[ActiveDir] DCacheUpdate registry key?
Hi,

Can someone explain what the significance of DCacheUpdate in the Winlogon registry key is? The only info Google turns up is that it stores the domain name in binary form, and not to touch it. :-P

Here's my problem... My lab systems are in an AD domain, but users authenticate to a 3rd party Kerberos realm. I can set DefaultDomainName, CachePrimaryDomain, and AltDefaultDomainName to the MIT realm name (which works fine), but here's where the problem starts:

If I log in to the AD domain (let's say with my domain admin account), and log back out, then all 3 of those change to my AD domain name (which is fine - I expect it to). So, if I remotely push out the registry changes again to set those 3 values back to my MIT realm name, then wait a few minutes (or hit ctrl-alt-delete), then CachePrimaryDomain changes to my AD domain, and DefaultDomainName changes to the *local computer name*. In addition, I can see that DCacheUpdate changes its value as well. (I'm remotely viewing the registry while nobody is logged in to watch these values change.)

Why does it do this, and why does it seem to be linked to me logging in to the AD domain? If I were to log in to the MIT realm, then those settings stay set to my MIT realm (with the exception of CachePrimaryDomain, but I don't think I really care about that one, do I?).

So, does that make sense at all? Is the last logged in domain value stored somewhere else, and DCacheUpdate is rebuilt from that?

Thanks,

- Robbie

--
Robbie Foust, CISSP, A+
OIT - CSI
Duke University

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] userenv bug in w2k3?
Hi,

I have a w2k3 machine (terminal server) that works fine when a user logs in to the domain. But, if a user authenticates to an MIT Kerberos realm (with a name mapping defined in AD) then the server logs an event id 1054 (Userenv). The description is:

Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted.) Group Policy processing aborted.

To make a long story shorter, I enabled debug logging for userenv and confirmed that it is looking in the wrong domain for the DCs when looking up group policy for the user. It's looking in the authenticating realm (the MIT Kerberos realm) and not the AD domain. The server configuration *is* correct. In other words, the domain suffix is the AD domain name (confirmed by ipconfig /all and netdiag). This server is using the same GP as another working (2000) server. I compared TGTs and they look the same, so I'm not sure where else to look.

Suggestions? :-)

Thanks!

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Re: [ActiveDir] userenv bug in w2k3? *solved*
Thanks for the suggestions -- I actually did have loopback processing configured, but not the cross-forest setting. That didn't correct the problem though.

It was indeed a bug; someone from Microsoft posted the fix on another list that I am on. Here it is if anyone is interested:

http://support.microsoft.com/default.aspx?scid=kb;en-us;827182

Thanks again for the help,

- Robbie

Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University

Guy Teverovsky wrote:

I just wonder whether W2K3 gets confused and tries to treat authenticating against an MIT Kerberos realm as a fully bloated cross-forest logon. Do you have loopback enabled in this GPO?

W2K3 and W2K behave a bit differently when doing cross-forest logons. W2K by default does not process the user policies, roaming profiles and logon scripts from the user account domain when authenticating over a cross-forest trust (but does not default to loopback). W2K3 (by default) disables the cross-forest GPO processing and defaults to loopback. Now if you explicitly disable the loopback, W2K still fails to process the logon scripts (I believe there is an open bug regarding this one).

I'd suggest you explicitly set "Allow cross-forest User Policies and Roaming Profiles" in the computer part of the GPO to Disabled and also check whether disabling/enabling loopback changes things.

Well... Just my 2 mumbling cents.

Guy

-----Original Message-----
From: Robbie Foust
Sent: Wednesday, February 16, 2005 8:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] userenv bug in w2k3?
[ActiveDir] java to AD? and cracklib?
Hi,

Another department here is trying to get a web based password change site set up but is having trouble getting Java to talk securely with AD. Also, they are wanting to use cracklib to check passwords. I am not a programmer at all, so I am wondering if anyone could point me to some resources regarding these topics?

Thanks,

- Robbie

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] migration of domains
I believe you can use the Active Directory Migration Tool (ADMT) to do domain consolidations. A search on Microsoft's website for ADMT should bring up many references to it. It is a free program.

- Robbie

Calders Stijn wrote:

Dear AD specialists,

At our university, we have three domains in the same forest: KDG.BE (forest root domain with only two domain controllers), ADMIN.KDG.BE (child of KDG.BE with a lot of servers, like SQL server, Exchange server, Terminal Servers, ...) and TEST.KDG.BE (child of KDG.BE with a few servers: SQL server, file server, ...). We want to migrate everything from ADMIN.KDG.BE to KDG.BE.

Three questions:
1) Is this possible? (And doesn't it cost too much effort?)
2) Is there a reason why this isn't a good idea?
3) And what's the best way to do this? How can we be sure everything is migrated right?

Many thanks in advance,
Stijn.

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
[ActiveDir] set AD password from linux?
Hi,

Is there a way to (securely) set an AD account password through a web page on a linux or unix machine running apache? Assume that we can already verify the user's identity.

Thanks!

- Robbie

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Re: [ActiveDir] set AD password from linux?
Thanks Joe! That's exactly what I needed. :-)

- Robbie

joe wrote:

Yes, it requires LDAP and a 128 bit SSL connection to the Domain Controller.
http://support.microsoft.com/?kbid=269190

You also might be able to find something in the Samba package which uses the NT Lan Man functionality. Though many would question just how secure that really is.

joe

-----Original Message-----
From: Robbie Foust
Sent: Wednesday, November 17, 2004 10:23 AM
Subject: [ActiveDir] set AD password from linux?

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Re: [ActiveDir] set AD password from linux?
Just FYI for anyone interested, my other option may be to do password resets on an IIS 6 box, but authenticate the user to the MIT Kerberos realm using Shibboleth (http://shibboleth.internet2.edu/). We already have a Shibboleth infrastructure in place so it wouldn't be that hard to do.

- Robbie

Eric Fleischman wrote:

(should have noted I repro'd this on ADAM, not AD... perhaps diff?)

-----Original Message-----
From: Eric Fleischman
Sent: Wednesday, November 17, 2004 10:15 AM
Subject: RE: [ActiveDir] set AD password from linux?

Ah hah! Yes it does work. I just tried it. But there is a trick.

Trick: when doing this on XP, you must specify the creds explicitly, not pass null to use the currently logged on user.

~Eric

-----Original Message-----
From: Steve Patrick
Sent: Wednesday, November 17, 2004 10:08 AM
Subject: Re: [ActiveDir] set AD password from linux?

Believe Joe is right here... A little more outside of the box is the Kerberos set password protocol outlined in RFC 3244 - if I recall, MS even had some nice sample code already written for *nix applications.

my .02
-steve

----- Original Message -----
From: joe
Sent: Wednesday, November 17, 2004 7:56 AM
Subject: RE: [ActiveDir] set AD password from linux?

That will work for setting a password on AD (2K and K3)? I was under the impression you needed the 128 bit SSL if doing over straight LDAP.

joe

-----Original Message-----
From: Eric Fleischman
Sent: Wednesday, November 17, 2004 10:50 AM
Subject: RE: [ActiveDir] set AD password from linux?

...or use ldap_opt_encrypt, but I don't know if your client side LDAP API supports that.

~Eric

-----Original Message-----
From: joe
Sent: Wednesday, November 17, 2004 9:36 AM
Subject: RE: [ActiveDir] set AD password from linux?

-----Original Message-----
From: Robbie Foust
Sent: Wednesday, November 17, 2004 10:23 AM
Subject: [ActiveDir] set AD password from linux?

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
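The LDAP-over-SSL password write joe points to (KB 269190) is easy to get wrong on the client side, so here is an added example, not from the list thread or from Microsoft, of how the modify is built from a Linux host: unicodePwd must carry the password in double quotes encoded as UTF-16-LE, the connection must be ldaps://, and an administrative reset (one replace) is a different operation from a user-initiated change (delete the old value, add the new one, so the DC checks the caller knows the current password). Host names, DNs and passwords below are constructed placeholders; the LDIF output is what you would hand to ldapmodify or an LDAP library over the verified TLS connection.

```python
"""Build an AD unicodePwd write for use over LDAPS (added example, not list code)."""
import base64
import ssl
from typing import Optional, Tuple
from urllib.parse import urlsplit


def encode_unicode_pwd(password: str) -> bytes:
    # AD accepts unicodePwd only as the password wrapped in double quotes,
    # encoded UTF-16-LE with no byte-order mark. Sending plain UTF-8 fails
    # with a constraint violation even when the connection is encrypted.
    return '"{}"'.format(password).encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    # Inverse of encode_unicode_pwd; handy for checking what a client is about to send.
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted unicodePwd value")
    return text[1:-1]


def require_ldaps(url: str) -> Tuple[str, int]:
    # A DC rejects a unicodePwd write over cleartext LDAP; refusing here as well
    # keeps the new password off the wire if anyone misconfigures the URL.
    parts = urlsplit(url)
    if parts.scheme != "ldaps" or not parts.hostname:
        raise ValueError("password writes require ldaps://, got {!r}".format(url))
    return parts.hostname, parts.port or 636


def make_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    # Verify the DC's chain and host name and insist on TLS 1.2 or newer, so the
    # password cannot be handed to a spoofed DC. ca_file is the CA that issued
    # the DC certificate (assumed to be exported from your enterprise CA).
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _b64(value: bytes) -> str:
    # LDIF carries binary attribute values base64-encoded after a double colon.
    return base64.b64encode(value).decode("ascii")


def password_reset_ldif(dn: str, new_password: str) -> str:
    # Administrative reset: a single replace. Requires the "Reset Password" right
    # on the object; the old password is not needed and history is not enforced
    # the same way as for a user-initiated change.
    return "\n".join([
        "dn: {}".format(dn),
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: {}".format(_b64(encode_unicode_pwd(new_password))),
        "-",
        "",
    ])


def password_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    # User-initiated change: delete the old value and add the new one in a single
    # modify. The DC only accepts the pair if the old value matches, which is what
    # makes this safe to expose from a self-service web page.
    return "\n".join([
        "dn: {}".format(dn),
        "changetype: modify",
        "delete: unicodePwd",
        "unicodePwd:: {}".format(_b64(encode_unicode_pwd(old_password))),
        "-",
        "add: unicodePwd",
        "unicodePwd:: {}".format(_b64(encode_unicode_pwd(new_password))),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed placeholders: there is no such DC, user or password.
    host, port = require_ldaps("ldaps://dc1.ad.example.test")
    ctx = make_tls_context()  # hand this to your LDAP client when it opens the socket
    dn = "CN=Jane Doe,OU=Users,DC=ad,DC=example,DC=test"
    print("would connect to {}:{} over TLS".format(host, port))
    print(password_reset_ldif(dn, "Constructed-Example-Pw1"))
    print(password_change_ldif(dn, "Old-Example-Pw0", "Constructed-Example-Pw1"))
```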
Re: [ActiveDir] RDP
Ken Cornetet wrote:

> You also need enterprise for autoenrollment.

Weird, I wonder why autoenrollment works for me then? I'm only running standard, not enterprise. Autoenrollment is definitely working.

- Robbie

-----Original Message-----
From: Renouf, Phil
Sent: Monday, November 15, 2004 4:16 PM
Subject: RE: [ActiveDir] RDP

There are a number of PKI things that can't be done without Enterprise Edition. I believe the most important being extra certificate templates that can be used (although my terminology may be wrong).

Phil

-----Original Message-----
From: Robbie Foust
Sent: Monday, November 15, 2004 3:32 PM
Subject: Re: [ActiveDir] RDP

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Re: [ActiveDir] RDP
I'm sure that is the case. I'll take a look at my setup and see if I can figure out what I did to make it work (or maybe discover that I'm completely going insane). :-)

- Robbie

Ellis, Debbie wrote:

My company was using Standard and auto enrollment would not work. We consulted our TAM and he said we had to have Enterprise for Auto Enrollment.

Debbie Ellis
Systems Administrator
Viasat, Inc.
4356 Communications Drive
Norcross, GA 30093
678-924-2591

-----Original Message-----
From: Robbie Foust
Sent: Tuesday, November 16, 2004 10:28 AM
Subject: Re: [ActiveDir] RDP

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Re: [ActiveDir] RDP
Ellis, Debbie wrote:

> I recently upgraded one of our Windows 2003 Domain Controllers to Enterprise Edition. (Needed for Certificates, auto enrollment).

You don't need enterprise edition for that. I'm doing it with standard edition and it works fine.

> The problem I am having is when I try to connect remotely via Remote Desktop Protocol, the server reboots. It worked fine before the upgrade. Has anyone experienced this problem or know a solution?

Does this happen as soon as the connection is established, or while you're logging on?

I've never been a fan of domain controller upgrades. Too many things can break or become unstable. You're better off demoting it and rebuilding it from scratch.

- Robbie

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
[ActiveDir] sysvol problems
Hi,

I'm trying to track down a problem. This particular domain only has one domain controller (don't blame me) :-) and I am unable to access the sysvol through the domain name, like when I try to go to \\domain.duke.edu\sysvol I get "The network path was not found."

One other weird thing about the server is that on the login dialog box, instead of listing the domain name as the domain to log in to, it lists something like "domainserv". (Names changed to protect the innocent.) There's more to the story, but I'll leave it at that for now.

The DNS config should be somewhat correct, at least enough that it should be working. I've corrected many problems associated with that, but still no go. An nslookup on the domain name does resolve to the server's IP address. NetBT was disabled so I've re-enabled it to see if that helped. dcdiag thinks everything is fine; netdiag thinks everything is fine except it says:

NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

I'm not 100% sure exactly what it's talking about, since the server has everything registered in WINS. In fact, it has both server names registered: both the real DC name and the name that shows up in the login dialog box. :-)

Thanks!

- Robbie

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Re: [ActiveDir] sysvol problems
Hi Robert,

Thanks for the reply. If I net view the real DC name, then yes. If I net view the name that shows up in the login dialog box, then no; I get the "network path not found" message.

- Robbie

Robert Rutherford wrote:

If you do a 'net view \\servername' can u see the shares, i.e. sysvol?

-----Original Message-----
From: Robbie Foust
Sent: 29 October 2004 15:10
Subject: [ActiveDir] sysvol problems

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Re: [ActiveDir] sysvol problems
Hi Tom,

Yes, all of those have been checked. The first time I tried ipconfig /registerdns, I got an error and that's when I realized the admin had disabled NetBIOS and disabled the DHCP client. So I re-enabled it and /registerdns worked.

The DNS topic was one I was trying to avoid. :-) Like most universities, we already have a DNS (unix-based) system in place which isn't going away. So, when an Active Directory forest is set up, we configure it as its own DNS system (AD-integrated), but the primary campus DNS systems pull zone transfers from the AD domain controllers. They aren't willing to delegate the domain to us, which is mostly a political issue, but anyway, when configured properly, it works fine. Also, in AD, we don't have a reverse zone configured because there's no way to sync that to the main campus DNS servers. AD forests on campuses don't have their own IP address space so there isn't a clean way to do it.

Anyway, this particular domain wasn't configured that way. They had configured the server as AD-integrated with its own 3rd level DNS name, but the main campus DNS servers don't pull zone transfers from it. The server name registered on the main campus DNS is completely different from what is registered in AD DNS. The network card DNS info on the DC was initially configured to point to itself for primary DNS, and campus DNS for secondary. I figure that might be why the server seems to think it has two names, but I'm not sure how to correct it. I've killed off the secondary DNS entry so it is only pointing to itself for DNS now, so it shouldn't care what is registered in the main campus DNS system. Everything in AD DNS is configured correctly now. So that's what I mean by "it is somewhat fixed". :-)

Hope that makes sense...

- Robbie

Kern, Tom wrote:

do you have all the srv records in DNS for this server?
do you have File and Print sharing installed?
did you do an ipconfig /registerdns?
when you say DNS config should be somewhat correct, what do you mean by somewhat?

thanks

-----Original Message-----
From: Robbie Foust
Sent: Friday, October 29, 2004 10:10 AM
Subject: [ActiveDir] sysvol problems

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Re: [ActiveDir] Terminal services license
The license info is kept on the license server. You can't reset a license without uninstalling and reinstalling the license server service and calling Microsoft to re-activate your licenses. Licenses will be released on their own every 90 days (I think).

- Robbie

Kern, Tom wrote:

Quick question- I'm running term services in APP mode. If I reformat my clients' PCs or give them new ones, do I have to reacquire a license for term services for each PC I replace? Is the license info kept on the client machine?

thanks

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Re: [ActiveDir] sysvol problems
Kern, Tom wrote:

> they really should delegate you authority for your AD zone and these issues will go away.

Not really. We still would have a shared IP address space so reverse lookups in AD would still be disabled and would have to be manually registered in the campus DNS system. There really isn't a good way to do it in environments like ours. Luckily Microsoft has realized that and added appropriate configuration/policy options.

> point your dns server from your child domain to the root as a forwarder or pull down a secondary copy of the root AD domain would be even better. until then or if then, maybe if you fiddle around with your dns properties on the dc's network adapter. like uncheck append parent suffixes of the primary dns suffix

I'm pretty sure the problem has to do with the server thinking it has two names. It probably happened during the initial dcpromo when it was pointing to two different DNS systems. (BTW, this is a single forest/single domain.) Either way, it's going to be a pain to correct so I'm just going to recommend that they join our central forest which is properly configured.

Thanks for the suggestions!

- Robbie

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Re: [ActiveDir] OT: Training
Your best bet for that topic would be to watch this webcast:
http://support.microsoft.com/default.aspx?scid=kb;en-us;812954

and review these links:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbf_upwn_fvlt.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;325379

Hope this helps,

- Robbie

Devan Pala wrote:

Hi,

Can anyone recommend a good training class designed to cater for those looking to increase their skill set specifically for upgrading a Windows 2000 network to Windows Server 2003?

Thanks in advance.

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
Re: [ActiveDir] Terminal services license
Kern, Tom wrote: i think they give you 90 days to connect with a tempoary license and then you have to provide a real one. i read that licensing info is kept on the client machine by the license server. i'm just wondering what this means if i have to issue someone a new pc. will i lose the license? can i copy it over? do i need to call the org i got the license from and get a new one? The license info is definitely kept on the license server. An available license is issued for 90 days. If the license server can determine that you are re-connecting from the same machine, the same license will be used. If not, a new license will be assigned (even if the computer name is the same). I'm not sure what method it uses to determine that, but it can be quite annoying at times if you don't have a lot of licenses free. :-) My guess is that if you give someone a new pc, it will issue a new license. You will not be able to use the previous license until its expiration date (look at Terminal Server Licensing in Administrative Tools). - Robbie thanks -Original Message- From: Robbie Foust [mailto:[EMAIL PROTECTED] Sent: Friday, October 29, 2004 11:50 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Terminal services license The license info is kept on the license server. You can't reset a license without uninstalling and reinstalling the license server service and calling Microsoft to re-activate your licenses. Licenses will be released on their own every 90 days (i think). - Robbie Kern, Tom wrote: Quick question- ii'm running term services in APP mode. If i reformat my clients pc's or give them new ones, do i have to reaquire a license for term services for each pc i replace? is the license info kept on the client machine? 
thanks

-- Robbie Foust, IT Analyst OIT/CASI - Administrative Information Support Duke University
Re: [ActiveDir] Mixed network PC and Mac - AD or XServe
I'm currently involved in migrating a network from Netware to AD/OS X Server. The problem with running Windows servers in a Mac environment is that Microsoft has no plans to support the latest AFP version, which kinda sucks for various reasons. (auto reconnect, etc) Best way I can come up with is to use AD as the authenticator (and for group policy support of Windows clients), and use OS X Server as the file server. The trick is to be able to apply policies to OS X users through open directory. There's supposed to be a way to use AD as the primary LDAP directory and pull additional attributes from another local directory but haven't quite figured it out yet. Samba can be configured to use Kerberos, but it's not the default. Macs can't really be managed from AD like Windows can. Same goes in the other direction too. So ya kinda need both (AD and OD). In my scenario, I'm shooting for single sign-on using Kerberos. To make it even more complicated, I would really like to authenticate from a MIT Kerberos realm, but Samba doesn't have support for that yet. Documentation is very limited when it comes down to the fine details, unfortunately.

Robbie Foust OIT - Systems and Core Services Duke University

Noah Eiger wrote: Hello: I need some advice about file service, directory management, and user authentication in a mixed Windows/Mac environment. I have a magazine client with approximately 70 users: half Macs, half Windows. As you might expect, the Macs are the art department and editorial; the PCs are business, advertising, etc. All workstations will either be running OSX (most recent) or WinXP Pro. Currently, there is no NOS, and file service is handled by a mixture of WinNT, Win2k, and AppleShare 9x. My initial thought was to just let AD handle everything and spend the effort on getting the Macs to play nice with the Windows servers. Exchange is likely. However, the in-house IT guy wants to explore Apple's server offerings.
So, the questions are:
- Is the speed and quality of the Windows servers sufficient for Mac clients (many handling large image or graphics files)?
- Is AD managing of Macs and Mac users sufficient?
- If there is a reason to deploy an Apple server, can it be managed by AD? That is, can it play like a Windows member server?
- Finally, is there any reason to entertain running the whole shop under the Apple server and Open Directory?

Many thanks.

-- Noah M. Eiger EIS Consulting for PRBO Conservation Science 510-717-5742 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
Re: [ActiveDir] Office2003 Rollout
Altiris deployment solution is a really handy product, but unfortunately you can't create a snapshot image of office and deploy it. You pretty much have to run the setup with an answer file over the network. I guess I would just use group policy to do it, or I wonder if there is a way to make a wmi script that would run it...like schedule it to run after hours, or manually start it.

- Robbie

Robbie Foust, IT Analyst Systems and Core Services Duke University

GARY SMITH wrote: I have to roll out Office 2003 onto around 350 desktops. Any great insight into the best approach here. I have been looking at some third party applications, in particular Altiris, but I was wondering if it could be done through Group Policy / Software deployment. All desktops are W2K. Gary Smith
Re: [ActiveDir] SUS 2.0 Beta
Looks like you can sign up for the open evaluation version here: http://www.microsoft.com/windowsserversystem/sus/wusbeta.mspx But I haven't been able to locate the beta version yet. Haven't found a Guest ID yet either.

- Robbie

Robbie Foust, IT Analyst Systems and Core Services Duke University

England, Christopher M wrote: Greetings, I guess SUS 2.0 Beta has been released: http://www.nwc.com/showitem.jhtml?articleID=18400592 Does anyone have a Guest ID to get in on the Beta? Or is there just a download somewhere? Thanks all, Chris Christopher England Systems Administrator MCSA, Server+, Network+, A+ College Information Technology Office Indiana University
Re: [ActiveDir] Firewall
I'm not using the XP firewall yet, but I'll consider it with SP2 since it is much better. The built in firewall isn't supposed to interfere with communications with DC's, I think. Are you getting any specific error message when users try to edit their attributes? Or do they just not have permission to do so? Check the event logs to see if there are any errors.

Robbie Foust, IT Analyst Systems and Core Services Duke University

Douglas M. Long wrote: Do you all force your XP clients to have the built-in firewall enabled? Are there any cons (such as some GPs not working) to having it enabled? The reason I ask is I am having a problem finding the culprit which is causing some users the inability to edit their editable (phone number, homepage, address, etc) attributes. Thanks in advance
Re: [ActiveDir] Photos in Active Directory
That's a good point and one I had not thought of (killing the DC's with large photos). Another suggestion, if you do want to keep a photo stored in AD, I would do like Guido suggested and restrict the attribute to the appropriate groups or whatever, and use some program to limit the size of the photo. I haven't really looked into this much. There is a program called Imagemagick (www.imagemagick.org) that will do some cool stuff (resizing, etc).

- Robbie

Robbie Foust, IT Analyst Systems and Core Services Duke University

Grillenmeier, Guido wrote: WARNING: let's look at the security aspects of photos in AD from another side. You need to be aware that the photo attribute is editable by default by every user himself (just like all the other attributes which are part of the personal information property set). But the photo-attribute is somewhat special: it's a binary blob which basically has no size limit... (depends on LDAP policy max msg size). This means that if you don't lock down this attribute, every user could potentially upload really large images (think of a 1 GB image) to this attribute and kill all your DCs anytime he'd like, either through replication or simply growing the DIT-file over the limits of your disks. So even if you're not going to use this attribute to store photos, you should also ensure that nobody else does it for you. /Guido

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw Sent: Tuesday, 6 April 2004 17:55 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Photos in Active Directory

I think the benefit is obvious - security. You may want to consider using Active Directory Application Mode or setting up an Application Partition in AD (assuming you are using W2K3). Either would enable you to isolate the data replication. Photos shouldn't change much so once you have done your initial replication there shouldn't really be any additional traffic to bear.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert Sent: Tuesday, April 06, 2004 12:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Photos in Active Directory

It all depends on how large your organisation is I guess, how many sites, WAN links, etc. I wouldn't really recommend it as you really want to keep your AD as small as possible for replication and performance reasons. What benefit will you get out of having users' photos in the user object?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 05 April 2004 22:40 To: [EMAIL PROTECTED] Subject: [ActiveDir] Photos in Active Directory

Hi all, We're in the middle of designing our Active Directory (Server 2003) and our security group just came up with the idea that it would be great to include a photo of the user in each user object. I know this CAN be done but I'm looking for information that would tell me whether it SHOULD or SHOULD NOT be done. Any references anyone can think of or, better yet, personal experience with this? Thanks, Mike
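Two controls that follow from Guido's warning and Robbie's suggestion, written up here as an added example that is not from the thread: take the write right on the photo attribute away from the user (so the "personal information" self-write no longer covers it), let only a controlled process write photos, and have that process enforce a byte cap after resizing. Everything named below is a placeholder: the domain ad.example.edu, the OU, the user DN, the photo path, and the choice of thumbnailPhoto as the attribute (the thread does not say which attribute; jpegPhoto is the other common one, and the same commands work with that name). dsacls.exe comes from the Support Tools; the image handling uses System.Drawing, which is on any Windows box with the .NET Framework.

```powershell
# Added example, not from the thread. All names below are placeholders.
$MaxBytes = 100KB                                               # hard cap on what we will store
$OuDn     = 'OU=Staff,DC=ad,DC=example,DC=edu'                  # placeholder OU
$UserDn   = 'CN=Mike Example,OU=Staff,DC=ad,DC=example,DC=edu'  # placeholder user
$Attr     = 'thumbnailPhoto'                                    # ASSUMPTION: attribute used for photos

# 1. Deny SELF write-property on the photo attribute for user objects under the
#    OU, inherited to sub-objects. An explicit deny wins over the allow that the
#    "personal information" property set grants, so users can no longer upload
#    their own (arbitrarily large) blob. Run as a domain admin.
& dsacls $OuDn /I:S /D "NT AUTHORITY\SELF:WP;$Attr;user"

# 2. A controlled writer: resize, re-encode as JPEG, refuse anything over the cap.
Add-Type -AssemblyName System.Drawing

function ConvertTo-BoundedJpeg {
    param([string]$Path, [int]$MaxSide = 96, [int]$MaxBytes)
    $img = [System.Drawing.Image]::FromFile($Path)
    try {
        # scale the longest side down to $MaxSide, keeping the aspect ratio
        $scale = [Math]::Min(1.0, $MaxSide / [Math]::Max($img.Width, $img.Height))
        $w = [int]($img.Width * $scale); $h = [int]($img.Height * $scale)
        $bmp = New-Object System.Drawing.Bitmap $img, $w, $h
        $ms  = New-Object System.IO.MemoryStream
        $bmp.Save($ms, [System.Drawing.Imaging.ImageFormat]::Jpeg)
        $bytes = $ms.ToArray()
        $bmp.Dispose(); $ms.Dispose()
    } finally { $img.Dispose() }
    if ($bytes.Length -gt $MaxBytes) {
        throw "$Path is $($bytes.Length) bytes after resizing; limit is $MaxBytes"
    }
    return $bytes
}

$photo = ConvertTo-BoundedJpeg -Path 'C:\photos\mike.jpg' -MaxBytes $MaxBytes  # placeholder path
$user  = [ADSI]"LDAP://$UserDn"
$user.Put($Attr, [byte[]]$photo)
$user.SetInfo()

# 3. Audit: list anyone whose stored photo already exceeds the cap (a blob written
#    before the ACL change, or by a writer that skipped the check).
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$OuDn")
$searcher.Filter = "(&(objectCategory=person)($Attr=*))"
$searcher.PropertiesToLoad.Add($Attr) | Out-Null
foreach ($r in $searcher.FindAll()) {
    $len = $r.Properties[$Attr][0].Length
    if ($len -gt $MaxBytes) { "$($r.Path): $len bytes" }
}
```

The deny in step 1 is per OU; repeat it for every OU that holds user objects, or apply it at the domain head, and re-check with `dsacls $OuDn` after any delegation change, since a later allow granted through a different property set or directly to a group would not be affected by it. The audit in step 3 is also the check to run before deciding whether to use the attribute at all: if it returns anything today, somebody is already writing to it.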
Re: [ActiveDir] MS Audit Collection Service?
Hi Eric, Thanks for the quick response! I searched quite a bit for it on Microsoft's site but couldn't locate anything. If you happen to find a link, it would be much appreciated. :-) Thanks again,

- Robbie

Robbie Foust, IT Analyst Systems and Core Services Duke University

Eric Fleischman wrote: I'm afraid you got some bad information. MACS (Microsoft Audit Collection Service) is not out at this point in time. There is some pre-release documentation up on Microsoft.com though. You should be able to find it if you search for MACS, but let me know if not and I'll dig it up again. ~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust Sent: Thursday, April 08, 2004 8:17 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] MS Audit Collection Service?

Hi, I'm trying to find the Microsoft Audit Collection Service. I had never heard of it until today. A Microsoft rep at the Security Summit I attended today said it was out and available on the Technet site, but I can't find it. It really irritates me when I find out about a product like this well after the thing has been designed and tested. I'm already on several lists and I check news sites regularly. Is there a better way? Some secret newsletter I'm not subscribed to? :-)
Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??
Hi Lara, I think what you are looking for is this... In AD Users and Computers, click on View at the top and turn on Advanced Features. Then, right click on the user account and click on Name Mappings... Then click on the Kerberos Names tab and add the principal name there (such as [EMAIL PROTECTED]). Hope this helps!

- Robbie

Robbie Foust, IT Analyst Systems and Core Services Duke University

Lara Adianto wrote: Thanks for all the replies guys..(I love this mailing list) :-) After spending some time understanding the kerberos concept in windows, I believe that to achieve my goal, I need to create a two way trust relationship between the windows 2000 domain and my kerberos realm on a linux machine (just like what Robbie has suggested) The following is an excerpt from windows 2000 Kerberos Interoperability white paper (page 15):

Two-Way Trust ... Goals The analysts authenticate to the Kerberos realm and can then access both UNIX-based resources and Windows 2000-based applications and services.
* Kerberos Clients: Windows 2000 Professional
* Kerberos KDC: UNIX-based Kerberos V5 KDC
* Target Resource: Windows Application, File and Print Services

Implementation This scenario builds on the client configuration and one-way trust implementations. First, the Windows 2000-based clients will be configured to log on to the Kerberos realm as discussed earlier. Secondly, a one-way trust relationship must be set up between the Windows 2000 domain and the Kerberos realm (the Windows domain trusts the Kerberos realm as an account domain). Finally, each Kerberos principal in the realm must have a corresponding Windows 2000 account. Each corresponding account (proxy account) in Windows 2000 must have the AltSecurityId property populated with the Kerberos principal name including the realm, for example, [EMAIL PROTECTED]

Currently, I'm in the middle of trying to implement the above hints. I have added the external trust in my win2k domain.
I have configured the client to authenticate to my linux's kerberos realm using ksetup (thanks Robbie)... BUT I'm stuck with the account mapping. I've already got a win2k account for my kerberos principal in linux. Then the hint says that the mapping is contained in the AltSecurityId property of each win2k user. The problem is that I don't know how to set this AltSecurityId. I can't find it in the Active Directory Users and Computers. Where can I set the AltSecurityId to my linux kerberos realm? (This might be a dummy question, but I've tried to seek help on the net, but couldn't find anything) Thanks a bunch, Lara

--- Robbie Foust [EMAIL PROTECTED] wrote: You actually don't configure AD, what you need to do is run ksetup.exe on the workstations (must be 2000 or XP) and add the kerberos realm's kerberos servers. (ksetup is part of the support tools). For example: C:\ ksetup /addkdc MIT.KERBREALM.COM kserver.kerb.com and then when the user logs in, they must select that realm from the drop down list. Also, the user account in AD needs to have the kerberos name mapping added so AD will know how to match up the accounts. The name mapping would be something like [EMAIL PROTECTED]. So basically, the password stored in AD is ignored. Let me know if this helps, or if this isn't what you're trying to do at all. :-)

Robbie Foust, IT Analyst Systems and Core Services Duke University

Lara Adianto wrote: Hi guys, As what the subject title said: can Microsoft Active Directory be configured to authenticate to an external ldap server (openLDAP in my case)? To make things clearer, this is the objective that I want to achieve: I want authentication of Microsoft Active Directory's clients to be done by OpenLDAP server on Linux. So, when a client of Microsoft Active Directory authenticates itself to MS AD, MS AD will ask openLDAP for authentication service. openLDAP will return reject or allow to MS AD. I believe that this can be achieved by using Kerberos.
I currently have GSSAPI mechanism running on my openLDAP server, but I am not sure how to make MS AD talk to my openLDAP server. Any idea, suggestions, hints will be very appreciated Cheers - Lara

- Life, you see, is never as good or as bad as one thinks - Guy de Maupassant - Do you Yahoo!? *Yahoo! Mail* http://us.rd.yahoo.com/mailtag_us/*http://mail.yahoo.com - More reliable, more storage, less spam
Re: [ActiveDir] Upgrade sp3 domain to sp4 or w2k3?
Seems like there were some kerberos cached ticket issues when it was first released, but patches were made available later for XP clients. I *think* it was SP4, or maybe I'm thinking of 2003... Anyway, I saw plenty of discussions on other lists that made me stay away from SP4. I'm also going straight from SP3 to 2003.

- Robbie

Robbie Foust, IT Analyst Systems and Core Services Duke University

Al Lilianstrom wrote: joe wrote: We are moving from 2KSP3 to K3 directly. Didn't feel the risk of two upgrades within a half a year was worth it. Especially with many of the horror stories I have heard around SP4 and the fact of the even numbered MS SP issue urban legend... We were laughing about that exact urban legend the other day... Care to share any of the horror stories? Most of our w2k simple servers are sp4 and we haven't seen anything that unusual. al

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Wednesday, March 17, 2004 10:11 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Upgrade sp3 domain to sp4 or w2k3?

Hi, we have a sp3 based domain - 6000 users, 2500 computers, empty root, and a single resource domain. Currently looking at upgrading to sp4 on the way to Windows 2003. Given our desire to get to w2k3 by fall and our own testing methods we're considering going from sp3 to w2k3 directly. The Microsoft documentation states that sp3 or later is required to upgrade to w2k3 so this should work. Any advice/words of wisdom/pitfalls/horror stories/etc would be appreciated. tia, al
Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??
You actually don't configure AD, what you need to do is run ksetup.exe on the workstations (must be 2000 or XP) and add the kerberos realm's kerberos servers. (ksetup is part of the support tools). For example: C:\ ksetup /addkdc MIT.KERBREALM.COM kserver.kerb.com and then when the user logs in, they must select that realm from the drop down list. Also, the user account in AD needs to have the kerberos name mapping added so AD will know how to match up the accounts. The name mapping would be something like [EMAIL PROTECTED]. So basically, the password stored in AD is ignored. Let me know if this helps, or if this isn't what you're trying to do at all. :-)

Robbie Foust, IT Analyst Systems and Core Services Duke University

Lara Adianto wrote: Hi guys, As what the subject title said: can Microsoft Active Directory be configured to authenticate to an external ldap server (openLDAP in my case)? To make things clearer, this is the objective that I want to achieve: I want authentication of Microsoft Active Directory's clients to be done by OpenLDAP server on Linux. So, when a client of Microsoft Active Directory authenticates itself to MS AD, MS AD will ask openLDAP for authentication service. openLDAP will return reject or allow to MS AD. I believe that this can be achieved by using Kerberos. I currently have GSSAPI mechanism running on my openLDAP server, but I am not sure how to make MS AD talk to my openLDAP server. Any idea, suggestions, hints will be very appreciated Cheers - Lara

- Life, you see, is never as good or as bad as one thinks - Guy de Maupassant - Do you Yahoo!? *Yahoo! Mail* http://us.rd.yahoo.com/mailtag_us/*http://mail.yahoo.com - More reliable, more storage, less spam
Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??
Most universities have to do it this way since they already have kerberos realms in place and aren't willing to migrate everything to AD. The problem comes when a user needs to access something using NTLMv2. Two ways around that -- Either sync passwords from the MIT kerberos realm (using something like DirXML - but that's a pain because the password must be changed once before it can be synced), or don't do password syncing and come up with another way for users to change their windows passwords (usually through a web page that authenticates off the MIT realm, then lets the user set/reset their password). Oh and I didn't say it in the last email, but to configure the kerberos name mapping, it is done in Users and Computers after turning on the Advanced view. Right click on the user account and there should be a Name Mappings selection.

Robbie Foust, IT Analyst Systems and Core Services Duke University

Roger Seielstad wrote: Cool... Didn't know about that one. (adds that to the list of stuff to try later) -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: Robbie Foust [mailto:[EMAIL PROTECTED] Sent: Thursday, March 18, 2004 9:49 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??

You actually don't configure AD, what you need to do is run ksetup.exe on the workstations (must be 2000 or XP) and add the kerberos realm's kerberos servers. (ksetup is part of the support tools). For example: C:\ ksetup /addkdc MIT.KERBREALM.COM kserver.kerb.com and then when the user logs in, they must select that realm from the drop down list. Also, the user account in AD needs to have the kerberos name mapping added so AD will know how to match up the accounts. The name mapping would be something like [EMAIL PROTECTED]. So basically, the password stored in AD is ignored. Let me know if this helps, or if this isn't what you're trying to do at all.
:-)

Robbie Foust, IT Analyst Systems and Core Services Duke University

Lara Adianto wrote: Hi guys, As what the subject title said: can Microsoft Active Directory be configured to authenticate to an external ldap server (openLDAP in my case)? To make things clearer, this is the objective that I want to achieve: I want authentication of Microsoft Active Directory's clients to be done by OpenLDAP server on Linux. So, when a client of Microsoft Active Directory authenticates itself to MS AD, MS AD will ask openLDAP for authentication service. openLDAP will return reject or allow to MS AD. I believe that this can be achieved by using Kerberos. I currently have GSSAPI mechanism running on my openLDAP server, but I am not sure how to make MS AD talk to my openLDAP server. Any idea, suggestions, hints will be very appreciated Cheers - Lara

- Life, you see, is never as good or as bad as one thinks - Guy de Maupassant - Do you Yahoo!? *Yahoo! Mail* http://us.rd.yahoo.com/mailtag_us/*http://mail.yahoo.com - More reliable, more storage, less spam
Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??
Sorry I left that part out... Yes, you would have a one way trust (AD realm trusts the MIT kerberos realm). :-) The MIT realm is used for authentication and AD is used for authorization. I have nightmares at night about this! :-) haha

Robbie Foust, IT Analyst Systems and Core Services Duke University

Mulnick, Al wrote: Universities wouldn't want to use a realm trust scenario vs. this? Does this offer other advantages?

-Original Message- From: Robbie Foust [mailto:[EMAIL PROTECTED] Sent: Thursday, March 18, 2004 10:09 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??

Most universities have to do it this way since they already have kerberos realms in place and aren't willing to migrate everything to AD. The problem comes when a user needs to access something using NTLMv2. Two ways around that -- Either sync passwords from the MIT kerberos realm (using something like DirXML - but that's a pain because the password must be changed once before it can be synced), or don't do password syncing and come up with another way for users to change their windows passwords (usually through a web page that authenticates off the MIT realm, then lets the user set/reset their password). Oh and I didn't say it in the last email, but to configure the kerberos name mapping, it is done in Users and Computers after turning on the Advanced view. Right click on the user account and there should be a Name Mappings selection.

Robbie Foust, IT Analyst Systems and Core Services Duke University

Roger Seielstad wrote: Cool... Didn't know about that one. (adds that to the list of stuff to try later) -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: Robbie Foust [mailto:[EMAIL PROTECTED] Sent: Thursday, March 18, 2004 9:49 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??
You actually don't configure AD, what you need to do is run ksetup.exe on the workstations (must be 2000 or XP) and add the kerberos realm's kerberos servers. (ksetup is part of the support tools). For example: C:\ ksetup /addkdc MIT.KERBREALM.COM kserver.kerb.com and then when the user logs in, they must select that realm from the drop down list. Also, the user account in AD needs to have the kerberos name mapping added so AD will know how to match up the accounts. The name mapping would be something like [EMAIL PROTECTED]. So basically, the password stored in AD is ignored. Let me know if this helps, or if this isn't what you're trying to do at all. :-)

Robbie Foust, IT Analyst Systems and Core Services Duke University

Lara Adianto wrote: Hi guys, As what the subject title said: can Microsoft Active Directory be configured to authenticate to an external ldap server (openLDAP in my case)? To make things clearer, this is the objective that I want to achieve: I want authentication of Microsoft Active Directory's clients to be done by OpenLDAP server on Linux. So, when a client of Microsoft Active Directory authenticates itself to MS AD, MS AD will ask openLDAP for authentication service. openLDAP will return reject or allow to MS AD. I believe that this can be achieved by using Kerberos. I currently have GSSAPI mechanism running on my openLDAP server, but I am not sure how to make MS AD talk to my openLDAP server. Any idea, suggestions, hints will be very appreciated Cheers - Lara

- Life, you see, is never as good or as bad as one thinks - Guy de Maupassant - Do you Yahoo!? *Yahoo!
Mail* http://us.rd.yahoo.com/mailtag_us/*http://mail.yahoo.com - More reliable, more storage, less spam
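The pieces of this thread (ksetup on the workstation, the Kerberos name mapping on the AD account, the one-way trust with the AD password left behind for NTLM) put into one script, as an added example that is not from any of the posts. The realm MIT.KERBREALM.COM and KDC kserver.kerb.com are the ones in Robbie's ksetup line; the AD domain ad.example.edu, the user DN and the principal robbie are placeholders. The name mapping is written to the altSecurityIdentities attribute, which is what the "Name Mappings" dialog in AD Users and Computers fills in and what the white paper's "AltSecurityId" refers to. The trust itself is created in AD Domains and Trusts and is not scripted here. Run the ksetup part on the domain-joined workstation as a local administrator and the AD part with rights to write the user object.

```powershell
# Added example, not from the thread. Realm and KDC names are the ones Robbie used;
# the AD domain, the user DN and the principal "robbie" are placeholders.
$Realm            = 'MIT.KERBREALM.COM'
$Kdc              = 'kserver.kerb.com'
$Principal        = "robbie@$Realm"
$UserDn           = 'CN=Robbie Foust,CN=Users,DC=ad,DC=example,DC=edu'   # placeholder
$Base             = 'LDAP://DC=ad,DC=example,DC=edu'                      # placeholder
$SyncingPasswords = $false   # ASSUMPTION: no DirXML-style sync from the realm

# --- Workstation side (local admin; ksetup.exe is in the Support Tools).
# Register the realm's KDC and its kpasswd server so logons and password
# changes for realm principals are routed to the MIT realm, not to AD.
& ksetup /addkdc     $Realm $Kdc
& ksetup /addkpasswd $Realm $Kdc
& ksetup /dumpstate            # prints the realms and KDCs now registered

# --- AD side. The DC needs exactly one account for an incoming realm principal,
# so refuse to add a mapping that some other account already carries.
$mapping  = "Kerberos:$Principal"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$Base)
$searcher.Filter = "(altSecurityIdentities=$mapping)"
$already = $false
foreach ($hit in $searcher.FindAll()) {
    if ($hit.Path -eq "LDAP://$UserDn") { $already = $true }
    else { throw "$mapping is already mapped to $($hit.Path); a mapping must be unique" }
}

$user = [ADSI]"LDAP://$UserDn"
if (-not $already) {
    $user.PutEx(3, 'altSecurityIdentities', @($mapping))   # 3 = ADS_PROPERTY_APPEND
    $user.SetInfo()
}

# The AD password is not consulted for a Kerberos logon through the trust, but it
# is still what NTLM checks (this is the NTLMv2 problem from the thread). If the
# realm password is not being synced into AD, keep the AD one long and random so
# NTLM cannot be used with a stale or guessable value.
if (-not $SyncingPasswords) {
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 32
    $rng.GetBytes($buf)
    $user.SetPassword([Convert]::ToBase64String($buf))
}

# Read back to confirm the mapping landed.
$user.RefreshCache()
$user.altSecurityIdentities
```

Two things to check after running it: `ksetup /dumpstate` should list the realm with the KDC you added and nothing else unexpected (a machine that already had a stray `/addkdc` entry will try that server first), and a search for `(altSecurityIdentities=Kerberos:*)` across the domain should return one account per principal; two accounts carrying the same value is the usual cause of a realm logon failing with no useful error.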
Re: [ActiveDir] Microsoft Patch
Well, SUS is also missing reporting and auditing, if I remember correctly... I can't wait to see the new version though (anyone know the beta guest id?) Several departments here use a product called Bigfix (www.bigfix.com) and it seems to work very well. It's scalable and even integrates with AD. :)

- Robbie

Robbie Foust, IT Analyst Systems and Core Services Duke University

Roger Seielstad wrote: I'm running SUS 1.1 quite successfully for about 700 client machines (and servers). SUS 2, which is due in beta within the next 30 days or so, is going to add Office and a few other products for patching, which really is all that SUS is missing. I prefer the SUS methodology of an agent on the client that pulls down the updates as they are available - we have a lot of highly mobile users so that really makes things work well for us. Things like HKNetCheck require the box be online when you push the patches, which doesn't work well in a lot of environments. Roger -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: Cariglia, Daniel [mailto:[EMAIL PROTECTED] Sent: Monday, March 15, 2004 4:43 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Microsoft Patch

I am in the process of looking at alternatives to distribute/manage Microsoft patches. We have SUS running in a lab setup and it seems alright. My question is are there superior products out there that someone has used and can recommend that work well with AD? Running AD with an empty root and 2 child domains where the users reside, users are either Windows 2000 Pro or XP Pro. Any suggestions would be appreciated. Thank You, Dan
Re: [ActiveDir] RIS and software install by GPO replacement
Seyboldt, Volker wrote: But be aware that you cannot use Altiris and RIS in the same network...

Sure you can -- Just configure both pxe servers to respond only to known hosts - although this also depends on the configuration of your DHCP server. If ya have multiple pxe servers with Altiris, then you can't have your dhcp server sending out an option 60. Not totally sure how this plays with RIS, but I'm sure they can work together. Microsoft's documentation even says so. :) Also, the Altiris pxe server used to have a limitation of how many MAC addresses you could list in the filter (it was a low number - like 48?) but I don't know if newer versions have raised that limit. At the time I was doing this, they blamed the limitation on Intel, but I'm skeptical about that...

Robbie Foust, IT Analyst Systems and Core Services Duke University
Re: [ActiveDir] Best practice for default domain controller policy
From everything I've read, configuring separate policies is the right thing to do - but don't disable your default domain policies. I think there are some settings that must be defined in the default policies, such as renaming the administrator account. (I think that's accurate - somebody correct me if I'm wrong.)

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Wilkinson, Stephen wrote:

Hi All,

When we were designing our Win 2003 AD about this time last year, we were advised by our MCS consultant to copy the default domain and default domain controller policies, and then customise, rather than customising the default ones themselves. Subsequently, now that we are in production, we have had a small DNS zone transfer problem which we escalated to Microsoft, and the response from the engineer included a change to the "Manage auditing and security log" policy on the DCs. No problem. But he then went on to say:

"Looking at the policy setup it could be either, as I notice that the default domain controller policy is disabled and replaced with a home grown one. (As an aside, that's definitely not best practice - the two default policies have well known GUIDs and some security mechanisms rely on writing effective settings to those policies.)"

I was wondering if anyone had any comments on that - as I thought we were doing the right thing - but I can't find any documentation to back up why we were doing it...

Regards
*Stephen Wilkinson*
Tel +44(0)207 4759276
Mobile +44(0)7973 143970
E-Mail: [EMAIL PROTECTED]
Re: [ActiveDir] RIS and software install by GPO replacement
I've used Altiris Deployment Solution - it's very good (has a learning curve) and I would highly recommend it.

Also, you might want to check out Microsoft's ADS stuff. Sorta like RIS but does an image, I think, instead of an install. Wish it would work for clients. It only works for servers. :-/

Ghost is ok but I am very disappointed with Symantec's support. When I worked at UNC-Chapel Hill, I was trying to solve a multicasting issue and Symantec was totally unwilling to help.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Jason Benway wrote:

I've started to research different options to replace RIS and deploying software via GPO. We are currently running Windows 2000 AD. We have 4 remote locations over different speed WAN links. Most of our PCs are Win2k or XP. I've been able to get by using RIS and GPO, but I'm growing sick of the limitations: RIS limited to broadcasts, having to redistribute software when I update an admin share (Office XP), not being able to redistribute to only a single machine, bandwidth issues for installs. I like the fact that RIS does an install, not an image, but I would like to be able to image my Dell servers, the blade servers mostly. I'm looking at Ghost, On.com, LANDesk, Altiris, SMS, etc. We have about 460 workstations total. I'm just looking for feedback from the group.

Thanks,
jb
Re: [ActiveDir] Account lockouts
Hi,

Actually, this brings up a question I've wanted to ask for some time. Why does Event ID 1083 get logged when an account is locked out? I'm trying to understand what exactly is causing the "directory is busy" message.

Thanks!

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Mike Hogenauer wrote:

Question,

We have 3 domain controllers in a single forest, single domain environment running Windows 2000 Server. I have 2 domain accounts that constantly get locked out. I keep getting this error, even after checking LDAP for duplicate accounts; I've moved the user account to a different OU and forced replication, etc. Also checked the Microsoft KB, tried all suggestions. I've also had the user log off all terminal sessions, manually change the account password and then forced replication. I'm close to deleting and recreating the account.

Thanks in advance for any help!

Mike

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083
Date: 3/10/2004
Time: 2:37:32 PM
User: Everyone
Computer: AD1
Description:
Replication warning: The directory is busy. It couldn't update object CN=,CN=Users,DC=Domain,DC=com with changes made by directory 800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try again later.
Re: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several new experiences.
Tivoli? Did someone say Tivoli? Yuck! I don't run Tivoli monitoring on my AD servers as I have avoided it like the plague, but we do have a Tivoli presence here, and I really really dislike it. I agree with your statement that IBM has no understanding of Windows. It's like they get the product to compile, and then they're done.

Right now I just use custom written scripts for monitoring, but have looked at MOM. Haven't made a decision on it yet though.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

joe wrote:

Guido Guido Guido

You insult me man... Of course I knew my replication was working in 2K. Both because it is monitored with custom joe scripts and we build DCs/GCs on a regular basis. Also we have a couple of thousand password changes a day, and if every one had to be forwarded to the PDC my PDC would be falling over.

We would use MOM but our company seems to think Tivoli is the way to go... I am not so sure, it seems they are really good at generating reports of which version of Tivoli is running but I can't see any other value. Of course the version of Tivoli running is exciting and important stuff... But... Well you know... I would kind of like to know about my Servers, not Tivoli. Does anyone have any good Tivoli stories? I haven't encountered anyone but IBM people and quite frankly, my opinion of IBM in the last year has gone from Ok to they positively suck and really have no understanding of Windows or what it takes to run an Enterprise... Check out their RSA solution, they need to go RAID Dell and hire away the DRAC guys. The Dell DRAC has the RSA beat by several years at least.

Anyway, the issue according to the PSS guys was a new duplicate checking capability and this bad data was firing that functionality off... They didn't go into it any further than that. I.E. The 2K machines said, ok, you want me to replicate garbage, I have no problem with that. Whereas K3 said, NFW. Unfortunately they said NFW and then told me a story about mice in the south of France for the error message versus "you have bad data".

BTW, I will get to the other posts hopefully within the week, I have been hitting these one off (look at the last 5 posts) and see I have about 300 messages to read. Trying to finish up my review for Inside AD 2/E, really behind on that. Also I have to check out something for one of the Vendors that looks really cool that I asked for a long time ago.

joe

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Sunday, March 07, 2004 1:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several new experiences.

Thanks Joe for the heads up - haven't had this one myself. However, I wonder what you're using today to monitor replication of your AD? I suspect you'd have had similar replication issues with the European partition all along - no? Or was the bad data on a multivalued attribute of a printer object, which was preventing the replication during the new 2003 GC promotion, somehow known to all the other European DCs and GCs in your forest prior to trying to promote that new DC to a GC?

Could also be that 2000 was less fussy about this bad data, and now with some additional checks done on 2003 DCs, they don't replicate this data. I know for sure that this was the case during our implementation of 2k3 during the JDP over a year ago, but it was related to Foreign Principal Objects (FPO) that didn't have GUIDs, which were replicating fine between 2000 DCs, but not to 2003 DCs. Basically, the 2000 DCs were too stupid to notice that there is a problem with the corrupt FPOs and just ignored them. 2003, with the new added functionality around Single Instance Store for ACEs etc., required to perform more checks on the data though. However, our problem was fixed in the RTM code of 2003 - but I wonder if you've hit something similar, or if your problem also existed in 2000 and could have been seen prior to doing the 2003 forest/domain prep and introducing any new 2003 DCs? Would be good to know...

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, 6 March 2004 19:39
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [Lessons Learned]: Schema Mismatch promoting first K3 DC to GC in production forest... Several new experiences.

I wanted to document some stuff I learned this week. We finally have a K3 load with all of the stuff the company wants in it and tested, etc., so we started deploying some K3 domain controllers. I tested this all out in our Exchange lab of course and it all worked well; in fact K3 DCs running in Virtual Server partitions were responding to queries faster than 2K DC running on physical hardware