RE: [ActiveDir] Exchange store size
Lazy way to do it ... run the Microsoft Exchange Best Practices Analyzer Tool against all your servers and stores. When you view the report under detailed view under statistics summary, it will give you the number of mailboxes and the size of the store for both public and private mailboxes.

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Rasmuson
Sent: Friday, January 06, 2006 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange store size

This script should do exactly what you're looking for: http://gsexdev.blogspot.com/2004/12/listing-file-sizes-of-all-exchange.html I've used some of Glen Scales' other scripts. His is a very useful Exchange blog.

Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, January 06, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange store size

I checked Google and all I get are links to check the size of one mailbox. I'm trying to avoid Explorer. I have a lot of Exchange servers and I'd just like to get the size of each store in each storage group on each server. Explorer would kill me and ESM only gives you per-mailbox size. I'm not proficient in CDO. ExBPA actually gives you the size of every store together in your entire Org without giving you a per-server or per-store stat. I just thought there was a tool that can do something this basic already available. Deji, sorry for how basic this question sounds. I wouldn't bug this list (the way I used to) without doing some research first, and I honestly couldn't come up with anything. My apologies. Thanks a lot.

On 1/6/06, Joe Pochedley [EMAIL PROTECTED] wrote:
Windows Explorer?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, January 06, 2006 2:29 PM
To: activedirectory
Subject: [ActiveDir] Exchange store size

Is there any quick, easy way to get the size of all your Exchange 2k mailbox/public stores in your Org?

Thanks

The information contained in this e-mail transmittal, including any attached document(s), is confidential. The information is intended only for the use of the named recipient. If you are not the named recipient, you are hereby notified that any use, disclosure, copying, or distribution of the contents hereof is strictly prohibited.
RE: [ActiveDir] Exchange store size
Misread your post initially, but I think you might not have dug down deep enough in the ExBPA tool. I think the info is there by server ...

Admin Group - First Admin Group
  Exchange Servers
    Name of Server
      Information Store
        First Storage Group
          MailBox Store (server name)
            CIM_DataFile.name - path to store
            File Size =

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Friday, January 06, 2006 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange store size

Lazy way to do it ... run the Microsoft Exchange Best Practices Analyzer Tool against all your servers and stores. When you view the report under detailed view under statistics summary, it will give you the number of mailboxes and the size of the store for both public and private mailboxes.

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Rasmuson
Sent: Friday, January 06, 2006 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange store size

This script should do exactly what you're looking for: http://gsexdev.blogspot.com/2004/12/listing-file-sizes-of-all-exchange.html I've used some of Glen Scales' other scripts. His is a very useful Exchange blog.

Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, January 06, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange store size

I checked Google and all I get are links to check the size of one mailbox. I'm trying to avoid Explorer. I have a lot of Exchange servers and I'd just like to get the size of each store in each storage group on each server. Explorer would kill me and ESM only gives you per-mailbox size. I'm not proficient in CDO. ExBPA actually gives you the size of every store together in your entire Org without giving you a per-server or per-store stat. I just thought there was a tool that can do something this basic already available. Deji, sorry for how basic this question sounds. I wouldn't bug this list (the way I used to) without doing some research first, and I honestly couldn't come up with anything. My apologies. Thanks a lot.

On 1/6/06, Joe Pochedley [EMAIL PROTECTED] wrote:
Windows Explorer?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, January 06, 2006 2:29 PM
To: activedirectory
Subject: [ActiveDir] Exchange store size

Is there any quick, easy way to get the size of all your Exchange 2k mailbox/public stores in your Org?

Thanks
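The ExBPA report Robert describes gets its "File Size" figure from the CIM_DataFile WMI class, and that class can be queried directly to get the per-server, per-store number Tom was after instead of the org-wide total. The Windows PowerShell script below is an added example for this thread; it is not code from the list posts or from the gsexdev script linked above. The server names, drive letter and mdbdata path are assumptions (the defaults of an Exchange 2000/2003 install), and it needs Windows PowerShell with Get-WmiObject and admin rights on each server.

```powershell
# Added example: per-server, per-store on-disk size of Exchange 2000/2003
# databases via WMI (CIM_DataFile). Not code from the list or the linked blog.
# Assumptions: Windows PowerShell (Get-WmiObject), admin rights on each server,
# stores under the default mdbdata folder. Adjust the parameters as needed.
param(
    [string[]]$Servers = @('exch01', 'exch02'),             # placeholder names
    [string]$Drive     = 'C:',
    [string]$Path      = '\Program Files\Exchsrvr\mdbdata\'  # leading and trailing '\'
)

# WQL string literals need every backslash doubled. Filtering on Drive and Path
# stops WMI from enumerating the whole volume, which CIM_DataFile otherwise does.
$wqlPath = $Path.Replace('\', '\\')
$filter  = "Drive='$Drive' AND Path='$wqlPath' AND (Extension='edb' OR Extension='stm')"

$report = foreach ($server in $Servers) {
    try {
        $files = Get-WmiObject -ComputerName $server -Class CIM_DataFile `
                               -Filter $filter -ErrorAction Stop
    } catch {
        Write-Warning "$server : $($_.Exception.Message)"
        continue
    }
    # An Exchange 2000/2003 store is an .edb plus its .stm streaming file with the
    # same base name (priv1.edb + priv1.stm), so group on FileName and sum both.
    $files | Group-Object -Property FileName | ForEach-Object {
        $bytes = ($_.Group | Measure-Object -Property FileSize -Sum).Sum
        New-Object PSObject -Property @{
            Server = $server
            Store  = $_.Name
            SizeMB = [math]::Round($bytes / 1MB, 1)
            Files  = (@($_.Group | ForEach-Object { $_.Name }) -join '; ')
        }
    }
}

$report | Sort-Object Server, Store | Format-Table Server, Store, SizeMB, Files -AutoSize
```

Run it as `.\Get-StoreSizes.ps1 -Servers exch01,exch02 -Drive 'D:'` (script name assumed). Stores placed outside the default folder, or spread over several storage groups on different drives, need one run per location or an extra loop over a list of drive/path pairs; the file-size figure is the on-disk size including white space, the same number ExBPA and Explorer show, not the logical mailbox total.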
RE: [ActiveDir] Biggest AD Gripes
It would be nice if the LimitLogin V 1.0 functionality were built into AD somehow. Haven't looked in a while. Maybe they've come out with something better.

Robert

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
I misspoke. One is jao-dc1 and the other is jao-ad. Those are the only two DCs in the network. There was an old DC many moons ago, but it has long since been demoted. I'll look at the metadata and see if I see any junk as well.

R-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Robert, hold on a sec, before you open a case. Are those your only two DCs? Their names are DC1 and DC2?? In your FRS debug log, you see that the EPT_S_NOT_REGISTERED is referring to jao-ad.lajao.org. Was jao-ad at some point a domain controller, or does that name have any other significance to you? If that used to be a DC, then I'd recommend going through this article to remove all the metadata junk:

216498 How to remove data in Active Directory after an unsuccessful domain
http://support.microsoft.com/?id=216498

You didn't mention any other problems, but if you once had this jao-ad server as a DC then the KCC on your other DCs would be complaining in the event log because they can't replicate with jao-ad.

If I just saved you $245, a big THANK YOU will do :-) Come to think of it, if I just saved YOU $245 dollars then I just cost myself $245 dollars (I own part of the company of course). Please disregard everything above...LOL :-)

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Tried your suggestion and the file does replicate in both directions in the sysvol folder. Firewalls are off on both DCs and I successfully did portqry on the ports shown in the KB article (NtFRS Service, MS NT Directory DRS). My ports were slightly different, but I was guessing that was expected behavior. (DC1 used 1071, 1025, 1030 and DC2 used 1053, 1026, 1027.) Guess I'll take your other advice and open a case with PSS.

Thanks!
Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Hey Robert...you mentioned I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions. Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped, but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet). FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across...it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here, but it may take weeks to get all the details out so that any progress would be made (FRS is hard enough to troubleshoot in person sometimes...hehe). I hope that was helpful; have a great afternoon!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

I'm getting the following error when I run the FRSDIAG utility.

FRSDiag v1.7 on 6/28/2005 8:08:25 AM
.\jao-dc1 on 2005-06-28 at 8.08.25 AM
Checking for errors in Directory Service Event Log passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
It appears as if it's a recurring error. I agree with your logic about not fixing what isn't broken. I waited a week before I posted here to see if the error cleared. No luck. How long does it take the FRS logs to wrap? Can they be cleared manually?

R-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Patrick
Sent: Tuesday, June 28, 2005 2:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

So even though you are replicating fine both ways and you don't see any real problem - you want to open a PSS case for this error in a debug log? Is this a consistent error in your FRS logs or was it a one-time error? I dunno - just seems kinda silly to me to tshoot something which may have been a passing network hiccup or is simply not occurring any more. FRSdiag is simply parsing out your FRS logs for keywords - as long as those entries are in your logs (until the logs wrap) you will get the alert. The real deal is to see if your latest log entries have the same error.

my .02
steve

----- Original Message -----
From: Robert N. Leali [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 11:38 AM
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Tried your suggestion and the file does replicate in both directions in the sysvol folder. Firewalls are off on both DCs and I successfully did portqry on the ports shown in the KB article (NtFRS Service, MS NT Directory DRS). My ports were slightly different, but I was guessing that was expected behavior. (DC1 used 1071, 1025, 1030 and DC2 used 1053, 1026, 1027.) Guess I'll take your other advice and open a case with PSS.

Thanks!
Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Hey Robert...you mentioned I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions. Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped, but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet). FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across...it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here, but it may take weeks to get all the details out so that any progress would be made (FRS is hard enough to troubleshoot in person sometimes...hehe). I hope that was helpful; have a great afternoon!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

I'm getting the following error when I run the FRSDIAG utility.

FRSDiag v1.7 on 6/28/2005 8:08:25 AM
.\jao-dc1 on 2005-06-28 at 8.08.25 AM
Checking for errors in Directory Service Event Log passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 884: S0
[ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
I'm getting the following error when I run the FRSDIAG utility.

FRSDiag v1.7 on 6/28/2005 8:08:25 AM
.\jao-dc1 on 2005-06-28 at 8.08.25 AM
Checking for errors in Directory Service Event Log passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 884: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - rpc exception]
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 904: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - Send Penalty]
Found 3 EPT_S_NOT_REGISTERED error(s)! Latest ones (up to 3) listed above . failed with 3 error entries
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed

I have 2 domain controllers in a Windows 2003 domain, both running AD-integrated DNS. I followed KB article 839880, "How to troubleshoot RPC Endpoint Mapper errors in Windows Server 2003", and was not able to produce an error following all of the tests mentioned in the article that I ran (DCDIAG, NETDIAG, Repadmin, Ntdsutil, Gpotool, Portqry). I did not run ADMT or DCPROMO. I also ran nslookup and verified my DNS was returning the proper IP address. I checked to see if the FRS service was running on both computers and it is indeed started. I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Everything seems to be working properly. Can I safely ignore this error? Does anyone know of a KB article that can help me correct this error or shed some light on what might be causing it?

Robert
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
Tried your suggestion and the file does replicate in both directions in the sysvol folder. Firewalls are off on both DCs and I successfully did portqry on the ports shown in the KB article (NtFRS Service, MS NT Directory DRS). My ports were slightly different, but I was guessing that was expected behavior. (DC1 used 1071, 1025, 1030 and DC2 used 1053, 1026, 1027.) Guess I'll take your other advice and open a case with PSS.

Thanks!
Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Hey Robert...you mentioned I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions. Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped, but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet). FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across...it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here, but it may take weeks to get all the details out so that any progress would be made (FRS is hard enough to troubleshoot in person sometimes...hehe). I hope that was helpful; have a great afternoon!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

I'm getting the following error when I run the FRSDIAG utility.

FRSDiag v1.7 on 6/28/2005 8:08:25 AM
.\jao-dc1 on 2005-06-28 at 8.08.25 AM
Checking for errors in Directory Service Event Log passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 884: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - rpc exception]
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 904: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - Send Penalty]
Found 3 EPT_S_NOT_REGISTERED error(s)! Latest ones (up to 3) listed above . failed with 3 error entries
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed

I have 2 domain controllers in a Windows 2003 domain, both running AD-integrated DNS. I followed KB article 839880, "How to troubleshoot RPC Endpoint Mapper errors in Windows Server 2003", and was not able to produce an error following all of the tests mentioned in the article that I ran (DCDIAG, NETDIAG, Repadmin, Ntdsutil, Gpotool, Portqry). I did not run ADMT
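Steve's point in this thread is that FRSDiag only greps the NtFrs_NNNN.log files for keywords, so an error that stopped happening keeps being reported until the logs wrap, and Robert Williams's point is that the "To jao-ad.lajao.org" field names the partner the send failed against. The Windows PowerShell below is an added example for the thread, not code from any of the posts or from FRSDiag: it groups EPT_S_NOT_REGISTERED hits by log file and target and flags whether the newest log still contains them. The sample lines are constructed to match the format quoted in the FRSDiag output above; the NtFrs_NNNN.log numbering (higher is newer) and the %SystemRoot%\debug location are the standard FRS debug-log layout.

```powershell
# Added example (not from the thread): summarise EPT_S_NOT_REGISTERED hits in
# FRS debug logs by log file and target host, so a stale entry in an old log can
# be told apart from a recurring one. Assumes NtFrs_NNNN.log naming (higher
# number = newer), as seen in the FRSDiag output quoted in the thread.
function Get-FrsEndpointErrors {
    param(
        [Parameter(Mandatory = $true)][string[]]$LogLines,  # lines of one log file
        [string]$Pattern = 'EPT_S_NOT_REGISTERED'
    )
    foreach ($line in $LogLines) {
        if ($line -notmatch $Pattern) { continue }
        # FRS send-failure lines carry an hh:mm:ss stamp and "To <partner fqdn>".
        $time = if ($line -match '(\d{2}:\d{2}:\d{2})') { $Matches[1] } else { '' }
        $to   = if ($line -match '\bTo (\S+)') { $Matches[1] } else { '(no target)' }
        New-Object PSObject -Property @{ Time = $time; Target = $to; Line = $line.Trim() }
    }
}

function Get-FrsErrorSummary {
    param([Parameter(Mandatory = $true)][hashtable]$LogsByFile)  # file name -> string[]
    # Order the logs by their sequence number; the last one is the current log.
    $ordered = $LogsByFile.Keys | Sort-Object { [int]($_ -replace '\D', '') }
    $newest  = $ordered | Select-Object -Last 1
    foreach ($file in $ordered) {
        @(Get-FrsEndpointErrors -LogLines $LogsByFile[$file]) |
            Group-Object -Property Target | ForEach-Object {
                New-Object PSObject -Property @{
                    LogFile  = $file
                    Target   = $_.Name
                    Count    = $_.Count
                    LastSeen = ($_.Group | Select-Object -Last 1).Time
                    InNewest = ($file -eq $newest)   # still failing in the current log?
                }
            }
    }
}

# Constructed sample in the shape of the lines quoted in the thread (not real
# log files): the old log holds the three failures, the newer one is clean.
$sample = @{
    'NtFrs_0004.log' = @(
        'SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED',
        'SndCsMain: 700: 884: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - rpc exception]',
        'SndCsMain: 700: 904: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - Send Penalty]'
    )
    'NtFrs_0005.log' = @(
        'SndCsMain: 700: 910: S0: 09:02:11 :SR: Cmd 01225c78, CxtG a0cc0d78, WS ERROR_SUCCESS, To jao-ad.lajao.org Len: (366)'
    )
}

Get-FrsErrorSummary -LogsByFile $sample |
    Format-Table LogFile, Target, Count, LastSeen, InNewest -AutoSize

# On a real DC, build the hashtable from the FRS debug directory instead:
#   $logs = @{}
#   Get-ChildItem "$env:SystemRoot\debug\NtFrs_*.log" |
#       ForEach-Object { $logs[$_.Name] = Get-Content $_.FullName }
#   Get-FrsErrorSummary -LogsByFile $logs
```

With the constructed sample the old log reports three hits (two against jao-ad.lajao.org, one with no target) and InNewest is False for all of them, which is the "passing hiccup" case Steve describes; a row with InNewest = True against a host that is no longer a DC is the stale-metadata case Robert Williams points at.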
[ActiveDir] DC not failing over in single domain environment
I have a single-domain, multi-site environment, Windows Server 2003 Standard version. I have two DCs sitting on the same subnet that are replicating to each other, and both are Global Catalog servers. When one of the DCs goes down, users lose access to resources (i.e. Exchange 2003 can't look up the address book, IE can't get web pages through authenticated ISA 2000, etc.). Basically, the LDAP queries seem to be failing. My guess is that the DCs are not registered properly in DNS, as the clients can't find the failover DC when one fails. I found a Group Policy that seems to solve the problem under Computer Configuration - Administrative Template - System - Net Logon - DC Locator DNS - Dynamic Registration of the DC Locator DNS records - not configured. My question is, am I on the right track here? If so, is there a KB article that shows proper configuration, or does anyone have some recommended settings for the above scenario? If I'm not on the right track, where would you look next? DCDIAG and NetDiag are showing all tests as passed. The only one with additional information is:

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '172.17.4.22' and other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS server '172.17.4.2' and other DCs also have some of the names registered.

Any help, advice and thoughts are greatly appreciated.

Robert
RE: [ActiveDir] DC not failing over in single domain environment
Yes, they both are GCs.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carerros, Charles
Sent: Friday, February 25, 2005 3:14 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] DC not failing over in single domain environment

Are both DCs GCs as well? I believe that they both need to be so if you want them to fail over for Exchange.

-----Original Message-----
From: Robert N. Leali [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 25, 2005 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC not failing over in single domain environment

I have a single-domain, multi-site environment, Windows Server 2003 Standard version. I have two DCs sitting on the same subnet that are replicating to each other, and both are Global Catalog servers. When one of the DCs goes down, users lose access to resources (i.e. Exchange 2003 can't look up the address book, IE can't get web pages through authenticated ISA 2000, etc.). Basically, the LDAP queries seem to be failing. My guess is that the DCs are not registered properly in DNS, as the clients can't find the failover DC when one fails. I found a Group Policy that seems to solve the problem under Computer Configuration - Administrative Template - System - Net Logon - DC Locator DNS - Dynamic Registration of the DC Locator DNS records - not configured. My question is, am I on the right track here? If so, is there a KB article that shows proper configuration, or does anyone have some recommended settings for the above scenario? If I'm not on the right track, where would you look next? DCDIAG and NetDiag are showing all tests as passed. The only one with additional information is:

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '172.17.4.22' and other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS server '172.17.4.2' and other DCs also have some of the names registered.

Any help, advice and thoughts are greatly appreciated.

Robert
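Whether a client can fail over to the surviving DC comes down to what the DC Locator SRV records on each DNS server advertise, and, as Charles notes, Exchange additionally needs the survivor to be advertised as a GC. The Windows PowerShell function below is an added example for this thread, not code from the posts: it asks each DNS server directly for the _ldap._tcp.dc._msdcs and _gc._tcp SRV records and reports which DCs appear and which of those are GCs. It assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later; on the 2003-era systems in the thread the same queries can be typed into nslookup with set type=SRV). The domain name is a placeholder; the two DNS server addresses are the ones from the dcdiag output above.

```powershell
# Added example (not from the thread): list the DCs each DNS server advertises
# through the DC Locator SRV records, and whether each is also advertised as a
# GC, which Exchange needs in order to fail over. Assumes Resolve-DnsName
# (DnsClient module, Windows 8 / Server 2012 or later). The domain name is a
# placeholder; the DNS server addresses are those quoted in the thread.
function Get-DcLocatorRecords {
    param(
        [string]$Domain       = 'corp.example',                  # placeholder; single-domain forest
        [string[]]$DnsServers = @('172.17.4.22', '172.17.4.2')
    )
    foreach ($dns in $DnsServers) {
        try {
            # _ldap._tcp.dc._msdcs.<domain> lists every DC; _gc._tcp.<forest root> lists GCs.
            # -DnsOnly skips the hosts file and name cache so the answer is the server's own.
            $dcRecords = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                               -Server $dns -DnsOnly -ErrorAction Stop |
                           Where-Object { $_.QueryType -eq 'SRV' })
            $gcRecords = @(Resolve-DnsName -Name "_gc._tcp.$Domain" -Type SRV `
                               -Server $dns -DnsOnly -ErrorAction Stop |
                           Where-Object { $_.QueryType -eq 'SRV' })
        } catch {
            Write-Warning "$dns : $($_.Exception.Message)"
            continue
        }
        $gcHosts = @($gcRecords | ForEach-Object { $_.NameTarget.ToLower() })
        foreach ($r in $dcRecords) {
            New-Object PSObject -Property @{
                DnsServer = $dns
                DC        = $r.NameTarget
                LdapPort  = $r.Port
                IsGC      = ($gcHosts -contains $r.NameTarget.ToLower())
            }
        }
    }
}

# Every DC a client should be able to fail over to must show up on both DNS
# servers, and with IsGC = True for Exchange. A DC missing from one server's
# answer is the registration gap the Net Logon "Dynamic Registration" policy
# and a Net Logon restart (which re-registers the records) address.
Get-DcLocatorRecords | Sort-Object DnsServer, DC |
    Format-Table DnsServer, DC, LdapPort, IsGC -AutoSize
```

To see what a particular client actually picks after one DC goes down, run `nltest /dsgetdc:<domain> /gc /force` on that client: /force bypasses the cached DC, so it exercises the same SRV lookup the function above performs, and a failure there with both DCs still listed in DNS points away from registration and toward the client's DNS server order or the Exchange DSAccess configuration instead.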
RE: [ActiveDir] OT:problem
Maybe you could install Virtual PC on the box with the tape drive and do the restore into a virtual environment??

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, January 26, 2005 9:04 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:problem

Say your company had a lawsuit and you needed to restore a few months of Exchange 2k email. And say you only backed up the entire info store. No brick-level backups. And say your deleted item retention was only 30 days. And then say you only have one tape drive, which is being used to back up your network. Thus your new AD forest recovery server had no tape drive to recover your Veritas Backup Exec backed-up Exchange server. What would you do? You don't have time to order another tape drive. The tape drive of your current backup server has the wrong SCSI cable for your recovery server. Could you install a new Exchange server in your domain and redirect the restore to that, without screwing up your forest/org? Does Backup Exec have an option to restore an info store from tape to a file? Can ntbackup read a Veritas tape? What would you do? This is a real issue for me now. I have a tape backup and a recovery server in a recovery forest with no tape drive.

thanks
RE: [ActiveDir] Legal Question
This is an interesting/humorous article that ran on the topic in June of 2004 about Time, Inc.'s disclaimer and its validity. http://slate.msn.com/id/2101561/

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sat 1/22/2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Legal Question

Does anyone know if disclaimers like the one below are actually legally binding on anyone? And if the answer is yes, has it ever really been tested in court? You don't have to agree to anything to read the email; you just look, and by the point you see the disclaimer it is too late, you have picked up the information in the note. The fact that you don't necessarily agree to it I think would mean you could forward it as you wish, unless you worked for the company who stuck the disclaimer on the note in the first place. I think telling me I have to delete it if it doesn't pertain to me is like telling me I have to close my ears and forget anything I hear if a neighbor says something within my range and then says it can't be disclosed.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stockbrugger, Brian L.
Sent: Friday, January 21, 2005 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Creating user accounts, home folders and assigning permissions to user and groups

I need to create about 3400 user accounts, create home folders and assign the appropriate user and group permissions to the home drives automagically. We are using Windows Server 2003 and AD with a single domain. I know how to create the user accounts and home folders but am not sure of the best approach to assign the permissions. Any suggestions on doing all three, or at least the permissions part?

Thanks - Brian

CAPISTRANO UNIFIED SCHOOL DISTRICT DISCLAIMER: This communication and any documents, files, or previous e-mail messages attached to it constitute an electronic communication within the scope of the Electronic Communication Privacy Act, 18 USCA 2510. This communication may contain non-public, confidential, or legally privileged information intended for the sole use of the designated recipient(s). The unlawful interception, use or disclosure of such information is strictly prohibited under 18 USCA 2511 and any applicable laws.
RE: [ActiveDir] LDAP export pros/cons
I'll take a hard look at this option. I do have an ISA server on the intranet/dmz segment that I could add another NIC to and route that NIC on the extranet segment. To answer your question, I do have internal network connectivity with the third party via a fiber connection in the same building, separated by a Cisco PIX on our end.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Thursday, January 20, 2005 3:42 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

The crazy thing here is that they'd have to have the password too in order to make this a single or simplified-sign-on solution. I'd see that as a major issue. A trust has likely more access than you would want. Have you looked at what RADIUS solutions can do for you? Something along the lines of this http://www.isaserver.org/tutorials/ISA2004-RADIUS-Authentication-Web-Publishing-Rules-Part1.html with a little creativity might give you what you want. The third-party host would use your reverse proxy to permit or deny access. You'd have to allow access via the network at some point, but the RADIUS server could be in the extranet/dmz to help offset some possible concerns. I don't know as I'd use a regular trust for them, however. I think this is a case of best tool for the job. Unless you have network connectivity with them already?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

I understand what you are saying and agree. On the same topic, what do you suggest is the best practice for having users authenticate to a third party web portal? Is it better to set up a one-way non-transitive trust between the two forests or domains, or go with an LDAP export, assuming this is going to be a long term solution? The only thing we are trying to do is to allow our users to log into the third party web portal without having to learn an additional user name and password. I do not want to give out any more information than that about my users. Thanks for the quick responses.

R-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Thursday, January 20, 2005 2:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Not sure there are any documented risks. Risks being relational to the entity taking them. However, as a disinterested third party I'd have to point out that the risk is not technical in nature but rather about the information you're sharing. I suppose the information you give out is far more important to the conversation, but it seems you don't know these folks nor trust them really. If that's the case, then it's possible you could be giving out the account information to a non-trusted source. The questions you need to ask are "what can they do with the information I provide and can I take any action to protect myself?" Some folks wouldn't have a problem giving out that information. Others would. You'll need to assess that risk based on the information you plan to give out. Email addresses are a unique identifier, by the way. And usually public knowledge.

From: Robert N. Leali [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

That's correct. Looking for risks associated.

From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Thu 1/20/2005 2:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Are you looking for risks associated with giving your directory away to a semi-trusted third party? Did I paraphrase that correctly?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP export pros/cons

Can someone point me to a white paper or article that gives the pros and cons and security implications of allowing a semi-trusted third-party to access our AD with an LDAP export to an RSA server? We are being asked to allow our users to authenticate to a third party web portal using their current Windows 2003 AD accounts. The third party wants an LDAP export to their RSA server and an account that has appropriate access to allow authentication to the AD box. This is in an extranet environment. Any guidance or advice would be appreciated.

Robert
RE: [ActiveDir] LDAP export pros/cons
Maybe I'm not seeing the big picture of how this can be done with website redirection. Is it just a matter of making one mutual user account on both my web server and the third party portal server that is trusted by both machines and using that account to pass the web traffic after the users authenticate to my site? My ultimate goal is to keep my risk and exposure of user names/passwords/authentication to the bare minimum and still get the desired effect of not maintaining two user names/passwords per user. It's not that the third party isn't trusted as much as they aren't careful or vigilant in their security configurations and we have no control over that situation. We are trying to keep the attack surface coming from their side as small as possible because we are required to make the portal work for our users. I think I have a grasp on how reverse proxy web publishing can achieve this and still keep everything encrypted and semi-secure using certificates.

R-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chandra Burra
Sent: Friday, January 21, 2005 3:30 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP export pros/cons

I haven't worked that much on 3rd party integrations, but I have an idea. Can you try doing authentication redirections to that site? I mean, instead of people going to the 3rd party site for authentication, can they come to your own website, get authenticated through your LDAP or RSA server, and get redirected to the desired locations?

Regards,
Chandra

On Thu, 20 Jan 2005 23:54:28 -0500, joe [EMAIL PROTECTED] wrote:

Ditto. Whoever is running that web site gets to see all of the clear text passwords for every user that authenticates. I would say that is giving out a bit more info to the third party than you would normally like to supply. Heck, I don't even like doing that on intranet sites run by people in the same company, let alone someone outside of the company. Sort of on par with saying, hi, here are my most sensitive parts, and giving them to a third party and asking them to be nice to them.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Thursday, January 20, 2005 6:54 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Interesting. I may just not understand what you have in mind. I would agree, but I'm leery of LDAP bind for authentication in this scenario. In addition, it seems that it would not really provide the full amount of usefulness to the solution since the user has to also remember a different set of creds if they use this portal with dual id. Am I just misunderstanding, or were you thinking of something different??

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Thursday, January 20, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

Here's a common scenario, where an application like the web portal outsources authentication to an external directory but retains authorization. Your user hits the web portal and gets a prompt for her login ID and password. She enters that information and hits the OK button, and your portal then attempts to do an authenticated bind to the user's object in the LDAP directory, using the submitted ID and password. If the bind is successful, then the LDAP directory returns a successful acknowledgement to the portal. The portal hears that the user ID and password are correct, so the portal can then present the user with the appropriate content based on the portal permissions assigned to her account. The key here is that there has to be a common identifier in the portal and LDAP directory, so that the user gets the right stuff (based on the authorization in the portal) as a result of successful LDAP login (based on the LDAP authentication). Typically the common identifier is the logon ID, so that the portal knows that a successful LDAP bind to jane.doe should be associated with the jane.doe object in the portal. It would be a good idea to ask what specific attributes the portal is looking for, or even the syntax of the LDAP queries they hope to issue.

Hunter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

I understand what you are saying and agree. On the same topic, what do you suggest is the best practice for having users authenticate to a third party web portal? Is it better to set up a one-way non-transitive trust between the two forests or domains, or go with an LDAP export, assuming this is going to be a long term solution? The only thing we are trying
[ActiveDir] LDAP export pros/cons
Can someone point me to a white paper or article that gives the pros and cons and security implications of allowing a semi-trusted third-party to access our AD with an LDAP export to an RSA server? We are being asked to allow our users to authenticate to a third party web portal using their current Windows 2003 AD accounts. The third party wants an LDAP export to their RSA server and an account that has appropriate access to allow authentication to the AD box. This is in an extranet environment. Any guidance or advice would be appreciated.

Robert

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP export pros/cons
That's correct. Looking for risks associated.

From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Thu 1/20/2005 2:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Are you looking for risks associated with giving your directory away to a semi-trusted third party? Did I paraphrase that correctly?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP export pros/cons

Can someone point me to a white paper or article that gives the pros and cons and security implications of allowing a semi-trusted third-party to access our AD with an LDAP export to an RSA server? We are being asked to allow our users to authenticate to a third party web portal using their current Windows 2003 AD accounts. The third party wants an LDAP export to their RSA server and an account that has appropriate access to allow authentication to the AD box. This is in an extranet environment. Any guidance or advice would be appreciated.

Robert
RE: [ActiveDir] LDAP export pros/cons
I understand what you are saying and agree. On the same topic, what do you suggest is the best practice for having users authenticate to a third party web portal? Is it better to set up a one-way non-transitive trust between the two forests or domains, or go with an LDAP export, assuming this is going to be a long term solution? The only thing we are trying to do is to allow our users to log into the third party web portal without having to learn an additional user name and password. I do not want to give out any more information than that about my users. Thanks for the quick responses.

R-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Thursday, January 20, 2005 2:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Not sure there are any documented risks. Risks being relational to the entity taking them. However, as a disinterested third party I'd have to point out that the risk is not technical in nature but rather about the information you're sharing. I suppose the information you give out is far more important to the conversation, but it seems you don't know these folks nor trust them really. If that's the case, then it's possible you could be giving out the account information to a non-trusted source. The questions you need to ask are "what can they do with the information I provide and can I take any action to protect myself?" Some folks wouldn't have a problem giving out that information. Others would. You'll need to assess that risk based on the information you plan to give out. Email addresses are a unique identifier, by the way. And usually public knowledge.

From: Robert N. Leali [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

That's correct. Looking for risks associated.

From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Thu 1/20/2005 2:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Are you looking for risks associated with giving your directory away to a semi-trusted third party? Did I paraphrase that correctly?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP export pros/cons

Can someone point me to a white paper or article that gives the pros and cons and security implications of allowing a semi-trusted third-party to access our AD with an LDAP export to an RSA server? We are being asked to allow our users to authenticate to a third party web portal using their current Windows 2003 AD accounts. The third party wants an LDAP export to their RSA server and an account that has appropriate access to allow authentication to the AD box. This is in an extranet environment. Any guidance or advice would be appreciated.

Robert
RE: [ActiveDir] OT: Windows 2003 Clean Install results in high disk space utilization
One more thing you might look at: make sure you can see all the hidden and system files on the box, do a select all and then right-click on Properties and see what total size and size on disk is being used by the files. Then compare it against what is being reported as used space by Windows. I once had an alternate data stream get onto a box and that had similar symptoms.

Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lou Vega
Sent: Wednesday, October 27, 2004 12:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Windows 2003 Clean Install results in high disk space utilization

The other 3 are identical hardware-wise, i.e., all are 1655MC Blade servers in a single chassis. The other 3 were initially built this time last year. I'm to the point now where I'm just gonna slick the machine *again* and start fresh.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Wednesday, October 27, 2004 1:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Windows 2003 Clean Install results in high disk space utilization

Really. You have three others where it worked fine and one that doesn't? All were provisioned identically and only one has the issue? Hmm... :)

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] WAN outage caused issues...
Do you have the site DC/DNS box using itself as the alternate DNS server and the HQ as primary? Just a thought.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is Active Directory integrated. The DC itself is pointed at HQ for DNS lookups in its TCP/IP properties (although I don't think that matters?)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone set up there?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

OK, I got more info. Here's what's in the event logs of the workstations during the time they were broken:

10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available.

10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was There are currently no logon servers available to service the logon request. (0xc05e).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Burkes, Jeremy [Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example, if you give hostname and the workstation's domain name is domain.com, it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients, I believe, is:

1. DNS cache
2. Local hosts file
3. DNS server
4. LMHOSTS file
5. WINS

Jeremy
-
Jeremy Burkes
SSP MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

If the client is specifying \\hostname and there is no DNS search suffix set, then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

If they are using WINS for resolution then yes, it could be their issue. If their drive mappings are using WINS names and not DNS names, then that would make sense as to why they couldn't map them. I assume they were still able to log on and resolve the DC?

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

No, the site and subnet are defined properly; they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to headquarters for WINS. Could WINS be the issue? They couldn't contact WINS because of the WAN link outage, that's for sure.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir]
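The two LSASRV/SPNEGO events Russ pasted above are what a workstation logs when Kerberos cannot find a domain controller: the 40960 "downgrade attack" wording is alarming, but the Kerberos failure text inside it says no logon servers were available. The Python below is an added example, not from the thread: it parses event lines in that exported format and separates the no-logon-servers case from 40960 warnings that carry other failure codes. The third sample line and the 60-second pairing window are constructed assumptions.

```python
"""Triage LSASRV/SPNEGO warnings (event IDs 40960 and 40961) from workstation
event logs, separating "no DC reachable" noise from 40960 warnings that need
a closer look. Added example, not code from the thread; the log format and the
60-second pairing window are assumptions, and the third sample line is
constructed (the first two are the events quoted in the thread)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available.
10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was There are currently no logon servers available to service the logon request. (0xc05e).
10/4/2004 2:10:00 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350999 The Security System detected an attempted downgrade attack for server cifs/cae123fs02.ourdomain.com. The failure code from authentication protocol Kerberos was The specified user does not exist. (0xc0000064).
"""

# One exported event per line: timestamp, source, level, category, ID, user, host, text.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"LSASRV (?P<level>\w+) SPNEGO \(Negotiator\) (?P<event_id>\d+) "
    r"N/A (?P<host>\S+) (?P<message>.*)$"
)
SERVER_RE = re.compile(r"server (\S+)")          # first "server <spn>" in the text
CODE_RE = re.compile(r"\((0x[0-9A-Fa-f]+)\)")    # trailing NTSTATUS in parentheses


def parse_event(line):
    """Return a dict for one LSASRV/SPNEGO line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("message")
    srv = SERVER_RE.search(msg)
    codes = CODE_RE.findall(msg)
    return {
        "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        "event_id": int(m.group("event_id")),
        "host": m.group("host"),
        "server": srv.group(1).rstrip(".") if srv else None,
        "failure_code": codes[-1] if codes else None,
        # Kerberos could not find a KDC: an availability problem, not a downgrade.
        "no_logon_servers": "no logon servers available" in msg.lower(),
        "message": msg,
    }


def parse_log(text):
    """Parse every recognisable event line in an exported log."""
    return [e for e in (parse_event(line) for line in text.splitlines()) if e]


def triage(events, window=timedelta(seconds=60)):
    """Group events per (workstation, target SPN) and assign a verdict.

    dc_unreachable: a 40960 whose Kerberos failure says no logon servers were
    available; during a WAN outage this is expected and points at DNS/DC
    reachability. A 40961 for the same target inside the window is its usual partner.
    investigate: any other 40960, whose failure code has to be read individually.
    """
    by_target = defaultdict(list)
    for e in events:
        by_target[(e["host"], e["server"])].append(e)
    findings = []
    for (host, server), evs in sorted(by_target.items()):
        evs.sort(key=lambda e: e["time"])
        ids = sorted({e["event_id"] for e in evs})
        span = evs[-1]["time"] - evs[0]["time"]
        no_dc = any(e["event_id"] == 40960 and e["no_logon_servers"] for e in evs)
        findings.append({
            "host": host,
            "server": server,
            "event_ids": ids,
            "paired": 40960 in ids and 40961 in ids and span <= window,
            "failure_codes": sorted({e["failure_code"] for e in evs if e["failure_code"]}),
            "verdict": "dc_unreachable" if no_dc else "investigate",
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_EVENTS)):
        print(f"{f['host']} -> {f['server']}: {f['verdict']} "
              f"(events {f['event_ids']}, paired={f['paired']}, codes={f['failure_codes']})")
```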
RE: [ActiveDir] GPO's not always applied.
We had problems processing the machine policies and logon scripts till we made changes in our Cisco switches and turned on Fast Port. Here's a link to an article: http://www.cisco.com/warp/public/473/12.html I read Dell switches also show the same symptoms.

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Orlando
Sent: Monday, October 04, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO's not always applied.

Yes, thanks Eric. I think that is the approach I will go with for lack of a better one. Thanks for the input.

Mark

On Oct 4, 2004, at 12:50 PM, [EMAIL PROTECTED] wrote:

I've had a similar problem. In digging through the problem, I found some of the following, usually by tracing through the event log on the respective machine.

- Computer account had a problem in the domain - just needed to be removed and put back in.

- GPO policy processing - changed respective templates to always apply even if no changes had occurred.

- NIC/switch port config - found that there were cases where the computer would come up for login before the network connection was fully initialized. Once discovered it was simple to test. Simply boot up, log on, wait for everything to settle down. Then unplug the NIC and plug it back in. The network connection should come back immediately. If it doesn't, then it's possible that the computer may also be starting up before there's an available connection to a DC. This would cause inconsistent processing of user policies and prevent application of computer policies, other than those that had already been applied.

- Local policies on the computer - local policies seem inert and possibly unimportant once on the AD domain, but not in our environment. It was a 'twisted' implementation of local policies, scripts and other things to ensure that local policies applied, reapplied, and couldn't be unapplied. So when we migrated the machines to AD, we experienced an unbelievable series of unpredictable results. Needless to say, one of which was the lack of consistent GPO application. One of the permanent fixes was to automate the application of "Setup Security.inf" to all the respective clients upon their migration to AD.

The biggest problem by far was simply getting consistent failures to troubleshoot or getting the exact details of the respective occurrence from the desktop people in the field. When all else fails, turn up GPO and Winlogon logging, turn on failure auditing, get a fine tooth comb and settle in for a nice long debug session...

Hope this helps.

Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084 (M) 336.457.2591
www.vfc.com

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/04/2004 11:52 AM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] GPO's not always applied.

Hey Mark... You can try /computer configuration/administrative templates/system/group policy/scripts policy processing. You can set it to always process over slow connections, and even if the GPO hasn't changed.

HTH
John

From: Mark Orlando [EMAIL PROTECTED]
Sent by: Active Directory Mailing List [EMAIL PROTECTED]
10/04/2004 10:46 AM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO's not always applied.

I am having issues with GPO's not being fully applied at every login. I need to change this. I know it might have something to do with the volume of LAN traffic but I need to find a way around this. I also have some add-printer login scripts that don't always work either. I have the scripts running synchronously and slow link detection set to 0. Does anyone have any ideas?

Mark Orlando
Systems Administrator
I.T. Department
Linden Public Schools
RE: [ActiveDir] OT:spyware
It is possible to get virus infections even with current virus definitions. My experience with Nachi/Welchia and 5000+ workstations at my last employer taught me that. If you have Nachi/Welchia in your system on just one machine, it's going to continually try to find machines to infect in your subnets. If you have current virus definitions but you haven't applied the Microsoft patch, the machines will get reinfected and then the virus scanner will clean the machine, reporting that the virus was cleaned. It's a vicious cycle. Basically, you have to clean, patch, and then clean to end the cycle. In our situation, we used a start-up script to install the Microsoft patch on the machine and then execute McAfee's STINGER program to clean the virus.

As to spyware, we are using a web filter on the ISA Server to block spyware from ever getting to the machine. The vendor has a category called "spyware" that seems to cover everything except Gator/GAIN. We added URLs for those as well. So far, it seems to be working but we are only 3 weeks into the test. We also blocked downloading of executables and some other file types at the proxy.

Hope this helps...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 4:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

As re: Symantec, a lot of the viruses I've been getting lately have been viruses that are over a year old and defs have been out for a while, so I'm puzzled as to why I keep getting infected. The spyware/adware I think may be virus related and not web push related, but I'm not positive. When you say policy, are you referring to locking down desktops or a written set of standards provided by IT or upper management? It's difficult for me to block web sites on content as I work for a large liquor distribution firm where many sales reps and managers have to go to bar/club or liquor sites that have content which results in a lot of false positives for me. Finally, we have over 400 users and if I really had a large outbreak (100+ PCs), I really don't know how I would take care of it. I'm the only admin and going to each PC to clean individually would be insane. How would I take care of that? It's thoughts like that which keep me up at night.

Thanks

From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 29, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

There are examples out there of viruses elevating privileges, if that's what you're asking. The goal of virus defense is to limit the impact, not necessarily prevent every single infection. Things happen and you have to either decide to limit the amount of damage a virus or errant user or hacker, etc. can do, or you have to bet that you are catching everything before it happens. Not only in your experience, but logically, you cannot prevent everything. Virus defs lag exploits because one has to exist before the other. Turns out the virus usually exists before the def does, right?

Your spyware problem is different. It could be a lot of things, or it could be that this is a symptom of a larger issue. Can't quite tell from the thread information so far. Typical antivirus strategy has been to go after the "four sectors": file and print, SMTP, desktops, and mail groupware servers. The web adds another sector to go after and changes the paradigm from a pull to a push type of flow. The users actively go after content vs. having it sent to them. Spyware may not be all bad though, right? Some of it is undesirable such as tracking cookies etc. Some of it leads to malware and really sucks to get rid of. Ask any IT person with a non-tech teenage neighbor ;)

Best bet is to start with a policy and work back from there to a strategy and then to an execution plan. If your current strategy isn't working, it might be worth it to revisit the planning and then design the solution and deploy it to meet those requirements and direction. Why not just jump to action? I say this because you may be able to treat the symptoms now, but you'll just be waiting for the next one with no clear reaction plan or alternatives when it hits. My $0.02 anyway.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 5:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

When a user gets a virus, that virus will execute under that user's security context. So a regular user should NOT have a virus write to those keys. True? Or can a virus somehow get LocalSystem access? Thanks

As to Symantec, I know this is not the forum for this, but I'm pretty much at my limit with their products. I get infected by viruses that came out a year or 6 months ago AND all our definitions are up to date. I could chalk it up to my fault as an admin, if someone could just explain to me how I can be infected
RE: [ActiveDir] OT:spyware
A quick look at that worm on the Symantec website shows it can use the same mechanisms to spread as Nachi/Welchia. We had problems with the patch mentioned in MS03-026 deploying correctly when the machine was infected. Try using Stinger (http://vil.mcafeesecurity.com/vil/averttools.asp#stinger) to clean the box first. Then reapply the patch. I don't consider myself an expert, I can only tell you my experience on this. The patch stops the spreading and then the AV starts the clean-up. I think I read somewhere the only way to truly patch an infected machine is to wipe it clean and start over. You may have other problems installed beyond what the AV is detecting.

As to going to each PC, a tool I've found to be very useful is Atelier Web Remote Commander. As long as you have an admin account to the box, you can log on to it remotely without it having a client installed. http://www.atelierweb.com/rcomm/. Scripting is a lot quicker for mass problems, but for one or two machines here and there at remote locations, it's very useful.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 30, 2004 8:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

The viruses I've been getting are w32.spybot.worm and bat.mumu.A.worm (all Symantec's names). We are patched and up to date. The machines (anywhere from 5-10) get infected and then start going out on ports 445 and 6667. This is enough to slow our network to a crawl at times. I thought patching just prevents those holes from being exploited but does not prevent you from getting the virus and having it use your machine to attack another unpatched one. Am I wrong?

Thanks

From: Robert N. Leali [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 30, 2004 9:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

It is possible to get virus infections even with current virus definitions. My experience with Nachi/Welchia and 5000+ workstations at my last employer taught me that. If you have Nachi/Welchia in your system on just one machine, it's going to continually try to find machines to infect in your subnets. If you have current virus definitions but you haven't applied the Microsoft patch, the machines will get reinfected and then the virus scanner will clean the machine, reporting that the virus was cleaned. It's a vicious cycle. Basically, you have to clean, patch, and then clean to end the cycle. In our situation, we used a start-up script to install the Microsoft patch on the machine and then execute McAfee's STINGER program to clean the virus.

As to Spyware, we are using a web filter on the ISA Server to block spyware from ever getting to the machine. The vendor has a category called "spyware" that seems to cover everything except Gator/GAIN. We added URLs for those as well. So far, it seems to be working but we are only 3 weeks into the test. We also blocked downloading of executables and some other file types at the proxy.

Hope this helps.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 4:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

As re: Symantec, a lot of the viruses I've been getting lately have been viruses that are over a year old and defs have been out for a while, so I'm puzzled as to why I keep getting infected. The spyware/adware I think may be virus related and not web push related, but I'm not positive. When you say policy, are you referring to locking down desktops or a written set of standards provided by IT or upper management? It's difficult for me to block web sites on content as I work for a large liquor distribution firm where many sales reps and managers have to go to bar/club or liquor sites that have content which results in a lot of false positives for me.

Finally, we have over 400 users and if I really had a large outbreak (100+ PCs), I really don't know how I would take care of it. I'm the only admin and going to each PC to clean individually would be insane. How would I take care of that? It's thoughts like that which keep me up at night.

Thanks
RE: [ActiveDir] Unlock user account in mass
Brian - If I hadn't already figured that out, you'd be right :) Was helping a friend at my last job undo the damage already inflicted. Thanks for all the replies that were supplied; problem solved. Joe's solution was the easiest and quickest, thus we used that.

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, August 05, 2004 7:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unlock user account in mass

Don't you think that there's a bigger issue that needs to be tackled first? What is causing this? I'd make sure auditing is turned on for your domain security policy and start looking at failure records on your DCs. That aside, ADModify.Net can probably do this.

--Brian

-Original Message-
From: Robert N. Leali [mailto:[EMAIL PROTECTED]
Sent: Thu 8/5/2004 3:42 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] Unlock user account in mass

What is the easiest way to unlock multiple user accounts in Active Directory? Random accounts locked up today and I need a way to unlock them without having to go user by user. Is there a tool or script already written? Any help would be appreciated.

Robert
[ActiveDir] Unlock user account in mass
What is the easiest way to unlock multiple user accounts in Active Directory? Random accounts locked up today and I need a way to unlock them without having to go user by user. Is there a tool or script already written? Any help would be appreciated.

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I am looking that up now.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 3:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

This stands out: Pre-authentication failed:

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The program uses apache, I am still working with the vendor on this. This is the error from the DC:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/5/2004
Time: 3:15:59 PM
User: NT AUTHORITY\SYSTEM
Computer: KINGS-DC01
Description:
Pre-authentication failed:
User Name: ricktest
User ID: KINGS\ricktest
Service Name: krbtgt/KINGS.EDU
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.1.18.48
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Rick Gasper
Manager, Network Services
King's College

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

There are tools to monitor kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and where authentication is failing. I think the following is most likely to be helpful: http://support.microsoft.com/default.aspx?kbid=326985

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Question: is there a utility that would use Kerberos to login (kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned). This is the first non-Windows application we are deploying that uses Kerberos (outside of Windows). It does recognize a bad password as a bad password, but throws an error when the correct password is given: ERROR(1006) An error occurred in WebCT authorization.

Rick Gasper
Manager, Network Services
King's College

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

So that leads to the next question then: do you have a problem going on? If so, can you give some details?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is somewhat lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out an AD problem.

Thanks

Rick Gasper
Manager, Network Services
King's College

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Sorry Rick. Thread overlap. :) Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do? Which application is it out of curiosity?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
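For the two questions above, the mass unlock and what the quoted Event ID 675 means, here is an added PowerShell example (not from the thread): it parses the "Pre-authentication failed" description as Rick posted it, names the Kerberos failure code, summarises such audits from a DC, and unlocks only the accounts that are actually locked. It assumes a 2008-or-later DC reachable with Get-WinEvent and the ActiveDirectory module for the unlock step; the sample event text is the one quoted above.

```powershell
# Added example (not from the thread): triage Kerberos pre-auth failure audits
# and unlock locked-out accounts. Assumes Get-WinEvent can reach the DC and the
# ActiveDirectory module is installed (Search-ADAccount / Unlock-ADAccount).

# Kerberos error codes (RFC 4120) as Windows writes them in "Failure Code".
$KerberosFailureCodes = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN: user name does not exist'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out'
    '0x17' = 'KDC_ERR_KEY_EXPIRED: password expired'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED: wrong password, counts toward lockout'
    '0x19' = 'KDC_ERR_PREAUTH_REQUIRED: client sent no pre-auth data and the KDC asked it to retry; the normal first round for many non-Windows clients, not a bad password'
    '0x25' = 'KRB_AP_ERR_SKEW: clock skew larger than the KDC allows'
}

function ConvertFrom-PreAuthFailureText {
    param([Parameter(Mandatory)][string]$Text)
    # Field labels as they appear in event 675 (2000/2003) and 4771 (2008+).
    $field = {
        param($Label)
        if ($Text -match "(?:$Label)\s*:\s*(\S+)") { $Matches[1] } else { $null }
    }
    $code = & $field 'Failure Code'
    [pscustomobject]@{
        UserName      = & $field 'User Name|Account Name'
        ClientAddress = & $field 'Client Address'
        PreAuthType   = & $field 'Pre-Authentication Type'   # 0x0 = none sent
        FailureCode   = $code
        Meaning       = if ($code -and $KerberosFailureCodes.ContainsKey($code)) {
                            $KerberosFailureCodes[$code] } else { 'unrecognised code' }
    }
}

function Get-PreAuthFailureSummary {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Hours = 24)
    # 675 is the Windows 2000/2003 event ID; 4771 is its successor on 2008 and later.
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 675, 4771; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object { ConvertFrom-PreAuthFailureText -Text $_.Message } |
        Group-Object UserName, FailureCode, ClientAddress |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Unlock-LockedOutAccounts {
    param([switch]$WhatIf)
    # Unlock only what is actually locked, naming each account so the client
    # address from the summary can be chased down rather than just reset.
    Search-ADAccount -LockedOut | ForEach-Object {
        Write-Output "Unlocking $($_.SamAccountName)"
        Unlock-ADAccount -Identity $_.DistinguishedName -WhatIf:$WhatIf
    }
}

# Check against the description Rick posted: 0x19 comes back as
# "pre-auth required", i.e. not a failed password.
$sample = 'Pre-authentication failed: User Name: ricktest User ID: KINGS\ricktest ' +
          'Service Name: krbtgt/KINGS.EDU Pre-Authentication Type: 0x0 ' +
          'Failure Code: 0x19 Client Address: 10.1.18.48'
ConvertFrom-PreAuthFailureText -Text $sample | Format-List
```

Run Get-PreAuthFailureSummary against the PDC emulator first; a burst of 0x18 from one Client Address explains a wave of lockouts, whereas 0x19 alone is the KDC asking for pre-auth and is not evidence of a bad password.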
RE: [ActiveDir] Remote site slowdown weirdness
I think I'm having the same problem at my site and haven't been able to isolate or resolve it. Basically, the mapped shares time out with a red X. I saw in a Microsoft article that you can increase the time-out period on a W2K or W2K3 server share, but I'm not sure if this is the solution as not all of the sites have the problem. My sites' connections are a combination of ATM/T1. Could the time-out disconnect be coming from the router/switch configuration?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 01, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote site slowdown weirdness

This is a complete guess, but when you click My Computer it is double-checking all of the drives so it is reaching out to all of the file shares. When it does that it is probably locking certain things up in the network stack or workstation service that can only be done serially. I would recommend a network trace of a machine while doing that to see what calls are going out and taking so long to be responded to.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, July 30, 2004 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Remote site slowdown weirdness

We have a remote site connected to us with a 768k link. Intermittently, when the users at the remote site double-click My Computer, it takes 15-20 seconds or more for the drives to appear. When it's happening, it takes them a long time to access drive letters back at our headquarters over the WAN. We have tons of other sites connected this way, and have no issues. The WAN link utilization is generally below 50% when this is occurring. If they disconnect all their network mapped drives, the problem magically goes away. Are there some settings in WinXP and 2K that may cause the OS to do all kinds of checking and searching whenever My Computer is launched that might slow them down? We've been troubleshooting this site problem for over 2 years now. We also tried giving them their own local WINS server, and they have their own local DNS server running on their local domain controller. There are about 50 users at the site. Any ideas?
RE: [ActiveDir] Summer Maintenance
Most likely the answer is yes, speaking from experience in a K-12 setting. What is the specialized software? Why not roll out the software as an MSI file using group policies?

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Thursday, July 22, 2004 7:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Maybe I am being ignorant, but can I use sysprep if I have specialized software that I want to have on my master image?

-- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, July 21, 2004 8:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Please explain the reasoning here. Running newsid does not constitute running sysprep.

--Brian

-Original Message-
From: Jared Manhat [mailto:[EMAIL PROTECTED]
Sent: Wed 7/21/2004 4:00 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

Yes, just use Ghost and run Sysinternals NewSID on each PC BEFORE ADDING IT TO THE DOMAIN. http://www.sysinternals.com/ntw2k/source/newsid.shtml

Jared Manhat
Systems Administrator
Accutest Laboratories
2235 Route 130
Dayton, NJ 08810
(732) 329-0200 x254

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Wednesday, July 21, 2004 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I have word of using sysprep along with Ghost. From what I have read, sysprep just does the OS and allows for different configurations. If I am doing a lab that has special software and the same hardware config, is it not better to just use Ghost after the master computer has been configured?

-- Jake

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Wednesday, July 21, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

I think you can use Unicast instead of Multicast in the newer versions of Norton Ghost. It goes slower but it won't bog down the network. Also, make sure your hop count is set correctly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Sunday, July 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

We tend to do them in blocks of max 30 because it's more manageable (and most rooms don't have more than that many computers!) I've done it enough times now to know that although we shouldn't have to get involved with boot floppies, sometimes things just don't go the way you plan :-) Not sure why Ghost does cause the network problems you describe but I know it does and we just plan round it - making sure no-one's trying to do anything important at the same time etc.

Steve

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: 16 July 2004 21:31
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

Things really slow down when multicasting to a load of computers where I am (all Cisco 2900XL series switches with fiber links to a 4005 series backbone switch). The multicast slows to a crawl, as does other network traffic.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long
Sent: Friday, July 16, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

If you're multicasting, network congestion shouldn't be an issue (assuming that you are putting the same image on all machines), right? Or am I missing something here?

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 7/16/2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

You got it Steve. I don't know if you've ever done this before, but be prepared to have a handful of them screw up and need reimaging with a floppy disk. Also, don't think of doing 'em all at once. 100 - 150 is enough to saturate your network.

--Brian

-Original Message-
From: Steve Rochford [mailto:[EMAIL PROTECTED]
Sent: Fri 7/16/2004 8:08 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

I love comments like "The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away." We're re-imaging about 1000 student computers this summer and I'm not intending to go anywhere near most of them so typing in anything is a no-no! As others have said, Ghost will happily rename and join to the domain and it will also work with sysprep so you can have the best of both worlds :-)

Steve

-Original Message-
From: Brad Corob [mailto:[EMAIL PROTECTED]]
Sent: 15 July 2004 05:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

2
RE: [ActiveDir] Summer Maintenance
I think you can use Unicast instead of Multicast in the newer versions of Norton Ghost. It goes slower but it won't bog down the network. Also, make sure your hop count is set correctly.

-Original Message-
From: Brad Corob [mailto:[EMAIL PROTECTED]]
Sent: 15 July 2004 05:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

2) Regardless of how you image the computers, using sysprep is the *only* supported way of using imaged workstations on a network. Look into it if you haven't used it. I find it quite simple to use and extremely effective. The sysprep process can be automated. I typically find it most useful to automate all of the mini-setup answers except for computer name. The result is that as the imaged computers are powered up, the admin will type in each unique computer name and walk away.

You can also join a domain during the sysprep process (automated or not). One caveat here is the default 10-computer limit each user account can create in AD (but it worked fine when we tested it!). The suggested method is to create a designated account for Sysprep imaging and delegate the appropriate rights to your Computer OUs.

If joining the computer to the domain during sysprep doesn't work for you, you can also script the process. Technet gives an example script here: http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspx but MSDN actually documents the WMI method here: http://msdn.microsoft.com/library/en-us/wmisdk/wmi/joindomainorworkgroup_method_in_class_win32_computersystem.asp Particularly helpful is the AccountOU parameter, as it will allow you to specify the OU in which to place the computer object to further ease your post-deployment admin tasks.

[The script method works wonders in large deployments when you can't join a domain during the Sysprep process, for example, if this particularly vexing, poorly documented, almost-12-month-old and as-yet-unfixed issue plagues your environment like the spawn of Satan: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10086130.htm No, I'm not bitter. Not one bit.]

-Brad

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
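An added PowerShell example (not Brad's script and not the TechNet one he links) of the scripted join through Win32_ComputerSystem.JoinDomainOrWorkgroup with AccountOU, run on the imaged machine. The domain, join account and OU names are placeholders; it assumes Windows PowerShell with the WMI cmdlets and a join account that has been delegated rights on the computer OU, as Brad recommends, which also keeps it clear of the 10-computer ms-DS-MachineAccountQuota limit that applies to ordinary users.

```powershell
# Added example, not the TechNet script: join an imaged machine to the domain
# with a dedicated, delegated join account and drop the computer object into
# the intended OU via the AccountOU parameter. Names below are placeholders.
param(
    [string]$Domain   = 'example.corp',                        # placeholder
    [string]$JoinUser = 'EXAMPLE\svc-imagejoin',               # placeholder delegated account
    [string]$TargetOU = 'OU=Workstations,DC=example,DC=corp'   # placeholder
)

# FJoinOptions bits documented for JoinDomainOrWorkgroup.
$NETSETUP_JOIN_DOMAIN = 1   # join a domain rather than a workgroup
$NETSETUP_ACCT_CREATE = 2   # create the computer account if it does not exist

# Return values worth naming; anything else is a plain Win32 error number.
$JoinResultText = @{
    0    = 'joined; reboot to complete'
    5    = 'access denied: check the delegation on the target OU'
    53   = 'network path not found: cannot reach a DC, check DNS'
    1326 = 'logon failure: bad user name or password for the join account'
    1355 = 'the specified domain does not exist or could not be contacted'
    2224 = 'a computer account with this name already exists in the directory'
    2691 = 'this machine is already joined to a domain'
    8557 = 'machine account quota exceeded: the join account hit the 10-computer limit'
}

function Join-ImagedComputer {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$AccountOU
    )
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        return [pscustomobject]@{ ReturnValue = 2691; Meaning = $JoinResultText[2691] }
    }
    # The WMI method takes the password in clear text; keep it in this scope only.
    $result = $cs.JoinDomainOrWorkgroup(
        $Domain,
        $Credential.GetNetworkCredential().Password,
        $Credential.UserName,
        $AccountOU,
        ($NETSETUP_JOIN_DOMAIN -bor $NETSETUP_ACCT_CREATE))
    $code = [int]$result.ReturnValue
    [pscustomobject]@{
        ReturnValue = $code
        Meaning     = if ($JoinResultText.ContainsKey($code)) { $JoinResultText[$code] }
                      else { "Win32 error $code" }
    }
}

$cred = Get-Credential -UserName $JoinUser -Message 'Account delegated on the computer OU'
Join-ImagedComputer -Domain $Domain -Credential $cred -AccountOU $TargetOU
```

A return of 8557 is the quota caveat Brad mentions showing up in practice; the fix is the delegated account on the OU, not raising ms-DS-MachineAccountQuota for everyone.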