log on to the machine or no bad local regular user accounts existed. Really though I don't recommend users being admins of their machines, usually your TCO goes way up when you do that.

  Other alternative would be some sort of perl script to do the job with a mapping file... I.E. Who's PC, who gets admins... etc.
  
  
  
-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 2:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin


While it is true that the Restricted Group will wipe out the existing members (I still don't understand the practical necessity of this group) and while it is true that you can indeed add a "KNOWN" user/group to any Local group on any domain member using the startup/shutdown machine option in GPO, I have a slightly different take on this question:

A while ago, I was faced with the unenviable task of making EVERY Laptop user a local admin on his/her Laptop. Yes, we now do this during initial installation of the Laptops. But at the time of this Management request, there we
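An audit check added to this thread (not code from any of the posters): it lists the local Administrators group and flags broad well-known principals, in particular NT AUTHORITY\INTERACTIVE (S-1-5-4), which is exactly what the `net localgroup ... interactive /add` startup script above leaves behind and what a Restricted Groups policy would silently remove on the next refresh. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later); the membership list at the bottom is constructed so it runs offline.

```powershell
# Added example, not from the thread. Audits the local Administrators group for
# broad, well-known principals. Adding NT AUTHORITY\INTERACTIVE (S-1-5-4) makes
# every interactively logged-on user an administrator, which is the "anyone who
# gets their hands on the machine is golden" situation discussed above.

# Well-known SIDs that should normally never be members of local Administrators.
$script:BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-7'      = 'NT AUTHORITY\ANONYMOUS LOGON'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Find-BroadLocalAdmin {
    <#
    .SYNOPSIS
      Returns the members of a group member list that are broad well-known principals.
    .PARAMETER Member
      Objects with Name and SID properties, as returned by Get-LocalGroupMember
      or constructed by hand for testing.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Member
    )
    foreach ($m in $Member) {
        $sid = [string]$m.SID   # SecurityIdentifier and plain string both stringify
        if ($script:BroadPrincipals.ContainsKey($sid)) {
            [pscustomobject]@{
                Name   = $m.Name
                SID    = $sid
                Reason = "well-known broad principal ($($script:BroadPrincipals[$sid]))"
            }
        }
    }
}

function Test-LocalAdministrators {
    <#
    .SYNOPSIS
      Reads the live Administrators group and reports broad principals.
      Assumption: Microsoft.PowerShell.LocalAccounts is available (Windows 10/2016+).
    #>
    $members = Get-LocalGroupMember -Group 'Administrators'
    $hits = @(Find-BroadLocalAdmin -Member $members)
    if ($hits.Count -eq 0) {
        Write-Host "OK: no broad principals in $env:COMPUTERNAME\Administrators"
    } else {
        Write-Warning "$($hits.Count) broad principal(s) in $env:COMPUTERNAME\Administrators"
        $hits | Format-Table -AutoSize | Out-Host
    }
    return $hits
}

# Constructed sample (offline): what the group looks like after a startup script
# ran "net localgroup Administrators interactive /add" under the machine account.
$sample = @(
    [pscustomobject]@{ Name = 'LAPTOP01\Administrator';   SID = 'S-1-5-21-1111-2222-3333-500' }
    [pscustomobject]@{ Name = 'CORP\Domain Admins';       SID = 'S-1-5-21-4444-5555-6666-512' }
    [pscustomobject]@{ Name = 'NT AUTHORITY\INTERACTIVE'; SID = 'S-1-5-4' }
)
# Only the INTERACTIVE entry is flagged; the two SID-specific members are not.
Find-BroadLocalAdmin -Member $sample | Format-Table -AutoSize

# Live check on a domain member (requires the LocalAccounts module):
# Test-LocalAdministrators | Out-Null
```

Because the startup script runs as SYSTEM before anyone logs on, nothing in the user's own session ever shows the change; a periodic run of this audit (or a Restricted Groups policy that pins the membership) is how it gets noticed.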

RE: [ActiveDir] Windows 2000 VPN

2003-07-28 Thread Rick Kingslan
Richard,

I think that you used the proper approach to the solution.  Doesn't really
matter what IP range you use, as long as you are using a private range.
Your office is using one, and you are now using another at home.  Beauty of
classless subnets is that you can take the 192.168 and do whatever you want
with it.

If you still want the 192.168 at home, great.  Use 192.168.10.0/24 at home
and you're clear of the issues at the office.  Elsewise, I'd just keep the
10.0.0.0 net and pare it down to a 24 or 25 bit (27?) bit mask.  Whatever
works for you - that's what is truly nice about the classless stuff.

Good job on figuring it out, too!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Sumilang
Sent: Monday, July 28, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Windows 2000 VPN

Ok here's how I got things working but I don't know if this is the best way
to do things. On the office network, they use the ips of
192.168.0.X/24 and at home network I use the same, 192.168.0.X/24. 
Problem is, when I was logging in the VPN I got two IP addresses, one from
my home like 192.168.0.7 and one from the VPN 192.168.0.150. Now, when I was
trying to connect to another computer or server I guess my computer gets
confused when I say connect to 192.168.0.1 and it tries to connect to my
network which I don't want it to. So basically what I had to do was change
the IP addresses on my network to use a different range, now my network is
10.0.0.1/8 while the office uses
192.168.0.X/24 so when I connect to the VPN and I tell it to connect to
192.168.0.20 it then knows which network to use. Is there a better way to do
this rather than changing my home network configuration? Maybe subnets or
something?

On Monday, July 28, 2003, at 05:37  AM, Andries Thijssen wrote:

 Richard,

 We use an L2TP VPN, so disclaimers apply. But by default after making 
 the connection the VPN tunnel is used as the default route. (This can 
 be disabled in the advanced TCP/IP properties of the VPN connection.)

 You use only one NIC in the RRAS server? I expect at least two: one 
 connected to the internet and one connected to your internal network.

 When connected, using the client can you ping hosts on your internal 
 network by name? If you run ipconfig /all on your client, do you have 
 an IP address from your office LAN?
 If not, on your VPN server, go to routing & remote access, right-click 
 the server name - properties, access the tab for IP. Make sure the 
 proper adapter is selected for 'Use the following adapter to obtain 
 DHCP, DNS and WINS addresses for dial-up clients'. Otherwise the 
 server cannot contact the DHCP server and will give out addresses in 
 that 19x.x.x.x range that Windows 2000 and XP default to, which in 
 turn screws up your routing.

 Andries

 -Original Message-
 From: Richard Sumilang [mailto:[EMAIL PROTECTED]
 Sent: 26 July 2003 09:43
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Windows 2000 VPN


 Rick,

 On Friday, July 25, 2003, at 11:21  PM, Rick Kingslan wrote:

 Richard,

 Thinking about this for a few minutes while I was working on 
 something else made me think that there might be something else that 
 is being missed.
  What
 is the configuration of the NICs in the RRAS server?  You only have 
 one with a default gateway configured, correct? And the other gateway 
 is configured via the 'route' command, yes?

 I only have one NIC on my server and only one configuration to the 
 gateway. I don't have another gateway configured via the route command.

 Windows is only capable of handling one default gateway through the 
 GUI.
 The rest have to be configured through route statements.  Could this 
 be a part of the problem?  I suspect that you're having an easy time 
 getting TO the RRAS box over the external connection, but nothing is 
 getting out to the internal network because it has no path that it 
 can follow.

 This could be the whole problem since I didn't know I have to 
 configure any route commands. You're right on the dot when it comes to 
 no external data getting out of the network.

 Does this make sense?  If you have 4 NICs in a RRAS box, only one can 
 have a DG configured - the other three must be set via route command 
 statements.

 Well I only have 1 NIC?

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Richard 
 Sumilang
 Sent: Friday, July 25, 2003 9:48 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Windows 2000 VPN

 Ok here's the deal. I set up Microsoft's VPN Service with the wizard 
 provided when going to the Routing and Remote Access program. I 
 thought just following that and testing
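A worked check added to this thread (not code from any of the posters) for the address-overlap problem Richard hit: when the home LAN and the office LAN behind the VPN both use 192.168.0.0/24, the client cannot tell which interface a 192.168.0.x destination belongs to. The functions below compute the network block for an address/prefix and test two blocks for overlap; the office range and candidate home ranges are the ones mentioned in the thread.

```powershell
# Added example, not from the thread. Works in Windows PowerShell 3+ and PowerShell 7.

function ConvertTo-IPv4Int {
    # Dotted-quad string -> 64-bit integer (avoids signed 32-bit wraparound).
    param([Parameter(Mandatory)] [string] $Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [long](([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3])
}

function ConvertFrom-IPv4Int {
    param([Parameter(Mandatory)] [long] $Value)
    '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                         (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-IPv4Network {
    # Returns the first and last address (as integers) covered by "address/prefix".
    param([Parameter(Mandatory)] [string] $Cidr)
    $addr, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "bad prefix length in $Cidr" }
    $size  = [long]1 -shl (32 - $prefix)   # number of addresses in the block
    $ip    = ConvertTo-IPv4Int $addr
    $first = $ip - ($ip % $size)           # network address (host bits cleared)
    [pscustomobject]@{
        Cidr    = $Cidr
        Network = '{0}/{1}' -f (ConvertFrom-IPv4Int $first), $prefix
        First   = $first
        Last    = $first + $size - 1
    }
}

function Test-SubnetOverlap {
    # True when at least one address is covered by both blocks.
    param(
        [Parameter(Mandatory)] [string] $CidrA,
        [Parameter(Mandatory)] [string] $CidrB
    )
    $a = Get-IPv4Network $CidrA
    $b = Get-IPv4Network $CidrB
    ($a.First -le $b.Last) -and ($b.First -le $a.Last)
}

# Office LAN as described in the thread, and the home ranges that came up:
# the original clash, Rick's 192.168.10.0/24 suggestion, Richard's 10.0.0.1/8,
# and the pared-down /24 Rick proposed.
$office = '192.168.0.0/24'
$results = foreach ($homeCidr in '192.168.0.7/24', '192.168.10.0/24', '10.0.0.1/8', '10.0.0.0/24') {
    $net = Get-IPv4Network $homeCidr
    [pscustomobject]@{
        HomeAddress    = $homeCidr
        HomeNetwork    = $net.Network
        OverlapsOffice = Test-SubnetOverlap $homeCidr $office
    }
}
$results | Format-Table -AutoSize
```

Only the first candidate overlaps the office block; any of the other three leaves the VPN-assigned 192.168.0.x address as the sole route to office hosts.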

RE: [ActiveDir] DNS zones for domains in same forest

2003-07-28 Thread Rick Kingslan
Your MS person is talking about the classic 'DNS Island' issue that can come
up.  The issue is that the forest records should be hosted on other DNS
servers in the event that the Forest Root DNS servers become unavailable
(and the DNS server is a DC and pointing at itself AND is authoritative for
the forest records) - hence creating a DNS 'island' with no one being able
to resolve the Forest records.

Creating secondaries of the DCGUID_msdcs records into the other domains
prevents this problem in the event that the DNS becomes isolated or
unavailable.

Look here for more on this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;275278

It's an interesting problem that is fairly easy to model with VMWare and 3
copies of Win2k.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 28, 2003 1:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS zones for domains in same forest

I am sure I am missing the obvious. 

We have a W2K forest with 2 trees and 6 domains. Three domains per tree. Our
DNS is AD integrated. 

Our MS rep says each domain must have a secondary zone that points to any
other domains in the forest. (i.e.  in main.master.local create a secondary
zone from master.local and vice versa for every domain.) I thought AD could
handle this internally. Am I wrong - again? Many thanks!

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
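A check added to this thread (not code from any of the posters) for the DNS island condition Rick describes: a forest-root DC that is authoritative for the forest's _msdcs records and whose own DNS client points only at itself. The pure function takes its inputs as parameters so it can run offline on the constructed sample; the live wrapper assumes the ActiveDirectory, DnsServer and DnsClient modules (Server 2012 and later) on the DC being checked, and the zone names come from the poster's master.local forest.

```powershell
# Added example, not from the thread. Detects the KB 275278 "DNS island":
# if this DC is the only server that can resolve the forest _msdcs records and
# it only ever asks itself, losing its zone data leaves the forest unresolvable.

function Test-DnsIsland {
    <#
    .PARAMETER ForestRoot        Forest root DNS name (e.g. master.local).
    .PARAMETER LocalAddresses    IPv4 addresses bound to this server.
    .PARAMETER DnsClientServers  DNS servers configured on this server's NICs.
    .PARAMETER HostedZones       Zones hosted by the local DNS server: objects with
                                 ZoneName and ZoneType, as from Get-DnsServerZone.
    #>
    param(
        [Parameter(Mandatory)] [string]   $ForestRoot,
        [Parameter(Mandatory)] [string[]] $LocalAddresses,
        [Parameter(Mandatory)] [string[]] $DnsClientServers,
        [Parameter(Mandatory)] [object[]] $HostedZones
    )
    $msdcs = "_msdcs.$ForestRoot"

    # Authoritative for the forest records: primary for _msdcs.<root> or for the root zone itself.
    $authoritative = @($HostedZones | Where-Object {
        $_.ZoneType -eq 'Primary' -and ($_.ZoneName -in @($msdcs, $ForestRoot))
    })

    # "Points only at itself": every configured DNS server is one of our own addresses.
    $self = @('127.0.0.1', '::1') + $LocalAddresses
    $foreign = @($DnsClientServers | Where-Object { $_ -notin $self })
    $pointsOnlyAtSelf = ($DnsClientServers.Count -gt 0) -and ($foreign.Count -eq 0)

    $island = ($authoritative.Count -gt 0) -and $pointsOnlyAtSelf
    $advice = if ($island) {
        "List another DC's DNS server first (self second) and host $msdcs as a secondary zone on DNS servers in the other domains."
    } else {
        'No DNS island condition detected.'
    }
    [pscustomobject]@{
        ForestRoot         = $ForestRoot
        AuthoritativeZones = @($authoritative | ForEach-Object ZoneName)
        DnsClientServers   = $DnsClientServers
        PointsOnlyAtSelf   = $pointsOnlyAtSelf
        IsDnsIsland        = $island
        Recommendation     = $advice
    }
}

function Test-DnsIslandLive {
    # Gathers the live inputs on a DC. Assumes the ActiveDirectory, DnsServer and
    # DnsClient modules are present (Windows Server 2012 and later).
    $root  = (Get-ADForest).RootDomain
    $addrs = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)
    $dns   = @((Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Sort-Object -Unique)
    $zones = @(Get-DnsServerZone | Select-Object ZoneName, ZoneType)
    Test-DnsIsland -ForestRoot $root -LocalAddresses $addrs -DnsClientServers $dns -HostedZones $zones
}

# Constructed sample: forest-root DC for master.local, DNS client pointed only at itself.
$zones = @(
    [pscustomobject]@{ ZoneName = 'master.local';        ZoneType = 'Primary' }
    [pscustomobject]@{ ZoneName = '_msdcs.master.local'; ZoneType = 'Primary' }
)
# Island: the only DNS server it knows is its own address.
Test-DnsIsland -ForestRoot 'master.local' -LocalAddresses @('10.1.1.10') `
    -DnsClientServers @('10.1.1.10') -HostedZones $zones | Format-List

# Same DC after a peer DC is listed first: not an island.
Test-DnsIsland -ForestRoot 'master.local' -LocalAddresses @('10.1.1.10') `
    -DnsClientServers @('10.1.1.11', '10.1.1.10') -HostedZones $zones | Format-List
```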



RE: [ActiveDir] Do you allow users to add computers to AD themselves?

2003-07-28 Thread Rick Kingslan
David,

I change the default value because I only want Technical Services staff
(whom I delegate the permissions and the right) and Domain Admins to be able
to add machines.  Otherwise, I want to know that it's going to happen - and
one can request that a computer object be created and Lan Administration
will create it.

To accomplish this, I remove the ability of anyone else to be able to join
machines and reduce the value to 0 (zero) so that the average Joe (no
offense, Joe) cannot add a machine as by default, they can add up to 10.

Not on my network, they can't  ;P

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Monday, July 28, 2003 1:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do you allow users to add computers to AD
themselves?

Rick,

I'm curious why you take the extra step of changing the default value?  Just
extra cautious or is limiting it via the User Right not reliable?


As a practice of our environment, the less interaction the users have with
our AD, the better.  I've taken the default 10 to 0, and have a group for
our Technical Services people created and delegated so that they can manage
and maintain RISing of systems as well as the joining and removal of
systems
as part of their responsibility in the company.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, July 25, 2003 6:04 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Do you allow users to add computers to AD themselves?

We're having some internal debates at work and I'm curious how other people
do it and their reasons.  I know authenticated users can add up to 10
computers to AD, but do you leave it at that or restrict it to some type of
admin group?



--
David



RE: [ActiveDir] Windows 2000 VPN

2003-07-26 Thread Rick Kingslan
Michael,

You are correct in this, but I suspect we're past this point as he is making
it to the authentication on the VPN (RRAS) server.  So, I think the PPTP
stuff is taken care of.  I suspect that there is something on the RRAS box
that is not getting information from the RRAS out to the network.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Saturday, July 26, 2003 12:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 VPN

You've gotta pass protocol 47 (GRE) as well as TCP port 1723.

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2003 10:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2000 VPN


Ok here's the deal. I set up Microsoft's VPN Service with the wizard provided
when going to the Routing and Remote Access program. I thought just
following that and testing that the client connects fine is all I needed to
do. I set the router to forward all data coming from port
1723 to the server also. I just got home, start up my personal computer
running Windows 2000 and create a VPN connection to the office and it
connected and authenticated my user information fine.

Now here's the problem, I thought when I VPN into a network it is like
actually physically being there with your computer so thus I should be able
to ping and connect to shared files on the network but I can't? I don't see
anything?!?!?!?! All I get is this little monitor connection sitting in my
system tray saying that I am connected. I also thought it would be
interesting to check the IP I am when I go to the internet and it gave the
office's IP http://www.whatismyip.com/ and my internet IP when I disconnect
so thus I know something is working.

Can anyone help me with this problem? I want to be able see all the
computers on the network, ping them, and access shares.

Thanks
- Richard S.



RE: [ActiveDir] Space on computer

2003-07-25 Thread Rick Kingslan
when they want a file restored, we cannot even write to the folder

But, the Backup Operator can ;-)


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
Sent: Friday, July 25, 2003 1:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Space on computer

we don't give the users full control, that way they cannot keep us out; when they want a file restored, we cannot even write to the folder.

  - Original Message -
  From: Rick Kingslan
  To: [EMAIL PROTECTED]
  Sent: Thursday, July 24, 2003 10:28 PM
  Subject: RE: [ActiveDir] Space on computer

  Just being the Administrator or some authority on the server can't prevent the users from removing you from access to their private folders (or any other folders or files where they have the ability to modify permission). In many companies it is a common practice to allow users Full Control of their files and directories, or this might be granted by the Creator Owner special principal.

  Regardless of how it's granted, if the administrator permissions are removed, you have no rights to them - unless, of course, you take ownership.


  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Juan Ibarra
  Sent: Thursday, July 24, 2003 6:17 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Space on computer

  If you have administrator rights shouldn't that give you access to all files?

  Page file is set to 384MB. I have deleted internet files and cookies as well.

  Thanks
  Juan
  
  
  

-Original Message-
From: Crenshaw, Jason [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2003 3:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Space on computer

The properties only calculate what you have rights to access. No access... no file size counted against properties. You need to find a utility that uses the backup operator bit, something like TreesizePro or another space calculating tool.

Jason

-Original Message-
From: Juan Ibarra [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2003 4:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Space on computer

Hello to all, sorry for the off topic question but this I can't find an answer to.
I have a Windows 2000 Professional machine with a 12G HD with two partitions.
C:\ is 9G
D:\ is 3G
C:\ says that it has 2G left of free space. If I unhide all hidden and system files and right click on them and go to properties, it tells me it is using 5Gs.
My question here is: Where are the other 2Gs? I have done defrag on the disk and I don't seem to recover the missing space. Any comments would be appreciated.
Thanks, Juan
  


RE: [ActiveDir] Why not allow users to add computers to AD?

2003-07-25 Thread Rick Kingslan
It all relates to two very specific reasons in our company - secure control
of company assets (the network and AD) and liability.  We provide
specifically built computers to perform functions for our workers and we
also have a staff of people who are paid to maintain them.

I don't want anyone bringing just anything in and plugging just any computer
in (this also prevents, to a great degree, the rogue servers) without our
knowledge.  Also, the security of our environment I take very seriously -
and I can't control what's on the network and in AD if I let just anyone
with a logon to add computers to it.  Finally, I can't, nor does the company
want to, be responsible for our workers' personal systems.   They can use
them at home - I don't want the liability of them at work.  Period.

That's the long and short of it.  :-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, July 25, 2003 7:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Why not allow users to add computers to AD?

Like I thought, most people seem to not allow normal users add computers to
AD.  I'm curious why.  For any specific concerns or just general precaution
in wanting a more controlled Directory?



RE: [ActiveDir] Windows 2000 VPN

2003-07-25 Thread Rick Kingslan
Richard,

Need to know a bit more about how the VPN is connected, routing, size of the
network, switched, routed, etc.  Just having a VPN server on the network MAY
NOT give you access to everything there - unless the routing and ACLs on the
routers/switches are configured to allow such.

However, I am glad to hear that the VPN is working and that the PPTP config
helped.  I hope that I was of some assistance on getting that done, and hope
I can continue to be of assistance on this.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Sumilang
Sent: Friday, July 25, 2003 9:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2000 VPN

Ok here's the deal. I set up Microsoft's VPN Service with the wizard provided
when going to the Routing and Remote Access program. I thought just
following that and testing that the client connects fine is all I needed to
do. I set the router to forward all data coming from port
1723 to the server also. I just got home, start up my personal computer
running Windows 2000 and create a VPN connection to the office and it
connected and authenticated my user information fine.

Now here's the problem, I thought when I VPN into a network it is like
actually physically being there with your computer so thus I should be able
to ping and connect to shared files on the network but I can't? I don't see
anything?!?!?!?! All I get is this little monitor connection sitting in my
system tray saying that I am connected. I also thought it would be
interesting to check the IP I am when I go to the internet and it gave the
office's IP http://www.whatismyip.com/ and my internet IP when I disconnect
so thus I know something is working.

Can anyone help me with this problem? I want to be able see all the
computers on the network, ping them, and access shares.

Thanks
- Richard S.



RE: [ActiveDir] Do you allow users to add computers to AD themselves?

2003-07-25 Thread Rick Kingslan
Too cool.  I like this A LOT!

And, *I'd* get fired in a heartbeat for doing it! :-D

But, I still LIKE IT!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Friday, July 25, 2003 10:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do you allow users to add computers to AD
themselves?

We allow local site admins to create and join workstations. We require them
to submit tickets to the domain admins to create server objects. We have a
script that scans the domains and if we find server objects in workstation
OU's (i.e. not created by the domain admins) we put them in jail - i.e. an
OU only enterprise admins have access to and wipe the ACL on the server
object and disable it. It prevents them from using it and reusing the name.
Also if we find workstations not following the standards we jail them as
well. 


  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, July 25, 2003 7:04 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Do you allow users to add computers to AD themselves?


We're having some internal debates at work and I'm curious how other people
do it and their reasons.  I know authenticated users can add up to 10
computers to AD, but do you leave it at that or restrict it to some type of
admin group?



RE: [ActiveDir] Duplicate group memberships

2003-07-21 Thread Rick Kingslan
Thomas,

Did you use ADMT to migrate from one domain to another (or forest) with
SidHistory enabled?  If so, that's the reason that you're seeing it.  I
haven't delved deeply enough into it to understand at an atomic level why,
but I suspect that it has something to do with the way that SIDs are
resolved with SidHistory.

But, yes - I have seen this.  On most occasions, it seems to end up
resolving itself, but there are a few user and computer accounts that I
still have dupes for.  They seem to cause no ill effect, and regardless of
which one I operate on the modification of the object is effective.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas
Sent: Sunday, July 20, 2003 1:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Duplicate group memberships

couple of days ago I noticed some strange things in our active directory:

there are two accounts, one user account and a machine account, that are
listed twice as members of domain users respectively domain computers. I
always believed this was impossible under every circumstances, but this
proved me wrong. every tool I use, including MS's 'Active Directory Users
and Computers' gives me duplicate entries for the account membership lists
as well as for the group members lists. since I could not find a way to
reproduce this on another account, I suppose it must have happened during
migration from win nt 4.0.

so, has anyone else experienced this phenomenon or does anybody know
the real reason for this?



RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Rick Kingslan
Yep - makes sense.  But, I'll have to test this, as I'm not sure on that
Roger.  I've done lots of delegation for our Remote sites, and I don't
recall anything other than the user being associated with a process through
ADUC.  Guess I'll have to bust out the Winternals tools and have a look

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, July 21, 2003 6:01 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

Probably won't work.

The deny is on the file system, but it all depends what's really writing to
that file system now, doesn't it? For instance, when you make a change via
ADUC, I'd expect that you're interacting with a service (LSASS or NetLogon,
most likely) on the DC. That service is what's actually writing to the
directory, so the deny isn't applicable.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Saturday, July 19, 2003 10:31 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Installation Priviledges only on a DC
 
 
 Then, given the end goal, (thinking here...might be a flaw) why not 
 deny that same group permissions to the %SystemRoot%\NTDS directory?  
 If the issue is AD and then mucking with the AD files themselves on 
 the DC, just deny them.  Unless I'm mistaken (and given that I've just 
 gotten up... It's
 possible) the deny should override other permissions.
 
 (Now, Joe - what am I missing...?? ;0)  )
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh
 Sent: Friday, July 18, 2003 11:43 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Installation Priviledges only on a DC
 
 The only hole is that it still affords them rights to make screw ups 
 to the actual .dit file...
 
 -m
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John Moran
 Sent: Friday, July 18, 2003 3:00 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Installation Priviledges only on a DC
 
 A quick down and dirty way to solve it would be to create an admin 
 account for each person like ADMIN_username, then put them in a group, 
 put the group in domain admins, and then place an explicit deny all at 
 the root of the domain for the new group and let it trickle down 
 through inheritance.  Watch who has rights to the group or you could 
 wind up letting someone lock you out.
 
 This will give them local administrative rights to the dc's without 
 let them muck up AD.
 
 They still can do damage through RUN AS and some other exploits, but 
 they would really have to go out of their way and if you mistrust them 
 that much they should not touch a dc at all.
 
 Let me know if that works
 
 -John
 --- Bond, Simon [EMAIL PROTECTED] wrote:
  Basically my boss wants to give the server team the ability
 to install
  updates and patches, etc on domain controllers but not give them 
  domain admins permissions. Is this possible? My gut feeling is no.
  -Original Message-
  From: Marcus Oh [mailto:[EMAIL PROTECTED]
  Sent: 18 July 2003 02:38
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installation Priviledges only on a DC
  
  
  Eh?  You want to allow someone else to change AD in some
 way?  BAD!  
  BAD!
  :-)  What's the proposition???
   
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Bond, Simon
  Sent: Thursday, July 17, 2003 10:15 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Installation Priviledges only on a DC
   
  Is there a way to create a user who can log onto a DC and install 
  software on it but not be a domain admin? To me logically you would 
  have to be since a piece of software you might be
 installing may need
  to alter AD in some way. However, this is what I have been
 asked to do
  so I was hoping someone may be able to tell me one way or another.
   
  Cheers
   
  Simon
  
  

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Rick Kingslan
And, yep - that's what my research today showed as well.  Netlogon, LSASS -
not much difference when you can't block the process from writing when you
need to

Ah, well

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, July 21, 2003 9:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

You can be logical and still be wrong, Seielstad - Mr. Howard, my 10th
grade Chemistry teacher, still rings through my head some days.

It is LSASS, which of course *is* NetLogon. According to process explorer,
at least.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 21, 2003 9:24 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Installation Priviledges only on a DC
 
 
 Yep - makes sense.  But, I'll have to test this, as I'm not sure on 
 that Roger.  I've done lots of delegation for our Remote sites, and I 
 don't recall anything other than the user being associated with a 
 process through ADUC.  Guess I'll have to bust out the Winternals 
 tools and have a look
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
 Seielstad
 Sent: Monday, July 21, 2003 6:01 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Installation Priviledges only on a DC
 
 Probably won't work.
 
 The deny is on the file system, but it all depends what's really 
 writing to that file system now, doesn't it? For instance, when you 
 make a change via ADUC, I'd expect that you're interacting with a 
 service (LSASS or NetLogon, most likely) on the DC. That service is 
 what's actually writing to the directory, so the deny isn't 
 applicable.
 
 Roger
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Saturday, July 19, 2003 10:31 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installation Priviledges only on a DC
  
  
  Then, given the end goal, (thinking here...might be a flaw) why not 
  deny that same group permissions to the %SystemRoot%\NTDS
 directory?  
  If the issue is AD and then mucking with the AD files themselves on 
  the DC, just deny them.  Unless I'm mistaken (and given
 that I've just
  gotten up... It's
  possible) the deny should override other permissions.
  
  (Now, Joe - what am I missing...?? ;0)  )
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh
  Sent: Friday, July 18, 2003 11:43 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installation Priviledges only on a DC
  
  The only hole is that it still affords them rights to make
 screw ups
  to the actual .dit file...
  
  -m
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John Moran
  Sent: Friday, July 18, 2003 3:00 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installation Priviledges only on a DC
  
  A quick down and dirty way to solve it would be to create an admin 
  account for each person like ADMIN_username, then put them
 in a group,
  put the group in domain admins, and then place an explicit
 deny all at
  the root of the domain for the new group and let it trickle down 
  through inheritance.  Watch who has rights to the group or
 you could
  wind up letting someone lock you out.
  
  This will give them local administrative rights to the dc's without 
  letting them muck up AD.
  
  They still can do damage through RUN AS and some other
 exploits, but
  they would really have to go out of their way and if you
 mistrust them
  that much they should not touch a dc at all.
  
  Let me know if that works
  
  -John
  --- Bond, Simon [EMAIL PROTECTED] wrote:
   Basically my boss wants to give the server team the ability
  to install
   updates and patches, etc on domain controllers but not give them 
   domain admins permissions. Is this possible? My gut feeling is no.
   -Original Message-
   From: Marcus Oh [mailto:[EMAIL PROTECTED]
   Sent: 18 July 2003 02:38
   To: [EMAIL PROTECTED]
   Subject: RE: [ActiveDir] Installation Priviledges only on a DC
   
   
   Eh?  You want to allow someone else to change AD in some
  way?  BAD!  
   BAD!
   :-)  What's

RE: [ActiveDir] Terminal Service Port

2003-07-21 Thread Rick Kingslan
Richard -

TCP 3389 would be the port that you would use.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Sumilang
Sent: Monday, July 21, 2003 12:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Service Port

I'm using terminal services to remotely manage a workstation on my local
network that I use for testing and stuff but I would like to use it remotely
also. Does anyone know what port it uses so I can forward data to it?

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] strange problem, possibly SP4 related?

2003-07-21 Thread Rick Kingslan



Ken,

I can say that in all of the testing and in all of the 
systems that we have moved - I haven't seen this behavior. But, there is a 
first for almost everything.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 21, 2003 2:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange problem, possibly SP4 related?

We applied SP4 to all of our Windows 2000 servers yesterday, and this morning
I noticed something very odd. DNS on all of our domain controllers for our
main domain (a dozen or so servers) decided to convert a standard secondary
zone that they were all hosting into an AD integrated zone!

Other domains' DCs are hosting secondary DNS zones, and they did not change.

I can't say for certain this was due to applying SP4, and I can't say this
didn't happen before yesterday, but it certainly is suspicious. Anyone hear
of anything like this?


RE: [ActiveDir] RRAS VPN Ports

2003-07-21 Thread Rick Kingslan
Richard,

You don't say if this is a PPTP or IPSec VPN (or, it's also possible that
either are acceptable).  Anyway, these are the ports you'll be interested
in:

PPTP
PPTP TCP 1723
GRE Protocol ID 47 

IPSec
IKE UDP 500
AH Protocol ID 51
ESP Protocol ID 50

And, yes - once authenticated to the network through the VPN server, it
should be like 'you're there'.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Sumilang
Sent: Monday, July 21, 2003 12:45 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] RRAS VPN Ports

I set up the VPN server on my Windows 2000 Box and need to be able to
connect to it remotely from wherever I am on the internet. What ports do I
need to open up on my router that need to be forwarded to the server? I
assume when this is working I can then from my home network connect to the
network with the VPN server and access network resources such as printer,
shared files on other computers on the network and etc just as if I was
physically on the network correct?

Thanks
- Richard S.



RE: [ActiveDir] Terminal Services Permissions

2003-07-21 Thread Rick Kingslan
Richard,

If you go to the Terminal Services Configuration applet in Administrative
Tools, then properties, then Permissions, who all is there?  If it should
only be Administrators, remove every one (singly or by group) else and grant
only that group permissions.  If not explicitly granted, then denied in this
case.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Sumilang
Sent: Monday, July 21, 2003 5:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services Permissions

How do I block certain users from being able to connect to my terminal
server running in Remote Administration mode? I just installed it but all
users can log in to the server and manage it which isn't very good :-\



RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Rick Kingslan
Yep - and that's what I concluded after seeing your last message and going
in and taking a look (Imagine - me actually LOOKING!)

Seems to be an odd contradiction, though.  We're going to allow you to
delegate permissions so that you can better manage your environment.  Oh,
but except here, and here, and here, and (ad infinitum), oh !  And then
there's Exchange.  You thought the OS was really screwed?  Hehe - you ain't
seen nuthin' yet!

;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, July 21, 2003 6:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

LOL. You kill me Rick...

I haven't heard of anyone yet who has cracked the internal AD DIT format.
Not sure how feasible it even is. However the flaw in this is that the
inherited perms don't override the explicit ones, so it isn't even worth going
to this level of protection with the DIT because the front door is still
wide open.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, July 19, 2003 10:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC


Then, given the end goal, (thinking here...might be a flaw) why not deny
that same group permissions to the %SystemRoot%\NTDS directory?  If the
issue is AD and then mucking with the AD files themselves on the DC, just
deny them.  Unless I'm mistaken (and given that I've just gotten up... It's
possible) the deny should override other permissions.

(Now, Joe - what am I missing...?? ;0)  )

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Rick Kingslan
And, Joe emoted:

 Well I guess you could but your system would 
 probably become extremely secure and you would 
 never have to worry about anyone including 
 yourself modifying it ever again.  

Cool.  Then once I have it configured and working, it shouldn't ever break.
Change control becomes a thing of the past, and all good things

But, then, so does expandability, but that's such a small negative given the
overall secure nature of the mod.  Reliability and security - what more
could one want?  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, July 21, 2003 6:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

It is true that ADUC runs in the context of the user who spawned the process.
However the way it operates is that it connects to a service and requests a
change; that service is sponsored by LSASS so indeed runs as localsystem.
Obviously you can't remove the rights to the DIT for LSASS... Well I guess
you could but your system would probably become extremely secure and you
would never have to worry about anyone including yourself modifying it ever
again. 

The angle I thought you were going towards was the idea of someone modifying
the DIT in a raw manner versus through the standard API.


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, July 21, 2003 9:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC


Yep - makes sense.  But, I'll have to test this, as I'm not sure on that
Roger.  I've done lots of delegation for our Remote sites, and I don't
recall anything other than the user being associated with a process through
ADUC.  Guess I'll have to bust out the Winternals tools and have a look

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, July 21, 2003 6:01 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

Probably won't work.

The deny is on the file system, but it all depends what's really writing to
that file system now, doesn't it? For instance, when you make a change via
ADUC, I'd expect that you're interacting with a service (LSASS or NetLogon,
most likely) on the DC. That service is what's actually writing to the
directory, so the deny isn't applicable.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Saturday, July 19, 2003 10:31 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Installation Priviledges only on a DC
 
 
 Then, given the end goal, (thinking here...might be a flaw) why not 
 deny that same group permissions to the %SystemRoot%\NTDS directory?
 If the issue is AD and then mucking with the AD files themselves on 
 the DC, just deny them.  Unless I'm mistaken (and given that I've just
 gotten up... It's possible) the deny should override other permissions.
 
 (Now, Joe - what am I missing...?? ;0)  )
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh
 Sent: Friday, July 18, 2003 11:43 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Installation Priviledges only on a DC
 
 The only hole is that it still affords them rights to make screw ups 
 to the actual .dit file...
 
 -m
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John Moran
 Sent: Friday, July 18, 2003 3:00 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Installation Priviledges only on a DC
 
 A quick down and dirty way to solve it would be to create an admin 
 account for each person like ADMIN_username, then put them in a group,
 put the group in domain admins, and then place an explicit deny all at
 the root of the domain for the new group and let it trickle down 
 through inheritance.  Watch who has rights to the group or you could 
 wind up letting someone lock you out.
 
 This will give them local administrative rights to the dc's without 
 letting them muck up AD.
 
 They still can do damage through RUN AS and some other exploits, but 
 they would really have to go out of their way and if you mistrust them
 that much they should not touch a dc at all.
 
 Let me know if that works
 
 -John
 --- Bond, Simon [EMAIL PROTECTED] wrote:
  Basically my boss wants to give the server team
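The two objections raised in this thread, Joe's (an explicit ACE on an object wins over a deny inherited from the domain root, so John Moran's deny-at-the-root scheme leaves any object carrying its own explicit Domain Admins ACE open) and Roger's/Joe's (a deny on %SystemRoot%\NTDS never applies because LSASS performs the write as LocalSystem, not as the user), worked through in a simplified model of Windows DACL evaluation. This is an added example, not code from the list; the group, object and mask names are constructed, it assumes the canonical ACE order (explicit deny, explicit allow, inherited deny, inherited allow), and it leaves out SIDs, object-type ACEs and the depth ordering of inherited ACEs.

```python
"""Simplified Windows DACL evaluation for the two scenarios in the thread.

Added example, not from the original messages. Models only the canonical
ACE order (explicit deny, explicit allow, inherited deny, inherited allow)
and represents a token as a set of principal/group names. SIDs, object-type
ACEs and depth ordering of inherited ACEs are omitted; all names constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed access-mask bits; only their distinctness matters here.
READ, WRITE, DELETE, WRITE_DAC = 0x1, 0x2, 0x4, 0x8
GENERIC_ALL = READ | WRITE | DELETE | WRITE_DAC


@dataclass(frozen=True)
class Ace:
    allow: bool       # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    trustee: str      # principal or group name standing in for a SID
    mask: int
    inherited: bool   # False = explicit on this object, True = inherited


def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Order ACEs as the security editor stores them: explicit before
    inherited, and within each of those denies before allows."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(token: FrozenSet[str], dacl: List[Ace], desired: int) -> bool:
    """Walk the ordered DACL; fail at the first matching deny that covers a
    still-wanted bit, succeed once every desired bit has been allowed."""
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0  # bits nobody allowed mean access is denied


# --- Scenario 1: explicit deny at the domain root, inherited downwards ------
ROOT_DENY = Ace(allow=False, trustee="ServerTeam-Admins", mask=GENERIC_ALL, inherited=True)
ROOT_DA_ALLOW = Ace(allow=True, trustee="Domain Admins", mask=GENERIC_ALL, inherited=True)

# An object whose whole ACL is inherited from the root: the deny holds.
INHERITED_ONLY_OBJECT = [ROOT_DA_ALLOW, ROOT_DENY]
# An object stamped with its own explicit Domain Admins ACE (as the schema
# default security descriptor does for newly created user objects): the
# explicit allow is evaluated before the inherited deny.
EXPLICIT_DA_OBJECT = [
    ROOT_DA_ALLOW,
    ROOT_DENY,
    Ace(allow=True, trustee="Domain Admins", mask=GENERIC_ALL, inherited=False),
]

# The ADMIN_username account from John Moran's scheme: in the deny group and,
# through that group, in Domain Admins.
OPERATOR = frozenset({"ADMIN_sbond", "ServerTeam-Admins", "Domain Admins"})

# --- Scenario 2: deny on %SystemRoot%\NTDS, but LSASS does the writing -----
NTDS_FOLDER = [
    Ace(allow=True, trustee="SYSTEM", mask=GENERIC_ALL, inherited=False),
    Ace(allow=True, trustee="Administrators", mask=GENERIC_ALL, inherited=False),
    Ace(allow=False, trustee="ServerTeam-Admins", mask=WRITE | DELETE, inherited=False),
]
LSASS = frozenset({"SYSTEM"})  # the directory service writes the DIT as LocalSystem


def scenario_results() -> Dict[str, bool]:
    """Evaluate WRITE for each scenario and return the outcomes by name."""
    return {
        "inherited-only object, operator writes": access_check(OPERATOR, INHERITED_ONLY_OBJECT, WRITE),
        "explicit-DA object, operator writes": access_check(OPERATOR, EXPLICIT_DA_OBJECT, WRITE),
        "NTDS folder, operator writes directly": access_check(OPERATOR, NTDS_FOLDER, WRITE),
        "NTDS folder, LSASS writes on operator's behalf": access_check(LSASS, NTDS_FOLDER, WRITE),
    }


if __name__ == "__main__":
    for name, granted in scenario_results().items():
        print(f"{name}: {'GRANTED' if granted else 'denied'}")
```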

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-19 Thread Rick Kingslan
Then, given the end goal, (thinking here...might be a flaw) why not deny
that same group permissions to the %SystemRoot%\NTDS directory?  If the
issue is AD and then mucking with the AD files themselves on the DC, just
deny them.  Unless I'm mistaken (and given that I've just gotten up... It's
possible) the deny should override other permissions.

(Now, Joe - what am I missing...?? ;0)  )

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh
Sent: Friday, July 18, 2003 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

The only hole is that it still affords them rights to make screw ups to the
actual .dit file... 

-m

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Moran
Sent: Friday, July 18, 2003 3:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

A quick down and dirty way to solve it would be to create an admin account
for each person like ADMIN_username, then put them in a group, put the group
in domain admins, and then place an explicit deny all at the root of the
domain for the new group and let it trickle down through inheritance.  Watch
who has rights to the group or you could wind up letting someone lock you
out.

This will give them local administrative rights to the dc's without letting them
muck up AD.

They still can do damage through RUN AS and some other exploits, but they
would really have to go out of their way and if you mistrust them that much
they should not touch a dc at all.

Let me know if that works

-John
--- Bond, Simon [EMAIL PROTECTED] wrote:
 Basically my boss wants to give the server team the ability to install 
 updates and patches, etc on domain controllers but not give them 
 domain admins permissions. Is this possible? My gut feeling is no.
 -Original Message-
 From: Marcus Oh [mailto:[EMAIL PROTECTED]
 Sent: 18 July 2003 02:38
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Installation Priviledges only on a DC
 
 
 Eh?  You want to allow someone else to change AD in some way?  BAD!  
 BAD!
 :-)  What's the proposition???
  
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bond, Simon
 Sent: Thursday, July 17, 2003 10:15 AM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Installation Priviledges only on a DC
  
 Is there a way to create a user who can log onto a DC and install 
 software on it but not be a domain admin? To me logically you would 
 have to be since a piece of software you might be installing may need 
 to alter AD in some way. However, this is what I have been asked to do 
 so I was hoping someone may be able to tell me one way or another.
  
 Cheers
  
 Simon
 
 

RE: [ActiveDir] Last Logon Script

2003-07-18 Thread Rick Kingslan
Yes - the best way is to programmatically collect the name of all of the DCs,
and then loop through them, collecting the specific information for the
users.  Then, parse back through the user information to find the REALLY
last logged on time.

Hope this helps

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann Danny
Sent: Friday, July 18, 2003 2:35 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Last Logon Script

Rick

Do you know of any resolution to the problem of obtaining the
User.LastLogoff date/time in Windows 2000/2003? It only works for NT4
domains.

Cheers

Danny 


Tim,

In Windows 2000, that's a bit of a toughie - as the information is not
stored in a replicated attribute.  What this means (you, I think, know)
is that you have to query each DC to determine this information.  In Windows
Server 2003, this changed - a timestamp attribute is now replicated - but
it's not guaranteed to be accurate any closer than a week, as I understand
it.  But, it's better than the unreliable nature of what is currently in
place.

As an example of what you could do (credit to Rod Trent for this code):

On Error Resume Next
Dim User
Dim UserName
Dim UserDomain
' Prompt for the domain and account, then bind to the user via the WinNT provider
UserDomain = InputBox("Enter the name of the domain:")
UserName = InputBox("Enter the name of the user:")
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
' LastLogin is read from whichever DC answered the bind, not from all DCs
MsgBox "The last time " & UserName & " logged on was: " & vbCrLf & vbCrLf & User.LastLogin

Note that this code does not take into account the fact that you need to
parse through and query all DC that the user could have authenticated
against.  But, the code DOES work - however, if the user you are looking for
has not authenticated against the DC that is queried then the user (for all
you know) has never logged on.  :-/

Good luck!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


RE: [ActiveDir] Last Logon Script

2003-07-17 Thread Rick Kingslan



Tim,

In Windows 2000, that's a bit of a toughie - as the 
information is not stored in a replicated attribute. What this means (you, 
I think, know) is that you have to query each DC to determine this 
information. In Windows Server 2003, this changed - a timestamp attribute 
is now replicated - but it's not guaranteed to be accurate any closer than a 
week, as I understand it. But, it's better than the unreliable nature of 
what is currently in place.

As an example of what you could do (credit to Rod Trent for 
this code):

On Error Resume Next
Dim User
Dim UserName
Dim UserDomain
' Prompt for the domain and account, then bind to the user via the WinNT provider
UserDomain = InputBox("Enter the name of the domain:")
UserName = InputBox("Enter the name of the user:")
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
' LastLogin is read from whichever DC answered the bind, not from all DCs
MsgBox "The last time " & UserName & " logged on was: " & vbCrLf & vbCrLf & User.LastLogin

Note that this code does not take into account the fact 
that you need to parse through and query all DC that the user could have 
authenticated against. But, the code DOES work - however, if the user you 
are looking for has not authenticated against the DC that is queried then the 
user (for all you know) has never logged on. :-/

Good luck!


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Thursday, July 17, 2003 8:07 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Last Logon Script

Does anyone have a script that will query an OU and tell me when the users last 
logged on? Or, for that matter, if they have logged on at all.

Thanks,

-Tim
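The per-DC query-and-compare procedure Rick describes in this message and in his follow-up above (collect every DC, read the user's last logon from each, keep the newest), as an added example that is not code from the list. It assumes the LDAP lastLogon attribute, a non-replicated 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC, 0 meaning that DC never authenticated the user); the per-DC readings are constructed so the comparison runs offline, and the LDAP queries against each DC are left to the caller.

```python
"""Reduce per-DC lastLogon readings to a user's true last logon.

Added example, not from the original thread. Assumes the LDAP lastLogon
attribute: a non-replicated 64-bit FILETIME (100 ns ticks since
1601-01-01 UTC; 0 = that DC never authenticated the user). Reading the
value from each DC is left to the caller; constructed samples stand in.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert FILETIME ticks to an aware UTC datetime; 0 (or less) means 'never'."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed samples."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def latest_logon(per_dc: Dict[str, int]) -> Tuple[Optional[str], Optional[datetime]]:
    """Return (dc, timestamp) of the newest lastLogon across all DCs.

    lastLogon is written only on the DC that authenticated the user, so a 0
    from one DC says nothing about the others; the answer is the maximum over
    every DC, not whatever the first DC to answer happened to hold.
    """
    best_dc, best_ft = None, 0
    for dc, ft in per_dc.items():
        if ft > best_ft:
            best_dc, best_ft = dc, ft
    return best_dc, filetime_to_datetime(best_ft)


def is_stale(per_dc: Dict[str, int], now: datetime, max_idle_days: int = 90) -> bool:
    """True when no DC has seen the user within max_idle_days (or ever).

    This is the question a stale-account review actually asks; answering it
    from a single DC's value would flag accounts that are in daily use.
    """
    _, when = latest_logon(per_dc)
    if when is None:
        return True
    return now - when > timedelta(days=max_idle_days)


# Constructed sample: what three DCs might each report for one account.
SAMPLE = {
    "DC1": datetime_to_filetime(datetime(2003, 7, 1, 8, 15, tzinfo=timezone.utc)),
    "DC2": 0,  # the user never authenticated against this DC
    "DC3": datetime_to_filetime(datetime(2003, 7, 17, 19, 42, tzinfo=timezone.utc)),
}
NOW = datetime(2003, 7, 18, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    dc, when = latest_logon(SAMPLE)
    print(f"newest lastLogon: {when} (recorded on {dc})")
    print("asking DC2 alone would report:", latest_logon({"DC2": SAMPLE["DC2"]}))
    print("stale after 90 idle days?", is_stale(SAMPLE, NOW))
```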


RE: [ActiveDir] Adding machines to OU directly

2003-07-16 Thread Rick Kingslan



Mayet,

What you will likely need to do is to proceed along the 
following lines:

1. Right click on the OU of your choice and go to Security.
2. Select Advanced / Add / Select the group that you want to accomplish the task
3. By default, they should have READ, etc. Scroll down and select Allow Create / Delete Computer Objects
4. In the 'Apply on to:' dialog, select This Object and All Child Objects. Hit 'Apply' to save what we have so far.
5. Click 'Add' again in the Advanced Security dialog UI. Select the group for the task (same group as above).
6. In the 'Apply on to:' select 'Computer Objects' and grant Full Control
7. Click 'OK' until you completely exit

This should do the following: Allow the selected 
group to Create and Delete Computer Objects within the OU in which this 
delegation was done (yep - still delegation - not done through the Delegate 
Control selection, but this *IS* what goes on behind the scenes anyway), 
then we delegated the permission to fully control Computer Objects - allowing 
the ability to create the various attributes that make up a computer object - 
but only computer objects, and nothing else. 

As you go through this exercise, it's interesting to note 
how many permissions are associated with these objects. Notice that there 
is a properties tab, too! This is what allows one to change the name, 
etc., of an object as this is a property of the object.

Take your time as you go through this. If you get a 
grasp of what happens in this delegation, then the rest of your permissions 
tasks will be much easier.

Good luck!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Wednesday, July 16, 2003 11:01 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly


Well seeing this 
discussion has started I would like to throw a curve ball.

In my environment I 
have chosen the route to train the junior lads into pre-creating the computer 
account into the relative OU.

I have delegated the 
following permission over "Computer Objects" to "Add and Remove computer 
objects" 

The problem I am 
experiencing is that if the computer account already exists in the OU the error 
received is "access Denied"

Thanks in 
advance
Yusuf





From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 17:14 PM
To: [EMAIL PROTECTED]

You don't need to give 
them account operator rights. You give them 'specific' delegated rights. There 
could be some complex solutions that involve automating the process of looking 
through the computers container and moving computer account to the appropriate 
container (that is if you know the appropriate container via a name designation 
or something). This can be automated and scheduled but if you are too 
understaffed I doubt you will be able to find the time to develop this kind of 
solution. To have full functionality to address some of the complexities of AD 
management easily you will probably want to evaluate third party administrative 
tools. (<plug>Oh, yeah, my company has one.</plug>)

Kevin 
Sullivan
Aelita 
Software
www.aelita.com





From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 11:07 AM
To: [EMAIL PROTECTED]


I saw that out on 
Technet. That's great as long as there is a person/group to handle that. We are 
understaffed and are looking for the OU admins to take care of this without 
giving them Account Operator rights. 




Chris Flesher
The University of 
Chicago
NSIT/DCS
1-773-834-8477

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On Behalf Of Rakes, Brandon A. NMIMC Contractor
  Sent: Wednesday, July 16, 2003 9:58 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Adding machines to OU directly
  The way we have done 
  it is to delegate administrative rights to the OU and then create the computer 
  account in that OU first and then add the computer. If there is another way to 
  automatically make it go in the desired OU I would love to hear 
  how.
  
  Brandon
  
  -Original Message-
  From: Chris Flesher [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, July 16, 2003 10:33 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Adding machines to OU directly
  
  
  Is there a way to delegate to a 
  user the right to not only add machines to a domain, but place the user into 
  the OU of their choice? I'm looking for an easy way to allow OU administrators 
  to add machines and then instead of having the machine going into the 
  computers container, go directly into the OU. Maybe I'm making this too 
  complicated..
  
  
  Chris Flesher
  The University of 
  Chica

RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-16 Thread Rick Kingslan



Sure. I just posted a message here already about 
delegating computer object stuff, but the user object stuff is pretty much the 
same. Let's say you don't want your users to change their phone number, 
for example. One point on this example - by default, all users have the 
right (or more appropriately - the permission) to modify their OWN information, 
so we'll need to take it away.

1. Go to the Domain or OU level of choice, right click / properties / Security / Advanced UI
2. If not already there, add the SELF principal. Makes life easier - see caveat [1]
3. Select the Properties tab, 'Apply onto:' and choose User Object
4. Check in the DENY column the fields that you do not want the user to be able to Write to - they will still be able to View it.
5. Apply / OK / OK should get it done.

[1] Caveat - make sure that you plan this carefully. SELF is great for this, unless you REALLY want to assign this explicitly to each and every user. Denys, as always, are very nasty and a misplaced one can be very hard to track down. Apply this on to an OU for your users, leaving the Administrative accounts unscathed.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Wednesday, July 16, 2003 2:41 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Locking Down User Information Fields in AD

Just curious how I would go about stopping a user from being able to update their address, website, etc. under their own account in AD...
Basically I want them only to be able to update their own phone # and nothing else, and I would also like to force it to be strictly a numeric only field (which it isn't by default.)
Any ideas??


Thanks,

-Tim



RE: [ActiveDir] AD DNS/DHCP issue/question

2003-07-16 Thread Rick Kingslan



It has to have a kerberos ticket in Secured Updates, 
IIRC.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, July 16, 2003 1:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DNS/DHCP issue/question


What won't get registered in DNS if the zone is set to Secured Updates Only? Anything that does not have an object in the directory?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 15, 2003 3:09 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DNS/DHCP issue/question

That sounds like it's properly configured, although I strongly suggest setting DNS for secured updates only.

Routers 
won't cache DHCP info, either - they just forward it. You might want to look at 
the active leases to see what's happening.
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


-Original Message-
From: Wright, T. MR NSSB [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 15, 2003 12:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DNS/DHCP issue/question
I can't speak for the network... I asked our network guy to change the IP-Helper address to point to the new DHCP server. He did that and I get my lease... Is there something else that I should ask him to look at?
One thing I thought of is that it may be possible that there is a router that is doing caching in there somewhere... again I'm not sure.
The DHCP server is set to 'update DNS only if DHCP client requests' and DNS is not set for secure updates only.
One other thing: the DHCP server is a separate machine from DNS, so any broadcasts that were intended for DNS (none that I am aware of) would fall on deaf ears because the helper address that is configured would send them to the DHCP server.

Thanks,

-Tim




From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 15, 2003 9:35 AM
To: '[EMAIL PROTECTED]'
I assume that all necessary routers are configured to use bootp forwarding from the client networks to the DHCP servers? It sounds like they might not be properly configured.

Also, what are the DNS update settings for the DHCP servers? Are they set to update on behalf of the clients? Is DNS set for Secure Updates only?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


-Original Message-
From: Wright, T. MR NSSB [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 15, 2003 8:46 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD DNS/DHCP issue/question
Gonna try and keep this short and sweet

I have 1200 clients that I am adding to the network. They get their new machine with our ghost image called 'image', they plug it into the network, and when they bring it up they are asked a few questions (name, username etc.); this info is passed into the answer file for sysprep. The machine reboots, sysprep runs, it changes the name to meet our naming convention, adds it to the domain etc., then the user logs in for the first time and the logon scripts take care of the rest.
My issue is when they first plug the machine in, the lease in the DHCP server shows up as 'image' and once the machine is renamed and added to the domain, for some reason it doesn't update itself in DHCP, which in turn doesn't update the DNS PTR record. I'm concerned that having 1200 machines called 'image' on the network is not going to be a good thing. This is all happening in another building on campus (through a few routers/switches).
When I do the same test on the SAME network as the DHCP/DNS servers it works like a charm; the name is updated before the user logon box even appears. It seems as if there is some sort of broadcast traffic that is not getting to where it needs to get, although I was under the belief that once the client knows its DHCP server it will automagically try to go back to the same machine first. I have asked the network guys to take a look, and as usual they say there's nothing wrong with their network ;-)
I am using the default settings for the DHCP scope, and all the clients are WinXP pro SP1. I have a few ideas for a workaround but I would like to see it work as intended. Any ideas?

Thanks,

-Tim
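The thread above turns on three settings (zone update mode, the DHCP server's DNS registration behaviour, and leases that keep the 'image' name after the rename) and on Justin's question of what a secure-updates-only zone will refuse. The script below is an added example, not code from the list: it reads the zone's dynamic update mode, reads the scope's DNS registration settings, then cross-checks every active lease against the zone's A records and labels leases that still carry the image name, have no A record at all, or whose name is registered to a different address. It assumes the DnsServer and DhcpServer RSAT modules and read access to both servers; the server names, zone, scope and image name are placeholders.

```powershell
<#
Added example (not from the thread): cross-check DHCP leases against the DNS
zone to find the stale 'image' names Tim describes. Assumes the DnsServer and
DhcpServer RSAT modules; every name below is a placeholder.
#>
param(
    [string]$DnsServer  = 'dns01.example.com',
    [string]$DhcpServer = 'dhcp01.example.com',
    [string]$ZoneName   = 'example.com',
    [string]$ScopeId    = '10.20.0.0',
    [string]$ImageName  = 'image'
)

Import-Module DnsServer, DhcpServer

# 1. Zone update mode. Roger's recommendation is 'Secure' only: each record is
#    then tied to the Kerberos-authenticated account that registered it, so a
#    client with no account in the directory cannot register, and one principal
#    cannot overwrite a record owned by another.
$zone = Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $ZoneName accepts '$($zone.DynamicUpdate)' updates; Secure only is the recommended setting."
}

# 2. DHCP-side DNS behaviour for the scope. 'OnClientRequest' (Tim's setting)
#    registers only when the client asks; a box that never re-registers after
#    its rename keeps the old name until the lease is cleaned up.
$dnsSetting = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId
"Scope $ScopeId : DynamicUpdates=$($dnsSetting.DynamicUpdates) DeleteDnsRROnLeaseExpiry=$($dnsSetting.DeleteDnsRROnLeaseExpiry)"

# 3. Index the zone's A records by host name (last record wins for duplicates).
$aRecords = @{}
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    ForEach-Object { $aRecords[$_.HostName.ToLower()] = $_.RecordData.IPv4Address.IPAddressToString }

# 4. Walk the active leases and classify each one.
Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    Where-Object { $_.AddressState -like 'Active*' } |
    ForEach-Object {
        $ip   = $_.IPAddress.IPAddressToString
        $name = if ($_.HostName) { ($_.HostName -split '\.')[0].ToLower() } else { '' }

        $status = 'OK'
        if ($name -eq $ImageName.ToLower())        { $status = 'IMAGE-NAME' }        # still carries the ghost image name
        elseif (-not $name)                        { $status = 'NO-HOSTNAME' }       # client sent no name at all
        elseif (-not $aRecords.ContainsKey($name)) { $status = 'NO-A-RECORD' }       # nothing registered under this name
        elseif ($aRecords[$name] -ne $ip)          { $status = 'A-RECORD-MISMATCH' } # name registered to another address

        [pscustomobject]@{ IP = $ip; HostName = $name; ClientId = $_.ClientId; Status = $status }
    } |
    Sort-Object Status, IP |
    Format-Table -AutoSize
```

Run it from a workstation that has RSAT and read rights on both servers. The ClientId column (the MAC address) is what lets you tie an 'IMAGE-NAME' lease back to the physical machine that was renamed, which is the piece the DHCP console does not show next to the DNS data.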


RE: [ActiveDir] what to do with DMZ servers

2003-07-16 Thread Rick Kingslan



John,

The DC is placed on our Private DMZ behind a Cisco CSS and 
an appliance-based firewall. This provides a high level of confidence in 
the safety of the DC as the controls through the CSS and the firewall give me 
all of the protection that I really need. What this allows is an 
acceptable one trust zone access to the DC from the Public DMZ and direct 
access (via controls through P-VLANs and spanned ports) in the private 
DMZ. Finally, the ability to do an outward push of synched AD data from our 
internal DCs using MMS (MIIS, whatever this week) allows us to determine what 
data is replicated (at this point, specific OUs for authentication only) and to 
synch OUT to the Extranet DC only - nothing is ever synched back in. Also, 
it has the added advantage that if it dies or is compromised, the path back in 
is not available and the data can be easily changed and is not principals of 
interest or confidence anyway. Anyone that would have that level of access 
is either VPN or PKI cert'ed through other methods.

We decided that this was the best and most viable solution 
due to the difficulty in managing the traffic through the firewall in putting it 
on the internal network. Also, we have hard and fast rules about 
conversations or communications across only one trust zone without being 
proxied. The proxy of this data was not a, shall we say, pleasurable or 
small task to try and undertake. Hence the thought that we should put 
a DC with push-replicated data for authentication came about. Effectively, we 
have 3 trust zones - External, or public; Private DMZ; and Internal 
network. I can talk from an external (perimeter) device to a private DMZ 
device, but never from a perimeter to internal network 
device.

Hope this helps, and feel 
free to re-direct.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John McGlinchey
Sent: Wednesday, July 16, 2003 9:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] what to do with DMZ servers

Rick, I like the separate forest. In your 
design, where did you place the DC's for the DMZ Forest/Domain? In the DMZ 
also, or inside your private network? Whichever you did, do you mind 
giving me some idea of your thoughts as to why you would do one over the other? 


Thanks.

John McGlinchey
Bristol-Myers Squibb Company

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Monday, July 14, 2003 1:17 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] what to do with DMZ servers
  
  No - we have a completely separate forest for the 
  Extranet. Pardon for any confusion.
  
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
  Sent: Monday, July 14, 2003 7:45 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] what to do with DMZ servers
  
  
  Sorry for the confusion, but just for clarification... you are saying that you use a single forest (empty root) for all your domains including your DMZ/Internet?
  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Friday, July 11, 2003 6:33 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] what to do with DMZ servers
  
  Brian,
  
  We 
  implemented an empty root design (we now have 6 other domains) but we planned 
  this from the start knowing that our company will do acquisition and 
  divestiture - leaving us in a position to easily move domains off of the 
  structure. Our forest is very stable, very healthy, and it works well 
  for us. Two additional domain controllers for the Root Domain - which 
  left us with a solid base for the other child domains - was the total 
  cost. Reasonable from a management perspective, knowing that we will add 
  and remove domains.
  
  And, I 
  do have a forest in our extranet. Plus, we are looking into MIIS (or, 
  MMS 3.0 for us who have been working with the product for more than a 
  month) to assist with SSO and to manage accounts in a push manner to our 
  extranet forest. In addition, ADAM is beginning to play a part as some 
  of the Applications that we use can use an LDAP service for Authentication / 
  Authorization.
  
  Bottom line - it's all a matter of choice. You can make all kinds of decisions, but the best thing to do is not make one. I've seen more projects die because of analysis paralysis than any other single cause. Many times implementing a not perfectly 'optimal' implementation (but very workable and viable) is better than waiting until you have the best solution, only to find that the window was missed or confidence is in question.

  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active

RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-16 Thread Rick Kingslan



Maybe someone can indicate how to restrict the field to 
numeric only (it's not already??? Huh - never tried, I guess.), I 
suspect it's a schema mod - but I thought that I answered the rest of the 
question, did I not?


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Wednesday, July 16, 2003 9:27 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Locking Down User Information Fields in AD

Just curious how I would go about stopping a user from being able to update their address, website, etc. under their own account in AD...
Basically I want them only to be able to update their own phone # and nothing else, and I would also like to force it to be strictly a numeric only field (which it isn't by default.)
Any ideas??


Thanks,

-Tim



RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-16 Thread Rick Kingslan



Huh. Tried it before I posted the information. 
Worked here - I best go check the DC. It might have gone up in a mushroom 
cloud as I've violated Microsoft force of will. :-p

Well, then, folks - don't do this. Pester MS to let 
you control your own data. Hopefully in the next 3 - 4 years, we can get 
some traction on that one.. Yeah, right. :-/


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Wednesday, July 16, 2003 11:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

Sorry Rick, this won't really work this easily.

The problem is that MS in their infinite wisdom (sorry, this is one of those sore spots with me) made lots of permissions part of the default SD for a given object. With user objects SELF gets rights on several property sets - Personal Information, Phone and Mail Options, Web Information.

Because these default SDs get applied directly to the object, combined with the fact that inherited ACEs do not overpower explicit ACEs (unless you have 3 kings and a deuce), you can't trump the explicit grant of access to, say, address (which is in the Personal Information property set) with an inherited deny.

The only way to correct this is to (and not necessarily in this order)

a. apply a deny ACE for every property you want denied on every user object you want it denied on
b. remove the SELF grant Personal Information ACE and then add a new ACE for any attributes in pers-inf you want the user to modify. Note that you really need to understand what is in the property set before you remove it so you know what you are breaking... like user certs for instance...

I don't really recommend A and if you do B you will want to do the corresponding Schema update to modify the default SD for the object so you don't have to keep doing it for all the new users.

exchange vent
This is one of the many reasons why Exchange 2K Granular delegation is such a royal pain in the arse. Take a look at the public information property set and what you need to do basic Exchange mailbox support work such as deleting (disconnecting), reconnecting, and moving. If you have a setup where you want E2K admins to not dork with non-exchange attributes you have to add a bazillion ACEs (*slight* inflation of truth) to the containers where user objects reside. Then in the meanwhile any bright exchange admin realizes they can give themselves more access by simply using an Exchange server to add themselves to an Exchange Server group and bypass your delegation, because if you modify the delegation to the "main" Exchange Server/Services groups, you are no longer supported by MS.

/exchange vent

dream weaver sequence
I would love to have seen less default perms given in the default SDs. Also I would like to see a separate workstation and server computer object so you can have different default SDs and inherited perms for them. Heck, while I'm at it... I want operatingSystemHotfix to be updated on computer objects automatically (and make it multivalued) or at least someone to publish the format it will be using when it is published so I can write something to do it in the meanwhile... As joe patches for MS03-26.
/dream weaver sequence


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, July 16, 2003 7:58 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Locking Down User Information Fields in AD
  Sure. I just posted a message here already about 
  delegating computer object stuff, but the user object stuff is pretty much the 
  same. Let's say you don't want your users to change their phone number, 
  for example. One point on this example - by default, all users have the 
  right (or more appropriately - the permission) to modify their OWN 
  information, so we'll need to take it away.
  
  1. Go to the Domain or OU level of choice, right click / properties / Security / Advanced UI
  2. If not already there, add the SELF principal. Makes life easier - see caveat [1]
  3. Select the Properties tab, 'Apply onto:' and choose User Object
  4. Check in the DENY column the fields that you do not want the user to be able to Write to - they will still be able to View it.
  5. Apply / OK / OK should get it done.

  [1] Caveat - make sure that you plan this carefully. SELF is great for this, unless you REALLY want to assign this explicitly to each and every user. Denys, as always, are very nasty and a misplaced one can be very hard to track down. Apply this on to an OU for your users, leaving the Administrative accounts unscathed.
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
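Rick's five-step recipe (set a Deny for SELF at the OU) and Joe's objection (the default security descriptor puts explicit Allow ACEs for SELF on the Personal Information, Phone and Mail Options and Web Information property sets directly on each user object, and explicit ACEs sit ahead of inherited ones in the DACL, so the inherited Deny never wins) both describe the same DACL. The script below is an added example and not code from the thread: it audits the user objects under an OU for exactly those explicit SELF property-set grants, resolving the property-set GUIDs from the Extended-Rights container rather than hard-coding them, and with -Remediate carries out Joe's option B for each object (remove the property-set grants, re-grant WriteProperty on one named attribute). It assumes the ActiveDirectory PowerShell module and rights to read and modify those DACLs; the OU DN is a placeholder.

```powershell
<#
Added example (not from the thread): audit, and optionally replace, the explicit
SELF grants on user property sets that Joe describes. Assumes the ActiveDirectory
module; the OU DN is a placeholder. Read-only unless -Remediate is given.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase    = 'OU=Staff,DC=example,DC=com',   # placeholder OU
    [string]$KeepAttribute = 'telephoneNumber',              # the one field Tim wants writable
    [switch]$Remediate
)

Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$self    = [System.Security.Principal.SecurityIdentifier]::new(
               [System.Security.Principal.WellKnownSidType]::SelfSid, $null)

# Resolve the property sets Joe names to their rightsGuid from the
# Extended-Rights container instead of hard-coding GUIDs.
$propertySets = @{}
foreach ($name in 'Personal Information', 'Phone and Mail Options', 'Web Information') {
    $cr = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$name))" -Properties rightsGuid
    if ($cr) { $propertySets[[guid]$cr.rightsGuid] = $name }
}

# schemaIDGUID of the single attribute that should stay writable by SELF.
$attr     = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=$KeepAttribute)" -Properties schemaIDGUID
$keepGuid = [guid]$attr.schemaIDGUID

function Get-ExplicitSelfPropertySetAllow {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # Explicit (non-inherited) Allow ACEs for SELF granting WriteProperty on one
    # of the property sets. In canonical DACL order these sit ahead of every
    # inherited ACE, so an inherited Deny set at the OU never gets a vote.
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $self -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
            $propertySets.ContainsKey($_.ObjectType)
        }
}

foreach ($user in Get-ADUser -SearchBase $SearchBase -Filter *) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $hits = @(Get-ExplicitSelfPropertySetAllow -Acl $acl)

    foreach ($ace in $hits) {
        [pscustomobject]@{
            User        = $user.SamAccountName
            PropertySet = $propertySets[$ace.ObjectType]
            Rights      = $ace.ActiveDirectoryRights
        }
    }

    if ($Remediate -and $hits.Count -gt 0) {
        # Joe's option B: drop the property-set grants, re-grant one attribute.
        # Dropping Personal Information also removes SELF's write on userCertificate,
        # which Joe calls out; confirm that is acceptable before running this.
        foreach ($ace in $hits) { $acl.RemoveAccessRuleSpecific($ace) }
        $keep = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $self,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $keepGuid)
        $acl.AddAccessRule($keep)
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Replace SELF property-set grants')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}
```

Without -Remediate the script only reports, which is the check to run before deciding between Rick's and Joe's approaches: if it lists an explicit Personal Information grant on every user, the OU-level Deny on its own will not do what Rick's steps suggest. The schema change Joe mentions (editing the user class defaultSecurityDescriptor so new accounts are not created with the grant) is deliberately left out of this script; it is a one-time, forest-wide change that deserves its own review.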
  
  
  

RE: [ActiveDir] Service pack 4 and DCs

2003-07-15 Thread Rick Kingslan



In our test environment and my lab here at home, I have a 
mixture of DCs and a mixture of SP levels. No problems noted with SPs 
fighting each other - at least from SP 2 up.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Tuesday, July 15, 2003 7:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Service pack 4 and DCs

I had an admin install sp4 on one of my DCs without coordinating it with me (and the other admins) while the other DCs are still running sp2. I was in the middle of testing sp4 and planning to upgrade all dcs to sp3 when I was told - that dc is already at sp4. What type of issues should I expect from having one dc running at a higher sp than the others, and has anyone run into any problems with sp4?
Cheers, Jenn 
"Cynicism is an unpleasant way of saying the 
truth" 


RE: [ActiveDir] what to do with DMZ servers

2003-07-14 Thread Rick Kingslan



No - we have a completely separate forest for the 
Extranet. Pardon for any confusion.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
Sent: Monday, July 14, 2003 7:45 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers


Sorry for the confusion, but just for clarification... you are saying that you use a single forest (empty root) for all your domains including your DMZ/Internet?

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2003 6:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] what to do with DMZ servers

Brian,

We 
implemented an empty root design (we now have 6 other domains) but we planned 
this from the start knowing that our company will do acquisition and divestiture 
- leaving us in a position to easily move domains off of the structure. 
Our forest is very stable, very healthy, and it works well for us. Two 
additional domain controllers for the Root Domain - which left us with a solid 
base for the other child domains - was the total cost. Reasonable from a 
management perspective, knowing that we will add and remove 
domains.

And, I do 
have a forest in our extranet. Plus, we are looking into MIIS (or, MMS 3.0 
for us who have been working with the product for more than a month) to 
assist with SSO and to manage accounts in a push manner to our extranet 
forest. In addition, ADAM is beginning to play a part as some of the 
Applications that we use can use an LDAP service for Authentication / 
Authorization.

Bottom line - it's all a matter of choice. You can make all kinds of decisions, but the best thing to do is not make one. I've seen more projects die because of analysis paralysis than any other single cause. Many times implementing a not perfectly 'optimal' implementation (but very workable and viable) is better than waiting until you have the best solution, only to find that the window was missed or confidence is in question.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
Sent: Friday, July 11, 2003 3:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers
I got used to being shocked and surprised at what happens here long ago :)

All I can 
do is try to make it better any way I can. Sadly without some serious 
firepower with an MS stamp of approval on it...it's an uphill 
battle.

I can find 
a bazillion docs however that suggest people migrate their NT domains using the 
Empty root strategy...makes one wonder at times.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2003 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] what to do with DMZ servers

Brian,

A few hours of sleep to think further about this - you ask for case studies. I would have to believe, and am certain of at least one - that SANS Institute is going to be able to provide this for you off of their site. We have a subscription and I can't say at the moment if this is pay or free (suspect pay - it usually is when you really need it...) but I just can't imagine what would possess someone to believe that what they are proposing is even remotely acceptable in any environment in today's computing world.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
Sent: Thursday, July 10, 2003 11:55 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers
Have the 
exact same situation here.

We 
currently have a separate NT domain (for a security boundary) for our INET 
machines. These machines exist on a DMZ...and run public internet sites 
that connect to a SQL backend inside our network. An ISA server provides 
the firewall and proxy services.

I'm currently having a fight with the operations staff on design. They want to do the Empty Root/two subdomain model (because they read a lot of useless MOC Courseware books).

I can 
personally see very little benefit to consolidating these two separate domains 
into one forest. They see no logic in having a separate forest/separate 
domain for the Internet systems.

Nothing short of a case study will sway them I believe... any decent documents comparing the two? Or frankly... any documents that recommend a separate forest for your internet systems as a security boundary?

-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] what to do with DMZ servers

RE: [ActiveDir] Quick AD integrated DNS question :)

2003-07-14 Thread Rick Kingslan



We backed up on the DNS issue. When first deployed, it was DNS with DC - always. We have since done exhaustive studies that show that the traffic on the ATM was not worth the added headaches in a 30+ remote site (Branch office - with some office locations exceeding 1000 seats) of DNS everywhere, at least in our experience.

In fact, our DNS has evolved to the point that our 
corporate DNS is BIND 9.x and our AD is on Win2k (soon to be Win2k3). We 
have less problems now with DNS (and AD as a whole) than we EVER did when it was 
spread out over three continents.

My .02.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, July 14, 2003 10:28 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Quick AD integrated DNS question :)

I see 
no reason to separate DNS from AD, except in extreme circumstances. AD and DNS 
are both core infrastructure, so there's no reason not to colocate them. It 
works well for both our 500 user company and the 4500 user company prior to 
that.

My 
DC/DNS servers here are running on 800MHz boxes with half a gig of RAM, and we 
do quite heavy DNS traffic (lots of Unix systems in house) and never have load 
issues on the DC's. 

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: Rogers, Brian [mailto:[EMAIL PROTECTED]
  Sent: Monday, July 14, 2003 11:16 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Quick AD integrated DNS question :)
  
  Isn't the information replicated anyway via AD? I guess if they were all in the same site more than two would certainly be overkill.
  
  -Original Message-
  From: Craig Cerino [mailto:[EMAIL PROTECTED]
  Sent: Monday, July 14, 2003 11:09 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Quick AD integrated DNS question :)
  
  Wow - really - - I only have one of my DCs as a DNS server - - all other DNS boxes are not DCs - - too much going on
  
  -Original Message-
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Monday, July 14, 2003 10:58 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Quick AD integrated DNS question :)
  
  
  I 
  always configure every DC as a DNS server. I consider that if a location 
  requires a DC, it also requires local DNS.
  
  
  
  
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
-Original Message-
From: Rogers, Brian [mailto:[EMAIL PROTECTED]
Sent: Monday, July 14, 2003 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Quick AD integrated DNS question :)

  1. 
  When configuring an AD Integrated DNS zone, at least 
  one DC in each site should be running DNS? Or all DCs should be 
  running DNS? Would it matter either way? 
  
  


RE: [ActiveDir] Quick AD integrated DNS question :)

2003-07-14 Thread Rick Kingslan



This would be correct. But, remember that in the 
replication strategy for Win2k - data goes to every DC regardless if it's a DNS 
server or not - because once it's DNS-integrated, it's now a part of the AD 
data. This trend is broken in Win2k3, where application partitions can 
handle DNS - and do. The DomainDNS and ForestDNS are just that, for all 
intents and purposes. They are AD Application parts handling DNS for just 
DNS servers - and no DNS data need be on the DCs, unless it too, is a DNS server 
once the full DNS app partition is configured.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
Sent: Monday, July 14, 2003 10:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Quick AD integrated DNS question :)


I was looking more along the lines of replication traffic. However, since the zone is replicated within AD there shouldn't be any additional (or if so very minimal) replication traffic between the DNS servers other than the normal AD replication traffic, correct?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 14, 2003 10:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Quick AD integrated DNS question :)


I always 
configure every DC as a DNS server. I consider that if a location requires a DC, 
it also requires local DNS.




--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  -Original Message-
  From: Rogers, Brian [mailto:[EMAIL PROTECTED]
  Sent: Monday, July 14, 2003 10:39 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Quick AD integrated DNS question :)
  
1. 
When 
configuring an AD Integrated DNS zone, at least one DC in each site should 
be running DNS? Or all DCs should be running DNS? Would it 
matter either way? 




RE: [ActiveDir] Quick AD integrated DNS question :)

2003-07-14 Thread Rick Kingslan
Deji,
 
I might suggest that the attempt at levity include liberal smiley faces in
the future.  Gil got the jump before I did, because, given your posts in the
past - this one seemed quite out of character.  I really wasn't sure if you
were having a bad day or if Brian had just really 'hit the wrong nerve'.
 
And, he was asking ME to Woa, so if anyone should be offended, it should
be me (and, I wasn't).
 
Personally, I think that this is about enough of this thread.  Not
constructive.  Let's move on.  'Nuff said.
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 14, 2003 6:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quick AD integrated DNS question :)


I guess it's my time to say Woah
 
Gil, my response was not in any way directed at you. It was directed at
Brian and, if anything, it was an attempt at levity, not snottiness. So,
where did the slam come from?
 
I'd think that if anything is snotty, it would be Brian's incredulous
Woah, not mine. Don't you think?
 
As for Site coverage in Win2K being equal to GC-Less config in Win2K3, I
firmly believe they are apple and orange. They are both fruits, but not the
same.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

  _  

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Mon 7/14/2003 2:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Quick AD integrated DNS question :)


I may have missed something, but the snotty tone seems inappropriate...
 
In any case, to reduce the apparent confusion:
 
GC-less sites have always been possible with AD since W2K. The facility is
called site coverage.
 
GC-less logon is new in WS2K3 and occurs because DCs can cache group
memberships. This allows the DC to assemble a complete token even if a GC
isn't available. This functionality has nothing to do with application
partitions.
 
Application partitions are a mechanism where you can host replicas of
specific subtrees in the domain on any set of DCs in the forest. The
subtrees may not contain security principals such as users, groups, and
computers. When you create a zone in WS2K3, you can elect to configure it as
an application partition and replicate the data to specific DCs in the
forest.
 
-gil
 
  -Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 14, 2003 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quick AD integrated DNS question :)



Yes, you did indeed miss it. So, go find it. Yourself, this time with no
help.
 
Hint: 
Application partition is the new partition in E2K3 which, in addition to The
Domain, Configuration and Schema Partitions now make up the AD database in
E2K3.
 
It is this change that makes it possible now to deploy GC-less Remote Sites.
The Application Partition is SHARED(replicated) to ALL DCs in the Domain,
including designated DCs in the Forest.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

  _  

From: [EMAIL PROTECTED] on behalf of Rogers, Brian
Sent: Mon 7/14/2003 11:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Quick AD integrated DNS question :)



Woah, I musta missed that document.  AD integrated DNS can now be
separated from regular replication?

 

Gotta link? Book? Paper? Smokesignal? Morse?  :-)

 

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 14, 2003 1:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quick AD integrated DNS question :)

 

This would be correct.  But, remember that in the replication strategy for
Win2k - data goes to every DC regardless if it's a DNS server or not -
because once it's DNS-integrated, it's now a part of the AD data.  This
trend is broken in Win2k3, where application partitions can handle DNS - and
do.  The DomainDNS and ForestDNS are just that, for all intents and
purposes.  They are AD Application parts handling DNS for just DNS servers -
and no DNS data need be on the DCs, unless it too, is a DNS server once the
full DNS app partition is configured.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
Sent: Monday, July 14, 2003 10:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Quick AD integrated DNS question :)

I was looking more along the lines of replication traffic.  However since
the zone is replicated within AD... there shouldn't be any additional (or if
so very minimal) replication traffic between the DNS
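
As an added worked example (not code from the thread or from any of its
participants), the PowerShell below inventories the three things gil's reply
separates: application partitions and the DCs that hold a replica of each, the
replication scope of every AD-integrated DNS zone (application partition versus
the Win2k-style domain partition that Rick describes), Universal Group
Membership Caching per site (the WS2K3 feature behind GC-less logon), and the
GC the locator returns for a site that has none (site coverage).  It relies on
the ActiveDirectory and DnsServer modules, which did not exist in 2003, assumes
the DC you bind to also runs DNS, and uses RemoteSite as a placeholder site
name.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory and DnsServer
# modules (Windows Server 2012+ / RSAT). Run from an admin host joined to the forest.
Import-Module ActiveDirectory
Import-Module DnsServer

$rootDse = Get-ADRootDSE
$cfgNc   = $rootDse.configurationNamingContext

# 1. Application partitions. Every naming context has a crossRef under CN=Partitions;
#    only application partitions carry msDS-NC-Replica-Locations, the list of
#    NTDS Settings DNs (one per DC) that hold a replica of that subtree.
Write-Host '== Application partitions and their replica sets =='
$crossRefParams = @{
    SearchBase = "CN=Partitions,$cfgNc"
    LDAPFilter = '(objectClass=crossRef)'
    Properties = 'nCName', 'msDS-NC-Replica-Locations'
}
$crossRefs = Get-ADObject @crossRefParams
foreach ($cr in ($crossRefs | Where-Object { $_.'msDS-NC-Replica-Locations' })) {
    Write-Host $cr.nCName
    foreach ($replica in $cr.'msDS-NC-Replica-Locations') {
        Write-Host "    replica: $replica"
    }
}

# 2. AD-integrated DNS zones. ReplicationScope 'Forest' or 'Domain' means the zone lives
#    in ForestDnsZones / DomainDnsZones (only DCs that run DNS hold it); 'Legacy' means
#    the Win2k-style domain partition, which every DC replicates whether it runs DNS or not.
#    Assumption: the DC returned by rootDSE also runs the DNS Server service.
Write-Host "`n== AD-integrated DNS zones =="
Get-DnsServerZone -ComputerName $rootDse.dnsHostName |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName |
    Format-Table -AutoSize

# 3. GC-less logon: Universal Group Membership Caching is switched on per site.
Write-Host '== Sites and their Universal Group Membership Caching setting =='
Get-ADReplicationSite -Filter * -Properties UniversalGroupMembershipCachingEnabled |
    Select-Object Name, UniversalGroupMembershipCachingEnabled |
    Format-Table -AutoSize

# 4. GC-less site (site coverage): ask the DC locator which GC advertises for a site
#    that has no GC of its own. 'RemoteSite' is a placeholder site name.
$domain = (Get-ADDomain).DNSRoot
nltest "/dsgetdc:$domain" /site:RemoteSite /gc
```

Reading the output against gil's three points: a zone that shows ReplicationScope
Legacy is the case Rick describes (every DC carries it); a site with caching
enabled can build a complete token without a GC; and the nltest call tells you
which GC is covering a site that has none, which is the facility that existed
from W2K onward.
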

RE: [ActiveDir] Printer Script

2003-07-14 Thread Rick Kingslan
Bingo!  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bryan Schlegel
Sent: Monday, July 14, 2003 8:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Printer Script

Save it as .vbs


-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Monday, July 14, 2003 9:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Printer Script


I tried that and it didn't work. I took it out of the bat file and tried it
manually and I got this error...

-
C:\Documents and Settings>Set WshNetwork = CreateObject("WScript.Network")

C:\Documents and Settings>WshNetwork.AddWindowsPrinterConnection "\\AnotherComputer-27\HPLaserJ"
'WshNetwork.AddWindowsPrinterConnection' is not recognized as an internal or
external command, operable program or batch file.

C:\Documents and Settings>_
-

This is how my bat file looks:

-
net use Q: \\Server\Shared

Set WshNetwork = CreateObject("WScript.Network")
WshNetwork.AddWindowsPrinterConnection "\\AnotherComputer-27\HPLaserJ"
WshNetwork.SetDefaultPrinter "\\AnotherComputer-27\HPLaserJ"
Set WshNetwork = Nothing
-


I am running Windows 2000 Server and all clients are Windows 2000 Pro.

Thanks
- Richard S.




On Monday, July 14, 2003, at 04:38  PM, [EMAIL PROTECTED] wrote:

 This should work:

 Set WshNetwork = CreateObject("WScript.Network")
 WshNetwork.AddWindowsPrinterConnection "\\YourPrintServer\PrinterName"
 WshNetwork.SetDefaultPrinter "\\YourPrintServer\PrinterName"
 Set WshNetwork = Nothing

 If you put that in a login script.


 Sincerely,

 Dèjì Akómöláfé, MCSE MCSA MCP+I
 www.akomolafe.com
 www.iyaburo.com
 Do you now realize that Today is the Tomorrow you were worried about
 Yesterday?  -anon

 

 From: [EMAIL PROTECTED] on behalf of Richard Sumilang
 Sent: Mon 7/14/2003 3:42 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Printer Script



 Has anyone written a script to connect a user to a shared printer on the 
 network when they log in? Is this possible?

 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/


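
The thread's diagnosis is that cmd.exe was being asked to run VBScript
statements; the fix is to save the WScript.Network lines as a .vbs and run that
from the logon script.  As an added example (not code posted by anyone in the
thread), here is the same logon-script logic written for PowerShell, calling the
same WScript.Network COM object, with the error handling a production logon
script wants.  The drive letter, share and printer names are the placeholders
from the thread.  The Windows 2000 clients Richard describes have no PowerShell,
so for them the .vbs that Bryan and Dèjì describe remains the answer; this is
the equivalent for current clients.

```powershell
# Added example, not code from the thread. PowerShell version of the logon-script steps
# in Richard's batch file: cmd.exe cannot execute VBScript statements, so here the
# WScript.Network COM object is driven from PowerShell instead. Names are placeholders.
param(
    [string]$DriveLetter = 'Q:',
    [string]$SharePath   = '\\Server\Shared',
    [string]$PrinterPath = '\\AnotherComputer-27\HPLaserJ'
)

$net = New-Object -ComObject WScript.Network

# Map the drive only if the letter is free, so a second logon does not fail on it.
if (-not (Test-Path -Path "$DriveLetter\")) {
    try {
        $net.MapNetworkDrive($DriveLetter, $SharePath)
    } catch {
        Write-Warning "Could not map $DriveLetter to ${SharePath}: $($_.Exception.Message)"
    }
}

# Connect the printer, then make it the default. SetDefaultPrinter throws if the
# connection does not exist, so both calls sit in one try block.
try {
    $net.AddWindowsPrinterConnection($PrinterPath)
    $net.SetDefaultPrinter($PrinterPath)
} catch {
    Write-Warning "Printer setup for $PrinterPath failed: $($_.Exception.Message)"
}

[void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($net)
```

Save it as a .ps1 and call it from the logon script (or assign it directly as a
PowerShell logon script in Group Policy); the warnings go to the script host's
error stream rather than breaking the rest of the logon.
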


RE: [ActiveDir] admt 2.0 - nt4 computer migration

2003-07-11 Thread Rick Kingslan
Graham -

I have no documentation of an 'allowedrunlist' policy or setting in NT 4.0
(not saying that it doesn't exist - just in the limited time I have this AM
I can't find anything).  But, given that it does exist, yes - that's what
I'm saying.  If the policy does truly enforce WHO can run WHAT - then this
could be an issue.

With that being said - this agent (ADMT), in my experience, runs at the
LocalSystem context, and therefore should not be subject to the rules of a
ruleset applied by system policy, AFAIK.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, July 11, 2003 5:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

Rick, thanks for post reply.

is your inference then that it is conceivable that a restrictive
allowedrunlist tattooed into the registry is able to prevent whatever
application it is to run on the NT4 workstation. ???

GT


- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 1:13 AM
Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration


 Graham,

 System Policy on NT 4.0 is truly tattooed to the system.  If you turn it off
 and back on, it's still there - unless manually removed or the policy is
 backed out via the de-application of said policy.

 And, sadly - I can't tell you right now what needs to run (yes the 
 Agent, damn it - but what IS the Agent?)

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
 Sent: Wednesday, July 09, 2003 4:25 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

 but then thinking about it no - when i failed on the first nt4 host thought
 it was down to that computer so tried another one straight away - same
 access denied result

 have spoken with the developers of the nt4 build - there is a system policy
 with an allowedrunlist policy - that was that even while logged off
 this registry value is tattooed into the computer registry

 if this is possible which i must confess to not being sure on then 
 need to work out what actually needs to be allowed to run for the admt 
 dispatch agent to execute

 clutching at straws a bit !!!

 GT


 - Original Message -
 From: Wilkinson, Stephen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, July 09, 2003 2:01 PM
 Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration


  I think Larry's first response could be it Graham.
 
  We saw exactly this in our testing with the Quest Migrator product.
  You must make sure there is no computer account with the same name 
  already in the AD -  hiding in an OU you least expect it! (ours got 
  there during testing by manually moving test boxes in and out of the 
  ad domain and forgetting to remove the computer accounts.
 
 
  Stephen Wilkinson
 
  Tel +44(0)207 4759276
  Mobile  +44(0)7973 143970
  E-Mail: [EMAIL PROTECTED]
 
 
  -Original Message-
  From: Duncan, Larry [mailto:[EMAIL PROTECTED]
  Sent: 08 July 2003 21:45
  To: '[EMAIL PROTECTED]'
 
  Has the Everyone group been added to the Pre-Windows 2000 
  Compatible Access group in the new domain?
 
 
  -Original Message-
  From: Graham Turner [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, July 08, 2003 3:24 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] admt 2.0 - nt4 computer migration
 
  Am attempting the migration of computer from NT4 source domain to 
  Windows 2000 target domain.
 
  the migration environment is working fine with windows 2000 
  professional clients
 
  have got issues with the migration of an NT4 workstation
 
  the extract from dispatch.log on the admt server is attached from which i am
  hoping to get a few clues as to the access denied
 
  have checked the obvious issues such as sourcedom\domain admins being a
  member of the local administrators group and the computer migration being
  run while logged on as a member of that sourcedom\domain admins group
 
  Thanks
 
  GT
 
 
 
  
  -- If you have received this e-mail in error or wish to read our e-mail
  disclaimer statement and monitoring policy, please refer to
  http://www.drkw.com/disc/email/ or contact the sender. --
 

RE: [ActiveDir] what to do with DMZ servers

2003-07-11 Thread Rick Kingslan



Brian,

A few hours of sleep to think further about this - you ask for case studies.
I would have to believe, and am certain of at least one - that SANS Institute
is going to be able to provide this for you off of their site.  We have a
subscription and I can't say at the moment if this is pay or free (suspect pay
- it usually is when you really need it...) but I just can't imagine what would
possess someone to believe that what they are proposing is even remotely
acceptable in any environment in today's computing world.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
Sent: Thursday, July 10, 2003 11:55 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers


Have the exact same situation here.

We currently have a separate NT domain (for a security boundary) for our INET
machines.  These machines exist on a DMZ...and run public internet sites that
connect to a SQL backend inside our network.  An ISA server provides the
firewall and proxy services.

I'm currently having a fight with the operations staff on design.  They want
to do the Empty Root/two subdomain model (because they read a lot of useless
MOC Courseware books).

I can personally see very little benefit to consolidating these two separate
domains into one forest.  They see no logic in having a separate
forest/separate domain for the Internet systems.

Nothing short of a case study will sway them I believe...any decent documents
comparing the two?  Or frankly..any documents that recommend a separate forest
for your internet systems as a security boundary?

-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] what to do with DMZ servers

I have a question... (Assuming that the Servers in the DMZ are already away
from the in-house domain)

If before the upgrade none of the servers needed AD or access to your in-house
domain, why would you want them to have it after the upgrade?

:-) Just thinking semi-logically...



Thanks,

Raymond McClinnis
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, July 10, 2003 7:19 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers


It would help if you determined what was going to be public access (via DMZ or
otherwise) and determine the needs of the applications there.

The other option we've been talking about is AD Application Mode (ADAM) from
Microsoft.




--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  -Original Message-
  From: Pelle, Joe [mailto:[EMAIL PROTECTED]
  Sent: Thursday, July 10, 2003 8:59 AM
  To: ActiveDir ([EMAIL PROTECTED])
  Subject: [ActiveDir] what to do with DMZ servers
  Please help:

  My company is currently migrating from an NT domain structure to AD... I have
  some questions regarding how some of you went about hooking in your DMZ web
  servers to AD securely...  What DID YOU DO?!!  What are the recommended best
  practices?

  The options we have discussed so far are:
  Option 1: Join DMZ servers to AD domain, open a half dozen ports on each
  server (Kerberos, LDAP, NetBios, etc) and lose the purpose of having a DMZ
  altogether.
  Option 2: Create a separate forest for the DMZ servers and create a one-way
  trust between our two forests.
  Option 3: Stand alone DMZ servers not joined to any domain.
  All other options: ??

  Your suggestions are greatly appreciated!

  Is there even a need to hook DMZ into AD?  I've heard MS talk about needing
  AD for apps like Sharepoint Portal...
  
  
  
  Joe Pelle
  Systems Analyst
  Information Technology
  Valassis / Targeted Print & Media Solutions
  35955 Schoolcraft Rd.
  Livonia, MI 48150
  Tel 734.632.3753  Fax 734.632.6240
  [EMAIL PROTECTED]
  http://www.valassis.com/

  This message may have included proprietary or protected information.  This
  message and the information contained herein are not to be further
  communicated without my express written consent.
  


RE: [ActiveDir] what to do with DMZ servers

2003-07-11 Thread Rick Kingslan



Right - understood.  But that only deals with the replication.  It doesn't deal
with the (quite exaggerated) 50 bazillion other protocols and communication
streams that DCs seem to think that they really need to survive without going
completely schizo.

Ain't DC and AD and MS communication nuances FUN?!?!  ;-)


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, July 11, 2003 5:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers

Actually, cross domain replication can be done via SMTP, which makes it a lot
less messy.

Doesn't fix the underlying, gaping security hole that exists, but at least you
don't need to allow 100 open ports.


--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Thursday, July 10, 2003 7:22 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] what to do with DMZ servers
  Are they daft or are they just convinced that there are no bad people wanting
  to own your domain?  And, if they implement this empty root/ two domain
  model, where will each of the domains live?  And the root?

  Oh, my goodness.  Has anyone considered how absolutely horrific and difficult
  (OK - without turning your firewall into a cheese grater) the rules will be
  to deal with replication, etc to accommodate a domain in a DMZ?

  Say your prayers now...
  
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
  Sent: Thursday, July 10, 2003 11:55 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] what to do with DMZ servers
  
  
  Have the exact same situation here.

  We currently have a separate NT domain (for a security boundary) for our
  INET machines.  These machines exist on a DMZ...and run public internet
  sites that connect to a SQL backend inside our network.  An ISA server
  provides the firewall and proxy services.

  I'm currently having a fight with the operations staff on design.  They want
  to do the Empty Root/two subdomain model (because they read a lot of useless
  MOC Courseware books).

  I can personally see very little benefit to consolidating these two separate
  domains into one forest.  They see no logic in having a separate
  forest/separate domain for the Internet systems.

  Nothing short of a case study will sway them I believe...any decent
  documents comparing the two?  Or frankly..any documents that recommend a
  separate forest for your internet systems as a security boundary?
  
  -Original Message-
  From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
  Sent: Thursday, July 10, 2003 11:29 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] what to do with DMZ servers
  
  I have a question... (Assuming that the Servers in the DMZ are already away
  from the in-house domain)

  If before the upgrade none of the servers needed AD or access to your
  in-house domain, why would you want them to have it after the upgrade?

  :-) Just thinking semi-logically...
  
  
  
  Thanks,

  Raymond McClinnis
  Network Administrator
  Provident Credit Union
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: Thursday, July 10, 2003 7:19 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] what to do with DMZ servers
  
  
  It would help if you determined what was going to be public access (via DMZ
  or otherwise) and determine the needs of the applications there.

  The other option we've been talking about is AD Application Mode (ADAM) from
  Microsoft.
  
  
  
  
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
    -Original Message-
    From: Pelle, Joe [mailto:[EMAIL PROTECTED]
    Sent: Thursday, July 10, 2003 8:59 AM
    To: ActiveDir ([EMAIL PROTECTED])
    Subject: [ActiveDir] what to do with DMZ servers
    Please help:

    My company is currently migrating from an NT domain structure to AD... I
    have some questions regarding how some of you went about hooking in your
    DMZ web servers to AD securely...  What DID YOU DO?!!  What are the
    recommended best practices?

    The options we have discussed so far are:
    Option 1: Join DMZ servers to AD domain, open a half dozen ports on each
    server (Kerberos, LDAP, NetBios, etc) and lose the purpose

RE: [ActiveDir] admt 2.0 - nt4 computer migration

2003-07-11 Thread Rick Kingslan
Right - I would assume that this account is a member of the local
Administrators group, either directly or by membership of some other group?
Someone mentioned, and rightly so, that if you cannot map TO
\\machine_name\admin$ as the account in question then the ADMT will not be
able to install the Agent.  Then, it really doesn't matter under what
context it runs - it's not there.

I would try and map to the admin$ share, copy an executable to the
directory, then execute the program.  Just so that you can prove that map,
copy and execute.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, July 11, 2003 9:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

Rick, thanks your time on this issue.

my view is that we failing at the installation of the agent - as i read it
this takes place using the credentials of the logged in user at the ADMT
console ??

GT


- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 11, 2003 2:05 PM
Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration


 Graham -

 I have no documentation of an 'allowedrunlist' policy or setting in NT 4.0
 (not saying that it doesn't exist - just in the limited time I have this AM
 I can't find anything).  But, given that it does exist, yes - that's what
 I'm saying.  If the policy does truly enforce WHO can run WHAT - then this
 could be an issue.

 With that being said - this agent (ADMT), in my experience, runs at the
 LocalSystem context, and therefore should not be subject to the rules of a
 ruleset applied by system policy, AFAIK.

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
 Sent: Friday, July 11, 2003 5:20 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

 Rick, thanks for post reply.

 is your inference then that it is conceivable that a restrictive 
 allowedrunlist tattooed into the registry is able to prevent 
 whatever application it is to run on the NT4 workstation. ???

 GT


 - Original Message -
 From: Rick Kingslan [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, July 10, 2003 1:13 AM
 Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration


  Graham,
 
  System Policy on NT 4.0 is truly tattooed to the system.  If you turn it off
  and back on, it's still there - unless manually removed or the policy is
  backed out via the de-application of said policy.
 
  And, sadly - I can't tell you right now what needs to run (yes the 
  Agent, damn it - but what IS the Agent?)
 
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Graham 
  Turner
  Sent: Wednesday, July 09, 2003 4:25 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration
 
  but then thinking about it no - when i failed on the first nt4 host thought
  it was down to that computer so tried another one straight away - same
  access denied result

  have spoken with the developers of the nt4 build - there is a system policy
  with an allowedrunlist policy - that was that even while logged off
  this registry value is tattooed into the computer registry
 
  if this is possible which i must confess to not being sure on then 
  need to work out what actually needs to be allowed to run for the 
  admt dispatch agent to execute
 
  clutching at straws a bit !!!
 
  GT
 
 
  - Original Message -
  From: Wilkinson, Stephen [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Wednesday, July 09, 2003 2:01 PM
  Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration
 
 
   I think Larry's first response could be it Graham.
  
   We saw exactly this in our testing with the Quest Migrator product.
   You must make sure there is no computer account with the same name 
   already in the AD -  hiding in an OU you least expect it! (ours 
   got there during testing by manually moving test boxes in and out 
   of the ad domain and forgetting to remove the computer accounts.
  
  
   Stephen Wilkinson
  
   Tel +44(0)207 4759276
   Mobile  +44(0)7973 143970
   E-Mail: [EMAIL PROTECTED]
  
  
   -Original Message-
   From: Duncan, Larry [mailto:[EMAIL PROTECTED]
   Sent: 08 July 2003 21:45
   To: '[EMAIL PROTECTED]'
  
   Has the Everyone group been added to the Pre-Windows 2000 
   Compatible Access group in the new domain?
  
  
   -Original Message-
   From

RE: [ActiveDir] admt 2.0 - nt4 computer migration

2003-07-11 Thread Rick Kingslan
Stuart, Graham - 

The Agent exec is ADMTAGNT.EXE.  Also, I don't remember it running under the
Explorer process, as when we did our migrations (well, the on-going saga...)
it was an easy matter to check how a machine was doing by bringing up task
manager to determine status and load on the box.  Had to do this numerous
times as workstations took too long and we needed to determine the real
status of the process.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Friday, July 11, 2003 3:41 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration

G,

Can't really speak to the specific technical upgrade process for ADMT.  If I
remember correctly, we simply installed the latest version over the top of
the new one and everything seemed to work out.  I think we did have to
reinstall the password export service again...

We ran the majority of our migrations from the ADMTv2 off of the .Net Server
(e.g. 2003) Beta 3 CD.  We wanted the v2 because of the password migration
bit.  We did update the ADMT from the Beta3 version to the RC1 version at
about 3/4 through our migration. We didn't really see any differences and
upgrading didn't solve a broke workstation migration issue we were having on
a dual-proc machine.  

If it is the NT policy, then on the NT workstation you are trying to
migrate, back out the allowed run policy and then try the migration again.
If changing the policy via poledit doesn't work you can try looking at the
reg keys.  JSI FAQ (http://www.jsiinc.com/SUBA/tip/rh0050.htm) lists the
two you need to look at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun = 1
and the entries under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun.
Test the workstation by running some unallowed application
first so that you know the policy has really been backed out and not
reapplied through whatever your distribution mechanism is. 

If backing off the NT policy doesn't work then re-verify the ADMT setup
(http://support.microsoft.com/?kbid=260871).  Can you migrate any other
NT/2000/XP workstations? If so then ADMT is probably set up correctly and
the trouble will be with the specific NT workstation build. 

According to JSI's note 0362, the RestrictRun policy only works on processes
run from the Explorer process. I have no clue if the agent process is being
remotely initiated on the workstation via the Explorer process but if
between workee and no-workee this is the only difference.

Additionally, I couldn't find in my brief surfing expedition what
specifically the agent .exe are.  Looking at our ADMT console the two
probable candidates are ADMTAgnt.exe and DCTAgentService.exe.  If the
only solution is to add the agent executables to the allowed list then
hopefully someone else on the mailing list knows what these really are.

Stuart Fuller
Active Directory
State of Montana

-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2003 12:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

Stuart, i share your views.

i have assumed this is going to be a problem general to NT4 workstation
migration - based on first two tested - both failed with identical message.

the number of NT4 workstations still in production means a manual migration
is not the most practical option.

in the course of resolving this i have observed that the contents of the
ADMT2 distribution are about 8 months more recent than the production ADMT2
programs that were in good faith !! from the .NET RC1 media,

i am assuming the upgrade to be a supported process and will just see if
this issue is not specific to ADMT version - i have also noted from
netiq.com that they had to patch migration software to resolve similar
issues of computer migration -

do you have any issues specific to versions of ADMT ??

if it does prove to be issues of the allowedrunlist whacking me then the
question remains as to what exe's need to be added to support the ADMT
operation

thanks for your support

GT
- Original Message -
From: Fuller, Stuart [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 11, 2003 6:30 PM
Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration


 G,

 Let me clarify what I stated earlier...

 ADMT needs to be able to resolve the name of the workstation (e.g. find it
 on the network) and be able to get to the admin$ share on the workstation.
 When you run ADMT workstation migration, you are running in the security
 context of the user logged into the ADMT console (unless you use runas).
 This user needs to have administrator privileges on the target workstation.
 You can test this very simply by mapping a drive
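
Two checks come out of this thread: Stuart's reading of the RestrictRun policy
keys, and Rick's "map admin$, copy an executable, then run it" test of the
account's reach.  As an added example (not code from the thread or from ADMT),
the PowerShell below does both.  Test-RestrictRunPolicy reads the NT-style
RestrictRun value and allow list under HKCU\...\Policies\Explorer that Stuart
cites and reports whether the agent executables named in the thread (ADMTAgnt.exe
and DCTAgentService.exe) are on the list; Test-AdminShareAccess resolves the
target, checks \\host\admin$, copies a probe executable there and removes it
again.  The workstation name NT4WKS01 is a placeholder, and Resolve-DnsName is a
DNS-only check (an NT4 box found only via WINS will show as unresolved).  The
execute step of Rick's test is left to whatever remote-execution tool you use.

```powershell
# Added example, not code from the thread or from ADMT. Host and agent names are
# assumptions taken from the discussion above.

function Test-RestrictRunPolicy {
    param([string[]]$Executable = @('ADMTAgnt.exe', 'DCTAgentService.exe'))

    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $listKey   = Join-Path $policyKey 'RestrictRun'

    # RestrictRun = 1 switches the "run only allowed Windows applications" policy on.
    $flag = (Get-ItemProperty -Path $policyKey -Name RestrictRun -ErrorAction SilentlyContinue).RestrictRun
    if ($flag -ne 1) {
        return [pscustomobject]@{ Enforced = $false; Allowed = @(); Missing = @() }
    }

    # The allow list is a set of string values under the RestrictRun subkey,
    # e.g. "1"="notepad.exe". PS* properties are provider metadata, not values.
    $allowed = @()
    if (Test-Path $listKey) {
        $allowed = @((Get-ItemProperty -Path $listKey).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [string]$_.Value })
    }
    # -notcontains compares case-insensitively, matching how Explorer treats file names.
    $missing = @($Executable | Where-Object { $allowed -notcontains $_ })

    # Caveat from JSI note 0362 (quoted in the thread): the list is only enforced for
    # processes started through Explorer, so Enforced=$true with the agent missing
    # means "could block the agent", not "does block it".
    [pscustomobject]@{ Enforced = $true; Allowed = $allowed; Missing = $missing }
}

function Test-AdminShareAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$ProbeFile = "$env:SystemRoot\System32\hostname.exe"  # any small exe
    )
    $share  = "\\$ComputerName\admin$"
    $result = [ordered]@{ Computer = $ComputerName; Resolves = $false
                          ShareReadable = $false; CanCopy = $false }

    # Step 1 of Stuart's list: can we even find the workstation by name?
    $result.Resolves = [bool](Resolve-DnsName $ComputerName -ErrorAction SilentlyContinue)
    if (-not $result.Resolves) { return [pscustomobject]$result }

    # Step 2: is admin$ reachable with the credentials this console is running under?
    $result.ShareReadable = Test-Path $share
    if (-not $result.ShareReadable) { return [pscustomobject]$result }

    # Step 3 (Rick's test): copy an executable in, then clean up after ourselves.
    $target = Join-Path $share ('admtprobe-{0}.exe' -f [guid]::NewGuid())
    try {
        Copy-Item -Path $ProbeFile -Destination $target -ErrorAction Stop
        $result.CanCopy = $true
        Remove-Item -Path $target -Force -ErrorAction SilentlyContinue
    } catch {
        Write-Warning "Copy to $share failed: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Example use, with a placeholder workstation name:
Test-RestrictRunPolicy | Format-List
Test-AdminShareAccess -ComputerName 'NT4WKS01' | Format-List
```

Run the first function in the context of the user whose policy you suspect
(RestrictRun lives under HKCU, so the answer is per user), and the second from
the ADMT console session, since that is the security context the agent
installation uses unless you runas.
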

RE: [ActiveDir] what to do with DMZ servers

2003-07-11 Thread Rick Kingslan



Brian,

We implemented an empty root design (we now have 6 other domains) but we
planned this from the start knowing that our company will do acquisition and
divestiture - leaving us in a position to easily move domains off of the
structure.  Our forest is very stable, very healthy, and it works well for us.
Two additional domain controllers for the Root Domain - which left us with a
solid base for the other child domains - was the total cost.  Reasonable from a
management perspective, knowing that we will add and remove domains.

And, I do have a forest in our extranet.  Plus, we are looking into MIIS (or,
MMS 3.0 for us who have been working with the product for more than a month) to
assist with SSO and to manage accounts in a push manner to our extranet forest.
In addition, ADAM is beginning to play a part as some of the Applications that
we use can use an LDAP service for Authentication / Authorization.

Bottomline - it's all a matter of choice.  You can make all kinds of decisions,
but the best thing to do is not make one.  I've seen more projects die because
of analysis paralysis than any other single cause.  Many times, implementing a
not perfectly 'optimal' implementation (but very workable and viable) is better
than waiting until you have the best solution, only to find that the window was
missed or confidence is in question.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
Sent: Friday, July 11, 2003 3:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers


I got used to being shocked and surprised at what happens here long ago :-)

All I can do is try to make it better any way I can.  Sadly without some
serious firepower with an MS stamp of approval on it...it's an uphill battle.

I can find a bazillion docs however that suggest people migrate their NT
domains using the Empty root strategy...makes one wonder at times.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2003 9:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] what to do with DMZ servers

Brian,

A few hours of sleep to think further about this - you ask for case studies.
I would have to believe, and am certain of at least one - that SANS Institute
is going to be able to provide this for you off of their site.  We have a
subscription and I can't say at the moment if this is pay or free (suspect pay
- it usually is when you really need it...) but I just can't imagine what would
possess someone to believe that what they are proposing is even remotely
acceptable in any environment in today's computing world.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
Sent: Thursday, July 10, 2003 11:55 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers
Have the exact same situation here.

We currently have a separate NT domain (for a security boundary) for our INET
machines.  These machines exist on a DMZ...and run public internet sites that
connect to a SQL backend inside our network.  An ISA server provides the
firewall and proxy services.

I'm currently having a fight with the operations staff on design.  They want
to do the Empty Root/two subdomain model (because they read a lot of useless
MOC Courseware books).

I can personally see very little benefit to consolidating these two separate
domains into one forest.  They see no logic in having a separate
forest/separate domain for the Internet systems.

Nothing short of a case study will sway them I believe...any decent documents
comparing the two?  Or frankly..any documents that recommend a separate forest
for your internet systems as a security boundary?

-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] what to do with DMZ servers

I have a question... (Assuming that the Servers in the DMZ are already away from the in-house domain)

If before the upgrade none of the servers needed AD or access to your in-house domain, why would you want them to have it after the upgrade?

:-) Just thinking semi-logically...

Thanks,

Raymond McClinnis
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, July 10, 2003 7:19 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers


It would help if you determined what was going to be public access (via DMZ or otherwise) and determine the needs of the applications there.

The other option we've been talking

RE: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread Rick Kingslan



Honestly, no. The risk, IMHO, is just too great. Extranets with a separate forest with some (read: controlled) synched or replicated data between the forests (internal, DMZ) - or, as someone mentioned already, ADAM - strikes me as a much better and safer option.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
Sent: Thursday, July 10, 2003 11:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers


On this note... can anyone think of any possible reason to have public internet servers on a DMZ in the same forest as your internal AD environment?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 11:14 AM
To: ActiveDir
Subject: Re: [ActiveDir] what to do with DMZ servers

Not having them in the domain is the most secure option. If you cannot do that, then recognize that you are increasing potential surface area for hacks. With a separate forest in option 2 you will still need to open several ports to allow the trust. Search technet for firewall and trust. With option 1 look at microsoft's example in the Internet Data Center Reference, a document on MSDN, I believe. Personally I feel their recommendations are insecure. You can open the ports, but you need to handle RPC traffic which is problematic. You can limit the rpc services for AD and FRS to use a single port each via registry entries. Or you can set up IPSEC tunnels between dc's via gpo's, but if the machine is compromised that opens a highway to a machine on your internal network. RPC proxy is a technology that could possibly help but I haven't seen an implementation yet.

--
Sent from my BlackBerry Wireless Handheld



- Original Message -
From: ActiveDir-owner
Sent: 07/10/2003 08:58 AM
To: "ActiveDir ([EMAIL PROTECTED])" [EMAIL PROTECTED]
Subject: [ActiveDir] what to do with DMZ servers

Please help:

My company is currently migrating from an NT domain structure to AD... I have some questions regarding how some of you went about hooking in your DMZ web servers to AD securely... What DID YOU DO?!! What are the recommended best practices?

The options we have discussed so far are:
Option 1: Join DMZ servers to AD domain, open a half dozen ports on each server (Kerberos, LDAP, NetBios, etc) and lose the purpose of having a DMZ altogether.
Option 2: Create a separate forest for the DMZ servers and create a one-way trust between our two forests.
Option 3: Stand alone DMZ servers not joined to any domain.
All other options: ??

Your suggestions are greatly appreciated!

Is there even a need to hook DMZ into AD? I've heard MS talk about needing AD for apps like Sharepoint Portal...



Joe Pelle
Systems Analyst
Information Technology
Valassis / Targeted Print & Media Solutions
35955 Schoolcraft Rd. Livonia, MI 48150
Tel 734.632.3753 Fax 734.632.6240
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.
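The thread above weighs three designs (join the DMZ hosts to the internal domain, a separate forest with a trust, or stand-alone hosts) and mentions that the RPC services for AD replication and FRS can be pinned to a single port each through registry entries. The following PowerShell is an added example written for this archive, not code from any list member: it reads the two Microsoft-documented registry values that pin those ports on a DC, and lists the ports a DMZ host would need to reach on an internal DC, once as a plain domain member (Option 1) and once as a DC in the DMZ (the empty root / child domain design Brian's operations staff proposed). The registry paths and value names are the documented ones; the port list is the well-known Windows 2000/2003 set, and the dynamic RPC range 1025-5000 is specific to those versions.

```powershell
# Added example (not from the list thread): audit the static RPC port settings
# on a Windows 2000/2003 DC and list the firewall openings each DMZ design needs.

# Microsoft-documented REG_DWORD values that pin AD replication (NTDS) and FRS
# RPC traffic to one fixed TCP port each instead of the dynamic RPC range.
$NtdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsValue = 'TCP/IP Port'
$FrsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
$FrsValue  = 'RPC TCP/IP Port Assignment'

function Get-RegistryDword {
    # Returns the DWORD value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.PSObject.Properties[$Name].Value
}

function Get-StaticRpcPortConfig {
    # Run on the DC. A $null port means the service still takes a dynamic port,
    # so a firewall in front of it would have to pass the whole RPC range.
    $ntds = Get-RegistryDword -Path $NtdsKey -Name $NtdsValue
    $frs  = Get-RegistryDword -Path $FrsKey  -Name $FrsValue
    [pscustomobject]@{
        NtdsReplicationPort = $ntds
        FrsPort             = $frs
        IsPinned            = ($null -ne $ntds -and $null -ne $frs)
    }
}

function Get-RequiredDcPorts {
    param(
        [ValidateSet('Member', 'DomainController')][string]$DmzRole = 'Member',
        $Static = (Get-StaticRpcPortConfig)
    )
    # Baseline a domain member (Option 1 in the thread) needs to reach on a DC.
    # Some Netlogon/DCOM operations additionally use the RPC dynamic range.
    $rules = @(
        @{ Service = 'DNS';                   Proto = 'TCP/UDP'; Port = '53' }
        @{ Service = 'Kerberos';              Proto = 'TCP/UDP'; Port = '88' }
        @{ Service = 'NTP time sync';         Proto = 'UDP';     Port = '123' }
        @{ Service = 'RPC endpoint mapper';   Proto = 'TCP';     Port = '135' }
        @{ Service = 'NetBIOS name/datagram'; Proto = 'UDP';     Port = '137-138' }
        @{ Service = 'NetBIOS session';       Proto = 'TCP';     Port = '139' }
        @{ Service = 'LDAP';                  Proto = 'TCP/UDP'; Port = '389' }
        @{ Service = 'SMB (SYSVOL, GPO)';     Proto = 'TCP';     Port = '445' }
        @{ Service = 'Kerberos kpasswd';      Proto = 'TCP/UDP'; Port = '464' }
        @{ Service = 'LDAP over SSL';         Proto = 'TCP';     Port = '636' }
        @{ Service = 'Global Catalog';        Proto = 'TCP';     Port = '3268-3269' }
    )
    if ($DmzRole -eq 'DomainController') {
        # A DC living in the DMZ (empty root / child domain design) must also
        # replicate with the internal DCs: NTDS and FRS over RPC, either on the
        # pinned port or anywhere in the Windows 2000/2003 dynamic range.
        $ntdsPort = if ($Static.NtdsReplicationPort) { "$($Static.NtdsReplicationPort) (pinned)" } else { '1025-5000 (dynamic)' }
        $frsPort  = if ($Static.FrsPort)             { "$($Static.FrsPort) (pinned)" }             else { '1025-5000 (dynamic)' }
        $rules += @{ Service = 'RPC dynamic range (Netlogon etc.)'; Proto = 'TCP'; Port = '1025-5000' }
        $rules += @{ Service = 'AD replication (NTDS RPC)';         Proto = 'TCP'; Port = $ntdsPort }
        $rules += @{ Service = 'FRS (SYSVOL replication)';          Proto = 'TCP'; Port = $frsPort }
    }
    $rules | ForEach-Object { [pscustomobject]$_ }
}

# Usage: compare the two designs side by side on the internal DC.
Get-StaticRpcPortConfig
Get-RequiredDcPorts -DmzRole Member           | Format-Table -AutoSize
Get-RequiredDcPorts -DmzRole DomainController | Format-Table -AutoSize
```

The point the table makes is the one Rick makes about the cheese grater: even with both RPC ports pinned, a DC in the DMZ still needs the endpoint mapper and a dynamic range open inbound from the DMZ, and a compromised DMZ DC holds a writable copy of its domain's directory. The stand-alone option (Option 3) needs none of these openings, which is why the BlackBerry reply calls it the most secure choice.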



RE: [ActiveDir] Identity Management using AD

2003-07-10 Thread Rick Kingslan



You're that sure, are you Jackson? ;-)

I had this really interesting discussion with Kim, Chuck (Director of AD??), a number of developers and Program and Product Mgrs. in February at the MVP Summit. I'm absolutely floored that you folks moved that fast on the Identity Management, given the discussions that we had. Obviously, this has been in the works for some time for MMS to morph.

I can't say that I remember - were you there for that meeting (about 12 Server MVP's and about 10 MS folks packed into a conference room)?

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Thursday, July 10, 2003 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Identity Management using AD


We're going to make the MV writeable. :-)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, July 10, 2003 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD


Meaning being able to make changes in the metaview to replicate out?

It has not been decided.

Todd

  -Original Message-
  From: Jackson Shaw [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, July 09, 2003 8:18 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Identity Management using AD

  We're going to make the MV writeable...
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
  Sent: Tuesday, July 08, 2003 7:12 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Identity Management using AD
  
  
  We are in the process of evaluating MIIS here, and AD is currently our source for authentication information. For Enterprise applications, we are using a custom database running on Critical Path to sync with other application directories, and get a metaview of the information for identity management. Currently no one allows the metaview write access anywhere.

  I hope our testing and subsequent deployment will allow for a more standardized approach like what was described below.

  To build on what Gil wrote, the reason why SQL server was used to store identity information was probably because it was a metaview of all the relevant data needed to construct an employee, including privacy information. Active Directory doesn't need access to privacy information (SSN#, DOB, etc), nor do many LDAP applications. The nice thing about MIIS is that it can create that metaview for you and store it in a SQL server. So if your privacy information is only stored in the HR system and Payroll, then you can set ACL's on the info so only those systems get that info.

  If you are getting into directories for both network access and Enterprise Resource and Application use, I suggest subscribing to the Burton Group papers on Enterprise directory, and constructing your architecture based on some of their principles. Now if we could only find a group willing to figure out the Laws of directories we would be golden... Maybe Murphy is already doing them.

  Todd
  
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

MSFT internally uses SQL Server as the authoritative store for identity information, and populates AD from that.
  -Original Message-
  From: Glenn Corbett [mailto:[EMAIL PROTECTED]
  Sent: Thursday, July 03, 2003 7:00 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Identity Management using AD
  
  All,

  We are in the process of redefining our Internet-enabled applications with a view to a centralised customer/client database. There has been quite a bit of discussion regarding using AD as this "customer store", since AD will already be in this environment.

  I'm a bit hesitant to recommend "vanilla" AD for this task, however I can see a number of benefits to this approach, as the support monkeys can manage the entire environment using the same tools they use to manage the production environment (ADUC etc).

  I've been reading up on the information regarding MIIS (what little there is), and can see some potential for a configuration such as this, eg:

  - Use AD to store the "core" customer information (user name, password, basic details)
  - Use ADAM or SQL (or whatever) for each application to store application specific extensions (

RE: [ActiveDir] what to do with DMZ servers

2003-07-10 Thread Rick Kingslan



Are they daft or are they just convinced that there are no bad people wanting to own your domain? And, if they implement this empty root/two domain model, where will each of the domains live? And the root?

Oh, my goodness. Has anyone considered how absolutely horrific and difficult (OK - without turning your firewall into a cheese grater) the rules will be to deal with replication, etc. to accommodate a domain in a DMZ?

Say your prayers now

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, Brian
Sent: Thursday, July 10, 2003 11:55 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers


Have the exact same situation here.

We currently have a separate NT domain (for a security boundary) for our INET machines. These machines exist on a DMZ... and run public internet sites that connect to a SQL backend inside our network. An ISA server provides the firewall and proxy services.

I'm currently having a fight with the operations staff on design. They want to do the Empty Root/two subdomain model (because they read a lot of useless MOC Courseware books).

I can personally see very little benefit to consolidating these two separate domains into one forest. They see no logic in having a separate forest/separate domain for the Internet systems.

Nothing short of a case study will sway them, I believe... any decent documents comparing the two? Or frankly... any documents that recommend a separate forest for your internet systems as a security boundary?

-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] what to do with DMZ servers

I have a question... (Assuming that the Servers in the DMZ are already away from the in-house domain)

If before the upgrade none of the servers needed AD or access to your in-house domain, why would you want them to have it after the upgrade?

:-) Just thinking semi-logically...

Thanks,

Raymond McClinnis
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, July 10, 2003 7:19 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] what to do with DMZ servers


It would help if you determined what was going to be public access (via DMZ or otherwise) and determine the needs of the applications there.

The other option we've been talking about is AD Application Mode (ADAM) from Microsoft.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  -Original Message-
  From: Pelle, Joe [mailto:[EMAIL PROTECTED]
  Sent: Thursday, July 10, 2003 8:59 AM
  To: ActiveDir ([EMAIL PROTECTED])
  Subject: [ActiveDir] what to do with DMZ servers

  Please help:

  My company is currently migrating from an NT domain structure to AD... I have some questions regarding how some of you went about hooking in your DMZ web servers to AD securely... What DID YOU DO?!! What are the recommended best practices?

  The options we have discussed so far are:
  Option 1: Join DMZ servers to AD domain, open a half dozen ports on each server (Kerberos, LDAP, NetBios, etc) and lose the purpose of having a DMZ altogether.
  Option 2: Create a separate forest for the DMZ servers and create a one-way trust between our two forests.
  Option 3: Stand alone DMZ servers not joined to any domain.
  All other options: ??

  Your suggestions are greatly appreciated!

  Is there even a need to hook DMZ into AD? I've heard MS talk about needing AD for apps like Sharepoint Portal...
  
  
  
  Joe Pelle
  Systems Analyst
  Information Technology
  Valassis / Targeted Print & Media Solutions
  35955 Schoolcraft Rd. Livonia, MI 48150
  Tel 734.632.3753 Fax 734.632.6240
  [EMAIL PROTECTED]
  http://www.valassis.com/

  This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.
  


RE: [ActiveDir] Identity Management using AD

2003-07-09 Thread Rick Kingslan



Roger,

I'm not sure that I follow... Firstly, the acronym might have thrown me off - I haven't seen this one. 'WRT H' means?

And, to speculate (seeing as I might be missing information with the WRT H thing and all ;-) ), you've messed around with ADAM, right? Can be on WinXP, Server 2003 - create multiple instances of an AD structure, but more like an AD-lite?

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, July 09, 2003 6:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

WRT H, isn't ADAM a Win2k3 'forest'? If so, this isn't an issue, right?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, July 08, 2003 10:12 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Identity Management using AD

  Glenn,

  Interesting questions, and I'd like to take a shot at lending an opinion on some of these points. Firstly, privacy seems to have become a true art form in the States. From Gramm-Leach-Bliley to HIPAA, we're regulated to the n-th degree. I'm not sure if it's good or bad - but it's something to be aware of. Then, to the other extreme - the Higher Educational system where the 1st Amendment meets rational thought and security. ;-)

  a) I agree 100%. I think AD is a very well designed store for this type of storage - given that triple-A is available out of the box (authorization, authentication, auditing)
  b) True - fairly static - not changing much. Just enough to keep the Identity portion in place.
  c) Nope - see D
  d) ADAM - Active Directory Application Mode. Synching available, greater level with MMS (MIIS??), multiple instances and truly designed for the application depository
  e) Joe is going to be the man to answer this - he's been doing the massive number management function - though I don't think to this number. ;-)
  f) Passport (and to some degree, rightly so) has been beat up pretty badly. However, in your environment, Passport may be more viable than how it is being leveraged by MS
  g) Heh - layering these things is possible, though it can get hairy to manage. Mapping of certs to names / objects, expansion of schema for new function to handle biometrics, and the smart card option is all pretty good - but smart card is going to leverage certs to some degree at some level. Not knowing what price level / sensitivity of data / regulations you are dealing with makes it a bit hard for me to suggest anything, but any layering is obviously going to raise the price because of the complexity / added hardware / software and added processor for keyed type solutions
  h) Can't say that I've run into any or know of anyone that has (well - not completely true. I know Gary Olsen with HP, and he ran into the KCC issue mentioned in a moment) - obviously, they are there. Microsoft claims to have tested to billions of objects - and I have no reason to not believe this to be true. The KCC topology (KCC cannot work if (1 + #Domains) x sites^2 > 100,000) issue of Windows 2000 does indicate that there are issues here and there. They get fixed, but usually are big fixes. In the case of the KCC issue, it's fixed in Server 2003, but only once you get to 2003 Forest Functional mode. That's a big move.
  i) Because it's there. Oh, wait! That's for mountains. Never mind.

  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
  Sent: Tuesday, July 08, 2003 6:36 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] Identity Management using AD
  
  Thanks Todd.

  At the moment, we aren't hugely concerned about putting *some* privacy information into AD, as this instance of AD will only be for our external clients, and the attribute level ACL's provided by AD should provide enough security to stop certain applications / users from seeing this information. That being said, we are looking into the appropriate laws / legislation / statutes regarding privacy and the storage of personal information to make sure we are covered from that aspect.

  I've done the required high level checking, and AD shouldn't have any trouble storing the amount and type of information we require (up to 6-8 million user objects, several thousand groups etc), it's really down to the following questions:

  a) Is AD an *appropriate* store for this sort of information (my answer would be yes

RE: [ActiveDir] Identity Management using AD

2003-07-09 Thread Rick Kingslan



You're right - I can't keep up with the TLA's

As to ADAM - it will run on XP/2003, but does not require that the domain be in native mode or forest functional as we're only hosting an AD environment for specific purposes - not a full functioning DS with every bell and whistle.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, July 09, 2003 9:48 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

WRT = "with regards to". What's the matter? Can't keep up with all the TLA's?[1]

I haven't played with ADAM, but have done a bit of reading. I was assuming, probably incorrectly, that it would only function in the full native mode/2003 Forest mode. It doesn't seem to make sense for a product like this to be built to support downlevel DC's.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Three Letter Acronyms

  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, July 09, 2003 9:21 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Identity Management using AD

  Roger,

  I'm not sure that I follow... Firstly, the acronym might have thrown me off - I haven't seen this one. 'WRT H' means?

  And, to speculate (seeing as I might be missing information with the WRT H thing and all ;-) ), you've messed around with ADAM, right? Can be on WinXP, Server 2003 - create multiple instances of an AD structure, but more like an AD-lite?

  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: Wednesday, July 09, 2003 6:25 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Identity Management using AD
  
  WRT H, isn't ADAM a Win2k3 'forest'? If so, this isn't an issue, right?

  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 10:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Identity Management using AD

Glenn,

Interesting questions, and I'd like to take a shot at lending an opinion on some of these points. Firstly, privacy seems to have become a true art form in the States. From Gramm-Leach-Bliley to HIPAA, we're regulated to the n-th degree. I'm not sure if it's good or bad - but it's something to be aware of. Then, to the other extreme - the Higher Educational system where the 1st Amendment meets rational thought and security. ;-)

a) I agree 100%. I think AD is a very well designed store for this type of storage - given that triple-A is available out of the box (authorization, authentication, auditing)
b) True - fairly static - not changing much. Just enough to keep the Identity portion in place.
c) Nope - see D
d) ADAM - Active Directory Application Mode. Synching available, greater level with MMS (MIIS??), multiple instances and truly designed for the application depository
e) Joe is going to be the man to answer this - he's been doing the massive number management function - though I don't think to this number. ;-)
f) Passport (and to some degree, rightly so) has been beat up pretty badly. However, in your environment, Passport may be more viable than how it is being leveraged by MS
g) Heh - layering these things is possible, though it can get hairy to manage. Mapping of certs to names / objects, expansion of schema for new function to handle biometrics, and the smart card option is all pretty good - but smart card is going to leverage certs to some degree at some level. Not knowing what price level / sensitivity of data / regulations you are dealing with makes it a bit hard for me to suggest anything, but any layering is obviously going to raise the price because of the complexity / added hardware / software and added processor for keyed type solutions
h) Can't say that I've run into any or know of anyone that has (well - not completely true. I know Gary Olsen with HP, and he ran into the KCC issue mentioned in a moment) - obviously, they are there. Microsoft claims to have tested to billions of objects - and I have no reason to not believe this to be true. The KCC topology (KCC cannot work if (1 + #Domains) x sites^2 > 100,000) issue of Windows 2000 does indicate that there are i

RE: [ActiveDir] Finding things in the AD Users/Computers

2003-07-09 Thread Rick Kingslan



Mark,

If you go to the properties of the object and then use the 'Object' tab, it will display the path to the object.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Wednesday, July 09, 2003 10:07 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Finding things in the AD Users/Computers

Please can someone tell me how I find which OU an object is in. I can "find" the object using the find option on the AD U and C snap-in but then there is no info on which OU the little rascal is in.

I have a group which someone moved accidentally and I need to move it back but can't find where it ended up.

Many thanks


RE: [ActiveDir] Identity Management using AD

2003-07-09 Thread Rick Kingslan



Todd,

And sorry for you, I am. I've had to look through much of this in my time, and - with all due respect - it is truly a wonder that this beautiful country of ours gets anything accomplished at all. Yes, Freedom does have its price - and it's paid for in miles of red tape.

Silly, quite actually.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, July 09, 2003 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

http://irm.cit.nih.gov/policy/legislation.html

Here is what we have to follow.

Todd

  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, July 08, 2003 10:12 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Identity Management using AD

  Glenn,

  Interesting questions, and I'd like to take a shot at lending an opinion on some of these points. Firstly, privacy seems to have become a true art form in the States. From Gramm-Leach-Bliley to HIPAA, we're regulated to the n-th degree. I'm not sure if it's good or bad - but it's something to be aware of. Then, to the other extreme - the Higher Educational system where the 1st Amendment meets rational thought and security. ;-)

  a) I agree 100%. I think AD is a very well designed store for this type of storage - given that triple-A is available out of the box (authorization, authentication, auditing)
  b) True - fairly static - not changing much. Just enough to keep the Identity portion in place.
  c) Nope - see D
  d) ADAM - Active Directory Application Mode. Synching available, greater level with MMS (MIIS??), multiple instances and truly designed for the application depository
  e) Joe is going to be the man to answer this - he's been doing the massive number management function - though I don't think to this number. ;-)
  f) Passport (and to some degree, rightly so) has been beat up pretty badly. However, in your environment, Passport may be more viable than how it is being leveraged by MS
  g) Heh - layering these things is possible, though it can get hairy to manage. Mapping of certs to names / objects, expansion of schema for new function to handle biometrics, and the smart card option is all pretty good - but smart card is going to leverage certs to some degree at some level. Not knowing what price level / sensitivity of data / regulations you are dealing with makes it a bit hard for me to suggest anything, but any layering is obviously going to raise the price because of the complexity / added hardware / software and added processor for keyed type solutions
  h) Can't say that I've run into any or know of anyone that has (well - not completely true. I know Gary Olsen with HP, and he ran into the KCC issue mentioned in a moment) - obviously, they are there. Microsoft claims to have tested to billions of objects - and I have no reason to not believe this to be true. The KCC topology (KCC cannot work if (1 + #Domains) x sites^2 > 100,000) issue of Windows 2000 does indicate that there are issues here and there. They get fixed, but usually are big fixes. In the case of the KCC issue, it's fixed in Server 2003, but only once you get to 2003 Forest Functional mode. That's a big move.
  i) Because it's there. Oh, wait! That's for mountains. Never mind.

  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
  Sent: Tuesday, July 08, 2003 6:36 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] Identity Management using AD
  
  Thanks Todd.

  At the moment, we aren't hugely concerned about putting *some* privacy information into AD, as this instance of AD will only be for our external clients, and the attribute level ACL's provided by AD should provide enough security to stop certain applications / users from seeing this information. That being said, we are looking into the appropriate laws / legislation / statutes regarding privacy and the storage of personal information to make sure we are covered from that aspect.

  I've done the required high level checking, and AD shouldn't have any trouble storing the amount and type of information we require (up to 6-8 million user objects, several thousand groups etc), it's really down to the following questions:

  a) Is AD an *appropriate* store for this sort of information (my answer would be yes, based on the Authentication / Authorisation provided by AD)
  b) What sorts of information should be stored in AD (I'll be pointing out the often read / rarely written aspects of AD)
  c

RE: [ActiveDir] admt 2.0 - nt4 computer migration

2003-07-09 Thread Rick Kingslan
Graham,

System Policy on NT 4.0 is truly tattooed to the system.  If you turn it off
and back on, it's still there - unless manually removed or the policy is
backed out via the de-application of said policy.

And, sadly - I can't tell you right now what needs to run (yes the Agent,
damn it - but what IS the Agent?)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, July 09, 2003 4:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration

but then thinking about it no - when i failed on the first nt4 host thought
it was down to that computer so tried another one straight away - same
access denied result

have spoken with the developers of the nt4 build  - there is a system policy
with an allowedrunlist policy - that was that even while logged off this
registry value is tattooed into the computer registry 

if this is possible which i must confess to not being sure on then need to
work out what actually needs to be allowed to run for the admt dispatch
agent to execute

clutching at straws a bit !!!

GT


- Original Message -
From: Wilkinson, Stephen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 09, 2003 2:01 PM
Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration


 I think Larry's first response could be it Graham.

 We saw exactly this in our testing with the Quest Migrator product.  
 You must make sure there is no computer account with the same name 
 already in the AD -  hiding in an OU you least expect it! (ours got 
 there during testing by manually moving test boxes in and out of the 
 ad domain and forgetting to remove the computer accounts.


 Stephen Wilkinson

 Tel +44(0)207 4759276
 Mobile  +44(0)7973 143970
 E-Mail: [EMAIL PROTECTED]


 -Original Message-
 From: Duncan, Larry [mailto:[EMAIL PROTECTED]
 Sent: 08 July 2003 21:45
 To: '[EMAIL PROTECTED]'

 Has the Everyone group been added to the Pre-Windows 2000 
 Compatible Access group in the new domain?


 -Original Message-
 From: Graham Turner [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, July 08, 2003 3:24 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] admt 2.0 - nt4 computer migration

 Am attempting the migration of computer from NT4 source domain to 
 Windows 2000 target domain.

 the migration environment is working fine with windows 2000 
 professional clients

 have got issues with the migration of an NT4 workstation

 the extract from dispatch.log on the admt server is attached from 
 which i am hoping to get a few clues as to the access denied

 have checked the obvious issues such as sourcedom\domain admins 
 being a member of the local administrators group and the computer 
 migration being run while logged an as a member of that 
 sourcedom\domain admins group

 Thanks

 GT


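A scripted check for the two causes raised in this thread (a computer account with the same name already present somewhere in the target AD, and Everyone missing from Pre-Windows 2000 Compatible Access), as an added example that is not part of the original posts. It assumes it is run from a workstation that can reach the target domain; the domain DN and workstation name are placeholders, and the function names are chosen here.

```powershell
# Added example (not from the list thread): pre-flight checks before migrating an NT4
# workstation into the target domain. $TargetDomainDN and $WorkstationName are placeholders.
$TargetDomainDN  = 'DC=target,DC=example'
$WorkstationName = 'NT4WKS01'

function Find-DuplicateComputerAccount {
    param([string]$Name, [string]$SearchBase)
    # Computer objects carry a trailing '$' in sAMAccountName. Search the whole domain
    # (Subtree), because a stale account can sit in any OU, not only in CN=Computers.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.SearchScope = 'Subtree'
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'whenCreated'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            WhenCreated       = [datetime]$r.Properties['whencreated'][0]
        }
    }
}

function Test-PreWin2000CompatibleAccess {
    param([string]$DomainDN)
    # Everyone is the well-known SID S-1-1-0. When a well-known SID is added to a
    # group, AD stores it as a foreignSecurityPrincipal whose CN is the SID itself.
    $group   = [ADSI]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$DomainDN"
    $members = @($group.member)
    $hasEveryone = $members -match '^CN=S-1-1-0,CN=ForeignSecurityPrincipals,'
    [pscustomobject]@{
        Members     = $members
        HasEveryone = [bool]$hasEveryone
    }
}

$dupes = @(Find-DuplicateComputerAccount -Name $WorkstationName -SearchBase $TargetDomainDN)
if ($dupes) {
    Write-Warning "Existing account(s) for $WorkstationName already in the target domain:"
    $dupes | Format-Table -AutoSize
} else {
    Write-Host "No existing computer account named $WorkstationName under $TargetDomainDN"
}

$compat = Test-PreWin2000CompatibleAccess -DomainDN $TargetDomainDN
if (-not $compat.HasEveryone) {
    Write-Warning 'Everyone is not a member of Pre-Windows 2000 Compatible Access; downlevel (NT4) clients can get access denied.'
}
```

Both checks are read-only. Adding Everyone to Pre-Windows 2000 Compatible Access grants anonymous read of user and group attributes, so it is worth removing again once the last downlevel client has been migrated.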

RE: [ActiveDir] Finding things in the AD Users/Computers

2003-07-09 Thread Rick Kingslan



Dave, 

Thanks for the catch - I completely forgot the Advanced 
Features. It's become ubiquitous on my systems

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, July 09, 2003 11:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Finding things in the AD Users/Computers

In ADUC, go to the View menu and make sure "Advanced Features" is 
checked. Then find the object and look at its Properties dialog - there's 
a tab called "Object" - the object's full name is listed there in the 
form domain/container/container.../object (example: 
ad.company.com/users/fred). The containers are the full path of OUs 
where the object is located.

The Object tab is only visible if Advanced Features is 
selected.

HTH
Dave

  -Original Message-
  From: Abbiss, Mark [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, July 09, 2003 10:07 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Finding things in the AD Users/Computers

  Please can someone tell me how I find which OU an object is in please. 
  I can "find" the object using the find option on the AD UandC snap in but then 
  there is no info which OU the little rascal is in.
  
  I have a group which someone moved accidentally and I need to move it back but 
  can't find where it ended up 
  
  Many thanks
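The Object tab lookup Dave describes, done from a script so the parent container can be read straight off the distinguished name, as an added example that is not from the thread. It assumes a domain-joined workstation; the object name and the DNs in the usage comments are placeholders, and Get-ParentDN and ConvertTo-CanonicalName are helper names chosen here. The parser handles the one edge case a naive split gets wrong: an RDN with an escaped comma, such as CN=Smith\, John.

```powershell
# Added example (not from the list thread): find the container an object lives in.

function Get-ParentDN {
    param([string]$DN)
    # The parent is everything after the first *unescaped* comma. A leading RDN such as
    # "CN=Smith\, John" contains an escaped comma, so a plain Split(',') would be wrong.
    for ($i = 0; $i -lt $DN.Length; $i++) {
        if ($DN[$i] -eq '\') { $i++; continue }            # skip the escaped character
        if ($DN[$i] -eq ',') { return $DN.Substring($i + 1) }
    }
    return ''                                               # no parent: naming context itself
}

function ConvertTo-CanonicalName {
    param([string]$DN)
    # Produces the domain/container/.../object form shown on ADUC's Object tab.
    $parts   = New-Object System.Collections.Generic.List[string]
    $current = ''
    for ($i = 0; $i -lt $DN.Length; $i++) {
        if ($DN[$i] -eq '\') { $current += $DN[$i + 1]; $i++; continue }   # unescape
        if ($DN[$i] -eq ',') { $parts.Add($current); $current = ''; continue }
        $current += $DN[$i]
    }
    $parts.Add($current)
    $dcs  = @($parts | Where-Object { $_ -like 'DC=*' }    | ForEach-Object { $_.Substring(3) })
    $rest = @($parts | Where-Object { $_ -notlike 'DC=*' } | ForEach-Object { $_.Substring($_.IndexOf('=') + 1) })
    [array]::Reverse($rest)                                  # root-first, object last
    return (@($dcs -join '.') + $rest) -join '/'
}

function Get-ObjectParentContainer {
    param(
        [Parameter(Mandatory)][string]$Name,                 # sAMAccountName of the object
        [string]$SearchBase = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    $searcher = [adsisearcher]"(sAMAccountName=$Name)"
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.SearchScope = 'Subtree'
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        [pscustomobject]@{
            DistinguishedName = $dn
            ParentContainer   = Get-ParentDN $dn
            CanonicalName     = ConvertTo-CanonicalName $dn
        }
    }
}

# Usage (placeholder names):
#   Get-ObjectParentContainer -Name 'MovedGroup'
#   Get-ParentDN 'CN=Smith\, John,OU=Sales,OU=UK,DC=ad,DC=company,DC=com'
#   ConvertTo-CanonicalName 'CN=fred,CN=Users,DC=ad,DC=company,DC=com'
```

Once the DN is known, the group can be moved back with ADUC's Move command or by changing the parent with ADSI; the script itself changes nothing.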


RE: [ActiveDir] Identity Management using AD

2003-07-09 Thread Rick Kingslan



I'm not sure that I would say that security is limited - 
authentication TO ADAM is a limited feature - supports password 
authentication to the user objects. You can bind as a Windows Principal or 
as an ADAM principal. Password and lockout policy will apply from the 
machine on which ADAM is installed. So if policy is set at your 
Domain level and this is a member server, that's what applies. And, the 
connection for the bind has a signing option and an encryption 
option.

Authorization is available on, and to objects using 
DSACLS for granting and denying permissions. Inheritance works, and the 
effective permissions can be viewed, again with DSACLS.

So, on the surface, it might be easy to conclude that 
the security is limited, but in actuality - the only thing missing is Kerberos 
and NTLM - neither of which is really needed for what ADAM is intended 
for. Hence, AD-lite, not Security-lite.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 09, 2003 7:25 PM
To: ActiveDir
Subject: Re: [ActiveDir] Identity Management using AD

ADAM does not include a kerberos or NTLM subsystem, so security is 
limited.
--
Sent from my BlackBerry Wireless Handheld


 - Original Message -
 From: ActiveDir-owner
 Sent: 07/09/2003 08:03 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Identity Management using AD

You're right - I can't keep up with the TLA's

As to ADAM - it will run on XP/2003, but does not require 
that the domain be in native mode or forest functional as we're only hosting an 
AD environment for specific purposes - not a full functioning DS with every bell 
and whistle.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, July 09, 2003 9:48 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

WRT = "with regards to" What's the matter? Can't keep up with all the 
TLA's?[1]

I haven't played with ADAM, but have done a bit of reading. I was assuming, 
probably incorrectly, that it would only function in the full native mode/2003 
Forest mode. It doesn't seem to make sense for a product like this to be built 
to support downlevel DC's.
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Three Letter Acronyms

  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, July 09, 2003 9:21 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Identity Management using AD

  Roger,
  
  I'm not sure that I follow. Firstly, the 
  acronym might have thrown me off - I haven't seen this one. 'WRT H' 
  means?
  
  And, to speculate, (seeing as I might be missing 
  information with the WRT H thing and all ;-) ) you've messed around 
  with ADAM, right? Can be on WinXP, Server 2003 - create multiple 
  instances of an AD structure, but more like an AD-lite?
  
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: Wednesday, July 09, 2003 6:25 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Identity Management using AD
  
  WRT H, isn't ADAM a Win2k3 'forest'? If so, this isn't an issue, 
  right?
  
  
  -- 
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 10:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Identity Management using AD

Glenn, 

Interesting questions, and I'd like to take a shot at 
lending an opinion on some of these points. Firstly, privacy seems to 
have become a true art form in the States. From Gramm-Leach-Bliley 
to HIPAA, we're regulated to the n-th degree. I'm not sure if it's 
good or bad - but it's something to be aware of. Then, to the other 
extreme - the Higher Educational system where the 1st Amendment meets 
rational thought and security. ;-)

a) I agree 100% I think AD is a very well 
designed store for this type of storage - given that triple-A is available 
out of the box (authorization, authentication, auditing)
b) True - fairly static - not changing much. Just 
enough to keep the Identity portion in place.
c) Nope - see D
d) ADAM - Active Directory Application Mode. 
Synching available, gre

RE: [ActiveDir] Identity Management using AD

2003-07-08 Thread Rick Kingslan



Glenn, 

Interesting questions, and I'd like to take a shot at 
lending an opinion on some of these points. Firstly, privacy seems to have 
become a true art form in the States. From Gramm-Leach-Bliley to HIPAA, 
we're regulated to the n-th degree. I'm not sure if it's good or bad - but 
it's something to be aware of. Then, to the other extreme - the Higher 
Educational system where the 1st Amendment meets rational thought and 
security. ;-)

a) I agree 100% I think AD is a very well designed 
store for this type of storage - given that triple-A is available out of the box 
(authorization, authentication, auditing)
b) True - fairly static - not changing much. Just 
enough to keep the Identity portion in place.
c) Nope - see D
d) ADAM - Active Directory Application Mode. 
Synching available, greater level with MMS (MIIS??) multiple instances and truly 
designed for the application depository
e) Joe is going to be the man to answer this - he's been 
doing the massive number management function - though I don't think to this 
number. ;-)
f) Passport (and to some degree, rightly so) has been beat 
up pretty badly. However, in your environment, Passport may be more viable 
than how it is being leveraged by MS
g) Heh - layering these things is possible, though it 
can get hairy to manage. Mapping of certs to names / objects, expansion of 
schema for new function to handle biometrics, and the smart card option is all 
pretty good - but smart card is going to leverage certs to some degree at some 
level. Not knowing what price level / sensitivity of data / regulations you 
are dealing with makes it a bit hard for me to suggest anything, but any 
layering is obviously going to raise the price because of the complexity / added 
hardware / software and added processor for keyed type 
solutions
h) Can't say that I've run into any or know of anyone that 
has (well - not completely true. I know Gary Olsen with HP, and he ran into the 
KCC issue mentioned in a moment) - obviously, they are there. 
Microsoft claims to have tested to billions of objects - and I have no reason to 
not believe this to be true. The KCC topology (KCC cannot work 
if (1 + #Domains) x sites^2 > 100,000) issue of Windows 2000 does indicate 
that there are issues here and there. They get fixed, but usually are big 
fixes. In the case of the KCC issue, it's fixed in Server 2003, but only 
once you get to 2003 Forest Functional mode. That's a big 
move.
i) Because it's there. Oh, wait! That's for 
mountains. never mind.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Tuesday, July 08, 2003 6:36 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Identity Management using AD

Thanks Todd.

At the moment, we aren't hugely concerned about 
putting *some* privacy information into AD, as this instance of AD will only be 
for our external clients, and the attribute level ACL's provided by AD should 
provide enough security to stop certain applications / users from seeing this 
information. That being said, we are looking into the appropriate laws / 
legislation / statutes regarding privacy and the storage of personal 
information to make sure we are covered from that aspect.

I've done the required high level checking, 
and AD shouldn't have any trouble storing the amount and type of information 
we require (up to 6-8 million user objects, several thousand groups etc), it's 
really down to the following questions:

a) Is AD an *appropriate* store for this sort of 
information (my answer would be yes, based on the Authentication / Authorisation 
provided by AD)
b) What sorts of information should be stored in AD 
(I'll be pointing out the often read / rarely written aspects of 
AD)
c) for application specific extensions, is this 
appropriate to store in AD (my current thinking is NO, as I'll end up with 
several hundred additional user properties, better to store them elsewhere and 
sync)
d) in relation to c, if not in AD, then where, and 
how to keep these disparate databases in sync
e) What management tools / processes are required 
to manage a 6-8 million user AD, and what are the associated security 
implications (eg exposing the admin interfaces to the internet, as opposed to 
just internal exposure)
f) What other solutions are available that may be 
able to provide the Authentication / Authorisation that is required (mention has 
been made of Passport etc, and how would this tie in with AD - if at 
all)
g) What additional authentication methods can be 
layered on AD to provide additional levels of authentication (Certifications, 
SmartCards, Biometrics etc) - I know AD can do all these, it's really how to 
integrate them, and the associated security / management 
implications.
h) What are some of the constraints on AD that 
could be an issue down the track (like the X

RE: [ActiveDir] AD DOS vulnerability

2003-07-07 Thread Rick Kingslan
Darren,

Thanks for providing the clarity.  No intent to be 'stealthy' about the
vulnerability, but - frankly, I couldn't think of the proper words at the
moment.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, July 07, 2003 1:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

I think this refers to the issue recently identified where a member of the
Domain Admins group, with access to a domain controller within a domain in
the forest, could, for example, start a process within the security context
of LocalSystem (e.g. using the AT scheduler), and thus gain privileged
access to the schema and configuration naming contexts that they weren't
granted explicitly. 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 6:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability


Could you expand on what the specific vulnerability is there? I've not
heard that terminology before.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Friday, July 04, 2003 5:42 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] AD DOS vulnerability
 
 
 Joe,
 
 Unfortunately, one of the biggest issues with AD can't be
 addressed with an
 upgrade, and that's the Security vulnerability from 
 cross-domain admins.
 Looking to NetPro's monitoring tool to aid in this as a 
 'burglar alarm'.
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
   
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Joe
 Sent: Friday, July 04, 2003 10:21 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] AD DOS vulnerability
 
 Also note that there is another D.O.S. capable bug that SP4 fixes if I

 recall correctly. It was something with referrals.
 
 Note that there are several things that can be done to W2K AD
 by a bright
 programmer with internal access who has had a chance to sit 
 back and think
 about it that can hurt AD. Some only require having an 
 account in AD, some
 requiring a machine account. Won't give details here or 
 anywhere due to
 social conscience and not willing to expose shit that could hurt me
 personally but they are there... Move to W2K3 when you can as 
 that may help
 based on some of the newer docs I have seen. 
 
 I agree with what everyone else has said on SP4... Test test
 test, then
 deploy. When you do have an issue, post back here or in the 
 newsgroups so
 others can learn of the experience. Even if you call MS and 
 they say, nope,
 no one is having that issue. I have found that they know of 
 things but won't
 come fully forward with them until some minimum number of 
 customers/people
 have complained. 
 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
 (NIH/CIT)
 Sent: Thursday, July 03, 2003 10:04 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] AD DOS vulnerability
 
 
 Thanks Everyone for the great information. We have already
 begun patching
 the systems as a result of the information from the list.
 
 Todd Myrick
 
 -Original Message-
 From: Robert Moir [mailto:[EMAIL PROTECTED]
 Sent: Thursday, July 03, 2003 8:53 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] AD DOS vulnerability
 
 
 I'd certainly concur with the idea of using the hotfix before rushing 
 SP4 out of the door without the usual acceptance testing but it might 
 be worth remembering that someone who is posting from an educational
 establishment is in an environment where malicious attacks from within
 the network are not just possible, or likely, but are simply 
 another day
 at the office. 
 
  -Original Message-
  From: Tony Murray [mailto:[EMAIL PROTECTED]
  Sent: 03 July 2003 12:51
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] AD DOS vulnerability
  
  Given that this vulnerability can generally only be
 exploited through
  malicious use from *within* the network (at least for most
  organisations), you may want to hold off on SP4.  This will 
 depend on
  your assessment of the threat in your environment.  SP4 was only
  released last week and it is usually prudent to wait to see if any 
  major bugs appear before installing it.  I'm sure you remember the 
  problems introduced by Windows NT 4.0 SP6, which were then urgently
  fixed in SP6a?
  
  You could always install the hotfix first and hold off a
 while on SP4.
  
  More info on this vulnerability here:
  
  http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10
  
  Tony

RE: [ActiveDir] SP4

2003-07-07 Thread Rick Kingslan



Lab testing at present is proceeding slowly, but no issues 
as of yet.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Don Murawski (Lenox)
Sent: Monday, July 07, 2003 2:40 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] SP4

Anyone installed SP4 yet on their DC's?
If so, have you had any issues?


Don L. Murawski
Sr. Network Administrator

WorldTravel BTI
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264


RE: [ActiveDir] DFS errors 13544 / 13552

2003-07-06 Thread Rick Kingslan
Graham,

Have run into this before.  Use ADSIEdit to get rid of the conflict
[CNF:GUID] objects.  Then, look at the following, and run the procedure from
Gary Wilson:
http://www.eventid.net/display.asp?eventid=13552&source=

The 13544 errors are 'ghosts' of Dfs links that aren't going to be created.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Sunday, July 06, 2003 11:39 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DFS errors 13544 / 13552 

am trying to diagnose and remedy errors returned by NTFRS  (on Windows 2000
/ sp3)

error codes are 13544 / 13552

given the DFS is not in production have been able to take the corrective
action of removing all replicas of the DFS link / the DFS root itself

this procedure seems to have left behind some data in the Active Directory
(as i view from the advanced features of AD users and computers ) in the
following folder;

..\SYSTEM\DFS-volumes\DFS\linkname CNF followed by a whole load of
characters

the link name is that which is referenced in the events listed above and the
removal of this data from the Active Directory would seem to be key to the
resolution of the problem

can i please get instruction on how to remove this obviously erroneous AD
data

ntfrsutl / dfsutil  ?

Thanks

GT


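A read-only listing of the conflict (CNF) objects Rick suggests removing with ADSIEdit, so the exact DNs are known before anything is deleted, as an added example that is not from the thread. It assumes a domain-joined workstation and searches CN=System of the current domain; the path under CN=File Replication Service used for the IsUnderDfsVolumes flag is my assumption about where the DFS replica-set objects Graham saw live, and the function name is chosen here.

```powershell
# Added example (not from the list thread): enumerate conflict objects under CN=System.

function Get-ConflictObjects {
    param(
        # Defaults to CN=System of the domain this workstation is joined to.
        [string]$SearchBase = ('CN=System,' + [string]([ADSI]'LDAP://RootDSE').defaultNamingContext)
    )
    # When replication finds two objects with the same name, the loser is renamed to
    # "<name>\0ACNF:<objectGUID>" (0x0A is a line feed). That is what ADUC shows as
    # "linkname CNF followed by a whole load of characters". The filter matches the
    # line feed plus "CNF:" anywhere in the CN.
    $searcher = [adsisearcher]'(cn=*\0ACNF:*)'
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'objectClass', 'whenChanged'))
    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        [pscustomobject]@{
            DistinguishedName = $dn
            # objectClass lists the whole class chain; the most specific class is last.
            ObjectClass       = [string]($r.Properties['objectclass'] | Select-Object -Last 1)
            WhenChanged       = [datetime]$r.Properties['whenchanged'][0]
            # Assumed location of the Windows 2000 FRS replica sets for DFS links.
            IsUnderDfsVolumes = $dn -like '*,CN=DFS Volumes,CN=File Replication Service,CN=System,*'
        }
    }
}

# Usage: review the list, then delete the confirmed leftovers with ADSIEdit.
Get-ConflictObjects | Sort-Object WhenChanged | Format-Table -AutoSize
```

The list is worth keeping with the change record: a CNF object whose surviving twin is still in use is normal replication behaviour and only needs its duplicate removed, whereas the ones under the DFS replica-set container with no live link are the ghosts behind the 13544/13552 events.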

RE: [ActiveDir] Taking DC Offline

2003-07-06 Thread Rick Kingslan



H. Now I understand the bigger picture. 
That's a bit of a stickler. Friend of mine is in IT at ASU and he's in the 
same kind of fight all of the time.

Strange how our (arguably) most important right (1st 
Amendment) is the antithesis of Security. Difficult balance, this 
is.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Sunday, July 06, 2003 8:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline


The whole purpose of this is all political. It has already been decided to 
enable password complexity but to help make the campus more agreeable (we are 
an edu!) our Security director wants to shoot them some stats. The % of PWs 
that they could crack, etc. Why this is good for you, you know the deal. I'm 
still hoping my boss will see the light and just say no!
Thanks for all the responses, there might be some other options.
Paul


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, July 04, 2003 4:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

Paul,

I'm somewhat mystified by the request. I might be completely missing the 
point, but unless the scan is going to be destructive, what is the value of 
giving the Security Director a DC that has been taken off-line? I do agree 
with what others have said here to this point (remove connection objects, clean 
up the objects from the DIT via NTDSUTIL, etc.), but the value of the work that 
is being done is still questionable. The DC is no longer in your 
environment, which from the standpoint of testing the security or the password 
complexity, makes it no longer a viable environment to do 
such.

And, if the process is going to be destructive, is this something that they will want to 
do on a quarterly basis (again with questionable value in the security 
realm)? Also, do your Security Analysts already have Administrative 
context access? If not, all passwords of this type should be nulled 
out. Even if they do - those that are not theirs should be erased as 
well.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Simpsen, Paul A. (HSC)
Sent: Thursday, July 03, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Taking DC Offline
Our Security Director has requested 
that we build a temporary DC for his group. They want to take it offline and 
audit the current password complexity and strength. This DC will never return to 
the domain so I will have to manually remove the replication connections in the 
NTDS settings for each repl partner, plus the DNS records created. I'm just 
wondering if I'm missing something obvious and that this might not be such a 
good idea. Possibility of orphaned objects or something to that nature? It won't 
be online long but..



Paul Simpsen
Windows Server Administrator
Enterprise Systems, IT
University of Oklahoma HSC
405.271.2262 ext 50230
Fax: 405.271.2126











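The NTDSUTIL metadata cleanup Rick refers to, for a DC that is never coming back to the domain, followed by removal of the host record it registered in DNS, as an added example that is not from the thread. Server and domain names are placeholders, and the numeric indexes in the select commands are illustrative: they come from the list output on your own forest.

```powershell
# Added example (not from the list thread): clean the metadata of a DC that will
# never return, run from a surviving DC or an admin workstation with the support tools.
$SurvivingDC = 'DC01'         # placeholder: a DC that stays in the domain
$DeadDC      = 'AUDITDC'      # placeholder: the DC taken offline for the audit
$DnsZone     = 'hsc.example'  # placeholder: the domain's DNS zone

# ntdsutil accepts its interactive commands as arguments, one prompt entry per argument.
# Run the three 'list' steps first and substitute the indexes of your domain, the dead
# DC's site and the dead DC itself into the 'select' commands before the final run.
& ntdsutil 'metadata cleanup' 'connections' "connect to server $SurvivingDC" 'quit' `
    'select operation target' 'list domains' 'select domain 0' `
    'list sites' 'select site 0' 'list servers in site' 'select server 0' 'quit' `
    'remove selected server' 'quit' 'quit'

# Records the dead DC registered do not age out on their own once it is gone;
# remove its host (A) record, then check the _msdcs SRV records in DNS Manager.
& dnscmd $SurvivingDC /RecordDelete $DnsZone $DeadDC A /f

# Confirm no replication partner still lists the removed DC.
& repadmin /showrepl $SurvivingDC
```

The remove selected server step still raises a confirmation dialog even when driven from the command line, so this is not fully unattended. Depending on the ntdsutil build, the server object in Sites and Services and the DC's computer account can be left behind and need deleting by hand, which is exactly the orphaned-object risk Paul asks about.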

RE: [ActiveDir] Domain Rename

2003-07-04 Thread Rick Kingslan
Guido,

Thanks for the reply - always appreciate hearing from you.

I agree completely that the complexity of a domain rename is not a light
undertaking (understatement of the year) given that the Microsoft White
Paper detailing the process weighs in at a whopping 100 pages.

(Clearing the record)

I hope that no one construed that my advice was that the domain rename was
'not as bad as it looks'.  The message was that getting to Forest Functional
mode was not a huge issue - nowhere near as daunting as getting to Windows
2000 Native.

In no way am I suggesting that the domain rename process is easily
accomplished or advisable - the process, as you pointed out is fraught with
difficulty.

I, too, would love to witness the planning and execution of a successful
rename.  However, I doubt that it's going to occur with the given toolset.
At present, the risks FAR outweigh the minimal reward.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Friday, July 04, 2003 2:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Rename

can you do a live demo when you do the rename?  I'd love to be part of it...


This is seriously a major undertaking, and you should obviously check the
dependency of all your applications leveraging the netbios name of your
domain within them (e.g. SMS is still a friend of the NetBios domain
name...). The Exchange piece was already mentioned, but another known
challenge is with domain based DFS, as the rename will likely break the DFS
referrals.

Be prepared to build a big lab which can host a very realistic environment
with most of your apps and then do a lot of testing.  Hope you have no NT4
left in your environment, as you'll (obviously) need to rejoin these to the
renamed domain.  

Regarding the overall effort, don't forget that if DC DNS names should match
new domain names, then each DC must undergo the DC rename procedure.  Maybe
even more important: you need RPC connectivity to every DC in the forest
from the host running rendom.exe tool during operation - this can be quite
challenging itself across the WAN to 85 sites.

I'd say the road to Windows 2000 Native was a piece of cake  ;-)  At least a
cake that you could cut into pieces - the domain rename cake you have to
swallow at once.  I am sure MS will succeed in making this much easier in
the future, but for now, if you don't absolutely have to do it in an
environment of your size, you might want to think twice about it.

Just something to cheer you up on your journey...

/Guido 


-Original Message-
From: Jan Wilson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 2 July 2003 02:59
To: [EMAIL PROTECTED]


Thanks Rick - we find the two reboots per device requirement a bit ...
tricky. (24 x 7 operations with 450 servers - 12500 workstations - 85
sites).

Sounds like a mess of work for what I consider optics!


- Original Message - 
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 5:08 PM
Subject: RE: [ActiveDir] Domain Rename


 Jan,

 Key point is that you must be in Windows Server 2003 Forest Functional
Mode
 - only W2k3 DCs in the forest.  It's not anywhere near as bad as it looks.
 Not anywhere as daunting as the road to Windows 2000 Native


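A pre-flight check for the requirement Guido raises, that every DC in the forest must be reachable over RPC from the host that will run rendom.exe, as an added example that is not from the thread. It assumes it runs on that host as a forest member, enumerates the DCs with the .NET Forest class and tests TCP 135 (the RPC endpoint mapper) with a short timeout; the 3-second timeout and the function names are my choices.

```powershell
# Added example (not from the list thread): is every DC in the forest reachable on
# TCP 135 from this host?

function Get-ForestDomainControllers {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            [pscustomobject]@{
                Domain = $domain.Name
                Name   = $dc.Name          # FQDN
                Site   = $dc.SiteName
                IP     = $dc.IPAddress
            }
        }
    }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port = 135, [int]$TimeoutMs = 3000)
    # Asynchronous connect so an unreachable site fails fast instead of hanging
    # for the full TCP connect timeout on every DC across 85 sites.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($dc in Get-ForestDomainControllers) {
    [pscustomobject]@{
        Domain = $dc.Domain
        DC     = $dc.Name
        Site   = $dc.Site
        Rpc135 = Test-TcpPort -HostName $dc.Name
    }
}

$results | Sort-Object Rpc135, Domain, DC | Format-Table -AutoSize
$unreachable = @($results | Where-Object { -not $_.Rpc135 })
if ($unreachable) {
    Write-Warning "$($unreachable.Count) DC(s) not reachable on TCP 135 from this host; rendom will not complete until they are."
}
```

Reaching the endpoint mapper is necessary but not sufficient: the dynamic RPC ports the DC hands back must be open as well, so a clean run here narrows the firewall work but does not replace the lab rehearsal Guido recommends.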

RE: [ActiveDir] AD DOS vulnerability

2003-07-04 Thread Rick Kingslan
Joe,

Unfortunately, one of the biggest issues with AD can't be addressed with an
upgrade, and that's the Security vulnerability from cross-domain admins.
Looking to NetPro's monitoring tool to aid in this as a 'burglar alarm'.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Friday, July 04, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

Also note that there is another D.O.S. capable bug that SP4 fixes if I
recall correctly. It was something with referrals.

Note that there are several things that can be done to W2K AD by a bright
programmer with internal access who has had a chance to sit back and think
about it that can hurt AD. Some only require having an account in AD, some
requiring a machine account. Won't give details here or anywhere due to
social conscience and not willing to expose shit that could hurt me
personally but they are there... Move to W2K3 when you can as that may help
based on some of the newer docs I have seen. 

I agree with what everyone else has said on SP4... Test test test, then
deploy. When you do have an issue, post back here or in the newsgroups so
others can learn of the experience. Even if you call MS and they say, nope,
no one is having that issue. I have found that they know of things but won't
come fully forward with them until some minimum number of customers/people
have complained. 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Thursday, July 03, 2003 10:04 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability


Thanks Everyone for the great information. We have already begun patching
the systems as a result of the information from the list.

Todd Myrick

-Original Message-
From: Robert Moir [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 03, 2003 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability


I'd certainly concur with the idea of using the hotfix before rushing
SP4 out of the door without the usual acceptance testing but it might be
worth remembering that someone who is posting from an educational
establishment is in an environment where malicious attacks from within
the network are not just possible, or likely, but are simply another day
at the office. 

 -Original Message-
 From: Tony Murray [mailto:[EMAIL PROTECTED]
 Sent: 03 July 2003 12:51
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] AD DOS vulnerability
 
 Given that this vulnerability can generally only be exploited through 
 malicious use from *within* the network (at least for most 
 organisations), you may want to hold off on SP4.  This will depend on 
 your assessment of the threat in your environment.  SP4 was only 
 released last week and it is usually prudent to wait to see if any 
 major bugs appear before installing it.  I'm sure you remember the 
 problems introduced by Windows NT 4.0 SP6, which were then urgently
 fixed in SP6a?
 
 You could always install the hotfix first and hold off a while on SP4.
 
 More info on this vulnerability here:
 
 http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10
 
 Tony
 -- Original Message --
 Reply-To: [EMAIL PROTECTED]
 Date:  Thu, 3 Jul 2003 11:10:44 +0100
 
 I received notification about a vulnerability in AD this morning - 
 details are at
   http://support.microsoft.com/default.aspx?kbid=319709
 
 It looks like the recommended fix is to upgrade my DCs to SP4.
 
 I was planning to wait a lot longer before I inflict SP4 on any 
 machines that I care about, but it looks like this might force my hand
 a bit. What's everyone else doing?
 
 Has anyone heard of *any* problems with SP4 yet?
 
 --
 Steve Bennett, Systems Support
 Lancaster University
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/
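The advice in this thread is to get the KB 319709 hotfix onto the Windows 2000 domain controllers now and take SP4 on your own acceptance-testing schedule. The PowerShell below is an added example, not code from the thread, from Microsoft or from any list member, that reports per DC whether either mitigation is in place so the per-machine decision is visible. It assumes the ActiveDirectory RSAT module, WMI reachability from the admin workstation to each DC, and that the hotfix is listed under the ID string KB319709 (constructed from the KB number in the thread; confirm the ID against the hotfix package before relying on it).

```powershell
# Added example, not from the thread: per-DC view of the KB 319709 / SP4 state
# for the AD DoS issue discussed above.
# Assumptions: ActiveDirectory RSAT module; WMI reachable on each DC; the hotfix
# appears as "KB319709" in Win32_QuickFixEngineering (constructed from the KB
# number in the thread); the fleet is Windows 2000, as in the thread.
Import-Module ActiveDirectory

$HotfixId = 'KB319709'   # assumed ID string; verify against the hotfix package

function Get-DcAdDosPatchState {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $name   = $dc.HostName
        $isW2k  = $dc.OperatingSystem -match 'Windows 2000'
        $sp     = $dc.OperatingSystemServicePack   # as published on the DC's computer object
        $wmiOk  = $true
        $hasFix = $false
        try {
            # Pull the full hotfix list so "not installed" (empty match) is
            # distinguishable from "could not query" (exception).
            $fixes  = Get-HotFix -ComputerName $name -ErrorAction Stop
            $hasFix = [bool]($fixes | Where-Object { $_.HotFixID -eq $HotfixId })
        } catch {
            $wmiOk = $false
        }
        $status = if (-not $isW2k)                         { 'n/a (not Windows 2000)' }
                  elseif ($sp -match 'Service Pack [4-9]') { 'SP4 or later' }
                  elseif ($hasFix)                         { 'hotfix present' }
                  elseif (-not $wmiOk)                     { 'UNKNOWN (WMI unreachable)' }
                  else                                     { 'EXPOSED' }
        [pscustomobject]@{
            DC          = $name
            Site        = $dc.Site
            OS          = $dc.OperatingSystem
            ServicePack = $sp
            Hotfix      = $hasFix
            Status      = $status
        }
    }
}

# Ascending sort puts EXPOSED first, so the DCs to act on are at the top.
Get-DcAdDosPatchState | Sort-Object Status | Format-Table -AutoSize
```

The service-pack value comes from the computer object in AD, which is only as fresh as the DC's last update of its own attributes; the hotfix check goes to the machine itself, which is why a DC that cannot be queried is reported as UNKNOWN rather than as patched.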

RE: [ActiveDir] Missing Sysvol and Netlogon

2003-07-03 Thread Rick Kingslan



Yusuf,

Minimal time, so this will be quick - I'll let the other 
good folks fill in more detail.

1. Domain Admin and above to delete the files
2. It's one step in the process, but may not be enough - it sure isn't going to hurt in a crisis
3. Lots of FRS white papers on www.microsoft.com/windows in the Server technical downloads section, or my new personal favorite book, "Inside Active Directory"
4. Default Domain Policy and Default Domain Controller Policy are both unique and tied to unique GUIDs. I'm not sure, as referenced by "may not be enough" in #2, that simply copying will restore these two properly. An Authoritative restore in DS Restore mode would be a better route. These two are not easily 'copied'.

Sorry I don't have more time


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Thursday, July 03, 2003 7:41 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Missing Sysvol and Netlogon

I am hoping that you guys could share some light on the following problem I encountered.

Doing my usual administrative task I had to disable an option in the Domain Policy and I experienced errors opening the policies.

Had a look at the "sysvol and netlogon" contents and picked up that the entire content was removed and this had been replicated throughout the domain.

So after brainstorming we figured that we would just copy the contents we had from a previous backup and hey presto, everything started working and the changes were replicated back to all the DCs.

So my questions are these:

1. What level of access does one require to be able to delete the contents of the "Sysvol and Netlogon"?
2. Was the copying of the contents the right move that was made?
3. I know that the FRS service and Active Directory replication work independently; can someone tell me where I can read up slightly more information for FRS.
4. I am having errors currently opening my "Default Domain Policy" where it reports errors on certain lines and after selecting "Ok" I have access to the policy, but the question is do I just copy a "default Adm" file and apply the changes or is there an alternative method.
__________
For information about the Standard Bank group visit our web site www.standardbank.co.za

Disclaimer and confidentiality note: Everything in this e-mail and any attachments relating to the official business of Standard Bank Group Limited is proprietary to the group. It is confidential, legally privileged and protected by law. Standard Bank does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of the group. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Standard Bank can not assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference.
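Rick's answer makes two points a defender can verify mechanically: the two built-in GPOs are bound to fixed GUIDs in both AD and SYSVOL, and deleting SYSVOL content takes a highly privileged account. The PowerShell below is an added example, not code from the thread, from Microsoft or from any list member, that reconciles every GPO object in AD with its SYSVOL folder, reports AD/SYSVOL version mismatches of the kind a copy-from-backup can leave behind, and lists who holds delete rights on the Policies folder. It assumes the GroupPolicy and ActiveDirectory RSAT modules and read access to SYSVOL; the two GUIDs are the well-known identifiers of the Default Domain Policy and Default Domain Controllers Policy.

```powershell
# Added example, not from the thread: reconcile GPO objects in AD with their
# SYSVOL folders (the "tied to unique GUIDs" point) and list who can delete
# SYSVOL content. Assumes the GroupPolicy and ActiveDirectory RSAT modules and
# a reachable DC; run from an account that can read SYSVOL.
Import-Module GroupPolicy, ActiveDirectory

# Well-known GUIDs of the two built-in GPOs discussed in the thread.
$BuiltIn = @{
    '31b2f340-016d-11d2-945f-00c04fb984f9' = 'Default Domain Policy'
    '6ac1786c-016f-11d2-945f-00c04fb984f9' = 'Default Domain Controllers Policy'
}

function Get-GpoSysvolState {
    # One row per GPO object in AD: does its SYSVOL folder (gPCFileSysPath) and
    # GPT.INI exist, and do the AD and SYSVOL version counters agree?
    foreach ($gpo in Get-GPO -All) {
        $id = $gpo.Id.ToString().ToLower()
        [pscustomobject]@{
            Name            = $gpo.DisplayName
            Id              = $id
            BuiltIn         = $BuiltIn.ContainsKey($id)
            Path            = $gpo.Path
            InSysvol        = Test-Path -LiteralPath $gpo.Path
            HasGptIni       = Test-Path -LiteralPath (Join-Path $gpo.Path 'GPT.INI')
            VersionMismatch = ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) -or
                              ($gpo.User.DSVersion     -ne $gpo.User.SysvolVersion)
        }
    }
}

function Get-MissingBuiltInGpo {
    # Built-in GPOs that no longer exist as AD objects at all (copying files
    # into SYSVOL cannot bring these back; that is the restore case).
    $present = @(Get-GPO -All | ForEach-Object { $_.Id.ToString().ToLower() })
    foreach ($k in $BuiltIn.Keys) {
        if ($present -notcontains $k) { $BuiltIn[$k] }
    }
}

function Get-SysvolDeleteRights {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # ACEs on the Policies folder that allow deleting or rewriting content.
    $root = "\\$Domain\SYSVOL\$Domain\Policies"
    (Get-Acl -LiteralPath $root).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -match 'Delete|Modify|FullControl') } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

"Built-in GPOs missing from AD:"
Get-MissingBuiltInGpo

"GPOs whose SYSVOL side is missing, incomplete or out of step with AD:"
Get-GpoSysvolState |
    Where-Object { -not $_.InSysvol -or -not $_.HasGptIni -or $_.VersionMismatch } |
    Format-Table Name, Id, BuiltIn, InSysvol, HasGptIni, VersionMismatch -AutoSize

"Principals that can delete or modify under SYSVOL\Policies:"
Get-SysvolDeleteRights | Format-Table -AutoSize
```

A GPO that exists in AD but has no folder under SYSVOL, or whose GPT.INI version does not match the AD versionNumber, is the condition behind the "errors on certain lines" symptom in the question; the rights listing is the answer to the first question, read from the ACL rather than assumed.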


RE: [ActiveDir] Domain Rename

2003-07-01 Thread Rick Kingslan
Jan,

Key point is that you must be in Windows Server 2003 Forest Functional Mode
- only W2k3 DCs in the forest.  It's not anywhere near as bad as it looks.
Not anywhere as daunting as the road to Windows 2000 Native

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
Sent: Tuesday, July 01, 2003 6:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Rename

As it happens to many we need to rename our W2K domain. Our plan is to
upgrade our DCs to W3K then rename. Has anyone ventured down this road (to
hell) yet? The amount of work looks daunting! Thanks



RE: [ActiveDir] Domain Rename

2003-07-01 Thread Rick Kingslan
You're quite correct.  If you have an E2K/E2k3 ORG, you still have a bit of
a problem.  You can rename the domain, the ORG however - another issue
altogether.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 9:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Domain Rename

As far as I know, MS has still not addressed the issues that Exchange has
with Domain Rename, even in Windows 2003. This is something to bear in mind,
if you have Exchange in the mix.

The last literature I read (admittedly, it's a while back), indicates that
domain rename in a pre-existing Exchange Domain is officially not
supported.

I have been known to be a little tardy in my information, though.

HTH

Deji Akomolafe

- Original Message -
From: Jan Wilson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 5:58 PM
Subject: Re: [ActiveDir] Domain Rename



 Thanks Rick - we find the two reboots per device requirement a bit ...
 tricky. (24 x 7 operations with 450 servers - 12500 workstations - 85
 sites).

 Sounds like a mess of work for what I consider optics!


 - Original Message - 
 From: Rick Kingslan [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, July 01, 2003 5:08 PM
 Subject: RE: [ActiveDir] Domain Rename


  Jan,
 
  Key point is that you must be in Windows Server 2003 Forest Functional Mode
  - only W2k3 DCs in the forest.  It's not anywhere near as bad as it looks.
  Not anywhere as daunting as the road to Windows 2000 Native



RE: [ActiveDir] MMS 2003 and ADAM 2003

2003-06-28 Thread Rick Kingslan



H. and that's what I thought VMWare was for! VBG

BTW, I agree wholeheartedly about your use of ADAM. 
As I said, this is a very cool product.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Friday, June 27, 2003 7:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] MMS 2003 and ADAM 2003

ADAM is also good for those applications that want 
to start doing some AD integration functionality without actually having to set 
up an AD forest.

Makes us Infrastructure guys nice and happy, don't 
have to keep setting up and pulling down AD forests every week or so for the 
apps dev guys :)

Glenn


  - Original Message - 
  From: Rick Kingslan 
  To: [EMAIL PROTECTED] 
  Sent: Friday, June 27, 2003 11:38 PM
  Subject: RE: [ActiveDir] MMS 2003 and ADAM 2003
  
  IMHO, ADAM is the more exciting of the two. Granted MMS is nice in what it does 
  (been working with it on and off for a while) but ADAM is really a special product 
  in what you can do with it. For those of you that want to integrate your application, 
  but don't want to go to the time, expense and trouble of integrating AD or directory 
  services (e.g. LDAP) into the app natively, ADAM could be your answer.
  
  Other solutions abound - from simple services to security uses.
  
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
  Sent: Friday, June 27, 2003 7:24 AM
  To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
  Subject: [ActiveDir] MMS 2003 and ADAM 2003
  
  I just got word that MMS 2003 and ADAM 2003 are shipping the week of July 3rd.
  
  Now to afford the server requirements to run MMS 2003. 
  
  Requirements for MMS 2003:
  
  Windows 2003 EE
  SQL 2000 EE
  Visual Studio .NET 2003
  Hardware
  
  Makes Simple Sync look very attractive, but the MMS requirements do offer some 
  tangible benefits.
  
  Todd
  
  
  
  



RE: [ActiveDir] MMS 2003 and ADAM 2003

2003-06-27 Thread Rick Kingslan



IMHO, ADAM is the more exciting of the two. Granted 
MMS is nice in what it does (been working with it on and off for a while) but 
ADAM is really a special product in what you can do with it. For those of 
you that want to integrate your application, but don't want to go to the time, 
expense and trouble of integrating AD or directory services (e.g. LDAP) into the 
app natively, ADAM could be your answer.

Other solutions abound - from simple services to 
security uses.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Friday, June 27, 2003 7:24 AM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: [ActiveDir] MMS 2003 and ADAM 2003

I just got word that MMS 2003 and ADAM 2003 are shipping the week of July 3rd.

Now to afford the server requirements to run MMS 2003. 

Requirements for MMS 2003:

Windows 2003 EE
SQL 2000 EE
Visual Studio .NET 2003
Hardware

Makes Simple Sync look very attractive, but the MMS requirements do offer some tangible 
benefits.

Todd




  


RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

2003-06-26 Thread Rick Kingslan



Martin,

Thanks for the link to the final bits, and closing out this 
thread appropriately.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Tuip
Sent: Thursday, June 26, 2003 12:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

The final build 4.081 should now be available at http://www.microsoft.com/windows2000/




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
Sent: Thursday, June 26, 2003 6:24 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

Thanks Rick

  - Original Message - 
  From: Rick Kingslan 
  To: [EMAIL PROTECTED] 
  Sent: Wednesday, June 25, 2003 10:30 AM
  Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4
  
  Update - legit. Been released to Premier sites, and 
  these links are not public. Apparently, whoever started floating this 
  link around *IS* a Premier site. Is it OK to download it? Well 
  it's a deep link intended for Premier sites - not the Public. Your 
  conscience is your guide. By Friday, I should guess - it will be public 
  to Windows Update and through the other download channels.
  
  So, how do I know this? Not because I'm on the beta 
  - we got a link from our Premier status at work. Just found out about 5 
  minutes ago. The mail distro is slow at MS, too, on these types of 
  things.
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 25, 2003 8:32 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4
  
  Can't confirm or deny. The file is legit - it's not 
  a leak. However, I (we) in the beta have:
  
  1. Not been informed that it's gone 
  release
  2. Don't yet have a link ourselves to the final 
  bits, which is typical.
  
  Also, doing a search at the download site doesn't yield an 
  SP4, but that - again - doesn't mean that it's not legit. It's just not 
  PUBLIC knowledge yet. :-)
  
  Likely what is happening, as is typical - it takes about 
  24 hrs. for content on the MS servers to synch from the distribution 
  points. Once everything is in place, the switch gets thrown and the 
  announcement is made to coincide with what (should be at least) is the 
  availability of the SP.
  
  Is it really released? Next 24 hrs. will 
  tell.
  
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leeuwen van, JWJ (Joost)
  Sent: Wednesday, June 25, 2003 7:44 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4
  
  Is this the final version or a leaked one? 
  Joost 
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, June 25, 2003 2:39 PM
  To: [EMAIL PROTECTED]
  
  http://download.microsoft.com/download/e/6/a/e6a04295-d2a8-40d0-a0c5-241bfecd095e/w2ksp4_en.exe

  The information contained in this message may be confidential and is intended to be 
  exclusively for the addressee. Should you receive this message unintentionally, 
  please do not use the contents herein and notify the sender immediately by return e-mail.


RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

2003-06-26 Thread Rick Kingslan



Shawn,

Thank you for originally posting the link. It is 
appreciated by all when others want to share their findings.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 3:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

I started the link in this group, but I am not a Premier customer. I grabbed 
the link from another newsletter and figured this group would appreciate 
it...

Hope it made someone happy. End of Thread
Shawn 

  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
  Sent: Thursday, June 26, 2003 4:19 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4
  
  Martin,
  
  Thanks for the link to the final bits, and closing out 
  this thread appropriately.
  
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Tuip
  Sent: Thursday, June 26, 2003 12:31 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4
  
  The final build 4.081 should now be available at http://www.microsoft.com/windows2000/
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
  Sent: Thursday, June 26, 2003 6:24 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] OT: Link to Windows 2000 Service Pack 4
  
  Thanks Rick
  
- Original Message - 
From: Rick Kingslan 
To: [EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 10:30 AM
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

Update - legit. Been released to Premier sites, 
and these links are not public. Apparently, whoever started floating 
this link around *IS* a Premier site. Is it OK to download it? 
Well it's a deep link intended for Premier sites - not the Public. 
Your conscience is your guide. By Friday, I should guess - it will be 
public to Windows Update and through the other download 
channels.

So, how do I know this? Not because I'm on the 
beta - we got a link from our Premier status at work. Just found out 
about 5 minutes ago. The mail distro is slow at MS, too, on these 
types of things.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 25, 2003 8:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

Can't confirm or deny. The file is legit - it's 
not a leak. However, I (we) in the beta have:

1. Not been informed that it's gone 
release
2. Don't yet have a link ourselves to the final 
bits, which is typical.

Also, doing a search at the download site doesn't yield 
an SP4, but that - again - doesn't mean that it's not legit. It's just 
not PUBLIC knowledge yet. :-)

Likely what is happening, as is typical - it takes 
about 24 hrs. for content on the MS servers to synch from the distribution 
points. Once everything is in place, the switch gets thrown and the 
announcement is made to coincide with what (should be at least) is the 
availability of the SP.

Is it really released? Next 24 hrs. will 
tell.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leeuwen van, JWJ (Joost)
Sent: Wednesday, June 25, 2003 7:44 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

Is this the final version or a leaked one? 
Joost 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 25, 2003 2:39 PM
To: [EMAIL PROTECTED]

http://download.microsoft.com/download/e/6/a/e6a04295-d2a8-40d0-a0c5-241bfecd095e/w2ksp4_en.exe
  

RE: [ActiveDir] OT: Todd Myrick - SearchWin2000.com's 2003 Innovator Award winner

2003-06-26 Thread Rick Kingslan



Doug,

Thanks for bringing this to our attention. Todd, 
congratulations. Well deserved!


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hazelman, Doug
Sent: Thursday, June 26, 2003 3:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Todd Myrick - SearchWin2000.com's 2003 Innovator Award winner

Just wanted to let 
everyone know that Todd Myrick has been recognized by SearchWin2000 for all his 
hard work. Way to go Todd!

http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci911991,00.html

-doug


__

Doug Hazelman
Director, Product Management
Aelita Software

[EMAIL PROTECTED]
http://www.aelita.com
1-800-263-0036, extension 769
Mobile: 614-596-1345
Fax: 614-761-9620

NEW! Domain Migration Wizard 6.0 - Designed for Windows Server 2003. 
Only Aelita Domain Migration Wizard offers ZeroIMPACT migration technology to let you take 
control of your enterprise-wide migration and take advantage of Windows Server 2003. 
Get your trial version of DMW today!



RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

2003-06-25 Thread Rick Kingslan



Can't confirm or deny. The file is legit - it's not a 
leak. However, I (we) in the beta have:

1. Not been informed that it's gone 
release
2. Don't yet have a link ourselves to the final bits, 
which is typical.

Also, doing a search at the download site doesn't yield an 
SP4, but that - again - doesn't mean that it's not legit. It's just not 
PUBLIC knowledge yet. :-)

Likely what is happening, as is typical - it takes about 24 
hrs. for content on the MS servers to synch from the distribution points. 
Once everything is in place, the switch gets thrown and the announcement is made 
to coincide with what (should be at least) is the availability of the 
SP.

Is it really released? Next 24 hrs. will 
tell.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leeuwen van, JWJ (Joost)
Sent: Wednesday, June 25, 2003 7:44 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

Is this the final version or a leaked one? 
Joost 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 25, 2003 2:39 PM
To: [EMAIL PROTECTED]

http://download.microsoft.com/download/e/6/a/e6a04295-d2a8-40d0-a0c5-241bfecd095e/w2ksp4_en.exe
  


RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

2003-06-25 Thread Rick Kingslan
Rick,

The RC1 that we got the other day had NO warnings - standard EULA.  So, I
wouldn't base the reality of release or beta on 'big warnings'.  That's not
always the case.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: Wednesday, June 25, 2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

http://download.microsoft.com/download/e/6/a/e6a04295-d2a8-40d0-a0c5-241bfecd095e/w2ksp4_en.exe

I am downloading now, I will let you know what Microsoft says in the
install. Beta stuff has big warnings.. of course so do the regular patches
too.


From: Leeuwen van, JWJ (Joost) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:  Link to Windows 2000 Service Pack 4
Date: Wed, 25 Jun 2003 14:44:17 +0200

Is this the final version or a leaked one?

Joost

 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 25, 2003 2:39 PM
  To: [EMAIL PROTECTED]
  
  http://download.microsoft.com/download/e/6/a/e6a04295-d2a8-40d0-a0c5-241bfecd095e/w2ksp4_en.exe
 
 
 
 






RE: [ActiveDir] RIS and Windows Server 2003 Upgrades

2003-06-25 Thread Rick Kingslan



Larry,

Can you cite where this is coming from so that I can put it 
into context? The reason that I say this is because I have other Win2k3 
servers that are running RIS that were joined to the domain, and others that 
I've upgraded outside of that process. I've had nothing 
impacted.

If I can read where you're reading this, I might be able to 
clear up what it's REALLY saying, if you know what I mean.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Duncan, Larry
Sent: Wednesday, June 25, 2003 9:50 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] RIS and Windows Server 2003 Upgrades


Hello!

I've just read that "If your network uses RIS with Windows 2000 Server, you should make 
the RIS server the first computer that you upgrade to Windows Server 2003. You won't be 
able to use RIS later unless it is upgraded first because of design changes in the way 
that Active Directory performs authentication."

Can anyone elaborate on this? Particularly to what impact this has had on your 
Windows Server 2003 migration strategies and exactly what "design changes" 
caused such a silly mandate. 



RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

2003-06-25 Thread Rick Kingslan
Shawn,

With all due respect, I'm neither pissed or pleased.  Doesn't bother me at
all that someone with Premier access decided to publicly post a deep link,
against the agreement that they have with Microsoft.

The question was asked early on if this was legit or not - I only posted
what I found.  If you took any of my comments to construe that I was upset
in any way that this was in the wild - that is what you read into it.

Believe me when I say that my only desire when working beta is to get a good
product to you.  If you have it before me (which, isn't likely - I already
have the beta), so what?  Me, I'm mystified by the attitude.  shrug

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 1:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

Sounds like the boys with Beta and Premier access are pissed we PUBLIC only
individuals can obtain this software at the same time or before them.

Like any other software from MS, use at your own discretion and test, test,
test before production. 

Enjoy or don't it is up to you.





-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 2:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4


Add to that the fact that you could void certain warranties and
contracts you have with Microsoft (support etc) if a box you have STB on
you while you're running an app/service pack etc that your class of
service has not yet been made privy to 

-Original Message-
From: Rod Trent [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2003 2:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

You should also note, that service packs have been yanked after being
released to Premier customers that have had to be retooled before public
release.  So, it's really not a good idea to apply a service pack in a
production environment that doesn't yet have full public support.  If
you have problems with a pre-public release, you are SOL.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Martin Tuip
Sent: Wednesday, June 25, 2003 1:59 PM
To: [EMAIL PROTECTED]

So who is going to get 'slapped' ?


Martin 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Wednesday, June 25, 2003 7:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

Win2k SP4 was released to Premier customers this morning.   Those are the
links you are seeing.  Public availability is June 30th.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 25, 2003 1:16 PM
To: [EMAIL PROTECTED]

Rick,

The RC1 that we got the other day had NO warnings - standard EULA.  So,
I wouldn't base the reality of release or beta on 'big warnings'.
That's not always the case.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: Wednesday, June 25, 2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

http://download.microsoft.com/download/e/6/a/e6a04295-d2a8-40d0-a0c5-241bfecd095e/w2ksp4_en.exe

I am downloading now; I will let you know what Microsoft says in the
install. Beta stuff has big warnings... of course, so do the regular
patches too.


From: Leeuwen van, JWJ (Joost) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:  Link to Windows 2000 Service Pack 4
Date: Wed, 25 Jun 2003 14:44:17 +0200

Is this the final version or a leaked one?

Joost

 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, June 25, 2003 2:39 PM
  To: [EMAIL PROTECTED]

http://download.microsoft.com/download/e/6/a/e6a04295-d2a8-40d
  0

RE: [ActiveDir] RIS and Windows Server 2003 Upgrades

2003-06-25 Thread Rick Kingslan



Larry,

Reading the full context of the two paragraphs, I would proceed in this order:

0. Run adprep /forestprep and adprep /domainprep on the Schema Master
1. PDC Emulator upgrade
2. Any other key FSMO role holder DCs
3. RIS servers

I think what they are getting at is that you want to have a solid AD foundation - both Windows 2000 and Server 2003 - but the RIS servers should follow closely behind. Because of changes in the AD structure, certain operational elements will not operate correctly in RIS if they are left behind and not upgraded near the front of the pack.

Hope this helps


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Duncan, Larry
Sent: Wednesday, June 25, 2003 2:43 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] RIS and Windows Server 2003 Upgrades


Certainly. It's in the "Windows Server 2003 - Upgrading from Windows 2000 to Windows Server 2003" document from Microsoft.


http://www.microsoft.com/windowsserver2003/evaluation/whyupgrade/win2k/w2ktows03-2.mspx


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 12:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RIS and Windows Server 2003 Upgrades

Larry,

Can you cite where this is coming from so that I can put it into context? The reason that I say this is because I have other Win2k3 servers that are running RIS that were joined to the domain, and others that I've upgraded outside of that process. I've had nothing impacted.

If I can read where you're reading this, I might be able to clear up what it's REALLY saying, if you know what I mean.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Duncan, Larry
Sent: Wednesday, June 25, 2003 9:50 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] RIS and Windows Server 2003 Upgrades

Hello!

I've just read that "If your network uses RIS with Windows 2000 Server, you should make the RIS server the first computer that you upgrade to Windows Server 2003. You won't be able to use RIS later unless it is upgraded first because of design changes in the way that Active Directory performs authentication."

Can anyone elaborate on this? Particularly to what impact this has had on your Windows Server 2003 migration strategies and exactly what "design changes" caused such a silly mandate.
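The order Rick gives is a procedure, so here is an added readiness check for it, written for this page and not taken from any post in the thread. It reports whether adprep has touched the forest and the domain, which DC holds each FSMO role (with its operating system, so you can see what is still on Windows 2000), and which RIS servers remain to be upgraded; the infrastructure master is listed as well, since that is the DC adprep /domainprep is run on. It assumes ADSI access as a domain admin from a machine in the forest root domain. The schema objectVersion of 30 for Windows Server 2003, the CN=Windows2003Update marker that domainprep writes, and the intellimirrorSCP class that RIS servers publish under their computer object are from my own notes, so verify them against your forest before trusting the verdict.

```powershell
# Added example, not from any post in this thread. Assumptions (verify against
# your forest): run as a domain admin in the forest root domain with ADSI
# available; schema objectVersion 30 marks a Windows Server 2003 forestprep;
# CN=Windows2003Update,CN=DomainUpdates,CN=System is the marker domainprep
# leaves; RIS servers publish an intellimirrorSCP object under their computer
# account.

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$domainNc = $rootDse.defaultNamingContext.Value

function Get-RoleOwner([string]$dn) {
    # fSMORoleOwner is the DN of the holder's NTDS Settings object; the DC name
    # is the next RDN up (CN=<server>,CN=Servers,...).
    $owner = ([ADSI]"LDAP://$dn").fSMORoleOwner.Value
    if (-not $owner) { return '(none)' }
    ($owner -split ',')[1] -replace '^CN=', ''
}

function Get-ComputerOs([string]$name) {
    # operatingSystem attribute of the computer account $name in this domain
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNc")
    $s.Filter = "(&(objectClass=computer)(sAMAccountName=$name`$))"
    [void]$s.PropertiesToLoad.Add('operatingSystem')
    $r = $s.FindOne()
    if ($r -and $r.Properties['operatingsystem'].Count -gt 0) { $r.Properties['operatingsystem'][0] }
    else { '(not in this domain)' }
}

'== Step 0: adprep =='
$schemaVersion = [int](([ADSI]"LDAP://$schemaNc").objectVersion.Value)
"forestprep : schema objectVersion $schemaVersion (Windows Server 2003 level = 30): $(if ($schemaVersion -ge 30) { 'done' } else { 'NOT done' })"
$domainPrepped = [ADSI]::Exists("LDAP://CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNc")
"domainprep : marker object present: $domainPrepped"

'== Steps 1-2: FSMO role holders (upgrade the PDC emulator first) =='
$roles = [ordered]@{
    'PDC emulator'   = $domainNc
    'Schema master'  = $schemaNc
    'Domain naming'  = "CN=Partitions,$configNc"
    'RID master'     = "CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure' = "CN=Infrastructure,$domainNc"   # the DC adprep /domainprep runs on
}
foreach ($role in $roles.Keys) {
    $dc = Get-RoleOwner $roles[$role]
    '{0,-15} {1,-20} {2}' -f $role, $dc, (Get-ComputerOs $dc)
}

'== Step 3: RIS servers still to upgrade =='
$s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNc")
$s.Filter = '(objectClass=intellimirrorSCP)'
foreach ($r in $s.FindAll()) {
    # The SCP sits directly under the RIS server's computer object.
    $computer = $r.GetDirectoryEntry().Parent
    '{0,-20} {1}' -f $computer.cn.Value, $computer.operatingSystem.Value
}
```

Run it once before step 0 and again after each upgrade; any RIS server in the last table whose operating system still reads Windows 2000 is one that should move up the list as soon as the FSMO holders are done.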



RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

2003-06-25 Thread Rick Kingslan



Update - legit. Been released to Premier sites, and these links are not public. Apparently, whoever started floating this link around *IS* a Premier site. Is it OK to download it? Well, it's a deep link intended for Premier sites - not the public. Your conscience is your guide. By Friday, I should guess, it will be public to Windows Update and through the other download channels.

So, how do I know this? Not because I'm on the beta - we got a link from our Premier status at work. Just found out about 5 minutes ago. The mail distro is slow at MS, too, on these types of things.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 25, 2003 8:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

Can't confirm or deny. The file is legit - it's not a leak. However, I (we) in the beta have:

1. Not been informed that it's gone release
2. Don't yet have a link ourselves to the final bits, which is typical.

Also, doing a search at the download site doesn't yield an SP4, but that - again - doesn't mean that it's not legit. It's just not PUBLIC knowledge yet. :-)

Likely what is happening, as is typical - it takes about 24 hrs. for content on the MS servers to sync from the distribution points. Once everything is in place, the switch gets thrown and the announcement is made to coincide with what (should be at least) is the availability of the SP.

Is it really released? Next 24 hrs. will tell.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leeuwen van, JWJ (Joost)
Sent: Wednesday, June 25, 2003 7:44 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Link to Windows 2000 Service Pack 4

Is this the final version or a leaked one?
Joost

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, June 25, 2003 2:39 PM
  To: [EMAIL PROTECTED]

  http://download.microsoft.com/download/e/6/a/e6a04295-d2a8-40d0-a0c5-241bfecd095e/w2ksp4_en.exe

  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
  
The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.


RE: [ActiveDir] suggestions for OU delegation information sources

2003-06-19 Thread Rick Kingslan
 If they only could have had a few chapters on Exchange 2K integration and
how to make it less painful... :oP

Oh, you are NOT EVEN gonna get this started again!  Huh-uh!

;-D

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, June 19, 2003 8:00 PM
To: [EMAIL PROTECTED]

Bob: I agree on the book recommendation. Chapter 4 is a virtual mountain of
good info. For the more involved/intense AD Admin I would also point out and
recommend Managing Enterprise Active Directory Services (Robbie
Allen/Richard Puckett, Addison Wesley Publishing). That book will probably
fly over the head of most AD Admins out there but the info is really good; I
was especially impressed by the section on SDDLs. If they only could have
had a few chapters on Exchange 2K integration and how to make it less
painful... :oP


Michael, what specific things are you looking to delegate? As a general rule
I avoid the GUIs, as the command line is generally much more efficient and
people are more consistent when they run scripts than when they do things in
the GUI. With the GUI I think ad hoc, and you don't admin AD ad hoc - or at
least you don't do it for long, or else it will bite you.
Anyway, if you give specifics of things you are looking for, people on the
list could recommend how to do it, etc.

Such as how to delegate unlock capability to the HelpDesk group on the users
OU of domain.com:

  dsacls CN=Users,DC=domain,DC=com /I:S /G Domain\HelpDesk:RPWP;lockoutTime;user

Or reset password to the same group on the same OU (the right's name contains
a space, so the whole grant has to be quoted for the command line):

  dsacls CN=Users,DC=domain,DC=com /I:S /G "Domain\HelpDesk:CA;Reset Password;user"

Obviously the more delegation you do that fits patterns, the better the
scripts pay off for you in terms of time saved and consistency of
configuration. You can wrap dsacls into a script or you can actually call
and modify the security descriptors directly. Writing scripts to do this
stuff at the command line usually starts giving benefits of side tools that
will let you do ACL audits and such a little easier as well, and best of all
puts things in formats that you want and can be set up to take advantage of
things you know are set up in specific ways in your environment.



  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, June 19, 2003 6:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation information sources


Some of the better coverage I've seen of the subject is in Chapter 4 of
Inside Active Directory: A System Administrator's Guide (ISBN:
0-201-61621-1), By Sakari Kouti and Mike Seitsonen

If you don't have the book (highly recommended BTW) MS published that
particular chapter on TechNet.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/deploy/confeat/securead.asp


-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 1:45 PM
To: Active Directory Mailing List (E-mail)

Hi All!
As we continue to flesh out our AD structure, we are trying to give
delegation authority for various objects in OUs to the appropriate groups.
Being a control freak, I don't want to give these groups full control over
all of the objects in the OU since this is also where our user accounts sit.
We've done some experimenting with modifying the delegwiz.inf file to create
custom templates but find that information for  exact permissions needed to
do a particular task is somewhat scarce.  Has anyone put together a custom
delegwiz.inf file that we could borrow from?  Is there any literature out
there regarding delegation that someone would recommend?  Any help is always
appreciated!  Thanks!

Mike Thommes
Argonne National Laboratory


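As an added example (my code, not joe's, and not a Microsoft tool): the same two delegations his dsacls lines grant, applied through System.DirectoryServices from PowerShell, followed by the kind of ACL audit he mentions. Assumed names: the target container OU=Users,DC=domain,DC=com (joe's example used CN=Users, which is a container rather than an OU) and the group DOMAIN\HelpDesk; the schema and extended-rights GUIDs are looked up from the directory at run time rather than hard-coded.

```powershell
# Added example, not code from joe's post: the same two delegations his dsacls
# lines grant, done through System.DirectoryServices, then an audit of what the
# group actually holds on the container. Assumptions: target container
# OU=Users,DC=domain,DC=com (joe used CN=Users) and group DOMAIN\HelpDesk;
# change both. Run as someone allowed to modify that container's security
# descriptor.
Add-Type -AssemblyName System.DirectoryServices

$targetDn = 'OU=Users,DC=domain,DC=com'
$helpDesk = New-Object System.Security.Principal.NTAccount('DOMAIN', 'HelpDesk')

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value

function Get-SchemaGuid([string]$cn) {
    # schemaIDGUID of a class or attribute, stored as a byte[] (e.g. User, Lockout-Time)
    $bytes = [byte[]](([ADSI]"LDAP://CN=$cn,$schemaNc").schemaIDGUID.Value)
    New-Object System.Guid -ArgumentList (,$bytes)
}

function Get-ControlRightGuid([string]$cn) {
    # rightsGuid of a control access right, stored as a string (e.g. Reset-Password)
    [System.Guid](([ADSI]"LDAP://CN=$cn,CN=Extended-Rights,$configNc").rightsGuid.Value)
}

function New-DescendantAce($identity, [string]$rights, [System.Guid]$objectType, [System.Guid]$inheritedObjectType) {
    # Allow ACE that applies only to descendant objects of one class:
    # the same scope that dsacls /I:S ...;user produces.
    $ctorArgs = @(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]$rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $objectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $inheritedObjectType
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
}

$userClass     = Get-SchemaGuid 'User'
$lockoutTime   = Get-SchemaGuid 'Lockout-Time'
$resetPassword = Get-ControlRightGuid 'Reset-Password'

$container = [ADSI]"LDAP://$targetDn"
$sd = $container.ObjectSecurity
# dsacls ... /I:S /G DOMAIN\HelpDesk:RPWP;lockoutTime;user   (unlock = write lockoutTime)
$sd.AddAccessRule((New-DescendantAce $helpDesk 'ReadProperty, WriteProperty' $lockoutTime $userClass))
# dsacls ... /I:S /G "DOMAIN\HelpDesk:CA;Reset Password;user"
$sd.AddAccessRule((New-DescendantAce $helpDesk 'ExtendedRight' $resetPassword $userClass))
$container.CommitChanges()

function Get-ExplicitAces([string]$dn, [System.Security.Principal.NTAccount]$principal) {
    # Explicit (non-inherited) ACEs on $dn that name $principal: what this container itself delegates.
    ([ADSI]"LDAP://$dn").ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $principal.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Rights              = $_.ActiveDirectoryRights
                ObjectType          = $_.ObjectType
                InheritedObjectType = $_.InheritedObjectType
                AppliesTo           = $_.InheritanceType
            }
        }
}

Get-ExplicitAces $targetDn $helpDesk | Format-Table -AutoSize
```

The audit prints raw GUIDs for ObjectType and InheritedObjectType; the two lookup functions are how you map them back (lockoutTime and the user class come from the schema, Reset-Password from CN=Extended-Rights). Write access to lockoutTime is what "unlock" needs, because unlocking an account writes lockoutTime to 0. Granting ExtendedRight on the Reset-Password GUID, rather than write access to the password attributes, is what lets the help desk set a new password without knowing the old one, and it is the narrowest grant that does so.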


RE: [ActiveDir] Active Directory Monitoring with MOM

2003-06-13 Thread Rick Kingslan



Well, now that's cool. That's the first time that I remember them doing that. Thanks for the pointer.


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
Sent: Friday, June 13, 2003 1:00 AM
To: [EMAIL PROTECTED]

hmm, click on http://www.mymsevents.com/MyMSEvents/ then TechEd 2003, then Sessions - PowerPoints are listed under some of the courses.

let me know?

  - Original Message -
  From: Rick Kingslan
  To: [EMAIL PROTECTED]
  Sent: Thursday, June 12, 2003 10:18 PM
  Subject: RE: [ActiveDir] Active Directory Monitoring with MOM
  
  Jan,
  
  I suspect that the average person is not going to be able to get the slides for anything other than specific public sessions - keynotes, etc. Typically, the site (as it is this year as well) is username and password protected.

  If I'm missing something, let me know. All I see here is the Global Mobility.
  
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
  Sent: Friday, June 13, 2003 12:09 AM
  To: [EMAIL PROTECTED]
  
  Tech Ed had a few sessions on MOM. It might be worth checking the site http://www.mymsevents.com/MyMSEvents/Search.aspx - many of them have the PowerPoint slides available for downloading.


RE: [ActiveDir] Active Directory Monitoring with MOM

2003-06-13 Thread Rick Kingslan
Todd,

Funny you should ask.  I just found the same flippin' thing in my AD at
work.  Brought it to my boss' attention (he's my best friend and my
ex-subordinate from the consulting company we used to be at - it's a weird
relationship... tracks with the company pretty well) and he blew it off and
told me that I had more important things to work on.

I have to admit, though, it pissed me off a bit.  But - I'm primarily
Security now and backup on AD architecture.  So, if something goes horribly
bad - not my problem.  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Friday, June 13, 2003 12:43 PM
To: '[EMAIL PROTECTED]'

Here is one for the books.

I run repadmin /showvector dc=domain,dc=name
The results are these:

CN=NTDS Settings,CN=server1,CN=Servers,CN=Site-1,CN=Sites,CN=Configuration,DC=domain,DC=LOCAL 7317912
CN=NTDS Settings,CN=server2,CN=Servers,CN=Site-1,CN=Sites,CN=Configuration,DC=domain,DC=LOCAL 2959567
CN=NTDS Settings,CN=servre3,CN=Servers,CN=Site-1,CN=Sites,CN=Configuration,DC=domain,DC=LOCAL 7143798
8b145e6f-c8cf-4ff4-8355-aa43879acb14 (Unresolvable) 108851
CN=NTDS Settings,CN=server4,CN=Servers,CN=Site-2,CN=Sites,CN=Configuration,DC=domain,DC=LOCAL 4059138
CN=NTDS Settings,CN=server5,CN=Servers,CN=Site-2,CN=Sites,CN=Configuration,DC=domain,DC=LOCAL 2241307
e1c85236-1a75-4762-b749-d6abc37772fc (Unresolvable) 180159
CN=NTDS Settings,CN=server6,CN=Servers,CN=Site-2,CN=Sites,CN=Configuration,DC=domain,DC=LOCAL 1457416

These two GUIDs are unresolvable and I believe they are demoted domain
controllers:
8b145e6f-c8cf-4ff4-8355-aa43879acb14 (Unresolvable) 108851
e1c85236-1a75-4762-b749-d6abc37772fc (Unresolvable) 180159

Does anyone know how to get rid of them?
Thanks,
Todd
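As an added example (not from Todd's or Rick's posts): a PowerShell parser for the Windows 2000 repadmin /showvector layout shown above, which separates the entries repadmin could resolve from the (Unresolvable) ones and, optionally, checks each unresolvable GUID against the invocationId of every NTDS Settings object still in the forest. The sample input is constructed in the shape of Todd's output, with invented server names and the two GUIDs from his post; the live cross-check assumes ADSI access. The thread does not settle whether these entries can be removed, so the script only classifies them.

```powershell
# Added example, not from the thread. Parses the Windows 2000 repadmin /showvector
# layout shown in Todd's post (one "<DSA> <USN>" entry per line) and flags the
# (Unresolvable) entries; the optional cross-check against live NTDS Settings
# objects assumes ADSI access. The sample below is constructed: server names
# invented, GUIDs copied from Todd's post.
$sample = @'
CN=NTDS Settings,CN=server1,CN=Servers,CN=Site-1,CN=Sites,CN=Configuration,DC=domain,DC=LOCAL 7317912
CN=NTDS Settings,CN=server2,CN=Servers,CN=Site-1,CN=Sites,CN=Configuration,DC=domain,DC=LOCAL 2959567
8b145e6f-c8cf-4ff4-8355-aa43879acb14 (Unresolvable) 108851
CN=NTDS Settings,CN=server4,CN=Servers,CN=Site-2,CN=Sites,CN=Configuration,DC=domain,DC=LOCAL 4059138
e1c85236-1a75-4762-b749-d6abc37772fc (Unresolvable) 180159
'@

function ConvertFrom-ShowVector([string[]]$lines) {
    foreach ($line in $lines) {
        # Each entry ends in the highest USN seen from that DSA; anything else is a header or blank.
        if ($line -notmatch '^(?<dsa>.+?)\s+(?<usn>\d+)\s*$') { continue }
        $dsa = $Matches.dsa
        $usn = [long]$Matches.usn
        if ($dsa -match '^(?<guid>[0-9a-fA-F-]{36})\s+\(Unresolvable\)$') {
            # repadmin could not map this invocationId to any NTDS Settings object
            [pscustomobject]@{ Server = $null; InvocationId = [guid]$Matches.guid; Usn = $usn; Unresolvable = $true }
        } else {
            [pscustomobject]@{ Server = (($dsa -split ',')[1] -replace '^CN=', ''); InvocationId = $null; Usn = $usn; Unresolvable = $false }
        }
    }
}

function Get-LiveInvocationIds {
    # invocationId of every NTDS Settings (nTDSDSA) object currently in the forest
    $configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$configNc")
    $s.Filter = '(objectClass=nTDSDSA)'
    [void]$s.PropertiesToLoad.Add('invocationId')
    foreach ($r in $s.FindAll()) {
        New-Object System.Guid -ArgumentList (,[byte[]]$r.Properties['invocationid'][0])
    }
}

$entries = ConvertFrom-ShowVector ($sample -split "`r?`n")
$entries | Format-Table -AutoSize

$stale = @($entries | Where-Object { $_.Unresolvable })
if ($stale.Count -gt 0) {
    try   { $live = @(Get-LiveInvocationIds) }
    catch { $live = $null; "Could not query the directory: $($_.Exception.Message)" }
    foreach ($e in $stale) {
        if ($null -eq $live)                     { $verdict = 'not checked' }
        elseif ($live -contains $e.InvocationId) { $verdict = 'a live DC still uses this invocationId' }
        else { $verdict = 'no live DC uses it: demoted DC, or a DC restored from backup (a restore assigns a new invocationId)' }
        '{0}  USN {1,-8} {2}' -f $e.InvocationId, $e.Usn, $verdict
    }
}
```

The up-to-dateness vector is keyed by invocationId, not by the NTDS Settings objectGUID, which is why a DC restored from backup shows up as unresolvable just like a demoted one; the cross-check cannot tell those two cases apart without the DC's history. Later repadmin builds print the vector in a different layout (repadmin /showutdvec), so the first regular expression needs adjusting for their output.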


RE: [ActiveDir] Aelita Enterprise Migration Manager - comments?

2003-06-13 Thread Rick Kingslan
Jan,

The Aelita solution will work fine for what you want to do.  However, we
used Microsoft's Active Directory Migration Tool (ADMT) ver 2.0 quite
successfully in migrating our 25K users and 15K computers, plus all of the
groups, etc.

Also, if you've already got GPOs setup in the old forest, look at
Microsoft's Group Policy Management Console to copy (migrate, what have you)
from one forest to another.  GPMC is the single best tool to come out of
Microsoft since AD.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
Sent: Friday, June 13, 2003 9:02 PM
To: [EMAIL PROTECTED]

We need to migrate a W2K forest A of 6000 users to our existing W2K forest
B. (Then shut down the forest A) We are considering Aelita Enterprise
Migration Manager and I am interested in any comments. Many thanks!



RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR

2003-06-12 Thread Rick Kingslan



Hmmm... I guess we can agree to disagree on the VSS. I can't think of a better solution than to have a fat pipe between two remote data centers with SANs of critical data being replicated in real time. Having data separated by 1500 miles and being up-to-the-second replicated - what more would one need? We're doing this at present with Cisco FC switches for the SAN, ATM for the fat pipe. Intent is to get Win2k3 involved as the method for user-managed restore of deleted files.

My experiences with Dfs have more to do with FRS and general issues that are about 3 years old. FRS is better - not great, and had to do with just a lot of limitation that was in Dfs 3 years ago that likely may no longer exist. We're quite successful without it - and the last thing I need to do is to create more headaches. The client departments do enough of that for me. ;-)


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Thursday, June 12, 2003 5:27 AM
To: [EMAIL PROTECTED]
Cc: 'Rick Kingslan'

Rick -
Thanks for the info. I've found VSS to be quite useful in our lab, but don't think it will work well for Disaster Recovery. What bad experience did you have with DFS?

Jeff

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 8:09 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR
  Jeffrey,
  
  I personally am not a big fan of Dfs - mainly due to a very bad experience in the early days of Windows 2000 (April 2000). It has gotten better, but is not really a great solution to bank your DR process on. IMHO, depending on what your bandwidth is like, the move with Windows Server 2003 might justify itself with Volume Shadow Services. I've been working closely with VSS and primarily, Volume Shadow Copy, and IMHO, it Rocks!
  
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
  Sent: Wednesday, June 11, 2003 6:31 PM
  To: [EMAIL PROTECTED]
  
  I have a customer looking for a disaster recovery solution for their Active Directory domain. They have one site on each coast and want to replicate the data. A VPN is available to each location. I was looking at either DoubleTake or a Veritas solution (Volume Replicator or Storage Replicator) but am having a hard time justifying using this over the built-in DFS. Anyone with any thoughts on this?

